Designing Infrastructure that Contains Security at All Levels
By Jason Witty, CISSP
Director, Global Security Architecture
Aon Services Corporation
A Little About Aon…
Fortune 250 Insurance Services and Human Capital Management Company
54,000 employees
1458 separate operating companies
500+ offices world-wide
130+ countries
~ $8 Billion in revenue
8 major lines of business, each with its own CIO / technology team
Presentation Overview
How can we sell security?
– Statistics and screenshots
– Regulatory issues
How can we ensure security exists at all levels?
What is the importance of governance?
How do you measure security success?
Security Selling Principles
Done right, appropriate levels of Information Security can:
Give your company a serious competitive advantage
Improve system uptime and employee productivity
Enhance your reputation in the eyes of your customers and business partners
Demonstrate compliance to local, federal and international regulatory statutes
Ensure viable long-term e-Commerce capabilities
Security: Selling Tactics
Statistics
Demonstrations
Regulatory Requirements
Measurements and Metrics
Competitive Advantage
Stories
ROI?????
Remember: Politics trump technology, but dollars always trump politics….
Selling Tactics: Some Quick Statistics
General Internet attack trends are showing a 64% annual rate of growth – Symantec
The average company experiences 32 cyber-attacks per week – Symantec
The average measurable cost of a serious security incident in Q1/Q2 2002 was approximately $50,000 – UK Dept of Trade & Industry
Identity-theft-related personal information is selling for $50-$100 per record – LOMA Resource 12/02
Average of 79 new vulnerabilities per week in 2002!!
Security: Why?
More Statistics – Attack Propagation Speed

                                   Code Red (2001)       Slammer (2003)
Initial compromise rate            1.8 hosts / hour      420 hosts / hour
Infected population doubling time  37 min.               8.5 sec.
Single host scan rate              11 probes / sec.      26,000 probes / sec.
Vulnerable population saturation   24 hours              30 minutes

More vulnerabilities = higher likelihood of attack
Faster attack propagation = less time to react
A Total Novice Can be a Hacker Today
Over time, attacks have gotten more complex, while the knowledge required to attack has gone WAY down
[Chart: Level of Damage Capable vs. Level of Knowledge Required, both on a 0–10 scale]
Selling Tactics: Demonstrations
http://www.packetstormsecurity.org has tens of thousands of free hacker tools available for download
Selling Tactics: Regulatory Environment
Canada: Personal Information Protection and Electronic Documents Act (2001)
US: HIPAA
US: Gramm-Leach-Bliley (GLBA)
US, California: SB 1386 – mandates public disclosure of computer-security breaches in which confidential information may have been compromised. Becomes active on July 1, 2003.
EU: European Data Directive 95/46/EC
UK: Data Protection Act of 1998
http://www.privacyinternational.org/countries/index.html
Assuming management buys in to having an appropriate security posture…
How Do We Ensure Security Exists at All Levels?
1. Know your business
2. Partner with the business (vs. being a “road-block” or adversary)
3. Gain the trust of your business
4. Partner with audit, legal, HR, PR, compliance, project management, etc.
5. Build relationships with key IT resources
6. Pick a model to measure against
7. Implement the model
8. Measure and report metrics (scorecards, etc.)
Things to Consider
You need to balance operational risks with security risks
Security controls should always be appropriate to the level of risk being managed
What is good for operations is good for security
Availability (as opposed to Confidentiality or Integrity) is usually the most important to the business
Security can be an enabler / profit center / competitive advantage
Picking a Model: What Level of Security is Appropriate?
ISO 17799 (Best Practices) – the ten control areas (ISO 17799:2000 section numbers in parentheses):
Security Policy (3)
Security Organization (4)
Classification & Control of Assets (5)
Personnel Security (6)
Environmental & Physical Security (7)
Computer & Network Management (8)
System Access Controls (9)
System Development & Maintenance (10)
Business Continuity Planning (11)
Compliance (12)
[Figure: each control area scored on a 1–10 scale – How much is Enough?]
Source: Forsythe Solutions, used with permission
Security: How Much?
Layers of Information Security Controls

Layer / Dimension    ISO 17799 sections    Example controls
Network              4.2, 8.5, 9.4, 9.8    Perimeter Protection, Network Security Monitoring, Secure Remote Access
Platform             5.1, 8.2, 9, 10       Minimum Baseline Standards, Operational Procedures, Standardized Configurations
Application          3, 8, 9.6, 10         Identity & Access Management, Secure Coding Practices
Physical             7, 8.6, 9.3           Data Center Security, Office Access Security, Desktop & Server Controls
People / Process     3-12                  Security Awareness Program, Policies & Standards, Security Risk Management Program
Regulatory / Legal   3, 12                 Privacy & Security Steering Committee, eBusiness Insurance, Contract Reviews
Security: Where?
Security Tips: Network Layer
Technologies: Firewalls, ACLs, NIDS, NAV, Proxies, VPNs, Intrusion Prevention, Asset Databases, and Authentication Services
Try to minimize the number of network entry points you have to manage
Insert security reviews into change control processes
Compartmentalize the network as much as is reasonable
Make vulnerability assessments mandatory for production services (accreditation)
Access controls for VPNs
Security: Where and How?
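As an added illustration of what a "security review inside change control" can look like at the network layer, the following script reviews a set of firewall/ACL rules against a compartmentalized zone model and flags rules that undo the compartmentalization. This is example code written for this page, not material from the presentation; the zones, address ranges, port list and rules are all constructed for the demonstration.

```python
"""Added example: automated review of firewall/ACL rules against a zone model.
Not from the presentation; zones, addresses, rules and port list are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical compartments (constructed). Higher trust number = more sensitive.
ZONES = {
    "internet":   (ipaddress.ip_network("0.0.0.0/0"), 0),
    "dmz":        (ipaddress.ip_network("203.0.113.0/24"), 1),
    "corp":       (ipaddress.ip_network("10.0.0.0/8"), 2),
    "datacenter": (ipaddress.ip_network("10.100.0.0/16"), 3),
}
# Ports that should only ever be reachable from a management network / jump host.
REMOTE_ADMIN_PORTS = {22, 23, 3389, 5900}


@dataclass
class Rule:
    rule_id: str
    action: str                         # "allow" or "deny"
    src: str                            # CIDR
    dst: str                            # CIDR
    ports: set = field(default_factory=set)   # empty set means "any port"


def zone_of(cidr: str) -> str:
    """Longest-prefix match of a rule address block against the zone table.

    0.0.0.0/0 ("internet") is the fall-back, so anything not inside a named
    internal compartment is treated as untrusted."""
    net = ipaddress.ip_network(cidr)
    best = None
    for name, (zone_net, _) in ZONES.items():
        if zone_net.version == net.version and zone_net.supernet_of(net):
            if best is None or zone_net.prefixlen > ZONES[best][0].prefixlen:
                best = name
    return best


def review(rules) -> dict:
    """Return {rule_id: [reasons]} for every allow rule that merits review."""
    findings = {}
    for r in rules:
        if r.action != "allow":
            continue
        reasons = []
        src_net, dst_net = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        src_trust, dst_trust = ZONES[src_zone][1], ZONES[dst_zone][1]

        if src_net.prefixlen == 0 and dst_net.prefixlen == 0 and not r.ports:
            reasons.append("any/any/any allow rule: no compartmentalization at all")
        if src_zone == "internet" and dst_trust >= ZONES["corp"][1]:
            reasons.append(f"internet reaches internal zone '{dst_zone}' directly, bypassing the DMZ")
        if src_trust < dst_trust and (not r.ports or r.ports & REMOTE_ADMIN_PORTS):
            reasons.append(f"remote-administration ports open from less trusted zone '{src_zone}'")
        if reasons:
            findings[r.rule_id] = reasons
    return findings


# Constructed rule set standing in for a proposed change.
RULES = [
    Rule("r1", "allow", "0.0.0.0/0", "203.0.113.10/32", {443}),     # internet -> DMZ web: fine
    Rule("r2", "allow", "203.0.113.10/32", "10.100.5.20/32", {1433}),  # DMZ web -> DB: fine
    Rule("r3", "allow", "0.0.0.0/0", "10.100.0.0/16", {3389}),       # internet -> DC RDP: bad
    Rule("r4", "allow", "0.0.0.0/0", "0.0.0.0/0"),                   # any/any: bad
    Rule("r5", "allow", "10.0.0.0/8", "10.100.0.0/16", {22}),        # all of corp -> DC SSH: review
    Rule("r6", "deny", "0.0.0.0/0", "0.0.0.0/0"),                    # default deny: ignored
]

if __name__ == "__main__":
    for rule_id, reasons in review(RULES).items():
        for reason in reasons:
            print(f"{rule_id}: {reason}")
```

The check is deliberately conservative: r5 is not necessarily wrong, but SSH from the entire corporate range into the datacenter is exactly the kind of rule that should be narrowed to a jump host before the change is approved.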
Security Tips: Platform Layer
Implement minimum baseline security standards
Ensure adequate patch management tools exist
Have standard desktop & server images
Insert security reviews into change control processes
Ensure systems administrators receive both IT and security training
Make vulnerability assessments mandatory for all production services
Technologies: Filesystem permissions, encryption, patch application tools, auditing & logging, anti-virus, HIDS
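One platform-layer technology the slide names is HIDS. The following added example (written for this page, not code from the presentation) shows the core of a host-based integrity check: snapshot content hashes and permission modes of files under a standard image, then diff a later snapshot to surface modified, added, removed and re-permissioned files. The directory tree it examines is constructed in a temporary directory to stand in for a real /etc and /bin.

```python
"""Added example: minimal file-integrity baseline check (the idea behind HIDS).
Not from the presentation; the sample file tree below is constructed for the demo."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash and permission mode for every regular file under root.

    Mode is recorded too: a setuid bit appearing on a binary is as much an
    integrity event as a content change, and a hash alone would miss it."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(path.stat().st_mode),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added / removed / modified / mode_changed lists."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            if baseline[rel]["sha256"] != current[rel]["sha256"]:
                report["modified"].append(rel)
            if baseline[rel]["mode"] != current[rel]["mode"]:
                report["mode_changed"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a fake system tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake binary")
        os.chmod(root / "bin" / "ls", 0o755)

        baseline = build_baseline(root)

        # Tampering: config weakened, binary made setuid, a file removed, a cron job dropped in.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "bin" / "ls", 0o4755)
        (root / "passwd").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

In production the baseline would be stored off-host (an attacker with root can rewrite a local baseline), and the comparison fed to the same auditing and logging pipeline the slide lists alongside HIDS.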
Security Tips: Application Layer
Publish samples of secure code and minimum application security requirements
Ensure security is consulted early and frequently in the systems development lifecycle
Make sure developers understand network architecture constraints
Conduct application level vulnerability assessments
Conduct source code security reviews
Technologies: SSL/HTTPS, PKI, Middleware, .Net, J2EE, CORBA, C++, PERL, Application Firewalls, source code and application scanners
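The slide recommends publishing samples of secure code together with minimum application security requirements. The following is an added example of such a sample (written for this page, not code from the presentation, and the presentation names no specific bug class): the insecure and secure forms of a database lookup side by side, plus an allow-list input check of the kind a minimum requirement might mandate. SQL injection is used purely as the illustrative class; the table and the users in it are constructed.

```python
"""Added example: a publishable 'secure code sample' for developers.
Not from the presentation; SQL injection chosen as the illustrative bug class,
the in-memory user table is constructed."""
import re
import sqlite3

# Minimum requirement example: usernames must match an allow-list pattern
# before they are used anywhere. This is defense in depth, not a substitute
# for parameterized queries.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """INSECURE: the caller-supplied value is spliced into the SQL text, so a
    value containing quotes rewrites the query instead of being compared."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """SECURE: the value is bound as a parameter; the database never parses it as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> bool:
    """Allow-list validation to apply at the trust boundary before any lookup."""
    return bool(USERNAME_RE.match(username))


def demo() -> dict:
    """Run both forms against a classic tautology payload and a normal name."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_user_unsafe(conn, payload)),   # whole table leaks
        "safe_rows": len(lookup_user_safe(conn, payload)),       # no such user
        "payload_passes_validation": validate_username(payload),
        "normal_rows": len(lookup_user_safe(conn, "alice")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A sample like this is only useful to developers if it is paired with the requirement it illustrates (here: all database access goes through parameterized queries, and external input is allow-list validated at entry), and if application scanners and code reviews are configured to flag the unsafe pattern.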
Security Tips: Physical Layer
Conduct datacenter security certifications and audits
Ensure information security policies include provisions for:
– Infrastructure equipment placement
– Clean work area / desk standards
– Data destruction and deletion
– Locking screen saver
– Boot passwords
Ensure integrity of asset management and inventory control databases
Photo ID badges for office access
Ensure you have access to building access logs
Have video surveillance at key locations
Security Tips: People Dimension
Have a security awareness program with clear executive sponsorship:
– Policies & standards
– Social engineering
– General security principles
– Developer workshops
– Data classification standards & examples
– Education & training
Ensure written policies exist and are well communicated:
– Vulnerability Assessments & Penetration Testing
– Quarterly Audits
– Incident Response Plans / Procedures & Forensics
– Metrics
Ensure proper governance is established around policies, standards, and procedures
Ensure Security is included in Application and Project Lifecycles
Ensure IT staff receive both technical and security training
Security Tips: Legal Dimension
Know your regulatory environment
Limit downstream liability
Limit “Standard” e-Commerce Risks:
– Repudiation
– Torts: Defamation (slander/libel), Other
– False Advertising
– Brand Dilution, etc.
HR Procedures
Contract & RFP Reviews
Ongoing e-Law Research
Due Care / Due Diligence
Security Tips: Governance
Build strong relationships with business stakeholders
– Gain trust and buy-in
Establish review and approval processes
Establish governance team(s) - committees
– Schedule regular meetings
– Report issues and exceptions to senior management
Ensure security value proposition exists and is well communicated to senior management
Security: Governance Ties it Together
Utopian World Or: How You Know You’ve Done it Right
A cross-functional executive committee regularly reviews and approves corporate security policies
Employees are regularly trained, and understand all security policies and responsibilities
Metrics are captured to regularly measure and report program efficiency
– Incidents are tracked
– Regular vulnerability assessments are conducted
– All exceptions are rated by risk level and regularly reviewed & corrected in a timely fashion
Management buys in to security’s value proposition
How You Know You’ve Done It Right - 2
Repeatable processes ensure security is inserted very early and frequently in project and systems lifecycles
Security is built into corporate culture and is viewed as a competitive advantage
Executive buy-in is obvious – videos, regular emails, posters, etc.
Your company is not seriously impacted by the newest viruses and attacks
Questions?