People, Process, Technology: “Back to the Basics”
Security Management
Serge Bertini, Director Security Solution, CA
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
Recent Security Surveys
Can you trust an ATM?
Cash machine fraud gang is jailed. “A gang of illegal immigrants that admitted stealing more than £600,000 in a "sophisticated" cash machine scam has been jailed at Southwark Crown Court.” BBC News, July 1st, 2005
Fake ATM facades were used across London to record financial details and pillage accounts, the court heard.
Phishing
Phishing pair jailed for ID fraud. “A UK-based American citizen has been jailed for six years after stealing up to £6.5m through identity fraud.” BBC News, July 1st, 2005
Douglas Havard, from Dallas, Texas, made fake credit cards with stolen bank details as part of a global syndicate. The scam relied on phishing - by which online account holders are induced to give away their personal details.
CSI/FBI Computer Crime and Security Survey (2006)
- “Unauthorized Access” showed a dramatic increase: it was the second most significant contributor to computer crime losses, accounted for 24% of overall reported losses, and showed a significant increase in average dollar loss
- 52% of organizations surveyed experienced unauthorized use of computer systems in the last 12 months
- 32% of attacks or misuse were related to unauthorized access to information
- Over 82% of large organizations reported an identified breach in the last year
CERT Insider Threat Survey (2005)
Majority of attacks due to:
- compromised computer accounts
- unauthorized backdoor accounts
- use of shared accounts
PWC Survey of Canadian Companies (2005)
- >55% of companies were victims of fraud
- Average loss of $1.7 million (US)
- >1/3 of companies reported that company reputation, brand equity and business relationships were negatively affected by the crime
- 61% of fraudsters were insiders
- One of top 3 reasons cited for fraud being committed is insufficient controls
- Survey showed that probability of uncovering economic fraud is strongly dependent on the number and effectiveness of control mechanisms in place
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
e-Identity Revolution
[Figure: adoption curve of e-identity. Stages, from earliest to next generation: Employees with multiple IDs; Employees with a single user ID; B2B, employees and partners; B2C, customers, partners and employees (cable TV, video on demand, etc.); Next generation, the world via their mobile phone. The curve is annotated with where mainstream adopters and leading edge adopters are today.]
Customer Service Enablement
- Challenge
- Provide individualized services and content,
- To 10’s of millions of customers,
- On Demand, Reliably, and Securely.
- Examples
- Bank planning to manage 100 million customers. US cable TV/ISP with 5.3 million subscribers.
- Canadian cable TV operator with over 2 million subscribers.
Challenges
- Managing Risk
- New ways to commit Fraud, Theft
- Compliance with Laws and Regulations
- Governance, Privacy, & Freedom of Information
- Financial Discipline
- Too much Labour, Under Utilized Capital
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
Perceived Major Causes of Risk
[Chart: percentage of respondents rating each cause as a major risk now, as a major risk in the future, or as not a major issue. Causes listed: human incompetence, threat from disgruntled employee; computer, network or software failure; increasingly clever methods of attack, e.g. more complex viruses, spyware; theft of corporate equipment; extension of corporate network through remote working, wireless access; hacking or competitor espionage; terrorist threat, natural disaster, fire.]
Source: IT Security Strategy – Review of Attitudes, Activities and Plans (June 2004), Jon Collins, Quocirca Ltd
Deployed IT Security Technology
[Chart: deployment status of each technology (in place; piloting/limited rollout; actively considering; future option; not planned; outsourced; status unclear). Technologies listed: anti-virus and spyware protection; SPAM protection; intrusion protection; virtual private network; software patch management; single sign on, authentication, password management; vulnerability assessment; centralised security event management; identity and access management, application provisioning.]
Source: IT Security Strategy – Review of Attitudes, Activities and Plans (June 2004), Jon Collins, Quocirca Ltd
Identity and Risk
- Individual
- Financial Loss
- Inconvenience
- Loss of privacy
- Loss of reputation
- Reduced Creditworthiness
- Arrest by law enforcement
- Criminal charges
- Organization
- Loss of proprietary information
- Loss of confidential information
- Loss due to Theft and Fraud
- Loss of reputation
- Damage to brand
- Damage to share value
- Fines and sanctions
- Criminal charges
Identity Theft – Risk to Organization
Thousands hit by US identity theft. “Politicians have stepped up their calls for greater regulation of the data collection industry in the wake of a security breach that may have led to more than 140,000 Americans having their identities stolen.” Daily Telegraph, by David Litterick in New York (filed February 24th, 2005)
“ChoicePoint, a data warehousing company, is facing a raft of lawsuits after it admitted that thieves, apparently using identities already stolen, created what appeared to be legitimate debt-collecting and cheque-cashing businesses seeking ChoicePoint's services. They then opened 50 accounts and received volumes of data on consumers, including names, addresses, social security numbers and credit reports.”
Employee Fraud – Risk to Organization
Rerouted: Former Cisco Accountants Sent Up the River. Former finance department workers swindled networking specialist out of $7.8 million. Stephen Taub, CFO.com, November 28th, 2001
Two former Cisco Systems Inc. accountants are heading to prison…. Geoffrey Osowski, 30, and Wilson Tang, 35, were each sentenced to 34 months in prison for transferring $7.8 million in company stock to their personal brokerage accounts. The maximum sentence for the crime is five years. The two accountants illegally accessed Cisco’s programs for managing stock-option disbursements and granted themselves 230,550 shares over six months starting in October 2000, according to wire service reports, citing prosecutors.
E-Identity / IT Asset Protection: What is it?
Asset Protection – Protecting critical corporate resources, of all types, against unauthorized (inadvertent or malicious) access. Requires effective management of all users and their access rights.
Let’s look at the types of assets that need protection...
Asset Protection
[Figure, built up over five slides: web users, users and admins reaching Unix, Windows and mainframe hosts and enterprise apps (ERP/CRM). Each build adds one class of asset to protect:]
- Web Apps & Web Services
- Enterprise Apps (SAP, PS, etc.)
- Servers: user accounts, system files, critical DBs, system processes, log/audit files
- Admin Rights: root access rights, control of system processes
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
Top 10 Control Deficiencies*
- #10 System documentation does not match actual process
- #9 Procedures for manual processes do not exist or are not followed
- #8 Custom programs, tables & interfaces are not secured
- #7 Posting periods not restricted within GL application
- #6 Terminated employees or departed consultants still have access
- #5 Large number of users with access to “super user” transactions in production
- #4 Development staff can run business transactions in production
- #3 Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, Peoplesoft, JDE) not secure
- #2 Operating System (e.g. Unix) access controls supporting financial applications or Portal not secure
- #1 Unidentified or unresolved segregation of duties issues
* Ken Vander Wal, National Quality Leader, E&Y, ISACA Sarbanes Conference, 4/6/04
7 of the top 10 deficiencies relate to the management of user identities and access
Return on Negligence: Cost of Doing Nothing
[Table: the slide splits the cost of doing nothing into tangible and intangible costs, each listed as avoidable risks and missed opportunities.]
Avoidable risks:
- Damage by unauthorized access
- Damage by fraud
- Damage to information systems
- Damage by data theft
Missed opportunities:
- Unfulfilled potential revenue
- Loss of potential customers
- Reduction in administration costs
- Reduction in help desk costs
- Increased end user productivity
- Reduction in IT purchasing costs
- Smooth interaction with partners, suppliers and customers
- Ability to transact securely
- Centralised administration
- Coherent approach to access
Standards and Compliance
- Normally government regulations do not specify in detail what is required to comply. Useful standards are:
- COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) report, Internal Control—Integrated Framework.
- COBIT: Control Objectives for Information and related Technology (COBIT), introduced in 1996, is a framework of generally applicable and accepted Information Technology (IT) governance and control practices.
- ISO 17799: “A comprehensive set of controls comprising best practices in information security”; an internationally recognized generic information security standard.
- ITIL: The IT Infrastructure Library, developed by the UK government's CCTA in the 1980s as documented good practice for running IT services; it defines the processes and activities needed to support IT services.
CoBiT and BS7799 - Identity Considerations
CoBiT control | Corresponding BS7799 control
DS 3.5 Technology Standards | 10.1 Security Requirements of Systems
PO 4.1 Segregation of Duties | 8.1 Operational Procedures and Responsibilities
PO 4.6 Responsibility for Security | 4.1 Manage Information Security
PO 4.7 Ownership and Custodianship | 5.1 Accountability for Assets
DS 5.2 Identification, Authentication and Access | 9.4, 9.5, 9.6 Network, OS and Application Access Control
DS 5.3 Security of Online Access to Data | 9.1 Business Requirement for Access Control
DS 5.4 User Account Management | 9.2 User Access Management
DS 5.5 Management Review of User Accounts | 9.2.4 Review of User Access Rights
DS 5.6 User Control of User Accounts | 9.3 User Responsibilities
DS 5.7 Security Surveillance | 9.7 Monitoring System Access and Use
DS 5.8 Data Classification | 5.2 Information Classification
DS 5.9 Central Identification and Access Rights Mgt | 9.2 User Access Management
DS 5.10 Violation and Security Activity Reports | 9.7 Monitoring System Access and Use
(no CoBiT counterpart listed) | 4.2 Security of Third Party Access
DS 5.4 - User Account Management / BS7799 - 9.2 User Access Management
Maturity | Process | Technology support
1 | Manual account management process documented and owners defined | Virtual user directory; password management tools
2 | Provisioning and delegated account management processes defined | Provisioning workflow system; master provisioning source (HR); reporting toolset
3 | Role definition owners and processes defined; application security conformance to identity standards reviewed | Role based provisioning and administration system; application integration
4 | Processes for partners managing accounts under federated trust relationships defined | Federated provisioning
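The "reporting toolset" and "master provisioning source (HR)" at maturity level 2 exist to catch exactly the deficiencies the Top 10 slide ranks #6 (terminated staff still holding access) and #1 (unresolved segregation of duties). The following is an added example, not code from this deck or from any CA product: it correlates an account inventory with an HR feed and reports orphaned accounts and toxic role combinations. The HR records, accounts, systems and role names are constructed sample data, and the toxic-pair list is an assumption standing in for whatever an organisation's SoD matrix says.

```python
"""Reconcile system accounts against an authoritative HR source.

Added example (not from the CA deck): finds accounts whose owner is gone or
unknown (#6) and people holding a toxic combination of roles (#1). All data
below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

AS_OF = date(2005, 7, 15)          # assumed reporting date

@dataclass(frozen=True)
class Worker:
    person_id: str
    status: str                    # "active" or "terminated"
    end_date: Optional[date]

@dataclass(frozen=True)
class Account:
    system: str
    login: str
    person_id: Optional[str]       # None when no HR record could be correlated
    roles: FrozenSet[str]
    last_login: Optional[date]

# Constructed HR feed: the "master provisioning source (HR)".
HR_FEED = {
    "P001": Worker("P001", "active", None),
    "P002": Worker("P002", "terminated", date(2005, 5, 31)),
    "P003": Worker("P003", "active", None),
}

# Constructed account inventory pulled from three target systems.
ACCOUNTS = [
    Account("sap-prod", "alice", "P001", frozenset({"AP_INVOICE_ENTRY"}), date(2005, 7, 1)),
    Account("sap-prod", "bob", "P002", frozenset({"AP_INVOICE_ENTRY"}), date(2005, 6, 20)),
    Account("unix-fin01", "bob", "P002", frozenset({"wheel"}), date(2005, 6, 2)),
    Account("sap-prod", "carol", "P003",
            frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}), date(2005, 7, 3)),
    Account("oracle-fin", "svc_batch", None, frozenset({"DBA"}), None),
]

# Assumed SoD matrix: role sets one person must never hold together.
SOD_CONFLICTS = [
    (frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
     "enter and release the same payment"),
]

def orphaned_accounts(accounts, hr_feed, as_of):
    """Accounts whose owner is terminated in HR (#6) or has no HR record at all."""
    findings = []
    for acct in accounts:
        worker = hr_feed.get(acct.person_id) if acct.person_id else None
        if worker is None:
            findings.append((acct.system, acct.login, "no authoritative owner"))
        elif worker.status == "terminated" and (
                worker.end_date is None or worker.end_date <= as_of):
            findings.append((acct.system, acct.login,
                             f"owner {worker.person_id} terminated {worker.end_date}"))
    return findings

def sod_violations(accounts, conflicts):
    """Union each person's roles across every system, then test each toxic set (#1).

    Checking per system would miss a conflict split across SAP and the database,
    which is why the union is taken first.
    """
    roles_by_person = {}
    for acct in accounts:
        if acct.person_id:
            roles_by_person.setdefault(acct.person_id, set()).update(acct.roles)
    findings = []
    for person_id, roles in sorted(roles_by_person.items()):
        for toxic, why in conflicts:
            if toxic <= roles:
                findings.append((person_id, tuple(sorted(toxic)), why))
    return findings

if __name__ == "__main__":
    for f in orphaned_accounts(ACCOUNTS, HR_FEED, AS_OF):
        print("ORPHAN", *f)
    for f in sod_violations(ACCOUNTS, SOD_CONFLICTS):
        print("SOD", *f)
```

On the constructed data this reports bob's two accounts (owner terminated on 31 May), the uncorrelated svc_batch DBA account, and carol's entry/release combination; the real value of the level-2 controls is that the same two functions run unchanged against nightly exports.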
DS 5.6 - User Control of User Accounts / BS7799 - 9.3 User Responsibilities
Maturity | Process | Technology support
1 | Self service password reset, forgotten password and account unlock process documented and owners defined | Self service password/account management
2 | Processes defined for self administration of user accounts and access requests | Workflow system allowing end users to raise requests and track progress
3 | Processes defined for self service registration and administration of enterprise users | Workflow and role based self administration system; application integration
4 | Processes defined for self service registration and administration of partner users based on federated trust relationships | Delegated administration of federated users
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
Identity and Access Management
- Managing who can do what is at the very core of security
- Authentication
- Authorisation
- Auditing
- Administration
- Populations covered: employees, partners, customers
Identity Lifecycle Technology Maturity
[Figure: identity technology components mapped onto the enterprise. Legend: single sign-on, flexible authentication, RBAC, legacy, web, desktop, no change.]
- Extranet Access Management: web authentication, role based access control, web single sign-on, user self-service
- Server Access Management: role based access control, administration with separation of duties, server hardening
- Enterprise Infrastructure: HR system; help desk; physical badges (building access, zone access); desk telephone, mobile phone, PDA; IS platforms (Windows domain, email, mainframe, DBMS, portal applications); IS applications (CRM, ERP, SCM, SAP, WebSphere, WebLogic, …)
- Populations: employees, associates, contractors and temps on the intranet; customers, partners and supply chain on the Internet
- Shared services used by applications: authentication service, policy service, common user directory
- Partner identity federation (SAML) and provisioning of applications (SPML, XACML)
- Auditing: admin activity, change reports, who has what
- Provisioning administration (XML, SPML): role based ID provisioning, workflow, delegated admin, self service, password management
Identity Management Maturity Model
[Figure: four stages, each separated from the next by a gap to close:]
1. Password Management (Active)
2. Consolidated Identity Management (Efficient)
3. Integrated Role & Entitlements Management (Responsive)
4. Federated Identity Management (Business Driven)
Identity Lifecycle Process Maturity
[Table: for each of the four maturity stages, the IT organizational characteristics, the technical capabilities and the component-level technologies, reconstructed from the slide text.]
Stage 1 - Password Management (Active)
IT organizational characteristics:
- Focused on Traditional Services
- Slow to Handle Change
- Silo-ed Administration
- Informal and Reactive Processes
Technical capabilities and components:
- Enterprise Identity Inventory
- Password Policy Enforcement
- Centralized Password Management
- Self-serve Password Reset
- Virtual Identity Directory
- System/App Level Mgt of Users
- Consistent Cross-platform Web Interface
- Manual User Export from HR System
Stage 2 - Consolidated Identity Management (Efficient)
IT organizational characteristics:
- Change in Business Priorities
- IT Change Driven by Cost / Regulatory Pressure
- Commitment to Centralization and Automation
- Adopts ITIL Svc Mgt to Formalize Processes
Technical capabilities and components:
- Automated Identity Provisioning
- Workflow Process Automation
- Correlation with Authoritative Source (i.e. HR)
- Entitlement & Change Report Generation
- Web/Desktop Password Reset
- Identity Management System
- Workflow Engine (Web forms, Rules)
- Identity Reporting System
- Delegated User Administration
- Feeds from HR Authoritative Source
- Integration With Key Identity Systems
Stage 3 - Integrated Role & Entitlements Management (Responsive)
IT organizational characteristics:
- IT Now Involved in Business Change Planning
- Manages to SLA and Controls
- Integrated Enterprise-wide IT Management
- Tracks Performance of Processes
Technical capabilities and components:
- Automated Identity & Role Processing
- Entitlements Exception Reporting
- Syncs Multiple Authoritative Srcs (e.g. Contractors)
- Self-serve Registration Process
- Role Management System
- Feeds from All Authoritative Sources
- Business Application Provisioning
- Workflow for Application Security Review
- Role-based Entitlements Management
- Application Directory Integration
- Integration With Business Apps & Infrastructure
- Entitlement Synchronization System
Stage 4 - Federated Identity Management (Business-Driven)
IT organizational characteristics:
- Ready for Business-Driven Change
- Rapidly Support New Services and Customers
- Enables Support for Growing Partner Ecosystem
- Automated Process Improvement
Technical capabilities and components:
- Web Services Security
- Interoperability w/SPML & Enabling SAML
- Automated Resource Provisioning
- Federated Trust Management
- Provisioning Authentication Technologies
- Web Services Business Integration
- Integration With Building Access Systems
- Partner Identity Management
- Integrated Business Processes
- CMDB Integration
Taking small steps first: Securing your UNIX, Linux environment
UNIX Audit Issues
- Use of non-essential services
- Network access
- Use of unauthorized root access
- No monitoring of access to the root account
- Inappropriate password and password parameters
- Removal of idle user accounts
- Use of generic admin IDs
- Umask setting improperly set
- Root password not regularly changed
Control areas these fall under: Audit & Monitoring; Network Control; Root Access; Password Quality; Account Management
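Most of the audit issues above can be checked mechanically from a handful of files. The following is an added example, not part of this deck or of eTrust Access Control: one `audit()` function that reads constructed copies of /etc/passwd, /etc/shadow, /etc/login.defs and /etc/inetd.conf plus a constructed last-login table, and returns a finding per issue. The thresholds (90 idle days, 90-day root password age, the list of "generic" login names, the set of non-essential inetd services) are assumptions to be tuned to local policy; nothing here reads the live host.

```python
"""Scripted checks for the UNIX audit issues on the slide.

Added example, not CA code. Every input below is a constructed sample; on a
real host the strings would come from the files of the same name.
"""
from datetime import date

AS_OF = date(2005, 7, 15)           # assumed audit date
EPOCH = date(1970, 1, 1)            # /etc/shadow ages are days since this date
IDLE_DAYS = 90                      # assumption: flag accounts idle longer than this
ROOT_PW_MAX_AGE = 90                # assumption: root password must rotate within this
GENERIC_IDS = {"admin", "oper", "operator", "dbadmin", "sysadm"}   # assumed shared logins
NON_ESSENTIAL = {"telnet", "finger", "rsh", "rlogin", "rexec", "tftp"}  # assumed list

# Constructed sample files.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/ksh
dbadmin:x:1002:100:Shared DBA login:/home/dbadmin:/bin/sh
oldjoe:x:1003:100:Joe:/home/oldjoe:/bin/sh
"""
# shadow fields: name:hash:lastchg(days since epoch):min:max:warn:inact:expire:flag
SHADOW = """\
root:$1$xx:12600:0:99999:7:::
alice:$1$yy:12950:0:90:7:::
"""
LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
UMASK           022
"""
INETD_CONF = """\
#ftp   stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd
telnet stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
"""
# Constructed equivalent of `last`/lastlog output: login name -> most recent login.
LAST_LOGIN = {"root": date(2005, 7, 14), "alice": date(2005, 7, 10), "oldjoe": date(2005, 1, 3)}

def audit(passwd=PASSWD, shadow=SHADOW, login_defs=LOGIN_DEFS,
          inetd=INETD_CONF, last_login=LAST_LOGIN, as_of=AS_OF):
    """Return (control area, subject, detail) tuples, one per finding."""
    findings = []
    users = [line.split(":") for line in passwd.splitlines()
             if line and not line.startswith("#")]
    # Root access: any second UID-0 account is an unauthorised path to root.
    for u in users:
        if u[2] == "0" and u[0] != "root":
            findings.append(("root-access", u[0], "extra UID 0 account"))
    # Account management: shared/generic admin IDs and idle or never-used accounts.
    for u in users:
        name = u[0]
        if name in GENERIC_IDS:
            findings.append(("account-mgmt", name, "generic admin ID"))
        last = last_login.get(name)
        if last is None:
            findings.append(("account-mgmt", name, "never logged in"))
        elif (as_of - last).days > IDLE_DAYS:
            findings.append(("account-mgmt", name, f"idle {(as_of - last).days} days"))
    # Password quality: system-wide aging/length parameters, umask, root password age.
    defs = dict(line.split() for line in login_defs.splitlines() if line.strip())
    if int(defs.get("PASS_MAX_DAYS", "99999")) > 90:
        findings.append(("password", "PASS_MAX_DAYS", defs.get("PASS_MAX_DAYS")))
    if int(defs.get("PASS_MIN_LEN", "0")) < 8:
        findings.append(("password", "PASS_MIN_LEN", defs.get("PASS_MIN_LEN")))
    if defs.get("UMASK", "000") not in ("027", "077"):
        findings.append(("password", "UMASK", defs.get("UMASK")))
    for line in shadow.splitlines():
        f = line.split(":")
        if f[0] == "root" and f[2].isdigit():
            age = (as_of - EPOCH).days - int(f[2])
            if age > ROOT_PW_MAX_AGE:
                findings.append(("password", "root", f"password {age} days old"))
    # Network control: non-essential services still enabled in inetd.conf.
    for line in inetd.splitlines():
        if line and not line.startswith("#"):
            svc = line.split()[0]
            if svc in NON_ESSENTIAL:
                findings.append(("network", svc, "non-essential service enabled"))
    return findings

if __name__ == "__main__":
    for area, subject, detail in audit():
        print(f"{area:13} {subject:14} {detail}")
```

The one issue on the slide this does not cover is "no monitoring of access to the root account": that is a logging requirement (the real login id behind every su and setuid transition), not something the static files expose, which is the point of the later "Tracking the Real User" slide.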
Access Control
[Figure: HR Dept., DBMS Admin, Sales Dept. and internal/external hackers all reaching the same web, database and application servers; the hacker paths are marked with crosses as blocked.]
- Web, database and application servers require server security
- Servers need protection at the host level, regulating all accesses
Native Security Architecture - Native Access Control
[Figure: USR1 requests read (via more) on /finance/data. The request enters the OS kernel through the syscall table (read, open, exec, setuid, etc.) and is decided solely by the file's UNIX permission bits:]
-rw-r--r-- 1 root sys 661 Feb 26 00:18 /finance/data
With these bits every user on the host may read the file; the native check cannot distinguish one non-root user from another.
Access Control Security Enhancement
[Figure: the same requests now pass through an access control hook inserted in front of the syscall table entries (read, open, exec, setuid, etc.) in the UNIX kernel. The hook consults an access control rules database before the native permission check.]
Access control rules database:
/finance/data: usr1 read; usr3 none; defaccess=NONE
/market/data: usr2 write; usr1 none; defaccess=ALL
1. USR1 requests read (more) /finance/data: user authorized, request approved
2. USR1 requests read (more) /market/data: request denied (usr1 is explicitly none, even though defaccess=ALL for that file)
Tracking the Real User
- eTrust Access Control tracks the original login id
Method to change ID | Unix sees | eTrust Access Control sees
Initial login as Bill | Real id (Bill) | Login id (Bill)
Bill su's to Ted | Effective id (Ted) | Login id (Bill)
Bill runs a root setuid program | Effective id = program owner (root) | Login id (Bill)
Bill runs an unregistered login program to become Ted | Real id (Ted) | Login id (Bill)
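The two ideas on the "Access Control Security Enhancement" and "Tracking the Real User" slides fit together: the rule layer only stops identity laundering if it keys its decisions on the login id that survives su and setuid. The following is an added example that models that combination; it is not eTrust Access Control code and makes no claim about how that product is built. The rule database and file modes are taken from the slide examples, the `Cred`/`su`/`run_setuid` helpers and the treatment of unregistered resources are this example's own assumptions, and the ordering none < read < write < all is an assumed simplification.

```python
"""Reference monitor: rule layer keyed on login id, then native DAC.

Added example modelled on the two slides above; not CA code. Rules, modes and
users are the slide's, the helper names and scenarios are constructed.
"""
from dataclasses import dataclass, replace

@dataclass
class Cred:
    login_id: str       # who logged in; never changes for the session
    real: str           # real uid (by name)
    effective: str      # effective uid (by name)

@dataclass
class Rule:
    acl: dict           # user -> "read" | "write" | "none"
    defaccess: str      # "NONE" or "ALL": applies to users absent from the acl

# Constructed rule database: the slide's two resources.
RULES = {
    "/finance/data": Rule({"usr1": "read", "usr3": "none"}, "NONE"),
    "/market/data":  Rule({"usr2": "write", "usr1": "none"}, "ALL"),
}
# Constructed native metadata (mode, owner, group), per the slide's ls -l line.
NATIVE = {
    "/finance/data": (0o644, "root", "sys"),
    "/market/data":  (0o644, "root", "sys"),
}
GROUPS = {"sys": {"root"}}
AUDIT = []                          # (login id, effective id, path, op, decision)
LEVEL = {"none": 0, "read": 1, "write": 2, "all": 3}   # assumed ordering

def native_allows(cred, path, op):
    """Classic UNIX DAC on the effective id: root bypasses, else owner/group/other bits."""
    mode, owner, group = NATIVE[path]
    if cred.effective == "root":
        return True
    if cred.effective == owner:
        bits = (mode >> 6) & 7
    elif cred.effective in GROUPS.get(group, set()):
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bool(bits & (4 if op == "read" else 2))

def rule_allows(cred, path, op):
    """Enhancement layer: decides on the login id, so su/setuid cannot launder identity."""
    rule = RULES.get(path)
    if rule is None:
        return True                 # assumption: unregistered resources fall back to native DAC
    level = rule.acl.get(cred.login_id)
    if level is None:
        level = "all" if rule.defaccess == "ALL" else "none"
    return LEVEL[level] >= LEVEL[op]

def access(cred, path, op):
    """Both layers must approve; the enhancement tightens but never loosens native DAC."""
    decision = rule_allows(cred, path, op) and native_allows(cred, path, op)
    AUDIT.append((cred.login_id, cred.effective, path, op,
                  "APPROVED" if decision else "DENIED"))
    return decision

def su(cred, target):
    """su: real and effective ids change; the login id is retained."""
    return replace(cred, real=target, effective=target)

def run_setuid(cred, program_owner):
    """A setuid program runs with its owner's effective id; login id unchanged."""
    return replace(cred, effective=program_owner)

if __name__ == "__main__":
    usr1 = Cred("usr1", "usr1", "usr1")
    access(usr1, "/finance/data", "read")          # slide case 1: approved
    access(usr1, "/market/data", "read")           # slide case 2: denied
    bill = Cred("bill", "bill", "bill")
    access(su(bill, "root"), "/finance/data", "read")          # root, but login id bill: denied
    access(run_setuid(bill, "root"), "/finance/data", "read")  # same via setuid: denied
    for rec in AUDIT:
        print(*rec)
```

Two things the slides state become visible when this runs. First, the world-readable mode bits would let usr2 read /finance/data, but the rule layer's defaccess=NONE denies it; conversely usr2's rule-layer write on /market/data is still refused because the mode bits do not grant it, so the hook only ever narrows native access. Second, Bill reaching root via su or a setuid program passes the native check outright yet is still denied, and the audit record names bill as the login id with root as the effective id, which is the "no monitoring of access to the root account" gap closed.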
Audit and Reporting
Security Command Center(Dashboard and Reporting)
Top Five Benefits
- Regulatory compliance (data confidentiality)
- Role separation enforcement
- Ease of cross platform management
- Least privilege model realization
- Audit log integrity assurance
eTrust Access Control
- Know
- Who: can access resources
- What: they can do with the resources
- When: access is allowed
- Where: access is allowed from
- Why: access is needed
- Role-based Access Control
- Data Confidentiality Protection
- Host-based Intrusion Prevention (HIP)
- Centralized Security Management
- Secure Auditing
Security Management“Back to the basics”
- QUESTIONS?
- Thank You.