Information Security2
Transcript of Information Security2
-
8/6/2019 Information Security2
1/46
INFORMATION SECURITY: ISSUES, THREATS, SOLUTIONS & STANDARDS
-
"IF YOU THINK TECHNOLOGY CAN SOLVE YOUR SECURITY PROBLEMS, THEN YOU DON'T UNDERSTAND THE PROBLEMS & YOU DON'T UNDERSTAND THE TECHNOLOGY." - Bruce Schneier
-
Nature of Business
High risk, high gain
Deals with sensitive information in high volumes
All business processes generate, operate on and process information
A news item can move stock prices
-
Nature of Business
Every sector / vertical has faced information security risk
Cyber terrorism is real and rising (planned cyber attacks prior to / after 9/11)
Countries of origin responsible for 75% of intrusions: USA, China, Romania, Germany
More than 2/3rd express their inability to answer "Are my systems currently compromised?"
Information governance pushed through compliance
-
Who are these Attackers?
-
Threat Agents
Media / Competition / Government, Ex-employee, Third Party, Insider, Employee
More than 70% of threats are internal
More than 60% of culprits are first-time fraudsters
-
Who are Attackers? What are they doing?
Intruders are:
Building up technical knowledge and skills
Becoming more skilled at removing their trail
More interested in results than in the experience of hacking
Exploiting the weakest link
-
Types of Hackers
-
Security Impacts
Embarrassment
Loss of confidential and sensitive information
Loss of strategic advantage and resources
Non-availability of systems in combat situations
Time and effort spent creating intellectual property
National security, when information is misused by terrorists / miscreants
-
Recent Cases (India specific)
MPhasis BFL - Pune
CEO Bazee.com
Theft and sale of customer data - Delhi
Arrest of GM of reputed corporate for cheating NRI in Dubai
Attack on web sites - BARC, Cyber Cell Mumbai
War Room Leak - Navy
-
Introduction to Information Security
"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected." (BS ISO 17799:2000)
-
Introduction to Information Security
Lifecycle of Information: Created, Stored, Processed, Transmitted, Used (for proper & improper purposes), Lost, Corrupted, Destroyed
-
Introduction to Information Security
Confidentiality: ensuring that information is accessible only to those authorized to have access
Integrity: safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that authorized users have access to information and associated assets when required
-
Information Security Trends
From IT Security to Information Security: Technology, Process, People
-
INTRODUCTION
Information security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization.
This plug-in discusses how organizations can implement information security lines of defense through people first and technology second.
-
Security is everyone's responsibility
Information security is an organizational problem rather than an IT problem
Biggest risk: People
Biggest asset: People
-
Damaging forms of security threats
Malicious code: includes a variety of threats such as viruses, worms, and Trojan horses
Hoaxes: attack computer systems by transmitting a virus hoax, with a real virus attached
Spoofing: the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender
Sniffer: a program or device that can monitor data traveling over a network
-
Types of Viruses
-
Sophistication of Attacks
Number of hackers: 1980 - a handful; 2006 - thousands
Time required to prepare an attack: 1980 - months; 2006 - hours
Number of machines affected: 1980 - hundreds; 2006 - millions
Geographical spread: 1980 - LAN / network; 2006 - Internet
-
Sophistication of Attacks
[Chart: intruder knowledge (falling from high to low) versus attack sophistication (rising from low to high), 1980 to 2000; legend: Tools, Attackers]
Techniques plotted, in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDOS attacks
-
Steps to create an Information Security Plan
1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support
-
Suggested Roadmap for IT Security
Build a responsible team: Apex Committee, Security Forum, Task Force
Conduct a thorough risk assessment: Information Assets, IT Infrastructure / Network, Applications / Data Storage
Risk treatment:
a. Mitigate
b. Transfer
c. Avoid
d. Accept
-
Suggested Roadmap for IT Security
Implementation of controls: Policy, Technology, Training
Monitoring effectiveness of controls
Preventive / corrective actions
Continual improvement
-
The First Line of Defense - People
The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan.
Information security policies identify the rules required to maintain information security.
Information security plan details how an organization will implement the information security policies.
-
People Readiness
-
The Second Line of Defense - Technology
Three primary information security areas:
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response
-
Suggested Technologies (by defense layer)
Policies, Procedures, & Awareness: Management Framework, Training
Physical Security: Guards, CCTV, Biometric
Perimeter: Firewalls (Stateful, Deep packet inspection, Application layer), VPN, Gateway Anti Virus
Internal Network: VLAN, NIDS, TACACS, NMS
Host: OS hardening, Patch management, HIDS
Application: Application hardening, Role Based Access, Multi Factor Authentication, PKI
Data: ACL, Encryption, Database Hardening
-
AUTHENTICATION AND AUTHORIZATION
Authentication: a method for confirming users' identities
The most secure type of authentication involves a combination of the following:
1. Something the user knows, such as a user ID and password
2. Something the user has, such as a smart card or token
3. Something that is part of the user, such as a fingerprint or voice signature
-
AUTHENTICATION
The most common method of authentication is user ID and password.
This is the most common way to identify individual users and typically consists of a user ID and a password. This is also the most ineffective form of authentication.
Over 50 percent of help-desk calls are password related.
-
Identity Thefts
-
Better Forms of Authentication
Smart cards and tokens are more effective than a user ID and a password
Tokens: small electronic devices that change user passwords automatically
Smart card: a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
-
Biometrics
The identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
This is by far the best and most effective way to manage authentication
Unfortunately, this method can be costly and intrusive
-
PREVENTION AND RESISTANCE
Downtime can cost an organization anywhere from $100 to $1 million per hour.
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls
-
Content Filtering
Organizations can use content filtering technologies to filter e-mail, prevent e-mails containing sensitive information from being transmitted, and stop spam and viruses from spreading.
Content filtering occurs when organizations use software that filters content to prevent the transmission of unauthorized information.
Spam: a form of unsolicited e-mail
-
ENCRYPTION
If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it.
Encryption scrambles information into an alternative form that requires a key or password to decrypt the information.
-
FIREWALLS
One of the most common defenses for preventing a security breach is a firewall.
Firewall: hardware and/or software that guards a private network by analyzing the information leaving and entering the network.
-
FIREWALLS
[Figure: sample firewall architecture connecting systems located in Chicago, New York, and Boston]
-
DETECTION AND RESPONSE
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage.
Antivirus software is the most common type of detection and response technology.
-
Security Policy
1. Information assets and IT assets are to be protected against unauthorized access.
2. Information is not to be disclosed to unauthorized persons through deliberate or careless action.
3. Information is to be protected from unauthorized modification.
4. Information is to be available to authorized users when needed.
5. Applicable regulatory and legislative requirements are to be met.
6. All breaches of information security are to be reported and investigated.
7. Violations of policies are to be dealt with through a formal disciplinary process.
-
Well Known Frameworks
What do the frameworks say?
Information in all forms is an asset (digital / non-digital)
Security is a process (and not only technology)
Risk based approach (Prevent, Detect, Correct)
Security should be measurable (effectiveness, efficiency)
Controls include People, Process and Technology
Top management commitment (define acceptable level of risk, allocate resources, implement policy)
-
Well Known Frameworks
1. COBIT: framework for auditing controls (Control OBjectives in Information and related Techniques)
2. ISO 27001 (BS 7799): IS management framework
3. ISO 17799: implementation guidance on IS controls
4. ITIL: IT service management processes
5. ISO 20000 (BS 15000): ITSM management framework
-
Scope of ISO 20000 Certification
Supports the provision of all IT services, including the following:
Enterprise Planning System (SAP)
Infrastructure
Application and Data Centre Management Services
to all its customers at all locations.
-
Why ISO 20000?
1. Sustained pressure to deliver high quality IT service at minimum cost (SLA definition, penalty clause).
2. IT services are not aligned with the needs of the business and its customers (requirements gathering).
3. ISO 20k implementation will ensure standard and proactive (trend analysis etc.) working practices (e.g. where there is no concept of CPA, ISO will ensure the implementation, tracking and closure of CPAs).
4. Would enhance the quality of IT service delivered to their customers/users.
5. Increase effectiveness of the business operation.
6. Hard evidence that quality of ITSM is taken seriously.
-
Post Security Implementation Benefits
At the organizational level - Commitment
At the legal level - Compliance
At the operating level - Risk management
At the commercial level - Credibility and confidence
At the financial level - Reduced costs
At the human level - Improved employee awareness
-
Cyber Law of India
Electronic record
Digital Signature
Certifying Authority
Penalty for damage to information system: Section 47, up to 1 Crore (unauthorized access, tampering, damage)
Penalty for failure to furnish information: up to ten thousand a day
Offences:
Section 65 Tampering: 3 Yrs / 2 Lacs
Section 66 Hacking: 3 Yrs / 2 Lacs
Section 67 Obscene Information: 5 Yrs / 1 Lac
Section 72 Breach of Confidentiality / Privacy: 2 Yrs / 1 Lac
-
IT Security Stakeholder Summary
[Diagram: Information (Integrity, Confidentiality, Availability) at the centre, surrounded by the control domains:]
Access Controls
Asset Management
Information Security Policy
Organisation Security
Human Resource Security
Physical Security
Communication & Operations Mgmt
System Development & Maint.
Bus. Continuity Planning
Compliance
Security Incident Management