The cyberwar strategy relies on hacking, virus writing, electronic snooping and plenty of good old-fashioned human spying. Much disruption can be unleashed over the Internet, but attackers first need to pry open electronic gates to private and secure networks with well-placed insiders, or at least inside knowledge, before they can be effective.
Source: Far Eastern Economic Review, Copyright (c) 2001, Dow Jones & Company, Inc., Thursday, August 16, 2001, Innovation, Cyberwar, Combat on The Web; Charles Bickers in Tokyo
Take some of the examples and put them in a concrete context. Probe participants on what they are currently doing to protect against some of these methods. DO NOT GO INTO DETAIL IN THIS MODULE, WE COME BACK TO THIS LATER.
The bullets are just examples of the three main motives. Be sure to exemplify most of them. Invite participants to come up with other motives and see if they fit into the three top categories. There is no direct relationship between threats and motives; basically any mix is possible. However, the teen hackers are mostly hacking for personal motives, while criminals almost exclusively do it for economic gain.
From an information management perspective, we divide the infrastructure into three distinct areas:
Network – This is the communication infrastructure that carries traffic for e-commerce and can be internet based as well as private. This includes:
• Wide Area, Local Area and Metro Area Networks
• Storage Area Networks
• Wireless Networks
• Voice Networks
Application – This logical structure includes all of the applications that are currently used to create efficiencies in the workplace.
Operating System (OS) – This is the nucleus that makes both communication and application functions possible. This includes clients, servers and mainframes:
• Mainframe
• UNIX
• MAC
• Windows X
The security & privacy dimensions of this model that need to be addressed any time data is accessed are the following:
• Authentication
• Confidentiality
• Access Controls
• Data Integrity
• Auditability
• Non-Repudiation
• Availability
Detection – Incidents are detected from many sources such as People, Customer Service Desks, Audits, Alerts and the Technology Trouble Ticket System.
Assessment – Determine scope and assemble Response Team members.
Analysis – Classify the incident; determine actions and possible escalation requirements; and work with the Response Team to determine actions.
Containment – Activities designed to keep the incident from escalating in severity and to limit the number of affected clients.
Forensics – When required, identify, preserve, and analyze potential evidence.
Resolution/Recovery – Determine the extent of damage and the type of response needed; prepare necessary resolution statements (e.g. notification letter, inbound and outbound scripts). Evaluate whether notification is necessary and then document lessons learned. It is at this stage that other major stakeholders may be involved, such as Human Resources, OGC, Public Relations, Physical Security and Law Enforcement.
Introduction to IT Security
INTRO TO IT SECURITY
By Cade Zvavanjanja, CISO, Gainful Information Security
AGENDA
• Information Security
• Information Privacy
• Risk Management
• Opportunities & Markets
• Some Examples
HOLISTIC IT SECURITY
[Diagram: Information Security Disciplinary Interfaces and Business Interfaces – Vetting / References; Policies; Procedures; Build Standards; Awareness & Training; IT/IS Threat Modelling; Anti-Virus; Security in Development / SDLC; Patch Management; Application Vulnerability Assessment; Data Storage; Penetration Testing; Configuration Reviews; Testing; Access Control; Encryption; Ecommerce Site Reviews; Firewalls; Legislative Compliance; Intrusion Detection]
INFORMATION WARFARE: THE MATRIX UPLOADED – SO WHAT?
TODAY’S TREND
• Terrorists
• White Collar Crime
• Insider/Espionage
• Open Source
• Disasters
• Theft
• Scripts
• ID Theft
SO WHO CARES?
You care about information security and privacy because:
• Information security is a constant and a critical need
• Threats are becoming increasingly sophisticated
• Countermeasures are evolving to meet the threats
• You want to protect your assets and privacy
• You want to know what tools are there for protection
• Information security, information privacy, and legal and compliance are inter-related
INCREASE IN SECURITY INCIDENTS
[Chart: Infection Attempts* (0–900M) and Network Intrusion Attempts** (0–120,000), 1995–2002. Milestones: Polymorphic Viruses (Tequila); Zombies; Malicious Code; Mass Mailer Viruses (Love Letter/Melissa); Denial of Service (Yahoo!, eBay); Blended Threats (CodeRed, Nimda, Slammer). *Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated. **Source: CERT]
[Chart: CERT/CC Reported Vulnerabilities 1988–2003. Total number of incidents reported from 1988–2003 is 319,992; average yearly increase of 40%]
SOME POLLS SUGGEST (Source: CSO)
Which of the following is the #1 priority?
• Wireless Security (16%)
• Spam/AntiVirus (17%)
• Identity Management (27%)
• Disaster Recovery (21%)
• Other (19%)
Which of the following poses the greatest threat?
• Natural Disaster (36%)
• Terrorist Attack (12%)
• Cyberattack (52%)
SCARY DATA
US Government Data
• ID theft is perpetrated by hackers and their associates who steal personal information and identity (e.g. social security numbers) in order to commit various forms of fraud by assuming your identity
• FTC reports that over 27.3 million Americans in the past 5 years reported their ID stolen
• FTC survey revealed that ID theft costs consumers and business 53 billion in 2002
• The FBI estimates that the number one threat to internet users is identity theft
• Approximately 350,000 to 500,000 citizens fall victim to “id theft” every year
Industry Data
• ID theft increased to 81% in 2002
• Main cause for fraud is ID theft
• U.S.-based banks: 37 percent said identity theft significantly increased; 34 percent said it slightly increased; 24 percent said identity theft rates had stayed the same; 5 percent reported that the rates decreased
CYBERTERRORISM
“Cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents." Cyberterrorism is sometimes referred to as electronic terrorism or information war.” – U.S. Federal Bureau of Investigation
INFORMATION WARFARE
Use of or attacks on information and information infrastructure to achieve strategic objectives. Tools in hostilities among:
• Nations
• Trans-national groups (companies, NGOs, associations, interest groups, terrorists)
• Corporate entities (corporations, companies, government agencies)
• Individuals
LEVELS OF INFORMATION WARFARE
Against individuals
• Theft, impersonation
• Extortion, blackmail
• Defamation, racism
Against organizations
• Industrial espionage
• Sabotage
• Competitive intelligence
Against nations
• Disinformation, destabilization
• Infrastructure destabilization
• Economic collapse
PRIME TARGETS
Companies with hiring volatilities
• Financial, communication, manufacturing, transportation and retail
Companies with lower volatility
• Utilities, government, healthcare and education
Areas
• IDS, Firewall, Anti virus, Identity management
• Product design, policy
• Privacy vs. Security
• Security administration
• Training and awareness
POTENTIAL TARGETS AGAINST OUR INFRASTRUCTURE
• Electricity
• Transportation
• Water
• Energy
• Financial
• Information Technology
• Emergency Services
• Government Operations
WHY USE CYBER WARFARE?
• Low barriers to entry – laptops cost a lot less than tanks and bombs
• Our world is dependent on computers, networks, and the Internet
• Denial of service has economic, logistical, and emotional effect
• Low cost to level the playing field
INFORMATION WARFARE STRATEGIES
The basic elements are:
• Hacking
• Malicious code
• Electronic snooping
• Old-fashioned human spying
Mass disruption can be unleashed over the internet, but attackers must first compromise private and secure networks (i.e. Unclassified, Secret, Top Secret).
HACKERS: INFORMATION WARRIORS?
Inflicting damage
• Alter, damage or delete information
• Deny services
• Damage public image
Economic gain
• Steal information
• Blackmail
• Financial fraud
Personal motives
• Retaliate or “get even”
• Political or terrorism
• Make a joke
• Show off / Just Because
Who
• Elite Hackers
• Black Hat, Grey Hat, White Hat, No hat
• Malicious Code Writers
• Criminal Enterprises
• Trusted Insiders
THE TRADITIONAL HACKER ETHIC
i. Access to computers should be unlimited and total
ii. All information should be free
iii. Mistrust authority – promote decentralization
iv. Hackers should be judged by their hacking, not criteria such as age, race, etc.
v. You can create art and beauty on the computer
vi. Computers can change your life for the better
GEOPOLITICAL HOTSPOTS – TRENDS
• WESTERN EUROPE: Cyber-activists with anti-global/anti-capitalism goals; some malicious code
• EASTERN EUROPE/RUSSIA: Malicious code development; fraud and financial hacking
• CHINA: Targeting Japan, U.S., Taiwan and perceived allies of those countries
• U.S.: Multiple hacker/cyber-activist/hacktivist groups; random targets
• MIDDLE EAST: Palestinian hackers target Israeli .il websites; some pro-Israel activity
• INDIA-PAKISTAN: Worldwide targets, Kashmir-related and Muslim-related defacements
• BRAZIL: Multiple hacker groups, many mercenary; random targets
A BALANCED SECURITY ARCHITECTURE
Single, unifying infrastructure that many applications can leverage. A good security architecture:
• Provides a core set of security services
• Is modular
• Provides uniformity of solutions
• Supports existing and new applications
• Contains technology as one component of a complete security program
• Incorporates policy and standards as well as people, process, and technology
[Diagram: People – Policy, Standards, and Process – Technology]
BASIC INFORMATION SECURITY COMPONENTS
• AUTHENTICATION: How do we know who is using the service?
• ACCESS CONTROL: Can we control what they do?
• CONFIDENTIALITY: Can we ensure the privacy of information?
• DATA INTEGRITY: Can we prevent unauthorized changes to information?
• NONREPUDIATION: Can we provide for non-repudiation of a transaction?
• AUDITABILITY & AVAILABILITY: Do we know whether there is a problem? Whether it’s soon enough to take appropriate action? How to minimize/contain the problem? How to prevent denial of service?
DATA GOVERNANCE & CONTROLS
[Matrix: Information Management Infrastructure (IMI) layers – Application, Networks, OS – mapped against threats (Disclosure of information, Unauthorized access, Loss of integrity, Denial of service) and controls (Authentication, Access Control, Confidentiality, Data Integrity, Auditability, Non-repudiation, Availability)]
INFORMATION SECURITY CONTROL AREAS
• Information Security Policies
• Roles and Responsibilities
• Asset Classification and Handling
• Personal Security
• Physical Security
• System and Operations Management Controls
• General Access Controls
• System Development Life Cycle
• Business Continuity
• Compliance, Legal and Regulatory
WHAT IS @RISK?
• Financial & Monetary Loss Risk
• Reputation Risk
• Litigation & Regulatory Risk – HIPAA, GLB, CA 1386
Examples: Payroll information leakage; Distributed attacks from campus; Terrorism; Laptop theft; ID Theft
INFORMATION SECURITY BODIES, STANDARDS & PRIVACY LAWS
Standards & Privacy Laws
• British Standards (ISO 17799)
• EU Data Protection Act of 1998 (DPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Fair Credit Reporting Act (FCRA)
National Institute for Standards & Technology (www.NIST.gov): Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration. NIST’s mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
Computer Emergency Response Team (www.cert.org): The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
PRIVACY GOVERNANCE ARCHITECTURE
[Diagram: Process, Opt-in/out, Security/Privacy, Organization, Compliance, Policy, Technology, Regulatory Requirement, People]
Planning and Strategy
• Privacy Strategy
• Data Classification Analysis
• Privacy Teams
• Policy Development
• Policy Update Plans
• Decision Management
• Privacy Support Architecture
• Awareness
Program
• Privacy Risk Assessments
• Data Governance
• Vendor Governance
• Technology Planning
• Business Process Review
• Information Security
• Information Privacy
Metrics / Program Maturity
• External Support Infrastructure
• Privacy Auditing
• Incident Response
• Crisis Management
• Knowledge Management
• Consumer Support Infrastructure
• Open Source Intelligence
HIGH LEVEL OVERVIEW – PRIVACY INCIDENT RESPONSE PROCESS
Detection
- Detect incident
- Identify source of identified incident
- Log incident
- Reduce false positives
Assessment
- Determine scope
- Assemble Response Team
- Collect & sort facts
Analysis
- Determine scope
- Assemble Response Team
- Collect & sort facts
- Engage 3rd party
Containment
- Technology containment
- Process containment
- Procedure containment
Digital Forensics
- Engage digital forensics process
- Collect evidence
Resolution & Reporting
- Notify client
- Notify regulators
- Remediate
- Analyze long term effects
- Analyze lessons learned
Information Security & Privacy Risk Management
RISK MITIGATION
100% Risk Mitigation and not 100% control. Good Information Management Infrastructure that:
• Provides a modular core set of controls
• Supports existing infrastructures and new applications
• Incorporates policy and standards, people, process, and technology
• Provides a horizontal and vertical risk assessment program
• Provides a collaborative issues resolution system
Balanced Information Management Infrastructure (IMI) Risk Mitigation
• Vertical – up and down controls in branches and business units
• Horizontal – policies, best practices, processes and priorities across the organization
[Diagram: People – Policies, Standards & Guidelines – Information Technology; SELF or AUTOMATIC Equilibrium Point]
RISK MANAGEMENT METHODOLOGY
• Risk Assessment
• Risk Tolerance
• Organizational Dynamics
• Point of Balance
• Key Risk Indicator
• Risk Takers
KEY RISK INDICATORS
[Diagram: Asset Value, Stakeholders, Pen Testing, Site Reviews, Vendor Audit Reviews, Regulatory Compliance, Self Assessment, Security & Privacy Incidents, Loss Amount/ROI, Business Impact → Risk Evaluation Model → Risk Rating]
DEMAND – BASED ON GARTNER STUDIES
• General IT staff outsourcing has gone up 24% since the US recession was over
• Growth in IT staff augmentation will be limited and in single digits
• Security outsourcing is trending up: Identity management; Vulnerability Assessment; Operations; Firewall management, anti virus and IDS
INFOSEC PEOPLE
Typical jobs for contract
• Business Intelligence
• Business Analysis
• Risk Management
• Information Security Officer
• Information Privacy Officer
• Digital Forensics Experts
Services
• Job seeker support to help professionals identify new career opportunities when they are unemployed or contingency searching due to circumstances at their workplace;
• Contractor placement to help independent contractors identify and secure short and long term contract work based on hourly rates; and
• Corporate candidate search to help clients identify candidates for new or vacant positions, as well as contingency searching to stage replacement of human resources
TYPES OF RECRUITING
• Contract & Temporary – constant spread based; profit margins are small; limited; hourly, weekly, monthly
• Permanent – one-time commission based; entry levels; mid levels; Management, Technical, Operations, Design & Architecture
• Outsourcing – profit margins are high
WHAT IS SOCIAL ENGINEERING?
Social Engineering is the art and science of tricking one or more human beings into doing what an attacker wants them to do, or into revealing information that compromises a target’s security. Classic Social Engineering scams include posing as a field service technician and calling an operator to get them to reveal private information such as passwords and the like. Social Engineering is an evolving art that uses the simplest and most creative schemes and involves minimal technical expertise.