Information Security2


  • 8/6/2019 Information Security2

    1/46

    INFORMATION SECURITY

    ISSUES, THREATS, SOLUTIONS & STANDARDS


    2/46

    IF YOU THINK TECHNOLOGY CAN SOLVE YOUR SECURITY PROBLEMS, THEN
    YOU DON'T UNDERSTAND THE PROBLEMS
    &
    YOU DON'T UNDERSTAND THE TECHNOLOGY.
    - Bruce Schneier


    3/46

    Nature of Business

    High Risk, High Gain
    Deals with sensitive Information in High Volumes
    All Business Processes generate, operate on and process Information
    A News Item can move stock prices


    4/46

    Nature of Business

    Every Sector / Vertical has faced Information Security Risk
    Cyber Terrorism is real and rising (planned cyber attacks prior to / after 9/11)
    Countries of origin responsible for 75% of intrusions: USA, China, Romania, Germany
    More than 2/3rd express their inability to determine "Whether my systems are currently compromised?"
    Information Governance pushed through Compliance


    5/46

    Who are these Attackers?


    6/46

    Threat Agents

    Media / Competition / Government, Ex-employee, Third Party, Insider, Employee
    More than 70% of Threats are Internal
    More than 60% of culprits are First Time fraudsters


    7/46

    Who are Attackers? What are they doing?

    Intruders are:
    Building up technical knowledge and skills
    Becoming more skilled at removing their trail
    More interested in results than in the experience of hacking
    Exploiting the weakest link


    8/46

    Types of Hackers


    9/46

    Security Impacts

    Embarrassment
    Loss of confidential and sensitive information
    Loss of strategic advantage and resources
    Non-availability of systems in combat situations
    Time and effort spent creating Intellectual Property
    National Security, when information is misused by terrorists/miscreants


    10/46

    Recent cases - India Specific

    MPhasis BFL - Pune
    CEO Bazee.com
    Theft and Sale of Customer Data - Delhi
    Arrest of GM of reputed corporate for Cheating NRI in Dubai
    Attack on Web Sites - BARC, Cyber cell Mumbai
    War Room Leak - Navy


    11/46

    Introduction to Information Security

    "Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected"
    BS ISO 17799:2000


    12/46

    Introduction to Information Security

    Lifecycle of Information: Created, Stored, Processed, Transmitted, Used (for proper & improper purposes), Lost, Corrupted, Destroyed


    13/46

    Introduction to Information Security

    Confidentiality: Ensuring that information is accessible only to those authorized to have access
    Integrity: Safeguarding the accuracy and completeness of information and processing methods
    Availability: Ensuring that authorized users have access to information and associated assets when required


    14/46

    Information Security Trends

    Diagram: IT Security -> Information Security, spanning Technology, Process and People


    15/46

    INTRODUCTION

    Information security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization
    This plug-in discusses how organizations can implement information security lines of defense through people first and technology second


    16/46

    Security is everyone's responsibility
    Information Security is an Organizational Problem rather than an IT Problem
    Biggest Risk: People
    Biggest Asset: People


    17/46

    Damaging forms of security threats

    Malicious code includes a variety of threats such as viruses, worms, and Trojan horses
    Hoaxes attack computer systems by transmitting a virus hoax, with a real virus attached
    Spoofing: the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender
    Sniffer: a program or device that can monitor data traveling over a network


    18/46

    Types of Viruses


    19/46

    Sophistication of Attacks

                                  1980            2006
    No. of hackers                Handful         Thousands
    Time required to prepare      Months          Hours
    No. of machines affected      Hundreds        Millions
    Geographical spread           LAN / Network   Internet


    20/46

    Sophistication of Attacks

    Chart (1980-2000) plotting Attack Sophistication against Intruder Knowledge (High / Low), with two series: Tools and Attackers. Techniques marked along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDOS attacks.


    21/46

    Steps to create an Information Security Plan

    1. Develop the information security policies
    2. Communicate the information security policies
    3. Identify critical information assets and risks
    4. Test and reevaluate risks
    5. Obtain stakeholder support


    22/46

    Suggested Roadmap for IT Security

    Build Responsible Team: Apex Committee, Security Forum, Task Force
    Conduct Thorough Risk Assessment: Information Assets, IT Infrastructure / Network, Applications / Data Storage
    Risk Treatment
    a. Mitigate
    b. Transfer
    c. Avoid
    d. Accept


    23/46

    Suggested Roadmap for IT Security

    Implementation of Controls: Policy, Technology, Training
    Monitoring effectiveness of controls
    Preventive / Corrective Actions
    Continual Improvement
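    A worked example of the roadmap's risk assessment and risk treatment steps, added here as an illustration that is not part of the deck: each risk is scored as likelihood times impact (an assumed 1-5 scale), compared with the acceptable level of risk that top management defines (an assumed threshold), and mapped to one of the four treatment options. The assets and ratings are constructed sample data.

```python
from dataclasses import dataclass

# The acceptable level of risk is defined by top management; the value here is an
# assumed threshold for this example, not a figure from the deck.
ACCEPTABLE_RISK = 6


@dataclass
class Risk:
    asset: str                  # information asset, infrastructure / network, application or data store
    threat: str
    likelihood: int             # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                 # assumed scale: 1 (negligible) .. 5 (severe)
    transferable: bool = False  # can be insured or contracted out
    avoidable: bool = False     # the activity that creates the risk can be dropped

    @property
    def score(self) -> int:
        """Risk rating used by the assessment: likelihood x impact."""
        return self.likelihood * self.impact


def treatment(r: Risk, acceptable: int = ACCEPTABLE_RISK) -> str:
    """Choose one of the roadmap's four options: mitigate, transfer, avoid, accept."""
    if r.score <= acceptable:
        return "accept"      # within the level management has agreed to carry
    if r.avoidable:
        return "avoid"       # stop the risky activity altogether
    if r.transferable:
        return "transfer"    # insurance or outsourcing shifts the impact
    return "mitigate"        # otherwise select controls: policy, technology, training


def build_register(risks, acceptable: int = ACCEPTABLE_RISK):
    """Rows sorted highest score first, so the task force works top-down."""
    rows = [(r.asset, r.threat, r.score, treatment(r, acceptable)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; assets and ratings are illustrative only.
SAMPLE_RISKS = [
    Risk("customer database", "insider theft and sale of records", 4, 5),
    Risk("enterprise planning system", "extended outage", 2, 5, transferable=True),
    Risk("public web site", "defacement", 3, 2),
    Risk("legacy FTP server", "credential sniffing on the LAN", 4, 3, avoidable=True),
]

if __name__ == "__main__":
    for asset, threat, score, action in build_register(SAMPLE_RISKS):
        print(f"{score:2d}  {action:<8}  {asset}: {threat}")
```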


    24/46

    The First Line of Defense - People

    The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
    Information security policies identify the rules required to maintain information security
    Information security plan details how an organization will implement the information security policies


    25/46

    People Readiness


    26/46

    The Second Line of Defense - Technology

    Three primary information security areas:
    1. Authentication and authorization
    2. Prevention and resistance
    3. Detection and response


    27/46

    Suggested Technologies

    Layered model, with the technologies suggested for each layer:
    Policies, Procedures, & Awareness: Management Framework, Training
    Physical Security: Guards, CCTV, Biometric
    Perimeter: Firewalls (Stateful, Deep packet inspection, Application layer), VPN, Gateway Anti Virus
    Internal Network: VLAN, NIDS, TACACS, NMS
    Host: OS hardening, Patch management, HIDS
    Application: Application hardening, Role Based Access, Multi Factor Authentication, PKI
    Data: ACL, Encryption, Database Hardening


    28/46

    AUTHENTICATION AND AUTHORIZATION

    Authentication: a method for confirming users' identities
    The most secure type of authentication involves a combination of the following:
    1. Something the user knows, such as a user ID and password
    2. Something the user has, such as a smart card or token
    3. Something that is part of the user, such as a fingerprint or voice signature


    29/46

    AUTHENTICATION

    The most common method of authentication is User ID and Password
    This is the most common way to identify individual users and typically contains a user ID and a password
    This is also the most ineffective form of authentication
    Over 50 percent of help-desk calls are password related


    30/46

    Identity Thefts


    31/46

    Better Forms of Authentication

    Smart cards and tokens are more effective than a user ID and a password
    Tokens: small electronic devices that change user passwords automatically
    Smart card: a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing


    32/46

    Biometrics

    The identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
    This is by far the best and most effective way to manage authentication
    Unfortunately, this method can be costly and intrusive


    33/46

    PREVENTION AND RESISTANCE

    Downtime can cost an organization anywhere from $100 to $1 million per hour
    Technologies available to help prevent and build resistance to attacks include:
    1. Content filtering
    2. Encryption
    3. Firewalls


    34/46

    Content Filtering

    Organizations can use content filtering technologies to filter e-mail, prevent e-mails containing sensitive information from being transmitted, and stop spam and viruses from spreading
    Content filtering occurs when organizations use software that filters content to prevent the transmission of unauthorized information
    Spam: a form of unsolicited e-mail


    35/46

    ENCRYPTION

    If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
    Encryption scrambles information into an alternative form that requires a key or password to decrypt the information


    36/46

    FIREWALLS

    One of the most common defenses for preventing a security breach is a firewall
    Firewall: hardware and/or software that guards a private network by analyzing the information leaving and entering the network


    37/46

    FIREWALLS

    Sample firewall architecture connecting systems located in Chicago, New York, and Boston


    38/46

    DETECTION AND RESPONSE

    If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
    Antivirus software is the most common type of detection and response technology


    39/46

    Security Policy

    1. Information assets and IT assets are to be protected against unauthorized access.
    2. Information is not to be disclosed to unauthorized persons through deliberate or careless action.
    3. Information is to be protected from unauthorized modification.
    4. Information is to be available to authorized users when needed.
    5. Applicable regulatory and legislative requirements are to be met.
    6. All breaches of information security are to be reported and investigated.
    7. Violations of policies are to be dealt with through a formal disciplinary process.


    40/46

    Well Known Frameworks

    What do the Frameworks say?
    Information in all forms is an Asset (Digital / Non-digital)
    Security is a Process (and not only technology)
    Risk Based Approach (Prevent, Detect, Correct)
    Security should be measurable (Effectiveness, Efficiency)
    Controls include People, Process and Technology
    Top Management Commitment (Define Acceptable level of Risk, Allocate Resources, Implement Policy)


    41/46

    Well Known Frameworks

    1. COBIT - Framework for Auditing Controls (Control OBjectives in Information and related Techniques)
    2. ISO 27001 (BS 7799) - IS Management Framework
    3. ISO 17799 - Implementation guidance on IS Controls
    4. ITIL - IT Service Management Processes
    5. ISO 20000 (BS 15000) - ITSM Management Framework


    42/46

    Scope of ISO 20000 Certification

    Supports the provision of all IT Services, including the following:
    Enterprise Planning System (SAP)
    Infrastructure
    Application and Data Centre Management Services
    to all its customers at all the locations.


    43/46

    Why ISO 20000?

    1. Sustained pressure to deliver high quality IT Service at minimum cost (SLA definition, penalty clause).
    2. IT services are not aligned with the needs of the business and its customers (Requirements gathering).
    3. ISO 20k implementation will ensure standard and proactive (trend analysis etc.) working practices (e.g. where there is no concept of CPA, ISO will ensure the implementation, tracking and closure of CPAs).
    4. Would enhance the quality of IT Service delivered to their customers/users.
    5. Increase effectiveness of the business operation.
    6. Hard evidence that quality of ITSM is taken seriously.


    44/46

    Post Security Implementation Benefits

    At the organizational level - Commitment
    At the legal level - Compliance
    At the operating level - Risk management
    At the commercial level - Credibility and confidence
    At the financial level - Reduced costs
    At the human level - Improved employee awareness


    45/46

    Cyber Law of India

    Electronic record
    Digital Signature
    Certifying Authority
    Penalty for damage to information System - Section 47: Up to 1 Crore (Unauthorized Access, Tampering, Damage)
    Penalty for failure to furnish Information: up to ten thousand a day
    Offences:
    Section 65 Tampering: 3 Yrs / 2 Lacs
    Section 66 Hacking: 3 Yrs / 2 Lacs
    Section 67 Obscene Information: 5 Yrs / 1 Lac
    Section 72 Breach of Confidentiality / Privacy: 2 Yrs / 1 Lac


    46/46

    IT Security Stakeholder Summary

    Diagram: Information (Integrity, Confidentiality, Availability) at the centre, surrounded by the control areas:
    Access Controls
    Asset Management
    Information Security Policy
    Organisation Security
    Human Resource Security
    Physical Security
    Communication & Operations Mgmt
    System Development & Maint.
    Bus. Continuity Planning
    Compliance
    Security Incident Management