1
COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
BUSINESS CASE FOR STANDARDS ADOPTION: SECURITY STANDARDS - THE TRUST FRAMEWORK
Alan McBride, CISSP, [email protected]
April 2013
2
STANDARDS AND THE TRUST FRAMEWORK: PRIMARY TAKEAWAY
‘Providing assurance to your customers that you are applying standards-based security best-practices can build trust and can differentiate you in your market’
3
SECURITY STANDARDS: AGENDA
• The Threat Landscape
• The Security Standards Landscape
• Adopting Security Standards
• Conclusion
4
ALCATEL-LUCENT: WHO WE ARE – AT A GLANCE
• Technologies: 400G photonic, DSL vectoring (VDSL2 vectoring), carrier cloud, lightRadio™, 400G IP XRS core router, Motive Customer Experience
• Portfolio: 3G/4G wireless, broadband access, Ethernet, IP, optics, applications, services, cloud
• 1000+ customers (network operators); 1M+ networks; 500K+ customers (enterprise)
• ~72,000 employees; collaborate with 250+ universities
• 2012 revenues: €14.4b
• TR50 Most Innovative Companies 2012
• Bell Labs: 7 Nobel prizes; more than 2,900 patents in 2012; more than 30,700 active patents; in 7 countries, including Ireland
5
THE THREAT LANDSCAPE: RECENT SECURITY INCIDENTS
11 JAN 2013: ‘U.S. warns on Java software as security concerns escalate. The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software...’
30 JAN 2013: ‘Hackers in China Attacked The Times for Last 4 Months. The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them...’
1 MAR 2013: ‘More companies reporting cybersecurity incidents. At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberassaults...’
9 APR 2013: ‘Fourth LulzSec Member Pleads Guilty to Hacking Sony ... carried out attacks on the websites of the Arizona State Police, Sony, News Corp.’s Twentieth Century Fox, the U.K.’s National Health Service and technology-security company HBGary Inc...’
30 AUG 2012: ‘State-sponsored cyber espionage projects now prevalent, say experts. At least four government-sponsored programmes to deploy cyber-espionage software like the Flame, Duqu and Stuxnet software – the latter used against computers in Iran – are in progress around the world...’
21 MAR 2013: Logic Bomb Set Off South Korea Cyberattack. ‘Cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea this week was set off by a logic bomb...’
6
THE THREAT LANDSCAPE: SOME STATISTICS
• 97% of breaches were avoidable through simple or intermediate controls
• 98% were primarily due to external agents
• 96% were motivated by financial or personal gain
• 85% of breaches took weeks or more to discover
• 92% of incidents were discovered by a third party
• 69% of breaches involved malware (e.g. keyloggers)
• 81% involved hacking (e.g. use of default or guessable credentials)
• 77% of SMBs think a strong security posture is good for their brand
• 59% of SMBs have no contingency plan for a data breach
• 65% of SMBs do not use encryption or DLP to protect confidential data
• 62% of SMBs do not routinely back up data
Source: 2012 Data Breach Investigations Report (note: IRISSCERT was a contributor)
7
THE THREAT LANDSCAPE: EVOLVING SECURITY RISKS
Innovation timeline: Internet; Mobile; Always-on, Ubiquitous Connectivity; Apps & Social Media; Device proliferation; Virtualization & Cloud; Everything-as-a-Service; Machine-to-Machine; Smart Grid, Smart Cities
Escalating Threat Sophistication: Advanced Persistent Threats (APTs); Viruses, Trojans, Worms; Insider Threats; Targeted Malware (e.g. Stuxnet); Fraud, Extortion, Cybercrime; Rootkits, Botnets; Distributed Denial-of-Service; Web Threats - XSS, SQL injection; Identity Theft; Infected Mobile Apps; Password Cracking
Threat Agents: Hacktivist; Cyber-criminal; Insider; Nation State
Threat Vectors: Internet; Internal Access; Mobile Devices; Supply Chain
8
THE STANDARDS LANDSCAPE: CONTROLS AND BEST PRACTICES
Risk model (diagram):
• Threat Agents (e.g. Cybercriminal) attack Assets (e.g. Your data)
• Threat Agents exploit Vulnerabilities (e.g. Inadequate access controls) of Assets, resulting in Risks
• Risks are mitigated by Controls (e.g. Role-based access controls), which protect Assets
Control classification:
• Technical (e.g. Encryption)
• Procedural (e.g. Training)
• Physical (e.g. Locks)
Control purpose:
• Preventative (e.g. Firewall)
• Detective (e.g. IDS)
• Corrective (e.g. Security patch)
Security standards specify controls to mitigate risks of exposure of assets to threats resulting from inherent vulnerabilities. Controls can be (often a combination of) preventative, detective or corrective in purpose. Controls can be technical, physical or procedural in classification.
9
THE STANDARDS LANDSCAPE: KEY STANDARDS BODIES
Categories: International; Jurisdictional; Domain-specific
• ITU: International Telecommunication Union
• ISO: International Organization for Standardization
• IEC: International Electrotechnical Commission
• IETF: Internet Engineering Task Force
• ETSI: European Telecommunications Standards Institute
• 3GPP: Third Generation Partnership Project
• ATIS: Alliance for Telecommunications Industry Solutions
• ENISA: European Network and Information Security Agency
• NIST: National Institute of Standards and Technology
• ANSI: American National Standards Institute
• OASIS: Advancing Open Standards for the Information Society
• OMA: Open Mobile Alliance
• CSA: Cloud Security Alliance
• TISPAN: Telecommunications & Internet converged Services and Protocols for Advanced Networking
10
THE STANDARDS LANDSCAPE: EXAMPLE SECURITY STANDARDS
• Security Management Standards
  • ISO27K
  • CobiT 4.x
  • IETF RFC 2196
  • NIST 800-53
• Technical Security Standards
  • Cryptography: AES, RSA, DSA, PKI
  • Secure Protocols: TLS, IPsec, HTTPS, SFTP
  • Identity Management & AAA: RADIUS, SAML, OAuth, OpenID, XACML
• Vulnerability Management Standards
  • ITU-T X.1520 CVEs
  • Mitre CVSS, CWE
• Security Assurance Standards
  • ISO 15408
• Regional and Domain-specific
  • Energy domain: NERC 1300 (CIP)
  • IACS domain: ISA/IEC 6
  • Payments domain: PCI
  • Cloud domain: CSA
11
THE STANDARDS LANDSCAPE: RELEVANCE TO THREATS
Typical three-tier system: Web server, Application server, Database server
Common vulnerabilities:
• SQL injection vulnerability allowing malware insertion
• Inadequate segregation – no DMZ or firewall between web and app servers
• Encryption keys stored on same server as encrypted data
• Use of default passwords, and excessive access for admin accounts
• Out-of-date versions of software such as Apache, TLS, SSH etc.
• Inadequate data classification and segregation – confidential data stored together with other data
ISO 27K Controls:
• A.10.4 Protection Against Mobile and Malicious Code
• A.12.6.1 Technical Vulnerability Management
• A.12.2 Correct Processing in Applications
• A.11.2 User Access Management
• A.7.2 Information Classification
• A.11.4 Network Access Control
• A.12.3 Cryptographic Controls
This threat scenario illustrates the relevance of example ISO27K controls to common vulnerabilities in a typical three-tier system.
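As an added illustration of the first vulnerability in this scenario (example code, not part of the original presentation): a minimal Python/SQLite demo contrasting a query built by string concatenation with a parameterized query, which is the kind of application-level control ISO 27K A.12.2 ("Correct Processing in Applications") points at. The user table, sample rows and lookup functions are constructed for the demo and are not from the deck.

```python
import sqlite3

# Constructed sample data: a tiny user table standing in for the database
# tier of the three-tier system described in the threat scenario.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the SQL text from user input, so the input can change the
    query's structure. Kept here only to show the defect."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Passes user input as a bound parameter: the driver treats it strictly
    as a value, never as part of the query text."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> tuple:
    """Run both lookups on the same input and return (rows_vulnerable,
    rows_parameterized). If the concatenated query is not even valid SQL
    (a legitimate name containing an apostrophe does this), -1 is returned
    for the vulnerable side; the parameterized side always works."""
    conn = make_db()
    try:
        try:
            vulnerable = len(lookup_vulnerable(conn, name))
        except sqlite3.Error:
            vulnerable = -1
        parameterized = len(lookup_parameterized(conn, name))
        return vulnerable, parameterized
    finally:
        conn.close()


if __name__ == "__main__":
    for candidate in ("alice", "' OR '1'='1", "O'Brien"):
        print(repr(candidate), "->", compare(candidate))
```

For the ordinary input `alice` both functions agree (1 row each). For the classic tautology input the concatenated query returns every row while the parameterized query returns none, and for a perfectly legitimate name such as `O'Brien` the concatenated query fails outright. The parameterized form is the control; the test for it in a code review is that no user-supplied string is ever spliced into SQL text.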
12
ADOPTING SECURITY STANDARDS: ISSUES WITH ADOPTION
APPLICABILITY & SUITABILITY
• Some may be too high-level, others too prescriptive
• May be too generic or too specific
• Delay in addressing emerging technologies (e.g. cloud)
COST
• Adoption requires planning, training and implementation
• Additional costs if certification is required
• Additional cost if directly involved with standards development
OVERLAPPING OR COMPETING STANDARDS
• Different standards may address the same area and may not be consistent
• Particularly a problem for enterprises operating in multiple jurisdictions
NO SILVER BULLET
• Compliance can give a false sense of security
• Standards will always lag emerging threats - coverage can never be absolute
INFLEXIBILITY
• Compliance with standards could potentially inhibit agility
13
ADOPTING SECURITY STANDARDS: PRAGMATIC ADOPTION
Maturity path: Informed, Aligned, Compliant, Certified
• Initially you can be informed by standards
  • Standards are an important source of best-practices to inform your practices
  • Standards generally have good coverage – a ‘checklist’ or ‘cookbook’ approach
• Alignment with standards can be phased over time
  • E.g. risk-based choice of controls to implement under ISO27K
• Eventual target can be full compliance
• Ultimately certification can be sought where applicable
14
ADOPTING SECURITY STANDARDS: FOCUS ON ISO27K
• Standard for an Information Security Management System
• Protection of Confidentiality, Integrity and Availability (CIA) of Information Assets
• Plan-Do-Check-Act (PDCA)
  • Identify assets and security requirements
  • Assess risks to assets
  • Select and implement controls to mitigate risks
  • Monitor, maintain and improve on an ongoing basis
• 11 Control Areas, 133 Controls
  • E.g. ‘Information Security Policy Document’
  • E.g. ‘Inventory of Assets’
  • E.g. ‘Key Management’
• Covers Technology, Process and People
15
ADOPTING SECURITY STANDARDS: REASONS FOR ADOPTION OF ISO27K
1. Recognized as the best practice standard
2. To gain competitive advantage
3. To ensure legal and regulatory compliance
4. Requirement when tendering
5. Mandated by customer
6. Competitors already certified
Size of organization adopting ISO27K:
• 27% < 50 employees
• 50% < 200 employees
• 62% < 500 employees
Source:
16
ADOPTING SECURITY STANDARDS: ANOTHER EXAMPLE STANDARD - PCI DSS
• Payment Card Industry – Data Security Standard
• Proprietary standard – owned by PCI SSC
• Defines minimum security controls for securing payment systems and data
• Compliance is required in US, but validation of compliance is not mandatory
17
ADOPTING SECURITY STANDARDS: PRAGMATIC CHECKLIST
• Do you have a CSO/CISO?
• Do you have a security policy, and do all of your employees know about it?
• Do you address security aspects with your suppliers?
• Do you know the security posture of your competitors?
• Do you know what regulations or standards apply to your market and jurisdiction?
• Do you have a mobile device policy?
• Do you have basic security hygiene, including firewall, antivirus, secured backups, timely patching and adequate access controls?
• Do your employees undergo security training, including guidelines on passwords, email risks and protection of company data on mobile devices?
Your answers can help you decide whether you need to consider standards such as ISO27K.
18
ADOPTING SECURITY STANDARDS: TRUST THROUGH TRANSPARENCY
An example of how standards compliance can be part of a trust framework
CSA STAR: Cloud Security Alliance – Security, Trust & Assurance Registry
• Cloud providers assess themselves against CSA security controls
• Transparency is achieved through publishing the results in the registry
• Customers can read and compare the security posture of potential providers
• Validity is addressed through public scrutiny
• You can freely browse the open submissions now from multiple providers, including Amazon, Microsoft, Symantec and Terremark
• This self-assessment foundation is now evolving to include third-party assessment and certification under the CSA Open Certification Framework (OCF)
• Can help lower costs by avoiding per-customer RFx responses or audits
• This is illustrative of how an open and transparent security posture can improve trust with the customer, and how businesses can compete by differentiating in the security domain
19
ADOPTING SECURITY STANDARDS: OUR EXPERIENCE AT ALCATEL-LUCENT
Involved with Standards Development
• Active participation in key standards bodies such as ISO, ITU, 3GPP
• Drawing on Bell Labs research
• Also involved with regional bodies such as ATIS (US), ENISA (Europe)
Applying Standards Internally
• Global company – many relevant standards as input to internal practices
• Applying security standards in development of networking products
• Combining best-practices with internal Bell Labs expertise
Applying Standards in External Engagements
• Applying standards in security assessments – e.g. Smart Grid networks
• Applying standards in network design and security architecture services
Contact: John Hickey ([email protected]) - convener of NSAI ICTSCC/SC10 and representative on ISO SG27
20
ADOPTING SECURITY STANDARDS: APPLYING STANDARDS IN PRACTICE
Assessment activities applied to the Target of Evaluation:
• Threat Analysis: risk-oriented analysis to determine threats, attack vectors, vulnerabilities and countermeasures
• Baseline Evaluation: evaluate architecture and implementation against standards, recommendations and best-practices (e.g. NIST, ISO, NERC CIP) to identify strengths and gaps
• Tools Analysis: assess results from vulnerability scanning and penetration testing tools
• Architecture Evaluation: assess use of technical security enablers such as firewalls, IPS, AAA, encryption and VPN to evaluate the current security architecture and areas for improvement
Standard controls (number of controls per standard):
• NISTIR 7628: 194
• NERC CIP: 110
• ISO 27001: 133
• NIST 800-53: 197
• SANS CAG: 20
• US DHS: 236
Real-world example: how we at Alcatel-Lucent have used standards in assessing the security of Smart Grid utility networks globally (cf. Bell Labs Technical Journal, December 2012)
21
ADOPTING SECURITY STANDARDS: OTHER SOURCES OF SECURITY GUIDANCE
• SANS - System Administration, Networking and Security Institute
  • CSIS: 20 Critical Controls for Effective Cyber Defence
• OWASP – Open Web Application Security Project
  • Top Ten Project – The Ten Most Critical Web Application Security Risks
• NIST – National (US) Institute of Standards and Technology
  • NISTIR 7621 – Small Business Information Security: The Fundamentals
• ISF – Information Security Forum
  • SoGP – Standard of Good Practice
• CSA - Cloud Security Alliance
  • Cloud Security Guidance
22
ADOPTING SECURITY STANDARDS: BUSINESS CASE FOR ADOPTION
• Cost versus Benefit
  • Implementing standard controls can protect assets and avoid costs
  • Standards-based approaches can streamline the management of security
• Risk Management
  • Proactive and structured approaches to managing risk
  • Good foundation for ensuring comprehensive coverage
• Regulatory Compliance
  • Where applicable, regulations generally share common ground with standards
  • Standards can also improve readiness for future regulations
• Market and Competitive Aspects
  • Market differentiation
  • Customer trust as a competitive advantage
23
STANDARDS AND THE TRUST FRAMEWORK: CONCLUSION
‘Providing assurance to your customers that you are applying standards-based security best-practices can build trust and can differentiate you in your market’