BLUE KAIZEN CENTER OF IT SECURITY
Cairo Security Camp 2010
Reduce Security Compliance Costs Using Open Source
Subject:
This document gives the reader an introduction to information security compliance, why to comply, compliance costs, the open source definition, why to consider open source, open source software useful for security compliance, open source references and a case study, facing open source challenges, and open source software selection.
Reduce Security Compliance Costs Using Open Source
Mostafa Ibrahim, Security Meter CTO
CISA, ISO 27001 LA, RHCE
AGENDA
1. Information Security Compliance
2. Why Comply?
3. Compliance Costs
4. Open Source Definition
5. Why Consider Open Source?
6. Open Source Software Useful for Security Compliance
7. Open Source References and Case Study
8. Facing Open Source Challenges
9. Open Source Software Selection Criteria
10. Conclusion
Information Security Compliance
• Forces companies to put their infrastructure in order
• In many cases brings stiff penalties if deadlines are not met
• Prescribes policies and procedures that:
> cover minimum standards for the use of IT equipment
> cover definitions of misuse
> cover rules for enforcing the standards that have been set
> protect the company's IT equipment, data and other assets
> include security and other business policies
Standards vs Regulations
• Standards:
– Issued by national or international bodies, e.g. BSI, ISO
– Codes of practice and management-system specifications (e.g. ISO 27001, ISO 9001, ISO 20000); ISO 27001 is the certifiable specification, ISO 27002 the code of practice it refers to
– Sanctions: none (adoption is voluntary unless a customer or contract demands it)
• Regulations:
– Issued by government agencies, markets or sectoral bodies
– Government agencies, e.g. FISMA for U.S. federal government agencies
– Markets and sectoral bodies, e.g. Basel II for banks, HIPAA for health care / insurance, PCI-DSS for the payment card industry, SOX for U.S. public companies
– Sanctions: yes, from fines up to losing the right to operate in the market
Why Comply?
• Helps management: "You can't manage what you can't measure"
• Enables benchmarking internally and with others
• Builds trust with partners and customers
• Enables trend analysis: "Are things getting better or worse?"
• Audits usually increase visibility of business processes and IT infrastructure
• Avoids losing business because of being non-compliant
Why Comply?
• TJX breach
– One of the biggest retailers, dealing with more than 60 banks
– Considered the largest data breach ever at the time (2007)
– At least 94 million Visa and MasterCard accounts may have been exposed
– The company reported spending $202 million in response to the breach
– Entry point: a wireless security weakness at one of its remote branches
• Heartland data breach
– One of the largest processors of credit and debit card transactions in the U.S.
– Estimates of more than 100 million accounts may have been exposed
– Attackers planted malware that sniffed payment card data as it moved across the company's network and then exfiltrated it from Heartland's systems in encrypted data streams
– Heartland had passed a PCI-DSS assessment shortly before the breach was discovered: passing an audit is not the same as being secure, the controls have to be operated every day
1. Determine the scope precisely (in terms of assets and business processes)
2. Reduce the scope by segmenting the network (a segment is only out of scope if the segmentation is verified to be effective, e.g. by firewall rule review and penetration testing)
3. Baseline your environment against the standard to identify gaps
4. For all gaps, determine remediation actions with associated effort
5. Develop a prioritized plan to address the gaps
Cost of Compliance
U.S. public companies are spending $4.36 million each, on average, to comply with Section 404 of Sarbanes-Oxley (March 2005 survey conducted by Financial Executives International).
Entities are typically spending between $2 and $8 million each to comply with PCI-DSS (from our experience in the region).
Open Source Definition
What exactly is Open Source Software?
Open source is about granting users the freedom to run, copy, distribute, study, change and improve the software. OSS is any software that provides the following freedoms (these are the Free Software Foundation's four freedoms; the Open Source Initiative's Open Source Definition covers the same ground in license terms). The freedom to:
Run the program, for any purpose (freedom 0).
Study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this.
Redistribute copies so you can help your neighbor (freedom 2).
Improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3).
Copyleft licenses such as the GPL make sure that the software and its derivative works stay free through license obligations; permissive licenses such as BSD, MIT and Apache allow derivatives to be closed, so check the license before building on a component.
Open Source vs. Other Types
• Closed Source
– The source is private and owned by someone. Usually you'd have to pay for the source code, if it is even for sale.
• Freeware
– Free software (free of charge). It has nothing to do with the source code being available or not.
• Source Available
– The source is available to look at, but not to modify or distribute. Allows users to understand how the
Why Consider Open Source?
• Avoid vendor lock-in
• Open source allows many people to find and fix security or efficiency problems (a benefit that only materializes when someone actually reviews the code and you track the fixes)
• Ease of customization
• Deep understanding of the underlying technology
Open Source Software Useful for Security Compliance
• Firewall
• Network IDS / IPS
• File Integrity Monitoring / HIDS
• Web Application Firewall
• Log Management
• Encryption (at rest, in motion)
• Change Management
• Vulnerability Scanning
• Penetration Testing
• Business Continuity
Firewall
• PCI-DSS
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• ISO 27k
A.10.6.1 Network controls: Networks shall be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
Open Source Firewalls
• Netfilter / iptables
http://www.netfilter.org
• Endian Firewall
http://www.endian.com
• ClearOS
http://www.clearfoundation.com/
• Zeroshell
http://www.zeroshell.net
Practical note: Requirement 1 also expects a documented ruleset with a business justification for each rule and a rule review at least every six months; a default-deny iptables policy with logged drops is the cheapest way to produce that evidence.
IDS / IPS
• PCI-DSS
Requirement 11.4: Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises
• ISO 27k
A.10.6.1 Network controls (the same control as for the firewall)
Open Source IDS / IPS
• Snort
Snort has become the de facto standard for network IDS/IPS
http://www.snort.org
• BASE (Basic Analysis and Security Engine)
http://base.secureideas.net
Web interface for Snort providing reporting and analysis capabilities
• Sguil
http://sguil.sourceforge.net
Intuitive GUI that provides access to real-time events, session data and raw packet captures
HIDS / File Integrity Monitoring
• PCI-DSS
Requirement 11.5: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
• ISO 27k
A.10.4 Protection against malicious and mobile code. Objective: To protect the integrity of software and
Open Source HIDS / File Integrity Monitoring
• OSSEC
Runs on almost all popular OSes: Linux, Mac OS X, Solaris, HP-UX, AIX and Windows. Has its own web interface.
http://www.ossec.net
• Samhain
http://www.la-samhna.de/
Beltane is an intuitive web interface for Samhain
• Osiris
Practical note: the tool only satisfies 11.5 if the baseline and the alerts are kept off the monitored host (an agent/server setup such as OSSEC's) and the comparison runs at least weekly; an intruder who can edit a file on a host can also edit a baseline stored next to it.
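To make the 11.5 comparison concrete, here is an added example of the core of a file-integrity monitor in Python. It is not code from OSSEC, Samhain or Osiris; the directory layout, file contents and the "intruder" edits in demo() are constructed for the example, and the baseline file name is a placeholder. Baseline the tree once, keep the baseline off-host, and re-run the comparison on the weekly (or tighter) schedule.

```python
"""Added example: a minimal file-integrity monitor, not OSSEC or Samhain code.
Baseline a directory tree (SHA-256 + permission bits), store the baseline,
and on a later run report added, removed and modified files, which is the
comparison PCI-DSS 11.5 asks for at least weekly. The paths, file contents
and the 'attacker' edits in demo() are constructed for the example."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its
    SHA-256 and permission bits. Symlinks are skipped rather than followed,
    so a link pointing outside the tree cannot smuggle in a foreign file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode & 0o7777
            baseline[rel] = {"sha256": sha256_file(full), "mode": oct(mode)}
    return baseline


def compare(baseline, current):
    """Return the three change sets an FIM alert is built from. A change of
    permission bits alone (e.g. a config file made world-writable) counts as
    a modification even though the content hash is unchanged."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a fake /etc, then simulate an intruder
    who weakens sshd_config, drops an ld.so.preload and deletes motd."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        files = {
            "passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "sshd_config": "PermitRootLogin no\n",
            "motd": "Authorized use only.\n",
        }
        for name, content in files.items():
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(content)

        # The baseline lives outside the monitored tree; in production it
        # belongs on the FIM server, not on the host being watched.
        store = os.path.join(root, "baseline.json")  # placeholder location
        save_baseline(build_baseline(etc), store)

        # Simulated unauthorized changes.
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as fh:
            fh.write("/tmp/evil.so\n")
        os.remove(os.path.join(etc, "motd"))

        return compare(load_baseline(store), build_baseline(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report from demo() lists ld.so.preload as added, motd as removed and sshd_config as modified; that is exactly the alert content an auditor will ask to see, together with the schedule that produced it. Watching the permission bits as well as the hash is deliberate: a config file that was chmod'ed to 666 without a byte changing is still an unauthorized modification.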
Web Application Firewall
• PCI-DSS
Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks, either by reviewing the applications for vulnerabilities (manually or with automated assessment tools, at least annually and after changes) or by installing a web-application firewall in front of public-facing web applications. The requirement offers both options; this deck covers the WAF route.
Open Source Web Application Firewall
• ModSecurity
The most widely used web application firewall, with over 10,000 deployments
http://www.modsecurity.org
Log Management
• PCI-DSS
Requirement 10.2: Implement automated audit trails for all system components.
Requirement 10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
• ISO 27k
A.10.10.1 Audit logging: Audit logs of security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.
A.10.10.3 Protection of log information: Logging facilities and log information shall be protected against tampering.
Open Source Log Management Solutions
• Syslog-NG
http://sourceforge.net/projects/syslog-ng/
• Php-syslog-ng
Web interface for Syslog-NG
http://sourceforge.net/projects/php-syslog-ng
• Snare
Collects Windows event logs and forwards them as syslog messages
http://www.intersectalliance.com
• OSSIM
Open Source Security Information Management; much more than a basic log management solution
Practical note: forward logs to a central collector over TCP (plain UDP syslog is silently dropped under load and is trivial to spoof) and keep the collector out of reach of the systems it collects from; 10.5.5 is about the integrity of the stored logs, which the transport alone does not give you.
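The "cannot be changed without generating alerts" part of 10.5.5 (and A.10.10.3) is usually met by running the file-integrity monitor over the log directory, but the check itself is worth seeing. The following is an added example in Python, not code from syslog-ng or OSSIM: the collector chains each stored record to the previous one with an HMAC, so an edit, a deletion or an insertion breaks every MAC after it, and a MAC published off-host (the "anchor") catches truncation of the newest records. The key, the host name and the sshd log lines are constructed for the example.

```python
"""Added example: tamper-evident log storage with a keyed hash chain. This is
not syslog-ng or OSSIM code; it shows the check behind PCI-DSS 10.5.5 and
ISO 27001 A.10.10.3. Each stored record carries an HMAC over the previous
record's MAC, its own sequence number and its text, so editing, deleting or
inserting a record breaks every MAC after it. The key is assumed to live on
the log collector only; the sample log lines are constructed."""
import hashlib
import hmac

GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key, prev_mac, seq, line):
    msg = f"{prev_mac}|{seq}|{line}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def chain_records(lines, key):
    """Turn raw log lines into chained records as the collector writes them."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        mac = _mac(key, prev, seq, line)
        records.append({"seq": seq, "line": line, "mac": mac})
        prev = mac
    return records


def verify_chain(records, key, expected_last_mac=None):
    """Return (ok, index_of_first_bad_record). expected_last_mac is the
    most recent MAC published off-host (e.g. mailed to the auditor daily);
    without it, truncation of the newest records cannot be detected."""
    prev = GENESIS
    for idx, rec in enumerate(records):
        if rec["seq"] != idx:
            return False, idx  # gap or reordering
        if not hmac.compare_digest(_mac(key, prev, idx, rec["line"]), rec["mac"]):
            return False, idx  # edited line or forged MAC
        prev = rec["mac"]
    if expected_last_mac is not None and prev != expected_last_mac:
        return False, len(records)  # records missing from the end
    return True, None


SAMPLE_LINES = [  # constructed sshd auth log, host name is made up
    "Jan  9 03:12:01 pos-01 sshd[2210]: Failed password for root from 10.9.8.7 port 51022 ssh2",
    "Jan  9 03:12:04 pos-01 sshd[2210]: Failed password for root from 10.9.8.7 port 51022 ssh2",
    "Jan  9 03:12:09 pos-01 sshd[2214]: Accepted password for root from 10.9.8.7 port 51030 ssh2",
    "Jan  9 03:13:40 pos-01 sshd[2214]: pam_unix(sshd:session): session closed for user root",
]


def demo():
    """Constructed scenario: an intruder rewrites the 'Accepted' record, then
    tries deleting it, then truncates the log; return what each attempt
    looks like to the verifier."""
    key = b"collector-only-key"  # placeholder; real key stays on the collector
    records = chain_records(SAMPLE_LINES, key)
    anchor = records[-1]["mac"]

    edited = [dict(r) for r in records]
    edited[2]["line"] = edited[2]["line"].replace("Accepted", "Failed")

    deleted = [dict(r) for r in records if r["seq"] != 2]

    truncated = [dict(r) for r in records[:3]]

    return {
        "clean": verify_chain(records, key, anchor),
        "edited": verify_chain(edited, key, anchor),
        "deleted": verify_chain(deleted, key, anchor),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} ok={result[0]} first_bad={result[1]}")
```

A plain (unkeyed) SHA-256 chain would not be enough: an attacker with write access to the log file can recompute the whole chain. The HMAC key forces them to also compromise the collector, and the published anchor forces them to also rewrite history somewhere they cannot reach. Note that "truncated_no_anchor" verifies as clean, which is the failure mode to design against.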
Encryption
• PCI-DSS
Requirement 3.4: Render PAN, at minimum, unreadable anywhere it is stored. The requirement names the acceptable approaches: one-way hashes based on strong cryptography, truncation, index tokens and pads, and strong cryptography with associated key management.
Requirement 4.1: Use strong cryptography and security protocols such as SSL/TLS or IPsec to safeguard sensitive cardholder data during transmission over open, public networks.
• ISO 27k
A.12.3 Cryptographic controls
Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
Open Source Encryption Solutions
• TrueCrypt
Disk encryption for Windows 7/Vista/XP, Mac OS X and Linux
http://www.truecrypt.org
(TrueCrypt development ended in 2014; VeraCrypt is the maintained fork)
• Openswan
IPsec VPN
http://www.openswan.org
• OpenVPN
SSL VPN
http://www.openvpn.net
• OpenSSH
Encrypted remote administration and file transfer (SCP/SFTP)
Practical note: disk encryption protects data on a stolen or decommissioned disk, not data on a running system where the volume is mounted, and the keys have to be managed as carefully as the data they protect.
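Requirement 3.4 lists truncation and one-way hashing as acceptable ways to render a PAN unreadable, and a common mistake is to store both forms for the same card. The following added example in Python (not code from TrueCrypt or any other tool on this page) shows truncation, a keyed one-way hash, and why an unkeyed hash kept next to the truncated PAN is not unreadable at all: with the first six and last four digits known, only the masked middle digits remain to brute-force. The PAN is the public Visa test number, and the key is a placeholder assumed to live in a separate key store.

```python
"""Added example: the 'render PAN unreadable' approaches named in PCI-DSS 3.4,
truncation and a keyed one-way hash, and why an UNKEYED hash stored next to
the truncated form is not unreadable at all. Not code from TrueCrypt or any
tool on the page; the PAN is the well-known Visa test number and the key is
a placeholder. The tokenization key is assumed to be kept in a separate key
store, as 3.4 expects for any cryptographic approach."""
import hashlib
import hmac
import itertools


def luhn_ok(pan):
    """Luhn check digit test; filters candidates cheaply before hashing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """First six (BIN) and last four are the most a receipt or screen may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_token(pan, key):
    """HMAC-SHA256 over the PAN: lets you match transactions to a card
    without storing the PAN, and cannot be brute-forced without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(pan):
    """Plain SHA-256: what many shops actually store. It looks unreadable."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(truncated, digest):
    """Given the truncated PAN and an unkeyed hash of the same card, brute-force
    the masked middle digits. A 16-digit PAN leaves only 10**6 candidates,
    which is seconds of work; this is why the pair counts as readable."""
    first, last = truncated[:6], truncated[-4:]
    masked = len(truncated) - 10
    for mid in itertools.product("0123456789", repeat=masked):
        candidate = first + "".join(mid) + last
        if luhn_ok(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


def demo():
    pan = "4111111111111111"  # public Visa test number, not a real card
    key = b"key-from-the-hsm-or-key-store"  # placeholder
    stored_trunc = truncate_pan(pan)
    stored_token = keyed_token(pan, key)
    stored_hash = unkeyed_hash(pan)
    return {
        "truncated": stored_trunc,
        "token_len": len(stored_token),
        "token_differs_per_key": stored_token != keyed_token(pan, b"other-key"),
        "recovered_from_unkeyed_hash": recover_pan(stored_trunc, stored_hash),
    }


if __name__ == "__main__":
    print(demo())
```

recover_pan() gets the full PAN back from the truncated value plus the plain SHA-256 in well under a second. The keyed token does not have that problem as long as the key is not on the same system as the data, which is the key-management half of 3.4 and the part open source tooling does not do for you.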
Change Management
• PCI-DSS
Requirement 6.4: Follow change control procedures for all changes to system components.
• ISO 27k
A.12.5.1 Change control procedures: The implementation of changes shall be controlled by the use of formal change control procedures.
Open Source Change Management Solution
• OTRS
Open source Ticket Request System
ITIL-compatible change management system
http://www.otrs.org
Vulnerability Scan
• PCI-DSS
Requirement 11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
• ISO 27k
A.12.6 Technical Vulnerability Management
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
Open Source Vulnerability Scanner
• The short and wrong answer is Nessus
This was valid before 2005; Nessus 3 went closed source that year, though a free version is still available.
http://www.nessus.org
• OpenVAS
Open source replacement for Nessus, forked from the last GPL release (Nessus 2.2)
http://www.openvas.org/
• Nmap Security Scanner
Port scanner and service fingerprinter; useful for scoping and for verifying segmentation, but not a vulnerability scanner on its own
http://nmap.org
Practical note: the quarterly external scans in 11.2 must be performed by a PCI Approved Scanning Vendor (ASV); an in-house OpenVAS run covers the internal scans and the checks after changes, not the ASV requirement.
Penetration Testing
• PCI-DSS
Requirement 11.3: Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment).
• ISO 27k
A.12.6.1 Control of technical vulnerabilities: systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
Open Source Pentesting Tools
• Metasploit
The world's largest database of public, tested exploits
http://www.metasploit.com
• Nikto
Web server scanner
http://cirt.net/nikto2
• w3af (Web Application Attack and Audit Framework)
http://w3af.sourceforge.net/
• BackTrack
Complete Linux distribution focused on penetration testing; bundles almost all open source security testing tools
http://backtrack.offensivesecurity.com
(BackTrack was succeeded by Kali Linux in 2013)
Business Continuity
• BS 25999
The whole standard is about business continuity
• ISO 27k (business continuity management)
• Linux-HA
High availability cluster
http://www.linux-ha.org
• Linux Virtual Server
Load balancing and high availability clusters for web servers or web application servers
http://www.linuxvirtualserver.org/
Open Source References
• Snort IDS/IPS
300,000 registered users, 4 million downloads
DARPA, the FBI, the Pentagon and other US government agencies use Snort
Amazon's cloud computing service uses Snort
• OTRS
Supports 27 languages
Used by 80,000 corporate customers, including many European banks
Open Source Case Study
• Advanced Operations Technology
Application service provider hosting 12 Saudi brokers, with more than 400 servers running open source solutions on Linux
22 servers running firewall (iptables), IPS (Snort) and VPN (Openswan); 11 pairs of high-availability clusters using keepalived
11 web load balancers (Linux Virtual Server)
ModSecurity web application firewall installed on all web servers
OTRS used as ticketing system and change management system
Syslog-NG and Php-Syslog-NG acting as centralized log management, collecting logs from all systems, network devices and applications
OpenLDAP acting as centralized directory service
i-doit acting as a centralized CMDB for all system configurations
Nagios providing performance monitoring for all systems and network devices
TrueCrypt used to encrypt disks holding confidential data
Facing Open Source Challenges
The major challenges are lack of professional services, support and training.
Facing these challenges can only be done through:
• Hiring and building a highly qualified open source team
– able to dig into the source code when needed
– able to deal with open source communities and mailing lists
• Building a lab / testing environment and having a small R&D department (one or two people)
• Shortlisting the companies providing open source
Open Source Software Selection Criteria
Reputation
Ongoing effort
Standards and interoperability
Support (Community / Commercial)
Version
Documentation
Skill set
Conclusion
• Extreme claims
– "OSS is always more secure"
– "Proprietary is always more secure"
• Reality: neither OSS nor proprietary is always better
– Some specific OSS programs are more secure than their competing proprietary products
– Include OSS options when acquiring, then evaluate
• We are not open source fans
• We are not claiming that open source is better than closed source in all aspects
• We are just trying to convince you to consider
Thank You
Mostafa Ibrahim Security Meter CTO
CISA, ISO 27001 LA, RHCE