
Building Next Generation

Information Security
for an Enterprise

Ramesh Shanmuganathan
Senior Vice President / Group CIO
John Keells Group

30th June 2007


Agenda

• What is Information Security?
• Current state of Information Security or Insecurity
• Global context for Nextgen Infosec
• Integrated framework for Nextgen InfoSec
• Building blocks of Nextgen InfoSec
• Defense-in-depth solutions for NextGen Infosec
• Q&A
What is Information Security (InfoSec)?

Security is not a destination…
it is a never ending journey

Security Is Only As Strong As The Weakest Link
[Slide image: a sticky note reading "Password: HS17!@"]
Current state of Information Security or Insecurity?

A brief history of computing & insecurity
[Slide: a timeline from 1977 to 2005. The year labels were extracted as scattered digits; the events below are listed in the order they appear on the slide, left to right, without their exact year positions.]

Eras: Standalone Systems – Disk/Diskette Sharing → Client-server/PC-LAN Networks → Internet → Collaboration (Email, Web, IRC, IM, P2P, File Sharing)

Platforms and malware:
• Apple II Computer, Commodore, Atari, TI-99, TRS-80
• First self-destruct program (Richard Skrenta)
• First self-replicating program (Skrenta's Elk Cloner)
• First worm developed in Xerox Palo Alto
• Ken Thompson demonstrates the first Trojan Horse
• Fred Cohen's experimentation
• ©Brain virus developed by two Pakistanis
• Yale, Cascade, Jerusalem, Lehigh, etc.; VAX viruses
• Morris' Worm
• Stealth virus (Whale); variable encryption (1260)
• First "Concept" Macro Virus; Excel Macro Virus (cross platform)
• Melissa virus ($80m)
• Philippines' "I LOVE YOU" virus
• Code Red, Nimda
• Slammer, Blaster, Welchia
• MyDoom, Sasser

Incidents, crime and enforcement:
• FBI arrests the "414s" hacker group
• "Cuckoo's Egg" discovery at LBL
• Robert T Morris fined $10K, 3 years probation
• Kevin Mitnick arrested, five years imprisonment
• Phishing begins in AOL
• Information Warfare
• "Solar Sunrise" - two California teens attack 500 Military, Govt & Private computer systems
• Melissa's author sentenced to 20 months jail
• DDoS on 13 "root" servers
• Criminal exploitation: phishing attacks, SPAM mails, spyware, bots, pharming (DNS poisoning)

Underlying causes: protocol weaknesses / buffer overflows proliferated; insecure defaults / weak security techniques / feature misuse / social engineering. Computer crimes became cyber crimes.

Standards: UK Green Book → BS 7799 → ISO 17799; Trusted Operating Systems (Orange Book) → Trusted Network (Red Book) – ITSEC → Common Criteria (ISO 15408)
Security Threats Matrix

Human Threats
  Malicious
    Outsiders: Hackers, Criminals, Competitors, Governments, Cyber-terror
    Insiders: Disgruntled or Former Employees
  Non-Malicious ("Stuff Happens"): Forgotten Passwords, Lost Encryption Keys, Accidental Deletion, No/Bad Back-Ups
Natural Disasters: Flood, Fire, Earthquake, Hurricane
The Attack Surface
[Slide: items arranged around three hubs labelled People, Process and Technology]

Open Ports | Open File Shares | Weak Passwords | Port Scanners | Password Cracking | Systems too complex | Viruses | Unknowns | Trojan Horses | Un-patched Web Server | Unused Services Left On | Denial of Service | Network Spoofing | Excessive privileges | Poisons (Packets, DNS, etc.) | No Auditing | No Policies | Worms | Packet Sniffing
The Internal Threat Is Real
• Authentication, Directory, Federation
• Development tools for secure code
• Policy, Code (Identity, Updates)
• Isolation (Firewall, Quarantine)
Global Context for NextGen InfoSec….

Business Is Changing

Yesterday: Internal Focus - Access is granted to employees only
Today: External Focus - Suppliers, customers, and prospects all need some form of access

Yesterday: Centralized Assets - Applications and data are centralized in fortified IT bunkers
Today: Distributed Assets - Applications and data are distributed across servers, locations, and business units

Yesterday: Prevent Losses - The goal of security is to protect against confidentiality breaches
Today: Generate Revenue - The goal of security is to enable eCommerce

Yesterday: IT Control - Security manager decides who gets access
Today: Business Control - Business units want the authority to grant access

Source: Forrester Research, Inc.


Today’s Business context…
• Personalized access for any transaction, anytime, anywhere, any media
• Customers demanding consistency across all communication channels, anywhere, anytime
• Businesses need to know customers to grow their business
• Existing investments protected - open, standards-based multi-vendor environment
Technology context…
• Mobility and wireless communications
• Pervasiveness of technologies and devices
• Convergence of technologies
• Virtual, globally distributed, networked enterprises
• Wide acceptance and usage of the Internet and IP
Today’s Information Technology context…
• How do I align IT investments with Business directions/objectives?
• How do I build strong business service delivery?
• How do I ensure my information is secure?
• How do I manage my enterprise architecture?
• How do I build credibility for the value of IT services?
Today’s Information Security (IS) context…
• How do I secure my IT domain?
• How do I ensure that the people who are accessing the domain are the people who have been authorized to do so?
• How do I ensure that the authentication is non-repudiable?
• How do I ensure availability and assurance of information access?
Today’s Information Security (IS) context…
• How do I ensure confidentiality and integrity of information stored, accessed and distributed?
• How do I audit and review my security policy in light of an evolving and dynamic business environment?
• How do I manage misuse and abuse of privileges?
• How do I manage external threats from hackers, spam and viruses?
Nextgen Infosec has to address…
[Slide: a cloud of regulatory requirements]
SEC Reporting Requirement? | Federal Version of SB 1386? | PIPEDA | CA SB1386 | EU Data Protection Act | SEC Regs | Sarbanes-Oxley | FISMA | HIPAA | GLBA | BASEL II

IT Triad of Nextgen
[Slide: three columns of pressures]
• Growth, Customer service, Regulatory compliance, Deployment and management, Varying skill sets, Mobility
• PC maintenance, Server sprawl, Legacy platforms, Device maintenance, Identity management, Software updates
• Malicious attacks, viruses, spam, etc.; Evolving threats; Patch management, VPN, etc.; Secure access (employees, partners and customers)
Integrated Framework for NextGen InfoSec

IT Maturity Model (ITIL / ISO 15000) as basis for continuous improvement

Basic: Uncoordinated, manual infrastructure. Objective: react. Ability to change: slow, weeks to months. Resource utilization: unknown. Processes & automation: ad hoc. Business alignment: no SLAs. Role of IT: cost center.
Organized: Centrally managed IT infrastructure with some automation. Objective: manage. Ability to change: weeks. Resource utilization: known, poor. Processes & automation: defined. Business alignment: arbitrary SLAs. Role of IT: efficient cost center.
Optimized: Managed and consolidated IT infrastructure. Objective: reduce complexity. Ability to change: days. Resource utilization: optimized. Processes & automation: mature. Business alignment: class of service SLAs. Role of IT: business enabler.
Dynamic: Fully automated IT management, dynamic resource usage and business linked SLAs. Objective: agility. Ability to change: minutes. Resource utilization: high, as needed. Processes & automation: policy-based. Business alignment: business SLAs. Role of IT: strategic asset.
Nextgen InfoSec Consideration
[Slide: a pyramid, apex first]

Efficiency & Effectiveness
GOALS: Scalability | Accessibility | Availability
RESULTS: Privacy | Integrity | Authenticity
PROCESSES: Authentication | Authorization | Audit
TOOLS: Firewall | Intrusion Detection | Cryptography | VPN | Virus protection
Why do we need an Integrated Framework
• Business Agility
• Embracing IT enabled delivery channels
• 360 view of customers - knowledge is power!
• Effective roll-out of corporate/business strategies
• Better time to market
• Return on Investment
• Insurance analogy – security is a necessary evil?
• Risk Management = F(Fear, Uncertainty, Doubt)?
• Confidentiality-Integrity-Availability (CIA) vs Disclosure-Alteration-Destruction (DAD)
The 3 “D”s and 5 steps for NextGen InfoSec
• 3 “D”s
  • Defense
  • Deterrence
  • Detection
• 5 steps
  • Assets – What is to be protected?
  • Risks – What are the threats, vulnerabilities?
  • Protections – How will the assets be protected?
  • Tools – What will be done to protect them?
  • Priorities – In what order will the protective steps be implemented (multi-layered methodology)?
NextGen InfoSec Framework
(Hybrid of ISO 27001 & CoBIT)

Business drivers

Information Security Policy

Information Security Organization

Asset evaluation, classifications and control

Blue printing, Control measures and management

Systems acquisition, Implementation, Delivery & Support

Security deployment, enforcement & risk mitigation

Access Control & incident management

Business Continuity & Compliance


IT/IS Governance is baseline
• It’s not security through Obscurity
• It’s an alignment of business objectives/needs with IT investments and services
• It is as vital and important as Corporate / business governance
• It needs commitment/endorsement from the C-level to be successful!

Governance of Information Technology / Information Security
[Slide: a layered diagram, BUSINESS down the left edge and TECHNOLOGY down the right]

Business / Technology Perspective & Process management | User perspective & Management | IT Integration
POLICY MANAGEMENT
User Management | Security Management | Systems Management
Applications | Infrastructure
ICT Infrastructure
IT/IS Governance will pave the way for Nextgen
It will result in reduced costs, improved reliability, and increased responsiveness across the entire IT life cycle

• Faster, more efficient development resulting in IT systems that are Designed for Operations
• Responsive, policy-driven IT systems that are self managing, reliable and cost effective
• SLAs that are met or exceeded resulting in satisfied business units and productive end users
Integrated Approach is key!
[Slide: a triangle whose sides are labelled people, process and technology]
• Good IT governance
• Comprehensive IT policy
• Security Framework
Continuous Improvement is inevitable!
[Slide: a cycle around Corporate IT policy & Governance]
Alignment & Deployment → Management & Review → Assurance & Risk Mitigation → Realignment & Continuous Improvements → back to Alignment & Deployment
Layered Security is the way forward!

Security
  Information Security
    Physical Security | Network Security
      OS Security | Computer Security | Device Security
        Data Security | Application Security | Database Security

The challenge: Balancing the Act
Building blocks of NextGen InfoSec

Proactive Security Program = Business Enabler
• identify - ID Critical Assets and Assess Risk
• plan - Develop a Proactive Security Program
• act - Implement Tailored InfoSec Roadmap including Policies, Training, and Technology
• check - Ongoing Monitoring, Auditing, Updating, & Adjusting
Comprehensive Security Policy
• Blue Print for Good Security Program
• Standards Based – ISO 27001, CoBIT
• Management Buy In
• High Level to Technical
• Business Driven Not Vendor Driven
• Non-Static
Rigid Enforcement of the Security Policy
• Minimize Exposure to Vulnerabilities
• Prepare for Attacks on Our Systems
• Manage Internal Staff Behavior
• Manage External Access and Activity
• Maintain Appropriate Security Configurations & Response Strategies
• Exploit Built-in Security Features
• Measure and Record Patterns and Trends for Future Security Planning
Classification of Information Assets
[Slide: diagram of the CORPORATE NETWORK; no further text was extracted]
Assessment of IT infrastructure Vulnerabilities
[Slide: network diagram] Router, Firewall, Network, Web Server, Servers, E-Mail Server, Clients & Workstations

Assessment of Application Vulnerabilities
[Slide: network diagram] Router, Firewall, E-Commerce Web Server, SAP, Peoplesoft, E-Mail Server, Web Browsers

Assessment of Database Vulnerabilities
[Slide: network diagram] Router, Firewall, Databases: Oracle, Microsoft SQL Server, Sybase

Assessment of Operating Systems Vulnerabilities
[Slide: network diagram] Router, Firewall, Network, Operating Systems: Solaris, Windows NT, HP-UX, AIX, Windows 95 & NT

Assessment of Network Vulnerabilities
[Slide: network diagram] Router, Firewall, Web Server, Servers, E-Mail Server, Networks: TCP/IP, Netware
Layered Defence Schema

APPLICATIONS

DATABASES

OPERATING SYSTEMS

NETWORK SERVICES
Comprehensive Security Framework
Full life-cycle Security Management across Operating Systems, Applications, Databases and Networks

[Slide: flow] Alarms, Policy Violations, Vulnerabilities, Threats → Actionable Information → Corrective action, Active response
Vulnerability Management
corrective action report

Vulnerability: GetAdmin
Severity: High Risk
IP Address: 215.011.200.255
OS: Windows NT 4.0
Fix: From the Start menu, choose Programs/Administrative Tools/User Manager. Under Policies/User Rights, check the users who have admin privileges on that host. Stronger action may be needed, such as reinstalling the operating system from CD. Consider this host compromised, as well as any passwords from any other users on this host. In addition, apply the post-SP3 getadmin patch, or SP4 when available. Also refer to Microsoft Knowledge Base Article Q146965.txt.
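A corrective action report is only useful once it feeds a work queue. The following is an added example, not the deck's or any scanner vendor's code: it parses reports written in the field layout shown above (Vulnerability / Severity / IP Address / OS / Fix, with the Fix text wrapping over several lines) into records and orders them most severe first. The three sample reports, their hosts (documentation address ranges) and the severity scale are constructed for illustration; the GetAdmin entry is abridged from the slide.

```python
"""Parse corrective-action reports in the slide's field layout and build a
prioritised work queue.  Added example; the sample reports are constructed."""
import re
from dataclasses import dataclass

# Constructed sample: three reports, blank-line separated, hosts in documentation ranges.
SAMPLE_REPORTS = """\
Vulnerability: GetAdmin
Severity: High Risk
IP Address: 192.0.2.17
OS: Windows NT 4.0
Fix: Under Policies/User Rights, check the users who have admin privileges
on that host. Consider this host compromised. Apply the post-SP3
getadmin patch, or SP4 when available.

Vulnerability: Anonymous FTP write access
Severity: Medium Risk
IP Address: 192.0.2.40
OS: Solaris 2.6
Fix: Disable anonymous write access in the ftpd configuration.

Vulnerability: SNMP default community string
Severity: Low Risk
IP Address: 192.0.2.9
OS: IOS
Fix: Replace the default community string and restrict SNMP to the
management network.
"""

# Constructed severity scale; unknown labels rank 0 so they sort last instead of failing.
SEVERITY_RANK = {"High Risk": 3, "Medium Risk": 2, "Low Risk": 1}

FIELD_RE = re.compile(r"^(Vulnerability|Severity|IP Address|OS|Fix):\s*(.*)$")


@dataclass
class Finding:
    vulnerability: str
    severity: str
    ip_address: str
    os: str
    fix: str

    @property
    def rank(self) -> int:
        return SEVERITY_RANK.get(self.severity, 0)


def parse_reports(text: str) -> list[Finding]:
    """Split the text into reports and parse each.  A line that does not open a
    new field continues the previous one, which is how the wrapped Fix text is kept."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: dict = {}
        current = None
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                current = m.group(1)
                fields[current] = m.group(2).strip()
            elif current:
                fields[current] += " " + line.strip()
        # A report missing a mandatory field is a parsing error, not a low-severity finding.
        for required in ("Vulnerability", "Severity", "IP Address"):
            if required not in fields:
                raise ValueError(f"report missing {required!r}: {block[:40]!r}")
        findings.append(Finding(
            vulnerability=fields["Vulnerability"],
            severity=fields["Severity"],
            ip_address=fields["IP Address"],
            os=fields.get("OS", "unknown"),
            fix=fields.get("Fix", ""),
        ))
    return findings


def corrective_action_queue(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Most severe first; ties broken by host address so the queue is stable between runs."""
    ordered = sorted(findings, key=lambda f: (-f.rank, f.ip_address))
    return [(f.severity, f.ip_address, f.vulnerability) for f in ordered]


if __name__ == "__main__":
    for severity, host, name in corrective_action_queue(parse_reports(SAMPLE_REPORTS)):
        print(f"{severity:12} {host:15} {name}")
```

The mandatory-field check matters in practice: a scanner export with a truncated record should stop the run rather than silently produce a finding with no severity that sinks to the bottom of the queue.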
Threat Management
[Slide: response flow]
Attack detected → Session logged → Session terminated → Email alert / log → Reconfigure firewall/router → Internal record of session
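The response chain on this slide (detect, log the session, terminate it, alert, reconfigure the perimeter) is worth seeing as code because the ordering and the exceptions are where automated response goes wrong. The following is an added example, not the deck's or any IDS/IPS product's code: it runs the chain over constructed detection events, keeps an audit trail of every step, adds a perimeter deny rule only once per source, and refuses to auto-block a source inside an assumed internal management range, since blocking your own operations subnet is a self-inflicted denial of service. The event format, the rule syntax and the exempt range are all assumptions.

```python
"""Simulate the threat-management flow: detection -> session logged ->
session terminated -> alert -> firewall/router reconfigured, with an audit
record.  Added example; events, rule syntax and ranges are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed detection events as an IDS/IPS might raise them (documentation ranges).
EVENTS = [
    {"id": 1, "src": "198.51.100.23", "dst": "192.0.2.10", "dport": 80, "sig": "Code Red probe"},
    {"id": 2, "src": "198.51.100.23", "dst": "192.0.2.10", "dport": 80, "sig": "Code Red probe"},
    {"id": 3, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 1434, "sig": "Slammer"},
]

# Assumption: the internal management range is never auto-blocked; a human reviews instead.
NO_AUTO_BLOCK = [ip_network("10.0.0.0/24")]


@dataclass
class ResponseState:
    audit: list = field(default_factory=list)
    firewall_rules: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    terminated_sessions: set = field(default_factory=set)


def handle_detection(event: dict, state: ResponseState) -> str:
    """Run the response chain for one detection and return the final action taken."""
    src = ip_address(event["src"])
    session = (event["src"], event["dst"], event["dport"])
    # 1. Record the session first so the evidence exists before anything is torn down.
    state.audit.append(f"event {event['id']}: session {session} logged ({event['sig']})")
    # 2. Terminate the offending session (idempotent: a repeat detection does not re-terminate).
    if session not in state.terminated_sessions:
        state.terminated_sessions.add(session)
        state.audit.append(f"event {event['id']}: session {session} terminated")
    # 3. Alert the operator (e-mail / log); every detection alerts even when nothing else changes.
    state.alerts.append(f"ALERT {event['sig']} from {event['src']} -> {event['dst']}:{event['dport']}")
    # 4. Reconfigure the perimeter unless the source is exempt or already blocked.
    if any(src in net for net in NO_AUTO_BLOCK):
        state.audit.append(f"event {event['id']}: {src} in no-auto-block range, manual review")
        return "manual-review"
    rule = f"deny ip host {src} any"   # illustrative ACL-style syntax, not a specific product's
    if rule in state.firewall_rules:
        state.audit.append(f"event {event['id']}: {src} already blocked")
        return "already-blocked"
    state.firewall_rules.append(rule)
    state.audit.append(f"event {event['id']}: firewall rule added: {rule}")
    return "blocked"


def run(events=EVENTS) -> ResponseState:
    """Feed every event through the chain and return the resulting state."""
    state = ResponseState()
    for ev in events:
        handle_detection(ev, state)
    return state


if __name__ == "__main__":
    for line in run().audit:
        print(line)
```

Running the three sample events yields one deny rule, three alerts, and an audit line explaining why the internal source was not blocked; that explanation is what an analyst needs when reviewing the queue later.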
Risk Management
[Slide: Enterprise Risk Profile plotted against Time]
Inputs: Vulnerability Data, Threat Data, Firewall/Router Logs, PKI/Authentication Data
Components tracked: Vulnerabilities, Internal Threats, External Threats
Defense-in-depth Solutions for NextGen InfoSec

Defense-in-depth Solution #1: Blocking Network Attacks
[Slide: network diagram. Internet → MSS Provider / DDoS Defense → Perimeter (Filtering Router, Firewall, IDS/IPS Outside, AV/Spyware, Secure Web Gateway Filter) → IDS/IPS Inside → Intranet (Workstations, Mail Filter with Anti-Virus and Anti-Spam, File Transfer, Database Server, Web Server, File Server, Domain Controller, Mail Server, Terminal Server, Laptops) and DMZ; the firm itself is labelled "Your Firm?"]
• Filtering Router (NAT)
• Firewall and AntiVirus / Spyware Gateways
• Secure E-Mail / Anti-Spam Filtering
• Secure Web Filtering
• IDS / IPS
• Discovery and Mitigation
• Managed Security Services
• DDoS Defense Tools
Defense-in-Depth Solution #2: Blocking Host Attacks
[Slide: a host protected by Personal Firewall, Personal AntiVirus, and Spyware & RootKit Removal]
• Host IPS
• Spyware Removal
• Personal Firewalls and Host IPS
• Scan and Block Systems
• Personal AntiVirus
• RootKit Detection and Removal
Defense-in-depth solution #3: Eliminating Security Vulnerabilities
[Slide: intranet/DMZ diagram (Workstations, Mail Filter with Anti-Virus and Anti-Spam, File Transfer, Application Server, File Server, Database, Web Server, Mail Server, Domain Controller, Terminal Server, Laptops) with Vulnerability Testing and Patch & Configuration Management overlaid]
• Vulnerability Management and Penetration Testing
• Patch and Configuration Management and Compliance
• Application Security Testing
Defense-in-depth solution #4: Safely Supporting Authorized Users
• ID and Access Management
• File Encryption
• Secure Communication
• PKI
• VPN
• Secure Remote Access
• Strong Authentication
Defense-in-depth solution #5: Minimizing Business Losses and Maximizing Effectiveness
• Secure Information Management
• Fraud in Business Transactions
• Security Skills Development
• Forensics Tools
• Regulatory Compliance Tools
• Log Management
• Business Recovery
• Back-Up
Defense-in-depth Solution #6: Reviewing all of the above
[Slide: Customer Need]
Real-life example..
[Slide: network access control diagram with a Client, a Network Access Device (DHCP, VPN), a Network Policy Server, System Health Servers, Remediation Servers, a Restricted Network and the Corporate Network]

1. Client → Network Access Device: "May I have access? Here’s my current health status."
2. Network Access Device → Network Policy Server: "Should this client be restricted based on its health?"
3. System Health Servers → Network Policy Server: ongoing policy updates.
4. Network Policy Server: "According to policy, the client is not up to date. Quarantine client, request it to update."
5. Network Access Device → Client: "You are given restricted access until fix-up."
6. Client → Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
7. Client → Network Policy Server: "Here’s my new health status."
8. Network Policy Server: "According to policy, the client is up to date. Grant access."
9. Client is granted access to the full intranet.
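The exchange above, as an added example that is not the deck's or any vendor's code: the client presents a statement of health, the policy server evaluates it against the policy the health servers pushed, and the client is either quarantined and remediated or granted full access. The health checks (firewall on, antivirus on, signature age, patch level), the policy thresholds, the dates and the notion that the remediation servers can only install patches up to an "offered" level are all constructed assumptions; that last one is there to show the failure mode the slide does not draw, a client that remains non-compliant after fix-up and therefore stays on the restricted network.

```python
"""Model the client / policy server / remediation server exchange on the slide.
Added example; checks, thresholds, dates and fixtures are constructed."""
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class HealthStatement:
    """What the client reports about itself (constructed fields)."""
    firewall_enabled: bool
    antivirus_enabled: bool
    signature_date: date   # date of the newest antivirus signatures on the client
    patch_level: int       # highest update level applied (constructed scale)


@dataclass(frozen=True)
class HealthPolicy:
    """Policy the System Health Servers push to the Network Policy Server."""
    max_signature_age_days: int
    min_patch_level: int
    evaluated_on: date


def evaluate(statement: HealthStatement, policy: HealthPolicy) -> list[str]:
    """Return every policy failure; an empty list means the client is up to date."""
    failures = []
    if not statement.firewall_enabled:
        failures.append("host firewall disabled")
    if not statement.antivirus_enabled:
        failures.append("antivirus disabled")
    age_days = (policy.evaluated_on - statement.signature_date).days
    if age_days > policy.max_signature_age_days:
        failures.append(f"antivirus signatures {age_days} days old")
    if statement.patch_level < policy.min_patch_level:
        failures.append(f"patch level {statement.patch_level} below {policy.min_patch_level}")
    return failures


def remediate(statement: HealthStatement, policy: HealthPolicy,
              offered_patch_level: int) -> HealthStatement:
    """What the remediation servers on the restricted network do for a quarantined
    client.  They can only install the patches they hold (offered_patch_level),
    so remediation can leave a badly outdated client still non-compliant."""
    return replace(
        statement,
        firewall_enabled=True,
        antivirus_enabled=True,
        signature_date=policy.evaluated_on,
        patch_level=max(statement.patch_level, offered_patch_level),
    )


def access_decision(statement: HealthStatement, policy: HealthPolicy,
                    offered_patch_level: int, max_rounds: int = 2):
    """Drive the exchange.  Returns ("full-access" | "restricted", transcript).
    A client still failing after the allowed rounds stays restricted; it is
    never granted access just because it has tried enough times."""
    transcript = []
    for _ in range(max_rounds):
        failures = evaluate(statement, policy)
        if not failures:
            transcript.append("NPS: according to policy the client is up to date, grant access")
            return "full-access", transcript
        transcript.append("NPS: client is not up to date (" + "; ".join(failures) + "), quarantine")
        transcript.append("client -> remediation servers: can I have updates?")
        statement = remediate(statement, policy, offered_patch_level)
        transcript.append("client -> NPS: here is my new health status")
    transcript.append("NPS: still non-compliant after remediation, access stays restricted")
    return "restricted", transcript


# Constructed demo fixtures; the evaluation date is the deck's date.
DEMO_POLICY = HealthPolicy(max_signature_age_days=7, min_patch_level=4, evaluated_on=date(2007, 6, 30))
STALE_CLIENT = HealthStatement(True, True, date(2007, 6, 1), 3)
HEALTHY_CLIENT = HealthStatement(True, True, date(2007, 6, 30), 4)

if __name__ == "__main__":
    for line in access_decision(STALE_CLIENT, DEMO_POLICY, offered_patch_level=4)[1]:
        print(line)
```

The design point is in remediate and the round limit: the policy server trusts the client's statement only as far as the policy it was given, and the restricted network is the steady state for anything the remediation servers cannot bring up to date.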
A parting thought……….

"The pertinent question is not how to do things right but how to find the right things to do, and concentrate resources and efforts on them."
- Peter F Drucker (1964)

Thank you!

Contact: ramesh@keells.com
