1

Information SecurityChallenges and Opportunities

M. Faisal Naqvi, CISSP, CISAMS (E-Com) Gold (PU), CMA inter (ICMA)

27001 A (IRCA, UK), 27001 Implr (IT Gov, UK)Associate Member of Business Continuity Institute

Senior Consultant – Information Security

© 2008 NetSol Technologies, Inc. All rights reserved2

Information Security (A-I-C)

Availability Integrity Confidentiality

© 2008 NetSol Technologies, Inc. All rights reserved3

Dependence on IT

Almost every Government Department Banks including ATM network, Stock

Exchanges & Brokers Telecommunication & Mobile Companies Electronic and Print Media Software houses and Call centers Other Private companies including MNCs

© 2008 NetSol Technologies, Inc. All rights reserved4

Challenges to Information Availability ATM Network/Credit Card Mobile Network/Mobile Card Charging Sys Call Centers TV Channels Internet Service Provider Stock Exchange Application

© 2008 NetSol Technologies, Inc. All rights reserved5

Attacks on Availability of Information Denial of Service (DoS) Attacks Distributed DoS (D-DoS) Attacks Malicious act by disgruntled employee Power Failure Natural/Man-made Disasters like Fire,

Flood, Storm, Earthquake, Strike and Terrorism

© 2008 NetSol Technologies, Inc. All rights reserved6

Challenges to Information Integrity

Balance of Rs.9,000/- in bank is changed to Rs.9,000,000/-

Tempering of NADRA records Changing CSS exam results Changing ownership of Vehicle / Land in E-

Records Tempering Share Prices of Stock Phishing Electronic Stalking Salami Attacks

© 2008 NetSol Technologies, Inc. All rights reserved7

Attacks on Information Integrity

Hacking SQL injection Insiders / Employees Weak cryptographic algorithms Buffer overflow Malicious Code

© 2008 NetSol Technologies, Inc. All rights reserved8

Challenges to Confidentiality of Information Source Code/Trade Secret Theft Tenders Quotation Disclosure Clients Information Stealing Govt. Sensitive Information Leakage Mobile Usage and Personal Information Online Bank Account Password ATM Pins

© 2008 NetSol Technologies, Inc. All rights reserved9

Attacks on Confidentiality of Information Employees Social Engineering Hacking SQL Injection Key Loggers (software/hardware)

© 2008 NetSol Technologies, Inc. All rights reserved10

Getting ATM cards & pins

© 2008 NetSol Technologies, Inc. All rights reserved11

Getting ATM cards & pins (cont…)

© 2008 NetSol Technologies, Inc. All rights reserved12

Getting ATM cards & pins (cont…)

© 2008 NetSol Technologies, Inc. All rights reserved13

Getting ATM cards & pins (cont…)

© 2008 NetSol Technologies, Inc. All rights reserved14

Getting ATM cards & pins (cont…)

© 2008 NetSol Technologies, Inc. All rights reserved15

How to Overcome these challenges

Pro-active approach rather than Reactive Preventive Controls rather than Corrective

© 2008 NetSol Technologies, Inc. All rights reserved16

Opportunities to ensure Availability of Information Firewalls Intrusion Detection Systems Intrusion Prevention Systems Anomaly Detection Systems Antivirus Business Continuity Management Disaster Recovery Planning

© 2008 NetSol Technologies, Inc. All rights reserved17

Opportunities to ensure Integrity of Information Application Security Segregation and Rotation of Duties Strong Cryptography Access Control Application Vulnerability Assessment Application Penetration Testing

© 2008 NetSol Technologies, Inc. All rights reserved18

Opportunities to ensure Confidentiality of Information Access Control Training and Awareness Anti spy ware Extrusion Prevention Systems

© 2008 NetSol Technologies, Inc. All rights reserved19

Opportunities to ensure overall Information Security Strength of overall Information Security is not

more than one weakest element Need for a system which can ensure the A-I-C in

a comprehensive manner ISO-27001 Information Security Management

System (ISMS) ISMS 133 countermeasures to control all

possible Threats and Vulnerabilities

© 2008 NetSol Technologies, Inc. All rights reserved20

Opportunities to ensure overall Information Security Periodic Audits and Assessments through

independent neutral organizations Vulnerability Assessments Penetration Tests through Ethical Hackers

© 2008 NetSol Technologies, Inc. All rights reserved21

Opportunities to ensure overall Information Security by Govt. Electronic Transaction Ordinance (ETO), 2002 Prevention of Electronic Crime Ordinance

(PECO) 2007 National Response Centre for Cyber Crimes

(NR3C), FIA Information & Communication Technology (ICT)

Tribunals

© 2008 NetSol Technologies, Inc. All rights reserved22

Electronic Transaction Ordinance

36. Violation of privacy of information

Protects Confidentiality

37. Damage to information system, etc.

Protects Integrity and Availability

© 2008 NetSol Technologies, Inc. All rights reserved23

Prevention of Electronic Crime Ordinance (Crimes)3. Criminal Access4. Criminal Data Access5. Data Damage6. System Damage7. Electronic Fraud8. Electronic Forgery9. Misuse of Electronic System or Device 10. Unauthorized access to code

© 2008 NetSol Technologies, Inc. All rights reserved24

Prevention of Electronic Crime Ordinance11. Misuse of Encryption12. Malicious Code13. Cyber Stalking14. Spamming15. Spoofing16. Unauthorized interception17. Cyber Terrorism18. Enhanced punishment for offences involving

electronic systems

© 2008 NetSol Technologies, Inc. All rights reserved25

?

© 2008 NetSol Technologies, Inc. All rights reserved26

Thank You