Cybercrime

Presentation by Charl van der Walt, Jaco van Graan and Roelof Temmingh at ICM in 2000.

The presentation begins by giving an overview of what hackers are, what they do and what drives them. Security fundamentals such as encryption and the four pillars of information security are discussed. The presentation ends with discussions on the security process and security certification.

  • Comment on our background and the kind of work we do - technology focused
  • Comment on actual statistics. Give URL as source. ** Refer to John Tullet’s talk earlier...

    1. CYBERCRIME (charl van der walt, jaco van graan, roelof temmingh)
    2. AGENDA: CYBERCRIME (charl van der walt, jaco van graan, roelof temmingh)
      1. INFORMATION SECURITY AWARENESS (Jaco van Graan)
      2. PROFILING THE ENEMY (Roelof Temmingh)
      3. SECURITY TRENDS AND STATISTICS (Charl van der Walt)
      4. INFORMATION SECURITY FUNDAMENTALS (Charl van der Walt)
      5. SECURITY DEMONSTRATED (SensePost Information Security)
      6. THE INFORMATION SECURITY PROCESS (Jaco van Graan)
      7. INFORMATION SECURITY CERTIFICATION (Charl van der Walt)
      8. THE BOTTOM LINE (Jaco van Graan)
    3. INTRODUCTION (jaco van graan)
      • About the speakers
        • jaco van graan
        • charl van der walt
        • roelof temmingh
      • Objective
      • Approach
      • References:
        • http://wips.sensepost.com/misc/cybercrime.zip
        • http://www.sensepost.com
        • [email_address]
        • [email_address]
        • roelof@sensepost.com
    4. AGENDA: INFORMATION SECURITY AWARENESS (jaco van graan)
      1. The Age of the Net
      2. Threats and Risks in IT
      3. Examples
      4. What’s this hacking stuff?
      5. What do hackers do?
      6. But why hack?
      7. Why they do it
      8. Security Breaches in the past 12 months
    5. Age of the Net...
      • Global village
      • Information overload
      • Evernet
      • E-Commerce
      • Removing the middleman
      • Information replaces inventory
    6. Threats and Risks in IT
      • Lack of security in IT
      • Networks transfer data without security
      • System administrators are trusted (completely)
      • Theft
      • People
        • Untrusted, outsourcing
      • Internet designed with an open architecture
      • Hacking
    7. What’s this hacking stuff?
      • “Hacker”
        • Clever programmer
        • Enjoys learning the details of a programming language or system
        • Enjoys actually doing the programming rather than just theorizing about it
        • Capable of appreciating someone else’s hacking
        • Picks up programming quickly
        • Expert at a particular programming language or system, as in “UNIX hacker”
    8. What hackers do:
      • Steal
        • information - to use and to sell
        • money from accounts
        • goods through e-buying
        • resources - time and equipment
      • Talk
      • Leave backdoors open
      • Launch new attacks
    9. But why hack?
      • Fun
        • technical challenges
        • curiosity
        • harmless pranks
        • thrills
      • Emotional
        • pride
        • hate
        • revenge
        • psychological
    10. How do they do it?
      • Social engineering
      • Networking
      • Resources from the web...
    11. Security breaches in the past 12 months
    12. AGENDA: SECURITY TRENDS & STATISTICS (charl van der walt)
      1. Statistics on Commercial Crime
      2. Statistics on Computer Crime
      3. Computers and Commercial Crime
      4. The value of Trends and Statistics
      5. Trends in Computer Security
      6. Determining your own Risk Profile…
    13. Statistics on Commercial Crime
      • Commercial crime up 3.5% from last year
        • R 3.4 billion in the first half of ’99 alone
      • 84.3% of cases involved fraud
        • 25,000 incidents
        • R 2.9 billion
      • Gauteng occupies first position with regard to commercial crime
      • www.saps.org.za
    14. Statistics on Computer Crime
      • 61% of the organizations surveyed have experienced losses due to unauthorized computer use.
      • The average loss from theft of proprietary information is over $1.2M.
      • The average loss from data or network sabotage is over $1.1M.
      • 50% of all organizations surveyed reported insider abuse of net access.
      • FBI / CSI Survey, 1999
    15. Statistics on Computer Crime
      “Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day.” (Financial Mail, April 2000)
    16. Threat Distribution - International
      • Theft of proprietary info: 20%
      • Sabotage of data or networks: 15%
      • Telecom eavesdropping: 10%
      • System penetration by outsider: 24%
      • Insider abuse of net access: 76%
      • Financial fraud: 11%
      • Denial of service: 25%
      • Virus contamination: 70%
      • Unauthorized access to info by insider: 43%
      • Telecom fraud: 13%
      • Active wiretapping: 2%
      • Laptop theft: 54%
    17. Threat Distribution - RSA (South Africa)
      • Some form of breach: 89%
      • Virus incident: 87%
      • Theft of equipment: 80%
      • E-mail intrusion: 27%
      • Loss of company documents: 12%
      • Breach of confidentiality: 8%
      • External systems attack: 8%
      • Internal systems attack: 6%
    18. Computers & Commercial Crime
      • KPMG: ‘63% of top-level managers in South Africa rate their company’s dependence on IT for the successful running of business as “Extremely High”’
      • Business today simply doesn’t run without IT
      • Neither does fraud or other commercial crime
    19. The value of statistics
      • Local and international statistics differ
        • “Internal”: 76% vs 6%
        • “External”: 24% vs 8%
      • Statistical methodologies differ
      • Many incidents are never discovered
      • Most are never reported
      • Statistics probably won’t tell you much, except:
        • Create an awareness
        • Stimulate technology
        • Indicate trends
    20. Trends in IT security
      • The industry is typically technology driven:
        • Host Security
        • Firewalls
        • Virus scanners
        • Proxies
        • VPN
        • Content Scanners
        • Intrusion Detection
        • Hacker-in-a-Box
        • File Security
    21. Determining your own risk
      The magnitude of the risk is a product of the value of the information and the degree to which the vulnerability can be exploited.
    22. AGENDA: PROFILING THE ENEMY (roelof temmingh)
      1. Media and “hackers” - utter confusion
      2. The intellectual and emotional makeup of a good “hacker”
      3. Types of “hackers”
      4. What motivates “hackers”?
      5. The real threat - should we be worried about “hackers”?
    23. AGENDA: INFORMATION SECURITY FUNDAMENTALS (charl van der walt)
      1. Understanding the Internet
      2. The Four Pillars
      3. Control Methods
      4. More about Encryption
      5. Security Technologies
      6. Security Products
      7. Case Study
    24. Understanding the Internet
      • Host
      • Network
      • LAN
      • WAN
      • Internet
      • Protocol
      • IP
      • Packet
      • Server / Service
      • Port
    25. Four Pillars of Information Security
      • Access Control
        • Control who may and who may not access data
      • Confidentiality
        • Ensure data is viewed only by the intended audience
      • Integrity
        • Ensure data is not changed by unauthorized parties
      • Authenticity
        • Ensure that data originated where you think it did
      • #5 - Availability
        • Ensure data is there when you need it
    26. Security Control Methods
      • Information Security Policy
      • Sound system design
      • Access Control
        • Physical
        • Network
        • Operating System
        • Application
      • Encryption
      • Audit and Review
    27. More about Encryption
      • Encrypt
        • Convert information into an unreadable format
          • Crypto-Text
      • Decrypt
        • Change data back to its normal format
          • Clear-Text
      • Algorithm
        • Steps followed to encrypt or decrypt the information
      • Key
        • Secret shared between the parties (in symmetric encryption)
      • Key Length
        • An indication of how hard the key is to guess
    28. Still more about Encryption
      • Public Key Cryptography
        • A special type of encryption using a key pair
      • Private Key
        • Kept strictly secret
      • Public Key
        • Published with a Certificate
      • Certificate
        • A way of linking your Key to your Identity
      • Certificate Authority (CA)
        • Responsible for verifying the Certificate
      • Public Key Infrastructure (PKI)
        • Structures needed to make the process work
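The “Key” and “Key Length” bullets on slide 27 are worth seeing in code. The following is an added example, not part of the SensePost deck: a deliberately weak toy cipher (a SHA-256 derived keystream XORed with the message, an assumption made for illustration, not a real algorithm) is used only so that the attacker’s job reduces to guessing the shared secret. With the algorithm known, the work an attacker faces is the size of the keyspace, 2 to the power of the key length, which the brute-force routine counts.

```python
"""Toy illustration of 'key' and 'key length' (added example, not from the deck).

The cipher below is NOT a real cipher: a keystream is derived from an integer
key with SHA-256 and XORed with the message. Its only purpose is to show that
an attacker who knows the algorithm (always assume they do) is left with
guessing the key, and that the number of guesses grows as 2**key_bits.
"""
import hashlib
import secrets
import time


def keystream(key: int, length: int) -> bytes:
    """Expand an integer key into `length` pseudo-random bytes (toy KDF)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: int, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream derived from the shared key."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


# XOR is its own inverse: the same shared secret undoes the encryption.
decrypt = encrypt


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Known-plaintext attack: try every key in the 2**key_bits keyspace.

    The attacker knows how the message starts (a header, a greeting, an
    amount line) and stops when a guessed key reproduces it.
    Returns (key, attempts) on success or (None, attempts) if the keyspace
    searched was too small to contain the real key.
    """
    attempts = 0
    target = ciphertext[:len(known_prefix)]
    for guess in range(1 << key_bits):
        attempts += 1
        if decrypt(guess, target) == known_prefix:
            return guess, attempts
    return None, attempts


def demo(key_bits: int, message: bytes = b"PAY R 1000 to account 42") -> dict:
    """Pick a random key of the given length, encrypt, and time the brute force."""
    key = secrets.randbelow(1 << key_bits)
    ct = encrypt(key, message)
    start = time.perf_counter()
    found, attempts = brute_force(ct, message[:8], key_bits)
    elapsed = time.perf_counter() - start
    return {"key_bits": key_bits, "found": found == key,
            "attempts": attempts, "seconds": round(elapsed, 4)}


if __name__ == "__main__":
    # Each extra 4 bits of key multiplies the attacker's worst case by 16.
    for bits in (8, 12, 16):
        print(demo(bits))
```

Run stand-alone it prints one line per key length; the attempt count is bounded by 2 to the power of the key length while the message and the algorithm stay the same. Real ciphers differ from this toy in every detail except the one the slide makes: once the algorithm is public, key length (together with a sound algorithm) is what makes guessing impractical.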
    29. Security Technologies
      • Firewalls
        • Network Level
        • Application Level
        • Content Level
      • Authentication Systems
        • Something you know
        • Something you have
        • Something you are
      • Encryption Protocols
        • SSH
        • SSL
        • IPSec
      • Intrusion Detection Systems
    30. Security Products
      • Firewalls
        • Check Point FW-1 (www.checkpoint.com)
        • NAI Gauntlet (www.nai.com)
        • Linux IPchains (www.linux.org)
      • Authentication Systems
        • RSA SecurID (www.rsa.com)
        • Aladdin eToken (www.aks.com)
      • Encryption
        • Windows EFS
        • Trispen IPGranite (www.trispen.com)
      • Intrusion Detection Systems
        • AXENT NetProwler (www.axent.com)
        • SNORT (www.snort.org)
    31. Case Study - www.bluebean.com
      • Use a firewall
        • Restrict access to ports 80 and 443 only
    32. Case Study - www.bluebean.com
      • Use a secure web server
        • Netscape Enterprise 3/6
    33. Case Study - www.bluebean.com
      • Use SSL to encrypt the connection
    34. Case Study - www.bluebean.com
      • Use SSL for authentication
    35. Case Study - www.bluebean.com
      • Data Confidentiality
        • No credit card numbers to foreign sites
    36. Case Study - www.bluebean.com
      • Use two-factor authentication
        • The BlueBean credit card
    37. Case Study - www.bluebean.com
      • Account Lockout
    38. Case Study - www.bluebean.com
      • Potential Weaknesses
        • Credit card number can be guessed
        • User PC could be attacked
        • User could be tricked
        • Cycle through the card numbers, not the PINs?
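The last bullet on slide 38 deserves a worked illustration. The code below is an added example and is not BlueBean’s or SensePost’s code; the card numbers, PINs, IP addresses and failure thresholds are constructed for it. It models the two-factor login of slides 36 and 37 (card number as the thing you have, PIN as the thing you know) with per-account lockout, then runs the two attacks: the vertical one the lockout was designed for (one card, every PIN) and the horizontal one the slide asks about (one PIN, every card). A hardened variant adds a failure budget per source that spans all accounts, which is one way to close the gap.

```python
"""Account lockout versus cycling card numbers (added example, not the deck's code).

Lockout counts failures per account. An attacker who fixes a likely PIN and
walks through card numbers spends at most one failure per account, so no
account ever locks. All card numbers, PINs and addresses here are made up.
"""
from collections import defaultdict

# Constructed test data: card number -> PIN. Card ...0025 uses a popular PIN.
ACCOUNTS = {
    "5100000000000001": "8374",
    "5100000000000002": "2911",
    "5100000000000003": "6650",
    "5100000000000004": "4427",
    "5100000000000005": "7716",
    "5100000000000006": "9083",
    "5100000000000025": "1234",
}


class LoginService:
    """Per-account lockout only: the design on the case-study slides."""
    MAX_FAILURES = 3

    def __init__(self, accounts):
        self.accounts = accounts
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, card, pin, source):
        if card in self.locked:
            return "locked"
        # Unknown cards fail the same way as wrong PINs: no hint that a card exists.
        if self.accounts.get(card) == pin:
            self.failures[card] = 0
            return "ok"
        self.failures[card] += 1
        if self.failures[card] >= self.MAX_FAILURES:
            self.locked.add(card)
        return "denied"


class HardenedLoginService(LoginService):
    """Adds a per-source failure budget that spans ALL accounts (assumed
    mitigation), so a horizontal sweep is throttled even though no single
    account ever reaches its lockout threshold."""
    MAX_SOURCE_FAILURES = 10

    def __init__(self, accounts):
        super().__init__(accounts)
        self.source_failures = defaultdict(int)

    def login(self, card, pin, source):
        if self.source_failures[source] >= self.MAX_SOURCE_FAILURES:
            return "throttled"
        result = super().login(card, pin, source)
        if result != "ok":
            self.source_failures[source] += 1
        return result


def candidate_cards():
    """Enumerate a small constructed card range; attackers would use a larger one."""
    return [f"51000000000000{n:02d}" for n in range(1, 40)]


def vertical_attack(service, card, source="203.0.113.7"):
    """Classic brute force: one card, every PIN. Returns the PIN found or None."""
    for pin in range(10000):
        if service.login(card, f"{pin:04d}", source) == "ok":
            return f"{pin:04d}"
    return None


def horizontal_attack(service, candidate_pin, source="203.0.113.7"):
    """Fix the PIN, cycle the card numbers (slide 38's last bullet).
    Returns the first card that accepted the PIN, or None."""
    for card in candidate_cards():
        if service.login(card, candidate_pin, source) == "ok":
            return card
    return None


if __name__ == "__main__":
    naive = LoginService(ACCOUNTS)
    print("vertical, lockout only :", vertical_attack(naive, "5100000000000001"))
    print("horizontal, lockout only:", horizontal_attack(LoginService(ACCOUNTS), "1234"))
    print("horizontal, hardened    :", horizontal_attack(HardenedLoginService(ACCOUNTS), "1234"))
```

Against the lockout-only service the vertical attack locks the account after three PINs and gets nothing, while the horizontal attack finds the card that uses 1234 without locking anything. The per-source budget stops the sweep, at the cost that a legitimate user behind the same source is also throttled once the budget is spent; in practice that budget is combined with other signals (the same PIN tried across many cards, many distinct cards from one source) rather than used alone.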
    39. AGENDA: SECURITY DEMONSTRATED
      1. Connecting to the firewall
      2. Using passwords to restrict access to data
      3. Using a firewall to protect our servers
      4. Using IDS to warn us of attacks
    40. SECURITY DEMONSTRATED (roelof temmingh)
      1. A server is connected to the Internet.
      2. Passwords are used to restrict access to the MS file service.
    41. SECURITY DEMONSTRATED
      3. A firewall is used to restrict server access to the web service port, 80.
    42. SECURITY DEMONSTRATED
      4. An IDS is used to detect and report on attempted attacks on the web server.
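Step 4 of the demo, an IDS reporting attempted attacks on the web server, can be shown in miniature. The following is an added example, not the tool used in the SensePost demo: a small signature-based detector over web server access-log lines in the common log format. The log lines, the signature list and the scan threshold are constructed for the example; the client addresses are from the RFC 5737 documentation ranges. Because a firewall that only passes port 80 still passes every request on port 80, this is the layer that sees the probes.

```python
"""Minimal signature-based IDS over web access logs (added example, not the demo's tool)."""
import re
from collections import Counter
from urllib.parse import unquote

# Common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed signature set: name -> pattern applied to the decoded request path.
SIGNATURES = [
    ("directory traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("unix password file", re.compile(r"/etc/(passwd|shadow)")),
    ("windows command shell", re.compile(r"cmd\.exe", re.I)),
    ("cgi-bin probe", re.compile(r"/cgi-bin/(phf|test-cgi|nph-)", re.I)),
]
SCAN_THRESHOLD = 5  # 404s from one client before we call it a scan


def parse_line(line):
    """Return the log fields as a dict, or None for lines that are not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise(path):
    """Decode percent-encoding twice: double encoding is a classic way past naive filters."""
    return unquote(unquote(path))


def analyse(lines):
    """Run every line through the signatures and a per-client 404 counter.
    Returns a list of (client_ip, alert_name, evidence) tuples."""
    alerts = []
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # an IDS should log unparseable input, not crash on it
        path = normalise(rec["path"])
        for name, sig in SIGNATURES:
            if sig.search(path):
                alerts.append((rec["ip"], name, rec["path"]))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    for ip, n in not_found.items():
        if n >= SCAN_THRESHOLD:
            alerts.append((ip, "probable scan", f"{n} x 404"))
    return alerts


# Constructed sample log: one normal visitor and one client probing the server.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Mar/2000:09:12:01 +0200] "GET /index.html HTTP/1.0" 200 5120
198.51.100.23 - - [10/Mar/2000:09:12:03 +0200] "GET /images/logo.gif HTTP/1.0" 200 2048
203.0.113.9 - - [10/Mar/2000:09:15:44 +0200] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 312
203.0.113.9 - - [10/Mar/2000:09:15:45 +0200] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 312
203.0.113.9 - - [10/Mar/2000:09:15:47 +0200] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 298
203.0.113.9 - - [10/Mar/2000:09:15:48 +0200] "GET /cgi-bin/phf HTTP/1.0" 404 290
203.0.113.9 - - [10/Mar/2000:09:15:49 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 290
203.0.113.9 - - [10/Mar/2000:09:15:50 +0200] "GET /admin/ HTTP/1.0" 404 290
198.51.100.23 - - [10/Mar/2000:09:16:02 +0200] "POST /order.cgi HTTP/1.0" 200 811
this line is not in common log format
""".splitlines()


if __name__ == "__main__":
    for ip, name, evidence in analyse(SAMPLE_LOG):
        print(f"ALERT {ip:<14} {name:<22} {evidence}")
```

Two points the demo slide does not spell out: the signatures run on the decoded path, because the same traversal arrives in several encodings, and the 404 counter catches probing that matches no signature at all. A production IDS such as the SNORT listed on slide 30 works on the same two ideas, signatures and thresholds, with far larger rule sets and on raw packets rather than on the server's own log.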
    43. AGENDA: THE SECURITY PROCESS (jaco van graan)
      1. Proactive or Reactive?
      2. The Process
      3. Threat / Risk Analysis
      4. Security Policy
      5. Planning
      6. Implementation
      7. Manage & Monitor
      8. Internal & External Audit
      9. Intrusion Detection
      10. Adjust Security Policy
    44. Proactive or Reactive?
      • Proactive
        • Locate weaknesses
        • Controls in place
        • Long-term cost effective
      • Reactive
        • No or weak controls
        • Try to plug security holes
        • Least effective
        • Costly
    45. The Process… (a cycle)
      1. Threat/Risk Analysis
      2. Security Policy Creation
      3. Planning
      4. Policy Enforcement / Implementation
      5. Monitor & Manage
      6. Intrusion Detection
      7. Security Audit
    46. Threat/Risk Analysis
      • Value your assets (information/reputation).
      • Determine the acceptable level of loss.
      • Some losses will inevitably occur.
        • Eliminating ALL losses would be either too costly or impossible.
      • The level of acceptable losses needs to be set
        • it dictates how much you are willing to spend on security.
      • Set a time period for the acceptable losses.
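Slide 21 gives the formula (risk is the product of the value of the information and the degree to which the vulnerability can be exploited) and slide 46 gives the procedure (value the assets, set an acceptable loss for a period, spend accordingly). The following added example, not from the deck, carries both through on a constructed asset table. The rand values, the 0 to 1 exploitability scale, the per-control residual exploitability and the greedy selection rule are all assumptions made for the illustration.

```python
"""Risk = value x exploitability, applied against an acceptable loss (added example)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # R lost if the asset is fully compromised (constructed)
    exploitability: float # 0.0 (no known way in) .. 1.0 (trivial), for the chosen period
    control_cost: float   # R per period for the proposed control (constructed)
    residual: float       # exploitability after the control is in place (assumed)


# Constructed asset register for one period (say one year).
ASSETS = [
    Asset("customer database",    2_000_000, 0.3,  80_000, 0.05),
    Asset("public web site",        300_000, 0.6,  20_000, 0.10),
    Asset("internal file server",   500_000, 0.4, 150_000, 0.10),
    Asset("marketing brochure",      10_000, 0.9,   5_000, 0.10),
]


def risk(asset: Asset) -> float:
    """Slide 21: magnitude of risk = value x degree of exploitability."""
    return asset.value * asset.exploitability


def residual_risk(asset: Asset) -> float:
    """Risk that remains once the proposed control is applied."""
    return asset.value * asset.residual


def expected_loss(assets) -> float:
    """Total risk for the period with no additional controls."""
    return sum(risk(a) for a in assets)


def plan(assets, acceptable_loss):
    """Slide 46: spend until expected loss for the period is within the acceptable level.

    Greedy rule (an assumption, not the deck's): apply the control that
    buys the most risk reduction per rand first, and stop as soon as the
    remaining expected loss is at or below the acceptable loss.
    Returns (controls chosen in order, remaining expected loss, total spend).
    """
    remaining = {a.name: risk(a) for a in assets}
    chosen, spend = [], 0.0
    by_value = sorted(
        assets,
        key=lambda a: (risk(a) - residual_risk(a)) / a.control_cost,
        reverse=True,
    )
    for a in by_value:
        if sum(remaining.values()) <= acceptable_loss:
            break
        if risk(a) - residual_risk(a) <= 0:
            continue  # a control that buys nothing is never worth its cost
        chosen.append(a.name)
        remaining[a.name] = residual_risk(a)
        spend += a.control_cost
    return chosen, sum(remaining.values()), spend


if __name__ == "__main__":
    print(f"expected loss with no new controls: R {expected_loss(ASSETS):,.0f}")
    for budget in (1_000_000, 300_000):
        chosen, left, spend = plan(ASSETS, budget)
        print(f"acceptable loss R {budget:,}: spend R {spend:,.0f} on {chosen}, "
              f"remaining expected loss R {left:,.0f}")
```

The point the numbers make is the one on slide 46: the acceptable loss, not the list of available products, decides how much is spent. With a generous acceptable loss no control is bought at all; with a tight one every control in the table is bought, the expensive file-server control last, because it buys the least risk per rand.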
    47. Security Policy
      • Practical, understandable.
      • Control document.
      • Communicated.
      • Endorsed by management.
      • Applies to all users of the infrastructure.
      • Gives the security administrator a mandate.
      A security policy helps to define what you consider to be valuable, and it specifies what steps should be taken to safeguard those assets.
    48. Planning
      • Enforcement of controls - security policy
      • Select products to ensure compliance
      • Determine the required implementation and maintenance skills
      • Evaluate the impact on the business
    49. Planning
      • Resources
        • People
        • Time
        • $$$
      • Evaluate a possible security partner
        • Experience: references
        • Financial backing
        • Trust relationship
        • Support: training / skills transfer / SLAs
        • Product range
    50. Implementation
      • Remember your exposure!
      • Security partner?
      • Schedule change control - security policy
      • Inform all users / business partners
      • Ensure the skill level of the implementers
      • Roll-back plan
    51. Manage & Monitor
      • Physical audit of the infrastructure
      • Responsibility handover
        • Security alerts, advisories, bug fixes
        • Equipment load
        • Configuration changes
      • Catch ’em! (If you can…)
    52. Internal & External Audit
      • Collect and evaluate evidence to determine whether a computer system:
        • safeguards assets;
        • maintains data integrity;
        • allows the goals of the organisation to be achieved efficiently and effectively.
      • Security policy as the control document.
      • International standards: SAS 70; BS 7799.
    53. Internal Audit
      • Compare to the internal audit division.
      • Independence, thus not involved in implementation or operations.
      • Reports to the IT manager.
    54. External Audit - Evaluation
      • Organisation
        • Independence
        • References
        • Experience
        • Certification
        • Cost
        • Ethics
        • Services offered
        • Backing: subsidiary / insurance
    55. External Audit - Evaluation
      • Methodology
        • Certification / benchmark
        • Audit plan
        • Execution according to plan
        • Report
        • Recommendations & resolution
    56. External Audit - Evaluation
      • Resources
        • Business skills
        • Experience: qualifications; certifications; professional bodies
        • Individual background
      • The brief… How; What; Where?
        • Type: logical, physical or social
        • Restrictions / conditions
        • Internal / external
    57. External Audit - Evaluation
      • Toolbox
        • Tool combinations: wider vulnerability exposure.
        • Proprietary or off the shelf.
      • Confidentiality.
    58. Intrusion Detection
      • If all else failed…
      • Regular updates.
      • Follow-up of intrusion attempts.
      • Play it again, Sam.
    59. Adjust Security Policy
      • Recommendations from internal & external audits.
      • New business requirements.
    60. AGENDA: SECURITY CERTIFICATION (charl van der walt)
      1. Definition
      2. The purpose of Certification
      3. Leading standards today
      4. Is Certification for you?
      5. Choosing the right standard
    61. Definition
      The evaluation of the security of a computer system by a recognised third party. If the system being tested meets all the criteria it receives certification (also called accreditation), which is an indication of the level of security of the system being tested.
    62. Objective
      • To enforce structure on your security program
      • A means of assessing your own security
      • A means of measuring against best-of-breed
      • A means of convincing others of your security
    63. Leading Standards
      • BS 7799
        • British Standards Institute
        • Outlines 10 control areas that must be addressed
        • Uses the c:cure program for accreditation
        • www.bsi.org.uk / www.bsi.org.za
        • www.c:cure.org
      • TCSEC
        • Trusted Computer System Evaluation Criteria
        • “Orange Book”
        • Published by the US National Security Agency
        • Defines different ‘levels’ of trust
          • Minimal -> Formally Proven
        • www.radium.ncsc.mil/tpep
    64. Leading Standards
      • ITSEC
        • Information Technology Security Evaluation Criteria
        • Recognised by most European countries
        • Concentrates on product evaluations
        • Defines different levels (E0 - E6)
        • www.itsec.gov.uk
      • CCITSE
        • Common Criteria for IT Security Evaluation
        • Joint American / European evaluation standard
        • Successor to TCSEC and ITSEC
        • Defines ‘levels’ similar to TCSEC, but more flexible
          • Protection Profiles
        • http://csrc.nist.gov/cc/
    65. Leading Standards
      • ISO / GMITS
        • Guidelines to the Management of IT Security
        • Published by the JTC
          • Joint Technical Committee of ISO and IEC
        • www.iso.ch
        • www.diffuse.org/secure.html
      • COBIT
        • Control Objectives for Information and Related Technologies
        • Information Systems Audit and Control Association
          • ISACA
        • ‘Business oriented & practical’
        • www.isaca.org
    66. Leading Standards
      • ICSA
        • International Computer Security Association
        • Commercial venture represented world-wide
        • Product certification and security assurance services
          • TrueSecure
        • Internet focused
        • www.icsa.net
      • Ernst & Young SAS 70
        • Statement on Auditing Standards No. 70
        • American version of a similar international standard
        • Specifically for the outsourced environment
        • Business focused
        • www.ey.com
    67. Is Certification for you?
      • Yes, if:
        • You’re a large corporation
        • You’re publicly owned
        • You offer IT-based services to clients
        • You have legal obligations
        • You’re comfortable with formal processes
      • No, if:
        • You have a small, manageable infrastructure
        • Your only responsibility is to yourself
        • You have an informal culture and strong skills
        • You believe certification will make you secure
    68. Choosing the right standard
      • Recognition
        • Respect in your target market
      • Focus
        • Support for your own security objectives
      • Local presence
        • A program that can be certified in SA
      • Total cost
        • Good return on investment
      • Overhead
        • Reasonable implementation time and life-span
      • Impact
        • A tangible effect on your systems
    69. THE BOTTOM LINE (jaco van graan)
      1. Take security seriously
      2. Don’t panic!
      3. Value your information
      4. Evaluate your risk
      5. Be requirement driven, not technology driven
      6. Enable your business
