Introduction to IT Security
Advances in technology have given rise to new operational threats to governments, companies and society as a whole; this presentation is an introduction to countermeasures against cyber threats.
  • The cyberwar strategy relies on hacking, virus writing, electronic snooping and plenty of good old-fashioned human spying. Much disruption can be unleashed over the Internet, but attackers first need to pry open electronic gates to private and secure networks with well-placed insiders, or at least inside knowledge, before they can be effective. Source: Far Eastern Economic Review, Copyright (c) 2001, Dow Jones & Company, Inc., Thursday, August 16, 2001, Innovation, Cyberwar, Combat on The Web; Charles Bickers in Tokyo
  • Take some of the examples and put them in a concrete context. Probe participants on what they are doing currently to protect against some of these methods. DO NOT GO INTO DETAIL IN THIS MODULE, WE COME BACK TO THIS LATER.
  • The bullets are just examples of the three main motives. Be sure to exemplify most of them. Invite participants to come up with other motives and see if they fit into the three top categories. There’s no direct relationship between threats and motives, basically any mix is possible. However, the teen hackers are mostly hacking for personal motives. Criminals almost exclusively do it for economic gain.
  • From an information management perspective, we divide the infrastructure into three distinct areas:
    - Network – the communication infrastructure that carries traffic for e-commerce and can be internet based as well as private. This includes Wide Area, Local Area and Metro Area Networks, Storage Area Networks, Wireless Networks and Voice Networks.
    - Application – the logical structure that includes all of the applications currently used to create efficiencies in the work place.
    - Operating System (OS) – the nucleus that makes both communication and application functions possible. This includes clients, servers and mainframes: Mainframe, UNIX, MAC, Windows X.
    The security & privacy dimensions of this model that need to be addressed any time data is accessed are: Authentication, Confidentiality, Access Controls, Data Integrity, Audit-ability, Non-Repudiation and Availability.
  • Incident response stages:
    - Detection – Incidents are detected from many sources such as People, Customer Service Desks, Audits, Alerts and the Technology Trouble Ticket System.
    - Assessment – Determine scope and assemble Response Team members.
    - Analysis – Classify the incident; determine actions and possible escalation requirements; and work with the Response Team to determine actions.
    - Containment – Activities designed to keep the incident from escalating in severity and to limit the number of affected clients.
    - Forensics – When required, identify, preserve, and analyze potential evidence.
    - Resolution/Recovery – Determine the extent of damage and the type of response needed; prepare the necessary resolution statements (e.g. notification letter, inbound and outbound scripts); evaluate whether notification is necessary and then document lessons learned. It is at this stage that other major stakeholders may be involved, such as Human Resources, OGC, Public Relations, Physical Security and Law Enforcement.

Presentation Transcript

  • INTRO TO IT SECURITY, by Cade Zvavanjanja, CISO, Gainful Information Security
  • AGENDA: Information Security; Information Privacy; Risk Management; Opportunities & Markets; Some Examples
  • HOLISTIC IT SECURITY (slide 3, diagram of security disciplines): Vetting / Information References; Business Security Disciplinary Interfaces; Policies; Procedures; Build Standards; Awareness & Training; IT/IS Threat Modelling; Anti-Virus; Development Security in SDLC; Patch Management; Application Vulnerability Assessment; Data Storage; Penetration Testing; Configuration Testing / Reviews; Access Control; Encryption; Ecommerce Site Reviews; Firewalls; Legislative Compliance; Intrusion Detection
  • INFORMATION WARFARE: THE MATRIX UPLOADED – SO WHAT?
  • TODAY'S TREND: Terrorists; White Collar Crime; Insider/Espionage; Open Source; Disasters; Theft; Scripts; ID Theft
  • IT Security
  • SO WHO CARES? You care about information security and privacy because:
    - Information Security is a constant and a critical need
    - Threats are becoming increasingly sophisticated
    - Countermeasures are evolving to meet the threats
    - You want to protect your assets and privacy
    - You want to know what tools are there for protection
    - Information security, information privacy, and legal and compliance are inter-related
  • INCREASE IN SECURITY INCIDENTS (two charts; the plotted values are not recoverable from the transcript). Chart 1: Malicious Code Infection Attempts* (0–900M) and Network Intrusion Attempts** (0–120,000) by year, 1995–2002, annotated with the eras Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer) and Zombies. *Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated. **Source: CERT. Chart 2: CERT/CC Reported Vulnerabilities 1988–2003; total number of incidents reported from 1988–2003 is 319,992; average yearly increase of 40%.
  • SOME POLLS SUGGEST (source: CSO). Which of the following is the #1 priority? Wireless Security (16%); Spam/AntiVirus (17%); Identity Management (27%); Disaster Recovery (21%); Other (19%). Which of the following poses the greatest threat? Natural Disaster (36%); Terrorist Attack (12%); Cyberattack (52%)
  • SCARY DATA
    US Government Data:
    - Id theft is perpetrated by hackers and their associates who steal personal information and identity (e.g. social security numbers) in order to commit various forms of fraud by assuming your identity
    - FTC reports that over 27.3 million Americans in the past 5 years reported their ID stolen
    - FTC survey revealed that ID theft costs consumers and business 53 billion in 2002
    - The FBI estimates that the number one threat to internet users is identity theft
    - Approximately 350,000 to 500,000 citizens fall victim to "id theft" every year
    Industry Data:
    - ID theft increased to 81% in 2002
    - Main cause for fraud is id theft
    - U.S.-based banks: 37 percent said identity theft significantly increased; 34 percent said it slightly increased; 24 percent said identity theft rates had stayed the same; 5 percent reported that the rates decreased
  • CYBERTERRORISM: "Cyberterrorism is any 'premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents.' Cyberterrorism is sometimes referred to as electronic terrorism or information war." (U.S. Federal Bureau of Investigation)
  • INFORMATION WARFARE: Use of or attacks on information and information infrastructure to achieve strategic objectives. Tools in hostilities among:
    - Nations
    - Trans-national groups (companies, NGOs, associations, interest groups, terrorists)
    - Corporate entities (corporations, companies, government agencies)
    - Individuals
  • LEVELS OF INFORMATION WARFARE
    - Against individuals: Theft, impersonation; Extortion, blackmail; Defamation, racism
    - Against organizations: Industrial espionage; Sabotage; Competitive intelligence
    - Against nations: Disinformation, destabilization; Infrastructure destabilization; Economic collapse
  • PRIME TARGETS
    - Companies with hiring volatilities: Financial, communication, manufacturing, transportation and retail
    - Companies with lower volatility: Utilities, government, healthcare and education
    - Areas: IDS, Firewall, Anti virus, Identity management; Product design, policy; Privacy vs. Security; Security administration; Training and awareness
  • POTENTIAL TARGETS AGAINST OUR INFRASTRUCTURE: Electricity; Transportation; Water; Energy; Financial; Information Technology; Emergency Services; Government Operations
  • WHY USE CYBER WARFARE? Low barriers to entry – laptops cost a lot less than tanks and bombs. Our world is dependent on computers, networks, and the Internet. Denial of service has economic, logistical, and emotional effect. Low cost to level the playing field.
  • INFORMATION WARFARE STRATEGIES. The basic elements are: Hacking; Malicious code; Electronic snooping; Old-fashioned human spying. Mass disruption can be unleashed over the internet, but attackers must first compromise private and secure networks (i.e. Unclassified, Secret, Top Secret).
  • WHAT ARE THE METHODS? Password cracking; Network eavesdropping; Viruses; Intrusion attacks; Trojan horses / RATS; Network spoofing; Worms; Session hijacking; Denial-of-service attacks; E-mail impersonation; Packet replay; E-mail eavesdropping; Packet modification; Network packet modification; Cryptography; Steganography; Identity theft
  • HACKERS: INFORMATION WARRIORS?
    - Inflicting damage: Alter, damage or delete information; Deny services; Damage public image
    - Economic gain: Steal information; Blackmail; Financial fraud
    - Personal motives: Retaliate or "get even"; Political or terrorism; Make a joke; Show off / Just because
    - Who: Elite Hackers (Black Hat, Grey Hat, White Hat, No hat); Malicious Code Writers; Criminal Enterprises; Trusted Insiders
  • THE TRADITIONAL HACKER ETHIC
    i. Access to computers should be unlimited and total
    ii. All information should be free
    iii. Mistrust authority – promote decentralization
    iv. Hackers should be judged by their hacking, not criteria such as age, race, etc.
    v. You can create art and beauty on the computer
    vi. Computers can change your life for the better
  • GEOPOLITICAL HOTSPOTS – TRENDS
    - WESTERN EUROPE: Cyber-activists with anti-global/anti-capitalism goals; some malicious code
    - EASTERN EUROPE/RUSSIA: Malicious code development; fraud and financial hacking
    - CHINA: Targeting Japan, U.S., Taiwan and perceived allies of those countries
    - U.S.: Multiple hacker/cyber-activist/hacktivist groups; random targets
    - MIDDLE EAST: Palestinian hackers target Israeli .il websites; some pro-Israel activity
    - INDIA-PAKISTAN: Worldwide targets, Kashmir-related and Muslim-related defacements
    - BRAZIL: Multiple hacker groups, many mercenary; random targets
  • A BALANCED SECURITY ARCHITECTURE: a single, unifying infrastructure that many applications can leverage. A good security architecture:
    - Provides a core set of security services
    - Is modular
    - Provides uniformity of solutions
    - Supports existing and new applications
    - Contains technology as one component of a complete security program
    - Incorporates policy and standards as well as people, process, and technology
    (Diagram: Policy, Standards, and Process; People; Technology)
  • BASIC INFORMATION SECURITY COMPONENTS
    - AUTHENTICATION: How do we know who is using the service?
    - ACCESS CONTROL: Can we control what they do?
    - CONFIDENTIALITY: Can we ensure the privacy of information?
    - DATA INTEGRITY: Can we prevent unauthorized changes to information?
    - NONREPUDIATION: Can we provide for non-repudiation of a transaction?
    - AUDITABILITY & AVAILABILITY: Do we know whether there is a problem? Whether it's soon enough to take appropriate action? How to minimize/contain the problem? How to prevent denial of service?
  • DATA GOVERNANCE & CONTROLS (matrix slide; the cell marks did not survive extraction). Rows: Information Management Infrastructure (IMI) layers – Application, Networks, OS. Threats: Disclosure of information; Unauthorized access; Loss of integrity; Denial of service. Controls: Non-repudiation; Authentication; Confidentiality; Data Integrity; Audit ability; Access Control; Availability.
  • INFORMATION SECURITY CONTROL AREAS: Information Security Policies; Roles and Responsibilities; Asset Classification and Handling; Personal Security; Physical Security; System and Operations Management Controls; General Access Controls; System Development Life Cycle; Business Continuity; Compliance, Legal and Regulatory
  • WHAT IS @RISK?
    - Financial & Monetary Loss Risk: Payroll information leakage
    - Reputation Risk: Distributed attacks from campus; Terrorism; Laptop theft; ID Theft
    - Litigation & Regulatory Risk: HIPAA, GLB, CA 1386
  • INFORMATION SECURITY BODIES, STANDARDS & PRIVACY LAWS
    - Standards & Privacy Laws: British Standards (ISO 17799); EU Data Protection Act of 1998 (DPA); Health Insurance Portability and Accountability Act (HIPAA); Fair Credit Reporting Act (FCRA)
    - National Institute for Standards & Technology (www.NIST.gov): Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
    - Computer Emergency Response Team (www.cert.org): The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
  • Information Privacy
  • PRIVACY GOVERNANCE ARCHITECTURE (diagram; elements: Process, Opt-in/out, Security/Privacy, Organization, Compliance, Policy, Technology, Regulatory Requirement, People)
    - Planning and Strategy: Privacy Strategy; Data Classification Analysis; Privacy Teams; Policy Development; Policy Update Plans; Decision Management; Privacy Support Architecture; Awareness
    - Program: Privacy Risk Assessments; Data Governance; Vendor Governance; Technology Planning; Business Process Review; Information Security; Information Privacy
    - Program Metrics / Maturity: External Support Infrastructure; Privacy Auditing; Incident Response; Crisis Management; Knowledge Management; Consumer Support Infrastructure; Open Source Intelligence
  • HIGH LEVEL OVERVIEW – Privacy Incident Response Process (diagram)
    - Detection: Detect incident; Identify source of identified incident; Log incident; Reduce false positives
    - Assessment: Determine scope; Assemble Response Team; Collect & sort facts
    - Analysis: Determine scope; Assemble Response Team; Collect & sort facts
    - Containment: Technology containment; Process containment; Procedure containment
    - Digital Forensics: Engage digital forensics process; Collect evidence; Engage 3rd party
    - Resolution & Reporting: Notify client; Notify regulators; Remediate; Analyze long term effects; Analyze lessons learned
  • Information Security & Privacy Risk Management
  • RISK MITIGATION: 100% risk mitigation and not 100% control. A good Information Management Infrastructure:
    - Provides a modular core set of controls
    - Supports existing infrastructures and new applications
    - Incorporates policy and standards, people, process, and technology
    - Provides a horizontal and vertical risk assessment program
    - Provides a collaborative issues resolution system
    Balanced Information Management Infrastructure (IMI) Risk Mitigation:
    - Vertical – up and down controls in branches and business units
    - Horizontal – policies, best practices, processes and priorities across the organization
    (Diagram: People, Policies/Standards & Guidelines, and Information Technology balanced around a SELF or AUTOMATIC Equilibrium Point)
  • RISK MANAGEMENT METHODOLOGY: Risk Assessment; Risk Tolerance; Organizational Dynamics; Point of Balance; Key Risk Indicator; Risk Takers
  • KEY RISK INDICATORS (diagram feeding a Risk Evaluation Model and Risk Rating): Asset Value; Stakeholders; Pen Testing; Site Reviews; Vendor Audit Reviews; Regulatory Compliance; Self Assessment; Security & Privacy Incidents; Loss Amount/ROI; Business Impact
  • Market Opportunities
  • DEMAND – BASED ON GARTNER STUDIES: General IT staff outsourcing has gone up 24% since the US recession was over. Growth in IT staff augmentation will be limited and in single digits. Security outsourcing is trending up: Identity management; Vulnerability Assessment; Operations; Firewall management, anti-virus and IDS
  • INFOSEC PEOPLE
    - Typical jobs for contract: Business Intelligence; Business Analysis; Risk Management; Information Security Officer; Information Privacy Officer; Digital Forensics Experts
    - Job seeker support to help professionals identify new career opportunities when they are unemployed or contingency searching due to circumstances at their workplace;
    - Contractor placement to help independent contractors identify and secure short and long term contract work based on hourly rates; and
    - Corporate candidate search to help clients identify candidates for new or vacant positions, as well as contingency searching to stage replacement of human resources
  • TYPES OF RECRUITING
    - Contract & Temporary – constant spread based: profit margins are small; limited; hourly, weekly, monthly
    - Permanent – one time commission based: entry levels; mid levels; management, technical, operations, design & architecture
    - Outsourcing – profit margins are high
  • Some Examples
  • WHAT IS SOCIAL ENGINEERING? Social Engineering is the art and science of tricking one or more human beings into doing what an attacker wants them to do, or into revealing information that compromises a target's security. Classic Social Engineering scams include posing as a field service technician and calling an operator to reveal private information such as passwords. Social Engineering is an evolving art that uses the simplest and most creative schemes and involves minimal technical expertise.
  • TERRORISTS AND STEGANOGRAPHY?
  • Thank You. Tel: +236 733 782 490; +263 773 796 365; +263 -4- 733 117. Eml: info@gis.co.zw, cade@gis.co.zw. Web: www.gis.co.zw