2. Tension between Business Drivers and Information Security Risks
Managing security is a balancing act between providing versatile solutions to support business objectives while reducing security risks.
DLP-focused visual (slide diagram; labels as they appear on the slide):
- Outsourced Workers
- Insiders / Trusted Employees
- Third Party Workers
- Competitors
- Cyber Criminals
- Phishers
- Cloud Computing
- Mass Storage
- Online Services
- ISO27001 Certification
- Confidential Information: Intellectual Property, Trade Secrets, Source Code, Customer Data, Personal Data, Product Information, Proposals, Designs
- Extended Business Models
- Bring Your Own Mobile Devices
- Advanced Persistent Threats (APT)
- Increase in Web Based Services
- Privacy & Cyber Security Laws
- Increase in Customer Requirements
- Increase in User-Dependent Risks
- Network Storage
- Move towards Trust & Verify Security model
- Customer Security Audits
- Expanded Contractual Requirements
- Business Demands for Simplification
- Continued Cost Pressures
3. Key Principles of Information Security
- Confidentiality: ensuring that information is accessible only to those authorised to have access.
- Integrity: safeguarding the accuracy and completeness of information and processing methods.
- Availability: ensuring that authorised users have access to information and associated assets when required.
5. Risk Based Approach for the ISMS
Diagram labels: Threats; Assets; Security Controls and Policies; YIELD.
- None or minimal security policies/controls allow vulnerabilities to be exploited.
- Partial security controls/policies have limited effect.
- Holistic security policies/controls provide a robust approach.
6. Information Security Framework (ISMS/CAS-T) Implementation
Continuous process (Plan, Do, Check, Act):
Plan
- ISMS is established and scoped
- Risks are analysed, using HMG IA Standard No. 1 Technical Risk Assessment (IS1)
- Risk treatment plan developed
- Applicable controls (countermeasures) are identified
- Availability performance must be analysed and documented
Do
- Gap analysis, including penetration testing
- Fix programme
Check
- IL2 audit
- Preparation (Stage 1): check the completeness of the ISMS
- Implementation (Stage 2): further inspect documentation and undertake interviews
Act
- Remedial programme: ongoing process of continual improvement, corrective and preventive action
7. ISO 27002:2005 - Code of practice for information security management
Information security management best practice (12 information security controls and control objectives):
- Risk Assessment & Treatment
- Security Policy
- Organisation of Information Security
- Asset Management
- Human Resource Security
- Physical & Environmental Security
- Communications & Operations Security
- Access Control
- Information systems acquisition, development & maintenance
- Incident Management
- Business continuity management
- Compliance
8. ISO 27001 2013 Update
- New ISO 27001 structure: additional ‘working clauses’
- Less prescriptive: organisations can implement requirements to suit
- Top management leadership needs to be more demonstrable & active
- Objectives, monitoring/metrics: greater emphasis
- Terminology changes: information security policy replaces ISMS policy
- ISO 27002 133 controls reduced to 114 controls: merges, deletions/additions & more guidance
9. ITU-T X.805 Security Model
Diagram (developed by Bell Labs): the three security layers (Infrastructure Security, Services Security, Applications Security) are crossed by the three security planes (end user security, control/signalling security, management security), with Threats & Attacks applied against them.
10. ITU-T X.800 Threat Model
1. DESTRUCTION: destruction of information and/or network resources
2. CORRUPTION: unauthorized tampering with an asset
3. REMOVAL: theft, removal or loss of information and/or other resources
4. DISCLOSURE: unauthorized access to an asset
5. INTERRUPTION: interruption of services, network becomes unavailable or unusable
11. How the Security Dimensions Map to the Security Threats
Columns (security threats): DESTRUCTION | CORRUPTION | REMOVAL | DISCLOSURE | INTERRUPTION
SECURITY DIMENSION
ACCESS CONTROL ✔ ✔ ✔ ✔
AUTHENTICATION ✔ ✔
NON-REPUDIATION ✔ ✔ ✔ ✔ ✔
DATA CONFIDENTIALITY ✔ ✔
COMMUNICATION SECURITY ✔ ✔
DATA INTEGRITY ✔ ✔
AVAILABILITY ✔ ✔
PRIVACY ✔
(✔ marks a threat the dimension addresses; the column alignment of the ✔ marks is not preserved here)
12. Addressing Security Threats
Columns (responses): ENCRYPTION | IDS/IPS | FIREWALL | SYSTEM HARDENING
THREAT
Network data interception - man-in-the-middle attack ✔ ✔ ✔
Intruder gains control of roadside camera ✔ ✔ ✔
Disgruntled employee or subcontractor with malicious intent ✔ ✔ ✔
Intruder bypasses physical security and gets into transmission station ✔ ✔ ✔ ✔
Gain access to control network through corporate network ✔ ✔ ✔
Malware introduction ✔ ✔ ✔
Access protected data ✔ ✔ ✔
Remote-access-based attacks ✔ ✔ ✔
DDoS attacks from the internet ✔ ✔ ✔
(✔ marks a response that addresses the threat; the column alignment of the ✔ marks is not preserved here)
13. Telecoms Network & Attack Vectors
Network diagram (labels): IP/MPLS network; internet; PABX; NOC; SCADA; IP/MPLS network management (5620 SAM); LAN; CCTV; TPR; telephone; database; router; TRANSMISSION CENTRE (two sites); REGIONAL CONTROL CENTRE; attack vector markers.
15. Secured Network
Network diagram (same topology as slide 13) with added controls: IDS, firewall, encryption, NAT, System Hardening. Labels: IP/MPLS network; internet; PABX; NOC; SCADA; IP/MPLS network management (5620 SAM); LAN; CCTV; TPR; telephone; database; TRANSMISSION CENTRE (two sites); REGIONAL CONTROL CENTRE.
16. Conclusions
- Build a robust information security governance structure.
- Adopt a risk-based approach to information security: always consider information security at the start to minimise future rework costs.
- Follow good information security practice.
- Assure the effective management of technical and non-technical security controls.
- Promote security awareness: the human element is always the most significant threat!