Security Policy, Trends and Requirements - PowerPoint PPT Presentation

About This Presentation
Title:

Security Policy, Trends and Requirements

Description:

Improved Availability Of Resources Has Resulted In Greater Agency User Effectiveness ... Will Manifest In A Swift Undoing Of Credibility ... – PowerPoint PPT presentation

Slides: 29
Provided by: georgej9

Transcript and Presenter's Notes

1
  • Security Policy, Trends and Requirements
  • Council for Electronic Revenue Communication
    Advancement
  • CERCA
  • October 26, 2004
  • George J. Jakabcin, Director, Modernization
    Systems Security Engineering
  • Internal Revenue Service

2
Agenda
  • The Business Landscape
  • Security & Privacy Statement
  • What? Me Worry!
  • Minimizing Risk
  • Summary
  • Questions & Comments

Security Is An Enabling Capability
3
The Business Landscape
  • Electronic Transmittal
  • Improved Availability Of Resources Has Resulted
    In Greater Agency User Effectiveness
  • Has Also Accelerated Level Of Urgency To Resolve
    Issues
  • Electronic Filing
  • Has Dramatically Improved Processing Operations
  • 70 Million Electronic Returns And Climbing
  • Huge Reduction In Work Loads At Service Centers
  • A Forced Return To Paper Processing Will Crush
    The System
  • Introduction And Use Of New Technologies
  • XML
  • SOAP - Simple Object Access Protocol
  • Wireless

4
Security & Privacy Statement
[Diagram: MASS's Goal - Proactive Project Support; labels: The Commercial, System Developers, Business Owners, Solution, Operations, Mission Assurance]
  • Encourages Interaction Between Stakeholders
  • Ensures That Risks Are Viewed From Multiple
    Perspectives
  • Promotes Synergy Among Stakeholders
  • Early Engagement With Stakeholders Avoids
    Surprises Later

5
Why Worry About Security?
  • Most Computer Attacks Against IRS Systems
    Originate From The Internet (70% per Gartner)
  • Firewalls Don't Stop Many Attacks
  • Applications Bear More Of The Security Burden
  • Defense-in-Depth
  • More Automated Tools Remotely Probe Applications
    For Vulnerabilities
  • IRS Must Adhere To Federal Agency Security
    Guidelines

6
Why Worry About Security?
  • IRS Is A Service Agency
  • Our Performance And Our Approaches Must
    Demonstrate This
  • Taxpayer Perception Is Tremendously Important
  • Our Program Must Satisfy Legal Standards And
    Guidelines
  • Life Cycle Security Engineering
  • Certification And Accreditation Program
  • Security Controls Refinement
  • Government Regulations & Guidance
  • Third Parties Are Now Part Of The Agency Model Of
    Trust
  • The Business Relationship We Share Is Now Part Of
    The Agency Identity
  • Lines Are Blurring In The Cyber World
  • A Single Failure Equals A Massive Loss Of
    Confidence
  • Will Manifest In A Swift Undoing Of Credibility
  • Failure Will Impact Both Sides Of Our
    Relationship

7
Why Worry About Security?
  • Third Parties Are Now The Front Door To Taxpayer
    Service
  • Shared Responsibilities For Ensuring Security Is
    Working
  • Improvements To Security Posture Can Be Achieved
    Through Synergy
  • Bad Results Will Have A Detrimental Impact
  • Privacy Of Data Is Now A Firm Metric Of
    Performance
  • IRS And Third Parties Now Share The Same Level Of
    Expectation
  • Third Parties Must Embrace Same Sense Of
    Responsibility
  • Our Security Postures Are Interdependent
  • Our Approaches And Solutions Must Complement One
    Another
  • The Bottom Line
  • Third Party Practices Have A Direct Impact On IRS
    Security
  • Critically Important To Keep Public Confidence
    High For All Tax Processing Operations
  • Constantly Seeking Improved Methods To Validate
    And Reinforce This
  • Insider Attacks Include Attacks From Trusted 3rd
    Parties

8
Customer Perceptions
Why Worry About Security?
[Chart: Percent Of Notified Customers That Will Leave After; Source: 2004 Ponemon Institute Trust Survey]
11
Security Facts
  • SSL Does Nothing To Protect Web Sites From
    Attacks
  • 1,550 Web Sites Are Hacked Per Day (2004)
  • Increased Phishing Attacks
  • >2,000 Per Month
  • Increased Unwanted Or Malicious E-Mail
  • 75%

Source: TruSecure Corp.
12
Security Issues
  • Many Hacks Exploit Coding Errors
  • Code Reviews
  • Developing Secure Code Is Getting Harder
  • It's More Than Removing gets() From Your Code
  • Object Oriented Software Makes Good Coding More
    Important
  • Develop Once Use Often / Applies to Security As
    Well!

13
The Danger of XML
  • "XML will reopen 70% of the attack paths closed
    by firewalls over the past decade. They can
    carry virtually any payload over port 80 and the
    firewall is virtually incapable of stopping
    it." - Gartner Group, 2003
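
As an added illustration of the slide's point (not code from the presentation): if the firewall passes any XML over port 80, the application has to do the inspection itself. This standard-library Python sketch validates a SOAP 1.1 request body before business logic sees it; the size and depth limits, the sample operation name and its namespace are assumptions made here.

```python
import xml.parsers.expat

# Assumed limits for this illustration; not values from the slides.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample request (hypothetical operation name and namespace).
SAMPLE_REQUEST = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><SubmitReturn xmlns="urn:example:efile">'
    b'<tin>PLACEHOLDER</tin></SubmitReturn></soap:Body></soap:Envelope>'
)

class RejectedPayload(Exception):
    """Raised when an incoming XML body fails an application-layer check."""

def check_soap_payload(body: bytes) -> str:
    """Return the operation element name under <Body>, or raise RejectedPayload."""
    if len(body) > MAX_BYTES:
        raise RejectedPayload("payload exceeds size limit")
    # namespace_separator=" " makes expat report element names as "uri local"
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    state = {"depth": 0, "in_body": False, "operation": None}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE enables entity expansion; a SOAP envelope never needs one.
        raise RejectedPayload("DOCTYPE not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        if state["depth"] > MAX_DEPTH:
            raise RejectedPayload("nesting too deep")
        ns, _, local = name.rpartition(" ")
        if state["depth"] == 1 and (ns, local) != (SOAP11_NS, "Envelope"):
            raise RejectedPayload("root is not a SOAP 1.1 Envelope")
        if state["depth"] == 2:
            state["in_body"] = (ns, local) == (SOAP11_NS, "Body")
        elif state["depth"] == 3 and state["in_body"] and state["operation"] is None:
            state["operation"] = local  # first element under <Body>

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: state.update(depth=state["depth"] - 1)
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise RejectedPayload(f"malformed XML: {exc}") from exc
    if state["operation"] is None:
        raise RejectedPayload("no operation element inside Body")
    return state["operation"]
```

The checks run before any schema validation or deserialization, so oversized, entity-bearing, or malformed bodies are dropped at the cheapest point.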

14
Client Threats: Spyware and Bots
  • PHISHING ATTACKS!
  • Spyware Monitors Computer Use And Sends Data To A
    3rd Party.
  • Spyware Can Be Delivered Via On-line Games Or Web
    Sites
  • Spyware Often Takes Full Control Of A Computer,
    Exposing Data To Criminals
  • Bots Are Control Programs That Allow Remote
    Control Of Client Computers.
  • Worms Often Install Bot Code To Control Systems
  • Attack Vector For These Devices

Source: TruSecure Corp.
15
So What Do We Do?
16
Or As Forrest Gump Would Say ... It happens!
17
What IRS Must Do To Minimize Risk
  • Formulate Effective Approaches Reflected In Law
  • Driven By FISMA, Sarbanes-Oxley, Gramm-Leach-
    Bliley, Public Laws, Presidential Directives, And
    Others
  • Ensure Ownership And Accountability Of
    Information Systems
  • Assigning Designated Accrediting Authorities
    (DAAs) To Each Major Information System
  • Based On Span Of Management Control
  • DAAs Must Understand And Assume The Risk
  • Ensure Boundaries Are Established And
    Acknowledged
  • Physical Boundaries Do Not Necessarily Dictate
    System Boundaries
  • When Boundaries Are Identified, Ownership Is
    Clear
  • Security Coverage Must Be Reflected In Project
    Records

18
What IRS Must Do To Minimize Risk (cont.)
  • Build Toward Efficient Utilization Of Resources
  • Processes Must Be Consistent, Verifiable, And
    Repeatable
  • Digest And Apply Insight Gained From The Process
    Itself
  • Solve Critical Agency Issues
  • Bringing Shape And Form To Enterprise Risk
  • Steward Management Collaboration Across
    Organizational Boundaries For Risk Mitigation
  • Ensure Awareness And Organizational Adoption Of
    New Processes
  • Stakeholders Must Perceive Value In Mitigating Or
    Reducing Risk Across The Infrastructure
  • User Buy-in Creates Stronger Stakeholder
    Commitments

19
Repeatable Risk Management Process
[Diagram: Program Management, Project Management Procedures, Change Management, QA Process]
20
Repeatable Risk Management Process
[Diagram: Process vs. Time]
21
The NIST Framework Is Critical In Developing The
IRS C&A Process

22
Risk Mitigation
  • IRS Will Check All Electronic Submissions For
    Viruses And Malicious Code.
  • 3rd Party Business Partners Should Mitigate Risk
    Independently
  • 3rd Party Business Partners Held To Same
    Standards as Government Entities

23
Implicit Trust Demands Repeatability
  • Controls - Management, Operational, Technical
  • Be Consistent Across The Infrastructure
  • Enforce Policy While Enabling Security In A
    Uniform Manner
  • Employ COTS Where Possible And Custom Code Only
    If Necessary
  • Be Aware Of Trade-offs, Risks, Vulnerabilities,
    As Well As Advantages And Compromises
  • Build Common Security Services For IRS-specific
    Requirements
  • Negative TIN Check, UNAX
  • Custom-Built Security Must Be Kept In Check
  • Reduction In Implementation Costs And Maintenance
  • Complexity Of Deployments Must Be Minimized
  • Goal Is To Reduce Risk And Security
    Vulnerabilities

24
Repeatability (cont.)
  • Configurations
  • Limit Number Of Accepted Operating Systems
  • Enforce Common Configurations
  • Use Tools To Check Compliance And Communicate
    Results
  • Majority Of IRS Systems Identified Through GSS
    C&A Comprise A General Support System (GSS)
    Backbone
  • Separating Special Situations From Backbone
    Network
  • Special Purpose Systems Need Greater Security
    On Separate Networks

25
Influencing Third Party Development
  • "The importance of IT security cannot be
    over-emphasized because the stakes are too
    high!"
  • Commissioner Everson, July 22, 2005
  • See Your Business As A Stakeholder In IRS Success
  • Shared Destiny
  • Shared Fate
  • Shared Risk
  • Make Security Engineering A Complementary Effort
  • Security Must Contain Awareness Of Risk On Both
    Sides
  • Technical Approaches And Solutions Must Converge
  • Transform Your Business Practices
  • Be Guided By What IRS Must Do To Meet Its Mission
  • Build Toward The Shared Successful End State
  • Infuse The Idea Of Shared Risk Into Your
    Practices

26
Reinforcing Points
  • Complexities Of Effort Grow As The Enterprise
    Does
  • Efforts Need To Be Committed To Maintain
    Advantage
  • Learning From Experience Helps To Streamline
    Efforts
  • Security Practice Should Be Transforming, Not
    Just Repetitive
  • Ability To Be Adaptive Is Crucial To Taxpayer
    Confidence
  • Trusted Third Parties Are Subject To Same
    Considerations
  • New Solutions Means Coping With Greater
    Functionality
  • Selecting Controls And Gauging Risk In An Ongoing
    Manner
  • Collaborative Approach To Deploying Common
    Controls
  • Every Situation Is A Chance To Reaffirm Program
    Integrity
  • Practices And Approaches To Security Must Be
    Constantly Re-validated, And Lessons Learned
    Communicated
  • Unified IRS Community Perspective Will Help
    Minimize Risk

27
Summary
  • Aim For Effective Security - Integrated
    Throughout The Entire Lifecycle
  • Bake In Security, Don't Paint It On
  • Layered Defenses
  • Effective Responsiveness is as Important as
    Prevention
  • Rapid
  • Reliable
  • Intelligent / Adaptive
  • Security Is A Continuous Process Not A Definitive
    Event
  • Momentary Lapse Can Have Catastrophic Consequences

28
Opinions, Comments & Questions
George Jakabcin, Director, IRS Modernization
Systems Security Engineering <george.j.jakabcin@irs.gov>