"IF YOU THINK TECHNOLOGY CAN SOLVE YOUR SECURITY PROBLEMS, THEN YOU DON'T UNDERSTAND THE PROBLEMS AND YOU DON'T UNDERSTAND THE TECHNOLOGY." Bruce Schneier
Nature of Business
- High risk, high gain
- Deals with sensitive information in high volumes
- All business processes generate, operate on and process information
- A news item can move stock prices
- Every sector / vertical has faced information security risk
- Cyber terrorism is real and rising (planned cyber attacks prior to / after 9/11)
- Countries of origin responsible for 75% of intrusions: USA, China, Romania, Germany
- More than two-thirds say they are unable to answer the question "Are my systems currently compromised?"
- Information governance pushed through compliance
Threat Agents
- Media / Competition / Government
- Ex-employee
- Third party
- Insider employee
More than 70% of threats are internal; more than 60% of culprits are first-time fraudsters.
Types of Hackers
Security Impacts
- Embarrassment
- Loss of confidential and sensitive information
- Loss of strategic advantage and resources
- Non-availability of systems in combat situations
- Time and effort spent creating intellectual property
- National security, when information is misused by terrorists / miscreants
Recent cases
- Theft and sale of customer data (Delhi)
- Arrest of the GM of a reputed corporate for cheating an NRI in Dubai
- Attack on web sites: BARC, Cyber Cell Mumbai
- War Room leak (Navy)
"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected." (BS ISO 17799:2000)
Lifecycle of Information
- Created
- Stored
- Processed
- Transmitted
- Used (for proper and improper purposes)
- Lost
- Corrupted
- Destroyed
[Diagram: Information Security rests on Confidentiality, Integrity and Availability, and spans People, Process and Technology; IT Security is the Technology component.]
Information security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization. This plug-in discusses how organizations can implement information security lines of defense through people first and technology second.
INTRODUCTION
Types of Viruses
Sophistication of Attacks, 1980 vs 2006

                               1980            2006
Number of hackers              Handful         Thousands
Time required to prepare       Months          Hours
Number of machines affected    Hundreds        Millions
Geographical spread            LAN / Network   Internet
[Chart: Attack Sophistication (Low to High) against Intruder Knowledge, 1980 to 2000, with lines for Tools and Attackers. Milestones plotted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, sniffers, sweepers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, network management diagnostics, stealth / advanced scanning techniques, DDoS attacks.]
Implementation of Controls
- Policy
- Technology
- Training
- Monitoring effectiveness of controls
- Preventive / corrective actions
- Continual improvement
People Readiness
Suggested Technologies, by defense layer

Data: ACL, encryption, database hardening
Application: application hardening, role-based access, multi-factor authentication, PKI
Host: OS hardening, patch management, HIDS
Internal Network: VLAN, NIDS, TACACS, NMS
Perimeter: firewalls (stateful, deep packet inspection, application layer), VPN, gateway anti-virus
Physical Security: guards, CCTV, biometrics
Policies, Procedures & Awareness: management framework, training
AUTHENTICATION
The most common method of authentication is a user ID and password. It is the most common way to identify individual users, and it is also the most ineffective form of authentication: over 50 percent of help-desk calls are password related.
Identity Thefts
Smart cards and tokens are more effective than a user ID and a password.
- Token: a small electronic device that changes the user's password automatically
- Smart card: a device around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
Biometrics
The identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting. This is by far the best and most effective way to manage authentication. Unfortunately, this method can be costly and intrusive.
Content Filtering
Organizations can use content filtering technologies to filter e-mail, preventing messages containing sensitive information from being transmitted and stopping spam and viruses from spreading.
- Content filtering occurs when organizations use software that filters content to prevent the transmission of unauthorized information.
- Spam is a form of unsolicited e-mail.
ENCRYPTION
If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it. Encryption scrambles information into an alternative form that requires a key or password to decrypt.
FIREWALLS
One of the most common defenses for preventing a security breach is a firewall: hardware and/or software that guards a private network by analyzing the information leaving and entering the network.
[Figure: Sample firewall architecture connecting systems located in Chicago, New York, and Boston.]
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage. Antivirus software is the most common type of detection and response technology.
Security Policy
1. Information assets and IT assets are to be protected against unauthorized access.
2. Information is not to be disclosed to unauthorized persons through deliberate or careless action.
3. Information is to be protected from unauthorized modification.
4. Information is to be available to authorized users when needed.
5. Applicable regulatory and legislative requirements are to be met.
6. All breaches of information security are to be reported and investigated.
7. Violations of policies are to be dealt with through a formal disciplinary process.
1. COBIT (Control Objectives for Information and Related Technologies): framework for auditing controls
2. ISO 27001 (BS 7799): IS management framework
3. ISO 17799
4. ITIL: implementation guidance on IS controls
1. Sustained pressure to deliver high-quality IT service at minimum cost (SLA definition, penalty clause).
2. IT services are not aligned with the needs of the business and its customers (requirements gathering).
3. ISO 20k implementation will ensure standard and proactive (trend analysis etc.) working practices (e.g. where there is no concept of CPA, ISO will ensure the implementation, tracking and closure of CPAs).
4. Would enhance the quality of IT service delivered to customers / users.
5. Increased effectiveness of the business operation.
6. Hard evidence that the quality of ITSM is taken seriously.
- At the organizational level: commitment
- At the legal level: compliance
- At the operating level: risk management
- At the commercial level: credibility and confidence
- At the financial level: reduced costs
- At the human level: improved employee awareness