Layered Security: Protecting Your Data in Today's Threat Landscape


WHITE PAPER

BRIAN HONAN, BH CONSULTING


IT SECURITY AND COMPLIANCE AUTOMATION SOLUTIONS


EXECUTIVE SUMMARY

Information is the lifeblood of many organizations, and thanks to modern computing technology, that information can be easily shared with colleagues, clients and suppliers. As our dependency on computers and technology deepens, so do the risks and threats to those systems. These threats range from curious teenagers to disgruntled employees, activists, criminals, industrial and state-sponsored spies, terrorists and even nation states engaged in warfare.

To ensure the security of a company's business-critical information, it is essential to develop a cohesive multi-layered strategy to address the threats. Traditionally, organizations focus their defensive controls at the perimeter in the belief that this makes it difficult for attackers to penetrate systems. However, once this perimeter is breached, the attackers have relatively free rein within the network. Hardened perimeter defenses alone also fail to manage the threat from internal sources.

Organizations need to develop a multi-layered security strategy that focuses on the confidentiality, integrity and availability of the information being protected. A multi-layered approach to security ensures that if one layer fails or is compromised, other layers will compensate and maintain the security of that information. In turn, each of these layers should have multiple controls deployed to preserve the confidentiality, integrity and availability of the information. Some of the most critical of these controls include system configuration hardening, file integrity monitoring, and log management.

This paper will examine the various threat sources to protected information, along with the different security layers and controls that can be implemented to tackle those threats. It also discusses the dependencies and sources of failure to consider when implementing these layers and controls, and how to prioritize them.

EVOLUTION OF THREATS

Ever since computing began, systems have been under threat, either from those with malicious intent or from mistakes by well-intentioned people. As the business use of computers evolved over the years, so have the threats facing them.

Initially, external threats were limited predominantly to those interested in breaking into computer systems out of curiosity, to determine how computers worked. In the majority of cases, the motivation was curiosity and fame, not malicious intent.

The introduction of personal computers and the Internet resulted in much greater data sharing, which allowed organizations to be more effective and communicate better with their customers. While the threat posed by those who were simply curious still remained, a new threat emerged from those motivated by financial gain. This new group saw the explosion of systems onto the Internet as an opportunity to make money by exploiting weak system security. Others saw the Internet as a medium for activism and attacked systems to gain notoriety for their cause, mainly by defacing websites of organizations with which they did not agree.

The explosion of the Internet as a platform for commerce in the first decade of the 21st century added a new threat. Organizations now store and transmit ever-increasing amounts of sensitive data on their computer systems, including confidential company information, customer data, credit card information or intellectual property. Just as computers and the Internet provide organizations with opportunities to reach new markets, they also provide organized criminal gangs with new opportunities to exploit weak security. These gangs often reap financial gains with little risk of being prosecuted.

Computer viruses and other malware have also evolved over the past decades. Although the first computer viruses were relatively benign, over the years they have grown more sophisticated and destructive. Today malware is a major tool in the arsenal of computer criminals and other threat actors.

Just as computers and networks have evolved to enable organizations to be more productive, so have the threats. The traditional insider threat still remains, and as technology has progressed, so have the knowledge, capabilities, sophistication and profiles of the external threat sources. Understanding what you are trying to protect and who your threat sources are is critical to deploying the controls that protect against those threats.


THREAT SOURCES

Threats to information security can come from many sources. Generally, threat sources can be split into two main categories: external and internal. External threat sources range from state-sponsored foes to industrial espionage, organized criminals, and individuals hacking out of curiosity or activism. Internal threats can come from employees or contractors, whether acting with malicious intent or simply through carelessness.

Any organization will face a variety of threats, some more serious than others. For example, an organization working on government defense contracts will face different threats than a small local business with a website and no e-commerce capability. An online retailer processing thousands of credit card details will face different threats than a news website.

EXTERNAL THREAT SOURCES

Numerous external threat sources can impact the security of your information and systems. While attackers can be categorized into different groups, some attackers fall into more than one group, and others move from one group to another as their skills and motivations evolve. External threat sources can broadly be categorized into the following groups:

EXTERNAL TARGETED THREAT SOURCES

» FOR PROFIT

Predominantly driven by criminal groups, for-profit threats focus on making money through their activities. These range from extorting money from system owners by threatening to take their systems offline, to breaking into systems to steal financial information: the organization's own online banking systems, or the financial information of its customers, such as credit card details. The infamous TJX breach is an example of such a threat.[1]

» CHAOTIC

Those motivated by a cause will use their technical skills to attack the websites and systems of organizations they have a grievance with. These attacks range from defacing websites to breaking into systems to steal information that could embarrass the target organization. Others attack organizations simply for thrills and entertainment. Anonymous and LulzSec are prime examples.[2]

STATE SPONSORED

State-sponsored threats generally have much greater funding and more resources than other threat sources, and as a result they are harder to detect, respond to and defend against. Some nation states may also engage criminal gangs to carry out their attacks, to provide a level of plausible deniability should the attack be detected. The two main threat sources in this category are:

» STATE SPONSORED ESPIONAGE

Hostile nations, or contractors working for their governments, will attempt to break into the computer systems of foreign governments to steal sensitive information.

» STATE SPONSORED ATTACKS

Hostile nations may also directly attack the computer systems of a target government. Attacks may be against military or civilian targets, with the aim of disrupting those systems or causing them to fail. Attacks may also break into a target country's systems to spread false information that results in confusion and chaos. The development of tools, or cyber weapons, to enable such attacks is a key concern. Although no government or group has been assigned responsibility for the Stuxnet worm,[3] many speculate that it was a state-sponsored attack because it was aimed at the Iranian government's uranium enrichment program.

FIG. 1 The evolution of threat sources (timeline from 1980 to 2005 plotting threat actors, from students and script kiddies through hackers and crime gangs to spies, against their motivation: curiosity, personal fame, personal gain, national interest)

EXTERNAL OPPORTUNISTIC THREAT SOURCES

While certain attacks from external sources are aimed at specific organizations, many other attacks are simply opportunistic, with no distinct target. These threats are:

» MALWARE AND BOTNETS

Modern malware, such as viruses, worms and Trojans, is typically not written with a specific target in mind. Rather, these attacks aim to infect as many computers as possible to steal sensitive financial data such as credit card information. They may also be aimed at creating a network of computers (a botnet) that criminals can control.

Botnets provide criminals with the ability to industrialize their efforts, allowing them to:

» Perform DDoS attacks against a target system and demand payment from the system owner to prevent further attacks;

» Send spam emails promoting activities the criminal gang may be involved in, such as illicit pharmaceuticals, adult websites or illegal goods;

» Send phishing emails to customers of financial institutions in order to harvest their financial details; or

» Spread other malware to the infected systems, or infect other systems to increase the size, and therefore the capability, of the botnet.

Criminal gangs also offer their botnets for hire, enabling those without the technical skills to easily get involved in online criminal activity.[4]

» COMPROMISED WEBSITES

Criminals will often break into the websites or systems of unsuspecting organizations to host their phishing sites, spread malware to unsuspecting users visiting that site, or store and distribute illegal material. These websites will not be noticeably altered, as the longer the compromise goes undetected, the longer the criminals can use the site to carry out their activities.

» INEXPERIENCED ATTACKERS

Not all attackers have sophisticated computing skills. Those less technically capable can download and use tools developed by more skilled attackers. Their indiscriminate use of these tools and lack of technical knowledge means that this type of attacker (derisively referred to as a "script kiddie") can potentially, and often unintentionally, cause damage to systems despite their inexperience.

INTERNAL NON-MALICIOUS THREAT SOURCES

Many employees in an organization do not wish to cause any damage or harm to the systems they use as part of their day-to-day jobs. Most simply use computers as a tool to help them get their job done. Sometimes, however, even the most well-intentioned employee can pose a threat to the security of an organization's systems.

FIG. 2 Types of threat by organization type ("The Pyramid of Pain"). Layer 1 threats, faced by all organizations: disgruntled or ex-employees, malware and botnets, inexperienced attackers, careless users, compromised websites, accidental disruption, accidental victim. Layer 2 threats: for-profit external attackers. Layer 3 threats: moles, state-sponsored attacks and espionage. Organization types shown from the base of the pyramid to its apex: all organizations; advocacy organizations; NGOs and political organizations; financial institutions and technology companies with IP; high-value R&D organizations and critical network infrastructure; government organizations and defense contractors.

» ACCIDENTAL DISRUPTION

Users who are untrained or unfamiliar with a certain system may unintentionally alter or delete information. For example, they could delete a file or files on a server, or corrupt system information by overwriting or altering certain files.

» ACCIDENTAL VICTIM

Employees may visit websites laced with malware that the site's owner or a criminal has added. The malware, which has been designed to exploit bugs or vulnerabilities in browsers, inadvertently gets downloaded onto and infects vulnerable computers.

In other cases an external attacker may dupe the employee into clicking a link in an email or providing their logon credentials over the phone, which results in the attacker gaining access to the organization's systems.

» THE CARELESS USER

Some users will compromise systems by simply not following, or ignoring, the advice they have been given on how to perform their role securely. This could range from sending confidential information over insecure channels such as email, downloading sensitive information onto portable media such as a CD or USB key, losing a laptop, or writing down their logon credentials on a piece of paper.

INTERNAL MALICIOUS THREAT SOURCES

The malicious insider threat is one that can cause the greatest damage, as the insider is a trusted individual with access to systems containing sensitive data and in-depth knowledge of the weaknesses in those systems. The actions of Jérôme Kerviel, a junior equities trader at Société Générale who caused a loss of $7.2 billion in 2008, are a prime example of an internal threat.

Generally, the malicious insider can be broken into three categories:

» THE MOLE

The mole is an individual who has targeted a specific organization by becoming a member of its staff, or an employee of a company providing services to the target organization, with the sole purpose of gaining access to sensitive information or disrupting systems. Typically this type of threat source targets government agencies, private companies working on sensitive government contracts, or organizations developing solutions with high-value intellectual property.

Alternatively, the mole may be an existing employee who is persuaded by someone else, either by coercion or bribery, to compromise sensitive systems or information.

Due to the high risk of being caught and the value of the targeted systems, a mole is typically sponsored or supported by a well-funded adversary such as a nation state, organized crime or an aggressive competitor.

» DISGRUNTLED EMPLOYEE

An employee may become disgruntled for a variety of reasons. In retaliation for perceived slights, the employee may attempt to steal information (in order to sell it to interested third parties) or seek revenge by destroying data or shutting down systems, as in the case of a UBS employee in 2002.[6]

It is also possible that some employees who are either in the process of leaving the organization, or feel their role is under threat through redundancy or mergers, will copy sensitive data to use in their new place of employment or to sell to others.

» FORMER EMPLOYEES

Another form of disgruntled employee is the former employee who feels aggrieved because their employment was terminated. In some cases the former employee's system access is not revoked, or they know and use the logon credentials of a former colleague, to remotely access and compromise the systems and information. An example of such an attack is that of a former employee of Gucci America.[7]


SECURITY LAYERS

Relying on a single security layer is no longer prudent in today's threat landscape. Organizations need to focus on the information they are protecting and build layers of security around it. In effect, they need to create a defense-in-depth solution.

DEPENDENCIES/SOURCES OF SECURITY FAILURES

As previously mentioned, many organizations focus their security controls on the perimeter of their networks. When those controls are breached, the attackers have relatively easy access to sensitive systems and data within the network. This is commonly known as "M&M security," as the security structure of the system is similar to M&M candy: hard on the outside, but soft on the inside. Once the attacker has breached the hard perimeter and is inside the network, they gain access to any number of systems because they are now viewed as a trusted user, or are completely invisible to the organization.

When an organization focuses its security controls on one layer of protection, such as the perimeter layer, its entire security can be dependent on those controls working effectively at all times against all threats. Should one of those controls fail, the entire security layer can be bypassed. Given today's threats, security professionals need to build security in defensive layers so that if one layer is breached, the other layers continue to provide security. Many security breaches are the result of incorrectly configured systems, out-of-date software patches, inappropriate user access permissions, lack of awareness of the security threats, or inadequate policies, processes and procedures.

Often an information security management system fails when individual controls fail and no other controls are in place to monitor, detect and/or compensate for that failure. This situation is exacerbated when those controls are developed in isolation; in such cases, they provide no overlapping protection and cannot communicate with each other. Without the ability to monitor the effectiveness of their security controls, organizations cannot even determine if the controls are appropriate. Without monitoring, an organization also will not know when it has suffered a security incident. This in turn can lead to ineffective incident response, as the organization does not know the source, target or extent of the breach.

Clearly organizations must take a layered approach when designing their security system. This approach should ensure it protects the confidentiality, integrity and availability of that information. It should also ensure that all security controls are integrated and focused on managing the various levels of risk posed against key information and systems. Focusing on controls such as firewalls, anti-virus software or other technical controls alone is not the answer. More technology will not secure the information; a combination of better management and the right technology will.

FIG. 3 Typical security layers organizations should consider (layered security matrix). The matrix maps each security layer (rows) against the preventive and detective controls (columns) that apply to it; the row and column labels are reproduced here.

Security layers: Physical Layer; Network Perimeter; Local Area Network; Wide Area Network; Virtualization Hypervisor; Virtualization Virtual Network; Host System; Application; Intellectual Property; Entrusted Data (e.g. PII); Sensitive Databases; Sensitive Files.

Preventive controls: User Access Control; Network Access Control; Encryption; System Hardening; Software Patching and Updates; Malware Detection/Prevention; Security Awareness Training; Policies & Procedures.

Detective controls: Change Control; Security Configuration Management; Log Monitoring; File Integrity Monitoring; Vulnerability Management; Incident Alerting.

APPROACHES TO PRIORITIZATION

Implementing a layered security program is similar to implementing any other business initiative: executives contend with a lack of staff and budget and therefore cannot implement everything they want. Organizations must therefore take a risk-based approach to identifying and implementing the various information security controls, and should focus on the information being protected.

The following steps are key to developing this risk-based approach:

STEP 1: IDENTIFY KEY INFORMATION

The adage "you cannot protect what you do not know" is especially true in information security. Therefore, the first step is to identify what information is important to the organization and where that information is located.

STEP 2: CATEGORIZE INFORMATION

Once identified, the information should be categorized in accordance with its importance to the organization. This importance can be a monetary value or an abstract valuation based on the impact the loss of that information would have on the organization's business operations or reputation.

STEP 3: IDENTIFY THREATS

The organization should next look at the various threats, and sources of threats, posed against the identified and now categorized information. For example, a government-funded threat source will pose a greater threat than a casual attacker. Whether an organization needs to worry about government-sponsored attacks will depend on the nature of its business.

STEP 4: ASSESS VULNERABILITIES

Once the threats have been identified, the organization should next identify vulnerabilities in existing security controls and ascertain the likelihood that they will be exploited. For example, a vulnerability that is technically difficult to exploit is potentially of less concern than an easily exploited one.

STEP 5: ASSESS THE RISKS

Once the above has been ascertained, the information security risks posed against the organization can be determined by examining the various threats, their sources, the likelihood of a threat materializing, and the impact a threat will have on the protected information. These risks can then be categorized based on their potential impact to the organization. By following this process, an organization can prioritize which risks require additional security controls to better protect its information and systems.

STEP 6: IDENTIFY CONTROLS

At this point, the organization can identify what specific security controls it needs at the various layers to ensure all risks are at a level acceptable to the business. Begin by identifying controls that address the highest-rated risks. The focus should start with the controls at the information layer, proceeding to the controls needed at the various outer layers. Beyond the implementation of technical controls, the organization must ensure that proper policies, processes and procedures are in place and adhered to. Such adherence may require training of personnel.

STEP 7: IMPLEMENT CONTROLS

The organization should now begin implementing the controls, ensuring a layered approach is taken so that if one control fails, the organization is aware of the failure and other controls can compensate. As controls are implemented, they should be tested to verify that they both work as planned and address the risk they are supposed to manage.

STEP 8: MONITOR CONTINUOUSLY

Over time business requirements change, new systems are added to the network, and the technology used on systems changes and gets updated regularly. As such, it is important that this risk-based approach be a continuous process that evolves with the business. Learning from past mistakes and identified weaknesses in the security controls, whether from people, process or technology, will enable the security controls protecting critical assets to mature in line with the business's requirements.


LAYERED SECURITY CONTROLS

Numerous security controls can be implemented when an organization is designing a multi-layered security infrastructure. These controls generally fall into preventive and detective categories.

PREVENTIVE SECURITY CONTROLS

The following are some of the main preventive controls that an organization should consider:

MALWARE DETECTION/PREVENTION

Given the high prevalence of malware, all computer systems should have software installed that identifies and prevents it. It is equally important to ensure that the anti-malware software is kept up to date so it can prevent the latest versions of malware from attacking the systems.

SOFTWARE PATCHING AND UPDATES

Keeping critical software patched and up to date makes it more difficult for attackers to break into those systems. Therefore it is critical to consistently update systems with the latest software releases and patches.

SYSTEM HARDENING

The typical default configurations of most applications and operating systems enable them to work in the majority of environments. However, these generic configurations are often the least secure, so systems should be hardened. This process involves taking steps such as removing default user accounts and passwords, removing unnecessary services, and adjusting permissions.

USER ACCESS CONTROL

The access rights set on systems and other resources should reflect the level of access different users require to conduct their jobs. For example, people in sales and marketing do not need access to the payroll system. Likewise, within the payroll system a manager should have a different access level than an administrative person.

NETWORK ACCESS CONTROL

How systems access the network should be strictly controlled. This can be done by isolating sensitive systems from the main network into dedicated secure segments, with access to those network segments controlled via firewalls configured with strict access rules. Perimeter defenses should include mechanisms such as firewalls, intrusion detection systems and network traffic filtering.

SECURITY AWARENESS TRAINING

It is important to train employees so that they are fully aware of the risks and threats posed against the systems and information they use. It is equally important to ensure they understand the security controls that are in place. Particular focus should be placed on training users to recognize attempts to elicit sensitive information from them via emails, phone calls or other means.

POLICIES AND PROCEDURES

Well-written, clear and concise policies and procedures help ensure that everyone is fully aware of the importance of implementing the various security controls, each user's role in ensuring those security controls are effective, and the consequences of those controls being ignored or bypassed.

ENCRYPTION

Encrypting sensitive information, whether it is at rest or in transit, can ensure that only authorized personnel have access to it. Should the encrypted information be copied or stolen, it will be unreadable, and therefore of no value, to anyone who does not also obtain the keys; protecting and managing those keys is therefore part of the control.

FIG. 4 The most effective preventive controls within a multi-layered security strategy:

» Data layer: user access control, encryption

» Application layer: software patching and updates, system hardening

» Host layer: system hardening, software patching and updates, user access control, malware detection/prevention

» Network layer: network access control, encryption, system hardening, malware detection/prevention

» Physical layer: security awareness training, policies and procedures


DETECTIVE SECURITY CONTROLS

Preventive controls alone are not enough; threats change and evolve daily, and it is essential to constantly monitor and review controls to ensure they are working as intended and providing effective security. More importantly, it is essential that the organization is aware when controls fail so that it can react accordingly.

CHANGE CONTROL

When changes to systems are managed and planned, their impact can be minimized and any adverse effects on security can be quickly identified and remedied. Unplanned changes can introduce vulnerabilities into systems. If these vulnerabilities go unnoticed, they could be exploited by a threat source. When attacking systems, attackers often make changes that allow them to better infiltrate the network or extract targeted information. Actively monitoring for unauthorized changes on key systems can quickly identify a potential weakness or attack.

FILE INTEGRITY MONITORING

Knowing that changes have been made to critical files can help organizations determine when they are being modified for malicious reasons. For example, a computer virus infecting a system will replace or change critical system files. Regularly monitoring the integrity of these critical files can provide a clear and early warning that the security of a system may have been breached.
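The check described above, as an added example that is not part of the white paper: a minimal file integrity monitor in Python. It records a baseline of every regular file under a directory (SHA-256 of the contents plus size and permission bits) and, on a later scan, reports files that were added, removed or modified, naming which attribute changed. The directory contents and the simulated intrusion (a second UID-0 account appended to passwd, a permission change on sshd_config, a deleted hosts file, a dropped ld.so.preload) are constructed for the example. The permission bits are recorded deliberately: a chmod leaves the hash untouched, so a hash-only monitor would miss it.

```python
"""Minimal file integrity monitor: record a baseline, then report what changed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash the contents and record the metadata an intruder commonly alters."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> dict:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files need their own rules; skipped here
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; 'modified' lists the attributes that differ per file."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, simulate an intrusion, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated attacker actions (constructed for this example):
        (etc / "passwd").write_text(                      # second UID-0 account appended
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        os.chmod(etc / "sshd_config", 0o777)              # content untouched, permissions weakened
        (etc / "hosts").unlink()                          # file deleted
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")  # new file that hijacks library loading
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

In a real deployment the baseline must live where the monitored host cannot rewrite it (signed, or held on a separate system): a baseline the intruder can edit after planting a backdoor detects nothing, which is why the white paper pairs this control with change control and log monitoring rather than relying on it alone.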

LOG MONITORING

One of the most effective yet underutilized tools for securing a system is the log files generated by applications, operating systems and network devices. Log files contain valuable information on what happened on a system, who did it, when it happened and where it came from. Monitoring log files for unusual entries or specific security events can quickly alert the organization to a security breach so that it can respond accordingly.
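As an added example (not from the white paper), the following Python runs three detection rules over sshd-style authentication log lines: a brute-force rule that fires once when a source address reaches a number of failed logins inside a time window, a rule for a successful login from an address that had just been failing (guessing that worked), and a rule on any root login. The sample log, including every host name, user, address and PID, is constructed for the example; the thresholds and window are assumptions to tune for your own environment.

```python
"""Detection logic over sshd-style authentication log lines (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the classic syslog layout used by sshd on Linux; every
# host name, user, address and PID below is made up for this example.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 51922 ssh2
Mar  3 09:13:10 web01 sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  3 09:13:12 web01 sshd[2142]: Failed password for invalid user oracle from 203.0.113.7 port 40002 ssh2
Mar  3 09:13:15 web01 sshd[2144]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  3 09:13:17 web01 sshd[2146]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar  3 09:13:20 web01 sshd[2148]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar  3 09:13:24 web01 sshd[2150]: Accepted password for root from 203.0.113.7 port 40006 ssh2
Mar  3 09:40:00 web01 sshd[2301]: Failed password for alice from 10.0.0.23 port 50111 ssh2
Mar  3 09:40:09 web01 sshd[2303]: Accepted password for alice from 10.0.0.23 port 50112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log_text: str, year: int = 2024) -> list:
    """Turn raw lines into event dicts. Syslog stamps carry no year or zone, so the
    caller supplies the year; a production pipeline should normalise to UTC first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # real deployments should count these: a blind parser hides attacks
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({**m.groupdict(), "ts": ts})
    return events


def detect(events: list, threshold: int = 5, min_failures: int = 3,
           window: timedelta = timedelta(minutes=10)) -> list:
    """Three rules evaluated over a sliding window of failures per source address."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of failed logins, oldest first
    for ev in events:
        ip = ev["ip"]
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            failures[ip] = recent  # drop failures that fell out of the window
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("BRUTE_FORCE", ip, f"{threshold} failures within {window}"))
        else:
            if len(recent) >= min_failures:  # guessing that ended in a valid login
                alerts.append(("SUCCESS_AFTER_FAILURES", ip,
                               f"{ev['user']} logged in after {len(recent)} failures"))
            if ev["user"] == "root":
                alerts.append(("ROOT_LOGIN", ip, f"root login via {ev['method']}"))
    return alerts


def run_detection() -> list:
    """Parse the constructed sample and return the alerts it raises."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, ip, detail in run_detection():
        print(f"{kind:<23} {ip:<15} {detail}")
```

The alice lines are there to show why the second rule needs a minimum failure count: one mistyped password followed by a login is normal and must not page anyone, whereas five failures followed by a root login from the same address is the pattern worth waking up for. The unparsed-line branch matters as much as the rules: log formats drift with software updates, and a parser that silently drops what it cannot read turns the monitoring control into a false sense of security.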

VULNERABILITY MANAGEMENT

Regular vulnerability testing of security controls is a critical step in securing systems. Identifying which vulnerabilities exist, whether they are in the software, system configuration, process or human layers, enables appropriate steps to be taken to address them.

SECURITY CONFIGURATION MANAGEMENT

Once the organization has designed and implemented secure configurations for various systems, it is essential to actively manage those configurations. With effective security configuration management in place, new systems or applications that are added to the infrastructure can be quickly secured to the appropriate level. In addition, changes to systems can be quickly identified, and the appropriate secure configuration applied in a timely manner to ensure the system's ongoing security.

INCIDENT ALERTING

Responding to a suspected security incident in a timely manner is essential to minimizing the incident's impact on the organization. Being able to identify suspicious activity and be alerted to it in a timely and informed manner helps ensure that the appropriate response can be taken.
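As an added example (not from the paper), the following Python detector illustrates the log monitoring and incident alerting points above: it parses constructed sshd-style syslog lines into the who, what, when and where the paper describes, raises an alert when one source address accumulates repeated failed logins inside a time window, and escalates if that same source then logs in successfully. The log lines, host names, addresses, threshold and the assumed year (syslog lines carry none) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines (sample data, not from any real system).
SAMPLE_LOG = """\
Sep 12 10:00:01 web01 sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Sep 12 10:00:03 web01 sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 50212 ssh2
Sep 12 10:00:05 web01 sshd[4103]: Failed password for root from 198.51.100.7 port 50213 ssh2
Sep 12 10:00:08 web01 sshd[4104]: Failed password for root from 198.51.100.7 port 50214 ssh2
Sep 12 10:00:11 web01 sshd[4105]: Failed password for root from 198.51.100.7 port 50215 ssh2
Sep 12 10:00:20 web01 sshd[4110]: Accepted password for root from 198.51.100.7 port 50216 ssh2
Sep 12 10:05:30 web01 sshd[4120]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
"""

# Pulls out when (ts), what (outcome), who (user) and from where (src).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse(line: str, year: int = 2011):
    """Return (timestamp, outcome, user, source) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
    return ts, m["outcome"], m["user"], m["src"]

def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert 'brute_force' when one source reaches `threshold` failures inside `window`,
    and escalate to 'success_after_failures' if that source then logs in successfully."""
    failures = defaultdict(list)   # source address -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, src = ev
        recent = [t for t in failures[src] if ts - t <= window]   # drop stale failures
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("brute_force", src, ts.isoformat(), user))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", src, ts.isoformat(), user))
        failures[src] = recent
    return alerts
```

`detect(SAMPLE_LOG.splitlines())` yields two alerts for 198.51.100.7 (the threshold being reached, then the successful login that followed) and nothing for the routine key-based login from 192.0.2.10.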

DETECTIVE CONTROLS

DATA LAYER: File integrity monitoring, Change control, Log monitoring

APPLICATION LAYER: FIM, Change control, Log monitoring, Vulnerability mgmt

HOST LAYER: Security configuration mgmt, Change control, FIM, Log monitoring, Vulnerability mgmt, Incident alerting

NETWORK LAYER: Security configuration mgmt, Change control, FIM, Log monitoring, Vulnerability mgmt, Incident alerting

PHYSICAL LAYER: Security awareness training, Policies & procedures

FIG. 5 The most effective Detective Controls within a multi-layered security strategy

Page 10: Layered Security: Protecting Your Data in Today's Threat Landscape


SUMMARY

In today's business world, information is the key to success. Yet now more than ever, that information faces threats to its security. For this reason, it is essential that information be secured so that it is only available to those authorized to access it. This increasing threat environment, coupled with a more interconnected world, mobile and remote workforces, and ease of information sharing, means our traditional perimeter-centric view of security is no longer valid. There is no single perimeter or layer behind which all things are secure.

The evolving nature of the security threats many organizations face requires organizations to cease their reliance on a single layer of security to protect their sensitive data and systems. Instead, a multi-layered approach needs to be taken—one in which the security controls are selected and implemented with information at its core. This approach should also ensure that the selected controls are integrated to enable the organization to better visualize and manage potential threats.

In turn, this will ensure that the organization can obtain and act on more accurate intelligence to better manage business risks.

Now more than ever, information security can no longer be a set-and-forget solution, but instead needs to be effectively developed, thoughtfully implemented, and continuously managed. Only then can organizations have confidence that the information that they and their customers rely on is protected.

ABOUT BRIAN HONAN

Brian Honan is an independent security consultant based in Dublin, Ireland, and is recognized as an information security industry expert. He has addressed a number of major conferences relating to the management and securing of information technology, such as RSA Europe, BruCON, Source Barcelona and numerous others. Brian is COO of the Common Assurance Maturity Model and founder and head of IRISSCERT, which is Ireland's first CERT. Brian also sits on the Technical Advisory Board for a number of innovative information security companies, and is on the board of the UK and Irish Chapter of the Cloud Security Alliance. Brian is the author of the book "ISO 27001 in a Windows Environment", is regularly published in a number of industry-recognized publications, and serves as the European Editor for the SANS Institute's weekly SANS NewsBites, a semi-weekly electronic newsletter.



Page 12: Layered Security: Protecting Your Data in Today's Threat Landscape

Tripwire is a leading global provider of IT security and compliance solutions for enterprises, government agencies and service providers who need to protect their sensitive data on critical infrastructure from breaches, vulnerabilities, and threats. Thousands of customers rely on Tripwire's critical security controls like security configuration management, file integrity monitoring, log and event management. The Tripwire® VIA™ platform of integrated controls provides unprecedented visibility and intelligence into business risk while automating complex and manual tasks, enabling organizations to better achieve continuous compliance, mitigate business risk and help ensure operational control.

LEARN MORE AT WWW.TRIPWIRE.COM OR FOLLOW US @TRIPWIREINC ON TWITTER.

©2011 Tripwire, Inc. Tripwire, VIA, Change IQ and Log Center are trademarks or registered trademarks of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPLS1o 201109