20130425 Security Standards The Trusted Framework, Alan McBride

Date posted: 19-Oct-2014

Description: Alan McBride, CISSP (Alcatel-Lucent), presentation on Security Standards - The Trust Framework: Business Case for Standards Adoption, April 2013

Transcript
Page 1: 20130425 Security Standards The Trusted Framework, Alan McBride

COPYRIGHT © 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

BUSINESS CASE FOR STANDARDS ADOPTION
SECURITY STANDARDS - THE TRUST FRAMEWORK
Alan McBride, CISSP, [email protected], April 2013

Page 2: STANDARDS AND THE TRUST FRAMEWORK - PRIMARY TAKEAWAY

‘Providing assurance to your customers that you are applying standards-based security best-practices can build trust and can differentiate you in your market’

Page 3: SECURITY STANDARDS - AGENDA

• The Threat Landscape
• The Security Standards Landscape
• Adopting Security Standards
• Conclusion

Page 4: ALCATEL-LUCENT - WHO WE ARE, AT A GLANCE

• Portfolio: 3G/4G wireless, broadband access, Ethernet, IP, optics, applications, services, cloud
• Products highlighted: 400G photonics, DSL vectoring (VDSL2 vectoring), carrier cloud, lightRadio™, 400G IP XRS core router, Motive Customer Experience
• 1000+ network operator customers; 500K+ enterprise customers; 1M+ networks
• ~72,000 employees; 2012 revenues €14.4b
• Bell Labs in 7 countries, including Ireland; 7 Nobel prizes; collaboration with 250+ universities
• More than 2,900 patents in 2012; more than 30,700 active patents
• TR50 Most Innovative Companies 2012

Page 5: THE THREAT LANDSCAPE - RECENT SECURITY INCIDENTS

11 JAN 2013: ‘U.S. warns on Java software as security concerns escalate. The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software...’

30 JAN 2013: ‘Hackers in China Attacked The Times for Last 4 Months. The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them...’

1 MAR 2013: ‘More companies reporting cybersecurity incidents. At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberassaults...’

9 APR 2013: ‘Fourth LulzSec Member Pleads Guilty to Hacking Sony ... carried out attacks on the websites of the Arizona State Police, Sony, News Corp.’s Twentieth Century Fox, the U.K.’s National Health Service and technology-security company HBGary Inc...’

30 AUG 2012: ‘State-sponsored cyber espionage projects now prevalent, say experts. At least four government-sponsored programmes to deploy cyber-espionage software like the Flame, Duqu and Stuxnet software – the latter used against computers in Iran – are in progress around the world...’

21 MAR 2013: ‘Logic Bomb Set Off South Korea Cyberattack. Cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea this week was set off by a logic bomb...’

Page 6: THE THREAT LANDSCAPE - SOME STATISTICS

From the 2012 Data Breach Investigations Report (note: IRISSCERT was a contributor):
• 97% of breaches were avoidable through simple or intermediate controls
• 98% were primarily due to external agents
• 96% were motivated by financial or personal gain
• 85% of breaches took weeks or more to discover
• 92% of incidents were discovered by a third party
• 69% of breaches involved malware (e.g. keyloggers)
• 81% involved hacking (e.g. use of default or guessable credentials)

Small and medium businesses (SMBs):
• 77% of SMBs think a strong security posture is good for their brand
• 59% of SMBs have no contingency plan for a data breach
• 65% of SMBs do not use encryption or DLP to protect confidential data
• 62% of SMBs do not routinely back up data

Page 7: THE THREAT LANDSCAPE - EVOLVING SECURITY RISKS

Innovation timeline: Internet; Mobile; Always-on, ubiquitous connectivity; Apps & social media; Device proliferation; Virtualization & cloud; Everything-as-a-Service; Machine-to-Machine; Smart Grid, Smart Cities

Escalating threat sophistication: Advanced Persistent Threats (APTs); Viruses, Trojans, worms; Insider threats; Targeted malware (e.g. Stuxnet); Fraud, extortion, cybercrime; Rootkits, botnets; Distributed denial-of-service; Web threats (XSS, SQL injection); Identity theft; Infected mobile apps; Password cracking

Threat agents: Hacktivist; Cyber-criminal; Insider; Nation state

Threat vectors: Internet; Internal access; Mobile devices; Supply chain

Page 8: THE STANDARDS LANDSCAPE - CONTROLS AND BEST PRACTICES

Relationship between the elements (as drawn on the slide): threat agents (e.g. cybercriminal) attack assets (e.g. your data) by exploiting vulnerabilities (e.g. inadequate access controls) of those assets, resulting in risks; risks are mitigated by controls (e.g. role-based access controls), which protect the assets.

Controls by purpose:
• Preventative (e.g. firewall)
• Detective (e.g. IDS)
• Corrective (e.g. security patch)

Controls by classification:
• Technical (e.g. encryption)
• Procedural (e.g. training)
• Physical (e.g. locks)

Security standards specify controls to mitigate the risk of assets being exposed to threats through their inherent vulnerabilities. Controls can be preventative, detective or corrective in purpose (often a combination), and technical, physical or procedural in classification.

Page 9: THE STANDARDS LANDSCAPE - KEY STANDARDS BODIES

Grouped on the slide as international, jurisdictional and domain-specific bodies:

• ITU: International Telecommunication Union
• ISO: International Organization for Standardization
• IEC: International Electrotechnical Commission
• IETF: Internet Engineering Task Force
• ETSI: European Telecommunications Standards Institute
• 3GPP: Third Generation Partnership Project
• ATIS: Alliance for Telecommunications Industry Solutions
• ENISA: European Network and Information Security Agency
• NIST: National Institute of Standards and Technology
• ANSI: American National Standards Institute
• OASIS: Organization for the Advancement of Structured Information Standards (‘Advancing open standards for the information society’)
• OMA: Open Mobile Alliance
• CSA: Cloud Security Alliance
• TISPAN: Telecommunications and Internet converged Services and Protocols for Advanced Networking

Page 10: THE STANDARDS LANDSCAPE - EXAMPLE SECURITY STANDARDS

• Security Management Standards
  • ISO27K
  • COBIT 4.x
  • IETF RFC 2196 (Site Security Handbook)
  • NIST 800-53
• Technical Security Standards
  • Cryptography: AES, RSA, DSA, PKI
  • Secure Protocols: TLS, IPsec, HTTPS, SFTP
  • Identity Management & AAA: RADIUS, SAML, OAuth, OpenID, XACML
• Vulnerability Management Standards
  • ITU-T X.1520 (CVE)
  • CWE (MITRE), CVSS (FIRST)
• Security Assurance Standards
  • ISO 15408 (Common Criteria)
• Regional and Domain-specific
  • Energy domain: NERC 1300 (CIP)
  • IACS domain: ISA/IEC 6
  • Payments domain: PCI
  • Cloud domain: CSA

Page 11: THE STANDARDS LANDSCAPE - RELEVANCE TO THREATS

Threat scenario: a typical three-tier system (web server, application server, database server) with these common vulnerabilities:

• SQL injection vulnerability allowing malware insertion
• Inadequate segregation – no DMZ or firewall between web and application servers
• Encryption keys stored on the same server as the encrypted data
• Use of default passwords, and excessive access for admin accounts
• Out-of-date versions of software such as Apache and TLS and SSH implementations
• Inadequate data classification and segregation – confidential data stored together with other data

ISO 27K controls relevant to these vulnerabilities (ISO/IEC 27001:2005 Annex A numbering; the 2013 revision renumbered and regrouped Annex A):

• A.10.4 Protection against malicious and mobile code
• A.12.6.1 Control of technical vulnerabilities
• A.12.2 Correct processing in applications
• A.11.2 User access management
• A.7.2 Information classification
• A.11.4 Network access control
• A.12.3 Cryptographic controls

This threat scenario illustrates the relevance of example ISO27K controls to common vulnerabilities in a typical three-tier system.
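As an added illustration of the first vulnerability in this scenario (example code, not from the presentation), the following Python snippet builds the login query the way a vulnerable web tier does and, beside it, the parameterised form that ‘correct processing in applications’ (A.12.2) calls for. The in-memory SQLite table, the user rows and the injection payload are constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the database tier.
    Passwords are plaintext only to keep the demo short; a real
    system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The weakness on the slide: user input is spliced into the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: placeholders bind the input as data, so the same
    payload is compared literally against the username column."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed payload: closes the username literal and comments out the
# password check, so the vulnerable query becomes
#   ... WHERE username = 'alice' --' AND password = '...'
PAYLOAD = "alice' --"


def demo() -> dict:
    """Returns who each variant logs in for the injection payload and for
    a genuine credential pair."""
    conn = build_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, "wrong"),
        "parameterised_with_payload": login_parameterised(conn, PAYLOAD, "wrong"),
        "parameterised_genuine": login_parameterised(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the payload, the string-built query logs the attacker in as the admin user without a password, while the parameterised query returns no row; only the genuine credentials succeed against the hardened form. Binding parameters is the control for the query itself; the slide's other points (segregating tiers, removing default credentials, patching the stack) limit what an injection can reach once it lands.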

Page 12: ADOPTING SECURITY STANDARDS - ISSUES WITH ADOPTION

APPLICABILITY & SUITABILITY
• Some may be too high-level, others too prescriptive
• May be too generic or too specific
• Delay in addressing emerging technologies (e.g. cloud)

COST
• Adoption requires planning, training and implementation
• Additional costs if certification is required
• Additional cost if directly involved with standards development

OVERLAPPING OR COMPETING STANDARDS
• Different standards may address the same area and may not be consistent
• Particularly a problem for enterprises operating in multiple jurisdictions

NO SILVER BULLET
• Compliance can give a false sense of security
• Standards will always lag emerging threats - coverage can never be absolute

INFLEXIBILITY
• Compliance with standards could potentially inhibit agility

Page 13: ADOPTING SECURITY STANDARDS - PRAGMATIC ADOPTION

Informed → Aligned → Compliant → Certified

• Initially you can be informed by standards
  • Standards are an important source of best-practices to inform your practices
  • Standards generally have good coverage – a ‘checklist’ or ‘cookbook’ approach
• Alignment with standards can be phased over time
  • E.g. risk-based choice of controls to implement under ISO27K
• Eventual target can be full compliance
• Ultimately certification can be sought where applicable

Page 14: ADOPTING SECURITY STANDARDS - FOCUS ON ISO27K

• ISO/IEC 27001: standard for an Information Security Management System (ISMS)
• Protection of the Confidentiality, Integrity and Availability (CIA) of information assets
• Plan-Do-Check-Act (PDCA) cycle:
  • Identify assets and security requirements
  • Assess risks to assets
  • Select and implement controls to mitigate risks
  • Monitor, maintain and improve on an ongoing basis
• 11 control areas, 133 controls (ISO/IEC 27001:2005 Annex A)
  • E.g. ‘Information Security Policy Document’
  • E.g. ‘Inventory of Assets’
  • E.g. ‘Key Management’
• Covers technology, process and people
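The identify, assess and select steps of the cycle above, worked as an added example (not from the presentation, and not a method the standard prescribes): a small risk register scored on a 5×5 likelihood-by-impact scale, a candidate control set referenced by Annex A number, and a greedy selection that adds the cheapest relevant control until each risk is within a risk appetite, producing a Statement-of-Applicability-style justification and the residual score per risk. The scales, the reduction each control gives, the costs and the appetite threshold are all assumptions made for the example; the register entries are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    scenario: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        """Inherent risk before any control is applied."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    ref: str                 # Annex A reference (ISO/IEC 27001:2005 numbering, as on the slides)
    name: str
    treats: frozenset        # ids of the risks this control reduces
    likelihood_cut: int = 0  # points removed from likelihood once implemented (assumed)
    impact_cut: int = 0      # points removed from impact once implemented (assumed)
    cost: int = 1            # relative implementation cost (assumed)


def residual_score(risk: Risk, applied: list) -> int:
    """Residual risk with the given controls in place; each axis floors at 1."""
    relevant = [c for c in applied if risk.rid in c.treats]
    likelihood = max(1, risk.likelihood - sum(c.likelihood_cut for c in relevant))
    impact = max(1, risk.impact - sum(c.impact_cut for c in relevant))
    return likelihood * impact


def select_controls(risks: list, controls: list, appetite: int):
    """Risk-based selection: take risks from highest inherent score down and,
    for each, add the cheapest relevant control not yet chosen until the
    residual score is within appetite. Returns (chosen, residual per risk)."""
    chosen: list = []
    for risk in sorted(risks, key=lambda r: r.score, reverse=True):
        candidates = sorted((c for c in controls if risk.rid in c.treats),
                            key=lambda c: c.cost)
        for control in candidates:
            if residual_score(risk, chosen) <= appetite:
                break
            if control not in chosen:
                chosen.append(control)
    residuals = {r.rid: residual_score(r, chosen) for r in risks}
    return chosen, residuals


def statement_of_applicability(risks: list, controls: list, appetite: int):
    """SoA-style outcome: a justification per candidate control, the residual
    score per risk, and the risks still above appetite (to accept or escalate)."""
    chosen, residuals = select_controls(risks, controls, appetite)
    soa = {}
    for c in controls:
        if c in chosen:
            soa[c.ref] = "applicable: treats " + ", ".join(sorted(c.treats))
        else:
            soa[c.ref] = "not selected: related risks already within appetite"
    untreated = [rid for rid, s in residuals.items() if s > appetite]
    return soa, residuals, untreated


# Constructed sample register and control catalogue (not from the slides).
RISKS = [
    Risk("R1", "customer database", "SQL injection via the web tier", 4, 5),
    Risk("R2", "admin accounts", "default or guessable credentials", 4, 4),
    Risk("R3", "sales laptops", "loss or theft of an unencrypted device", 2, 4),
]
CONTROLS = [
    Control("A.10.4", "Protection against malicious code", frozenset({"R1"}), likelihood_cut=1, cost=1),
    Control("A.12.2", "Correct processing in applications", frozenset({"R1"}), likelihood_cut=3, cost=2),
    Control("A.11.4", "Network access control", frozenset({"R1"}), likelihood_cut=1, cost=3),
    Control("A.11.2", "User access management", frozenset({"R2"}), likelihood_cut=3, cost=1),
    Control("A.12.3", "Cryptographic controls", frozenset({"R1", "R3"}), impact_cut=2, cost=3),
]
APPETITE = 8  # assumed: a residual score above this must be treated


if __name__ == "__main__":
    soa, residuals, untreated = statement_of_applicability(RISKS, CONTROLS, APPETITE)
    for ref, why in soa.items():
        print(ref, "-", why)
    print("residual scores:", residuals)
    print("still above appetite:", untreated or "none")
```

On the sample register the selection picks A.10.4, A.12.2 and A.11.2, leaves A.11.4 and A.12.3 unselected with a recorded reason, and reports R3 sitting exactly at the appetite with no treatment, which is the kind of explicit acceptance decision the Check and Act steps revisit. Passing an empty control set shows the other outcome: R1 and R2 come back as untreated and must be escalated rather than silently carried.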

Page 15: ADOPTING SECURITY STANDARDS - REASONS FOR ADOPTION OF ISO27K

1. Recognized as the best-practice standard
2. To gain competitive advantage
3. To ensure legal and regulatory compliance
4. Requirement when tendering
5. Mandated by customer
6. Competitors already certified

Size of organization adopting ISO27K (cumulative):
• 27% < 50 employees
• 50% < 200 employees
• 62% < 500 employees

Source:

Page 16: ADOPTING SECURITY STANDARDS - ANOTHER EXAMPLE STANDARD: PCI DSS

• Payment Card Industry Data Security Standard
• Proprietary standard – owned by the PCI Security Standards Council (PCI SSC)
• Defines minimum security controls for securing payment systems and cardholder data
• Compliance is a contractual requirement of the card brands (worldwide, not only in the US) rather than a law; whether and how compliance must be validated (self-assessment questionnaire versus on-site assessment by a Qualified Security Assessor) depends on the merchant or service provider level

Page 17: ADOPTING SECURITY STANDARDS - PRAGMATIC CHECKLIST

• Do you have a CSO/CISO?
• Do you have a security policy, and do all of your employees know about it?
• Do you address security aspects with your suppliers?
• Do you know the security posture of your competitors?
• Do you know what regulations or standards apply to your market and jurisdiction?
• Do you have a mobile device policy?
• Do you have basic security hygiene, including firewall, antivirus, secured backups, timely patching and adequate access controls?
• Do your employees undergo security training, including guidelines on passwords, email risks and protection of company data on mobile devices?

Your answers can help you decide whether you need to consider standards such as ISO27K

Page 18: ADOPTING SECURITY STANDARDS - TRUST THROUGH TRANSPARENCY

CSA STAR: Cloud Security Alliance – Security, Trust & Assurance Registry
• Cloud providers assess themselves against CSA security controls
• Transparency is achieved by publishing the results in the registry
• Customers can read and compare the security posture of potential providers
• Validity is addressed through public scrutiny
• You can freely browse the open submissions now from multiple providers including Amazon, Microsoft, Symantec and Terremark
• This self-assessment foundation is now evolving to include third-party assessment and certification under the CSA Open Certification Framework (OCF)
• Can help lower costs by avoiding per-customer RFx responses or audits
• This illustrates how an open and transparent security posture can improve trust with the customer, and how businesses can compete by differentiating in the security domain

An example of how standards compliance can be part of a trust framework

Page 19: ADOPTING SECURITY STANDARDS - OUR EXPERIENCE AT ALCATEL-LUCENT

Involved with Standards Development
• Active participation in key standards bodies such as ISO, ITU, 3GPP
• Drawing on Bell Labs research
• Also involved with regional bodies such as ATIS (US), ENISA (Europe)

Applying Standards Internally
• Global company – many relevant standards as input to internal practices
• Applying security standards in the development of networking products
• Combining best-practices with internal Bell Labs expertise

Applying Standards in External Engagements
• Applying standards in security assessments – e.g. Smart Grid networks
• Applying standards in network design and security architecture services

Contact: John Hickey ([email protected]) - convener of NSAI ICTSCC/SC10 and representative on ISO SC 27

Page 20: ADOPTING SECURITY STANDARDS - APPLYING STANDARDS IN PRACTICE

Four activities around the Target of Evaluation:

• Threat Analysis: risk-oriented analysis to determine threats, attack vectors, vulnerabilities and countermeasures
• Baseline Evaluation: evaluate architecture and implementation against standards, recommendations and best-practices (e.g. NIST, ISO, NERC CIP) to identify strengths and gaps
• Tools Analysis: assess results from vulnerability scanning and penetration testing tools
• Architecture Evaluation: assess use of technical security enablers such as firewalls, IPS, AAA, encryption and VPN to evaluate the current security architecture and areas for improvement

Standard controls used as baselines (number of controls in each):

NISTIR 7628: 194
NERC CIP: 110
ISO 27001: 133
NIST 800-53: 197
SANS CAG: 20
US DHS: 236

Real-world example: how we at Alcatel-Lucent have used standards in assessing the security of Smart Grid utility networks globally (cf. Bell Labs Technical Journal, December 2012)

Page 21: ADOPTING SECURITY STANDARDS - OTHER SOURCES OF SECURITY GUIDANCE

• SANS – SysAdmin, Audit, Network and Security Institute
  • CSIS: 20 Critical Controls for Effective Cyber Defence
• OWASP – Open Web Application Security Project
  • Top Ten Project – The Ten Most Critical Web Application Security Risks
• NIST – (US) National Institute of Standards and Technology
  • NISTIR 7621 – Small Business Information Security: The Fundamentals
• ISF – Information Security Forum
  • SoGP – Standard of Good Practice
• CSA – Cloud Security Alliance
  • Cloud Security Guidance

Page 22: ADOPTING SECURITY STANDARDS - BUSINESS CASE FOR ADOPTION

• Cost versus Benefit
  • Implementing standard controls can protect assets and avoid costs
  • Standards-based approaches can streamline the management of security
• Risk Management
  • Proactive and structured approaches to managing risk
  • Good foundation for ensuring comprehensive coverage
• Regulatory Compliance
  • Where applicable, regulations generally share common ground with standards
  • Standards can also improve readiness for future regulations
• Market and Competitive Aspects
  • Market differentiation
  • Customer trust as a competitive advantage

Page 23: STANDARDS AND THE TRUST FRAMEWORK - CONCLUSION

‘Providing assurance to your customers that you are applying standards-based security best-practices can build trust and can differentiate you in your market’
