Security Awareness

A security awareness presentation created for an audience of senior officials from MTNL (India's foremost telecom PSU). The presentation covers the fundamentals of Information Security, its evolution, and present-day risks from the IT and telecom infrastructure perspective.



  1. Digital Crime, Fraud & Forensic Investigations, Governance Risk and Compliance, IT Asset Management, License Management, Cyber Security, Cyber Labs. At MTNL, Mumbai. By Dinesh O Bareja, November 19, 2013
  2. Introduction • Audience • Us.. Pyramid & Dinesh • Today's Program Plan • Information Security Fundamentals • Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept) • What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.) • When and How to Secure • First steps and discussions
  3. Established and well-known Cyber Security and Forensics Consulting organization for the past decade • Cyber Forensics Labs in 22 states across India • Qualified, experienced and certified team of Forensic and InfoSec professionals • Full range of InfoSec services – strategy, design, implement, maintain, test, response, investigation, protection
  4. Managed Security Services as per RBI/IDRBT guidelines • Compliance with ISO, RBI, IDRBT, IT Act etc. as applicable • ISMS Policies, Procedures, Audit Program as per ISO27001 • Ethical hacking, Software Security • Open Source technology adoption • Security Awareness Training • Forensic and Incident Response…
  5. Professional Positions: Jharkhand Police – Cyber Defence Research Centre (Cyber Security Advisor) • Bombay Stock Exchange – IGRC (Technical Member) • Open Security Alliance (CEO) • Pyramid Cyber Security & Forensics (Principal Advisor) • Indian Honeynet Project (Co-Founder). Professional skills and special interest areas: Technologies: SOC, DLP, IRM, SIEM… • Practices: Incident Response, SAM, Forensics, Regulatory guidance.. • Security Consulting and Advisory services for IS Architecture, Analysis, Optimization in Government and Enterprises • Community: mentoring, training, citizen outreach, India research.. • Opinionated blogger, occasional columnist, wannabe photographer
  6. MTNL was set up on 1st April, 1986 by the Government of India • Started as Bombay Telephone in 1882, in the pre-independence era • MTNL is the largest Broadband service provider in Mumbai • National Critical Infrastructure: provides landline services, high-speed broadband through ADSL, 3G, VoIP, IPTV among a range of telecom services
  7. Introduction • Audience • Us.. Pyramid & Dinesh • Information / Data Security • Today's Program Plan • Information Security Fundamentals • Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept) • What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.) • When and How to Secure • First steps and discussions
  8. Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized. When data is processed, organized, structured or presented in a given context so as to make it useful, it is called Information. Knowledge is a combination of information, experience and insight that may benefit the individual or the organization. Source: http://www.infogineering.net/data-information-knowledge.htm
  9. Regulatory / Corporate / Data Secrets: • Credit card data • Intellectual property • Privacy data • Financial information • Health care information • Trade secrets
  10. Image source: http://movetheworld.wordpress.com/2008/01/16/evolution-of-information-security-technologies/
  11. DATA → INFORMATION: interpret data so that it has some value and meaning for the user. INFORMATION → KNOWLEDGE: a combination of information & data, experience and insight that is built through a brain's processes.
  12. Information Security: the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Data Security: protecting data or a database from destructive forces and the unwanted actions of unauthorized users.
  13. Even a young man has to use a walking stick! Technology advancement has brought about dramatic change in life and work and continues its march of dynamic growth. It was an era of innocence and invention from when computing started up to the time when the internet was unveiled. Over the years it has metamorphosed into a force we are still trying to understand and has brought with it 'great expectations' from the human beings who are in charge!
  14. Image source: http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentialscomic/
  15. Image source: http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentialscomic/
  16. Information Technology is NOT a support function. Information Security is NOT a cost center.
  17. Requires ABSOLUTE management support – absolutely and unconditionally • Management MUST have a high level of awareness of risks and must maintain a high level of visibility • Risks, Threats and Metrics arising from IT / IS must be a regular item on the board • Board must receive regular intelligence advisories • Fires, floods, and such disasters will see the CxO on the frontlines… earning respect
  18. Empower security teams • Define roles and responsibilities • Ensure strong and well-defined processes for managing risk, controls, BCP/DR, communication • Automate processes • InfoSec Management systems must have strong governance
  19. Various standards like ISO27001, ISO22301, ISO 20000, ISO 14000 • Frameworks like ITIL, PCI-DSS, NIST • Laws and Regulatory requirements – IT Act, Guidelines, Data Protection etc.
  20. IT Security …
  21. ISO27001: 11 Domains, 39 Control Objectives, 133 Controls. Domains: Security Policy • Organization of Information Security • Asset Management • Human Resource Security • Physical and Environmental Security • Communications and Operations Management • Access Control • Information Systems Acquisition, Development and Maintenance • Information Security Incident Management • Business Continuity Management • Compliance
  22. ISO22301 – BCP/DR • ISO19770 – Software License • ISO31000 – Risk Management • ISO27011 – Telecom ISMS • BS10002 – Data Classification • ISO31010 – Risk Terminology
  23. Policies and Procedures • Risk Management • Asset Information • Data Classification • Incident Management • BCP/DR • Configuration, Change • Compliance Requirements
  24. SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean) • While SHODAN is a search engine, it is much different from content search engines like Google, Yahoo or Bing • Rather than locating specific content for a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners
  25. PwC – State of Information Security in India Report 2013
  26. Telecom Security …
  27. An unexplained suicide • Reputation loss for Vodafone • Rootkit on Ericsson AXE MSE • Involvement of CIA?? Not proven • Case is not yet resolved • Motive is unknown
  28. CMS/IMS regime • Radia Tapes • Lawful interception • Hardware Security
  29. Licence security conditions:
      23.7(i) Security Responsibility – Complete and total responsibility for security of networks, under which the following must be done: Network Forensics, Network Hardening, Network PT, Risk Assessment
      23.7(ii) Security Audit – Conduct a network security audit once a year by a network audit certification agency, as per ISO15408 and ISO27001
      23.7(iii) Security Testing – Network elements must be tested as per defined standards: IT and IT-related elements against ISO15048, ISMS against ISO27001; telecom elements against 3GPP / 3GPP2 security standards. Up to 31 Mar 2013 this can be done overseas, and after this date in India
      23.7(iv) Security Configuration – Include all security features, as per standards, while procuring equipment and implement the same. Maintain a list of all features while equipment is in use. The list is subject to inspection by the Licensing Authority
      23.7(v) Security Personnel – CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central database, softswitches … all must be Indian Nationals.
  30. Introduction • Audience • Us.. Pyramid & Dinesh • Information / Data Security • Today's Program Plan • Information Security Fundamentals • Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept) • What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.) • When and How to Secure • First steps and discussions
  31. Hacked on Aug 14, and the site was still down as of Aug 16. Earlier hack in June 2013, by Anonymous, to protest against censorship; the site was down for 6 hours
  32. Stuxnet, Flame, Shamoon, Russian Nuclear Plant (last week), Duqu, Gauss. RUMOURS – ISRO, Fukushima, Baker Hughes, ConocoPhillips, Marathon, Chevron
  33. Viruses • Piracy • Data Integrity • MMS • Identity Theft, Website defacement • Trojans, Worms, APT • Ransomware
  34. Low Orbit Cannon – used by Anonymous to launch DDoS attacks • Blackhole Exploit Kit (pre-made attack tools and packages; available for download, it is a full-fledged, highly sophisticated attack suite – a widely used, web-based software package which includes a collection of tools that leverage web browser security gaps. It enables the downloading of viruses, bots, trojans and other forms of malicious software onto the computers of unsuspecting victims. Prices for such a kit range from $50 for a single day's usage, up to $1,500 for a full year) • Managed Crime Services • Card Markets • Information Exchange • Cyber Mercenaries for Hire • Botnets (available for as low as $500)
  35. Introduction • Audience • Us.. Pyramid & Dinesh • Information / Data Security • Today's Program Plan • Information Security Fundamentals • Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept) • What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.) • When and How to Secure • First steps and discussions
  36. Documented policies, procedures, audit procedures • Risk Management • Access Management – privileged users, passwords, onboarding, offboarding • HR – background checks • Configuration, Change, Patch, Backup • Network Traffic and Forensics • Threat Intelligence • End Point Protection
  37. Infrastructure Security Assessment • Training • Awareness • Mobile device management • Asset Management • Compliance (internal and external) • Application Security • Incident Management & Response
  38. Encryption • Version Control with source code review to thwart logic bombs
  39. Introduction • Audience • Us.. Pyramid & Dinesh • Information / Data Security • Today's Program Plan • Information Security Fundamentals • Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept) • What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.) • When and How to Secure • First steps and discussions
  40. The revelation of PRISM has changed the way we look at the future. What was to happen is already happening – the NSA can keep tabs on the global population! Microsoft, Google, Adobe and all the big names in technology are implicated. We have been dreaming and planning to get out of commercial systems into the open source domain, and these events have pushed the future into the present.
  41. Policies / Procedures / Documentation • DLP • SIEM • Network Forensics • Secure Web Applications • Periodic VA and PT • Audit and Review
  42. Malware • APT • Data Breach • Denial of Service • Slow response in the face of change • Lack of actionable intelligence • Insufficient Capability and Capacity • Weak Incident Response and Crisis Management
  43. Insecure Applications • Lack of awareness • Internal – Human Error • Fraud • Default Passwords, hardening • Phishing / Vishing • Logic Bombs
  44. Introduction • Audience • Us.. Pyramid & Dinesh • Information / Data Security • Today's Program Plan • Information Security Fundamentals • Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights-on concept) • What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.) • When and How to Secure • Next steps and discussions
  45. Cloud • Mobile • Computers will be wearable, blowable • Smart grid • Driverless car
  46. Crackers for Hire (cyber mercenaries) • Cyber Espionage • Ransomware / Lockout • Denial of Service • Technology Obsolescence • Fake Employees • Internal Frauds
  47. [Word cloud: everyday concerns – flight timings, what phone to buy/gift, how to do a web check-in, gadgets, global events, email – alongside enterprise concerns – risks (tech / business), people issues, enterprise targets, enterprise finance, all processes, business IT, networks, org growth, systems, onboarding / exits, background checks, compliance, liabilities, contribute ideas. Image © freedigitalphotos (royalty-free, attribution)]
  48. Current State Evaluation – People, Process and Technology • Gap Analysis as per ISO / ITA • Forensics as a Service • Incident Response • Policy Development aligned to Enterprise and National Strategies • Build internal Governance Structures • Emergency & Crisis Response Team • Awareness Program • IS Controls Implementation • Training
  49. Questions
  50. Head Office: FB-05, NSIC Software Technology Park Extn, Okhla Industrial Estate, New Delhi-110020 • T: +91-9650894671 • F: +91-11-26322980 • E: contact@pyramidcyber.com • Mumbai Office: 308 Orbitz Premises, Chincholi Bunder Road, Malad West, Mumbai 400064 • T: +91.9769890505 • E: dinesh.bareja@pyramidcyber.com • www.pyramidcyber.com
  51. References: http://en.wikipedia.org/wiki/Information_Security • http://en.wikipedia.org/wiki/Data_security • Raoul – tstf.net • http://www.infogineering.net/data-information-knowledge.htm • Google • Various internet resources
