Foundations of Information Security Webcast - ABA
ABA WEBCAST BRIEFING
Foundations of Information
Security
Presented by:
Peter S. Browne
Principal Manager
Peter Browne & Associates, LLC
Projected B2B eCommerce Growth
[Chart: 2004 predictions for B2B eCommerce, in billions of dollars, plotted for 2001 through 2004. Forecasts shown: Gartner 7.3 trillion, Forrester 6.3 trillion, Goldman 3.2 trillion, eMarketer 2.8 trillion, Ovum 1.4 trillion.]
Internet Users Worldwide (Millions)
[Chart: Internet users worldwide in millions, 1995 through 2002; the plotted values, in the order extracted, are 14, 38, 69, 97, 132, 170, 228 and 320. Source: IDC]
Risk Management In
Perspective - Drivers
New Technologies
– Web presence
– Online transactions
– Delivery of professional services via the Internet
New Risks
– Cyber-extortion
– Network security breaches
– Litigation
– Loss of “intangible” information
Dependence on third party service providers
The Problem
85% of companies reported at least one computer security breach in the last year
90% reported vandalism attacks
78% reported denial of service attacks
64% acknowledged financial losses due to these attacks
Average loss: $2,000,000
– Melissa = $80 million total
– Denial of Service (MafiaBoy) = $1.2 billion
– Love Bug = $10 billion
Statistical data provided by CSI/FBI 2001 report
The Computer Attack Risks
Loss or damage to Data
Legal Liability to Others
Loss or damage to Reputation
Loss of Market capitalization and resulting
Shareholder lawsuits
Foundations
Managing risk includes the following
components:
– Accept
– Mitigate
– Transfer a portion of the risk to an insurance
underwriter
Electronic Commerce: A Paradigm Shift

Traditional Commerce                 Electronic Commerce
Centralized systems in glass house   Distributed systems everywhere
Economy of scale                     Economy of dispersion
Managed risk                         Distributed risk
Security says NO                     Security is an enabler
Business Drivers for Security
The effect of the Internet on banking and financial
services
Movement from information “silos” to
information integration
Holistic view of risk management
Increasing global regulatory oversight
– Effect of GLBA
– Increasingly proactive regulatory agencies and audits
More pervasive and complex technologies
The Four Foundations of
Protection
People
– Board and management commitment, dedicated technical
personnel, crisis management team all in place and active!
Process
– Enterprise ISO 17799 (BS 7799) ready, on-going management, employee
education and regular training, patch management.
Technology
– Monitoring/log review, DMZ zones, firewall, anti-virus
software, intrusion detection systems, remote access two
factor authentication, audit trails.
The Overriding Objective
Security should be at the table
whenever the technology or the
business strategy changes, whether
the technology is managed in-house
or it is outsourced to third parties
People Success Factors
1. Set up the right organization
Organizational Placement of IT
Security
Report separately from IT (Audit, Security,
Legal, Finance)
Report directly to CIO/Head of Technology
Report into CTO/Operations
Part time function
Split function
Roles and Responsibilities
Set policy/standards/guidance
Act as internal consultant
Perform system/security operations
Provide oversight over outsourced/third
party technology providers
Conduct/manage assessments and audits
Ownership
What to centralize:
– Policy, standards, guidance
– Test and validation of security
– Cross-enterprise coordination
– System-wide administration
What to decentralize:
– Accountability
– Risk acceptance
– User access administration
People Success Factors
1. Set up the right organization
2. Get good people and train them
adequately
Security Must Add Value
Facilitate, don’t obfuscate
Be a perpetual student
Provide solutions to business needs
Communicate, communicate, communicate
Be an agent of change
Focus on operational excellence
Treat risk as part of the business equation
Clearly articulate what is expected
What Is the Scope?
Make security enterprise-wide… and coordinated
with all business units
Focus early in the product/software life cycle
Enlist allies:
– Business units
– Legal
– Operations
– Risk management
Earn your budget!
Preach Security Awareness
Educated management
Understand risk
– To the enterprise
– To the given business
– To the individual
Application of security standards
– In the software development life cycle
– In the management of platforms
People Success Factors
1. Set up the right organization
2. Get the good people and train them
adequately
3. Get management commitment
Articulate Risk in Business Terms
Value of the asset
Probability of a loss
Likely cost over time
[Chart: probability of occurrence plotted against value of fraud]
Control Analogy: ATM versus Internet

Control                                                 ATM   Internet
Known and limited number of customer entry points       Yes   No
Two-factor authentication required (card plus PIN)      Yes   No
Camera recording all activity                           Yes   No
Limited amount of cash available for withdrawal         Yes   Maybe
Full audit trail of all activity                        Yes   Maybe
Physical limits to bulk fraud                           Yes   No
Customer cannot stop an initiated transaction           Yes   No
Settlement and problem resolution processes in place    Yes   Maybe
Customer has receipt to verify transaction              Yes   Maybe
Management Involvement
Top-level steering committee
Task force
Advisory board
Reporting key performance indicators
Reporting incidents
Compliance checking
Process Success Factors
1. Put policy and standards in place
Security Life Cycle Steps
[Cycle diagram; the steps in order:]
1. Assess current security state
2. Update policies
3. Develop and document "baseline" security standard
4. Translate standards into security guidelines
5. Implement guidelines on systems
6. Ensure compliance with standards, then reassess
Top-level Policy
[Hierarchy diagram: Policy, Standards, Guidelines, Procedures, Practice]
Broad statement of intent
Sets the expectations for compliance
Must acknowledge individual accountability
Culture-dependent
Must cover appropriate use
Must be enforced
Standards
Describe what to do, not how to do it
Explain the application of policy
Cover all elements of information security
Use existing models (I4 & ISF)
Provide the cornerstone for compliance
Guidelines
Tell how to meet standards
Are platform- or technology-specific
Provide examples and configuration
recommendations
Must be kept up to date
Process Success Factors
1. Put policy and standards in place
2. Build a robust program
Desired State of Security
Desired state of security: the level of security controls needs to
correspond to the value/sensitivity of the underlying information
asset: "risk-based"
Security must:
– Be incorporated into the development process
– Be part of the overall architecture
– Be part of the project management and implementation process
– Be part of system administrators' and network planners' job function
– Keep current with technologies because they evolve rapidly. What
worked yesterday may not be valuable today (digital certificates,
application proxy firewalls, biometrics, IDS)
Process Success Factors
1. Put policy and standards in place
2. Build a robust program
3. Track metrics for accountability
Platform Compliance
[Chart: Average Percent Compliance to Guidelines, compliance score by month from Jul-98 through Dec-98, plotted against a goal line (the goal line appears at 90%; y-axis 80% to 98%)]
Security Awareness Survey Results
[Chart: average security awareness survey score per month, Jan through Dec, on a scale of 1 to 10, plotted against a goal line]
Operational Statistics
[Chart: number of access requests per month (0 to 3,000) and percent of requests completed within 24 hours, January through December]
Service Level Agreement = 90% of all requests completed within 24 hours
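The two metrics on the preceding charts, compliance to guidelines per platform and the 24-hour request SLA per month, reduce to a small computation once the raw records exist. The following is an added example, not code from the presentation: the platform check results, the access-request records and the 90% compliance goal are constructed assumptions; the 24-hour / 90% SLA is the figure from the slide.

```python
"""Accountability metrics: percent compliance to guidelines per platform
against a goal, and the access-request SLA (share completed within 24 hours)
per month. Added example; check results, requests and the compliance goal
are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

SLA_HOURS = 24
SLA_TARGET = 0.90        # from the slide: 90% of all requests within 24 hours
COMPLIANCE_GOAL = 0.90   # assumed goal line for the compliance chart


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


# Constructed platform check results: (check name, passed?)
CHECKS = {
    "unix-web-01": [("password aging on", True), ("telnet disabled", True),
                    ("current patches", False), ("root login restricted", True)],
    "nt-file-02":  [("guest disabled", True), ("auditing on", True),
                    ("current patches", True), ("NTFS on all volumes", True),
                    ("admin account renamed", True)],
}

# Constructed access requests: (id, opened, completed or None if still open)
REQUESTS = [
    ("R1", "2001-01-02 09:00", "2001-01-02 15:30"),
    ("R2", "2001-01-03 10:00", "2001-01-04 08:00"),   # 22 h: met
    ("R3", "2001-01-05 11:00", "2001-01-07 11:00"),   # 48 h: missed
    ("R4", "2001-01-20 08:00", None),                 # open for weeks: missed
    ("R5", "2001-02-01 09:00", "2001-02-01 09:45"),
    ("R6", "2001-02-10 14:00", "2001-02-10 18:00"),
    ("R7", "2001-02-11 14:00", "2001-02-12 09:00"),   # 19 h: met
    ("R8", "2001-02-28 23:00", None),                 # opened 1 h ago: not judged yet
]


def compliance_scores(checks):
    """Fraction of guideline checks passed, per platform."""
    return {host: sum(ok for _, ok in results) / len(results)
            for host, results in checks.items()}


def sla_by_month(requests, now):
    """Fraction of requests met within SLA_HOURS, keyed by the month opened.
    A request still open past the SLA counts as a miss; one still inside
    the SLA window is left out of the denominator until it can be judged."""
    hit, total = defaultdict(int), defaultdict(int)
    limit = timedelta(hours=SLA_HOURS)
    for _rid, opened, completed in requests:
        o = parse_ts(opened)
        month = o.strftime("%Y-%m")
        if completed is None:
            if now - o <= limit:
                continue
            total[month] += 1          # overdue and still open: a miss
            continue
        total[month] += 1
        if parse_ts(completed) - o <= limit:
            hit[month] += 1
    return {m: hit[m] / total[m] for m in sorted(total)}


def below_target(scores, target):
    """Names whose score is under target, sorted, for the monthly report."""
    return sorted(k for k, v in scores.items() if v < target)


if __name__ == "__main__":
    print(compliance_scores(CHECKS))
    print(sla_by_month(REQUESTS, parse_ts("2001-03-01 00:00")))
```

The point of the `now` argument is the edge case the chart hides: a request opened an hour ago is neither a hit nor a miss, so it must not be counted until the 24 hours have elapsed; otherwise the month-end figure swings depending on the day the report is run.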
Technology Success Factors
1. Protect the perimeter
Perimeter Control
Firewall technology in place to protect
Concept of a DMZ
Intrusion Detection
– Network based
– Host based
Standardized system configuration
[Architecture diagram: the Internet, AOL, call center, VRU, home phone, kiosks, PFM (personal financial management) software, third-party ATM networks and vendors connect through web servers and middleware to the bank systems network and the hosts (system of record)]
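The DMZ concept above is easiest to see as a rule table between three zones: the Internet may reach only the DMZ web tier, the web tier may reach only the middleware port on the inside, and nothing else is allowed. The following is an added example, not the presenter's configuration: the address ranges, ports and rules are assumptions, and the "weak" variant is constructed to show what the static check is meant to catch.

```python
"""Zone-based perimeter policy: Internet, DMZ and internal zones with a
first-match rule table and a default deny. Added example; address ranges,
ports and rules are assumptions."""
from ipaddress import ip_address, ip_network

# Constructed address plan: DMZ on TEST-NET-1, internal on RFC 1918 space.
ZONES = {
    "dmz":      [ip_network("192.0.2.0/24")],
    "internal": [ip_network("10.0.0.0/8")],
}


def zone_of(ip):
    """Map an address to a zone; anything outside the known ranges is Internet."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


# Rule: (src zone, dst zone, protocol, dst port or None for any, action).
# First match wins, so the catch-all deny must stay last.
RULES = [
    ("internet", "dmz",      "tcp", 443,  "allow"),   # public web front end
    ("internet", "dmz",      "tcp", 80,   "allow"),   # redirect-to-https only
    ("dmz",      "internal", "tcp", 8443, "allow"),   # web tier -> middleware
    ("internal", "dmz",      "tcp", 22,   "allow"),   # admin from inside
    ("internal", "internet", "tcp", None, "allow"),   # outbound from staff
    ("*",        "*",        "*",   None, "deny"),    # default deny
]


def _match(field, want):
    return want in ("*", None) or field == want


def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """Return (action, index of the matching rule) for one flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for i, (rs, rd, rp, rport, action) in enumerate(rules):
        if (_match(src, rs) and _match(dst, rd)
                and _match(proto, rp) and _match(dst_port, rport)):
            return action, i
    return "deny", -1   # only reached if someone removes the catch-all


def segmentation_violations(rules):
    """Static check of the DMZ concept: no rule may allow traffic from the
    Internet straight to internal hosts. Returns offending rule indexes."""
    return [i for i, (rs, rd, _p, _port, action) in enumerate(rules)
            if action == "allow" and rs in ("internet", "*") and rd in ("internal", "*")]


# Weak variant: a Terminal Services hole punched from the Internet to an
# internal host, bypassing the DMZ entirely.
WEAK_RULES = [("internet", "internal", "tcp", 3389, "allow")] + RULES


if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.9", "10.1.2.3", "tcp", 443))
    print("violations in WEAK_RULES:", segmentation_violations(WEAK_RULES))
```

Running the static check on every change to the rule table, not only on the initial build, is what keeps the DMZ meaningful; the weak variant evaluates exactly as the author of that rule intended and only the segmentation check reveals the problem.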
Technology Success Factors
1. Protect the perimeter
2. Provide consistent security services
Consistent Security Services
Remote access authentication and
authorization
– Remote dial in access
– Internet access
– Business to business links
System management
– Lockdown of access
– File protection
– Security patches
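For remote access the slides call for two-factor authentication without naming a mechanism. The following is an added example, not code from the presentation, showing a server-side check that requires both a password and a one-time code from a hardware or software token. The token algorithm (HOTP, RFC 4226), the user record layout and the look-ahead window are assumptions; the token secret used is the RFC 4226 test-vector seed.

```python
"""Two-factor check for remote access: something you know (password, stored
as a salted PBKDF2 hash) plus something you have (an HOTP token, RFC 4226).
Added example; the algorithm choice and record layout are assumptions."""
import hashlib
import hmac
import struct

SALT = b"constructed-salt"     # constructed; use a random per-user salt in practice
LOOK_AHEAD = 3                 # tolerate a few token presses the server never saw


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_users():
    """Constructed user store; the token secret is the RFC 4226 test seed."""
    return {
        "jdoe": {
            "pw_hash": hash_password("correct horse", SALT),
            "token_secret": b"12345678901234567890",
            "counter": 0,      # next counter value the server expects
        }
    }


def authenticate(users, username, password, code):
    """Both factors must pass. On success the counter moves past the value
    that was used, so the same code cannot be replayed. Returns only
    True/False: the caller learns nothing about which factor failed."""
    rec = users.get(username)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(rec["pw_hash"], hash_password(password, SALT))
    tok_ok, new_counter = False, rec["counter"]
    for c in range(rec["counter"], rec["counter"] + LOOK_AHEAD + 1):
        if hmac.compare_digest(hotp(rec["token_secret"], c), code):
            tok_ok, new_counter = True, c + 1
            break
    if pw_ok and tok_ok:
        rec["counter"] = new_counter
        return True
    return False


if __name__ == "__main__":
    users = new_users()
    print(authenticate(users, "jdoe", "correct horse", hotp(b"12345678901234567890", 0)))
    print(authenticate(users, "jdoe", "correct horse", hotp(b"12345678901234567890", 0)))
```

Two details matter for the "consistent" part of the slide: the counter is only advanced when both factors pass, so a wrong password cannot be used to burn codes, and a code inside the look-ahead window is accepted but every lower counter is then invalidated, so a code an attacker captured earlier is useless once the legitimate user has logged in.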
Technology Success Factors
1. Protect the perimeter
2. Provide consistent security services
3. Capture audit data
Audit Trails
What to capture
– All access to systems
– All intrusion attempts
– Financial transactions
– Access to sensitive data
Uses
– Digital forensics
– Monitoring of security
– Improving performance
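Capturing the four event classes above is only useful if someone reads them, and the "monitoring of security" use is the one that can be automated first. The following is an added example, not code from the presentation: it parses constructed syslog-style lines covering system access, intrusion attempts and access to sensitive data, flags a burst of failed logins from one source, and lists who read a sensitive table and whether the read was bulk. The log format, the sensitive-table classification and the thresholds are assumptions.

```python
"""Audit-trail monitoring over constructed log lines: failed-login bursts
(intrusion attempts) and reads of sensitive data. Added example; the log
lines, table classification and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style lines. IPs are documentation ranges.
LOG = """\
Jan 12 08:01:02 webdmz sshd[311]: Failed password for root from 198.51.100.7 port 4411 ssh2
Jan 12 08:01:05 webdmz sshd[311]: Failed password for root from 198.51.100.7 port 4412 ssh2
Jan 12 08:01:07 webdmz sshd[311]: Failed password for admin from 198.51.100.7 port 4413 ssh2
Jan 12 08:01:09 webdmz sshd[311]: Failed password for admin from 198.51.100.7 port 4414 ssh2
Jan 12 08:01:11 webdmz sshd[311]: Failed password for oracle from 198.51.100.7 port 4415 ssh2
Jan 12 08:05:00 webdmz sshd[412]: Failed password for jdoe from 10.1.2.3 port 5001 ssh2
Jan 12 08:05:20 webdmz sshd[412]: Accepted password for jdoe from 10.1.2.3 port 5002 ssh2
Jan 12 08:10:30 host01 app: user jdoe read table CUSTOMER_SSN rows=1
Jan 12 08:12:00 host01 app: user svc_batch read table CUSTOMER_SSN rows=250000
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
SSH = re.compile(r"^sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)")
DATA = re.compile(r"^app: user (?P<user>\S+) read table (?P<table>\S+) rows=(?P<rows>\d+)$")

SENSITIVE_TABLES = {"CUSTOMER_SSN"}   # assumed classification set by the data owner


def parse(log, year=2001):
    """Turn raw lines into typed events; syslog carries no year, so one is supplied."""
    events = []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts, "host": m["host"]}
        s, d = SSH.match(m["msg"]), DATA.match(m["msg"])
        if s:
            ev.update(kind="login", result=s["result"], user=s["user"], ip=s["ip"])
        elif d:
            ev.update(kind="data", user=d["user"], table=d["table"], rows=int(d["rows"]))
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window_s=60):
    """Sources with at least `threshold` failed logins inside a sliding
    window of `window_s` seconds; value is the peak count seen."""
    recent, flagged = defaultdict(deque), {}
    for ev in events:
        if ev["kind"] != "login" or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def sensitive_reads(events, bulk_rows=1000):
    """(user, table, rows, bulk?) for every read of a sensitive table."""
    return [(ev["user"], ev["table"], ev["rows"], ev["rows"] >= bulk_rows)
            for ev in events
            if ev["kind"] == "data" and ev["table"] in SENSITIVE_TABLES]


if __name__ == "__main__":
    evs = parse(LOG)
    print(failed_login_bursts(evs))
    print(sensitive_reads(evs))
```

The single failed login from 10.1.2.3 followed by a success is ordinary user behaviour and is not flagged; the five failures in nine seconds from one external address are. The bulk read by `svc_batch` is exactly the kind of sensitive-data access the slide wants captured, and the `bulk` flag is what turns a captured record into something a reviewer looks at.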
Information Security as the
Foundation for Electronic
Commerce
The people are the critical components, but they
must be supported by management and trained
The process starts with the policy, and concludes
with implementation
The technology must be put in place to manage and
enforce security
Management commitment is not difficult… if
Metrics: If you can’t measure it, you can’t control it
Information security bridges the business and the
technology
The Future
In the future, there’ll be just two kinds of banks —
the ones on the Internet
and the ones who never saw it coming.