Information Security Challenges & Opportunities


Presentation given in August 2008, at the Launch of Secure Pakistan Initiative by NetSol Technologies Inc.


Information Security: Challenges and Opportunities

M. Faisal Naqvi, CISSP, CISA
MS (E-Com) Gold (PU), CMA Inter (ICMA)
27001 A (IRCA, UK), 27001 Implr (IT Gov, UK)
Associate Member of the Business Continuity Institute

Senior Consultant – Information Security

© 2008 NetSol Technologies, Inc. All rights reserved

Information Security (A-I-C)

Availability, Integrity, Confidentiality


Dependence on IT

Almost every Government Department
Banks, including the ATM network
Stock Exchanges and Brokers
Telecommunication and Mobile Companies
Electronic and Print Media
Software houses and Call centres
Other Private companies, including MNCs

Challenges to Information Availability

ATM Network / Credit Card
Mobile Network / Mobile Card Charging System
Call Centres
TV Channels
Internet Service Providers
Stock Exchange Application

Attacks on Availability of Information

Denial of Service (DoS) Attacks
Distributed DoS (DDoS) Attacks
Malicious act by a disgruntled employee
Power Failure
Natural / Man-made Disasters such as Fire, Flood, Storm, Earthquake, Strike and Terrorism


Challenges to Information Integrity

A balance of Rs.9,000/- in a bank account is changed to Rs.9,000,000/-
Tampering with NADRA records
Changing CSS exam results
Changing ownership of a Vehicle / Land in E-Records
Tampering with the Share Price of a Stock
Phishing
Electronic Stalking
Salami Attacks


Attacks on Information Integrity

Hacking
SQL Injection
Insiders / Employees
Weak cryptographic algorithms
Buffer overflow
Malicious Code

Challenges to Confidentiality of Information

Source Code / Trade Secret Theft
Tender Quotation Disclosure
Client Information Stealing
Govt. Sensitive Information Leakage
Mobile Usage and Personal Information
Online Bank Account Passwords
ATM PINs

Attacks on Confidentiality of Information

Employees
Social Engineering
Hacking
SQL Injection
Key Loggers (software / hardware)
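SQL injection appears in this deck twice, under Attacks on Information Integrity and under Attacks on Confidentiality of Information, because one injected string can both read rows the caller should not see and modify rows the caller should not touch. The Python example below is added by the editor and is not part of the original presentation; it uses an in-memory SQLite table whose account names, balances and injection payload are all constructed for illustration, loosely following the deck's bank-balance scenario. The vulnerable functions splice the caller's input into the SQL text; the hardened functions pass it as a bound parameter.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not data from the deck).
SEED = [("alice", 9000), ("bob", 500)]

# Constructed injection payload. Inside a quoted SQL literal it closes the
# string early and appends an always-true condition.
PAYLOAD = "nobody' OR '1'='1"


def make_db():
    """Return an in-memory SQLite database seeded with SEED."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SEED)
    conn.commit()
    return conn


def all_balances(conn):
    """Snapshot of the table as {name: balance}."""
    return dict(conn.execute("SELECT name, balance FROM accounts").fetchall())


# --- Vulnerable pattern: user input is spliced into the SQL text ----------

def lookup_vulnerable(conn, name):
    """Confidentiality failure: the caller can rewrite the WHERE clause and
    read every row instead of just their own."""
    sql = f"SELECT name, balance FROM accounts WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def deposit_vulnerable(conn, name, amount):
    """Integrity failure: the same trick turns a single-account UPDATE into
    a change to every account. Returns the number of rows modified."""
    sql = (f"UPDATE accounts SET balance = balance + {int(amount)} "
           f"WHERE name = '{name}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# --- Hardened pattern: parameterised queries -------------------------------
# The SQL text is fixed; the driver passes the value separately, so the quote
# and the OR in PAYLOAD are only ever compared as characters of a name.

def lookup_safe(conn, name):
    return conn.execute(
        "SELECT name, balance FROM accounts WHERE name = ?", (name,)
    ).fetchall()


def deposit_safe(conn, name, amount):
    cur = conn.execute(
        "UPDATE accounts SET balance = balance + ? WHERE name = ?",
        (int(amount), name),
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Run PAYLOAD through both code paths and return what each one did."""
    vuln = make_db()
    leaked = lookup_vulnerable(vuln, PAYLOAD)          # every row comes back
    rows_changed = deposit_vulnerable(vuln, PAYLOAD, 100)  # every row changed

    safe = make_db()
    leaked_safe = lookup_safe(safe, PAYLOAD)           # no such account
    rows_changed_safe = deposit_safe(safe, PAYLOAD, 100)   # nothing changed
    legit = lookup_safe(safe, "alice")                 # normal use still works

    return {
        "vulnerable_leak": leaked,
        "vulnerable_rows_changed": rows_changed,
        "vulnerable_balances": all_balances(vuln),
        "safe_leak": leaked_safe,
        "safe_rows_changed": rows_changed_safe,
        "safe_balances": all_balances(safe),
        "safe_legit_lookup": legit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defence is the bound parameter, not the driver: SQLite's Python module happens to refuse a second `;`-separated statement in one `execute()` call, but other drivers run stacked statements, so a payload such as `x'; UPDATE accounts SET balance = 9000000 WHERE name = 'alice'; --` would reproduce the deck's Rs.9,000 to Rs.9,000,000 scenario against the vulnerable functions on those systems. Parameterised queries close both the confidentiality and the integrity path at once.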

Getting ATM cards & PINs (a series of five slides; their content is not captured in this text extract)

How to Overcome these Challenges

A pro-active approach rather than a reactive one
Preventive controls rather than corrective ones

Opportunities to ensure Availability of Information

Firewalls
Intrusion Detection Systems
Intrusion Prevention Systems
Anomaly Detection Systems
Antivirus
Business Continuity Management
Disaster Recovery Planning

Opportunities to ensure Integrity of Information

Application Security
Segregation and Rotation of Duties
Strong Cryptography
Access Control
Application Vulnerability Assessment
Application Penetration Testing

Opportunities to ensure Confidentiality of Information

Access Control
Training and Awareness
Anti-spyware
Extrusion Prevention Systems

Opportunities to ensure overall Information Security

The strength of overall Information Security is no greater than that of its weakest element
Need for a system that can ensure A-I-C in a comprehensive manner
ISO 27001 Information Security Management System (ISMS)
The ISMS provides 133 countermeasures (controls) to address all possible Threats and Vulnerabilities

Opportunities to ensure overall Information Security

Periodic Audits and Assessments through independent, neutral organisations
Vulnerability Assessments
Penetration Tests through Ethical Hackers

Opportunities to ensure overall Information Security by Govt.

Electronic Transactions Ordinance (ETO), 2002
Prevention of Electronic Crimes Ordinance (PECO), 2007
National Response Centre for Cyber Crimes (NR3C), FIA
Information & Communication Technology (ICT) Tribunals

Electronic Transactions Ordinance, 2002

36. Violation of privacy of information

Protects Confidentiality

37. Damage to information system, etc.

Protects Integrity and Availability

Prevention of Electronic Crimes Ordinance (Crimes)

3. Criminal Access
4. Criminal Data Access
5. Data Damage
6. System Damage
7. Electronic Fraud
8. Electronic Forgery
9. Misuse of Electronic System or Device
10. Unauthorized access to code

Prevention of Electronic Crimes Ordinance (cont.)

11. Misuse of Encryption
12. Malicious Code
13. Cyber Stalking
14. Spamming
15. Spoofing
16. Unauthorized interception
17. Cyber Terrorism
18. Enhanced punishment for offences involving electronic systems


?


Thank You
