Top 10 Security Challenges

Top 10 Security Challenges/Issues 2006 Jorge Sebastião Founder and CEO [email_address] www.esgulf.com

Can if face the Challenge?

Top 10 Challenges

Security Awareness & End Users

Google Exposure

Standards Compliance & Regulations Updates to ISO27001

Vulnerability Management

Change Management & Coordination Mgmt

Patch Management

Effective Security Monitoring

Incidence Response

Managing Outsourcing Risk

Disaster Recovery & Business Continuity, Crisis Management

1. Security Awareness & End Users

The #1 threat to security is people.

Cause : Large growing user population, friendly applications. People weakness are caused by lack of knowledge.

Threat : Illiteracy in how the internet works. Allows social engineering.

Social Engineering-Risk

… 70 percent of those asked said they would reveal their computer passwords for a …

Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1 Bar of chocolate

Phishing Stats

Phishing 101

Security & people is a complex processes Is doesn’t matter how strong you build a fortress there’s always a way around

2. Google Exposure

Google is #1 hackers tool.

Cause : Any information posted or disseminated through internet can easily be recorded, indexed.

Threat : Exposure of corporate as well as personal confidentiality.

Advanced Operators: “Filetype:”

Google Hacking-Filetype

Advanced Operators “Intitle:”

Intitle: search_term

Find search term within the title of a Webpage

Example:

Find directory list:

Intitle: Index.of “parent directory”

Google Hacking-intitle

Personal Mailbox

Intitle: Index.of inurl: Inbox (456) (mit mailbox)

After several clicks , got the private email messages

Google Hacking-Mailbox

3. Standards Compliance & Regulations Updates to ISO27001

Examples: BS7799 now ISO27001, Basel1-Basel II, EMV2, HIPAA, AML, SOX…

Cause : Compliance is not always a corporate priority (carrot and stick).

Threat : Potential major regulators and government penalties and loss of corporate image. New regulations in various sectors such as financial, health, transportation

Multitude of changes to Governance

ISO27001, before (ISO17799, BS7799)

ISO20000 (before BS15000)

EMV 2 (EMV)

Basel 2 (Basel)

SOX

AML

ISO90000

CoBIT

PAS56 (new ISO…)

HIPAA

...

Control Areas

Plan-Do-Check-Act Model

PLAN:

1. Establish Security Policy and Objectives

2. Conduct Risk Analysis

DO: 3. Implement Controls/Safeguards 4. Educate the Organisation CHECK: 5. Continuously Monitor and Review ACT: 6. Continuously Improve * The PDCA model is the strategy used in ISO9001 and ISO27001

Summary of Changes

Basel 2 - Time Table

4. Vulnerability Management

“ 99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available”

Cause : Large growing set of vulnerabilities

and system weakness are caused by disclosure

Threat : Vulnerabilities can be exploited and cause loss of Confidentiality, Integrity, Availability

Vulnerability/Exploit Life Cycle

Compromise is Costly

Compromised systems may not be immediately identified

To fully recover a compromised system, it must be taken offline

Downtime of critical servers

Time invested by administrators

To restore the integrity of the system it must be validated

Forensics may take days to complete

Reinstall operating system and applications & all security patches

Back-ups may contain altered data making it useless during recovery activities

Continuous Vulnerability Testing

Overview Audit

5. Change Management & Coordination Mgmt

We are always introducing change into the IT infrastructure in a uncontrolled way

Cause : Large growing complexity of network, new technologies, new applications. Change forced from Vulnerability / Patch Management

Threat : Unavailability of IT Infrastructure, potential lack of integrity. Potential loss of confidentiality

Change Management

Release Management

Change Mgmt Operation: Stabilize & Deploy Countermeasures

New or changed countermeasures

Track Plan Analyze Control Identify 1 2 3 5 4 Risk Statement

6. Patch Management

The high number of vulnerabilities results in high number of patches and patching cycles.

Cause : Mandatory changes required to the make emergency correction in IT environment

Threat : Patch Management can result in System integrity and Availability loss.

Patch Management Requires Processes People Technology Products, tools, and automation Consistent and Repeatable Skills, roles, and responsibilities

Patch Management Process 1. Assess Environment Tasks A. Baseline of systems B. Assess architecture C. Review configuration D. Discovery and Inventory 1. Assess 2. Identify 4. Deploy 3. Plan 2. Identify Patches Tasks A. Identify new patches B. Patch relevance C. Verify authenticity & integrity 3. Plan Patch Deployment Tasks A. Approval to deploy patch B. Risk assessment C. Plan release process D. Acceptance testing 4. Deploy Tasks A. Distribute & install patch B. Report on progress C. Handle exceptions D. Review deployment

7. Effective Security Monitoring

Cause : Lack of formal, integrated security monitoring for security events and potential incidents

Threat : Un-ability to understand the level of exposure when being attacked.

Lack of effective Monitoring “… Close to 30% of companies indicated they would not be aware that their core business information had been altered until 12 to 24 hours later and roughly 30% would not be aware of a compromise for more than 2 days .” Source: CIO Magazine

Effective Monitoring requires Integrated Process Organization IT SOC SOC Logging 1. Integrated Log File 5. Respond 2. Encrypted Log Data 3. Analysis 6. (Ongoing) Vulnerability Test Pen Test Patching Incidence Response Knowledge 4. Alerting

Security Event Must be Correlated

8. Incidence Response

Cause : Lack of formal security incidence response process.

Threat : Facilitated generally lack of integration of systems security. Unable to respond to attacks in timely manner.

Incidence Response Incident Response Analyse Contain Eliminate Restore Lessons Policy Refine Policy Continuous Monitoring T-1 T 0 T 1 T 1 T 3 T 4 T N Communicate

Incidence Response Functions

Triage

Incident

Notification

Escalation

Incident Lifecycle

Incidence Response Workflow Event Correlation Event Database Security Analyst Incident Alert Form HelpDesk DATABASE Automatic Incident Alert Generation Security Analyst

Incident Response Lifecycle New Incident Reported by Analyst Reported by Customer Detected by Event Correlation Helpdesk DATABASE Tracking Number IR0012885 Tracking Number Assigned Progression Through Different Stages/States Security Analyst  Automatic Notification/Escalation

9. Managing Outsourcing Risk

Cause : Lack of formal analysis and measurement process to outsourcing risk management

Threat : High level of risk exposure, run away uncontrolled risk. Complete loss of business.

Outsourcing Risk: Example1-Credit Card Fiasco

Disclosure of 40Million Credit and Debit Cards

Visa Stops Processing with CardSystem Solutions

Judge: Visa and MasterCard won't have to inform customers that their personal details were exposed in a high-profile data security breach

Credit bureaus to adopt data protection standards

Credit card makers forced to scrutinize security

Outsourcing Risk: Example2- Call Center Leaks Credit Cards

The Sun organized a sting where they caught a call center employee selling credit cards

yet another incident where call center staffer was selling personal data. The data consisted of banking details of British customers, and was sold by people at an outsourced call center in India

There are security risks to outsourcing, and there are security risks to offshore outsourcing. But the risk illustrated in this story is the risk of malicious insiders

Do you have an integrated risk mgmt plan?

10. Disaster Recovery & Business Continuity, Crisis Management

Cause : Lack of formal business continuity or disaster recovery process, crisis Management.

Threat : Unable to respond to major disruptions or attacks causing complete system or organization unavailability.

Business Continuity Management EMERGENCY MANAGEMENT IT DISASTER RECOVERY FACILITIES MANAGEMENT HUMAN RESOURCES PHYSICAL SECURITY COMMUNICATIONS & PR KNOWLEDGE MANAGEMENT SUPPLY CHAIN MANAGEMENT BCM Scope – provides a Unifying Process QUALITY MANAGEMENT CRISIS MANAGEMENT RISK MANAGEMENT ENVIRONMENTAL MANAGEMENT Source: BSI PAS56

Assessment Executive Review Source :Dr David J Smith 2002

Mobile Response to Disaster

Are u ready for security?