Post on 21-Jan-2016
1
Vulnerability Management: Mitigating Your Company's Security Risks
Matt Tolbert, CISSP
Senior Manager, Ernst & Young Security & Technology Solutions Group, New York City
2
AGENDA:
1. Where are today’s security risks?
2. What are today’s solutions to mitigate risk?
3. How are others managing their security vulnerabilities?
4. How do I manage my company’s vulnerabilities?
3
While simple is desirable…
4
…business processes are complex…
[Diagram: a retailer's order-to-cash / procure-to-pay process map (BN Inc / BN.COM example). Nodes include the Web FrontEnd; SAP MM (Inventory and Consumables: purchasing, goods receipt, goods issue, inventory management); SAP FI (General Ledger, A/R, A/P, inventory accounts); SAP CO/PA (Cost Center Accounting, Profitability Analysis); warehouse and fulfillment systems (System I at Memphis, Dayton and Jamesburg; System H at Dayton and Rockleigh; AS/400 Jamesburg; EXE; i2; E-Gate Product IQ; ITR); BN Inc Purchasing and A/P; stores (MTE); customers; external retailers; and vendors (Bookazine, Baker & Taylor, Ingram, others). Roughly 47 numbered interfaces carry POs and PO extracts, advance shipment notices (ASNs), goods receipts and goods issues, picking requests and confirmations, order and ship status, inventory levels and adjustments, titles, invoices, payment authorization, customer and vendor returns, drop-ship confirmations and replenishment catalog POs. Legend distinguishes functionality PwC will implement, augment or leave as is; existing BN.COM interfaces/systems; and interfaces/systems assumed to be in place for May 1st.]
5
…application architectures are extensive…
[Diagram: layered e-commerce application architecture.]
• Client Services: Browser (HTML, DHTML, XML, Java, ActiveX); Client Devices (PC, Phone / Cell Phone, Fax, Pager, PDA, HPC)
• Firewall / Load Balancing in front of the Web Server (Communication, Control, Query & Rpt.)
• Web "Contact" Services: Media Apps, Chat, Messaging, HTTP, Audit, Monitoring, Search & Index, Usage Statistics, Streaming Audio, Streaming Video
• Firewall
• Application Services / Core Services: EAI, State / Session, Membership / Registration, Personalization / Localization, Rules Engine, Configurator, Credit Check, Fulfillment, Syndication, Translation / Mapping, XML, EDI, Content Mgmt / Delivery, Storefront / Catalog, Marketing / Promotion, Custom Business Logic; E-Commerce; Content Mgmt.
• Data Services: File System, Structured, Unstructured, Legacy, RDBMS, ODBMS, Mail Store, Message Store, Mainframe, Midrange, SANs, Documents, Images
• Corporate Services: ERP, Analysis, CRM, SCM, SFA, Call Center, DW / DSS, Business Intelligence, Financials, Logistics, Human Resources, Procurement, Manufacturing, Order Processing, KM Index / Retrieval
6
…and IT infrastructures are nontrivial…
[Diagram: four-tier IT infrastructure, with firewall servers separating the tiers.]
• Internet Access Tier: DSU/CSU connection to ISP & Internet, firewall servers, load balancers, cache servers, Gigabit Ethernet backbone switch (Internet access subnet, DMZ subnet)
• Web Presentation Tier: Ethernet switches, web servers (presentation subnets)
• Web Services Tier: Gigabit Ethernet backbone switch; application servers, catalog servers, content management servers (presentation services subnet, web services subnet)
• Business Operations Tier: firewall server, Ethernet switch, Gigabit Ethernet backbone switch; ERP (Financials, Logistics, HR, etc.), Data Warehouse / Data Mart, EAI (Messaging), Warehouse Management (operations subnet)
7
…so the risk of exposure to security vulnerabilities is greater than ever.
8
1. TODAY'S SECURITY RISKS
9
Where are Today’s Security Risks?
• Malevolent actions and attacks, internal and external
• Unintended consequences due to lack of internal controls
• Non-compliance with government regulations
• Competitive intelligence
• Pervasive computing
• Integration of systems and applications
1.1 Today’s Security Risks
10
Reported Security Incidents Growing
©2001 Carnegie Mellon University
[Chart: security incidents reported to CERT/CC per year, 1988-2000 (y-axis 0-25,000), rising steeply toward the end of the period.]
1.2 Today’s Security Risks
11
Where Do These Incidents Originate?
1.3 Today's Security Risks
[Chart: internal and external sources of risk are nearly equivalent.]
12
Cited Security Vulnerabilities
1.4 Today's Security Risks
13
What are the Consequences?
• Financial losses
  – Direct loss of revenue
  – Costs to recover and remedy
  – Insurance recovery and premiums
• Public perception and brand recognition
• Customer impact
• Government regulatory compliance
  – Fines
  – Imprisonment
1.5 Today’s Security Risks
14
Financial Impact of Security Vulnerabilities
1.6 Today's Security Risks
15
Attack Trends
• Automated attacks through new tools
• Increasing sophistication of attack tools
• Faster discovery of vulnerabilities
• Increasing permeability of firewalls
• Increasingly asymmetric threats
• Increasing threat from infrastructure attacks
1.7 Today’s Security Risks
16
Speed of Attack: Honeypot Findings
• Server discovered in under 20 minutes
• Vulnerability scans commence in under 2 hours
• Concerted intrusion attempts in under 2-3 days
• Discovery of vulnerability after initial intrusion on average of 5 minutes
1.8 Today’s Security Risks
17
Likely Sources of Attack
1.9 Today's Security Risks
18
Sophistication of Attacks Increasing
©2001 Carnegie Mellon University
[Chart (CERT/CC): attack sophistication versus intruder knowledge, 1980-2002. Over the period the sophistication of available attack tools rises from low to high while the knowledge an intruder needs in order to use them falls. Tools and techniques plotted include password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, DDoS attacks, network management diagnostics and burglaries.]
1.10 Today's Security Risks
19
Internet the Most Common Point of Attack
1.11 Today's Security Risks
20
Attack Trends: Top Attack Categories
[Pie chart, Internet Security Systems, June 2002]
• Protocol Violation: 43%
• Unauthorized Access Attempt: 22%
• Suspicious Activity: 18%
• Denial of Service: 10%
• Pre-attack Probe: 6%
• Back Door: 1%
1.12 Today’s Security Risks
21
Attack Trends: Top Attack Sources
[Two pie charts of attack source countries; sources: Riptech 3-4Q2001 and Internet Security Systems, June 2002.]
Chart 1: United States 38%, Italy 9%, Korea 7%, China & Hong Kong 6%, Great Britain 5%, Other 35%
Chart 2: United States 41%, Korea 13%, China 11%, Germany 8%, Canada 6%, France 6%, Taiwan 4%, Italy 4%, Great Britain 4%, Japan 3%
1.13 Today’s Security Risks
22
Attack Trends: Top Declared Emergencies
[Pie chart, Internet Security Systems, June 2002]
• Internet Extortion: 27%
• Internet Stalking: 18%
• Hacker Intrusion: 18%
• Disgruntled Former Employee: 10%
• Denial of Service: 9%
• Fraud: 9%
• Theft of Information: 9%
1.14 Today’s Security Risks
23
Attack Trends: Attacks by Industry
[Bar chart, Riptech 3-4Q2001: attacks per company, by industry]
• Other: 422
• Healthcare: 439
• E-Commerce: 477
• ASP: 520
• Manufacturing: 561
• Nonprofit: 592
• Business Services: 600
• Media / Entertainment: 706
• Power & Energy: 725
• Financial Services: 895
• High Tech: 961
1.15 Today’s Security Risks
24
Attack Trends: Severe Attacks by Industry
[Bar chart, Riptech 3-4Q2001: severe attacks per company, by industry]
• ASP: 0.16
• E-Commerce: 0.33
• Nonprofit: 1.06
• Media / Entertainment: 1.19
• Other: 1.42
• Healthcare: 1.45
• Manufacturing: 2.05
• Business Services: 2.62
• High Tech: 6.63
• Financial Industry: 9.23
• Power & Energy: 12.5
1.16 Today’s Security Risks
25
Attack Trends: Attacks by Company Size
[Bar chart, Riptech 3-4Q2001: attacks per company, by number of employees]
• 1-499: 560
• 500-999: 905
• 1000-4999: 901
• 5000+: 845
1.17 Today’s Security Risks
26
Attack Trends: Top Destination Ports
[Pie chart, Internet Security Systems, June 2002]
• Port 80 (Web/http): 67%
• Port 161 (snmp in): 8%
• Port 21 (ftp): 6%
• Port 25 (mail/smtp): 5%
• Port 1433 (sql): 3%
• Port 69 (tftp): 3%
• Port 162 (snmp out): 3%
• Port 22 (ssh): 2%
• Port 139 (netbios-ssn): 2%
• Port 23 (telnet): 1%
1.18 Today’s Security Risks
27
Regulatory Compliance
• Electronic Signatures in Global & National Commerce Act (“E-Sign”)
• FDA 21 CFR Part 11
• Gramm-Leach-Bliley (GLB) Act of 1999
• Health Insurance Portability & Accountability Act (HIPAA) of 1996
• Uniform Computer Information Transactions Act (UCITA)
• USA Patriot Act of 2001
• U.S. Safe Harbor
1.19 Today’s Security Risks
28
Consequences of Non-Compliance
• Significant fines
• Imprisonment
• Increased insurance premiums
• Additional legal costs
• Higher costs for reacting to compliance audits
• Direct and indirect business loss
1.20 Today’s Security Risks
29
2. TODAY'S SOLUTIONS FOR MITIGATING RISK
30
Resolving Security Risks
2.1 Today's Solutions for Mitigating Risk
31
Vulnerability Alerts
• CERT: www.cert.org
• eSecurityOnline: www.eSecurityOnline.com
• SecurityFocus: www.SecurityFocus.com
2.2 Today’s Solutions for Mitigating Risk
32
Security Technology Enablers
• Network
  – Firewalls
  – Intrusion detection (IDS)
  – Internal/external VPN
  – Wireless encryption
• Server
  – Intrusion detection (IDS)
  – Secure shell
  – Trusted system configuration
  – Enterprise antivirus software
• Entitlement Management
  – Directory services (LDAP)
  – Single sign-on (SSO)
  – Biometrics
• Integration
  – Encrypted EDI
  – Public key infrastructure (PKI)
  – IPSec
2.3 Today’s Solutions for Mitigating Risk
33
HP Security Solutions
• Atalla Network Security Processors: for secure financial transactions (ATM, POS, EFT)
• HP-UX AAA: authentication, authorization & accounting based on the RADIUS protocol
• HP-UX Secure Shell
• HP-UX Trusted System
• HP Toptools Remote Security Management
• HP IDS/9000: system-level intrusion detection
• Proliant-based VPN/Firewall: based on CheckPoint VPN-1 and Firewall-1 software
• HP-UX IPSec/9000
• HP-UX IP Filter: stateful firewall server
2.4 Today’s Solutions for Mitigating Risk
www.hp.com/security
34
HP IDS/9000 Example
2.5 Today's Solutions for Mitigating Risk
35
3. HOW OTHERS MANAGE THEIR SECURITY VULNERABILITIES
36
Characteristics of World-Class Vulnerability Management
1. Business and security objectives are aligned
2. Security programs are enterprise-wide
3. Vulnerability management is continuous
4. Responses to vulnerabilities are proactive
5. Security programs are validated
6. Security frameworks are formalized
3.1 How Others Manage their Security Vulnerabilities
37
Security Readiness
[Chart: risk intelligence over time. The traditional approach (an initial assessment followed by periodic assessments) is compared with the proactive approach (an initial assessment followed by ongoing monitoring).]
3.2 How Others Manage their Security Vulnerabilities
©2001 Ernst & Young LLP
38
Vulnerability Management Model
3.3 How Others Manage their Security Vulnerabilities
©2001 Ernst & Young LLP
39
Security Technologies Used
3.4 How Others Manage their Security Vulnerabilities
40
4. MANAGING MY ORGANIZATION'S VULNERABILITY
41
Vulnerability Scorecard
1. Do I know of all the IT assets I have?
2. Am I confident my critical IT assets are secure?
3. Am I monitoring my assets to detect virus attacks, external hacks, and internal intrusions?
4. Do I have updated policies and procedures addressing IT security?
5. Do I have current disaster and business continuity planning?
6. Do I know what my Business Partners are doing?
7. Does my Internal Audit group assess and validate my risk profile?
8. Am I fully compliant with government regulations?
YES NO
4.1 Managing My Organization’s Vulnerability
42
Approach to Vulnerability Management
1. Security Governance
2. IT Asset Management
3. Vulnerability Assessment
4. Vulnerability Management
4.2 Managing My Organization’s Vulnerability
43
Step 1: Security Governance
4.3 Managing My Organization's Vulnerability
©2001 Ernst & Young LLP
44
Step 2: IT Asset Management
• Continuous process for managing IT assets
• Automated asset discovery software
• Detailed asset management database
• Change controls processes in place
• Integration with helpdesk services
• Self-service functions
4.4 Managing My Organization’s Vulnerability
45
Step 3: Vulnerability Assessment
• Implement a continuous assessment process
• Leverage detailed asset management database
• Business impact assessment to organization if vulnerability is realized
• Prioritization & alignment with organization goals and requirements
4.5 Managing My Organization’s Vulnerability
46
Step 4: Vulnerability Management
• Enterprise security strategy and standards
• Centralized management of monitoring and testing
• Proactive identification of vulnerabilities specific to your organization
  – Asset management database
  – eSecurityOnline-type customized notification
• Computer Emergency Response Program (CERP)
• Mitigation of risks through technology enablers
  – Firewalls
  – Enterprise antivirus software and mail filters
  – Enterprise entitlement management
  – Intrusion detection systems
4.6 Managing My Organization’s Vulnerability
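Steps 2 to 4 above describe one loop: an asset database, a vulnerability feed matched against it, a business-impact-weighted prioritization, and a check that discovery has not turned up hosts the database does not know about (scorecard question 1). The following is an added example of that loop, not code from the presentation, from Ernst & Young or from HP. The inventory, the advisory feed (IDs ADV-0001/ADV-0002, products and versions), the scan results, the scoring weights and the SLA tiers are all constructed assumptions chosen to illustrate the steps.

```python
# Added example (not code from the original presentation or from E&Y/HP):
# one pass of the four-step vulnerability management approach over constructed data.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    host: str
    owner: str
    criticality: int          # business impact if compromised: 1 (low) .. 5 (critical)
    internet_facing: bool
    software: Dict[str, str]  # product -> installed version


@dataclass
class Advisory:
    advisory_id: str          # hypothetical identifier, not a real advisory
    product: str
    fixed_version: str        # installed versions below this are affected
    severity: int             # 1 (low) .. 10 (critical)
    exploit_public: bool


@dataclass
class Finding:
    host: str
    owner: str
    advisory_id: str
    risk: float
    sla_days: int


# Step 2: the asset management database (constructed sample inventory).
INVENTORY: List[Asset] = [
    Asset("web01", "ecommerce", 5, True,  {"httpd": "1.3.20", "openssh": "3.1"}),
    Asset("erp01", "finance",   5, False, {"sapgui": "6.2",   "openssh": "2.9"}),
    Asset("dev03", "r&d",       2, False, {"httpd": "1.3.26", "openssh": "3.4"}),
]

# Step 4: customized notification feed (constructed; IDs and versions are hypothetical).
FEED: List[Advisory] = [
    Advisory("ADV-0001", "httpd",   "1.3.26", 9, True),
    Advisory("ADV-0002", "openssh", "3.4",    7, False),
]

# Hosts reported by automated asset discovery on the network (constructed).
SCAN_SEEN: List[str] = ["web01", "erp01", "dev03", "lab-x"]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions numerically, so 1.3.9 < 1.3.26."""
    return tuple(int(part) for part in version.split("."))


def affected(asset: Asset, adv: Advisory) -> bool:
    """True when the asset runs a version of the advisory's product below the fix."""
    installed = asset.software.get(adv.product)
    if installed is None:
        return False
    return version_tuple(installed) < version_tuple(adv.fixed_version)


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Step 3: business-impact-weighted risk. The weights are assumptions for
    illustration: Internet exposure doubles the score, a public exploit adds 50%.
    The maximum is 10 * 5 * 2.0 * 1.5 = 150."""
    exposure = 2.0 if asset.internet_facing else 1.0
    exploit = 1.5 if adv.exploit_public else 1.0
    return adv.severity * asset.criticality * exposure * exploit


def sla_days(risk: float) -> int:
    """Remediation deadline tiers (assumed policy values, not from the page)."""
    if risk >= 75:
        return 2
    if risk >= 30:
        return 14
    return 60


def assess(inventory: List[Asset], feed: List[Advisory], seen_hosts: List[str]):
    """Match the feed against the inventory, rank findings by risk, and report
    discovered hosts that are missing from the asset database."""
    known = {a.host: a for a in inventory}
    unknown = sorted(h for h in seen_hosts if h not in known)
    findings: List[Finding] = []
    for asset in inventory:
        for adv in feed:
            if affected(asset, adv):
                risk = risk_score(asset, adv)
                findings.append(Finding(asset.host, asset.owner, adv.advisory_id,
                                        risk, sla_days(risk)))
    findings.sort(key=lambda f: (-f.risk, f.host, f.advisory_id))
    return findings, unknown


if __name__ == "__main__":
    ranked, missing = assess(INVENTORY, FEED, SCAN_SEEN)
    for f in ranked:
        print(f"{f.host:6} {f.advisory_id} risk={f.risk:5.1f} owner={f.owner:10} "
              f"fix within {f.sla_days} days")
    print("hosts seen on the network but absent from the asset database:", missing)
```

Run as written, the Internet-facing web server with a publicly exploited flaw ranks first with a 2-day deadline, the same flaw's lower-weighted siblings follow, the development host on fixed versions produces no finding, and lab-x is surfaced as an unmanaged asset to be added to the database before the next pass. In a real program the inventory and feed would come from the asset management system and the notification service rather than from literals, and the weights and SLA tiers would be set by the security governance step.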
47
SUMMARY
• Know your risks so as to make informed decisions
• Align with business goals and requirements
• Establish security governance
• Enterprise-wide consistent approach
• Implement proactive and continuous processes as well as security technologies to manage vulnerabilities
48
Matt Tolbert, CISSP
Ernst & Young, LLP Security & Technology Solutions Group
(212) 773-5967 Matthew.Tolbert@ey.com