Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Transcript of Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf (58 pages)

Page 1: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Information Security Issues that impact an Accountant

Presentation by

K. Atique-e-Rabbani, B Tech (Hons), UK, FCA

Page 2: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Information Security Issues that impact an Accountant

Page 3: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Preamble

1. People look to us for an opinion on the financial health of an organization.

2. Information generated from every nook and corner of the organization goes into the accounting information system and the financial statements, the window on the health of the organization.

3. That information must be captured correctly, transferred correctly and collated correctly across a myriad of networks and places for our opinions to hold water.

4. This is what Information Security attempts to ensure.

5. Hence our need to understand the issues, and the need for this seminar.

Page 4: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Index

• The best security can't help the most naïve user (1 slide)

• For information security one also cannot completely lock information away: Obama gets to keep his BlackBerry (2 slides)

• Information Security (InfoSec) breach stories (Obama, Bank of New York Mellon) (4 slides)

• Introduction to Information Security (3 slides)

Page 5: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Index -2

• Core Principles of Information Security: CIA (1 slide)

• Confidentiality (1 slide)

• Integrity (2 slides)

• Availability (2 slides)

• The New Information Security Professional (8 slides)

• Suggested Information Security Steps integrated with IT Governance (1 slide)

Page 6: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Index -3

• Info Security certifications: CISSP / CISM (2 slides)

• Information Security Audit (12 slides)

• The Last Word: Information Security, a business requirement (1 slide)

• Appendix 1: CISSP Information Security certification curriculum (4 slides)

• Appendix 2: Digital Signature (1 slide)

• Appendix 3: Cryptography (1 slide)

• Appendix 4: PKI (Public Key Infrastructure) (1 slide)

• Appendix 5: Useful websites (3 slides)

Page 7: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The Best Security Can't Help the Most Stupid User

User name and password on display, lest he forgets!!!

Page 8: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

I've Locked Down My Host to the Point Where It's Unusable

Page 9: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

"Hey Secret Service Agent, Leave my BlackBerry alone"

Obama gets to keep his BlackBerry, but with an enhanced encryption package built in

Page 10: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Stories/ Facts

• An embarrassed State Department admitted that the passport files of all three presidential candidates, Sens. John McCain, Barack Obama and Hillary Clinton, had been breached by its own employees.

• The bombshell announcement came within hours of the admission that Obama's personal file had been improperly accessed several times in 2008 and that no one had been notified of the breach.

Page 11: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Stories/ Facts -2

• Criminal hackers are part of a very mature, multi-billion dollar industry that reaches around the world. No organization is immune to the threat.

• The Aug 2008 charges against 11 alleged hackers accused of stealing more than 40 million credit and debit card numbers concerned what was, at the time, the largest such theft on record.

• The US Dept of Justice brought the charges against the 11 alleged hackers, who came from around the globe.

Page 12: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Stories/Facts -3

• An unencrypted backup tape holding data on 4.5 million customers of the Bank of New York Mellon went missing on Feb 27, 2008, after it was sent to a storage facility.

• The missing tape contained Social Security numbers and bank account information for those 4.5 million customers. The key word is unencrypted: had the tape been encrypted with a key kept elsewhere, its loss would have been an inconvenience rather than a breach.

Page 13: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Stories/Facts -4

• In Aug 2008, a former Countrywide Financial Corp senior financial analyst was arrested and charged by the FBI with stealing and selling sensitive personal information on an estimated 2 million mortgage loan applicants.

• He did it over a two-year period by downloading about 20,000 customer profiles each week onto flash drives, working on Sunday nights when no one else was in the office.

Page 14: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Introduction

• Information security is not new.

• Julius Caesar used the Caesar cipher, a simple letter-shift cipher, around 50 BC to prevent his messages from falling into the wrong hands.

• What is new? The ICT rock star has jumped in with a multitude of tentacles and promises of nirvana, the heaven and the earth.

• And, as an aside, it has also brought the information security nightmare.

Page 15: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Introduction -2

• A highly networked business environment is the order of the day. This has pushed information security to pre-eminence today.

• Information is arguably among an enterprise's most valuable assets.

• Its protection from predators both within and outside has taken centre stage as an IT priority and indeed a business priority.

Page 16: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Introduction -3

• As a Finance Controller, as an Auditor, as a CEO, we breathe, live, rise and fall with information.

• The organizations we serve also breathe, live, rise and fall with information; of course secure, untampered, authentic information.

• But the paradox is that we need greater, more convenient, from-anywhere, on-the-fly access to more and more of that secure information.

Page 17: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Core Principles of Information Security

• The Confidentiality, Integrity and Availability (CIA) triad

• There is a CBK (Common Body of Knowledge) propagated by (ISC)², a collection of topics relevant to all InfoSec professionals.

• The CBK is fundamentally based on the CIA triad, the core information security and assurance tenets.

Page 18: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Confidentiality

• Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality.

• Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

Page 19: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Integrity

• Integrity is compromised when an employee is able to modify his own salary in a payroll database, or when an unauthorized user vandalizes a web site.

• There are many ways in which integrity can be violated without malicious intent.

• In the simplest case, a user on a system could mistype someone's address.

Page 20: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Integrity -2

• On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised.

• Information security professionals are tasked with finding ways to implement controls that prevent, or at least detect, errors of integrity.
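Two controls that address exactly the failures described on the two Integrity slides, as an added example (not from the presentation): a keyed hash (HMAC) stored with each payroll record, so that a salary edited directly in the database, bypassing the application, is detected at the next verification; and a batch control total that a bulk update must reconcile to before it is committed. The payroll key, the records, the percentage and the totals are constructed for the example; in a real system the key would live with the payroll application, not with the users of the data.

```python
"""Added example (not from the presentation): two integrity controls for a
payroll table. (1) Each record carries an HMAC computed by the payroll
application, so a salary edited directly in the database is detected.
(2) A bulk update must reconcile to a control total before it is committed.
Key, records and figures are constructed for the example."""
import hashlib
import hmac
from decimal import Decimal

PAYROLL_KEY = b"demo-payroll-integrity-key"  # held by the payroll application only

def record_mac(employee_id: str, salary: Decimal) -> str:
    """HMAC-SHA256 over the canonical form of one payroll record."""
    msg = f"{employee_id}|{salary:.2f}".encode()
    return hmac.new(PAYROLL_KEY, msg, hashlib.sha256).hexdigest()

def make_record(employee_id: str, salary) -> dict:
    salary = Decimal(salary).quantize(Decimal("0.01"))
    return {"id": employee_id, "salary": salary,
            "mac": record_mac(employee_id, salary)}

def tampered_records(table) -> list:
    """Ids of records whose stored MAC no longer matches their contents."""
    return [r["id"] for r in table
            if not hmac.compare_digest(r["mac"], record_mac(r["id"], r["salary"]))]

def bulk_raise(table, pct, expected_total) -> list:
    """Apply a percentage raise to every record. The new table is returned
    only if its salary total equals the independently computed control
    total; otherwise nothing is committed and ValueError is raised."""
    new_table = [make_record(r["id"], r["salary"] * (1 + Decimal(pct) / 100))
                 for r in table]
    actual = sum(r["salary"] for r in new_table)
    if actual != Decimal(expected_total):
        raise ValueError(f"control total mismatch: expected {expected_total}, got {actual}")
    return new_table

def demo():
    table = [make_record("E100", "1000.00"),
             make_record("E200", "2500.00"),
             make_record("E300", "4000.00")]

    # An employee edits his own salary directly in the database (no MAC update)
    table[0]["salary"] = Decimal("9000.00")
    tampered = tampered_records(table)          # ['E100']
    table[0] = make_record("E100", "1000.00")   # restore for the next step

    # A correct 5% raise reconciles: 1050 + 2625 + 4200 = 7875.00
    raised = bulk_raise(table, 5, "7875.00")

    # Any mismatch (a buggy process, or a wrong expectation) blocks the commit
    try:
        bulk_raise(table, 5, "8268.75")
        rejected = False
    except ValueError:
        rejected = True
    return tampered, sum(r["salary"] for r in raised), rejected

if __name__ == "__main__":
    print(demo())
```

The MAC does not stop a privileged database user from changing a salary; it makes the change visible to anyone holding the key who re-verifies the table, which is the detective control an auditor can rely on. The control total is the old batch-control idea from manual bookkeeping applied to an automated process.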

Page 21: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Availability

• For any information system to serve its purpose, the information must be available when it is needed.

• This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must all be functioning correctly.

Page 22: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Availability -2

• High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures and system upgrades.

• Ensuring availability also involves preventing, or withstanding, denial-of-service attacks.

• Some add possession (or control), authenticity and utility to CIA as three more atomic elements of information; together they form the Parkerian hexad.

Page 23: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The new InfoSec Professional

• There has been a significant change in the responsibilities held by the InfoSec manager.

• More and more, traditional business functions such as compliance, risk management and privacy are being assigned to the InfoSec manager.

• Therefore, the InfoSec professional must understand not only technological requirements but also the needs of the business.

Page 24: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The new InfoSec Professional -2

• The information security professional has thus evolved from computer operator to chief information security officer, and from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance.

Page 25: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The new InfoSec Professional -3

• Some desirable skills of the InfoSec professional are:

• Communication: a must-have ability. InfoSec professionals must be able to communicate with all layers of management and with specialist technical staff, and convey ideas and concepts clearly.

Page 26: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The new InfoSec Professional -4

• Application penetration skills: understand how applications work, what protocols they use to communicate, what information goes into and comes out of them and, above all, how to make them do things the programmer did not intend. This is the next major battle front in information security, and being able to move effectively in this space is important.

Page 27: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The new InfoSec Professional -5

• Network penetration skills: being able to understand and use network properties to map the network and find vulnerable nodes on it.

• Knowing what is a real, viable attack and what is not: knowing which attacks against which targets are viable, and then being able to prove that viability to the developers and users of the system.

Page 28: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The new InfoSec Professional -6

• Knowing how data moves around the network: how data is used, where it is used, and who uses it in normal day-to-day patterns.

• Network engineering skills: just enough to know how each component on the network works, what its function is, what its strengths and weaknesses are, and how it could be exploited.

Page 29: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The new InfoSec Professional -7

• IDS/IPS (Intrusion Detection System / Intrusion Prevention System): interpretation of results, being able to work with the IDS/IPS on the network and understanding its limitations.

• System administration: know enough about system administration so that, if presented with a series of computers, one can secure them while still allowing the applications to run.

Page 30: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The new InfoSec Professional -8

• Risk management skills: being able to understand the concepts of risk management and how they are applied in the context of the company's culture. Not all companies are the same when it comes to risk management; each company has its own tolerance for risk. Be able to work within the confines of the company's tolerance for risk.

• Be creative: the ability to think beyond the checklist about how systems and controls can be misused.

Page 31: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Suggested InfoSec Program Steps

• Compose an information security program

• Cement a relationship between the information security program and IT governance

• Design roles and responsibilities to ensure accountability

• Identify and allocate resources to achieve the information security program's objectives

• Determine whether the information security program is achieving its objectives

Page 32: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Certifications

• CISSP (Certified Information Systems Security Professional), an international gold standard, is awarded by (ISC)² (the International Information Systems Security Certification Consortium).

• ISACA (www.isaca.org) introduced the Certified Information Security Manager (CISM) certification in 2002 for those who manage an enterprise's information security program.

• There are other information security certifications too; see Appendix 5.

Page 33: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Certifications -2

• We have included some of what people taking such certifications learn in Appendix 1.

• ICT obviously changes constantly, and these certifications also have a shelf life of two to three years before they must be renewed.

• Such certification holders need to remain in practice and always stay current.

• We need not all become InfoSec professionals.

Page 34: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Information Security Audit

What is it?

• An information security audit is an audit of the level of information security in an organization.

• Such audits can be of various types and have various objectives.

• The audit focuses on the physical, technical and administrative controls of information security.

• The audit may cover the physical security of data and the logical security of databases.

Page 35: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

What is it? (Contd)

• Different audit methods can be used for different components of information security.

• Information security encompasses much more than IT.

• When the audit is centred on the IT aspects of information security it becomes part of an IT audit.

Page 36: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Audit Process: Audit planning and preparation

• There must be goal congruence between IT, information security and business objectives.

• The auditor must understand the above and consider:

• Areas of concern / IT organization chart / job descriptions of Data Centre employees

• Research on the OS, applications and hardware in the Data Centre

• IT policies and procedures / IT budget / disaster recovery plan

Page 37: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Audit Process: Establishing Audit Objectives

• Data Centre audit objectives are defined.

• Identify audit risks in the Data Centre operating environment and the controls that mitigate them.

• Thorough testing and analysis are carried out to ensure control and efficiency in the Data Centre.

• The auditor reviews:

• Personnel processes and training / backup procedures

• Change management processes / authorised access / environmental controls

Page 38: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Audit Process: Performing the review

• Evidence of trained Data Centre personnel

• Evidence of the quality and performance of Data Centre equipment and its maintenance

• Evidence of documented Data Centre policies and procedures for job responsibilities, backup and disaster recovery on and off site, security, termination, SOPs and an OS overview

• Evidence of physical security, such as bolted-down equipment, and of environmental controls

Page 39: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Audit Process: Issuing the review report

• Summarize the auditor's findings in a standard format

• The report must state the date of completion of the auditor's inquiry and procedures

• Identify what was reviewed

• Emphasise that the audit provides only "limited assurance" to third parties

Page 40: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Auditing Network Security - Vulnerabilities

• Obtain a network diagram, assess the extent of the network and what critical information the network must protect

• Identify network vulnerabilities and the corresponding controls: against interception, against loss of availability, and at access/entry points

• Consider especially the points of vulnerability where the network connects to the Internet

Page 41: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Consider the Network Security tools used

• Firewalls, proxy servers, access control, anti-virus software, encryption, log management

• Firewalls: basic security; they filter (and in some cases authenticate), monitor, log and report traffic

• Proxy server firewalls act as a middleman between client and server

• Anti-virus software locates and disposes of malicious content

• Remote access is an intrusion point and should be logged

Page 42: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Auditing Network Security - Encryption

• Assess encryption policies and procedures

• The COBIT guidelines established by the ITGI of ISACA may be used

• Whether management attests that the encryption policies ensure data protection at the desired level

• The cost of encryption should not exceed the value of the information

• Assess whether the encryption system is strong and compliant with local and international laws and regulations

Page 43: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Auditing Logical Security

• Password policies written; user rights in line with job functions; mandatory scheduled password changes (note that current guidance, NIST SP 800-63B, favours screening against known-breached passwords over forced periodic changes unless compromise is suspected)

• Security tokens, cryptographic keys, biometric data

• Termination procedures: block access promptly

• Monitoring of special (privileged) user accounts

• Remote access is an intrusion point and should be logged
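Three of the bullets above (termination procedures that must block access, monitoring of special accounts, and logging of remote access) can be tested directly from the remote-access log. The following is an added example, not part of the presentation: it parses a constructed log, flags successful logins by accounts on or after their HR termination date, and flags successful logins by privileged accounts outside a business-hours window or at the weekend. The log format, account names, dates and the 08:00 to 18:00 window are all assumptions made for the example.

```python
"""Added example (not from the presentation): two audit tests over a
remote-access log - logins by accounts after their HR termination date,
and logins by privileged ("special") accounts outside business hours.
Log format, names, dates and the business-hours window are constructed."""
from datetime import date, datetime, time

# Constructed VPN log: ISO timestamp, account, source IP, result
ACCESS_LOG = """\
2008-08-03T02:14:05 rsmith 203.0.113.7 SUCCESS
2008-08-04T09:02:11 jdoe 198.51.100.22 SUCCESS
2008-08-05T22:40:31 dba_admin 203.0.113.9 SUCCESS
2008-08-06T10:15:42 dba_admin 203.0.113.9 SUCCESS
2008-08-07T23:05:00 jdoe 198.51.100.22 FAILURE
"""

# Constructed HR feed: termination date, or None while still employed
TERMINATION_DATES = {"rsmith": date(2008, 7, 31), "jdoe": None, "dba_admin": None}
PRIVILEGED_ACCOUNTS = {"dba_admin"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumption for the example

def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, account, src, result = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "account": account,
                     "src": src, "result": result})
    return rows

def terminated_user_logins(rows, termination_dates) -> list:
    """Successful logins on or after the account's termination date:
    the termination procedure did not block access."""
    return [(r["account"], r["ts"].isoformat()) for r in rows
            if r["result"] == "SUCCESS"
            and termination_dates.get(r["account"]) is not None
            and r["ts"].date() >= termination_dates[r["account"]]]

def after_hours_privileged_logins(rows, privileged, hours=BUSINESS_HOURS) -> list:
    """Successful privileged logins at the weekend or outside the window."""
    start, end = hours
    findings = []
    for r in rows:
        if r["account"] not in privileged or r["result"] != "SUCCESS":
            continue
        weekend = r["ts"].weekday() >= 5
        if weekend or not (start <= r["ts"].time() < end):
            findings.append((r["account"], r["ts"].isoformat()))
    return findings

def run_audit(text: str = ACCESS_LOG) -> dict:
    rows = parse_log(text)
    return {"terminated": terminated_user_logins(rows, TERMINATION_DATES),
            "after_hours": after_hours_privileged_logins(rows, PRIVILEGED_ACCOUNTS)}

if __name__ == "__main__":
    for test, findings in run_audit().items():
        print(test, findings)
```

Each finding is an exception for the auditor to follow up, not a verdict: an after-hours DBA login may be a scheduled maintenance window, which is why the test needs the HR feed and the change calendar beside the log rather than the log alone.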

Page 44: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Auditing Application Security

• Application security centres around programming, processing and access

• Security over application development and changes

• Checks against wrong input and wrong or incomplete processing (for example at period rollover); any control concerns

• Engage a penetration tester to try to break the system from within and from without

Page 45: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Auditing Application Security (contd)

Segregation of duties (SoD)

• Ensure proper SoD, such as separation of developers from those who implement changes in production

• Consider SoD conflicts/breaches and which user or users have super-user access

• Check the permission/function matrix against each employee's actual access

• The ultimate goal is to ensure data integrity and prevent fraud
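A permission/function matrix review of the kind described on this slide, as an added example (not from the presentation). The roles, their functions, the user-to-role assignments and the list of conflicting function pairs are constructed; in practice they come from the ERP's authorisation tables and from the control framework. The script computes each user's effective functions through their roles, reports users who can perform both halves of a conflicting pair alone, and lists users whose access covers every function in the matrix (super-user access).

```python
"""Added example (not from the presentation): a segregation-of-duties (SoD)
review over a permission/function matrix. All roles, functions, conflicts
and user assignments below are constructed for the example."""

# Role -> functions it grants (an ERP-style authorisation model)
ROLE_FUNCTIONS = {
    "AP_CLERK":      {"create_vendor", "enter_invoice"},
    "AP_SUPERVISOR": {"approve_payment"},
    "DEVELOPER":     {"change_program"},
    "OPERATOR":      {"deploy_to_production"},
    "SUPERUSER":     {"create_vendor", "enter_invoice", "approve_payment",
                      "change_program", "deploy_to_production", "modify_payroll"},
}

# Toxic combinations: one person holding both defeats a control
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),        # set up a fake vendor and pay it
    ("enter_invoice", "approve_payment"),        # approve one's own invoice
    ("change_program", "deploy_to_production"),  # developer is also the implementer
]

# User -> roles, as pulled from the system's user master
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "AP_SUPERVISOR"},
    "carol": {"DEVELOPER", "OPERATOR"},
    "dave":  {"SUPERUSER"},
    "erin":  {"AP_SUPERVISOR"},
}

def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by every role the user holds."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions[role]
    return funcs

def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                   conflicts=SOD_CONFLICTS):
    """Map each user to the conflicting pairs they can perform single-handedly."""
    report = {}
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles, role_functions)
        hits = [pair for pair in conflicts if pair[0] in funcs and pair[1] in funcs]
        if hits:
            report[user] = hits
    return report

def superusers(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Users whose effective access covers every function in the matrix."""
    all_funcs = set().union(*role_functions.values())
    return sorted(u for u in user_roles
                  if effective_functions(u, user_roles, role_functions) >= all_funcs)

def sod_report():
    return {"violations": sod_violations(), "superusers": superusers()}

if __name__ == "__main__":
    for user, pairs in sod_report()["violations"].items():
        print(user, "->", pairs)
    print("super-user access:", superusers())
```

The review is only as good as the conflict list: the three pairs here are the classic purchase-to-pay and change-management conflicts, and a real engagement would extend them per process. A user who legitimately needs a conflicting pair (small finance teams often do) is not automatically a finding, but should have a compensating control, such as independent review of his transactions, documented against his name.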

Page 46: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 1-1: Info Sec Certification Curriculum

• Access Control: categories and controls

• Control threats and measures

• Application Security: software-based controls

• Software development lifecycle and principles

• Business Continuity and Disaster Recovery Planning: response and recovery plans

• Restoration activities

Page 47: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 1-2: Info Sec Certification Curriculum

• Cryptography: basic concepts and algorithms

• Signatures and certification

• Cryptanalysis

• Information Security and Risk Management: policies, standards, guidelines and procedures

• Risk management tools and practices

• Planning and organization

Page 48: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 1-3: Info Sec Certification Curriculum

• Legal, Regulations, Compliance and Investigations: major legal systems

• Common and civil law

• Regulations, laws and information security

• Operations Security: media, backups and change control management

• Control categories

Page 49: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 1-4: Info Sec Certification Curriculum

• Physical (Environmental) Security: layered physical defence and entry points

• Site location principles

• Security Architecture and Design: principles and benefits

• Trusted systems and the trusted computing base

• System and enterprise architecture

• Telecommunications and Network Security: network security concepts and risks

• Business goals and network security

Page 50: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 2: Digital Signature

Digital signatures offer authentication and integrity (and, because only the holder of the private key can produce one, non-repudiation).

Page 51: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 3: Cryptography

• It is the practice and study of hiding information

• It is a branch of mathematics and computer science

• PCs and the Internet have made quality cryptography commonplace

Figure caption: A credit card with smart card capabilities. The 3 by 5 mm chip embedded in the card is shown enlarged in the insert. Smart cards attempt to combine portability with the power to compute modern cryptographic algorithms.

Page 52: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 4: PKI (Public Key Infrastructure)

• A Public Key Infrastructure (PKI) is the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke digital certificates.

Figure caption: A user applies for a certificate with his public key at a registration authority (RA). The RA confirms the user's identity to the certification authority (CA), which in turn issues the certificate. The user can then digitally sign a contract using his new certificate. The contracting party checks his identity with a validation authority (VA), which in turn receives information about issued certificates from the certification authority.
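The RA/CA/VA flow in the figure above, together with the authentication and integrity properties claimed for digital signatures in Appendix 2, simulated end to end in an added example that is not from the presentation. It uses textbook RSA over a SHA-256 digest with small seeded keys, no padding, and a plain set of revoked serial numbers in place of a CRL or OCSP; this illustrates the protocol only and must never be used as real cryptography. The names, the serial number and the contract text are constructed.

```python
"""Added example (not from the presentation): digital signatures and the
RA/CA/VA certificate flow, simulated with textbook RSA over SHA-256.
Toy construction (no padding, small keys, seeded RNG): illustration only."""
import hashlib
import json
import random

_rng = random.Random(2009)  # fixed seed so the demo is reproducible

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test with a quick trial-division pre-check."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full size, odd
        if _is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Return (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data) % n, d, n)

def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data) % n

def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True).encode()

def issue_certificate(ca_private, subject, subject_public, serial):
    """CA step: after the RA has confirmed identity, bind name to public key."""
    body = {"serial": serial, "subject": subject,
            "n": subject_public[0], "e": subject_public[1]}
    return {"body": body, "ca_sig": sign(ca_private, canonical(body))}

def validate_signature(ca_public, revoked_serials, cert, document: bytes, sig: int):
    """VA/contracting-party step: certificate genuinely from the CA, not
    revoked, and the document signature verifies under the certified key."""
    body = cert["body"]
    if not verify(ca_public, canonical(body), cert["ca_sig"]):
        return False, "certificate not issued by this CA"
    if body["serial"] in revoked_serials:
        return False, "certificate revoked"
    if not verify((body["n"], body["e"]), document, sig):
        return False, "document signature invalid"
    return True, body["subject"]

def demo():
    ca_pub, ca_priv = keygen()
    user_pub, user_priv = keygen()
    cert = issue_certificate(ca_priv, "Alice (Auditor)", user_pub, serial=1001)
    contract = b"Audit engagement letter: fee 500,000, FY2008"  # constructed
    sig = sign(user_priv, contract)
    genuine = validate_signature(ca_pub, set(), cert, contract, sig)
    altered = validate_signature(ca_pub, set(), cert,
                                 contract.replace(b"500,000", b"900,000"), sig)
    revoked = validate_signature(ca_pub, {1001}, cert, contract, sig)
    return genuine, altered, revoked

if __name__ == "__main__":
    print(demo())
```

The three checks in validate_signature map onto the figure: the first is trust in the CA, the second is the VA's revocation information, and the third is the integrity and authentication property of the signature itself, which is why changing one figure in the contract makes verification fail. Real deployments replace the toy pieces with RSA-PSS or an elliptic-curve scheme, X.509 certificate encoding and chain building, and CRL/OCSP checks.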

Page 53: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 5-1: Useful websites

Sl No | Certification Name | Certification Awarding Organisation and relevant information | Website

1 | Certified Information Systems Security Professional (CISSP) | CISSP is an independent information security certification governed by the International Information Systems Security Certification Consortium (commonly known as (ISC)²). As of October 10, 2008, (ISC)² reported having certified 61,763 information security professionals in 133 countries. | www.isc2.org

2 | Global Information Assurance Certification (GIAC) | The SANS Institute founded the certification entity in 1999; the term GIAC is trademarked by the Escal Institute of Advanced Technologies. GIAC provides a set of vendor-neutral computer security certifications linked to the training courses provided by SANS. GIAC is specific to the leading edge of technological advancement in IT security, in order to keep ahead of "black hat" techniques. | www.giac.org

Page 54: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 5-2: Useful websites (contd)

Sl No | Certification Name | Certification Awarding Organisation and relevant information | Website

3 | Certified Information Security Manager (CISM) | The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise's information security. | www.isaca.org

4 | CompTIA Security+ Certification | Earning a CompTIA Security+ certification demonstrates knowledge and expertise in security topics such as system security, communication security, infrastructure security, cryptography, access control, authentication, external attacks, and operational and organizational security. | www.comptia.org

Page 55: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Appendix 5-3: Useful websites (contd)

Sl No | Certification Name | Certification Awarding Organisation and relevant information | Website

5 | Cisco Certified Security Professional (CCSP) | CCSP validates the advanced knowledge and skills required to secure Cisco networks. CCSP certification demonstrates the skills required to secure and manage network infrastructures, mitigate threats and reduce costs. | www.cisco.com

6 | SEI Certificate in Information Security | This certificate is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, and to increase the depth of knowledge and skills of technical staff charged with administering and securing networks. | http://www.sei.cmu.edu/training/certificates/security/infosecurity.cfm

7 | MSc in Information Security | University College London's MSc in Information Security | www.mscinfosec.adastral.ucl.ac.uk

Page 56: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The Last Word: Information Security, a business requirement

• We must, however, understand that information security is a business requirement on top of being an ethical and legal requirement.

• We therefore need to be constantly aware of certain information security issues and ensure that proper resources are engaged and best practices adopted.

• We must strive to create a "values infrastructure".

Page 57: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

Thank you for lending me your ears

Page 58: Presentation of Mr. Khondkar Atique-e-Rabbani, FCA (1).pdf

The End

Thank you and good wishes from