Information security
Blog Host: Puneet Mehta - Security Architect, SDG Corporation
Security tips (from my experience so far)
09 SEP 2005 05:46 EDT (09:46, GMT)
Hello everyone! It has been a really wonderful two weeks at the Expert Answer Center. Now that it's time for me to say good-bye, I would like to share some of the important security tips that I learned from working as a security professional.

Here are some key security principles that organizations and security professionals should follow with regard to information security:

  • Understand your networks and the business objectives they support.

  • Develop a thorough and achievable security policy. Implement it and update it at regular intervals.

  • Enhance point solutions, such as firewalls, authentication and encryption, with adaptive technology. This maximizes their effectiveness and helps prevent premature obsolescence.

  • Logs are your best friends -- they help you find answers. Enable logging on all the key devices.

  • Incident handling is an important part of security strategy, but is commonly ignored. Don't ignore it.

  • A well-thought-out disaster recovery plan is a must for business continuity.

  • Continued training and education is a MUST.

  • Purchase infrastructure products and assessment tools from different manufacturers.

  • An independent source of product assessment is much more likely to provide an unbiased evaluation of overall e-business security performance.

  • Consider outsourcing some or all security management operations. Doing so allows an organization to focus internal resources more directly on core business competencies.

  • Shun complexity. Keep it simple. And finally…

  • As I always say: Never have a false sense of security.
In addition to these tips, organizations should also focus on the following important security functions:
  • Policy compliance and vulnerability management
  • Intrusion detection and incident response
  • Enterprise security management and decision support
  • Managed security services
  • Risk management and e-commerce insurance coverage

Posted by Puneet Mehta

Identity management, part 2
08 SEP 2005 15:04 EDT (19:04, GMT)
  • Delegated administration and self-service: Delegated administration allows organizations to transfer administrative responsibility across departments, business units and/or corporate boundaries, enabling administrators, department managers or even HR to manage users, policies and other objects effectively within their respective namespaces.

    An enterprise can enhance its security administration through Web-based self-service modes such as self-registration, self-administration and self-service password management. While self-registration allows users (internal and external) to register and request application access, self-administration allows users to authenticate themselves and then update their personal information. This eliminates the need for administrative intervention and increases productivity.

    Password management is an important element of security administration, as most attacks target passwords. According to a study, more than 65% of help desk calls relate to password problems. A self-service password management system provides an interface that allows users to change or reset their passwords once they are successfully authenticated. It also allows users to recover forgotten passwords after confirming their identity by correctly answering the challenge questions chosen during user registration. Furthermore, it helps enforce strong password policies and password synchronization, and ensures compliance with security policies. This practically eliminates the need for an administrator's or help-desk worker's involvement, saving both time and money.

  • Integration: Integration is the key to a successful identity management deployment. A typical organization maintains a number of different user data stores, ranging from networks, operating systems, applications and HR systems to e-mail solutions, but most of these systems lack cross-directory or cross-data-store management capability. The increasing demand for interoperability has made vendors adopt a directory services approach. Meta-directories are becoming extremely popular among organizations and are enabling data synchronization. A meta-directory allows an enterprise to combine data from distributed data sources into a single directory construct, thereby providing a unified view of enterprise user data. It also provides a universal method of access that allows naming, searching, joining and updating data across multiple data sources. Provisioning systems are now being directory-enabled to provide interoperability. Most of them include a built-in workflow engine that manages the changes associated with user profiles, enabling role-based access control. Both meta-directory and provisioning tools are powerful and need to be efficiently integrated. XML-based architectures are now being used to create automated, interoperable communication between meta-directory join engines and provisioning systems, which enables secure identity creation.

  • Auditing and reporting: Auditing is an integral part of identity management because it verifies the effectiveness of, and compliance with, security policies. A comprehensive identity auditing and reporting tool allows detection of security risks and enables organizations to deal with them proactively.
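As an added example (not from the original post and not any vendor's product), the following Python models the self-service password management flow described above: an authenticated password change, a challenge-question reset for forgotten passwords, and a password policy applied to every new password. The policy rules, the PBKDF2 round count and the three-attempt lockout are assumed values.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed self-service password management flow (not the blog's or any
# vendor's code): authenticated change, challenge-question reset and policy
# enforcement on every new password. Thresholds and rules are assumed values.
PBKDF2_ROUNDS = 100_000
MAX_CHALLENGE_ATTEMPTS = 3   # after this, lock and hand over to the help desk

def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

def _normalize_answer(answer: str) -> str:
    # Case- and whitespace-insensitive, so "New York" later matches "new york".
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def password_policy_violations(password: str) -> list:
    """Return the policy rules the candidate password fails (empty = OK)."""
    rules = [
        ("at least 12 characters", len(password) >= 12),
        ("an upper-case letter", re.search(r"[A-Z]", password)),
        ("a lower-case letter", re.search(r"[a-z]", password)),
        ("a digit", re.search(r"[0-9]", password)),
        ("a symbol", re.search(r"[^A-Za-z0-9]", password)),
    ]
    return [name for name, ok in rules if not ok]

class Account:
    def __init__(self, password: str, challenges: dict):
        if password_policy_violations(password):
            raise ValueError("initial password violates policy")
        self.salt = os.urandom(16)
        self.pw_hash = _hash_secret(password, self.salt)
        # challenges = {question: answer} chosen at registration; answers are
        # hashed like passwords and never stored in clear.
        self.challenges = {q: _hash_secret(_normalize_answer(a), self.salt)
                           for q, a in challenges.items()}
        self.failed_challenges, self.locked = 0, False

    def authenticate(self, password: str) -> bool:
        return not self.locked and hmac.compare_digest(
            _hash_secret(password, self.salt), self.pw_hash)

    def change_password(self, current: str, new: str) -> bool:
        """Authenticated change: the user must first prove the current password."""
        if not self.authenticate(current) or password_policy_violations(new):
            return False
        self.pw_hash = _hash_secret(new, self.salt)
        return True

    def reset_password(self, answers: dict, new: str) -> bool:
        """Forgotten-password reset: every registered challenge must be answered."""
        if self.locked or password_policy_violations(new):
            return False
        matches = [hmac.compare_digest(
            _hash_secret(_normalize_answer(answers.get(q, "")), self.salt), h)
            for q, h in self.challenges.items()]
        if not all(matches):
            self.failed_challenges += 1
            self.locked = self.failed_challenges >= MAX_CHALLENGE_ATTEMPTS
            return False
        self.failed_challenges = 0
        self.pw_hash = _hash_secret(new, self.salt)
        return True
```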

Posted by Puneet Mehta

Identity management
07 SEP 2005 05:00 EDT (09:00, GMT)
Identity is a critical element of an organization's IT infrastructure. Be it operating systems, networks, databases or application environments -- every system needs a unique identifier, typically implemented as user IDs or system IDs. In a distributed environment, identity creation may span several systems, creating a problem of multiple user identities, simply because every system implements identity in its own way. Identity management is not a single-approach solution, but rather a framework of business processes and technologies.

Let's discuss the key components of identity management from a functional viewpoint:

  • Enterprise directory services: These services play a crucial role in an enterprise information architecture and are emerging as a cornerstone for identity management. A directory service allows a single view of the entity by providing user profile services, thereby eliminating the need to manage and secure separate authentication databases, increasing overall system security.

  • Provisioning: User provisioning is undoubtedly the most important component of an identity management framework. It is the process of deploying users' access rights based on business policies -- be they employees, customers or business associates -- throughout their life cycles in corporate IT systems.

  • Authentication: For identity management to be effective, it needs to establish trust in an organization's online environment, especially in identities. To establish this trust, there must be a binding of unique attributes or credentials to a unique identity, and this binding must be proven by authentication.

  • Access control: Once the trust is established in digital identities, policies should be enforced to control access to protected resources. This approach not only simplifies administration, it also provides the maximum amount of flexibility for each user since an individual's unique set of roles translates into a unique set of access privileges. This ensures that a user is granted the level of access that is appropriate for every role and/or business function that individual is responsible for.

  • Workflow management: Workflow is an integral part of provisioning; it manages the approval process for identity change requests. In an organization, a typical workflow process could involve enrollment of new employees and requests for access to applications, network resources or computer systems, with a workflow approval framework built around these requests. This integrated approval process enables secure and effective provisioning of users by attaching the correct user privileges, access rights and other security settings to an individual's profile based on his or her job function.

I will discuss the rest of the components in my next blog entry… so stay tuned.
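As an added example (not part of the original post), the following Python shows how provisioning and role-based access control fit together: a job function is provisioned into roles, a user's unique set of roles translates into the union of those roles' privileges, and a job change or departure re-provisions or removes them. Role names, privileges and job functions are assumed sample values.

```python
from dataclasses import dataclass, field

# Constructed illustration (not the blog's code) of role-based access control
# tied to provisioning: a job function is provisioned into a set of roles, and
# a user's effective privileges are the union of those roles' privileges.
# Role names, privileges and job functions are assumed sample values.

# Privileges are (resource, action) pairs attached to roles, never to users.
ROLE_PRIVILEGES = {
    "employee":      {("intranet", "read"), ("mail", "use")},
    "hr-staff":      {("hr-db", "read"), ("hr-db", "update")},
    "payroll-admin": {("payroll", "read"), ("payroll", "approve")},
    "db-admin":      {("customer-db", "admin")},
}

# Provisioning policy: the roles each job function is entitled to.
JOB_FUNCTION_ROLES = {
    "hr-generalist": {"employee", "hr-staff"},
    "payroll-lead":  {"employee", "hr-staff", "payroll-admin"},
    "dba":           {"employee", "db-admin"},
}

@dataclass
class User:
    name: str
    job_function: str
    roles: set = field(default_factory=set)

def provision(user: User) -> set:
    """Joiner: attach exactly the roles the user's job function entitles them to."""
    roles = JOB_FUNCTION_ROLES.get(user.job_function)
    if roles is None:
        raise KeyError(f"no provisioning policy for job function {user.job_function!r}")
    unknown = roles - set(ROLE_PRIVILEGES)
    if unknown:
        raise KeyError(f"policy references undefined roles: {sorted(unknown)}")
    user.roles = set(roles)
    return user.roles

def effective_privileges(user: User) -> set:
    """Union of the privileges of every role the user currently holds."""
    privileges = set()
    for role in user.roles:
        privileges |= ROLE_PRIVILEGES[role]
    return privileges

def is_permitted(user: User, resource: str, action: str) -> bool:
    return (resource, action) in effective_privileges(user)

def change_job_function(user: User, new_function: str) -> set:
    """Mover: re-provision and return the privileges revoked, so access from
    previous functions does not accumulate."""
    before = effective_privileges(user)
    user.job_function = new_function
    provision(user)
    return before - effective_privileges(user)

def deprovision(user: User) -> None:
    """Leaver: remove every role so no privilege remains."""
    user.roles = set()
```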
Posted by Puneet Mehta

Layered security
06 SEP 2005 15:44 EDT (19:44, GMT)
Network security is a mission-critical concern for enterprises, government agencies and organizations of all sizes. Ever-increasing advanced threats from cyber-terrorists, disgruntled employees and hackers demand a methodical approach to network security. In many industries enhanced security is not an option -- it's mandatory. Federal regulations such as Sarbanes-Oxley, HIPAA and GLBA require organizations such as financial institutions, health care providers and key federal agencies to implement stringent security programs to protect digital assets.

The layered approach is both a technical strategy, requiring that adequate measures be put in place at different levels within your network infrastructure, and an organizational strategy.

The layered-security approach focuses on maintaining appropriate security measures and procedures at five different levels within your IT environment:

  1. Perimeter
    • Firewall
    • Network-based antivirus
    • VPN encryption
  2. Network
    • Intrusion detection system (IDS)/Intrusion prevention system (IPS)
    • Vulnerability management system/security testing
    • Endpoint security compliance
    • Access control system/Authentication system
  3. Host
    • Host-based intrusion detection system
    • Host vulnerability assessment
    • Endpoint security compliance
    • Access control/user authentication
    • Antivirus
  4. Application
    • Host-based intrusion detection system
    • Host vulnerability assessment
    • Access control/user authentication
    • Input validation/code security
  5. Data
    • Encryption
    • Access control/user authentication

Posted by Puneet Mehta

OSSTMM overview
02 SEP 2005 05:16 EDT (09:16, GMT)
The Open Source Security Testing Methodology Manual (OSSTMM) is unique in that it is the first and most widely available standard in development for the comprehensive security testing of Internet systems and networks. Created by Pete Herzog of the Ideahamster Organization, the OSSTMM is a continuously evolving document with over 150 collaborators -- ensuring that as IT focus changes and new developments in Internet security occur, the OSSTMM remains current and up to date.

Before the OSSTMM, no documents existed that addressed the needs of security professionals by providing an open, publicly available standardized guide for formal security testing.

The OSSTMM changes all of this -- offering participants a consistent framework and clearly quantifiable results, thereby affording a level of assurance of the output quality, accuracy and validity of the tests that end users have not yet seen in the security industry. Security testing thus becomes quantifiable, constant and repeatable, visibly thorough and compliant with a global range of individual and local laws.

Each of the modules of the OSSTMM outputs a dataset, which can then be classified in terms of Risk Assessment Values (RAV). RAVs serve to quantify the results of each module, which in turn tells security testers how long information remains useful and "current". In real-world terms, a relative risk value is assigned to the systems under test -- each end user is willing to accept a different level of risk, and this allows them to determine how often they want regular testing to be carried out and how much risk they are willing to take on board.

OSSTMM Modules
  • Network surveying
  • Port scanning
  • System fingerprinting
  • Services probing
  • Automated vulnerability scanning
  • Exploit research
  • Manual vulnerability testing and verification
  • Application testing
  • Firewall and access control list testing
  • Intrusion detection system (IDS) testing
  • Security policy review
  • Document grinding (electronic dumpster diving)
  • Competitive intelligence
  • Trusted systems testing
  • Password cracking
  • Denial of service testing
  • Privacy policy review
  • IDS and server logs review

Posted by Puneet Mehta

Network security basics
01 SEP 2005 05:26 EDT (09:26, GMT)
Network security is about computer systems and network access control, as well as detection and response to unwanted incursions. The risks from poor security are tremendous: theft, interruptions of service, physical damage, compromised system integrity and unauthorized disclosure of proprietary corporate information.

To secure network access paths, start with the basics, such as locking computers that are not in use. Beyond the basics, more robust solutions include key card access, hardware tokens or biometric access to especially sensitive areas.

Firewalls are an essential part of network security. Firewalls restrict access from one network to another and inspect and restrict all traffic flowing through the network. Firewalls should restrict access from the Internet and from one internal network (e.g., application servers) to another network (e.g., database). It is necessary to carefully construct the IP address ranges and the ports to which the firewall will open access. In addition, it's recommended to use multiple layers of firewalls for distinctly different functional portions of the network -- one for the demilitarized zone (DMZ), a second for the Web server, a third for the application server and perhaps a fourth for the database layers.
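As an added example (not from the original post and not any firewall's rule syntax), the following Python models the tiered layout above as a policy of allowed (source tier, destination tier, port) triples and audits a set of constructed sample flows against it, flagging anything that skips a tier or runs backwards. The address ranges and ports are assumed values.

```python
import ipaddress

# Constructed model (not the blog's rules nor any firewall's syntax) of the
# tiered layout: Internet -> DMZ web -> application -> database. Each tier
# boundary allows only the one source range, destination range and port the
# next tier needs; everything else is denied. Ranges and ports are assumed.
TIERS = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz-web":  ipaddress.ip_network("192.0.2.0/24"),
    "app":      ipaddress.ip_network("10.10.20.0/24"),
    "db":       ipaddress.ip_network("10.10.30.0/24"),
}

# Allow rules as (source tier, destination tier, destination port).
ALLOW = {
    ("internet", "dmz-web", 443),
    ("dmz-web", "app", 8080),
    ("app", "db", 5432),
}

def tier_of(ip: str) -> str:
    """Most specific matching range wins, so 10.10.30.5 is 'db', not 'internet'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in TIERS.items():
        if addr in net and (best is None or net.prefixlen > TIERS[best].prefixlen):
            best = name
    return best

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return (tier_of(src_ip), tier_of(dst_ip), dst_port) in ALLOW

def audit(flows: list) -> list:
    """Return the flows a correctly tiered firewall set should have dropped."""
    return [flow for flow in flows if not is_allowed(*flow)]

# Constructed sample flows, as might be pulled from firewall logs for review.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", 443),   # client to web: expected
    ("192.0.2.10", "10.10.20.5", 8080),   # web to app: expected
    ("10.10.20.5", "10.10.30.5", 5432),   # app to db: expected
    ("203.0.113.7", "10.10.30.5", 5432),  # Internet straight to db: denied
    ("192.0.2.10", "10.10.30.5", 5432),   # web skipping the app tier: denied
    ("10.10.30.5", "10.10.20.5", 8080),   # db initiating to app: denied
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("DENY", *flow)
```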

Intrusion detection systems watch for attacks, parse audit logs, alert administrators as attacks are happening, protect system files, expose a hacker's techniques, illustrate which vulnerabilities need to be addressed and help to track down perpetrators of attacks.

Another must-have is up-to-date antivirus and Trojan-checking software on all client machines. There are thousands of viruses, and each new one is more sophisticated and more damaging than its predecessor. A tremendous and costly amount of damage has been done by the last few worldwide e-mail-based viruses. A particularly robust solution is server-based antivirus software that runs on e-mail transfer machines (such as Microsoft Exchange) to prevent infected messages from reaching users or from leaving one client to infect others.

Finally, the simplest but most powerful thing of all -- ensure every security patch for all operating systems and applications is applied on all systems as soon as they come out.

To conclude, as I always say -- "never have a false sense of security."
Posted by Puneet Mehta

Enabling secure relationships
31 AUG 2005 05:26 EDT (09:26, GMT)
Secure relationships are the building blocks of all the business processes and interactions. Businesses today deal with millions of customers, many of whom they don't even see face to face. To offer the highest standards of service and convenience, companies need to provide their customers with secure Web access to the back-office systems, enabling status assessment, purchases and much more. Also, business partners may require access to systems in a distributed network environment. As a result, companies end up sharing portions of internal systems, applications and knowledge bases with business partners.

An enterprise must keep certain goals in mind when implementing a new security solution. These include:

  • Management of security risks
  • Privacy: protecting personal and corporate information
  • Faster deployment of secure e-business initiatives
  • Management of ROI
To achieve the above goals, an e-business infrastructure should cover the following basic security requirements:
  • Identity management
  • Authentication
  • Authorization
  • Auditing
  • Asset protection
  • Administration
  • Assurance
  • Availability
  • Privacy and trust
  • System integration

Posted by Puneet Mehta

Security process
30 AUG 2005 05:19 EDT (09:19, GMT)
My first blog entry outlined an overview of information security -- what it's all about, its objectives and the guiding principles/standards. Today let's talk about the security process, a key element in information security.

So, what is this security process and what does it do?
In simple terms, it's the method an organization uses to implement and achieve its security objectives. Basically, the whole process is designed to identify, measure, manage and control the risks to systems; to preserve the core principles of confidentiality, data integrity and data availability; and to ensure accountability for system actions. The process is built around five components or areas that work together as a framework. They are:

  • Information security risk assessment is the process to identify threats, vulnerabilities, attacks, probabilities of occurrence and outcomes. Risk assessment is a critical first step in the information security lifecycle.

  • Information security strategy is the plan to mitigate risk that integrates technology, policies, procedures and training.

  • Security controls implementation is the deployment of appropriate risk controls. This involves both technology and people.

  • Security testing is the method of ensuring that risks are appropriately assessed and mitigated. Different testing methodologies are used to verify that implemented controls are effective and are performing as intended.

  • Monitoring and updating is the process of continuously gathering and analyzing information regarding new threats and vulnerabilities, and actual attacks on the institution or on others, combined with the effectiveness of the existing security controls. This information is used to update the risk assessment, strategy and controls. Monitoring and updating makes the process continuous instead of a one-time event.

Posted by Puneet Mehta

Information security -- an insight
29 AUG 2005 05:58 EDT (09:58, GMT)
"Information security is driven by the core principle of preserving and providing confidentiality and integrity of the information and ensuring its availability."

Information security is the process by which an organization protects and secures the systems, media and facilities that process and maintain information vital to its operations. But information security is often inaccurately perceived as the state or condition of controls at a point in time. Security is an ongoing process, and organizations need to continually assess their posture and react appropriately in the face of rapidly changing threats, technologies and business conditions.

"Security is a continuum, not an absolute."

To be truly effective, information security should continuously integrate processes, people and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels. Simply put, a good security process is the one that identifies risks, helps form a strategy to manage the risks, enables implementation of the strategy, tests the implementation and monitors the environment to control the risks.

So, what are the security objectives?

  • Confidentiality
  • Integrity
  • Availability
  • Accountability
  • Assurance
As a benchmark for the above objectives, some standards and guidelines exist. These are:

While different classifications of information security activities exist, the ones that are widely adopted are:
  • Access control systems and methodology
  • Network security
  • Security management practices
  • Application and system development security
  • Cryptology
  • Security architecture and models
  • Operations security
  • Business continuity planning (BCP)
  • Laws, regulatory standards and guidelines
  • Physical security

Hello, everyone!

I am Puneet Mehta, your information security expert on call at the Expert Answer Center from Aug. 29 to Sept. 9, 2005. I am available to answer any security-related queries that you or your organization may have, be it network security, regulatory compliance, encryption technology or any other security issue that's keeping you awake at night. I am here to help you understand and meet those challenges. So let's get started. :-)
Posted by Puneet Mehta