Nature of Business
- High Risk – High Gain
- Deals with sensitive information in high volumes
- All business processes generate, operate on and process information
- A news item can move stock prices

Nature of Business (contd.)
- Every sector / vertical has faced information security risk
- Cyber terrorism is real and rising (planned cyber attacks prior to / after 9/11)
- Countries of origin responsible for 75% of intrusions: USA, China, Romania, Germany
- More than two-thirds express their inability to determine "Whether my systems are currently compromised?"
- Information governance pushed through compliance




Threat Agents
- Media / Competition / Government
- Ex-employee
- Third Party
- Insider
- Employee

- More than 70% of threats are internal
- More than 60% of culprits are first-time fraudsters

Security Impacts
- Embarrassment
- Loss of confidential and sensitive information
- Loss of strategic advantage and resources
- Non-availability of systems in combat situations
- Time and effort spent creating 'Intellectual Property'
- National security, when information is misused by terrorists / miscreants

Recent Cases – India Specific
- MPhasis BFL - Pune
- CEO –
- Theft and sale of customer data – Delhi
- Arrest of GM of reputed corporate for cheating NRI in Dubai
- Attack on web sites – BARC, Cyber Cell Mumbai
- War Room leak - Navy

Introduction to Information Security

"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected"
BS ISO 17799:2000

Introduction to Information Security

Lifecycle of Information
Created – Stored – Processed – Transmitted – Used (for proper and improper purposes) – Lost – Corrupted – Destroyed

Introduction to Information Security
- Confidentiality – ensuring that information is accessible only to those authorized to have access
- Integrity – safeguarding the accuracy and completeness of information and processing methods
- Availability – ensuring that authorized users have access to information and associated assets when required

Information Security Trends
(Diagram: Information Security spans People, Process and IT Security)

- Information security – a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization
- This plug-in discusses how organizations can implement information security lines of defense through people first and technology second


Security is everyone's responsibility

- Information Security is an "Organizational Problem" rather than an "IT Problem"

- Biggest Risk: People
- Biggest Asset: People

Who are these Attackers?

Who are Attackers? What are they doing?
Intruders are:
- Building up technical knowledge and skills
- Becoming more skilled at removing their trail
- More interested in 'results' than in the experience of hacking
- Exploiting the weakest link

Types of Hackers

Sophistication of Attacks
                                1980            2006
No. of hackers                  Handful         Thousands
Time required to prepare        Months          Hours
No. of machines affected        Hundreds        Millions
Geographical spread             LAN / Network   Internet

Sophistication of Attacks
(Chart plotting attack sophistication against the intruder knowledge required, over time; axes labelled "Intruder Knowledge" and "Attack Sophistication", with year marks 1995 and 2000.)
Techniques plotted on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sniffers, sweepers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, network mgmt. diagnostics, "stealth" / advanced scanning techniques, DDoS attacks

Damaging forms of security threats
- Malicious code – includes a variety of threats such as viruses, worms, and Trojan horses
- Hoaxes – attack computer systems by transmitting a virus hoax, with a real virus attached
- Spoofing – the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender
- Sniffer – a program or device that can monitor data traveling over a network



Types of Viruses

Steps to create an Information Security Plan
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support

Suggested Roadmap for IT Security
- Build Responsible Team: Apex Committee, Security Forum, Task Force
- Conduct Thorough Risk Assessment: Information Assets, IT Infrastructure / Network, Applications / Data Storage
- Risk Treatment: a. Mitigate  b. Transfer  c. Avoid  d. Accept

Suggested Roadmap for IT Security (contd.)
- Implementation of Controls: Policy, Technology, Training
- Monitoring effectiveness of controls
- Preventive / Corrective Actions
- Continual Improvement

The First Line of Defense - People
- The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
- Information security policies – identify the rules required to maintain information security
- Information security plan – details how an organization will implement the information security policies

People Readiness

The Second Line of Defense - Technology
- Three primary information security areas:
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

Suggested Technologies (defense in depth, layer by layer)

Layer                               Technologies
Data                                ACL, Encryption, Database Hardening
Application                         Application hardening, Role Based Access, Multi Factor Authentication, PKI
Host                                OS hardening, Patch management, HIDS
Internal Network                    VLAN, NIDS, TACACS, NMS
Perimeter                           Firewalls (Stateful, Deep packet inspection, Application layer), VPN, Gateway Anti Virus
Physical Security                   Guards, CCTV, Biometric
Policies, Procedures & Awareness    Management Framework, Training

Authentication and Authorization
- Authentication – a method for confirming users' identities
- The most secure type of authentication involves a combination of the following:
1. Something the user knows, such as a user ID and password
2. Something the user has, such as a smart card or token
3. Something that is part of the user, such as a fingerprint or voice signature

- The most common method of authentication is user ID and password. This is the most common way to identify individual users and typically contains a user ID and a password
- This is also the most ineffective form of authentication
- Over 50 percent of help-desk calls are password related.
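How the first two factors above combine in practice, as an added example that is not part of the original deck: a salted PBKDF2 password check (something the user knows) plus an RFC 6238 time-based one-time code standing in for the "token that changes passwords automatically" (something the user has). The user record, password and token secret are constructed for the example; a biometric third factor is out of scope here.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # work factor for the stored password hash
TOTP_STEP = 30            # seconds per one-time code (RFC 6238 default)

def make_password_record(password: str) -> dict:
    """Knowledge factor: store a random salt and a PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}

def check_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])   # constant-time comparison

def totp_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Possession factor: time-based one-time code per RFC 6238 (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_token(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp_code(secret, unix_time + d * TOTP_STEP), code)
               for d in range(-window, window + 1))

def authenticate(user: dict, password: str, code: str, now: int = None) -> bool:
    """Both factors must pass; both are always evaluated so a failure does not reveal which was wrong."""
    now = int(time.time()) if now is None else now
    pw_ok = check_password(user["password"], password)
    tok_ok = check_token(user["token_secret"], code, now)
    return pw_ok and tok_ok

if __name__ == "__main__":
    # Constructed user record: made-up password and token secret for this example only
    user = {"password": make_password_record("correct horse"), "token_secret": b"12345678901234567890"}
    now = int(time.time())
    print(authenticate(user, "correct horse", totp_code(user["token_secret"], now), now))
```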

Identity Thefts

Better Forms of Authentication
- Smart cards and tokens are more effective than a user ID and a password
- Tokens – small electronic devices that change user passwords automatically
- Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

- Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
- This is by far the best and most effective way to manage authentication
- Unfortunately, this method can be costly and intrusive


Prevention and Resistance
- Downtime can cost an organization anywhere from $100 to $1 million per hour.
- Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

Content Filtering

Organizations can use content filtering technologies to filter e-mail, prevent e-mails containing sensitive information from being transmitted, and stop spam and viruses from spreading.
- Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
- Spam – a form of unsolicited e-mail
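A minimal content filter of the kind described above, added here as an example and not taken from the original deck: outbound mail is blocked when it carries a Luhn-valid card number or a sensitive keyword, inbound mail is quarantined when it carries spam markers. The internal domain, keyword lists and sample messages are all constructed for the example.

```python
import re

# Constructed policy values for this example; a real deployment would load these from configuration
INTERNAL_DOMAIN = "example.com"                     # assumed internal mail domain
SENSITIVE_KEYWORDS = ("confidential", "internal only", "salary data")
SPAM_MARKERS = ("act now", "free money", "you have won")
# 13-16 digits, optionally separated by spaces or dashes (card-number shape)
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_valid(number: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs (order numbers, IDs)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_message(msg: dict) -> tuple:
    """Return (verdict, reasons): block outbound sensitive mail, quarantine inbound spam, else allow."""
    body = msg["body"]
    lower = body.lower()
    reasons = []
    if any(luhn_valid(m.group()) for m in CARD_PATTERN.finditer(body)):
        reasons.append("payment card number")
    reasons += [f"keyword: {kw}" for kw in SENSITIVE_KEYWORDS if kw in lower]
    outbound = not msg["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    if outbound and reasons:
        return "block", reasons
    spam = [m for m in SPAM_MARKERS if m in lower]
    if not outbound and spam:
        return "quarantine", [f"spam marker: {m}" for m in spam]
    return "allow", []

# Constructed sample messages (not real mail)
SAMPLES = [
    {"to": "partner@other.example", "body": "Attached is our card on file: 4111 1111 1111 1111"},
    {"to": "finance@example.com", "body": "Internal only: Q3 salary data review"},
    {"to": "staff@example.com", "body": "ACT NOW! Free money for every winner"},
    {"to": "partner@other.example", "body": "Order ref 4111 1111 1111 1112, ship Monday"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["to"], classify_message(sample))
```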




Encryption

If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
- Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information



Firewalls

One of the most common defenses for preventing a security breach is a firewall
- Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network


Sample firewall architecture connecting systems located in Chicago, New York, and Boston


Detection and Response

If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage


Antivirus software is the most common type of detection and response technology

Security Policy
1. Information assets and IT assets are to be protected against unauthorized access.
2. Information is not to be disclosed to unauthorized persons through deliberate or careless action.
3. Information is to be protected from unauthorized modification.
4. Information is to be available to authorized users when needed.
5. Applicable regulatory and legislative requirements are to be met.
6. All breaches of information security are to be reported and investigated.
7. Violations of policies are to be dealt with through a formal disciplinary process.

Well Known Frameworks
What do the frameworks say?
- Information in all forms is an asset (digital / non-digital)
- Security is a process (and not only technology)
- Risk-based approach (prevent, detect, correct)
- Security should be measurable (effectiveness, efficiency)
- Controls include people, process and technology
- Top management commitment (define acceptable level of risk, allocate resources, implement policy)

Well Known Frameworks

1. COBIT – Framework for auditing controls (Control Objectives for Information and related Technology)
2. ISO 27001 (BS 7799) – IS Management Framework
3. ISO 17799 – Implementation guidance on IS controls
4. ITIL – IT Service Management processes
5. ISO 20000 (BS 15000) – ITSM Management Framework

Scope of ISO 20000 Certification
- Supports the provision of all IT services, including the following, to all its customers at all locations:
  - Enterprise Planning System (SAP)
  - Infrastructure
  - Application and Data Centre Management Services

Why ISO 20000?

1. Sustained pressure to deliver high quality IT service at minimum cost (SLA definition, penalty clause).
2. IT services are not aligned with the needs of the business and its customers (requirements gathering).
3. ISO 20k implementation will ensure standard and proactive (trend analysis etc.) working practices (e.g. where there is no concept of CPA, ISO will ensure the implementation, tracking and closure of CPAs).
4. Would enhance the quality of IT service delivered to their customers/users
5. Increase effectiveness of the business operation
6. Hard evidence that quality of ITSM is taken seriously

Cyber Law of India
- Electronic record
- Digital Signature
- Certifying Authority
- Penalty for damage to information system – Section 47 – up to 1 Crore
  - Unauthorized access, tampering, damage
- Penalty for failure to furnish information – up to ten thousand a day
- Offences:
  - Section 65 – Tampering: 3 yrs / 2 lacs
  - Section 66 – Hacking: 3 yrs / 2 lacs
  - Section 67 – Obscene information: 5 yrs / 1 lac
  - Section 72 – Breach of confidentiality / privacy: 2 yrs / 1 lac

Post Security Implementation Benefits

- At the organizational level – Commitment
- At the legal level – Compliance
- At the operating level – Risk management
- At the commercial level – Credibility and confidence
- At the financial level – Reduced costs
- At the human level – Improved employee awareness

IT Security Stakeholder Summary
(Diagram of security domains)
- Information Security Policy
- Compliance
- Organisation Security
- Asset Management
- Business Continuity Planning
- Security Incident Management
- System Development & Maintenance
- Access Controls
- Human Resource Security
- Availability
- Physical Security
- Communication & Operations Management
