Tivoli Now

1 © 2006 IBM Corporation


Hot security issues that Australian businesses face today
– IT Security Trends and Solution Approach

Brett Paskin
Chief Enterprise Security Architect, CISSP
Managing Certified Consultant
IBM Security & Privacy

Agenda
• Security Trends
  – Business Model
  – Current Trends
  – 2006 Threat Predictions
  – Regulations
• Comprehensive Approach
  – Component Model – a Solution Framework
  – Capability Model – an Information Security Roadmap

What changes have supported or led to the current security trends?

Old Model
• Distance between business & IT
• Traditional business models
• User interacts with IT department
• Security is purchased as component by project or department

Increased need for security, privacy & trust

Today's Model
• User interacts using IT
• Operational risk and information risk converging
• Global reach extended
• E-business and e-Government models use B2B & B2C
• Security viewed as enterprise-wide need
• Physical & IT security converging

[Diagram: for both models, business process, IT, information, user department and technology are shown as interacting elements, each labelled "Increased Risk"]

A number of security trends …

• Rise of security appliances (content filtering, anti-spam, etc.)
• Consolidation of security functions (firewalls, antivirus, etc.)
• Proactive controls (Intrusion Prevention Systems, Compliance
• Continued industry consolidation
• More focus on security architecture
• Policies, processes and training more important
• Security skills harder to find
• Focus on ROI and improvements to business processes
• Solution Partnering
• Priority - Data protection, Compliance and Identity information p

Potential Trends – Security Threats

IBM's Global Business Security Index report includes an early view of potential trends in 2005 – 2006*

1. Malware – more sophisticated, focused, botnet and blended
2. Instant Messaging – virus, spam, command & control
3. VoIP – eavesdropping, Vishing, remote denial of service
4. Mobile Devices – viruses, spam, theft, loss, network access
5. Identity Theft – Spear Phishing attacks, Lost, Stolen or Given Away
6*. Blogging – inadvertent leakage
7*. Insider Attacks – Social Engineering, looser allegiance, unclosed accounts
8*. Emerging Markets – Poor international cooperation

Regulations are increasing compliance requirements.

Examples of Regulation
• Spam Act 2003
  – up to $220,000 for a single day’s contraventions – repetition up to $1
• Privacy Act 1988 and 2001
• Cybercrime Act 2001
• Electronic Transactions Act
• Anti-Discrimination Act (1991), Workplace Health and Safety

Other Specific Industry
• CLERP 9 (July 2004) ASX Listing and Corporate Governanc
• USA associated companies: Sarbanes-Oxley (SOX)
  – Individual penalty up to USD$20million – 5yrs
• PCI-DSS (MasterCard, Visa, JCB, AMEX)
• Finance & Insurance: Basel II (APRA)

To enable a trusted on-demand environment, a comprehensive security component model is needed

Security Component Model – five layers:
• Process Enablement
• Security Framework
• Application Security
• Security Architecture
• Security Capabilities

Security Framework
What do we do? How do we deliver it? What level of maturity? What approach to adopt and use?
Enables departments and agencies to partner and provide on-demand services for users and other groups.
• Governance, compliance, process, maturity, change, communications ….

Process Enablement
How do you link to and support the business processes?
Enables security within the departmental/agency processes and applications.
• Risk Management, Information Asset Profile, Fraud, Event Correlation, profiling, on/off boarding, Identity reconciliation ….

Application Security
How do you ensure new projects don’t introduce new risks?
Integrates security into the project lifecycle to assure risk levels.
• Systems Development Life Cycle, standards, design solutions, patterns, controls, services integration

Security Architecture
How do you supply services? Consistency and integration of the services (SOA).
• Design principles, cost/risk/service, self-serve, roadmaps, compliance ..
[Diagram: Portal, B2B, Finance and ERP applications connected through a Security Services Bus]

Security Capabilities
How do you deliver operational capability? Ensure operational coverage and compliance.
• Identity Management
• Threat Management
• Privacy
• Logical Asset Protection
• Transaction Security
• Border Protection

Delivery of each capability is achieved through multiple integrated Components

[Diagram: the Security Component Model layers (Process Enablement, Security Framework, Application Security, Security Architecture, Security Capabilities) surrounded by the seven component types – Principles, Policy, Standards, Process, Architecture, Procedure, Product – with the question "But how much do I invest and for which capabilities?"]

Capability reference model – to assess capability need

• High-level reference architecture
• Security best practices based on Risk
• Assessment of security themes:
  – Governance
  – Privacy
  – Threat mitigation
  – Transaction and data integrity
  – Identity and access management
  – Application security
  – Physical security
  – Personnel security
• Let’s take a closer look …

IBM Information Security Framework

• Governance
  – Strategy: Information security policy; Enterprise security architecture
  – Governance framework: Governance structure
  – Security risk management framework: Threat risk assessment; Information asset profile; Project risk assessment; Security risk management
  – Compliance program: Regulatory compliance; Technical, policy and standards compliance; Health checking; Internal audit and response
  – Information security advisory: Consulting and advisory services
• Privacy
  – Privacy and information management strategy: Define privacy information strategy; Requirements and compliance process; Incident response
  – Policy, practices and controls: Policy taxonomy and glossary; Policy rules definitions; Privacy impact assessment (proactive); Privacy audit (reactive); Awareness and training
  – Data, rules and objects: Privacy data taxonomy and classification; Privacy business process model; Data usage compliance process
• Threat mitigation
  – Network segmentation and boundary protection: Network zone management and boundary security infrastructure; Remote access infrastructure; Intrusion defense; Network security infrastructure
  – Vulnerability management: Standard operating environment; Patch management; Vulnerability scanning and assessment
  – Incident management: Incident management; Event correlation; Forensics
  – Content checking: Virus protection; Content filtering
• Transaction and data integrity
  – Business process transaction security: Fraud detection; Data transaction security
  – Database security: Database configuration; Master data control
  – Message protection: Public key infrastructure; Message protection security
  – Secure storage: Data retrieval; Data storage protection; Data destruction; Archiving
  – Systems integrity: Security in systems management; Security in business continuity planning
• Identity and access management
  – Identity proofing: Background screening; Identity establishment
  – Identity lifecycle management: User provisioning; Other entity provisioning; Identity credential management
  – Access management: Single sign-on; Authentication services; Access control services
• Application security
  – Systems development lifecycle (SDLC): Security in the SDLC process
  – Application development environment: Secure coding practices; Operational application support environment; Design patterns
• Physical security
  – Site security: Site planning; Site management
  – Physical asset management: Asset management; Document management
• Personnel security
  – Workforce security: Awareness and training; Code of conduct; Employment lifecycle management

The IBM Security Capability Assessment Model provides a foundation for measurement

Capability Model describes
• 5 levels that identify a security posture
• The current posture for each capability
• The level of accepted business risk associated with each level
• List of tasks to close gaps

Step 1 - Capability Model – Current posture

Example capability assessed: content filtering. Each level is described by the filtering solution in place, its coverage of access channels, and how results are reviewed.

Initial
• Limited if any content filtering solution in place.
• Coverage of enterprise access channels limited.
• Generally no regular review of results.

Basic
• Implementation of off the shelf software, hardware and tools for inbound filtering of inappropriate content. Regular updates of filtering rules.
• Inconsistent application across existing access channels.
• Reviews are conducted on a regular basis to check compliance with policies.

Capable
• Implementation of off the shelf software, hardware and tools for inbound and outbound filtering of inappropriate / unauthorised content. Regular update of filtering rules.
• Application of product and hardware capabilities where the technology can exist, however not all access channels may be filtered.
• Consolidation of access requirements through specific channels and content filtering services (e.g. outbound web proxy).
• New access methods are identified, threats/risks analysed and mitigating controls implemented.
• Reviews are scheduled and conducted periodically. Results are reported and changes to standards/policy are

Efficient
• Customised/tailored software and tools for automatic filtering of inbound and outbound content.
• Tight integration between content management solution, network segmentation, data classification / asset value, access control and encryption/data management tools.
• Use of measures described above to restrict capabilities of remaining access channels where content filtering technology cannot exist.
• Content management solution manages information based on asset value and usage.

Optimizing
• Customised/tailored software and tools for content analysis.
• Automatic update of content policies and enterprise wide implementation.

Step 2 - Residual Risk – Business risk acceptability?

Initial
• Inability to identify inappropriate use of business resources.
• High level of vulnerability to content based attacks that could disrupt business operations. May result in major systems or operational outages.
• Customer and business interruption may be above acceptable costs or limits.
• High level of vulnerability to sensitive or competitive information leaks may result in negative customer / media impact.
• Management of incidents/issues is inefficient and expensive.
• Significant network bandwidth is consumed by non-business traffic, resulting in delays in service or system availability, with high likelihood of impact to customers.

Basic
• Inappropriate content still accessible via internal network. May result in a financial or HR issue / cost.
• Network could be used to deliver unsolicited content to others (outbound filtering), resulting in a moderate breach of privacy or information security.
• No means of managing outbound high value assets (confidential information).
• Limited capacity to quickly identify significant issues and respond.
• High risk of virus and other attacks coming through the network, unsolicited content or inappropriate use. Delays may be experienced, with work-arounds implemented to reduce impact.
• Lack of user awareness of content policy and appropriate use of information assets.

Capable
• Limited capacity to manage outbound high value confidential assets.
• Limited capacity to identify enterprise wide issues and respond accordingly.
• Content management policies and rules are not based on threat/risk assessment and asset value.
• Limited integration between other supporting processes reduces the effectiveness and increases the cost of managing data.

Efficient
• Inability to identify inappropriate distribution of confidential information.
• Update of content policy and content management rules is slow and dependent on human input.
• Minor slowing / interruptions of network, service or systems.

Optimizing
• Dependence on human interaction and supporting processes.
• Environmental changes and new technologies / techniques.
• Social Engineering.
• Infrequent system problems, service operations, little or no impact to the customer or business.
• Rare / one-off breaches by internal staff members. May only affect internal security. No external breach.
• Infrequent slowing of network or service.

Step 3 - Capability Matrix – Tasks to close the gap

Each task is ticked against the component types it requires: Principle, Policy, Standards, Process, Architecture, Procedure, Product. The number of ticks per task is given in brackets; which columns carry the ticks is not recoverable from this rendering.

Capability - Level 1 to 2
• Implementation of off the shelf software and tools for inbound filtering of inappropriate content. Regular update of filtering rules. [2 ticks]
• Content policy established. Policy established on the use of unauthorised software and un-trusted sites. [1 tick]
• Incident tracking and reporting functions are established, with regular reporting of results and significant issues. [1 tick]
• Retrospective analysis of significant incidents. [1 tick]

Capability - Level 2 to 3
• Reviews are conducted on a regular basis to check compliance with policies, architectures and standards. [2 ticks]
• Deviations from policy/standards are managed and non-compliance investigated. [2 ticks]
• Implement enterprise wide awareness and training programs. [3 ticks]
• Tight integration with support functions/teams. [1 tick]
• Detection and repair tools are deployed as part of standard platform configuration. [1 tick]
• New threats and vulnerabilities are monitored, underlying weaknesses are identified with preventative measures established and standardised. [3 ticks]

Capability - Level 3 to 4
• Customised/tailored software and tools for automatic detection and repair. [2 ticks]
• Implement pre-emptive measures through analysis, trends, research and external advice to mitigate specific threats/risks. [2 ticks]
• Strategic real-time security monitoring of critical enterprise wide business processes and high value information assets. [4 ticks]

Capability - Level 4 to 5
• Customised/tailored software and tools for pre-emptive detection and prevention of new threats. [1 tick]
• Automatic update of security policies and enterprise wide implementation. [3 ticks]
• Strategic real-time event correlation and pre-emptive risk/threat identification. [4 ticks]
• All critical processes employ automated response capabilities. [2 ticks]
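As an added example that is not part of the IBM deck, the following Python script models the content-filtering posture that Steps 1 to 3 describe: a Basic filter (inbound only, static term rules that are updated by hand) beside an Efficient one (inbound and outbound, with decisions integrated with data classification and network zones), and incident tracking that feeds the periodic compliance review. The class and function names, the zone labels, the classification scheme and the sample traffic are all constructed assumptions, not IBM tooling.

```python
"""Content-filtering policy engine contrasting a Basic and an Efficient posture.

Added example, not IBM's code. All names, the zone labels, the classification
scheme and the sample traffic below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Direction(Enum):
    INBOUND = "inbound"
    OUTBOUND = "outbound"


@dataclass
class Message:
    direction: Direction
    dst_zone: str          # network zone the message is heading to (constructed labels)
    classification: str    # data classification label: "public", "internal", "confidential"
    content: str


@dataclass
class ContentFilter:
    """One filter configuration. The two flags are what separate a Basic posture
    (inbound only, static rules) from an Efficient one (inbound and outbound,
    integrated with data classification and network zones)."""
    blocked_terms: set
    outbound_filtering: bool = False
    classification_aware: bool = False
    # zones that confidential information may be sent to (constructed policy)
    confidential_ok_zones: set = field(default_factory=lambda: {"internal"})
    incidents: list = field(default_factory=list)

    def update_rules(self, new_terms):
        """Regular update of filtering rules: the only maintenance a Basic filter gets."""
        self.blocked_terms |= {t.lower() for t in new_terms}

    def _record(self, msg, reason):
        # Incident tracking: every block is logged so results can be reviewed later.
        self.incidents.append((msg.direction.value, msg.classification, reason))
        return ("block", reason)

    def evaluate(self, msg):
        """Return ("allow" | "block", reason) for one message."""
        lowered = msg.content.lower()
        hit = next((t for t in sorted(self.blocked_terms) if t in lowered), None)
        if msg.direction is Direction.INBOUND:
            if hit:
                return self._record(msg, f"inbound content matched rule '{hit}'")
            return ("allow", "inbound content passed rule set")
        # Outbound: a Basic filter never inspects this direction at all.
        if not self.outbound_filtering:
            return ("allow", "outbound traffic not filtered at this level")
        # Efficient: the decision uses classification and destination zone,
        # not only the term list, so confidential data is caught even when
        # no keyword rule matches.
        if (self.classification_aware and msg.classification == "confidential"
                and msg.dst_zone not in self.confidential_ok_zones):
            return self._record(msg, f"confidential data leaving to zone '{msg.dst_zone}'")
        if hit:
            return self._record(msg, f"outbound content matched rule '{hit}'")
        return ("allow", "outbound content passed policy")

    def review(self):
        """Summary for the periodic compliance review: blocked incidents per direction."""
        summary = {"inbound": 0, "outbound": 0}
        for direction, _classification, _reason in self.incidents:
            summary[direction] += 1
        return summary


# Constructed sample traffic: one inbound spam-like message and three outbound ones.
SAMPLE_TRAFFIC = [
    Message(Direction.INBOUND, "internal", "public", "You won a FREE PRIZE, reply now"),
    Message(Direction.OUTBOUND, "external", "confidential", "Draft merger terms attached"),
    Message(Direction.OUTBOUND, "external", "public", "Public press release for review"),
    Message(Direction.OUTBOUND, "partner", "confidential", "Joint project plan v2"),
]


def basic_filter():
    """Basic posture: off-the-shelf inbound keyword filtering only."""
    return ContentFilter(blocked_terms={"free prize"})


def efficient_filter():
    """Efficient posture: inbound and outbound, tied to classification and zones."""
    return ContentFilter(blocked_terms={"free prize"}, outbound_filtering=True,
                         classification_aware=True,
                         confidential_ok_zones={"internal", "partner"})


def run_posture(flt, traffic=SAMPLE_TRAFFIC):
    """Evaluate the sample traffic and return the list of actions taken."""
    return [flt.evaluate(m)[0] for m in traffic]


if __name__ == "__main__":
    for name, flt in (("Basic", basic_filter()), ("Efficient", efficient_filter())):
        print(name, run_posture(flt), "review:", flt.review())
```

The Basic filter lets the confidential outbound message through because outbound traffic is simply not in scope, which is the residual risk Step 2 lists for that level ("No means of managing outbound high value assets"); the Efficient filter blocks it on classification and zone alone, without needing a keyword rule, and its review summary is what a scheduled compliance review would consume.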



The result: a pragmatic, applicable roadmap to drive an effective enterprise security program

[Diagram: (1) Assessment tool and (2) Reference library feed into the Roadmap – "Create roadmap for security enhancement program"]

Information Security must be managed across the total environment

• Threat profiles are constantly changing
  – Standing still is no longer an option
• There is no such thing as ‘Zero Risk’
  – Understand and balance risk and control capability across the total spectrum
• Security needs to be risk mitigant and enabler
  – Actions need to be purposefully managed, focused, effective and efficient.

Thank you

Disclaimers and Trademarks

• No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.
• Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
• THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.
• IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
• The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z.
• Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries.
• Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries.
• UNIX is a registered trademark of The Open Group in the United States and other countries.
• Linux is a trademark of Linus Torvalds in the United States and other countries.
• Other company, product, or service names may be trademarks or service marks of others.
• ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.
• IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.