Gerard Verweij - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Gerard Verweij Partner Information Security
2
The Security audit
  • Security requirements, issues and challenges
  • Security Framework
  • Policies and Standards
  • Tips

3
A Framework for understanding Information
Security
  • Let's start with a definition of Information
    Security

Information security includes the people,
processes and technology necessary to ensure the
confidentiality, integrity and availability of an
organization's information resources, in whatever
form those resources exist.
4
Security requirements, issues and challenges
5
Current key Questions to Ask
  • How vulnerable / exposed is your organization to
    security threats and interruptions? How would
    you know that you were exposed or under attack?
  • What is your organization's ability to respond to
    security incidents (e.g., denial of service,
    cyber-crime)?
  • Are you getting value for your security dollar
    spent? Are there any cost or efficiency
    opportunities?
  • How well is security integrated into new business
    and technology initiatives?
  • Are you taking your business to the Internet?
    Have you thought through the security
    ramifications?
  • How well does your current security
    infrastructure (i.e., organization, process,
    policy, technology) match your future business
    strategy and business needs/requirements?
  • How do you compare to your peers? Your industry?

6
Defining the Business Problem
  • "The key question is not whether to deploy
    Internet technology (companies have no choice if
    they want to stay competitive) but how to deploy
    it."
  • Strategy and the Internet, Harvard Business
    Review, March 01

The medium and longer-term outlook for security
remains strong:
  • Companies will increasingly employ the Internet
    as a means for competitive advantage
  • Companies are finding that chronic
    under-investment in security is hampering the
    implementation of their Internet initiatives
7
Security . . . the Threat
8
How do you manage the user's identity and
credentials across the enterprise application
landscape?
9
e-Business Security Challenges
  • Protect corporate network resources against
    internal and external threats
  • Provide worldwide connectivity for mobile and
    remote employees and customers
  • Use the Internet to lower wide area data
    communication costs
  • Provide business partners with selective
    network access through a secure extranet
  • Guarantee secure network performance,
    reliability and availability
  • Define and enforce user-level security policies
    across the network
  • Immediately detect and respond to attacks and
    suspicious activity against the network
  • Securely and efficiently manage the network's
    IP address infrastructure
  • Implement an open security solution that
    allows integration with other applications
  • Manage the total cost of ownership across the
    secure network

10
The Five Worst Security Mistakes End Users Make
  • 1) Opening unsolicited email attachments without
    verifying their source and checking their
    content first.
  • 2) Failing to install security patches,
    especially MS Office, IE and Netscape.
  • 3) Installing screen savers or games without
    safety guarantees.
  • 4) Not making and testing backups.
  • 5) Connecting a modem to a phone line while the
    same computer is connected to a LAN.

11
The Ten Worst Mistakes Information Technology
People Make
  • 1) Connecting systems to the Internet before
    hardening them (removing unnecessary devices and
    patching necessary ones).
  • 2) Connecting test systems to the Internet with
    default accounts and passwords.
  • 3) Failing to update systems when security
    vulnerabilities are found and patches or upgrades
    are available.
  • 4) Using telnet and other unencrypted protocols
    for managing systems, routers, firewalls and PKI
    (Public Key Infrastructure).
  • 5) Giving users passwords over the phone, or
    changing passwords in response to telephone or
    personal request when the requester is not
    authenticated.
  • 6) Failing to maintain and test backups.
  • 7) Running unnecessary services, especially ftpd,
    telnetd, finger, rpc, mail, rservices (some of
    these are Unix specific).
  • 8) Implementing firewalls with rules that allow
    malicious or dangerous traffic - incoming or
    outgoing.
  • 9) Failing to implement or update virus detection
    software.
  • 10) Failing to educate users on what to look for
    and what to do when they see a potential security
    problem.
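Several items on this list can be checked mechanically during an audit rather than by interview. The following Python script is an added example and is not part of the presentation: it parses a constructed `ss -ltn`-style socket listing for the cleartext and unnecessary services named in items 4 and 7 (telnet, ftp, finger, rpc, mail, r-services), distinguishes loopback-only listeners from network-exposed ones, flags enabled accounts that still carry a default password (item 2) and outstanding security patches (item 3), and rolls the results into one pass/fail report. The port-to-service table, host names, socket listing, account inventory and patch count are all constructed for the example.

```python
"""Automated checks for several items on the 'worst mistakes IT people make'
list: cleartext or unnecessary services left listening (items 4 and 7),
default accounts on Internet-connected systems (item 2), and unapplied
security patches (item 3). Example code added to this transcript; the socket
listing and account inventory below are constructed, not captured."""

# Ports of the services the slide names, keyed to a short description.
RISKY_SERVICES = {
    21: "ftpd (cleartext file transfer)",
    23: "telnetd (cleartext management)",
    25: "mail (smtpd)",
    79: "finger",
    111: "rpc portmapper",
    512: "rexec (r-services)",
    513: "rlogin (r-services)",
    514: "rsh (r-services)",
}

LOOPBACK = ("127.0.0.1", "::1")

# Constructed `ss -ltn`-style listing for one host (not a real capture).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       5       127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*
LISTEN  0       50      [::]:21              [::]:*
"""

# Constructed account inventory: whether each account is enabled and whether
# the provisioning record still marks it as carrying the vendor default password.
ACCOUNTS = [
    {"user": "root", "enabled": True, "default_password": False},
    {"user": "admin", "enabled": True, "default_password": True},
    {"user": "guest", "enabled": True, "default_password": True},
    {"user": "test", "enabled": False, "default_password": True},
]


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN row; tolerates IPv6 brackets."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def service_findings(listeners):
    """Flag risky listeners; a loopback-only bind is reported but rated lower."""
    findings = []
    for addr, port in listeners:
        if port in RISKY_SERVICES:
            scope = "loopback only" if addr in LOOPBACK else "network-exposed"
            findings.append((port, RISKY_SERVICES[port], scope))
    return findings


def credential_findings(accounts):
    """Enabled accounts still on a default password; disabled ones are ignored."""
    return [a["user"] for a in accounts if a["enabled"] and a["default_password"]]


def audit_host(name, internet_facing, ss_output, accounts, missing_patches):
    """Combine the checks into one report with a simple pass/fail verdict."""
    services = service_findings(parse_listeners(ss_output))
    exposed = [f for f in services if f[2] == "network-exposed"]
    defaults = credential_findings(accounts)
    report = {
        "host": name,
        "risky_services": services,
        "default_accounts": defaults,
        "missing_patches": missing_patches,
    }
    # Fail if a cleartext/unnecessary service faces the network, a default
    # account is live on an Internet-connected host, or patches are outstanding.
    report["pass"] = (not exposed
                      and not (internet_facing and defaults)
                      and missing_patches == 0)
    return report


if __name__ == "__main__":
    result = audit_host("web01", True, SS_OUTPUT, ACCOUNTS, missing_patches=3)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed host the report fails on three counts: telnet, rpc and ftp are bound to all interfaces, `admin` and `guest` are enabled with default passwords on an Internet-facing system, and three patches are outstanding; the loopback-bound mail listener is reported but does not by itself fail the host. In a real audit the listing would come from running `ss -ltn` (or `netstat`) on the target and the account flags from the provisioning or configuration-management system.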

12
The Seven Worst Security Mistakes Senior
Executives Make
  • 1) Assigning untrained people to maintain
    security and providing neither the training
    nor the time to make it possible to learn and do
    the job.
  • 2) Failing to understand the relationship of
    information security to the business problem -
    they understand physical security but do not see
    the consequences of poor information security.
  • 3) Failing to deal with the operational aspects
    of security: making a few fixes and then not
    allowing the follow-through necessary to ensure
    that problems stay fixed.
  • 4) Relying primarily on a firewall.
  • 5) Failing to realize how much money their
    information and organizational reputations are
    worth.
  • 6) Authorizing reactive, short term fixes so
    problems re-emerge rapidly.
  • 7) Pretending the problem will go away if they
    ignore it.

13
Enterprise Security Architecture
  • Lack of a comprehensive security framework leads
    to dysfunctional, disconnected, and/or
    ineffective security organizations.
  • Inconsistently applied policies and standards
    across domains (inter- and extra-enterprise) can
    open an organization up to security
    vulnerabilities.
  • Need for a centralized security content
    management system and intuitive user interface to
    content.
  • Limited ability to enforce security policies,
    procedures, and standards.
  • Lack of awareness of good security hygiene.

14
Security Monitoring and Management is Challenging
  • Requires skilled security experts
  • Technology infrastructure to support them
  • Significant resources researching and tracking
    latest threats and vulnerabilities
  • There is a rise in web server and virus attacks
  • Must be done 24 x 7 x 365

15
Security Monitoring and Management is expensive
8 - 5
Personnel cost alone for setting up a starter
monitoring operation with problem resolution will
run at least 60,000 per month (Forrester
Research)
16
What Security Problems Create Financial Losses?
Source: Information Week
17
Types of Cybercrimes
Information Week Global Security Survey conducted
by PricewaterhouseCoopers
18
And It's Probably Worse Than We Think...
  • DoD Controlled Study
  • Machines Attacked: 38,000
  • Machines Penetrated: 24,700 (65%)
  • Attacks Detected: 988 (4%)
  • Attacks Reported: 267 (27%)

19
So what does this all mean?
  • There are new security challenges almost every
    day
  • Security has shifted from keeping people out to
    letting people in
  • It's becoming more and more challenging to
    provide adequate security
  • It's becoming more and more challenging to
    perform adequate security audits
  • Security audits are needed to determine where
    major concerns are, what the specific issues are,
    and how risks can be mitigated

20
Security Framework
21
PricewaterhouseCoopers Information Security
Framework
  • Security Vision and Strategy
  • Risk Drivers
  • Requirements, Standards Alignment
  • Architecture Solutions
  • People, Process Methodology
  • Information Security Management Structure
22
Framework Cornerstones
  • Security Vision and Strategy
      • Mission statement, guiding principles and
        philosophy
      • Strategy for addressing information protection
      • Security Committee as an authoritative decision
        and communication vehicle
  • Senior Management Commitment
      • Commitment in principle and in practice
      • Support through policy, directives and resource
        allocation
      • Determination of risk tolerance
  • Training and Awareness Program
      • Communication covers all levels of an
        organization and aspects of information security
      • Continuous, pervasive and an integral part of
        training curriculum
  • Security Management Structure
      • Centralized and decentralized resource deployment
      • Cross-functional roles and responsibilities

23
The Framework and security audits
  • State of Security: perform an overall gap
    analysis
  • Where are my major concerns?
  • How do I compare to standards, best practices and
    peers?
  • Do I get value for money?
  • Perform detailed security audits for certain
    areas in the Security Framework

24
Policies and standards
25
Policy provides the cornerstone of your
information security program
26
Information Security Policy
  • Policies
      • Management instructions on how an organization is
        to be run
      • A collection of related standards
      • Mandatory conditions that the organization
        requires
  • Standards
      • Independent thoughts or ideas relating to
        security
      • Make specific reference to technologies and
        methodologies
      • Different from Controls
  • Technical Controls
      • Technology-specific control requirements that
        provide platform-specific instructions for policy
        and standards compliance
      • Focused at the technology level (Win 2K, Solaris,
        MVS, etc.)

27
What Policy Framework Should you Use?
  • There are many examples of Policies and Standards
    that can be deployed within an organization
  • While there are similarities in many of the
    components of these standards, there are important
    differences as well.
  • Examples of Information Technology Control
    Standards
      • Carnegie Mellon's Capability Maturity Model®
      • ISO 17799 Security Standard, adopted from British
        Standard 7799
      • SSE Capability Maturity Model® for system
        security
      • ISACA's COBIT
  • Standards can be substituted or supplemented by
    best practices

28
Tips
29
Take a top-down approach
  • Perform an objective, comprehensive assessment of
    the current State of Security
  • Get an understanding of how effectively security
    has linked in to business and technology
    initiatives
  • Get an understanding of where the major risks and
    concerns are, and what the issues and root causes
    are
  • Zoom in on the areas of concern

30
Develop a state of the art and objective
standards framework
  • Choose the appropriate framework
      • ISO
      • Cobit
      • CMM
      • Best practices
  • Tailor the standards framework to specific needs

31
Security doesn't stop at the assessment: plan for
the full security lifecycle
[Security lifecycle diagram; labels: Awareness,
Lessons Learned, Assess, Information Assets,
Recovery, Design Counter-measures, Limitation,
Implement, Investigate, Monitor, Incident]
32
Ensure all ingredients for an effective and
efficient audit are in place
  • Trained security auditors
  • Subject Matter Experts
  • Methodologies
  • A Framework
  • Standards and best practices
  • Tools
  • A follow up plan