Information Security Risk Management

By Fredrick P. Holborn

Published in: Technology

  • 1. Theft Happens: Data Security for Intellectual Property Managers. Presented by Fred Holborn on behalf of Psiframe, Inc. to the Intellectual Property Society, July 16, 2003. For more information, visit and Copyright © 2003 Psiframe, Inc. All Rights Reserved.
  • 2. Today’s Situation
    - 92% of large organizations detected computer security attacks in 2003.
    - 75% acknowledged financial losses due to computer breaches.
    - Theft of proprietary information caused the greatest financial loss: $2.7 Million average.
    Source: CSI / FBI Computer Crime and Security Survey, April 2003
  • 3. $2.7 Million . . .
    - Profit vs. Loss for ____, Inc?
    - $____ Annual Interest Expense?
    - $____ Million in Additional Revenue to Recoup?
  • 4. Founding Premise: “Improve the security of a site by breaking into it.” Dan Farmer, 1993, Creator of SATAN (Security Analysis Tool for Auditing Networks). Source:
  • 5. Psiframe’s Purpose. Psiframe enables organizations to Lock Down Data Systems and Network Security by:
    - Performing “Real World” Risk Assessments.
    - Identifying Exploitable Vulnerabilities from an Attacker’s Perspective.
    - Recommending “Best Practice” Solutions.
  • 6. Goals and Objectives
    - Protect Information Assets through a program of regularly conducted assessments that quantify and enable mitigation of unacceptable risks.
    - Develop understanding and consensus among executive and technology leaders to achieve and validate strong security.
  • 7. Assessing IP Assets on IP Networks
    - What are the IP Assets and their values?
    - What are the actual threats to IP Assets facilitated by vulnerabilities on Networks?
    - What consequences are possible if threats arise?
    - What are the probabilities that thefts will happen?
    - What safeguards can be deployed?
    - What investments are required for safeguards?
  • 8. What’s Vulnerable? Examples:
    - Hardware Devices
    - Operating Systems & Applications Software
    - Systems Architecture & Configurations
    - Data Transmission & Encryption Protocols
    - Access Control Methods
    - People
  • 9. Reported Hardware & Software Vulnerabilities per Year. Source: Computer Emergency Response Team Coordination Center, Copyright © 1998-2003 Carnegie Mellon University
  • 10. How Did This Happen?
    - Internet connectivity is “Open” by design.
    - Faith and trust in “Firewalls” is misplaced.
    - Software and hardware security remains poor.
    - Complexities of systems & network configurations are “Incomprehensible”.
  • 11. What’s Required for Strong Security? Awareness? Assessments? Budgets? Compliance? Resources? Procedures? Training? Policies? Skills?
  • 12. What’s At Risk?
    1. Information Assets
    2. Business Relationships
    3. Network Infrastructure
  • 13. 1. Information Assets At Risk
    - Trade Secrets
    - Designs & Processes
    - Business Plans
    - Personnel Records
    - Financial Transactions
    - Privileged Communications
  • 14. 2. Business Relationships At Risk
    - Customer & Partner Data Confidentiality
    - Production & Service Quality
    - Industry Reputation
    - Competitive Advantage
    - Regulatory Compliance
    - Investor & Stakeholder Confidence
  • 15. 3. Network Infrastructure At Risk
    - Authentication & Privacy
    - Availability of Systems & Resources
    - Customer & Supplier Connectivity
    - Functionality of Software Applications
    - Integrity of Records & Databases
    - Business Continuity
  • 16. Network Security Roadmap
    1. Establishing Executive Mandates for Assessments
    2. Comparing Audit Methodologies & Deliverables
    3. Identifying Exploitable Vulnerabilities
    4. Exposing Firewall Circumventions
    5. Detecting & Monitoring Wireless Access
    6. Revealing Information Leakage & Sources
    7. Recognizing Critical Infrastructure & IP Threats
    8. Implementing Lock Down & Best Security Practices
    9. Maintaining Federal & State Regulatory Compliance
    10. Managing Ongoing Processes & Oversight
  • 17. Establishing Executive Mandates for Strong Security. Source:
  • 18. Comparing Audit Methodologies
    1. Policy & Procedure Review
       - Determine Existence & Extent of Written Policies
       - Question: Can it Prove Policy Adherence or Effectiveness?
    2. Automated Scanning Tools & Scripts
       - Low-Cost Product Purchase or Outsourced Option
       - Question: Can they Combine & Correlate Multiple Findings?
       - Question: Do they Produce False Positives?
       - Question: Are Validities of Results Affected by Version Currency?
  • 19. Comparing Audit Methodologies
    3. “Red Team” Vulnerability, Exploit & Pen. Testing
       - Simulates Real-World Scenarios (Many Tools & Methodologies)
       - Combines & Correlates Multiple Results (Human Approach)
       - Validates Indications in “Day 0” Time
       - Determines Actual Risks to Specific Assets
       - Proves Existence/Efficacies of Policies & Practices
       - Tailors Recommendations to Specific Environments
       - Connects IT Leadership with Sr. Management
       - Drawback: Scalability Limited by Availability of Specialists
  • 20. Comparing Deliverables
    - Paper Based or Interactive Reports?
    - Level of Comprehensiveness?
    - Includes Both Vulnerability & Risk Assessments?
  • 21. Psiframe’s RiskPoints™ eDeliverable. RiskPoints is a trademark of Psiframe, Inc.
  • 22. Identifying Exploitable Vulnerabilities. Examples:
    - Routers
    - Operating Systems
    - Service Applications (Mail, FTP, DNS, etc.)
    - Web Applications
    - Configuration Errors
    - Authentication Weaknesses
    - People
  • 23. Exploit Example: Router. Cisco IOS Vulnerability & Exploit. This vulnerability enables eavesdroppers to sniff email and monitor other traffic while transparently forwarding it to its intended destination within milliseconds.
    - Once privileged (administrative) access to the Client’s router was gained, Psiframe installed an encapsulated tunnel (Virtual Private Network) between the router and a Psiframe server on the Internet.
    - Using this technique, Psiframe was able to surreptitiously capture any or all outgoing traffic from the Client's network.
  • 24. Exploit Example: Web Server. Microsoft IIS Vulnerability & Exploit. This vulnerability enables intruders to deface Web sites, install worms that attack other sites, or leverage them as stepping-stones to penetrate back-end systems such as database servers with credit card data.
    - Once root access was gained to the Client’s Web server, Psiframe had full administrative control over all files and configuration settings.
    - From the Web server, Psiframe was able to penetrate further and access other systems on the Client's internal network that “trusted” the Web server through the firewall.
  • 25. Exposing Firewall Circumventions
    - Vulnerable Systems, Services and Software
    - Misconfigured Firewalls & Network Topologies
    - Dual-Homed Devices
    - Modems
    - Rogue & Insecure Wireless Access Points
  • 26. Firewall Circumvention Example
  • 27. “WiFi” Wireless LANs
    - 2003 Worldwide Users: 5 Million +
    - Advertised Useable Distance: ~ 300 Feet
    - Encryption: None (default) / 40 bit & 128 bit (WEP)
    - Authentication: None (default) / Various Types
    - User IP Address Assignment: Auto (default) / None
  • 28. “WiFi” Wireless LANs. “By year-end 2002, 30 percent of enterprises will suffer serious security exposures from deploying wireless local area networks (WLANs) without implementing the proper security… At least 20 percent of enterprises already have ‘rogue’ WLANs attached to their corporate networks, installed by users looking for the convenience of wireless and unwilling to wait for the IS organization to take the lead… Fixing the exposure after a hacking attack cannot recapture lost intellectual property and sensitive customer information.” (Gartner) Source:
  • 29. Wireless “WiFi” LANs. Potrero Hill, San Francisco WiFi Access Points, July 1, 2003. Drive Count = 376.
    - Green: No Encryption
    - Red: Encryption (WEP) Enabled
    Note: Unpopulated streets not scanned.
  • 30. Exploiting WiFi Range Extension: Intercepting Client Data 1.2 Miles From Source
  • 31. Information Leakage Examples
    - Whois: Search Domain Account Holder Records
    - Dig-It: Query DNS for Host Names & IP Addresses
    - Netcraft: What’s That Site Running?
    - Google: Technical Newsgroup Archives
  • 32. Info Leakage Example: Netcraft. Source:
  • 33. Info Leakage Example: Newsgroups
  • 34. Recognizing Critical Infrastructure
    - IP Asset Storage Locations & Shared Files
    - Authorized Users & Privileges
    - Networked Devices & Services
    - Access Points
    - Interconnections
    - Single Points of Failure
    - Failover, Backup & Recovery Systems
  • 35. Locking Down With Best Practices. “Best Practices” is a Consensus of Approaches:
    - SANS Institute
    - NSA Security Recommendation Guides
    - IETF Site Security Handbook
    - NIST Computer Security Resource Center
    - AICPA Trust Services Principles and Criteria
  • 36. Maintaining Regulatory Compliance. Examples of New California & Federal Legislation:
    - Security Breach Information Act
    - Notification of Risk to Personal Data Act
    Consult Your Attorney.
  • 37. New California Law. This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person... Source:
  • 38. Proposed Federal Law. A bill to require Federal agencies, and persons engaged in interstate commerce, in possession of electronic data containing personal information, to disclose any unauthorized acquisition of such information. This Act may be cited as the “Notification of Risk to Personal Data Act”... Source:
  • 39. Manage Process & Oversight. Strong Security Is Not An Option.
    - Cultivate C-Level Awareness
    - Regularly Assess Risks, Threats & Vulnerabilities
    - Provide Administrator Training
    - Review Incident Detection, Reporting & Response Programs
  • 40. Why Leverage Psiframe?
    - Real World Scenarios
    - Comprehensive Audit Framework
    - Impartial & Objective Findings
    - Interactive RiskPoints eDeliverable
    - Best Practice Recommendations
    - Expert Knowledge & Skills Transfer
  • 41. Recommended Actions
    1. Involve Board-Level Management
    2. Review a Sample Composite Deliverable
    3. Request an Engagement Agreement
    4. Conduct a “Baseline” Assessment
    5. Attend the Findings Presentation
    6. Measure Improvement Quarterly
  • 42. Contact: Fred Holborn. Desk 925.803.4131. Cell 925.876.6903. Email: Web:
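Slides 6 and 7 describe a risk assessment that quantifies asset values, threat probabilities, consequences and safeguard costs so that "unacceptable risks" can be ranked and mitigated. The deck gives no formulas, so the following is an added example, not Psiframe's RiskPoints method or code: it applies the standard single loss expectancy / annualized rate of occurrence / annualized loss expectancy arithmetic of quantitative risk assessment to a constructed register of three assets drawn from slides 13, 24 and 25. Every dollar figure, rate and safeguard below is an invented sample value, and the risk appetite threshold is an assumption.

```python
# Added example (not from the Psiframe presentation): a small quantitative risk
# register in the spirit of slides 6-7. All figures are constructed sample data.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str              # the information asset at risk (slide 13)
    threat: str             # the threat facilitated by a network vulnerability (slide 7)
    asset_value: float      # dollar value of the asset (constructed)
    exposure_factor: float  # fraction of that value lost per incident, 0..1
    aro: float              # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # "what investments are required for safeguards?" (slide 7)
    aro_after: float        # residual incidents per year once the safeguard is in place


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = asset value x exposure factor: the loss from a single incident."""
    return round(risk.asset_value * risk.exposure_factor, 2)


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: the expected loss per year from this threat."""
    return round(single_loss_expectancy(risk) * risk.aro, 2)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Net annual benefit of a safeguard: ALE before - ALE after - annual cost.

    A positive value means the safeguard saves more than it costs; a negative
    value means the investment exceeds the loss it prevents.
    """
    residual = replace(risk, aro=safeguard.aro_after)
    return round(
        annualized_loss_expectancy(risk)
        - annualized_loss_expectancy(residual)
        - safeguard.annual_cost,
        2,
    )


def unacceptable_risks(risks: list[Risk], appetite: float) -> list[Risk]:
    """Risks whose ALE exceeds the annual risk appetite, highest ALE first."""
    over = [r for r in risks if annualized_loss_expectancy(r) > appetite]
    return sorted(over, key=annualized_loss_expectancy, reverse=True)


# Constructed sample register: three assets named on slides 13, 24 and 25.
SAMPLE_RISKS = [
    Risk("trade secrets on file server", "theft via compromised router", 5_000_000, 0.4, 0.1),
    Risk("public web server", "defacement / stepping stone to back-end", 300_000, 0.5, 0.5),
    Risk("engineering LAN", "eavesdropping via rogue WLAN", 1_000_000, 0.2, 0.3),
]

# Constructed safeguards, keyed by asset (costs and residual rates are invented).
SAMPLE_SAFEGUARDS = {
    "trade secrets on file server": Safeguard("quarterly assessment + lockdown", 60_000, 0.02),
    "public web server": Safeguard("patch management + hardened build", 20_000, 0.1),
    "engineering LAN": Safeguard("wireless survey + WEP-to-authenticated WLAN", 15_000, 0.05),
}


def risk_report(risks=SAMPLE_RISKS, safeguards=SAMPLE_SAFEGUARDS, appetite=70_000) -> list[dict]:
    """One row per risk: SLE, ALE, whether it exceeds appetite, and safeguard net value."""
    rows = []
    for r in risks:
        s = safeguards[r.asset]
        rows.append({
            "asset": r.asset,
            "sle": single_loss_expectancy(r),
            "ale": annualized_loss_expectancy(r),
            "unacceptable": annualized_loss_expectancy(r) > appetite,
            "safeguard": s.name,
            "safeguard_value": safeguard_value(r, s),
        })
    return rows


if __name__ == "__main__":
    for row in risk_report():
        flag = "EXCEEDS APPETITE" if row["unacceptable"] else "within appetite"
        print(f"{row['asset']:<32} ALE ${row['ale']:>12,.2f}  {flag:<16}"
              f" {row['safeguard']}: net ${row['safeguard_value']:,.2f}/yr")
```

The `unacceptable_risks` list is what a board-level mandate (slide 16, step 1) would act on, and `safeguard_value` answers slide 7's last question: a safeguard whose net value is negative is one the assessment should not recommend at that price, even if the risk it addresses is real.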