Transcript Slide 1

People, Process, Technology
“Back to the Basics”
Security Management
Serge Bertini
Director Security Solution
CA
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
3
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Recent Security Surveys
Can you trust an ATM?
Cash machine fraud gang is jailed
“A gang of illegal immigrants that admitted stealing more than £600,000 in a "sophisticated" cash machine scam has been jailed at Southwark Crown Court.”
BBC News, July 1st, 2005
Fake ATM facades were used across London to record financial details and pillage accounts, the court heard.
5
Phishing
Phishing pair jailed for ID fraud
“A UK-based American citizen has been jailed for six years after stealing up to £6.5m through identity fraud.”
BBC News, July 1st, 2005
Douglas Havard, from Dallas, Texas, made fake credit cards with stolen bank details as part of a global syndicate. The scam relied on phishing - by which online account holders are induced to give away their personal details.
6
CSI/FBI Computer Crime and Security Survey (2006)
- “Unauthorized Access” showed a dramatic increase
  - second most significant contributor to computer crime losses
  - accounts for 24% of overall reported losses
  - showed a significant increase in average dollar loss
- 52% of organizations surveyed experienced unauthorized use of computer systems in the last 12 months
- 32% of attacks or misuse were related to unauthorized access to information
- Over 82% of large organizations reported an identified breach in the last year
7
CERT Insider Threat Survey (2005)
Majority of attacks due to:
- compromised computer accounts
- unauthorized backdoor accounts
- use of shared accounts
8
PWC Survey of Canadian Companies (2005)
- >55% of companies were victims of fraud
- Average loss of $1.7 million (US)
- >1/3 of companies reported that company reputation, brand equity and business relationships were negatively affected by the crime
- 61% of fraudsters were insiders
- One of top 3 reasons cited for fraud being committed is insufficient controls
- Survey showed that probability of uncovering economic fraud is strongly dependent on the number and effectiveness of control mechanisms in place
9
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
10
e-Identity Revolution
(Diagram: the growing population of managed identities over time)
- Employees: Single User ID
- Employees: Multiple IDs
- Employees and Partners (B2B)
- Customers, Partners and Employees (B2C)
- Next Generation: the world via their mobile phone; Cable TV, Video on demand, etc.
Timeline markers: mainstream adopters here today; leading edge adopters here today
11
Customer Service Enablement
- Challenge
  - Provide individualized services and content,
  - To 10’s of millions of customers,
  - On Demand, Reliably, and Securely.
- Examples
  - Bank planning management of 100 Million customers. US Cable TV/ISP with 5.3 Million subscribers.
  - Canadian Cable TV with over 2 Million subscribers.
12
Challenges
- Managing Risk
  - New ways to commit Fraud, Theft
- Compliance with Laws and Regulations
  - Governance, Privacy, & Freedom of Information
- Financial Discipline
  - Too much Labour, Under Utilized Capital
13
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
14
Perceived Major Causes of Risk
(Bar chart, 0% to 80%, each cause rated Now / Future / Not a major issue:)
- Human incompetence, threat from disgruntled employee
- Computer, network or software failure
- Increasingly clever methods of attack, e.g. more complex viruses, spyware
- Theft of corporate equipment
- Extension of corporate network through remote working, wireless access
- Hacking or competitor espionage
- Terrorist Threat, natural disaster, fire
15
Source: IT Security Strategy – Review of Attitudes, Activities and Plans, (June 2004) Jon Collins, Quocirca Ltd
Deployed IT Security Technology
(Bar chart, 0% to 100%, each technology rated In Place / Piloting/limited rollout / Outsourced / Actively considering / Future option / Not planned / Status unclear:)
- Anti-virus and Spyware protection
- SPAM protection
- Intrusion protection
- Virtual Private Network
- Software patch management
- Single sign on, authentication, password management
- Vulnerability assessment
- Centralised security event management
- Identity and access management, application provisioning
16
Source: IT Security Strategy – Review of Attitudes, Activities and Plans, (June 2004) Jon Collins, Quocirca Ltd
Identity and Risk
- Individual
  - Financial Loss
  - Inconvenience
  - Loss of privacy
  - Loss of reputation
  - Reduced Creditworthiness
  - Arrest by law enforcement
  - Criminal charges
- Organization
  - Loss of proprietary information
  - Loss of confidential information
  - Loss due to Theft and Fraud
  - Loss of reputation
  - Damage to brand
  - Damage to share value
  - Fines and sanctions
  - Criminal charges
17
Identity Theft – Risk to Organization
Thousands hit by US identity theft
“Politicians have stepped up their calls for greater regulation of the data collection industry in the wake of a security breach that may have led to more than 140,000 Americans having their identities stolen.”
Daily Telegraph by David Litterick in New York (Filed: February 24th, 2005)
“ChoicePoint, a data warehousing company, is facing a raft of lawsuits after it admitted that thieves, apparently using identities already stolen, created what appeared to be legitimate debt-collecting and cheque-cashing businesses seeking ChoicePoint's services. They then opened 50 accounts and received volumes of data on consumers, including names, addresses, social security numbers and credit reports.”
18
Employee Fraud – Risk to Organization
Rerouted: Former Cisco Accountants sent up the river
Former finance department workers swindled networking specialist out of $7.8 million
Stephen Taub, CFO.com, November 28th, 2001
Two former CISCO Systems Inc. accountants are heading to prison….
Geoffrey Osowski, 30, and Wilson Tang, 35, were each sentenced to 34 months in prison for transferring $7.8 million in company stock to their personal brokerage accounts. The maximum sentence for the crime is five years.
The two accountants illegally accessed Cisco’s programs for managing stock-option disbursements and granted themselves 230,550 shares over six months starting in October 2000, according to wire service reports, citing prosecutors.
19
E-Identity / IT Asset Protection: What is it?
Asset Protection – Protecting critical corporate resources, of all types, against unauthorized (inadvertent or malicious) access. Requires effective management of all users and their access rights.
Let’s look at the types of assets that need protection...
20
Asset Protection
(Diagram, built up over slides 21 to 25: the assets that need protection and the users who reach them)
- Web Apps & Web Services
- Enterprise Apps (ERP/CRM)
- Enterprise Apps (SAP, PS, etc.)
- Servers
  – User accounts
  – System files
  – Critical DBs
  – System processes
  – Log/Audit files
- Admin Rights
  – Root access rights
  – Control system processes
- Mainframe
Accessed by: Web User, Unix User, Windows Admin
Agenda
- Identity in the News
- e-Identity Evolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
26
Top 10 Control Deficiencies*
#10 System documentation does not match actual process
#9 Procedures for manual processes do not exist or are not followed
#8 Custom programs, tables & interfaces are not secured
#7 Posting periods not restricted within GL application
#6 Terminated employees or departed consultants still have access
#5 Large number of users with access to “super user” transactions in production
#4 Development staff can run business transactions in production
#3 Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, Peoplesoft, JDE) not secure
#2 Operating System (e.g. Unix) access controls supporting financial applications or Portal not secure
#1 Unidentified or unresolved segregation of duties issues
7 of Top 10 Deficiencies relate to the management of user identities and access
* Ken Vander Wal, National Quality Leader, E&Y ISACA Sarbanes Conference, 4/6/04
27
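As an added example (not from the presentation), the checks for deficiencies #6, #5 and #1 above, run over a constructed HR feed, account export and segregation-of-duties matrix; the role names, the super-user limit and all data are assumptions:

```python
"""Added example (not from the presentation): reconcile a production
account inventory against the HR authoritative source and a
segregation-of-duties matrix, to surface three deficiencies from the list
above: #6 (leavers who still have access), #5 (too many super users in
production) and #1 (unresolved segregation-of-duties conflicts).
All feeds, accounts, roles and limits below are constructed."""
from collections import namedtuple

# Constructed HR feed: the authoritative source for who is still employed.
HR_FEED = {
    "bill": "active",
    "ted": "terminated",
    "alice": "active",
    # "consult01" is absent: a departed consultant HR never tracked
}

# Constructed account inventory exported from a production ERP system.
Account = namedtuple("Account", "user enabled roles")
ACCOUNTS = [
    Account("bill", True, {"ap_invoice_entry", "ap_payment_release"}),
    Account("ted", True, {"gl_posting"}),
    Account("alice", True, {"super_user"}),
    Account("consult01", True, {"super_user"}),
]

# Constructed SoD matrix: role pairs one person must never hold together.
SOD_CONFLICTS = [frozenset({"ap_invoice_entry", "ap_payment_release"})]
SUPER_USER_ROLE = "super_user"
MAX_SUPER_USERS = 1  # constructed policy limit for production


def find_leavers_with_access(accounts, hr_feed):
    """Deficiency #6: enabled accounts whose owner is not active in HR
    (terminated, or unknown to HR altogether)."""
    return sorted(a.user for a in accounts
                  if a.enabled and hr_feed.get(a.user) != "active")


def find_sod_violations(accounts, conflicts):
    """Deficiency #1: users holding both roles of a conflicting pair."""
    return sorted((a.user, tuple(sorted(pair)))
                  for a in accounts for pair in conflicts if pair <= a.roles)


def check_super_users(accounts, limit):
    """Deficiency #5: enabled super users in production against the limit."""
    users = sorted(a.user for a in accounts
                   if a.enabled and SUPER_USER_ROLE in a.roles)
    return {"users": users, "limit": limit, "exceeded": len(users) > limit}


def run_review(accounts=ACCOUNTS, hr_feed=HR_FEED):
    """One pass over the inventory; the dict is what a reviewer would act on."""
    return {
        "leavers_with_access": find_leavers_with_access(accounts, hr_feed),
        "sod_violations": find_sod_violations(accounts, SOD_CONFLICTS),
        "super_users": check_super_users(accounts, MAX_SUPER_USERS),
    }


if __name__ == "__main__":
    for finding, detail in run_review().items():
        print(f"{finding}: {detail}")
```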
Cost of Doing Nothing
(Diagram: costs plotted as Intangible Costs, Tangible Costs and Avoidable Risks)
Return on Negligence
• Damage by unauthorized access
• Damage by Fraud
• Damage to information systems
• Damage by data theft
• Unfulfilled potential revenue
• Loss of potential customers
Missed Opportunities
• Reduction in administration costs
• Reduction in help desk costs
• Increased end user productivity
• Reduction in IT purchasing costs
• Smooth interaction with partners, suppliers and customers
• Ability to transact securely
• Centralised administration
• Coherent approach to access
28
Standards and Compliance
- Normally government regulations do not specify in detail what is required to comply. Useful standards are:
  - COSO
    - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) report: Internal Control—Integrated Framework.
  - COBIT
    - Control Objectives for Information and related Technology (COBIT), introduced in 1996, is a framework of generally applicable and accepted Information Technology (IT) governance and control practices.
  - ISO 17799
    - “A comprehensive set of controls comprising best practices in information security”
    - An internationally recognized generic information security standard.
  - ITIL
    - The IT Integration Library developed in 1983 by a U.K. government agency to evaluate IT operations of government contractors; defines the processes and activities to support IT services
29
CoBiT and BS7799 - Identity Considerations
CoBiT                                               | BS7799
DS 3.5 Technology Standards                         | 10.1 Security Requirements of Systems
PO 4.1 Segregation of Duties                        | 8.1 Operational Procedures and Responsibilities
PO 4.6 Responsibility for Security                  | 4.1 Manage Information Security
PO 4.7 Ownership and Custodianship                  | 5.1 Accountability for Assets
DS 5.2 Identification, Authentication and Access    | 9.4, 9.5, 9.6 Network, OS and Application Access Control
DS 5.3 Security of Online Access to Data            | 9.1 Business Requirement for Access Control
DS 5.4 User Account Management                      | 9.2 User Access Management
DS 5.5 Management Review of User Accounts           | 9.2.4 Review of User Access Rights
DS 5.6 User Control of User accounts                | 9.3 User Responsibilities
DS 5.7 Security Surveillance                        | 9.7 Monitoring System Access and Use
DS 5.8 Data Classification                          | 5.2 Information Classification
DS 5.9 Central Identification and Access Rights Mgt | 9.2 User Access Management
5.10 Violation and Security Activity Reports        | 9.7 Monitoring System Access and Use; 4.2 Security of Third Party Access
30
30
DS 5.4 - User Account management
BS7799 - 9.2 User Access Management
Maturity | Process | Technology Support
1 | Manual account management process documented and owners defined | Virtual User Directory; Password Management tools
2 | Provisioning and delegated account management processes defined | Provisioning Workflow system; Master provisioning source (HR); Reporting toolset
3 | Role definition owners and processes defined. Application security conformance to identity standards review | Role based provisioning and administration system; Application integration
4 | Processes for partners managing accounts federated trust relationships defined | Federated provisioning.
31
DS 5.6 - User Control of User Accounts
BS7799 - 9.3 User Responsibilities
Maturity | Process | Technology Support
1 | Self service password reset, forgotten password and account unlock process documented and owners defined | Self service password/account management
2 | Processes defined for self administration of user accounts and access requests. | Workflow system allowing end users to raise requests and track progress.
3 | Processes defined for self service registration and administration of enterprise users. | Workflow and Role based self administration system; Application integration
4 | Processes defined for self service registration and administration of partner users based on federated trust relationships | Delegated administration of federated users.
32
Agenda
- Identity in the News
- e-Identity Revolution
- Identity Risks and Rewards
- Best Practices and Compliance
- Identity Technology Update
33
Identity and Access Management
(Diagram: Employees, Partners and Customers as the managed populations)
- Managing who can do what is at the very core of security
  - Authentication
  - Authorisation
  - Auditing
  - Administration
34
Identity Lifecycle Technology Maturity
(Diagram: user populations, the identity services that manage them, and the platforms, applications and physical assets those services protect)
Populations: Employees, Associates, Contractors, Temps (Intranet); Customers, Partners, Supply chain (Internet)
Identity processes: Provisioning, Administration, Help Desk, HR System
Auditing: Admin Activity, Change Reports, Who has what
Standards: XML, SPML, SAML, XACML
Identity services: Role Based ID Provisioning, Workflow, Delegated Admin, Self Service Password Mgt, Common User Directory, Single Sign-on, Flexible Authentication, RBAC
Server Access Management: Role based access control, Administration Separation of Duties, Server hardening
Extranet Access Management: Web authentication, Role based access control, Web single sign-on, User self-service, Partner Identity Federation, Provisioning
Used by applications: Policy Service, Authentication Service, Enterprise Infrastructure
Application channels: Legacy, Web, Desktop (No change)
IS Platforms: Windows Domain, Email, Mainframe, DBMS, Portal, Applications
IS Applications: CRM, ERP, SCM, SAP, Websphere, WebLogic
Physical: Badges, Building access, Zone access, Desk, Telephone, Mobile phone, PDA, ...
35
Identity Management Maturity Model
(Diagram: five maturity stages separated by gaps; the identity management technology that closes each gap is shown under the stage it enables)
Initial -> (Gap) -> Active -> (Gap) -> Efficient -> (Gap) -> Responsive -> (Gap) -> Business Driven
- Active: Password Management
- Efficient: Consolidated Identity Management
- Responsive: Integrated Role & Entitlements Management
- Business Driven: Federated Identity Management
36
Identity Lifecycle Process Maturity
(Table: the four maturity levels Active, Efficient, Responsive and Business-Driven, each described by IT organizational characteristics, component-level technical capabilities and the identity technology stage that supports it)

IT Organizational Characteristics
Active | Efficient | Responsive | Business-Driven
• Focused on Traditional Services | • Change in Business Priorities | • IT Now Involved in Business Change Planning | • Ready for Business-Driven Change
• Slow to Handle Change | • IT Change Driven by Cost / Regulatory Pressure | • Manages to SLA and Controls | • Rapidly Support New Services and Customers
• Silo-ed Administration | • Commitment to Centralization and Automation | • Integrated Enterprise-wide IT Management | • Enables Support for Growing Partner Ecosystem
• Informal and Reactive Processes | • Adopts ITIL Svc Mgt to Formalize Processes | • Tracks Performance of Processes | • Automated Process Improvement

Component Level Technical Capabilities (column placement not shown)
Self-serve Password Reset; Enterprise Identity Inventory; Automated Identity Provisioning; Delegated User Administration; Automated Identity & Role Processing; Entitlements Exception Reporting; Automated Resource Provisioning; Partner Identity Management; Centralized Password Management; Password Policy Enforcement; Entitlement & Change Report Generation; Correlation with Authoritative Source (i.e. HR); Self-serve Registration Process; Syncs Multiple Authoritative Srcs (e.g. Contractors); Integration With Building Access Systems; Provisioning Authentication Technologies; Business Application Provisioning; Workflow for Application Security Review; Federated Trust Management; Integrated Business Processes; Consistent Cross-platform Web Interface; Workflow Process Automation; Web Services Business Integration; Role-based Entitlements Management; Virtual Identity Directory; System/App Level Mgt of Users; Manual User Export from HR System

Identity technology stage per level
Active: Password Management | Efficient: Consolidated Identity Management | Responsive: Integrated Role & Entitlements Management | Business-Driven: Federated Identity Management
Technology components (column placement not shown): Identity Management System; Workflow Engine; Web forms, Rules; Web/Desktop Password Reset; Identity Reporting System; Feeds from HR Authoritative Source; Integration With Key Identity Systems; Application Directory Integration; Role Management System; Entitlement Synchronization System; Feeds from All Authoritative Sources; Interoperability w/SPML & Enabling SAML; Web Services Security; CMDB Integration; Integration With Business Apps & Infrastructure
37
Taking small steps first
Securing your UNIX, Linux environment
UNIX Audit Issues
- Use of Non-Essential Services
- Network Access
- Use of Unauthorized root access
- No monitoring of access to the root account
- Inappropriate password and password parameters
- Removal of idle user accounts
- Use of Generic Admin ID’s
- Umask Setting Improperly set
- Root Password not regularly Changed
(Diagram: control areas Network Control, Audit & Monitoring, Account Management, Password Quality, Root Access)
40
Access Control
Servers need protection at the host level, regulating all accesses
Web, database and application servers require server security
(Diagram: Sales Dept., HR Dept., DBMS and Admin reaching the server through host-level access control, with Internal/External Hackers blocked (X))
41
Native Security Architecture
- Native Access Control
(Diagram: USR1 requests read (more) /finance/data; the request enters the OS KERNEL (1) through the SYSCALL TABLE (read, open, exec, setuid, etc.) and is checked (2) against the UNIX file permission:)
-rw-r--r-- 1 root sys 661 Feb 26 00:18 /finance/data
42
Access Control Security Enhancement
(Diagram: USR1 requests read (more) /finance/data and read (more) /market/data; the UNIX KERNEL SYSCALL TABLE (read, open, exec, setuid, etc.) (1) hands each user-authorized request to the Access Ctrl layer (2), which consults the Access Control Rules Database and returns REQUEST APPROVED or REQUEST DENIED)
Access Control Rules Database:
/finance/data  defaccess=NONE   usr1: read   usr2: write
/market/data   defaccess=ALL    usr1: none   usr3: none
Under these rules, USR1's read of /finance/data is approved by the explicit entry and the read of /market/data is denied, because the explicit "none" entry for usr1 overrides the default access of ALL.
43
Tracking the Real User
- eTrust Access Control tracks original login id
Method to Change ID                                 | Unix                 | eTrust Access Control
Initial login Bill                                  | Real id (Bill)       | Login id (Bill)
Bill su’s to Ted                                    | Effective id (Ted)   | Login id (Bill)
Bill runs a root setuid program                     | Program owner (root) | Login id (Bill)
Bill runs unregistered login program to become Ted  | Real id (Ted)        | Login id (Bill)
44
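The defaccess rules from the Access Control Security Enhancement slide and the login-id tracking table above, worked through in Python as an added example (not CA's or eTrust Access Control's code); the Session model, the rule layout and the usr1/usr2/root requests are assumptions constructed for the example:

```python
"""Added example, not CA's or eTrust Access Control's code: a toy host-level
reference monitor built from the two slides above. Each resource carries a
default access (defaccess) plus explicit per-user entries, and every audit
record keeps the login id that started the session, so su or a setuid
program changes the effective uid but not who is held accountable.
All rules, users and requests below are constructed for the example."""
from dataclasses import dataclass

ALL = frozenset({"read", "write", "exec"})  # defaccess=ALL
NONE = frozenset()                          # defaccess=NONE

# Constructed rules database, mirroring the slide:
#   /finance/data  defaccess=NONE   usr1: read   usr2: write
#   /market/data   defaccess=ALL    usr1: none   usr3: none
RULES = {
    "/finance/data": {"defaccess": NONE, "acl": {"usr1": {"read"}, "usr2": {"write"}}},
    "/market/data": {"defaccess": ALL, "acl": {"usr1": set(), "usr3": set()}},
}
AUDIT = []  # constructed in-memory audit trail


@dataclass
class Session:
    login_id: str       # identity that authenticated; never changes
    effective_uid: str  # identity the kernel would check against

    def su(self, target):
        """Model 'su target': the effective id changes, the login id does not."""
        self.effective_uid = target

    def run_setuid(self, owner):
        """Model running a setuid program: effective id becomes the owner."""
        self.effective_uid = owner


def permitted(rules, uid, resource):
    """An explicit entry for uid wins; otherwise the resource default applies."""
    rule = rules.get(resource)
    if rule is None:
        return NONE  # unknown resource: deny by default
    return rule["acl"].get(uid, rule["defaccess"])


def authorize(session, resource, action, rules=RULES):
    """Decide on the effective uid, but record the original login id."""
    allowed = action in permitted(rules, session.effective_uid, resource)
    AUDIT.append({
        "login_id": session.login_id,
        "effective_uid": session.effective_uid,
        "resource": resource,
        "action": action,
        "result": "APPROVED" if allowed else "DENIED",
    })
    return allowed


def demo():
    """Replay the slide's requests, then an su and a setuid run."""
    AUDIT.clear()
    s = Session(login_id="usr1", effective_uid="usr1")
    results = [
        authorize(s, "/finance/data", "read"),   # explicit read: APPROVED
        authorize(s, "/market/data", "read"),    # explicit none beats defaccess=ALL: DENIED
        authorize(s, "/finance/data", "write"),  # entry grants read only: DENIED
    ]
    s.su("usr2")  # effective uid is now usr2, login id is still usr1
    results.append(authorize(s, "/finance/data", "write"))  # usr2 may write: APPROVED
    s.run_setuid("root")  # root has no entry and defaccess=NONE: DENIED
    results.append(authorize(s, "/finance/data", "exec"))
    return results


if __name__ == "__main__":
    print(demo(), *AUDIT, sep="\n")
```

Every audit record names usr1 as the login id even where the effective uid is usr2 or root, which is the accountability property the table above describes.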
Audit and Reporting
Security Command Center
(Dashboard and Reporting)
45
Top Five Benefits
- Regulatory compliance (data confidentiality)
- Role separation enforcement
- Ease of cross platform management
- Least privilege model realization
- Audit log integrity assurance
46
eTrust Access Control
- Know
  - Who: can access resources
  - What: they can do with the resources
  - When: access is allowed
  - Where: access is allowed from
  - Why: access is needed
- Role-based Access Control
- Data Confidentiality Protection
- Host-based Intrusion Prevention (HIP)
- Centralized Security Management
- Secure Auditing
47
Security Management
“Back to the basics”
- QUESTIONS?
- Thank You.