Confidential Document 1
ISO-17799 Overview
• BS7799 was created in 1999 as a two-part document (standard + certification scheme) by the British Standards Institution (BSI)
• The standard portion was adopted and converted into an ISO standard in 2000
• The certification scheme portion is still a BSI-only standard and its latest revision is dated 2002
ISO-17799:2000 Overview
• 127 controls distributed within 10 categories
- Information security policy
- Organizational security
- Asset classification and control
- Personnel security
- Physical & environmental security
- Communication & operations management
- Access control
- System development & maintenance
- Business continuity management
- Compliance
What’s new in ISO-17799:2005?
• Risk management was addressed only in the Part 2 document; Part 1 now includes a new chapter on ‘Risk Assessment and Treatment’ requirements
• Incident management controls that were spread all around the previous version of the standard are now consolidated within a new chapter titled ‘Information Security Incident Management’
• In short: 2 new control families, a new total of 135 controls, over 80 changes within the existing controls (deletion/addition/modification)
Defining Information System
Information System (layers shown in the diagram):
- Users / Customers
- Applications (Web, SAP, PeopleSoft…)
- Application Servers (IIS, SQL, WebSphere, Oracle…)
- Operating Systems (Win2K, XP, Unix, OS/400…)
- Networking (TCP/IP, FW, Router, Switch)
Copyright 2004 - Above Security
Defining Information Security
- Firewalls
- VPNs
- IDS
- Applications
- Wireless
Problems with Firewalls
• Definition
- A firewall filters the services available from your company, incoming from and outgoing to the Internet.
• Problems
- Will not prevent hackers from interacting with your company.
- Often badly configured, both incoming and outgoing.
- Logging is often poorly configured.
- Who checks the logs?
Problems with VPN
• Definition
- Virtual Private Network.
- Remote access system.
- Replacing traditional dial-up modem pools on the net.
• Problems
- Inexpensive to attack.
- Often available to whoever, whenever, wherever.
- Few companies use strong authentication.
- Once inside, users’ field of action is not limited.
Problems with IDS
• Definition
- Intrusion Detection System.
• Problems
- False positives, false negatives.
- Limited load capacity.
- Correlation of events is painful.
- Companies often only use the network IDS.
- 24x7 monitoring is required.
- Incident handling and response procedures are often lacking.
- IDS are only alarm systems – useless without monitoring and a central police force.
Problems with Applications
Problems:
- Privileges:
• Web server volume and client-server applications running with plenty of privileges.
- Developer inexperience:
• Often no security training.
• Insufficient controls and logs to protect systems.
- Validation:
• Insufficient validation in data entry and data consultation.
• Important information leakages.
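As an added example (not part of the original deck), the validation problem above in code: the same customer lookup once built from raw input, which leaks rows it should never return, and once with an allow-list check on the input and a bound parameter. The table layout, the customer id format and the function names are assumptions made for this example.

```python
"""Insufficient validation in data consultation: vulnerable lookup beside the fix.

Uses an in-memory SQLite table filled with constructed sample rows, so it
runs offline. Table layout, id format and names are assumptions.
"""
import re
import sqlite3

# Constructed sample data: a handful of customer records.
SAMPLE_CUSTOMERS = [
    ("C-1001", "Alice", "alice@example.invalid"),
    ("C-1002", "Bob", "bob@example.invalid"),
    ("C-1003", "Carol", "carol@example.invalid"),
]

# Assumed format for a customer id: "C-" followed by exactly four digits.
CUSTOMER_ID_RE = re.compile(r"^C-\d{4}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_unvalidated(conn: sqlite3.Connection, customer_id: str) -> list:
    """Vulnerable: no validation, query text assembled from the raw input.

    A quote character inside customer_id changes the structure of the
    statement, so the query can match rows the caller never asked for
    (the "information leakage" the slide warns about).
    """
    sql = "SELECT id, name, email FROM customers WHERE id = '" + customer_id + "'"
    return conn.execute(sql).fetchall()


def lookup_validated(conn: sqlite3.Connection, customer_id: str) -> list:
    """Hardened: reject anything that is not a well-formed id, then bind it.

    The allow-list check stops malformed input at the data-entry boundary;
    the bound parameter keeps the value from ever becoming part of the SQL.
    """
    if not CUSTOMER_ID_RE.match(customer_id):
        raise ValueError("customer id has unexpected format")
    sql = "SELECT id, name, email FROM customers WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal id behaves the same way in both versions.
    print("validated:  ", lookup_validated(db, "C-1002"))
    # A crafted value: the unvalidated version returns every row.
    crafted = "C-1001' OR '1'='1"
    print("unvalidated:", len(lookup_unvalidated(db, crafted)), "rows leaked")
    try:
        lookup_validated(db, crafted)
    except ValueError as exc:
        print("validated:   rejected ->", exc)
```

Both controls matter: the format check produces a clear rejection (and a loggable event) for malformed input, while the bound parameter is what actually keeps the query structure fixed if a check is ever missed.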
Problems with Wireless
• Problems
- Only 25% of companies use WEP.
- Gives unwatched access to the internal network.
• Examples:
- Jamaica – New Kingston.
• More than 80 access points were discovered.
• 80% did not use WEP.
- Montreal (in 2 hours)
• More than 200 access points discovered.
• 85% did not use WEP.
How to diagnose? Penetration Testing
Example of successful hack
What are we left with?
But how?
Security Governance
Information security recipe
2. Risk Assessment
Information Security Policies
Ingredient #2
• Risk Management:
Risk Management
Risk = Volume of cube
(cube axes labelled on the slide: Threat, Vulnerability)
Ingredient #3
• Business Continuity:
- BC is the ability to maintain constant availability of processes and information
- DR is the immediate and temporary restoration of computing and network operation within a defined timeframe after a disaster occurs
- Advance planning and preparation are necessary to identify impact and potential losses and to establish a step-by-step approach to business resumption
- A plan is not a static document; it is a living strategy and an evolving process
Cost of Downtimes
Components to monitor
- Server logs
- Vulnerability Management
- Firewall & VPN Logs
- Application Based IDS
- Policy Compliance
- Anti-Virus
Steps for proper monitoring
- Information Collection
- Alert Normalization
- Centralization and standardization of the information
- Incident Handling Process
- Intervention
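As an added example (not part of the original deck, and not Above Security’s MMI infrastructure), the monitoring steps above run as a small pipeline over constructed firewall and IDS log lines: collection, normalisation into one schema, centralisation into a time-ordered store, and an incident handling step that does the event correlation the IDS slide calls painful, answering the firewall slide’s “who checks the logs?” with code rather than a person. The log formats, field names and the correlation rule are assumptions made for this example; intervention is left to the analyst who receives the incident.

```python
"""Monitoring pipeline: collect -> normalise -> centralise -> handle incidents.

Runs over constructed sample logs (formats are assumptions for this example).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (assumed "key=value" style, one per line).
FIREWALL_LOG = """\
2004-03-01T10:00:05 action=deny src=10.1.1.7 dst=192.0.2.10 dport=22
2004-03-01T10:00:09 action=deny src=10.1.1.7 dst=192.0.2.10 dport=23
2004-03-01T10:01:30 action=allow src=10.1.1.9 dst=192.0.2.20 dport=80
2004-03-01T10:02:11 action=deny src=10.1.1.7 dst=192.0.2.10 dport=3389
"""

# Constructed IDS alert lines (assumed CSV: time,severity,signature,src,dst).
IDS_ALERTS = """\
2004-03-01T10:02:40,high,PORTSCAN DETECTED,10.1.1.7,192.0.2.10
2004-03-01T10:05:00,low,ICMP PING,10.1.1.9,192.0.2.20
"""

FW_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")


def collect(text: str) -> list:
    """Step 1, collection: split one raw source into its non-empty lines."""
    return [line for line in text.splitlines() if line.strip()]


def normalize_firewall(line: str) -> dict:
    """Step 2, normalisation: map a firewall line onto the common schema."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unparsed firewall line: {line!r}")
    ts, action, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "firewall",
            "src": src, "dst": dst, "event": f"{action}:{dport}",
            "severity": "low" if action == "allow" else "medium"}


def normalize_ids(line: str) -> dict:
    """Step 2 again, for the IDS feed: same schema, different parser."""
    ts, severity, signature, src, dst = line.split(",", 4)
    return {"ts": datetime.fromisoformat(ts), "source": "ids",
            "src": src, "dst": dst, "event": signature, "severity": severity}


def centralize(*streams: list) -> list:
    """Step 3, centralisation: one time-ordered store of normalised events."""
    return sorted((e for s in streams for e in s), key=lambda e: e["ts"])


def handle_incidents(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Step 4, incident handling: correlate across sources.

    Rule (an assumption for this example): an IDS alert whose source address
    was also denied by the firewall within the preceding window becomes one
    incident carrying every related deny, so the analyst sees the whole picture.
    """
    denies = defaultdict(list)
    for e in events:
        if e["source"] == "firewall" and e["event"].startswith("deny:"):
            denies[e["src"]].append(e)
    incidents = []
    for e in events:
        if e["source"] != "ids":
            continue
        related = [d for d in denies[e["src"]]
                   if e["ts"] - window <= d["ts"] <= e["ts"]]
        if related:
            incidents.append({"src": e["src"], "trigger": e["event"],
                              "severity": e["severity"], "related": related})
    return incidents


def run_pipeline() -> list:
    """Run all four steps over the constructed sources and return incidents."""
    fw = [normalize_firewall(ln) for ln in collect(FIREWALL_LOG)]
    ids = [normalize_ids(ln) for ln in collect(IDS_ALERTS)]
    return handle_incidents(centralize(fw, ids))


if __name__ == "__main__":
    # Step 5, intervention, starts here: hand the incident to a person.
    for inc in run_pipeline():
        print(f"INCIDENT {inc['severity']}: {inc['src']} {inc['trigger']} "
              f"({len(inc['related'])} firewall denies in window)")
```

On the sample data only the scanning host produces an incident: its three firewall denies fall inside the five-minute window before the IDS alert, while the host that only generated an allow and a low-severity ping is left alone. Normalising first is what makes the correlation a two-line join instead of a per-source special case.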
The MMI Infrastructure
Platforms to support
Solutions
• Forensic
Ingredient #5
- Executives
• Linked to business drivers
• Regulations, obligations and risks
- IT
• Very technical
• Incident analysis
• Build a training plan
- End-Users
• Real world examples
• Link to their daily activities
Thanks for attending!
Questions?
Web: www.abovesecurity.com
E-mail: info@abovesecurity.com
HQ Phone: (450) 430-8166