PHYS-403_final

PHYS-403 - Case Study:PHYS-403 - Case Study: ID's, Cameras, Action - Converged SecurityConverged Security Steve Vinsik, VP Critical Infrastructure Protection Unisys Corporation 04/24/09 | Session ID: PHYS – 40304/24/09 | Session ID: PHYS 403 Session Classification: Intermediate Agenda What is a Secure Business Environment Why Provide A Secure Business Environment: A Pl ibl S iA Plausible Scenario P l P T h lPeople – Process - Technology Case Study Insert presenter logo here on slide master 2 What Is A SecureWhat Is A Secure Business E i tEnvironment Security In Context • Customer Challenges – Five Forces of Globalization C li• Compliance • Communication • Collaboration • Competition • Complexity Responding to As mmetric Threats– Responding to Asymmetric Threats • Acts of Cybercrime • Acts of Nature • Acts of Terrorism – Defending national assets and critical infrastructure B l i ili d Insert presenter logo here on slide master 4 – Balancing agility and assurance Security Industry Integration Perspective IT Security Protecting Information & IT Infrastructure Physical Security Protecting People, Places and Things Security and Risk Assessment/Advisory Services Integrated Threat Analysis & Pattern Recognition Security & Vulnerability M t Goods/Assets Tracking and A th ti itManagement Authenticity Secure Content & Threat Management Location/ Perimeter Surveillance & Securityg y Identity & Access Management Identification & Credentialing Identity Management Managed Security Services Insert presenter logo here on slide master 5 What Is A Secure Business Environment? • A best-practice, defense-in-depth layered security model and implementation methodology, for the protection of sensitive and/or at riskfor the protection of sensitive and/or at-risk assets, inclusive of Physical (facilities), IT/Communications, Personnel, and Process safeguards. • But more importantly: • It is a new security modality, that looks at the whole security picture rather than just one piece of the puzzle, and integrates elements from different areas to ensure the highest possible level of security Insert presenter logo here on slide master 6 level of security. A Next Generation Security Model • The security model for the Secure Business Environment is process- centric, placing the secured business process as the core element of a defense- in-depth implementation that addresses Personnel, Facilities, the IT/Communications Infrastructure, and the Process itself. Insert presenter logo here on slide master 7 Why Is This Important? • In the current environment, risk assessment within a corporation is heavily focused on Programs and Processes; other elements that have a potential to introduce risk are generally handled separately – often by different departments. • This siloed view of security leaves many gaps that canleaves many gaps that can be exploited. Insert presenter logo here on slide master 8 Why Is This Important? • By placing the business process at the core of the model, and implementing a risk assessment methodology that takes the full spectrum of risks into consideration, it is possible to close the gaps in security, and significantly improve the risk profile of a company. Insert presenter logo here on slide master 9 Why Provide AWhy Provide A Secure Business E i t?Environment? A Plausible Scenario • A financial institution has an Electronic Funds Transfer (EFT) business process The financialTransfer (EFT) business process. The financial institution uses process specific safeguards to secure this asset. Examples of these f dsafeguards are: – Co-signing of transfers by a manager A li ti li it d t ifi t i l– Application limited to specific terminals – Login requires secure password – Audit trail of activity within the EFT applicationAudit trail of activity within the EFT application • How secure is this critical business process? Insert presenter logo here on slide master 11 Act I – He’s A Nice Guy • Meet William S d h hi d– Screened once when hired – Works in accounting department – Nice guy … everyone likes himNice guy … everyone likes him Insert presenter logo here on slide master 12 Act II – The Hook • William Likes to Gamble – Used to go to casino only occasionally – Got hooked by online gaming a year ago Now he has some big debts and big– Now he has some big debts and big problems Insert presenter logo here on slide master 13 Act III – We’re Not Alone • William thinks he’s the only one who knows O ft h t i t il• One afternoon he gets a private email • Someone has been watching his online activities Insert presenter logo here on slide master 14 Act IV – Just One Little Favor • They don’t ask much… J t i t ll t k iff th t• Just install a network sniffer on the corporate network Th ff E h t t Will t f t bl• The payoff…Enough to get Will out of trouble Insert presenter logo here on slide master 15 Act V – Will’s Debt Free! • The network sniffer, over time, captures the managers passwordg p • Since Will is a trusted employee he has access to the building, which also gives him access to the e bu d g, c a so g es access o e managers’ office • Will now has everything he needs to transfer funds o as e e yt g e eeds to t a s e u ds to an unauthorized bank account Insert presenter logo here on slide master 16 We Never Saw It Coming • It could take weeks – or months before anyone even realizes that something went wrong By then it’swrong. By then, it s too late. Insert presenter logo here on slide master 17 So What Went Wrong • If only … … Will had been screened more often Hi bli d bt ld h b di d– His gambling debts would have been discovered … they had monitoring to detect unauthorized applicationspp – The network sniffer would have been detected …the facility security was integrated with application itsecurity – Will would not have access to the manager’s office they required stronger authentication to the…they required stronger authentication to the application (smartcards and/or biometrics) – Will would not be able to co-sign the transfer Insert presenter logo here on slide master 18 …And Who Is To Blame • It’s easy to point fingers, and say that it was one person who went bad – but the truth is that the problem is bigger than thatproblem is bigger than that. • The Secure Business Environment is structured upon the idea of defense-in-depth providingupon the idea of defense in depth, providing multiple integrated safeguards that make it much more difficult to breach security. • It is always possible for systems to fail. It is always possible for people to fail. By providing a L d S i A hi iLayered Security Architecture, corporations can greatly enhance their Security Posture. Insert presenter logo here on slide master 19 People – Process -People Process Technology Comprehensive Planning Process Risk Assessment and Treatment Security PolicySecurity Policy Organization of Information Security Asset Management Risk Strategy Technology Design Security Blueprinting ISO 27000 Assessment Vulnerability and Architecture Assessment Security Roadmap Human Resources Security Physical Security Communications and Operations Management Access Control Information Systems Acquisition, Development, Maintenance Information Security Incident M t *ISO/IEC 27002 Management Business Continuity Compliance Ties together operations, strategy, and technology Architecture to provide a comprehensive view of a organization’s capabilities to perform business securely. Insert presenter logo here on slide master 21 ISO/IEC 27002 Personnel Security • Personnel requirements address three vital areas:areas: – Identity Management (IdM); – Employee Screening – Employee Awareness and security training. Insert presenter logo here on slide master 22 Process • The process is at the core of the Architectural model and the primary element being protectedmodel, and the primary element being protected. • Determine if: P it lf i– Process itself is secure – Safeguards are effectively implemented Insert presenter logo here on slide master 23 Technology • Facilities Infrastructure specifications are intended to prevent as well as detect visualintended to prevent as well as detect visual, acoustical, technical, and physical access by unauthorized persons. • Draws upon US Government standards: Director of Central Intelligence Directive No. 6/9 (DCID 6/9) titl d “Ph i l S it St d d f6/9), titled “Physical Security Standards for Sensitive Compartmented Information Facilities”. Insert presenter logo here on slide master 24 Technology Insert presenter logo here on slide master 25 Security Convergence And Unification Insert presenter logo here on slide master 26 Case StudyCase Study Compelling Reasons • In banking, the most important asset is trust. M j l f d i id t t B i B k DAIWA Alli d– Major employee fraud incidents at Barings Bank, DAIWA, Allied Irish Bank, Sumitomo, Bank of Montreal and SG – Fine for BNP Paribas for lax security in England (no incident) • Compliance with security regulations • Face new evolving threats effectivelyFace new evolving threats effectively • Maintaining competitive advantage Insert presenter logo here on slide master 28 Project Approach • Project phases: P j t t t– Project start – Feasibility study – Program developmentProgram development – Specification and design – Implementation of IT-components and IdM in sandbox i tenvironment – Test and acceptance – DeploymentDeployment Insert presenter logo here on slide master 29 Feasibility Study • Feasibility study, including process selection and clearly stating the overall goal. – Experiential workshops to set the requirements – Modeling and simulation Process risk assessment– Process risk assessment • Result: blueprint document What is the most at risk process– What is the most at-risk process – Which elements should the project comprise – Project requirements definitionProject requirements definition Insert presenter logo here on slide master 30 Program Development • Program development – Setting the project scope, division in phases – Identify and set up the required “global” project organization including description for each of the streams and their goals • Result: proposal document• Result: proposal document – Elaboration of the starting point: Layered and Defense-in-Depth Security; Service Oriented Architecture (SOA) with “loose” integration – replaceable components with no or minimal impact on the system as areplaceable components with no or minimal impact on the system as a whole • Allowing extensive reuse of existing components • Allowing a tailored scopeAllowing a tailored scope – Holistic security control – Division of subprojects Insert presenter logo here on slide master 31 Specification and Design • An integrated system of processes, policies and technologies to facilitate and control • Use of a single ID-card • Central Identity Managementy g • Single-step Identity/Card enrollment U ifi d S it E t M it i C l ti• Unified Security Event Monitoring, Correlation, and Analysis Insert presenter logo here on slide master 32 Specification and Design • Project streams: – Facilities – IT infrastructure – Identity & Access Management HR/ Personnel– HR/ Personnel – Documentation of support processes – Managed Security Services (SOC)Managed Security Services (SOC) • Process specific: – Business processBusiness process – Applications (workflow) Insert presenter logo here on slide master 33 Specification and Design • Facilities: – Walls, steel plates, metal detectors, tinted glass, EMI/EMF paintpaint… – Entrance/Exit (Mantraps, doors, anti tailgating sensors) – Layered Approach (zoning)y pp ( g) – Strong multi-factor Authentication – Video Management System including Cameras and Encoders (CCTV)Encoders (CCTV) – Integrated Physical Access Control – Audio Systems (recording)Audio Systems (recording) – Acoustical Masking System – Wireless Intrusion Detection System Insert presenter logo here on slide master 34 Specification and Design • Infrastructure: – Firewalls with Intrusion Detection and Prevention – Secure Switches/Routers/Gateways – Anti Virus/Spy-ware Fiber Optic Connecti it– Fiber Optic Connectivity – Thin Clients – Secure Copiers/PrintersSecure Copiers/Printers – NACS – Network Access Control System – Biometrics Authentication (fingerprint) – Certificate-based Authorization – Secure VoIP with Call Monitoring and Recording S F / M il i h C Ch ki d L i Insert presenter logo here on slide master 35 – Secure Fax/e-Mail with Content Checking and Logging Specification and Design • Identity and Access Management – Identity Management • Policies, Roles, Rules, Workflows, (de)-Provisioning and Audit engines – Strong Authentication (biometrics) – CredentialingCredentialing • Enrollment (3D-Face, Fingerprint) • Smart Card Management – Issuance and Personalization PKI d C tifi ti Di t ib ti (CA CRL)– PKI and Certification Distribution (CA, CRL) – Integrated Physical Access Control (Logical) • Building Control System, Surveillance System, Access Control Systemg y , y , y Insert presenter logo here on slide master 36 Specification and Design • Human Resources/Personnel – Roles and Responsibilities of Bunker employees • Dual control (reporting through different lines) • 4/6 eyes principles – Privacy issues (biometrics)y ( ) – Personnel Security and Screening – Security Awareness – Training – Policy Implications A d li– Awareness and policy program governance Insert presenter logo here on slide master 37 Specification and Design • Documentation Support processes – Describing all program-processes • “New employee” • “Hardware Maintenance visit” • “Card lost” • “Possible security breach detected” • “etc…” Insert presenter logo here on slide master 38 Specification and Design • Managed Security Services (SOC) – 24 x 365 monitoring – Secure Connectivity and Data Encryption – Firewall, Antivirus, IDS, IPS Services and Reporting Asset In entor– Asset Inventory – Vulnerability Scanning (Detection, Remediation, Reporting) – Content SecurityContent Security – Unified Event Monitoring, Correlation, Analysis, and Reporting (System Wide) P bl /I id t M t Business Event Management – Problem/Incident Management Server Infrastructure Applications Operations Event Management Event Management Event Management Holistic View Insert presenter logo here on slide master 39 Network Infrastructure Server Infrastructure Event Management Specification and Design • Business Process • Business Process Reengineering from a security perspective Baseline and exception handling• Baseline and exception handling • Vulnerability assessment on the process • Identification of mitigation methods N d fi i i• New process definitions • Workflow Application Development (programming language and methodology)• Development (programming language and methodology) • Data management (DBMS and data access control) • Runtime (OS, server and network architecture) S• Source code management • Interfaces with other programs and end-users • Etc. Insert presenter logo here on slide master 40 Specification and Design Insert presenter logo here on slide master 41 Summary • Involve all appropriate organizational entities in security discussions • Physical security systems are riding your networks today…make sure they’re secure • Leverage technologies that cross over both physical and logical security • Secure the process not just the technology • A truly secure environment takes into account y people, process, and technology. Insert presenter logo here on slide master 42 Apply • Identify a business process within your organization and analyze the logical and physical security protocols in placephysical security protocols in place. • Determine what physical security assets are running on your IP network and document/verifyrunning on your IP network and document/verify access control rights. • Review what alerts/alarm conditions are• Review what alerts/alarm conditions are received from your NOC/SOC and your facilities security office and share the results with each organization. Insert presenter logo here on slide master 43 PHYS-403 - Case Study:PHYS-403 - Case Study: ID's, Cameras, Action - Converged SecurityConverged Security Thank You Steve Vinsik, VP Critical Infrastructure Protection Steven.Vinsik@Unisys.com