2010-02 Building Security Architecture Framework
by Mark Whitteker, Cisco
Raleigh ISSA
Nov 06, 2014

Transcript
Page 1: 2010-02 Building Security Architecture Framework

Mark Whitteker, MSIA, CISSP

Security Architect / Information Systems Security Officer

Cisco Systems, Inc.

Building a Comprehensive Security Architecture Framework

Page 2

© 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2

Mark Whitteker, MSIA, CISSP, GSNA, GCFA

• Security Architect and Information Systems Security Officer at Cisco Systems, Inc.

• 15+ years of experience in secure solutions development, systems and network auditing, forensic discovery, vulnerability assessments, and security management.

• Extensive background in the application of commercial and US government regulations and requirements

• Can be reached at: [email protected] http://www.linkedin.com/pub/mark-whitteker/3/480/68b

Page 3

Agenda

• The Problem

• The Solution

• The Dirty Details

• Q&A

Page 4

Why do I need a security framework? Here’s a house built on a planned framework…

[Images: the framework, and the finished product]

The result: an efficient and elegant home!

Page 5

Why do I need a security framework? Here’s a house built without a planned framework…

The result: I haven’t seen my wife and children in days!

Page 6

The Problem

Page 7

Problem Description

• Few of us have the luxury of building our organization’s security architecture from the ground up

• Some security services already exist (hopefully)

• Your organization must comply with one or more industry standards, e.g. ISO 27001/27002, NIST SP 800-53, SOX, PCI

• You need to demonstrate to auditors your compliance with the resulting requirements

Page 8

Compliance with Requirements: Can you say “Checkbox Security”?!?

• Auditors validate that all the checkboxes are complete

• Security professionals know (or should know) that: Compliance != Security

• Security is achieved by understanding the organization’s risks and implementing mitigation steps to reduce them to within management’s tolerance level

• So how do you show auditors compliance with requirements while actually improving your security posture?

Page 9

If you keep going how you’ve always gone, you’ll end up where you’ve always been.

Page 10

The Solution

Page 11

Bring it all together!

• Map security services to industry standards through a comprehensive, end-to-end security framework

• Shows auditors how you are complying with industry standards

• Demonstrates to management the value of security services

[Diagram: Industry Standards mapped to Security Services through the framework]

Page 12

The Dirty Details

Page 13

Comprehensive Framework Diagram

Page 14

Implementation Phases

Phase 1: Define Requirements

Phase 2: Implement Requirements

Phase 3: Measure Success

Rinse and Repeat

Page 15

Phase 1 - Define Requirements

Page 16

Industry Standards

Page 17

Industry Standards: Build a Requirements Crosswalk Matrix

• Most industry standards, while different, are based on the same security principles/requirements

• Determine where similarities exist and group them together

[Diagram: Industry Standard A Password Complexity Requirement + Industry Standard B Password Complexity Requirement -> Organizational Password Complexity Requirement]

Page 18

Crosswalk Example – Audit Logging

• Company must comply with ISO 27001/27002

• A business unit within the company provides government services and must comply with NIST SP 800-53 (per FISMA)

• Crosswalk matrix developed to integrate both sets of requirements into a single framework

[Diagram: ISO 27001 A.10.10.1 + NIST SP 800-53 AU-1 through AU-5, AU-8, AU-11, AU-12 -> Organizational Audit Logging Requirements]

Page 19

Crosswalk Example – Continued

• ISO 27001/27002 – A.10.10.1 Audit logging: Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring. Includes a list of 12 relevant event types.

• NIST SP 800-53 AU-1 through AU-5, AU-8, AU-11, AU-12: Audit and Accountability Policy and Procedures, Auditable Events, Content of Audit Records, Audit Storage Capacity, Response to Audit Processing Failures, Time Stamps, Audit Record Retention, and Audit Generation

Page 20

Crosswalk Example – Continued

• Organizational Audit Logging Requirements combine the requirements from both standards into a single set of organizational standards

• Where the standards differ in level of implementation/stringency, the most stringent requirement prevails
  Example: 3 year log retention vs. 5 year log retention -> Organizational Requirement: 5 year retention

• Where there are genuine conflicts (requirements that cannot both be satisfied, so "most stringent" does not resolve them), the organization must determine which industry standard has precedence; this may require the involvement of the legal department
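A worked version of the crosswalk rule described above, added here as an example; it is not code from the presentation or from Cisco. The control identifiers are the ones the slides cite. The retention periods, auditable-event lists and time-stamp flag attached to each standard are constructed to illustrate the merge, not quotations of either standard, and the "customer contract" that caps retention is invented to show what a real conflict (as opposed to a difference in stringency) looks like.

```python
"""Requirements crosswalk for one control area (added example).

Control ids follow the slides (ISO 27001 A.10.10.1; NIST SP 800-53 AU-1..AU-5,
AU-8, AU-11, AU-12). All per-standard parameters below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Requirement:
    standard: str                       # source standard, e.g. "ISO 27001/27002"
    control_ids: list[str]              # controls in that standard covering this area
    retention_years: int | None = None  # minimum log retention; None = org decides
    event_types: set[str] = field(default_factory=set)  # events that must be logged
    clock_sync: bool = False            # requires synchronized time stamps
    max_retention_years: int | None = None  # hard cap, e.g. from a contract or law


@dataclass
class OrgRequirement:
    area: str
    sources: dict[str, list[str]]       # standard -> control ids (the crosswalk row)
    retention_years: int | None
    event_types: set[str]
    clock_sync: bool
    conflicts: list[str]                # need a precedence decision, not a merge


def crosswalk(area: str, reqs: list[Requirement]) -> OrgRequirement:
    """Merge one control area across standards.

    Differences in stringency are resolved by "most stringent prevails": the
    largest minimum retention, the union of auditable events, and clock sync if
    any standard demands it. A conflict is what that rule cannot resolve: one
    source caps retention below another source's minimum. It is recorded for a
    precedence (often legal) decision instead of being silently picked.
    """
    sources = {r.standard: list(r.control_ids) for r in reqs}
    minimums = [r.retention_years for r in reqs if r.retention_years is not None]
    retention = max(minimums) if minimums else None
    events: set[str] = set().union(*(r.event_types for r in reqs))
    clock_sync = any(r.clock_sync for r in reqs)

    conflicts = []
    for r in reqs:
        cap = r.max_retention_years
        if cap is not None and retention is not None and retention > cap:
            conflicts.append(
                f"{r.standard} ({', '.join(r.control_ids)}) caps retention at "
                f"{cap} years but the merged minimum is {retention} years")
    return OrgRequirement(area, sources, retention, events, clock_sync, conflicts)


def matrix_row(org: OrgRequirement) -> str:
    """One line of the crosswalk matrix: each standard's controls -> org requirement."""
    cols = [f"{std}: {', '.join(ids)}" for std, ids in org.sources.items()]
    ret = "org decides" if org.retention_years is None else f"{org.retention_years}y"
    return (f"{org.area} | " + " | ".join(cols)
            + f" | retain {ret}, {len(org.event_types)} event types")


# Constructed inputs mirroring the slide's 3-year vs 5-year example
ISO_AUDIT = Requirement("ISO 27001/27002", ["A.10.10.1"], retention_years=3,
                        event_types={"user id", "logon", "logoff", "failed access"})
NIST_AUDIT = Requirement("NIST SP 800-53",
                         ["AU-1", "AU-2", "AU-3", "AU-4", "AU-5", "AU-8", "AU-11", "AU-12"],
                         retention_years=5, clock_sync=True,
                         event_types={"failed access", "privileged actions", "audit failure"})
# Constructed: a customer contract that caps how long logs may be kept
CONTRACT_CAP = Requirement("Customer contract (constructed)", ["clause 7.2"],
                           max_retention_years=4)


def audit_logging_requirement() -> OrgRequirement:
    return crosswalk("Audit Logging", [ISO_AUDIT, NIST_AUDIT])


def audit_logging_with_cap() -> OrgRequirement:
    return crosswalk("Audit Logging", [ISO_AUDIT, NIST_AUDIT, CONTRACT_CAP])


if __name__ == "__main__":
    org = audit_logging_requirement()
    print(matrix_row(org))                       # ... | retain 5y, 6 event types
    for c in audit_logging_with_cap().conflicts:  # the case legal has to decide
        print("CONFLICT:", c)
```

The point of separating `conflicts` from the merge is the one the slide makes: "most stringent wins" is a mechanical rule an engineer can apply, but a cap below another source's floor is a precedence decision that has to be escalated, and the matrix should make that visible rather than quietly choosing.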

Page 21

Organizational Policies

Page 22

Organizational Policies

• Once the organizational requirements have been determined, the organization must develop security policies

• Developing policies and obtaining executive approval can be a cumbersome and time consuming process

• Keep policies high-level and solution agnostic
  Helps to ensure successful collaboration efforts among policy contributors
  Minimizes the need to revisit policies as technology changes; a 2 year review cycle is usually sufficient

• Create as few policies as possible, but keep them domain specific

Page 23

Organizational Policies Example

Source: Cisco’s Global Government Solutions Group – IT (GGSG-IT)

Acceptable Use
Business Continuity and Disaster Recovery
Contract Security for Information Systems
Cryptographic Controls
Data Classification
Data Protection
Incident Management
Information Security Management
Information System Authorization and Account Management
Information Systems Auditing and Testing
IT Operations Security
Personnel Security for Information Systems
Physical and Environmental Security
Risk Management
Security Compliance Management
Security Policy Architecture
Security Training and Awareness
Standardized Glossary – Taxonomy
System Development Lifecycle Security
User Identification and Authentication

Page 24

Organizational Policies Example (cont)

Mapping of each security policy to the ISO 27001/27002 controls and NIST SP 800-53 Rev 2 controls it implements:

Security Policy | ISO 27001/27002 | NIST SP 800-53 Rev 2
Acceptable Use | 07.01.03, 11.02.03, 11.03.01, 11.03.02, 11.03.03 | PL-4, PS-6
Business Continuity and Disaster Recovery Plan | 14.01.02, 14.01.03, 14.01.04, 14.01.05 | CP-(1-10)
Contract Security for Information Systems | 06.01.04, 06.02.03, 12.01, 12.05, 15.01.02 | SA-(1,6,9)
Cryptographic Controls | 12.03.01, 12.03.02, 15.01.06 | IA-7, SC-(8,9,12,13)
Data Classification | 07.02, 07.02.01, 07.02.02, 10.07.03 | AC-16, MP-3
Data Protection | 06, 07.02.02, 09.01, 10, 11, 12, 15 | MP-1, SC-(8,9), SI-(1,7)
Incident Management | 06.01.05, 06.01.06, 13.01.01, 13.01.02, 13.02 | IR-(1-7)
Information Security Management | 06.01.01, 06.01.02, 06.01.07, 06.01.08 | PL-1
Information System Authorization and Account Management | 06.02.01, 07.01.03, 08.02.01, 10.02, 10.10.03, 11.01.01, 11.04, 11.05, 11.06.02 | AC-(1,2)
Information Systems Auditing & Testing | 06.02.01, 07.01.01, 10.01.03, 10.10.05, 15.02, 15.03 | AU-(1-11), RA-(3-5), SA-(5,11), CA-(1,2), AC-5, IR-3, CP-4, SI-6

Page 25

Organizational Policies Example (cont)

Security Policy | ISO 27001/27002 | NIST SP 800-53 Rev 2
IT Operations Security | 06.01.03, 10, 11, 12, 15 | SC-1, SI-1
Personnel Security for Information Systems | 06.01.03, 06.01.05, 08.01, 08.02, 08.03, 13.01, 15.01, 15.02.01 | PS-(1-8)
Physical and Environmental Security | 09.01, 09.02, 13.01.02, 14.01.03 | PE-(1-17)
Risk Management | 14.01.02, 08.02.02 | RA-1
Security Compliance Management | 10.10.01, 10.10.02, 13.01.01, 13.02.03, 15.01, 15.02.01, 15.02.02 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, RA-1, MA-1, MP-1, IA-1, IR-1, PE-1, PL-1, PS-(1,7), SA-(1,9), SC-1, SI-1
Security Policy Architecture | 05.01.01, 05.01.02 | PL-1
Security Training and Awareness | 05.01.02, 06.02.03, 08.02.02 | AT-(1-4)
Standardized Glossary - Taxonomy | 07.01.02, 07.02, 07.02.01 | Appendix B
System Development Lifecycle Security | 10.01.04, 10.03.02, 10.07.04, 12.01.01, 12.04.02, 12.04.03, 12.05.01, 12.05.03 | SA-(3,8,11)
User Identification and Authentication | 11.02, 11.04.02, 11.05.02 | IA-(1,2)

Page 26

Policy Standards

Page 27

Policy Standards

• Specific technical implementation requirements should be defined in policy standards

• The policies themselves contain hyperlinks and/or references to associated policy standards

• Policy standards do not require review/approval by senior management
  Defined by organizational Subject Matter Experts (SMEs)
  Doesn’t require modification of the overarching policy

• Standards can be modified/updated as technology advances

• Should be reviewed by the SMEs at least yearly to ensure standards stay current with industry trends

Page 28

Policy Standards Example

Page 29

Policy Standards Example

• Cryptographic Controls policy states:
  Purpose: This policy governs the use of cryptographic controls and key management to protect the confidentiality & integrity of Cisco GGSG information assets, as well as to support non-repudiation.

• References multiple policy standards such as:
  Full disk encryption
  Mail, file and folder encryption
  Public Key Infrastructure (PKI)

• More than one policy may apply when defining standards
  The Data Protection policy is also closely related to the Cryptographic Controls policy

Page 30

Policy Standards Reality Check

• Often there isn’t simply a 1:1 mapping between policies and standards

• In many cases multiple policies reference the same standards

[Diagram: the Email Encryption Standard is referenced by the Acceptable Use Policy, the Cryptographic Controls Policy and the Data Protection Policy]

Page 31

Phase 2 - Implement Requirements

Page 32

Policy Implementation Procedures

Page 33

Policy Implementation Procedures

• While Policy Standards specify the technical implementation requirements necessary to comply with policies, Policy Implementation Procedures document the step-by-step instructions for implementing those standards

• They are: specific, repeatable, thorough, validated, and approved

• Assists in improving an organization’s CMM (Capability Maturity Model) level

Page 34

Procedures Example

Installing the Secure Print Client (Windows XP):

1. Open Windows Explorer.

2. In the Address field, type (or cut & paste) \\Rtp-filer09a\wg-g\ggsg-apps\Published\Secure-Print\ and press <Enter>.

3. Double-click on the spxpinstall.bat script from the folder you just opened.

4. Enter your CEC credentials (if prompted).

5. Click Open (if prompted).

6. If necessary, click Yes on the Cisco Security Agent window to allow the script to run.

7. A command window will open and display the installation progress.

8. When the software is done installing, click OK.

Page 35

Security Services

Page 36

Security Services

• Security Services is the most ambiguous area of the framework

• It can be very simple (1-3 services) or very complex (dozens of services), depending on the size and scope of your organization

• Don’t reinvent the wheel! There are existing industry sources that can be used as a baseline:
  SSE-CMM: Systems Security Engineering Capability Maturity Model
  NIST SP 800-35: Guide to Information Technology Security Services

Page 37

Security Services Example: Systems Security Engineering Capability Maturity Model (SSE-CMM)

• Includes 11 security services (process areas):
  Administer Security Controls
  Assess Impact
  Assess Security Risks
  Assess Threats
  Assess Vulnerabilities
  Build Assurance Argument
  Coordinate Security
  Monitor Security Posture
  Provide Security Input
  Specify Security Needs
  Verify and Validate Security

Page 38

Security Services Example: NIST SP 800-35, Guide to Information Technology Security Services

• Includes 3 categories of services: Management, Operational and Technical

• Management Services: Security Program, Security Policy, Risk Management, Security Architecture, Certification and Accreditation, and Security Evaluation of IT Projects

• Operational Services: Contingency Planning, Incident Handling, Testing, and Training

• Technical Services: Firewalls, Intrusion Detection/Prevention, and Public Key Infrastructure

Page 39

Phase 3 – Measure Success

Page 40

Measure Success

• How do you know if your security program is successful?

Page 41

Risk Assessments

• Perform a risk assessment!

• There are two types of risk assessments:
  Qualitative: a subjective assessment of the organization’s risk, typically achieved through personnel interviews and surveys.
  Quantitative: a non-subjective assessment of the organization’s risk based on mathematical calculations using security metrics and monetary values of assets.

• Which one is right for your organization?

Page 42

Qualitative Risk Assessments

• Pros
  Calculations are simple
  Not necessary to determine monetary value or threat frequency
  Not necessary to estimate cost of risk mitigation measures
  General indication of significant risks is provided

• Cons
  Subjective in both process and metrics
  Perception of asset/resource value may not reflect actual value
  No basis is provided for cost/benefit analysis
  Not possible to track risk management performance

• Although this method is very subjective in nature, it can be very beneficial when an organization is young and still maturing

Page 43

Quantitative Risk Assessments

• Pros
  Based on independently objective processes and metrics
  Value of information expressed in monetary terms is better understood
  Credible basis for cost/benefit assessment is provided
  Risk management performance can be tracked and evaluated
  Results are derived and expressed in management’s language

• Cons
  Calculations are complex
  Not practical to execute without an automated tool and associated knowledge bases
  A substantial amount of information must be gathered

• Appropriate once an organization has reached a higher level of maturity and now requires an assessment against standardized, objective measures
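The kind of calculation the slide has in mind, added here as an example; it is not from the presentation. It assumes the standard annualized loss expectancy model (SLE = asset value x exposure factor, ALE = SLE x ARO), which the slides do not name, and every asset value, exposure factor, occurrence rate and control cost below is a constructed figure. It shows the two things the slide credits quantitative assessment with: a cost/benefit basis for choosing a mitigation, and a single monetary number (portfolio ALE) that can be tracked year over year.

```python
"""Quantitative risk assessment with cost/benefit ranking (added example).

Model: SLE = asset_value * exposure_factor; ALE = SLE * ARO. All figures are
constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # monetary value of the asset
    exposure_factor: float  # fraction of the value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year, in money."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # residual ARO as a fraction of the original (1.0 = unchanged)
    ef_factor: float = 1.0   # residual exposure factor as a fraction of the original


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied."""
    return replace(risk,
                   exposure_factor=risk.exposure_factor * control.ef_factor,
                   aro=risk.aro * control.aro_factor)


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus annual cost. Positive: the control pays for itself;
    negative: you would spend more than the risk is expected to cost."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls ordered by net annual benefit, best first."""
    return sorted(((c.name, net_benefit(risk, c)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)


def portfolio_ale(risks: list[Risk]) -> float:
    """The one number to track over time: total expected annual loss."""
    return sum(r.ale() for r in risks)


# Constructed figures
CUSTOMER_DB = Risk("customer database", "breach via stolen credentials",
                   asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
BUILD_SERVER = Risk("build server", "tampering with release artifacts",
                    asset_value=800_000, exposure_factor=0.5, aro=0.1)

CONTROLS = [
    Control("multi-factor authentication", annual_cost=40_000, aro_factor=0.2),
    Control("encryption at rest", annual_cost=15_000, ef_factor=0.5),
    Control("enterprise DLP suite", annual_cost=150_000, aro_factor=0.1),
]

if __name__ == "__main__":
    print(f"current portfolio ALE: {portfolio_ale([CUSTOMER_DB, BUILD_SERVER]):,.0f}")
    for name, benefit in rank_controls(CUSTOMER_DB, CONTROLS):
        print(f"{name:28s} net annual benefit {benefit:>12,.0f}")
```

Note what the ranking does with the most effective control: the DLP suite removes the most risk but costs more per year than the risk it removes, so it ranks last. That is the "results expressed in management's language" point on the slide, and it is exactly the comparison a qualitative high/medium/low rating cannot make.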

Page 44

Other Items to Consider

• Establish a Compliance Management Program

  Configuration Management: develop standard configurations for
    Infrastructure devices (network, hosts, etc.)
    Data (databases, NAS, SAN, etc.)
    Applications (web server, programming languages, protocols)

  Change Management: any proposed change to your production environment should be recorded, reviewed and approved by an SME from each domain: Security, Infrastructure, Data, Application, Operations, Support

  Release Management: any changes that impact, or could potentially impact, the availability of a production service should be released at scheduled intervals: weekly, monthly, quarterly, etc.

Page 45

Visual Representation

[Diagram: Configuration Management, Change Management, Release Management]

• All systems must comply with configuration management standards

• All changes must be submitted and performed through change management

• Those changes that impact the availability of production systems or services must be bundled into a scheduled release

Page 46

Q & A

Page 47