1

Session 3 - Overview

Ensuring that a company is able to continue day-to-day operations is a core function of the IT organization. Security is a vital element that contributes to smooth operations. Tools, processes and management engagement are attributes of a quality security management framework.


2

Current Key Questions to Ask

How vulnerable / exposed is your organization to security threats and interruptions? How would you know that you were exposed or under attack?

What is your organization's ability to respond to security incidents? (i.e., denial of service, cyber-crime)

Are you getting value for your security dollar spent? Are there any cost or efficiency opportunities?

How well is security integrated into new business and technology initiatives?

Are you taking your business to the Internet? Have you thought through the security ramifications?

How well does your current security infrastructure (i.e., organization, process, policy, technology) match your future business strategy and business needs/requirements?

How do you compare to your peers? Your industry?

3

Security Strategy Framework

The various components of the architecture and strategy combine to form the Security Framework. The Framework is a unified representation of the people, process and technology components that need to be addressed in the development of an enterprise security program.

The Framework consists of several interconnected components, each of which contains a specific set of requirements and deliverables that contribute to the overall architecture and strategy. Once each component has been implemented, the Framework will enable a company to proactively reduce risk, adhere to regulatory, security, and privacy standards, and enable security to effectively support its business requirements.

The objective, represented by the circle on the framework, is Availability, Confidentiality, and Integrity.

Source: © Ernst & Young LLP

4

Security Strategy & Architecture

Security Strategy Drivers

• Compliance with applicable legislation, standards and regulations (management controls, privacy, etc.)

• Protecting the company’s image and reputation

• Information security – Confidentiality, Integrity, Availability

• Protection from internal and external threats
  – Unauthorized access
  – Loss of intellectual property
  – Malicious software
  – Business interruption

• Maintain technical currency

• Business efficiencies (bottom line ROI)

• Business interests in high-risk regions, countries, expanding market segments (e.g., gov’t)

• Extended enterprise models (business partner arrangements, networking requirements)

• Portable computing variations (on-site, remote, wireless)

We must enable the business to evolve and operate effectively while maintaining a secure, compliant environment.

Source: © Ernst & Young LLP

5

Governance Policies & Standards

Principles (Policies & Standards):

– Policies and standards for all key aspects of IT security:
  • are defined and reviewed/updated on a regular basis,
  • balance risk with business needs,
  • are aligned with process and technology capabilities,
  • are consistent with industry practices, and
  • are communicated and followed.


Source: © Ernst & Young LLP

6

Governance Policies & Standards (cont’d)

Principles (Governance):

• IT Security is a fundamental responsibility of every employee. Governance to ensure compliance is the responsibility of IT.

• The governance of IT security will integrate with the overall governance model for IT.

• Frequent Security Control Meetings are used as the primary governing mechanism.


Source: © Ernst & Young LLP

7

Asset Profiling

Principles:

– All physical IT Assets are:
  • known, authorized and compliant with policies and standards,
  • classified according to criticality and the sensitivity/importance of the information assets they support,
  • secured and managed consistent with their classification,
  • maintained/patched to minimize risks/vulnerabilities, and
  • supported by appropriate security service levels.

– Critical information assets are identified, owned and protected.


Source: © Ernst & Young LLP

8

Technical Security Architecture

Principles:

• Provide a framework for incorporation of security into the IT Architecture that promotes the use of standardized components across the infrastructure

• Maintain effective security of the environment in the most effective manner and with the least amount of complexity.

• Provide a security infrastructure that supports a ubiquitous, high-availability environment
  – Enforce the utilization of strong security baseline controls for all infrastructure elements
  – Prevent the use of unauthorized systems on the Lucent infrastructure
  – Provide defenses against the use and proliferation of harmful applications and traffic on the network


Source: © Ernst & Young LLP

9

Processes and Operational Practices

Principles:

• Security is an integral part of the IT delivery model and security must be “baked in” rather than “layered on” wherever possible.

• Security processes are clearly defined, managed and measured, with a clear understanding of risks, control activities and required control evidence documentation.


Source: © Ernst & Young LLP

10

Technical Specifications

Principles:

• Technical Specifications (i.e. Minimum Security Baseline Standards) are defined, maintained, and consistent with industry practice.

• Compliance with Technical Specifications is verified as part of the design/implementation of Applications and Infrastructure.

• Technical Specifications are developed/modified to consider applicable risks, operational and technical feasibility.

• Exceptions are handled through a formal Non-Compliance Exception process.


Source: © Ernst & Young LLP

11

People and Organizational Management

Principles:

– Security Organizational design consists of key areas:
  • Security Strategy & Architecture
  • Security Work Intake & Client Engagement
  • Security Management Controls and Oversight
  • Security Operational Controls (Change, Incident, Release, Problem)
  • Application Design & Implementation (incl. security design/test)
  • Infrastructure Design & Implementation (incl. security design/test)
  • Applications Support and Minor Enhancements
  • Security Incident Management & Monitoring

– Separation of Duties is evident in role definition and execution.


Source: © Ernst & Young LLP

12

Security Program Compliance and Reporting

Principles:

• Compliance with Security Policies, Standards and Procedures is mandatory and must be enforced.

• Security Compliance is managed as part of a company’s overall compliance program.

• Security compliance is verified by a variety of mechanisms including mandatory training/compliance modules, automated monitoring, and compliance checklists.

• Exceptions are handled through a formal Non-Compliance Exception process.

Source: © Ernst & Young LLP

13

IT Security Architecture Principles

• Provide a framework for incorporation of security into the IT Architecture that promotes the use of standardized components across the infrastructure

• Maintain effective security of the environment in the most effective manner and with the least amount of complexity.

• Provide a security infrastructure that supports a ubiquitous, high-availability environment
  – Enforce the utilization of strong security baseline controls for all infrastructure elements
  – Prevent the use of unauthorized systems on the infrastructure
  – Provide defenses against the use and proliferation of harmful applications and traffic on the network

14

IT Security Architecture Attributes

Defense in Depth
– Placement of successive defense layers
– Each layer complements, fortifies other layers
– Minimize single points of failure

Separation of Risks
– Segmentation of infrastructure into security “zones”
– Enhanced protection for critical areas
– Restrictive access between zones
– Prevent cascading failure

Least Privilege
RBAC
– Access to resources based on business roles & functions
– Promote confidentiality and accountability for critical resources

Monitoring
– Compliance Checking
– Continuous monitoring and event correlation
– Enforces policy compliance
– Enhances incident prevention and response capabilities

15

IT Security Architecture – Framework: ITU X.805 Security Model

Security Dimensions: Authentication, Non-Repudiation, Data Confidentiality, Communications Security, Data Integrity, Availability, Privacy, Access Control

Security Layers: Applications Security, Services Security, Infrastructure Security

Security Planes: Management Plane, Control Plane, End User Plane

Vulnerabilities, Threats and Attacks (threat categories): Destruction, Corruption, Removal, Disclosure, Interruption

16

Security Architecture – Layers Framework

Security Planes: Management Plane, Control Plane, End User Plane

Security Layers: Applications Security, Services Security, Infrastructure Security

Controls placed on the framework:
– Anti-Malware Control
– Role-Based Access Control
– Policies
– Network Level Access Control
– Partnership Network Connectivity Standards
– Infrastructure Partitioning
– Monitoring, Detection, & Response
– Physical Security Controls
– Identity Management
– Directory Services
– Authentication (Token/SmartCard)
– PKI
– Encryption (Desktop, Messaging, Storage)
– Encryption (Network Layer - IPSec/VPN/SSL)
– Web Services Security

17

Areas to Study

Functional Area: Reasoning

Compliance Monitoring: Inventory and software update management. Used to generate patch compliance reports.

Application Firewall: Used to protect some eBusiness applications.

Vulnerability Scanning: Used to scan DMZ applications and provide some vulnerability assessment capabilities.

Intrusion Detection – Personal Firewall: Block unwanted inbound and outbound ports along with detecting suspicious traffic.

Identity Mgmt: Provides access control to systems and applications.

Event Correlation: Provides event correlation across the various security tools.

Vulnerability Scanning: Provides automated network vulnerability assessment across servers, desktops, and infrastructure devices.

Intrusion Detection – Network and Host: Provides enterprise class intrusion detection.

18

Areas to Study – Cont’d.

Functional Area: Reasoning

Certificate Mgmt: Better integration with Windows products (i.e., operating system and IIS).

Authentication / Single Sign-On: Authenticates users against AD and LDAP.

Remote Access Mgmt: The combination of all three components provides a comprehensive remote access solution.

Anti-Malware – Exchange: Industry leading anti-virus/malware solution for Microsoft Exchange servers. It leverages 3 industry leading virus scan engines in combination to scan all emails.

Anti-Malware – Internet Gateway: Enterprise class UNIX based virus protection system that forms part of a 3-tiered approach to virus protection.

19

e-Business Security Challenges

• Protect corporate network resources against internal and external threats

• Provide worldwide connectivity for mobile and remote employees and customers

• Use the Internet to lower wide area data communication costs

• Provide business partners with selective network access through a secure extranet

• Guarantee the secure network’s performance, reliability and availability

• Define and enforce user-level security policies across the network

• Immediately detect and respond to attacks and suspicious activity against the network

• Securely and efficiently manage the network’s IP address infrastructure

• Implement an open security solution that allows integration with other applications

• Manage the total cost of ownership across the secure network

20

The Five Worst Security Mistakes End Users Make:

1) Opening unsolicited email attachments without verifying their source and checking their content first.

2) Failing to install security patches.

3) Installing screen savers or games without safety guarantees.

4) Not making and testing backups.

21

The Ten Worst Mistakes Information Technology People Make:

1) Connecting systems to the Internet before hardening them. (removing unnecessary devices and patching necessary ones).

2) Connecting test systems to the Internet with default accounts and passwords.

3) Failing to update systems when security vulnerabilities are found and patches or upgrades are available.

4) Using telnet and other unencrypted protocols for managing systems, routers, firewalls and PKI (Public Key Infrastructure).

5) Giving users passwords over the phone, or changing passwords in response to telephone or personal request when the requester is not authenticated.

6) Failing to maintain and test backups.

7) Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices (some of these are Unix specific).

8) Implementing firewalls with rules that allow malicious or dangerous traffic - incoming or outgoing.

9) Failing to implement or update virus detection software.

10) Failing to educate users on what to look for and what to do when they see a potential security problem.
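A host-side check for the unnecessary and cleartext services named in items 4 and 7, as an added example that is not part of the slides: it parses `ss -tln`-style listener output (the Linux iproute2 column layout is assumed, and the sample is constructed) and reports each network-reachable legacy listener together with the mistake it maps to.

```python
"""Host listener audit for the legacy services the list above names
(telnetd, ftpd, finger, rpc, mail, rservices).  Added example; it parses
`ss -tln`-style output, a format assumed from Linux iproute2."""

# Well-known port -> (service, which mistake on the list it relates to).
LEGACY_SERVICES = {
    21:  ("ftpd",    "7: unnecessary service; cleartext credentials (4)"),
    23:  ("telnetd", "4: unencrypted management protocol"),
    25:  ("smtpd",   "7: unnecessary service (mail)"),
    79:  ("fingerd", "7: unnecessary service (user enumeration)"),
    111: ("rpcbind", "7: unnecessary service (rpc)"),
    514: ("rshd",    "7: rservices; cleartext (4)"),
}

# Constructed sample shaped like `ss -tln` output; not a real host capture.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       128            0.0.0.0:23           0.0.0.0:*
LISTEN  0       5            127.0.0.1:25           0.0.0.0:*
LISTEN  0       128               [::]:111             [::]:*
LISTEN  0       128            0.0.0.0:443          0.0.0.0:*
LISTEN  0       128            0.0.0.0:514          0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return (local_address, port) for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header and any non-listening rows
        # The port follows the last ':' so IPv6 forms like [::]:111 parse too.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners

def audit_listeners(ss_output):
    """Findings for legacy services reachable beyond loopback."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        # Loopback-only listeners (e.g. a local MTA) are not network-exposed.
        if port in LEGACY_SERVICES and addr not in ("127.0.0.1", "[::1]"):
            service, reason = LEGACY_SERVICES[port]
            findings.append({"port": port, "service": service, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {f['port']:>4} {f['service']:<8} mistake {f['reason']}")
```

On the constructed sample the audit flags telnetd (23), rpcbind (111) and rshd (514), while SSH, HTTPS and the loopback-only SMTP listener pass.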

22

The Seven Worst Security Mistakes Senior Executives Make:

1) Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.

2) Failing to understand the relationship of information security to the business problem - they understand physical security but do not see the consequences of poor information security.

3) Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow through necessary to ensure that problems stay fixed.

4) Relying primarily on a firewall.

5) Failing to realize how much money their information and organizational reputations are worth.

6) Authorizing reactive, short term fixes so problems re-emerge rapidly.

7) Pretending the problem will go away if they ignore it.

23

Enterprise Security Architecture

A comprehensive security framework leads to dysfunctional, disconnected, and/or ineffective security organizations.

Consistently applied policies and standards across domains (inter- and extra-enterprise).

Need for a centralized security content management system and intuitive user interface to content.

Ability to enforce security policies, procedures, and standards.

Awareness of good security hygiene.