Security Awareness
DESCRIPTION
A security awareness presentation created for an audience of senior officials from MTNL (India's foremost telecom PSU). The presentation covers the fundamentals of information security, its evolution, and present-day risks from the IT and telecom infrastructure perspective.
TRANSCRIPT
Digital Crime, Fraud & Forensic Investigations, Governance Risk and Compliance, IT Asset Management, License Management, Cyber Security, Cyber Labs
At MTNL, Mumbai
By Dinesh O Bareja
November 19, 2013
Introduction
Audience
Us.. Pyramid & Dinesh
Today's Program Plan
Information Security Fundamentals
Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights on concept)
What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.)
When and How to Secure
First steps and discussions
Established and well known Cyber Security and Forensics Consulting organization for the past decade
Cyber Forensics Labs in 22 states across India
Qualified, experienced and certified team of Forensic and InfoSec professionals
Full range of InfoSec services – strategy, design, implement, maintain, test, response, investigation, protection
Managed Security Services as per RBI/IDRBT guidelines
Compliance with ISO, RBI, IDRBT, IT Act etc. as applicable
ISMS Policies, Procedures, Audit Program as per ISO27001
Ethical hacking, Software Security
Open Source technology adoption
Security Awareness Training
Forensic and Incident Response…
Professional Positions
Pyramid Cyber Security & Forensics (Principal Advisor)
Jharkhand Police – Cyber Defence Research Centre (Cyber Security Advisor)
Bombay Stock Exchange - IGRC (Technical Member)
Open Security Alliance (CEO)
Indian Honeynet Project (Co Founder)
Professional skills and special interest areas
Security Consulting and Advisory services for IS Architecture, Analysis, Optimization in Government and Enterprises
Technologies: SOC, DLP, IRM, SIEM…
Practices: Incident Response, SAM, Forensics, Regulatory guidance..
Community: mentoring, training, citizen outreach, India research..
Opinionated blogger, occasional columnist, wannabe photographer
MTNL was set up on 1st April, 1986 by the Government of India
Started as Bombay Telephone in 1882, in the pre-independence era
MTNL is the largest Broadband service provider in Mumbai
National Critical Infrastructure – provides landline services, high speed broadband through ADSL, 3G, VoIP, IPTV among a range of telecom services
Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized.
When data is processed, organized, structured or presented in a given context so as to make it useful, it is called Information.
Knowledge is a combination of information, experience and insight that may benefit the individual or the organization.
http://www.infogineering.net/data-information-knowledge.htm
Regulatory Data
• Credit card data
• Privacy data
• Health care information
Corporate Secrets
• Intellectual property
• Financial information
• Trade secrets
http://movetheworld.wordpress.com/2008/01/16/evolution-of-information-security-technologies/
DATA → INFORMATION → KNOWLEDGE
Information: interpret data so that it has some value and meaning for the user
Knowledge: a combination of information & data, experience, insight that is built thru’ a brain’s processes
Information Security: the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Data Security: protecting data or a database from destructive forces and the unwanted actions of unauthorized users.
Technology advancement has brought about dramatic change in life and work and continues its march of dynamic growth.
It was an era of innocence and invention from the time computing started up to the time the internet was unveiled.
Over the years it has metamorphosed into a force we are still trying to understand and has brought with it ‘great expectations’ from the human beings who are in charge!
Even a young man has to use a walking stick!
http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentials-comic/
Information Technology is NOT a support function
Information Security is NOT a cost center
Requires ABSOLUTE management support – absolutely and unconditionally
Management MUST have a high level of awareness of risks and must maintain a high level of visibility
Risks, Threats and Metrics arising from IT / IS must be a regular item on the board agenda
Board must receive regular intelligence advisories
Fires, floods, and such disasters will see the CxO on the frontlines… earning respect
Empower security teams
Define roles and responsibilities
Ensure strong and well defined processes for managing risk, controls, BCP/DR, communication
Automate processes
InfoSec Management systems must have strong governance
Various standards like ISO27001, ISO22301, ISO 20000, ISO 14000
Frameworks like ITIL, PCI-DSS, NIST
Laws and Regulatory requirements – IT Act, Guidelines, Data Protection etc.
IT Security … ISO27001: 11 Domains, 39 Control Objectives, 133 Controls
Security Policy
Asset Management
Organization of Information Security
Human Resource Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
ISO22301 – BCP/DR
ISO19770 – Software License
ISO31000 – Risk Management
ISO27011 – Telecom ISMS
BS10002 – Data Classification
ISO31010 – Risk Terminology
Policies and Procedures
Risk Management
Asset Information
Data Classification
Incident Management
BCP/DR
Configuration, Change
Compliance Requirements
SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)
While SHODAN is a search engine, it is very different from content search engines like Google, Yahoo or Bing
Rather than locating specific content for a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners
PwC – State of Information Security in India Report 2013
Telecom Security …
An unexplained suicide
Reputation loss for Vodafone
Rootkit on Ericsson AXE MSE
Involvement of CIA?? Not proven
Case is not yet resolved
Motive is unknown
CMS/IMS regime
Radia Tapes
Lawful interception
Hardware Security
23.7(i) Security Responsibility
- Complete and Total Responsibility for Security of Networks, under which the following must be done – Network Forensics, Network Hardening, Network PT, Risk Assessment
23.7(ii) Security Audit
- Conduct a network security audit once a year by a network audit certification agency, as per ISO15408 and ISO27001
23.7(iii) Security Testing
- Network elements must be tested as per defined standards – IT and IT related against ISO15408, ISMS against ISO27001; Telecom elements against 3GPP / 3GPP2 security standards. Up to 31 Mar 2013 this can be done overseas and after this date in India
23.7(iv) Security Configuration
- Include all security features, as per standards, while procuring equipment and implement the same.
- Maintain a list of all features while equipment is in use
- List is subject to inspection by the Licensing Authority
23.7(v) Security Personnel
- CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central database, softswitches … all must be Indian Nationals.
Hacked on Aug 14, and site was down as of Aug 16
Earlier hack in June 2013, by Anonymous to protest against censorship. Site was down for 6 hours
Stuxnet,
Flame,
Shamoon,
Duqu,
Gauss,
Russian Nuclear Plant (last week)
RUMOURS
- ISRO
- Fukushima
- Baker Hughes
- ConocoPhillips
- Marathon
- Chevron
Viruses
Piracy
Data Integrity
MMS
Identity Theft, Website defacement
Trojans, Worms, APT
Ransomware
Low Orbit Ion Cannon – used by Anonymous to launch DDOS attacks
Blackhole Exploit Kit (pre-made attack tools and packages. Available for download, it is a full-fledged, highly sophisticated attack suite – a widely-used, web-based software package which includes a collection of tools that leverage web browser security gaps. It enables the downloading of viruses, bots, trojans and other forms of malicious software onto the computers of unsuspecting victims. Prices for such a kit range from $50 for a single day’s usage, up to $1,500 for a full year)
Managed Crime Services
Card Markets
Information Exchange
Cyber Mercenaries for Hire
Botnets (available for as low as $500)
Documented policies, procedures, audit procedures
Risk Management
Access Management – privileged users, passwords, onboarding, off boarding
HR – background checks
Configuration, Change, Patch, Backup
Network Traffic and Forensics
Threat Intelligence
End Point Protection
Infrastructure Security Assessment
Training
Awareness
Mobile device management
Asset Management
Compliance (internal and external)
Application Security
Incident Management & Response
Encryption
Version Control with source code review to thwart logic bombs
The revelation of PRISM has changed the way we look at the future.
What was to happen is already happening – the NSA can keep tabs on the global population!
Microsoft, Google, Adobe and all the big names in technology are implicated. We have been dreaming and planning to get out of commercial systems into the open source domain, and these events have pushed the future into the present.
Policies / Procedures / Documentation
DLP
SIEM
Network Forensics
Secure Web Application
Periodic VA and PT
Audit and Review
Malware
APT
Data Breach
Denial of Service
Slow response in the face of change
Lack of actionable intelligence
Insufficient Capability and Capacity
Weak Incident Response and Crisis Management
Insecure Applications
Lack of awareness
Internal - Human Error
Fraud
Default Passwords, hardening
Phishing / Vishing
Logic Bombs
Cloud
Mobile
Computers will be wearable, blowable
Smart grid
Driverless car
Crackers for Hire (cyber mercenaries)
Cyber Espionage
Ransomware / Lockout
Denial of Service
Technology Obsolescence
Fake Employees
Internal Frauds
systems
org growth
IT networks
business
all processes
enterprise finance
enterprise targets
people issues
gadgets
global events
sales
risks – tech / business
contribute ideas
compliance liabilities
background checks
onboarding /exits
flight timings
what phone to buy/gift
how to do a web checkin
…….
Current State Evaluation – People, Process and Technology
Gap Analysis as per ISO / ITA
Forensics as a Service
Incident Response
Policy Development aligned to Enterprise and National Strategies
Build internal Governance Structures
Emergency & Crisis Response Team
Awareness Program
IS Controls Implementation
Training
Questions
Head Office:
FB-05, NSIC Software Technology Park Extn,
Okhla Industrial Estate,
New Delhi-110020
T: +91-9650894671
F: +91-11-26322980
Mumbai Office:
308 Orbitz Premises
Chincholi Bunder Road,
Malad West
Mumbai 400064
T: +91.9769890505
www.pyramidcyber.com
http://en.wikipedia.org/wiki/Information_Security
http://en.wikipedia.org/wiki/Data_security
Raoul - tstf.net
http://www.infogineering.net/data-information-knowledge.htm
Various internet resources