PHYS-403 - Case Study:
ID's, Cameras, Action -
Converged Security
Steve Vinsik, VP Critical Infrastructure Protection
Unisys Corporation
04/24/09 | Session ID: PHYS-403
Session Classification: Intermediate
Agenda
What is a Secure Business Environment
Why Provide A Secure Business Environment:
A Plausible Scenario
People – Process – Technology
Case Study
What Is A Secure Business Environment
Security In Context
• Customer Challenges
– Five Forces of Globalization
• Compliance
• Communication
• Collaboration
• Competition
• Complexity
– Responding to Asymmetric Threats
• Acts of Cybercrime
• Acts of Nature
• Acts of Terrorism
– Defending national assets and critical infrastructure
– Balancing agility and assurance
Security Industry Integration Perspective
• IT Security: Protecting Information & IT Infrastructure
• Physical Security: Protecting People, Places and Things
• Service areas spanning both:
– Security and Risk Assessment/Advisory Services
– Integrated Threat Analysis & Pattern Recognition
– Security & Vulnerability Management
– Goods/Assets Tracking and Authenticity
– Secure Content & Threat Management
– Location/Perimeter Surveillance & Security
– Identity & Access Management
– Identification & Credentialing
– Identity Management
– Managed Security Services
What Is A Secure Business Environment?
• A best-practice, defense-in-depth layered security model and implementation methodology, for the protection of sensitive and/or at-risk assets, inclusive of Physical (facilities), IT/Communications, Personnel, and Process safeguards.
• But more importantly:
• It is a new security modality, that looks at the whole security picture rather than just one piece of the puzzle, and integrates elements from different areas to ensure the highest possible level of security.
A Next Generation Security Model
• The security model for the Secure Business Environment is process-centric, placing the secured business process as the core element of a defense-in-depth implementation that addresses Personnel, Facilities, the IT/Communications Infrastructure, and the Process itself.
Why Is This Important?
• In the current environment, risk assessment within a corporation is heavily focused on Programs and Processes; other elements that have a potential to introduce risk are generally handled separately – often by different departments.
• This siloed view of security leaves many gaps that can be exploited.
Why Is This Important?
• By placing the business process at the core of the model, and implementing a risk assessment methodology that takes the full spectrum of risks into consideration, it is possible to close the gaps in security, and significantly improve the risk profile of a company.
Why Provide A Secure Business Environment?
A Plausible Scenario
• A financial institution has an Electronic Funds Transfer (EFT) business process. The financial institution uses process-specific safeguards to secure this asset. Examples of these safeguards are:
– Co-signing of transfers by a manager
– Application limited to specific terminals
– Login requires secure password
– Audit trail of activity within the EFT application
• How secure is this critical business process?
Act I – He’s A Nice Guy
• Meet William
– Screened once when hired
– Works in accounting department
– Nice guy … everyone likes him
Act II – The Hook
• William Likes to Gamble
– Used to go to casino only occasionally
– Got hooked by online gaming a year ago
– Now he has some big debts and big problems
Act III – We’re Not Alone
• William thinks he’s the only one who knows
• One afternoon he gets a private email
• Someone has been watching his online activities
Act IV – Just One Little Favor
• They don’t ask much…
• Just install a network sniffer on the corporate network
• The payoff… Enough to get Will out of trouble
Act V – Will’s Debt Free!
• The network sniffer, over time, captures the manager’s password
• Since Will is a trusted employee he has access to the building, which also gives him access to the manager’s office
• Will now has everything he needs to transfer funds to an unauthorized bank account
We Never Saw It Coming
• It could take weeks – or months before anyone even realizes that something went wrong. By then, it’s too late.
So What Went Wrong
• If only …
… Will had been screened more often
– His gambling debts would have been discovered
… they had monitoring to detect unauthorized applications
– The network sniffer would have been detected
… the facility security was integrated with application security
– Will would not have access to the manager’s office
… they required stronger authentication to the application (smartcards and/or biometrics)
– Will would not be able to co-sign the transfer
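The third gap above (facility security not integrated with application security) is closable with cross-domain correlation: the EFT audit trail on its own shows a valid manager login, while the badge system on its own shows a valid accounting employee entering an office. The following is an added example, not part of the original deck or any Unisys product. It assumes a badge-access log, an EFT application audit trail, and lookup tables mapping users to badges and terminals to zones (all constructed here), and flags any EFT login or co-sign for which the account owner's badge was not granted into the zone where that terminal sits, listing whose badges were.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the deck): badge log is time,badge,zone,result;
# the EFT application audit trail is time,user,terminal,action.
BADGE_LOG = """\
2009-04-24T08:55:00,badge-mgr-01,MGR_OFFICE,granted
2009-04-24T09:02:00,badge-will-07,ACCOUNTING,granted
2009-04-24T12:31:00,badge-mgr-01,LOBBY_EXIT,granted
2009-04-24T12:40:00,badge-will-07,MGR_OFFICE,granted
"""
APP_LOG = """\
2009-04-24T09:10:00,mgr01,TERM-MGR-1,login
2009-04-24T09:12:00,mgr01,TERM-MGR-1,cosign_transfer
2009-04-24T12:45:00,mgr01,TERM-MGR-1,login
2009-04-24T12:47:00,mgr01,TERM-MGR-1,cosign_transfer
"""
# Assumed lookup tables: badge issued to each EFT user, zone each terminal sits in.
BADGE_OF_USER = {"mgr01": "badge-mgr-01", "will07": "badge-will-07"}
ZONE_OF_TERMINAL = {"TERM-MGR-1": "MGR_OFFICE", "TERM-ACC-3": "ACCOUNTING"}
WINDOW = timedelta(hours=4)  # how far back a badge swipe still counts as "present"

def parse(text, fields):
    """Parse CSV-style lines into dicts, converting the ISO timestamp."""
    rows = [dict(zip(fields, line.split(","))) for line in text.strip().splitlines()]
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows

def last_zone(badges, badge, before):
    """Zone of the most recent granted swipe for a badge within WINDOW before a time."""
    hits = [b for b in badges if b["badge"] == badge and b["result"] == "granted"
            and before - WINDOW <= b["time"] <= before]
    return max(hits, key=lambda b: b["time"])["zone"] if hits else None

def find_mismatches(badge_text, app_text):
    """Flag EFT logins/co-signs whose account owner's badge is not in the terminal's zone."""
    badges = parse(badge_text, ["time", "badge", "zone", "result"])
    apps = parse(app_text, ["time", "user", "terminal", "action"])
    all_badges = {b["badge"] for b in badges}
    alerts = []
    for ev in apps:
        if ev["action"] not in ("login", "cosign_transfer"):
            continue
        zone = ZONE_OF_TERMINAL.get(ev["terminal"])
        owner_zone = last_zone(badges, BADGE_OF_USER.get(ev["user"]), ev["time"])
        if owner_zone != zone:
            # Also report whose badge *is* in that zone: the lead a SOC analyst would chase.
            present = sorted(b for b in all_badges if last_zone(badges, b, ev["time"]) == zone)
            alerts.append({"time": ev["time"].isoformat(), "user": ev["user"], "action": ev["action"],
                           "terminal": ev["terminal"], "owner_badge_zone": owner_zone, "badges_in_zone": present})
    return alerts
```

On the constructed data the morning login and co-sign pass (the manager's badge was last seen in MGR_OFFICE), while both afternoon events are flagged: the manager's badge last went through LOBBY_EXIT and the only badge in MGR_OFFICE is Will's.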
…And Who Is To Blame
• It’s easy to point fingers, and say that it was one person who went bad – but the truth is that the problem is bigger than that.
• The Secure Business Environment is structured upon the idea of defense-in-depth, providing multiple integrated safeguards that make it much more difficult to breach security.
• It is always possible for systems to fail. It is always possible for people to fail. By providing a Layered Security Architecture, corporations can greatly enhance their Security Posture.
People – Process – Technology
Comprehensive Planning Process
• Planning activities:
– Risk Assessment and Treatment
– Risk Strategy
– Technology Design
– Security Blueprinting
– ISO 27000 Assessment
– Vulnerability and Architecture Assessment
– Security Roadmap
• Control areas (ISO/IEC 27002):
– Security Policy
– Organization of Information Security
– Asset Management
– Human Resources Security
– Physical Security
– Communications and Operations Management
– Access Control
– Information Systems Acquisition, Development, Maintenance
– Information Security Incident Management
– Business Continuity
– Compliance
Ties together operations, strategy, and technology architecture to provide a comprehensive view of an organization’s capabilities to perform business securely.
ISO/IEC 27002
Personnel Security
• Personnel requirements address three vital areas:
– Identity Management (IdM)
– Employee Screening
– Employee Awareness and security training
Process
• The process is at the core of the Architectural model, and the primary element being protected.
• Determine if:
– Process itself is secure
– Safeguards are effectively implemented
Technology
• Facilities Infrastructure specifications are intended to prevent as well as detect visual, acoustical, technical, and physical access by unauthorized persons.
• Draws upon US Government standards: Director of Central Intelligence Directive No. 6/9 (DCID 6/9), titled “Physical Security Standards for Sensitive Compartmented Information Facilities”.
Technology
Security Convergence And Unification
Case Study
Compelling Reasons
• In banking, the most important asset is trust.
– Major employee fraud incidents at Barings Bank, DAIWA, Allied Irish Bank, Sumitomo, Bank of Montreal and SG
– Fine for BNP Paribas for lax security in England (no incident)
• Compliance with security regulations
• Face new evolving threats effectively
• Maintaining competitive advantage
Project Approach
• Project phases:
– Project start
– Feasibility study
– Program development
– Specification and design
– Implementation of IT components and IdM in sandbox environment
– Test and acceptance
– Deployment
Feasibility Study
• Feasibility study, including process selection and clearly stating the overall goal.
– Experiential workshops to set the requirements
– Modeling and simulation
– Process risk assessment
• Result: blueprint document
– What is the most at-risk process
– Which elements should the project comprise
– Project requirements definition
Program Development
• Program development
– Setting the project scope, division in phases
– Identify and set up the required “global” project organization including description for each of the streams and their goals
• Result: proposal document
– Elaboration of the starting point: Layered and Defense-in-Depth Security; Service Oriented Architecture (SOA) with “loose” integration – replaceable components with no or minimal impact on the system as a whole
• Allowing extensive reuse of existing components
• Allowing a tailored scope
– Holistic security control
– Division of subprojects
Specification and Design
• An integrated system of processes, policies and technologies to facilitate and control
• Use of a single ID-card
• Central Identity Management
• Single-step Identity/Card enrollment
• Unified Security Event Monitoring, Correlation, and Analysis
Specification and Design
• Project streams:
– Facilities
– IT infrastructure
– Identity & Access Management
– HR/Personnel
– Documentation of support processes
– Managed Security Services (SOC)
• Process specific:
– Business process
– Applications (workflow)
Specification and Design
• Facilities:
– Walls, steel plates, metal detectors, tinted glass, EMI/EMF paint…
– Entrance/Exit (Mantraps, doors, anti-tailgating sensors)
– Layered Approach (zoning)
– Strong multi-factor Authentication
– Video Management System including Cameras and Encoders (CCTV)
– Integrated Physical Access Control
– Audio Systems (recording)
– Acoustical Masking System
– Wireless Intrusion Detection System
Specification and Design
• Infrastructure:
– Firewalls with Intrusion Detection and Prevention
– Secure Switches/Routers/Gateways
– Anti-Virus/Spy-ware
– Fiber Optic Connectivity
– Thin Clients
– Secure Copiers/Printers
– NACS – Network Access Control System
– Biometrics Authentication (fingerprint)
– Certificate-based Authorization
– Secure VoIP with Call Monitoring and Recording
– Secure Fax/e-Mail with Content Checking and Logging
Specification and Design
• Identity and Access Management
– Identity Management
• Policies, Roles, Rules, Workflows, (de)-Provisioning and Audit engines
– Strong Authentication (biometrics)
– Credentialing
• Enrollment (3D-Face, Fingerprint)
• Smart Card Management – Issuance and Personalization
– PKI and Certification Distribution (CA, CRL)
– Integrated Physical Access Control (Logical)
• Building Control System, Surveillance System, Access Control System
Specification and Design
• Human Resources/Personnel
– Roles and Responsibilities of Bunker employees
• Dual control (reporting through different lines)
• 4/6 eyes principles
– Privacy issues (biometrics)
– Personnel Security and Screening
– Security Awareness
– Training
– Policy Implications
– Awareness and policy program governance
Specification and Design
• Documentation Support processes
– Describing all program-processes
• “New employee”
• “Hardware Maintenance visit”
• “Card lost”
• “Possible security breach detected”
• “etc…”
Specification and Design
• Managed Security Services (SOC)
– 24 x 365 monitoring
– Secure Connectivity and Data Encryption
– Firewall, Antivirus, IDS, IPS Services and Reporting
– Asset Inventory
– Vulnerability Scanning (Detection, Remediation, Reporting)
– Content Security
– Unified Event Monitoring, Correlation, Analysis, and Reporting (System Wide)
– Problem/Incident Management
[Diagram: Holistic View, with Event Management feeding in from Business Event Management, Applications, Operations, Server Infrastructure and Network Infrastructure]
Specification and Design
• Business Process
• Business Process Reengineering from a security perspective
• Baseline and exception handling
• Vulnerability assessment on the process
• Identification of mitigation methods
• New process definitions
• Workflow Application
• Development (programming language and methodology)
• Data management (DBMS and data access control)
• Runtime (OS, server and network architecture)
• Source code management
• Interfaces with other programs and end-users
• Etc.
Specification and Design
Summary
• Involve all appropriate organizational entities in security discussions
• Physical security systems are riding your networks today… make sure they’re secure
• Leverage technologies that cross over both physical and logical security
• Secure the process, not just the technology
• A truly secure environment takes into account people, process, and technology.
Apply
• Identify a business process within your organization and analyze the logical and physical security protocols in place.
• Determine what physical security assets are running on your IP network and document/verify access control rights.
• Review what alerts/alarm conditions are received from your NOC/SOC and your facilities security office and share the results with each organization.
PHYS-403 - Case Study:
ID's, Cameras, Action -
Converged Security
Thank You
Steve Vinsik, VP Critical Infrastructure Protection
Steven.Vinsik@Unisys.com