Module 1
The Need for Security Analysis
Copyright © 2004 EC-Council. All rights reserved worldwide. Reproduction is Strictly Prohibited.
Module Objective
This module will familiarize you with:
Theft
Fraud/Forgery
Interception or Modification of Data
So What are you Trying to Protect?
Your Assets
Why are Intrusions so Often Successful?
What are the Greatest Challenges?
Environment complexity
New technologies
Environmental Complexity
Multiple points of access:
• Wired/wireless
• Analog/remote
Multi-vendor environments:
• Cisco, Checkpoint, ISS, etc.
New Technologies
It’s often impossible to evolve our network infrastructure at the same rapid pace.
New Threats and Exploits
Limited Focus
Limited Expertise
Tool: Data Loss Cost Calculator
http://www.tech-404.com/calculator.html
How to Use
Enter the number of affected records in a data breach or identity theft incident, within the range of a minimum of 1000 and a maximum of 250,000.
The button next to the text box increases or decreases the number of affected records by 500.
A user can switch the options “ON” or “OFF” according to their need.
Click each pie chart slice to check the distribution of costs for each category.
Data Loss Cost Calculator Screenshot
(Figure: calculator input panel and cost graph)
Features of Data Loss Cost Calculator
Graphical Representation of Total Loss
Notification/Crisis Management
Graphical Representation of Loss of Each Category
In Order to Ensure...
Accurate authentication
Proper authorization
Confidentiality of data
Integrity of data
Availability of data
Non-repudiation
Authentication
Authentication is the process of verifying the identity of an individual.
Authorization
For example, some users may be authorized to view data, and others may
be authorized to delete data; both must be valid users, but they have
different capabilities.
Confidentiality
Availability
Measures to maintain data availability may include:
• Redundant systems’ disk arrays and clustered machines.
• Antivirus software to stop worms destroying our networks.
• Distributed denial-of-service (DDoS) prevention systems.
Non-Repudiation
We Must be Diligent
We have to secure:
The people.
The technology.
The processes.
Threat Agents
Employees:
• Disgruntled employee
• Lack of education:
  • Users
  • Administrators
• Corporate espionage
• Misuse of IT privileges:
  • Internal
  • External
No physical security = no security at all:
• Unattended computer systems on the LAN
• Unlocked doors or poorly secured server rooms or wiring closets
• The bigger, the easier
Organized threats:
• Fundamentalist groups
• Organized crime
• Government/foreign intelligence
• Terrorists
Assessment Questions
Risk
Risk is “the possibility of harm or loss”.
It refers to the uncertainty about events and outcomes that could have an undesirable effect on the organization and its goals.
Simplifying Risk
R = Risk
A = Asset value
T = Perceived threat
V = Vulnerability
Risk Analysis
CRAMM.
SARAH.
VISART.
Delphi.
Risk Assessment Answers
Seven Questions:
1. What can go wrong? (threat events)
4. How sure are the answers to the first three questions? (uncertainty)
5. What can be done to remove, mitigate, or transfer risk? (safeguards and controls)
Steps of Risk Assessment
Steps of Risk Assessment
Step 5: Communication
Communicate results to the appropriate parties.
Step 6: Monitoring
Continuously analyze new threats and modify controls as necessary. Significant organizational
changes should lead to a new risk assessment.
Risk Assessment Values
Information Security Awareness
Security Policies
• Encryption mechanisms.
• Access control devices.
• Authentication systems.
• Firewalls.
• Anti-virus systems.
• Websites.
• Gateways.
• Routers and switches.
Security Policy Basics (Cont’d)
There are two types of basic security policies:
Types of Policies
Prudent Policy
Network-Connection Policy
Permissive Policy
Prudent Policy
Everything is logged
Paranoid Policy
Acceptable-Use Policy
Should users read and copy files that are not their own, but are accessible to them?
Should users modify files that they have write access to, but are not their own?
Should users make copies of system configuration files (for example, /etc/passwd
and SAM) for their own personal use or to provide to other people?
Should users be allowed to use .rhosts files? Which entries are acceptable?
User-Account Policy
When should an account be disabled and archived?
Remote-Access Policy
Information-Protection Policy
Firewall-Management Policy
Who may see the firewall configuration rules and access lists?
Special-Access Policy
Network-Connection Policy
Who must be notified that new devices are being added to the network?
Data Classification Policies
Data Classification Policies (cont’d)
Are all backups handled with the same security precaution as that of
the original data?
Intrusion Detection Policies
Are the alarm and alert functions, as well as logging and monitoring
systems, working as intended?
Virus Prevention Policies
Update anti-virus software as per the recommendation of the vendor.
Secure all servers and workstations that are vulnerable to virus or worm attacks.
Scan the headers of all incoming data, including electronic mail, for viruses at the email server.
Laptop Security Policy
Laptops must be secured when not in use.
1. All the people related to the organization must protect its assets.
2. All the people must be trained about their responsibilities and the organization’s information security.
5. The chief security officer must implement a system for security-related issues.
Cryptography Policy
• Data classification
• Prevention, as well as detection
• Consumer request policies
• Consumer notification
• Employment policies and procedures
• Data destruction policies
FACTA Policy (cont’d)
Data classification:
FACTA Policy (cont’d)
Consumer notification:
• Organizations should have hiring policies that require drug screening, credit checks, or background checks, especially for key positions within the organization.
• Businesses will need to be able to prove that they have destroyed sensitive documents or information to be FACTA compliant.
• Businesses should have a written program outlining how to maintain and shred documents or destroy other data.
• Regularly scheduled paper shredding and data disposal is recommended to prevent the liability that comes from storing excess records containing personal information.
Other Important Policies
A wireless network policy helps secure wireless networks, including which devices are allowed to be connected, what security measures should be followed, and so forth.
A lab policy discusses how to protect the internal network from the
insecurities of a test lab.
The best option is to keep the test lab on a completely separate Internet
connection and not have it connected in any way to the internal corporate
network.
Policy Statements
A policy is only as effective as the policy statements it contains. Policy statements must be written in a very clear and formal style.
Good examples of policy statements are:
ISO 17799
Many organizations and consulting firms use ISO 17799 as the baseline
for policy best practices.
Domains of ISO 17799
Domains of ISO 17799 (cont’d)
Compliance:
• Avoid breaches of any criminal or civil law; any statutory, regulatory, or contractual obligations; and any security requirements
• Ensure compliance of systems with organizational security policies and standards
• Maximize the effectiveness of, and minimize interference to and from, the system-audit process
Domains of ISO 17799 (cont’d)
Security policy:
• Provide management direction and support for information security
No Simple Solutions
Concentration on performance
U.S. Legislation
California SB 1386
In cases involving over 500,000 people, the organization can warn the
potential victims en masse through a website and by alerting the media.
Sarbanes-Oxley 2002
Sarbanes-Oxley 2002
Section 201:
• Relating to auditor independence, it is no longer allowed for your auditor to perform such activities as financial information systems design and implementation; internal audit outsourcing services; and legal services and expert services (including security).
Section 302:
• The CEOs and CFOs of the accounting company’s clients must sign statements verifying
the completeness and accuracy of financial reports.
Section 404:
• CEOs, CFOs, and auditors must report on and attest to the effectiveness of internal
controls for financial reporting. This report shall:
• State the responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting
• Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting
• Each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement
Gramm-Leach-Bliley Act (GLBA)
Although the penalty is small, it is easy to see how it could impact a bank.
Health Insurance Portability and Accountability Act (HIPAA)
• An individual’s past, present, or future physical or mental health or condition.
• An individual’s provision of health care.
• Past, present, or future payment for provision of health care to an individual.
The primary objective of the security rule is to protect the confidentiality, integrity, and availability of data when it is managed (i.e., stored, maintained, or transmitted) by a health care provider.
Health care providers must provide notice of privacy policies and procedures to patients, obtain consent and authorization for use of information, and tell how information is generally shared and how patients can access, inspect, copy, and amend their own medical records.
USA Patriot Act 2001
U.K. Legislation
The Data Protection Act 1998
The Data Protection Act 1998 came into force on March 11, 2000.
Covering the use of personal data (data relating to identifiable living
individuals), it implements the European Directive on data protection
(95/46/EC) in U.K. law.
The act covers manual and computerized records and is concerned with
the processing of “personal data.” It works in two ways:
• Giving individuals (data subjects) certain rights over the way that their data is
processed.
• Requiring those who decide how and why personal data is processed (data controllers) to be open about their use of that data and to comply with the data protection principles in their information-handling practices.
The Data Protection Act 1998
A data controller must comply with the eight principles of good practice, which require that personal information is:
2. Processed for limited purposes and not processed in any manner incompatible with those purposes.
4. Accurate.
7. Kept secure.
Based on the European Convention on Human Rights, the Human Rights Act 1998 came into force in October 2000. Under Article 8 of the Convention, people are afforded the right to privacy.
Interception of Communications
The Freedom of Information Act 2000
• Central government.
• Local authorities.
• NHS.
• Schools.
• Police departments.
The Audit Investigation and Community Enterprise Act 2005
The Audit Investigation and Community Enterprise Act 2005 reinforces powers already in place from the Companies Act. This law makes a director responsible for giving accurate information to auditors, liable for prosecution for withholding relevant information of which the auditor is unaware, and for signing off audit reports attesting to that fact. This responsibility takes the form of a statement in the director’s report to the effect that there is no relevant information that has not been disclosed to the auditors. Should an inspector discover that information has been withheld, the directors will be liable to imprisonment and/or a fine.
The act also contains a whistleblower protection clause that excludes liability for breach of confidence for those who provide information to authorities.
Summary
In this module, we’ve discussed the statistics and importance of vulnerabilities and
their impact on business.