BUSINESS CASE FOR STANDARDS ADOPTION SECURITY STANDARDS - THE TRUST FRAMEWORK

Transcription

1 BUSINESS CASE FOR STANDARDS ADOPTION SECURITY STANDARDS - THE TRUST FRAMEWORK Alan McBride, CISSP alan.mcbride@alcatel-lucent.com April

2 STANDARDS AND THE TRUST FRAMEWORK PRIMARY TAKEAWAY Providing assurance to your customers that you are applying standards-based security best-practices can build trust and can differentiate you in your market 2

3 SECURITY STANDARDS AGENDA The Threat Landscape The Security Standards Landscape Adopting Security Standards Conclusion 3

4 ALCATEL-LUCENT WHO WE ARE AT A GLANCE CUSTOMERS (NETWORK OPERATOR) 500K+ CUSTOMERS (ENTERPRISE) 1M+ NETWORKS 2012 revenues 14.4b ~72,000 employees TR50 Most Innovative Companies Nobel prizes More than 2,900 patents in 2012 More than 30,700 active patents Collaborate with 250+ universities Bell Labs In 7 countries Including Ireland 400G IP DSL vectoring Carrier cloud Motive Customer lightradio Experience 400G photonic XRS Core router 3G/4G wireless, broadband access, ethernet, IP, optics, applications, services, cloud VDSL2 vectoring 4

5 THE THREAT LANDSCAPE RECENT SECURITY INCIDENTS 1 MAR 2013 More companies reporting cybersecurity incidents At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberassaults JAN 2013 Hackers in China Attacked The Times for Last 4 Months The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them JAN 2013 U.S. warns on Java software as security concerns escalate The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software MAR 2013 Logic Bomb Set Off South Korea Cyberattack Cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea this week was set off by a logic bomb... 9 APRI 2013 Fourth LulzSec Member Pleads Guilty to Hacking Sony... carried out attacks on the websites of the Arizona State Police, Sony, News Corp. s Twentieth Century Fox, the U.K. s National Health Service and technology-security company HBGary Inc AUG 2012 State-sponsored cyber espionage projects now prevalent, say experts At least four government-sponsored programmes to deploy cyber-espionage software like the Flame, Duqu and Stuxnet software the latter used against computers in Iran are in progress around the world... 5

6 THE THREAT LANDSCAPE SOME STATISTICS 97% of breaches were avoidable through simple or intermediate controls 98% were primarily due to external agents 96% were motivated by financial or personal gain 85% of breaches took weeks or more to discover 92% of incidents were discovered by a third party 2012 Data Breach Investigations Report (note: IRISSCERT was a contributor) 69% of breaches involved malware (e.g. Keyloggers) 81% involved hacking (e.g. Use of default or guessable credentials) 77% of SMBs think strong security posture is good for their brand 59% of SMBs have no contingency plan for data breach 65% of SMBs do not use encryption or DLP to protect confidential data 62% of SMBs do not routinely back up data 6

7 THE THREAT LANDSCAPE EVOLVING SECURITY RISKS Threat Agents Hacktivist Cyber-criminal Nation State Insider Viruses, Trojans, Worms Web Threats - XSS, SQL injection Distributed Denial-of- Service Advanced Persistent Threats (APTs) Fraud, Extortion, Cybercrime Escalating Threat Sophistication Password Cracking Rootkits, Botnets Identity Theft Infected Mobile Apps Insider Threats Targeted Malware (e.g. Stuxnet) Innovation timeline Internet Mobile Always-on, Ubiquitous Connectivity Apps & Social Media Device proliferation Virtualization & Cloud Everythingas-a-Service Machine- to- Machine Smart Grid, Smart Cities Threat Vectors Internet Internal Access Mobile Devices Supply Chain 7

8 THE STANDARDS LANDSCAPE CONTROLS AND BEST PRACTICES Threat Agents (e.g. Cybercriminal) attack Security standards specify controls to mitigate risks of exposure of assets to threats resulting from inherent vulnerabilities. exploit Vulnerabilities (e.g. Inadequate access controls) of Assets (e.g. Your data) Controls can be (often a combination of) preventative, detective or corrective in purpose. Controls can be technical, physical or procedural in classification. protect resulting in Risks Preventative (e.g. Firewall) Detective (e.g. IDS) mitigated by Controls (e.g. Role-based access controls) Technical (e.g. Encryption) Procedural (e.g. Training) Corrective (e.g. Security patch) Physical (e.g. Locks) 8

9 THE STANDARDS LANDSCAPE KEY STANDARDS BODIES International Jurisdictional Domain-specific ITU: International Telecommunication Union ISO: International Organization for Standardization IEC: International Electro technical Commission IETF: Internet Engineering Task Force ETSI: European Telecommunications Standards Institute 3GPP: Third Generation Partnership Project ATIS: Alliance for Telecommunications Industry Solutions ENISA: European Network & Information agency 3GPP - Third Generation Partnership Project NIST: National Institute of Standards and Technology ANSI: American National Standards Institute OASIS: Advancing Open Standards for the Information Society OMA: Open Mobile Alliance CSA: Cloud Security Alliance TISPAN: Telecommunications & Internet converged Services and Protocols for Advanced Networking 9

10 THE STANDARDS LANDSCAPE EXAMPLE SECURITY STANDARDS Security Management Standards ISO27K CobiT 4.x IETF RFC 2196 NIST Technical Security Standards Cryptography: AES, RSA, DSA, PKI Secure Protocols: TLS, Ipsec, HTTPS, SFTP Identity Management & AAA: RADIUS, SAML, Oauth, OpenID, XACML Vulnerability Management Standards ITU-T X.1520 CVEs Mitre CVSS, CWE Security Assurance Standards ISO Regional and Domain-specific Energy domain: NERC 1300 (CIP) IACS domain: ISA/IEC 6 Payments domain: PCI Cloud domain: CSA 10

11 THE STANDARDS LANDSCAPE RELEVANCE TO THREATS SQL injection vulnerability allowing malware insertion Out-of-date versions of software such as Apache, TLS, SSH etc Inadequate segregation no DMZ or firewall between web and app servers ISO 27K Controls: A.10.4 Protection Against Mobile and Malicious Code Web server A Technical Vulnerability Management A.12.2 Correct Processing in Applications A.11.2 User Access Management A.7.2 Information Classification A.11.4 Network Access Control A.12.3 Cryptographic Controls Application server Use of default passwords, and excessive access for admin accounts Encryption keys stored on same server as encrypted data Database server Inadequate data classification and segregation confidential data stored together with other data This threat scenario illustrates the relevance of example ISO27K controls to common vulnerabilities in a typical three-tier system 11

12 ADOPTING SECURITY STANDARDS ISSUES WITH ADOPTION APPLICABILITY & SUITABILITY Some may be too high-level, others too prescriptive May be too generic or too specific Delay in addressing emerging technologies (e.g. cloud) COST Adoption requires planning, training and implementation Additional costs if certification is required Additional cost if directly involved with standards development OVERLAPPING OR COMPETING STANDARDS Different standards may address the same area and may not be consistent Particularly a problem for enterprises operating in multiple jurisdictions NO SILVER BULLET Compliance can give a false sense of security Standards will always lag emerging threats - coverage can never be absolute INFLEXIBILITY Compliance with standards could potentially inhibit agility 12

13 ADOPTING SECURITY STANDARDS PRAGMATIC ADOPTION Initially you can be informed by standards Standards are an important source of best-practices to inform your practices Standards generally have good coverage a checklist or cookbook approach Alignment with standards can be phased over time E.g. Risk-based choice of controls to implement under ISO27K Eventual target can be full compliance Ultimately certification can be sought where applicable Informed Aligned Compliant Certified 13

14 ADOPTING SECURITY STANDARDS FOCUS ON ISO27K Standard for Information Security Management System Protection of Confidentiality, Integrity and Availability (CIA) of Information Assets Plan-Do-Check-Act (PDCA) Identify assets and security requirements Assess risks to assets Select and implement controls to mitigate risks People Monitor, maintain and improve on an ongoing basis 11 Control Areas, 133 Controls Process E.g. Information Security Policy Document E.g. Inventory of Assets Technology E.g. Key Management 14

15 ADOPTING SECURITY STANDARDS REASONS FOR ADOPTION OF ISO27K 1. Recognized as the best practice standard 2. To gain competitive advantage 3. To ensure legal and regulatory compliance 4. Requirement when tendering 5. Mandated by customer 6. Competitors already certified Source: Size of organization adopting ISO27K; 27% < 50 employees 50% < 200 employees 62% < 500 employees 15

16 ADOPTING SECURITY STANDARDS ANOTHER EXAMPLE STANDARD - PCI DSS Payment Card Industry Data Security Standard Proprietary standard owned by PCISSC Defines minimum security controls for securing payment systems and data Compliance is required in US, but validation of compliance is not mandatory 16

17 ADOPTING SECURITY STANDARDS PRAGMATIC CHECKLIST Do you have a CSO/CISO? Do you have a security policy and do all of your employees know about it? Do you address security aspects with your suppliers? Do you know the security posture of your competitors? Do you know what regulations or standards apply to your market and jurisdiction? Do you have a mobile device policy? Do you have basic security hygiene including firewall, antivirus, secured backups, timely patching and adequate access controls? Do your employees undergo security training including guidelines on passwords, risks and protection of company data on mobile devices? Your answers can help you decide whether you need to consider standards such as ISO27K 17

18 ADOPTING SECURITY STANDARDS TRUST THROUGH TRANSPARENCY CSA STAR: Cloud Security Alliance Security Trust & Assurance Registry Cloud providers assess themselves against CSA security controls Transparency is achieved through publishing the results in the registry Customers can read and compare the security posture of potential providers Validity is addressed through public scrutiny You can freely browse the open submissions now from multiple providers including Amazon, Microsoft, Symantec and Terremark This self-assessment foundation is evolving now to include third-party assessment and certification under CSA Open Certification Framework (OCF) Can help lower costs by avoiding per-customer RFx responses or audits This is illustrative of how open and transparent security posture can improve trust with the customer, and how businesses can compete by differentiating in security domain An example of how standards compliance can be part of trust framework 18

19 ADOPTING SECURITY STANDARDS OUR EXPERIENCE AT ALCATEL-LUCENT Involved with Standards Development Active participation in key standards bodies such as ISO, ITU, 3GPP Drawing on Bell Labs research Also involved with regional bodies such as ATIS (US), ENISA (Europe) Applying Standards Internally Global company many relevant standards as input to internal practices Applying security standards in development of networking products Combining best-practices with internal Bell Labs expertise Applying Standards in External Engagements Applying standards in security assessments e.g. Smart Grid networks Applying standards in network design and security architecture services Contact: John Hickey - convener of NSAI ICTSCC/SC10 and representative on ISO SG27 19

20 ADOPTING SECURITY STANDARDS APPLYING STANDARDS IN PRACTICE Threat Analysis Risk-oriented analysis to determine threats, attack vectors, vulnerabilities and countermeasures Architecture Evaluation Assess use of technical security enablers such as firewalls, IPS, AAA, encryption, VPN to evaluate current security architecture and areas of improvement Target of Evaluation Tools Analysis Assess results from vulnerability scanning and penetration testing tools Standard controls; NISTIR NERC CIP 110 Baseline Evaluation Evaluate architecture and implementation against standards, recommendations, and best-practices e.g. NIST, ISO, NERC CIP etc - to Identify strengths and gaps ISO NIST SANS CAG 20 US DHS 236 Real-world example: how we at Alcatel-Lucent have used standards in assessing security of Smart Grid Utility Networks globally (c.f. Bell Labs Technical Journal December, 2012) 20

21 ADOPTING SECURITY STANDARDS OTHER SOURCES OF SECURITY GUIDANCE SANS - System Administration, Networking and Security Institute CSIS: 20 Critical Controls for Effective Cyber Defence OWASP Open Web Application Security Project Top Ten Project The Ten Most Critical Web Application Security Risks NIST National (US) Institute of Standards and technology NISTIR 7621 Small Business Information Security: The Fundamentals ISF Information Security Forum SoGP Standard of Good Practice CSA - Cloud Security Alliance Cloud Security Guidance 21

22 ADOPTING SECURITY STANDARDS BUSINESS CASE FOR ADOPTION Cost versus Benefit Implementing standard controls can protect assets and avoid costs Standards-based approaches can streamline the management of security Risk Management Proactive and structured approaches to managing risk Good foundation for ensuring comprehensive coverage Regulatory Compliance Where applicable, regulations generally share common ground with standards Standards can also improve readiness for future regulations Market and Competitive Aspects Market differentiation Customer trust as a competitive advantage 22

23 STANDARDS AND THE TRUST FRAMEWORK CONCLUSION Providing assurance to your customers that you are applying standards-based security best-practices can build trust and can differentiate you in your market 23

24 24

25 25