Information security management v2010

Information Security Management presentation presented to students of MBA class at UAB

Published in: Technology
1. Information Security Management. Joe Vest (CISSP, CISA, CEH), 4/08/2010

2. About Me
   - Information Technology field for over 10 years
   - Security design and engineering for the last 5 years
   - Industry certified (CISSP, CISA, CEH)
   - Former security researcher at the FBI Malware Lab
   - Recently employed by Regions Bank as Information Security Engineer and Application Penetration Tester
   - Currently employed as an Army civilian in Information Assurance

3. Information Security
   - Today's goal: provide an awareness of information security and its role in business
   - What is Information Security?
   - Why Manage Information Security?
   - How to Manage Information Security?
   - Security Misconceptions
   - State of Security Today
   - Real World Examples

4. What is Information Security?
   - Wikipedia definition: Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

5. What is Information Security? CIA
   - Confidentiality
     - Keeping secrets secret
   - Integrity
     - Preventing unauthorized changes
   - Availability
     - Maintaining access to systems

6. What is Information Security? Trust
   - Security is built on trust
     - People trust people
     - Users trust web browsers
     - Websites trust users
     - Trust can be inherited (transitive)
       - A trusts B
       - B trusts C
       - = A trusts C
7. Why Manage Information Security?
   - Examples of Physical Security Failures
   - Compliance
   - Protect Assets
   - Business Requirement
   - Customers Demand Security
   - Social Responsibility

8. Why Manage Information Security? Real World Examples of Physical Security Failure
   - Let's take a look at something we may already understand.
   - Examples of physical security failures help illustrate the importance of information security.

9. Real World Examples of Physical Security Failure: Does your security work?

10. Real World Examples of Physical Security Failure: Security should not be confusing

11. Real World Examples of Physical Security Failure: This is just funny

12. Real World Examples of Physical Security Failure: Computers are everywhere

13. Real World Examples of Physical Security Failure: Security should protect something

14. Real World Examples of Physical Security Failure: Do it yourself boarding pass? Site taken down by Feds in 2006

15. Real World Examples of Physical Security Failure (image only)

16. Real World Examples of Physical Security Failure (image only)

17. Real World Examples of Physical Security Failure (image only)

18. Why Manage Information Security? What about these?
   - XSS
   - CSRF
   - Remote Code Injection
   - SQL Injection
   - Man in the Middle
   - Brute Force Password Attack
   - Buffer Overflow
   - Race Condition
   - Clear Text Transmission of Sensitive Information
   - ARP Poisoning
   - Zero Day Attack
   - Remote Code Execution
   - DNS Cache Poisoning
   - Phishing
19. Why Manage Information Security? Compliance
   - Federal and state laws
   - PCI-DSS, HIPAA, SOX, GLBA, FFIEC, FISMA

20. Why Manage Information Security? Protect Assets
   - The impact of loss from a security incident can be extreme
   - Critical business processes can become unavailable
   - Damage to brand or share price
   - Direct losses
   - Litigation and liability

21. Why Manage Information Security? Business Requirement
   - Information security is not much different than physical security.
   - Why do you keep your doors locked?
   - Would you leave a cash register open and unattended?

22. Why Manage Information Security? Customers Demand Security
   - Customers have an expectation that their information will be protected.
   - It is important to have well documented processes and procedures to show "You are doing the right thing to protect information."

23. Why Manage Information Security? Social Responsibility
   - Resources you place on the internet can be used by others for their own gain.
   - Although you may only have a blog or brochure site, the resource can be used to support criminal activity.

24. How to Manage Security
   - Implement a security framework
     - ISO 27001/27002
     - COBIT
     - Formal or informal
   - Classify information
   - C-level position to oversee security
   - Roles assigned to manage and implement security
   - Information Technology staff are not (necessarily) security experts

25. How to Manage Security: Controlling a Security Framework
   - PDCA ("Plan-Do-Check-Act") is an iterative four-step problem-solving process typically used in business process improvement. It is also known as the Deming Cycle.
   - A controlling process to monitor and improve security processes
26. Information Security Management Process (PDCA cycle diagram: Plan, Do, Check, Act)
   - Policies, procedures, controls
   - Business continuity planning
   - ISO 27001 ISMS
   - Technology implementation
   - Information security awareness
   - Security audit
   - Compliance and governance review
   - Risk assessments
   - Take corrective action
   - Take preventative action based on risks identified
   - Implement updates to controls

27. Security Framework: ISO 27002 Control Framework
   - Risk Assessment: understand assets, their threats, and how likely a threat is to successfully exploit the asset
   - Security Policy: formal document outlining what is expected when implementing systems
   - Organization of Information Security: authorized staff that focuses on information security
   - Asset Management: inventory and classification of information assets
   - Human Resource Security: security of employees joining and leaving an organization
   - Physical Security: protection of information system facilities

28. Security Framework: ISO 27002 Control Framework (continued)
   - Communication and Operations: technical security controls of network systems
   - Access Control: restriction of access to systems
   - Information Systems Acquisition, Development and Maintenance: build security into applications
   - Incident Management: planned response to a security incident
   - Business Continuity Management: protect and maintain critical business functions
   - Compliance: conforming with policies, standards, laws and regulations

29. Security Framework: Other Considerations
   - Audit
   - Oversight committee
   - Vendor compliance
   - Penetration testing
30. Common Misconceptions
   - I have a firewall, I am safe
     - Firewalls protect your border. What about inside the network?
     - Is the firewall configured properly?
     - Is the firewall monitoring what is leaving the organization?
   - I have up-to-date antivirus software
     - Antivirus is good at detecting known attacks.
     - Once a system is compromised, antivirus software is useless.
     - Antivirus is currently estimated at 80%-85% effective

31. Top antivirus vendors miss 10-20% of new threats!

32. Common Misconceptions
   - I encrypt my data. It is safe.
     - Encryption is great while data is at rest.
     - Once data is moved or opened, it must be decrypted and is at risk of capture.
   - My data is protected with a password.
     - A password is like a key to a lock. It only slows down an attack.

33. Real World Security

34. State of Security Today
   - Organized crime
   - Hackers paid to find weaknesses in systems
   - Easy to deploy "hacking kits"
   - Technical support
35. Example Business Model of Organized Hackers

36. Credit Cards for Sale

37. Money Mules

38. Public Hacking Attacks
   - Heartland
   - Car Dealership
   - Twitter

39. Heartland Payment Systems Hacked
   - One of the largest data breaches to date
   - Heartland processes 100 million credit card transactions per month for 250,000 different businesses
   - 01/20/2009: Heartland's CFO announced that malware had been found on its processing systems
   - The malware was sending credit card information outside the organization
40. Heartland Payment Systems Hacked: Heartland's Data Breach: What Happened?

   "The method used to compromise Heartland's network was ultimately determined to be SQL injection. Code written eight years ago for a web form allowed access to Heartland's corporate network. This code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland's systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network. Although the vulnerability existed for several years, SQL injection didn't occur until late 2007."

   * Heartland Payment Systems: Lessons Learned from a Data Breach, Julia S. Cheney
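The slide above says the entry point was a web form whose code spliced user input into a SQL query. As an added example (not Heartland's code; the table, merchant names and the name format rule are constructed for illustration), here is that flawed pattern next to the parameterised lookup that closes the hole, plus an input-shape check as a second layer:

```python
import re
import sqlite3

# Constructed sample data standing in for the records behind a web form.
# Nothing here is Heartland's schema or code.
SAMPLE_MERCHANTS = [
    (1, "acme-coffee", "acme"),
    (2, "bobs-books", "bobby"),
    (3, "cara-cars", "cara"),
]

# Assumed shape of a valid merchant name for this example's form field.
MERCHANT_NAME = re.compile(r"^[a-z0-9-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", SAMPLE_MERCHANTS)
    return conn


def find_merchant_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flawed pattern: the form field is spliced into the SQL text, so
    quote characters in the input are parsed as SQL rather than as data."""
    sql = "SELECT id, name FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_merchant_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound as a parameter. The database never
    treats it as part of the statement, whatever characters it contains."""
    sql = "SELECT id, name FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_merchant_validated(conn: sqlite3.Connection, name: str) -> list:
    """Defence in depth: reject input that does not match the expected shape
    before it reaches the query at all, then use the parameterised lookup.
    A rejected request is also a useful signal for the monitoring the slide
    says never caught the flaw."""
    if not MERCHANT_NAME.match(name):
        raise ValueError("merchant name has unexpected characters")
    return find_merchant_safe(conn, name)
```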
41. Heartland Payment Systems Hacked: Heartland's Data Breach: Aftermath

   Albert Gonzalez, sentenced to 20 years for $200 million theft.

   "Gonzalez pleaded guilty in September to multiple federal charges of conspiracy, computer fraud, access device fraud and identity theft for hacking into TJX, which owns T.J. Maxx, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. He was facing up to 25 years in prison for these charges. Gonzalez also pleaded guilty last year in two other pending hacking cases for which he is scheduled to be sentenced on Friday. He faces up to 20 years in prison for his role in hacking into the network of Dave & Buster's restaurant chain and stealing credit and debit card numbers from at least 11 locations. As part of a third pending case, Gonzalez faces between 17 and 25 years in prison for hacking into the payment card networks of Heartland, 7-Eleven and Hannaford Bros. supermarket chain to steal more than 130 million credit and debit card numbers. In a plea deal, his sentences will run concurrently to each other."

   SCMagazine (http://www.scmagazineus.com/hacker-albert-gonzalez-receives-20-years-in-prison/article/166571/)
42. Hacker Disables More Than 100 Cars Remotely
   - The dealership used a system called Webtech Plus as an alternative to repossessing vehicles that haven't been paid for.
   - Dealers installed a small black box under vehicle dashboards that responds to commands issued through a central website and relayed over a wireless pager network.
   - The system allows cars to be disabled or their horns sounded.
   - After an employee was terminated, he accessed the system through another user's account.
   - He was able to vandalize account records, disable cars and set off horns.

   http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/
43. Twitter Hacked
   - What happened?
     - A Twitter account that had access to admin pages was compromised.
     - Accounts taken over:
       - President-Elect Barack Obama's
       - Britney Spears
       - Fox News feed
   - What went wrong?
     - Unlimited attempts allowed brute forcing of the password
     - Easy password in use
     - Account with admin-level access compromised
     - Demonstrates dependency on third-party tools
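Two of the failures listed above, unlimited login attempts and an easy password, are both cheap to control at the login endpoint. The added example below (my own code, not Twitter's; the lockout limits and the small deny-list are assumed values for illustration) shows a failed-attempt counter with a temporary lockout, a deny-list password check, and a helper that measures how many guesses the lockout leaves an attacker:

```python
import time
from collections import defaultdict

# Policy values are assumptions for the example, not any real site's settings.
MAX_FAILURES = 5           # failed guesses tolerated before the account locks
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts

# Constructed deny-list; a real deployment would use a large breached-password set.
COMMON_PASSWORDS = {"password", "password1", "123456", "letmein", "qwerty", "welcome"}


def password_is_weak(password: str) -> bool:
    """Reject very short passwords and anything on the deny-list."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


class LoginGuard:
    """Counts failed logins per account and locks the account for a while once
    the limit is reached, so an attacker gets a bounded number of guesses."""

    def __init__(self, check_password, clock=time.time):
        self._check = check_password      # callable(user, password) -> bool
        self._clock = clock               # injectable so tests can move time
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, user: str, password: str) -> str:
        now = self._clock()
        if self._locked_until.get(user, 0.0) > now:
            return "locked"               # refuse even a correct password while locked
        if self._check(user, password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
            return "locked"
        return "denied"


def guesses_allowed(guard: LoginGuard, user: str, candidates) -> int:
    """How many candidate passwords can be tried before the guard locks the
    account. Without a guard (the unlimited-attempts case on the slide) the
    answer would simply be len(candidates)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        if guard.attempt(user, candidate) != "denied":
            break
    return tried
```

Lockouts trade availability for confidentiality; pair them with alerting on repeated locks so a flood of failures against an admin account is noticed rather than silently absorbed.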
44. Personal Responses to Security Incidents
   - City Hacked
   - Local Content Provider Hacked
   - I was hacked

45. City Hacked
   - What happened?
     - The city's network was attacked by a botnet
     - 80%+ of all computers infected (1500+ machines)
     - Police, fire and other emergency services taken offline
     - Backend accounting and payroll taken offline
     - Printing taken offline
     - Antivirus did not detect the threat
     - Forced to write a custom antivirus tool to "inoculate" against the virus
   - What went wrong?
     - Out-of-date systems
     - Out-of-date or no antivirus
     - Antivirus that was current did not detect the threat
     - Poor network design
     - No security framework
     - Security was rolled up as a small piece of information technology (Information Technology staff are not security experts)
     - No incident response plan

46. Local Content Provider Hacked
   - Content provider attacked with a brute force FTP attack
     - The entire web site had "bad code" embedded in all web pages
     - Customers using the company's services were attacked with malware
   - What went wrong?
     - No security management
     - No log management
     - No incident response plan
47. I Got Hacked
   - Demonstration of a social engineering attack using Cross Site Request Forgery (CSRF)
   - Scenario
   - Click a link from an email
   - Bad stuff happens

   I really didn't get hacked. This is a demo using proof of concept code.

48. I Got Hacked
   - Received email with link

49. I Got Hacked
   - Link takes me here
   - Must be broken.
   - Oh well, on to the next email.

   "And it's not about who's got the most bullets. It's about who controls the information."

50. I Got Hacked
   - When I clicked the link, I was logged into my Netflix account in another browser session.
   - How did Sneakers get here?

51. I Got Hacked
   - What happened?
     - The link took me to a separate site.
     - The code on that site took advantage of a flaw in Netflix's site.
     - This allowed one site to jump out of its context and into another.

   Not all attacks are protected by antivirus or a firewall!
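The flaw the demo relies on is that the video site accepted any request carrying the user's session cookie, and the browser attaches that cookie even when a different site submits the form. As an added example (my own code, not Netflix's or the demo's proof of concept; the session store, queue, origin name and request shapes are constructed), here is that handler beside a hardened version that also demands a per-session token only the genuine page could supply and rejects cross-site origins:

```python
import hmac
import secrets

# Constructed in-memory state standing in for the video site (not Netflix's code).
SESSIONS = {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
QUEUES = {"alice": []}
TRUSTED_ORIGIN = "https://video.example"  # assumed name for this site


def _session(request):
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def add_to_queue_vulnerable(request) -> int:
    """Flawed handler: a valid session cookie is the only check. The browser
    attaches that cookie to requests triggered from any site, so a page
    elsewhere can perform this action inside the victim's session."""
    sess = _session(request)
    if sess is None:
        return 401
    QUEUES[sess["user"]].append(request["form"]["title"])
    return 200


def add_to_queue_safe(request) -> int:
    """Hardened handler: require a per-session token that only a page served
    by this site could have read, and refuse requests from other origins."""
    sess = _session(request)
    if sess is None:
        return 401
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403                     # constant-time compare of the token
    QUEUES[sess["user"]].append(request["form"]["title"])
    return 200


def forged_request(title: str) -> dict:
    """What the server sees when a page on another site submits the form:
    the victim's cookie rides along, but that page has no token to send."""
    return {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"title": title}}


def legitimate_request(title: str) -> dict:
    """The same action submitted from the site's own page, token included."""
    return {"cookies": {"session": "sess-alice"},
            "headers": {"Origin": TRUSTED_ORIGIN},
            "form": {"title": title, "csrf_token": SESSIONS["sess-alice"]["csrf"]}}
```

Marking the session cookie SameSite=Lax (not available to browsers in 2010) is a further layer for the same problem; the token check remains the portable defence.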
52. Real Examples of Spam

53. Questions? Joe Vest (CISSP, CISA, CEH), [email_address]
