Information Security

Post on 02-Nov-2014


By: Alok Katiyar (10210004)

Overview

• What is information security?
• Key components
• Security controls
• Classification of security
• Laws and regulations

What is information security?

The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.

Necessary tools: policy, awareness, training, education, technology.

Information security: a “well-informed sense of assurance that the information risks and controls are in balance.” (Jim Anderson, Inovant, 2002)

Why information security?

The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimizing the impact of security incidents.

Elements of Information Security

According to the Organisation for Economic Co-operation and Development (OECD), there are 9 generally accepted principles:

1. Awareness
2. Responsibility
3. Response
4. Ethics
5. Democracy
6. Risk assessment
7. Security design and implementation
8. Security management
9. Reassessment

Confidentiality

Confidentiality is the term used for preventing the disclosure of information to unauthorized individuals or systems.

Example: Password hacking in online money transaction systems.

Prevention: encrypting the data and limiting the places where it might appear.

Integrity

In information security, integrity means that data cannot be modified undetectably.

Example:

Prevention: message authentication and integrity codes (MAC/MIC), and message digests such as MD5 or SHA-1 hashes.
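The difference between an unkeyed digest and a keyed MAC for the integrity goal, as an added example that is not part of the original slides: the transfer message and the shared key are constructed, and SHA-256 is used in place of the MD5/SHA-1 named above, since those two are no longer collision-resistant. An unkeyed digest catches an unintentional change (a flipped bit) but not an intentional one where the digest is recomputed; a MAC catches both.

```python
import hashlib
import hmac

# Constructed sample transfer instruction (not from the original slides).
ORIGINAL = b"TRANSFER 100.00 FROM ACC-1111 TO ACC-2222"
TAMPERED = b"TRANSFER 900.00 FROM ACC-1111 TO ACC-9999"


def digest_tag(message: bytes) -> str:
    """Unkeyed integrity code: a plain SHA-256 message digest."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed integrity code: HMAC-SHA256; only holders of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def digest_verifies(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(digest_tag(message), tag)


def mac_verifies(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def run_scenarios(key: bytes) -> dict:
    """Return whether each integrity mechanism detects each kind of change."""
    stored_digest = digest_tag(ORIGINAL)
    stored_mac = mac_tag(key, ORIGINAL)

    # Unintentional change: one flipped bit in transit, stored tags untouched.
    corrupted = bytearray(ORIGINAL)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Intentional change: the message is rewritten and the stored tag replaced
    # by one recomputed over the new message. Without the key, the best that
    # can be put in the MAC slot is an unkeyed digest of the new message.
    forged_digest = digest_tag(TAMPERED)
    forged_mac = digest_tag(TAMPERED)

    return {
        "corruption_digest_detected": not digest_verifies(corrupted, stored_digest),
        "corruption_mac_detected": not mac_verifies(key, corrupted, stored_mac),
        "tamper_digest_detected": not digest_verifies(TAMPERED, forged_digest),
        "tamper_mac_detected": not mac_verifies(key, TAMPERED, forged_mac),
    }


if __name__ == "__main__":
    for check, detected in run_scenarios(b"constructed-shared-secret").items():
        print(f"{check}: {detected}")
```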

Availability

The ability of the infrastructure to function according to business expectations during its specified time of operation.

Prevention: Backup systems.

Utility

Utility means usefulness.

Example: Encrypted data stored on a hard disk whose decryption key has been lost.

Prevention: Use a specific computer architecture for a specific purpose (an MS Word file can’t be opened in Notepad).

Risk management

“Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.” (Certified Information Systems Auditor, CISA)

The risk management process consists of:

• Identification of assets and estimating their value.
• Conducting a threat assessment.
• Conducting a vulnerability assessment.
• Calculating the impact that each threat would have on each asset.
• Identifying, selecting and implementing appropriate controls.
• Evaluating the effectiveness of the control measures.

Threats to Information Systems

Unintentional Threats

• Human errors
• Environmental errors
• System failure

Intentional Threats

• Information extortion
• Theft
• Identity theft
• Software attack

Controls

The three main types of controls are:

1. Administrative
2. Logical
3. Physical

Administrative Controls

• Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines.

• Administrative controls form the framework for running the business and managing people.

• Laws and regulations created by government bodies are also a type of administrative control because they inform the business.

• Example: corporate security policy, password policy, hiring policies, and disciplinary policies.

Logical Controls

• Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems.

Examples: firewalls, network intrusion detection systems.

• An important logical control that is frequently overlooked is the principle of least privilege. Example where this principle fails: logging in to Windows as Administrator for everyday work.

Physical Controls

• Physical controls monitor and control the environment of the work place and computing facilities.

Example: Fire alarms, fire suppression systems, cameras, security guards, cable locks etc.

• An important physical control that is frequently overlooked is the separation of duties.

Example: An application programmer should not also be the server administrator or the database administrator.

Access control

Access to protected information must be restricted to people who are authorized to access the information.

Main elements:

• Identification
• Authentication
• Cryptography

Defense in depth

Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information.

To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms.

Balancing Information Security and Access

• Impossible to obtain perfect security—it is a process, not an absolute

• Security should be considered a balance between protection and availability

• To achieve balance, level of security must allow reasonable access, yet protect against threats

Security classification of information

• In the business sector: Public, Sensitive, Private, Confidential

• In the government sector: Unclassified, Sensitive but unclassified, Restricted, Confidential, Secret, Top Secret, and their non-English equivalents

Laws and regulations

The original Information Technology Act (sections 43 and 66)

• Passed in 2000
• Deals with computer misuse
• Does not have any express provision for data security

The IT (Amendment) Act 2008 (“Amendment Act”) (section 43A and section 72A)

• Under Section 43A, “bodies corporate” can be liable if they are negligent in implementing and maintaining “reasonable security practices and procedures” to protect “sensitive personal data or information”.

New data security regulations, 2011 (“Sensitive Personal Data Rules”)

The Sensitive Personal Data Rules define “sensitive personal data or information” of a person to include information about:

• Passwords;
• Financial information such as bank accounts, credit and debit card details;
• Physiological and mental health condition, medical records;
• Biometric information;
• Information received by a body corporate under lawful contract or otherwise;
• User details as provided at the time of registration or thereafter; and
• Call data records.

Information that is freely available in the public domain or accessible under the Right to Information Act, 2005 or any other law will not be regarded as sensitive personal data or information.

Summary

• Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”

• Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.

• Security should be considered a balance between protection and availability

Types of IT Threats

1. Computer virus
2. Trojan horses
3. DNS poisoning
4. Password grabbers
5. Network worms
6. Logic bombs
7. Hijacked home page
8. Password cracker

Types of Attacks

9. SQL injection
10. Dictionary attack
11. Phishing
12. Cross-site scripting (XSS)
13. UI redressing

Thank You