Is ISO 27001 an answer to Security Breaches?
RAMANA KROTHAPALLI
Agenda
Terms & Definitions
Information Security Standards & Best Practices
What is ISO 27001?
Why is ISO 27001 Popular?
Security breaches – could these have been avoided?
Things you can do..
Terms & Definitions
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
HLS: High Level Structure
Control: any process, policy, procedure, guideline, practice or organisational structure, whether
administrative, technical, management or legal in nature, that manages information security risk
Objective: statement describing what is to be achieved as a result of implementing controls
Data Breach: a security incident in which sensitive, protected or confidential data is copied,
transmitted, viewed, stolen or used by an individual not authorised to do so
Information Security Standards / Best Practices
ISO 27001: 2013
NIST SP 800 Series - National Institute of Standards and Technology Special Publications
COBIT - Control Objectives for Information and Related Technology
SOGP – Standard of Good Practice
PCI DSS - Payment Card Industry Data Security Standard
HIPAA - Health Insurance Portability and Accountability Act of 1996
SANS Best Practices
What is ISO 27001?
ISO 27001: 2013 is an International Standard specifying requirements for information security
management systems (ISMS)
This is a certifiable standard from the ISO 27000 series of standards aka ISMS family of
standards
Published by ISO & IEC
Organisations meeting the requirements may gain an official certification issued by an
independent and accredited certification body on completion of a formal audit process
The official title of the standard is "Information technology — Security techniques —
Information security management systems — Requirements"
Has 10 clauses and Annex A, which lists 114 controls and their objectives grouped into 14
domains
Why is ISO 27001 popular?
Information security is the biggest driver for companies
Generic standard for implementing an ISMS
Technology neutral
Globally recognised & accepted
Compliance with business, legal, contractual and regulatory requirements
HLS that allows easier integration with other ISO Standards
Risk Based approach to identify appropriate security requirements
Process approach – alignment with business objectives
Recent Security Breaches
Disclaimer
The discussions are based on news in the public domain and a few assumptions. Complete
information about these massive security breaches is not available in the public domain.
The sole idea of this session is to see whether a management system approach to information security
could help to prevent similar breaches, or at least improve the time to detection.
JP Morgan Chase
Hackers "exploited an employee's access to a development server as part of the attack on a JPMorgan Chase &
Co. server that led to the theft of data on 76 million households and 7 million small businesses".
Source: JPMorgan Password Leads Hackers to 76 Million Households
So much data accessible through one employee's access rights?
A.9.4.3: "Password management systems shall be interactive and shall ensure quality passwords"
A.12.1.4: Development, testing, and operational environments shall be separated to reduce the risks of
unauthorized access or changes to the operational environment
Hackers used multiple custom-crafted bits of malware to infiltrate
A.12.2.1: Detection, prevention and recovery controls to protect against malware shall be implemented,
combined with appropriate user awareness
Hackers spent months pulling data from the servers
A.12.4.1: Event logs recording user activities, exceptions, faults and information security events shall be
produced, kept and regularly reviewed
A.12.6.1: The organization's exposure to technical vulnerabilities shall be evaluated and appropriate measures taken to
address the associated risk
Sony Pictures
The hack was a release of confidential data belonging to Sony Pictures Entertainment; the data included personal
information about Sony Pictures employees and their families, e-mails between employees, information about executive
salaries at the company, copies of (previously) unreleased Sony films, and other information.
Duration of the hack is unknown, though evidence suggests that the intrusion occurred for more than a year.
Article on SC Magazine: (Could the Sony breach have been prevented)
http://www.scmagazine.com/could-the-sony-breach-have-been-prevented/article/394249/
One of Sony's biggest problems wasn't being hacked; it was failing to detect the hack until it became public.
A.12.4.1: Event logs recording user activities, exceptions, faults and information security events shall be produced,
kept and regularly reviewed
A.12.7: Information systems audit considerations - minimise the impact of audit activities on operational systems
A.18.2.1: Independent review of information security
A.12.6.1: The organization's exposure to technical vulnerabilities shall be evaluated and appropriate measures taken to address
the associated risk
Sony hack leaked 47,000 Social Security numbers
A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information
Anthem Healthcare
Personal records of as many as 80 million individuals were compromised.
Anthem data was encrypted on the wire but not in storage
A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of
information
(Caveat: encryption at rest only helps here if the key is held separately from the data and is not
released to whoever presents valid admin credentials; transparent database encryption decrypts for any
authorised query, so it defends against a stolen disk, not against a stolen account.)
The attack was discovered when a database administrator noticed unauthorized queries running
with admin credentials
A.12.4.3: System administrator and system operator activities shall be logged and the logs protected
and regularly reviewed
An outsider could have phished the credentials from an employee
A.9.1.1: An access control policy shall be established, documented and reviewed based on business
and information security requirements
(Context-aware access control could have stopped an outsider, even with phished credentials, by
examining where the authentication session was coming from, what platform was in use etc.)
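As an added example (not from the deck, and not Anthem's own tooling): a review of privileged database activity against a baseline of approved admin hosts, client programs and change windows, which is what A.12.4.3's "regularly reviewed" and the context-aware check described above look like in practice. The pipe-separated log format, the account names, the networks and the sample lines are all constructed for the demonstration.

```python
"""Review of privileged database activity against an agreed baseline.

Added example for this page (not from the original deck or from any of the
organisations named in it). Log format, host names, account names and the
baseline values below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed audit-log lines in a pipe-separated format assumed for this demo:
# timestamp | db account | client source IP | client program | statement
SAMPLE_LOG = """\
2015-01-27T10:12:04Z|dba_svc|10.20.0.11|psql|SELECT count(*) FROM members WHERE state='CA'
2015-01-27T10:15:31Z|dba_svc|10.20.0.11|psql|ALTER TABLE members ADD COLUMN plan_tier text
2015-01-27T23:41:09Z|dba_svc|172.16.9.200|python-requests|SELECT ssn, dob, address FROM members
2015-01-28T02:03:17Z|dba_svc|172.16.9.200|python-requests|COPY members TO '/tmp/m.csv'
2015-01-28T09:00:02Z|app_ro|10.30.1.5|member-portal|SELECT name FROM members WHERE id=$1
"""

# Baseline for the privileged account (assumed agreed with the DBA team):
ADMIN_ACCOUNTS = {"dba_svc"}
ADMIN_SOURCE_NETS = [ip_network("10.20.0.0/24")]        # jump hosts only
ADMIN_CLIENTS = {"psql", "pgadmin"}                      # expected admin tooling
WORK_HOURS = (time(8, 0), time(18, 0))                   # UTC change window
BULK_EXPORT = re.compile(r"^\s*COPY\b|\bINTO\s+OUTFILE\b", re.IGNORECASE)
SENSITIVE_COLUMNS = {"ssn", "dob", "account_number"}


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    client: str
    statement: str


def parse(line: str) -> Event:
    ts, user, src, client, stmt = line.split("|", 4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, client, stmt)


def unbounded_sensitive_select(stmt: str) -> bool:
    """SELECT of sensitive columns with no WHERE clause, i.e. a whole-table read."""
    m = re.match(r"^\s*SELECT\s+(.+?)\s+FROM\b", stmt, re.IGNORECASE)
    if not m:
        return False
    cols = {c.strip().lower() for c in m.group(1).split(",")}
    return bool(cols & SENSITIVE_COLUMNS) and not re.search(r"\bWHERE\b", stmt, re.IGNORECASE)


def review(ev: Event) -> list:
    """Return the baseline deviations for one event (empty list = nothing to flag)."""
    if ev.user not in ADMIN_ACCOUNTS:
        return []
    findings = []
    if not any(ip_address(ev.src) in net for net in ADMIN_SOURCE_NETS):
        findings.append("source not an approved admin host")
    if ev.client not in ADMIN_CLIENTS:
        findings.append("unexpected client program")
    if not (WORK_HOURS[0] <= ev.ts.time() <= WORK_HOURS[1]):
        findings.append("outside change window")
    if BULK_EXPORT.search(ev.statement):
        findings.append("bulk export statement")
    if unbounded_sensitive_select(ev.statement):
        findings.append("unbounded read of sensitive columns")
    return findings


def review_log(text: str) -> dict:
    """Map each flagged line number (1-based) to its list of findings."""
    alerts = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            findings = review(parse(line))
            if findings:
                alerts[n] = findings
    return alerts


if __name__ == "__main__":
    for n, findings in review_log(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(findings))
```

Lines 1, 2 and 5 are routine and produce nothing; lines 3 and 4 each raise several findings at once (unknown source host, unknown client, off-hours, and a whole-table read of sensitive columns followed by a bulk export), which is the pattern a reviewer wants to see escalated rather than buried in a daily log dump.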
Green's Accounting
Stolen Server Exposes Accounting Clients' Personal Data. The server held unencrypted data,
including clients' names, addresses, Social Security numbers and bank account numbers.
The burglars broke in by smashing the office's back window with a rock, then stole the firm's
network server.
A.11.1: Controls to prevent unauthorized physical access
A.11.2.1: Equipment shall be sited and protected to reduce the risks from unauthorized access
A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of
information
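Added example, not from the deck or from either firm: field-level encryption of the sensitive columns with the key held off the server, which is the property that decides whether a stolen disk (Green's Accounting) or a copied table (Anthem) exposes anything. The record layout, field names and sample values are constructed; the "key held elsewhere" is simulated by a variable the storage side never sees. The cipher is an encrypt-then-MAC construction built from the standard library's HMAC-SHA256 (a keystream in counter mode plus an authentication tag) so the example runs without third-party packages; in production use AES-GCM or ChaCha20-Poly1305 from a vetted library instead.

```python
"""Field-level encryption with the key held off the data server.

Added example for this page, not code from the deck or the firms it discusses.
The point demonstrated: what lands on disk is useless without a key that is
not on the same disk, and a blob cannot be silently altered or moved between
records. Field names, sample records and the key split are constructed.
Cipher: HMAC-SHA256 keystream in counter mode + HMAC-SHA256 tag (encrypt-then-
MAC). Use AES-GCM / ChaCha20-Poly1305 from a vetted library in production.
"""
import hashlib
import hmac
import json
import secrets

SENSITIVE = ("ssn", "bank_account")


def derive_subkeys(master_key: bytes):
    """Split one master key into independent encryption and MAC keys."""
    enc = hmac.new(master_key, b"field-encryption", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"field-authentication", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master_key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Return nonce || ciphertext || tag; aad (e.g. record id + field) is bound by the tag."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag first; raise if the blob, its key or its aad does not match."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def store_client(master_key: bytes, record: dict) -> dict:
    """What lands on the file server: identifiers in the clear, sensitive fields sealed."""
    stored = {k: v for k, v in record.items() if k not in SENSITIVE}
    for field in SENSITIVE:
        aad = f"{record['client_id']}:{field}".encode()     # ties blob to this record/field
        stored[field] = seal(master_key, record[field].encode(), aad).hex()
    return stored


def load_client(master_key: bytes, stored: dict) -> dict:
    """Inverse of store_client; fails closed on a wrong key or a moved/altered blob."""
    record = dict(stored)
    for field in SENSITIVE:
        aad = f"{stored['client_id']}:{field}".encode()
        record[field] = unseal(master_key, bytes.fromhex(stored[field]), aad).decode()
    return record


def leaks_sensitive_values(stored: dict, record: dict) -> bool:
    """Does the on-disk form contain any sensitive value in the clear?"""
    on_disk = json.dumps(stored)
    return any(record[f] in on_disk for f in SENSITIVE)


if __name__ == "__main__":
    key_held_elsewhere = secrets.token_bytes(32)   # constructed: lives in a KMS/HSM, not on the server
    client = {"client_id": "C-1042", "name": "J. Example",
              "ssn": "123-45-6789", "bank_account": "000123456789"}
    on_disk = store_client(key_held_elsewhere, client)
    print(json.dumps(on_disk, indent=2))
    print("leaks:", leaks_sensitive_values(on_disk, client))
    print("round trip ok:", load_client(key_held_elsewhere, on_disk) == client)
```

The record id and field name go into the authenticated data, so a thief who has the disk but not the key gets an authentication failure rather than plaintext, and an insider with write access to the store cannot copy one client's sealed bank account into another client's row without the tag check failing. Whether the key is genuinely "held elsewhere" (KMS, HSM, a separate host with its own access control) is the control that the A.10.1 objective is really asking for; encrypting with a key stored in a config file on the same server adds nothing in the stolen-server scenario.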
Things you can do..
Implement Security Policies & Procedures
Security Awareness Training
Vulnerability Assessments – Internal & External
Penetration Testing – Internal & External
Social Engineering Exercises
Enterprise Security Assessments
  Administrative Safeguards
  Technical Safeguards
  Physical Safeguards
THANK YOU!
