Security Awareness

Digital Crime, Fraud & Forensic investigations, Governance Risk and Compliance, IT Asset Management, License Management, Cyber Security, Cyber Labs

At MTNL, Mumbai

By Dinesh O Bareja, November 19, 2013

Upload: dinesh-o-bareja

Post on 08-May-2015


DESCRIPTION

A security awareness presentation created for an audience of senior officials from MTNL (India's foremost telecom PSU). The presentation covers fundamentals of Information Security, its evolution, and present-day risks from the IT and telecom infrastructure perspective.

TRANSCRIPT

Page 1: Security Awareness

Digital Crime, Fraud & Forensic investigations, Governance Risk and Compliance, IT Asset Management, License Management, Cyber Security, Cyber Labs

At MTNL, Mumbai

By Dinesh O Bareja

November 19, 2013

Page 2: Security Awareness

Introduction

Audience

Us.. Pyramid & Dinesh

Today's Program Plan

Information Security Fundamentals

Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept)

What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.)

When and How to Secure

First steps and discussions

Page 3: Security Awareness

Established and well-known Cyber Security and Forensics Consulting organization for the past decade

Cyber Forensics Labs in 22 states across India

Qualified, experienced and certified team of Forensic and InfoSec professionals

Full range of InfoSec services – strategy, design, implement, maintain, test, response, investigation, protection

Page 4: Security Awareness

Managed Security Services as per RBI/IDRBT guidelines

Compliance with ISO, RBI, IDRBT, IT Act etc. as applicable

ISMS Policies, Procedures, Audit Program as per ISO27001

Ethical hacking, Software Security

Open Source technology adoption

Security Awareness Training

Forensic and Incident Response…

Page 5: Security Awareness

Professional Positions

Pyramid Cyber Security & Forensics (Principal Advisor)

Jharkhand Police – Cyber Defence Research Centre (Cyber Security Advisor)

Bombay Stock Exchange - IGRC (Technical Member)

Open Security Alliance (CEO)

Indian Honeynet Project (Co Founder)

Professional skills and special interest areas

Security Consulting and Advisory services for IS Architecture, Analysis, Optimization in Government and Enterprises

Technologies: SOC, DLP, IRM, SIEM…

Practices: Incident Response, SAM, Forensics, Regulatory guidance..

Community: mentoring, training, citizen outreach, India research..

Opinionated Blogger, occasional columnist, wannabe photographer

Page 6: Security Awareness

MTNL was set up on 1st April, 1986 by the Government of India

Started as Bombay Telephone in 1882, in the pre-independence era

MTNL is the largest Broadband service provider in Mumbai

National Critical Infrastructure - provides landline services, high speed broadband through ADSL, 3G, VoIP, IPTV among a range of telecom services

Page 7: Security Awareness

Introduction

Audience

Us.. Pyramid & Dinesh

Information / Data Security

Today's Program Plan

Information Security Fundamentals

Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept)

What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.)

When and How to Secure

First steps and discussions

Page 8: Security Awareness


Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized.

When data is processed, organized, structured or presented in a given context so as to make it useful, it is called Information.

http://www.infogineering.net/data-information-knowledge.htm

Knowledge is a combination of information, experience and insight that may benefit the individual or the organization.

Page 9: Security Awareness

Regulatory Data

• Credit card data

• Privacy data

• Health care information

Corporate Secrets

• Intellectual property

• Financial information

• Trade secrets

Page 10: Security Awareness

http://movetheworld.wordpress.com/2008/01/16/evolution-of-information-security-technologies/

Page 11: Security Awareness

DATA – INFORMATION – KNOWLEDGE

Information: interpret data so that it has some value and meaning for the user

Knowledge: a combination of information & data, experience, insight that is built through a brain's processes

Page 12: Security Awareness

Information Security: the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Data Security: protecting data or a database from destructive forces and the unwanted actions of unauthorized users.

Page 13: Security Awareness
Page 14: Security Awareness

Technology advancement has brought about dramatic change in life and work and continues its march of dynamic growth

It was an era of innocence and invention when computing started, up to the time when the internet was unveiled

Over the years it has metamorphosed into a force we are still trying to understand and has brought with it ‘great expectations’ from the human beings who are in charge!

Even a young man has to use a walking stick!

Page 15: Security Awareness

http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentials-comic/

Page 16: Security Awareness

http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentials-comic/

Page 17: Security Awareness
Page 18: Security Awareness

Information Technology is NOT a support function

Information Security is NOT a cost center

Page 19: Security Awareness

Requires ABSOLUTE management support – absolutely and unconditionally

Management MUST have high level of awareness of risks and must maintain a high level of visibility

Risks, Threats and Metrics arising from IT / IS must be a regular item on the board

Board must receive regular intelligence advisories

Fires, floods, and such disasters will see the CxO on the frontlines… earning respect

Page 20: Security Awareness

Empower security teams

Define roles and responsibilities

Ensure strong and well defined processes for managing risk, controls, BCP/DR, communication

Automate processes

InfoSec Management systems must have strong governance

Page 21: Security Awareness

Various standards like ISO27001, ISO22301, ISO 20000, ISO 14000

Frameworks like ITIL, PCI-DSS, NIST

Laws and Regulatory requirements – IT Act, Guidelines, Data Protection etc.

Page 22: Security Awareness
Page 23: Security Awareness
Page 24: Security Awareness

IT Security …

Page 25: Security Awareness

Security Policy

Asset Management

Organization of Information Security

Human Resource Security

Physical and Environment Security

Communication and Operations Management

Access Control

Information Systems Acquisition, Development, Maintenance

Information Security Incident Management

Business Continuity Management

Compliance

11 Domains, 39 Control Objectives, 133 Controls

Page 26: Security Awareness
Page 27: Security Awareness
Page 28: Security Awareness
Page 29: Security Awareness
Page 30: Security Awareness
Page 31: Security Awareness
Page 32: Security Awareness

ISO22301 – BCP/DR

ISO19770 – Software License

ISO31000 – Risk Management

ISO27011 – Telecom ISMS

BS10002 – Data Classification

ISO31010 – Risk Terminology

Page 33: Security Awareness

Policies and Procedures

Risk Management

Asset Information

Data Classification

Incident Management

BCP/DR

Configuration, Change

Compliance Requirements

Page 34: Security Awareness
Page 35: Security Awareness
Page 36: Security Awareness
Page 37: Security Awareness

SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)

While SHODAN is a search engine, it is very different from content search engines like Google, Yahoo or Bing

Rather than locating specific content for a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners

Page 38: Security Awareness
Page 39: Security Awareness
Page 40: Security Awareness
Page 41: Security Awareness
Page 42: Security Awareness
Page 43: Security Awareness

PwC – State of Information Security in India Report 2013

Page 44: Security Awareness

Telecom Security …

Page 45: Security Awareness
Page 46: Security Awareness
Page 47: Security Awareness
Page 48: Security Awareness
Page 49: Security Awareness
Page 50: Security Awareness

An unexplained suicide

Reputation loss for Vodafone

Rootkit in Ericsson AXE MSE

Involvement of CIA ?? Not proven

Case is not yet resolved

Motive is unknown

Page 51: Security Awareness
Page 52: Security Awareness
Page 53: Security Awareness
Page 54: Security Awareness
Page 55: Security Awareness
Page 56: Security Awareness

CMS/IMS regime

Radia Tapes

Lawful interception

Hardware Security

Page 57: Security Awareness

23.7(i) Security Responsibility

- Complete and total responsibility for security of networks, under which the following must be done – Network Forensics, Network Hardening, Network PT, Risk Assessment

23.7(ii) Security Audit

- Conduct a network security audit once a year by a network audit certification agency, as per ISO15408 and ISO27001

23.7(iii) Security Testing

- Network elements must be tested as per defined standards – IT and IT-related elements against ISO15408, ISMS against ISO27001, telecom elements against 3GPP / 3GPP2 security standards. Up to 31 Mar 2013 this can be done overseas and after this date in India

23.7(iv) Security Configuration

- Include all security features, as per standards, while procuring equipment and implement the same

- Maintain a list of all features while equipment is in use

- List is subject to inspection by the Licensing Authority

23.7(v) Security Personnel

- CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central database, softswitches … all must be Indian Nationals

Page 58: Security Awareness
Page 59: Security Awareness
Page 60: Security Awareness
Page 61: Security Awareness

Introduction

Audience

Us.. Pyramid & Dinesh

Information / Data Security

Today's Program Plan

Information Security Fundamentals

Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept)

What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.)

When and How to Secure

First steps and discussions

Page 62: Security Awareness

Hacked on Aug 14, and the site was still down as of Aug 16

Earlier hack in June 2013, by Anonymous to protest against censorship. Site was down for 6 hours

Page 63: Security Awareness
Page 64: Security Awareness
Page 65: Security Awareness
Page 66: Security Awareness

Stuxnet,

Flame,

Shamoon,

Duqu,

Gauss,

Russian Nuclear Plant (last week)

RUMOURS

- ISRO

- Fukushima

- Baker Hughes

- ConocoPhillips

- Marathon

- Chevron

Page 67: Security Awareness
Page 68: Security Awareness

Viruses

Piracy

Data Integrity

MMS

Identity Theft, Website defacement

Trojans, Worms, APT

Ransomware

Page 69: Security Awareness

Low Orbit Cannon – used by Anonymous to launch DDoS attacks

Blackhole Exploit Kit (pre-made attack tools and packages. Available for download, it is a full-fledged, highly sophisticated attack suite - a widely-used, web-based software package which includes a collection of tools that leverage web browser security gaps. It enables the downloading of viruses, bots, trojans and other forms of malicious software onto the computers of unsuspecting victims. Prices for such a kit range from $50 for a single day’s usage, up to $1,500 for a full year)

Managed Crime Services

Card Markets

Information Exchange

Cyber Mercenaries for Hire

Botnets (available for as low as $500)

Page 70: Security Awareness
Page 71: Security Awareness

Introduction

Audience

Us.. Pyramid & Dinesh

Information / Data Security

Today's Program Plan

Information Security Fundamentals

Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept)

What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.)

When and How to Secure

First steps and discussions

Page 72: Security Awareness
Page 73: Security Awareness

Documented policies, procedures, audit procedures

Risk Management

Access Management – privileged users, passwords, onboarding, offboarding

HR – background checks

Configuration, Change, Patch, Backup

Network Traffic and Forensics

Threat Intelligence

End Point Protection

Page 74: Security Awareness

Infrastructure Security Assessment

Training

Awareness

Mobile device management

Asset Management

Compliance (internal and external)

Application Security

Incident Management & Response

Page 75: Security Awareness

Encryption

Version Control with source code review to thwart logic bombs

Page 76: Security Awareness

Introduction

Audience

Us.. Pyramid & Dinesh

Information / Data Security

Today's Program Plan

Information Security Fundamentals

Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept)

What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.)

When and How to Secure

First steps and discussions

Page 77: Security Awareness
Page 78: Security Awareness
Page 79: Security Awareness

The revelation of PRISM has changed the way we look at the future.

What was to happen is already happening – the NSA can keep tabs on the global population!

Microsoft, Google, Adobe and all the big names in technology are implicated - we have been dreaming and planning to get out of commercial systems into the open source domain, and these events have pushed the future into the present

Page 80: Security Awareness

Policies / Procedures / Documentation

DLP

SIEM

Network Forensics

Secure Web Application

Periodic VA and PT

Audit and Review

Page 81: Security Awareness
Page 82: Security Awareness

Malware

APT

Data Breach

Denial of Service

Slow response in the face of change

Lack of actionable intelligence

Insufficient Capability and Capacity

Weak Incident Response and Crisis Management

Page 83: Security Awareness

Insecure Applications

Lack of awareness

Internal - Human Error

Fraud

Default Passwords, hardening

Phishing / Vishing

Logic Bombs

Page 84: Security Awareness

Introduction

Audience

Us.. Pyramid & Dinesh

Information / Data Security

Today's Program Plan

Information Security Fundamentals

Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept)

What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.)

When and How to Secure

Next steps and discussions

Page 85: Security Awareness
Page 86: Security Awareness
Page 87: Security Awareness

Cloud

Mobile

Computers will be wearable, blowable

Smart grid

Driverless car

Page 88: Security Awareness

Crackers for Hire (cyber mercenaries)

Cyber Espionage

Ransomware / Lockout

Denial of Service

Technology Obsolescence

Fake Employees

Internal Frauds

Page 89: Security Awareness
Page 90: Security Awareness

© freedigitalphotos (royaltyfree, attribution)

systems, org growth, IT networks, business, all processes, enterprise finance, enterprise targets, people issues, gadgets, global events, sales, risks – tech / business, contribute ideas, compliance liabilities, email, background checks, onboarding / exits, flight timings, what phone to buy/gift, how to do a web checkin, …….

Page 91: Security Awareness
Page 92: Security Awareness

Current State Evaluation – People, Process and Technology

Gap Analysis as per ISO / ITA

Forensics as a Service

Incident Response

Policy Development aligned to Enterprise and National Strategies

Build internal Governance Structures

Emergency & Crisis Response Team

Awareness Program

IS Controls Implementation

Training

Page 93: Security Awareness

Questions

Page 94: Security Awareness

Head Office: FB-05, NSIC Software Technology Park Extn, Okhla Industrial Estate, New Delhi-110020

T: +91-9650894671

F: +91-11-26322980

E: [email protected]

Mumbai Office: 308 Orbitz Premises, Chincholi Bunder Road, Malad West, Mumbai 400064

T: +91.9769890505

E: [email protected]

www.pyramidcyber.com

Page 95: Security Awareness

http://en.wikipedia.org/wiki/Information_Security

http://en.wikipedia.org/wiki/Data_security

Raoul - tstf.net

http://www.infogineering.net/data-information-knowledge.htm

Google

Various internet resources