The Information Security Jigsaw: The Technical perspective

John Carr, Senior Manager Information Security, Cap Gemini Ernst & Young

What kind of jigsaw?

Procedural Security

Risk Management

Physical & Personnel Security

Technical Security

Security Operations

Content

• Introduction

• Why it’s so important

• The risks

• Is it for real?

• What happens if it goes wrong

• The Solutions on offer

• Conclusions

Introduction

• Security is now in the forefront of corporate planning and management

• No sectors can exclude themselves now

• Need to communicate means proliferation of external connectivity on a global scale

• Greater need to establish the risks

• Need for a mix of solutions - this is the technical component!

Why Security is so important

• Security is a key business enabler, particularly in e-space

• All enterprises are at risk and this is increasing

• Business change can be a dangerous venture without considering security risks

• Public facing organisations require evidence of due diligence

• If there are problems people will find out

• Management accountability is high, so is peace of mind

• Preventing problems is cheaper than fixing them or recovering from them

The Risks (1)

• Risks to the network

– Threats - Hacking, Leakage, DOS, Malicious Code, Misuse of Resources, Abuse

– Vulnerabilities (weaknesses in O/S protocols, degree of resistance to attack)

– Impacts (frauds, modification)

– Privacy issues (browsing, cookies, logs)

• Use of Wireless LANs

The Risks (2)

• Risks of connecting with other people’s networks

– You have no control; back doors to hostile environments; different architectures; difficulties in securing the links.

• Other Risks

– Human errors

– Other theft

– Sabotage

– Environmental failure

Is it for Real?

In the News

• The White House

• Marks & Spencer

• Barclays On-line

• Amazon (Privacy)

• Consumers Association (Which)

• Yahoo

• Norwich Union

Case Studies

• City Financial Institution

– The virus attack from hell!

• Global Media Corporation

– All comms traffic through a single multiplexor without access control!

• Global Automotive Co.

– What do you mean this technical architecture won’t work - it’s costing us ££!

Is it for Real?

An infection occurred despite tight anti-virus controls, multiple products & platforms, strong management and a strict culture.

Yet a virus still got in and infected 30-odd PCs internally before clean-up.

Thankfully, one of their existing gateways picked it up and stripped it out of approximately 100 mails bound for clients, business associates etc. Phew!!!!!!

But it put a note to that effect in the message! ARRGGH!!

• The cause of the problem?

Real Events do Happen!

• Use of Web based mail hosts

• Use of Web based mail hosts which don’t scan for viruses either coming in or going out

• Use of Web based mail hosts that use SSL to encrypt the session!

• So the incoming checker couldn’t identify the virus!

Page 11: The Information Security Jigsaw The Technical perspective

What Happens if it goes wrong?

• If your information is corrupted, you can’t do billing or other financial work

• If bill presentment was compromised then key customers could be lost

• If your information is out of date or inaccurate you may injure individuals or mislead clients

• If your information is disclosed without authority you could face legal or regulatory penalties

• If you contract a network virus, you may have to close your entire network and be almost unable to operate

• If your systems fail then you can’t do business transactions

• IF YOU DON’T PROTECT YOURSELF YOU MAY NOT HAVE ANYTHING LEFT TO PROTECT

Solutions!

• Anti Virus Regimes

• Intrusion Detection Systems

• Artificial intelligence

• Use of trusted products & services

• Audit collection, analysis and interpretation

• Firewalls & routers

• PKI???

• Wireless LANs…………...

Anti-Virus regimes

• Scanners are not enough on their own

• Function specific and different

• Culture need

• Update capabilities

• Holistic software

• AI??

Intrusion Detection Systems

• Perimeter monitoring

• System tools

• Interception

• Intrusion alert

• Configuration critical

• Overheads

Artificial intelligence!

• Is here now!

• Systems to detect irregular patterns in system activity

• Machine created profile/footprint

• Alert capability

• Not able yet to detect right and wrong

Trusted Products

• Old Orange book from US

• UK ITSEC for government

• Common Criteria now for EU, US, Canada, Australia etc.

• Kite Mark equivalent for anti-virus s/w

• Commercial schemes?

Audit

• Collection capabilities long standing

• Real time monitoring and alert possible

• Analysis tools available

• Tight regimes are labour or machine intensive

• Need for interpretation (AI??)

Firewalls & Routers

• Network protection

• Filtering capabilities

• Intelligent routers

• Positioning

• Configuration

• Degree of trust

PKI

• The great saviour?

• Digital Certificates - authentication OK but alternatives exist

• Digital Signatures - trust, assurance OK

• Encryption - confidentiality - not really!

• Too costly to implement and manage

• Uncertain future

Wireless LANs

• The great issue at the moment.

• How to secure something that does not lend itself to security?

• Short range repeaters

• Screening - Ugh!!!

• Back door bolted

• MAC Address filtering

Conclusions

• There are many technical risks and they are increasing and evolving.

• There are solutions but not panaceas

• You can only defend against that which you know

• Technical security is not enough on its own

• The future is uncertain - we can only do our best but it must be the best!