© 2013 IBM Corporation
IBM Security Systems
Presenter Name, Designation, Department
Concepts & principles of security
Objectives
The concepts covered in this presentation will help you examine:
How to secure information in today's data explosion scenario?
How IT security has evolved into a business process?
How can we measure “Security”?
What are the various categories of security services?
Why is enforcing security difficult?
How can we manage vulnerabilities?
Agenda
Evolution of information infrastructure security
Security services measures and categories
Security concerns
Vulnerability management
Summary and resources
The need to manage and secure the explosion of information
Information Compliance: Regulatory compliance pressures directly target critical financial, customer, and employee data: Sarbanes-Oxley (SOX), HIPAA, Basel II, EU Data Protection Directive, Payment Card Industry (PCI).
Information Availability: Deliver continuous, reliable access to information. Downtime costs can amount to as much as 16% of revenue in some industries.
Information Retention: Support information retention policies. 37% of data is expired or inactive.
Information Security: Secure sharing of information. 84% of security breaches come from internal sources. External breaches continue to dominate the headlines, with increasing costs to address.
Sources: CIO Magazine survey 2007; IBM Tivoli Market needs and profiling study 2005; "The Costs of Enterprise Downtime: NA Vertical Markets 2005", Information Research; IBM Market Intelligence; SNIA Data Management Forum, 100 Year Archive Requirements Survey, © Storage Networking Industry Association (SNIA), 2007
The proper handling and management of sensitive information is becoming a fundamental requirement for maintaining competitiveness in today’s world
Diagram labels: Identity Management, Patch Management, Configuration Threats, Data Threats, Executable Threats, Audit Threats, Business Controls, Policies, Regulatory Compliance, On-going Assessments, Infrastructure Capability, Least Privileges, Test Data, Separation of Duties, Vulnerability Assessments, Change Management
The information challenge...
Do decision makers have the right information at hand to take timely, effective action?
Is content being leveraged effectively to improve business performance?
How much time do employees spend looking for the right answers?
Is content being utilized to gather insight on operational effectiveness of the organization?
Helping answer the big questions…
Diagram areas: Platform infrastructure, Compliance and audit, Data privacy, Extended enterprise
Do you know what your data & information assets are?
Do you know where your information assets are located?
Where should data be kept? Should it be safeguarded?
Do you know the value of your data and the economic risk of loss?
Is the data security technology deployed aligned with your internal controls?
How do you demonstrate compliance with data-centric regulations?
How long do you need to keep your data?
Who owns the data? Who can modify or delete the data? Who can use the data? Who should?
Decomposition of high-level policies
Diagram axis: Why, What, How. Inputs: Regulatory Requirements, Corporate Strategy.
Business Policies: aggregation of obligations, practices, and strategy
• High level conformance metrics
• Compliance requirements
• Corporate strategy and policies
Information Policies & Controls: classification of information
• Define access privileges to categorized information
Operational Policies & Controls: operational deployment, enforcement, and monitoring
• Specify and enforce policies to optimize efficiency and quality, manage change
• Enforce information policies
• Ongoing monitoring and feedback in support of continuous assurance
Preemptive or reactive security?
Jim joined an organization as Head of IT security, where they apply security methods in response to security attacks. He asked his team to come up with a plan to analyze the current setup and apply security mechanisms based on vulnerabilities.
Which method would be a more effective approach to provide security?
a. The organization’s current security model
b. Jim’s plan of a vulnerability based security model
Why vulnerability-based research = preemptive security
Protecting against exploits is reactive
• Too late for many
• Variants undo previous updates
Protecting against vulnerabilities and malicious behaviors is preemptive
• Stops threat at source
• Requires advanced R&D
Industry focus has evolved from the “T” to the “I” of IT
Security defined as a business process
Corporate security architecture (cycle):
Assess Risk & Vulnerabilities: Identify assets, Classify data, Compute risk, Assess liabilities, Identify owners
Define Requirements and Policies: Set policy requirements for securing data, Define measures of assessing protection
Implement Policies: Select technology, Deploy technology
Administer & Maintain: Defend from threats, Set management operational processes, Awareness training and education, Procedures for change management, Deploy incident management systems
Audit & Report: Internal audit, External audit, Regulatory reporting
Agenda
Evolution of information infrastructure security
Security services measures and categories
Security concerns
Vulnerability management
Summary and resources
Security concept of “Defense in depth”
The idea is to put multiple barriers around the flow to deter, delay and detect attacks, so that if one layer of defense fails, the others can act as the next layer of protection.
Security measures and services exist at each layer to ensure only the right traffic is let through and the unauthorized, unwanted traffic is stopped.
Defense in Depth Layers:
Data
Application
Host
Internal Network
Perimeter
Physical
Policies, Procedures, Awareness
Security measures
Accountability: Digital signature, Audit logs, Event generation disposition
Asset protection: Data confidentiality, Data integrity, Data privacy
Authorization: User authentication, Access control, Permissions manager (roles), Privacy access manager
Administration: Policy manager, Registry, Directory, Configuration manager
Assurance: Intrusion detection, Content filtering, Exposure testing, Monitoring
Availability: Fault tolerance, Load balancing, Redundancy, “Denial of service” defense, Backup/recovery, Key recovery, Anti-virus
Security service categories
Management
Authentication
Non-Repudiation
Access Control
Data Integrity
Confidentiality
Security services: Authentication
Authentication: “Identifying Users/Entities”. Goal: prevent impersonation.
Examples:
Logon IDs and passwords
Pass tickets
Digital certificates and private keys
Smart cards & PINs
Tokens/fobs (SecurID, USB port fob, ...)
Biometric devices
Multi-factor authentication: what you know, what you have, what you are
Issues:
SW vs. HW
Scalability (ID/key management)
Portability/mobility
Linking authentication policy to business policy
Single sign-on
© 2013 IBM Corporation21
IBM Security
Security services: Access control
Access Control: “Selectively Granting/Denying Access to Resources”, a.k.a. “Authorization”
Issues:
Granular control over heterogeneous resources
Groups/roles simplify administration
Single, comprehensive policy versus multiple, disparate approaches
Control access while maintaining high availability/performance
Ability to tightly link business policy to authorization policy
Examples:
Access control lists
Roles
Security labels
Physical barriers (locks, guards)
Firewalls
Split control
© 2013 IBM Corporation22
IBM Security
Security services: Confidentiality
Confidentiality: “Preventing Unauthorized Disclosure of Stored and Transmitted Data”
Issues:
Choice of protocol (SSL, IPSEC, ...)
Choice of strength (key/algorithm)
Performance (hardware versus software)
Security of keys (hardware versus software)
Scalability (key management)
Ease of implementing, ease of use
Examples:
Encryption (based on selected algorithms, e.g. DES)
Data masking
© 2013 IBM Corporation23
IBM Security
Security services: Data integrity
Data Integrity: “Detecting Unauthorized Modification of Stored and Transmitted Data”
Issues:
Choice of protocol (SSL, IPSEC, ...)
Choice of strength (key/algorithm)
Performance (hardware versus software)
Security of keys (hardware versus software)
Scalability (key management)
Ease of implementing, ease of use
Examples:
Checksums, CRCs, ...
Message integrity codes
Hashes
Digital signatures
Anti-virus programs
© 2013 IBM Corporation24
IBM Security
Security services: Non-repudiation
Non-Repudiation: “Proof of origin, receipt, or transmission of a message”
Issues:
Digital signature being written into laws
Security of keys (hardware versus software)
Scalability (key management)
Integrating into existing middleware/applications
Examples:
Message Authentication Codes (MACs)
Digital signatures
Audit
Trusted time
© 2013 IBM Corporation25
IBM Security
Security services: Security management (1 of 2)
Management: “Administering, Auditing, and Controlling Security Policy, Processes, Mechanisms, and Events”
Issues:
Security management ideally fits into the overall enterprise management approach
Scalability
Centralized management
Ability to tightly link business policy, authorization policy and enterprise security policy
Examples:
Defining and controlling security policy (authentication, access control, ...)
Administering user identities (certificates, user IDs)
Controlling passwords
Auditing
© 2013 IBM Corporation26
IBM Security
Security services: Security management (2 of 2)
Matrix of services against resources:
Resources: Boundary, Network, System, Application
Services: Authentication, Access Control, Confidentiality, Data Integrity, Non-Repudiation, Security Management
© 2013 IBM Corporation27
IBM Security
Integration of security services results in auditability
Issues:
Executive dashboards
Digital signature being written into laws
Industry regulatory reporting
Examples:
End user authentication
Digital signatures
Database vulnerability assessment
Data labels for specific regulations
© 2013 IBM Corporation28
IBM Security
Which security service is employed? (1 of 2)
1. Which type of security service is employed when a user is asked to enter a login ID and password to enter an application?
a. Data integrity
b. Authentication
c. Confidentiality
2. Which security service involves protecting transmitted or stored data from unauthorized disclosure?
a. Data integrity
b. Authentication
c. Confidentiality
d. Access control
e. Non-repudiation
© 2013 IBM Corporation29
IBM Security
Which security service is employed? (2 of 2)
Edith needs to send a highly confidential message to Jim ensuring that her name is associated with the data exchange.
She creates a hash of the message and encrypts the hash using her private key before sending the message.
Jim uses Edith’s public key to decrypt the hash, calculates the hash of the message with the same well-known hash function, and compares the two results. Since they match, Jim is sure that the message came from Edith and the message was not altered.
Which security mechanism did Edith employ to successfully send the message as per the requirements?
a. Checksum
b. Data masking
c. Digital signature
© 2013 IBM Corporation30
IBM Security
What makes the hash function an effective cryptographic tool?
Which of the following features make hash an effective cryptographic tool?
a. It is infeasible to compute the original message from the hash.
b. It is infeasible to compute any message that, when hashed with the same hashing technique, will produce a value equal to a given hash value.
c. a & b
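The Edith/Jim exchange above, played out in code so the three checks (genuine message, altered message, message signed with someone else's key) can be seen. This is an added illustration, not IBM's material: it assumes SHA-256 as the well-known hash function and uses textbook RSA over two constructed Mersenne primes with no padding, so it runs on the Python standard library alone but is not how a production signature scheme is built.

```python
import hashlib
from math import gcd

# Constructed key material for the demonstration (Mersenne primes, far too small
# for real use; shown only so the arithmetic is visible and runs offline).
EDITH_PRIMES = (2**61 - 1, 2**31 - 1)
OTHER_PRIMES = (2**89 - 1, 2**107 - 1)


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation: returns (public (n, e), private (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be invertible modulo phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def message_digest(message, n):
    """Step 1 of the scenario: hash the message (SHA-256), reduced mod n to fit the key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Step 2 (Edith): 'encrypt' the hash with the private key; the result is the signature."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Step 3 (Jim): recover the hash with the public key, recompute the hash of the
    received message, and compare. True only if origin and integrity both hold."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def run_scenario():
    """Plays out the exchange plus two failure cases; returns the verification results."""
    edith_pub, edith_priv = make_keypair(*EDITH_PRIMES)
    _other_pub, other_priv = make_keypair(*OTHER_PRIMES)   # an impersonator's key

    message = b"Transfer approved: invoice 4711, amount 12,500"   # constructed sample
    signature = sign(message, edith_priv)

    return {
        # Jim verifies with Edith's public key: origin and integrity confirmed.
        "genuine": verify(message, signature, edith_pub),
        # One changed digit changes the hash, so the recovered hash no longer matches.
        "tampered": verify(b"Transfer approved: invoice 4711, amount 92,500",
                           signature, edith_pub),
        # A signature made with a different private key does not verify under
        # Edith's public key, so her name cannot be attached by someone else.
        "impersonated": verify(message, sign(message, other_priv), edith_pub),
    }


if __name__ == "__main__":
    for case, ok in run_scenario().items():
        print(f"{case:13s} -> {'verified' if ok else 'REJECTED'}")
```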
© 2013 IBM Corporation31
IBM Security
Agenda
Evolution of information infrastructure security
Security services measures and categories
Security concerns
Vulnerability management
Summary and resources
© 2013 IBM Corporation32
IBM Security
95752:1-32
Motivations to violate security
Greed
Ego
Curiosity
Revenge
Competition
Political and ideological
© 2013 IBM Corporation33
IBM Security
Software security concerns
Theft
Modification
Deletion
Misplacement
© 2013 IBM Corporation34
IBM Security
Security terminology
Exposure: “actual harm or possible harm”
Vulnerability: “weakness that may be exploited”
Attack: “human originated perpetration”
Threat: “potential for exposure”
Control: “preventative measure”
© 2013 IBM Corporation35
IBM Security
Why is enforcing and measuring security difficult?
Threats are continuously evolving
Difficult to assign asset valuations of resources
Damage to public image deters openness
Legal implications often vague or non-existent
Legal prosecution is difficult
Many subtle technical issues
Insider trust is a pre-requisite
© 2013 IBM Corporation37
IBM Security
Risk & vulnerability analysis
Consider this…
A network with 10,000 IP devices, each with 10 vulnerabilities
That’s 100,000 different ways loss can occur
But of course, not all vulnerabilities cause the same amount of loss, and their likelihood of being exploited will differ
So the challenges are:
How do you figure out what’s at risk?
How do you prioritize the work?
© 2013 IBM Corporation38
IBM Security
Prioritization is contextual
Different groups will have their own use for the results (which is good if you’re the one rolling this out!)
For the Network and Firewall Engineer: show me any errors in my configurations
For the Security Manager: show me the top 10 most vulnerable devices
For the IT Manager: show me the most common vulnerabilities
For the Auditor: show me all machines that are out of SOX / PCI compliance
© 2013 IBM Corporation39
IBM Security
Methods of defense
Overlapping controls:
Authentication
Encryption
Integrity control
Firewalls
Network configuration
Application configuration
Policy
© 2013 IBM Corporation40
IBM Security
Vulnerability management life cycle
1) Identification and Validation: Scoping systems, Detecting, Validate
2) Risk Assessment and Prioritization: Assess risks, Prioritize vulnerabilities
3) Remediation: Leverage IT processes, Mitigate
4) Continual Improvement: Stop the spread, Establish OLAs, Automate
© 2013 IBM Corporation41
IBM Security
Vulnerability management life cycle 1) Identification and validation
Scoping systems: Find all the networks: wireless, backup, transit, admin, test, production. Identify and document them all, even if you won’t be scanning them immediately.
Detecting vulnerabilities (vulns): All IT assets should be scanned or monitored (even printers!). Scanners actively probe devices, whereas monitoring passively checks networks or hosts.
Validating findings: Once you have the (mountain of) data, validate the results to weed out false positives.
© 2013 IBM Corporation42
IBM Security
Vulnerability management life cycle 2) Risk assessment and prioritization
Assessing risks: Perform a quick risk assessment. For example: Risk = threat likelihood * vuln severity * asset value. Take note of security controls that limit or mitigate the actual risk of the vulns.
Prioritization: Prioritize the remaining vulns according to their risk and the effort (cost) required to fix them. Also consider how past incidents occurred; this may affect the prioritization. For example, perhaps all past breaches occurred through 3rd-party network connectivity.
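The quick risk assessment and prioritization described above, as an added worked example rather than anything from the original deck. The formula is the slide's; the 1..10 scales, the credit given to each compensating control, the weighting for the "past breaches came over 3rd-party links" history, and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Finding:
    system: str
    vuln: str
    likelihood: float      # threat likelihood, 0..1
    severity: int          # vulnerability severity, 1..10
    asset_value: int       # asset value, 1..10
    fix_effort: float      # person-days to remediate (the cost side)
    exposure: str          # path the exposure sits on, e.g. "internal", "third-party"
    controls: List[str] = field(default_factory=list)   # mitigating controls in place


# Constructed: fraction of the raw risk each compensating control takes away.
CONTROL_EFFECT = {"firewall-blocks-ingress": 0.7, "network-segmentation": 0.5}

# Constructed: the slide's example that all past breaches arrived over third-party
# network connectivity, so findings on that path are weighted up.
INCIDENT_HISTORY_WEIGHT = {"third-party": 1.5}


def raw_risk(f):
    """The slide's formula: threat likelihood * vuln severity * asset value."""
    return f.likelihood * f.severity * f.asset_value


def actual_risk(f):
    """Raw risk reduced by the controls in place, then weighted by incident history."""
    risk = raw_risk(f)
    for c in f.controls:
        risk *= 1.0 - CONTROL_EFFECT.get(c, 0.0)   # an unknown control earns no credit
    return risk * INCIDENT_HISTORY_WEIGHT.get(f.exposure, 1.0)


def prioritize(findings):
    """Order by risk removed per person-day of effort, highest first."""
    return sorted(findings, key=lambda f: actual_risk(f) / f.fix_effort, reverse=True)


SAMPLE = [  # constructed findings for a handful of systems
    Finding("db01", "unpatched DBMS", 0.6, 9, 10, 3.0, "internal", ["network-segmentation"]),
    Finding("web01", "weak TLS configuration", 0.5, 5, 7, 0.5, "internet"),
    Finding("printer7", "default admin password", 0.3, 6, 2, 0.25, "internal"),
    Finding("vpn-gw2", "partner VPN allows unfiltered access", 0.4, 7, 8, 2.0, "third-party"),
    Finding("test03", "remote code execution in test app", 0.8, 10, 3, 2.0, "internet",
            ["firewall-blocks-ingress"]),
]


def work_order(findings=SAMPLE):
    """Returns (system, actual risk, risk per person-day) in the order to fix them."""
    return [(f.system, round(actual_risk(f), 2), round(actual_risk(f) / f.fix_effort, 2))
            for f in prioritize(findings)]


if __name__ == "__main__":
    # Note how the cheap fixes and the third-party path move ahead of the
    # highest raw-risk item (db01), whose segmentation already halves its risk.
    for system, risk, per_day in work_order():
        print(f"{system:10s} risk={risk:6.2f} per-day={per_day:6.2f}")
```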
© 2013 IBM Corporation43
IBM Security
Vulnerability management life cycle 3) Remediation
The challenge is: how to effect change when the motivations of the group finding the vulnerabilities aren’t (necessarily) those of the group fixing them?
Leverage (not circumvent) existing IT processes by delivering fixes as just another stock of planned work, that is, Change Management.
IT can then test and coordinate the fixes as necessary. It may not be done as fast, but it will get done.
For critical vulnerabilities: Use the emergency change request process (most organizations will have one; if not, you can create it).
© 2013 IBM Corporation44
IBM Security
Vulnerability management life cycle4) Continual improvement
Stopping the spread: Incorporate changes or patches of current findings into future system builds.
Setting expectations: By setting proper SLAs, both parties have clear expectations as to what can be done when.
Automation: Much of the efficiency and effectiveness can be achieved through automation of detection, reporting, and remediation (if possible).
© 2013 IBM Corporation45
IBM Security
Vulnerability management metrics (1 of 2)
Metric: Description
Percent of systems scanned: Measures completeness of an organization’s VM solution
Number of unique vulnerabilities: Measures the amount of variability, and therefore risk, of IT systems. (Any disadvantages with zero variation, i.e. complete uniformity?)
Percent of total systems tracked by Configuration Management: Measures the degree to which an organization is aware (and has control) of devices on its network
Tracking vulnerability metrics is key to keeping a handle on how one’s security posture improves.
© 2013 IBM Corporation46
IBM Security
Vulnerability management metrics (2 of 2)
Metric: Description
Percentage of SLAs that have been met: Measures efficiency of the organization’s VM efforts
Number of security incidents (per period of time): A proxy for effectiveness of the organization’s VM efforts
Impact of security incidents: Measures the full cost due to vulnerable systems
© 2013 IBM Corporation47
IBM Security
How to measure vulnerability management?
Which of the following metrics is used to measure the efficiency of the organization’s vulnerability management efforts?
a. Percent of systems scanned
b. Number of security incidents
c. Percentage of SLAs that have been met
d. Percent of total systems tracked by configuration management
© 2013 IBM Corporation48
IBM Security
What activities are involved in vulnerability management life cycle?
Setup: Form four teams and assign each team one of the following parts of the vulnerability management life cycle:
1. Identification and validation
2. Risk assessment and prioritization
3. Remediation
4. Continual improvement
Duration: 10-15 mins
Task: Each team should identify the steps involved in each part of the cycle assigned to them and explain why.
© 2013 IBM Corporation49
IBM Security
Agenda
Evolution of information infrastructure security
Security services: Measures and categories
Security concerns
Vulnerability management
Summary and resources
© 2013 IBM Corporation50
IBM Security
Summary
In this presentation, we have examined the responses to:
How to secure information in today's data explosion scenario?
How IT security has evolved into a business process?
How do we measure “Security”?
What are the various categories of security services?
Why is enforcing security difficult?
How can we manage vulnerabilities?
© 2013 IBM Corporation51
IBM Security
IBM Security Services Cyber Security Intelligence Index
Analysis of cyber security attack and incident data from IBM worldwide security operations. Helps you understand and prepare for security breaches.
Highlights:
Key insights into the depth and breadth of cyber security attacks
Review attack rates and incidents by category, including type, industry, and individual
Learn which industries are experiencing the highest and lowest rates of incidents
See why incidents were possible in the first place
Whitepaper: Responding to—and recovering from—sophisticated security attacks
Use this compelling new white paper to talk to your clients about the reputational and financial risk they carry if they are not prepared to withstand and respond to cyber attacks.
Learn the four proactive steps your clients can—and should—take to keep their business safe:
Step 1: Prioritize business objectives and set risk tolerance
Step 2: Protect your organization with a proactive security plan
Step 3: Prepare a response to the inevitable: a sophisticated attack
Step 4: Promote and support a culture of security awareness
Additional whitepapers
Finding a Strategic Voice: IBM 2012 CISO Assessment
IBM 2012 Global Chief Executive Officer Study
Security Intelligence and Compliance Analytics
IBM Institute for Advanced Security: Global Security Leaders share intelligence and collaborate
X-Force Report Deliverables
Executive Summary
Full Report
URL – http://ibm.co/xforce12
URL – http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=XB&infotype=PM&appname=SWGE_WG_WG_USEN&htmlfid=WGE03020USEN&attachment=WGE03020USEN.PDF
PartnerWorld URL – http://www.ibm.com/partnerworld/wps/servlet/ContentHandler/WGE03020USEN
ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.