Cybercrime future perspectives

Presentation by Charl van der Walt, Jaco van Graan and Roelof Temmingh at ISEC in 2000.

The presentation begins with a discussion of commercial crime statistics and trends. Security fundamentals such as encryption and the four pillars of information security are then covered, and the presentation ends with a series of discussions on the seven steps of the security process.

1. CYBERCRIME: Future Perspectives
   charl van der walt, www.sensepost.com

SECURITY TRENDS & STATISTICS (charl van der walt)

2. Commercial Crime
   - Commercial crime up 3.5% from last year
     - R 3.4 billion in the first half of '99 alone
   - 84.3% of cases involved fraud
     - 25,000 incidents
     - R 2.9 billion
   - Gauteng occupies first position with regard to commercial crime
   - Source: www.saps.org.za

3. Computer Crime
   - 61% of the organisations surveyed have experienced losses due to unauthorised computer use.
   - The average loss resulting from security breaches in all categories was approximately $1,000,000.
   - Source: FBI / CSI Survey, 1999

4. Crime Costs Money
   "Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day." (Financial Mail, April 2000)

5. Computers & Commercial Crime
   KPMG: "63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as 'Extremely High'."

6. Did they have it coming? (controls already in use at the surveyed organisations)
   - access control 93%
   - biometrics 9%
   - encrypted files 61%
   - anti-virus software 98%
   - reusable passwords 61%
   - firewalls 91%
   - encrypted log-in/sessions 46%
   - physical security 91%
   - PCMCIA, smart cards, one-time tokens 39%
   - intrusion detection 42%
   - digital IDs, certificates 34%
   - Source: FBI / CSI Survey, 1999

7. Threat Distribution - USA
   - Theft of proprietary info 20%
   - Sabotage of data or networks 15%
   - Telecom eavesdropping 10%
   - System penetration by outsider 24%
   - Insider abuse of net access 76%
   - Financial fraud 11%
   - Denial of service 25%
   - Virus contamination 70%
   - Unauthorised access to info by insider 43%
   - Telecom fraud 13%
   - Active wiretapping 2%
   - Laptop theft 54%

8. Threat Distribution - RSA
   - Some form of breach 89%
   - Virus incident 87%
   - Theft of equipment 80%
   - E-mail intrusion 27%
   - Loss of company documents 12%
   - Breach of confidentiality 8%
   - External systems attack 8%
   - Internal systems attack 6%

9. The value of statistics
   What we know:
   - There is a threat to our information resources
   - The threat has direct financial implications
   - The threat is growing
   - A large part of the threat is internal
   - There are a number of distinguishable trends
   What we don't know:
   - How accurate are the statistics?
   - Are international statistics relevant in SA?
   - Are international solutions relevant in SA?
   - What does this all mean to me?
   You need to determine your own unique risk profile.

10. Determining your own risk
   - What is Risk? Valuable resources + exploitable technology
   - What is "Secure"? When the financial losses incurred are at an acceptable level
   - Your "Risk Profile":
     - The value of your information
     - The degree of technological vulnerability
     - A level of loss that is acceptable to you
       - Unique to your organisation. Today.

11. Trends in IT security
   - There is a continual phase shift in security risks, and in security solutions
   - In the beginning: physical attacks
   - Yesterday: network attacks
   - Today: application attacks
   - The industry is typically technology driven, not problem driven.
   - Can we afford to follow the 'solutions' trend?

12. Future Threats
   - Denial of Service
     - Distributed
     - Anonymous
     - Depends on third parties to solve
     - Directly impacts the "e" world
   - Trojans & Worms
     - Stealthy
     - Remote controlled
     - Fetch model (the implant fetches its instructions or payload from the attacker)
   - Corporate backdoors
     - How will we ever know?
   - Semantic attacks

13. Determining your own risk
   The magnitude of the risk is the product of the value of the information and the degree to which the vulnerability can be exploited.
INFORMATION SECURITY FUNDAMENTALS (charl van der walt)

14. Understanding the Internet (terms used in the rest of the talk)
   - Host
   - Network
   - LAN
   - WAN
   - Internet
   - Protocol
   - IP
   - Packet
   - Server / Service
   - Port

15. Four Pillars of Information Security
   - Access Control: control who may and who may not access data
   - Confidentiality: ensure data is viewed only by the intended audience
   - Integrity: ensure data is not changed by unauthorised parties
   - Authenticity: ensure that data originated where you think it did
   - #5, Availability: ensure data is there when you need it

16. Security Control Methods
   - Information security policy
   - Sound system design
   - Access control
     - Physical
     - Network
     - Operating system
     - Application
   - Encryption
   - Audit and review

17. More about Encryption
   - Encrypt: convert information into an unreadable format (cipher text)
   - Decrypt: change the data back to its normal format (clear text)
   - Algorithm: the steps followed to encrypt or decrypt the information
   - Key: the secret shared between the parties (in symmetric encryption); the algorithm is public, the key is what must stay secret
   - Key length: an indication of how hard the key is to guess; each extra bit doubles the number of keys an attacker has to try

18. Still more about Encryption
   - Public Key Cryptography: a special type of encryption using a key pair
   - Private Key: kept strictly secret; used to decrypt and to sign
   - Public Key: published with a certificate; used by others to encrypt to you and to verify your signatures
   - Certificate: a way of linking your key to your identity
   - Certificate Authority (CA): verifies the identity and signs the certificate; anyone who trusts the CA can then check the certificate
   - Public Key Infrastructure (PKI): the structures needed to make the process work
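The key pair, certificate and CA relationships on slides 17 and 18, as an added worked example (the editor's illustration, not code from the presentation or from SensePost). It uses textbook RSA on small, constructed primes so that it runs instantly; the names, keys, message and "Example CA" are all made up, and the toy key sizes and absence of padding make it unfit for anything but teaching.

```python
import hashlib
import json
from math import gcd

# Editor's illustration of the slide-18 vocabulary: key pair, certificate, CA, PKI.
# Textbook RSA on small fixed primes: the arithmetic is real, the key sizes are toys.
# Real keys are 2048 bits or more and use padding; never use this outside a classroom.


def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)): the public key and the strictly secret private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def digest(data: bytes, n: int) -> int:
    """Hash the data, then reduce into the modulus so the hash can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key) -> int:
    d, n = private_key
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(data, n)


def canonical(obj) -> bytes:
    """Deterministic byte form of a certificate body, so signer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(subject: str, subject_public_key, issuer: str, issuer_private_key) -> dict:
    """The CA links the subject's identity to its public key by signing the pair."""
    body = {"subject": subject, "public_key": list(subject_public_key), "issuer": issuer}
    return {"body": body, "signature": sign(canonical(body), issuer_private_key)}


def verify_certificate(cert: dict, trusted_cas: dict) -> bool:
    """Accept the certificate only if a CA we already trust signed exactly this body."""
    ca_public_key = trusted_cas.get(cert["body"]["issuer"])
    if ca_public_key is None:
        return False
    return verify(canonical(cert["body"]), cert["signature"], ca_public_key)


def verify_signed_message(message: bytes, signature: int, cert: dict, trusted_cas: dict) -> bool:
    """PKI in one call: trust the certificate via the CA, then check the message with its key."""
    if not verify_certificate(cert, trusted_cas):
        return False
    return verify(message, signature, tuple(cert["body"]["public_key"]))


def demo() -> dict:
    # Constructed keys: primes chosen small so the example runs instantly (toy sizes).
    ca_pub, ca_priv = make_keypair(1000003, 1000033)
    alice_pub, alice_priv = make_keypair(999983, 1000037)
    trusted = {"Example CA": ca_pub}          # the verifier's trust store
    cert = issue_certificate("alice@example.com", alice_pub, "Example CA", ca_priv)
    msg = b"Pay R 1000 to account 12345"
    sig = sign(msg, alice_priv)
    # Attack attempts: a changed message, and a certificate whose subject was rewritten
    forged_cert = {"body": dict(cert["body"], subject="mallory@example.com"),
                   "signature": cert["signature"]}
    return {
        "genuine": verify_signed_message(msg, sig, cert, trusted),
        "altered_message": verify_signed_message(msg + b"0", sig, cert, trusted),
        "altered_certificate": verify_signed_message(msg, sig, forged_cert, trusted),
        "untrusted_ca": verify_signed_message(msg, sig, cert, {}),
    }


if __name__ == "__main__":
    print(demo())
```

The same signature check backs two of the pillars from slide 15: integrity (the altered message fails) and authenticity (a certificate whose subject was changed no longer carries a valid CA signature, and a certificate from a CA not in the trust store is rejected before the message is even looked at).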
19. Security Technologies
   - Firewalls
     - Network level
     - Application level
     - Content level
   - Authentication systems
     - Something you know
     - Something you have
     - Something you are
   - Encryption protocols
     - SSH
     - SSL
     - IPSec
   - Intrusion detection systems

20. Security Products
   - Firewalls
     - Check Point FW-1 (www.checkpoint.com)
     - NAI Gauntlet (www.nai.com)
     - Linux IPchains (www.linux.org)
   - Authentication systems
     - RSA SecurID (www.rsa.com)
     - Aladdin eToken (www.aks.com)
   - Encryption
     - Windows EFS
     - Trispen IPGranite (www.trispen.com)
   - Intrusion detection systems
     - AXENT NetProwler (www.axent.com)
     - SNORT (www.snort.org)

21. (Content removed)
SECURITY DEMO (roelof temmingh)

22. Security Demonstrated
   1. A server is connected to the Internet.
   2. Passwords are used to restrict access to the MS file service.

23. Security Demonstrated
   3. A firewall is used to restrict access to the server to the web service port, 80.

24. Security Demonstrated
   4. An IDS is used to detect and report attempted attacks on the web server.
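Steps 3 and 4 of the demo as an added example (the editor's code, not Roelof Temmingh's demo). The rule evaluator shows how a default-deny filter lets only TCP/80 through to the server while the file-service ports stay closed, and the signature check runs over constructed access-log lines in Common Log Format. The server address, client addresses, log lines and the signature list are all assumptions made for the illustration; the signatures are generic web-probe indicators, not any product's ruleset.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Editor's illustration of demo steps 3 (firewall) and 4 (IDS). Addresses, log lines
# and signatures are constructed; nothing here is taken from the original demo.

SERVER = "192.0.2.10"   # documentation address standing in for the demo server


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dst: Optional[str] = None    # None matches any destination
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Step 3: first matching rule wins; the final catch-all denies everything not explicitly
# allowed, so the MS file service (TCP/UDP 137-139, 445) is unreachable from the Internet
# even though the password-protected share is still running on the host.
RULES = [
    Rule("accept", proto="tcp", dst=SERVER, dport=80),
    Rule("deny"),
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # default deny even if someone removes the catch-all rule


# Step 4: a signature IDS over the web server's access log. Each pattern is a generic
# indicator of a probe against a web server, not a fingerprint of one specific bug.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f", re.I),
    "sensitive-file": re.compile(r"/etc/passwd|boot\.ini", re.I),
    "command-exec": re.compile(r"cmd\.exe|/bin/sh", re.I),
    "overlong-request": re.compile(r"\S{512,}"),   # overflow-style probe
}

# Common Log Format: client ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_log_line(line: str) -> Optional[dict]:
    """Return the parsed request plus the names of any signatures it triggers."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    alerts = [name for name, pattern in SIGNATURES.items() if pattern.search(m["path"])]
    return {"src": m["src"], "path": m["path"], "status": m["status"], "alerts": alerts}


def run_ids(lines) -> list:
    """Report only the requests that raised at least one alert."""
    findings = []
    for line in lines:
        rec = inspect_log_line(line)
        if rec and rec["alerts"]:
            findings.append(rec)
    return findings


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2000:12:00:01 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.9 - - [10/Apr/2000:12:00:07 +0200] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 219',
    '198.51.100.9 - - [10/Apr/2000:12:00:09 +0200] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 219',
    '198.51.100.12 - - [10/Apr/2000:12:00:15 +0200] "GET /' + "A" * 600 + ' HTTP/1.0" 414 0',
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", SERVER, 80), Packet("tcp", "198.51.100.9", SERVER, 139)):
        print(pkt.proto, pkt.dport, "->", filter_packet(pkt))
    for finding in run_ids(SAMPLE_LOG):
        print(finding["src"], finding["alerts"], finding["path"][:60])
```

Note what each layer does and does not give you: the filter stops the share from being reached at all, but it cannot distinguish a legitimate request on port 80 from an attack on the web application, which is exactly the gap the IDS in step 4 covers. The IDS in turn only sees what it has a signature for, which is why slide 39 insists on regular updates.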
THE INFORMATION SECURITY PROCESS (jaco van graan)

25. Proactive or Reactive?
   Proactive:
   - Locate weaknesses before they are exploited
   - Controls in place
   - Cost effective in the long term
   Reactive:
   - No or weak controls
   - Try to plug security holes after the fact
   - Least effective
   - Costly

26. The Process (a cycle; the audit findings feed back into the policy)
   1. Threat/risk analysis
   2. Security policy creation
   3. Planning
   4. Policy enforcement / implementation
   5. Monitor & manage
   6. Intrusion detection
   7. Security audit

27. Threat/Risk Analysis
   - Value your assets (information/reputation).
   - Determine the acceptable level of loss.
   - Some losses will inevitably occur.
     - Eliminating ALL losses would be either too costly or impossible.
   - The level of acceptable losses needs to be set
     - It dictates how much you are willing to spend on security.
   - Set a time period for the acceptable losses.
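The risk arithmetic from slides 10, 13 and 27 as an added worked example (the editor's illustration, not from the presentation). The one assumption made here, which the slides do not state, is that "degree to which the vulnerability can be exploited" is expressed as the probability of compromise within one year; that lets value x exploitability be read as an expected loss, scaled to the chosen period and compared with the acceptable loss. The asset names and rand figures are constructed.

```python
from dataclasses import dataclass

# Editor's illustration of the risk formula (slide 13) and acceptable-loss reasoning (slide 27).
# Assumption (the editor's, not the slides'): exploitability is the probability, over one year,
# that the asset is actually compromised under the controls currently in place.


@dataclass(frozen=True)
class Asset:
    name: str
    value: float           # rand lost if the asset is fully compromised (constructed figures)
    exploitability: float  # 0.0 .. 1.0, annual probability of compromise


def risk(asset: Asset) -> float:
    """Slide 13: risk magnitude = value of the information x degree of exploitability."""
    if not 0.0 <= asset.exploitability <= 1.0:
        raise ValueError(f"{asset.name}: exploitability must be between 0 and 1")
    return asset.value * asset.exploitability


def risk_profile(assets, acceptable_loss: float, period_months: int) -> dict:
    """Slide 27: rank the assets, project the expected loss over the chosen period, and
    compare it with the loss the organisation has decided it can tolerate in that period."""
    ranked = sorted(assets, key=risk, reverse=True)
    annual_expected_loss = sum(risk(a) for a in assets)
    expected_loss = annual_expected_loss * period_months / 12
    excess = max(0.0, expected_loss - acceptable_loss)
    return {
        "ranked": [(a.name, risk(a)) for a in ranked],
        "expected_loss": expected_loss,
        "within_tolerance": expected_loss <= acceptable_loss,
        # Spending more than the excess to remove it costs more than the loss it prevents,
        # so the excess is the ceiling on what is rational to spend in this period.
        "spend_ceiling": excess,
    }


# Constructed figures for a small retailer; not data from the presentation.
SAMPLE_ASSETS = [
    Asset("customer database", value=2_000_000, exploitability=0.30),
    Asset("public web server", value=500_000, exploitability=0.80),
    Asset("brand reputation", value=5_000_000, exploitability=0.05),
]

if __name__ == "__main__":
    profile = risk_profile(SAMPLE_ASSETS, acceptable_loss=400_000, period_months=6)
    for name, magnitude in profile["ranked"]:
        print(f"{name:20s} R {magnitude:>12,.0f}")
    print(profile)
```

The ranking is the part that survives even if the probability estimates are rough: the customer database outranks the web server although the web server is far more exposed, because the value term dominates. That is the point of slide 13, and it is why the spend ceiling is derived from the loss figures rather than from whatever the product vendors are selling this year (slide 11).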
28. Security Policy
   A security policy helps to define what you consider to be valuable, and it specifies what steps should be taken to safeguard those assets.
   - Practical, understandable.
   - The control document.
   - Communicated.
   - Endorsed by management.
   - Applies to all users of the infrastructure.
   - Gives the security administrator a mandate.

29. Planning
   - Enforcement of controls: the security policy
   - Select products to ensure compliance
   - Determine the required implementation and maintenance skills
   - Evaluate the impact on the business

30. Planning
   - Resources
     - People
     - Time
     - $$$
   - Evaluate a possible security partner
     - Experience: references
     - Financial backing
     - Trust relationship
     - Support: training / skills transfer / SLAs
     - Product range

31. Implementation
   - Remember your exposure!
   - Security partner?
   - Schedule change control: the security policy
   - Inform all users / business partners
   - Ensure the skill level of the implementers
   - Roll-back plan

32. Manage & Monitor
   - Physical audit of the infrastructure
   - Responsibility handover
     - Security alerts, advisories, bug fixes
     - Equipment load
     - Configuration changes
   - Catch 'em! (If you can...)

33. Internal & External Audit
   - Collect and evaluate evidence to determine whether a computer system:
     - safeguards assets.
     - maintains data integrity.
     - allows the goals of an organisation to be achieved efficiently and effectively.
   - The security policy is the control document.
   - International standards: SAS 70; BS 7799.

34. Internal Audit
   - Comparable to a company's internal audit division.
   - Independence, thus not involved in implementation or operations.
   - Reports to the IT manager.

35. External Audit - Evaluation
   - Organisation
     - Independence
     - References
     - Experience
     - Certification
     - Cost
     - Ethics
     - Services offered
     - Backing: subsidiary / insurance

36. External Audit - Evaluation
   - Methodology
     - Certification / benchmark
     - Audit plan
     - Execution according to plan
     - Report
     - Recommendations & resolution

37. External Audit - Evaluation
   - Resources
     - Business skills
     - Experience: qualifications; certifications; professional bodies
     - Individual background
   - The brief: how, what, where?
     - Type: logical, physical or social
     - Restrictions / conditions
     - Internal / external

38. External Audit - Evaluation
   - Toolbox
     - Tool combinations: wider vulnerability exposure (no single scanner finds everything).
     - Proprietary or off the shelf.
   - Confidentiality.

39. Intrusion Detection
   - If all else fails...
   - Regular updates (a signature-based IDS only sees what it has a signature for).
   - Follow up of intrusion attempts.
   - Play it again, Sam.

40. Adjust Security Policy
   - Recommendations from internal & external audits.
   - New business requirements.
INFORMATION SECURITY CERTIFICATION (charl van der walt)

41. Definition
   The evaluation of the security of a computer system by a recognised third party. If the system being tested meets all the criteria it receives certification (often loosely called accreditation), which is an indication of the level of security of the system being tested.

42. Objective
   - To enforce structure on your security program
   - A means of assessing your own security
   - A means of measuring against best-of-breed
   - A means of convincing others of your security

43. Leading Standards
   - BS 7799
     - British Standards Institute
     - Outlines 10 control areas that must be addressed
     - Uses the c:cure scheme for accreditation
     - www.bsi.org.uk / www.bsi.org.za
     - www.c:cure.org
   - TCSEC
     - Trusted Computer System Evaluation Criteria
     - "Orange Book"
     - Published by the US Department of Defense (DoD 5200.28-STD); evaluations are run by the NSA's National Computer Security Center
     - Defines different 'levels' of trust
       - Minimal (D) -> Formally proven / verified design (A1)
     - www.radium.ncsc.mil/tpep

44. Leading Standards
   - ITSEC
     - Information Technology Security Evaluation Criteria
     - Recognised by most European countries
     - Concentrates on product evaluations
     - Defines different assurance levels (E0 - E6)
     - www.itsec.gov.uk
   - CCITSE
     - Common Criteria for IT Security Evaluation (ISO/IEC 15408)
     - Joint standard of the US, Canadian and European evaluation bodies
     - Successor to TCSEC and ITSEC
     - Defines assurance levels (EAL1 - EAL7) in the spirit of TCSEC, but the security requirements are expressed more flexibly
       - Protection Profiles
     - http://csrc.nist.gov/cc/

45. Leading Standards
   - ISO / GMITS
     - Guidelines to the Management of IT Security (ISO/IEC TR 13335)
     - Published by the JTC
       - Joint Technical Committee of ISO and IEC
     - www.iso.ch
     - www.diffuse.org/secure.html
   - COBIT
     - Control Objectives for Information and Related Technology
     - Information Systems Audit and Control Association
       - ISACA
     - 'Business oriented & practical'
     - www.isaca.org

46. Leading Standards
   - ICSA
     - International Computer Security Association
     - Commercial venture represented world-wide
     - Product certification and security assurance services
       - TruSecure
     - Internet focused
     - www.icsa.net
   - Ernst & Young SAS 70
     - Statement on Auditing Standards No. 70
     - American version of a similar international standard; issued by the AICPA, with Ernst & Young among the firms that perform SAS 70 reviews
     - Specifically for the outsourced environment
     - Business focused
     - www.ey.com

47. Is Certification for you?
   Yes, if:
   - You're a large corporation
   - You're publicly owned
   - You offer IT-based services to clients
   - You have legal obligations
   - You're comfortable with formal processes
   No, if:
   - You have a small, manageable infrastructure
   - Your only responsibility is to yourself
   - You have an informal culture and strong skills
   - You believe certification will make you secure

48. Choosing the right standard
   - Recognition: respect in your target market
   - Focus: support for your own security objectives
   - Local presence: a program that can be certified in SA
   - Total cost: good return on investment
   - Overhead: reasonable implementation time and life-span
   - Impact: a tangible effect on your systems

THE BOTTOM LINE (jaco van graan)

49. The Bottom Line
   1. Take security seriously
   2. Don't panic!
   3. Value your information
   4. Evaluate your risk
   5. Be requirement driven, not technology driven
   6. Enable your business

SECURITY TRENDS & STATISTICS (charl van der walt)

50. Likely source of attacks
   - Foreign government 21%
   - Foreign corporation 30%
   - Independent hackers 74%
   - US competitor 53%
   - Disgruntled employee 86%
   - Source: FBI / CSI Survey, 1999