We have to identify the threats and assign localized, realistic weights to each in order to create a prioritized list. From that list we should develop a cost-benefit solution “toolbox” and a security policy for the FIU.
Information security threats are global in nature, and indiscriminately target every organization and individual who owns or uses (primarily) electronic information. These threats are automated and loose on the internet. In addition, data is exposed to many other dangers, from acts of nature, through external attack to internal corruption and theft.
Risk assessment and risk treatment plans

Every organization has its own specific business model, objectives, unique selling features and culture, and its own appetite for risk. In other words, something that one organization sees as a threat against which it must guard, another might see as an opportunity that it should grasp. Similarly, one organization might be less prepared than another to invest in defences against an identified risk. For this, and other reasons, every organization that implements an ISMS must do so against the findings of a risk assessment whose methodology, findings and recommendations have been approved by the board of directors. ISO27001, in fact, requires there to be a risk assessment and, while it does not specify a methodology, is very clear that this risk assessment must be based on identifying threats and vulnerabilities at an individual asset level and, from there, analysing and assessing risks.

Risk assessment tool. One can develop one’s own tool, or use one that is pre-designed to meet the specific requirements of both ISO27001 and BS7799-3, such as vsRisk, which is available on CD-ROM and can be quickly and easily deployed.

International standard ISO/IEC 15408: http://www.iso15408.net/15408presentation.htm
The MoJ Network is part of the e-government public internet-based network accessible by the public. It is partly secured against malware and cyber attacks. It enables the set-up of encrypted Virtual Private Networks (VPNs) and the batch filing of CTRs and SARs via encrypted VPN. Access to on-line government databases (Registers) is enabled via VPNs relayed through this system.

The Collection Subsystem is detached from the external Cyber world. It enables retrieval and input of external digital files via Virtual Private Network (e.g., SAR and CTR reports), as well as reports on removable media and files extracted from remote government databases, and it handles scanning and data entry of printed documents and images. The Collection Subsystem is linked to the Core Research Network via an “Air Gap” (a hardware-software box) that ensures one-way passage of passive files only. The “box” is commercially available; it may be replaced by a dedicated software solution (also commercially available).

The Research Subsystem is the Core system of the FIU. It is classified as “Top Secret” and is selectively accessible only to classified personnel according to the needs of their duty. It stores the entire knowledge base of the FIU (e.g., SARs, CTRs, files from external Registers, information shared by foreign FIUs). Its servers enable the researchers to manage case files and to use information-mining, analytical and visualization tools. Information extraction from the Core system is closely controlled and monitored. There are no external gateways to the Research Subsystem.
Air-Gap or e-Gap is a programmed hardware device which filters incoming and outgoing data and prevents any active software from crossing over to the Core System. The Israeli solution was developed by Whale Systems, which was acquired by Microsoft in 2006 and integrated into its Microsoft IAG 2007 product line.
The two key reasons for the growing interest in certification to ISO27001 are the proliferation of threats to information and the growing range of regulatory and statutory requirements that relate to information protection. The information security standards are the essential starting point for any organization that is commencing an information security project. Anyone contemplating such a project should purchase and study copies of both standards, which are available for online purchase in a money-saving kit, in either hard copy or electronic format, from here: http://www.itgovernance.co.uk/standards.aspx
Fingerprint and Facial Recognition: http://www.l1id.com/pages/9-company. L-1 develops customer-focused solutions that address the ID requirements of specific markets: U.S. Federal, Border Management, Criminal Justice, Government ID.
Senior Officers’ privileges, e.g., assigning cases, authorizing dissemination of intelligence reports, requests for additional information, Open Sources searches, termination of cases, review of Business Intelligence reports. Top persons are privileged but may have to act together to complete a “Change” cycle or a major implementation of security policy.
The definition can be highly formal or informal. Security policies are enforced by Security Mechanisms.
The Bell-La Padula model is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. La Padula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public"). Support for such labels is provided by, e.g., the Oracle database management toolbox. http://en.wikipedia.org/wiki/Bell-La_Padula_model The Biba Integrity Model describes rules for the protection of data integrity.
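To make the two models concrete, the added example below (not from the presentation) evaluates access requests with labels like those named above, Top Secret down to Unclassified, and extends them with need-to-know compartments; the level ordering, the compartment names and the integer integrity levels used for Biba are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity levels, least to most sensitive (ordering assumed here)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class Label:
    """A security label: a level plus need-to-know compartments (e.g. case names)."""
    level: Level
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is at least B's and A holds every compartment of B.
        return self.level >= other.level and self.compartments >= other.compartments


def blp_decide(subject: Label, obj: Label, mode: str) -> tuple[bool, str]:
    """Bell-LaPadula decision for one access request; mode is 'read' or 'write'."""
    if mode == "read":       # simple security property: no read up
        ok, rule = subject.dominates(obj), "no read up"
    elif mode == "write":    # *-property: no write down
        ok, rule = obj.dominates(subject), "no write down"
    else:
        raise ValueError(f"unknown access mode {mode!r}")
    return ok, f"{'permit' if ok else 'deny'} ({rule})"


def biba_decide(subject_integrity: int, obj_integrity: int, mode: str) -> bool:
    """Biba strict integrity: no read down, no write up (higher int = more trusted)."""
    if mode == "read":
        return obj_integrity >= subject_integrity
    if mode == "write":
        return subject_integrity >= obj_integrity
    raise ValueError(f"unknown access mode {mode!r}")


# Constructed scenario: a researcher cleared Top Secret for case "A-17", a clerk cleared
# Confidential with no compartments, and three objects held by the Core system.
RESEARCHER = Label(Level.TOP_SECRET, frozenset({"A-17"}))
CLERK = Label(Level.CONFIDENTIAL)
SAR_A17 = Label(Level.CONFIDENTIAL, frozenset({"A-17"}))
REGISTER_EXTRACT = Label(Level.UNCLASSIFIED)
CASE_FILE_TS = Label(Level.TOP_SECRET, frozenset({"A-17"}))

if __name__ == "__main__":
    for who, what, mode in [(RESEARCHER, SAR_A17, "read"), (RESEARCHER, REGISTER_EXTRACT, "write"),
                            (CLERK, SAR_A17, "read"), (CLERK, CASE_FILE_TS, "write")]:
        print(who.level.name, mode, what.level.name, "->", blp_decide(who, what, mode)[1])
```

Note that the clerk is denied the Confidential SAR despite holding a Confidential clearance: the compartment check is what implements the “need to know” the records policy calls for.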
The log and the audit policies that govern it are also favorite targets of hackers and rogue system administrators seeking to cover their tracks before and after committing unauthorized activity. http://en.wikipedia.org/wiki/Log_management_and_intelligence
The first step defines the scope of the BCP, giving an idea of the plan’s limitations and boundaries. It also includes audit and risk analysis reports for the institution’s assets. Business impact analysis is the study and assessment of the effects on the organization of the loss or degradation of business/mission functions resulting from a destructive event. Such loss may be financial, or less tangible but nevertheless essential (e.g., human resources, shareholder liaison). Convincing senior management to approve the BCP/DRP is a key task: security professionals must obtain approval for the plan from upper management to bring it into effect. The US National Institute of Standards and Technology (NIST) has published tools which can help in creating a BCP.
The IT Security Plan and process is a first step to eliminating system and information compromises.
1. Take an inventory of your physical and information assets.
Secure Financial Intelligence System
Secure FIU: Affordable Threat Restraint for the FIU’s Computing Center
Objective of the Presentation Egmont Group ITWG
Threats Recognition
- The Human Inner Circle
  - Users (Who is using? What tool is used? What information is exposed? What was changed or deleted?)
  - Service providers (Who? Which service? What privileges?)
- Internal System Electronic Leakage
  - The workstation’s “give away”
  - Local Area Network
- External IT Threats
  - Sharing of external government data (interdepartmental data sharing)
  - Mining Internet open resources (Yahoo or Google search)
  - Virtual Private Networks (accountable persons’ reporting channel)
Defense Circles
- High level of protection for the Local Area Network
- Data protection per the international standard ISO/IEC 15408
- Maximum defense of the IT system against external attacks
- Simple operation
- High-level identification and user authentication
- Implementing the INFOSEC model
FIU Systems Architecture (IMPA Concept)
Some Basic Good Practice highlights for a Secure FIU
- Importing data to the Core System
- Protecting the Local Area Network
- Defending the core Computing System
- Transmission of Intelligence
- Users Management
Importing of Information: Cleansing of External Files
- To accommodate:
  - Secure reporting via Internet Virtual Private Network
  - Submission of reports on removable media
  - Insertion of external government and commercial information from “Open Sources”
- All input formats have to be subjected to a “Laundering” stand-alone station that shall remove any malware (e.g., virus, Trojan)
Protecting the Local Area Network
- Separate workstations
  - Internal Research System
  - Collection subsystem
  - External Cyber World subsystem
  - “Switched view”
- Cabling
- Wireless
- Mobiles and laptops
Protecting the Computing Center
- The Core computing center must be isolated from both Local Area and Wide Area Networks (LAN and WAN) by:
  - A firewall with two different up-to-date anti-virus / anti-spyware tools
  - Blocking of external media ports (CD, DVD, USB, Wi-Fi) on local workstations
  - The “Collection subsystem” may be connected to the Core Computing Center by a dedicated software-hardware device (Air-Gap)
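The “Laundering” station and the Air-Gap of the two slides above both turn on one decision: is this file passive data, or could it carry something that runs? The following added example (not a commercial product’s code) shows one conservative, fail-closed way to make that decision on constructed samples; the allowlists of formats and zip members, the PDF action names and the sample file contents are all assumptions.

```python
import io
import zipfile

# Magic bytes of passive formats the Core system accepts (assumed allowlist).
PASSIVE_MAGIC = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}
# Signatures of content that must never cross the air gap.
ACTIVE_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable", b"#!": "script"}
# PDF names that run code or trigger actions when the document is opened.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
# Members a zip/OOXML container may hold; anything else (e.g. vbaProject.bin) fails closed.
ZIP_MEMBER_OK = (".xml", ".rels", ".txt", ".csv", ".png", ".jpg", ".jpeg", "/")


def classify(data: bytes) -> tuple[str, str]:
    """Return ('pass', kind) or ('quarantine', reason) for one file body."""
    for magic, what in ACTIVE_MAGIC.items():
        if data.startswith(magic):
            return "quarantine", what
    if data.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "quarantine", "corrupt zip container"
        bad = [n for n in names if not n.lower().endswith(ZIP_MEMBER_OK)]
        if bad:
            return "quarantine", f"zip member not on passive allowlist: {bad[0]}"
        return "pass", "zip container of passive members"
    for magic, kind in PASSIVE_MAGIC.items():
        if data.startswith(magic):
            if kind == "pdf" and any(tok in data for tok in PDF_ACTIVE):
                return "quarantine", "pdf with active content"
            return "pass", kind
    try:  # last resort: plain-text reports (CSV, XML) that decode cleanly and carry no NUL bytes
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "quarantine", "unrecognised binary format"
    return ("quarantine", "text with embedded NUL") if b"\x00" in data else ("pass", "text")


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the constructed samples need no files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples standing in for reports arriving at the laundering station.
SAMPLES = {
    "ctr_batch.csv": b"account,amount,currency\n12345,15000,USD\n",
    "sar_scan.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript >> >> endobj\n",
    "report.docx": make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}),
    "report_macro.docm": make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\xd0\xcf"}),
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,
}
```

A signature filter of this kind is a first gate only; the two anti-virus tools the slide calls for still run behind it, and anything quarantined stays on the stand-alone station for review.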
Secure Dissemination of Intelligence Reports
- Dissemination of intelligence should take the form of a secured digital file that is extracted from the FIU database and contains information classified Confidential or “Top Secret”.
- The Intel File must be audited by a qualified senior officer and digitally signed and encrypted. The addressee should be uniquely defined. Receipt confirmation must be provided.
- The Intel File must be submitted via a secure, unique channel.
Transmission of Intelligence
- Transmission of the intelligence report to Law Enforcement or Judicial units should be made from a stand-alone workstation over secured point-to-point dedicated lines.
- The transmission of information to another FIU should be made from a stand-alone workstation by the Officer in charge of Foreign FIU relations.
- Information streaming back should be handled via the “Laundering” station and the Collection subsystem.
Records Management Policy
- All imported files and documents are digitally stored in their original format or as an image thereof.
- No records are “exterminated” without trace or removed from the system at any time.
- “Deleted” records are “invisible” to users but are displayable for backtracking and review by privileged users.
- Records are accessible only to classified personnel who have a “need to know”.
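As an added illustration of this policy (not the FIU’s own software), the sketch below tombstones deleted records instead of removing them, hides them from ordinary users while letting privileged users display them, refuses physical removal outright, and writes every action, permitted or denied, to an append-only audit log; the class and field names are assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Record:
    rid: str
    content: bytes                    # original file (or its image), stored verbatim
    source: str
    deleted_by: Optional[str] = None  # set on "deletion"; the record itself stays


@dataclass(frozen=True)
class User:
    name: str
    privileged: bool = False


class RecordStore:
    """Records are tombstoned, never removed, and every action leaves an audit entry."""
    def __init__(self) -> None:
        self._records: dict[str, Record] = {}
        self.audit_log: list[tuple[str, str, str, str, str]] = []  # append-only

    def _log(self, actor: str, action: str, rid: str, outcome: str) -> None:
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), actor, action, rid, outcome))

    def import_record(self, user: User, rid: str, content: bytes, source: str) -> None:
        if rid in self._records:
            self._log(user.name, "import", rid, "denied: id already exists")
            raise KeyError(rid)
        self._records[rid] = Record(rid, bytes(content), source)
        self._log(user.name, "import", rid, "ok")

    def delete(self, user: User, rid: str) -> None:
        rec = self._records[rid]
        if rec.deleted_by is not None:
            self._log(user.name, "delete", rid, "denied: already deleted")
            raise ValueError(f"{rid} is already deleted")
        rec.deleted_by = user.name    # tombstone only; content and metadata are retained
        self._log(user.name, "delete", rid, "ok: tombstoned, content retained")

    def purge(self, user: User, rid: str) -> None:
        # Policy: no record is ever removed without trace, whatever the caller's privilege.
        self._log(user.name, "purge", rid, "denied: removal forbidden by policy")
        raise PermissionError("records are never removed from the system")

    def view(self, user: User, include_deleted: bool = False) -> list[Record]:
        if include_deleted and not user.privileged:
            self._log(user.name, "view_deleted", "*", "denied: privileged users only")
            raise PermissionError("only privileged users may display deleted records")
        self._log(user.name, "view_deleted" if include_deleted else "view", "*", "ok")
        return [r for r in self._records.values() if include_deleted or r.deleted_by is None]
```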
Users Management
- Identification and Authentication of Users
  - Privileged Users
  - Ordinary Users
- Users Access Management
Users Identification and Authentication
- Identification and Authentication of Users
Users Access Management
- “Common” users have a limited access and authorization scope which should correspond to their task.
- “Senior Officers” have wider privileges, e.g., assigning cases, authorizing dissemination of intelligence reports, terminating cases.
- System Administrators are awarded extremely sensitive privileges, e.g., system maintenance, upgrade of applications, database maintenance, access control and user management.
Code of Practice: International Standards Organization
- ISO27001 details the controls which should be implemented for the various levels of information security.
- ISO27002 provides the guidance for the selection and implementation of the controls mandated by ISO27001.
Computer security policy
- Defines the goals and elements of an organization's computer systems security.
- Confidentiality, Integrity and Availability.
- A technical implementation of security mechanisms defines whether a computer system is secure or insecure.
- A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a security policy.
The Security mechanism
- Enables the System Manager to:
  - Monitor the activities on the system,
  - Detect and log breaches of the Security Policy or attempts thereof,
  - Log changes to the mechanisms or attempts to change them; enable retrieval of entries and analysis of events, as well as recovery of damaged elements and reinstatement of the policy,
  - Alert the System Manager,
  - Mitigate or thwart such breaches or attempts.
Security Events Review and Analysis
- The Security Log, in e.g., Microsoft Windows, is a log that contains records of login/logout activity and/or other security-related events specified by the system's audit policy.
- Auditing allows administrators to configure Windows to record operating system activity in the Security Log.
- The Local Security Authority Subsystem Service writes events to the log.
- The Security Log is one of the primary tools used by Administrators to detect and investigate attempted and successful unauthorized activity and to troubleshoot problems.
Most common strategies for data protection
- Backups made to solid-state or removable discs and sent off-site at regular intervals (preferably daily)
- Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk
- Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synced) [Storage area network (SAN) technology]
- High-availability systems which keep both the data and the system replicated off-site, enabling continuous access to systems and data
- In many cases, an organization may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using its own remote facilities
Precautionary measures
- Implement some of the following:
  - Local mirrors of systems and/or data
  - Use of disk protection technology such as RAID
  - Surge protectors — to minimize the effect of power surges on delicate electronic equipment
  - Uninterruptible power supply (UPS) and/or backup generator to keep systems going in the event of a power failure
  - Fire prevention and containment — alarms, fire extinguishers
  - Anti-virus software and other server security measures
Backup, Restart and Recovery
- Disasters can be classified in two broad categories:
  - Natural disasters such as floods, hurricanes, tornadoes or earthquakes.
    - Preventing a natural disaster is very difficult; measures such as good planning which includes mitigation measures can help reduce or avoid losses.
  - Man-made disasters (e.g., hazardous material spills, infrastructure failure or bio-terrorism).
    - Surveillance and mitigation planning are invaluable towards avoiding or lessening losses from these events.
Business Continuity Plan (BCP)
- Identify the scope and boundaries of the business continuity plan (BCP).
- Conduct a business impact analysis (BIA).
- Sell the concept of BCP to upper management and obtain organizational and financial commitment.
- The BCP implementation team should follow the guidelines and procedures in the plan.
12 Steps to Secure FIU
- Review data coming through each network connection. Shut down any connection whose remote origin you can't determine.
- Examine how remote and external users are authenticated; use token-based or similar authentication when possible.
- Make sure all encryption functions on existing software applications are enabled.
- Back up critical systems consistently at another location.
- Review security alerts and vendors' patch announcements. Know what versions of operating systems are in use, seek out alerts affecting them and apply appropriate patches immediately.
The Next Steps
1. Define what you are protecting.
2. Perform a risk assessment to determine what level of security is needed to protect your information assets.
3. Complete the checklist to make yourself aware of your security strengths and weaknesses.
4. Complete an evaluation. Evaluate your findings and discuss recommendations to correct deficiencies and/or improve security with departmental administration and IT staff.
5. Develop a security plan. Create a Security Plan with target dates for implementation.
- Assign responsibilities and target dates for the plan.
- Monitor progress.