Dr K Subramanian

Presentation given by Dr K Subramanian, Director and Professor, Advanced Centre for Informatics and Innovative Learning (ACIIL), IGNOU, on August 3rd, 2011 at eWorld Forum (www.eworldforum.net) in the session Information Management and Security.

Slide notes

  • Security of Insecurity: Cyber Assurance Framework, 3rd August 2011, Prof. KS@2011, eGov World Forum 2011
  • Note on the Symantec slide: model of how customers view their security needs; introduce Symantec's process to secure your enterprise (APRM)
  • Several slides are reused from the speaker's earlier decks, whose footers remain in the notes: "Cyber Security: Insurance to Assurance" (Secure IT 2011, Delhi, 20th April 2011); "Cyber Assurance: The Need for Technologists & Business of 'Morrow" (SUNY BUF lecture, 27th November 2007); "CXOs & Business Assurance Focus" (CISO Forum, 29th October 2010); "eSecurity Governance ~ Corporate Governance" (IOD lecture, March 22, 2009); "Corporate Governance & Assurance" (29th November 2007); "CBS Convergence 2007" (25th October 2007); "Cyber Assurance for Trusted Financial Services" (2nd Bank Tech Congress, Mumbai, 7th January 2008); Digital Administration Conference, Chennai (18th March 2008)
  • Maturity model note: the development was guided by the Software Engineering Institute's efforts in the late 80s in building maturity models for software development. By using such a scale, an organization can determine where it is, define where it wants to go and, if it identifies a gap, do an analysis to translate the findings into projects. Reference points can be added to the scale. Comparisons can be performed with what others are doing, if that data is available, and the organization can determine where emerging international standards and industry best practices are pointing for the effective management of security and control.

Presentation Transcript

  • Securing the Unsecured World: 21st Century Challenge. Creating Digital Trust & Cyber Security. Cyber Assurance: Need of the Enterprises of 'Morrow. Prof. K. Subramanian, SM(IEEE), SMACM, FIETE, SMCSI, MAIMA, MAIS, MCFE; Professor & Director, Advanced Center for Informatics & Innovative Learning (ACIIL), IGNOU; Hon. IT Adviser to CAG of India & Ex-DDG (NIC), Min. of C & IT; President, Cyber Society of India; Emeritus President, eInformation Systems Security Audit Association (eISSA), India
  • Important Notable Quotes
    • "Ever since men began to modify their lives by using technology they have found themselves in a series of technological traps." Roger Revelle
    • "The law is the last interpretation of the law given by the last judge." Anon.
    • "Privacy is where technology and the law collide." Richard Smith (who traced the 'I Love You' and 'Melissa' viruses)
    • "Technology makes it possible for people to gain control over everything, except over technology." John Tudor
  • IS: Impacts, Threats, Controls and Properties
    • Business impacts: losing to competition, loss of customers, loss of credibility, embarrassment, financial loss
    • Threats: fraud & theft, scavenging, virus attack, accidental damage, natural disaster, unauthorised access, interception, Trojan horses, incomplete program changes, hardware/software failure, social engineering attack, data diddling
    • Controls: passwords, encryption, anti-virus, backups, hardware maintenance, security guards, input validations, audit trails, program change documentation, authorisation, business continuity plan
    • Properties protected: integrity, confidentiality, availability
  • Cyber Security: A Holistic View (source: Symantec Inc.)
    • Proactive control
    • Authentication
    • Access control & authorization
    • Identity management
    • Antivirus
    • Firewall
    • Intrusion detection
    • VPN
    • Encryption
    • Content updates & security response
    • 24x7 global customer support
    • Attack recovery tools/services
    • Honeypot & decoy technology
    • Threat management & early warning
    • Vulnerability assessment
    • Policy compliance
    • Event & incident management
    • Configuration management
    • Common console
  • Typical Global Scenario
    • Cyberspace is dynamic, undefined and exponential
    • Countries need dynamic laws, keeping pace with technological advancements
    • In a virtual space, netizens exist, citizens don't!
    • Trust in e-environments
    • Lack of a mature IT society
    • Absence of a single governing body
    • Legislation
    • High skill inventory
    • Reduced fear of being caught
    • Disgruntled employees
    • Data, mobility, questions of responsibility
    Cyber Threats 2011-12
  • IT Security Predictions 2011-2012 (source: IBM's X-Force research team)
    • 1. Pirated software will drive insecurity in much more dynamic ways than previously realized. Users of pirated software are afraid to download updates, and so are exposed to security risks because their software is entirely unpatched. Also, newer versions of pirated software now come with malware pre-installed. As a result, users of pirated software will become the new "Typhoid Marys" of the global computing community.
    • 2. Social engineering meets social networks and ups the ante for creative compromises. Criminal organizations are increasingly sophisticated in how they attack different social networking sites. For example, Twitter is being used as a distribution engine for malware. LinkedIn, however, is being used for highly targeted attacks against high-value individuals. We will see these organizations use these sites in creative new ways in 2010 that will accelerate compromises and identity theft, especially as new commercial applications increase the disclosure of valuable personal information on these sites.
  • IT Security Predictions 2011-2012 (continued)
    • 3. Criminals take to the cloud. We have already seen the emergence of "exploits as a service." In 2012 we will see criminals take to cloud computing to increase their efficiency and effectiveness.
    • A rise in attacks on health care organizations will occur for similar reasons.
    • Continued attacks on retailers big and small, tax authorities, and school/college/university systems: anywhere lots of records are kept by organizations that haven't traditionally had best-practice security in place.
  • In the Era of the Digital Age
    • Can all users be identified (e.g., employees, contractors, and business partners)?
    • Do IT managers know what users have access to?
    • Can all the interactions among users, assets, and applications be identified?
    • Do IT managers have verifiable evidence that controls are working, and that appropriate action takes place when a policy infraction occurs? Does this evidence exist in minutes rather than months?
    • No one standard meets all requirements: advise on specific group standards (medical, commerce/trade services, high-end KPOs)
    • Ten Important Imperatives
      • IT & law
      • Security & risk
      • Business integration
      • Value to the enterprise
      • Alignment = collaboration
      • Governance and funding
      • IT sourcing & ITES outsourcing
      • Performance measures
      • Growing talent
      • Beyond customer service
  • Cyber Assurance ~ Business Assurance: a Feeling of Comfort for Enterprises
    • Insurance: if assets are classified and risk is indexed, this gives financial compensation for re-creation of lost assets
    • Audit: internal & external; indicates deficiencies in systems and processes and in resource utilisation (use & abuse)
    • Certification against management standards
    • Business assurance: multi-layered
        • Managerial
        • Operational
        • Network/technological
        • Financial
        • Legal
        • Impact
  • Challenging Issues: Is security a technology issue? Is trust a management issue? Is privacy a social issue?
  • Present Risk and Certification Issues: Trust
    • Trust cannot be bought or sold. It has to be created.
    • Trust is earned and not given away.
    • A trusted third party or a trusted CA raises the questions: trusted in relationship to whom? trusted by whom? trusted for what? trusted for how long?
  • Layered E-trust Framework
    • Infrastructure layer: PKI technology; trusted digital identity infrastructure
    • Layer 2: computing e-trust services and shared e-trust applications (service provider example: Identrus)
    • Single e-trust applications: B2B, B2C, SET, C2C
  • Measurement of IT Projects: Value and Effectiveness
    • IT assessment criteria: 1. Validity or relevance; 2. Protectibility; 3. Quantifiability; 4. Informativeness; 5. Generality; 6. Transferability; 7. Reliability to other parts of the organization
    • Effectiveness: utility, efficiency, economy, control, security
    • Assessment of IT functions: strategy, delivery, technology, people, systems
  • ASSURANCE
    • Key Areas of Assurance
        • Organizational: systems in place to identify & mitigate differing risk perceptions of stakeholders to meet business needs
        • Supplier: confidence that controls of third-party suppliers are adequate & meet the organization's benchmarks
        • Business partners: confirmation that security arrangements with partners assess & mitigate business risk
        • Services & IT systems: capability of developers and suppliers of IT services & systems to implement effective systems to manage risks to the organization's business
    • Benefits of Assurance
        • Contributes to effectiveness & efficiency of business operations
        • Ensures reliability & continuity of information systems
        • Assists in compliance with laws & regulations
        • Assures that organizational risk exposure is mitigated
        • Confirms that internal information is accurate & reliable
        • Increases investor and lender confidence
  • Business Pressures and Identity Gaps (slides reused from the CISO Forum, 29 October 2010, Delhi, and from 15th April 2009)
    • Business pressures
        • Internal competition from liberalization
        • World competition from globalization
        • Entrenched competition abroad
        • Asymmetry in scale, technology, brands
        • Industry shakeouts and restructuring
    • Responses
        • Learn more about own businesses.
        • Reach out to all business & function heads.
        • Sharpen internal consultancy competences.
        • Proactively seize the repertoire of MS & partners.
        • Foster two-way flow of IS & line talent.
    • Identity gaps in India
        • Uniform naming convention: absent
        • Birth & death registration: incomplete
        • No social security registration number
        • Identity documents such as phones and driving licences are not available to everybody
        • Electoral ID database: not a complete set, but covers at least 600-650 million records; not auditable and verifiable
        • PAN & other ID numbers not available for everybody; not auditable & verifiable
        • UID may be a successful verifiable database
  • Identity Factors (slide reused from a Cognizant address, 23rd June 2005)
    • By knowledge (what the user knows)
        • Password: static or dynamic (one-time)
        • PIN
    • By possession (what the user holds)
        • Token
        • Card
    • By inherence (what the user is)
        • Biometrics
    • By government-issued identifier
        • PAN (taxation)
        • Passport
        • Social security number
        • Citizenship ID number
        • Senior citizen number
  • Most enterprises have no common, unified database of user profiles, access rights, and device identity. This puts the integrity of core infrastructure network services in jeopardy in the following areas:
    • Security
    • Reliability
    • Cost
    • Software version control
    • Scalability
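The slides above ask whether every user can be identified, whether IT managers know what users have access to, and whether evidence that controls are working exists in minutes rather than months; the slide just before this adds that most enterprises have no unified database of user profiles and access rights. The script below is an added example, not part of the original presentation, showing one way to produce that evidence: it reconciles an HR roster against account exports from two systems and a role-to-entitlement policy, and reports orphaned accounts, accounts of departed people that are still active, and entitlements a role does not justify. Every person, system, role and entitlement in it is constructed for illustration.

```python
"""Access-review reconciliation over constructed data (added example).

Joins an HR roster with account exports from two systems and a
role-to-entitlement policy, and returns the findings an auditor asks for.
All people, systems, roles and entitlements are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Roster = Dict[str, Tuple[str, str]]                  # employee id -> (role, status)
Policy = Dict[str, Set[str]]                         # role -> entitlements it may hold
Account = Tuple[str, str, Optional[str], Set[str]]   # (system, account, owner id, entitlements)

# Constructed sample inputs.
HR_ROSTER: Roster = {
    "e100": ("dba", "active"),
    "e101": ("developer", "active"),
    "e102": ("contractor", "active"),
    "e103": ("developer", "terminated"),
}

ROLE_POLICY: Policy = {
    "dba": {"db:read", "db:admin", "vpn"},
    "developer": {"repo:write", "vpn"},
    "contractor": {"repo:read"},
}

ACCOUNTS: List[Account] = [
    ("erp", "e100", "e100", {"db:read", "db:admin", "vpn"}),
    ("erp", "e101", "e101", {"repo:write", "vpn", "db:admin"}),  # db:admin is not a developer entitlement
    ("erp", "e103", "e103", {"repo:write", "vpn"}),               # owner has left the company
    ("git", "svc-build", None, {"repo:write"}),                   # no owner on record
    ("git", "e102", "e102", {"repo:read", "repo:write"}),         # contractor holding write access
]


@dataclass
class Findings:
    orphaned: List[str] = field(default_factory=list)          # "system/account" with no known owner
    departed_active: List[str] = field(default_factory=list)   # owner is not active in HR
    excess: Dict[str, Set[str]] = field(default_factory=dict)  # account -> entitlements beyond its role

    def is_clean(self) -> bool:
        return not (self.orphaned or self.departed_active or self.excess)


def reconcile(roster: Roster, policy: Policy, accounts: List[Account]) -> Findings:
    """Check every account against the roster and the policy for its owner's role."""
    findings = Findings()
    for system, account, owner, entitlements in accounts:
        key = f"{system}/{account}"
        if owner is None or owner not in roster:
            findings.orphaned.append(key)
            continue                       # no role to measure the entitlements against
        role, status = roster[owner]
        if status != "active":
            findings.departed_active.append(key)
        extra = entitlements - policy.get(role, set())
        if extra:
            findings.excess[key] = extra
    return findings


def access_matrix(accounts: List[Account]) -> Dict[str, Set[str]]:
    """Answer 'what does each user have access to?' across all systems, keyed by owner."""
    matrix: Dict[str, Set[str]] = {}
    for system, _, owner, entitlements in accounts:
        who = owner or "<unowned>"
        matrix.setdefault(who, set()).update(f"{system}:{e}" for e in entitlements)
    return matrix


if __name__ == "__main__":
    f = reconcile(HR_ROSTER, ROLE_POLICY, ACCOUNTS)
    print("orphaned accounts:       ", f.orphaned)
    print("departed but still active:", f.departed_active)
    print("entitlements beyond role: ", f.excess)
    for who, ents in sorted(access_matrix(ACCOUNTS).items()):
        print(f"{who}: {sorted(ents)}")
```

Run against real exports, the same three lists are the evidence the slide asks for: each finding names a system and account, so it can be turned into a ticket the same day rather than waiting for a periodic audit.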
  • Transition: Insurance → Assurance, and the Assurance Layered Framework
    • Insurance
    • Audit: pre, concurrent, post
    • IT audit: environmental, operational, technology, network, financial, management, impact
    • Electronic continuous audit
    • Certification
    • Assurance
        • Management & operational assurance (risk & ROI)
        • Technical assurance (availability, serviceability & maintainability)
        • Financial assurance
        • Revenue assurance (leakage & fraud)
        • Legal compliance & assurance (governance)
  • Internal Threat Models and Mitigation Tools
    • Known threat assessment approaches
        • Privilege graph [Dacier et al. 94]: vertices/nodes represent privilege states; edges/arcs represent privilege escalation
        • Attack graph [Phillips et al. 98, 01, 02]: vertices/nodes represent network states; edges/arcs represent atomic exploits
    • Shortcomings
        • Too many details, very fine-grained
        • Without automation, model instantiation is cumbersome
        • Model checking can help, but suffers from the state explosion problem
        • Insider attacks may succeed without privilege escalation or vulnerabilities
    • Recent insider threat mitigation tools: Skybox View; SureView from Oakley Networks; iGuard from Reconnex; Content Alarm from Tablus; Vontu from Vontu, Inc.
        • Rule-based techniques
        • Detect policy violations
        • Forensic analysis
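To make the attack-graph model above concrete, here is an added example (it is not from the presentation or from the cited papers) that encodes a network state as the set of (privilege, host) facts an attacker holds and each atomic exploit as a precondition/postcondition rule, then searches the graph breadth-first for the shortest path to a goal. It also exercises two of the listed shortcomings: the insider case, where the goal is reached with no vulnerability or escalation at all, and state explosion, where k independent footholds produce 2^k reachable states. The hosts, exploit names and facts are hypothetical.

```python
"""Attack-graph search over a constructed toy network (added example).

A state is a frozenset of (privilege, host) facts the attacker holds.
An atomic exploit is a rule: when every fact in `requires` holds, `grants` is added.
Hosts, exploit names and facts below are hypothetical.
"""
from collections import deque
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

Fact = Tuple[str, str]        # (privilege, host)
State = FrozenSet[Fact]


@dataclass(frozen=True)
class Exploit:
    name: str
    requires: FrozenSet[Fact]  # preconditions, all must hold
    grants: Fact               # single fact gained on success


def exploit(name: str, requires: Iterable[Fact], grants: Fact) -> Exploit:
    return Exploit(name, frozenset(requires), grants)


# Constructed network: internet -> web server -> database host.
EXPLOITS: List[Exploit] = [
    exploit("rce_on_web_app", [("net", "internet")], ("user", "web")),
    exploit("read_db_creds_from_config", [("user", "web")], ("cred", "db")),
    exploit("login_to_db_with_creds", [("user", "web"), ("cred", "db")], ("user", "db")),
    exploit("local_privesc_on_db", [("user", "db")], ("root", "db")),
    exploit("dump_customer_table", [("root", "db")], ("data", "customers")),
    # A DBA reads the same table through an authorised query: no vulnerability and
    # no escalation, so a graph built only from vulnerabilities would never show it.
    exploit("authorised_query", [("dba", "db")], ("data", "customers")),
]


def successors(state: State, exploits: Iterable[Exploit]) -> List[Tuple[Exploit, State]]:
    """Each applicable exploit and the state it leads to (facts only accumulate)."""
    return [(e, state | {e.grants})
            for e in exploits
            if e.requires <= state and e.grants not in state]


def shortest_attack_path(initial: Iterable[Fact], goal: Fact,
                         exploits: Iterable[Exploit] = EXPLOITS
                         ) -> Tuple[Optional[List[str]], int]:
    """Breadth-first search from `initial` until `goal` holds.

    Returns (exploit names in order, number of distinct states visited);
    the path is None when the goal is unreachable.
    """
    exploits = list(exploits)
    start: State = frozenset(initial)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        state, path = queue.popleft()
        if goal in state:
            return path, len(seen)
        for e, nxt in successors(state, exploits):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [e.name]))
    return None, len(seen)


def fan_out_exploits(k: int) -> List[Exploit]:
    """k independent footholds reachable from one vantage point."""
    return [exploit(f"exploit_host{i}", [("net", "internet")], ("user", f"host{i}"))
            for i in range(k)]


def reachable_states(initial: Iterable[Fact], exploits: Iterable[Exploit]) -> int:
    """Size of the whole state graph: every subset of independent footholds is its
    own state, so k independent exploits give 2**k states (state explosion)."""
    exploits = list(exploits)
    start: State = frozenset(initial)
    seen = {start}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for _, nxt in successors(state, exploits):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen)


if __name__ == "__main__":
    outsider, n = shortest_attack_path([("net", "internet")], ("data", "customers"))
    print("outsider:", " -> ".join(outsider), f"({n} states explored)")
    insider, _ = shortest_attack_path([("dba", "db")], ("data", "customers"))
    print("insider:", insider)   # a single authorised step, no vulnerability used
    for k in (4, 10, 14):
        print(f"{k} independent footholds -> "
              f"{reachable_states([('net', 'internet')], fan_out_exploits(k))} states")
```

The outsider path is five exploits long and the search visits only six states because the chain is linear; the fan-out case shows why a full-state model becomes intractable on real networks, and the insider path shows why the tools listed on the slide monitor policy violations rather than only vulnerabilities.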
  • Managing Interdependencies: Critical Issues
    • Infrastructure characteristics (organizational, operational, temporal, spatial)
    • Environment (economic, legal/regulatory, technical, social/political)
    • Coupling and response behaviour (adaptive, inflexible, loose/tight, linear/complex)
    • Type of failure (common cause, cascading, escalating)
    • Types of interdependencies (physical, cyber, logical, geographic)
    • State of operations (normal, stressed/disrupted, repair/restoration)
  • Cyber Governance Components
    • Environmental & ICT infrastructure
    • Operational (logistics integration)
    • Technology (synergy & convergence)
    • Network (multi-modal network)
    • Management (HRM, SCM & CRM)
    • Impact (feedback correction)
    • Integration dimensions: operational (functional), professional (HR), emotional/cultural, technology
  • Corporate Governance and Business Assurance Framework
    • Global phenomena: combines the UK Code and SOX of the USA; Basel II & III; project governance; IT governance; human & humane governance
    • India initiatives: 1. Clause 49; 2. Basel II & III (RBI); 3. SEBI corporate governance implementation directives; 4. Risk management (RBI & TRAI); 5. MCA initiatives
    • CXO ~ CEO internal strategic alliances
        • CIO & CEO: business-led information strategy
        • CIO & CMO: competitive edge & CVP
        • CIO & CTO: cost-benefit optimization
        • CIO & CFO: shareholder value maximization
        • CIO & CHRO: employee performance and rewards
        • CIO & business partners: virtual extended enterprise
    • The productivity/performance promise
        • Capital productivity (ROI, EVA, MVA)
        • Material productivity (60% of cost)
        • Managerial productivity (information worker)
        • Labour productivity (enabled by IW)
        • Company productivity (micro); factor productivity (macro)
    Business vs Cyber Alliances
  • Standards, Standards, Standards: Technical vs Management (slide from the BMS CII Conference, New Delhi, April 14-15, 2009, Prof. KS@2009)
    • Security
    • Audit
    • Interoperability
    • Interface (systems/devices/communications)
    • Architecture/building blocks/reusable
    • HCI (human-computer interface)
    • Process (quality & work)
    • Environmental (physical, safety, security)
    • Data interchange & mail messaging (information/data exchange)
    • Layout/imprint
    • Technical standards: specifications, mainly for interoperability, accessibility and interactivity
    • Management standards: auditable & verifiable; certification & compliance
  • Importance of Group Standards: no one standard meets all requirements. ISO 27001/BS 7799 vs COBIT vs CMM vs ITIL. Mission → Business Objectives → Business Risks → Applicable Risks → Internal Controls → Review
  • CERTIFICATION
    • Semantic issues: What is certification; what does it denote and mean? What are the principal concepts and elements of certification? What additional concepts and notions are expressed and implied by certification? What is the intent of the certification; what are you trying to do in certifying something?
    • Technological issues: How is certification achieved? How are the prerequisites and context for certification established? What is it you are certifying (object of certification)? Certification with respect to what (basis for certification)? What relation must exist for certification (object/basis relation)? What activities/decisions are prerequisite for certification? How and when is certification to be conducted?
    • Administrative issues: Who does the certification? Who is the recipient of the certification? What is the significance of the certification for the certifier? What is the significance of the certification for the recipient? Why certify?
  • eSecurity Technologies
    • Cryptography & cryptology
    • Steganography
    • Digital watermarking
    • Digital rights management
    • Cyber defence technologies (firewall, IDS/IPS, perimeter and self-defence)
    • Access control & ID management (rule-, role- and demand-based)
    • Signatures (digital/electronic)
    • Cyber forensics & cyber audit
  • Security Governance Maturity Model (slide from Secure IT 2011, New Delhi, April 20, 2011)
  • Perfect Security: A Dream
    • "Perfect security is not achievable."
    • "At the end of the day, [the security function] is about managing the frequency and magnitude of loss."
    • "In security matters, there is nothing like absolute security."
    • "We are only trying to build comfort levels, because security costs money and lack of it costs much more."
    • "Comfort level is a manifestation of efforts as well as a realization of its effectiveness & limitations."
    • Concerns: privacy vs society; safety; security; trust
  • "IT Regulations and Policies: Compliance & Management" Prerequisites: Physical Infrastructure and Mind-set
    • PAST: We have inherited a past for which we cannot be held responsible.
    • PRESENT: We have fashioned the present on the basis of development models which have undergone many mid-course corrections.
    • FUTURE: The path to the future, a future in which India and Indians will play a dominant role in world affairs, is replete with opportunities and challenges.
    • In a number of key areas, it is necessary to break from the past in order to achieve our vision.
    • We have within ourselves the capacity to succeed.
    We have to embrace an Integrated Security & Cyber Assurance Framework.
  • Security Governance: Final Message
    • "In governance matters the past is no guarantee; the present is imperfect and the future is uncertain."
    • "Failure is not when we fall down, but when we fail to get up."
  • Thank you
    • For further information please contact:
    • E-mail: [email_address], [email_address], [email_address]
    • Phone: 91-11-29533068
    • Fax: 91-11-29533068
    • ACIIL, IGNOU, Block 7, Room 16, IGNOU Campus, Maidan Garhi, New Delhi-110002
    Let all of us work together to make our country a secure, developed nation.