
INFORMATION SECURITY ISSUES, THREATS, SOLUTIONS & STANDARDS

"IF YOU THINK TECHNOLOGY CAN SOLVE YOUR SECURITY PROBLEMS, THEN YOU DON'T UNDERSTAND THE PROBLEMS AND YOU DON'T UNDERSTAND THE TECHNOLOGY." - Bruce Schneier

Nature of Business
High risk, high gain
Deals with sensitive information in high volumes
All business processes generate, operate on and process information
A news item can move stock prices

Nature of Business
Every sector / vertical has faced information security risk
Cyber terrorism is real and rising (planned cyber attacks prior to / after 9/11)
Countries of origin responsible for 75% of intrusions: USA, China, Romania, Germany
More than 2/3rd express their inability to determine "Whether my systems are currently compromised?"
Information governance pushed through compliance

Who are these Attackers?

Threat Agents
Media / Competition / Government
Ex-employee
Third Party
Insider
Employee

More than 70% of threats are internal
More than 60% of culprits are first-time fraudsters

Who are Attackers? What are they doing?


Intruders are:
Building up technical knowledge and skills
Becoming more skilled at removing their trail
More interested in results than in the experience of hacking
Exploiting the weakest link

Types of Hackers

Security Impacts
Embarrassment
Loss of confidential and sensitive information
Loss of strategic advantage and resources
Non-availability of systems in combat situations
Time and effort spent creating intellectual property
National security, when information is misused by terrorists/miscreants

Cases: India specific
MPhasis BFL - Pune
CEO, Bazee.com

Recent cases

Theft and sale of customer data - Delhi
Arrest of GM of reputed corporate for cheating NRI in Dubai
Attack on web sites - BARC, Cyber Cell Mumbai
War Room Leak - Navy

Introduction to Information Security

"Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected."
- BS ISO 17799:2000

Introduction to Information Security

Lifecycle of Information
Created
Stored
Processed
Transmitted
Used (for proper and improper purposes)
Lost
Corrupted
Destroyed

Introduction to Information Security


Confidentiality: ensuring that information is accessible only to those authorized to have access

Integrity: safeguarding the accuracy and completeness of information and processing methods

Availability: ensuring that authorized users have access to information and associated assets when required

Information Security Trends

Information Security = People + Process + Technology
IT Security = Technology

Information security: a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization. This plug-in discusses how organizations can implement information security lines of defense through people first and technology second.

INTRODUCTION

Security is everyone's responsibility

Information Security is an Organizational Problem rather than an IT Problem

Biggest Risk: People
Biggest Asset: People

Damaging forms of security threats


Malicious code: includes a variety of threats such as viruses, worms, and Trojan horses
Hoaxes: attack computer systems by transmitting a virus hoax, with a real virus attached
Spoofing: the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender
Sniffer: a program or device that can monitor data traveling over a network

Types of Viruses

Sophistication of Attacks

                            1980            2006
No. of hackers              Handful         Thousands
Time required to prepare    Months          Hours
No. of machines affected    Hundreds        Millions
Geographical spread         LAN / Network   Internet

Sophistication of Attacks

[Chart: Attack Sophistication (Low to High) and Intruder Knowledge, plotted against Attackers over time (1980, 1985, 1990, 1995, 2000). Tools and techniques shown on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI network mgmt. diagnostics, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, DDoS attacks.]

Steps to create Information Security Plan


1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support

Suggested Roadmap for IT Security


Build Responsible Team: Apex Committee, Security Forum, Task Force
Conduct Thorough Risk Assessment: Information Assets, IT Infrastructure / Network, Applications / Data Storage
Risk Treatment: a. Mitigate, b. Transfer, c. Avoid, d. Accept

Suggested Roadmap for IT Security

Implementation of Controls: Policy, Technology, Training
Monitoring effectiveness of controls
Preventive / Corrective Actions
Continual Improvement

The First Line of Defense - People


The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan.
Information security policies identify the rules required to maintain information security.
An information security plan details how an organization will implement the information security policies.

People Readiness

The Second Line of Defense Technology


Three primary information security areas:
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

Suggested Technologies

Data: ACL, Encryption, Database Hardening
Application: Application hardening, Role Based Access, Multi Factor Authentication, PKI
Host: OS hardening, Patch management, HIDS
Internal Network: VLAN, NIDS, TACACS, NMS
Perimeter: Firewalls (Stateful, Deep packet inspection, Application layer), VPN, Gateway Anti Virus
Physical Security: Guards, CCTV, Biometric
Policies, Procedures, & Awareness: Management Framework, Training

AUTHENTICATION AND AUTHORIZATION


Authentication: a method for confirming users' identities. The most secure type of authentication involves a combination of the following:
1. Something the user knows, such as a user ID and password
2. Something the user has, such as a smart card or token
3. Something that is part of the user, such as a fingerprint or voice signature

AUTHENTICATION

The most common method of authentication is user ID and password. This is the most common way to identify individual users and typically consists of a user ID and a password. It is also the most ineffective form of authentication: over 50 percent of help-desk calls are password related.

Identity Thefts

Better Forms of Authentication

Smart cards and tokens are more effective than a user ID and a password.
Tokens: small electronic devices that change user passwords automatically
Smart card: a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

Biometrics

The identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting. This is by far the best and most effective way to manage authentication. Unfortunately, this method can be costly and intrusive.

PREVENTION AND RESISTANCE


Downtime can cost an organization anywhere from $100 to $1 million per hour. Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

Content Filtering

Organizations can use content filtering technologies to filter e-mail, prevent e-mails containing sensitive information from being transmitted, and stop spam and viruses from spreading.
Content filtering occurs when organizations use software that filters content to prevent the transmission of unauthorized information.
Spam: a form of unsolicited e-mail

ENCRYPTION

If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it.
Encryption scrambles information into an alternative form that requires a key or password to decrypt the information.

FIREWALLS

One of the most common defenses for preventing a security breach is a firewall.
Firewall: hardware and/or software that guards a private network by analyzing the information leaving and entering the network.

FIREWALLS

[Figure: sample firewall architecture connecting systems located in Chicago, New York, and Boston]

DETECTION AND RESPONSE

If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage. Antivirus software is the most common type of detection and response technology.

Security Policy
1. Information assets and IT assets are to be protected against unauthorized access.
2. Information is not to be disclosed to unauthorized persons through deliberate or careless action.
3. Information is to be protected from unauthorized modification.
4. Information is to be available to authorized users when needed.
5. Applicable regulatory and legislative requirements are to be met.
6. All breaches of information security are to be reported and investigated.
7. Violations of policies are to be dealt with through a formal disciplinary process.

Well Known Frameworks


What do the frameworks say?
Information in all forms is an asset (digital / non-digital)
Security is a process (and not only technology)
Risk-based approach (Prevent, Detect, Correct)
Security should be measurable (Effectiveness, Efficiency)
Controls include People, Process and Technology
Top management commitment (define acceptable level of risk, allocate resources, implement policy)

Well Known Frameworks

1. COBIT (Control Objectives for Information and related Technology): Framework for Auditing Controls
2. ISO 27001 (BS 7799): IS Management Framework
3. ISO 17799: Implementation guidance on IS Controls
4. ITIL: IT Service Management Processes
5. ISO 20000 (BS 15000): ITSM Management Framework

Scope of ISO 20000 Certification


Supports the provision of all IT services, including the following: Enterprise Planning System (SAP), Infrastructure, and Application and Data Centre Management Services, to all its customers at all locations.

Why ISO 20000?

1. Sustained pressure to deliver high quality IT service at minimum cost (SLA definition, penalty clause).
2. IT services are not aligned with the needs of the business and its customers (requirements gathering).
3. ISO 20k implementation will ensure standard and proactive (trend analysis etc.) working practices (e.g. where there is no concept of CPA, ISO will ensure the implementation, tracking and closure of CPAs).
4. Would enhance the quality of IT service delivered to customers/users.
5. Increased effectiveness of the business operation.
6. Hard evidence that quality of ITSM is taken seriously.

Post Security Implementation Benefits

At the organizational level - Commitment
At the legal level - Compliance
At the operating level - Risk management
At the commercial level - Credibility and confidence
At the financial level - Reduced costs
At the human level - Improved employee awareness

Cyber Law of India


Electronic record
Digital Signature
Certifying Authority
Penalty for damage to information system (Section 47): up to 1 Crore
Unauthorized access, tampering, damage
Penalty for failure to furnish information: up to ten thousand a day

Offences
Section 65 Tampering: 3 yrs / 2 lacs
Section 66 Hacking: 3 yrs / 2 lacs
Section 67 Obscene information: 5 yrs / 1 lac
Section 72 Breach of confidentiality / privacy: 2 yrs / 1 lac

IT Security Stakeholder Summary


[Diagram: control areas arranged around Information (Confidentiality, Integrity, Availability)]
Information Security Policy
Compliance
Organisation Security
Asset Management
Business Continuity Planning
Security Incident Management
System Development & Maintenance
Access Controls
Human Resource Security
Physical Security
Communication & Operations Management
