Vulnerability Management: Mitigating Your Company’s Security Risks

Matt Tolbert, CISSP

Senior Manager, Ernst & Young Security & Technology Solutions Group, New York City


AGENDA:

1. Where are today’s security risks?

2. What are today’s solutions to mitigate risk?

3. How are others managing their security vulnerabilities?

4. How do I manage my company’s vulnerabilities?


While simple is desirable…


…business processes are complex…

[Figure: sample retail business-process flow diagram. It links SAP MM (inventory and consumables: purchasing, goods receipt, goods issue, inventory management), SAP FI (general ledger, A/R, A/P, inventory accounts), SAP CO/PA (cost center accounting, profitability analysis), a web front end, warehouse systems (System I, System H, EXE, AS 400, i2, E-Gate Product IQ) at Jamesburg, Dayton, Memphis and Rockleigh, vendors, external retailers and customers through some 47 numbered interfaces such as demand-driven and replenishment POs, PO extracts, sales/demand information, ASNs (advance shipment notices), goods receipts and issues, picking requests and confirmations, order status, inventory levels, title updates, invoices, payment authorization and returns. Legend: functionality PwC will implement, functionality PwC will augment, functionality left as is; existing BN.COM interface/system; interface/system assumed in place for May 1st; SAP-related interface/system for May 1st.]


…application architectures are extensive…

[Figure: reference application architecture. Client Services: browser, HTML, DHTML, XML, Java, ActiveX; client devices PC, phone/cell phone, fax, pager, PDA, HPC. Firewall / load balancing. Web Server and Web “Contact” Services: communication, control, query & reporting, media apps, mail, chat, messaging, HTTP, audit, monitoring, search & index, usage statistics, streaming audio, streaming video. Firewall. Application Services and Core Services: e-commerce, content management, EAI, state/session, membership/registration, personalization/localization, rules engine, configurator, credit check, fulfillment, syndication, translation/mapping, XML, EDI, content management/delivery, storefront/catalog, marketing/promotion, custom business logic. Data Services: file system, structured, unstructured, legacy, RDBMS, ODBMS, mail store, message store, mainframe, midrange, SANs, documents, images. Corporate Services: ERP, analysis, CRM, SCM, SFA, call center, DW/DSS, business intelligence, financials, logistics, human resources, procurement, manufacturing, order processing, KM index/retrieval.]


…and IT infrastructures are nontrivial…

[Figure: four-tier IT infrastructure diagram. Internet Access Tier: DSU/CSU connection to ISP and Internet, firewall servers, load balancers, cache servers (Internet Access Subnet, DMZ Subnet). Web Presentation Tier: Gigabit Ethernet backbone switch, Ethernet switches, web servers (Presentation Subnets). Web Services Tier: application servers, catalog servers, content management servers behind a firewall server (Presentation Services Subnet, Web Services Subnet). Business Operations Tier: ERP (financials, logistics, HR, etc.), data warehouse/data mart, EAI (messaging), warehouse management behind a firewall server and Gigabit Ethernet backbone switch (Operations Subnet).]


…so the risk of exposure to security vulnerabilities is greater than ever.


1. TODAY’S SECURITY RISKS


Where are Today’s Security Risks?

• Malevolent actions and attacks—internal and external

• Unintended consequences due to lack of internal controls

• Non-compliance with government regulations

• Competitive intelligence

• Pervasive computing

• Integration of systems and applications

1.1 Today’s Security Risks


Reported Security Incidents Growing

[Figure: bar chart of reported security incidents per year, 1988 through 2000, y-axis 0 to 25,000; ©2001 Carnegie Mellon University]

1.2 Today’s Security Risks


Where Do These Incidents Originate?

Internal and external sources of risk are nearly equivalent.

1.3 Today’s Security Risks


Cited Security Vulnerabilities

1.4 Today’s Security Risks


What are the Consequences?

• Financial losses

– Direct loss of revenue

– Costs to recover and remedy

– Insurance recovery and premiums

• Public perception and brand recognition

• Customer impact

• Government regulatory compliance

– Fines

– Imprisonment

1.5 Today’s Security Risks


Financial Impact of Security Vulnerabilities

1.6 Today’s Security Risks


Attack Trends

• Automated attacks through new tools

• Increasing sophistication of attack tools

• Faster discovery of vulnerabilities

• Increasing permeability of firewalls

• Increasingly asymmetric threats

• Increasing threat from infrastructure attacks

1.7 Today’s Security Risks


Speed of Attack: Honeypot Findings

• Server discovered in under 20 minutes

• Vulnerability scans commence in under 2 hours

• Concerted intrusion attempts in under 2-3 days

• Discovery of vulnerability after initial intrusion on average of 5 minutes

1.8 Today’s Security Risks


Likely Sources of Attack

1.9 Today’s Security Risks


Sophistication of Attacks Increasing

[Figure: chart of attack sophistication (rising) against intruder knowledge (falling), 1980 to 2002, with attackers' tools progressing from password guessing, self-replicating code, password cracking and exploiting known vulnerabilities through disabling audits, back doors, burglaries, hijacking sessions, sweepers, sniffers, packet spoofing, denial of service, GUI tools, automated probes/scans, network management diagnostics, www attacks, “stealth”/advanced scanning techniques and DDoS attacks; ©2001 Carnegie Mellon University]

1.10 Today’s Security Risks


Internet the Most Common Point of Attack

1.11 Today’s Security Risks


Attack Trends: Top Attack Categories

• Protocol Violation 43%

• Unauthorized Access Attempt 22%

• Suspicious Activity 18%

• Denial of Service 10%

• Pre-attack Probe 6%

• Back Door 1%

Internet Security Systems June 2002

1.12 Today’s Security Risks


Attack Trends: Top Attack Sources

[Figure: two pie charts of attack sources by country. First chart: United States 38%, Other 35%, Italy 9%, Korea 7%, China & Hong Kong 6%, Great Britain 5%. Second chart: United States 41%, Korea 13%, China 11%, Germany 8%, Canada 6%, France 6%, Taiwan 4%, Italy 4%, Great Britain 4%, Japan 3%.]

Riptech 3-4Q2001

Internet Security Systems June 2002

1.13 Today’s Security Risks


Attack Trends: Top Declared Emergencies

• Internet Extortion 27%

• Internet Stalking 18%

• Hacker Intrusion 18%

• Disgruntled Former Employee 10%

• Denial of Service 9%

• Fraud 9%

• Theft of information 9%

Internet Security Systems June 2002

1.14 Today’s Security Risks


Attack Trends: Attacks by Industry

[Figure: bar chart, attacks per company by industry (y-axis 0 to 1000); values and industries paired in the order they appear on the chart]

• Other 422

• Healthcare 439

• E-Commerce 477

• ASP 520

• Manufacturing 561

• Nonprofit 592

• Business Services 600

• Media-Entertainment 706

• Power & Energy 725

• Financial Services 895

• High Tech 961

Riptech 3-4Q2001

1.15 Today’s Security Risks


Attack Trends: Severe Attacks by Industry

[Figure: bar chart, severe attacks per company by industry (y-axis 0 to 14); values and industries paired in the order they appear on the chart]

• ASP 0.16

• E-Commerce 0.33

• Nonprofit 1.06

• Media/Entertainment 1.19

• Other 1.42

• Healthcare 1.45

• Manufacturing 2.05

• Business Services 2.62

• High Tech 6.63

• Financial Industry 9.23

• Power & Energy 12.5

Riptech 3-4Q2001

1.16 Today’s Security Risks


Attack Trends: Attacks by Company Size

[Figure: bar chart, attacks per company by number of employees (y-axis 0 to 1000)]

• 1-499 employees: 560

• 500-999 employees: 905

• 1000-4999 employees: 901

• 5000+ employees: 845

Riptech 3-4Q2001

1.17 Today’s Security Risks


Attack Trends: Top Destination Ports

• Port 80 (Web/http) 67%

• Port 161 (snmp in) 8%

• Port 21 (ftp) 6%

• Port 25 (mail/smtp) 5%

• Port 1433 (sql) 3%

• Port 69 (tftp) 3%

• Port 162 (snmp out) 3%

• Port 22 (ssh) 2%

• Port 139 (netbios-ssn) 2%

• Port 23 (telnet) 1%

Internet Security Systems June 2002

1.18 Today’s Security Risks


Regulatory Compliance

• Electronic Signatures in Global & National Commerce Act (“E-Sign”)

• FDA 21 CFR Part 11

• Gramm-Leach-Bliley (GLB) Act of 1999

• Health Insurance Portability & Accountability Act (HIPAA) of 1996

• Uniform Computer Information Transactions Act (UCITA)

• USA Patriot Act of 2001

• U.S. Safe Harbor

1.19 Today’s Security Risks


Consequences of Non-Compliance

• Significant fines

• Imprisonment

• Increased insurance premiums

• Additional legal costs

• Higher costs for reacting to compliance audits

• Direct and indirect business loss

1.20 Today’s Security Risks


2. TODAY’S SOLUTIONS FOR MITIGATING RISK


Resolving Security Risks

2.1 Today’s Solutions for Mitigating Risk


Vulnerability Alerts

• CERT: www.cert.org

• eSecurityOnline: www.eSecurityOnline.com

• SecurityFocus: www.SecurityFocus.com

2.2 Today’s Solutions for Mitigating Risk


Security Technology Enablers

• Network

– Firewalls

– Intrusion detection (IDS)

– Internal/external VPN

– Wireless encryption

• Server

– Intrusion detection (IDS)

– Secure shell

– Trusted system configuration

– Enterprise antivirus software

• Entitlement Management

– Directory services (LDAP)

– Single sign-on (SSO)

– Biometrics

• Integration

– Encrypted EDI

– Public key infrastructure (PKI)

– IPSec

2.3 Today’s Solutions for Mitigating Risk


HP Security Solutions

• Atalla Network Security Processors – for secure financial transactions (ATM, POS, EFT)

• HP-UX AAA – authentication, authorization and accounting based on the RADIUS protocol

• HP-UX Secure Shell

• HP-UX Trusted System

• HP Toptools Remote Security Management

• HP IDS/9000 – system-level intrusion detection

• Proliant-based VPN/Firewall – based on CheckPoint VPN-1 and Firewall-1 software

• HP-UX IPSec/9000

• HP-UX IP Filter – stateful firewall server

www.hp.com/security

2.4 Today’s Solutions for Mitigating Risk


HP IDS/9000 Example

2.5 Today’s Solutions for Mitigating Risk


3. HOW OTHERS MANAGE THEIR SECURITY VULNERABILITIES


Characteristics of World-Class Vulnerability Management

1. Business and security objectives are aligned

2. Security programs are enterprise-wide

3. Vulnerability management is continuous

4. Responses to vulnerabilities are proactive

5. Security programs are validated

6. Security frameworks are formalized

3.1 How Others Manage their Security Vulnerabilities


Security Readiness

[Figure: risk intelligence plotted against time. The traditional approach shows an initial assessment followed by periodic assessments; the proactive approach shows an initial assessment followed by ongoing monitoring.]

3.2 How Others Manage their Security Vulnerabilities

©2001 Ernst & Young LLP


Vulnerability Management Model

3.3 How Others Manage their Security Vulnerabilities

©2001 Ernst & Young LLP


Security Technologies Used

3.4 How Others Manage their Security Vulnerabilities


4. MANAGING MY ORGANIZATION’S VULNERABILITY


Vulnerability Scorecard

1. Do I know of all the IT assets I have?

2. Am I confident my critical IT assets are secure?

3. Am I monitoring my assets to detect virus attacks, external hacks, and internal intrusions?

4. Do I have updated policies and procedures addressing IT security?

5. Do I have current disaster and business continuity planning?

6. Do I know what my Business Partners are doing?

7. Does my Internal Audit group assess and validate my risk profile?

8. Am I fully compliant with government regulations?

(Score each question YES or NO.)

4.1 Managing My Organization’s Vulnerability


Approach to Vulnerability Management

1. Security Governance

2. IT Asset Management

3. Vulnerability Assessment

4. Vulnerability Management

4.2 Managing My Organization’s Vulnerability


Step 1: Security Governance

4.3 Managing My Organization’s Vulnerability

©2001 Ernst & Young LLP


Step 2: IT Asset Management

• Continuous process for managing IT assets

• Automated asset discovery software

• Detailed asset management database

• Change control processes in place

• Integration with helpdesk services

• Self-service functions

4.4 Managing My Organization’s Vulnerability


Step 3: Vulnerability Assessment

• Implement a continuous assessment process

• Leverage detailed asset management database

• Business impact assessment to organization if vulnerability is realized

• Prioritization & alignment with organization goals and requirements

4.5 Managing My Organization’s Vulnerability


Step 4: Vulnerability Management

• Enterprise security strategy and standards

• Centralized management of monitoring and testing

• Proactive identification of vulnerabilities specific to your organization

– Asset management database

– eSecurityOnline-type customized notification

• Computer Emergency Response Program (CERP)

• Mitigation of risks through technology enablers

– Firewalls

– Enterprise antivirus software and mail filters

– Enterprise entitlement management

– Intrusion detection systems

4.6 Managing My Organization’s Vulnerability
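As an added illustration of Steps 2 to 4 (not part of the original presentation), the following Python sketch keys a vulnerability alert feed off an asset management database, flags hosts that discovery found but the database does not know, and orders the resulting work items by business impact. The tier weights, product names, versions, hostnames and alert identifiers are constructed assumptions.

```python
"""Vulnerability management steps 2 to 4 in miniature: an asset inventory, an
alert feed matched against it, and business-impact-driven prioritisation.
All data below is constructed sample data, not from the presentation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    product: str            # normalised product name, as recorded in the asset database
    version: str
    tier: str               # infrastructure tier the asset sits in
    business_impact: int    # 1 (low) .. 5 (critical), from the business impact assessment


@dataclass(frozen=True)
class Alert:
    alert_id: str
    product: str
    affected_versions: frozenset   # versions the advisory reports as vulnerable
    severity: int                  # 1 (low) .. 5 (critical), as rated by the alert source
    remote: bool                   # remotely exploitable?


# Exposure weight per tier (assumed weights): internet-facing tiers count more
# when a flaw is remotely exploitable; local-only flaws get no exposure bonus.
TIER_EXPOSURE = {"internet-access": 3, "web-presentation": 3,
                 "web-services": 2, "business-operations": 1}


def unmanaged_hosts(discovered, assets):
    """Step 2: hosts found by automated discovery but missing from the asset database."""
    return sorted(set(discovered) - {a.name for a in assets})


def match_alerts(assets, alerts):
    """Steps 3/4: join the alert feed to the asset database by product and version.
    Alerts for products or versions not in inventory produce no work items, which is
    what an inventory-keyed (customised) notification feed adds over a raw feed."""
    return [(a, v) for v in alerts for a in assets
            if a.product == v.product and a.version in v.affected_versions]


def risk_score(asset, alert):
    """Step 3: business-impact-weighted risk = severity x business impact x exposure."""
    exposure = TIER_EXPOSURE.get(asset.tier, 1) if alert.remote else 1
    return alert.severity * asset.business_impact * exposure


def prioritise(assets, alerts):
    """Work list ordered highest risk first, as (score, asset name, alert id)."""
    items = [(risk_score(a, v), a.name, v.alert_id) for a, v in match_alerts(assets, alerts)]
    return sorted(items, key=lambda t: (-t[0], t[1], t[2]))


# Constructed sample inventory, alert feed and discovery scan results.
ASSETS = [
    Asset("web01", "apache-httpd", "1.3.26", "web-presentation", 4),
    Asset("intranet01", "apache-httpd", "1.3.26", "business-operations", 2),
    Asset("sap01", "sap-r3", "4.6c", "business-operations", 5),
    Asset("mail01", "openssh", "3.4", "internet-access", 3),
]
ALERTS = [
    Alert("ALERT-001", "apache-httpd", frozenset({"1.3.24", "1.3.26"}), 4, True),
    Alert("ALERT-002", "openssh", frozenset({"2.9", "3.0"}), 5, True),   # mail01 not affected
    Alert("ALERT-003", "sap-r3", frozenset({"4.6c"}), 3, False),
    Alert("ALERT-004", "iis", frozenset({"5.0"}), 5, True),               # product not in inventory
]
DISCOVERED = ["web01", "intranet01", "sap01", "mail01", "printer07"]

if __name__ == "__main__":
    print("unmanaged hosts:", unmanaged_hosts(DISCOVERED, ASSETS))
    for score, host, alert_id in prioritise(ASSETS, ALERTS):
        print(f"{score:4d}  {host:<12} {alert_id}")
```

The same scoring could be extended with the honeypot timing figures from section 1.8 to set remediation deadlines, but the ranking itself only needs the asset database and the alert feed.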


SUMMARY

• Know your risks so as to make informed decisions

• Align with business goals and requirements

• Establish security governance

• Enterprise-wide consistent approach

• Implement proactive and continuous processes as well as security technologies to manage vulnerabilities


Matt Tolbert, CISSP

Ernst & Young, LLP Security & Technology Solutions Group

(212) 773-5967 [email protected]