
Enterprise under attack dealing with security threats and compliance

Oct 19, 2014


A security hole in an application can cause not only major financial loss but also loss of customer confidence, trust and reputation, severely impacting the business. This webinar looks at well-established industry practices to identify and secure applications from breaches while adhering to regulatory compliance requirements.
Transcript
Page 1: Enterprise under attack dealing with security threats and compliance

1

Enterprises under Attack: Dealing with security threats and compliance

Sponsored by: SPAN Systems Corporation

Produced and Presented by: The Outsourcing Institute

Page 2

The Outsourcing Institute

• Located at outsourcing.com – over 70,000 Executive Members globally
• Trends, Best Practices, Case Studies
• Training through OI University
• Specialize in low-cost alternatives for outsourcing buyers needing assistance with RFP development and/or vendor selection:
  – Outsourcing RFP Builder Software
  – Matchmaker Service
• Qualified Demand Generation Programs
• Outsourcing job opportunities and recruiting services through CMS Inc.
• Local, intimate and interactive Outsourcing Road Show
• Sponsorship and new business development opportunities & programs

For more information contact us at: [email protected] or 516-279-6850 ext. 712

Page 3

Today’s Speakers

Copyright: SPAN Systems Corporation, www.spansystems.com

Amit Singh, Partner, Avasant
Vinay Ambekar, Senior Vice President, Engineering, Lavante Inc.
Pramod Grama, Co-founder and Executive Vice President, SPAN Infotech (India) Pvt. Ltd.
Lakshminarasimha Manjunatha Mohan, Solution Architect, SPAN Infotech (India) Pvt. Ltd.

Page 4

Enterprise Security (diagram)

Compliance: PCI-DSS, FISMA, HIPAA, SOX
Network Security
Physical Security
Operational Security
Application Security

Topics

• Enterprise Security Stature
• Enterprise Security Landscape
• Value of Enterprise Security
• Dealing with Security Threats and Compliances
• Application Security
• Infrastructure Security
• Compliances Validation
• Budgeting for Security

Page 5

Enterprise Security Stature

Source: 2013 INFORMATION SECURITY BREACHES SURVEY - Published by The Department for Business, Innovation and Skills (BIS), UK

• Human Errors and systems glitches caused nearly two-thirds of data breaches globally in 2012

• Malicious or criminal attacks are the most costly threats at an average of $157 per compromised record

Source: 2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec, June 2013

• Through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities

• By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service

Source: Gartner Top Predictions for 2012: Control Slips Away, Gartner, December 2011

Security is an ever moving Target

Security Breach Statistics (share of organisations affected, 2012 vs 2011)

Small Organizations                          2012   2011
Attacked by an unauthorized outsider          63%    41%
Hit by denial-of-service attacks              23%    15%
Network penetration by outsiders              15%     7%
IP and Confidential Data Theft                 9%     4%

Large Organizations                          2012   2011
Attacked by an unauthorized outsider          78%    73%
Hit by denial-of-service attacks              39%    30%
Network penetration by outsiders              20%    15%
IP and Confidential Data Theft                14%    12%

Page 6

Enterprise Security Landscape

Application Security

Enterprises must address Security Threats in order to conduct the business safely

• Injection

• Broken Authentication and Session Management

• Cross-Site Scripting (XSS)

• Insecure Direct Object References

• Security Misconfiguration

• Sensitive Data Exposure

• Missing Function Level Access Control

• Cross-Site Request Forgery (CSRF)

• Using Components with Known Vulnerabilities

• Unvalidated Redirects and Forwards

Infrastructure Security (diagram)

Tiers: Firewall – Web Server – Firewall – Application Server – Database Server

Network Security
• Router
• Firewall
• Switch

Host Security
• Patches and Updates
• Services
• Protocols
• Accounts
• Files and Directories
• Shares
• Ports
• Registry
• Auditing and Logging

Page 7

Dealing with Security Threats and Compliances

Security is not a product, but a process.

Enterprise Security – Approach

Pre-Production Security Testing: Application Security Tests, Infrastructure Security Tests
Post-Production Security Testing: Periodic Security Audits, Compliance Validations, Managed Security Monitoring and Operations

Establish Enterprise Security Baseline
• Applications Security Testing
• Infrastructure Security Testing
• Compliance Validations

Maintain Baseline Security Stature
• Security Validation across SDLC
• Security Monitoring and Operational Security
• Periodic Security Audits and Compliance Validations

Lakshminarasimha M.
This colour is not visible on a white background; can you please use a different colour?
Page 8

Infrastructure Security

Source: http://hackmageddon.com

Threats + Motives + Tools and Techniques + Vulnerabilities = Attack

Page 9

Infrastructure Security

The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack.

http://money.cnn.com/2013/01/09/technology/security/infrastructure-cyberattacks/
http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2012.pdf

Page 10

Infrastructure Security

• Plan to secure the infrastructure (Network, Servers, Desktops and Mobile)

• Perform Attack Surface Analysis and design a Secure Architecture

• Consider both Internal and External Penetration tests to address internal abuse and external intrusion

• Plan for Operational Security through Managed Security Services such as Unified Threat Management

Infrastructure Security activities (diagram)
• Elicit Security Requirements
• Threat Modeling and Attack Surface Analysis
• Vulnerability Assessment
• Penetration Testing
• Ethical Hacking

Enterprise Network Security

Operations Security & Monitoring
• Threat Management
• Incident Management
• Log Management

Security breaches lead directly to financial fraud, identity theft, regulatory fines, brand damage, lawsuits, downtime, malware propagation and loss of customers.

Page 11

Application Security

About 90% of the applications tested by SPAN revealed at least one HIGH RISK vulnerability (Source: SPAN Security Testing Metrics)

Applications Vulnerability Distribution – OWASP Top 10 Vulnerabilities (chart)

Page 12

Application Security

• Assess the required security level for the application based on the data sensitivity and threat exposure
• Employ vulnerability management and plan to preempt vulnerabilities from occurring: shift left from detection to prevention
• Plan for application security for every release
• Plan for the required level of security verification for the release based on the quantum and criticality of the change in code
• Ensure that the security team has qualified ethical hackers, secure programmers and security architects
• Follow methodologies widely accepted by industry, such as the OWASP Application Security Verification Standard
• Plan for testing all the components with the identified rigor
• There is no tool in the industry that can identify all the vulnerabilities. Combine skilled exploratory testing by ethical hackers with the power and speed of the tools

Need is for more secure software, NOT more security software

Application Security across the lifecycle (diagram)

Activities:
• Elicit Security Requirements (Evil Stories)
• Threat Modeling and Attack Surface Analysis
• Security Code Review
• Vulnerability Assessment
• Penetration Testing
• Ethical Hacking

Phases: Requirements, Design, Development, Deployment, Post-Deployment

Page 13

Compliance Validation

• Establish compliance requirements – regulatory, standards and legal
• Plan for pre-audits
• Establish a compliance metrics dashboard and keep track
• Perform a statistical analysis and implement lessons learned

Example Security Compliance Dashboard (chart)

Enterprise Security and Compliances (diagram)

Physical Security
• Access Control & Management

Application Security
• Secure Design
• Secure Development
• Vulnerability Management
• Periodic Penetration Testing

Infrastructure Security
• Secured Data Centers
• Threat Management
• Events and Log Management
• Incident Management
• Periodic Penetration Testing

Process Security
• Change Control Management
• Policies and Procedures

Source: http://www.isaca.org/

Lakshminarasimha M.
Compliance circle should be more within Security and less outside. It should mean that by security considerations Enterprises will meet more than 80% of the Compliance needs.
Lakshminarasimha M.
Can you please extend the Cube to include the text below and the circles to be Spheres similar to the example diagram that I had sent.
Lakshminarasimha M.
Add - Source: http://www.isaca.org/
Page 14

Enterprise Security

Security Test Methodology – Penetration Testing
• Information Gathering
• Threat Modeling and Attack Surface Analysis
• Vulnerability Analysis
• Exploitation
• Advancing Exploitation
• Reporting

Enterprise Information Security Frame
• Application/System Security
• Network Security
• Identity and Access Control
• Physical Security
• Threat Management
• Logs and Event Management
• Incident Management

Lifecycle
• Requirements Gathering
• Threat Profiling
• Security Testing
• Periodic Testing
• Compliance Validation

It is far preferable to do something NOW to avert and minimize harm before disaster strikes

Page 15

Enterprise Application Security Plan

Page 16

Enterprise Compliance Validation Plan

Page 17

Security Verification Level Selection

The sensitivity of the application is identified based on the sensitivity of the data processed by the application and the impact of the application on the business.

Identify what is BEST for you; all best practices are contextual.

Category: Application exposed over the Internet for the public
  Highly Sensitive: Threat Modeling & Attack Surface Analysis; Static Code Analysis; Security Code Review; Vulnerability Assessment; Application Penetration Testing
  Moderately Sensitive: Static Code Analysis; Security Code Review; Vulnerability Assessment; Application Penetration Testing
  Low Sensitive: Static Code Analysis; Security Code Review; Vulnerability Assessment; Application Penetration Testing

Category: Application exposed to legitimate users over Intranet or dedicated channels
  Highly Sensitive: Threat Modeling & Attack Surface Analysis; Static Code Analysis; Security Code Review; Application Penetration Testing
  Moderately Sensitive: Static Code Analysis; Security Code Review; Vulnerability Assessment; Application Penetration Testing
  Low Sensitive: Static Code Analysis; Vulnerability Assessment

Page 18

Operational View of Security Testing

Security Testing – Operational Overview (diagram)

Pre Production Security Testing
  Static Security Testing: Automated Static Code Analysis (Security), Manual Security Code Review
  Dynamic Security Testing: Automated Vulnerability Scanning, Penetration Testing
  Ethical Hacking

Production Security Testing
  Compliance Validation
  Security Monitoring

Threat Modeling and Attack Surface Analysis

Secure Enterprise

Lakshminarasimha M.
Colour does not gel with the rest
Page 19

Budgeting for Security

Source: 2013 INFORMATION SECURITY BREACHES SURVEY - Published by The Department for Business, Innovation and Skills (BIS), UK

Enterprises must plan to protect the brand, attain compliance and avert costly breaches

Business Drivers for Information Security Expenditure (chart)
• Protecting other assets (e.g. cash) from theft
• Improving efficiency / cost reduction
• Enabling business opportunities
• Protecting intellectual property
• Business continuity in a disaster situation
• Protecting customer information
• Preventing downtime and outages
• Complying with laws/regulations
• Protecting the organisation's reputation
• Maintaining data integrity

Information Security Expenditure
• 10% of IT budget is spent on average on security (up from 8% a year ago)
• 16% of IT budget is spent on average on security where security is a very high priority (up from 11% a year ago)
• 92% of respondents expect to spend at least the same on security next year (and 47% expect to spend more)

Lakshminarasimha M.
Can we make this bigger and animated to use the space available and make it visible more clear
Page 20

Value of Enterprise Security

Protect the brand, attain compliance and avert costly breaches.

Save Money and Business
• Avoid the potential penalties due to non-conformance to security compliances
• Avoid the losses due to financial fraud, identity theft and regulatory fines

Better Protection of Assets and Business
• Proactively respond to real-world security threats
• Comply with different standards and regulatory compliances

Gain Competitive Advantage
• Increased TRUST of users and customers
• Avoid brand damage, downtime and loss of customers

Page 21

Summary

Enterprises are under attack due to the continuous discovery of vulnerabilities.

Enterprises can deal with security threats and meet regulatory compliance demands by employing the following:

• Plan for securing assets
• Assess gaps and establish a security baseline
• Maintain security by employing Application Security, Infrastructure Security and Operations Security measures
• Achieve compliance by pre-audits and continuous management of the trend

Protect business, save money and gain competitive advantage by ensuring Enterprise Security.

Page 22

SPAN Systems Corporation

U.S. ‘C’ Corporation, incorporated in 1993

Wholly owned by EVRY (www.evry.com), a $2.3 Billion Nordic company

Ranked #7 Best IT Places to Work For in India; Historically low attrition

CMMI5, ISO 9001 and ISO 27001 certifications

Strong Relationship Management

Customers range from Fortune 5 to SMEs

Page 23

Poll Questions

How important is security testing for you?
• Critical
• Very Important
• Important
• Not Important
• Can’t say

Do you have a security solution in place for your enterprise? If not, would you like to implement one?
• Have NO security solution and want to implement immediately
• Have a reasonable security solution and want to look at options to strengthen the solution
• Have a very secure solution and would not want to make any changes
• Have NO security solution and do not want to implement any security measures

Page 24

Thank you for joining

Enterprises under Attack: Dealing with security threats and compliance

This webinar was sponsored by SPAN Systems Corporation in conjunction with The Outsourcing Institute.

Amit Singh, Partner, Avasant
Vinay Ambekar, Senior Vice President, Engineering, Lavante Inc.
Pramod Grama, Co-founder and Executive Vice President, SPAN Infotech (India) Pvt. Ltd.
Lakshminarasimha Manjunatha Mohan, Solution Architect, SPAN Infotech (India) Pvt. Ltd.