Integrating Physical And Logical Security

Integrating Physical & Logical Security Jorge Sebastião, CISSP, ISP, BSLA Founder and CEO “ Security is:… a continuous skilled process which safeguards your business value…” Jorge S., 1999

Security

Protection systems

Safeguard assets

Safeguard of personnel

Integrate People, Process, Technology

Two major types:

Physical Security

Information Security (infosec)

Physical Security-Focus

Protection of physical assets

Personnel

Buildings

Computing Facilities

Physical Access Control

Power

Information Security-Focus

Protection of information assets

Computer Systems

Data Networks

Databases, Applications

Logical Access Control

Disaster Recovery

Signal also applies to cars of other colors

Scenario

CFO Traveling abroad for 2 weeks

Normally in Riyadh HQ Office

Now in Dubai visiting

Non-Integrated, non-compatible physical access control

Trusted employee uses CFO password to access confidential data in Riyadh

Normal working hours

Sensitive files shared with competitors

No Alarm raised by system???

No violation in either physical sec or infosec systems

Data Center

Threats and risks Human faults Operational disruptions Software Faults In-compatability Fraud Forgery Access Control Espionage Illegal copying Virus Natural phenomena Fire, Smoke, Explosion Destruction, Sabotage Power Failure Water Damage Leakage Theft Vandalism Delivery Problem Service Disruption Loss of Key personnel Notice to quit, Sickness

Security as: TPP Technology Process People

Attack-NCR, IBM ATMs

UAE Bank Attack May-June 2003

Exploits ATM Vulnerabilities

Special Device capture cards

Physical Security

1.5-?.? Million Dhs

Technology

Microsoft

SQL Slammer Worm 25/01/2003

Exploits SQL Server 2000 Vulnerabilities

Document since July 2002

Traveled Globe in 15 min

Process

Verisign

Verisign 22/03/2001 Someone tricked digital security specialist VeriSign ( VRSN ) , which authenticates parties in e-commerce transactions, into issuing two digital certificates with Microsoft's name on them. The certificates could be used by a malicious poseur to spread viruses or other harmful programs by camouflaging them as Microsoft software.

People

PDR

Defence in Depth (layered security)

No Single Point of Vulnerability

Centralized Security Management

Heterogeneous

Effective

Process

Implement Protection, Detection, Response

PROTECTION DETECTION RESPONSE FORENSICS

Security = Time Protection Detection Response SECURITY P>D+R Anti-virus VPN Access Control Firewall Intrusion Prevention Managed Services CIRT Patch Mgmt Vulnerability Testing Intrusion Detection CCTV Log Correlation

Securing the System Effective security requires a balanced application of all methods Personnel System Security Computer Security Physical Security Process Encryption

Security Continuous process ASSESS ARCHITECT APPLY ADMINISTER Business Risk Controls Maturity

Integrated Security Management Business Security Management Physical Security Management ICT Security Management

Security Management Processes

Convergence APPLY

Identity and Access Management Strategic Context Physical Security Network / System Application / Data Suppliers, Partners, Customers Employees

New Boundaries

Platforms

Data Center

Laptops

PDA

Mobiles

Distributed Access

Dialup, ADSL, VPN

VSAT

Wifi, WiMax

GPRS/3G

Communication Centric Applications

Web

Email

IPM

VoIP

Multiple Networks

Intranet

Extranet

Internet

Users

Employees

Partners

Suppliers

Customers

Consumers/Prospects

Location

Office

Internet Café/Restaurants

Airport

Hotels

Home

Identity and Access Management Interoperability Control Loosely-coupled, Dynamic exterior Tightly-coupled, Persistent interior Intranet Extranets Customers Partners/Suppliers Employees Consumers Internet

Identity and Access Management Flexibility Intranet Extranets Internet Control Customers Partners/Suppliers Employees Consumers Federation, Cooperation Integration

Physical Security Physical Security Sprinkler hallon Alarm System UPS CCTV System Intrusion Detection Intercom Evacuation Physical Access Control Elevator Fire HVAC Lighting Power Mgmt

Physical Security Architecture

Biometrics Example

Storage SMART CCTV + biometrics Corporate LAN / WAN / VLAN Internet

Records Physical Protection

Physical Security

Info warfare C4

Command, Control, Communications, Computers

Logical Security Physical Security Data Encryption Host Intrusion Detection Antivirus Perimeter Security Network Intrusion Detection Remote Client VPN Access Control Remote Clientless HTTPS Disaster Recovery Content Filtering Anti-spam Intrusion Prevention Wireless Security Network / System Application/Data

Architecture Layers Extended Perimeter Perimeter Layer Control Layer Resource Layer Identity & Access Mgmt Physical Security Integrated Directory Security Management Policy Management Remote Employees Consumers Partners Customers Suppliers

Identity and Access Management Context Business policy: legal, liability, assurance for transactions Relationships to organization Applications/Services: access control and authorization Identity and information Presentation/Personalization: Identification Relationships Authentication: Identity (Person)

Architecture and Infrastructure Directory Access Mgmt Portal/Device Identity Mgmt Policy Propagation Administration Control Access Resources Authentication Authorization User Device? Applications Platforms Databases Physical Services

SSO~~Security

SSO and security

Reducing sign-on a goal

S ingle sign on is a risk in security compromise

Standard authentication infrastructure is good

SSO is not always realistic

Different applications

Different security

Different application states

Policy drives

No single credential should give access to everything

Where to spend? High Low Excessive Exposure Low High R I S K SECURITY INVESTMENT Excessive Cost Appropriate Security

Return On Investment (ROI)? ROI Curve Security Investment ROI design= 21% ROI implementation= 21% ROI testing= 12% ROI

Security Architecture Incidence Response Operational Monitoring Administration Change Procedures Guidelines Roles and Responsibilities Incident Reporting Physical Dynamic Controls Selection Policy Configurations Baselines Standards Awareness Education Training Logical BIA Mapping Perimeter Architecture InfoSec Policy Security Organization Conceptual P > D + R Strategy Scope Executive InfoSec Policy Steering Committee Contextual Time (Risk Management) Technology Process People

Beyond Technology

Knowledge Base Incidence Response Applying the Knowledge Incidence Response Multiple Sources of Information Partners, Vendors, CERT ,… Internal Security Research Internet, Mailing lists and other sources ADMINISTER

Integrated P+D+R Enterprise Security Management Routers Switches Firewall N-IDS H-IDS IPS Hosts Antivirus Access Ctrl Biometrics Smart Cards Power UPS Fire CCTV P-IDS Alarms Others…. 1.Logs 5. Response 2. Encrypted Logs 3. Analysis 6. (Ongoing) Patching Incidence Response Knowledge 4. Alerting

Incidence Response Incident Response Analyse Contain Eliminate Restore Lessons Policy Refine Policy Continuous Monitoring T-1 T 0 T 1 T 1 T 3 T 4 T N Communicate

Integrated Infosec Framework Vulnerability & Risk Assessment Assess, Audits VA, Pen-Testing, Risk Technology Strategy & Usage Technology, Tools Policy Insfosec Policy, Standards Security Architecture and Technical Standards Technical Architecture Technical Standards, Baselines Security Model Information Classification and Controls Administrative and End-User Guidelines and Procedures Implementation and Configurations Administration Guidelines and Procedures Recovery Processes Incidence Response Processes Enforcement Processes Compliance Mgmt Processes CEO, Senior Management ISMS, Information Assets, IT Infrastructure Awareness, Training, Education Monitoring Processes Monitoring Processes Security Strategy Business Initiatives & Processes Business Initiatives & Processes Vulnerabilities Threats

Benefits of integration