© 2012 Fluor Corporation. All Rights Reserved.
A Case Study on Information Security and Cyber Risks Implementation on an IP/MPLS Network
Gabriel Ozique & Peter Crumpton
Tension between Business Drivers and Information Security Risks
Managing Security is a balancing act between providing versatile solutions to support business objectives while reducing security risks
• DLP-Focused Visual
Outsourced Workers
Insiders Trusted Employees
Third Party Workers
Competitors
Cyber Criminals
Phishers
Cloud Computing
Mass Storage
Online Services
ISO27001 Certification
Confidential Information
Intellectual Property
Trade Secrets
Source Code
Customer Data
Personal Data
Product Information
Proposals
Designs
Extended Business Models
Bring Your Own Mobile Devices
Advanced Persistent Threats (APT)
Increase in Web Based Services
Privacy & Cyber Security Laws
Increase in Customer Requirements
Increase in User-Dependent Risks
Network Storage
Move towards Trust & Verify Security model
Customer Security Audits
Expanded Contractual Requirements
Business Demands for Simplification
Continued Cost Pressures
Key Principles of Information Security
Confidentiality: Ensuring that information is accessible only to those authorised to have access
Integrity: Safeguarding the accuracy and completeness of information and processing methods
Availability: Ensuring that authorised users have access to information and associated assets when required
People-Process-Technology Combined Approach
Risk Based Approach for the ISMS
Threats Assets
YIELD
Security Controls and Policies
None or minimal security policies/controls allow vulnerabilities to be exploited
Partial security controls/policies have limited effect
Holistic security policies/controls provide a robust approach
Information Security Framework (ISMS/CAS-T) Implementation
Plan
• ISMS is established and scoped
• Risks are analysed – Using HMG IA Standard No. 1 Technical Risk Assessment (IS1)
• Risk treatment plan developed
• Applicable controls (countermeasures) are identified
• Availability Performance must be analysed and documented
Do
• Gap Analysis – including penetration testing
• Fix programme
Act
• Remedial Programme – Ongoing process of continual improvement, corrective and preventive action
Check
IL2 audit
• Preparation – Stage 1 - Check the completeness of the ISMS
• Implementation – Stage 2 - Further inspect documentation and undertake interviews
Continuous Process
ISO 27002:2005 - Code of practice for information security management
Information security management best practice (12 information security controls and control objectives)
• Risk Assessment & Treatment
• Security Policy
• Organisational of Security Policy
• Asset Management
• Human Resource Security
• Physical & Environmental Security
• Communications & Operations Security
• Access Control
• Information systems acquisition, development & maintenance
• Incident Management
• Business continuity management
• Compliance
ISO 27001 2013 Update
• New ISO 27001 Structure – additional ‘working clauses’
• Less prescriptive – organisations can implement requirements to suit
• Top Management Leadership – needs to be more demonstrable & active
• Objectives, Monitoring/Metrics – greater emphasis
• Terminology Changes – information security policy replaces ISMS policy
• ISO 27002 133 controls reduced to 114 controls – merges, deletions/additions & more guidance
ITU-T X.805 Security Model
end user security
control/signalling security
management security
INFRASTRUCTURE SECURITY
SERVICES SECURITY
APPLICATIONS SECURITY
THREATS & ATTACKS
(Developed by Bell Labs)
ITU-T X.800 Threat Model
1. DESTRUCTION: destruction of information and/or network resources
2. CORRUPTION: unauthorized tampering with an asset
3. REMOVAL: theft, removal or loss of information and/or other resources
4. DISCLOSURE: unauthorized access to an asset
5. INTERRUPTION: interruption of services, network becomes unavailable or unusable
How the Security Dimensions Map to the Security Threats
SECURITY DIMENSION DESTRUCTION CORRUPTION REMOVAL DISCLOSURE INTERRUPTION
ACCESS CONTROL ✔ ✔ ✔ ✔
AUTHENTICATION ✔ ✔
NON-REPUDIATION ✔ ✔ ✔ ✔ ✔
DATA CONFIDENTIALITY ✔ ✔
COMMUNICATION SECURITY ✔ ✔
DATA INTEGRITY ✔ ✔
AVAILABILITY ✔ ✔
PRIVACY ✔
Addressing Security Threats
THREAT RESPONSE ENCRYPTION IDS/IPS FIREWALL SYSTEM HARDENING
Network data interception - man-in-the-middle attack ✔ ✔ ✔
Intruder gains control of roadside camera ✔ ✔ ✔
Disgruntled employee or subcontractor with malicious intent ✔ ✔ ✔
Intruder bypasses physical security and gets into transmission station ✔ ✔ ✔ ✔
Gain access to control network through corporate network ✔ ✔ ✔
Malware introduction ✔ ✔ ✔
Access protected data ✔ ✔ ✔
Remote-access-based attacks ✔ ✔ ✔
DDoS attacks from the internet ✔ ✔ ✔
Telecoms Network & Attack Vectors
Diagram labels: IP/MPLS network, internet, PABX, NOC, SCADA, IP/MPLS network management (5620 SAM), LAN, CCTV, TPR, telephone, database, router, TRANSMISSION CENTRE, REGIONAL CONTROL CENTRE. Legend: Attack vector.
Example Security Threats to Telecom Networks
INADVERTENT THREATS
• safety failures
• equipment failures
• carelessness
• misconfigurations
• natural disasters

• Hardware redundancy
• IP/MPLS resiliency: FRR, primary/secondary LSP, multi-chassis LAG/APS, G.8032…
• traffic management (QoS)
• priority / separation
• …

DELIBERATE THREATS
• disgruntled employees
• industrial espionage
• vandalism/terrorism
• viruses, worms, malware
• theft
• DDoS

• Access Control Lists (ACL)
• router login access control
• firewall
• encryption
• Intrusion Detection Service (IDS)
• …
Secured Network
Diagram labels: IP/MPLS network, internet, PABX, NOC, SCADA, IP/MPLS network management (5620 SAM), LAN, CCTV, TPR, telephone, database, TRANSMISSION CENTRE, REGIONAL CONTROL CENTRE. Controls shown: IDS, firewall, encryption, NAT, System Hardening.
Conclusions
• Build a robust information security governance structure.
• Adopt a risk-based approach to information security - always consider information security at the start to minimise future rework costs.
• Follow good information security practice.
• Assure the effective management of technical and non-technical security controls.
• Promote security awareness – the human element is always the most significant threat!
Any Questions?
