metholodogies and security standards

Developing the infrastructures that enable e-business ®

www.sia.es

Security Standards & Methodologies

FIST November/Madrid 2003 @ UPSAM

Vicente Aceituno

Most standards are the result of agreements on the behaviour of a component or the connection between components.

Using standards a company can create products and services that work well with others, without any previous agreement between the product makers.

Standards enable “teamwork” without permanent coordination, becoming a “coordination by default”.

What are standards good for?

International Organization for Standardization.

International Electrotechnical Commission.

British Standards Institute.

Internet Engineering Task Force.

ISACA.

International Information Security Foundation.

National Institute of Standards and Technology (USA)

AENOR (Spain)

AICPA.

BSI.

Software Engineering Institute.

ISECOM

W3C

IETF

Private companies.

ISSA...and so on.

Who makes standards?

Benchmarks.

Algorithms.

Products.

Operations.

Management.

Organization.

Auditing.

What is covered by standards?

Andrew Tanenbaum famously quipped that “The good thing about standards is that there are so many to choose from”.

The reasons are manifold. Politics, Economics and other interests...

Why there are so many standards?

Clear concepts framework.

Provides guidance to move from theory to practice.

Compliance can be tested.

It scales: It can be used both for small and large organizations, enterprises and government.

It considers the environment where the organization operates.

What is a perfect standard?

ISO 17799 based on BS 7799 of the British Standards Institute.

ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.

RFC2196 by Internet Engineering Task Force.

Cobit by ISACA.

800-14 GAASP by National Institute of Standards and Technology.

ISO15408 - Common Criteria from National Institute of Standards and Technology.

Standard of Good Practice for Information Security from ISF.

SysTrust by AICPA.

IT Baseline Protection Manual from BSI.

OCTAVE by Software Engineering Institute.

CSEAT Review Criteria from National Institute of Standards and Technology.

OSSTMM from ISECOM.

RFC2078 GSS API by Internet Engineering Task Force.

RFC3365 by Internet Engineering Task Force.

RSA PKCS.

GAISP by ISSA.

Some Security Standards

ISO 17799 based on BS 7799 of the British Standards Institute.

ISO/IEC TR 13335-4 by ISO/IEC Joint Technical Committee 1.

Cobit by ISACA.

800-14 GAASP by National Institute of Standards and Technology.

Standard of Good Practice for Information Security from ISF.

SysTrust by AICPA.

Information Security Management

IT Baseline Protection Manual from BSI

OCTAVE by Software Engineering Institute.

CSEAT Review Criteria.

OSSTMM from ISECOM.

Testing and Auditing

Products: ISO15408 - Common Criteria.

API: RFC2078 - Generic Security Service Application Program Interface.

Protocols: RFC3365 - Strong Security Requirements for Internet Engineering Task Force Standard Protocols.

PKI: PKCS, X.509

Encryption: Advanced Encryption Standard (FIPS 197)

XML:XML encryption (Xenc)

XML signatures (XML-SIG)

XML key management specification (XKMS)

Security assertion markup language (SAML)

eXtensible access control markup language (XACML)

...just too many to tell them all.

Technology

It is based on BS 7799-1.

BS 77991-1 is a Code of Practice provides 127 security controls; It contains requirements of a general nature.

BS 77991-2 is a information security management system. It provides a formal methodology for setting up an Information Security Management System.

ISO 17799:2000

•http://www.bsi-global.com/Training/Infosec/index.xalter

ISO/IEC Technical Report 13335 - Guidelines for the management of IT Security

1996 -- Part 1: Concepts and models for IT Security.

1997 -- Part 2: Managing and planning IT Security .

1998 -- Part 3: Techniques for the management of IT Security.

2000 -- Part 4: Selection of safeguards.

2001 -- Part 5: Management guidance on network Security.

•http://www.iso.org/iso/en/ISOOnline.frontpage

COBIT

The purpose of COBIT is to provide an Information Technology (IT) governance model that helps managing the risks associated with IT.

COBIT aims to make a clear and distinct link between information technology and business goals

The COBIT framework identifies 318 detailed control objectives contained within this classification.

Quality Control Components: Quality, Cost and Delivery

Fiduciary Control Components: Effectiveness, Efficiency, Reliability of information, Compliance.

Security Control Components: Confidentiality, Integrity and Availability

•http://www.isaca.org/

GAISP & 800-14

It’s just a series of principles.

It doesn’t provide a way to test if the principles are being followed.

It’s been used a information source for other standards.

•http://csrc.nist.gov/publications/nistpubs/

•http://web.mit.edu/security/www/gassp1.html

•http://www.issa.org/gaisp.html

Standard of Good Practice

This standard is being pushed as “the standard” by the proponents, with scarce results.

•http://www.isfsecuritystandard.com/index_ns.htm

SysTrust/WebTrust

Focused on systems reliability for e-commerce activities.

•http://www.cica.ca/index.cfm/ci_id/635/la_id/1.htm

Describes organizational, personnel, infraestructure and technical standards.

Globally assumed threat scenario.

Detailed descriptions of safeguards.

Description of the process involved in maintaining an appropriate level of IT security.

Procedure for ascertaining the level of IT security.

IT Baseline protection

•http://www.bsi.bund.de/gshb/english/menue.htm

OCTAVE

Involves internal personnel, providing security awareness and understanding of the business continuity needs.

Introduces extensible project management techniques.

It’s supposed to facilitate adaption to security requirements evolution.

•http://www.cert.org/octave/

CSEAT Review Criteria

Big list of things to do.

Provides no conceptual framework.

•http://csrc.nist.gov/cseat/

Methodology for Penetration Testing.

GNU-FDL Licenced.

Open Source Security Testing Methodology Manual

•http://www.isecom.org/projects/osstmm.shtml

Security Standards & Methodologies

FIST November/Madrid 2003

Vicente Aceituno

Developing the infrastructures that enable e-business ®