IS/IT outsourcing services
Ing. Milan Jedlička
IBM IDC Brno, VUT FI, 18.5.2010
© 2006 IBM Corporation

Slide 2: Contents
§ Introduction to security within a service-oriented organization
§ Internal and customer security standards
§ Internal processes within the service-oriented organization

Slide 3: Motivation
§ 257a – Damage to and misuse of a record on an information carrier
§ Whoever, with the intent to cause damage or other harm to another, or to obtain an unjustified benefit for themselves or another, gains access to an information carrier and
– uses such information without authorization,
– destroys, damages or renders the information unusable, or
– interferes with the hardware or software of a computer,
shall be punished by imprisonment for up to one year, by a ban on activity, by a fine or by forfeiture of property.
§ The offender shall be punished by imprisonment for six months to three years if they commit the act referred to in paragraph 1 as a member of an organized group, or if by such an act they cause considerable damage or obtain a considerable benefit for themselves or another.
§ The offender shall be punished by imprisonment for one to five years if by the act referred to in paragraph 1 they cause large-scale damage or obtain a large-scale benefit for themselves or another.
§ Czech Republic law: § 257a – Misuse of connectivity or benefiting from unauthorized access to a data medium or information
– imprisonment for six months to three years
– imprisonment for one to five years – large-scale damage

Slide 4: Why to be interested in security
§ Data loss
§ Unauthorized data modification
§ Service shutdown
§ Unauthorized access to data
§ Unauthorized access to resources
§ Loss of reputation and trust
§ Limited service or production
§ Criminal activity issue

Slide 5: Why to be interested in security (illustrations only)

Slide 6: Prevention
§ Education of responsible and interested persons
§ Set roles and access rights
§ Appropriate software
§ Regular software updates
§ Following basic rules
§ Regular inspection
§ Active inspection
§ Physical security
§ D / R procedure

Slide 7: Education of responsible and interested persons
§ Education of responsible persons
§ User training
§ Information for the customer
§ Maintaining a high level of knowledge
§ Current status
§ Warning against current threats

Slide 8: Set roles and access rights
§ Set roles and access rights based on business need
§ User roles and groups to lower the security maintenance cost
§ Remember non-PC devices
– Network
– Mobile devices
– Printers
– Restricted areas
§ Follow internal processes

Slide 9: Appropriate software
§ Appropriate OS
§ Security policy SW
§ Firewalls
§ Antivirus SW
§ Further SW based on need (anti-spam, anti-spyware, monitors, etc.)
§ SW needed for production which supports security

Slide 10: Regular software updates
§ Regular OS updates
§ Regular SW updates
§ Regular antivirus DB updates
§ Regular maintenance of the DB with user roles and access rights

Slide 11: Following basic rules
§ Any security rules are useless if the people inside the company behave irresponsibly
§ Good passwords
§ Personal responsibility
§ Social engineering

Slide 12: Regular inspection
§ It is necessary to regularly check:
– the system
– the users and roles DB
– the settings of key applications
§ Found deviations must be quickly removed
§ All checks must be properly documented

Slide 13: Active inspection
§ Monitoring of network traffic
§ Monitoring of system operation
§ Ethical hacking

Slide 14: Physical security
§ Possible threats
– Unauthorized access
– Damage
– Theft
– Unintentional injury
– Damage by fire or natural disaster

Slide 15: Physical security
§ Placing HW into rooms with dedicated access
§ Fire security
§ Backup power
§ Backups located in another place
§ Minimize the movement of foreign persons in buildings
§ Use of electronic security, cameras, security agencies

Slide 16: D / R procedure
§ Regular backups
§ Secure data storage
§ Plan for the event of failure or damage

Slide 17: Internal and customer security standards and policies
§ Examples of standards and policies:
– Internal (company)
• ITCS300 - Basic IT staff rules
• ITCS104 - IT Security Rules
• CIO104 - IT Security
• LEG116 - Classification and management of IBM Materials
– Public
• ISO / IEC DTR 13335-1 Information technology
• ITIL - Security Management

Slide 18: Internal and customer security standards and policies
§ Identification
§ Authentication
§ Authorization
§ Privacy and confidentiality of information
§ Reliability and availability of services
§ Audit
§ Review
§ Reporting and management of security incidents
§ Managing physical access

Slide 19: Internal and customer security standards and policies
§ Identification
– Unique key for each user
– Digital certificates created and validated by a CA
§ Group 1: Key applications and data storage needed for core business
§ Group 2: SW or data storage with classified information, parts of key processes or subject to certification (audit)
§ Group 3: Other BAU SW
§ Group 4: Training, test and development systems
Slide 20: Internal and customer security standards and policies
§ Authentication
– User authentication system
• Verification of user identity
• Passwords must meet prescribed rules
• Time-limited passwords must be protected
• Authentication tokens must be protected
– System-to-system authentication
• A non-expiring password can be used

Slide 21: Internal and customer security standards and policies
§ Authorization
– Access must be authorized by the owner of the application with regard to the actual need for access; access to an application that has access to restricted information must be approved separately.
– Access by a third party to internal services must be authorized by corporate management, while providing only the strictly necessary access rights.
§ Remote access for employees
– Remote access to corporate networks must be carried out only in an approved manner.
§ Warning
– When logging into the internal company network, a warning and guidance must be displayed.
§ User resources
– The service provider must define the initial provisioning of the resources provided to users.
– Applications and data storage that allow users to manage access rights to their own resources must contain a tool to perform this management.
Slide 22: Internal and customer security standards and policies
§ Protection and confidentiality of information
– A set of technical and procedural measures designed to prevent unauthorized access to protected corporate data and the personal information of employees, business partners, customers and site visitors.
– Media containing sensitive data must be properly labeled.
§ Residual information
– It is necessary to ensure that residual classified or personal data is rendered unreadable in a way suitable for the medium.
§ Encryption
– Company information relating to unpublished technology, business plans, financial information and non-public personal information such as credit card numbers, financial or medical records must be encrypted when sent over the Internet.

Slide 23: Internal and customer security standards and policies
§ Reliability and availability of services
§ Managing system resources
– System resources must be protected from normal users.
– Regular user permissions must be based on business needs, determined by the service provider or the owner of the application.
§ Malware
– It is necessary to have active technical tools to prevent the spread and execution of malicious code.
– Application developers must provide written assurance that an antivirus test was conducted as part of the final tests.
§ Monitoring weaknesses
– According to the type of network, you have to choose the tools, timing and extent of weakness monitoring.
§ Warning system - security patches
– It is necessary to set up a process for the timely installation of patches.
– The OS must be upgraded to a supported OS with respect to the end of support for the OS. This upgrade may be delayed by extended support for security patches.
§ Modification Center
– Any modification of application software must be approved by corporate management, and the installation of such software must go through the approval process.
§ Availability
– It is necessary to have active technical tools to prevent DoS attacks.
– It is necessary to have active technical tools to prevent and detect an unlimited number of unsuccessful attempts to log on to the service.
– It is necessary to have a process for detecting and handling systematic attacks.

Slide 24: Internal and customer security standards and policies
§ Setup audit
§ For systems, applications, data storage and network equipment, where it is technically possible, it is necessary to log and alert on:
– successful and unsuccessful login attempts
– modification of system resources
– attempts to read system resources, which will be labeled as an exception
– attempts to run system resources, which will be labeled as an exception
– all activities conducted with Security Administrator authority
– successful assignment and allocation of IP addresses
§ For internal services there should be an alert for:
– all attempts at remote access to the internal company network
§ Internal logs cannot be stored in the customer environment.
§ Audit records must include the date, time, type and user identification.
§ Audit records must be stored for 60 days.
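The availability and audit requirements on slides 23 and 24 (log successful and unsuccessful login attempts, detect an unlimited number of unsuccessful logins, records carrying date, time, type and user identification, 60-day retention) as an added worked example in Python. This is not code from the presentation: the one-line record format, the threshold of 5 failed logins per user within 10 minutes and the sample log lines are constructed assumptions; only the mandatory fields and the 60-day period come from the slide.

```python
"""Audit-record checks modelled on the slide's requirements.

Added example, not code from the presentation. Assumptions not stated on the
slide: a one-line record format
    <ISO-8601 timestamp> <event type> key=value ...
with a user= and result= field, an alert threshold of 5 failed logins per user
within 10 minutes, and the slide's 60-day retention period.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("timestamp", "type", "user")  # slide: date, time, type, user id
RETENTION_DAYS = 60                              # slide: records kept for 60 days
FAIL_THRESHOLD = 5                               # assumption
FAIL_WINDOW = timedelta(minutes=10)              # assumption

# Constructed sample log; the last line lacks the mandatory user field.
SAMPLE_LOG = """\
2010-05-18T08:00:01+00:00 LOGIN user=alice src=10.1.1.5 result=ok
2010-05-18T08:02:10+00:00 LOGIN user=bob src=10.1.1.9 result=fail
2010-05-18T08:02:15+00:00 LOGIN user=bob src=10.1.1.9 result=fail
2010-05-18T08:02:21+00:00 LOGIN user=bob src=10.1.1.9 result=fail
2010-05-18T08:02:30+00:00 LOGIN user=bob src=10.1.1.9 result=fail
2010-05-18T08:02:44+00:00 LOGIN user=bob src=10.1.1.9 result=fail
2010-05-18T08:03:01+00:00 LOGIN user=bob src=10.1.1.9 result=fail
2010-05-18T08:10:00+00:00 SYSRES_MODIFY user=secadmin src=10.1.1.2 result=ok
2010-05-18T08:11:00+00:00 LOGIN src=10.1.1.7 result=fail
"""


def parse_record(line):
    """Parse one log line; raise ValueError when a mandatory field is absent."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("too few fields: %r" % line)
    record = {"timestamp": datetime.fromisoformat(parts[0]), "type": parts[1]}
    for item in parts[2:]:
        key, _, value = item.partition("=")
        record[key] = value
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError("missing audit field(s) %s: %r" % (missing, line))
    return record


def load_records(text):
    """Return (valid records, rejected lines); a rejected line is itself a finding."""
    valid, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            valid.append(parse_record(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return valid, rejected


def failed_login_bursts(records, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Sliding-window count of failed LOGIN events per user.

    Returns {user: ISO time of the failure that crossed the threshold}.
    """
    recent = defaultdict(deque)
    alerts = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if rec["type"] != "LOGIN" or rec.get("result") != "fail":
            continue
        window_q = recent[rec["user"]]
        window_q.append(rec["timestamp"])
        while rec["timestamp"] - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and rec["user"] not in alerts:
            alerts[rec["user"]] = rec["timestamp"].isoformat()
    return alerts


def expired_records(records, now_iso, retention_days=RETENTION_DAYS):
    """Records older than the retention period, i.e. eligible for disposal."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [r for r in records if r["timestamp"] < cutoff]


if __name__ == "__main__":
    recs, bad = load_records(SAMPLE_LOG)
    print("rejected lines:", bad)
    print("failed-login alerts:", failed_login_bursts(recs))
    print("expired on 2010-07-20:", len(expired_records(recs, "2010-07-20T00:00:00+00:00")))
```

A record that cannot be parsed is reported rather than silently skipped, because a log line without a user identification is exactly the kind of deviation the slide's "found deviations must be quickly removed" rule is about; the retention helper only identifies what may be disposed of, so that nothing younger than 60 days is ever deleted by accident.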
Slide 25: Internal and customer security standards and policies
§ Health check
– It is necessary to carry out a health check at regular intervals.
§ Verification of the security procedures
– Security procedures must be regularly checked on representative samples.
§ In-house accreditations and certification
– The method and implementation of tests and checks must be changed whenever a service is changed.
– It is necessary to carry out an annual recertification of all intra-company services.

Slide 26: Internal and customer security standards and policies
§ Reporting and management of security incidents
§ It is necessary to contact the responsible person and inform them of:
– contact persons for the management and technical areas,
– a description of the problem, the extent of systems or data affected by the incident, and the activities already performed.
§ Immediately create a record containing all information regarding the incident. For each piece of information, state the date and time.
§ Technical support must begin actions to mitigate the consequences without delay.
§ Responsible persons will provide information and instructions on how to proceed.
§ It is wrong to:
– Conduct investigations on your own. The risk is premature disclosure of an investigation or modification of records.
– Contact the persons or companies suspected of causing the incident without direct instruction from the responsible person.
– Attack the attacker (their system) in return. Such behaviour easily goes beyond the law.
– Try to clean up (delete data) without direct instruction from the responsible person. The risk is loss of the data needed to discover the cause.

Slide 27: Internal and customer security standards and policies
§ Managing physical access
§ Physical protection of systems and networks
– System and network equipment must be protected against damage and theft.
– Each entry into the protected area must be secured.
§ Physical protection and inventory of media
– Media containing key data, backups, archive data and D / R must be physically protected from unauthorized access, theft and damage.
– The protected media library must be inspected at least once a year.

Slide 28: Internal and customer security standards and policies
§ Operating systems
– AIX platforms
– Linux servers
– Microsoft Windows 2008 servers
– Microsoft Windows 2003 servers
– Microsoft Windows 2000 servers
– Microsoft Windows NT servers
– Novell NetWare
– OS/2 based OS
– OS/400 platforms
– z/OS, OS/390 and MVS platforms
– z/VM and VM platforms
– VMware ESX/GSX servers
§ Application software / middleware
– Apache web servers
– DB2 Universal Database
– Lotus Domino servers
– NetView
– OS/2 LAN Server
– WebSphere Application Server
– SSH servers
– Samba
§ Network infrastructure
– Local Area Network (LAN) equipment
– Wireless equipment
– Firewalls
§ Voice infrastructure
– Avaya Media Server
– Cisco Call Manager
– Call Management System
§ Other devices
– Printers
– Industrial devices
– Remote terminals

Slide 29: Internal and customer security standards and policies
§ The process is
– long-term
– event driven
– a structured sequence of activities that require
• people
• information
• technology
§ in order to achieve the objective.

Slide 30: Internal and customer security standards and policies
[Diagram with the elements: Internet user; Internet; ISP-provided access router; Internet access packet filter; Internet server; three firewalls; Intranet; data access; application server; data/support server. Parties: IHP = Internet Hosting Provider, ICO = Internet Content Owner.]
§ Red Zone (or Internet access LAN)
– Under physical control of the ISP
– No security control
§ Yellow Zone (or Internet server LAN)
– Under physical control of the vendor
– Separated from the Intranet by a firewall
– Separated from the Red zone at least by a packet filter
§ Green Zone (or Internet server LAN)
– Under physical control of the vendor
– Separated from Yellow by a firewall

Slide 31: Internal and customer security standards and policies
§ Physical security controls
– Areas
– Devices
– Prints
– Responsibility only for own premises, not the customer's premises

Slide 32: Internal and customer security standards and policies
§ Encryption
– Secure method
– Performance and recovery issues
– Legal restrictions

Slide 33: Questions?
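The zone model on slide 30 (Yellow separated from Red at least by a packet filter, Green separated from Yellow by a firewall) as an added worked example in Python that checks a topology for paths bypassing the required separation. This is not code from the presentation: the device/link representation, the device names, the strength ordering of filters and the constructed bypass link are assumptions; only the three separation rules come from the slide.

```python
"""Zone-separation check for the red / yellow / green model on slide 30.

Added example, not code from the presentation. Assumptions not on the slide:
a topology is a dict of device -> (zone, kind) plus a list of undirected links;
filtering devices carry zone None and kind "packet_filter" or "firewall"; a
firewall counts as at least a packet filter.
"""
from collections import defaultdict, deque

# Slide 30: yellow is separated from red at least by a packet filter,
# green from yellow by a firewall (hence red from green by a firewall too).
REQUIRED_SEPARATION = [
    ("red", "yellow", "packet_filter"),
    ("yellow", "green", "firewall"),
    ("red", "green", "firewall"),
]
STRENGTH = {"packet_filter": 1, "firewall": 2}

# Constructed topology following the slide's diagram.
DEVICES = {
    "isp_router": ("red", "router"),
    "pf": (None, "packet_filter"),
    "web": ("yellow", "server"),
    "fw1": (None, "firewall"),
    "app": ("green", "server"),
    "db": ("green", "server"),
}
LINKS = [("isp_router", "pf"), ("pf", "web"), ("web", "fw1"),
         ("fw1", "app"), ("app", "db")]
# Same topology with a link that bypasses the firewall (constructed misconfiguration).
BYPASS_LINKS = LINKS + [("web", "app")]


def zones_reachable_without(devices, links, start, min_strength):
    """Zones reachable from `start` on paths that never cross a filter of
    strength >= min_strength (breadth-first search; adequate filters act as a cut)."""
    adjacent = defaultdict(set)
    for a, b in links:
        adjacent[a].add(b)
        adjacent[b].add(a)
    seen, queue, zones = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        zone, _ = devices[node]
        if zone is not None:
            zones.add(zone)
        for nxt in adjacent[node]:
            if nxt in seen:
                continue
            if STRENGTH.get(devices[nxt][1], 0) >= min_strength:
                continue  # adequate filter: this path is properly separated
            seen.add(nxt)
            queue.append(nxt)
    return zones


def segmentation_violations(devices, links):
    """List (zone_a, zone_b, required_filter) for every zone pair where some
    path between them avoids the required filter."""
    violations = []
    for zone_a, zone_b, required in REQUIRED_SEPARATION:
        need = STRENGTH[required]
        for device, (zone, _) in devices.items():
            if zone != zone_a:
                continue
            if zone_b in zones_reachable_without(devices, links, device, need):
                violations.append((zone_a, zone_b, required))
                break
    return violations


if __name__ == "__main__":
    print("slide topology:", segmentation_violations(DEVICES, LINKS))
    print("with bypass link:", segmentation_violations(DEVICES, BYPASS_LINKS))
```

The check is a cut-set argument: if Green is still reachable from Red once every firewall is removed from the graph, then some path between the zones is not separated by a firewall, which is the situation the slide's layering is meant to exclude. The same routine can be run over an inventory of the devices listed on slide 28 once each is tagged with its zone and kind.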