Designing Infrastructure that Contains Security at All Levels - PowerPoint PPT Presentation

Designing Infrastructure that Contains Security at All Levels By Jason Witty, CISSP Director, Global Security Architecture Aon Services Corporation – PowerPoint PPT presentation


1
Designing Infrastructure that Contains Security at All Levels
  • Jason Witty, CISSP
  • Director, Global Security Architecture
  • Aon Services Corporation

2
A Little About Aon..
  • Fortune 250 Insurance Services and Human Capital Management Company
  • 54,000 employees
  • 1458 separate operating companies
  • 500 offices world-wide
  • 130 countries
  • $8 Billion in revenue
  • 8 Major lines of business, each with its own CIO / technology team

3
Presentation Overview
  • How can we sell security?
  • Statistics and screenshots
  • Regulatory issues
  • How can we ensure security exists at all levels?
  • What is the importance of governance?
  • How do you measure security success?

4
Security Selling Principles
  • Done right, appropriate levels of Information Security can:
    • Give your company a serious competitive advantage
    • Improve system uptime and employee productivity
    • Enhance your reputation in the eyes of your customers and business partners
    • Demonstrate compliance to local, federal and international regulatory statutes
    • Ensure viable long term e-Commerce capabilities

5
Security Selling Tactics
  • Statistics
  • Demonstrations
  • Regulatory Requirements
  • Measurements and Metrics
  • Competitive Advantage
  • Stories
  • ROI?????
  • Remember: politics trump technology, but dollars always trump politics.

6
Selling Tactics: Some Quick Statistics
  • General Internet attack trends are showing a 64% annual rate of growth
    (Symantec)
  • The average company experiences 32 cyber-attacks per week
    (Symantec)
  • The average measurable cost of a serious security incident in Q1/Q2 2002 was approximately 50,000
    (UK Dept of Trade & Industry)
  • Identity theft related personal information is selling for 50-100 per record
    (LOMA Resource 12/02)
  • Average of 79 new vulnerabilities per week in 2002!!

Security: Why?
7
More Statistics: Attack Propagation Speed
More vulnerabilities = higher likelihood of attack; faster attack propagation = less time to react.

  Metric                              Code Red (2001)       Slammer (2003)
  Initial compromise rate             1.8 hosts / hour      420 hosts / hour
  Infected population doubling time   37 min.               8.5 sec.
  Single host scan rate               11 probes / sec.      26,000 probes / sec.
  Vulnerable population saturation    24 hours              30 minutes
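The "less time to react" point in the table can be made concrete with a simple spread model. The following is an added example (not from the presentation or from Aon): it takes the two measured doubling times from the slide and plugs them into a logistic (susceptible-infected) model, where the infected count doubles every doubling time while it is small and then flattens out as the vulnerable population is exhausted. The vulnerable population size (100,000 hosts) and the 30-minute detect-and-respond window are assumed values chosen for illustration, and the model deliberately ignores bandwidth saturation and patching, so its saturation times are shorter than the measured ones on the slide.

```python
import math

# Measured doubling times from the slide's table, in seconds.
DOUBLING_TIME_S = {
    "Code Red (2001)": 37 * 60,
    "Slammer (2003)": 8.5,
}


def growth_rate(doubling_time_s):
    """Exponential growth constant k (per second) giving one doubling every doubling_time_s."""
    return math.log(2) / doubling_time_s


def infected_after(t_s, doubling_time_s, population, initial=1):
    """Infected hosts after t_s seconds under the logistic (SI) model:
        I(t) = N / (1 + ((N - I0) / I0) * exp(-k t))
    I(t) doubles every doubling_time_s while I << N, then flattens as the
    vulnerable population N is used up."""
    k = growth_rate(doubling_time_s)
    return population / (1 + (population - initial) / initial * math.exp(-k * t_s))


def time_to_fraction(fraction, doubling_time_s, population, initial=1):
    """Seconds until `fraction` of the vulnerable population is infected
    (closed-form inverse of infected_after)."""
    k = growth_rate(doubling_time_s)
    ratio = (population - initial) / initial
    return math.log(ratio * fraction / (1 - fraction)) / k


def reaction_window(response_delay_s, population=100_000):
    """Fraction of the vulnerable population already infected by the time a
    response that takes response_delay_s seconds lands, per worm."""
    return {
        name: infected_after(response_delay_s, td, population) / population
        for name, td in DOUBLING_TIME_S.items()
    }


if __name__ == "__main__":
    delay = 30 * 60  # assumed 30-minute detect-and-respond window
    for name, frac in reaction_window(delay).items():
        print(f"{name}: {frac:.2%} of vulnerable hosts infected after {delay // 60} min")
    for name, td in DOUBLING_TIME_S.items():
        t90 = time_to_fraction(0.9, td, 100_000)
        print(f"{name}: 90% of 100,000 vulnerable hosts infected after ~{t90 / 60:.1f} min")
```

With these assumptions a 30-minute response window leaves Code Red at a handful of infected hosts, while Slammer has already saturated the population; the only responses that help against an 8.5-second doubling time are the ones that are in place before the worm arrives (the patching, compartmentalization and perimeter filtering discussed in the later slides).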
8
A Total Novice Can be a Hacker Today
Security: Why?
9
Selling Tactics: Demonstrations
http://www.packetstormsecurity.org has tens of thousands of free hacker tools available for download
Security: Why?
10
Selling Tactics: Regulatory Environment
  • CA Personal Information Protection and Electronic Documents Act (2001)
  • US HIPAA
  • US Gramm Leach Bliley (GLBA)
  • US California SB 1386 mandates public disclosure of computer-security breaches in which confidential information may have been compromised. Becomes active on July 1, 2003.
  • EU European Data Directive 95/46/EC
  • UK Data Protection Act of 1998
  • http://www.privacyinternational.org/countries/index.html

Security: Why?
11
  • Assuming management buys in to having an
    appropriate security posture..

12
How Do We Ensure Security Exists at All Levels?
  1. Know your business
  2. Partner with the business (vs. being a
    road-block or adversary)
  3. Gain the trust of your business
  4. Partner with audit, legal, HR, PR, compliance,
    project management, etc.
  5. Build relationships with key IT resources
  6. Pick a model to measure against
  7. Implement the model
  8. Measure and report metrics (scorecards, etc.)

13
Things to Consider
  • You need to balance operational risks with
    security risks
  • Security controls should always be appropriate to
    the level of risk being managed
  • What is good for operations is good for security
  • Availability (as opposed to Confidentiality or
    Integrity) is usually the most important to the
    business
  • Security can be an enabler / profit center /
    competitive advantage

14
Picking a Model: What Level of Security is Appropriate?
[Figure: "How much is Enough?" chart of the ten ISO 17799 (Best Practices) control areas, labelled 1-10, including Classification & Control of Assets and Environmental & Physical Security. Source: Forsythe Solutions, used with permission]
Security: How Much?
15
Layers of Information Security Controls

  Layer               ISO 17799 Sections   Dimensions
  Network             4.2, 8.5, 9.4, 9.8   Perimeter Protection, Network Security Monitoring, Secure Remote Access
  Platform            5.1, 8.2, 9, 10      Minimum Baseline Standards, Operational Procedures, Standardized Configurations
  Application         3, 8, 9.6, 10        Identity & Access Management, Secure Coding Practices
  Physical            7, 8.6, 9.3          Data Center Security, Office Access Security, Desktop & Server Controls
  People / Process    3-12                 Security Awareness Program, Policies & Standards, Security Risk Management Program
  Regulatory / Legal  3, 12                Privacy & Security Steering Committee, eBusiness Insurance, Contract Reviews

Security: Where?
16
Security Tips: Network Layer
  • Try to minimize the number of network entry points you have to manage
  • Insert security reviews into change control processes
  • Compartmentalize the network as much as is reasonable
  • Make vulnerability assessments mandatory for production services (accreditation)
  • Access controls for VPNs
  • Technologies: Firewalls, ACLs, NIDS, NAV, Proxies, VPNs, Intrusion Prevention, Asset Databases, and Authentication Services

Security: Where and How?
17
Security Tips: Platform Layer
  • Implement minimum baseline security standards
  • Ensure adequate patch management tools exist
  • Have standard desktop & server images
  • Insert security reviews into change control processes
  • Ensure systems administrators receive both IT and security training
  • Make vulnerability assessments mandatory for all production services

Technologies: Filesystem permissions, encryption, patch application tools, auditing & logging, anti-virus, HIDS
Security: Where and How?
18
Security Tips: Application Layer
  • Publish samples of secure code and minimum application security requirements
  • Ensure security is consulted early and frequently in the systems development lifecycle
  • Make sure developers understand network architecture constraints
  • Conduct application level vulnerability assessments
  • Conduct source code security reviews

Technologies: SSL/HTTPS, PKI, Middleware, .Net, J2EE, CORBA, C, PERL, Application Firewalls, source code and application scanners
Security: Where and How?
19
Security Tips: Physical Layer
  • Conduct datacenter security certifications and audits
  • Ensure information security policies include provisions for:
    • Infrastructure equipment placement
    • Clean work area / desk standards
    • Data destruction and deletion
    • Locking screen saver
    • Boot passwords
  • Ensure integrity of asset management and inventory control databases
  • Photo ID badges for office access
  • Ensure you have access to building access logs
  • Have video surveillance at key locations

Security: Where and How?
20
Security Tips: People Dimension
  • Have a security awareness program with clear executive sponsorship:
    • Policies & standards
    • Social engineering
    • General security principles
    • Developer workshops
    • Data classification standards & examples
    • Education & training
  • Ensure written policies exist and are well communicated
  • Vulnerability Assessments & Penetration Testing
  • Quarterly Audits
  • Incident Response Plans / Procedures & Forensics
  • Metrics
  • Ensure proper governance is established around policies, standards, and procedures
  • Ensure Security is included in Application and Project Lifecycles
  • Ensure IT staff receive both technical and security training

Security: Where and How?
21
Security Tips: Legal Dimension
  • Know your regulatory environment
  • Limit downstream liability
  • Limit standard e-Commerce risks:
    • Repudiation
    • Torts: Defamation (slander/libel), Other
    • False Advertising
    • Brand Dilution, etc.
  • HR Procedures
  • Contract & RFP Reviews
  • Ongoing e-Law Research
  • Due Care / Due Diligence

Security: Where and How?
22
Security Tips: Governance
  • Build strong relationships with business stakeholders
  • Gain trust and buy-in
  • Establish review and approval processes
  • Establish governance team(s) / committees
  • Schedule regular meetings
  • Report issues and exceptions to senior management
  • Ensure a security value proposition exists and is well communicated to senior management

Security: Governance Ties it Together
23
Utopian World, Or How You Know You've Done it Right
  • A cross-functional executive committee regularly reviews and approves corporate security policies
  • Employees are regularly trained, and understand all security policies and responsibilities
  • Metrics are captured to regularly measure and report program efficiency
  • Incidents are tracked
  • Regular vulnerability assessments are conducted
  • All exceptions are rated by risk level and regularly reviewed / corrected in a timely fashion
  • Management buys in to security's value proposition

Security: Governance Ties it Together
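The scorecard step from slide 12 and the "exceptions are rated by risk level and corrected in a timely fashion" test above are easy to state and easy to let slide. As an added example (not from the presentation or from Aon), the following script ages an exception register against a remediation SLA per risk rating and produces the two things a steering committee needs to see: a per-layer scorecard (open, overdue, and on-time closure rate) and an escalation list of overdue items, worst first. The SLA values, the exception entries and the reporting date are all constructed for the example; the control layers are the ones from the "Layers of Information Security Controls" slide.

```python
from datetime import date

# Remediation SLA per risk rating, in days (assumed values for the example).
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}

# Constructed exception register: (id, control layer, risk rating, opened, closed or None).
EXCEPTIONS = [
    ("EX-001", "Network",     "high",   date(2003, 5, 1),  None),
    ("EX-002", "Network",     "low",    date(2003, 3, 1),  date(2003, 5, 15)),
    ("EX-003", "Platform",    "medium", date(2003, 6, 1),  None),
    ("EX-004", "Platform",    "high",   date(2003, 1, 10), date(2003, 4, 1)),
    ("EX-005", "Application", "high",   date(2003, 6, 20), None),
]


def days_open(exc, today):
    """Age of an exception: until closure if closed, otherwise until the reporting date."""
    _, _, _, opened, closed = exc
    return ((closed or today) - opened).days


def days_overdue(exc, today):
    """Days past the SLA for a still-open exception; 0 if closed or within SLA."""
    _, _, risk, _, closed = exc
    if closed is not None:
        return 0
    return max(0, days_open(exc, today) - SLA_DAYS[risk])


def closed_within_sla(exc, today):
    """True for an exception that was closed no later than its SLA allowed."""
    _, _, risk, _, closed = exc
    return closed is not None and days_open(exc, today) <= SLA_DAYS[risk]


def scorecard(exceptions, today):
    """Per-layer counts for the governance committee: open, overdue, closed,
    closed on time, and the on-time closure rate (None when nothing closed yet)."""
    card = {}
    for exc in exceptions:
        layer = exc[1]
        row = card.setdefault(layer, {"open": 0, "overdue": 0, "closed": 0, "closed_on_time": 0})
        if exc[4] is None:
            row["open"] += 1
            if days_overdue(exc, today) > 0:
                row["overdue"] += 1
        else:
            row["closed"] += 1
            if closed_within_sla(exc, today):
                row["closed_on_time"] += 1
    for row in card.values():
        row["on_time_rate"] = row["closed_on_time"] / row["closed"] if row["closed"] else None
    return card


def overdue_report(exceptions, today):
    """Overdue exceptions as (id, layer, risk, days past SLA), worst first, for escalation."""
    rows = [(exc[0], exc[1], exc[2], days_overdue(exc, today)) for exc in exceptions]
    return sorted((r for r in rows if r[3] > 0), key=lambda r: -r[3])


if __name__ == "__main__":
    TODAY = date(2003, 6, 30)  # constructed reporting date
    for layer, row in scorecard(EXCEPTIONS, TODAY).items():
        print(f"{layer}: {row}")
    for eid, layer, risk, late in overdue_report(EXCEPTIONS, TODAY):
        print(f"{eid} ({layer}, {risk} risk) is {late} days past SLA")
```

The on-time rate is computed only over closed exceptions so that a layer with a long open backlog does not look good simply because nothing has been closed; the overdue count and escalation list carry that backlog instead. A register like this, reported on a fixed schedule, is the "measure and report metrics" step made repeatable rather than a one-off spreadsheet.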
24
How You Know You've Done It Right - 2
  • Repeatable processes ensure security is inserted very early and frequently in project and systems lifecycles
  • Security is built into corporate culture and is viewed as a competitive advantage
  • Executive buy-in is obvious: videos, regular emails, posters, etc.
  • Your company is not seriously impacted by the newest viruses and attacks

25
Questions?