20130425 Security Standards The Trusted Framework, Alan McBride


Alan McBride, CISSP: presentation on Security Standards - The Trust Framework; Business Case for Standards Adoption


COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Slide 2. STANDARDS AND THE TRUST FRAMEWORK: PRIMARY TAKEAWAY
‘Providing assurance to your customers that you are applying standards-based security best practices can build trust and can differentiate you in your market.’
Slide 3. SECURITY STANDARDS: AGENDA
• The Threat Landscape
• The Security Standards Landscape
• Adopting Security Standards
• Conclusion
Slide 4. ALCATEL-LUCENT: WHO WE ARE, AT A GLANCE
• Portfolio: 3G/4G wireless, broadband access, Ethernet, IP, optics, applications, services, cloud (product highlights on the slide: 400G photonics, DSL/VDSL2 vectoring, carrier cloud, lightRadio™, 400G IP XRS core router, Motive customer experience)
• 1000+ network operator customers, 500K+ enterprise customers, 1M+ networks
• ~72,000 employees; 2012 revenues €14.4b; TR50 Most Innovative Companies 2012
• Bell Labs: 7 Nobel prizes, more than 2,900 patents in 2012, more than 30,700 active patents, labs in 7 countries including Ireland; collaboration with 250+ universities
Slide 5. THE THREAT LANDSCAPE: RECENT SECURITY INCIDENTS
• 30 Aug 2012: ‘State-sponsored cyber espionage projects now prevalent, say experts. At least four government-sponsored programmes to deploy cyber-espionage software like the Flame, Duqu and Stuxnet software – the latter used against computers in Iran – are in progress around the world...’
• 11 Jan 2013: ‘U.S. warns on Java software as security concerns escalate. The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software...’
• 30 Jan 2013: ‘Hackers in China Attacked The Times for Last 4 Months. The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them...’
• 1 Mar 2013: ‘More companies reporting cybersecurity incidents. At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberassaults...’
• 21 Mar 2013: ‘Logic Bomb Set Off South Korea Cyberattack. Cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea this week was set off by a logic bomb...’
• 9 Apr 2013: ‘Fourth LulzSec Member Pleads Guilty to Hacking Sony ... carried out attacks on the websites of the Arizona State Police, Sony, News Corp.’s Twentieth Century Fox, the U.K.’s National Health Service and technology-security company HBGary Inc...’
Slide 6. THE THREAT LANDSCAPE: SOME STATISTICS
Breach findings:
• 97% of breaches were avoidable through simple or intermediate controls
• 98% were primarily due to external agents
• 96% were motivated by financial or personal gain
• 85% of breaches took weeks or more to discover
• 92% of incidents were discovered by a third party
• 69% of breaches involved malware (e.g. keyloggers)
• 81% involved hacking (e.g. use of default or guessable credentials)
SMB findings:
• 77% of SMBs think a strong security posture is good for their brand
• 59% of SMBs have no contingency plan for a data breach
• 65% of SMBs do not use encryption or DLP to protect confidential data
• 62% of SMBs do not routinely back up data
Source cited on the slide: 2012 Data Breach Investigations Report (note: IRISSCERT was a contributor)
Slide 7. THE THREAT LANDSCAPE: EVOLVING SECURITY RISKS
(Figure: threats plotted against an innovation timeline, showing escalating threat sophistication.)
• Innovation timeline: Internet; Mobile; Always-on, ubiquitous connectivity; Apps and social media; Device proliferation; Virtualization and cloud; Everything-as-a-Service; Machine-to-Machine; Smart Grid, Smart Cities
• Threats: Viruses, Trojans, worms; Rootkits, botnets; Distributed Denial-of-Service; Web threats (XSS, SQL injection); Identity theft; Password cracking; Infected mobile apps; Fraud, extortion, cybercrime; Targeted malware (e.g. Stuxnet); Advanced Persistent Threats (APTs); Insider threats
• Threat agents: Hacktivist; Cyber-criminal; Insider; Nation state
• Threat vectors: Internet; Internal access; Mobile devices; Supply chain
Slide 8. THE STANDARDS LANDSCAPE: CONTROLS AND BEST PRACTICES
(Figure, read as a sentence:) Threat agents (e.g. a cybercriminal) attack by exploiting vulnerabilities (e.g. inadequate access controls), resulting in risks to assets (e.g. your data); those risks are mitigated by controls (e.g. role-based access control), which protect the assets.
Security standards specify controls to mitigate the risk of exposure of assets to threats resulting from inherent vulnerabilities.
• By purpose, controls are preventative (e.g. firewall), detective (e.g. IDS) or corrective (e.g. security patch), often in combination.
• By classification, controls are technical (e.g. encryption), physical (e.g. locks) or procedural (e.g. training).
Slide 9. THE STANDARDS LANDSCAPE: KEY STANDARDS BODIES
The slide groups these as international, jurisdictional and domain-specific bodies:
• ITU: International Telecommunication Union
• ISO: International Organization for Standardization
• IEC: International Electrotechnical Commission
• IETF: Internet Engineering Task Force
• ETSI: European Telecommunications Standards Institute
• 3GPP: Third Generation Partnership Project
• ATIS: Alliance for Telecommunications Industry Solutions
• ENISA: European Network and Information Security Agency
• NIST: National Institute of Standards and Technology (US)
• ANSI: American National Standards Institute
• OASIS: Organization for the Advancement of Structured Information Standards (‘advancing open standards for the information society’)
• OMA: Open Mobile Alliance
• CSA: Cloud Security Alliance
• TISPAN: Telecommunications and Internet converged Services and Protocols for Advanced Networking (an ETSI technical committee)
Slide 10. THE STANDARDS LANDSCAPE: EXAMPLE SECURITY STANDARDS
• Security management standards: ISO 27K; COBIT 4.x; IETF RFC 2196; NIST SP 800-53
• Technical security standards: cryptography (AES, RSA, DSA, PKI); secure protocols (TLS, IPsec, HTTPS, SFTP); identity management and AAA (RADIUS, SAML, OAuth, OpenID, XACML)
• Vulnerability management standards: CVE (ITU-T X.1520); CWE (MITRE); CVSS (maintained by FIRST)
• Security assurance standards: ISO 15408 (Common Criteria)
• Regional and domain-specific: energy domain, NERC 1300 (CIP); IACS domain, ISA/IEC 6 (truncated on the slide); payments domain, PCI; cloud domain, CSA
Slide 11. THE STANDARDS LANDSCAPE: RELEVANCE TO THREATS
This threat scenario illustrates the relevance of example ISO27K controls to common vulnerabilities in a typical three-tier system (web server, application server, database server). Each vulnerability is listed with the ISO 27K (ISO/IEC 27001:2005 Annex A) control that addresses it:
• SQL injection vulnerability allowing malware insertion: A.12.2 Correct Processing in Applications (input validation); A.10.4 Protection Against Mobile and Malicious Code
• Inadequate segregation, with no DMZ or firewall between the web and application servers: A.11.4 Network Access Control
• Encryption keys stored on the same server as the encrypted data: A.12.3 Cryptographic Controls (key management)
• Use of default passwords, and excessive access for admin accounts: A.11.2 User Access Management
• Out-of-date versions of software such as Apache and the TLS and SSH implementations: A.12.6.1 Technical Vulnerability Management
• Inadequate data classification and segregation, with confidential data stored together with other data: A.7.2 Information Classification
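The first item in the scenario above, SQL injection at the application tier, is the one that is easiest to make concrete in code. The following is an added example, not code from the slides or from Alcatel-Lucent: a login query in its vulnerable, string-concatenated form beside the parameterised form that the ‘correct processing in applications’ control calls for. It runs offline against an in-memory SQLite database holding one constructed user record; the function names, the `users` table and the `admin'--` payload are all assumptions made for the example.

```python
"""Added example for the three-tier scenario: the SQL injection item,
shown as the vulnerable query beside its parameterised replacement.
Not from the slides or from Alcatel-Lucent.  Runs offline on an
in-memory SQLite database holding one constructed user record."""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the example short.  A real system would use a
    # salted, deliberately slow password hash (cf. ISO 27K A.12.3).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single administrator account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", _hash("correct horse"), "administrator"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable form: user input is concatenated into the SQL text.

    A username of  admin'--  closes the string literal and turns the rest
    of the statement, including the password check, into an SQL comment,
    so the query returns the admin row whatever password was supplied.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + _hash(password) + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: a parameterised query (ISO 27K A.12.2).

    The driver passes username and hash as values, never as SQL, so the
    same payload is merely compared against the username column and
    matches nothing.
    """
    query = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(query, (username, _hash(password))).fetchone()


def demo():
    """Return (vulnerable_result, safe_result) for the injection payload."""
    conn = make_db()
    payload = "admin'--"  # constructed attacker input, wrong password below
    return (
        login_vulnerable(conn, payload, "wrong"),
        login_safe(conn, payload, "wrong"),
    )


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable query returned:", vulnerable)   # ('admin', 'administrator')
    print("parameterised query returned:", safe)      # None
```

The point a practitioner should take from the two functions is that the fix is structural, not a matter of filtering quotes: with placeholders there is no string for an attacker to break out of, so the check holds for any input, while the concatenated version is only as safe as every escaping rule anyone remembers to apply.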
Slide 12. ADOPTING SECURITY STANDARDS: ISSUES WITH ADOPTION
Applicability and suitability
• Some standards may be too high-level, others too prescriptive
• May be too generic or too specific
• Delay in addressing emerging technologies (e.g. cloud)
Cost
• Adoption requires planning, training and implementation
• Additional cost if certification is required
• Additional cost if directly involved with standards development
Overlapping or competing standards
• Different standards may address the same area and may not be consistent
• Particularly a problem for enterprises operating in multiple jurisdictions
No silver bullet
• Compliance can give a false sense of security
• Standards will always lag emerging threats; coverage can never be absolute
Inflexibility
• Compliance with standards could potentially inhibit agility
Slide 13. ADOPTING SECURITY STANDARDS: PRAGMATIC ADOPTION
Maturity path: Informed → Aligned → Compliant → Certified
• Informed: initially you can be informed by standards; they are an important source of best practices to inform your own, and they generally have good coverage (a ‘checklist’ or ‘cookbook’ approach)
• Aligned: alignment with standards can be phased over time, e.g. a risk-based choice of which ISO27K controls to implement
• Compliant: the eventual target can be full compliance
• Certified: ultimately, certification can be sought where applicable
Slide 14. ADOPTING SECURITY STANDARDS: FOCUS ON ISO27K
• Standard for an Information Security Management System (ISMS), spanning technology, process and people
• Protection of the confidentiality, integrity and availability (CIA) of information assets
• Plan-Do-Check-Act (PDCA) cycle: identify assets and security requirements; assess risks to assets; select and implement controls to mitigate risks; monitor, maintain and improve on an ongoing basis
• 11 control areas, 133 controls (ISO/IEC 27001:2005 Annex A), e.g. ‘Information Security Policy Document’, ‘Inventory of Assets’, ‘Key Management’
Slide 15. ADOPTING SECURITY STANDARDS: REASONS FOR ADOPTION OF ISO27K
1. Recognized as the best-practice standard
2. To gain competitive advantage
3. To ensure legal and regulatory compliance
4. Requirement when tendering
5. Mandated by customer
6. Competitors already certified
Size of organizations adopting ISO27K (cumulative):
• 27% have fewer than 50 employees
• 50% have fewer than 200 employees
• 62% have fewer than 500 employees
Source: (not captured)
Slide 16. ADOPTING SECURITY STANDARDS: ANOTHER EXAMPLE STANDARD, PCI DSS
• Payment Card Industry Data Security Standard
• Proprietary standard, owned by the PCI Security Standards Council (PCI SSC)
• Defines minimum security controls for securing payment systems and cardholder data
• Compliance is a contractual requirement imposed by the card brands rather than a statutory one; in the US, formal validation of compliance (self-assessment questionnaire or on-site assessment) is not mandatory for every organization, as the required level of validation depends on merchant or service-provider level
Slide 17. ADOPTING SECURITY STANDARDS: PRAGMATIC CHECKLIST
Your answers can help you decide whether you need to consider standards such as ISO27K:
• Do you have a CSO/CISO?
• Do you have a security policy, and do all of your employees know about it?
• Do you address security aspects with your suppliers?
• Do you know the security posture of your competitors?
• Do you know what regulations or standards apply to your market and jurisdiction?
• Do you have a mobile device policy?
• Do you have basic security hygiene, including firewall, antivirus, secured backups, timely patching and adequate access controls?
• Do your employees undergo security training, including guidelines on passwords, email risks and protection of company data on mobile devices?
Slide 18. ADOPTING SECURITY STANDARDS: TRUST THROUGH TRANSPARENCY
An example of how standards compliance can be part of a trust framework: CSA STAR (Cloud Security Alliance Security, Trust & Assurance Registry)
• Cloud providers assess themselves against CSA security controls
• Transparency is achieved by publishing the results in the registry
• Customers can read and compare the security posture of potential providers
• Validity is addressed through public scrutiny (it is a self-assessment, not an audit)
• You can freely browse the open submissions now from multiple providers, including Amazon, Microsoft, Symantec and Terremark
• This self-assessment foundation is now evolving to include third-party assessment and certification under the CSA Open Certification Framework (OCF)
• Can help lower costs by avoiding per-customer RFx responses or audits
• Illustrates how an open and transparent security posture can improve trust with the customer, and how businesses can compete by differentiating in the security domain
Slide 19. ADOPTING SECURITY STANDARDS: OUR EXPERIENCE AT ALCATEL-LUCENT
Involved with standards development
• Active participation in key standards bodies such as ISO, ITU and 3GPP, drawing on Bell Labs research
• Also involved with regional bodies such as ATIS (US) and ENISA (Europe)
Applying standards internally
• Global company: many relevant standards as input to internal practices
• Applying security standards in the development of networking products
• Combining best practices with internal Bell Labs expertise
Applying standards in external engagements
• Applying standards in security assessments, e.g. Smart Grid networks
• Applying standards in network design and security architecture services
Contact: John Hickey (convener of NSAI ICTSCC/SC10 and representative on ISO/IEC JTC 1/SC 27)
Slide 20. ADOPTING SECURITY STANDARDS: APPLYING STANDARDS IN PRACTICE
Real-world example: how we at Alcatel-Lucent have used standards in assessing the security of Smart Grid utility networks globally (cf. Bell Labs Technical Journal, December 2012). Four activities are applied to the Target of Evaluation:
• Threat analysis: risk-oriented analysis to determine threats, attack vectors, vulnerabilities and countermeasures
• Baseline evaluation: evaluate architecture and implementation against standards, recommendations and best practices (e.g. NIST, ISO, NERC CIP) to identify strengths and gaps
• Tools analysis: assess results from vulnerability scanning and penetration testing tools
• Architecture evaluation: assess the use of technical security enablers such as firewalls, IPS, AAA, encryption and VPN to evaluate the current security architecture and areas for improvement
Number of controls in each standard used as a baseline:
• NISTIR 7628: 194
• NERC CIP: 110
• ISO 27001: 133
• NIST SP 800-53: 197
• SANS CAG: 20
• US DHS: 236
Slide 21. ADOPTING SECURITY STANDARDS: OTHER SOURCES OF SECURITY GUIDANCE
• SANS (SysAdmin, Audit, Network, Security Institute) / CSIS: 20 Critical Controls for Effective Cyber Defence
• OWASP (Open Web Application Security Project): Top Ten Project, the ten most critical web application security risks
• NIST (US National Institute of Standards and Technology): NISTIR 7621, Small Business Information Security: The Fundamentals
• ISF (Information Security Forum): Standard of Good Practice (SoGP)
• CSA (Cloud Security Alliance): Cloud Security Guidance
Slide 22. ADOPTING SECURITY STANDARDS: BUSINESS CASE FOR ADOPTION
Cost versus benefit
• Implementing standard controls can protect assets and avoid costs
• Standards-based approaches can streamline the management of security
Risk management
• Proactive and structured approaches to managing risk
• Good foundation for ensuring comprehensive coverage
Regulatory compliance
• Where applicable, regulations generally share common ground with standards
• Standards can also improve readiness for future regulations
Market and competitive aspects
• Market differentiation
• Customer trust as a competitive advantage
Slide 23. STANDARDS AND THE TRUST FRAMEWORK: CONCLUSION
‘Providing assurance to your customers that you are applying standards-based security best practices can build trust and can differentiate you in your market.’