Information Insecurity
Part II: The Solution
E. Gelbstein A. Kamal
1 of 48
Next slide: PgDn or Click Previous slide: PgUp To quit the presentation: Esc
1. Information must be available to those authorized to have it
2. Information will only be disclosed at the appropriate time, and only to those authorized to have it
3. Information will only be modified by those authorized to do so
Source: ISO 17799, Code of Practice for the Management of Information Security
- Chief Information Officer
- Security manager
- Systems administrator
- Network administrator
- Enlightened user
- Auditor (security, internal, external)
- Ethical hacker
- Security consultant
- Vendors of security products
- Vendors of other ICT projects
- Information security legislator
Diagram: Tests, Certification, Audits
1. Assign responsibility for information security
2. Ask your CIO to certify in writing the security status of your organization's systems
3. Ask your CIO to document all known vulnerabilities
4. Engage a trusted ethical hacker to regularly attack your facilities and systems
Effective Defences 1
Security organization
- Who is responsible for information security in the organization as a whole and at its various locations?
- Who does this person report to?
- Who reviews this person's performance and monitors her/his effectiveness?
- How is security managed with contractors, temporary personnel and outsourcers?
- Who is responsible for dealing with a security incident?
Effective Defences 1
Requirements definition
- Inventories
- Insurance
- Strong locks
- Burglar alarm
- Remote monitoring
- Reinforced doors
- Impact-resisting glass
- CCTV
How much funding can be made available to implement, operate and manage?
Information security
Diagram: value of information assets, threats, vulnerabilities, countermeasures
100% security is unachievable
Effective Defences 1
Disclosure
- E-mailing of offensive material, jokes, etc.
- Installation of unauthorized software
- Downloading large files (music, video)
- Personal use of the employer's systems and facilities
Effective Defences 1
Scope of policies
- Acceptable personal use of corporate resources
- E-mail policies for corporate and personal use
- Creation, change and management of passwords
- System / resource access
- Employer's right to monitor and right to access
- Use of encryption
- Physical access and remote access
- Software installation
- Mobile communications and computing
- Database administration
- Employee background checks (pre- and during employment)
- the list goes on...
Effective Defences 1
- Create martyrs
- Loss of trust
Effective defences 2
Building blocks
Diagram: authentication, authorization, confidentiality, integrity, non-repudiation, audit
- Authentication: prove you are who you say you are
- Authorization: the security system checks what you may do with the system
- Confidentiality: data can only be seen by someone authorized to do so
- Integrity: data can only be modified by someone authorized to do so
- Non-repudiation: ability to prove that the information received is the same as the information sent
- Audit: system records of who did what and when
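The six building blocks above, worked through in code. This is an added example written for this page, not code from the presentation or its authors. The account store, the role-to-permission table, the user names, passwords and the signed message are all constructed; Ed25519 stands in for whatever signature scheme an organization actually deploys, and the salted SHA-256 password digest is only there to keep the example dependency-free (a real system uses a password KDF such as bcrypt, scrypt or Argon2).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// user is a constructed sample account record (the presentation defines no such store).
type user struct{ salt, pwHash []byte; role string }

var users = map[string]user{}

// hashPassword: salted SHA-256 keeps the example dependency-free; production code
// would use a purpose-built password KDF such as bcrypt, scrypt or Argon2.
func hashPassword(salt []byte, pw string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return sum[:]
}

// AddUser registers an account with a fresh random salt and a role.
func AddUser(name, pw, role string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	users[name] = user{salt, hashPassword(salt, pw), role}
}

// Authentication: prove you are who you say you are. Returns the caller's role on
// success; the digest comparison is constant-time so timing leaks nothing.
func Authenticate(name, pw string) (role string, ok bool) {
	u, found := users[name]
	if !found || subtle.ConstantTimeCompare(u.pwHash, hashPassword(u.salt, pw)) != 1 {
		return "", false
	}
	return u.role, true
}

// Authorization: what an authenticated role may do (constructed permission table).
var permissions = map[string][]string{"admin": {"read", "modify"}, "reader": {"read"}}

func Authorized(role, action string) bool {
	for _, p := range permissions[role] {
		if p == action {
			return true
		}
	}
	return false
}

// Audit: who did what, when, and whether it was allowed.
type AuditEntry struct { Who, What string; When time.Time; Allowed bool }

var AuditLog []AuditEntry

func record(who, what string, allowed bool) {
	AuditLog = append(AuditLog, AuditEntry{who, what, time.Now().UTC(), allowed})
}

// Access runs the full sequence: authenticate, then authorize, auditing every outcome.
func Access(name, pw, action string) error {
	role, ok := Authenticate(name, pw)
	if !ok {
		record(name, action, false)
		return errors.New("authentication failed")
	}
	if !Authorized(role, action) {
		record(name, action, false)
		return errors.New("not authorized for " + action)
	}
	record(name, action, true)
	return nil
}

// Integrity and non-repudiation: the sender signs with a private key only they hold, so
// any holder of the public key can check the data is unchanged and who produced it.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

func main() {
	AddUser("alice", "correct horse battery", "reader")
	fmt.Println("read:", Access("alice", "correct horse battery", "read"), "| modify:", Access("alice", "correct horse battery", "modify"))
	pub, priv := NewKeyPair()
	sig := Sign(priv, []byte("approve payment 100"))
	fmt.Println("valid:", Verify(pub, []byte("approve payment 100"), sig), "| tampered:", Verify(pub, []byte("approve payment 900"), sig))
	fmt.Printf("audit: %+v\n", AuditLog)
}
```

Each block maps to one function: Authenticate answers "who are you", Authorized answers "what may you do", the audit log records both answers with a timestamp, and the signature check fails the moment a single byte of the message is altered or a different key is used, which is what lets a recipient prove what was sent and by whom.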
Effective Defences 2
Technical defences: tools
- Physical access control
- Infrastructure: no single point of failure; UPS and standby; clusters, fail-soft, RAID, alternative routing; proxy servers, firewalls
- Data access rights
- Database security
- System security
- LAN & server security
- Firewall security
- Logical access control
- Diagnostics and monitoring
- System administration
- Virus management software
- Encryption software
Technical defences: processes
- Software/product quality
- Reduce complexity
- Change control
- Segregation of duties
- Backup/restore
- Media management
Cluster #1: operations and configuration management
Effective Defences 2
- Non-existent: the process is not managed
- Initial
- Repeatable
- Defined: the process is documented and communicated
- Managed
- Optimized: best practices
Effective Defences 2
Justifying investments
Demonstrating value has always been the BIG challenge for technical practitioners.
Typical ROSI (Return On Security Investment) analysis:
- Cost: we spent a million dollars
- Benefit: we think we have not been hacked
Effective Defences 2
Some of the intangible factors:
- No security metrics standards
- No warranties from vendors or outsourcers, only best efforts
Effective Defences 2
6. Understand and actively manage risk
7. Ensure security is engineered and designed into the infrastructure
8. Remember it is more than a technical matter
9. Detect and respond
Effective Defences 2
Awareness: topics for management and I.T. personnel
- Disaster recovery, continuity and crisis plans
- Trusted insider risk signals
- Breaches of security, subsequent digital autopsy
- Vendor bulletins about vulnerabilities
- Hacker activities
- CERT and other alerts
- Procedures and policies
- Policies and need for compliance
- What to do when an incident occurs
- Best practices
Effective Defences 2
6. Look for and quickly install software updates and patches from (trusted) vendors
7. Be careful of e-mail attachments from strangers, and from known persons if the subject line is unusual
Effective Defences 2
6. Beware of websites that offer rewards in exchange for your contact or other information
7. Never reply to spam mail
8. Only reveal critical information to an https website
9. Use encryption if appropriate
Effective Defences 2
A word of caution
Tools and good practices increase security. For the end-user, they become a kind of obstacle race.
Hard-to-remember passwords such as Mwf1U4zX end up prominently displayed on Post-it Notes.
Effective Defences 3
Incident response
- Intrusion detection
- Emergency Response Team
- Problem containment
- Problem resolution
- Restoring normal operations
- Determine attack mechanism
- Review adequacy of arrangements
- Search for evidence
- Action plan for internal causes
- Action plan for external causes
Digital forensics (also called digital autopsy)
Effective defences 4
How do you know you have not been attacked? How do you know that your arrangements will work?
- Tests
- Audits
- Digital autopsy
- Certification
Who tests the testers?
Like your annual medical, it's no guarantee of good health, but it might diagnose a problem.
Effective Defences 4
e-evidence
- Volume and manageability
- Who else has copies?
- Indexing, classification
- Retention, archival
- Media and software
- Right to access
- Right to remove
- Right to destroy
Effective Defences 4
e-evidence (2): headaches
- Hard to trace, particularly cross-border
- Hard to quantify losses
- Lack of clarity about what is court-admissible
- Contractual issues
Range of cases, from civil litigation to criminal litigation:
- Harassment, bullying, impropriety
- Containable fraud
- Sabotage
- Industrial espionage
- Major fraud
Out of court settlements are common
Effective Defences 4
e-evidence (3)
- Follow proper procedures for seizure
- Seize computer, media and paperwork
- Assess risk of a logic bomb
- Protect the suspect computer from tampering
- Discover, recover and report
Effective Defences 4 (2)
12. Examine e-mail, Internet and temporary files
13. Fully document all the findings
14. Retain copies of all software used for analysis
15. Only use fully licensed forensic software
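Two of the e-evidence steps above, "protect the suspect computer from tampering" and "fully document all the findings" (together with retaining a record of the software used), share one mechanism: hash every seized item at acquisition, write the hashes into a signed-off manifest, and re-hash later to show the evidence is unchanged. The code below is an added example written for this page, not the presentation's or its authors' material. The evidence tree (a disk image, a mailbox and a temporary file) is constructed in memory, and the examiner and tool names are placeholders; a real acquisition would hash the physical media and record the actual tool version.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"io/fs"
	"sort"
	"testing/fstest"
	"time"
)

// Manifest is the acquisition record: who hashed what, when, and with which tool build.
type Manifest struct {
	Examiner string            `json:"examiner"`
	Tool     string            `json:"tool"`
	Acquired time.Time         `json:"acquired"`
	SHA256   map[string]string `json:"sha256"`
}

// HashReader returns the hex SHA-256 of everything read from r (streams large images).
func HashReader(r io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// HashBytes is the same digest for data already in memory.
func HashBytes(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// BuildManifest hashes every regular file under root at seizure time.
func BuildManifest(root fs.FS, examiner, tool string) (*Manifest, error) {
	m := &Manifest{Examiner: examiner, Tool: tool, Acquired: time.Now().UTC(), SHA256: map[string]string{}}
	err := fs.WalkDir(root, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		f, err := root.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		sum, err := HashReader(f)
		if err != nil {
			return err
		}
		m.SHA256[p] = sum
		return nil
	})
	return m, err
}

// VerifyManifest re-hashes every recorded item and returns, sorted, the paths that no
// longer match (modified) or cannot be opened (missing). An empty result means intact.
func VerifyManifest(root fs.FS, m *Manifest) ([]string, error) {
	var bad []string
	for p, want := range m.SHA256 {
		f, err := root.Open(p)
		if err != nil {
			bad = append(bad, p+" (missing)")
			continue
		}
		got, err := HashReader(f)
		f.Close()
		if err != nil {
			return nil, err
		}
		if got != want {
			bad = append(bad, p+" (modified)")
		}
	}
	sort.Strings(bad)
	return bad, nil
}

// SampleEvidence is a constructed in-memory evidence tree standing in for a seized volume.
func SampleEvidence() fstest.MapFS {
	return fstest.MapFS{
		"disk-image.dd":   {Data: []byte("constructed disk image bytes")},
		"mail/inbox.mbox": {Data: []byte("From: sample@example.invalid\n\nconstructed message\n")},
		"temp/cache.tmp":  {Data: []byte("constructed temporary file")},
	}
}

func main() {
	ev := SampleEvidence()
	m, _ := BuildManifest(ev, "examiner-placeholder", "hashtool-placeholder v0.0")
	out, _ := json.MarshalIndent(m, "", "  ")
	fmt.Println(string(out))
	ev["temp/cache.tmp"].Data = []byte("altered after seizure") // simulated tampering
	delete(ev, "disk-image.dd")                               // simulated loss of an item
	bad, _ := VerifyManifest(ev, m)
	fmt.Println("discrepancies:", bad)
}
```

The manifest, printed as JSON, is the document that accompanies the evidence: it names the examiner, the tool and the acquisition time alongside each item's digest, so anyone re-running VerifyManifest later can show the items are exactly what was seized, and the verification report names each item that was altered or lost rather than just failing.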
Effective Defences 4
6. Good security staff are hard to find and harder to keep
7. Hard to define a return on security investment
8. Management detachment (denial of having a role to play)
Effective Defences 4 (2)
- Limited international cyber-crime legislation
- Certificate Authorities: the new trust issue
- Vendors not liable for product vulnerabilities
- Executives who believe security is not a real issue
- Liabilities arising from lack of due diligence
- Need to take cyber-crime insurance
Conclusion
Sounds daunting? It is. You have two options:
a. Be prepared (Act now)
or