002.itsecurity bcp v1
![Page 1: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/1.jpg)
Information Security &
Risk Management
Presented by
Mohammad Ashfaqur Rahman, Compliance Professional
www.linkedin.com/in/ashfaqsaphal
![Page 2: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/2.jpg)
Objective
● Common methods and types of attack
● Layered Approach
● Security Objective
● Responsibilities
● Risk Management
![Page 3: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/3.jpg)
Common Cyber Attack
● Malware
– code with malicious intent that typically steals data or destroys something on the computer
– introduced to a system through
• email attachments
• software downloads, or
• operating system vulnerabilities
![Page 4: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/4.jpg)
Common Cyber Attack
● Malware
– code with malicious intent that typically steals data or destroys something on the computer
– Viruses : make a computer "sick"
– Spyware : monitors or spies on its victims
– Worms : fulfill a nefarious
![Page 5: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/5.jpg)
Common Cyber Attack
● Malware Infection Techniques
– Phishing
– Spear phishing
– Drive-by Download
– Fake Anti-Virus Software
– Ransomware
– Drive-by Email
– Web Inject
![Page 6: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/6.jpg)
Common Cyber Attack
● Phishing
– Social engineering + widespread email
![Page 7: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/7.jpg)
Common Cyber Attack
● Drive-by Download
– unintentional download of malicious software
![Page 8: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/8.jpg)
Common Cyber Attack
● Fake Antivirus
– Alarming user with false infection warning
![Page 9: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/9.jpg)
Common Cyber Attack
● Ransomware
– Encrypts your computer's data and demands payment to restore it
![Page 10: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/10.jpg)
Common Cyber Attack
● Drive-by Email
– Infection is triggered by opening the email or viewing it in the preview pane
![Page 11: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/11.jpg)
Common Cyber Attack
● DoS attack
– a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users
● DDoS attack
– the attack source is more than one (and often thousands of) unique IP addresses.
![Page 12: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/12.jpg)
DoS and DDoS
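The DoS versus DDoS distinction above (one source against many) is something a defender can read straight off an access log. The following is an added example, not part of the original deck: it buckets constructed log lines into ten-second windows and labels a flood "dos" or "ddos" by how many distinct source IPs it comes from. The log format, the thresholds and the IP addresses are all assumptions made for the example.

```python
"""Added example (not from the slide deck): classify a request flood in a
web server access log as DoS-shaped (one source) or DDoS-shaped (many
sources) by counting requests per source in fixed time windows.
The log lines are constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Simplified log format (constructed for this example):
#   <client-ip> [<ISO-8601 timestamp>] "<request line>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)

WINDOW_SECONDS = 10      # assumption: bucket traffic into 10-second windows
FLOOD_THRESHOLD = 8      # assumption: more requests than this per window is a flood
DISTRIBUTED_SOURCES = 5  # assumption: a flood from this many or more IPs is distributed


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts")).replace(tzinfo=timezone.utc)
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def window_start(ts):
    """Align a timestamp to the start of its WINDOW_SECONDS bucket (epoch seconds)."""
    epoch = int(ts.timestamp())
    return epoch - (epoch % WINDOW_SECONDS)


def classify_flood(lines):
    """Return one alert per window whose request count exceeds FLOOD_THRESHOLD.

    'kind' is 'dos' when the flood comes from few sources and 'ddos' when it
    comes from DISTRIBUTED_SOURCES or more distinct IPs.
    """
    by_window = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_window[window_start(rec["ts"])].append(rec["ip"])

    alerts = []
    for start in sorted(by_window):
        ips = by_window[start]
        if len(ips) <= FLOOD_THRESHOLD:
            continue
        sources = len(set(ips))
        alerts.append({
            "window": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "requests": len(ips),
            "sources": sources,
            "kind": "ddos" if sources >= DISTRIBUTED_SOURCES else "dos",
        })
    return alerts


def constructed_log():
    """Constructed sample: a quiet window, a single-source flood, a multi-source flood."""
    lines = [
        '198.51.100.4 [2023-05-01T10:00:01] "GET /" 200',
        '198.51.100.9 [2023-05-01T10:00:03] "GET /about" 200',
        '198.51.100.4 [2023-05-01T10:00:07] "GET /login" 200',
    ]
    # One host sends ten requests in the 10:00:10 window (DoS shape).
    lines += [f'203.0.113.7 [2023-05-01T10:00:1{i}] "POST /login" 503' for i in range(10)]
    # Ten different hosts send one request each in the 10:00:20 window (DDoS shape).
    lines += [f'192.0.2.{i} [2023-05-01T10:00:2{i}] "GET /" 503' for i in range(10)]
    lines.append("not a log line at all")  # malformed input must not abort the analysis
    return lines


if __name__ == "__main__":
    for alert in classify_flood(constructed_log()):
        print(alert)
```

The point of the two thresholds is that volume alone says "flood" while the source count says which kind of flood: a single-source flood can be rate-limited or blocked at the edge, whereas a distributed one needs upstream filtering or scrubbing capacity, which is why the alert carries both numbers.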
![Page 13: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/13.jpg)
Layered Approach
● Also known as the “defense-in-depth approach”
● implement different layers of protection
● the spectrum of layers can range from
– the programming code
– the protocols that are being used
– the operating system and the application configurations
– through to user activity
– the security program
![Page 14: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/14.jpg)
Layered Approach
● Example : protecting a file agent
– Configure application, file, and Registry access control lists (ACLs)
– Configure the system default user rights
– Consider the physical security of the environment
– Place users into group policies as required
– A strict logon credential policy
– Removal of shared IDs
– Implement monitoring and auditing of file access
– Actions to identify any suspicious activity.
![Page 15: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/15.jpg)
Security Objectives - CIA
● Confidentiality : “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” (44 USC Sec. 3542)
● Integrity : “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” (44 USC Sec. 3542)
● Availability : “Ensuring timely and reliable access and use of information.” (44 USC Sec. 3542)
![Page 16: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/16.jpg)
Security Objectives - CIA
(CIA triad diagram: Confidentiality, Integrity and Availability surrounding Information Security)
● Confidentiality : Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
● Integrity : Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
● Availability : Ensuring timely and reliable access to and use of information.
![Page 17: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/17.jpg)
Security Objectives - CIA
![Page 18: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/18.jpg)
The Best Practices
● Confidentiality
● Integrity
● Availability
● Need-to-know
● Least privilege
● Separation of duties
● Job rotation
● Mandatory vacation
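The "protecting file agent" slide and the best-practice list above describe the same controls from two angles: group-based ACLs, removal of shared IDs and audited file access on one side; need-to-know, least privilege and separation of duties on the other. The following is an added example, not part of the original deck, that turns both into a small policy engine: a default-deny ACL check on group membership, a separation-of-duties rule, and an audit pass over constructed access records that surfaces the suspicious activity the slide asks you to look for. All user names, groups, paths and the business-hours window are assumptions.

```python
"""Added example (not from the slide deck): the 'protecting file agent'
controls and the best-practice list as a small policy engine: group-based
ACLs with default deny (need-to-know, least privilege), a ban on shared IDs,
a separation-of-duties check, and an audit pass over constructed
file-access records. All names, paths and groups are made up."""
from dataclasses import dataclass

# Assumption: users are authorised only through group membership, never individually.
GROUPS = {
    "finance": {"alice", "bob"},
    "hr": {"carol"},
    "it-ops": {"dave"},
}

# IDs the policy says must be removed; any use of them is a finding.
SHARED_IDS = {"admin", "backup", "svc_shared"}

# ACL: path prefix -> {group: permitted operations}. A path with no entry is denied.
ACL = {
    "/data/finance/": {"finance": {"read", "write"}, "it-ops": {"read"}},
    "/data/hr/": {"hr": {"read", "write"}},
    "/data/public/": {"finance": {"read"}, "hr": {"read"}, "it-ops": {"read"}},
}

BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 is normal working time


def groups_of(user):
    """Groups the user belongs to (empty set for unknown or shared IDs)."""
    return {g for g, members in GROUPS.items() if user in members}


def is_allowed(user, path, op):
    """Default-deny ACL check on the longest matching path prefix."""
    if user in SHARED_IDS:
        return False
    prefixes = [p for p in ACL if path.startswith(p)]
    if not prefixes:
        return False
    entry = ACL[max(prefixes, key=len)]
    return any(op in entry.get(g, set()) for g in groups_of(user))


def can_approve(requester, approver):
    """Separation of duties: a finance member may approve only someone else's request."""
    return requester != approver and "finance" in groups_of(approver)


@dataclass(frozen=True)
class AccessRecord:
    user: str
    path: str
    op: str
    hour: int  # hour of day, 0-23, taken from the audit trail


def audit(records):
    """Return (user, path, reason) for every record that deserves a look."""
    findings = []
    for r in records:
        if r.user in SHARED_IDS:
            findings.append((r.user, r.path, "shared ID in use"))
        elif not is_allowed(r.user, r.path, r.op):
            findings.append((r.user, r.path, f"{r.op} denied by ACL"))
        elif r.hour not in BUSINESS_HOURS:
            findings.append((r.user, r.path, "access outside business hours"))
    return findings


# Constructed audit records: one normal access and five that should be flagged.
CONSTRUCTED_RECORDS = [
    AccessRecord("alice", "/data/finance/ledger.xlsx", "read", 10),   # normal
    AccessRecord("dave", "/data/finance/ledger.xlsx", "write", 11),   # it-ops is read-only here
    AccessRecord("carol", "/data/finance/ledger.xlsx", "read", 12),   # hr has no need-to-know
    AccessRecord("admin", "/data/hr/salaries.csv", "read", 9),        # shared ID
    AccessRecord("bob", "/data/finance/ledger.xlsx", "write", 2),     # permitted, but at 02:00
    AccessRecord("dave", "/data/legal/contract.pdf", "read", 10),     # no ACL entry: denied
]

if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_RECORDS):
        print(finding)
```

Two design points worth noticing: the ACL grants nothing unless an entry matches, so a newly created share is unreadable until someone deliberately adds a group (least privilege by construction), and the audit treats a permitted but odd-hours write as a finding rather than an error, which is the difference between enforcement and monitoring on the slide.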
![Page 19: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/19.jpg)
Security Control Points
● Operational and Physical Controls
– Operational Security (Execution of Policies, Standards & Process, Education & Awareness)
• Service Providers: IA, Program Security, Personnel Security, Document Controls (or CM), HR, Finance, etc.
![Page 20: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/20.jpg)
Security Control Points
● Operational and Physical Controls
– Physical Security (Facility or Infrastructure Protection)
• Locks, Doors, Walls, Fence, Curtain, etc.
• Service Providers: FSO, Guards, Dogs
![Page 21: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/21.jpg)
Security Control Points
● Technical (Logical) Controls
– Access Controls, Identification & Authorization, Confidentiality, Integrity, Availability, Non-Repudiation.
• Service Providers: Enterprise Architect, Security Engineer, CERT, NOSC, Helpdesk.
![Page 22: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/22.jpg)
Threat, Risk, and Countermeasure
● Threat Agent : An entity that may act on a vulnerability.
● Threat : Any potential danger to the information life cycle.
● Vulnerability : A weakness or flaw that may provide an opportunity to a threat agent.
● Risk : The likelihood that a threat agent exploits a discovered vulnerability.
● Exposure : An instance of being compromised by a threat agent.
● Countermeasure / safeguard : An administrative, operational, or logical mitigation against potential risk(s).
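The definitions above chain together: a threat agent acts on a vulnerability, the likelihood of that happening is the risk, and a countermeasure (administrative, operational or logical) reduces it. The following is an added example, not part of the original deck, that puts those terms into a small risk register. It scores likelihood and impact on a 1-5 scale, computes inherent risk as likelihood times impact, lets each countermeasure cut likelihood and/or impact to give residual risk, and ranks the register by residual risk. The scale, the band edges and every threat, vulnerability and countermeasure in the register are constructed for illustration.

```python
"""Added example (not from the slide deck): the slide's definitions as a
small risk register. Likelihood and impact are scored 1-5 (an assumption),
inherent risk is likelihood x impact, and each countermeasure lowers the
likelihood and/or impact to give a residual risk used for prioritisation.
Every threat, vulnerability and countermeasure below is constructed."""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumption: 1 (rare / negligible) .. 5 (almost certain / severe)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    kind: str                  # "administrative", "operational" or "logical", per the slide
    likelihood_cut: int = 0    # points removed from likelihood
    impact_cut: int = 0        # points removed from impact


@dataclass(frozen=True)
class Risk:
    threat_agent: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    countermeasures: tuple = ()

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be scored 1-5")

    def inherent(self):
        """Risk before any safeguard: chance the agent exploits the flaw, times what it costs."""
        return self.likelihood * self.impact

    def residual(self):
        """Risk after safeguards; neither axis drops below 1, a risk is never zero."""
        like = max(1, self.likelihood - sum(c.likelihood_cut for c in self.countermeasures))
        imp = max(1, self.impact - sum(c.impact_cut for c in self.countermeasures))
        return like * imp


def rating(score):
    """Map a 1-25 score onto three bands (the band edges are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register):
    """Highest residual risk first: the order in which remaining budget should be spent."""
    return sorted(register, key=lambda r: r.residual(), reverse=True)


# Constructed countermeasures, one of each kind named on the slide.
AWARENESS = Countermeasure("phishing awareness training", "administrative", likelihood_cut=1)
MFA = Countermeasure("multi-factor authentication", "logical", likelihood_cut=2)
PATCHING = Countermeasure("monthly OS patching", "operational", likelihood_cut=2)
BACKUPS = Countermeasure("offline, tested backups", "operational", impact_cut=2)

# Constructed register built from the attack types earlier in the deck.
CONSTRUCTED_REGISTER = [
    Risk("external fraudster", "credential theft", "staff fall for phishing mail",
         likelihood=4, impact=4, countermeasures=(AWARENESS, MFA)),
    Risk("ransomware crew", "data encrypted for ransom", "unpatched operating system",
         likelihood=3, impact=5, countermeasures=(PATCHING, BACKUPS)),
    Risk("botnet operator", "DDoS on public web site", "single internet uplink",
         likelihood=3, impact=3),
]

if __name__ == "__main__":
    for r in prioritise(CONSTRUCTED_REGISTER):
        print(f"{r.threat:28} inherent={r.inherent():2} ({rating(r.inherent())})"
              f"  residual={r.residual():2} ({rating(r.residual())})")
```

Note how the ranking changes once safeguards are counted: the two "high" inherent risks fall to "low" after their countermeasures, and the untreated DDoS risk, only "medium" on paper, ends up at the top of the residual list, which is exactly the signal a risk register exists to produce.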
![Page 23: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/23.jpg)
Threat, Risk, and Countermeasure
![Page 24: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/24.jpg)
Information Security Implementation
![Page 25: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/25.jpg)
Security System Development Life Cycle
● The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project
● Identification of specific threats and creating controls to counter them
● SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
![Page 26: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/26.jpg)
Security System Development Life Cycle
![Page 27: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/27.jpg)
SSDLC - Investigation
● Identifies process, outcomes, goals, and constraints of the project
● Begins with the enterprise information security policy
● Organizational feasibility analysis is performed
![Page 28: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/28.jpg)
SSDLC - Analysis
● Documents from the investigation phase are studied
● Analyzes existing security policies or programs, along with documented current threats and associated controls
● Includes analysis of relevant legal issues that could impact design of the security solution
● The risk management task begins
![Page 29: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/29.jpg)
SSDLC - Logical Design
● Creates and develops blueprints for information security
● Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
● Feasibility analysis to determine whether project should continue or be outsourced
![Page 30: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/30.jpg)
SSDLC - Physical Design
● Needed security technology is evaluated, alternatives generated, and final design selected
● At end of phase, feasibility study determines readiness of organization for project
![Page 31: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/31.jpg)
SSDLC - Implementation
● Security solutions are acquired, tested, implemented, and tested again
● Personnel issues evaluated; specific training and education programs conducted
● Entire tested package is presented to management for final approval
![Page 32: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/32.jpg)
SSDLC - Maintenance and Change
● Perhaps the most important phase, given the ever-changing threat environment
● Often, reparation and restoration of information is a constant duel with an unseen adversary
● Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
![Page 33: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/33.jpg)
Security Professionals
● Wide range of professionals required to support a diverse information security program
● Senior management is a key component; additional administrative support and technical expertise are also required to implement the details of the IS program
![Page 34: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/34.jpg)
Information Security Project Team
● A number of individuals who are experienced in one or more facets of technical and non-technical areas:
– SME
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
![Page 35: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/35.jpg)
Additional Information : Data Ownership
● Data Owner
– responsible for the security and use of a particular set of information
● Data Custodian
– responsible for storage, maintenance, and protection of information
● Data Users
– end users who work with information to perform their daily jobs supporting the mission of the organization
![Page 36: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/36.jpg)
It is your turn again
![Page 37: 002.itsecurity bcp v1](https://reader036.fdocuments.in/reader036/viewer/2022070515/5876fcb51a28abf3398b683f/html5/thumbnails/37.jpg)
The Final Word