COMP3123 Internet Security Richard Henson University of Worcester December 2010.
Week 10: Risks, Response, Recovery, ROI

Objectives:
• Relate B2B and B2C hesitancy over use of the www to ignorance about the PKI
• Develop Information Security procedures for use in an organisation
• Develop a strategy to sell a security policy to the work force
• Explain the complexity of decision-making on whether, or whether not, to spend on security

Global Use of SSL/PKI
• According to recent figures, nearly all top companies in the US are now using SSL/PKI for secure communications:
  » top 40 e-commerce sites
  » all Fortune 500 companies with a web presence
• Conclusion: this technology is tried and tested, and has become industry-standard
• Yet, according to another study: eighty-five percent of Web users reported that a lack of security made them uncomfortable sending credit card numbers over the Internet
• Huge difference between perception and reality!

The Real Picture on Security and Online Trading
• Research has shown that fears of online fraud are more common than fraud itself
• Example quotes:
  » "Online shopping gets a bad rap in the press, but most of the stories reported are anecdotal tales of companies that haven't put successful defensive measures in place"
  » "Web businesses running proper screening of customer information are suffering very little, with average fraud losses held to just over 1%."
  » "Fraud control is clearly possible online, although many companies do not implement stringent screening and prevention measures."

Why are security problems STILL arising?
• Repeating research findings:
  » SSL/PKI reliable
  » About 1% cases of fraud on sites using SSL/PKI – still too much, but nothing like the problem that headlines suggest
• However… many companies not applying strict security measures such as SSL/PKI are:
  » being defrauded
  » skewing the statistics for more responsible online traders

Security Communications with the would-be on-line shopper
• As the main issues for users are encryption and authentication, both are well catered for in the browser
• Communications involving these features through pop-ups and error messages should warn a savvy customer off from using the online trader
• However, what about the "first time buyer", who probably knows nothing of the ways in which security could be safeguarded through the browser…

Reassurances about Encryption
• Most users can understand the implications of encrypting data
• How can they KNOW that the data they are sending really is being encrypted before it goes onto the www?
• How can they know that when the data is decrypted again at its destination it doesn't get abused?
• Something more than mere encryption is needed to convince the sceptic!

Encryption alone is not enough!
• The other aspect of SSL/PKI is the establishment of trust between online vendors and customers
  » usually achieved by providing a digital certificate system:
  » verifies the identity at each end of the communication link
  » thereby authenticating the server/user
• Again, the savvy user will know about digital certificates and expect to be able to view them online

Security Differences between B2B and B2C
• Normally, a business will set themselves up properly for online trading
  » use server certificates for their servers
  » use SSL to ensure data is encrypted
  » train users to become aware of the danger signs
• B2B trading is therefore generally secure
• A B2B customer using the web will (SHOULD!!!) understand implications of security messages from the browser

An Organisational Data Security Strategy: Where to start?
• Strategy can't START with technology
  » needs to start with ISSUES that need addressing
• Should be primarily "top down"
  » concerned with policies, not technical matters…
  » can be supplemented by "bottom up" approach
• Technologies can be used to put policies into practice
  » degree of success in the latter depends on:
    » communication of policies
    » understanding of technologies

Information Security Strategy
• Identify and quantify ALL potential security threats: BOTH internal
  » Policy should already exist!
  » Most likely will need updating
  AND external
  » May have been neglected as the Internet crept into the network!
• Need to set out a policy that, if implemented correctly, WILL effectively secure data

Typical Information Security Policy
• Who will quantify the threats?
  » Head of IT?
  » External Consultant?
  » Both?
• Who will suggest strategies to mitigate those threats?
  » As above?
• Who will make the policies?
  » Senior Management

Creating a Policy
• The same principles apply as with the introduction of ANY change in organisational policy
  » It MUST come from the top!!!
• Problem with any IT policy change is that senior management often don't understand IT…
• Big responsibility on the IT manager to convince senior management:
  » that policy change is necessary!
  » that the organisation won't suffer financially
  » the consequences of NOT implementing such a change

Going beyond Creating a Policy…
• According to the latest BERR figures, the majority of businesses say they have an information security policy
• But is it implemented???
• One possible approach to making sure policy gets through to all parts of an organisation is to implement a quality standard
  » standard for information security is ISO27001

What is ISO27001?
• A set of procedures and standards on Information Security for organisations
  » evolved from BS7799
• Does give an organisation credibility in terms of providing evidence that it has procedures in place to appropriately manage its information
• But quite an extensive "to do" list, and achievement of the kitemark can be a lengthy process…

Role of the Adviser/Consultant
• Will have specialist knowledge of Information Security in organisations
• Likely to be aware of the need to convince senior management that the cost involved in obtaining ISO27001 is worthwhile
• In an SME:
  » the adviser can provide moral, intellectual, and evidential support for the IT manager's position
• In a microbusiness:
  » there is no IT manager…
  » adviser will usually be supporting the most IT-literate employee against a sceptical senior mgt…

How achieving ISO27001 could help with business strategy
• Whatever the business:
  » any new work will have a cost
  » That cost needs to be qualified
  » More cost means less profit…
• What is the ROI of achieving a high level of information security (assurance)?
• Senior management have to be convinced that this is a price worth paying…

Potential Financial Benefits of ISO27001
• These need to be sold to senior mgt…
• Less risk of losing valuable (even strategically important…) data
  » less likely to get embarrassing leaks, which could even get to the media
  » less likely to fall foul of the law
• An ever growing set of examples of businesses who have done both of the above
  » evidence that they lost customers and share price dropped…

Role of Adviser/Consultant
• Needs to have good credentials to be credible:
  » plenty of experience in this area
  » contacts in the industry
  » a good track record for:
    » knowledgeability
    » keeping up to date
    » communication of knowledge
• Needs to be able to put technical problems into terms that non-technologists can understand…
  » very many technical "solutions" available that would be unnecessary if systems and procedures were properly implemented

Role of Adviser/Consultant for Implementation of Policy
• Role doesn't stop once policy has been agreed
• Enforcement of policy is essential
  » needs procedures
    » agreed at institutional level
    » implemented by departments
• The processes involved in getting ISO27001 will ensure that policy implementation processes are in place

Implementation of Policy (Technical)
• Technical aspects of implementation of policy are a matter of operationalising the agreed technologies that will CURRENTLY combat that threat
  » e.g. make sure that W2K network users only have access to files & services they need through careful choice of parameters in GROUP POLICIES
  » e.g. authenticate a secure site for buying online – check, read, approve server certificate
• Adviser's knowledge and experience will be crucial to the organisation when they select actual products and engage in actual implementation
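The slides say a digital certificate "verifies the identity at each end of the communication link" and that a user should "check, read, approve" a server certificate before buying online, but never show what those checks consist of. The following is an added example, not part of the lecture, that emulates the three checks a browser makes before trusting a server: validity period, hostname against the certificate's names (with the usual single-label wildcard rule), and whether the issuer is in the trust store. The certificates and the trust store are constructed test data in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns for a real connection, so everything runs offline; a real browser additionally verifies the CA's signature over the certificate and the full chain, which needs the raw certificate bytes this form does not carry.

```python
"""Emulate the checks a browser makes before trusting a server certificate.

Certificates are represented in the dict shape returned by
ssl.SSLSocket.getpeercert(), so the checks run offline on constructed data.
"""
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample certificates (not real certificates); the field layout
# matches what ssl.SSLSocket.getpeercert() returns for a live connection.
GOOD_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 01 00:00:00 2010 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
}
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Jun 30 23:59:59 2010 GMT")
SELF_SIGNED_CERT = dict(GOOD_CERT, issuer=((("organizationName", "Shop Ltd"),),))

# Constructed trust store: the CAs the "browser" is prepared to believe.
TRUSTED_ISSUERS = {"Example Trusted CA"}

# Fixed "current time" so the example is reproducible (the lecture's date).
LECTURE_DATE = datetime(2010, 12, 15, tzinfo=timezone.utc)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the hostname being visited.

    A wildcard is honoured only in the left-most label and covers exactly
    one label: "*.example.com" matches "shop.example.com" but neither
    "example.com" nor "a.b.example.com".
    """
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def _certificate_names(cert: Dict) -> List[str]:
    """DNS names from subjectAltName, falling back to the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names


def check_certificate(cert: Dict, hostname: str, trusted_issuers: Set[str],
                      now: Optional[datetime] = None) -> List[str]:
    """Return the reasons a browser would warn about; an empty list means OK."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []

    # 1. Validity period (ssl.cert_time_to_seconds parses the GMT string form).
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")

    # 2. The certificate must be for the site the user typed in.
    names = _certificate_names(cert)
    if not any(_name_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname!r} does not match certificate names {names}")

    # 3. The certificate must come from an issuer the trust store knows.
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    if issuer.get("organizationName") not in trusted_issuers:
        problems.append(f"issuer {issuer.get('organizationName')!r} is not in the trust store")
    return problems


if __name__ == "__main__":
    cases = [("good", GOOD_CERT, "shop.example.com"),
             ("expired", EXPIRED_CERT, "shop.example.com"),
             ("self-signed", SELF_SIGNED_CERT, "shop.example.com"),
             ("wrong host", GOOD_CERT, "shop.example.org")]
    for label, cert, host in cases:
        verdict = check_certificate(cert, host, TRUSTED_ISSUERS, now=LECTURE_DATE)
        print(f"{label:11s} -> {verdict or 'OK'}")
```

Each failing case corresponds to one of the browser pop-ups the slides say should "warn a savvy customer off": an expired certificate, a certificate the trust store cannot vouch for, or a certificate issued for a different site. Only the first case, with all three checks passing, is the situation in which a server certificate actually authenticates the trader.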

Implementation of Policy (Technical)
• Furthermore, a good consultant will be able to offer useful advice regarding:
  » embedding the new technologies into existing systems as seamlessly and transparently as possible!
  » bringing about a set of procedures from the agreed "tools for the job" that should cover all eventualities…

Implementation of Procedures (People)
• Not all security procedures will be implemented by IT/networking staff:
  » may apply such procedures to ensure security of servers and data coming into/leaving the organisation
  » but… only limited control on user behaviour
• Client end security procedures have to be implemented by ALL staff
• In order to implement such procedures, they must UNDERSTAND these procedures and their crucial importance to the organisation

Implementing Procedures (People)
• On its own, a set of procedures distributed to staff (perhaps by email!) will therefore have little effect!
  » people will often carry on in their own sweet way!
• Senior Management must also provide the means to enforce policy through requiring adherence to procedures
  » Not just stick, but "carrot-and-stick"

Impact at the Operational Level
• Imposing a new set of procedures may well affect work practices
  » therefore the impact of each needs to be carefully considered
• Pilot scheme first
  » carefully trialled at operational level…
  » time for retraining realistically assessed
  » accurate capital costing for roll-out
• Only when lessons have been learned…
  » can it be positively sold to staff, i.e.:
    » Does mean learning new procedures
    » BUT there'll be no more viruses, pop-ups, etc.

Testing the Policy
• A wise manager will not impose something new on employees without checking first that it is WORKABLE
• Pilot new procedures with a small group first…
  » get feedback…
  » learn lessons…
  » PLAN to roll out across the organisation

Selling the Policy
• Most policies are usually implemented on a departmental basis
• The job of enforcement may be through departments
• Again… to enforce a policy, you must be able to understand it!
• Therefore the first stage should be EDUCATION

Selling the Policy
• Once the penny drops, everyone will be aware that this will mean changes to working practices…
  » need to assure about training
  » Need to assure that it is worth doing:
    » for the individual employee
    » for the department
    » for the whole organisation

Reviewing the Policy/Procedures
• If the problem is understood at a conceptual level…
  » POLICY changes shouldn't be necessary
• However…
  » security technology does not stand still!
  » procedures may need to be revised:
    » every year?
    » six months?
    » whenever a new threat becomes apparent?

The Cost of Losing Organisational Data
• Plenty of data around to support the observation that organisations have been leaking data for years
  » actual problem has to be worse… could be far worse…
  » not all data losses ever get reported!
• Is there a cost to the organisation of losing their data?
  » can a figure be put on this cost?

The Direct Cost of Losing Personal Data
• Same systemic failures and potential cover-ups as for organisation data…
• Direct cost to the organisation probably regarded as very low?
  » why?
  » public reaction to loss?
  » is all personal data equal?

The Direct Cost of Tightening Up Security
• Human cost of completing new documentation
  » essential part of tightening up procedures
• Cost of re-educating and re-training staff to make best use of new procedures
• Associated with employing new technology
  » cost of purchase
  » cost of installation
  » cost of day-to-day management

Indirect Costs of Losing Data
• Cost of falling foul of the law…
  » time spent in court
  » fines
• Cost of bad publicity
  » public embarrassment & loss of credibility
  » making statements explaining how it wasn't as bad as reported
  » stock market price may fall…
• Cost of losing respect of customers
  » send their personal data (and custom) elsewhere
• Cost of business insurance
  » perceived as higher risk
  » premiums more expensive

Differences in Organisational Data between Public & Private Enterprises?
• Is there a difference?
• If strategic business data is lost, with no back up
  » cannot do new business
  » cannot fulfil existing business
  » the business will fold
• If public organisation data is similarly lost
  » service level drops or becomes zero
  » people get angry, write to media
  » public sector body gets lots of bad publicity
  » system gets patched up and limps on
  » enquiry suggests deficiencies & changes to be made…

Differences in Personal Data between Public & Private Enterprises
• A business losing personal data usually does nothing
  » if information leaked to the media
    » should have a "damage limitation exercise" in place
    » can (e.g. Virgin Media) be taken to court
• Public enterprises previously also adopted the above approach
  » media usually kept quiet on such matters
• HMRC's huge (26 million) records loss changed all that
  » result: media ALWAYS reports public sector data loss

The Concept of "Value" of Data
• People don't look after what they perceive not to have any value…
• If organisational and personal data could be given an intrinsic monetary value, perhaps…
  » people might look after it better?
  » businesses might wish to protect data as a monetary asset in its own right?

Economics of Information Security
• New academic research area
• Seeks to produce economic models for organisations to attribute value to data
• Back to basics of Information Security:
  » Confidentiality – relationship between confidentiality & intrinsic value?
  » Integrity – very difficult to quantify
  » Availability – if loss of particular data:
    » causes system failure
    » puts the business temporarily out of business
    » Must have intrinsic value

Value of Business Data
• More success to date with organisational data that affects business availability than with personal data...
  » can put a monetary value on loss to the organisation of e.g.
    » a day's lost production
    » a 10% fall in share price
• If 10000 customer details are leaked, who cares???
  » members of the public?
  » The Information Commissioner…
  » would this affect:
    » the business's availability in the market place
    » the business's share price?
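The slides ask "What is the ROI of achieving a high level of information security?", list the direct costs of tightening up (purchase, installation, training, management) against the direct and indirect costs of losing data, and say economic models should let an organisation "put a monetary value on loss". The following is an added example, not from the lecture, that carries that cost/benefit argument through in code using the standard annualised-loss-expectancy model (ALE = expected incidents per year × loss per incident), a term the slides do not use. All threat rates, losses and control costs are constructed illustrative figures; the two controls are hypothetical. It also shows the failure mode the adviser slide warns about: a technical "solution" bought without procedures can have a negative ROI.

```python
"""Worked risk quantification for the security-spend decision.

Standard ALE model (constructed figures throughout):
    ALE(threat) = annual_rate * loss_per_incident
    benefit(control) = ALE removed across all threats
    ROI(control) = (benefit - annual_cost) / annual_cost
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Threat:
    name: str
    annual_rate: float        # expected incidents per year (estimate)
    loss_per_incident: float  # direct + indirect cost of one incident, GBP


@dataclass
class Control:
    name: str
    annual_cost: float                               # purchase, installation, training, management
    reduction: Dict[str, float] = field(default_factory=dict)  # threat name -> fraction of ALE removed


# Constructed threat register for a hypothetical small online trader.
THREATS = [
    # Lost laptop holding customer records: fine, notification, lost custom.
    Threat("customer data on lost laptop", annual_rate=0.5, loss_per_incident=40_000),
    # Server outage: roughly a day's lost production each time.
    Threat("server outage (day's lost production)", annual_rate=2.0, loss_per_incident=25_000),
    # Card fraud on orders that were not screened.
    Threat("web fraud on unscreened orders", annual_rate=12.0, loss_per_incident=1_500),
]

# Hypothetical controls. PROCEDURES bundles policy, training and
# screening procedures; APPLIANCE is a single piece of technology bought
# on its own, with no change to working practices.
PROCEDURES = Control("policy + training + screening procedures", annual_cost=30_000,
                     reduction={"customer data on lost laptop": 0.8,
                                "server outage (day's lost production)": 0.5,
                                "web fraud on unscreened orders": 0.6})
APPLIANCE = Control("disk-encryption appliance only", annual_cost=20_000,
                    reduction={"customer data on lost laptop": 0.9})


def annual_loss_expectancy(threats: List[Threat]) -> Dict[str, float]:
    """ALE per threat: what each is expected to cost in an average year."""
    return {t.name: t.annual_rate * t.loss_per_incident for t in threats}


def residual_ale(threats: List[Threat], control: Control) -> Dict[str, float]:
    """ALE per threat after the control removes its stated fraction."""
    return {name: ale * (1.0 - control.reduction.get(name, 0.0))
            for name, ale in annual_loss_expectancy(threats).items()}


def control_benefit(threats: List[Threat], control: Control) -> float:
    """Annual loss the control is expected to prevent."""
    return sum(annual_loss_expectancy(threats).values()) - sum(residual_ale(threats, control).values())


def control_roi(threats: List[Threat], control: Control) -> float:
    """Return on the control's annual cost; negative means it does not pay for itself."""
    return (control_benefit(threats, control) - control.annual_cost) / control.annual_cost


def rank_controls(threats: List[Threat], controls: List[Control]) -> List[str]:
    """Control names ordered from best to worst ROI, for the board paper."""
    return [c.name for c in sorted(controls, key=lambda c: control_roi(threats, c), reverse=True)]


if __name__ == "__main__":
    for name, ale in annual_loss_expectancy(THREATS).items():
        print(f"{name:40s} ALE = £{ale:,.0f}")
    for control in (PROCEDURES, APPLIANCE):
        print(f"{control.name:40s} benefit = £{control_benefit(THREATS, control):,.0f}, "
              f"ROI = {control_roi(THREATS, control):+.0%}")
    print("recommended order:", rank_controls(THREATS, [PROCEDURES, APPLIANCE]))
```

With these figures the procedural bundle removes about £51,800 of the £88,000 expected annual loss for a £30,000 spend (ROI roughly +73%), while the appliance bought on its own removes £18,000 for £20,000 (ROI −10%). The numbers are made up, but the structure is the point: the rate estimates are the weak link, since, as the slides note, not all data losses are ever reported, so a sensible board paper shows the ROI under a range of rates rather than a single figure.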

Further Research
• Business-oriented recent white papers:
  » http://www.findwhitepapers.com/security/security
• What SHOULD have happened as the 1998 DPA was implemented…:
  » http://management.silicon.com/government/0,39024677,11015799,00.htm
• Information Commissioner's current website – huge collection of documents:
  » http://www.ico.gov.uk