Risk base approach for security management fujitsu-fms event 15 aug 2011
Download as PPTX, PDF1 like1,096 views
The document provides an overview of Fujitsu's risk-based approach to security management. It discusses the evolving security landscape and challenges organizations face. Fujitsu's approach involves 3 steps: 1) Conducting risk and vulnerability assessments to understand threats. 2) Visualizing security data through logs consolidation and SIEM solutions to provide situational awareness. 3) Using investigation tools to gain visibility into system behavior and provide intelligence to inform security operations. The approach is aligned with security frameworks like COBIT and ISO and aims to balance security, compliance, and business needs through a coordinated and layered enterprise security architecture.
Risk base approach for security management fujitsu-fms event 15 aug 2011
- 1. Risk Base Approach Security Management 15th August 2011 Lam Kwok Wing – CISSP, CISM lam.kwokwing@sg.fujitsu.com
- 2. Agenda Today’s Security Situation Organization’s Challenges Fujitsu Approach 2
- 3. Before 2006 3
- 4. 2006 - The Year Hacking Became A Business 2006 was the year hacking stopped being a hobby and became a lucrative profession practiced by underground of computer software developers and sellers. It was the year when cyber-criminals targeted everything from MySpace to Facebook. Are you one of the victim in June? 4
- 5. We archived 1,419,202 web-sites deface-ments Attacks by month Year 2010 Jan 53,915 Feb 57,867 Mar 73,712 Apr 95,078 May 83,182 Jun 81,865 Jul 87,364 Aug 63,367 Sep 185,741 Oct 194,692 Nov 258,355 Dec 184,064 Total 1,419,202 5
- 6. After 2006 6
- 7. Zombie Hacker Will Hack No More Associated Press 01.23.06 SAN FRANCISCO -- A 20-year-old hacker pleaded guilty Monday to surreptitiously seizing control of hundreds of thousands of internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on websites and sent out spam. Jeanson James Ancheta, of Downey, California, pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him earned him more than $61,000, more than $61,000, said federal prosecutor James Aquilina said. Prosecutors called the case the first to target profits derived from use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds, their owners unaware that parasitic programs have been installed are being run by remote control. profits derived from use of "botnets,“ Botnets are being used increasingly to overwhelm websites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft's Windows operating system, typically machines whose owners haven't bothered to install security patches. A website Ancheta maintained included a schedule of prices he charged people who hundreds of thousands of wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of website. internet-connected computers, Prosecutors say Ancheta and SoBe then installed the ad software from the two companies -- Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180 Solutions of Bellevue, Washington -- on the bots they controlled, pocketing more than $58,000 in 13 months. 7
- 8. Hacking as Business Hacking isn't a kid's game anymore It had price …$$$... The Black Market USD Trojan program to steal online account information $980-$4,900 Credit card number with PIN $490 Billing data, including account number, address, $78-$294 Social Security number, home address, and birth date Driver's license $147 Birth certificate $147 Social Security card $98 Credit card number with security code and expiration $6-$24 date PayPal account logon and password $6 Data source: Trend Micro 8
- 9. Hacking as Services DDoS attacks The price usually depends on the attack time: 1 hour - US$10-20 (depends on the seller) 2 hours - US$20-40 1 day - US$100 + 1 day - From US$200 (depends on the complexity of the job) It is worth highlighting that they normally offer 10 minutes testing, this means that if you are interested, you tell them the server and they will perform a DoS attack for 10 minutes, so that you can evaluate the ‘service’. Spam Hosting: US$200 Dedicated spam server US$500 10,000,000 Mails per day US$600 SMS spam (per message) US$0.2 ICQ (1,000,000) US$150 Hiding of executable files. To avoid antivirus programs and firewalls (They guarantee that the files won’t be detected even by the antivirus updates of the date of purchase): From US$1 to US$5 per executable file (cheap, isn’t it?) RapidShare premium accounts: (Server hosting) 1 month - US$5, 2 months - US$8, 3 months - US$12, 6 months - US$18, 1 year - US$28 9
- 10. Hacking as Organized Crime Cyber Criminals have become an organized bunch. they use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together. Software as a Service for criminals Attackers use sophisticated trading interfaces to classify the stolen accounts by the FTP server’s country of origin and the compromised site’s Google page ranking. This information enables attackers to determine cost of the compromised FTP credentials for resale to cybercriminals or to leverage themselves in an attack against the more prominent Web sites. Malware that encrypts data and then demands money to provide the decryption key – FileFixPro 10
- 11. Federal websites knocked out by online botnet attack Computerworld UK - July 08, 2009 By Robert McMillan A botnet comprised of about 50,000 infected computers has knocked out the 50,000 Infected Computers websites of several government agencies, and caused headaches for businesses in the US and South Korea. The attack started 20 - 40and security experts have credited it with Saturday, Gps Bandwidth knocking the US Federal Trade Commission's (FTC's) website offline for parts of Monday and Tuesday. Several other government websites have also been targeted, including the US Department of Transportation (DOT). Consuming 20 to 40 gigabytes of bandwidth per second On Saturday and Sunday the attack was consuming 20 to 40 gigabytes of bandwidth per second, about 10 times the rate of a typical DDoS attack. Security experts estimate the size of the botnet at somewhere between 30,000 and 60,000 computers. 11
- 12. Date Site Year 2011 2011-04-04 2011-04-20 Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Lawsuit Sony PSN Offline 2011-04-26 PSN Outage caused by Rebug Firmware 2011-04-26 PlayStation Network (PSN) Hacked 2011-04-27 Ars readers report credit card fraud, blame Sony 2011-04-28 Sony PSN hack triggers lawsuit Sony says SOE Customer Data Safe SONY Cases - April-June 2011 2011-05-02 2011-05-03 Sony Online Entertainment (SOE) hacked SOE Network Taken Offline Sony Online Entertainment (SOE) issues breach notification letter 2011-05-05 Sony Brings In Forensic Experts On Data Breaches Anonymous leaks Bank of America 2011-05-06 2011-05-07 2011-05-14 Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony Sony succumbs to another hack leaking 2,500 "old records" Sony resuming PlayStation Network, Qriocity services e-mails 2011-05-17 2011-05-18 PSN Accounts still subject to a vulnerability Prolexic rumored to consult with Sony on security 2011-05-20 Phishing site found on a Sony server 2011-05-21 Hack on Sony-owned ISP steals $1,220 in virtual cash 2011-05-22 Sony BMG Greece the latest hacked Sony site 2011-05-23 LulzSec leak Sony's Japanese Websites 2011-05-23 PSN breach and restoration to cost $171M, Sony estimates 2011-05-24 Sony says hacker stole 2,000 records from Canadian site (Sony Erricson) 2011-06-02 LulzSec versus Sony Pictures 2011-06-02 Sony BMG Belgium (sonybmg.be) database exposed 2011-06-02 Sony BMG Netherlands (sonybmg.nl) database exposed Lulz Security hackers target Sun website 2011-06-02 2011-06-03 Sony, Epsilon Testify Before Congress Sony Europe database leaked 2011-06-05 Latest Hack Shows Sony Didn't Plug Holes 2011-06-05 Sony Pictures Russia (www.sonypictures.ru) databases leaked Hong Kong Stock Exchange Website 2011-06-06 2011-06-06 2011-06-08 LulzSec Hackers Post Sony Computer Entertainment Developer Network (SCE Devnet) LulzSec hits Sony BMG, leaks internal network maps> Sony Portugal latest to fall to hackers Hacked, Impacts Trades 2011-06-08 2011-06-11 2011-06-20 Spoofing lead to fraud via shopping coupons at Sonisutoa / My Sony Club (Google Translation) Spain Arrests 3 Suspects in Sony Hacking Case SQLI on sonypictures.fr 2011-06-23 Class Action Lawsuit Filed Against Sony/SCEA 2011-06-28 Sony CEO asked to step down on heels of hacking fiasco 12
- 13. Agenda Today’s Security Situation Organization’s Challenges Fujitsu Approach 14
- 14. Security – A Confusing Picture Data Loss Protection Multi Layer Firewall Network Security Host IDS Content Monitoring and Filtering is the first Line of Network Infrastructure Load Balancer Defense NAC Incident Management System Security policies File Access Control List fine-grain access control System Infrastructure Government regulations operational process System compliance central log server from a single console Security Standards Operation/ Password Management visibility to Administration Authorization API security threats AD Authentication Access Control Keystore Management policy-based authorization Web Services Manager Engine Security Breaches Alert ID lifecycle management Delegated administration Entitlements Server Middleware & compliance Breaches Alert 4A’s Security Services System Services delegated administration Application Security approval workflows is the last Line of Role-base access Business Services Defense 2FA Authentication Independent 3rd Party Audit 15
- 15. The Military Model for Security Issues Threat Avoidance: Security is the IT department’s business - Security is the Security Expert’s Jobs Security is an absolute - Figure out what the threats are, and avoid them - Either you’re secure or you’re not Follows a computer engineering mentality - Find and solve it - Deploy point solution Security becomes a barrier to business 16
- 16. Visibility of Malware vs. Malicious Intent -- Invisible -- Source from : Douwe.Leguit@govcert.nl April 2007 17
- 17. Fujitsu Coordinated & Layered Approach Enterprise Security Architecture End Point Security Network System Data Application Security Security Security Security Operational Security Physical / Data Center Security Personnel Security Security Management 18
- 18. Security Management Framework CobiT ITIL ISO/IEC 27001 NIST SP800-53A 19
- 19. PPT for Security Triad Confidentiality Security Triad Integrity Availability 20
- 20. ISACA–Business Model for Information PPTX is the latest version today? Security Source: Adapted from the USC Marshall School of Business Institute for Critical Information Infrastructure Protection http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/An_Introduction_to_the_Business_Model_for_Information_Security1.htm 21
- 21. Risk Base Approach for Security Management Risk Management : The Business Model Security is relative: - Many risks and Many solutions Security is everyone’s Business Security is a process - Things fail all the time Variety of options: - Accept the risk - Mitigate the risk with People/Procedure/Technology - Transfer the risk 22
- 22. Agenda Today’s Security Situation Organization’s Challenges Fujitsu Approach 23
- 23. Fujitsu Approach - 3 Steps for Better Security Step 1 : Know your risks Internal Regulatory And And External Compliance Threats Force Business ROSI System Data Cost of Doing (Return on Security Asset Business Investment) Application and Process Vulnerability - Risk Assessment / Compliance Assessment - Vulnerability Assessment - Web Application Assessment / PenTest 24
- 24. Fujitsu Approach - 3 Steps for Better Security Step 2 : Visualize your situation 25
- 25. Fujitsu Approach - 3 Steps for Better Security The Enterprise Today - Mountains of data, many stakeholders Malicious Code Detection Real-Time Monitoring Spyware detection Troubleshooting Access Control Enforcement Configuration Control Privileged User Management Lockdown enforcement Unauthorized False Positive Service Detection Reduction IP Leakage Web server Web cache & proxy logs User Monitoring SLA Monitoring activity logs Content management logs Switch logs IDS/IDP logs VA Scan logs Router logs Windows Windows logs VPN logs domain logins Firewall logs Wireless access logs Linux, Unix, Oracle Financial Windows OS logs Logs Mainframe Client & file DHCP logs logs server logs San File VLAN Access Database Logs Access & Control logs Logs Sources from RSA 26
- 26. Fujitsu Approach - 3 Steps for Better Security Step 2 : Visualize your situation System Monitoring Intelligent Logs and Consolidation Correlation SIEM Security Information & Solution Event Management SOC Security Operation Center Incident Management ITIL Process 27
- 27. Fujitsu Approach - 3 Steps for Better Security Step 3 : Knowing your enemy’s behavior You need an Investigation Tools • for pervasive visibility into content and behavior • Providing precise and actionable intelligence 28
- 28. Arts of War (Sun Zi) Section III: Investigation Attack by Stratagem If you know yourself and know the Visualization enemy, you need not fear the result of a hundred battles. 孫子兵法 謀攻第三: 知己知彼,百戰不殆 Remediation 29
- 29. Thank you 30
Editor's Notes
- #8: Associated Press 01.23.06 SAN FRANCISCO -- A 20-year-old hacker pleaded guilty Monday to surreptitiously seizing control of hundreds of thousands of internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on websites and sent out spam.Jeanson James Ancheta, of Downey, California, pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, said federal prosecutor James Aquilina said.Under a plea agreement, which still must be approved by a judge, Ancheta will receive from 4 years to 6 years in prison, forfeit a 1993 BMW and more than $58,000 in profit and pay $19,000 in restitution to the federal government, according to court documents. He is to be sentenced May 1.Prosecutors called the case the first to target profits derived from use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds, their owners unaware that parasitic programs have been installed are being run by remote control.Botnets are being used increasingly to overwhelm websites with streams of data, often by extortionists. They feed off of vulnerabilities in computers that run Microsoft's Windows operating system, typically machines whose owners haven't bothered to install security patches.A November indictment charged Ancheta with 17 counts of conspiracy, fraud and other crimes connected to a 14-month hacking spree that started in June 2004 and that authorities say continued even after FBI agents raided his house the following December."Part of what's most troubling about those who commit these kinds of offenses is they think they'll never be caught," said Aquilina, who spent more than a year investigating Ancheta and several of Ancheta's online associates who remain uncharged co-conspirators.Ancheta's attorney, federal public defender Greg Wesley, did not immediately return phone calls seeking comment.The guilty plea comes less than a week after the FBI released a report that estimates viruses, worms and Trojan horse programs like the ones Ancheta employed cost U.S. organizations $11.9 billion each year.November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on websites.Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on internet chat channels.A website Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of website.In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment. A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computers users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. Working with a juvenile in Boca Raton, Florida, whom prosecutors identified by his internet nickname "SoBe," Ancheta infected more than 400,000 computers.Ancheta and SoBe signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.Prosecutors say Ancheta and SoBe then installed the ad software from the two companies -- Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180Solutions of Bellevue, Washington -- on the bots they controlled, pocketing more than $58,000 in 13 months."It's immoral, but the money makes it right," Ancheta told SoBe during one online chat, according to the indictment."I just hope this (Loudcash) stuff lasts a while so I don't have to get a job right away," SoBe told Ancheta during a different conversation.Aquilina, the assistant U.S. attorney prosecuting the case, wouldn't say whether authorities plan to charge SoBe or any of the people accused of renting out Ancheta's bots, many of whom are described as "unindicted co-conspirators."During the course of their scheme, Ancheta and SoBe infected U.S. military computers at the China Lake Naval Air Facility and the Defense Information System Agency headquartered in Falls Church, Virginia, according to a sworn declaration signed by Ancheta.
- #16: Security must be pervasive. Every aspect of a company should be security conscious. Security Policies, Standards And ProceduresPersonnel SecurityPhysical SecurityNetwork SecuritySystems SecuritySystem AuditRisk ManagementApplications Security - Authentication - Access ControlAudit LogsIncident ManagementDisaster Recovery And Business ContinuitySecurity AssuranceSecurity Training And Awareness Requirements
- #17: Security and Risk ManagementAsk any network administrator what he needs security for, and he can describe the threats: web site defacements, corruption and loss of data due to network penetrations, denial-of-service attacks, viruses and trojans. The list seems endless, and an endless series of news stories proves that the threats are real.Asl that same network administrators how security technologies help. And he’ll discuss avoiding the the threats. This is the traditional paradigm of computer security, born out of a computer science memtality: figure out what the threats are, and build technologies to avoid them. The conceit is that technologies can somehow “solve” computer security, and the end result is a security program that becomes an expense and a barrier to business. How many times has a security officer said: “You can’t do that; it would be insecure?”.The paradigm is wrong. Security is a people problem, not a technology problem. There is no computer security product-of even suite of pfoducts-that acts as magical security dust, imbuing a network with the property of “secure”. It can’t be done. And it’s not the way business works. Business manage risks. They manage all sorts of risks; network security is just another one. And there are many different ways to manage risks. The ones you choose in a particular situation depend on the detail of that situation. And failures happen regularly; many business manage their risks improperly, pay for their mistakes, and soldier on. Businesses are remarkably resilient.To take a concrete example, consider a physical store and the risk of shoplifting. Most grocery stores accept the risk as a cost of doing business. Clothing stores might put tags on all their garments and sensors at the doorways; they mitigate the risk with a technology. A jewelry sotre might mitigate the risk through procedures: all merchandise stays locked up, customers are not allowed to handle anything unattended, etc. And that same jewelry store will carry theft insurance, another risk management tool. More security isn’t always better. You could improve the security of a bank by strip-searching everyone who walks through the front door. But if you did this, you would have no business. Studies show that most shoplifting at department stores occurs in dressing rooms. You could improve security by removing the dress rooms, but the losses in sales would more than make up for the decrease in shoplifting. What all of these business are looking for is adequate security at a reasonable cost. This is what we need on the internet as well-security that allows a company to offer new services, to expand into new markets, and to attract and retain new customers. And the particular computer security solutions they choose depend on who they are and what they are doing.
- #21: Security is not a single solution. Security is a pervasive, ongoing process of reviewing and revising based on changes to the environment. It is the culmination of interaction between People, process, and technology. 1. People – People are the most important security component. People define Policy and process and procedures. Often, People are weakest link in any security infrastructure. Educating users on security awareness, and rewarding them when they follow you procedures, is a great way to build a security-conscious environment. 2. Process – “Security is a process, not a product”. Security product is only a one-step process. As the corporate environment change, these products should be analyzed and reconfigured. Overall, security is not something you can “get”. There is not out-of-the-box, plug-and-play solutions that provide you with an adequate security infrastructure. Building an effective security infrastructure requires analysis and planning along with the development of policies and procedures and a little help from security products. Policies form the foundation of your security infrastructure. Policies define how a company approaches security, how employees should handle security, and how certain situations will be addressed. Without strong policies implemented in the company and reviewed on a regular basis, you do not have a security infrastructure. 3. Technology – You might have a few security products installed, but you do not have and infrastructure because you do not have the foundation to build on. Surprisingly, technology is the least import component of a security infrastructure. All technology does is provide you with the means to implement your policies. I am not saying that technology is not import, but it is less important than strong policies and security-conscious employees. Now that people are aligned, and the process developed and clarified, technology can be applied to ensure consistently in the process and to provide the thin guiding rails to keep the process on track - to make it easier to follow the process than not do so.Security must be pervasive. Every aspect of a company should be security conscious. Employees need to understand the importance of security and the role they play in maintaining and effective security infrastructure. Management should realize that security is critical to the success of the company and set an example for all employees to follow regarding security consciousness.
- #23: Security and Risk ManagementAsk any network administrator what he needs security for, and he can describe the threats: web site defacements, corruption and loss of data due to network penetrations, denial-of-service attacks, viruses and trojans. The list seems endless, and an endless series of news stories proves that the threats are real.Asl that same network administrators how security technologies help. And he’ll discuss avoiding the the threats. This is the traditional paradigm of computer security, born out of a computer science memtality: figure out what the threats are, and build technologies to avoid them. The conceit is that technologies can somehow “solve” computer security, and the end result is a security program that becomes an expense and a barrier to business. How many times has a security officer said: “You can’t do that; it would be insecure?”.The paradigm is wrong. Security is a people problem, not a technology problem. There is no computer security product-of even suite of pfoducts-that acts as magical security dust, imbuing a network with the property of “secure”. It can’t be done. And it’s not the way business works. Business manage risks. They manage all sorts of risks; network security is just another one. And there are many different ways to manage risks. The ones you choose in a particular situation depend on the detail of that situation. And failures happen regularly; many business manage their risks improperly, pay for their mistakes, and soldier on. Businesses are remarkably resilient.To take a concrete example, consider a physical store and the risk of shoplifting. Most grocery stores accept the risk as a cost of doing business. Clothing stores might put tags on all their garments and sensors at the doorways; they mitigate the risk with a technology. A jewelry sotre might mitigate the risk through procedures: all merchandise stays locked up, customers are not allowed to handle anything unattended, etc. And that same jewelry store will carry theft insurance, another risk management tool. More security isn’t always better. You could improve the security of a bank by strip-searching everyone who walks through the front door. But if you did this, you would have no business. Studies show that most shoplifting at department stores occurs in dressing rooms. You could improve security by removing the dress rooms, but the losses in sales would more than make up for the decrease in shoplifting. What all of these business are looking for is adequate security at a reasonable cost. This is what we need on the internet as well-security that allows a company to offer new services, to expand into new markets, and to attract and retain new customers. And the particular computer security solutions they choose depend on who they are and what they are doing.