Concepts & principles of security

IBM Security Systems, © 2013 IBM Corporation

Upload: job-collins

Post on 18-Jan-2016



Objectives

The concepts covered in this presentation will help you examine:

• How to secure information in today's data explosion scenario?
• How IT security has evolved into a business process?
• How can we measure “Security”?
• What are the various categories of security services?
• Why is enforcing security difficult?
• How can we manage vulnerabilities?


Agenda

Evolution of information infrastructure security

Security services measures and categories

Security concerns

Vulnerability management

Summary and resources


The need to manage and secure the explosion of information

Information Compliance
• Regulatory compliance pressures directly target critical financial, customer, and employee data
• Sarbanes-Oxley (SOX), HIPAA, Basel II, EU Data Protection Directive, Payment Card Industry (PCI)

Information Availability
• Deliver continuous, reliable access to information
• Downtime costs can amount up to 16% of revenue in some industries.

Information Retention
• Support information retention policies
• 37% of data is expired or inactive.

Information Security
• Secure sharing of information
• 84% of security breaches come from internal sources
• External breaches continue to dominate the headlines, with increasing costs to address

Sources: CIO Magazine survey 2007; IBM Tivoli Market needs and profiling study 2005; "The Costs of Enterprise Downtime: NA Vertical Markets 2005" Information Research; IBM Market Intelligence. SNIA Data Management Forum, 100 Year Archive Requirements Survey, © Storage Networking Industry Association (SNIA), 2007


The proper handling and management of sensitive information is becoming a fundamental requirement for maintaining competitiveness in today’s world

Diagram labels: Identity Management; Patch Management; Configuration Threats; Data Threats; Executable Threats; Audit Threats; Business Controls; Policies; Regulatory Compliance; On-going Assessments; Infrastructure Capability; Least Privileges; Test Data; Separation of Duties; Vulnerability Assessments; Change Management


The information challenge...

Do decision makers have the right information at hand to take timely, effective action?

Is content being leveraged effectively to improve business performance?

How much time do employees spend looking for the right answers?

Is content being utilized to gather insight on operational effectiveness of the organization?


Helping answer the big questions…

Areas: Platform infrastructure; Compliance and audit; Data Privacy; Extended enterprise

• Do you know what your data & information assets are?
• Do you know where your information assets are located?
• Where should data be kept? Should it be safeguarded?
• Do you know the value of your data and economic risk of loss?
• Is the data security technology deployed aligned with your internal controls?
• How do you demonstrate compliance with data centric regulations?
• How long do you need to keep your data?
• Who owns the data? Who can modify or delete the data? Who can use the data? Who should?


Decomposition of high-level policies

Regulatory Requirements; Corporate Strategy

Why: Business Policies
Aggregation of obligations, practices, and strategy
• High level conformance metrics
• Compliance requirements
• Corporate strategy and policies

What: Information Policies & Controls
Classification of information
• Define access privileges to categorized information

How: Operational Policies & Controls
Operational deployment, enforcement, and monitoring
• Specify and enforce policies to optimize efficiency and quality, manage change
• Enforce information policies
• Ongoing monitoring and feedback in support of continuous assurance


Preemptive or reactive security?

Jim joined an organization as Head of IT security, where they apply security methods in response to security attacks. He asked his team to come up with a plan to analyze the current setup and apply security mechanisms based on vulnerabilities.

Which method would be a more effective approach to provide security?

a. The organization’s current security model

b. Jim’s plan of a vulnerability based security model


Why vulnerability based research = preemptive security

Protecting against exploits is reactive

• Too late for many

• Variants undo previous updates

Protecting against vulnerabilities and malicious behaviors is preemptive

• Stops threat at source

• Requires advanced R&D


Industry focus has evolved from the “T” to the “I” of IT


Security defined as a business process

Corporate Security Architecture (cycle):

• Assess Risk & Vulnerabilities: Identify Assets, Classify Data, Compute Risk, Assess Liabilities, Identify Owners
• Define Requirements and Policies: Set policies requirements for securing Data, Define measures of assessing protection
• Implement Policies: Select Technology, Deploy Technology, Defend from Threats, Set Management Operational Processes
• Administer & Maintain: Awareness training, Education, Procedures for Change Management, Deploy Incident Management Systems
• Audit & Report: Internal Audit, External Audit, Regulatory Reporting


Security concept of “Defense in depth”

The idea is to put multiple barriers around the flow to deter, delay and detect attacks, so that if one layer of defense fails, the others can act as the next layer of protection.

Security measures and services exist at each layer to ensure that only the right traffic is let through and that unauthorized, unwanted traffic is stopped.

Defense in Depth Layers

• Data
• Application
• Host
• Internal Network
• Perimeter
• Physical
• Policies, Procedures, Awareness


Security measures

• Accountability: Digital Signature, Audit Logs, Event generation disposition
• Asset protection: Data confidentiality, Data integrity, Data privacy
• Authorization: User authentication, Access control, Permissions manager (roles), Privacy access manager
• Administration: Policy manager, Registry, Directory, Configuration manager
• Assurance: Intrusion detection, Content filtering, Exposure testing, Monitoring
• Availability: Fault tolerance, Load balancing, Redundancy, “Denial of service” defense, Backup/recovery, Key recovery, Anti Virus


Security service categories

• Management
• Authentication
• Non-Repudiation
• Access Control
• Data Integrity
• Confidentiality


Security services: Authentication

Authentication: “Identifying Users/Entities”

Prevent Impersonation

Examples:
• Logon IDs and Passwords
• Pass Tickets
• Digital Certificates and Private Keys
• Smart Cards & PINs
• Tokens/fobs (SecurID, USB port fob,..)
• Biometric Devices

Issues:
• SW vs. HW
• Multi-factor authentication: What you know, What you have, What you are
• Scalability (ID/key mgmt.)
• Portability/Mobility
• Linking authentication policy to business policy
• Single sign-on


Security services: Access control

Access Control: “Selectively Granting/Denying Access to Resources”

a.k.a. “Authorization”

Issues:
• Granular control over heterogeneous resources
• Groups/roles simplify administration
• Single, comprehensive policy versus multiple, disparate approaches
• Control access while maintaining high availability/performance
• Ability to tightly link business policy to authorization policy

Examples:
• Access Control Lists
• Roles
• Security Labels
• Physical Barriers (Locks, Guards)
• Firewalls
• Split Control


Security services: Confidentiality

Confidentiality: “Preventing Unauthorized Disclosure of Stored and Transmitted Data”

Issues:
• Choice of protocol (SSL, IPSEC,..)
• Choice of strength (Key/algorithm)
• Performance (hardware versus software)
• Security of keys (hardware versus software)
• Scalability (key management)
• Ease of implementing, ease of use

Examples:
• Encryption (based on selected algorithms, e.g. DES)
• Data masking


Security services: Data integrity

Data Integrity: “Detecting Unauthorized Modification of Stored and Transmitted Data”

Issues:
• Choice of protocol (SSL, IPSEC,..)
• Choice of strength (Key/algorithm)
• Performance (hardware versus software)
• Security of keys (hardware versus software)
• Scalability (key management)
• Ease of implementing, ease of use

Examples:
• Checksums, CRCs,…
• Message integrity codes
• Hashes
• Digital signatures
• Anti-virus programs


Security services: Non-repudiation

Non-Repudiation: “Proof of: origin, receipt, transmission of a message”

Issues:
• Digital signature being written into laws
• Security of keys (hardware versus software)
• Scalability (key management)
• Integrating into existing middleware/applications

Examples:
• Message Authentication Codes (MACs)
• Digital signatures
• Audit
• Trusted Time


Security services: Security management (1 of 2)

Management: “Administering, Auditing, and Controlling Security Policy, Processes, Mechanisms, and Events”

Issues:
• Security management ideally fits into overall enterprise management approach
• Scalability
• Centralized management
• Ability to tightly link business policy, authorization policy and enterprise security policy

Examples:
• Defining and controlling security policy (authentication, access control,…)
• Administering user identities (certificates, user IDs)
• Controlling passwords
• Auditing


Security services: Security management (2 of 2)

Resources: Boundary, Network, System, Application

Services: Authentication, Access Control, Confidentiality, Data Integrity, Non-Repudiation, Security Management


Integration of security services results in auditability

Issues:
• Executive dashboards
• Digital signature being written into laws
• Industry regulatory reporting

Examples:
• End user authentication
• Digital signatures
• Database vulnerability assessment
• Data labels for specific regulations


Which security service is employed? (1 of 2)

1. Which type of security service is employed when a user is asked to enter a login ID and password to enter an application?

a. Data integrity

b. Authentication

c. Confidentiality

2. Which security service involves protecting transmitted or stored data from unauthorized disclosure?

a. Data integrity

b. Authentication

c. Confidentiality

d. Access control

e. Non-repudiation


Which security service is employed? (2 of 2)

Edith needs to send a highly confidential message to Jim ensuring that her name is associated with the data exchange.

She creates a hash of the message and encrypts the hash using her private key before sending the message.

Jim uses Edith’s public key to decrypt the hash, calculates the hash of the message, which is well-known, and compares the two results. Since they match, Jim is sure that the message came from Edith and the message was not altered.

Which security mechanism did Edith employ to successfully send the message as per the requirements?

a. Checksum

b. Data masking

c. Digital signature


What makes the hash function an effective cryptographic tool?

Which of the following features make hash an effective cryptographic tool?

a. It is infeasible to compute the original message from the hash.

b. It is infeasible to compute any message that, when hashed with the same hashing technique, will produce a value equal to a given hash value.

c. a & b


Motivations to violate security

Greed

Ego

Curiosity

Revenge

Competition

Political and ideological


Software security concerns

Theft

Modification

Deletion

Misplacement


Security terminology

• Exposure: “actual harm or possible harm”
• Vulnerability: “weakness that may be exploited”
• Attack: “human originated perpetration”
• Threat: “potential for exposure”
• Control: “preventative measure”


Why is enforcing and measuring security difficult?

• Threats are continuously evolving
• Difficult to assign asset valuations of resources
• Damage to public image deters openness
• Legal implications often vague or non-existent
• Legal prosecution is difficult
• Many subtle technical issues
• Insider trust is a pre-requisite


Risk & vulnerability analysis

Consider this…

A network with 10,000 IP devices, each with 10 vulnerabilities

That’s 100,000 different ways loss can occur

But of course, not all vulnerabilities cause the same amount of loss, and their likelihood of being exploited will differ

So the challenges are:

• How do you figure out what’s at risk?
• How do you prioritize the work?


Prioritization is contextual

Different groups will have their own use for the results (which is good if you’re the one rolling this out!)

• For the Network and Firewall Engineer: show me any errors in my configurations
• For the Security Manager: show me the top 10 most vulnerable devices
• For the IT Manager: show me the most common vulnerabilities
• For the Auditor: show me all machines that are out of SOX / PCI compliance


Methods of defense

Overlapping controls:

Authentication

Encryption

Integrity control

Firewalls

Network configuration

Application configuration

Policy


Vulnerability management life cycle

1) Identification and Validation: Scoping systems, Detecting, Validate
2) Risk Assessment and Prioritization: Assess risks, Prioritize vulnerabilities
3) Remediation: Mitigate, Leverage IT processes
4) Continual Improvement: Stop the spread, Establish OLAs, Automate


Vulnerability management life cycle 1) Identification and validation

Scoping systems: Find all the networks: wireless, backup, transit, admin, test, production. Identify and document them all, even if you won’t be scanning them immediately.

Detecting vulnerabilities (vulns): All IT assets should be scanned or monitored (even printers!). Scanners actively probe devices, whereas monitoring passively checks networks or hosts.

Validating findings: Once you have the (mountain of) data, validate the results to weed out false positives.


Vulnerability management life cycle 2) Risk assessment and prioritization

Assessing risks: Perform a quick risk assessment.

For example: Risk = threat likelihood * vuln severity * asset value.

Take note of security controls that limit or mitigate the actual risk of the vulns.

Prioritization: Prioritize the remaining vulns according to their risk and the effort (cost) required to fix them.

Also consider how past incidents occurred, as this may affect the prioritization.

For example, perhaps all past breaches occurred from 3rd party network connectivity.
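The quick risk assessment and prioritization steps above, together with the per-audience views from the "Prioritization is contextual" slide, as an added example that is not part of the original deck. The rating scales, field names, the `boost` factor for past incident paths and the sample findings are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One validated vulnerability on one device (all scales are assumptions)."""
    device: str
    vuln: str
    likelihood: int    # threat likelihood, 1 (rare) .. 5 (expected)
    severity: int      # vulnerability severity, 1 .. 10
    asset_value: int   # business value of the asset, 1 .. 5
    mitigation: float  # share of risk removed by existing controls, 0.0 .. 1.0
    effort: float      # estimated person-days to fix, must be > 0
    exposure: str      # network path over which the device is reachable

    def __post_init__(self):
        if not 0.0 <= self.mitigation <= 1.0:
            raise ValueError("mitigation must be between 0 and 1")
        if self.effort <= 0:
            raise ValueError("effort must be positive")


# Constructed sample data, standing in for validated scanner output.
FINDINGS = [
    Finding("db01", "unpatched-dbms", 3, 9, 5, 0.5, 3.0, "third-party"),
    Finding("web01", "weak-tls-config", 4, 5, 4, 0.0, 0.5, "internet"),
    Finding("web01", "default-admin-password", 5, 8, 4, 0.0, 0.25, "internet"),
    Finding("printer07", "default-admin-password", 2, 8, 1, 0.0, 0.5, "internal"),
    Finding("hr-laptop3", "outdated-browser", 3, 6, 3, 0.25, 1.0, "internal"),
    Finding("test02", "weak-tls-config", 1, 5, 1, 0.75, 0.5, "internal"),
]


def residual_risk(f: Finding) -> float:
    """Risk = likelihood * severity * asset value, reduced by existing controls."""
    raw = f.likelihood * f.severity * f.asset_value
    return raw * (1.0 - f.mitigation)


def prioritize(findings, incident_paths=frozenset(), boost=2.0):
    """Order the fix queue by residual risk per unit of remediation effort.

    Findings exposed over a path involved in past incidents have their risk
    multiplied by `boost` (an assumed factor; tune it to your own history).
    """
    def score(f):
        risk = residual_risk(f)
        if f.exposure in incident_paths:
            risk *= boost
        return risk / f.effort

    return sorted(findings, key=lambda f: (-score(f), f.device, f.vuln))


def top_devices(findings, n=10):
    """Security Manager view: devices ranked by total residual risk."""
    totals = {}
    for f in findings:
        totals[f.device] = totals.get(f.device, 0.0) + residual_risk(f)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def common_vulns(findings, n=10):
    """IT Manager view: vulnerabilities ranked by number of affected devices."""
    counts = Counter(f.vuln for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("Fix queue (risk per person-day):")
    for f in prioritize(FINDINGS):
        print(f"  {f.device:<11} {f.vuln:<24} {residual_risk(f) / f.effort:7.1f}")
    print("Fix queue, past breaches via third-party links:")
    for f in prioritize(FINDINGS, incident_paths={"third-party"}):
        print(f"  {f.device:<11} {f.vuln}")
    print("Most vulnerable devices:", top_devices(FINDINGS, 3))
    print("Most common vulnerabilities:", common_vulns(FINDINGS, 2))
```

With the sample data, the well-mitigated but expensive database fix drops below cheaper findings until third-party connectivity is flagged as a past incident path, which moves it up the queue.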


Vulnerability management life cycle 3) Remediation

The challenge is: how to effect change when the motivations of the group finding the vulnerabilities aren’t (necessarily) those of the group fixing them?

Leverage (not circumvent) existing IT processes by delivering fixes as just another stock of planned work, that is, Change Management.

IT can then test and coordinate the fixes as necessary. It may not be done as fast, but it will get done.

For critical vulnerabilities: Use the emergency change request process. Most organizations will have one; if not, you can create it.


Vulnerability management life cycle 4) Continual improvement

Stopping the spread: Incorporate changes or patches of current findings into future system builds.

Setting expectations: By setting proper SLAs, both parties have clear expectations as to what can be done when.

Automation: Much of the efficiency and effectiveness can be achieved through automation of detection, reporting, and remediation (if possible).


Vulnerability management metrics (1 of 2)

Metric: Description

• Percent of systems scanned: Measures completeness of an organization’s VM solution
• Number of unique vulnerabilities: Measures the amount of variability, and therefore risk, of IT systems. Any disadvantages with zero variation (complete uniformity)?
• Percent of total systems tracked by Configuration Management: Measures degree to which an organization is aware (and has control) of devices on its network

Tracking of vulnerability metrics is key to keeping a handle on how one improves their security posture


Vulnerability management metrics (2 of 2)

Metric: Description

• Percentage of SLAs that have been met: Measures efficiency of the organization’s VM efforts
• Number of security incidents (period of time): A proxy for effectiveness of the organization’s VM efforts
• Impact of security incidents: Measures the full cost due to vulnerable systems


How to measure vulnerability management?

Which of the following metrics is used to measure the efficiency of the organization’s vulnerability management efforts?

a. Percent of systems scanned

b. Number of security incidents

c. Percentage of SLAs that have been met

d. Percent of total systems tracked by configuration management


What activities are involved in vulnerability management life cycle?

Setup: Form four teams and assign each team one of the following parts of the vulnerability management life cycle:

1. Identification and validation

2. Risk assessment and prioritization

3. Remediation

4. Continual improvement

Duration: 10-15 mins

Task: Each team should identify the steps involved in each part of the cycle assigned to them and explain why.


Summary

In this presentation, we have examined the responses to:

How to secure information in today's data explosion scenario?

How IT security has evolved into a business process?

How do we measure “Security”?

What are the various categories of security services?

Why is enforcing security difficult?

How can we manage vulnerabilities?


IBM Security Services Cyber Security Intelligence Index

Analysis of cyber security attack and incident data from IBM worldwide security operations

Help understand and prepare for security breaches

Highlights:
• Key insights to the depth and breadth of cyber security attacks
• Review attack rates and incidents by category, including type, industry, and individual
• Learn which industries are experiencing the most and least rate of incidents
• See why incidents were possible in the first place


Whitepaper: Responding to—and recovering from—sophisticated security attacks

Use this compelling new White Paper to talk to your clients about the reputational and financial risk they carry if they are not prepared to withstand and respond to cyber attacks.

Learn the four proactive steps your clients can—and should—take to keep their business safe:
• Step 1: Prioritize business objectives and set risk tolerance
• Step 2: Protect your organization with a proactive security plan
• Step 3: Prepare a response to the inevitable: a sophisticated attack
• Step 4: Promote and support a culture of security awareness


Additional whitepapers

Finding a Strategic Voice

IBM 2012 CISO Assessment

IBM 2012 Global Chief Executive Officer Study

Security Intelligence and Compliance Analytics

IBM Institute for Advanced Security

Global Security Leaders Share intelligence and collaborate


X-Force Report Deliverables

URL – http://ibm.co/xforce12

URL – http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=XB&infotype=PM&appname=SWGE_WG_WG_USEN&htmlfid=WGE03020USEN&attachment=WGE03020USEN.PDF

PartnerWorld URL – http://www.ibm.com/partnerworld/wps/servlet/ContentHandler/WGE03020USEN

Executive Summary

Full Report


ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.