
- Number of slides: 47
People, Process, Technology: “Back to the Basics” Security Management. Serge Bertini, Director Security Solution, CA
Agenda - Identity in the News - e-Identity Revolution - Identity Risks and Rewards - Best Practices and Compliance - Identity Technology Update © 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Recent Security Surveys
Can you trust an ATM? Cash machine fraud gang is jailed “A gang of illegal immigrants that admitted stealing more than £600,000 in a "sophisticated" cash machine scam has been jailed at Southwark Crown Court.” BBC News, July 1st, 2005. Fake ATM facades were used across London to record financial details and pillage accounts, the court heard.
Phishing pair jailed for ID fraud “A UK-based American citizen has been jailed for six years after stealing up to £6.5m through identity fraud.” BBC News, July 1st, 2005. Douglas Havard, from Dallas, Texas, made fake credit cards with stolen bank details as part of a global syndicate. The scam relied on phishing, by which online account holders are induced to give away their personal details.
CSI/FBI Computer Crime and Security Survey (2006) - “Unauthorized Access” showed a dramatic increase - second most significant contributor to computer crime losses - accounts for 24% of overall reported losses - showed a significant increase in average dollar loss - 52% of organizations surveyed experienced unauthorized use of computer systems in the last 12 months - 32% of attacks or misuse were related to unauthorized access to information - Over 82% of large organizations reported an identified breach in the last year
CERT Insider Threat Survey (2005) Majority of attacks due to: - compromised computer accounts - unauthorized backdoor accounts - use of shared accounts
PWC Survey of Canadian Companies (2005) - >55% of companies were victims of fraud - Average loss of $1.7 million (US) - >1/3 of companies reported that company reputation, brand equity and business relationships were negatively affected by the crime - 61% of fraudsters were insiders - One of the top 3 reasons cited for fraud being committed is insufficient controls - The survey showed that the probability of uncovering economic fraud is strongly dependent on the number and effectiveness of the control mechanisms in place
e-Identity Revolution (diagram). Adoption stages, from left to right: - Employees, single user ID - Employees, multiple IDs - Employees and partners (B2B) - Customers, partners and employees (B2C) - Next generation: the world via their mobile phone (cable TV, video on demand, etc.). The diagram marks where mainstream adopters and leading edge adopters are today.
Customer Service Enablement - Challenge - Provide individualized services and content - To tens of millions of customers - On demand, reliably, and securely - Examples - Bank planning management of 100 million customers - US Cable TV/ISP with 5.3 million subscribers - Canadian Cable TV with over 2 million subscribers
Challenges - Managing Risk: new ways to commit fraud and theft - Compliance with Laws and Regulations: governance, privacy, and freedom of information - Financial Discipline: too much labour, under-utilized capital
Perceived Major Causes of Risk (chart). Source: IT Security Strategy – Review of Attitudes, Activities and Plans (June 2004), Jon Collins, Quocirca Ltd
Deployed IT Security Technology (chart). Source: IT Security Strategy – Review of Attitudes, Activities and Plans (June 2004), Jon Collins, Quocirca Ltd
Identity and Risk - Individual: - Financial loss - Inconvenience - Loss of privacy - Loss of reputation - Reduced creditworthiness - Arrest by law enforcement - Criminal charges - Organization: - Loss of proprietary information - Loss of confidential information - Loss due to theft and fraud - Loss of reputation - Damage to brand - Damage to share value - Fines and sanctions - Criminal charges
Identity Theft – Risk to Organization. Thousands hit by US identity theft “Politicians have stepped up their calls for greater regulation of the data collection industry in the wake of a security breach that may have led to more than 140,000 Americans having their identities stolen.” Daily Telegraph, by David Litterick in New York (filed February 24th, 2005). “ChoicePoint, a data warehousing company, is facing a raft of lawsuits after it admitted that thieves, apparently using identities already stolen, created what appeared to be legitimate debt-collecting and cheque-cashing businesses seeking ChoicePoint's services. They then opened 50 accounts and received volumes of data on consumers, including names, addresses, social security numbers and credit reports.”
Employee Fraud – Risk to Organization. Rerouted: Former Cisco Accountants sent up the river. Former finance department workers swindled networking specialist out of $7.8 million. Stephen Taub, CFO.com, November 28th, 2001. Two former Cisco Systems Inc. accountants are heading to prison. Geoffrey Osowski, 30, and Wilson Tang, 35, were each sentenced to 34 months in prison for transferring $7.8 million in company stock to their personal brokerage accounts. The maximum sentence for the crime is five years. The two accountants illegally accessed Cisco’s programs for managing stock-option disbursements and granted themselves 230,550 shares over six months starting in October 2000, according to wire service reports, citing prosecutors.
E-Identity / IT Asset Protection: What is it? Asset Protection – Protecting critical corporate resources, of all types, against unauthorized (inadvertent or malicious) access. It requires effective management of all users and their access rights. Let’s look at the types of assets that need protection...
Asset Protection (diagram, built up over five slides) - Assets: Web apps & web services; Enterprise apps (ERP/CRM; SAP, PS, etc.); Servers (user accounts, system files, critical DBs, system processes, log/audit files); Mainframe - Users: Web user; Unix user; Windows admin - Admin rights: root access rights; control of system processes
Top 10 Control Deficiencies* #10 System documentation does not match actual process #9 Procedures for manual processes do not exist or are not followed #8 Custom programs, tables & interfaces are not secured #7 Posting periods not restricted within GL application #6 Terminated employees or departed consultants still have access #5 Large number of users with access to “super user” transactions in production #4 Development staff can run business transactions in production #3 Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, PeopleSoft, JDE) not secure #2 Operating System (e.g. Unix) access controls supporting financial applications or Portal not secure #1 Unidentified or unresolved segregation of duties issues. 7 of the Top 10 deficiencies relate to the management of user identities and access. * Ken Vander Wal, National Quality Leader, E&Y, ISACA Sarbanes Conference, 4/6/04
Cost of Doing Nothing (two columns, Return on Negligence and Missed Opportunities; rows labelled Intangible Costs, Tangible Costs, Avoidable Risks). Return on Negligence: • Damage by unauthorized access • Damage by fraud • Damage to information systems • Damage by data theft • Unfulfilled potential revenue • Loss of potential customers. Missed Opportunities: • Reduction in administration costs • Reduction in help desk costs • Increased end user productivity • Reduction in IT purchasing costs • Smooth interaction with partners, suppliers and customers • Ability to transact securely • Centralised administration • Coherent approach to access
Standards and Compliance - Normally government regulations do not specify in detail what is required to comply. Useful standards are: - COSO - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) report: Internal Control—Integrated Framework. - COBIT - Control Objectives for Information and related Technology (COBIT), introduced in 1996, is a framework of generally applicable and accepted Information Technology (IT) governance and control practices. - ISO 17799 - “A comprehensive set of controls comprising best practices in information security”; an internationally recognized generic information security standard, derived from BS 7799, which the next slides use for the control mapping. - ITIL - The IT Infrastructure Library, developed in the late 1980s by a U.K. government agency (the CCTA); defines the processes and activities that support IT services.
CobiT and BS 7799 - Identity Considerations (CobiT control objective | BS 7799 section)
DS 3.5 Technology Standards | 10.1 Security Requirements of Systems
PO 4.1 Segregation of Duties | 8.1 Operational Procedures and Responsibilities
PO 4.6 Responsibility for Security | 4.1 Manage Information Security
PO 4.7 Ownership and Custodianship | 5.1 Accountability for Assets
DS 5.2 Identification, Authentication and Access | 9.4, 9.5, 9.6 Network, OS and Application Access Control
DS 5.3 Security of Online Access to Data | 9.1 Business Requirement for Access Control
DS 5.4 User Account Management | 9.2 User Access Management
DS 5.5 Management Review of User Accounts | 9.2.4 Review of User Access Rights
DS 5.6 User Control of User Accounts | 9.3 User Responsibilities
DS 5.7 Security Surveillance | 9.7 Monitoring System Access and Use
DS 5.8 Data Classification | 5.2 Information Classification
DS 5.9 Central Identification and Access Rights Mgt | 9.2 User Access Management
DS 5.10 Violation and Security Activity Reports | 9.7 Monitoring System Access and Use
(no CobiT counterpart listed) | 4.2 Security of Third Party Access
DS 5.4 - User Account Management / BS 7799 - 9.2 User Access Management (maturity level: process | technology support)
1: Manual account management process documented and owners defined | Virtual user directory; password management tools
2: Provisioning and delegated account management processes defined | Provisioning workflow system; master provisioning source (HR); reporting toolset
3: Role definition owners and processes defined; application security conformance to identity standards reviewed | Role based provisioning and administration system; application integration
4: Processes for partners managing accounts and federated trust relationships defined | Federated provisioning
DS 5.6 - User Control of User Accounts / BS 7799 - 9.3 User Responsibilities (maturity level: process | technology support)
1: Self service password reset, forgotten password and account unlock process documented and owners defined | Self service password/account management
2: Processes defined for self administration of user accounts and access requests | Workflow system allowing end users to raise requests and track progress
3: Processes defined for self service registration and administration of enterprise users | Workflow and role based self administration system; application integration
4: Processes defined for self service registration and administration of partner users based on federated trust relationships | Delegated administration of federated users
Identity and Access Management (employees, partners, customers) - Managing who can do what is at the very core of security - Authentication - Authorisation - Auditing - Administration
Identity Lifecycle Technology Maturity (diagram). Recoverable labels: user populations (employees, associates, contractors, temps, customers, partners, supply chain) across intranet, extranet and internet; provisioning (HR system feed, role based ID provisioning, workflow, delegated admin, self service, password management, common user directory, flexible authentication, RBAC; standards SAML, SPML, XACML); partner identity federation; server access management (role based access control, administration, separation of duties, server hardening); extranet access management (web authentication, role based access control, web single sign-on, user self-service); single sign-on across badges and building access, Windows domain, email, mainframe, DBMS, portal, WebSphere, WebLogic, mobile phone, PDA and applications (CRM, ERP, SCM, SAP); auditing (admin activity, change reports, who has what).
Identity Management Maturity Model (diagram): Initial identity management technology, then, with a gap to close before each stage: Active (Password Management), Efficient (Consolidated Identity Management), Responsive (Integrated Role & Entitlements Management), Business Driven (Federated Identity Management).
Identity Lifecycle Process Maturity (grid; stages Active, Efficient, Responsive, Business-Driven)
IT organizational characteristics, reading each row of four from left to right:
- Active: focused on traditional services; slow to handle change; silo-ed administration; informal and reactive processes
- Efficient: change in business priorities; IT change driven by cost / regulatory pressure; commitment to centralization and automation; adopts ITIL service management to formalize processes
- Responsive: IT now involved in business change planning; manages to SLA and controls; integrated enterprise-wide IT management; tracks performance of processes
- Business-Driven: ready for business-driven change; rapidly support new services and customers; enables support for growing partner ecosystem; automated process improvement
Component-level technical capabilities named in the grid (the stage each belongs to is not recoverable from the extracted slide): self-serve password reset; enterprise identity inventory; automated identity provisioning; delegated user administration; automated identity & role processing; entitlements exception reporting; automated resource provisioning; partner identity management; centralized password management; password policy enforcement; entitlement & change report generation; correlation with authoritative source (i.e. HR); self-serve registration process; syncs multiple authoritative sources (e.g. contractors); integration with building access systems; provisioning authentication technologies; business application provisioning; workflow for application security review; federated trust management; integrated business processes; consistent cross-platform web interface; workflow process automation; web services business integration; role-based entitlements management; virtual identity directory; system/app level management of users; manual user export from HR system; identity management system; workflow engine; web forms, rules; identity reporting system; feeds from HR authoritative source; web/desktop password reset; integration with key identity systems; application directory integration; role management system; entitlement synchronization; system feeds from all authoritative sources; interoperability with SPML & SAML; web services security; CMDB integration with business apps & infrastructure
Technology stage labels: Password Management; Consolidated Identity Management; Integrated Role & Entitlements Management; Federated Identity Management
Taking small steps first
Securing your UNIX, Linux environment
UNIX Audit Issues (grouped on the slide under Network Control, Root Access, Audit & Monitoring, Account Management and Password Quality) - Use of non-essential services - Network access - Use of unauthorized root access - No monitoring of access to the root account - Inappropriate password and password parameters - Removal of idle user accounts - Use of generic admin IDs - umask setting improperly set - Root password not regularly changed
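Several of the issues above can be verified by script rather than by eye. The following is an added example, not code from the presentation or from CA: Python checks for extra UID 0 logins, passwordless accounts, stale passwords (including root's), idle accounts, generic admin names and a weak default umask, evaluated against /etc/passwd, /etc/shadow and lastlog-style data. The embedded sample data, the fixed "today" value, the 90-day thresholds and the list of generic names are constructed for illustration; on a live host you would read the real files and the output of lastlog instead.

```python
"""Scripted checks for several of the UNIX audit issues listed above.
Runs offline on the embedded sample data; swap in the real files and
lastlog output on a host you are auditing."""

# Constructed sample data (not from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root login:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1001:1001:shared admin:/home/admin:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
"""

# /etc/shadow fields: name:hash:lastchange(days since 1970-01-01):min:max:warn:inactive:expire:
SHADOW = """\
root:$6$salt$hash:12000:0:99999:7:::
toor::12500:0:99999:7:::
daemon:*:12500:0:99999:7:::
admin:$6$salt$hash:12900:0:99999:7:::
alice:$6$salt$hash:12950:0:90:7:::
bob:$6$salt$hash:12700:0:90:7:::
"""

# user -> day (since epoch) of the last login, as `lastlog` would report it
LASTLOG = {"root": 12990, "admin": 12850, "alice": 12995, "bob": 12400}

TODAY = 13000  # fixed "today" in days since epoch so results are reproducible


def parse_colon_file(text):
    """Split a passwd/shadow-style file into field lists, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def uid0_accounts(passwd_text):
    """Every login besides root that carries UID 0 is an extra route to root."""
    return [f[0] for f in parse_colon_file(passwd_text)
            if f[2] == "0" and f[0] != "root"]


def passwordless_accounts(shadow_text):
    """An empty hash field lets anyone log in without a password."""
    return [f[0] for f in parse_colon_file(shadow_text) if f[1] == ""]


def stale_passwords(shadow_text, max_age_days, today=TODAY):
    """Accounts whose password is older than max_age_days. Locked hashes
    ('*', '!...') and empty ones are skipped; empty ones are reported by
    passwordless_accounts instead."""
    stale = []
    for f in parse_colon_file(shadow_text):
        if f[1] in ("", "*") or f[1].startswith("!"):
            continue
        if today - int(f[2]) > max_age_days:
            stale.append(f[0])
    return stale


def idle_accounts(passwd_text, lastlog, idle_days, today=TODAY, min_uid=1000):
    """Interactive accounts (uid >= min_uid with a real shell) not used within
    idle_days, or never used at all: candidates for removal."""
    idle = []
    for f in parse_colon_file(passwd_text):
        uid, shell = int(f[2]), f[6]
        if uid < min_uid or shell.endswith(("nologin", "false")):
            continue
        last = lastlog.get(f[0])
        if last is None or today - last > idle_days:
            idle.append(f[0])
    return idle


def generic_admin_ids(passwd_text, generic=("admin", "operator", "sysadmin", "oracle")):
    """Heuristic: shared, non-personal login names that defeat accountability."""
    return [f[0] for f in parse_colon_file(passwd_text) if f[0] in generic]


def umask_is_safe(umask_str):
    """A safe default umask clears at least group and other write (022, 027, 077)."""
    return (int(umask_str, 8) & 0o022) == 0o022


def audit(passwd_text=PASSWD, shadow_text=SHADOW, lastlog=LASTLOG,
          max_password_age=90, idle_days=90, umask="002"):
    """Collect all findings in one report dict."""
    return {
        "extra_uid0": uid0_accounts(passwd_text),
        "no_password": passwordless_accounts(shadow_text),
        "stale_password": stale_passwords(shadow_text, max_password_age),
        "idle": idle_accounts(passwd_text, lastlog, idle_days),
        "generic_admin": generic_admin_ids(passwd_text),
        "umask_safe": umask_is_safe(umask),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```

The checks deliberately read the shadow "last change" day rather than trusting the max-age field, because a max of 99999 (as on root and admin here) is exactly the "password parameters" problem the slide lists: the policy field looks populated but enforces nothing.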
Access Control (diagram: Sales Dept., HR Dept. and the DBMS admin each reaching a server, internal/external hackers blocked) - Servers need protection at the host level, regulating all accesses - Web, database and application servers require server security
Native Security Architecture - Native Access Control (diagram): usr1 requests `more /finance/data` (a read). The request enters the OS kernel through the syscall table (read, open, exec, setuid, etc.), and the kernel decides on the UNIX file permission bits alone: -rw-r--r-- 1 root sys 661 Feb 26 00:18 /finance/data, so the owner root may read and write, everyone else, usr1 included, may read, and a process running as root bypasses the bits entirely.
Access Control Security Enhancement (diagram): usr1 requests `more /market/data` and `more /finance/data`. The hooked syscall table entries (read, open, exec, setuid, etc.) first pass each request to the access control engine, which checks that the user is authorized against an access control rules database before the kernel sees the request; the outcome is REQUEST APPROVED or REQUEST DENIED. Rules database on the slide: /finance/data defaccess=NONE with an access list of usr1: read, usr2: write, usr3: none; /market/data defaccess=ALL.
Tracking the Real User - eTrust Access Control tracks the original login id (the user who logged in, not the account reached through su), so policy decisions and audit records name the real person.
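The two diagrams and the login-id tracking point above, as an added example that is not from the presentation or from CA's product: a Python model in which the native mode-bit check and a defaccess/ACL rules database (transcribed from the slide) are both consulted, with the rule decision made on the original login id so that su to root does not change the outcome. The file modes, the extra user usr4, and the way the two checks are combined (an approved request still goes through the kernel's own check) are assumptions for illustration.

```python
"""Toy model of the two access paths on the slides above: the native UNIX
mode-bit check, and a rules database consulted from the hooked system
call before the kernel's own check. Added illustration, not eTrust code;
the rule format mirrors the slide's defaccess/ACL entries and the policy
is keyed on the original login id, not the id reached through su."""
import posixpath

ALL = frozenset({"read", "write", "exec"})

# Rules database transcribed from the slide (ACL users usr1..usr3).
RULES = {
    "/finance/data": {"defaccess": frozenset(),
                      "acl": {"usr1": {"read"}, "usr2": {"write"}, "usr3": set()}},
    "/market/data": {"defaccess": ALL, "acl": {}},
}

# The slide's file is -rw-r--r-- root sys; the same mode is assumed for /market/data.
FILES = {
    "/finance/data": (0o644, "root", "sys"),
    "/market/data": (0o644, "root", "sys"),
}


def native_allows(mode, owner, group, user, user_groups, access):
    """Classic UNIX DAC on the mode bits; root bypasses the check entirely."""
    if user == "root":
        return True
    bit = {"read": 4, "write": 2, "exec": 1}[access]
    if user == owner:
        return bool((mode >> 6) & bit)
    if group in user_groups:
        return bool((mode >> 3) & bit)
    return bool(mode & bit)


def find_rule(path):
    """Longest-prefix match on directory boundaries, so a rule on /finance
    would also cover /finance/data if no closer rule existed."""
    p = posixpath.normpath(path)
    while True:
        if p in RULES:
            return RULES[p]
        if p == "/":
            return None
        p = posixpath.dirname(p)


def rule_allows(rule, login_user, access):
    """An explicit ACL entry wins; otherwise the resource's defaccess applies."""
    if login_user in rule["acl"]:
        return access in rule["acl"][login_user]
    return access in rule["defaccess"]


class Session:
    """Keeps the login id apart from the effective id. su changes the
    effective id the kernel sees; the policy and the audit record keep
    holding the original login accountable."""

    def __init__(self, login_user, groups=()):
        self.login_user = login_user
        self.effective_user = login_user
        self.groups = set(groups)
        self.audit = []

    def su(self, target):
        self.effective_user = target

    def request(self, path, access):
        """True if the access is approved. The hooked syscall asks the rules
        first, on the login id; only an approved request reaches the kernel,
        whose own DAC check on the effective id still applies."""
        mode, owner, group = FILES[path]
        rule = find_rule(path)
        rule_ok = rule is None or rule_allows(rule, self.login_user, access)
        native_ok = native_allows(mode, owner, group, self.effective_user,
                                  self.groups, access)
        verdict = ("DENIED by rule" if not rule_ok else
                   "DENIED by kernel" if not native_ok else "APPROVED")
        self.audit.append({"login": self.login_user, "effective": self.effective_user,
                           "path": path, "access": access, "verdict": verdict})
        return rule_ok and native_ok


if __name__ == "__main__":
    s = Session("usr2")
    s.su("root")                           # usr2 becomes root...
    s.request("/finance/data", "read")     # ...but is still judged as usr2
    print(s.audit[-1])
```

The instructive case is the last one in the block: natively, root reads anything, but the rules are evaluated on the login id usr2, whose ACL entry grants only write, so the read is denied and the audit record shows both who logged in and what they became. The same rule set also refuses a direct root login, since root has no ACL entry and defaccess is NONE.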
Audit and Reporting - Security Command Center (dashboard and reporting)
Top Five Benefits - Regulatory compliance (data confidentiality) - Role separation enforcement - Ease of cross platform management - Least privilege model realization - Audit log integrity assurance
eTrust Access Control - Know - Who can access resources - What they can do with the resources - When access is allowed - Where access is allowed from - Why access is needed - Role-based Access Control - Data Confidentiality Protection - Host-based Intrusion Prevention (HIP) - Centralized Security Management - Secure Auditing
Security Management “Back to the basics” - QUESTIONS? - Thank You.