Information Insecurity
Part II: The Solution

E. Gelbstein A. Kamal


Basic rule of systems

Complex problems are never solved, they are only transformed.

Corollary: You don't fix security. You manage it.


Information security principles

1. Information must be available to those authorized to have it
2. Information will only be disclosed at the appropriate time, and only to those authorized to have it
3. Information will only be modified by those authorized to do so

Source: ISO 17799, Code of Practice for the Management of Information Security


Information security principles (2)

Existence of a legal framework defining:
- Protection of intellectual property rights, including software
- Protection of privacy in cyberspace
- Effectiveness of the provision of digital signatures
- Prosecution of cyber-criminals

Covering information processed, stored and transmitted in e-form


What is your role in Infosec?

Defender: one of the good guys
- Chief Information Officer
- Security manager
- Systems administrator
- Network administrator
- Enlightened User


How good a defender?

It really is your choice:
- Due diligence
- Negligence
- Dereliction of duty
- Misconduct
- Sabotage
- Criminal damage
- Aiding and abetting crime


What is your role in Infosec?

A special guy: good or bad are relative
- Auditor (security, internal, external)
- Ethical hacker
- Security consultant
- Vendors of security products
- Vendors of other ICT projects
- Info Security legislator


What is your role in Infosec?

Bystander
- Surely, it's a technical problem
- Nothing to do with me
- Not in my job description
- What, change password again?
- What's wrong with using my birthday as a password?
- OK, so my son used my employer's notebook to download some shareware, what's the big deal?


What is your role in Infosec?

Obstacle
- No way can I increase your budget
- We have a freeze on recruitment
- It's not compatible with our corporate culture
- The trade unions won't have it


Defender's 1st step: Culture

- Security relies on everyone
- Security requires many processes
- Security contains many projects which never end
- Only the paranoid succeed and survive


Defender's 2nd step: Reality check

- 100% security can NOT be achieved
- Technology is not enough to guarantee security
- Legislation is not enough to guarantee security
- Security resources must match risk
- Good security practices become barriers


Building effective defences

Building effective defences needs more than technology:

1. Requirements definition, Organization, Asset valuation, Policies and compliance
2. Building blocks, Technical defences, Awareness, Standards, Best practices
3. Incident response, Digital forensics, Legislation
4. Tests, Certification, Audits


Recommendations for Executives (to help contain the headache)

1. Assign responsibility for information security
2. Ask your CIO to certify in writing the security status of your organization's systems
3. Ask your CIO to document all known vulnerabilities
4. Engage a trusted ethical hacker to regularly attack your facilities and systems


Effective Defences 1

Security organization
- Who is responsible for information security in the organization as a whole and at its various locations?
- Who does this person report to?
- Who reviews this person's performance and monitors her/his effectiveness?
- How is security managed with contractors, temporary personnel and outsourcers?
- Who is responsible for dealing with a security incident?


Effective Defences 1

Requirements definition

What threats? What to protect? What value? What vulnerabilities?

How much funding can be made available to implement, operate and manage?

Examples shown on the slide: Inventories, Insurance, Strong locks, Burglar alarm, Remote monitoring, Reinforced doors, Impact-resisting glass, CCTV


Information security

Diagram: value of information assets, threats and vulnerabilities, with countermeasures set against them. The size of the box represents RESIDUAL RISK.

100% security is unachievable.


How much security is enough?

Chart: complexity and cost of security plotted against the acceptable level of residual risk.
- High complexity and cost, low acceptable residual risk: Military, Major outsourcers, Stock exchanges, Fund transfers, Major banks, Telephone companies
- Low complexity and cost, higher acceptable residual risk: Low tech manufacturing
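The residual-risk picture on the previous slide, together with the earlier rule that security resources must match risk, in working form as an added example (not code from the Gelbstein/Kamal presentation): each exposure's asset value, threat likelihood, vulnerability and countermeasure effectiveness are combined into an inherent and a residual figure, and anything above the organisation's acceptable level is listed worst first. The multiplicative model, the `Exposure` fields, the register entries and the tolerance are all assumptions constructed for illustration.

```python
"""Residual-risk register: an added example, not from the Gelbstein/Kamal slides.

Models the slide's picture: asset value x threat likelihood x vulnerability,
shrunk by countermeasures, leaves RESIDUAL RISK, which is compared with the
acceptable level the organisation has chosen. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    value: float           # impact if the asset is lost or disclosed (constructed, k$)
    threat: float          # annual likelihood that the threat materialises, 0..1
    vulnerability: float   # probability the threat succeeds if it occurs, 0..1
    countermeasure: float  # fraction of successful attempts the controls stop, 0..1

    def inherent_risk(self) -> float:
        """Expected annual loss with no countermeasures in place."""
        return self.value * self.threat * self.vulnerability

    def residual_risk(self) -> float:
        """What is left after countermeasures: the 'box' on the slide."""
        return self.inherent_risk() * (1.0 - self.countermeasure)


def above_tolerance(register, acceptable):
    """Exposures whose residual risk exceeds the acceptable level, worst first,
    so that security resources can be matched to risk."""
    hot = [e for e in register if e.residual_risk() > acceptable]
    return sorted(hot, key=lambda e: e.residual_risk(), reverse=True)


# Constructed sample register: values, probabilities and control strengths are illustrative.
REGISTER = [
    Exposure("customer database", value=5000, threat=0.6, vulnerability=0.5, countermeasure=0.9),
    Exposure("public web server", value=800, threat=0.9, vulnerability=0.7, countermeasure=0.6),
    Exposure("internal wiki", value=100, threat=0.3, vulnerability=0.8, countermeasure=0.2),
    Exposure("payroll system", value=2000, threat=0.4, vulnerability=0.3, countermeasure=0.95),
]
ACCEPTABLE_RESIDUAL = 100.0  # constructed tolerance, same units as value


if __name__ == "__main__":
    for e in above_tolerance(REGISTER, ACCEPTABLE_RESIDUAL):
        print(f"{e.asset}: inherent {e.inherent_risk():.0f}, residual {e.residual_risk():.0f}")
```

Note that the web server, not the far more valuable customer database, comes out on top: weaker countermeasures and a more active threat outweigh a lower asset value, which is the point of matching resources to residual rather than inherent risk.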



Effective Defences 1

Asset valuation & impact analysis

What is the value* of:
- Data
- Intellectual property
- Systems (software, hardware)
- Documents
- The Organisation's reputation
- etc.

...if it is disclosed, modified, unavailable or destroyed?

* Financial, commercial, reputation, political, etc.


Effective Defences 1

When does misuse become abuse?

Theft and fraud
- Proprietary information
- Software and equipment
- Employer's time
- Financial gain

Misuse of system privileges
- Modifying personal data (e.g. holiday records)
- Inappropriate access to data, websites, others' e-mail
- Deletion of data

Disclosure
- Confidential information
- Embarrassing information
- Internal gossip and politics

- E-mailing of offensive material, jokes, etc.
- Installation of unauthorized software
- Downloading large files (music, video)
- Personal use of employer's systems and facilities



Effective Defences 1

Policies and compliance

POLICIES are formal statements of how an organization manages information security.

Scope, Documentation, Dissemination, Maintenance, Compliance

Policies without effective compliance measures are ineffective.


Effective Defences 1

Scope of policies
- Acceptable personal use of corporate resources
- E-mail policies for corporate and personal use
- Creation, change and management of passwords
- System / resource access
- Employer's right to monitor and right to access
- Use of encryption
- Physical access and remote access
- Software installation
- Mobile communications and computing
- Database administration
- Employee background checks (pre- and during employment)
- The list goes on...


Effective Defences 1

An e-mail policy would cover
- Legal liability (harassment, copyright, libel, etc.)
- Offensive language/material
- Non-disclosure
- Corporate practices regarding encryption
- Personal use of corporate e-mail
- Employer's right to monitor
- Retention and archival
- Junk and other non-productive e-mail
- Attachments: executable code including macros, audio and video files, other large files
- Virus, worm, other infectious software
- Non-compliance
- etc...


Effective Defences 1

Policies: reality test

Policies must make sense to the personnel if they are to be followed
(30% of all attacks are internal)

Three options regarding compliance:
- Don't bother too much: policies have no credibility
- Tight monitoring and zero tolerance: creates martyrs, loss of trust
- Managed program to address internal abuses


Effective defences 2

Building blocks: authentication, authorization, confidentiality, integrity, non-repudiation, audit


Effective Defences 2 (2)

Building blocks
- Authentication: prove you are who you say you are
- Authorization: the security system checks what you may do with the system
- Confidentiality: data can only be seen by someone authorized to do so
- Integrity: data can only be modified by someone authorized to do so
- Non-repudiation: ability to prove that the information received is the same as the information sent
- Audit: system records of who did what and when
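Four of the six building blocks wired together in one small service, as an added example (not code from the Gelbstein/Kamal presentation): authentication by salted PBKDF2 password verification, authorization by a role table, integrity by an HMAC tag over a document, and an audit record of who did what and when. Confidentiality and non-repudiation are deliberately left out: the Python standard library has no authenticated cipher, and an HMAC key shared by sender and receiver cannot prove to a third party who produced a message (either holder could have), which is what non-repudiation requires and what a per-user digital signature would give. The user names, passwords, roles, permission table, PBKDF2 parameters and document are constructed assumptions.

```python
"""Authentication, authorization, integrity and audit in one place.
Added example, not code from the Gelbstein/Kamal slides; all users, keys and
documents are constructed sample data.
"""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000               # assumption: illustrative work factor
INTEGRITY_KEY = secrets.token_bytes(32)   # shared key for HMAC tags (constructed)


def make_credential(password: str) -> tuple[bytes, bytes]:
    """Store only salt + PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed directory: user -> (salt, digest), user -> roles, action -> roles allowed.
CREDENTIALS = {
    "alice": make_credential("correct horse battery staple"),
    "bob": make_credential("hunter2"),
}
ROLES = {"alice": {"reader", "editor"}, "bob": {"reader"}}
PERMISSIONS = {"read": {"reader", "editor"}, "modify": {"editor"}}

AUDIT_LOG: list[dict] = []  # who did what, when, and whether it was allowed


def audit(user: str, action: str, target: str, allowed: bool) -> None:
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": user, "action": action, "target": target, "allowed": allowed,
    })


def authenticate(user: str, password: str) -> bool:
    """Building block 1: prove you are who you say you are."""
    if user not in CREDENTIALS:
        # Do the same amount of work for unknown users so timing does not reveal valid names.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"x" * 16, PBKDF2_ITERATIONS)
        audit(user, "login", "-", False)
        return False
    salt, expected = CREDENTIALS[user]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    ok = hmac.compare_digest(actual, expected)  # constant-time comparison
    audit(user, "login", "-", ok)
    return ok


def authorize(user: str, action: str, target: str) -> bool:
    """Building block 2: the system checks what an authenticated user may do."""
    ok = bool(ROLES.get(user, set()) & PERMISSIONS.get(action, set()))
    audit(user, action, target, ok)
    return ok


def seal(document: bytes) -> bytes:
    """Integrity tag: any change to the bytes changes the tag."""
    return hmac.new(INTEGRITY_KEY, document, hashlib.sha256).digest()


def verify(document: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(seal(document), tag)


def modify_document(user: str, password: str, document: bytes, tag: bytes, new: bytes):
    """End to end: authenticate, check the input's integrity, authorize, then reseal.
    Returns (new_document, new_tag) or None; every decision lands in the audit log."""
    if not authenticate(user, password):
        return None
    if not verify(document, tag):
        audit(user, "integrity-failure", "document", False)
        return None
    if not authorize(user, "modify", "document"):
        return None
    return new, seal(new)


if __name__ == "__main__":
    doc = b"quarterly report"
    tag = seal(doc)
    print("bob may read:", authorize("bob", "read", "document"))
    print("bob may modify:", modify_document("bob", "hunter2", doc, tag, b"revised") is not None)
    print("alice may modify:", modify_document("alice", "correct horse battery staple", doc, tag, b"revised") is not None)
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log is the part most often skipped in practice: without the denied attempts recorded alongside the allowed ones, the "who did what and when" question on the slide cannot be answered after an incident.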


Effective Defences 2

Technical defences: Tools
- Physical access control
- Infrastructure
  - No single point of failure
  - UPS and standby
  - Clusters, fail-soft, RAID, alternative routing
  - Proxy servers, firewalls
- Data access rights
- Database security
- System security
- LAN & server security
- Firewall security
- Logical access control
- Diagnostics and monitoring
- System administration
- Virus management software
- Encryption software

All properly installed, configured and tested by trained personnel


Effective Defences 2 (2)

Technical defences: Processes

Cluster 1: operations and configuration management
- Software/product quality
- Reduce complexity
- Change control
- Segregation of duties
- Backup/restore
- Media management

Cluster 2: event intelligence
- Risk assessment
- Risk management
- Alert monitoring

Cluster 3: preparedness
- Disaster recovery
- Business continuity
- Crisis management


Effective Defences 2

Sections of ISO 17799
1. Develop and implement security policies
2. Put in place a security organization
3. Maintain an information asset classification
4. Address personnel issues of security
5. Implement physical and environmental security
6. Ensure adequate network and computer operations
7. Implement system and network access controls
8. Build security into systems development
9. Have disaster recovery and resumption plans
10. Compliance with legislation and best practices



Effective Defences 2

COBIT process maturity levels (the slide marks a current status and a strategic target on this scale)
- Non-existent: the process is not managed
- Initial: the process is ad-hoc and disorganized
- Repeatable: the process follows a regular pattern
- Defined: the process is documented and communicated
- Managed: the process is monitored and measured
- Optimized: best practices

COBIT: Control Objectives for Information Technology



Effective Defences 2

Justifying investments

Demonstrating value has always been the BIG challenge for technical practitioners.

Typical ROSI (Return On Security Investment) analysis, cost versus benefit:
- Cost: we spent a million dollars
- Benefit: we think we have not been hacked

The industry is unable to agree on a better way.


Effective Defences 2

More about ROSI

Some of the intangible factors:
- No security metrics standards
- No warranties from vendors or outsourcers, only best efforts

The same is true for:
- Financial controls
- Fire prevention arrangements


Effective Defences 2

Ways to tighten security
1. Promote awareness
2. Know the assets you must protect
3. Invest wisely (more may not be better)
4. Survey the threatscape: who are the enemy?
5. Be vigilant
6. Understand and actively manage risk
7. Ensure security is engineered and designed into the infrastructure
8. Remember it is more than a technical matter
9. Detect and respond


Effective Defences 2

Awareness (topics, by audience: Management, I.T. personnel, All other personnel)
- Disaster recovery, continuity and crisis plans
- Trusted insider risk signals
- Breaches of security, subsequent digital autopsy
- Vendor bulletins about vulnerabilities
- Hacker activities
- CERT and other alerts
- Procedures and policies
- What to do when an incident occurs
- Policies and need for compliance
- Best practices


Effective Defences 2

Good personal practices
1. Use hard-to-guess passwords and ensure non-disclosure
2. Make regular backups of your critical data
3. Use effective protection against malicious code
4. Use a firewall between your computer and the Internet
5. Do not stay on-line unnecessarily or when inactive
6. Look for and quickly install software updates and patches from (trusted) vendors
7. Be careful of e-mail attachments from strangers, and from known persons if the subject line is unusual


Effective Defences 2

Ways to protect your privacy
1. Set up your browser to secure personal information
2. Don't reveal personal details unless you are sure
3. Actively manage cookies
4. Keep a clean e-mail address
5. Remember you may be monitored at work
6. Beware of websites that offer rewards in exchange for your contact or other information
7. Never reply to spam mail
8. Only reveal critical information to an https website
9. Use encryption if appropriate


Effective Defences 2

A word of caution

Tools and good practices increase security. For the end-user, they become a kind of obstacle race: hard-to-remember passwords (the slide's example is Mwf1U4zX) end up prominently displayed on Post-it Notes.


Effective Defences 3

Incident response
- Intrusion detection
- Emergency Response Team
- Problem containment
- Problem resolution
- Restoring normal operations

Digital forensics (also called digital autopsy)
- Determine attack mechanism
- Review adequacy of arrangements
- Search for evidence
- Action plan for internal causes
- Action plan for external causes


Effective Defences 3

How do you respond?

Option 1: a notice reading "Hackers please note: this facility is secured Monday and Friday, 09:00 to 17:00 CET. Please do not visit at any other time. We thank you for your understanding."

Option 2: Emergency response plan + team



Effective Defences 3

Things to do if (when) attacked
1. Don't panic!
2. Call in your incident response team
3. Contain the problem and avoid the quick fix
4. Take good notes in case you need to take legal action
5. Have your backup facilities ready
6. Get rid of the problem
7. Use trusted, uncompromised communications
8. Know what to say, to whom and when
9. Know when to involve crime investigators
10. Conduct an autopsy of the event and your response


Effective defences 4

How do you know you have not been attacked? How do you know that your arrangements will work?
- Tests
- Audits
- Digital autopsy
- Certification

Who tests the testers?

Like your annual medical, it's no guarantee of good health, but it might diagnose a problem.


Effective Defences 4

E-evidence
- Volume and manageability
- Who else has copies?
- Indexing, classification
- Retention, archival
- Media and software
- Right to access
- Right to remove
- Right to destroy


Effective Defences 4

E-evidence headaches (2)
- Hard to trace, particularly cross-border
- Hard to quantify losses
- Lack of clarity about what is court-admissible
- Contractual issues

From civil litigation to criminal litigation: harassment, bullying, impropriety; containable fraud; sabotage; industrial espionage; major fraud. Out of court settlements are common.


Effective Defences 4

E-evidence (3)
- Follow proper procedures for seizure
- Seize computer, media and paperwork
- Assess risk of logical bomb
- Protect the suspect computer from tampering
- Discover, recover and report


Effective Defences 4

Ways to support e-forensics
1. Follow authorized seizure process (ask the lawyers!)
2. Seize and secure equipment, media and papers
3. Shutdown the computer and record it with a video camera
4. Document the hardware configuration
5. Transport to secure location and protect chain of evidence
6. Ensure the computer remains uncompromised
7. Make bitstream backups of hard disk and all media
8. Authenticate data with 128 bit checksum
9. Only use backups for subsequent analysis
10. Document the system's time and date



Effective Defences 4

Ways to support e-forensics (2)
11. Identify all anomalies: hidden disk partitions, hidden files, encrypted files, evidence of erased files, file slack, presence of steganographic software
12. Examine e-mail, Internet and temporary files
13. Fully document all the findings
14. Retain copies of all software used for analysis
15. Only use fully licensed forensic software
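Steps 7 to 10 of the e-forensics list (bitstream copy, checksum, work only on copies, record the system clock) as an added example, not code from the Gelbstein/Kamal presentation. It fingerprints a constructed in-memory "disk image" standing in for a bitstream copy, writes a chain-of-custody record that includes the suspect system's clock skew against a trusted reference, and refuses a working copy that no longer matches. The slide asks for a 128 bit checksum, which implies MD5; collisions for MD5 are well known, so the example assumes SHA-256 instead and records the algorithm name so a later examiner can repeat the check. The image bytes, evidence id, examiner name and clock values are constructed.

```python
"""Forensic copy verification and chain-of-custody record.
Added example, not from the Gelbstein/Kamal slides; the image and all values are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

HASH_ALGORITHM = "sha256"  # assumption: used in place of the 128-bit checksum on the slide


def fingerprint(image: bytes, chunk_size: int = 65536) -> str:
    """Hash the image in chunks, as one would stream a multi-gigabyte file."""
    h = hashlib.new(HASH_ALGORITHM)
    for offset in range(0, len(image), chunk_size):
        h.update(image[offset:offset + chunk_size])
    return h.hexdigest()


def make_custody_record(evidence_id: str, examiner: str, image: bytes,
                        system_clock: datetime, reference_clock: datetime) -> dict:
    """Steps 8 and 10 together: the fingerprint of the original, plus the suspect
    system's own clock against a trusted reference so that its log timestamps
    can be corrected later."""
    return {
        "evidence_id": evidence_id,
        "examiner": examiner,
        "acquired_at": reference_clock.isoformat(),
        "system_clock": system_clock.isoformat(),
        "clock_skew_seconds": (system_clock - reference_clock).total_seconds(),
        "hash_algorithm": HASH_ALGORITHM,
        "fingerprint": fingerprint(image),
        "size_bytes": len(image),
    }


def verify_working_copy(record: dict, working_copy: bytes) -> bool:
    """Step 9: before any analysis, prove the working copy still matches the original."""
    return (len(working_copy) == record["size_bytes"]
            and fingerprint(working_copy) == record["fingerprint"])


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit, to show that a single-bit change breaks verification."""
    copy = bytearray(image)
    copy[offset] ^= 0x01
    return bytes(copy)


# Constructed sample "image": a fake boot sector followed by repeated file content.
SAMPLE_IMAGE = (b"BOOTSECTOR" + b"\x00" * 502) + b"user@example.test: notes.txt\n" * 2000


def demo_record() -> dict:
    """Custody record for the sample image; the suspect clock is 150 s slow (constructed)."""
    reference = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    suspect_clock = datetime(2024, 1, 1, 11, 57, 30, tzinfo=timezone.utc)
    return make_custody_record("EV-PLACEHOLDER-0001", "examiner (placeholder)",
                               SAMPLE_IMAGE, suspect_clock, reference)


if __name__ == "__main__":
    record = demo_record()
    print(json.dumps(record, indent=2))
    print("working copy intact:", verify_working_copy(record, bytes(SAMPLE_IMAGE)))
    print("tampered copy intact:", verify_working_copy(record, tamper(SAMPLE_IMAGE, 600)))
```

The clock skew field is the part people forget: a log entry on the suspect machine timestamped 11:57:30 actually happened at 12:00:00, and without the recorded skew that correction cannot be made in court.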


Effective Defences 4

Things to worry about
1. Time elapsed between an attack and its discovery
2. The size of incident logs (may inhibit discovery)
3. Examining incident logs is boring (easy to miss things)
4. The trusted insider
5. Hard to know what's what in a multi-vendor environment
6. Good security staff are hard to find and harder to keep
7. Hard to define a return on security investment
8. Management detachment (denial of having a role to play)


Effective Defences 4

Things to worry about (2)
9. Limited international cyber-crime legislation
10. Certificate Authorities: the new trust issue
11. Vendors not liable for product vulnerabilities
12. Executives who believe security is not a real issue
13. Liabilities arising from lack of due diligence
14. Need to take cyber-crime insurance
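Worries 1 to 3 on the previous slide (time to discovery, log volume, and the tedium of reading logs) have one practical answer: let a program make the first pass over the whole log and hand a human only the lines worth attention. The following is an added example, not code from the Gelbstein/Kamal presentation. It parses a constructed authentication log, flags a burst of failed logins from one source inside a short window, and flags a success from that same source afterwards, which is the pattern most worth a human's immediate look. The log format, the threshold and window, and every line of sample data are assumptions; the addresses are from the RFC 5737 documentation ranges.

```python
"""First-pass triage of an authentication log.
Added example, not from the Gelbstein/Kamal slides; log format and data are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, result, user, source address.
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-03-04T08:00:01 auth OK user=alice src=198.51.100.10
2024-03-04T08:00:05 auth FAIL user=root src=203.0.113.7
2024-03-04T08:00:06 auth FAIL user=admin src=203.0.113.7
2024-03-04T08:00:07 auth FAIL user=bob src=203.0.113.7
2024-03-04T08:00:08 auth FAIL user=carol src=203.0.113.7
2024-03-04T08:00:09 auth FAIL user=dave src=203.0.113.7
2024-03-04T08:00:11 auth OK user=dave src=203.0.113.7
2024-03-04T08:15:00 auth FAIL user=bob src=198.51.100.22
2024-03-04T09:30:00 auth FAIL user=bob src=198.51.100.22
2024-03-04T09:30:30 auth OK user=bob src=198.51.100.22
"""

FAIL_THRESHOLD = 5               # this many failures from one source ...
WINDOW = timedelta(seconds=60)   # ... inside this window is worth a look (assumed values)


def parse(log_text: str):
    """Return (events, unparsable_count); malformed lines are counted, not silently dropped,
    because a sudden rise in unparsable lines is itself a signal."""
    events, bad = [], 0
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            bad += 1
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"], "user": m["user"], "src": m["src"],
        })
    return events, bad


def triage(events):
    """Findings: one 'burst' per source that crosses the threshold, and a
    'success-after-burst' for any later successful login from that source."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    burst_sources = set()
    findings = []
    for e in events:
        q = recent[e["src"]]
        if e["result"] == "FAIL":
            q.append(e["ts"])
            while q and e["ts"] - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and e["src"] not in burst_sources:
                burst_sources.add(e["src"])
                findings.append(("burst", e["src"], e["ts"]))
        elif e["src"] in burst_sources:
            findings.append(("success-after-burst", e["src"], e["ts"], e["user"]))
    return findings


if __name__ == "__main__":
    evs, bad = parse(SAMPLE_LOG)
    for finding in triage(evs):
        print(*finding)
    print(f"{len(evs)} events, {bad} unparsable lines")
```

The two failures from 198.51.100.22 an hour apart never cross the threshold, so they stay out of the findings: the point of the window is to separate a forgotten password from an automated guessing run without anyone reading ten thousand lines.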


Conclusion

Sounds daunting? It is. You have two options:
a. Be prepared (Act now)
or
b. Improvise when it happens (React then)
