Information systems Security & IT auditing
Dr. Ir. Paul Overbeek RE
06-53786475
October 2007
Paul.Overbeek@ois-NL.EU
Paul Overbeek
Paul.Overbeek@OIS-NL.EU
06-53786475
Universities: Eindhoven, Tilburg, Amsterdam, Rotterdam, Nijenrode, Antwerpen and Dauphin/Paris
Partner OIS Information Risk & Security Management
Information Risk & Security Management, Compliance & Privacy protection
[Figure: Monitor, Integrate, Assess, Architect cycle across the layers People, Process and Application - ICT]
Agenda
You are here:
• Business
• Application Information
• Technique
Agenda
• Who am I and who are you? Identity
• Perspective of the IT auditor
• IT Security
• Challenges
• Some Cases
• Future watch: what is going to hit us next
Identity
• Identity: who’s who, where and when
• How you are recognized by others
• Identity: 1 person, 40 roles
• 6 pin-codes
• 15 business passwords
• 40 private internet passwords
• Passport
• Driving license
• 12 Identity cards
• 3 telephones
• 6 personnel-IDs
• 10 club cards
• DigiD
• SoFi
• 06-53786475
• 3883582
• P044921
Authorization & Access management
Tens of identities, one man. So, is this a problem?
• Could proper IT-security design have prevented this in, say:
• 1960
• 1970
• 1980
• 1990
• 2000
• No future without past: Innovation & Change create history and legacy
Even more roles
Improvement needed
Agenda
• Who am I and who are you? Identity
• Perspective of the IT auditor
• IT Security
• Challenges
• Some Cases
• Future watch: what is going to hit us next
IT-auditing: to provide assurance
IT Auditing is:
• An independent and unbiased assessment
• Against specific, agreed upon or industry standards
Providing assurance re objectives
• How ‘sure’: limited, conditional, reasonable, absolute
• ‘Absolute’ assurance seldom needed
Objectives
• Meeting business objectives: ‘From SOX to Semiconductor’
• Objectives are related to
• confidentiality, integrity, availability
• Effectiveness, efficiency, manageability and transparency
Objects include:
• Organisation, management and ICT
• Information systems, architectures
• Development…
Sponsors for IT-auditing:
• Usually top management or business process management
• IT management
• Other stakeholders: external oversight bodies, financial auditors (accountants), public, …
Skills
• A good IT-auditor is:
• Expert, with technical expertise and some business knowledge
• Unbiased
• Socially capable
• Communicative
• Empathetic towards his object
• Theory & Practice
• 2 years Post Master, 3 years practice, Code of Conduct, Registered
Objects for auditing
• ICT: many views exist
• Applications, middleware, OS, networks, components, architectures
• Individual, the ‘bubble’, the chain or the unknown.
• Organization:
• Business alignment, ICT-management, development, maintenance, sourcing
• HRM, Facilities, IM, MT, Finance, Admin, Legal,…
• Involved partners:
• Customers/clients, own personnel, IT-managers, developers, partners
• Top management, oversight, accountant, public interest, stock holders, …
• Where are the risks?
• How to deal with risk in a responsible manner
• Information Security, Risk Management & Compliance
From Control Objectives to Controls
Controls are designed such that control objectives are met
• Control objective A: Control A.1, Control A.2, Control A.3
• Control objective B: Control B.1, Control B.2, Control A.3
• Control objective C: Control A.2, Control B.1
ICT-security
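The mapping on this slide is many-to-many: control A.3 serves objectives A and B, and objective C is met entirely by controls borrowed from A and B. That structure is worth checking mechanically during an audit, because a single ineffective control can silently leave an objective with no coverage at all. The following Python is an added example, not material from the lecture; it uses the slide's objective and control labels, and the "ineffective controls" scenario in the test is an assumption added here.

```python
"""Map control objectives to controls and assess coverage.

Added example. The objective/control labels are those on the slide;
the rules below (an objective is 'uncovered' when every control that
implements it is ineffective) are assumptions made for illustration.
"""
from collections import defaultdict

# Objective -> controls that implement it, exactly as drawn on the slide.
OBJECTIVE_CONTROLS = {
    "A": ["A.1", "A.2", "A.3"],
    "B": ["B.1", "B.2", "A.3"],
    "C": ["A.2", "B.1"],
}


def controls_to_objectives(mapping):
    """Reverse map: which objectives depend on each control."""
    rev = defaultdict(set)
    for objective, controls in mapping.items():
        for control in controls:
            rev[control].add(objective)
    return {c: sorted(objs) for c, objs in rev.items()}


def shared_controls(mapping):
    """Controls serving more than one objective: a failure hits several at once."""
    rev = controls_to_objectives(mapping)
    return sorted(c for c, objs in rev.items() if len(objs) > 1)


def uncovered_objectives(mapping, ineffective):
    """Objectives left with no effective control once `ineffective` have failed."""
    bad = set(ineffective)
    return sorted(o for o, cs in mapping.items() if not (set(cs) - bad))


def weakened_objectives(mapping, ineffective):
    """Objectives that lost some, but not all, of their controls.

    Returns objective -> controls that are still effective (order preserved).
    """
    bad = set(ineffective)
    result = {}
    for objective, controls in mapping.items():
        remaining = [c for c in controls if c not in bad]
        if remaining and len(remaining) < len(controls):
            result[objective] = remaining
    return result


if __name__ == "__main__":
    # Constructed finding: the auditor rates A.2 and B.1 as not operating.
    failed = ["A.2", "B.1"]
    print("shared controls:", shared_controls(OBJECTIVE_CONTROLS))
    print("uncovered:", uncovered_objectives(OBJECTIVE_CONTROLS, failed))
    print("weakened:", weakened_objectives(OBJECTIVE_CONTROLS, failed))
```

The reverse map is the part an auditor actually reports on: when a control is found deficient, the finding should list every control objective that depends on it, and an objective whose controls are all shared with other objectives (here, C) deserves a note that it has no control of its own.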
Imagine… In the ideal world
• People are honest, do not make mistakes and know what to do
• Business and IT-management processes are well designed and understood
• Hardware does not fail and software is well designed, reliable, well maintained and…
• Serves business purposes & risks
In the ideal world, auditing would not be needed.
• But… people make mistakes, processes hamper
• While controls built into ICT are of constant quality…
• So… when and wherever possible, ICT controls are preferred
Main Technical controls
• Identification & Authentication
• Authorization
• Logical Access control
• Integrity controls (input controls)
• Confidentiality controls (classification)
• Continuity controls / load balancing
• Cryptography
• Monitoring, logging/audit trails, vulnerability analysis, IDS & alerting
• Backup / alternate resourcing / restore
• And…. Hardening: do not forget this one!
Controls should be balanced
WoW of the IT-auditor (1/3)
To assess security
• Standards (applied risk or CO-based)
• Code of Practice for Information Security Management
• COBIT
• Hardening standards
• Legal requirement
• Company / branch specific
• Checklists, interviews, observation, testing, and…
WoW (2/3)
• Tools – general IT infra / Networks
• Penetration testing tool boxes & services (good guys hacking)
• Outside in, inside in, black/white
• Mostly used for outside in & general infrastructure
• Interception of communication (sniffers) and reuse of authentication info
• Honey pots
• Mimic trustworthy machines and use proxy opportunities
• Use ‘scouts’: agents / Trojans / non-destructive viruses
• Listen to wireless networks
• Stress-testing DOS
• Known 1st day Exploits, X-site scripting, bugs
• Vulnerability scanners
• Automated tools that check policies (‘settings’) against known vulnerabilities
• SOC
WoW (3/3)
• Tools – specific
• Toolkits for SAP, Oracle, Peoplesoft, … check for common vulnerabilities and
• Check for possible SoD conflicts
• ICT-management tools
• Aim at management processes and tools, e.g. HP-openview, CA,…
• Confuse them, blind them, make them look somewhere else
Agenda
• Who am I and who are you? Identity
• Perspective of the IT auditor
• IT Security
• Challenges & trends
• Some Cases to discuss
• Future watch: what is going to hit us next
Some challenges
Positive:
• Security technology starts to become mandatory and to be fully integrated in new Apps
Open questions
• Major challenges for the next generation IS’s:
• Horizontal & vertical integration of security functionality
• Handling spaghetti-type information systems
• How to work with components in different phases of the maturity cycle
• Current security technology is inflexible for changes (neither in business nor in IS’s)
• ‘The information system’ as we used to know it doesn’t really exist anymore:
• Ever changing configuration of a chain of partners, technology and locations
• Tomorrow’s architectures for security (CIA) of information and ICT
Some Challenges: Network
• Network boundaries are vanishing: Deperimeterisation
• Jericho: bring controls towards
• the information itself (self-contained info & applications)
• the platforms
• Assume a hostile environment
• From prevention to detect/correct
• Instead of ‘keeping the bad guys out’
• ‘bring good guys in and control behavior’
• See Jericho Forum
Identity & access management
• Aha, see intro
Platforms
• Virtualization
• The OS does not know where the hardware is
• The SAN could be in Poland
• The CPUs in India
• Fundamental authentication problems
• No approach towards software integrity
• Failure -is- an option
Applications
• Assume safe underlying infrastructure
• Authorization chaos
• Cross application
• Align to the real use / business needs
New IT is coming much closer to your soul
• See future watch
How to design ‘secure’ information systems
How to design safe ICT environments (designing architectures in spaghetti and lasagna view)
Agenda
• Who am I and who are you? Identity
• Perspective of the IT auditor
• IT Security
• Challenges & trends
• Some Cases to discuss
• Future watch: what is going to hit us next
Case: Current Web
Past: B2C or B2A or some B2B
Characteristics:
• 1-2-1
• Single place of storage
• Asymmetric trust relationship
[Figure: two parties, each drawn with People, Process and Application - ICT layers]
Future Web x.y: B2B2B, BmBmB
Value Chain: B2B2B…. (Sinatra)
Trusted networks of partners: BmBmB (BeeGees)
• Normal business rules apply
• From unilateral to multilateral communication
• Trust but verify
• Consistency in trusted sources of information
• Discover and develop fruitful relationships
• Transforming relationships into transactions
• Conditions: transparency in service offering, authenticity of involved parties, integrity of transactions
[Figure: many interconnected parties, each drawn with People, Process and Application - ICT layers]
Web x.y: Common Controls required
Control objectives are not that different between parties
[Figure: two parties, each drawn with People, Process and Application - ICT layers]
Which control objectives apply? The ECP.NL + Thuiswinkel.org draft list of control objectives addresses, among others:
Transactions:
• Integrity
• Volume
• Confidentiality/privacy
• Traceability
• Non repudiation
• Identification and Authenticity
• Natural / legal
• Authorization
• Access control
• Monitoring transactions
• Relational integrity
• Transparency
• Costs
• Service, delivery, …
• Return, reversal (storno)
• Complaints
• Assurance
• …
Case 2: Auction
• Relationship
• One transaction or…. 5?
• Which authorization context applies?
Case 3: Relationship
• Who is the owner of this information
• Who is responsible for what
• Who has the right or obligation to make changes
• Is this a public or a private space…
Case 4: Virtual world or real…?
• Who owns this environment
• Who is responsible for what
• Who is who
• Enforce or correct behavior
• Detect misuse
• Rules of the game and their enforcement
Examples
• Consumer should have a list of current outstanding transactions
• Transactions should be traceable and monitorable
• Responsibilities clear
• Pseudonymity
• Authentication of the real source
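The transaction control objectives listed for the ECP.NL / Thuiswinkel.org draft (integrity, traceability, non repudiation, authenticity of the source) and the examples on this slide (a consumer's list of outstanding transactions, pseudonymity) can be shown together in one small append-only record design. The Python below is an added example, not code from the lecture or from ECP.NL or Thuiswinkel.org; the merchants, keys and transactions are constructed for illustration. It records the consumer under a keyed pseudonym, hash-chains the records so every entry is traceable to its predecessor, and authenticates each record's source with an HMAC under the merchant's key (an assumption standing in for whatever signature scheme the parties would agree on).

```python
"""Pseudonymous, traceable, source-authenticated transaction records.

Added example. Merchant names, keys and transactions are constructed
here. Assumptions: the pseudonym key is held by the consumer-side party,
and each merchant holds its own record-signing key.
"""
import copy
import hashlib
import hmac
import json

PSEUDONYM_KEY = b"constructed-pseudonym-key"          # constructed
MERCHANT_KEYS = {                                     # constructed
    "shop-a": b"constructed-key-shop-a",
    "shop-b": b"constructed-key-shop-b",
}


def pseudonym(real_id: str) -> str:
    """Stable pseudonym: keyed hash of the real identifier, 16 hex chars.

    The same consumer always maps to the same pseudonym (so outstanding
    transactions can be listed), but the real id cannot be recovered from
    the records without PSEUDONYM_KEY.
    """
    return hmac.new(PSEUDONYM_KEY, real_id.encode(), hashlib.sha256).hexdigest()[:16]


def _canonical(rec: dict) -> bytes:
    """Canonical bytes of a record minus its tag, so the tag is reproducible."""
    body = {k: v for k, v in rec.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _append(ledger, merchant, consumer, kind, amount, ref):
    prev = ledger[-1]["tag"] if ledger else "genesis"   # hash chain for traceability
    rec = {"seq": len(ledger), "merchant": merchant, "consumer": consumer,
           "kind": kind, "amount": amount, "ref": ref, "prev": prev}
    # Source authentication: only the holder of the merchant's key can produce the tag.
    rec["tag"] = hmac.new(MERCHANT_KEYS[merchant], _canonical(rec), hashlib.sha256).hexdigest()
    ledger.append(rec)
    return rec


def order(ledger, merchant, consumer, amount):
    """Open a transaction."""
    return _append(ledger, merchant, consumer, "order", amount, None)


def settle(ledger, merchant, consumer, ref):
    """Close the order at sequence number `ref` (delivered/paid/returned)."""
    return _append(ledger, merchant, consumer, "settle", ledger[ref]["amount"], ref)


def verify_ledger(ledger) -> bool:
    """Check chain continuity, every tag, and that settlements point at real orders."""
    prev = "genesis"
    for i, rec in enumerate(ledger):
        if rec["seq"] != i or rec["prev"] != prev:
            return False
        key = MERCHANT_KEYS.get(rec["merchant"])
        if key is None:
            return False
        expected = hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False
        if rec["kind"] == "settle":
            ref = rec["ref"]
            if not (isinstance(ref, int) and 0 <= ref < i):
                return False
            target = ledger[ref]
            if (target["kind"] != "order" or target["merchant"] != rec["merchant"]
                    or target["consumer"] != rec["consumer"]):
                return False
        prev = rec["tag"]
    return True


def outstanding(ledger, consumer):
    """The consumer's list of currently open transactions (sequence numbers)."""
    opened = {r["seq"] for r in ledger if r["consumer"] == consumer and r["kind"] == "order"}
    closed = {r["ref"] for r in ledger if r["consumer"] == consumer and r["kind"] == "settle"}
    return sorted(opened - closed)


def build_sample():
    """Constructed ledger: two consumers, two merchants, one settled order."""
    ledger = []
    alice = pseudonym("alice@example.invalid")
    bob = pseudonym("bob@example.invalid")
    order(ledger, "shop-a", alice, 19.95)    # seq 0
    order(ledger, "shop-b", alice, 120.00)   # seq 1
    order(ledger, "shop-a", bob, 5.00)       # seq 2
    settle(ledger, "shop-b", alice, 1)       # seq 3 closes seq 1
    return ledger, alice, bob


def tampered_copy(ledger):
    """Copy of the ledger with one amount altered after the fact."""
    bad = copy.deepcopy(ledger)
    bad[0]["amount"] = 1.00
    return bad
```

Because every record is tagged by the merchant and chained to its predecessor, changing an amount, dropping a record or inserting one out of order makes `verify_ledger` fail, which is what makes the records monitorable by a party other than the merchant. Pseudonymity here is only as strong as the secrecy of PSEUDONYM_KEY and the absence of other identifying fields in the record.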
New ICT-security challenges
• Balancing controls
• Control objectives: common set
• Emphasis on controls in web-applications
• Common set of controls to be defined
• “Terms of engagement”
• Key: relationship, transaction, ownership
Future watch
Agenda
• Some Cases
• Future watch: what is going to hit us next
Personal
Real close
In, around, with you
You and your friends…
Digital paper, foldable keyboards and screens
3D input and presentation
Summary
We ain’t seen nothing yet
Thanks & Enjoy