Introduction to IT Security
DESCRIPTION
Advances in technology have given rise to new operational threats to governments, companies and society as a whole. This presentation is an introduction to countermeasures against cyber threats.
TRANSCRIPT
INTRO TO IT SECURITY
By Cade Zvavanjanja
CISO, Gainful Information Security
AGENDA
- Information Security
- Information Privacy
- Risk Management
- Opportunities & Markets
- Some Examples
HOLISTIC IT SECURITY
Assets and functions to protect: Ecommerce Site, Data Storage, Business Interfaces, IT/IS/Development
Controls surrounding them:
- Anti-Virus
- Firewalls
- Encryption
- Security in SDLC
- Threat Modelling
- Build Standards
- Information Security Policies
- Legislative Compliance
- Configuration Reviews
- Patch Management
- Access Control Reviews
- Application Testing
- Penetration Testing
- Intrusion Detection
- Vulnerability Assessment
- Vetting / References
- Disciplinary Procedure
- Awareness & Training
INFORMATION WARFARE: THE MATRIX UPLOADED – SO WHAT?
TODAY'S TREND
Threat sources surrounding IT security: Terrorists, White Collar Crime, Open Source, Disasters, Theft, Scripts, ID Theft, Insider/Espionage
SO WHO CARES?
You care about information security and privacy because:
- Information security is a constant and critical need
- Threats are becoming increasingly sophisticated
- Countermeasures are evolving to meet the threats
- You want to protect your assets and your privacy
- You want to know what tools are there for protection
- Information security, information privacy, and legal and compliance obligations are inter-related
INCREASE IN SECURITY INCIDENTS
[Chart: malicious code infection attempts (left axis, 0 to 900M) and network intrusion attempts (right axis, 0 to 120,000), 1995-2002, both rising. Milestones marked along the curve: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]
*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated
**Source: CERT
CERT/CC REPORTED VULNERABILITIES 1988-2003
[Chart: CERT/CC reported vulnerabilities per year, 1988-2003, scale 0 to 140,000.]
Total number of incidents reported from 1988-2003 is 319,992
Average yearly increase of 40%
SOME POLLS SUGGEST (SOURCE: CSO)
Which of the following is the #1 priority? Identity Management (27%), Disaster Recovery (21%), Other (19%), Spam/Anti-Virus (17%), Wireless Security (16%)
Which of the following poses the greatest threat? Cyberattack (52%), Natural Disaster (36%), Terrorist Attack (12%)
SCARY DATA
US Government data:
- ID theft is perpetrated by hackers and their associates who steal personal information and identifiers (e.g. social security numbers) in order to commit various forms of fraud by assuming your identity
- The FTC reports that over 27.3 million Americans reported their ID stolen in the past 5 years
- An FTC survey revealed that ID theft cost consumers and business $53 billion in 2002
- The FBI estimates that the number one threat to internet users is identity theft
- Approximately 350,000 to 500,000 citizens fall victim to ID theft every year
Industry data:
- ID theft increased 81% in 2002
- The main cause of fraud is ID theft
- Among U.S.-based banks: 37 percent said identity theft significantly increased, 34 percent said it slightly increased, 24 percent said identity theft rates had stayed the same, and 5 percent reported that the rates decreased
CYBERTERRORISM
"Cyberterrorism is any 'premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents.' Cyberterrorism is sometimes referred to as electronic terrorism or information war."
(U.S. Federal Bureau of Investigation)
INFORMATION WARFARE
Use of, or attacks on, information and information infrastructure to achieve strategic objectives.
Tools in hostilities among:
- Nations
- Trans-national groups (companies, NGOs, associations, interest groups, terrorists)
- Corporate entities (corporations, companies, government agencies)
- Individuals
LEVELS OF INFORMATION WARFARE
- Against individuals: theft, impersonation; extortion, blackmail; defamation, racism
- Against organizations: industrial espionage; sabotage; competitive intelligence
- Against nations: disinformation, destabilization; infrastructure destabilization; economic collapse
PRIME TARGETS
- Companies with hiring volatility: financial, communication, manufacturing, transportation and retail
- Companies with lower volatility: utilities, government, healthcare and education
Areas: IDS, firewall, anti-virus, identity management; product design, policy; privacy vs. security; security administration; training and awareness
POTENTIAL TARGETS AGAINST OUR INFRASTRUCTURE
Electricity, Transportation, Water, Energy, Financial, Information Technology, Emergency Services, Government Operations
WHY USE CYBER WARFARE?
Low barriers to entry – laptops cost a lot less than tanks and bombs
Our world is dependent on computers, networks, and the Internet
Denial of service has economic, logistical, and emotional effect
Low cost to level the playing field
INFORMATION WARFARE STRATEGIES
The basic elements are: hacking, malicious code, electronic snooping, old-fashioned human spying
Mass disruption can be unleashed over the internet, but attackers must first compromise private and secure networks (i.e. Unclassified, Secret, Top Secret)
WHAT ARE THE METHODS?
Password cracking, viruses, Trojan horses / RATs, worms, denial-of-service attacks, e-mail impersonation, e-mail eavesdropping, network packet modification, network eavesdropping, intrusion attacks, network spoofing, session hijacking, packet replay, packet modification, cryptography, steganography, identity theft
HACKERS: INFORMATION WARRIORS?
- Personal motives: retaliate or "get even"; political or terrorism; make a joke; show off / just because
- Actors: elite hackers (black hat, grey hat, white hat, no hat); malicious code writers; criminal enterprises; trusted insiders
- Economic gain: steal information; blackmail; financial fraud
- Inflicting damage: alter, damage or delete information; deny services; damage public image
THE TRADITIONAL HACKER ETHIC
i. Access to computers should be unlimited and total
ii. All information should be free
iii. Mistrust authority – promote decentralization
iv. Hackers should be judged by their hacking, not criteria such as age, race, etc.
v. You can create art and beauty on the computer
vi. Computers can change your life for the better
GEOPOLITICAL HOTSPOTS - TRENDS
- CHINA: targeting Japan, U.S., Taiwan and perceived allies of those countries
- INDIA-PAKISTAN: worldwide targets, Kashmir-related and Muslim-related defacements
- MIDDLE EAST: Palestinian hackers target Israeli .il websites; some pro-Israel activity
- WESTERN EUROPE: cyber-activists with anti-global/anti-capitalism goals; some malicious code
- BRAZIL: multiple hacker groups, many mercenary; random targets
- EASTERN EUROPE/RUSSIA: malicious code development; fraud and financial hacking
- U.S.: multiple hacker/cyber-activist/hacktivist groups; random targets
A BALANCED SECURITY ARCHITECTURE
Single, unifying infrastructure that many applications can leverage.
A good security architecture:
- Provides a core set of security services
- Is modular
- Provides uniformity of solutions
- Supports existing and new applications
- Contains technology as one component of a complete security program
- Incorporates policy and standards as well as people, process, and technology
[Diagram: triangle of People; Technology; Policy, Standards and Process]
BASIC INFORMATION SECURITY COMPONENTS
- AUTHENTICATION: How do we know who is using the service?
- ACCESS CONTROL: Can we control what they do?
- CONFIDENTIALITY: Can we ensure the privacy of information?
- DATA INTEGRITY: Can we prevent unauthorized changes to information?
- NONREPUDIATION: Can we provide for non-repudiation of a transaction?
- AUDITABILITY & AVAILABILITY: Do we know whether there is a problem? Whether it's soon enough to take appropriate action? How to minimize/contain the problem? How to prevent denial of service?
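The data integrity and auditability questions above, together with the packet replay and packet modification methods listed earlier, are illustrated by the following added example. It is not from the original presentation; it uses only Python's standard library, and the frame format (sequence number, payload, HMAC tag), the shared key, the sample payloads and the hash-chained log design are all assumptions made for the demo, not something the deck specifies.

```python
# Added example (not from the original deck): a message-integrity check,
# replay detection and a tamper-evident audit log using only the Python
# standard library. Frame format, key and sample payloads are constructed.
import hashlib
import hmac
import json

# Shared secret between sender and receiver (constructed for the demo; a real
# deployment would provision it out of band or derive it from a key exchange).
SHARED_KEY = b"demo-shared-key-not-for-production"
TAG_LEN = 32   # SHA-256 output size
SEQ_LEN = 8    # 64-bit big-endian sequence number


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame a payload as seq || payload || tag.

    The HMAC covers the sequence number, so a replayed or reordered frame is
    rejected, and the payload, so any modification in transit is rejected.
    """
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def _entry_hash(entry: dict) -> str:
    """Hash of an audit entry without its own 'hash' field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Receiver:
    """Verifies frames and records every decision in a hash-chained audit log."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1            # highest sequence number accepted so far
        self.audit = []               # each entry carries the hash of the previous one
        self.prev_hash = "0" * 64

    def _log(self, event: str, seq: int) -> None:
        entry = {"event": event, "seq": seq, "prev": self.prev_hash}
        entry["hash"] = _entry_hash(entry)
        self.audit.append(entry)
        self.prev_hash = entry["hash"]

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            self._log("malformed", -1)
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        seq = int.from_bytes(header, "big")
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak the tag byte by byte.
        if not hmac.compare_digest(tag, expected):
            self._log("bad_tag", seq)
            return None
        if seq <= self.last_seq:      # already seen: a replayed or reordered frame
            self._log("replay", seq)
            return None
        self.last_seq = seq
        self._log("accepted", seq)
        return payload


def audit_intact(audit) -> bool:
    """Recompute the chain; editing or deleting any entry breaks every later link."""
    prev = "0" * 64
    for entry in audit:
        if entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def demo():
    """Run four frames through a receiver: good, replayed, tampered, good."""
    rx = Receiver(SHARED_KEY)
    good = protect(SHARED_KEY, 1, b"transfer 100 to acct 42")
    # Same length as the original payload, so only the tag check can catch it.
    tampered = good[:SEQ_LEN] + b"transfer 999 to acct 42" + good[-TAG_LEN:]
    results = [rx.accept(good), rx.accept(good), rx.accept(tampered),
               rx.accept(protect(SHARED_KEY, 2, b"ok"))]
    events = [e["event"] for e in rx.audit]
    return results, events, rx.audit


if __name__ == "__main__":
    results, events, audit = demo()
    print(results)              # [b'transfer 100 to acct 42', None, None, b'ok']
    print(events)               # ['accepted', 'replay', 'bad_tag', 'accepted']
    print(audit_intact(audit))  # True
```

Note what this does and does not give you: the HMAC answers the data integrity question and, because the key is shared, also authenticates the sender to the receiver; it does not give non-repudiation, since either holder of the key could have produced the tag, which is why the slide lists non-repudiation separately (it needs a digital signature under a key only one party holds). The hash chain makes the log tamper-evident, not tamper-proof; an attacker with write access can still truncate it, so the last hash should be copied somewhere the attacker cannot reach.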
DATA GOVERNANCE & CONTROLS
[Matrix: controls (Authentication, Confidentiality, Access Control, Data Integrity, Non-repudiation, Auditability, Availability) mapped against threats (Disclosure of information, Unauthorized access, Loss of integrity, Denial of service) at each layer of the Information Management Infrastructure (IMI): Application, Networks, OS.]
INFORMATION SECURITY CONTROL AREAS
Information Security Policies; Roles and Responsibilities; Asset Classification and Handling; Personnel Security; Physical Security; System and Operations Management Controls; General Access Controls; System Development Life Cycle; Business Continuity; Compliance, Legal and Regulatory
WHAT IS @RISK?
- Financial & monetary loss risk: payroll information leakage
- Reputation risk: distributed attacks from campus; terrorism; laptop theft; ID theft
- Litigation & regulatory risk: HIPAA, GLB, CA SB 1386
INFORMATION SECURITY BODIES, STANDARDS & PRIVACY LAWS
Standards & privacy laws: BS 7799 / ISO 17799; UK Data Protection Act 1998 (DPA), implementing the EU Data Protection Directive; Health Insurance Portability and Accountability Act (HIPAA); Fair Credit Reporting Act (FCRA)
National Institute of Standards & Technology (www.NIST.gov): Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
Computer Emergency Response Team (www.cert.org): The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
INFORMATION PRIVACY
[Diagram: privacy program dimensions Process, Organization, Technology, People, Compliance, Opt-in/out, Regulatory Requirement, Security/Privacy Policy; maturity axis Planning and Strategy, Program Maturity, Program Metrics]
Privacy Governance Architecture:
- Privacy Strategy; Data Classification Analysis; Privacy Teams; Policy Development; Policy Update Plans; Decision Management; Privacy Support Architecture; Awareness
- Privacy Risk Assessments; Data Governance; Vendor Governance; Technology Planning; Business Process Review; Information Security; Information Privacy
- External Support Infrastructure; Privacy Auditing; Incident Response; Crisis Management; Knowledge Management; Consumer Support Infrastructure; Open Source Intelligence
PRIVACY INCIDENT RESPONSE PROCESS: HIGH LEVEL OVERVIEW
- Detection: detect incident; identify source; log incident; reduce false positives
- Assessment and Analysis: determine scope; assemble response team; collect & sort facts
- Containment: technology containment; process containment; procedure containment
- Digital Forensics: engage digital forensics process; collect evidence; engage 3rd party
- Resolution & Reporting: notify client; notify regulators; remediate; analyze long term effects; analyze lessons learned
INFORMATION SECURITY & PRIVACY RISK MANAGEMENT
RISK MITIGATION
100% risk mitigation, not 100% control: a good Information Management Infrastructure that
- Provides a modular core set of controls
- Supports existing infrastructure and new applications
- Incorporates policy and standards, people, process, and technology
- Provides a horizontal and vertical risk self or automatic assessment program
- Provides a collaborative issue resolution system
BALANCED INFORMATION MANAGEMENT INFRASTRUCTURE (IMI)
Risk mitigation:
- Vertical: up and down controls in branches and business units
- Horizontal: policies, best practices, processes and priorities across the organization
[Diagram: equilibrium point between Policies, Standards & Guidelines; Information Technology; and People]
RISK MANAGEMENT METHODOLOGY
[Diagram: risk assessment balanced against organizational dynamics, risk takers and risk tolerance at a point of balance. Inputs: Key Risk Indicators (Pen Testing, Compliance/Regulatory, Audit, Site Reviews, Security & Privacy Incidents, Self Assessment, Vendor Reviews), Business Impact, Asset Value, Loss Amount/ROI, Stakeholders. Output: Risk Evaluation Model and Risk Rating.]
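The risk evaluation inputs in the diagram above (asset value, loss amount, ROI, risk tolerance, key risk indicators, risk rating) can be put into a small quantitative model. The following is an added example, not from the original deck: it uses the standard annualized loss expectancy formulas (SLE = asset value x exposure factor, ALE = SLE x ARO) and return on security investment, which the slide does not spell out, and every asset, rate, cost and tolerance value is constructed for the demo. Two of the risk names are taken from the "What is @risk" slide.

```python
# Added example (not from the original deck): a small quantitative risk model
# built on the slide's terms (asset value, loss amount, ROI, risk tolerance,
# risk rating). The formulas are the standard annualized-loss-expectancy ones;
# the assets, rates, costs and tolerance below are constructed for the demo.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # business value of the asset, in currency units
    exposure_factor: float   # fraction of that value lost per incident, 0..1
    annual_rate: float       # expected incidents per year (ARO)

    def single_loss(self) -> float:
        """Loss amount for one incident (SLE = asset value x exposure factor)."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Annualized loss expectancy (ALE = SLE x ARO)."""
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    rate_reduction: float = 0.0       # fraction by which it cuts the likelihood (ARO)
    exposure_reduction: float = 0.0   # fraction by which it cuts the loss per incident


def residual(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied."""
    return replace(risk,
                   annual_rate=risk.annual_rate * (1 - control.rate_reduction),
                   exposure_factor=risk.exposure_factor * (1 - control.exposure_reduction))


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: avoided annual loss net of the control's
    cost, relative to that cost. Negative means the control costs more than
    the loss it prevents for this risk."""
    avoided = risk.annual_loss() - residual(risk, control).annual_loss()
    return (avoided - control.annual_cost) / control.annual_cost


def rating(risk: Risk, tolerance: float) -> str:
    """Coarse risk rating against the organization's annual loss tolerance."""
    ale = risk.annual_loss()
    if ale > tolerance:
        return "high"
    if ale > tolerance / 4:
        return "medium"
    return "low"


def over_tolerance(risks, tolerance: float):
    """Key risk indicator: names of risks whose ALE exceeds tolerance, worst first."""
    over = [r for r in risks if r.annual_loss() > tolerance]
    return [r.name for r in sorted(over, key=Risk.annual_loss, reverse=True)]


# Constructed inputs; two of the names come from the "What is @risk" slide.
RISKS = [
    Risk("Payroll information leakage", asset_value=500_000, exposure_factor=0.2, annual_rate=0.5),
    Risk("Laptop theft", asset_value=20_000, exposure_factor=1.0, annual_rate=4.0),
    Risk("Web site defacement", asset_value=100_000, exposure_factor=0.05, annual_rate=2.0),
]
TOLERANCE = 25_000.0   # annual loss the organization is prepared to absorb per risk
# Full-disk encryption does not stop laptops being stolen (rate unchanged) but
# removes most of the data loss when they are (exposure cut by 90%).
DISK_ENCRYPTION = Control("Full-disk encryption on laptops", annual_cost=10_000,
                          exposure_reduction=0.9)


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: SLE={r.single_loss():,.0f} ALE={r.annual_loss():,.0f} "
              f"rating={rating(r, TOLERANCE)}")
    print(over_tolerance(RISKS, TOLERANCE))          # ['Laptop theft', 'Payroll information leakage']
    print(round(rosi(RISKS[1], DISK_ENCRYPTION), 2))  # 6.2
    print(round(rosi(RISKS[2], DISK_ENCRYPTION), 2))  # -0.1
```

The point of the negative case at the end is the "point of balance" in the diagram: the same control is a clear win against laptop theft and a net loss against defacement, so controls are justified per risk, not by their own merits.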
MARKET OPPORTUNITIES
DEMAND - BASED ON GARTNER STUDIES
- General IT staff outsourcing has gone up 24% since the US recession ended
- Growth in IT staff augmentation will be limited and in single digits
- Security outsourcing is trending up: identity management, vulnerability assessment, operations (firewall management, anti-virus and IDS)
INFOSEC PEOPLE
Typical jobs for contract: Business Intelligence, Business Analysis, Risk Management, Information Security Officer, Information Privacy Officer, Digital Forensics Experts
- Job seeker support to help professionals identify new career opportunities when they are unemployed or contingency searching due to circumstances at their workplace;
- Contractor placement to help independent contractors identify and secure short and long term contract work based on hourly rates; and
- Corporate candidate search to help clients identify candidates for new or vacant positions, as well as contingency searching to stage replacement of human resources
TYPES OF RECRUITING
- Contract & temporary: constant, spread based; profit margins are small; limited; hourly, weekly, monthly
- Permanent: one-time commission based; entry level, mid level, management, technical, operations, design & architecture
- Outsourcing: profit margins are high
SOME EXAMPLES
WHAT IS SOCIAL ENGINEERING?
Social engineering is the art and science of using deception to trick one or more human beings into doing what an attacker wants them to do, or into revealing information that compromises a target's security.
Classic social engineering scams include posing as a field service technician and calling an operator to get them to reveal private information such as passwords.
Social engineering is an evolving art that uses the simplest and most creative schemes and involves minimal technical expertise.
TERRORISTS AND STEGANOGRAPHY?
Thank You
Tel: +236 733 782 490
+263 773 796 365
+263 -4- 733 117
Eml: [email protected]
Web: www.gis.co.zw