Knowledge Statements 1
3.01 Knowledge of the processes of design, implementation, and monitoring of security (e.g. gap analysis, baseline, tool selection)
3.02 Knowledge of encryption techniques (e.g. DES, RSA)
3.03 Knowledge of public key infrastructure (PKI) components (e.g. certification authorities (CA), registration authorities)
3.04 Knowledge of digital signature techniques
3. Protection of Information Assets (25%)
Knowledge Statements 2
3.05 Knowledge of physical security practices (e.g. biometrics, card swipes)
3.06 Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords, challenge/response, menus, profiles)
Knowledge Statements 3
3.07 Knowledge of security software (e.g. single sign-on, intrusion detection systems (IDS), automated permissioning, network address translation)
3.08 Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)
3.09 Knowledge of network and Internet security (e.g. SSL, SET, VPN, tunneling)
Email Interception
Methods
Script Monitor
Running a script on a server that receives email traffic, monitoring emails for certain keywords or number patterns (e.g. "bomb" together with "president", or credit card number patterns).
Account Emulation
Stealing someone's user ID and password to gain access to their email account.
PGP
Pretty Good Privacy allows strong encryption of your text. It can be incorporated easily into any text-oriented program.
Standard Encryption
Text is encrypted and sent by the originator.
Ciphertext is decrypted by the recipient.
The same key is used for encryption and decryption.
If the key is intercepted or deciphered, the encryption becomes useless.
This is how WWII was won...
Strong Cryptography
"There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter."
-- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C
40-bit cryptography is considered weak; it can be intercepted and deciphered in seconds using today's tools.
By contrast, 128-bit cryptography is considered technically infeasible to crack.
Most banks require a 128-bit browser for online banking.
Acts as a virtual signature.
Very hard to forge.
Can be used for encryption or authentication.
Resides in the Browser/Email Client/OS.
Free digital certificates are available.
PGP Freeware is available.
What is PGP?
Created by Phil Zimmermann
PGP is now a subsidiary of Network Associates
Secures e-mail and files.
Based on Public Key Cryptography.
Users who have never met can exchange encrypted documents.
Freeware.
Obtain and install a certificate using the step by step instructions at the issuing website.
You can search for certificates on public directories (LDAP) directly from within Communicator
Certificate Fingerprint: E4:58:C8:8F:B5:90:4C:AC:AB:79:9C:6A:32:0C:3E:4E
Email Spoofing
Happens when someone impersonates an email user, sending messages that appear to be from the victim's email address. Spoofing can be prevented by using your Digital Certificate or PGP to digitally sign your email message. Even certificates can be spoofed, although it is difficult. Check the Certificate Fingerprint of the message to be sure it's authentic.
Shopping Securely
You should never input sensitive info such as credit card numbers into a non-secure website.
Make sure the website is certified by a trusted Certificate Authority (CA).
Note: Attempting to enter a secure site that is not signed by a valid or default CA will result in a cautionary error message.
Stopping Hackers
Set up a personal/home firewall.
Encrypt your sensitive files!!!
PGP, all platforms.
Mac OS 9 Built-In Encryption Feature.
Don't give out your passwords to anyone!
Use difficult passwords - not simple dictionary-style words.
Password Strength
Simple words out of a dictionary make bad passwords.
Use mixed upper and lower case characters.
Use non-alphanumeric characters such as: ~!@#$%^&*()_+=-{}[]|\:;/?.>,<`
Avoid sharing passwords, even with friends and family.
Viruses
Computer viruses are 100% man-made.
Can be transmitted via email, disk, network, etc.
Most are harmless experiments.
Some are intended to wreak havoc on individuals and networks.
Virus Protection
Get a virus protection package and install it on your computer.
Check the vendor's website for downloadable updates and alerts on new viruses.
Don't open email or attachments from unknown sources.
Section 501 of the Gramm-Leach-Bliley Act requires Financial Institutions to establish standards relating to administrative, technical and physical information safeguards to protect customer records and information.
Safeguard Objectives:
Ensure security and confidentiality of customer records and information.
Protect against any anticipated threats or hazards to the security of the records.
Protect against unauthorized access or use of records or information which could result in harm or inconvenience to the customer.
Written to ensure security and confidentiality of non-public customer financial information (NPI).
Protect against any anticipated threats and hazards.
Protect against unauthorized access or use.
Financial Institutions
Including Colleges
and
FTC Ruling
Consumers' information is not a privacy issue but is one of security.
Compliance with FERPA does not exempt colleges and universities from GLBA safeguarding regulations.
University Actions
Has established a committee to ensure compliance.
The committee meets regularly to review and ensure compliance with the act.
Performs risk assessment and regular testing.
Oversees service providers and contracts.
Trains staff to maintain security and confidentiality.
Identity Theft
knowingly using, without authority, a means of identification of another person to commit any unlawful activity.
(unlawful activity: a violation of Federal law, or a felony under State or local law).
Identity Theft
When someone steals your identity, they are usually using your credit to obtain goods and services for themselves that you will have to pay for.
From: PNC Bank
Sent: May 17, 2004 6:31 PM
To: abuse@Miami.edu
Subject: To All PNC bank users
Dear PNC user, During our regular update and verification of the user data, you must confirm your credit card details. Please confirm you information by clicking link below.
http://Cards.bank.com pncfeatures/cardmember access.shtml
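As an added example (not part of the slides), here is a small Python check that applies the lesson of the message above from a defender's side: it flags links whose domain does not belong to the sender's domain and notes wording that asks the reader to confirm card or account details. The message below is constructed to resemble the slide's PNC e-mail; the addresses and link are placeholders, not the original URL.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the slide's PNC message; the addresses and
# the link are placeholders, not the original phishing URL.
SAMPLE_MESSAGE = """\
From: PNC Bank <alerts@pnc.example>
To: abuse@Miami.edu
Subject: To All PNC bank users

Dear PNC user, during our regular update and verification of the user data,
you must confirm your credit card details. Please confirm your information
by clicking the link below.

http://Cards.bank.example/pncfeatures/cardmember_access.shtml
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Phrases typical of the "verify your details" lure shown on the slide.
LURE_PHRASES = ("confirm your credit card", "verify your account",
                "confirm your information", "update your password")


def base_domain(host):
    """Last two DNS labels, lower-cased: Cards.bank.example -> bank.example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_message(raw):
    """Return the sender domain, links pointing off that domain, and lure hits."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = base_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    # A single-part text message is assumed; multipart mail would need msg.walk().
    body = msg.get_payload()
    offsite_links = [u for u in URL_RE.findall(body)
                     if base_domain(urlparse(u).hostname or "") != sender_domain]
    lowered = body.lower()
    lure_hits = [p for p in LURE_PHRASES if p in lowered]
    return {"sender_domain": sender_domain,
            "offsite_links": offsite_links,
            "lure_hits": lure_hits,
            # Both signals together: a lure that sends you somewhere else.
            "suspicious": bool(offsite_links and lure_hits)}


if __name__ == "__main__":
    print(analyze_message(SAMPLE_MESSAGE))
```

A display name alone ("PNC Bank") proves nothing; the check keys on the address domain and on where the link actually goes.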
Recovery
Take back control of your identity:
Close any fraudulent accounts.
Put passwords on your accounts.
Change old passwords and create new PIN codes.
Prevention
Protect yourself
Protect others
Experian www.experian.com
To order a report, 1-888-397-3742
To report fraud, 1-888-397-3742
Damages
Time
Money
Credit rating
Reputation
Good Practices
Photocopy the contents of your wallet/purse.
Photocopy your passport (keep a copy at home and one with you when you travel).
Empty your wallet/purse of non-essential identifiers.
Do not use any contact information provided by the people who may be trying to scam you; look it up yourself.
Shred documents before you dispose of them.
General Privacy
Do not supply corrections to the information used in account verification questions.
Be suspicious. Be paranoid.
Don't be afraid to say no when asked for information that is not required to conduct the current business transaction.
University Assets
Are customer information and records assets?
Safeguarding Information
Information takes many forms.
Information is stored in various ways.
Safeguarding Information
Your Role:
Ensure physical security.
Select and protect hard-to-guess passwords.
Avoid email traps and disclosures.
Back up files.
Log off your computer when not in use.
Do not open emails with attachments from unknown sources.
Obliterate data before giving up your computer.
Recognize social engineering tactics.
Safeguarding Information
Your role as a user.
Do you leave NPI reports on your desk?
Is NPI stored in unlocked file cabinets?
Keep computer disks secure.
Do not save NPI on your computer's C drive.
Safeguarding Information
Your role.
The University has many policies and procedures to help you; learn them.
Georgia Tech's accidental release of credit card data to the Internet cost it over $1,000,000.
Expectations
All University employees are responsible for securing and caring for University property, resources and other assets. The University relies on the attention and cooperation of every member of the community to prevent, detect and report the misuse of university assets.
Prevention
Migrating
Migrating from compliance with the IM&T (Info. Management Tech) Security Manual to compliance with BS7799
Overview
Implementation - assistance available
Basic Components
Confidentiality: protecting sensitive information from unauthorized disclosure
Integrity: safeguarding the accuracy and completeness of information/data
Availability: ensuring that information and associated services are available to users when required
Problem
Until the early 90s, information was handled by many organizations in an ad hoc and, generally, unsatisfactory manner.
In a period of increasing need to share information, there was little or no assurance that such information could or would be safeguarded.
What control measures there were focussed almost entirely on computer data, to the exclusion of other forms of information.
Code of Practice
1993: in conjunction with a number of leading UK companies and organizations, produced an ISM Code of Practice incorporating the best information security practices in general use.
Addressed all forms of information, e.g. computer data, written, spoken, microfiche, etc.
Balance
A common concern amongst organizations is that the application of security measures often has an adverse impact on, or interferes with, operational processes.
BS7799 processes are flexible enough to ensure that the right balance can be struck: security with operational efficiency!
Assets - Examples
The Standard
And
Personnel Security. Measures to reduce risks of human error, theft, fraud or misuse of facilities
Physical/Environmental Security. Prevention of unauthorized access, interference to IT services and damage
Computer and Network Management. To ensure correct and secure operation of computer and network facilities
The Standard
System Access Control. Controls to prevent unauthorized access to computer systems
System Development and Maintenance. A security program complementing development/maintenance of IT systems
BCP. Measures to protect critical business processes from major failures and disasters
Compliance. To avoid breaches of statutory or contractual requirements and ensure the ISMS is operational
Controls
Each of these categories contains a number of security controls, mandatory or otherwise, which can be implemented as part of the information security risk management strategy.
The same controls will not necessarily apply across the board, owing to the varying nature of organizations, risk factors, etc.
A risk being the product, in this case, of the threat to information and its assets, and the vulnerability to those threats.
Risk Analysis
The point is:
An effective risk management strategy cannot be implemented until the risks are identified and measured (that is, analyzed).
It almost goes without saying that analysis should be based upon a sound and proven methodology; therefore we will use CRAMM.
CRAMM
Developed in 1985, CRAMM Risk Analysis Methodology is a complete package, containing:
the risk analysis process itself
associated documentation (inc. report functionality; results and conclusions)
training
software support tools
Step 2
Step 3 - Risk Assessment (T. V. I.)
Step 4 - Manage Risk: Select Control Options
Step 5 - Additional Controls: Select Controls
Step 6 - Statement of Applicability
(NB: Additional controls would incorporate DPA 1998, Caldicott and Info Governance requirements)
And then..
Develop and implement security policies which comply with your specific requirements in terms of BS7799.
Review and maintain.
Simple, isn't it?
No, it is appreciated that compliance with BS7799 is a significant undertaking.
But, as the benefits themselves are significant, it is not only good practice, but makes good sense to adopt the standard.