Date posted: 28-Jan-2016 | Category: Documents | Uploaded by: jocelyn-brown
Information Security Challenges & Best Practices
Meng-Chow Kang, CISA, CISSP
Chief Security & Privacy Advisor
Microsoft Asia Pacific
A Framework Approach
- Threats & Vulnerabilities Landscape
- Mission and Vision
- Principles of Operation & Management
- Decision & Prioritization Model
- Implementation Tactics
- People, Processes, & Tools
What constitutes an effective strategy?
Understanding the Landscape

[Chart: attacker types plotted by motivation against skill]
- Motivation (vertical axis, low to high): Curiosity, Personal Fame, Personal Gain, National Interest
- Skill (horizontal axis, low to high): Script-Kiddie, Hobbyist Hacker, Expert Specialist
- Attacker types placed on the chart: Author, Vandal, Trespasser, Thief, Spy
An Evolving Threat

[Chart: the same motivation-by-skill plot of Author, Vandal, Trespasser, Thief and Spy, with the Script-Kiddie end of the skill axis called out and four regions annotated]
- Largest area by volume
- Largest area by $ lost
- Largest segment by $ spent on defense
- Fastest growing segment
Regional e-Security Index (Source: e-Cop)

[Chart: Monthly Index 2003/4 with 3-month moving average, May 2003 to May 2004; index scale base month July 2001]
E-Security Index: May's index = 1,682; 12-month high 1,776 (Aug '03); 12-month low 972 (May '03); 12-month median 1,350; 12-month mean 1,383.

[Chart: e-Security Index by month, Sep 2001 to May 2004, with polynomial trend line (R² = 66%), annotated with the outbreaks of Nimda.B, Maldal.D, Klez.H, Bugbear, Sobig.E, a hacker competition, Blaster & Sobig.F, and Sasser]
e-Cop's e-Security Index has been tracking an average weighted monthly increase of about 8% in security incidents since Sep 2001.
Originating Attack Sources - April 2004 (Source: e-Cop)
  North America     28%
  ASEAN             23%
  Japan             13%
  ANZ               12%
  North Asia*       11%
  South Asia         3%
  Russia             3%
  Western Europe     3%
  Eastern Europe     2%
  South America      1%
  Korea              1%
  * North Asia excludes Japan & South Korea
Top 10 Attack Types & Patterns - April 2004 (% of total recorded; Source: e-Cop)
  Microsoft machines service vulnerabilities attacks & probes   24%
  ICMP information gathering techniques                         21%
  HTTP service vulnerabilities attacks & probes                 18%
  SMTP service vulnerabilities attacks & probes                 10%
  DNS service vulnerabilities attacks & probes                   8%
  TCP 2745 service vulnerabilities attacks & probes              5%
  TCP 123 service vulnerabilities attacks & probes               3%
  TCP 1025 service vulnerabilities attacks & probes              3%
  TCP 2967 service vulnerabilities attacks & probes              2%
  Others                                                         6%
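Breakdowns like the two above are produced by bucketing sensor events by the service they target and by the network they come from. As an added illustration (not e-Cop's code or methodology, and not part of the presentation), the script below parses a few constructed perimeter log lines, maps destination ports to the slide's categories and source addresses to a constructed region table, and returns both percentage breakdowns. The log format, the port-to-category map and the region table are assumptions; real attribution would use a GeoIP or RIR allocation database.

```python
"""Aggregate constructed perimeter log lines into the two breakdowns the
slides show: attack type by targeted service, attack source by region.
Added example; the log format, port-to-category mapping and region table
are assumptions, not e-Cop's methodology."""
from collections import Counter
import ipaddress

# Constructed sample log lines (not real traffic):
# <timestamp> <src_ip> <proto> <dst_port | icmp_type>
SAMPLE_LOG = """\
2004-04-02T01:14:07Z 203.0.113.17 tcp 445
2004-04-02T01:14:09Z 203.0.113.17 tcp 135
2004-04-02T01:15:30Z 198.51.100.8 icmp 8
2004-04-02T01:16:02Z 198.51.100.8 tcp 80
2004-04-02T01:17:44Z 192.0.2.77 tcp 25
2004-04-02T01:18:10Z 192.0.2.77 udp 53
2004-04-02T01:19:51Z 203.0.113.99 tcp 2745
2004-04-02T01:20:03Z 203.0.113.99 tcp 1025
2004-04-02T01:21:12Z 198.51.100.200 tcp 2967
2004-04-02T01:21:40Z 198.51.100.200 tcp 31337
"""

# Assumed mapping of (protocol, port) to the slide's categories. Windows
# RPC/SMB ports are grouped as "Microsoft machines service" probes.
CATEGORIES = {
    ("tcp", 135): "Microsoft machines service", ("tcp", 139): "Microsoft machines service",
    ("tcp", 445): "Microsoft machines service", ("udp", 137): "Microsoft machines service",
    ("tcp", 80): "HTTP service", ("tcp", 443): "HTTP service",
    ("tcp", 25): "SMTP service",
    ("udp", 53): "DNS service", ("tcp", 53): "DNS service",
    ("tcp", 2745): "TCP 2745 service", ("tcp", 123): "TCP 123 service",
    ("tcp", 1025): "TCP 1025 service", ("tcp", 2967): "TCP 2967 service",
}

# Constructed region table keyed by source network (assumption).
REGIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "ASEAN",
    ipaddress.ip_network("198.51.100.0/24"): "North America",
    ipaddress.ip_network("192.0.2.0/24"): "Japan",
}

def classify(proto, port):
    """Bucket one event into a slide category; unknown ports fall into Others."""
    if proto == "icmp":
        return "ICMP information gathering"
    return CATEGORIES.get((proto, port), "Others")

def region_of(ip):
    """Look the source address up in the region table."""
    addr = ipaddress.ip_address(ip)
    for net, name in REGIONS.items():
        if addr in net:
            return name
    return "Unknown"

def parse(log_text):
    """Split the constructed log into (timestamp, src, proto, port) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, port = line.split()
        events.append((ts, src, proto.lower(), int(port)))
    return events

def percent_breakdown(labels):
    """Return {label: percent of total}, largest share first, one decimal."""
    counts = Counter(labels)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.most_common()}

def attack_types(log_text):
    return percent_breakdown(classify(p, port) for _, _, p, port in parse(log_text))

def attack_sources(log_text):
    return percent_breakdown(region_of(src) for _, src, _, _ in parse(log_text))

if __name__ == "__main__":
    for name, table in (("Attack types", attack_types(SAMPLE_LOG)),
                        ("Attack sources", attack_sources(SAMPLE_LOG))):
        print(name)
        for label, pct in table.items():
            print(f"  {label:<32} {pct:5.1f}%")
```

Anything the category map does not know about lands in Others, which is also where a real feed's new worm ports first show up; a growing Others bucket is the cue to extend the mapping.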
Situation
- Hackers rely on patches to develop exploits
- Some security researchers are still disclosing vulnerabilities irresponsibly

Vulnerability life cycle: Product ship → Vulnerability discovered → Component modified → Patch released → Patch deployed at customer site. Most attacks occur in the gap between patch release and deployment at the customer site.

Why does this gap exist?
- Lack of, or ineffective, patch management process
- Lack of defense-in-depth and configuration management in infrastructure security

Exploit Timeline
- Process, guidance, and tools are critical
- Days from patch to exploit have decreased to the point that patching alone is not a sufficient defense in large organizations
- Average of 9 days for a patch to be reverse engineered to identify the vulnerability

Days between patch release and exploit code:
  Nimda            331
  SQL Slammer      180
  Welchia/Nachi    151
  Blaster           25
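The shrinking patch-to-exploit window above is easiest to reason about as an exposure calculation against an actual deployment schedule. The following is an added example, not from the presentation or from Microsoft IT: it takes the slide's four patch-to-exploit intervals, a constructed patch-release date and constructed per-host deployment dates, reports which hosts were still unpatched when exploit code appeared and for how long, and checks whether a fixed patch cycle could have kept up with the fastest interval.

```python
"""Patch-to-exploit exposure for a constructed fleet: how long each host
stayed unpatched after a fix shipped, and which hosts were still exposed
when exploit code appeared. Added example; the release date, deployment
dates and patch cycles are constructed, the worm intervals are the
slide's figures."""
from datetime import date

# Days between patch release and exploit code, as given on the slide.
PATCH_TO_EXPLOIT_DAYS = {"Nimda": 331, "SQL Slammer": 180,
                         "Welchia/Nachi": 151, "Blaster": 25}

# Constructed data (not a real patch or fleet): when the fix shipped and
# when each host actually received it. None means never patched.
PATCH_RELEASE = date(2004, 1, 13)
FLEET_DEPLOYED = {
    "web-01": date(2004, 1, 16),
    "web-02": date(2004, 1, 25),
    "db-01": date(2004, 2, 22),
    "fs-01": date(2004, 3, 13),
    "lab-07": None,
}

def lag_days(patch_release, deployed):
    """Days from patch release to deployment, or None if never deployed."""
    return None if deployed is None else (deployed - patch_release).days

def fleet_lags(patch_release, deployed_map):
    return {host: lag_days(patch_release, d) for host, d in deployed_map.items()}

def exposed_hosts(lags, exploit_day):
    """Hosts still unpatched on the day exploit code appeared."""
    return sorted(h for h, lag in lags.items() if lag is None or lag > exploit_day)

def exposure_days(lag, exploit_day, horizon=365):
    """Days a host faced live exploit code: from exploit appearance until it
    was patched, or until the reporting horizon if it never was."""
    end = horizon if lag is None else lag
    return max(0, end - exploit_day)

def fleet_exposure_report(lags, intervals):
    """Per worm: which hosts were exposed, for how long, and what share of the fleet."""
    report = {}
    for worm, exploit_day in intervals.items():
        hosts = exposed_hosts(lags, exploit_day)
        report[worm] = {
            "exploit_day": exploit_day,
            "exposed_hosts": hosts,
            "exposed_pct": round(100.0 * len(hosts) / len(lags), 1),
            "host_exposure_days": {h: exposure_days(lags[h], exploit_day) for h in hosts},
        }
    return report

def patch_cycle_is_sufficient(cycle_days, intervals):
    """A fixed patch cycle only closes the window if every host is patched
    before the fastest observed patch-to-exploit interval elapses."""
    return cycle_days < min(intervals.values())

if __name__ == "__main__":
    lags = fleet_lags(PATCH_RELEASE, FLEET_DEPLOYED)
    for worm, row in fleet_exposure_report(lags, PATCH_TO_EXPLOIT_DAYS).items():
        print(f"{worm:<14} exploit at day {row['exploit_day']:>3}: "
              f"{row['exposed_pct']:5.1f}% of fleet exposed {row['exposed_hosts']}")
    for cycle in (30, 14, 7):
        print(f"{cycle}-day patch cycle sufficient:",
              patch_cycle_is_sufficient(cycle, PATCH_TO_EXPLOIT_DAYS))
```

With the constructed fleet, a host patched 40 days after release was safe against Nimda-era timelines but had 15 days of exposure to a Blaster-speed exploit, and the never-patched lab host dominates the exposure total for every worm; that unmanaged tail is the "Unmanaged Devices" risk in the tactics section, not a patching problem.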
Microsoft IT Environment

Sites shown (among 400+ supported Microsoft sites worldwide): Canyon Park, Redmond; Silicon Valley; Las Colinas; Charlotte; Chicago; Sao Paulo; Dublin; Thames Valley Park; Les Ulis; Benelux; Madrid; Milan; Munich; Stockholm; Dubai; Johannesburg; Singapore; Chofu & Otemachi; Sydney.
- 55,000 employees
- 400 primary LOB applications
- 300,000+ network devices
- 6,000 data-center servers
- 110 Exchange servers / 36 mailbox servers
- 90,000 mailboxes
- 3M+ e-mail messages per day
- 26 million voice calls per month

What's your technology profile? What's your threat environment? What's your risk profile?
Mission

Cycle: Assess Risk → Define Policy → Monitor → Audit

Prevent malicious or unauthorized use that results in the loss of Microsoft intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets.

Vision

An IT environment comprised of services, applications, and infrastructure that implicitly provides availability, privacy, and security to any client.

Five Trustworthy Assurances:
- My identity is not compromised
- Resources are secure and available
- Data and communications are private
- Roles and accountability are clearly defined
- There is a timely response to risks and threats
Other Business Drivers

Security Risk Management:
- Reducing exposures to technology threats
- Preventing computer-related frauds
- Enforce policies and improve audit capability

Reducing Operational Costs:
- Reducing cost of unexpected security events
- Reducing losses from frauds and security failures

Online Business Enablement:
- Integrate partners in the supply chain
- Connect with customers
- Empower the information workers

Regulatory Compliance:
- HIPAA
- Gramm-Leach-Bliley
- Sarbanes-Oxley Act
Security Principles

Management commitment:
- Manage risk according to business objectives
- Define organizational roles and responsibilities

Users and data:
- Manage to the practice of least privilege
- Strictly enforce privacy rules

Application and system development:
- Build security into the development life cycle (Microsoft SD3+C framework)
- Create layered defense and reduce attack surface (defense-in-depth)

Operations and maintenance:
- Integrate security into the operations framework
- Align monitor, audit, and response functions to operational functions
- Watchful, constant vigilance, readiness, and responsiveness
Strategies for Security Policies

Root your security policy in well-known industry standards or regulations:
- ISO 17799 – Security Management Best Practices
- (ISC)² Common Body of Knowledge
- RFC 2196 – Site Security Handbook

Security policies have to start from the top down:
- Illustrate the value of security policy to management
- Get corporate legal and HR departments to assist you

Environment conducive to protection:
- Protection-ready versus attacker-friendly
- Laws and regulations
- Enforcement
- Rewards and penalties
- Think and do security
Enterprise Risk Model

[Chart: Impact to Business (Low to High, defined by the business owner) on one axis against Probability of Exploit (Low to High, defined by Corporate Security) on the other; the low-impact, low-probability region is marked Acceptable Risk and the high-impact, high-probability region Unacceptable Risk]

Risk assessment drives to acceptable risk.
Risk Management Process and Roles

[Diagram: a five-step cycle with the owning roles]
1. Prioritize Risks
2. Security Policy
3. Security Solutions & Initiatives
4. Sustained Operations
5. Compliance

Roles: Corporate Security; Cross-IT Teams.

Inputs and outputs on the diagram: Continuous Risk Assessments (Network Infrastructure Risk Assessment, Platform Infrastructure Risk Assessment, Continuous Application Risk Assessment) feeding a Risk Profile; Tactical Prioritization and Tactical Action Plans; Remediation Projects; Corrective Actions.
A Risk-based Approach

Three questions drive the program: Where/what are the risks? How are they affecting the organization? What are we doing about them?

Program elements and scope:
- Self Assessment Reports: LOB's Control Self Assessment (scope: TS/LOB)
- Audit Reports: GAD's Audit Program; Regulators' Inspection (scope: ALL)
- Awareness Program: IT Control Policies; Focused Programs (scope: ALL)
- Security Services: Ext Connectivity; Network Certification; OSP (scope: ALL)
- Project Security: New applications & infrastructure projects (scope: ALL)

Remarks on the slide: "Not available yet."; "Review of issues accuracy & action plans quality"; "Progress scorecard used."
Representative Risks and Tactics

Enterprise risk → tactical solution:
- Unpatched Devices → Secure Environmental Remediation
- Unmanaged Devices → Network Segmentation Through IPSec
- Remote and Mobile Users → Secure Remote User
- Single-Factor Authentication → Two-Factor for Remote Access and Administrators

Further tactics listed under "Embody Trustworthy Computing": Managed Source Initiatives; Focus Controls Across Key Assets.
Defense in Depth

Using a layered approach:
- Increases attacker's risk of detection
- Reduces attacker's chance of success

Layers, from outermost to innermost:
- Policies, Procedures, and Awareness: user education
- Physical Security: guards, locks, tracking devices
- Perimeter: firewalls, VPN quarantine
- Internal Network: network segments, IPSec, NIDS
- Host: OS hardening, authentication, patch management, HIDS
- Application: application hardening, antivirus
- Data: ACL, encryption
Corporate Security Group Organization

The Corporate Security Group is organized into four teams:
- Threat, Risk Analysis, and Policy: threat and risk analysis; policy development; product evaluation; design review; structure standards
- Assessment and Compliance: security management; security assessment; compliance and remediation
- Monitoring, Intrusion Detection, and Incident Response: monitoring and intrusion detection; rapid response and resolution; forensics; IT investigations
- Shared Services Operations: physical and remote access; certificate administration; security tools; initiative management
Processes and Tools

Driven (influenced) largely by policies and strategy.

Common challenges:
- The information security/risk budget normally does not cover the cost of devising and implementing security processes and tools, in particular the tools required for risk analysis and performance measurement
- Spreadsheets as the database of control status
- The checklist remains predominantly the tool of choice: quality of answers vs completion of checklist questions
- No linkages to the organization's technology/information inventory
Security Readiness
- Risk management does not guarantee risk elimination
- Exploits are increasingly sophisticated
- Ready to act, ready to change: education and training; scenario planning; drills, drills, drills …
Security Response Plan

Triggers: information on a security incident received; vulnerability detected by audit.

Initiation:
1. Decision to begin the Response Plan by IT Security
2. Risk rating
3. Response team assembled; ticket opened

Response plan:
- Evaluation
- Isolate and contain threat
- Analyze and respond
- Alert others as required
- Begin system remediation
- Determine remediation
- De-escalation, return to normal operations
- Post-incident review; ticket closed

Throughout: ongoing evaluation and response revisions; ongoing audit.

Determining the risk rating of the incident/vulnerability involves:
- Severity of the event
- Overall business impact
- Criticality of vulnerable/attacked assets
- Public availability of information
- Scope of exposure
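The response plan above is a fixed sequence gated by a risk rating, and the rating combines the five factors listed with the Enterprise Risk Model's impact-versus-probability view. The following added example (not a Microsoft procedure, and not part of the presentation) scores the five factors on an assumed 0 to 3 scale, multiplies the average of the impact-side factors by the average of the likelihood-side factors, maps the product to Low/Medium/High/Critical with assumed thresholds, and tracks an incident through the plan's steps in order, closing the ticket only after the post-incident review. Factor scales, weights, thresholds and the acceptable band are all assumptions.

```python
"""Incident risk rating and response-plan tracking, modelled on the slides'
rating factors and plan steps. Added example; the factor scales, weights,
rating thresholds and the acceptable-risk band are assumptions."""
from dataclasses import dataclass, field

# The five factors the slide lists, each scored 0 (none) to 3 (severe).
FACTORS = ("severity", "business_impact", "asset_criticality",
           "public_availability", "exposure_scope")

def risk_rating(scores):
    """Combine factor scores into Low/Medium/High/Critical.
    Impact-side factors (severity, business impact, asset criticality) and
    likelihood-side factors (public availability of information, scope of
    exposure) are averaged separately and multiplied, mirroring the
    Impact x Probability-of-Exploit matrix of the Enterprise Risk Model."""
    missing = [f for f in FACTORS if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    if any(not 0 <= scores[f] <= 3 for f in FACTORS):
        raise ValueError("factor scores must be 0..3")
    impact = (scores["severity"] + scores["business_impact"] + scores["asset_criticality"]) / 3
    probability = (scores["public_availability"] + scores["exposure_scope"]) / 2
    product = impact * probability  # ranges 0 .. 9; thresholds are assumed
    if product >= 6:
        return "Critical"
    if product >= 4:
        return "High"
    if product >= 2:
        return "Medium"
    return "Low"

def acceptable(rating):
    """Acceptable-risk band of the matrix (assumed: Low and Medium)."""
    return rating in ("Low", "Medium")

# Response plan steps in the slide's order.
PLAN = ("evaluation", "isolate_and_contain", "analyze_and_respond",
        "alert_others", "begin_remediation", "determine_remediation",
        "de_escalate", "post_incident_review")

@dataclass
class Incident:
    ticket: str
    trigger: str                  # "incident_report" or "audit_finding"
    rating: str
    completed: list = field(default_factory=list)
    closed: bool = False
    log: list = field(default_factory=list)

    def next_step(self):
        """The step the plan expects next, or None once every step is done."""
        return PLAN[len(self.completed)] if len(self.completed) < len(PLAN) else None

    def complete(self, step, note=""):
        """Steps must be completed in order; the ticket closes after the review."""
        if self.closed:
            raise RuntimeError(f"{self.ticket} is closed")
        expected = self.next_step()
        if step != expected:
            raise RuntimeError(f"expected step {expected!r}, got {step!r}")
        self.completed.append(step)
        self.log.append((step, note))
        if step == "post_incident_review":
            self.closed = True
        return self

def open_incident(ticket, trigger, scores):
    """Rate the event, then open the ticket that the response team works from."""
    if trigger not in ("incident_report", "audit_finding"):
        raise ValueError("unknown trigger")
    return Incident(ticket=ticket, trigger=trigger, rating=risk_rating(scores))

if __name__ == "__main__":
    # Constructed scenario: exploit information public, core servers hit.
    inc = open_incident("INC-0001", "incident_report",
                        {"severity": 3, "business_impact": 2, "asset_criticality": 3,
                         "public_availability": 3, "exposure_scope": 2})
    print(inc.ticket, inc.rating, "acceptable:", acceptable(inc.rating))
    for step in PLAN:
        inc.complete(step)
    print("closed:", inc.closed, "steps completed:", len(inc.completed))
```

Keeping the rating factors explicit and the step order enforced is what turns the slide's "drills, drills, drills" into something auditable: the log records which step was taken when, and an out-of-order step is rejected rather than silently skipped.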
Summary
- No silver bullet
- Understand and keep abreast of the changing threat environment
- Develop a cybersecurity strategy with a clear mission and vision, adopting a decision and prioritization model, with strong security principles to guide implementation and selection of solutions
- Combine technology, procedures, and proper use of personnel to reduce vulnerabilities
- A preventative approach toward critical security issues is less expensive than correcting vulnerabilities after systems have been compromised
- Constant vigilance and readiness to respond at all times
Security is a journey, not a destination

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.