People, Process, Technology “Back to the Basics” Security Management Serge Bertini Director Security Solution CA

Upload: pierce-fields

Post on 24-Dec-2015


Page 1

People, Process, Technology “Back to the Basics”

Security Management

Serge Bertini, Director Security Solution, CA

Page 2

3 © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

Agenda

- Identity in the News

- e-Identity Revolution

- Identity Risks and Rewards

- Best Practices and Compliance

- Identity Technology Update

Page 3

Recent Security Surveys

Page 4

Can you trust an ATM?

Cash machine fraud gang is jailed: “A gang of illegal immigrants that admitted stealing more than £600,000 in a "sophisticated" cash machine scam has been jailed at Southwark Crown Court.” BBC News, July 1st, 2005

Fake ATM facades were used across London to record financial details and pillage accounts, the court heard.

Page 5

Phishing

Phishing pair jailed for ID fraud: “A UK-based American citizen has been jailed for six years after stealing up to £6.5m through identity fraud.” BBC News, July 1st, 2005

Douglas Havard, from Dallas, Texas, made fake credit cards with stolen bank details as part of a global syndicate. The scam relied on phishing - by which online account holders are induced to give away their personal details.

Page 6

CSI/FBI Computer Crime and Security Survey (2006)

- “Unauthorized Access” showed a dramatic increase:
  - second most significant contributor to computer crime losses
  - accounts for 24% of overall reported losses
  - showed a significant increase in average dollar loss

- 52% of organizations surveyed experienced unauthorized use of computer systems in the last 12 months

- 32% of attacks or misuse were related to unauthorized access to information

- Over 82% of large organizations reported an identified breach in the last year

Page 7

CERT Insider Threat Survey (2005)

Majority of attacks due to:

- compromised computer accounts

- unauthorized backdoor accounts

- use of shared accounts

Page 8

PWC Survey of Canadian Companies (2005)

- >55% of companies were victims of fraud

- Average loss of $1.7 million (US)

- >1/3 of companies reported that company reputation, brand equity and business relationships were negatively affected by the crime

- 61% of fraudsters were insiders

- One of top 3 reasons cited for fraud being committed is insufficient controls

- Survey showed that probability of uncovering economic fraud is strongly dependent on the number and effectiveness of control mechanisms in place

Page 9

Agenda

- Identity in the News

- e-Identity Revolution

- Identity Risks and Rewards

- Best Practices and Compliance

- Identity Technology Update

Page 10

e-Identity Revolution (diagram of adoption stages; labels recovered from the slide)

Stages:

- Employees: Single User ID
- Employees: Multiple IDs
- B2B: Employees and Partners
- B2C: Customers, Partners and Employees (Cable TV, Video on demand, etc.)
- Next Generation: the world via their mobile phone

Annotations on the diagram: “Leading edge adopters here today”; “Mainstream adopters here today”

Page 11

Customer Service Enablement

- Challenge
  - Provide individualized services and content,
  - to 10’s of millions of customers,
  - on demand, reliably, and securely.
- Examples
  - Bank planning management of 100 million customers.
  - US Cable TV/ISP with 5.3 million subscribers.
  - Canadian Cable TV with over 2 million subscribers.

Page 12

Challenges

- Managing Risk
  - New ways to commit Fraud, Theft
- Compliance with Laws and Regulations
  - Governance, Privacy, & Freedom of Information
- Financial Discipline
  - Too much Labour, Under Utilized Capital

Page 13

Agenda

- Identity in the News

- e-Identity Revolution

- Identity Risks and Rewards

- Best Practices and Compliance

- Identity Technology Update

Page 14

Perceived Major Causes of Risk (bar chart, 0% to 100%; series: Now, Future, Not a major issue)

Categories surveyed:

- Human incompetence, threat from disgruntled employee
- Computer, network or software failure
- Increasingly clever methods of attack, e.g. more complex viruses, spyware
- Theft of corporate equipment
- Extension of corporate network through remote working, wireless access
- Hacking or competitor espionage
- Terrorist threat, natural disaster, fire

Source: IT Security Strategy – Review of Attitudes, Activities and Plans (June 2004), Jon Collins, Quocirca Ltd

Page 15

Deployed IT Security Technology (bar chart, 0% to 100%; series: In Place, Piloting/limited rollout, Actively considering, Future option, Not planned, Outsourced, Status unclear)

Technologies surveyed:

- Anti-virus and Spyware protection
- SPAM protection
- Intrusion protection
- Virtual Private Network
- Software patch management
- Single sign on, authentication, password management
- Vulnerability assessment
- Centralised security event management
- Identity and access management, application provisioning

Source: IT Security Strategy – Review of Attitudes, Activities and Plans (June 2004), Jon Collins, Quocirca Ltd

Page 16

Identity and Risk

- Individual
  - Financial Loss
  - Inconvenience
  - Loss of privacy
  - Loss of reputation
  - Reduced Creditworthiness
  - Arrest by law enforcement
  - Criminal charges
- Organization
  - Loss of proprietary information
  - Loss of confidential information
  - Loss due to Theft and Fraud
  - Loss of reputation
  - Damage to brand
  - Damage to share value
  - Fines and sanctions
  - Criminal charges

Page 17

Identity Theft – Risk to Organization

Thousands hit by US identity theft: “Politicians have stepped up their calls for greater regulation of the data collection industry in the wake of a security breach that may have led to more than 140,000 Americans having their identities stolen.” Daily Telegraph, by David Litterick in New York (filed February 24th, 2005)

“ChoicePoint, a data warehousing company, is facing a raft of lawsuits after it admitted that thieves, apparently using identities already stolen, created what appeared to be legitimate debt-collecting and cheque-cashing businesses seeking ChoicePoint's services. They then opened 50 accounts and received volumes of data on consumers, including names, addresses, social security numbers and credit reports.”

Page 18

Employee Fraud – Risk to Organization

Rerouted: Former Cisco Accountants sent up the river. Former finance department workers swindled networking specialist out of $7.8 million. Stephen Taub, CFO.com, November 28th, 2001

Two former CISCO Systems Inc. accountants are heading to prison…. Geoffery Osowski, 30, and Wilson Tang, 35, were each sentenced to 34 months in prison for transferring $7.8 million in company stock to their personal brokerage accounts. The maximum sentence for the crime is five years. The two accountants illegally accessed Cisco’s programs for managing stock-option disbursements and granted themselves 230,550 shares over six months starting in October 2000, according to wire service reports, citing prosecutors.

Page 19

E-Identity / IT Asset Protection: What is it?

Asset Protection – Protecting critical corporate resources, of all types, against unauthorized (inadvertent or malicious) access. Requires effective management of all users and their access rights.

Let’s look at the types of assets that need protection.....

Pages 20 to 24

Asset Protection (diagram built up over five slides; the final state is shown here)

Actors: Web User, User, Admin

Platforms: Unix, Windows, Mainframe, Enterprise Apps (ERP/CRM)

Assets to protect:

- Web Apps & Web Services
- Enterprise Apps (SAP, PS, etc.)
- Servers
  - User accounts
  - System files
  - Critical DBs
  - System processes
  - Log/Audit files
- Admin Rights
  - Root access rights
  - Control system processes

Page 25

Agenda

- Identity in the News

- e-Identity Evolution

- Identity Risks and Rewards

- Best Practices and Compliance

- Identity Technology Update

Page 26

Top 10 Control Deficiencies*

- #10 System documentation does not match actual process
- #9 Procedures for manual processes do not exist or are not followed
- #8 Custom programs, tables & interfaces are not secured
- #7 Posting periods not restricted within GL application
- #6 Terminated employees or departed consultants still have access
- #5 Large number of users with access to “super user” transactions in production
- #4 Development staff can run business transactions in production
- #3 Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, Peoplesoft, JDE) not secure
- #2 Operating System (e.g. Unix) access controls supporting financial applications or Portal not secure
- #1 Unidentified or unresolved segregation of duties issues

* Ken Vander Wal, National Quality Leader, E&Y, ISACA Sarbanes Conference, 4/6/04

7 of the Top 10 Deficiencies relate to the management of user identities and access

Page 27

Return on Negligence

Cost of Doing Nothing (matrix on the slide; columns: Tangible Costs, Intangible Costs)

Avoidable Risks:

• Unfulfilled potential revenue
• Loss of potential customers
• Damage by unauthorized access
• Damage by Fraud
• Damage to information systems
• Damage by data theft

Missed Opportunities:

• Reduction in administration costs
• Reduction in help desk costs
• Increased end user productivity
• Reduction in IT purchasing costs
• Smooth interaction with partners, suppliers and customers
• Ability to transact securely
• Centralised administration
• Coherent approach to access

Page 28

Standards and Compliance

- Normally government regulations do not specify in detail what is required to comply. Useful standards are:
  - COSO – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) report: Internal Control—Integrated Framework.
  - COBIT – Control Objectives for Information and related Technology (COBIT), introduced in 1996, is a framework of generally applicable and accepted Information Technology (IT) governance and control practices.
  - ISO 17799 – “A comprehensive set of controls comprising best practices in information security”; an internationally recognized generic information security standard.
  - ITIL – The IT Integration Library, developed in 1983 by a U.K. government agency to evaluate IT operations of government contractors; defines the processes and activities to support IT services.

Page 29

CoBiT and BS7799 - Identity Considerations

| CoBiT | BS7799 |
|---|---|
| DS 3.5 Technology Standards | 10.1 Security Requirements of Systems |
| PO 4.1 Segregation of Duties | 8.1 Operational Procedures and Responsibilities |
| PO 4.6 Responsibility for Security | 4.1 Manage Information Security |
| PO 4.7 Ownership and Custodianship | 5.1 Accountability for Assets |
| DS 5.2 Identification, Authentication and Access | 9.4, 9.5, 9.6 Network, OS and Application Access Control |
| DS 5.3 Security of Online Access to Data | 9.1 Business Requirement for Access Control |
| DS 5.4 User Account Management | 9.2 User Access Management |
| DS 5.5 Management Review of User Accounts | 9.2.4 Review of User Access Rights |
| DS 5.6 User Control of User Accounts | 9.3 User Responsibilities |
| DS 5.7 Security Surveillance | 9.7 Monitoring System Access and Use |
| DS 5.8 Data Classification | 5.2 Information Classification |
| DS 5.9 Central Identification and Access Rights Mgt | 9.2 User Access Management |
| DS 5.10 Violation and Security Activity Reports | 9.7 Monitoring System Access and Use |
| | 4.2 Security of Third Party Access |

Page 30

DS 5.4 - User Account Management / BS7799 - 9.2 User Access Management

| Maturity | Process | Technology Support |
|---|---|---|
| 1 | Manual account management process documented and owners defined | Virtual User Directory; Password Management tools |
| 2 | Provisioning and delegated account management processes defined | Provisioning Workflow system; Master provisioning source (HR); Reporting toolset |
| 3 | Role definition owners and processes defined. Application security conformance to identity standards review | Role based provisioning and administration system; Application integration |
| 4 | Processes for partners managing accounts, federated trust relationships defined | Federated provisioning |

Page 31

DS 5.6 - User Control of User Accounts / BS7799 - 9.3 User Responsibilities

| Maturity | Process | Technology Support |
|---|---|---|
| 1 | Self service password reset, forgotten password and account unlock process documented and owners defined | Self service password/account management |
| 2 | Processes defined for self administration of user accounts and access requests | Workflow system allowing end users to raise requests and track progress |
| 3 | Processes defined for self service registration and administration of enterprise users | Workflow and Role based self administration system; Application integration |
| 4 | Processes defined for self service registration and administration of partner users based on federated trust relationships | Delegated administration of federated users |

Page 32

Agenda

- Identity in the News

- e-Identity Revolution

- Identity Risks and Rewards

- Best Practices and Compliance

- Identity Technology Update

Page 33

Identity and Access Management

- Managing who can do what is at the very core of security

- Authentication

- Authorisation

- Auditing

- Administration

(diagram: Employees, Partners, Customers)

Page 34

Identity Lifecycle Technology Maturity (architecture diagram; labels recovered from the slide and grouped)

Maturity axes: Single Sign-on, Flexible Authentication, RBAC, Legacy; Web, Desktop, No change

Extranet Access Management: Web authentication; Role based access control; Web single sign-on; User self-service

Server Access Management: Role based access control; Administration - Separation of Duties; Server hardening

Enterprise Infrastructure: HR System; Help Desk; Physical Badges (Building access, Zone access); Desk (Telephone); Mobile phone, PDA

IS Platforms: Windows Domain; Email; Mainframe; DBMS; Portal; Applications

IS Applications: CRM, ERP, SCM, SAP, Websphere, WebLogic, ….

Users: Internet / Intranet; Employees, Associates, Contractors, Temps; Customers, Partners, Supply chain

Shared services:

- Authentication Service, used by applications
- Policy Service, used by applications
- Partner Identity Federation (SAML, SPML, XACML)
- Provisioning Applications
- Common User Directory, used by applications
- Auditing: Admin Activity; Change Reports; Who has what
- Provisioning Administration (XML, SPML): Role Based ID Provisioning; Workflow; Delegated Admin; Self Service; Password Mgt

Page 35

Identity Management Maturity Model (diagram; four stages, each separated from the next by a Gap)

1. Password Management (Active)
2. Consolidated Identity Management (Efficient)
3. Integrated Role & Entitlements Management (Responsive)
4. Federated Identity Management (Business Driven)

Additional labels on the slide: Initial Identity Management Technology and Initial Integrated Role & Entitlements Management

Page 36

Identity Lifecycle Process Maturity (matrix on the slide; rows: IT Organizational Characteristics, Technical Capabilities, Component Level. The last two rows are listed together per stage because the column layout does not survive extraction.)

Active: Password Management

IT Organizational Characteristics:
• Focused on Traditional Services
• Slow to Handle Change
• Silo-ed Administration
• Informal and Reactive Processes

Technical Capabilities / Component Level: Virtual Identity Directory; Enterprise Identity Inventory; Password Policy Enforcement; Centralized Password Management; Self-serve Password Reset; System/App Level Mgt of Users; Consistent Cross-platform Web Interface; Manual User Export from HR System

Efficient: Consolidated Identity Management

IT Organizational Characteristics:
• Change in Business Priorities
• IT Change Driven by Cost / Regulatory Pressure
• Commitment to Centralization and Automation
• Adopts ITIL Svc Mgt to Formalize Processes

Technical Capabilities / Component Level: Automated Identity Provisioning; Workflow Process Automation; Correlation with Authoritative Source (i.e. HR); Entitlement & Change Report Generation; Web/Desktop Password Reset; Identity Management System; Workflow Engine (Web forms, Rules); Identity Reporting System; Delegated User Administration; Feeds from HR Authoritative Source; Integration With Key Identity Systems

Responsive: Integrated Role & Entitlements Management

IT Organizational Characteristics:
• IT Now Involved in Business Change Planning
• Manages to SLA and Controls
• Integrated Enterprise-wide IT Management
• Tracks Performance of Processes

Technical Capabilities / Component Level: Automated Identity & Role Processing; Entitlements Exception Reporting; Syncs Multiple Authoritative Srcs (e.g. Contractors); Self-serve Registration Process; Role Management System; Feeds from All Authoritative Sources; Business Application Provisioning; Workflow for Application Security Review; Role-based Entitlements Management; Application Directory Integration; Integration With Business Apps & Infrastructure; Entitlement Synchronization System

Business-Driven: Federated Identity Management

IT Organizational Characteristics:
• Ready for Business-Driven Change
• Rapidly Support New Services and Customers
• Enables Support for Growing Partner Ecosystem
• Automated Process Improvement

Technical Capabilities / Component Level: Web Services Security; Interoperability w/ SPML & Enabling SAML; Automated Resource Provisioning; Federated Trust Management; Provisioning Authentication Technologies; Web Services Business Integration; Integration With Building Access Systems; Partner Identity Management; Integrated Business Processes; CMDB Integration

Page 37

Taking small steps first

Page 38

Securing your UNIX, Linux environment

Page 39

UNIX Audit Issues

- Use of Non-Essential Services
- Network Access
- Use of Unauthorized root access
- No monitoring of access to the root account
- Inappropriate password and password parameters
- Removal of idle user accounts
- Use of Generic Admin ID’s
- Umask Setting Improperly set
- Root Password not regularly Changed

(diagram categories: Audit & Monitoring; Network Control; Root Access; Password Quality; Account Management)

Page 40

HR Dept.

DBMS Admin

Sales Dept.

Internal/External Hackers

Access Control (diagram: the actors above all reach the servers through host-level access control)

Web, database and application servers require server security. Servers need protection at the host level, regulating all accesses.

Page 41

Native Security Architecture - Native Access Control (diagram)

USR1 requests: read (more) /finance/data

1. The request enters the OS kernel through the syscall table (read, open, exec, setuid, etc.).
2. The kernel decides using the UNIX file permission alone:

-rw-r--r-- 1 root sys 661 Feb 26 00:18 /finance/data

Page 42

Access Control Security Enhancement (diagram)

An AccessCtrl hook is placed in the syscall table (read, open, exec, setuid, etc.) ahead of the UNIX kernel; each request is checked against the Access Control Rules Database before the kernel sees it.

Access Control Rules Database:

| Resource | defaccess | User rules |
|---|---|---|
| /finance/data | NONE | usr1: read; usr3: none |
| /market/data | ALL | usr2: write; usr1: none |

Request 1: USR1 requests read (more) /finance/data: USER AUTHORIZED, REQUEST APPROVED

Request 2: USR1 requests read (more) /market/data: REQUEST DENIED

Page 43

Tracking the Real User

- eTrust Access Control tracks the original login id

| Method to change ID | Unix | eTrust Access Control |
|---|---|---|
| Initial login as Bill | Real id (Bill) | Login id (Bill) |
| Bill su’s to Ted | Effective id (Ted) | Login id (Bill) |
| Bill runs a root setuid program | Program owner (root) | Login id (Bill) |
| Bill runs unregistered login program to become Ted | Real id (Ted) | Login id (Bill) |
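A worked model of the flow on pages 41 to 43: the native UNIX permission bits, a rules database with per-user entries and a per-resource defaccess default consulted ahead of the kernel, and audit records that keep the original login id across su and setuid. This is an added illustration, not eTrust Access Control code; the rule format, the evaluation order, the /market/data file metadata and the "ted" rule entry are constructed assumptions.

```python
"""Model of the host access control on pages 41-43: native UNIX permission
check, an enhancement layer consulting an access rules database (per-user
entries plus a per-resource defaccess default) before the kernel sees the
request, and audit records that keep the login id across su and setuid.
Added illustration; rule syntax and evaluation order are assumptions."""
from dataclasses import dataclass, field

# --- Native UNIX discretionary access control (page 41) -------------------
OP_BIT = {"read": "r", "write": "w", "exec": "x"}


@dataclass
class FileInfo:
    mode: str          # ls -l style mode string, e.g. "-rw-r--r--"
    owner: str
    group: str


def dac_allows(f: FileInfo, user: str, groups: set, op: str) -> bool:
    """Classic owner/group/other bit check on an ls-style mode string."""
    perms = f.mode[1:10]               # drop the leading file-type character
    if user == f.owner:
        triplet = perms[0:3]
    elif f.group in groups:
        triplet = perms[3:6]
    else:
        triplet = perms[6:9]
    return OP_BIT[op] in triplet


# --- Access Control Rules Database (page 42) ------------------------------
ALL = frozenset({"read", "write", "exec"})
NONE = frozenset()


@dataclass
class ResourceRule:
    defaccess: frozenset                       # for users without an entry
    acl: dict = field(default_factory=dict)    # user -> permitted operations


# Rules as drawn on the slide: /finance/data defaults to NONE, /market/data
# to ALL.  The "ted" entry is constructed for the su example below.
RULES = {
    "/finance/data": ResourceRule(NONE, {"usr1": {"read"}, "usr3": set(),
                                         "ted": {"read"}}),
    "/market/data": ResourceRule(ALL, {"usr2": {"write"}, "usr1": set()}),
}

# Constructed file metadata; the /finance/data line is the one on the slide.
FILES = {
    "/finance/data": FileInfo("-rw-r--r--", "root", "sys"),
    "/market/data": FileInfo("-rw-rw-r--", "usr2", "market"),
}


def rules_allow(path: str, user: str, op: str) -> bool:
    rule = RULES.get(path)
    if rule is None:
        return True                    # unprotected resource: DAC decides
    return op in rule.acl.get(user, rule.defaccess)


# --- Tracking the real user (page 43) -------------------------------------
@dataclass
class Process:
    login_id: str          # fixed at the initial login, never changed after
    real_id: str
    effective_id: str
    groups: set = field(default_factory=set)

    def su(self, user: str):               # su: real and effective ids change
        self.real_id = self.effective_id = user

    def run_setuid(self, owner: str):      # setuid program: effective = owner
        self.effective_id = owner

    def unregistered_login(self, user: str):   # login-like program, not su
        self.real_id = self.effective_id = user


AUDIT = []          # one record per decision, always naming the login id


def decide(proc: Process, path: str, op: str) -> bool:
    """Rules layer first (it hooks the syscall table ahead of the kernel), then
    the native bits.  Assumption: rules match on the effective id; the audit
    record carries the original login id beside it."""
    acting = proc.effective_id
    if not rules_allow(path, acting, op):
        allowed, stage = False, "rules"
    elif not dac_allows(FILES[path], acting, proc.groups, op):
        allowed, stage = False, "dac"
    else:
        allowed, stage = True, "approved"
    AUDIT.append({"login": proc.login_id, "effective": acting, "path": path,
                  "op": op, "allowed": allowed, "stage": stage})
    return allowed


if __name__ == "__main__":
    bill = Process("bill", "bill", "bill")
    bill.su("ted")                        # Unix now sees effective id ted
    decide(bill, "/finance/data", "read")
    print(AUDIT[-1])                      # record still names login id bill
```

Note that the rules layer denies usr1 on /market/data even though defaccess is ALL and the file is world-readable, while usr7 writing /market/data passes the rules (defaccess ALL) and is then stopped by the native bits, so the audit record shows which layer made each decision.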

Page 44

Audit and Reporting

Security Command Center(Dashboard and Reporting)

Page 45

Top Five Benefits

- Regulatory compliance (data confidentiality)

- Role separation enforcement

- Ease of cross platform management

- Least privilege model realization

- Audit log integrity assurance

Page 46

eTrust Access Control

- Know

- Who: can access resources

- What: they can do with the resources

- When: access is allowed

- Where: access is allowed from

- Why: access is needed

- Role-based Access Control
- Data Confidentiality Protection
- Host-based Intrusion Prevention (HIP)
- Centralized Security Management
- Secure Auditing

Page 47

Security Management “Back to the basics”

- QUESTIONS?

- Thank You.