Page 2
Page 3
200+ mainframes
276+ open-system business-critical applications
37,000 desktops
2,500 support servers
6,000 main network devices
165 terabytes of data; storage growing 50%+ a year
Several million transactions/sec
Page 4
Page 5
Page 6
Page 7
Page 8
Physical
Process
Content
Page 9
Ubiquitous, trusted, affective, social, advisory, always on
Mainframe: organizations (command and control)
Client/server: focus on individuals (cooperation, coordination, and communication)
Page 10
Page 11
Pablo Picasso. Guernica. 1937. Oil on canvas. Museo Nacional Centro de Arte Reina Sofía, Madrid, Spain
Page 12
Zero-day worm: Slammer, 30 minutes later
Page 13
Security
Information
The debate
Page 14
Page 16
Page 17
Page 18
Page 19
LAYERS
Common layers (all sectors): Technical Application Layer; Control Layer; Feature Layer; Terrain Layer
Sector-dependent layer: Operations Layer
Telecom: Billing & Resource Planning; SS7
Utilities: Billing & Resource Planning; Load Balancing; Reliability; Grid / Pipeline Monitoring & Control; SCADA
Financial: Billing & Payment; Internet Banking; Stock / Financial Exchanges; POS Terminals; ATMs; Financial Services
Gov: Legislation; Taxation; Law - Order; Services
Health care: Hospitals; Labs & Clinics; Pharmacies; HL7; Billing; Administration; Diagnostics; Electronic Records; Secure channels
Page 21
Hackers
Script kiddies
Industrial espionage
Cyber-terrorists,
Competitors
Suppliers
16 new malware products launched every day: viruses, worms, trojan horses, spyware etc.
77 new vulnerabilities discovered every day
20 minutes guaranty
Probes against Financial Institutions web sites launched every 6 seconds
Social engineering is on the rise: People are the weak link
Page 22
Page 23
Page 24
Source:
Page 26
Hacking Beliefs
Identity Theft
One of the fastest growing crimes. Statistics Canada reports 13,359 cases, $21.5 million losses in 2003
Account takeover (credit cards, bank accounts)
Application fraud (open new accounts with the victim's ID)
Industry needs improved identity management solutions and strong public awareness
Phishing (using email scams to collect confidential information)
Key issues: detection, shutting down bogus sites, customer awareness
Banks are posting warnings on their public sites, and updating security page information with Q&A type of information.
Page 27
Page 28
Structuring Risks
An Organizational Risk Categorization Taxonomy
Page 29
Structuring Risks
Regulatory Environment: where are the controls ?
Privacy
Security
Page 30
Some Potential Penalties
Regulation          Potential penalties                                 Potential fines
SOA                 20 years in prison                                  $15 million
Basel II            Regulatory agency penalties: vary by G-20 country   Regulatory agency fines: vary by G-20 country
HIPAA               10 years in prison                                  $250,000
GLBA                10 years in prison                                  $1 million
Patriot Act         20 years in prison                                  $1 million
DoD 5015.2          Contract penalties
California SB 1386  Suspension/expulsion                                $1 million+
Page 31
Emergent Behaviors:
An Ecological View of Organizational Risk
Environment (external drivers, positive and negative): priorities; standards; projects; laws; threats; new technology; compliance; resources; the market; drivers; practices
Governance bodies: Network Security Council; Inet; Ipt; ARB; etc.
Organizational accumulated technical residual risk = the tech residual risks of the information infrastructure and of the IPC
Active Information Security Strategy (mitigating controls): education and awareness; risk management; RCSA; data classification; reviews; identity management; vulnerability analysis; alerts; outsourcing; LoB risk officers; capital at risk; certificates; access management; escalations; crypto policy; audit
Page 32
The Knowledge Transfer Cycle
[Figure: Security Functions plotted against Organizational Complexity/Capability (Low to High) and Technical Threats (Passive to Real time); Digital Rights Management sits at the high-complexity end]
Page 33
Knowledge transfer
[Figure: The Knowledge Transfer Cycle 2. Axes: Organizational Complexity/Capability (Low to High) vs threats (Passive to Real time). Security functions plotted: Digital Rights Management; Vulnerability Analysis. Knowledge networks: FIRST; CBA; Vendors; BMO IS; wireless; PSECP; FI CIRT & other Banks; Projects; Clients and Businesses; Telecom; CANCERT; Info/infrastructure; Utilities; Health]
Page 34
Clients/Users: Content control; Digital Signatures
Infostructure: Object Integrity; User Access
Infrastructure: Access Management
Business Applications; Operational Support; Perimeter Protection
Security
Page 35
STRATEGIC / TACTICAL / OPERATIONAL
RISK/COST: risk curves across Business Requirements, Design, Development and Implementation
STRATEGIC: Governance and policies: Policies; Standards; Procedures; Guidelines; Awareness; Research
TACTICAL: Application/system development and deployment: Design reviews; IS solutions; Due care; Risk acceptance; New technology insertion
OPERATIONAL: Active security posture: Antivirus management; Vulnerability assessments; Intrusion detection; Incident response; Operations
OPERATIONAL: IS services: Access management; Key management; Security token management; Other operational services
Page 36
per system
per person
per incident
Tycho Brahe (1546-1601)
Page 37
[Chart: Number of Projects and Number of Issues per quarter, Q3 2003 to Q3 2004]
[Chart: patch deployment, % Complete vs Days Elapsed. Patch Announced: zero days elapsed. Advisory upgraded (exploit emerges): 11 days elapsed. Sasser worm emerges: 17 days elapsed]
Page 38
[Chart: patch deployment, % Complete vs Days Elapsed, with deployment thresholds]
Patch Announced: zero days elapsed
Advisory upgraded (exploit emerges): 11 days elapsed
Sasser worm emerges: 17 days elapsed
Proposed "Accelerated" Threshold: 7 days elapsed
"Accelerated" Threshold: 2 days elapsed
"Normal" Threshold: 2 weeks elapsed
Patch classifications shown: Emergency; Accelerated; Accelerated; Accelerated; Accelerated; Normal; Accelerated; Normal; Normal
Note: April 2004 release required 4 separate patches
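The slide's point is that a deployment window fixed at release is only safe until an exploit appears: once the advisory is upgraded, a "Normal" two-week window is already too long. The following tracker is an added example, not code from the presentation or from BMO. It takes the three thresholds on the slide (2, 7 and 14 days) as given; the escalation rule (public exploit forces at least Accelerated, a worm in the wild forces Emergency, the window still counts from the announcement date) and the MS04-011 dates are assumptions chosen so that the offsets match the slide's timeline (exploit at day 11, worm at day 17).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deployment windows in days from patch announcement (the thresholds on the slide).
THRESHOLD_DAYS = {"Emergency": 2, "Accelerated": 7, "Normal": 14}
RANK = ["Normal", "Accelerated", "Emergency"]  # escalation order, low to high


@dataclass
class PatchRecord:
    name: str
    announced: date
    initial_class: str = "Normal"           # classification when released
    exploit_public: Optional[date] = None   # "advisory upgraded (exploit emerges)"
    worm_in_wild: Optional[date] = None     # self-propagating code observed


def days_elapsed(p: PatchRecord, on: date) -> int:
    return (on - p.announced).days


def milestones(p: PatchRecord) -> dict:
    """Days from announcement to each escalation event that has a date."""
    out = {}
    if p.exploit_public:
        out["exploit"] = days_elapsed(p, p.exploit_public)
    if p.worm_in_wild:
        out["worm"] = days_elapsed(p, p.worm_in_wild)
    return out


def effective_class(p: PatchRecord, on: date) -> str:
    """Assumed escalation rule: a public exploit forces at least Accelerated,
    a worm in the wild forces Emergency; a class is never downgraded."""
    cls = p.initial_class
    if p.exploit_public and p.exploit_public <= on:
        cls = max(cls, "Accelerated", key=RANK.index)
    if p.worm_in_wild and p.worm_in_wild <= on:
        cls = "Emergency"
    return cls


def deadline(p: PatchRecord, on: date) -> date:
    """The window is counted from the announcement date, so an escalation
    shortens it retroactively and can leave the deadline in the past."""
    return p.announced + timedelta(days=THRESHOLD_DAYS[effective_class(p, on)])


def status(p: PatchRecord, pct_complete: float, on: date) -> dict:
    """Where the rollout stands on a given day: class, deadline, overdue days."""
    cls = effective_class(p, on)
    due = deadline(p, on)
    return {
        "class": cls,
        "deadline": due.isoformat(),
        "days_overdue": max((on - due).days, 0),
        "breached": pct_complete < 100 and on > due,
    }


# Constructed record (assumption): dates chosen so the offsets match the slide,
# exploit at day 11 and worm at day 17; not data taken from the presentation.
MS04_011 = PatchRecord(
    name="MS04-011",
    announced=date(2004, 4, 13),
    exploit_public=date(2004, 4, 24),
    worm_in_wild=date(2004, 4, 30),
)

if __name__ == "__main__":
    for day, pct in [(5, 25.0), (12, 60.0), (17, 80.0)]:
        on = MS04_011.announced + timedelta(days=day)
        print(f"day {day:2d} at {pct:5.1f}% complete -> {status(MS04_011, pct, on)}")
```

Run stand-alone it walks the rollout through day 5 (Normal, due day 14, on track), day 12 (exploit public, escalated to Accelerated, deadline was day 7, so already 5 days late) and day 17 (worm, Emergency, deadline was day 2). The design choice worth noting is that the clock is not restarted on escalation: measuring from the announcement is what makes the report show the debt that was incurred by treating the patch as Normal in the first place.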
Page 39
Major Networks
[Chart: values by Year/Quarter for Capital Markets, CWAN, BWAN, Nesbitt Burns Capital Markets and Harris. Values as extracted, column assignment not recoverable: 2001: 1.84, 2.91, 6.04, 3.35; 2002 Q1: 2.53, 3.38, 5.34, 2.04; 2002 Q2: 2.08; 2002 Q3: 2.93, 3.19, 4.77; 2002 Q4: 3.01; 2003 Q1: 2.63, 1.84, 2.41, 2.35, 2.98, 3.59]
Page 40
Information Security Service dashboard (columns: Enterprise Posture; Forecast; Last Q; Details on page)
Groups: Security Practices & Technology; Information Protection Centre; Information Security Operations; Business Analytics
Project Assessments
Training
Anti Virus (page 11)
Vulnerability Assessment (page 12)
Intrusion Detection (page 13)
Response/Management (page 14)
Key Management (page 15)
Encryption (PKI) (page 16)
Access Management (page 17)
CSPIN (devices) (page 18)
Remote Access (page 19)
Analytics/reporting (pages 20, 21)
Legend (symbols not preserved in extraction): positive trend; negative trend; unsatisfactory; fully satisfactory; Key Issues; stable
Page 41
?
Security Investments
Incidents Costs
Page 42
Security services: Intrusion detection; Application security; Anti-Virus; Project assessment; Access management; Vulnerability Assessments; Firewall rules; Key management; Incident management
IT processes: Availability; Application development; Architecture; Problem management; Capacity; Patches; IT Service continuity; Incident management; Configuration; Service level; Change management
Page 43
Phase            Description
0. Absence       Nothing present
1. Initiation    Concrete evidence of development
2. Awareness
3. Control
4. Integration
5. Optimization
Characteristics of the higher phases: resources allocated; formalized; visible results; management reports; tasks/authorities defined; active rather than reactive; documentation; formal planning
Page 44
Page 45
Page 46
Organizational focus
The objective is to lower the overall risk through capability maturity framework integration
Lifecycle: Bus. Req.; Design; Development; Implementation; Operations (ITIL, ISO 17799)
Packet Level Integrity (closed business systems, perimeter control): IP level; Protocol aware; Perimeter based; Closed API; Limited # of users; Single admin; Simple provisioning; Node based; Heterogeneous; Island of security; Under-maintained
Application Level Assurances (XML based, application control, content aware, higher value, integrated business systems): Accessible API; Many users; Multiple connections; Cross-organization access
Managed Security Services: Integrated network view; Consistent policies; Tiered administration; Remote monitoring and management; Business automation
Number of Digital IDs: Partners (B2B); Company (B2E); Customers (B2C)
Growth axes: ROLES; Mobility; Applications; Internet; Growth of unstructured Documents; CONTENT; Client Server; Mainframe
Page 49
Michael C. Daconta
Page 50
Where are the risks coming from with the rise of the infostructure?
Where is the locus of control outside the boundaries of the organization?
Policy: Rules (XML)
Infostructure: Content
Infrastructure: Technology
[Diagram: Web Application Provisioning Engine; Content request / Content response; Application Cell; Web Server; Profiles; Rights and Privileges; PDA; Rules; Content Management System; Syndication Server; Static Content; Style Sheets; Application; Application Data Server]
Page 52
Standards: NetBiz; RosettaNet
Offerings; Resources; Transactions; References; Locations; Policy and regulations; Directions; Contracts; Finances; Markets
E-Content Life Cycle Management
Syntax: XML; Topic Maps; RDF; UDDI; XBRL
Outcomes: Quality of Service; Risk Assessment; Content Classification; Sensitivity; Data Quality; Information Life cycle; Knowledge; ROI on Intellectual Capital
Taxonomies: Organizations; Business Applications; Roles
Page 53
Classification   Examples of content
Public           News clippings; Market Data
Internal         Policy documents; Routine Procedures; Log files; Passwords lists; Customer Names; Project documentation; Customer Snapshots
Confidential     Account Numbers; Customer public identification associated with account information; Strategic Plans
Controls (increasing with sensitivity): Broad Access Control; Content lifecycle management; Separation of Duties; Identity Management; Digital Rights Management Services
Page 54
Entities: HR Reporting Hierarchy; Employee; Non-Employee; Individual; Position; Position Hierarchy; Org Unit / Location; Role; Role Group; CPM Role Group; Right / Privilege; Standard Target; Actual Target; Application; System; Enterprise Asset; User Interface (Desktop); Application User ID; EnID; Provision; Activity
Relationships:
Employee / Non-Employee is an Individual
Individual occupies Position; Position reports to Position (Position Hierarchy); Position is at an Org Unit / Location; HR Reporting Hierarchy updates Position
Position has a Role; Role is part of Role Group / CPM Role Group; Role identifies access needs of role
Role includes Right / Privilege; Right / Privilege is needed to access Application, System, Enterprise Asset, User Interface (Desktop)
Standard Target: targets are based on Role; Actual Target: what is provisioned
EnID maps to Application User ID; Application User ID is granted Right / Privilege
Provision generates / applies to access; Activity requires Provision
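The model above separates what a position's roles justify (Standard Target) from what is actually provisioned on each application (Actual Target). The code below is an added example that is not part of the presentation: a minimal version of those entities used to reconcile the two sets and to run a separation-of-duties check over actual access. All names, roles, rights and the rule that some roles are employee-only are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# A privilege is a right on a target: (target, right), e.g. ("CoreBanking", "post-txn").
Privilege = Tuple[str, str]


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[Privilege]
    employee_only: bool = False   # assumed rule: some roles never go to non-employees


@dataclass
class Position:
    title: str
    org_unit: str
    roles: List[Role]


@dataclass
class Individual:
    en_id: str                     # enterprise ID (EnID)
    position: Position
    employee: bool = True
    # Application user IDs actually provisioned: application -> rights held there.
    actual: Dict[str, Set[str]] = field(default_factory=dict)


def standard_targets(ind: Individual) -> Set[Privilege]:
    """Standard Target: the access the individual's position and roles justify."""
    privs: Set[Privilege] = set()
    for role in ind.position.roles:
        if role.employee_only and not ind.employee:
            continue
        privs |= role.privileges
    return privs


def actual_targets(ind: Individual) -> Set[Privilege]:
    """Actual Target: the access that is really provisioned on the applications."""
    return {(app, right) for app, rights in ind.actual.items() for right in rights}


def reconcile(ind: Individual) -> Dict[str, List[Privilege]]:
    """Excess = provisioned but not justified (revoke); missing = justified but absent."""
    std, act = standard_targets(ind), actual_targets(ind)
    return {"excess": sorted(act - std), "missing": sorted(std - act)}


def sod_violations(ind: Individual, rules: List[Tuple[Privilege, Privilege]]):
    """Separation of duties over actual access: pairs one person must not hold together."""
    act = actual_targets(ind)
    return [pair for pair in rules if pair[0] in act and pair[1] in act]


# Constructed sample data (assumptions, not from the presentation).
TELLER = Role("Teller", frozenset({("CoreBanking", "view-account"), ("CoreBanking", "post-txn")}))
APPROVER = Role("Approver", frozenset({("CoreBanking", "approve-txn")}))
HR_VIEWER = Role("HRViewer", frozenset({("HRIS", "view-employee")}), employee_only=True)

SOD_RULES = [(("CoreBanking", "post-txn"), ("CoreBanking", "approve-txn"))]

# Alice was once an approver; the right was never revoked when she moved to teller.
ALICE = Individual(
    "E10001", Position("Branch Teller", "Branch 042", [TELLER]),
    actual={"CoreBanking": {"view-account", "post-txn", "approve-txn"}},
)
# Bob is a contractor in a position whose only role is employee-only.
BOB = Individual(
    "C20002", Position("HR Analyst (contract)", "HR", [HR_VIEWER]), employee=False,
    actual={},
)

if __name__ == "__main__":
    for person in (ALICE, BOB):
        print(person.en_id, reconcile(person), sod_violations(person, SOD_RULES))
```

Run as-is it flags Alice's leftover approve-txn right both as excess access and as a separation-of-duties conflict with post-txn, and reports nothing for Bob, whose contractor status keeps the employee-only role out of his standard set. In a real review the "excess" list is the revocation work queue and the "missing" list is the provisioning backlog; keeping them as set differences over (target, right) pairs makes the review independent of how each application names its accounts.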
Page 55
[Figure: Security Functions plotted against Organizational Complexity/Capability (Low to High) and response (Passive to Real time). Infrastructure Architecture: Firewalls. Infostructure Architecture: XML Firewalls; Digital Rights Management; Role based identity; Access management. Semantic Management and Content Management at the high end (Daconta)]
Page 56
B2B models
Taxonomies and ontologies
XML Protocols
WS-Security standards
Page 57
Page 58
Pink Floyd
Norbert Wiener
Page 60
Page 61
Colophon
Page 62
Thank you
Page 63