Introduction to IT Security
Published on

Advances in technology have given rise to new operational threats to governments, companies and society as a whole. This presentation is an introduction to countermeasures against cyber threats.

Published in: Technology
  1. INTRO TO IT SECURITY
     By Cade Zvavanjanja, CISO, Gainful Information Security

  2. AGENDA
     - Information Security
     - Information Privacy
     - Risk Management
     - Opportunities & Markets
     - Some Examples

  3. HOLISTIC IT SECURITY
     (Diagram slide; only the labels are recoverable.) Information security sits at the hub of a set of disciplines that have to interlock:
     - Vetting / References
     - Disciplinary Procedure
     - Business Interfaces
     - Information Security Policies
     - Build Standards
     - Awareness & Training
     - IT/IS Threat Modelling
     - Anti-Virus
     - Security in Development / SDLC
     - Patch Management
     - Application Vulnerability Assessment
     - Data Storage
     - Penetration Testing
     - Configuration Reviews
     - Access Control
     - Encryption
     - Ecommerce Site Reviews
     - Firewalls
     - Legislative Compliance
     - Intrusion Detection

  4. INFORMATION WARFARE: THE MATRIX UPLOADED. SO WHAT?

  5. TODAY'S TREND
     - Terrorists
     - White Collar Crime
     - Insider / Espionage
     - Open Source Scripts
     - Disasters
     - Theft
     - ID Theft

  6. IT Security

  7. SO WHO CARES?
     You care about information security and privacy because:
     - Information security is a constant and critical need
     - Threats are becoming increasingly sophisticated
     - Countermeasures are evolving to meet the threats
     - You want to protect your assets and your privacy
     - You want to know what tools are available for protection
     - Information security, information privacy, and legal and compliance obligations are inter-related

  8. INCREASE IN SECURITY INCIDENTS
     (Two charts; figure text only.) Left: Symantec timeline 1995-2002 of malicious code infection attempts (scale 0-900M) against network intrusion attempts (scale 0-120,000), annotated with Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay) and Blended Threats (CodeRed, Nimda, Slammer). Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated; intrusion-attempt data from CERT. Right: CERT/CC reported vulnerabilities 1988-2003; total number of incidents reported from 1988-2003 is 319,992, an average yearly increase of 40%.

  9. SOME POLLS SUGGEST (source: CSO)
     Which of the following is the #1 priority?
     - Wireless Security (16%)
     - Spam / Anti-Virus (17%)
     - Identity Management (27%)
     - Disaster Recovery (21%)
     - Other (19%)
     Which of the following poses the greatest threat?
     - Natural Disaster (36%)
     - Terrorist Attack (12%)
     - Cyberattack (52%)

  10. SCARY DATA
     US Government Data
     - ID theft is perpetrated by hackers and their associates who steal personal information and identity (e.g. social security numbers) in order to commit various forms of fraud by assuming your identity
     - FTC reports that over 27.3 million Americans in the past 5 years reported their ID stolen
     - FTC survey revealed that ID theft cost consumers and business $53 billion in 2002
     - The FBI estimates that the number one threat to internet users is identity theft
     - Approximately 350,000 to 500,000 citizens fall victim to "ID theft" every year
     Industry Data
     - ID theft increased 81% in 2002
     - Main cause of fraud is ID theft
     - U.S.-based banks: 37 percent said identity theft significantly increased; 34 percent said it slightly increased; 24 percent said identity theft rates had stayed the same; 5 percent reported that the rates decreased

  11. CYBERTERRORISM
     "Cyberterrorism is any 'premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents.' Cyberterrorism is sometimes referred to as electronic terrorism or information war." (U.S. Federal Bureau of Investigation)

  12. INFORMATION WARFARE
     - Use of, or attacks on, information and information infrastructure to achieve strategic objectives
     - Tools in hostilities among:
       - Nations
       - Trans-national groups (companies, NGOs, associations, interest groups, terrorists)
       - Corporate entities (corporations, companies, government agencies)
       - Individuals

  13. LEVELS OF INFORMATION WARFARE
     - Against individuals: theft, impersonation; extortion, blackmail; defamation, racism
     - Against organizations: industrial espionage; sabotage; competitive intelligence
     - Against nations: disinformation, destabilization; infrastructure destabilization; economic collapse

  14. PRIME TARGETS
     - Companies with high hiring volatility: financial, communication, manufacturing, transportation and retail
     - Companies with lower volatility: utilities, government, healthcare and education
     - Areas: IDS, firewall, anti-virus, identity management; product design, policy; privacy vs. security; security administration; training and awareness

  15. POTENTIAL TARGETS AGAINST OUR INFRASTRUCTURE
     - Electricity
     - Transportation
     - Water
     - Energy
     - Financial
     - Information Technology
     - Emergency Services
     - Government Operations

  16. WHY USE CYBER WARFARE?
     - Low barriers to entry: laptops cost a lot less than tanks and bombs
     - Our world is dependent on computers, networks, and the Internet
     - Denial of service has economic, logistical, and emotional effect
     - Low cost to level the playing field

  17. INFORMATION WARFARE STRATEGIES
     The basic elements are:
     - Hacking
     - Malicious code
     - Electronic snooping
     - Old-fashioned human spying
     Mass disruption can be unleashed over the internet, but attackers must first compromise private and secure networks (i.e. Unclassified, Secret, Top Secret).

  18. WHAT ARE THE METHODS?
     - Password cracking
     - Viruses
     - Trojan horses / RATs
     - Worms
     - Denial-of-service attacks
     - E-mail impersonation
     - E-mail eavesdropping
     - Network packet modification
     - Network eavesdropping
     - Intrusion attacks
     - Network spoofing
     - Session hijacking
     - Packet replay
     - Packet modification
     - Cryptography
     - Steganography
     - Identity theft
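Password cracking heads the list above, and the reason it works so often is the way passwords are stored rather than the attacker's hardware. The example below is added here to illustrate that point; it is not code from the slides or from Gainful Information Security. It runs the same small dictionary attack against two constructed password stores: one of unsalted MD5 hashes, where a single hash of each candidate word is enough to test every user at once, and one of per-user salted PBKDF2-HMAC-SHA256 records, where every candidate has to be re-derived for every user at the configured iteration count. The user names, passwords, wordlist and iteration count are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed for this example: a tiny attacker wordlist.
WORDLIST = ["123456", "password", "letmein", "Winter2024", "qwerty", "dragon"]


def store_unsalted_md5(password: str) -> str:
    """The weak scheme: one fast hash, no salt, identical output for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """The stronger scheme: random per-user salt plus a slow, iterated KDF.

    Record format (an assumption of this example, not a standard): algo$iterations$salt_hex$dk_hex
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted_md5(store: dict, wordlist) -> dict:
    """Dictionary attack: hash each candidate ONCE, then look every user's hash up in the table."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def crack_pbkdf2(store: dict, wordlist) -> dict:
    """Same wordlist, but the salt forces a fresh derivation per user per candidate."""
    found = {}
    for user, record in store.items():
        for w in wordlist:
            if verify_pbkdf2(record, w):
                found[user] = w
                break
    return found


def demo(iterations: int = 50_000) -> dict:
    """Build both stores for three constructed users and attack each with the wordlist."""
    users = {"alice": "password", "bob": "Winter2024", "carol": "7c!Vq#9zLm&2pX"}  # carol is not in the wordlist
    md5_store = {u: store_unsalted_md5(p) for u, p in users.items()}
    kdf_store = {u: store_pbkdf2(p, iterations=iterations) for u, p in users.items()}
    return {
        "md5_cracked": crack_unsalted_md5(md5_store, WORDLIST),
        # one hash per candidate, reused for every user
        "md5_hash_ops": len(WORDLIST),
        "pbkdf2_cracked": crack_pbkdf2(kdf_store, WORDLIST),
        # worst case: every candidate, for every user, at the full iteration count
        "pbkdf2_hash_ops_max": len(WORDLIST) * len(users) * iterations,
    }


if __name__ == "__main__":
    print(demo())
```

Both attacks recover the same two weak passwords; what changes is the cost, which the salt multiplies by the number of users and the KDF multiplies by the iteration count. Salting also means two users who chose the same password get different records, which is what defeats precomputed tables.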
  19. HACKERS: INFORMATION WARRIORS?
     Inflicting damage
     - Alter, damage or delete information
     - Deny services
     - Damage public image
     Economic gain
     - Steal information
     - Blackmail
     - Financial fraud
     Personal motives
     - Retaliate or "get even"
     - Political or terrorism
     - Make a joke
     - Show off / just because
     Elite hackers
     - Black hat
     - Grey hat
     - White hat
     - No hat
     - Malicious code writers
     - Criminal enterprises
     - Trusted insiders

  20. THE TRADITIONAL HACKER ETHIC
     i.   Access to computers should be unlimited and total
     ii.  All information should be free
     iii. Mistrust authority; promote decentralization
     iv.  Hackers should be judged by their hacking, not by criteria such as age, race, etc.
     v.   You can create art and beauty on the computer
     vi.  Computers can change your life for the better

  21. GEOPOLITICAL HOTSPOTS: TRENDS
     (Map slide; labels by region.)
     - Western Europe: cyber-activists with anti-global / anti-capitalism goals; some malicious code
     - Eastern Europe / Russia: malicious code development; fraud and financial hacking
     - China: targeting Japan, U.S., Taiwan and perceived allies of those countries
     - U.S.: multiple hacker / cyber-activist / hacktivist groups; random targets
     - Middle East: Palestinian hackers target Israeli .il websites; some pro-Israel activity
     - India-Pakistan: worldwide targets; Kashmir-related and Muslim-related defacements
     - Brazil: multiple hacker groups, many mercenary; random targets

  22. A BALANCED SECURITY ARCHITECTURE
     A single, unifying infrastructure that many applications can leverage. A good security architecture:
     - Provides a core set of security services
     - Is modular
     - Provides uniformity of solutions
     - Supports existing and new applications
     - Contains technology as only one component of a complete security program
     - Incorporates policy and standards as well as people, process, and technology
     (Diagram: a triangle of Policy, Standards and Process; People; and Technology.)

  23. BASIC INFORMATION SECURITY COMPONENTS
     - AUTHENTICATION: How do we know who is using the service?
     - ACCESS CONTROL: Can we control what they do?
     - CONFIDENTIALITY: Can we ensure the privacy of information?
     - DATA INTEGRITY: Can we prevent unauthorized changes to information?
     - NON-REPUDIATION: Can we provide for non-repudiation of a transaction?
     - AUDITABILITY & AVAILABILITY: Do we know whether there is a problem? Do we know soon enough to take appropriate action? How do we minimize or contain the problem? How do we prevent denial of service?
  24. DATA GOVERNANCE & CONTROLS
     (Matrix slide; the cell marks are not recoverable from the extracted text.) Rows are the layers of the Information Management Infrastructure (IMI): Application, Networks, Infrastructure, OS. Columns are the controls: Non-repudiation, Authentication, Confidentiality, Data Integrity, Auditability, Access Control, Availability. The threats mapped against them are disclosure of information, unauthorized access, loss of integrity and denial of service.

  25. INFORMATION SECURITY CONTROL AREAS
     - Information Security Policies
     - Roles and Responsibilities
     - Asset Classification and Handling
     - Personnel Security
     - Physical Security
     - System and Operations Management Controls
     - General Access Controls
     - System Development Life Cycle
     - Business Continuity
     - Compliance, Legal and Regulatory

  26. WHAT IS @RISK?
     - Financial & Monetary Loss Risk: payroll information leakage
     - Reputation Risk: distributed attacks from campus; terrorism; laptop theft; ID theft
     - Litigation & Regulatory Risk: HIPAA, GLB, California SB 1386

  27. INFORMATION SECURITY BODIES, STANDARDS & PRIVACY LAWS
     Standards & Privacy Laws
     - British Standard BS 7799 / ISO 17799
     - UK Data Protection Act 1998 (DPA), implementing the EU Data Protection Directive
     - Health Insurance Portability and Accountability Act (HIPAA)
     - Fair Credit Reporting Act (FCRA)
     National Institute of Standards & Technology (www.NIST.gov)
     - Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration.
     - NIST's mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
     Computer Emergency Response Team (www.cert.org)
     - The CERT Coordination Center (CERT/CC) is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

  28. Information Privacy

  29. PRIVACY GOVERNANCE ARCHITECTURE
     (Diagram slide.) The governance wheel carries the labels Process, Opt-in / Opt-out, Security / Privacy, Organization, Compliance, Policy, Technology, Regulatory Requirement and People. Beneath it, three programme stages:
     - Planning and Strategy: privacy strategy; data classification analysis; privacy teams; policy development; policy update plans; decision management; privacy support architecture; awareness
     - Program Metrics: privacy risk assessments; data governance; vendor governance; technology planning; business process review; information security; information privacy
     - Program Maturity: external support infrastructure; privacy auditing; incident response; crisis management; knowledge management; consumer support infrastructure; open source intelligence

  30. HIGH LEVEL OVERVIEW (privacy incident response process)
     (Cycle diagram; stages and their activities.)
     - Detection: detect the incident; identify the source; log the incident; reduce false positives
     - Assessment: determine scope; assemble the response team; collect and sort facts; engage the digital forensics process
     - Containment: technology containment; process containment; procedure containment
     - Analysis: collect evidence; engage a 3rd party where needed
     - Resolution & Reporting: notify the client; notify regulators; remediate; analyze long-term effects; analyze lessons learned
     Digital forensics runs alongside the assessment, containment and analysis stages.
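The Detection stage above asks for three things at once: detect the incident, log it with enough scope for the assessment stage, and reduce false positives. The example below is added to show what that looks like as a concrete rule and is not code from the slides or from Gainful Information Security. It parses a constructed block of sshd-style log lines, flags any source that produces at least a threshold of failed logins inside a time window, raises the severity when a successful login from the same source follows the burst, and suppresses sources on an allowlist (an authorised vulnerability scanner in the sample), which is the false-positive control. The log lines, host names, addresses, threshold and window are all made up for the demonstration; a two-failure typo by a legitimate user is included to show that it stays below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like sshd lines); not real traffic.
SAMPLE_LOG = """\
Mar 10 08:00:01 web1 sshd[2001]: Failed password for admin from 203.0.113.5 port 51022 ssh2
Mar 10 08:00:03 web1 sshd[2002]: Failed password for admin from 203.0.113.5 port 51023 ssh2
Mar 10 08:00:04 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 10 08:00:06 web1 sshd[2004]: Failed password for admin from 203.0.113.5 port 51025 ssh2
Mar 10 08:00:07 web1 sshd[2005]: Failed password for oracle from 203.0.113.5 port 51026 ssh2
Mar 10 08:00:09 web1 sshd[2006]: Accepted password for admin from 203.0.113.5 port 51027 ssh2
Mar 10 08:05:00 web1 sshd[2010]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar 10 08:05:30 web1 sshd[2011]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar 10 08:06:00 web1 sshd[2012]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
Mar 10 08:10:00 web1 sshd[2020]: Failed password for invalid user scanner from 10.0.0.9 port 33000 ssh2
Mar 10 08:10:01 web1 sshd[2021]: Failed password for invalid user scanner from 10.0.0.9 port 33001 ssh2
Mar 10 08:10:02 web1 sshd[2022]: Failed password for invalid user scanner from 10.0.0.9 port 33002 ssh2
Mar 10 08:10:03 web1 sshd[2023]: Failed password for invalid user scanner from 10.0.0.9 port 33003 ssh2
Mar 10 08:10:04 web1 sshd[2024]: Failed password for invalid user scanner from 10.0.0.9 port 33004 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse(log_text: str) -> list:
    """Turn matching lines into events; lines that do not match the pattern are ignored."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
                "result": m["result"], "user": m["user"], "src": m["src"],
            })
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text: str, threshold: int = 5, window_s: int = 60, allowlist=frozenset()) -> list:
    """One incident record per offending source, with the scope the assessment stage needs."""
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for e in parse(log_text):
        by_src[e["src"]].append(e)

    incidents = []
    for src, evs in by_src.items():
        if src in allowlist:          # false-positive control: known scanners / monitoring hosts
            continue
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):   # sliding window over the failures from this source
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst = fails[i:j]
                success = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst[-1]["ts"]]
                incidents.append({
                    "source": src,
                    "severity": "high" if success else "medium",
                    "failures": len(burst),
                    "accounts_targeted": sorted({e["user"] for e in burst}),
                    "compromised": sorted({e["user"] for e in success}),
                    "first_seen": burst[0]["ts"].strftime("%H:%M:%S"),
                    "last_seen": burst[-1]["ts"].strftime("%H:%M:%S"),
                })
                break                 # log one incident per source; later bursts extend the same case
    return incidents


if __name__ == "__main__":
    for inc in detect(SAMPLE_LOG, allowlist={"10.0.0.9"}):
        print(inc)
```

Run without the allowlist the scanner shows up as a second, medium-severity incident, which is exactly the noise the "reduce false positives" step is there to remove; the compromised-account field is what turns a detection into something the assessment and containment stages can act on.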
  31. Information Security & Privacy Risk Management

  32. RISK MITIGATION
     - 100% risk mitigation, not 100% control
     - A good Information Management Infrastructure (IMI) that:
       - Provides a modular core set of controls
       - Supports existing infrastructures and new applications
       - Incorporates policy and standards, people, process, and technology
       - Provides a horizontal and vertical risk assessment program
       - Provides a collaborative issues resolution system
     - Balanced IMI risk mitigation:
       - Vertical: up-and-down controls in branches and business units
       - Horizontal: policies, best practices, processes and priorities across the organization
     (Diagram: a triangle of People; Policies, Standards & Guidelines; and Information Technology, with a self-adjusting or automatic equilibrium point at its centre.)

  33. RISK MANAGEMENT METHODOLOGY
     - Risk Assessment
     - Risk Tolerance
     - Organizational Dynamics
     - Point of Balance
     - Key Risk Indicator
     - Risk Takers

  34. KEY RISK INDICATORS
     Inputs to the risk evaluation model:
     - Asset Value
     - Stakeholders
     - Pen Testing
     - Site Reviews
     - Vendor Audit Reviews
     - Regulatory Compliance
     - Self Assessment
     - Loss Amount / ROI
     - Security & Privacy Incidents
     - Business Impact
     Output: Risk Rating

  35. Market Opportunities

  36. DEMAND (based on Gartner studies)
     - General IT staff outsourcing has gone up 24% since the US recession ended
     - Growth in IT staff augmentation will be limited and in single digits
     - Security outsourcing is trending up:
       - Identity management
       - Vulnerability assessment
       - Operations
       - Firewall management, anti-virus and IDS

  37. INFOSEC PEOPLE
     Typical contract roles:
     - Business Intelligence
     - Business Analysis
     - Risk Management
     - Information Security Officer
     - Information Privacy Officer
     - Digital Forensics Experts
     Services:
     - Job seeker support, to help professionals identify new career opportunities when they are unemployed or contingency searching due to circumstances at their workplace
     - Contractor placement, to help independent contractors identify and secure short- and long-term contract work based on hourly rates
     - Corporate candidate search, to help clients identify candidates for new or vacant positions, as well as contingency searching to stage replacement of human resources

  38. TYPES OF RECRUITING
     - Contract & Temporary: constant, spread-based; profit margins are small; limited; hourly, weekly, monthly
     - Permanent: one-time, commission-based; entry level; mid level; management, technical, operations, design & architecture
     - Outsourcing: profit margins are high

  39. Some Examples

  40. WHAT IS SOCIAL ENGINEERING?
     Social engineering is the art and science of using deception to trick one or more human beings into doing what an attacker wants them to do, or into revealing information that compromises a target's security. Classic social engineering scams include posing as a field service technician and calling an operator to reveal private information such as passwords. Social engineering is an evolving art that uses the simplest and most creative schemes and involves minimal technical expertise.

  41. TERRORISTS AND STEGANOGRAPHY?

  42. Thank You
     Tel: +236 733 782 490, +263 773 796 365, +263 4 733 117
     Email: info@gis.co.zw, cade@gis.co.zw
     Web: www.gis.co.zw