Security, Identity & Privacy Services © Copyright IBM Corporation 2005 IBM Global Services Information Security & Quality Assurance Realities & Challenges Matunda Nyanchama, CISSP, PhD Delivery Leader, SI&P Services IBM Global Services, Canada Keynote Speech made at the 2005 Annual Quality Assurance Conference of the Kitchener-Waterloo Software Quality Association, April 20, 2005

Software Insecurity & Quality Assurance – Realities & Challenges

Matunda Nyanchama – Short Bio

Delivery Leader: Security, Identity & Privacy Delivery, IBM Global Services (CAN)

Experience:
- 10+ years in Information Security: consulting, financial services and security product development
- 7+ years in telecommunication engineering

Formerly of: Moneris Solutions, Bank of Montreal Financial Group, Intellitactics Inc., Ernst & Young LLP & Kenya Posts & Telecommunications Corporation (Kenya)

Certified Information Security Professional (CISSP)

MSc. & PhD, Computer Science (UWO)

BSc Electrical Engineering, University of Nairobi, Kenya

e-mail: [email protected]

Agenda

- Background
- Realities – Food for Thought
- Software Insecurity & Quality Assurance
- Software Security – the challenges
  - The Profession
  - The “Great Divide”
  - The Economics of Information Security
  - The Regulations

Background

Information Security – Some Definitions

Confidentiality – to prevent improper disclosure, accidental or otherwise, of sensitive information

Integrity – to protect against deliberate or accidental modification of information

Availability – to protect against unavailability of information to authorized users where & when they need it

Other related terms:

Privacy – ensuring the protection of personal information and its use based on the owner’s consent

Realities – Food for Thought

Information Security Risks & Potential Impacts

Risks
- Unauthorized disclosure of information
- Violation of Privacy
- Unauthorized Modification of Information
- Denial of Service

http://www.it.isy.liu.se/studentinfo/TSIT84/Risk_analysis.pdf

Direct Business Impact Losses
- Loss of Productivity
  - The time spent by technical personnel to contain & repair incident damage, and restore service
  - Downtime for personnel dependent on the impacted systems’ availability to conduct business

Indirect Business Impact Losses
- Loss of reputation
- Compliance penalties
- Potential liabilities

Sample Headlines

- Have hackers recruited your PC? - BBC April 2005
- Hackers target SA universities, 08/08/2003 10:08 - (SA)
- Security Drives Spending On Data And Hosting Services, July 15th 2003
- Hacker causes havoc for websites – BBC 2003
- Hackers threaten news sites' Integrity, By Craig Saila, September 21, 2001
- Oracle, Microsoft Warn of Database Flaws, By Lisa Vaas, July 24, 2003
- Security Alert: DB2 Flaws Surface, By Larry Seltzer, October 5, 2004
- MySQL Criticized in Wake of MySpooler Worm, By Lisa Vaas, February 4, 2005
- Exploits Circulating for MySQL Flaws, By Ryan Naraine, March 11, 2005
- Trojan Masquerades as Microsoft Security Update, By Ryan Naraine, April 11, 2005

The Threat of Terrorism

“It is very important to concentrate on hitting the US economy through all possible means. …look for the key pillars of the US economy. The key pillars of the enemy should be struck…” Osama Bin Ladin, Leader of al-Qaida, 12/27/01

Source: “Security in the Information Age: New Challenges, New Strategies”, Joint Economic Committee, United States Congress

Terrorists will look for weaknesses they can exploit

The Interconnected Societies: the critical Infrastructure

[Figure: layered model of critical infrastructure. Common layers: geographical map layer (geo-political boundaries), terrain layer (elevation), feature layer (land use, cities, buildings, towers), physical backbone layer (cables, fiber routes, satellites), transport services layer (SONET rings, ATM, PSTN), telecom services layer (Internet, data, voice, fax). Sector-dependent layers: control layer, technical application layer, operations layer, shown for the telecom, utilities, financial, government and health care sectors, with labels including SS7, SCADA, POS terminals, ATMs and HL7.]

Source: Between Chaos and Order. Emerging Risks in Organizations by Robert Garigue, BMOFG

A Porous/Leaky Infrastructure

[Figure: infrastructure components: WAN, LAN, routers & circuits, telephony, firewalls & switches, servers. User level: head seat, desktop, laptop, phone, PDA, LMR.]

Source: An Industry Partnership - Survival Guide. A TSA Case Study - FCW 1st Annual Program Manager Summit - 2003

The Cost of Insecurity – Expenditure per Employee

Source: 2004 CSI/FBI Computer Crime and Security Survey

Substantial sums of money are spent addressing insecurity

$ Losses by Type

Source: 2004 CSI/FBI Computer Crime and Security Survey

Highest degree of losses associated with virus attacks

Malware-related Costs

Source: Trend Micro/NetScreen. “Virus Protection Across the Enterprise”. Nov 2003

Increasing Costs of Security

Source: "Weathering the Sea-State Change in Cybersecurity" By Richard Clarke

Some estimates suggest up to a 12-fold yearly increase in security costs to businesses

Identity Theft – Industry Numbers

According to Statistics Canada, there were close to 9000 identity theft complaints, estimated to have caused more than $14 billion in losses, compared with 8000 with estimated losses of $9 billion in 2003.

Identity Theft Complaints & Losses

PROVINCES   2002 VICTIMS   2002 $ LOSS       2003 VICTIMS   2003 $ LOSS
ON          4028           $5,643,102.19     3874           $9,085,468.61
BC          1042           $912,680.40       1206           $925,418.84
AB          635            $593,599.25       724            $806,745.84
MB          196            $165,953.92       133            $165,565.52
SK          106            $54,747.82        125            $289,478.41
UNKNOWN     144            $1,235.00         50             $13,842.66
NB          131            $130,455.19       119            $219,119.47
NS          185            $138,932.62       139            $84,569.68
NF          46             $24,855.20        61             $84,015.56
PE          16             $2,183.42         10             $2,150.00
NT          2              $0                1              $0
QC          1644           $1,160,533.44     2372           $2,428,490.31
YT          2              $0                1              $0
NU          1              $1,100.00         2              $3,000
TOTALS      8178           $8,829,378.45     8817           $14,107,864.90

Source: Statistics Canada, http://www.phonebusters.com/Eng/Statistics/idtheft_canada_stats_2002.html

Indicators and warnings
External environment: the rates of evolutions

- Hackers
- Script kiddies
- Industrial espionage
- Cyber-terrorists
- Competitors
- Suppliers

16 new malware products launched every day: viruses, worms, trojan horses, spyware etc.

7 new vulnerabilities discovered every day

20 minutes guaranty

Probes against Financial Institutions web sites launched every 6 seconds

Social engineering is on the rise: People are the weak link

Source: Between Chaos and Order. Emerging Risks in Organizations by Robert Garigue, BMOFG

Software Vulnerabilities Realities - I

Software vulnerabilities are a reality of life; cannot demonstrate that a piece of code is error-free; we test for known vulnerabilities

SE practices emphasize functionality over safety and security

SE is labour intensive; hence prone to human error

The need to cut software development expenses impacts formal design, verification and testing

Software Vulnerabilities – A reality of Life - II

Time to market pressures impact negatively on comprehensive secure specification, design, implementation and testing

Up to 50% of security-related attacks relate to flaws in software development
- Examples: input and access validation errors (Wei Li)

Module reuse amplifies error impacts whenever a faulty module is reused

Software Insecurity – The Facts

- Security exploits are due to software flaws
- For each exploit, there is a root cause
- Causes can be prevented
- Prevention is always better than cure
- A substantial degree of prevention can be realized with quality assurance
- Build security into the SDLC and ensure it is a component of quality assurance

Exploiting Vulnerabilities

• IP Spoofing
• Trojan logons
• Packet relaying
• Social engineering
• Packet modification
• Stealing password files/cracking/Sniffing
• Electronic Harassment of personnel
• Probing for new vulnerabilities
• Prediction of Sequences
• Manipulation of data
• Denial of services
• Worms/virus/Trojans

• Credit card fraud
• Source Code Reengineering
• Bank Account fraud
• Extortion
• Identity Theft
• Vandalism
• Etc.

Software Insecurity & Quality Assurance

Software Quality

Software quality affects, and is affected by, all aspects of the SDLC, including specification, design, development, support, revision, and maintenance.

Quality Assurance covers all activities from requirements specifications, design, development, testing, production, installation, maintenance and documentation.

Software quality attributes include usability, functionality, performance, reliability, efficiency, safety, security, maintainability, and portability.

A general rule of quality assurance: do it right first time

Some Misconceptions About Application Security

Building security as a common service, external to the application
- This architecture does not work well. May address large portion of the requirements, but every application is inevitably different
- Content protection often not addressed
- Seldom sufficiently comprehensive (e.g. what about the database?)

“Application Security is very expensive…”
- Customers understand the cost/benefit of quality. Need a way to quantify cost/benefit of security
- What is the cost of a “stressful event” vs. the cost to prevent it?

Security is another type of quality attribute. Integration of security methods and activities within quality assurance means that in most cases, security will represent relatively small incremental costs.

Source: Sharon Hagi, Engineering e-Business Applications for Security, Whitepaper, IBM Canada Ltd

Designing for Security – Pervasive Scope.

Source: Sharon Hagi, Engineering e-Business Applications for Security, Whitepaper, IBM Canada Ltd

The Cost of Quality - Corrective Action vs Failure

Corrective Action is paid for Once, Whereas Failure to take corrective action may be paid for over and over again.

Source: L. Daniel Crowley, Introduction to Cost of Quality. IDX Seattle

Cost of Fixing a Bug

[Figure: Cost of Fixing a Bug plotted against Stage in SDLC]

Dealing with Security Flaws

Understand the value of software flaw reduction

Define strategy for reduction of software flaws, with a view to minimizing them;

Invest in proper quality assurance that includes security considerations throughout the SDLC

Continuously evaluate process effectiveness to gain further improvements

Delivery Plan - Integrated Application Security Model

[Figure: integrated application security model within an Enterprise Security program. System Development Life Cycle stages: Design (High/Low), Development, Integration, Implementation, Testing, Maintenance. Security activities shown: Application Secure Process Development, Application Security Architecture, Application Security Process Review, Application Security Solution Design, Application Security Controls Review, Application Security Risk Review, Application Security Testing (Hacking), Application Code Security Review, Infrastructure Hacking, Learning Services, Intelligence Service. Other labels: Global Services Methods; Architecture; Application Framework; OS, Java, Virtual Machine; Network, HW, Storage.]

Source: Sharon Hagi, Engineering e-Business Applications for Security, Whitepaper, IBM Canada Ltd

The Challenges

Application Insecurity - a Multi-headed “Monster”

Software Engineering Practitioners
- Software Engineering Education
- Software Engineering Profession

Software Engineering Process
- Security as integral to quality assurance in the SDLC
- Total Quality Assurance

Software Engineering Industry Culture
- Vendor Accountability

Quality Assurance Tools
- To support efficient/effective quality assurance practices/processes

The Law & Public Accountability
- Compliance legislation, e.g.
  - Canadian Bill C-198 & the Sarbanes-Oxley (SOX)
  - GLBA
  - HIPAA
  - State of California Privacy Legislation (SB 1386)
  - California

Towards Secure Software – An Approach

- Fix the Profession
- Bridge the “Great Divide” security & IT processes
- Economics of Information Security
- Appropriate Regulations

Fixing the Software Engineering Profession

Software Engineering Education

- Education with emphasis on:
  - Not just effective technical solutions but also economic, social concerns & legal concerns
  - Ethical conduct and social responsibility
  - Continuous learning culture

Example from IEEE-CS/ACM Joint Task Force on Computing Curricula.

…

3. Reconcile conflicting project objectives, finding acceptable compromises within limitations of cost, time, knowledge, existing systems, and organizations.

4. Design appropriate solutions in one or more application domains using software engineering approaches that integrate ethical, social, legal, and economic concerns.

The Software Engineering Profession

Compare & Contrast: an engineer vs a software engineer
- Engineers have to undergo a common body of knowledge to qualify as engineers; not so for software engineers
- Engineers have to be certified before being licensed to practice – not so for programmers
- A faulty building/bridge design would impact public safety; in SE a company could lose millions or people could be hurt
- An engineer can be held liable for failure to observe standard engineering practices – not obvious for the software engineers

Software Engineering Code of Ethics

1. Public - Software engineers shall act consistently with the public interest.
2. Client & Employer - Software engineers shall act in a manner that is in the best interests of their client and employer consistent with the public interest.
3. Product - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
4. Judgment - Software engineers shall maintain integrity and independence in their professional judgment.
5. Management - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
6. Profession - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
7. Colleagues - Software engineers shall be fair to and supportive of their colleagues.
8. Self - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.

Source: Software Engineering Code of Ethics and Professional Practice.

The Great Divide!

The Security Challenge: Alignment

The Digital Divide: Two solitudes, in virtual isolation

Project assessment

Security services
- Anti-Virus
- Patches
- Vulnerability Assessments
- Incident management
- Intrusion detection
- Application security
- Access management
- Key management
- Firewall rules
- Availability

IT processes
- Application development
- Architecture
- Problem management
- Incident management
- Change management
- Service level
- Configuration
- Capacity
- IT Service continuity

Source: Between Chaos and Order. Emerging Risks in Organizations by Robert Garigue, BMOFG

The Great “Divide” – Gem of Hope
An Integrated Risk Management Approach

The objective is to lower the overall risk through capability maturity framework integration

Bus. Req., Design, Development, Operations, Implementation

ITILSEI CMMISO Project ISO 17799

Risk Management through Maturity Framework alignment

Organizational focus

Information and technical Architecture

Source: Between Chaos and Order. Emerging Risks in Organizations by Robert Garigue, BMOFG

The Plan-Do-Check-Act Cycle

[Figure: Development, Maintenance & Improvement of a Vulnerability Management Program as a Plan-Do-Check-Act cycle]
- PLAN: Establish A Vulnerability Management Program
- DO: Implement Vulnerability Management Program
- CHECK: Monitor & Continuously Review Program Performance
- ACT: Maintain & Improve Vulnerability Management Program

Lessons & Industry Leading Practices: Continuously learn and adopt industry leading practices

Source: M. Nyanchama. Enterprise Vulnerability Management. To Appear in Information Systems Security

The Economics of Information Security

Security as an Externality – A reality of Life

Vulnerabilities are a negative externality
- Polluters will go on producing pollution until the costs to the polluter outweigh the benefits.
- Those who abuse personal data will go on until the costs to the abuser outweigh the benefits.

Secure systems offer positive externalities
- Lojack causes neighborhood auto theft to go down because it is not detectable
- High levels of trust increase Internet use and value

Source: Jean L. Camp. Economics of Information Security

Vulnerabilities are a negative externality
- Vendors will continue producing insecure applications until the costs to them outweigh the benefits
- Software engineers will continue writing insecure code until the costs to the engineers outweigh the benefits
- Hackers will continue attacking insecure systems until the costs to the hackers become prohibitive

Secure systems offer positive externalities
- Secure systems would cause system attacks to fall to undetectable levels

Gems of Hope

Microsoft
- The publication and launch of the Trustworthy Computing Initiative
- Internal focus on secure coding awareness and training
- Launch of security certification & risk assessment services

The Law!
- State of California privacy legislation SB 1386
  - Legally obligated to inform clients of privacy breaches
- SEC Sarbanes-Oxley (SOX)
  - Ensuring strength in internal controls to ensure accuracy of financial statements
- Others: HIPAA, GLBA, and the Basel II Accord

ACM/IEEE-CS Code of ethics

ACM/IEEE-CS curriculum

ACM/IEEE-CS Certification

Summary

Software insecurity has real costs to
- The individual,
- Businesses and
- Society – opportunity cost/critical infrastructure

Quality Assurance has a major role to play
- Incorporate security in the SDLC as a component of QA

Other challenges
- Appropriate education in preparation for software engineering careers
- Fixing the profession of Software Engineering, including certification, licensing and self-regulation
- Removing the divide between security practitioners and IT processes
- Proper legal process and vendor accountability
- Getting the economics of insecurity right!

Food for Thought

Running a company by profit alone is like driving a car by looking in the rearview mirror. It tells you where you’ve been, not where you are going! - Dr. E. Deming

“One resists the invasion of armies; one does not resist the invasion of ideas,” which is often paraphrased as: “There is one thing stronger than all the armies in the world, and that is an idea whose time has come.” – Victor Hugo (Source: Histoire d'un Crime (History of a Crime), written 1852, published 1877)

“You can take the cattle to the watering hole; you cannot make them drink” – one Gusii Wisdom

Question?

Abstract

Security breaches make headlines on an ongoing basis, while companies lose valuable time and incur losses in responding to security incidents that follow the exploitation of software flaws. According to the 2004 CSI/FBI Computer Crime and Security Survey, viruses caused industry-wide losses of more than $55 billion. In 2003, worldwide losses of $1.1 billion (see Computer Economics) were attributed to the SoBig malware. These are only some of the reported losses. The risks associated with security flaws are much larger and will likely increase with the growth of electronic commerce and software-controlled systems. Be it in healthcare, transportation, energy, aviation or other critical infrastructures, production of secure software is key. This has focused attention on application security and the means of building security into the systems development life cycle. With respect to quality assurance, security comes as a natural extension; building it in early in the SDLC and making it an element of total quality assurance in development will reduce risks and save retrofitting costs. This talk will focus on the necessity for secure software development. The need for accountability and governance in software development and quality assurance will be discussed. We will talk about the role of professionals and the need for (a) more encompassing education, (b) ethical conduct and (c) accountability. We will share war stories and compare examples from professions such as engineering and medicine.

References

- Wei Li. Security Model for Open Source Software. http://www.cs.helsinki.fi/u/campa/teaching/oss/papers/wei.pdf
- Fred Cohen. Risk Management: Concepts and Frameworks. The Burton Group, Directory and Security Strategies. July 18, 2003.
- Noopur Davis et al. Processes for Producing Secure Software, a Summary of the US National Cybersecurity Summit Subgroup Report. IEEE Security & Privacy, Volume 2, Number 3, May/June 2004.
- IEEE-CS/ACM Joint Task Force on Software Engineering Ethics and Professional Practices and Jointly approved by the ACM and the IEEE-CS. Software Engineering Code of Ethics and Professional Practice. See http://www.computer.org/certification/ethics.htm
- IEEE-CS/ACM Joint Task Force on Computing Curricula. Software Engineering 2004. Curriculum Guidelines for Undergraduate Degree Programs in Software Engineering. A Volume of the Computing Curricula Series. August 23, 2004; http://sites.computer.org/ccse/SE2004Volume.pdf
- Engineering Principles for IT Security - A baseline for achieving security; Recommendations of the National Institute of Standards and Technology (NIST).
- The National Strategy to Secure Cyberspace; http://www.whitehouse.gov/pcipb/
- An Industry Partnership - Survival Guide. A TSA Case Study - FCW 1st Annual Program Manager Summit 2003
- Jean L. Camp. Economics of Information Security
- Sharon Hagi, Engineering e-Business Applications for Security, Whitepaper, IBM Canada Ltd.
- L. Daniel Crowley. Introduction to Cost of Quality. IDX Seattle; www.sasqag.org/pastmeetings/CostOfQuality.ppt
- John Earles. Software Engineering - Myth or Reality?; www.cbd-hq.com/articles/2000/000515je_softwareengineering.asp
- Kenneth H. Newman. Application Security - Attackers Won’t Stop at the Firewall (Why should you).
- Matunda Nyanchama. Enterprise Vulnerability Management. To Appear in Information Systems Security