Upload
mahmoud-eladawi
View
101
Download
0
Embed Size (px)
DESCRIPTION
ECSAv4 Module 01 the Need for Security Analysis_NoRestriction
Citation preview
Advanced Penetration Testing and Security Testing and Security
Analysis
Module 1The Need for Security
Analysis
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
This d l ill f ili i ith
• What are we Concerned About?
This module will familiarize you with:
• So What are you Trying to Protect?• Why are Intrusions so Often Successful?• What are the Greatest Challenges?• Threat Agents• Assessment Questions• Risk
Info mation Sec it A a eness• Information Security Awareness• Security Policies• ISO 17799• U S Legislation
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
U.S. Legislation• U.K. Legislation
What are we Concerned About?
Th ftTheft
Fraud/Forgery
Unauthorized Information Access
Interception or Modification of Data
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
te cept o o od cat o o ata
So What are you Trying to Protect?
Your Assets
Your Network Infrastructure
Availability of Your Network
Confidential Personal Data
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Why are Intrusions so Often Successful?Successful?
Poor detection, response, and escalation
No formal policies or non-existent procedures for [pro]active auditing, and/or event management
Limited use of authentication and/or authorization systems
Ignorance of logical and/or organizational boundaries within a network infrastructure
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
What are the Greatest Challenges?g
Environment complexityEnvironment complexity
New technologiesNew technologies
New threats and exploitsNew threats and exploits
Limited focus on securityy
Limited security expertise
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
y p
Environmental Complexity
Multiple points of access:p p
• Wired/wireless• Analog/remote
Insecure network design:
• Ineffective or non-existent Ineffective or non existent DMZ(s)
• Single-layer security design
Multi-vendor environments:
• Cisco, checkpoint, ISS, etc.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
, p , ,
New Technologies
Technology is advancing rapidly.
New technologies make old techniques ineffective or insufficient.
Security technologies change almost every day.
It’ ft i ibl t l t k i f t t t th id It’s often impossible to evolve our network infrastructure at the same rapid pace.
Tunneling software makes it easier to bypass access controls.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
New Threats and Exploits
The average age of malicious attackers isThe average age of malicious attackers isat its lowest.
This significantly increases the number ofpotential threats, as every teenager with apotential threats, as every teenager with abroadband connection can be a suspect.
New exploits are being discovered asfrequently as every 4 hours -- and thisnumber is growing ever smaller!
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
number is growing ever smaller!
Limited Focus
IT security is often allocated a small portion of overall IT budgets
(on average, less than 3%; new statistics say around 6%)statistics say around 6%).
Few managers see the need for it til ft tt k h security until after an attack has
occurred, and by then, it’s often too little, too late.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Limited Expertise
Organizations don’t want to spend money on expensive security personnel.
Most often, ‘Security Administrators’ are actually overworked and under-trained actually overworked and under-trained Network Administrators.
Information security is a complex and specialized field, and engineers need specialized training.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Data Loss Cost Calculatorhttp://www.tech-404.com/calculator.html
Darwin Professional Underwriters Inc., has developed an online data loss
p // 4 4 /
cost calculator that allows companies to estimate their financial risk from data theft.
This calculator provides companies with a no-cost, easy-to-use, and interactive tool to assess the impact of a data breach or identify theft data loss incident.
This calculator can be used to immediately estimate financial exposure of the organizations in three major categories:categories:
• Internal investigation expenses.• Customer notification/crisis management expenses. • Regulatory/compliance expenses.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Regulatory/compliance expenses.
How to Use
Enter the number of affected records in a data breach or identity theft incident within the range of minimum 1000 and maximum 250 000within the range of minimum 1000 and maximum 250,000.
Avoid using commas when entering a number.
The button next to the text box will increase or decrease the number of the affected records by 500.
A user can switch the options “ON” or “OFF” according to their need.
Click the “Graph” icon to generate a pie chart.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Click each pie chart slice to check distribution of costs for each category.
Data Loss Cost Calculator Screenshot
Input
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Graph
Features of Data Loss Cost Calculator
Helps to calculate the data loss cost appro imatelHelps to calculate the data loss cost approximately
Range between 1000 and 250,000 is used
Graphical representation makes the calculation easy and simple to understand
Each category can be studied in detail with the help of advance pie chart option
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Graphical Representation of Total Loss
Notification/Crisis Management
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Graphical Representation of Loss of Each Categoryg y
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
In Order to Ensure...
Accurate authentication
Proper authorization
Confidentiality of data
Integrity of data
Availability of data
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Non-repudiation
Authentication
A h i i i h f if i h id i f i di id lAuthentication is the process of verifying the identity of an individual.
Logging on to a computer is a two-stage process; typically, you will enter your:
• Username: This is for the identifying process.• Password: This is for the authenticating process It authenticates • Password: This is for the authenticating process. It authenticates
or proves your identity as posited in the username stage.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Authorization
Authorization is the process that establishes whether a given identity or Authorization is the process that establishes whether a given identity or subject can perform a given function against a given object.
For example, some users may be authorized to view data, and others may be authorized to delete data; both must be valid users, but they have different capabilities.
Authorization or access control is typically defined by Access Control Lists (ACLs).
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Confidentiality
Confidentiality is the requirement that particular information be restricted to the appropriate people.to the appropriate people.
Mechanisms that are often used to maintain confidentiality include:
• The process of labeling information so that people understand who is allowed to see it and who isn’t.Data Classification:
• Information is often encrypted to maintain confidentiality; only people with the right key are authorized and able to Encryption:decrypt it.
• Formatting disks seven times, degaussing tapes, shredding
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
paper, and sanding CD-ROMs are all activities to protect confidentiality when we throw away information storage.
Equipment Disposal:
Integrity
Integrity is the principle that requires information to maintain its precisionmaintain its precision.
Measures to maintain data integrity may include:
• A checksum is a number produced by a mathematical function to verify that a given block of data hasn’t been changed.
Checksums:
• By ensuring that only the correct people can update, add, and delete data, we can protect its integrity.
Access control:
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Availability
The availability principle ensures that our data will be available in a The availability principle ensures that our data will be available in a timely manner. This principle underpins the whole principle of redundant systems.
• Redundant systems’ disk arrays and y yclustered machines.
• Antivirus software to stop worms destroying our networks. Di t ib t d d i l f i
Measures to maintain data
availability may i l d • Distributed denial-of-service
(DDoS) prevention systems.include:
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Non-Repudiation
Non-repudiation effectively defines a principle or state that ensures that an action or transaction cannot be denied:
• Non-repudiation of receipt: The sender can prove that the d li d h i h message was delivered to the right person.
• Non-repudiation of sender: This is the most common case; the sender’s message appears to be from, say, Mark Osborne, but can we really be sure when dealing with such a fickle character? y g
• Non-repudiation of time No one denies receiving or sending anything; they just deny getting it at a time that makes it meaningful.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
We Must be Diligent
We have to secure:We have to secure:
The people.
The technology.
The processes.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Threat Agents
Employees: No physical security =
• Disgruntled employee• Lack of education:
p y
• Unattended computer systems on the LAN
no security at all:
• Users• Administrators
• Corporate espionageMisuse of IT privileges:
• Unlocked doors or poorly secured server rooms or wiring closets
• The bigger the easier• Misuse of IT privileges:• Internal• External
• The bigger, the easier
Organized threats:
• Fundamentalist groups• Organized crime• Government/foreign intelligence
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Terrorists
Assessment Questions
Here are some questions for you to ponder:
• How easy would it be for someone to steal our corporate information? H ld it b f t h t k?
q y p
• How easy would it be for someone to crash our network? • What vulnerabilities exist at our Internet connection? • What is the likelihood that we will be hacked by someone? • What damage could they do? • What damage could they do? • What could one of our employees do with unauthorized access
privileges? • How easy is it to circumvent these access controls? • Is it easier for insiders than someone trying to come in from the
Internet? • How much should we spend on our IT security program?
Who is responsible for protecting our IT and informational
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Who is responsible for protecting our IT and informational resources?
How Much Security is Enough?
• How much do you have to l ?lose?
• What is your level of exposure/risk?
First, we have to d t d
p /• How are you vulnerable?• How can these risks be
mitigated?
understand risk:
mitigated?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Risk
Risk is “the possibility of harm or loss” Risk is the possibility of harm or loss .
It refers to the uncertainty about events and outcomes that could have an d i bl ff t th i ti d it lundesirable effect on the organization and its goals.
The central element of risk is uncertainty, the probability of experiencing loss as a result of a threat eventloss as a result of a threat event.
The outcome is uncertain, but the threat is very real.
Risk = Loss * Exposure factor.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Simplifying Risk
R = Risk
A = Asset value
d hT = Perceived threat
V = Vulnerability
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
y
Risk Analysis
There are many types of risk analysis.
Common security risk analysis methods and tools include:
CRAMM.
SARAH.
IS1 and IS3.
VISART.
Delphi.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Risk Assessment Answers Seven Questions:Seven Questions:
1• What can go wrong? (threat events)
2• If it happened, how bad could it be? (single-loss exposure value)
3• How often might it happen? (frequency)
4• How sure are the answers to the first three questions? (uncertainty)
4
5• What can be done to remove, mitigate, or transfer risk? (safeguards and controls)
6• How much will it cost? (safeguard and control costs)
• How efficient is it? (cost/benefit or return on investment [ROI] analysis)
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
7• How efficient is it? (cost/benefit, or return on investment [ROI] analysis)
Steps of Risk Assessment
Step 1: Inventory, Definition, and Requirements
Phase 1: Identify critical business processes.
Phase 2: Create a list of assets used by those critical
processes.
Phase 3: Place a value on the assets, or somehow
quantify their importance.
Step 2: Vulnerability and Threat Assessment
Phase 1: Run automated security tools to start process analysis.
Phase 2: Follow up with a manual review.
Step 3: Evaluation of Controls
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Identify potential safeguards and controls, as well as their associated cost.
Steps of Risk Assessment
Step 4: Analysis, Decision, and Documentation
Phase 1: Analyze a list of control options for each threat.
Phase 2: Decide which control is best to implement
for each threat.
Phase 3: Document the assessment process and
results.
Step 5: Communication
Communicate results to the appropriate parties.
Step 6: Monitoring
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Continuously analyze new threats and modify controls as necessary. Significant organizational changes should lead to a new risk assessment.
Risk Assessment Values
The RAV is defined as the degradation of security (or escalation of risk) over a specific life cycle based on best practices for periodic testing.practices for periodic testing.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Information Security Awareness
Information security is all about people.
If people understand and appreciate the dangers and risks associated with mismanaging information, the exposures become measurably reducedreduced.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Security Policies
Security policies are the foundation of your security infrastructure. Without them you cannot protect your company from possible lawsuits Without them, you cannot protect your company from possible lawsuits, lost revenue, and bad publicity, not to mention basic security attacks.
A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented by the company.
Policies are not technology specific and do three things for a company:
• Reduce or eliminate legal liability to employees and third parties.• Protect confidential, proprietary information from theft, misuse,
unauthorized disclosure, or modification.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
u aut o ed d sc osu e, o od cat o .• Prevent waste of company computing resources.
Security Policy Basics
A security policy should determine rules and regulations for the following systems:
• Encryption mechanisms.• Access control devices.• Authentication systems.y• Firewalls.• Anti-virus systems.• Websites.• Gateways.• Routers and switches.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Security Policy Basics (Cont’d)(Cont d)
There are two types of basic security policies:
• Technical security policies: Include how technology should be configured and used.
yp y p
• Administrative security policies: Include how people (both end-users and management) should behave/respond to security.
Persons responsible for the implementation of the security policies are:
• Director of Information Security. • Chief Security Officer.• Director of Information Technology.• Chief Information Officer.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Chief Information Officer.
Types of Policies
Promiscuous Policy Firewall-Management Policy
Permissive Policy
P d t P li
Special-Access Policy
Network Connection PolicyPrudent Policy
Paranoid Policy
Network-Connection Policy
Business-Partner Policy
Acceptable-Use Policy
User-Account Policy
Data Classification Policy
Intrusion Detection PolicyUser-Account Policy
Remote-Access Policy
y
Virus Prevention Policy
O h li i
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Information-Protection PolicyOther Important Policies
Promiscuous Policy
No restrictions on Internet/remote access
• Good luck to your network administrator, you have our blessings...
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Permissive Policy
Known dangerous services/attacks blocked
Policy begins wide open
Known holes plugged/known dangers stopped
Impossible to keep up with current exploits; administrators always playing catch-up
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Prudent Policy
Provides maximum security while allowing known, but necessary, dangers
All services are blocked; nothing is allowedAll services are blocked; nothing is allowed
Safe/necessary services are enabled individuallySafe/necessary services are enabled individually
Non-essential services/procedures that cannot be made safe are NOT ll dallowed
Everything is logged
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
y g gg
Paranoid Policy
No Internet Users find ways Everything is
forbiddenconnection, or
severely limited Internet usage
yaround overly
severe restrictions
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Acceptable-Use Policy
Should users read and copy files that are not their own, but are accessible to them?Should users read and copy files that are not their own, but are accessible to them?
Should users modify files that they have write access to, but are not their own?
Should users make copies of system configuration files (for example, /etc/passwd and SAM) for their own personal use or to provide to other people?
Should users be allowed to use .rhosts files? Which entries are acceptable?
Should users be allowed to share accounts?
Should users have the ability to make copies of copyrighted software?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Should users have the ability to make copies of copyrighted software?
User-Account Policy
Who has the authority to approve account requests?
Who (employees, spouses, children, company visitors, for example) is allowedto use the computing resources?
May users have multiple accounts on a single system?
May users share accounts?
What are the users' rights and responsibilities?
Wh h ld t b di bl d d hi d?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
When should an account be disabled and archived?
Remote-Access Policy
• Who is allowed to have remote access?
• What specific methods (such as cable modem/DSL or dial-up) does the company support?
• Are dial-out modems allowed on the internal network?
• Are there any extra requirements, such as mandatory anti-virus and security software, on the remote system?
• May other members of a household use the company network?
• Do any restrictions exist on what data may be accessed remotely?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Do any restrictions exist on what data may be accessed remotely?
Information-Protection Policy
What are the sensitivity levels of information?What are the sensitivity levels of information?
Who may have access to sensitive information?Who may have access to sensitive information?
How is sensitive information stored and transmitted?How is sensitive information stored and transmitted?
What levels of sensitive information may be printed in publici t ?printers?
How should sensitive information be deleted from storage media( h ddi bbi h d d i d i di k t )?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
(paper shredding, scrubbing hard drives, degaussing disks, etc.)?
Firewall-Management Policy
Who has access to the firewall systems?y
Who should receive requests to make a change to the firewall fi ti ?configuration?
Who may approve requests to make a change to the firewall fi i ?configuration?
Who may see the firewall configuration rules and access lists?Who may see the firewall configuration rules and access lists?
How often should the firewall configuration be reviewed?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
How often should the firewall configuration be reviewed?
Special-Access Policy
• Who should receive requests for special access?
• Who may approve requests for special access?
• What are the password rules for special-access accounts?
• How often are passwords changed?
• What are the reasons or situations that would lead to revocation of special-access privileges?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
revocation of special access privileges?
Network-Connection Policy
Who may install new resources on the network?Who may install new resources on the network?
Who must approve the installation of new devices?Who must approve the installation of new devices?
Who must be notified that new devices are being added to the network?Who must be notified that new devices are being added to the network?
Who should document network changes?Who should document network changes?
Do any security requirements exist for the new devices being added to the
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
y y q gnetwork?
Business-Partner Policy
Is each company required to have a written security policy?
Should each company have a firewall or other perimetersecurity device?
How will communications occur (virtual private networking[VPN] over the Internet, leased line, and so forth)?
How will access to the partner's resources be requested?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Data Classification Policies
There is the need to classify data according to its use, sensitivity, and importance.
Thus, data is classified into three classes:
• High risk: Data that attracts legal penalties if lost or damaged.• Confidential: Data that is to be protected against unauthorized
disclosure.• Public: Data that is freely available.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Data Classification Policies (cont’d)( )
Do data owners determine the data classification and ensure data protection?
Is high risk data encrypted during transmission over insecure channels?
Is confidential data encrypted during transmission over insecure h l ?channels?
Is all data backed up?p
Are all backups handled with the same security precaution as that of the original data?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
the original data?
Intrusion Detection Policies
Is intrusion detection implemented on all servers and workstations that pcontain high risk data?
Are the alarm and alert functions, as well as logging and monitoring systems, working as intended?
Do the intrusion detection tools ensure safety of the data?
Are the server, firewall, and critical system logs secure?
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Virus Prevention Policies
Attempts of willful introduction of computer viruses or disruptive/destructive programs into the organization environment are prohibited and subject to programs into the organization environment are prohibited and subject to prosecution.
Protect all desktop systems with an approved and licensed anti virus software Protect all desktop systems with an approved and licensed anti-virus software.
U d t ti i ft th d ti f th dUpdate anti-virus software as per the recommendation of the vendor.
S ll d k t ti th t l bl t i tt kSecure all servers and workstations that are vulnerable to viruses or worm attacks.
Scan headers of all incoming data including electronic mail for viruses by the email
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Scan headers of all incoming data including electronic mail for viruses by the email server.
Laptop Security Policy
User must agree to take shared responsibility for the security of laptopsecurity of laptop.
User must protect laptop from installing unlicensed or malicious software.
A strong password must be used to login.
L t t b d h t i Laptop must be secured when not in use.
Encryption techniques should be used to save important documents.documents.
Backups for all sensitive data should be maintained.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Standard anti-virus software must be used.
Personal Security Policy
1.• All the people related to the organization must protect their assets.
2.• All the people must be trained about their responsibilities and organizations
information security.
3.• Employee handbook must consists of information about the security responsibilities.
4.• All employees must sign organizations non-disclosure agreement.
4.
5.• Chief security officer must implement system for security related issues.
6.• Human resource manager must ensure background checks of the employees.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Cryptography Policy
Cryptography secures data and protects privacy of the organization.
People of the organization should know about cryptographic techniques and how to implement them to cryptographic techniques and how to implement them to get data secured.
Strong cryptographic algorithms should be selected, Strong cryptographic algorithms should be selected, subjected to applicable law, and implemented.
National and international cryptographic policies are to be National and international cryptographic policies are to be implemented in private and public sectors.
International trade can be facilitated by promoting cost-
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
y p geffective, interoperable, portable, and mobile cryptographic methods.
Fair and Accurate Credit Transactions Act of 2003 (FACTA)Transactions Act of 2003 (FACTA)
FACTA policies are divided into the following categories:
• Data classification• Prevention, as well as detection• Consumer request policies• Consumer notification• Employment policies and proceduresp y p p• Data destruction policies
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
FACTA Policy (cont’d)
Data classification:
• According to FACTA, organizations should protect consumer information throughout.P t t ll id tifi bl d t d t th t b i t d l l
Data classification:
• Protects personally identifiable data, or data that can be associated clearly with one individual.
Prevention as well as detection:
• Adopt procedures designed to prevent identity theft before it occurs.
Prevention, as well as detection:
• Under new FACTA provisions, a consumer may dispute inaccurate information directly with a furnisher.
Consumer request policies:
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
o at o d ect y w t a u s e .• Furnisher must investigate and provide a timely response to the inquiry.
FACTA Policy (cont’d)
Consumer notification:
• A new provision of FACTA is that consumers are to receive notification prior to or within 30 days of “negative” information being reported to a credit bureau.
Employment policies and procedures:
• Organization should have hiring policies that require drug screening, credit checks or background checks, especially for key positions within the organization.
Employment policies and procedures:
organization.
B i ill d b bl h h h d d i i
Data destruction policies:
• Businesses will need to be able to prove that they have destroyed sensitive documents or information to be FACTA compliant.
• Businesses should have a written program outlining how to maintain and shred documents or destroy other data.
l l h d l d h ddi d d di l i d d
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Regularly scheduled paper shredding and data disposal is recommended to prevent the liability from storing excess records with personal information.
Other Important Policies
A i l t k li h l i l t k i l diA wireless network policy helps secure wireless networks, includingwhich devices are allowed to be connected, what security measuresshould be followed, and so forth.
A lab policy discusses how to protect the internal network from theinsecurities of a test lab.insecurities of a test lab.
The best option is to keep the test lab on a completely separate InternetThe best option is to keep the test lab on a completely separate Internetconnection and not have it connected in any way to the internal corporatenetwork.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Policy Statements
The policy is as effective as the policy statements that it contains. Policy statements b i i l d f l lmust be written in a very clear and formal style.
Good examples of policy statements are:
• All computers must have antivirus protection activated to provide real-time, continuous protection.
p p y
• All servers must be configured with the minimum of services to perform their designated functions.
• All access to data will be based on a valid business need and subject to a formal approval process.
• All computer software must always be purchased by the IT department in accordance with the organization’s procurement policy.
• A copy of the backup and restoration media must be kept with the off-site backups.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• While using the Internet, no person is allowed to abuse, defame, stalk, harass, or threaten any other person or violate local or international legal rights.
Basic Document Set of Information Security Policies y
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
ISO 17799
Another option when you are developing policies is to follow the internationally recognized International Standards Organization (ISO) 17799, a set of recommendations organized into 10 major sections covering all facets of information systems policies and procedures.
Many organizations and consulting firms use ISO 17799 as the baseline for policy best practices.for policy best practices.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Domains of ISO 17799
lBusiness continuity planning:
• Counteract interruptions to business activities and to critical business processes from the effects of major failures or disastersprocesses from the effects of major failures or disasters
System access control:
• Control access to information• Prevent unauthorized access to information systems
h f k d• Ensure the protection of networked services• Prevent unauthorized computer access• Detect unauthorized activities
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Ensure information security when traveling and telecommuting
Domains of ISO 17799 (cont’d)
• Ensure security is built into operational systemsP t l difi ti i f d t i li ti t
System development and
• Prevent loss, modification, or misuse of user data in application systems• Protect the confidentiality, authenticity, and integrity of information• Ensure that information technology (IT) projects and support activities are
conducted in a secure manner• Maintain the security of application system software and data
maintenance:Maintain the security of application system software and data
Physical and
• Prevent unauthorized access and damage to and interference with business premises and information
• Prevent loss or compromise of assets and interruption to business activitiesPhysical and
environmental security:
• Prevent compromise or theft of information and information-processing facilities
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Domains of ISO 17799 (cont’d)
• Avoid breaches of any criminal or civil law; any statutory, regulatory, or contractual obligations; and any security requirements
Compliance:
• Ensure compliance of systems with organizational security policies and standards• Maximize the effectiveness of — and minimize interference to and from — the system-
audit process
Personnel
• Reduce risks of human error, theft, fraud, or misuse of facilities• Ensure that users are aware of information security threats and concerns, and are
equipped to support the corporate security policy in the course of their normal work• Minimize the damage from security incidents and malfunctions and learn from such Personnel
security:Minimize the damage from security incidents and malfunctions and learn from such incidents
• Manage information security within the organization
Security organization:
g y g• Maintain the security of organizational information-processing facilities and information
assets accessed by third parties• Maintain the security of information when the responsibility for information processing
has been outsourced to another organization
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Domains of ISO 17799 (cont’d)
Computer and network management:
• Ensure the correct and secure operation of information-processing facilities• Minimize the risk of systems failures• Protect the integrity of software and information• Maintain the integrity and availability of information processing and communication• Ensure the safeguarding of information in networks and the protection of the supporting
infrastructure• Prevent damage to assets and interruptions to business activitiesg p• Prevent loss, modification, or misuse of information exchanged between organizations
Asset classification and control:
i i i i f d h i f i • Maintain appropriate protection of corporate assets and ensure that information assets receive an appropriate level of protection
Security policy:
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Provide management direction and support for information security
No Simple Solutions
Rapid emergence of new exploits
Most vendors don’t take security seriously
Complex network infrastructure
Concentration on performance
Hurried OS and application deployment
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
U.S. Legislation
U.S. legislation has begun to set the standard for information security legislation i di t d i ti
• California SB 1386 • Sarbanes-Oxley 2002
in a very direct and prescriptive way:
• Gramm-Leach-Bliley Act (GLBA)• Health Insurance Portability and Accountability Act
(HIPAA)USA P t i t A t 2001 • USA Patriot Act 2001
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
California SB 1386
Currently, it applies only to data of California residents, but a federal version is reportedly in the pipeline.
In short, this act makes reputational risk of poor security a reality because it requires public disclosure of any security breach that involves q p y ypersonal information if it is unencrypted or if it is reasonably believed that the information has been acquired by an unauthorized person.
In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website and by alerting the media.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Sarbanes-Oxley 2002
At the beginning of the new century, a plethora of informal recommendations came down from the Securities and Exchange Commission (SEC) about auditor independence after a number of well-ppublicized cases of false reporting. With the full extent of the Enron case coming to light, the Sarbanes-Oxley Act was introduced.
As an instrument for accounting reform and investor protection, this legislation was intended to reestablish investor confidence. It also was intended to reduce the stranglehold that the ‘Big Six’ accounting firms intended to reduce the stranglehold that the Big Six accounting firms had on professional services in larger corporations.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Sarbanes-Oxley 2002
• Relating to auditor independence, it is no longer allowed for your auditor to perform such i i i fi i l i f i d i d i l i i l di
Section 201:
activities as financial information systems design and implementation; internal audit outsourcing services; and legal services and expert services (including security).
Section 302:
• The CEOs and CFOs of the accounting company’s clients must sign statements verifying the completeness and accuracy of financial reports.
Section 404:
• CEOs, CFOs, and auditors must report on and attest to the effectiveness of internal controls for financial reporting. This report shall:• State the responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting• Contain an assessment as of the end of the most recent fiscal year of the issuer of the • Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the
effectiveness of the internal control structure and procedures of the issuer for financial reporting
• Each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the i i d d hi b i h ll b d i d i h
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement
Gramm-Leach-Bliley Act (GLBA)
The objective of the Gramm-Leach-Bliley Act was to ease the transfer of financial information between institutions and banks while making the rights of the individual through security requirements more specific.
Key points include:
• Protecting consumers’ personal financial information held by financial institutions and their service providers.
• The officers and directors of the financial institution shall be subject t d ll li bl f i il lt f t th $ to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Although the penalty is small, it is easy to see how it could impact a bank.
Health Insurance Portability and Accountability Act (HIPAA)y ( )
The Health Insurance Portability and Accountability Act universally known as The Health Insurance Portability and Accountability Act, universally known as HIPAA, deals with health personal data, which is defined as:
• An individual’s past present or future physical or mental health or condition• An individual s past, present, or future physical or mental health or condition.• An individual’s provision of health care.• Past, present, or future payment for provision of health care to an individual.
h i bj i f h i l i h fid i liThe primary objective of the security rule is to protect the confidentiality, integrity, and availability of data when it is managed (i.e., stored, maintained, or transmitted) by a health care provider.
Health care providers must provide notice of privacy policies and procedures to patients, obtain consent and authorization for use of information, and tell how information is generally shared and how patients can access, inspect, copy, and
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
g y p p pyamend their own medical records.
USA Patriot Act 2001
Introduced as a direct result of the events of September 11, 2001, the USA p , ,Patriot Act has had a huge impact on how government agencies could obtain information on private individuals.
1• Wiretap orders now can be obtained pertaining to a person rather
than individual circuits.
2• Internet service providers (ISPs) may volunteer information that
they believe is of national importance, without fear of prosecution.
3• Mailbox information can be obtained by subpoena rather than
wiretap order.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
U.K. Legislation
The Computer Misuse Act 1990 creates three distinct criminal The Computer Misuse Act 1990 creates three distinct criminal offenses:
• Unauthorized access to computers, including the illicit copying of software h ld i Thi i l f i h ’ held in any computer. This carries a penalty of up to six months’ imprisonment or up to a £5000 fine and will be dealt with by a magistrate. This covers hobby hacking and, potentially, penetration testing.
• Unauthorized access with intent to commit or facilitate commission of further Unauthorized access with intent to commit or facilitate commission of further offenses (such as fraud or theft), which covers more serious cases of hacking with a criminal intent. This has a penalty of up to five years’ imprisonment and an unlimited fine. Because it is a serious offense, it will be a trial by jury.U th i d difi ti f t t i l hi h i l d th • Unauthorized modification of computer material, which includes the intentional and unauthorized destruction of software or data; the circulation of “infected” materials online (“viruses”); and the unauthorized addition of a password to a data file (“crypto viruses”). This offense also carries a penalty of
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
up to five years’ imprisonment and an unlimited fine. It is also a serious offense, so it too will be a trial by jury.
How Does This Law Affect a Security Officer? Security Officer?
Your security policy must contain an AUP and be communicated to all employees.
Your systems should contain logon banners t ti th t i f th i d l stating that access is for authorized personnel
only and must not contain a “welcome”.
Penetration tests should be accompanied by appropriate paperwork.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
The Data Protection Act 1998
The Data Protection Act 1998 came into force on March 1 2000 The Data Protection Act 1998 came into force on March 1, 2000. Covering the use of personal data (data relating to identifiable living individuals), it implements the European Directive on data protection (95/46/EC) in U.K. law.
The act covers manual and computerized records and is concerned with The act covers manual and computerized records and is concerned with the processing of “personal data.” It works in two ways:
Giving individuals (data subjects) certain rights over the way that their data is • Giving individuals (data subjects) certain rights over the way that their data is processed.
• Requiring those who decide how and why personal data is processed (data controllers) to be open about their use of that data and to comply with the data
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
p p yprotection principles in their information-handling practices.
The Data Protection Act 1998
A data controller must comply with the eight principles of good practice, which require that personal information is:
1• Fairly and lawfully processed.
d f li i d d d i i ibl i h h2
• Processed for limited purposes and not processed in any manner incompatible with those purposes .
3• Adequate, relevant, and not excessive.
4• Accurate.
5• Not kept for longer than is necessary.
6• Processed in accordance with the data subject’s rights.
7• Kept secure.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
8• Not transferred to countries without adequate protection for the information.
The Human Rights Act 1998
Based on the European Convention on Human Rights, the Human Rights Act 1998 i t f i O t b U d A ti l 8 f th C ti l came into force in October 2000. Under Article 8 of the Convention, people are
afforded the right to privacy.
Thi l i hil l i h k l i l li il This not only covers privacy while people are in the workplace, it also applies to email communications, Internet use, and telephone calls. Bottom line: If you are going to monitor employees, you must let people know in advance.
• Your security policy must be communicated to employees and include a warning that systems may be monitored for security purposes. Monitoring would include:
How Does This Law Affect a Security Officer?
• Pen tests.• IDS. • Mail scanning.• Packet sniffers.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Interception of Communications
The Telecommunications Regulations 2000 provided that an employer retains the right to carry out monitoring despite the fact the employee has not given his or her express consent, if fact the employee has not given his or her express consent, if such monitoring is required to carry out the following:
• Recording evidence of business transactions.• Ensuring compliance with regulatory or self-regulatory guidelines.• Maintaining the effective operation of the employer’s systems (for
example, preventing viruses).• Monitoring standards of training and service.• Preventing or detecting criminal activity.• Preventing the unauthorized use of the computer or telephone system.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
The Freedom of Information Act 2000
The Freedom of Information Act 2000 was implemented on January 1, 2005.
It gives private individuals the right to access information held by public authorities, including:
• Central government.• Local authorities.• NHS.• Schools. • Police departments.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
The Audit Investigation and Community Enterprise Act 2005y p 5
The Audit Investigation and Community Enterprise Act 2005 reinforces powers already in place from the companies act. This law makes a director responsible for giving accurate information to auditors, liable for prosecution for withholding relevant information of which the auditor is unaware, and signing off audit reports attesting to that fact. This responsibility takes the form of a statement in the director’s report to the effect that there is no relevant information that has not been disclosed to the auditors.report to the effect that there is no relevant information that has not been disclosed to the auditors.
Should an inspector discover that information has been withheld, the directors will be liable to Should an inspector discover that information has been withheld, the directors will be liable to imprisonment and/or a fine.
The act also contains a whistleblower protection clause that excludes liability for breach of confidence for those who provide information to authorities.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Summary
In this module, we’ve discussed the statistics and importance of vulnerabilities and their impact on business.
We have reviewed the various challenges against security.
We’ve discussed the challenges and how to simplify risk.
We have discussed security policies and postures.
We have discussed ISO 17799 standard for security policies.
Last, but not least, we went over a few important laws and regulations related to
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
p ginformation security.
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Copyright © 2004 EC-Council. All rights reserved worldwide.EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited