Security Overview - Updates and Trends In Detail

MohanArumugam24 23 views 42 slides Sep 12, 2024

Slide Content

Security Overview: Trends
Rafal Lukawiecki
Strategic Consultant
Project Botticelli Ltd
[email protected]

Slide 2
Objectives
Overview a process-oriented approach to security
Discuss the recent trends in approaching security issues

Slide 3
Session Agenda
Frameworks, Processes and Concepts
Issues
Trends

Slide 4
The Problem
We have (more than enough) security technologies, but we do not know how (and if) we are secure

Slide 5
Security Frameworks

Slide 6
Security
Definition (Cambridge Dictionary of English): Ability to avoid being harmed by any risk, danger or threat
…therefore, in practice, an impossible goal
What can we do then?
Be as secure as needed
Ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal’s Definition)

Slide 7
Adequate Security
CERT usefully suggests:
“A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.” – www.cert.org/governance/adequate.html
Risk Appetite – defined through executive decision, influences amount of risk worth taking to achieve enterprise goals and missions
Relates to risks that must be mitigated and managed
Risk Tolerance – residual risk accepted
Relates to risk for which no mitigation would be in place

Slide 8
Approaches for Achieving Security
Two approaches are needed:
Active, dynamic, transient
Implemented through behaviour and pattern analysis
Passive, static, pervasive
Implemented through cryptography

Slide 9
Holistic View of Security
Security should be:
Static + Active, across all your assets, based on ongoing threat risk assessment

Slide 10
Framework 1: Defense in Depth
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Layers, from outermost to innermost, with example controls:
Policies, Procedures, & Awareness: User education against social engineering
Physical Security: Guards, locks, tracking devices, HSM
Perimeter: Firewalls, VPN quarantine
Internal Network: Network segments, IPSec, NIDS
Host: OS hardening, update management, authentication
Application: Application hardening, antivirus
Data: ACL, encryption

Slide 11
Secure Environment
A secure environment is a combination of:
Hardened hosts (nodes)
Intrusion Detection System (IDS)
Operating Processes
Standard and Emergency
Threat Modelling and Analysis
Dedicated Responsible Staff
Chief Security Officer (CSO) responsible for all
Continuous Training
Users and security staff – against “social engineering”

Slide 12
Framework 2: OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
Carnegie-Mellon University guidance
Origin in 2001
Used by US military and a growing number of larger organisations
www.cert.org/octave

Slide 13
Concept of OCTAVE
Workshop-based analysis
Collaborative approach
Guided by an 18-volume publication
Very specific, with suggested timings, personnel selection etc.
www.cert.org/octave/omig.html
Smaller version, OCTAVE-S, for small and medium organisations
www.cert.org/octave/osig.html

Slide 14
OCTAVE Process
Progressive Series of Workshops
Planning
Phase 1, Organizational View: Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.
Phase 2, Technological View: Tech. Vulnerabilities
Phase 3, Strategy and Plan Development: Risks, Protection Strategy, Mitigation Plans

Slide 15
Framework 3: Security Risk Analysis
A simplified approach, taking into account your assets’ exposure to security risks
Requires:
1. Identifying your assets
2. Assessing risks and their impact, probability and exposure
3. Formulating plans to reduce overall risk exposure

Slide 16
Risk Impact Assessment
For each asset and risk attach a measure of impact
Monetary scale if possible (difficult) or relative numbers with agreed meaning
E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Impact: Catastrophic (5)

Slide 17
Risk Probability Assessment
Now for each entry measure the probability that the loss may happen
Real probabilities (difficult) or a relative scale (easier) such as: Low (0.3), Medium (0.6), and High (0.9)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Probability: Low (0.3)

Slide 18
Risk Exposure and Risk List
Multiply probability by impact for each entry
Exposure = Probability x Impact
Sort by exposure
High-exposure risks need very strong security measures
Lowest-exposure risks can be covered by default mechanisms or ignored
Example:
Press may access MD mailbox:
Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
By the way, minimum exposure is 0.3 and maximum is 4.5 in our examples
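The three steps of the Security Risk Analysis framework (slides 15 to 18), carried through in code as an added example; this is not code from the presentation. It uses the slides' own relative scales (impact 1 to 5, probability 0.3/0.6/0.9) and the slides' "Internal MD mailbox" entry; the other assets and the treatment thresholds in `treatment()` are constructed assumptions for illustration.

```python
"""Risk exposure worked example (added illustration, not from the slides).

Step 1: list assets and the risks to them.
Step 2: rate impact (1..5) and probability (Low/Medium/High) per entry.
Step 3: exposure = probability x impact, sort into a risk list, and decide
        which entries need strong measures and which can be left to defaults.
"""
from dataclasses import dataclass

# Relative scales exactly as given on the slides.
IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    risk: str
    impact: str        # a key of IMPACT
    probability: str   # a key of PROBABILITY

    def exposure(self) -> float:
        """Exposure = Probability x Impact (rounded to avoid float noise)."""
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)


def risk_list(entries):
    """Return the entries sorted from highest to lowest exposure."""
    return sorted(entries, key=lambda e: e.exposure(), reverse=True)


def exposure_bounds():
    """Smallest and largest exposure the two scales can produce (0.3 and 4.5)."""
    lo = min(PROBABILITY.values()) * min(IMPACT.values())
    hi = max(PROBABILITY.values()) * max(IMPACT.values())
    return round(lo, 2), round(hi, 2)


def treatment(entry, strong_above=2.0, ignore_below=1.0):
    """Band an entry by exposure. The two thresholds are assumed values chosen
    for this example; the slides only say 'high' and 'lowest' exposure."""
    x = entry.exposure()
    if x > strong_above:
        return "very strong security measures"
    if x < ignore_below:
        return "default mechanisms or ignore"
    return "standard measures"


# Constructed sample register; the first entry is the slides' own example.
SAMPLE_ENTRIES = [
    RiskEntry("Internal MD mailbox", "Access to content by press", "Catastrophic", "Low"),
    RiskEntry("Customer database", "Bulk export by departing employee", "High", "Medium"),
    RiskEntry("Public web server", "Defacement", "Medium", "High"),
    RiskEntry("Staff lunch menu", "Unauthorised edit", "Trivial", "High"),
]

if __name__ == "__main__":
    for e in risk_list(SAMPLE_ENTRIES):
        print(f"{e.exposure():4.1f}  {e.asset}: {e.risk}  ->  {treatment(e)}")
    print("exposure bounds:", exposure_bounds())
```

Note that a relative scale only orders risks against each other: the web-server defacement (0.9 x 3 = 2.7) outranks the press reading the MD's mailbox (0.3 x 5 = 1.5) purely because of the agreed numbers, which is why the slides insist that the scale values have an agreed meaning before the list is used to allocate budget.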

Slide 19
Mitigation and Contingency
For high-exposure risks plan:
Mitigation: Reduce its probability or impact (so exposure)
Transfer: Make someone else responsible for the risk
Avoidance: avoid the risk by not having the asset
Contingency: what to do if the risk becomes reality

Slide 20
Framework 4: Threat Modeling
Structured analysis aimed at:
Finding infrastructure vulnerabilities
Evaluating security threats
Identifying countermeasures
Originated from software development security threat analysis
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the System
4. Identify the Threats
5. Document the Threats
6. Rate the Threats

Slide 21
STRIDE
A Technique for Threat Identification (Step 4)
Type of Threat: Examples
Spoofing: Forging email message; Replaying authentication
Tampering: Altering data during transmission; Changing data in database
Repudiation: Delete critical data and deny it; Purchase product and deny it
Information disclosure: Expose information in error messages; Expose code on web site
Denial of Service: Flood web service with invalid requests; Flood network with SYN
Elevation of Privilege: Obtain Administrator privileges; Use assembly in GAC to create acct

Slide 22
Threat Tree
Root: Inside Attack Enabled (attack domain controller from inside)
OR of:
  AND of: SQL Injection (an application doesn’t validate user’s input and allows evil texts)
          Dev Server (unhardened SQL server used by internal developers)
  AND of: Messenger Xfer (novice admin uses an instant messenger on a server)
          Trojan Soc Eng (attacker sends a trojan masquerading as network util)
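The threat tree on this slide, evaluated in code as an added example (not code from the presentation). The tree structure follows the slide: the root is an OR over two AND branches, each pairing two of the four leaf conditions. Beyond a plain true/false evaluation, the block also lists the minimal cut sets (the smallest leaf combinations that reach the root) and the smallest sets of leaves a defender must mitigate to make the root unreachable, which is how the tree is used when rating and countering threats in steps 5 and 6; those two helpers are this example's addition, not something the slide shows.

```python
"""Threat-tree evaluation (added illustration, not from the slides).

A node is either a leaf name (str) or a tuple (op, [children]) with op in
{"AND", "OR"}. The tree below encodes slide 22: the root "Inside Attack
Enabled" is reached by (SQL Injection AND Dev Server) OR
(Messenger Xfer AND Trojan Soc Eng).
"""
from itertools import combinations, product

THREAT_TREE = (
    "OR",
    [
        ("AND", ["SQL Injection", "Dev Server"]),
        ("AND", ["Messenger Xfer", "Trojan Soc Eng"]),
    ],
)

# Leaf descriptions as worded on the slide, kept for reporting.
LEAF_DESCRIPTIONS = {
    "SQL Injection": "an application doesn't validate user input and allows evil texts",
    "Dev Server": "unhardened SQL server used by internal developers",
    "Messenger Xfer": "novice admin uses an instant messenger on a server",
    "Trojan Soc Eng": "attacker sends a trojan masquerading as a network utility",
}


def evaluate(node, present):
    """True if the conditions in `present` (a set of leaf names) reach this node."""
    if isinstance(node, str):
        return node in present
    op, children = node
    results = [evaluate(child, present) for child in children]
    return all(results) if op == "AND" else any(results)


def leaves(node):
    """All leaf names under a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(leaves(child) for child in node[1]))


def cut_sets(node):
    """Minimal cut sets: each is a frozenset of leaves that together reach the node."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, children = node
    child_sets = [cut_sets(child) for child in children]
    if op == "OR":
        combined = set().union(*child_sets)          # any branch on its own
    else:
        combined = {frozenset().union(*combo)         # one cut set from each branch
                    for combo in product(*child_sets)}
    # keep only minimal sets: drop any that strictly contains another
    return {s for s in combined if not any(other < s for other in combined)}


def minimum_mitigation_sets(node):
    """Smallest sets of leaves whose mitigation breaks every cut set
    (a minimum hitting set; brute force is fine for trees of this size)."""
    all_leaves = sorted(leaves(node))
    sets = cut_sets(node)
    for size in range(1, len(all_leaves) + 1):
        hits = {frozenset(c) for c in combinations(all_leaves, size)
                if all(s & frozenset(c) for s in sets)}
        if hits:
            return hits
    return set()


if __name__ == "__main__":
    print("unhardened dev server alone reaches root:",
          evaluate(THREAT_TREE, {"Dev Server"}))
    print("dev server plus SQL injection reaches root:",
          evaluate(THREAT_TREE, {"Dev Server", "SQL Injection"}))
    for cs in cut_sets(THREAT_TREE):
        print("attack path:", " AND ".join(sorted(cs)))
    for ms in minimum_mitigation_sets(THREAT_TREE):
        print("mitigating", " + ".join(sorted(ms)), "closes every path")
```

For this tree no single leaf appears in every cut set, so one control cannot close the root; the minimum is one leaf from each AND branch (for example hardening the dev SQL server and forbidding instant messengers on servers), which is the kind of conclusion the rating step is meant to produce.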

Slide 23
Current Security Issues

Slide 24
Industry Issues for 2005-2006
Without undue generalisation:
Mobile security at data layer
Malware/spyware
Compliance auditing
Identity management
Patch/update management
Application defence
Intrusion detection

Slide 25
Mobile Security at Data Layer
Laptops and PDAs are rarely protected against physical data extraction
Encryption with removable keys is very effective, though deployment requires planning and is sometimes cumbersome
Smartcards plus EFS or an alternative system, such as PGP etc. can be applied
Data recovery needs (legal and practical) complicate the matter greatly

Slide 26
Spyware (Malware) Protection
90% of machines have malicious software, on average 28 separate spyware programs (report by Earthlink & Webroot)
Zombies
Network bandwidth and CPU degradation
Commercial secrets leaked
Privacy destroyed
3rd-party liability arises
Best practice:
SpyBot Search and Destroy (www.spybot.info)
Microsoft AntiSpyware (in beta)
AdAware
Limit use of administrative privileges for end-users

Slide 27
Compliance Auditing
An area of rapid growth, primarily due to Sarbanes-Oxley (“Sarbox”, or “Sox”) and EU Data Privacy regulation
In hands of specialised providers, mainly consulting business
Microsoft Operations Manager (MOM) can be applied for this purpose

Slide 28
Identity Management
Heterogeneity of authentication and security measures is a common fact
Don’t fight it, integrate it
Synchronisation between directories, no matter how different, is becoming a reality with solutions built on systems such as MIIS (Identity Integration Server)
Alternatively, converge onto a client-solution, such as smartcards or OTP/tokens

Slide 29
Patch and Update Management
As of Sept 2005, Microsoft Update is fully functioning, and integrates, at present:
Windows OS updates
Office
SQL Server
Exchange
More Microsoft products being added over the next months
Enterprise solutions, however, will still benefit from a fully-managed software distribution system, such as SMS (Systems Management Server)

Slide 30
Application Defence
As networks and hosts become well protected, application-level attacks are on the increase
Other than for very new in-house applications, development security has rarely been a concern
This is a major area of worry from the perspective of both insider and outside attacks
Approaches:
Prove it’s safe (threat modelling)
Isolate-and-monitor
Replace

Slide 31
Treating Unproven Applications
Until proven to be secure, treat all applications as “evil”
Restrict access only to users on a need-to-use basis
Restrict remote use
Isolate to dedicated application servers
Restrict servers through IPSec policies to only allow communication that applications explicitly require
Monitor usage patterns to establish a baseline and raise an alarm when patterns vary
Enable stringent auditing
Request a formal threat analysis if the above restrictions are too severe
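The "establish a baseline and raise an alarm when patterns vary" step of the isolate-and-monitor approach, as an added example that is not code from the presentation. It learns who uses an unproven application, at which hours and how heavily, from a training window of access-log lines, then checks a later window for three deviations: a user/application pair never seen before (the need-to-use restriction being bypassed), activity at an hour of day never seen for that pair, and a daily volume above the baseline's busiest day. The log format, every log line and the `volume_factor` threshold are constructed for this example.

```python
"""Usage-baseline monitoring for an unproven application (added illustration,
not from the slides). The log format and all log lines are constructed."""
import re
from collections import defaultdict

# Constructed format: "<date> <time> app=<name> user=<name> action=<verb>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"app=(?P<app>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$"
)

# Training window: three normal working days for the payroll application.
BASELINE_LOG = """
2005-09-19 09:05:12 app=payroll user=alice action=report
2005-09-19 10:12:44 app=payroll user=alice action=report
2005-09-19 10:30:01 app=payroll user=bob action=export
2005-09-19 14:30:09 app=payroll user=alice action=report
2005-09-20 09:02:51 app=payroll user=alice action=report
2005-09-20 10:25:18 app=payroll user=bob action=export
2005-09-20 10:40:33 app=payroll user=alice action=report
2005-09-20 14:15:47 app=payroll user=alice action=report
2005-09-21 09:10:05 app=payroll user=alice action=report
2005-09-21 10:03:29 app=payroll user=alice action=report
2005-09-21 10:45:56 app=payroll user=bob action=export
2005-09-21 14:55:12 app=payroll user=alice action=report
""".strip().splitlines()

# Window under review: an odd-hour event, a new user, and a busier-than-usual day.
OBSERVED_LOG = """
2005-09-22 03:14:22 app=payroll user=alice action=report
2005-09-22 09:07:40 app=payroll user=alice action=report
2005-09-22 10:20:15 app=payroll user=alice action=report
2005-09-22 10:35:08 app=payroll user=bob action=export
2005-09-22 11:02:37 app=payroll user=mallory action=export
2005-09-22 14:33:50 app=payroll user=alice action=report
2005-09-22 14:50:11 app=payroll user=alice action=report
""".strip().splitlines()


def parse(lines):
    """Yield (date, hour, app, user) tuples; reject lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        yield m["date"], int(m["hour"]), m["app"], m["user"]


def build_baseline(lines):
    """Per (user, app): the set of hours seen and the busiest single day's count."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for date, hour, app, user in parse(lines):
        hours[(user, app)].add(hour)
        daily[(user, app)][date] += 1
    return {key: {"hours": hours[key], "max_daily": max(daily[key].values())}
            for key in hours}


def check(baseline, lines, volume_factor=1.5):
    """Return a list of (kind, user, app, detail) alerts for the reviewed window.
    volume_factor is an assumed threshold: a day with more than
    max_daily * volume_factor events for a pair is reported."""
    alerts = []
    reported_unknown = set()
    daily = defaultdict(lambda: defaultdict(int))
    for date, hour, app, user in parse(lines):
        key = (user, app)
        profile = baseline.get(key)
        if profile is None:
            if key not in reported_unknown:          # report a new pair once
                reported_unknown.add(key)
                alerts.append(("unknown-pair", user, app, date))
            continue
        if hour not in profile["hours"]:
            alerts.append(("unusual-hour", user, app, f"{date} {hour:02d}h"))
        daily[key][date] += 1
    for (user, app), per_day in daily.items():
        limit = baseline[(user, app)]["max_daily"] * volume_factor
        for date, n in per_day.items():
            if n > limit:
                alerts.append(("volume", user, app, f"{date}: {n} events > {limit:g}"))
    return alerts


if __name__ == "__main__":
    for alert in check(build_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(*alert)
```

The baseline is deliberately coarse (hours seen and busiest day per pair) so that it can be built from the stringent auditing the slide already asks for; a richer model is only worth the effort once the application has been given a formal threat analysis.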

Slide 32
Intrusion Detection
Intrusion Detection Systems (IDS) are still fairly basic, though sophistication grew at network-level detection
Honeypots, i.e. monitored vulnerable servers exposed as “bait”, are still very effective, though may pose legal problems

Slide 33
Trends for 2006

Slide 34
Network Security – IPv6
A major development for 2006+ will be gradual replacement of IPv4 with IPv6
Amongst many benefits of this move, a crucial introduction of compulsory IPSec6 will provide much needed authentication and confidentiality of data at wire-level
Interesting issues still remain to be solved, but now is a very good time to seriously evaluate the technology
Windows Vista comes with a new IPv6 stack, as part of the entirely rewritten TCP/IP substrate, called “Next Generation TCP/IP”

Slide 35
Network Device Port Protection
Though long awaited, “802.1x for wired networks” is off to a confused start, as many basic devices, such as switches, are unlikely to support the technology as expected
With new infrastructure this technology might be useful in high-risk areas, especially exposed networks

Slide 36
Smartcards
While not a new technology, Microsoft’s support in Windows Vista promises a serious approach to solving deployment, manageability and developer issues
Infocard specification for developers
Alacris acquisition (20 Sept) for smartcard lifecycle management
Axalto deal for smartcard infrastructure
Windows Vista re-write of smartcard functionality

Slide 37
Biometrics
Overhyped: be careful and sceptical
Useful as a secondary protection of a private encryption key on a smartcard in a controlled environment
Advantage:
Simple and works in some environments, e.g. immigration control or secondary authentication of staff
Weakness:
Not useful for at-home, remote etc. applications as there is no way to ensure it is your real fingerprint, iris, retina etc. being scanned
Biometric data can be stolen and can be used to fake identity – no way to change it later
Too many false positive and false negative matches

Slide 38
Application-level Protection
With .NET Framework 2.0 and SQL Server 2005 developers can use a plethora of security technologies – easily
Developers are increasingly seen as responsible for security
This extends even to database developers, previously unlikely to engage in cryptography or ACL management
It is very important that all in-house and vertical solution-provider application developers undergo security training
Refresher courses or workshops are a good idea
Community participation helps

Slide 39
Summary

Slide 40
Summary
Viewing security holistically combines perspectives of people, processes, technologies and requires ongoing research and education
Security goals oppose those of usability
Frameworks enable achieving security goals without facing unexpected costs
Network and host protections are fairly mature
Developer-oriented solutions to prevent application-level attacks must be employed

Slide 41
© 2005 Project Botticelli Ltd & Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. PROJECT BOTTICELLI AND MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. You must verify all the information presented before relying on it. E&OE.

Welcome
Clare Dillon
Developer and Platform Group
Microsoft Ireland
[email protected]