Reduce Security Compliance Costs Using Open Source

Academic year: 2021

BLUE KAIZEN CENTER OF IT SECURITY

Cairo Security Camp 2010

Reduce Security Compliance Costs Using Open Source

Subject: This document gives the reader an introduction to Information Security Compliance, why to comply, compliance costs, the Open Source definition, why to consider Open Source, Open Source software useful for security compliance, Open Source references and a case study, facing Open Source challenges, and Open Source software selection.

Reduce Security Compliance Costs Using Open Source

Mostafa Ibrahim, Security Meter CTO

CISA, ISO 27001 LA, RHCE

AGENDA

1. Information Security Compliance
2. Why Comply?
3. Compliance Costs
4. Open Source Definition
5. Why Consider Open Source?
6. Open Source Software Useful for Security Compliance
7. Open Source References and Case Study
8. Facing Open Source Challenges
9. Open Source Software Selection Criteria
10. Conclusion

Information Security Compliance

• Forces companies to put their infrastructure in order
• In many cases, companies face stiff penalties if deadlines are not met
• Prescribes policies and procedures that:
– Cover minimum standards for use of IT equipment
– Cover definitions of misuse
– Cover rules for enforcing the standards that have been set
– Protect the company's IT equipment, data, and other assets
– Include security and other business policies

Standards vs Regulations

Standards:
– Issued by national or international bodies, e.g. BSI, ISO
– Codes of practice (e.g. ISO 27001, ISO 9001, ISO 20000)
– Sanctions: none

Regulations:
– Issued by government agencies, markets or sectoral bodies
– Government agencies, e.g. FISMA for U.S. federal government agencies
– Markets and sectoral bodies, e.g. Basel II for banks, HIPAA for health care / insurance, PCI-DSS for the payment card industry, SOX for American public companies


Why Comply?

• Helps management: “You can’t manage what you can’t measure”
• Enables benchmarking internally and with others
• Builds trust with partners and customers
• Enables trend analysis: “Are things getting better or worse?”
• Audits usually increase visibility of business processes and IT infrastructure
• Avoids losing business because of being non-compliant

Why Comply?

TJX scandal
– One of the biggest retailers, dealing with more than 60 banks
– Considered to be the largest data breach ever
– At least 94 million Visa and MasterCard accounts may have been exposed
– The company reported spending $202 million in response to the breach
– Wireless security issue in one of its remote branches

Heartland data breach
– One of the largest processors of credit and debit card transactions in the U.S.
– Estimates are that more than 100 million accounts may have been exposed
– Attackers planted malware capable of sniffing out payment card data as it moved across the company's network, and then spirited it out of Heartland's systems in encrypted data streams

1. Determine the scope precisely (in terms of assets and business processes)
2. Reduce scope by segmenting the network
3. Baseline your environment against the standard to identify gaps
4. For all gaps, determine remediation actions with associated effort
5. Develop a prioritized plan to address gaps


Cost of Compliance

• U.S. public companies are spending $4.36 million each, on average, to comply with Section 404 of Sarbanes-Oxley (March 2005 survey conducted by Financial Executives International).

• Entities are typically spending between $2 and $8 million each to comply with PCI-DSS (from our experience in the region).


Open Source Definition

What exactly is Open Source Software?

Open Source is about granting users the freedom to run, copy, distribute, study, change and improve the software. OSS is any software that provides the following freedoms. The freedom to:

• Run the program, for any purpose (freedom 0)
• Study how the program works, and adapt it to your needs (freedom 1)
• Redistribute copies so you can help your neighbor (freedom 2)
• Improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3)

OSS licensing makes sure that the software and its derivative works stay free through adequate license obligations.

Open Source vs. Other Types

Closed Source
• The source is private and owned by someone. Usually you’d have to pay for the source code, if it’s even for sale.

Freeware
• Free software. It has nothing to do with the source code being available or not.

Source Available
• The source is available to look at, but not to modify or distribute. Allows users to understand how the


Why Consider Open Source?

• Avoid vendor lock-in
• Open Source allows many people to find and fix security or efficiency problems
• Ease of customization
• Deep understanding of the underlying technology


Open Source Software Useful for Security Compliance

• Firewall
• Network IDS / IPS
• File Integrity Monitoring / HIDS
• Web Application Firewall
• Log Management
• Encryption (at rest, in motion)
• Change Management
• Vulnerability Scanning
• Penetration Testing
• Business Continuity

Firewall

PCI-DSS
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data

ISO 27k
• A.10.6.1 Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Open Source Firewalls

• Netfilter / Iptables: http://www.netfilter.org
• Endian Firewall: http://www.endian.com
• ClearOS: http://www.clearfoundation.com/
• Zeroshell: http://www.zeroshell.net

IDS / IPS

PCI-DSS
• Requirement 11.4 Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic

ISO 27k
• A.10.6.1 Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Open Source IDS / IPS

Snort
• Snort has become the de facto standard for IPS
• http://www.snort.org

BASE (Basic Analysis and Search Engine)
• Web interface for Snort, providing reporting and analysis capabilities
• http://base.secureideas.net

Sguil
• Intuitive GUI that provides access to real-time events, session data, and raw packet capture
• http://sguil.sourceforge.net

HIDS / File Integrity Monitoring

PCI-DSS
• Requirement 11.5 Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

ISO 27k
• A.10.4 Protection against malicious and mobile code. Objective: To protect the integrity of software and information.

Open Source HIDS / File Integrity Monitoring

OSSEC
• Runs on almost all popular operating systems: Linux, MacOS, Solaris, HP-UX, AIX and Windows
• Has its own web interface
• http://www.ossec.net

Samhain
• Beltane is an intuitive web interface for Samhain
• http://www.la-samhna.de/

Osiris

Web Application Firewall

PCI-DSS
• Requirement 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by installing a web-application firewall in front of public-facing web applications

Open Source Web Application Firewall

ModSecurity
• The most widely used web application firewall
• Over 10,000 deployments

Log Management

PCI-DSS
• Requirement 10.2 Implement automated audit trails for all system components.
• 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts

ISO 27k
• A.10.10.1 Audit logging: audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
• A.10.10.3 Protection of log information: logging facilities and log information shall be protected against tampering.

Open Source Log Management Solutions

Syslog-NG
• http://sourceforge.net/projects/syslog-ng/

Php-syslog-ng
• Web interface for Syslog-NG
• http://sourceforge.net/projects/php-syslog-ng

Snare
• Collects Windows logs and sends them as syslog messages
• http://www.intersectalliance.com

OSSIM
• Open Source Security Information Management
• Much more than a basic log management solution
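The control on the HIDS / File Integrity Monitoring slide (PCI-DSS 11.5: compare critical files and alert on unauthorized modification) and 10.5.5 above (detect changes to existing log data) rest on the same mechanism, which OSSEC and Samhain implement at scale. The Python below is an added example, not code from the presentation or from any of the tools it lists: it records a baseline of hashes, sizes and permission bits, reports added, removed and modified files, and checks that a log has only grown (the previously recorded prefix is intact), which catches a same-length edit of an old line as well as truncation. The file names and log lines are constructed for the demo.

```python
"""Added example: a minimal file-integrity monitor with an append-only log check."""
import hashlib
import json
import os
import stat
import tempfile

CHUNK = 65536


def sha256_prefix(path, nbytes=None):
    """SHA-256 of the first nbytes of a file (the whole file when nbytes is None)."""
    digest = hashlib.sha256()
    remaining = nbytes
    with open(path, "rb") as fh:
        while remaining is None or remaining > 0:
            chunk = fh.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            digest.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record hash, size and permission bits of each monitored file."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {"sha256": sha256_prefix(path), "size": st.st_size,
                          "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare_baseline(old, new):
    """The 'critical file comparison' of Requirement 11.5: classify every difference."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def check_append_only(prev, path):
    """Change detection for logs (10.5.5): a log may only grow.

    prev is the baseline entry recorded at the last check; the bytes that existed then
    must still be the first prev["size"] bytes of the file. Returns 'ok', 'truncated'
    or 'rewritten'; anything but 'ok' should raise an alert.
    """
    if os.path.getsize(path) < prev["size"]:
        return "truncated"
    if sha256_prefix(path, prev["size"]) != prev["sha256"]:
        return "rewritten"
    return "ok"


def demo():
    """Constructed scenario: one config file and one log file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "app.conf")
        log = os.path.join(tmp, "app.log")
        with open(cfg, "w") as fh:
            fh.write("listen = 443\n")
        with open(log, "w") as fh:
            fh.write("2010-09-01T10:00:00 login user=alice result=ok\n")
        base = build_baseline([cfg, log])

        # Unauthorized edit of a configuration file: must show up as modified.
        with open(cfg, "a") as fh:
            fh.write("debug = true\n")
        diff = compare_baseline(base, build_baseline([cfg, log]))

        # Normal append to the log: allowed.
        with open(log, "a") as fh:
            fh.write("2010-09-01T10:05:00 login user=bob result=fail\n")
        appended = check_append_only(base[log], log)

        # Same-length edit of an old line: the size check misses it, the prefix hash does not.
        with open(log, "r+") as fh:
            data = fh.read().replace("user=alice result=ok", "user=alice result=no", 1)
            fh.seek(0)
            fh.write(data)
        edited = check_append_only(base[log], log)

        # Log emptied: shorter than the recorded size.
        open(log, "w").close()
        truncated = check_append_only(base[log], log)

        return {"diff": diff, "appended": appended, "edited": edited, "truncated": truncated}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the report. In a real deployment the baseline is stored off-host or signed, since whoever can edit the log can also edit a baseline kept beside it, and the comparison is scheduled at least weekly as 11.5 requires (daily is common practice).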

Encryption

PCI-DSS
• 3.4 Render PAN, at minimum, unreadable anywhere it is stored
• 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

ISO 27k
• A.12.3 Cryptographic controls. Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.

Open Source Encryption Solutions

TrueCrypt
• Disk encryption
• Windows 7/Vista/XP, Mac OS X, and Linux
• http://www.truecrypt.org

OpenSwan
• IPSec VPN
• http://www.openswan.org

OpenVPN
• SSL VPN
• http://www.openvpn.net

OpenSSH
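Requirement 3.4 above says what must be achieved, not how; the standard itself accepts truncation, one-way hashes based on strong cryptography, index tokens, and strong cryptography with key management as methods (that list comes from PCI-DSS, not from the slide). The Python below is an added example, not material from the presentation: it truncates a PAN for display, derives a keyed one-way token for lookups, and redacts Luhn-valid card numbers from free text such as log lines, which otherwise become one more place where PANs are stored. 4111111111111111 is a well-known test card number and the key is a constructed placeholder.

```python
"""Added example: rendering a PAN unreadable at rest (truncation, keyed hash, log redaction)."""
import hashlib
import hmac
import re
import secrets

# 13 to 19 digits not adjacent to other digits, so "order 1234" is left alone.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan):
    """Luhn check-digit test; rejects malformed input and cuts false positives in redaction."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Keep at most the first six and last four digits (the PCI-DSS display limit), mask the rest."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan, key):
    """Keyed one-way hash for matching transactions to a card without storing the card.

    An unkeyed SHA-256 of a PAN is not enough: with a known six-digit BIN and a Luhn check
    digit, the remaining digits are few enough to brute-force. The key must live outside
    the database (HSM or key-management service), so a database dump alone reveals nothing.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(pan, key):
    """The record a compliant system keeps: display form and lookup token, never the PAN."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {"display": truncate_pan(pan), "token": pan_token(pan, key)}


def redact_pans(text):
    """Replace every Luhn-valid card number in free text (log lines, tickets) with its truncated form."""
    return PAN_RUN.sub(
        lambda m: truncate_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), text)


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed; a real key comes from key management
    print(store_card("4111111111111111", demo_key))
    print(redact_pans("2010-09-01 order 1234 card 4111111111111111 approved"))
```

The token is deterministic for a given key, so two transactions on the same card match, and it changes when the key is rotated, which is exactly why the key must be managed (backed up, access-controlled, rotated) rather than hard-coded.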

Change Management

PCI-DSS
• Requirement 6.4 Follow change control procedures for all changes to system components.

ISO 27k
• A.12.5.1 Change control procedures. The implementation of changes shall be controlled by the use of formal change control procedures.

Open Source Change Management Solution

OTRS
• Open source Ticket Request System
• ITIL-compatible change management system
• http://www.otrs.org

Vulnerability Scan

PCI-DSS
• Requirement 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

ISO 27k
• A.12.6 Technical Vulnerability Management. Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

Open Source Vulnerability Scanner

• The short and wrong answer is Nessus
– This was valid before 2005; however, they still have a free version.
– http://www.nessus.org

OpenVAS
• Nessus open source replacement
• http://www.openvas.org/

Nmap Security Scanner

Penetration Testing

PCI-DSS
• 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).

ISO 27k
• A.12.6.1 Control of technical vulnerabilities. Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

Open Source PenTesting Tools

Metasploit
• The world's largest database of public, tested exploits
• http://www.metasploit.com

Nikto
• http://cirt.net/nikto2

W3af (Web Application Attack and Audit Framework)
• http://w3af.sourceforge.net/

Backtrack
• Complete Linux distribution focused on penetration testing, bundling almost all open source security testing tools
• http://backtrack.offensivesecurity.com

Business Continuity

BS 25999
• The whole standard is about Business Continuity

ISO 27k

Linux-HA (High Availability Cluster)
• http://www.linux-ha.org

Linux Virtual Server
• Load balancing and high availability clusters for web servers or web application servers
• http://www.linuxvirtualserver.org/


Open Source References

Snort IDS/IPS
• Has 300,000 registered users
• 4 million downloads
• DARPA, FBI, Pentagon and other US government agencies are using Snort
• Amazon cloud computing uses Snort

OTRS
• Supports 27 languages
• Used by 80,000 corporations
• Lots of European banks

Open Source Case Study

Advanced Operations Technology
• Application Service Provider hosting 12 Saudi brokers
• Has more than 400 servers running open source solutions on Linux
• 22 servers running firewall (Iptables), IPS (Snort) and VPN (OpenSwan); 11 pairs of high availability clusters using keepalived
• 11 web load balancers (Linux Virtual Server)
• ModSecurity web application firewall installed on all web servers
• OTRS is used as the ticketing system and change management system
• Syslog-NG and Php-Syslog-NG act as centralized log management, collecting logs from all systems, network devices and applications
• OpenLDAP acts as the centralized directory service
• I-DOIT acts as a centralized CMDB for all system configurations
• Nagios provides performance monitoring for all systems and network devices
• TrueCrypt is used to encrypt disks holding confidential data


Facing Open Source Challenges

Major challenges are the lack of professional services, support, and training.

Facing these challenges can only be done through:
• Hiring and building a highly qualified open source team
– Able to dig into source code when needed
– Able to deal with open source communities and mailing lists
• Building a lab / testing environment and having a small R&D department (one or two people)
• Shortlisting the companies providing open source


Open Source Software Selection Criteria

• Reputation
• Ongoing effort
• Standards and interoperability
• Support (community / commercial)
• Version
• Documentation
• Skill set

Conclusion

Extreme claims

“OSS is always more secure”

“Proprietary is always more secure”

Reality: neither OSS nor proprietary is always better. Some specific OSS programs are more secure than their proprietary competitors. Include OSS options when acquiring, then evaluate.

Conclusion

We are not open source fans.

We are not claiming that open source is better than closed source in all aspects.

We are just trying to convince you to consider

Thank You

Mostafa Ibrahim, Security Meter CTO

CISA, ISO 27001 LA, RHCE
