Tivoli Now

© 2006 IBM Corporation

Hot security issues that Australian businesses face today

– IT Security Trends and Solution Approach

Brett Paskin

Chief Enterprise Security Architect, CISSP; Managing Certified Consultant, IBM Security & Privacy

Agenda

Security Trends
• Business Model
• Current Trends
• 2006 Threat Predictions
• Regulations

Comprehensive Approach
• Component Model – a Solution Framework
• Capability Model – an Information Security Roadmap

What changes have supported or led to the current security trends?

Today's Model
• Increased need for security, privacy & trust
• User interacts using IT
• Operational risk and information risk converging
• Global reach extended
• E-business and e-Government models use B2B & B2C
• Security viewed as enterprise-wide need
• Physical & IT security converging

Old Model
• Distance between business & IT
• Traditional business models
• User interacts with department
• Security is purchased as component by project or department

(Diagram: business process, user, information, department and technology, labelled "Increased Risk".)

A number of security trends …

• Rise of security appliances (content filtering, anti-spam, etc.)
• Consolidation of security functions (firewalls, antivirus, etc.)
• Proactive controls (Intrusion Prevention Systems, Compliance
• Continued industry consolidation
• More focus on security architecture
• Policies, processes and training more important
• Security skills harder to find
• Focus on ROI and improvements to business processes
• Solution Partnering
• Priority - Data protection, Compliance and Identity information p

Potential Trends – Security Threats

IBM's Global Business Security Index report includes an early view of potential trends in 2005 – 2006*

1. Malware – more sophisticated, focused, botnet and blended
2. Instant Messaging – virus, spam, command & control
3. VoIP – eavesdropping, Vishing, remote denial of service
4. Mobile Devices – viruses, spam, theft, loss, network access
5. Identity Theft – Spear Phishing attacks, Lost, Stolen or Given Away
6*. Blogging – inadvertent leakage
7*. Insider Attacks – Social Engineering, looser allegiance, unclosed accounts
8*. Emerging Markets – Poor international cooperation

Regulations are increasing compliance requirements.

Examples of Regulation
• Spam Act 2003
  – up to $220,000 for a single day’s contraventions – repetition up to $1
• Privacy Act 1988 and 2001
• Cybercrime Act 2001
• Electronic Transactions Act
• Anti-Discrimination Act (1991)
• Workplace health and safety

Other Specific Industry
• CLERP 9 (July 2004) ASX Listing and Corporate Governan
• USA associated companies: Sarbanes-Oxley (SOX)
  – Individual penalty up to USD$20million – 5yrs
• PCI-DSS (MasterCard, Visa, JCB, AMEX)
• Finance & Insurance: Basel II (APRA)

To enable a trusted on-demand environment, a comprehensive security component model is needed

Security Component Model
• Process Enablement
• Application Security
• Security Architecture
• Security Capabilities
• Security Framework

Security Framework

What do we do? How do we deliver it? What level of maturity? What approach to adopt?

Enables departments and agencies to partner and provide on-demand services for user and other groups.

• Governance, compliance, process, maturity, change, communications ….

Process Enablement

How do you link to and support the business processes? Enables security within the departmental/agency process and applications.

• Risk Management, Information Asset Profile, Fraud, Event Correlation, profiling, on/off boarding, Identity reconciliation

Application Security

How do you ensure new projects don’t introduce new risks? Integrates security into the project lifecycle to assure risk levels.

• Systems Development Life Cycle, standards, design patterns, controls, integration

(Diagram labels: projects, solutions, services.)

Security Architecture

How do you supply services? Consistency and integration of the services (SOA).

• Design principles, cost/risk/service, self-serve, roadmaps, compliance

(Diagram: a Security Services Bus linking Portal, B2B and Finance ERP.)

Security Capabilities

How do you deliver operational capability? Ensure operational coverage and compliance.

• Identity Management
• Threat Management
• Logical Asset protection
• Transaction Security
• Border Protection
• Privacy

Delivery of each capability is achieved through multiple integrated Components

• Principles
• Policy
• Process
• Architecture
• Product
• Procedure
• Standards

But which capabilities do I invest for, and how much for each?

Capability reference model – to assess capability need

High-level reference architecture: security best practices based on Risk Assessment of security themes:

• Governance
• Privacy
• Threat mitigation
• Transaction and data integrity
• Identity and access management
• Application security
• Physical security
• Personnel security

Let’s take a closer look …

IBM Information Security Framework

Governance
• Information security policy
• Enterprise security architecture
• Governance framework
• Governance structure
• Information security advisory
• Consulting and advisory services
• Security risk management framework
• Threat risk assessment
• Information asset profile
• Project risk assessment
• Security risk management
• Compliance program
• Regulatory compliance
• Technical, policy and standards compliance
• Health checking
• Internal audit and response

Privacy
• Privacy and information management strategy
• Define privacy information strategy
• Requirements and compliance process
• Incident response
• Policy, practices and controls
• Policy taxonomy and glossary
• Privacy impact assessment (proactive)
• Privacy audit (reactive)
• Awareness and training
• Data, rules and objects
• Privacy data taxonomy and classification
• Privacy business process model
• Data usage compliance process

Threat mitigation
• Vulnerability management
• Standard operating environment
• Patch management
• Vulnerability scanning and assessment
• Incident management
• Network segmentation and boundary protection
• Network zone management and boundary security infrastructure
• Remote access infrastructure
• Intrusion defense
• Network security infrastructure
• Content checking
• Virus protection
• Content filtering

Identity and access management
• Identity lifecycle management
• User provisioning
• Other entity provisioning
• Identity credential management
• Identity proofing
• Background screening
• Identity establishment
• Access management
• Single sign-on
• Authentication services
• Access control services

Transaction and data integrity
• Business process transaction security
• Fraud detection
• Data transaction security
• Database security
• Database configuration
• Master data control
• Message protection
• Public key infrastructure
• Message protection security
• Data storage protection
• Security in systems management
• Security in business continuity planning

Application security
• Systems development lifecycle (SDLC)
• Security in the SDLC process
• Application development environment
• Secure coding practices
• Operational application support environment
• Design patterns

Physical security
• Site security
• Site planning
• Site management
• Physical asset management
• Asset management
• Document management

Personnel security
• Workforce security
• Awareness and training
• Code of conduct
• Employment lifecycle management

The IBM Security Capability Assessment Model provides a foundation for measurement

The Capability Model describes
• 5 levels that identify a security posture
• The current posture for each capability
• The level of accepted business risk associated with each level
• A list of tasks to close gaps

Step 1 - Capability Model – Current posture

Initial
• Limited if any content filtering solution in place.
• Coverage of enterprise access channels limited. Inconsistent application across existing access channels.
• Generally no regular review of results.

Basic
• Implementation of off the shelf software, hardware and tools for inbound filtering of inappropriate content. Regular updates of filtering rules.
• Application of product and hardware capabilities where the technology can exist, however not all access channels may be filtered.
• Reviews are conducted on a regular basis to check compliance with policies.

Capable
• Implementation of off the shelf software, hardware and tools for inbound and out-bound filtering of inappropriate / unauthorised content. Regular update of filtering rules.
• Consolidation of access requirements through specific channels and content filtering services (e.g. outbound web proxy). Use of measures described above to restrict capabilities of remaining access channels where content filtering technology cannot exist.
• Reviews are scheduled and conducted periodically.

Efficient
• Customised/tailored software and tools for automatic filtering of inbound and outbound content.
• Tight integration between content management solution, network segmentation, data classification / asset value, access control and encryption/data management tools.
• Results are reported and changes to standards/policy are

Optimizing
• Customised/tailored software and tools for content analysis. Automatic update of content policies and enterprise wide implementation.
• New access methods are identified, threats/risks analysed and mitigating controls implemented. Content management solution manages information based on asset value and usage.
Step 2 - Residual Risk – Business risk acceptability?

Initial
• Inability to identify inappropriate use of business resources.
• High level of vulnerability to content based attacks that could disrupt business operations. May result in major systems or operational outages.
• Customer and business interruption may be above acceptable costs or limits.
• High level of vulnerability to sensitive or competitive information leaks may result in negative customer / media impact.
• Management of incidents/issues is inefficient and expensive.
• Significant network bandwidth is consumed by non business traffic, resulting in delays in service or system availability, with high likelihood of impact to customers.

Basic
• Network could be used to deliver unsolicited content to others (outbound filtering), resulting in a moderate breach of privacy or information security.
• No means of managing outbound high value assets (confidential information).
• Limited capacity to quickly identify significant issues and respond.
• High risk of virus and other attacks coming through the network, unsolicited content or inappropriate use. Delays may be experienced, with work-arounds implemented to reduce impact.

Capable
• Inappropriate content still accessible via internal network. May result in a financial or HR issue / cost.
• Limited capacity to manage outbound high value confidential assets.
• Inability to identify inappropriate distribution of confidential information.
• Update of content policy and content management rules is slow and dependent on human input.
• Minor slowing / interruptions of network, service or systems.

Efficient
• Limited capacity to identify enterprise wide issues and respond accordingly.
• Content management policies and rules are not based on threat/risk assessment and asset value.
• Limited integration between other supporting processes reduces the effectiveness and increases cost of managing data.

Optimizing
• Lack of user awareness of content policy and appropriate use of information assets.
• Dependence on human interaction and supporting processes.
• Environmental changes and new technologies / techniques.
• Social Engineering.
• Infrequent system problems, service operations, little or no impact to the customer or business.
• Rare / one off breaches by internal staff members. May only affect internal security. No external breach.
• Infrequent slowing of network or service.

Step 3 - Capability Matrix – Tasks to close the gap

(Matrix axes: Principle, Policy, Process, Standards, Architecture, Product, Procedure against Maturity.)

Capability - Level 1 to 2
• Implementation of off the shelf software and tools for inbound filtering of inappropriate content. Regular update of filtering rules.
• Content policy established. Policy established on the use of unauthorised software and un-trusted sites.
• Incident tracking and reporting functions are established, with regular reporting of results and significant issues.
• Retrospective analysis of significant incidents.

Capability - Level 2 to 3
• Reviews are conducted on a regular basis to check compliance with policies, architectures and standards.
• Deviations from policy/standards are managed and non compliance investigated.
• Implement enterprise wide awareness and training programs.
• Tight integration with support functions/teams.
• Detection and repair tools are deployed as part of standards platform configuration.
• New threats and vulnerabilities are monitored, underlying weaknesses are identified with preventative measures established and standardised.

Capability - Level 3 to 4
• Customised/tailored software and tools for automatic detection and repair.
• Implement pre-emptive measures through analysis, trends, research and external advice to mitigate specific threats/risks.
• Strategic real-time security monitoring of critical enterprise wide business process and high value information assets.

Capability - Level 4 to 5
• Customised/tailored software and tools for pre-emptive detection and prevention of new threats.
• Automatic update of security policies and enterprise wide implementation.
• Strategic real-time event correlation and pre-emptive risk/threat identification.
• All critical processes employ automated response capabilities.

The result: a pragmatic, applicable roadmap to drive an effective enterprise security program

1. Assessment tool
2. Reference library
Roadmap: create roadmap for security enhancement program

Information Security must be managed across the total environment

• Threat profiles are constantly changing
• Standing still is no longer an option
• There is no such thing as ‘Zero Risk’
• Understand and balance risk and control capability across the total spectrum
• Security needs to be risk mitigant and enabler
• Actions need to be purposefully managed, focused, effective and efficient.

Thank you

Disclaimers and Trademarks

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.

IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
