Management’s Role in Information Security
V.T. Raja, Ph.D., Oregon State University

Posted on 18-Dec-2015

Page 1: Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University

Management’s Role in Information Security

V.T. Raja, Ph.D.,

Oregon State University

Page 2

Outline

• Example: iPremier Company (HBR article)
  – Background about company
  – Business implications
  – Some recommendations for future

• Management’s role in information security

• Framework for a balanced approach to security

Page 3

Example: DDoS attack on iPremier Company

• For background about the company, refer to the MS Word document distributed in class.

• Problems at the colocation facility:
  – iPremier employees could not get access to Qdata’s Network Operations Center (NOC)
  – Could not telnet over the T1 line that was supposed to let iPremier employees connect to Qdata
  – Qdata night-shift personnel were not very responsive to the situation and not that competent (no one who knew anything about the network monitoring software, except for one individual who was on vacation)

Page 4

iPremier Example (Continued)

• Unable to determine extent of damage (firewall penetrated? How deep is the penetration?)

• Unable to determine if customer data was stolen (CIO’s main immediate concern)

• Unable to track (in a reasonable time frame) where the ‘Ha, ha, ha’ e-mails received by “support” folks are originating
  – Even if an e-mail is tracked eventually, it leads only to another “Zombie”

Page 5

iPremier’s Response to Attack: Very Poor

• Tried to shut down traffic from “Zombies”; it didn’t work: for every zombie that was shut down, two new zombies joined the “party” automatically

• Shut down Web Server

• Unable to determine if they should call the “Seattle Police” or the “FBI”

Page 6

iPremier’s Response to Attack: Very Poor

• Unable to determine if they should “disconnect the communication lines”
  – Initially the CIO and CTO discussed that they might lose logging data that could help them figure out what happened (preserving evidence to find the root cause of the problem, and to decide what to disclose publicly)
  – Later they concluded that detailed logs had not been enabled

• Unable to determine if they should call the “Seattle Police” or the “FBI”

Page 7

iPremier’s Response to Attack: Very Poor

• How to handle PR (before info about the security breach leaks out)?

• Unable to decide if all systems need to be rebuilt

• What if a competitor files a lawsuit after the FBI determines that iPremier computers were performing a DoS attack?

• Would a system rebuild imply wiping out any remaining proof of iPremier’s innocence?

Page 8

Some Business Implications for iPremier

• Web server unavailable to legitimate customers
• Unable to determine “cost of downtime”
• Bad reputation for the business
• Lost customers
• Loss of customer goodwill
• Legal issues if customer data was compromised
• Impact on stock price
• Unknown damages to the network/business?
• Attack stopped after about 75 minutes, without any intervention from iPremier or from Qdata
• What if there was another attack?

Page 9

Some recommendations for iPremier

• Revisit choice of ‘colocation’ partner
  – Although an early entrant in the industry, Qdata lost any prospect of market leadership
  – Had not been quick to invest in advanced technology
  – Had experienced difficulty in retaining qualified staff

• Create an incident response team

• Enable secure remote access to network management software for the security team

Page 10

Some recommendations for iPremier

• Discuss/implement procedures for:
  – Performing risk assessment
  – Measuring cost of downtime
  – Filing a complaint with appropriate authorities
  – Handling PR and legal issues

Page 11

Some recommendations for iPremier

• Other examples of appropriate security/privacy measures:
  – More sophisticated firewall
  – Cryptography for sensitive data
  – Message integrity algorithms to determine if files have been modified/corrupted
  – Enable logging and determine level of logging
  – Purchase disk space to enable higher levels of logging
  – Updated virus signature files and security patches

Page 12

Some recommendations for iPremier

• Design and document recovery plan

• Practice a simulated attack

• Educate users about security and threats

• Hire a good Chief Security Officer

• Institute periodic third-party security audits

Page 13

Imperative Need for Secure Communication

[Chart: Reported Security Incidents up to 1995]

Source: CERT.ORG

Page 14

[Chart: Reported Security Incidents 1995 – 2003]

Source: http://www.cert.org/present/cert-overview-trends/module-1.pdf

Page 15

Discussion Questions

• Identify some reasons why cyber attacks have been on the rise.

• What is your opinion about government, academic institutions and industry collaborating to provide cyber security solutions?

• What do you think should be management’s role in information security?

Page 16

Barriers to Cyber Security

• Worldwide diffusion of the Internet
  – Adversaries of unknown origin and intent distributed worldwide
    • Hackers, virus writers
    • Criminal groups, terrorists
    • Disgruntled current or former employees
    • Foreign intelligence services, information warfare by foreign militaries and governments
    • Corporate espionage

Page 17

Barriers to Cyber Security

• Hacking tools readily available on the Internet (scores of hacker publications, bulletin boards and web sites dealing with “hacking tips”)

• Extensive partnering network
  – More difficult to define the boundaries of the IS
  – Java applets enhance interaction with customers and suppliers; this technology capability requires programs created by external entities to run on the organization’s machines
  – Not possible to determine the full impact of each and every applet prior to running it

Page 18

Barriers to Cyber Security

• Lack of good security policy
  – Lax attitude towards security
    • E-mail account of a dismissed employee not deleted after the employee has left the organization
    • Protecting content during transmission, but not after transmission
  – George Mason University
    » Moved from SSN to SID; ID theft of 30,000 SSNs
  – Bank of America (backup tapes lost)
  – Intrusion detection logs not maintained
  – Virus signature files/security patches not updated

Page 19

Barriers to Security

• Organizational characteristics
  – Lack of structure
  – Business environment
  – Culture
  – Lack of standard operating procedures
  – Lack of education, training, and awareness
  – Lack of understanding/appreciation of technology
  – Lack of leadership from senior management

Page 20

Management’s Role in Information Security

• Total/perfect security is a myth
• Critical asset identification
• Initial risk assessment
• Risk assessment as a continuous process
• Creating a security team
• Initiate and actively participate in planning/design/documentation/testing of security policy
• Initiate and actively participate in planning/design/documentation/testing of recovery/response policy

Page 21

Management’s Role in Information Security

• Actively involved in establishing standard operating procedures

• Developing and maintaining an appropriate organizational culture

• Ensure employees are educated and trained regarding the importance of following security policy

• Have an understanding of what each security tool proposed by the IT team can and cannot do

Page 22

Management’s Role in Information Security

• Have a good control environment
  – Physical controls
  – Data/content control
  – Implementation control (outsourcing)
  – Operations/administrative control
  – Application controls specific to individual system components/applications (e.g., limiting e-mail attachments)

Page 23

Management’s Role in Information Security

• Recognize that security is a socio-technical issue

• Recognize that security requires an end-to-end view of business processes

• Achieve a balanced approach to security – one that does not solely focus on technological solutions

• Recognize that security rests on three cornerstones

Page 24

Three Cornerstones: Technology

• Have an understanding/appreciation of technology
  – Firewalls
  – IDS/IPS systems
  – Antivirus/security patches
  – Symmetric and public key cryptography towards confidentiality, authentication, integrity and non-repudiation
  – Secure servers
  – VPNs
  – Evaluation of potential technology acquisitions based on their impact on security

Page 25

Three Cornerstones: Organization

• Organizational characteristics, typically under the control of the organization
  – Structure
  – Business environment
  – Culture
  – Policies and responses
  – Standard operating procedures
  – Education, training, and awareness

Page 26

Three Cornerstones: Critical Infrastructure

• Infrastructure that is so vital that its damage or destruction would have a debilitating impact on the physical or economic security of the country
  – Telecommunications
  – Banking
  – Energy

Page 27

Why should government/academic institutions/industry collaborate?

• In each other’s interest: critical infrastructure (CI) is in large part owned by the private sector, used by both private and public sectors, and protected in large part by the public sector.

• Need to discuss problems and exchange ideas and solutions to cyber attacks/misuse

• Resource/cost/information sharing

• Opportunity to play a role in the evolution of “best practices”

• Help shape legal and government policies in areas of mutual concern; appropriate guidance for rapid additional protection measures

Page 28

CERT

Source: http://www.us-cert.gov/

Page 29

What does CERT do?

Page 30

What is Management’s role?

• Management ties everything together

• Responsibility

• Ownership

[Diagram: Management at the center, linking Technology, Infrastructure and Organization]

Security is a Mindset, not a service. It must be a part of all decisions and implementations.