security and assurance lecture jan 14


Upload: subramanian-k

Post on 08-May-2015


DESCRIPTION

cyber security-->cyber assurance and cyber governance

TRANSCRIPT

Page 1: security and assurance lecture jan 14

Prof. KS@2014 csi chennai Lecture Cyber Security-->Cyber Assurance Jan 6,2014 1

Securing the Unsecured in Cyber Space

Creating Digital Trust in Cyber Era

Cyber Security Cyber Assurance

The need of Enterprises of Tomorrow

Prof. K. Subramanian

SM(IEEE), SMACM, FIETE, FNTF SMCSI,MAIMA,MAIS,MCFE,MISACA(USA)

EX-Professor & Director, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU

Former IT Adviser to CAG of India

Ex-SR.1DDG(NIC), Min of Communications & Information Technology

Former President, Cyber Society of India

Emeritus President, eISSA

Academic Advocate of ISACA (USA) in India

Page 2: security and assurance lecture jan 14


Cyberspace is Dynamic, Undefined and Exponential

Countries need dynamic laws that keep pace with technological advancements

In a Virtual Space, Netizens Exist, Citizens Don’t!

Trust in E-environments

Lack of a mature IT society

Absence of Single governing body

Legislation

High skill inventory

Reduce fear of being caught

Disgruntled Employees


Page 3: security and assurance lecture jan 14


"The poor have sometimes objected to being governed badly; the rich have always objected to being governed at all." -- G. K. Chesterton

“Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps.” -- Roger Revelle

“The law is the last interpretation of the law given by the last judge.” -- Anon.

“Privacy is where technology and the law collide.” -- Richard Smith (who traced the ‘I Love You’ and ‘Melissa’ viruses)

"Technology makes it possible for people to gain control over everything, except over technology." -- John Tudor


Page 4: security and assurance lecture jan 14


In the Era of Digital Age

• Can all users be identified (e.g., employees, contractors, and business partners)?

• Do IT managers know what users have access to?

• Can all the interactions among users, assets, and applications be identified?

• Do IT managers have verifiable evidence that controls are working, and appropriate action takes place when a policy infraction occurs? Does this evidence exist in minutes rather than months?

• No one standard meets requirements—Advise on specific group standards (medical, commerce/Trade services— High-end-KBPOS)

Ten Important Imperatives

• IT & Law

• Security & Risk

• Business Integration

• Value to the Enterprise

• Alignment = collaboration

• Governance and funding

• IT sourcing & ITES outsourcing

• Performance Measures

• Growing talent

• Beyond customer service


Page 5: security and assurance lecture jan 14


Perfect Security—A Dream

• "Perfect security is not achievable."

• "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."

• Concerns: PRIVACY vs SOCIETY

• SAFETY

• SECURITY

• Trust


Page 6: security and assurance lecture jan 14


“In security matters, there is nothing like absolute security”

“We are only trying to build comfort levels, because security costs money and lack of it costs much more”

“Comfort level is a manifestation of efforts as well as a realization of its effectiveness & limitations”

Page 7: security and assurance lecture jan 14


Page 8: security and assurance lecture jan 14


Cyber Threats 2013

Data, Mobility, Questions of Responsibility

Page 9: security and assurance lecture jan 14


Page 10: security and assurance lecture jan 14


eSecurity Technologies

Cryptography & Cryptology

Steganography & Digital Watermarking

Digital Rights Management

Cyber Defence technologies (Firewall, IDS/IPS, Perimeter and Self-Defence)

Access Control & ID Management (Rule, Role, Demand Based)

Signatures (Digital/Electronic)

Cyber Forensics & Cyber Audit


Page 11: security and assurance lecture jan 14


Cyber Security – A Holistic View

Authentication
Access Control & Authorization
Identity Mgmt
Antivirus
Firewall
Intrusion Detection
VPN
Content Updates & Security Response
24x7 Global Customer Support
Attack Recovery Tools/Svcs
Honey Pot & Decoy Technology
Threat Management & Early Warning
Vulnerability Assessment
Policy Compliance
Event & Incident Mgmt
Config. Mgmt
Common Console
Encryption
Proactive Control

Source: Symantec Inc

Page 12: security and assurance lecture jan 14


Threats to the information system (IS):
FRAUD & THEFT
SCAVENGING
VIRUS ATTACK
ACCIDENTAL DAMAGE
NATURAL DISASTER
UNAUTHORISED ACCESS
INTERCEPTION
TROJAN HORSES
INCOMPLETE PROGRAM CHANGES
HARDWARE / SOFTWARE FAILURE
SOCIAL ENGINEERING ATTACK
DATA DIDDLING

Controls:
PASSWORDS
ENCRYPTION
ANTI-VIRUS
BACKUPS
HARDWARE MAINTENANCE
SECURITY GUARDS
INPUT VALIDATIONS
AUDIT TRAILS
PROGRAM CHANGE DOCUMENTATION
AUTHORISATION
BUSINESS CONTINUITY PLAN

Consequences:
LOSING TO COMPETITION
LOSS OF CUSTOMERS
LOSS OF CREDIBILITY
EMBARRASSMENT
FINANCIAL LOSS


Page 13: security and assurance lecture jan 14


Page 14: security and assurance lecture jan 14


Government Policy Guidelines

• Policy on Identity and Access Management: An e-Governance standards initiative to make e-Government Programs and their services a reality

• Draft Document “e-Governance Information Security Standard” (Version 01 dated 12th October 2006) has proposed additional security controls for e-Governance purposes, viz., data security and privacy protection, network security, and application security;

• Draft Document “Base line security requirements & Selection of controls” (Version 01, 12th October 2006).

http://egovstandards.gov.in


Page 15: security and assurance lecture jan 14


Strategy-Policy-Good Practice

• “Information Security Policy for Protection Critical Information Infrastructure” (No. CERT-In/NISAP/01, issued on 1st May 2006) –Recent Guidelines

• Information & Privacy Protection Policy, apart from IT ACT & RTI ACTS

• Stopping Spam Before It Stops You – SPAM Policy to be done

• Privacy/Data Protection Legislation-Underway

"Data disposal, anonymity, trust, privacy management, and systems development activities are just a few of the many privacy concerns organizations must address and need to thoughtfully create a privacy strategy that is clearly and consistently supported by the top business leaders."

Page 16: security and assurance lecture jan 14

Corporate Governance

Business Assurance Framework

Global Phenomena

• Combines Code of UK and SOX of USA

• Basel II & III

• Project Governance

• IT Governance

• Human & Humane Governance

India Initiatives

1. Clause 49

2. Basel II & III - RBI

3. SEBI - Corporate Governance Implementation directives

4. Risk management - RBI & TRAI

5. MCA Initiatives

• New company Law 2013


Page 17: security and assurance lecture jan 14


Learning From Experience

1. The only source of knowledge is experience. -- Einstein

2. One must learn by doing the thing; for though you think you know it, you have no certainty, until you try. -- Sophocles

3. Experience is a hard teacher because she gives the test first, and the lesson afterwards. -- Vernon Sanders Law

4. Nothing is a waste of time if you use the experience wisely. -- Rodin

Page 18: security and assurance lecture jan 14


Known Threat Assessment Approaches

• Privilege Graph [Dacier et al. 94]

  • Vertices/nodes represent privilege states

  • Edges/arcs represent privilege escalation

• Attack Graph [Philips et al. 98, 01, 02]

  • Vertices/nodes represent network states

  • Edges/arcs represent atomic exploits

• Shortcomings

  • Too many details, very fine-grained

  • Without automation, model instantiation is cumbersome

  • Model-checking can help, but state explosion problem

  • Insider attacks may succeed without privilege escalation or vulnerabilities
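As an added example (not part of the lecture slides or of the cited papers), the following Python models a tiny attack graph of the kind described above: nodes are (host, privilege) states and edges are atomic steps labelled with the placeholder "exploit" that enables them. It enumerates the paths from the outside to a goal, finds the single steps whose removal (a patch or control) cuts every such path, shows the exponential growth of the full network-state model behind the state-explosion remark, and shows an insider path that reaches the goal with no exploit or escalation at all. All hosts, privilege names and "exploit:*" labels are constructed.

```python
from collections import defaultdict

# Constructed toy network: nodes are (host, privilege) states, edges are
# atomic steps. Every "exploit:*" label is a placeholder, not a real bug.
EDGES = [
    (("internet", "none"), ("web", "user"), "exploit:web-rce"),
    (("web", "user"), ("web", "root"), "exploit:web-local-privesc"),
    (("web", "root"), ("app", "user"), "exploit:reused-admin-creds"),
    (("web", "user"), ("app", "user"), "exploit:app-auth-bypass"),
    (("app", "user"), ("db", "dba"), "exploit:db-default-password"),
    # Insider: a DBA's workstation reaches the goal through authorised
    # access, with no vulnerability and no privilege escalation at all.
    (("dba-workstation", "employee"), ("db", "dba"), "authorized-access"),
]

EXTERNAL = ("internet", "none")
INSIDER = ("dba-workstation", "employee")
GOAL = ("db", "dba")


def build_graph(edges):
    """Adjacency list: node -> [(next_node, step_label), ...]."""
    graph = defaultdict(list)
    for src, dst, label in edges:
        graph[src].append((dst, label))
    return graph


def attack_paths(edges, start, goal):
    """All simple paths from start to goal, each as a tuple of step labels."""
    graph = build_graph(edges)
    found = []

    def walk(node, visited, labels):
        if node == goal:
            found.append(tuple(labels))
            return
        for nxt, label in graph[node]:
            if nxt not in visited:
                walk(nxt, visited | {nxt}, labels + [label])

    walk(start, {start}, [])
    return sorted(found)


def critical_steps(edges, start, goal):
    """Step labels whose removal alone cuts every start->goal path.

    For a defender these are the single fixes with the highest payoff.
    Returns an empty set when the goal is unreachable to begin with."""
    if not attack_paths(edges, start, goal):
        return set()
    labels = {label for _, _, label in edges}
    return {
        label
        for label in labels
        if not attack_paths([e for e in edges if e[2] != label], start, goal)
    }


def needs_exploit(path):
    """True if any step on the path relies on a vulnerability."""
    return any(step.startswith("exploit:") for step in path)


def network_state_space(n_hosts, n_privilege_levels):
    """Size of the full network-state model (one privilege level per host).

    It grows exponentially in the number of hosts, which is the state
    explosion that makes exhaustive model checking impractical."""
    return n_privilege_levels ** n_hosts


if __name__ == "__main__":
    for path in attack_paths(EDGES, EXTERNAL, GOAL):
        print("external path:", " -> ".join(path))
    print("single fixes that break every external path:",
          sorted(critical_steps(EDGES, EXTERNAL, GOAL)))
    insider_path = attack_paths(EDGES, INSIDER, GOAL)[0]
    print("insider path:", insider_path, "uses exploit:", needs_exploit(insider_path))
    print("states for 20 hosts x 3 privilege levels:", network_state_space(20, 3))
```

The insider path is invisible to any analysis that only follows exploit edges, which is the last shortcoming the slide lists.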

Recent Insider Threat Mitigation Tools

• Skybox View

• Sureview from Oakley Networks

• iGuard from Reconnex

• Content Alarm from Tablus

• Vontu from Vontu, Inc.

• Rule-based techniques

• Detect policy violations

• Forensics analysis


Page 19: security and assurance lecture jan 14


CERTIFICATION SEMANTIC ISSUES

What is certification; what does it denote and mean?

What are the principal concepts and elements of certification?

What additional concepts and notions are expressed and implied by certification?

What is the intent of the certification; what is it you are trying to do in certifying something?

TECHNOLOGICAL ISSUES

How is certification achieved?

How are the prerequisites and context for certification established?

What is it you are certifying? (Object of certification)

Certification with respect to what? (Basis for certification)

What relation must exist for certification? (Object/basis relation)

What activities/decisions are prerequisite for certification?

How and when is certification to be conducted?

ADMINISTRATIVE ISSUES

Who does the certification?

Who is the recipient of the certification?

What is the significance of the certification for the certifier?

What is the significance of the certification for the recipient?

Why certify?


Page 20: security and assurance lecture jan 14


Security Assurance - Expectations

“To determine how much is too much, so that we can implement appropriate security measures to build adequate confidence and trust”

“To derive a powerful logic for implementing or not implementing a security measure”

Page 21: security and assurance lecture jan 14


Managing Interdependencies

Critical in Enterprises/Institutions

• Infrastructure characteristics (organizational, operational, temporal, spatial)

• Environment (economic, legal/regulatory, technical, social/political)

• Coupling and response behavior (adaptive, inflexible, loose/tight, linear/complex)

• Type of failure (common cause, cascading, escalating)

• Types of interdependencies (physical, cyber, logical, geographic)

• State of operations (normal, stressed/disrupted, repair/restoration)

Page 22: security and assurance lecture jan 14


Identity Management

• Identity management is not new, but it has evolved from the days of a single password entry onto the network into a comprehensive set of processes and systems that make it easier for all users to access information in real time and in a much more secure manner.

• ID management tends to center on technical improvements in system security, but the more important benefits are the opportunities gained by collaborating with vendors, suppliers, and customers across the supply chain.

• The real value of an [ID management] solution is that it ultimately enables this wide range of business enterprise.

Page 23: security and assurance lecture jan 14


Biometric System Operates on

• Verification

• Identification

Page 24: security and assurance lecture jan 14


Biometrics


Page 25: security and assurance lecture jan 14


Layered E-trust Framework

PKI Technology
Trusted Digital Identity Infrastructure
Shared E-trust Applications
Computing E-trust Services
Single e-trust Applications
Infrastructure

Layer 2 Service Provider, example: IDENTRUS

B2B, B2C, SET, C2C

Page 26: security and assurance lecture jan 14


Present Risk Certification Issues

Trust

• Trust cannot be bought or sold. It has to be created.

• Trust is earned and not given away.

• Trusted third party or a trusted CA raises: trusted in relationship to whom?

  - trusted by whom?

  - trusted for what?

  - trusted for how long?

Page 27: security and assurance lecture jan 14


9 Rules of Risk Management

• There is no return without risk: Rewards go to those who take risks.

• Be Transparent: Risk is measured, and managed, by people, not mathematical models.

• Know what you Don’t know: Question the assumptions you make.

• Communicate: Risk should be discussed openly.

• Diversify: Multiple risks will produce more consistent rewards.

• Show Discipline: A consistent and rigorous approach will beat a constantly changing strategy.

• Use common sense: It is better to be approximately right than to be precisely wrong.

• Return is only half the question: Decisions are to be made only by considering the risk and return of the possibilities.

RiskMetrics Group


Page 28: security and assurance lecture jan 14


• Universality: Each person should have the characteristic.

• Distinctiveness: Any two persons should be different in terms of the characteristic.

• Permanence: The characteristic should be sufficiently invariant (w.r.t. the matching criterion) over a period of time.

• Collectability: The characteristic should be quantitatively measurable.


Page 29: security and assurance lecture jan 14


• Uniform naming convention: absent

• Birth & death registration: incomplete

• No social security registration number

• Absence of identity documents such as phones or driving licences available to everybody

• Electoral ID DB: complete set not there, but at least covers 600-650 m records; not auditable and verifiable

• Absence of PAN & other ID numbers for everybody: not auditable & verifiable


Page 30: security and assurance lecture jan 14


• By Possession

• Password

  • Static

  • Dynamic

• By Association

• PIN/TOKEN

• By Card

• By Biometrics

• By Government

  • PAN (TAXATION)

  • Passport

  • Social Security Number

  • Citizenship ID NO.

  • Senior Citizen NUMBER


Page 31: security and assurance lecture jan 14


• Domain Name System (DNS)

• Dynamic Host Configuration Protocol (DHCP)

• Remote Authentication Dial-In User Service (RADIUS)

• Lightweight Directory Access Protocol (LDAP)

• Microsoft’s Active Directory

• Novell Directory Services (NDS)

• Public Key Infrastructure (PKI)

Page 32: security and assurance lecture jan 14


• Most enterprises have no common, unified database of user profiles, access rights, and device identity. This situation has put the integrity of core infrastructure network services in jeopardy in the following areas:

• Security.

• Reliability.

• Cost.

• Software Version Control.

• Scalability.


Page 33: security and assurance lecture jan 14


Internal Competition from Liberalization

World Competition from Globalization

Entrenched Competition Abroad

Asymmetry in Scale, Technology, Brands

Industry Shakeouts and Restructuring

Learn more about own Businesses.

Reach out to all Business & Function Heads.

Sharpen Internal Consultancy Competences.

Proactively Seize the Repertoire of MS & Partners

Foster two way flow of IS & Line Talent.


Page 34: security and assurance lecture jan 14


Key Areas of Assurance

• Organizational - Systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs

• Supplier - Confidence that controls of third party suppliers are adequate & meet the organization’s benchmarks

• Business Partners - Confirmation that security arrangements with partners assess & mitigate business risk

• Services & IT Systems - Capability of developers, suppliers of IT services & systems to implement effective systems to manage risks to the organization’s business


Page 35: security and assurance lecture jan 14


Prof. KS@2009: BMS CII Conference

New delhi April14-15, 2009

Benefits of Assurance

• Contributes to effectiveness & efficiency of business operations

• Ensures reliability & continuity of information systems

• Assists in compliance with laws & regulations

• Assures that organizational risk exposure is mitigated

• Confirms that internal information is accurate & reliable

• Increases investor and lender confidence


Page 36: security and assurance lecture jan 14

Cyber Assurance Framework

• Insurance - Protection of classified assets

• Audit - Gives comfort level (Internal/External)

  • Pre audit

  • Concurrent audit

  • Post audit

• Assurance - More degree of comfort as it is multi-layered.

  • Management

  • Operational

  • Technology/technical

  • Network

  • Legal

  • Impact

Page 37: security and assurance lecture jan 14


Standards, Standards, Standards

Technical Vs Management

Security
Audit
Interoperability
Interface (systems/devices/communications)
Architecture/Building Blocks/reusable
HCI (Human Computer Interface)
Process (Quality & Work)
Environmental (Physical, Safety, Security)
Data Interchange & mail messaging (Information/Data Exchange)
Layout/Imprint
BCM

Technical Standards - Specifications, mainly for interoperability, accessibility and interactivity

Management standards - Auditable & verifiable; certification & compliance


Page 38: security and assurance lecture jan 14


Importance of Group Standards - no one standard meets all requirements: ISO 27001/BS7799 Vs COBIT Vs CMM Vs ITIL

Mission
Business Objectives
Business Risks
Applicable Risks
Internal Controls
Review


Page 39: security and assurance lecture jan 14


Transition: Insurance & Assurance

Assurance Layered Framework

• Insurance

• Audit: Pre, Concurrent, Post

  • IT Audit: Environmental, Operational, Technology, Network, Financial, Management, Impact

  • Electronic Continuous Audit

• Certification

• Assurance

  • Management Assurance (GRC)

  • Operational Assurance (Risk & ROI)

  • Technical Assurance (Availability, Serviceability & Maintainability)

  • Revenue Assurance (Leakage & Fraud)

  • Legal Compliance & Assurance (Governance)


Page 40: security and assurance lecture jan 14


Cyber Governance Components

• Environmental & ICT Infrastructure

• Operational (logistics Integration)

• Technology (synergy & Convergence)

• Network (multi Modal Network)

• Management (HRM & SCM &CRM)

• Impact (feed-back correction)

Operational Integration (Functional)

Professional Integration (HR)

Emotional/Cultural Integration

Technology Integration


Page 41: security and assurance lecture jan 14


Legislative Trust & Techno-Legal issues & Amendment to IT Act or Legislation of New Acts

Legal/Regulatory Framework & Attributes

Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of information

• Authentication for retrieval

• Authorized access and control of access

• Security standards for certification and mandatory for compliance for Electronic Archives

• Information/Data Protection (Privacy and Piracy)

• Information management and Continuous preservation in Electronic Archives

• Information Assurance and Auditability


Page 42: security and assurance lecture jan 14


“IT Regulations and Policies - Compliance & Management” Pre-requisites: Physical Infrastructure and Mind-set

• PAST: We have inherited a past, for which we cannot be held responsible;

• PRESENT: We have fashioned the present on the basis of development models, which have undergone many mid-course corrections;

• FUTURE: The path to the future -- a future in which India and Indians will play a dominant role in world affairs -- is replete with opportunities and challenges.

In a number of key areas, it is necessary to break from the past in order to achieve our Vision.

We have within ourselves the capacity to succeed.

We have to embrace an Integrated Security & Cyber Assurance Framework.


Page 43: security and assurance lecture jan 14


Page 44: security and assurance lecture jan 14


CXO~CEO Internal Strategic Alliances

CIO & CEO: Business Led Info. strategy

CIO & CMO: Competitive Edge & CVP

CIO & CTO: Cost-Benefit Optimization

CIO & CFO: Shareholder Value Maximization

CIO & CHRO: Employee Performance and Rewards

CIO & Business Partners: Virtual Extended Enterprise

The Productivity/Performance Promise

• Capital Productivity (ROI, EVA, MVA)

• Material Productivity (60% of Cost)

• Managerial Productivity (Information Worker)

• Labour Productivity (Enabled by IW)

• Company Productivity (Micro)

• Factor Productivity (Macro)


Page 45: security and assurance lecture jan 14


Towards Information/Business Assurance

• Increasingly, the goal isn't about information security but about information/Business assurance, which deals with issues such as data/information availability and integrity.

• That means organizations should focus not only on risk avoidance but also on risk management. "You have to be able to evaluate risks and articulate them in business terms" -- Jane Scott-Norris, CISO at the U.S. State Department

Page 46: security and assurance lecture jan 14


Comparison of Seals

WEB Certification

| Product | Cost | Privacy of Data | Security of Data | Business Policies | Transaction Processing Integrity |
|---|---|---|---|---|---|
| BBB Online | Low | No | No | Lightly Covered | No |
| TRUSTe | Low | Yes | No | No | No |
| Veri-Sign | Low to Medium | No | Yes: Data Transmittal; No: Data Storage | No | No |
| ICSA | High | Yes | Yes | Somewhat Covered | Lightly Covered |
| WebTrust | High | Yes | Yes | Yes | Yes |

Page 47: security and assurance lecture jan 14


Security Governance Maturity Model


Page 48: security and assurance lecture jan 14

Cyber Forensics & Cyber Frauds

• Digital forensics

• Email forensics

• Image forensics

• Video Forensics

• Storage Forensics

• Audio Forensics

• Network forensics

• Data/Information forensics


Page 49: security and assurance lecture jan 14

Types of Frauds

Conflict of Interest Nepotism Gratuities

False Statements Omissions Favoritism

False Claims Forgery Kickbacks

Misappropriation Conspiracy Alterations

Breach of Duty Bribery Substitution

Impersonation Embezzlement Extortion


Page 50: security and assurance lecture jan 14

Common Red Flags Signaling Management Fraud

o Management decisions are dominated by an individual or small group.

o Managers’ accounting attitudes are unduly aggressive.

o Managers place much emphasis on meeting earnings projections.

o Management’s business reputation is poor.

o Management has engaged in opinion shopping.

o Managers are evasive responding to auditors’ queries.

o Managers engage in frequent disputes with auditors.

o Managers display significant disrespect for regulatory bodies.

o Company has a weak internal control environment.

Page 51: security and assurance lecture jan 14

Common Red Flags Signaling Management Fraud

o Company accounting personnel are lax or inexperienced in their duties.

o Company employs inexperienced managers.

o Company is in a period of rapid growth.

o Company profit lags the industry.

o Company has going concern problems (bankruptcy).

o Company is decentralized without adequate monitoring.

o Company has many difficult accounting measurement and presentation issues.

o The company may be offered for sale.

o The company makes acquisitions using its stock.


Page 52: security and assurance lecture jan 14

Common Red Flags Signaling Employee Fraud

o Missing documents.

o Unusual endorsements on checks.

o Unexplained adjustments to inventory balances.

o Unexplained adjustments to accounts receivable.

o Customer complaints.

o Adjustments to receivables and payables.

o Increased past due receivables.

o Inventory shortages.

o General ledger does not balance.


Page 53: security and assurance lecture jan 14

Common Red Flags Signaling Employee Fraud

o Old items in bank reconciliations.

o Old outstanding checks.

o Unusual patterns in deposits in transit.

o Cash shortages and overages.

o Excessive voids and credit memos.

o Increased scrap.

o Alterations on documents.

o Duplicate payments.

o Employees cannot be found.

o Documents photocopied

o Dormant accounts become active.

o Common names or addresses for refunds.


Page 54: security and assurance lecture jan 14

“Honest Abraham” Lincoln

After angrily turning down a bribe, he said, “Every man has his price, and he was getting close to mine.”

Under the right set of circumstances anyone could become a fraud perpetrator.

Page 55: security and assurance lecture jan 14


IT Security predictions 2014

1. Pirated software*

Pirated software will drive insecurity in much more dynamic ways than previously realized. Users of pirated software are afraid to download updates, thus are exposed to security risks because their software is entirely unpatched. Also, newer versions of pirated software now come with malware pre-installed. As a result, users of pirated software will become the new “Typhoid Marys” of the global computing community.

*IBM's X-Force research team

Page 56: security and assurance lecture jan 14


IT Security Predictions 2013

2. Social engineering meets social networks and ups the ante

Social engineering meets social networks and ups the ante for creative compromises. Criminal organizations are increasingly sophisticated in how they attack different social networking sites. For example, Twitter is being used as a distribution engine for malware. LinkedIn, however, is being used for highly targeted attacks against high-value individuals. We will see these organizations use these sites in creative new ways in 2010 that will accelerate compromises and identity theft, especially as new commercial applications increase the disclosure of valuable personal information on these sites.

Page 57: security and assurance lecture jan 14


IT Security predictions 2014

3. Criminals take to the cloud

Criminals take to the cloud. We have already seen the emergence of “exploits as a service.” In 2013 we will see criminals take to cloud computing to increase their efficiency and effectiveness.

Page 58: security and assurance lecture jan 14


IT Security predictions 2014

• A rise in attacks on health care organizations will occur for similar reasons,

• continued attacks on retailers big and small, tax authorities,

• school systems - anywhere where lots of records are kept by organizations that haven't traditionally had best practice security in place

Page 59: security and assurance lecture jan 14

Security & Governance - Final Message

“In Governance matters
Past is no guarantee;
Present is imperfect
&
Future is uncertain”

“Failure is not when we fall down, but when we fail to get up”

Page 60: security and assurance lecture jan 14


FOR FURTHER INFORMATION PLEASE CONTACT :-


91-11-22723557

Let us Secure and Cyber Assure our Enterprises by Good Governance
