IT Security & Privacy
MIS 6800 Group Six
Professor: Dr. Mary Lacity

Group Members
• Liang Liu
• Timothy Beecher
• Kadambari Goel
• Jonathan Riek
• Wilfrid Hutagalung

Fall 2005, UMSL

What Keeps CIOs up at Night: Security

Survey on CIOs' concerns
• On management: No. 3 in 2004 and 2003
• On applications: No. 1 in 2004

Luftman, J., and McLean, E., "Key Issues for IT Executives," MISQ Executive, Vol. 4, No. 2, 2005, pp. 269-286

Agenda

Introduction – Liang Liu

Case Studies
• Threat and Vulnerability Assessment – Tim Beecher: interviewed Kathy Forrester, CIO at Fleishman-Hillard
• Strategy, Architecture and Design – Kadambari Goel: interviewed Gaurav Huria, Project Manager at AT&T
• Threat and Vulnerability Management – Jonathan Riek: interviewed John Todd, Senior LAN Administrator at First Data Corporation

Conclusion – Wilfrid Hutagalung

Introduction
• Definition
• Importance
• Relationship
• Functional Inventory
• CISO
• Legal and Regulatory

Definitions

IT Security is the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

Privacy
• The right "to be let alone" – 1890
• Informational self-determination – current

Source for Security: U.S. National Information Systems Security Glossary
Source for Privacy: Warren, S. D. and Brandeis, L. D. (1890), "The Right to Privacy," Harvard Law Review, Vol. 4, No. 5, pp. 193-220

Importance of Security & Privacy

• Build customer trust – vital to e-commerce
• Laws and regulations – federal & state
• Part of IT infrastructure – most systems cannot run without security: the Abz insurance system had a 7-week outage due to Siennax subcontracting to BlueX (Verisign)
• Can be costly – losses and expenditures

[Three slides drawn from: Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, 2005 CSI/FBI 10th Computer Crime and Security Survey]

Relationship between Security and Privacy

• Complementary – they reinforce each other
• Contradictory – they conflict with each other

Which one is more important?
• Privacy – customers
• Security – corporations

Avoid two extremes
• Complete lack of security
• Complete privacy

[Slide drawn from: Key Elements of an Information Security Program. Presentation by Bryant Tow, Director North America Managed Security Solutions for Unisys, copyright Unisys 2004]

CISO (CSO)

More jobs for CISOs
• 2005 – 40% of companies
• 2004 – 31% of companies
• Weakness in strategic planning and regulatory compliance

CISO is NOT just for IT – protect all of the business's information assets
Best to report to the CEO
Think like a CFO
Implement a process-oriented portfolio strategy

IDG's CIO Magazine & PricewaterhouseCoopers survey, September 2005

Legal and Regulatory – Major Federal and State Laws

• Gramm-Leach-Bliley Act (GLB), the Financial Modernization Act of 1999
• Sarbanes-Oxley Act (2002)
• Patriot Act (2001, after 9/11)
• HIPAA – Health Insurance Portability & Accountability Act (1996)
• California's SB 1386 (July 2003)

CIO Magazine
• 38% of companies not in compliance with Sarbanes-Oxley
• 23% of companies not in compliance with HIPAA
• 15% not in compliance with California's SB 1386

IDG's CIO Magazine & PricewaterhouseCoopers survey, September 2005

Threat & Vulnerability Assessment

Fleishman-Hillard – Overview
• Global communications agency with offices in 59 cities around the world
• 2,000 employees rely on the quality of its data to address a wide range of client needs, from new product introductions and marketing promotions to crisis management
• Staffers need remote connectivity

Fleishman-Hillard – CIO Profile

Kathy Forrester – Chief Information Officer, Senior Vice President, and Senior Partner
• Oversees the company's worldwide information service groups and supporting information technology needs, including network/data center services for the company's core lines of business
• With Fleishman-Hillard for the past 10 years
• Has an IT budget of 7-8 million dollars; 4% goes directly to IT security

Average Daily Data Usage

Fleishman-Hillard
• 4 terabytes
• Terabyte = 1,024 GB = 1,048,576 MB = 1,073,741,824 KB = 1,099,511,627,776 bytes = 8,796,093,022,208 bits

AT&T
• 1.6 petabytes
• Petabyte = 1,024 TB = 1,048,576 GB = 1,073,741,824 MB = 1,099,511,627,776 KB = 1,125,899,906,842,624 bytes = 9,007,199,254,740,992 bits

http://www.glossary-tech.com/byte.htm

Fleishman-Hillard – Services
• Internet Protect
• Firewall Services
• Intrusion Detection
• Secure E-Mail

Kathy Forrester, CIO of Fleishman-Hillard, interviewed in person by Tim Beecher, October 26, 2005.

Common Threats

User
• Giving out passwords
• Leaving workstations unlocked
• Leaving laptops at airports

Outsourcing/Sub-Contractors
• Sloppy coding
• Audit

Hackers
• Career database

Common Threats – continued

Viruses
• Trojans
• "I Love You" virus

Spiders
• Continually attacking the firewall

Distributed Denial of Service (DDoS)
• DDoS attacks can overwhelm web servers and saturate a company's Internet connections, resulting in the inability to maintain efficient communications, commerce, and ultimately connectivity

Proactive Assessment

Perform threat analysis of current and emerging solutions to detect, trace and filter unwanted traffic as soon as possible

User training – 20- and 40-minute training sessions on the common threats and risks for all employees, clients and subcontractors

Hackers, viruses, spiders, DDoS
• The only real proactive activities are to learn from past encounters and to implement and invest in the best firewalls and anti-virus

Outsourcing/Sub-Contractors
• Research
• Actively monitor
• Ensure they know your system

Cullen, S., Seddon, P., and Willcocks, L., "Managing Outsourcing: The Life Cycle Imperative," MIS Quarterly Executive, March 2005, pp. 229-246

Reactive Assessment

Provide near-real-time threat analysis of current attacks

Early warning – allows most real-time attacks (viruses, worms and DDoS attacks) to be addressed and mitigated before a hacker releases them

When the help desk lights up is usually when most security departments discover that there has been a breach

Communicate threat information through training sessions to establish active threat levels for the organization

Reactive Assessment – continued

Information is one of the most valuable assets of any company

Security breaches can happen every day to anyone, whether you're a large enterprise or a small business

Steps
1. Quick detection and mitigation techniques
2. Building and keeping the network security infrastructure updated against newer vulnerabilities
3. Enforce security policies
4. Review data gathered during security incidents

Reactive Assessment – continued

Users
• Giving out passwords
  – Fingerprint scans instead of numeric passwords
  – ID cards (hardware tokens) that change the password every second
• Leaving workstations
  – Setting a screen saver to appear when the computer is inactive for 30 seconds; it can only be unlocked with a password
• Leaving laptops at airports
  – Future plan is to try to disable the device remotely

Hackers
• Find and report them

Reactive Assessment – continued

Viruses, Spiders & DDoS
• Find and isolate affected areas
• Contact anti-virus companies to see if they can help, but usually they are too slow, so they have someone in-house who can write code to get rid of the virus or spider

Outsourcing/Sub-Contractors
• Sloppy code – correct their work to ensure that breaches will not happen again

Architecture and Design

IT Security in Demand

Recent IDC survey
• The number of computer security specialists will grow 3 times as fast as the IT field as a whole
• A survey of more than 5,000 security managers worldwide indicated growth of nearly 15% during 2004
• Hiring is expected to increase by nearly 14% during each of the next 4 years
• Overall growth in the IT professional ranks is about 5%

Nikki Swartz, Information Management Journal, Jan/Feb 2005, Vol. 39, Issue 1, p. 18

Security Efforts Still Lacking

• Architecture & design expenditures account for over 58% of an organization's IT budget and are growing at 11% a year
• Financial institutions and energy companies spend the most on their architecture & design budget compared to manufacturing industries
• 41% of respondents spend only about 5-10% (unsecure)
• 73% reviewed their disaster recovery planning after 9/11, but only 1 in 10 said it was top priority

Nikki Swartz, Information Management Journal, Jan/Feb 2003, Vol. 37, Issue 1, p. 15
Bruce R. Lewis and Terry Anthony Byrd, European Journal of Information Systems, June 2003, Vol. 12, Issue 2, p. 93

Need for Architecture & Design

• Quick decision making has led to fast and open access to corporate networks, increasing security threats
• A new weapon in developing sustained competitive advantage
• Ensures availability, confidentiality and integrity of information systems
• Foundation for managing information assets and tangible benefits for continuity of business practices
• Provides support for global business strategies and a catalyst for the globalization process

Bruce R. Lewis and Terry Anthony Byrd, European Journal of Information Systems, June 2003, Vol. 12, Issue 2, p. 93

Network Security Architecture & Design

From a reactive to a proactive approach

• Authentication: "Who are you?" The process of verifying the identity of a participant
• Authorization: "Should you be doing that?" The process of determining whether a participant may use or access a resource
• Analysis of current and emerging solutions
• Design technological information security controls for business solutions
• Impact of design requirements on user experience

Gaurav Huria, Project Manager, AT&T, interviewed in person by Kadambari Goel, October 17th, 2005
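To make the two questions concrete, here is an added example (not code from AT&T or from the presentation) of a request handler that keeps the two decisions separate: authenticate() answers "who are you?" by checking a salted PBKDF2 password hash, and authorize() answers "should you be doing that?" against a deny-by-default role-to-permission table, so that a valid identity alone grants nothing. The user names, roles, permission strings, in-memory stores and iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000          # assumption for the example; tune to your hardware
_DUMMY_SALT = b"\x00" * 16

# Constructed in-memory stores; a real system keeps these in a directory or database.
USERS = {}                                       # username -> (salt, pbkdf2 hash)
ROLES = {"alice": {"analyst"}, "bob": {"analyst", "admin"}}
PERMISSIONS = {
    "analyst": {"report:read"},
    "admin": {"report:read", "report:write", "firewall:change"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    """Store a per-user random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def authenticate(username: str, password: str) -> bool:
    """'Who are you?' True only if the password matches the stored hash for this user."""
    record = USERS.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)    # same work for unknown users: no timing oracle
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorize(username: str, action: str) -> bool:
    """'Should you be doing that?' Deny unless some role of the user grants the action."""
    return any(action in PERMISSIONS.get(role, set()) for role in ROLES.get(username, set()))


def handle_request(username: str, password: str, action: str) -> str:
    """Authentication first, then authorization; each failure is reported distinctly."""
    if not authenticate(username, password):
        return "401 unauthenticated"
    if not authorize(username, action):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "hunter2-but-longer")
    print(handle_request("alice", "wrong", "report:read"))                             # 401
    print(handle_request("alice", "correct horse battery staple", "report:read"))      # 200
    print(handle_request("alice", "correct horse battery staple", "firewall:change"))  # 403
    print(handle_request("bob", "hunter2-but-longer", "firewall:change"))              # 200
```

The point of the split is visible in the third call: alice proves who she is and is still refused the firewall change, because authorization consults the permission table rather than the login result. Unknown users and wrong passwords both return the same answer after the same amount of hashing work, so the response does not reveal which accounts exist.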

AT&T – Overview

Third-quarter 2005 earnings (October 21st, 2005)
• Third-quarter earnings per diluted share of $0.64
• Consolidated revenue of $6.6 billion
• Operating income of $955 million
• Third-quarter cash from operating activities of $1.4 billion
• Increased full-year 2005 revenue and operating margin guidance

Major products the company sells
• Internet Protocol & Enhanced Services (IP&E-services)
• Data services
• LD and local voice
• Outsourcing, professional services & other

Characteristics of their customers
• Bundled services
• Standalone LD, transactional & other services
• Local customers

www.att.com, viewed October 30th, 2005

Organization Chart

Hossein Eslambolchi
• Joined AT&T Bell Labs in 1986
• Became CTO & President of AT&T Labs in September 2001
• Company CIO in 2002
• Earns more than $4.2 million a year, making him one of the highest-paid CIOs in the world
• Allocates roughly 20% of his time to operations, 25% to labs, 25% to the CTO job and 30% to CIO issues
• Has more than 300 patents granted or pending
• A 24-by-7 kind of guy who operates at 100 miles an hour

Information Week, Networking Pipeline, Nov 29, 2004, "IP Will Eat Everything," by Paul Travis

Reporting chain (top to bottom):
Chairman/CEO
President & COO, AT&T
President, GNTS AT&T, CTO & CIO
Vice President
Director
Group Manager
Project Manager
Technical Specialist
Event Manager

Dealing With Threats

Commonly faced risks
• DDoS attacks
• Unauthorized data access
• Viruses
• Worms
• Trojans

Security services offered
• Internet Protect
• Firewall Services
• Intrusion Detection
• Secure E-Mail Gateway
• Token Authentication

Service Offering from AT&T

• Internet Protect as a leading security offer for preventing attacks before they materialize
• Proactive approach for malicious intruders & unauthorized activities, providing a robust, all-inclusive information security portal
• Distributed Denial of Service (DDoS) Defense: DDoS attacks are the most nefarious activity passing over the Internet next to worms & viruses
• Quality of data analysis, carrying over 1.6 petabytes of data daily
• Advanced intelligence gathering

Details of Service

Internet Protect(SM) is a security alerting and notification service that offers advance information regarding potential real-time attacks that are in the early formation stages

The service detects and mitigates DDoS & other flood attacks on customer systems within the core of the IP backbone

The first step involves identification of an attack, then mitigating the detected attack before traffic reaches the customer's network

In DDoS Defense, if a denial-of-service attack is detected, the traffic is routed to a network mitigation farm, where the malicious DDoS attack packets are identified and dropped while the valid traffic is allowed to pass

Functioning of Service

Detecting & alerting: current detection devices detect denial-of-service attacks and alert the customer

Routing & scrubbing: a routing change instructs (triggers) the facility to re-route customer traffic to the scrubbing facility. Scrubbing can be initiated by the customer, from backbone devices, manually or automatically from remote detection devices
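As an added example (not AT&T's Internet Protect code, which this page does not show), the following Python models the two stages just described on a constructed one-second capture: a detector that counts SYN-only packets per destination per window and raises an alert when a threshold is crossed, and a scrubbing stage that separates flood sources from legitimate clients and drops only the former while the rest passes. The victim and client addresses (documentation ranges), the 200 SYN/s alert threshold, the per-source SYN limit and the "many SYNs, never any other packet" attacker heuristic are assumptions for the example; a real scrubbing center combines many such signatures with rate limits.

```python
import random
from collections import defaultdict

VICTIM = "203.0.113.10"          # constructed: customer host under attack
BYSTANDER = "203.0.113.20"       # constructed: another customer host, unaffected


def make_sample_traffic(seed: int = 1) -> list:
    """Constructed one-second capture of (time, src, dst, tcp_flags) tuples."""
    rnd = random.Random(seed)
    pkts = []
    # 5 legitimate clients: handshake (SYN, ACK) then data (PSH+ACK)
    for i in range(5):
        src, t0 = f"198.51.100.{10 + i}", rnd.uniform(0.0, 0.5)
        pkts += [(t0, src, VICTIM, "S"), (t0 + 0.05, src, VICTIM, "A"), (t0 + 0.10, src, VICTIM, "PA")]
    # 40 spoofed sources, 15 SYN-only packets each: a SYN flood against VICTIM
    for i in range(40):
        src = f"192.0.2.{i + 1}"
        pkts += [(rnd.uniform(0.0, 1.0), src, VICTIM, "S") for _ in range(15)]
    # unrelated background traffic to BYSTANDER
    for i in range(20):
        pkts.append((rnd.uniform(0.0, 1.0), f"198.51.100.{50 + i}", BYSTANDER, "PA"))
    return sorted(pkts)


def detect(pkts, window: float = 1.0, syn_threshold: int = 200) -> list:
    """Detecting & alerting: count SYN-only packets per (destination, window); alert above threshold."""
    syns = defaultdict(int)
    for t, _src, dst, flags in pkts:
        if flags == "S":
            syns[(dst, int(t // window))] += 1
    return sorted((dst, bucket, n) for (dst, bucket), n in syns.items() if n > syn_threshold)


def scrub(pkts, victim: str, syn_limit: int = 5):
    """Routing & scrubbing: classify each source talking to the victim, drop flood sources, pass the rest."""
    syn_count, other_count = defaultdict(int), defaultdict(int)
    for _t, src, dst, flags in pkts:
        if dst == victim:
            if flags == "S":
                syn_count[src] += 1
            else:
                other_count[src] += 1
    # A source that sends many SYNs and nothing else never completes a handshake:
    # treat it as a flood source. (Assumed heuristic for the example.)
    flood_sources = {s for s, n in syn_count.items() if n > syn_limit and other_count[s] == 0}
    passed = [p for p in pkts if p[1] not in flood_sources]
    dropped = [p for p in pkts if p[1] in flood_sources]
    return passed, dropped, flood_sources


if __name__ == "__main__":
    traffic = make_sample_traffic()
    alerts = detect(traffic)
    print("alerts:", alerts)
    for dst, _bucket, _n in alerts:
        passed, dropped, sources = scrub(traffic, dst)
        print(f"{dst}: dropped {len(dropped)} packets from {len(sources)} sources, passed {len(passed)}")
```

Two properties worth noting: the detector looks only at the destination, which is what triggers the routing change for that customer's prefix, while the scrubber looks at per-source behaviour, which is what lets the five real clients (each with a SYN followed by ACK and data) through the same facility that drops the 600 spoofed SYNs. Traffic to the bystander host is never touched because it never crossed the alert threshold.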

Benefits & Challenges

Benefits
• Early warning
• Advanced intelligence gathering, detecting & mitigation
• Detection & trace-back of attacks
• Filtering techniques for different types of attacks

Challenges
• Time consuming
• Cost associated
• Real-time monitoring

Security Model

• Create a policy statement, beginning with assessing the risk to the network and building a team to respond
• Conduct a risk analysis by identifying portions of your network, assigning a threat rating to each portion, and applying an appropriate level of security
• Establish a security team with participants from each of your company's operational areas
• Approve security changes: define changes to network equipment that have a possible impact on the overall security of the network (firewall configuration)
• Monitor the security of your network, detecting changes in the network that indicate a security violation

Security Model – continued

• Implement changes to prevent further access to the violation
• Restore normal network operations
• Define and implement controls to limit the risk of the identified vulnerability
• Develop and maintain an effective disaster recovery plan
• Review the process as a final effort in creating and maintaining a security policy
• Ensure that information security program activities align with organizational goals

Key Elements of an Information Security Program. Presentation by Bryant Tow, Director North America Managed Security Solutions for Unisys, copyright Unisys 2004
www.cisco.com, viewed October 30th, 2005

AT&T

• Good security policy outlining users' roles & responsibilities
• Incident response team in case of a threat
• Auditing the network
• Risk analysis
• Upgrading the network against new vulnerabilities

Threat & Vulnerability Management

Ongoing Management Process

• Assessment showed us what we need, why we need it, and how to learn from incidents
• Architecture and design illustrated key components and capabilities of a solid strategy
• Management will show the day-to-day processes, communication, and departmental interaction

First Data Corporation

• Third-largest payment processing company in the world
• Oldest portion of the business – Western Union, founded in 1871
• First company to process both Visa and MasterCard transactions, in 1976
• Now: 1,100 financial transactions per second, and 36 billion transactions to date
• Manages over 406 million cardholder accounts

http://ir.firstdata.com/profile.cfm, viewed November 2, 2005

First Data – Company Profile

Customers include:
• 4.1 million retail locations, such as Wal-Mart or grocery stores
• 1,400 individual credit card issuers
• Subsidiaries: TeleCheck check processing, Western Union, etc.
• Handles payment processing, customer service, account setups, and more for credit card companies and card issuers

Divisions:
• Commercial Services – handles customers
• Resources – IT, programming, HR, supply, etc.
• Corporate Offices

Year ending Dec 31       2000     2001     2002     2003     2004
Revenues (millions)      $5,922   $6,602   $7,503   $8,400   $10,013
Net Income (millions)    $1,027   $989     $1,232   $1,394   $1,868
EPS                      $1.24    $1.25    $1.60    $1.86    $2.22
Cash Flow (millions)     $1,181   $1,400   $1,889   $1,958   $2,327

http://ir.firstdata.com/profile.cfm, viewed November 2, 2005
http://ir.firstdata.com/ar2004v2/firstdata_final/index.htm, viewed November 2, 2005

4545

First Data - CIO Profile

Guy Battista - Chief Information Officer and Executive Vice President

Overseeing the company's Information Services Group and supporting information technology needs, including network/data center services for the company's core lines of business

More than 30 years of IT background, 14 years at First Data

Annual compensation unknown, but stock options alone in 2004 totaled $3.3 million

http://www.firstdata.com/abt_bio_battista.jsp, viewed November 2, 2005
http://www.forbes.com/finance/mktguideapps/personinfo/FromPersonIdPersonTearsheet.jhtml?passedPersonId=391436, viewed November 2, 2005

46

Vulnerability Management - Proactive

Policies
• Serve as a guide, a deterrent, or both
• User based or hardware / software based
• User example – password security policies
• Hardware / Software example – wireless access (802.11)

Monitoring and Reporting
• Constant and consistent tracking of key areas for vulnerability or weakness
• Monitoring is often done remotely from a home-office location, or by an outsourced firm, to reduce bias

Jill R. Aitoro, “Cyber Security -- Federal cybersecurity: a work in progress”, VARbusiness, July 11, 2005, Iss. 2115; pg. G.23

47

Proactive - continued

Business Continuation / Disaster Recovery (BC/DR)
• Mirrored data centers – real-time remote replication of data
• Traditional “Point-in-Time” backups – example: tape backups
• Monitoring and Management – backup team monitors backup completeness, links between data centers, etc.
• Prevent loss of backup data

Updates to key components
• Antivirus and Anti-Spam
• Operating System updates
• Firmware updates for firewalls / network hardware

Julie Herd Goodman, “Data Protection and Disaster Recovery of Local and Remote File Servers”, Computer Technology Review. Los Angeles: Aug/Sep 2005. Vol. 25, Iss. 5; pg. 29, 2 pgs

48

Incident Response - Reactive

Dedicated response team with vast resources

Follow a prescribed plan – work carefully through a set plan to ensure that resources are brought online in the right order, and that all critical data is present

Prioritization of resources – ensure that business-critical systems are given priority

James Ryan, Alex Rosenbaum, Scott Carpenter. “Getting a Handle on Incidents”, Security Management. Arlington: April 2005. Vol. 49, Iss. 4; pg. 66, 7 pgs

49

Education and Communication

Ethics and awareness training
• Helps to prevent Social Engineering - the process of obtaining confidential information by manipulation of legitimate users
• Ongoing training for all users on common schemes and weaknesses, proper password handling, importance of data privacy, etc.
• First Data does this through regular required online classroom sessions, with follow-up testing and user tracking

Issue reporting
• Open line to company users to report a potential or real-time vulnerability

Reporting to senior management
• Important policy changes
• Business Continuation and Disaster Recovery plans
• Realistic perspective on the likelihood of a threat and its potential impact on business operations

Robert P Moffie, David L Baumer, Ralph B Tower. “Identity Theft and Data Security”, Internal Auditing. Sept/Oct 2005. Vol. 20, Iss. 5; pg. 29, 9 pgs

50

Policies, Procedures & Standards

Software / Hardware enforced policies:
• USB storage devices
• Password renewal and complexity policy
• Remote access policies
• Encryption policies

User based policies:
• Focus on areas that cannot easily or completely be limited by technology
• No viewing of consumer data on laptops around non-FDC employees
• Restriction on editing of sensitive code with family or friends in the room
• Internet browsing policy

Written principles and standards
• Emphasis on protective behavior overall cuts down on the risk of social engineering

George V Hulme. “Data Breaches: Turn Back The Tide”, Business Credit. New York: October 2005. Vol. 107, Iss. 9; pg. 34, 5 pgs

51

Organizational Interaction

Departments or entities typically involved:
• Physical Security
• Vendors and Partners
• Legal / Privacy
• Operations
• Audit / Global Compliance
• Human Resources

Physical Security at First Data:
• Electronic security pass cards
• Video surveillance
• Guards

Human Resources at First Data:
• Responsible for distributing and tracking all training

George V Hulme. “Data Breaches: Turn Back The Tide”, Business Credit. New York: October 2005. Vol. 107, Iss. 9; pg. 34, 5 pgs

52

Performance & Effectiveness Evaluation

Track the number and type of incidents that occur, and find ways to avoid them

Regularly test user awareness and knowledge

Oversight Board
• Group of users and managers from all areas of the company
• Can provide valuable input on ease of use, alignment with organizational goals, and more
• The security process should be a business enabler, not a disabler, and a confidence builder for users

Uses of results:
• Ongoing reassessment
• Design modifications
• Real-time training enhancements or changes

Key Elements of an Information Security Program. Presentation by Bryant Tow, Director North America Managed Security Solutions for Unisys, copyright Unisys 2004

53

First Data – Ongoing Challenges

Overall Mindset – Improved focus on the proactive

Learning from previous challenges

Heightened focus on consumer data security

Stronger hardware and software based policies

54

Management Best Practices

55

InfoSec Management Best Practice

1. Security Policy - Demonstrate management commitment to, and support for, information security

2. Organizational Security - Develop a management framework for the coordination and management of information security in the organization; allocate information security responsibility

3. Asset Classification & Control - Maintain an appropriate level of protection for all critical or sensitive assets

4. Personnel Security - Reduce the risk of error, theft, fraud, or misuse of computer resources by promoting user training and awareness regarding risks and threats to information

Information Security Management Best Practice Based on ISO/IEC 17799. Information Management Journal, Jul/Aug 2005, Vol. 39, Iss. 4

56

Best Practice - continued

5. Physical & Environmental Security - Prevent unauthorized access to information processing facilities and prevent damage to information and to the organization's premises

6. Communications & Operations Management - Reduce the risk of failure and its consequences by ensuring the proper and secure use of information processing facilities and by developing incident response procedures

7. Access Control - Control access to information to ensure the protection of networked systems and the detection of unauthorized activities

Information Security Management Best Practice Based on ISO/IEC 17799. Information Management Journal, Jul/Aug 2005, Vol. 39, Iss. 4

57

Best Practice - continued

8. Systems Development and Maintenance - Prevent the loss, modification, or misuse of information in operating systems and application software

9. Business Continuity Management - Ability to react rapidly to the interruption of critical activities resulting from failures, incidents, natural disasters, or catastrophes

10. Compliance - Ensure that all laws and regulations are respected and that existing policies comply with the security policy, in order to ensure that the objectives laid out by senior management are met

Information Security Management Best Practice Based on ISO/IEC 17799. Information Management Journal, Jul/Aug 2005, Vol. 39, Iss. 4

58

Mapping The Cases Into Best Practices

Don't bring home Zip drives, USB devices

Not allowed to ping

Instant messaging tools kept to a minimum

Blocking unwanted web pages and port numbers

Examples of Security Policy Implementation

59

Mapping - continued

Establish joint security team

Creation of Chief Information Security Officer

Assign threat ratings to portions of customer's network system

Asset Classification and Control

Organizational Security Management Framework

60

Mapping - continued

Building User Awareness (e.g. through training)

Using password-protected screen savers, ID cards with auto-changing passwords

Early Warning System & Communicating Threat Information

Personnel Security

Physical and Environmental Security

Access Control

Communications and Operations Management

61

Mapping - continued

Continuously analyze threats and implement the most up-to-date security technology

Make the needed security changes

Automatically routing an oncoming attack to a Network Mitigation Farm

Mirrored data centers

Systems Development and Maintenance

Business Continuity Management

62

CONCLUSION

The information security threat increases as computer and network systems grow more complex and more business processes are integrated with computer/network systems

Information Security is a real and significant aspect of IT/IS systems all over the world

It has become mandatory by law (Sarbanes-Oxley Act) instead of just an optional facility

Best Practice Frameworks are available that can be used to help organizations build a good and sound information security system

63

?