Introduction to IT Security

INTRO TO IT SECURITY By Cade Zvavanjanja, CISO, Gainful Information Security

Description: Advances in technology have given rise to new operational threats to governments, companies and society as a whole. This presentation is an introduction to countermeasures against cyber threats.

Transcript of Introduction to IT Security

Page 1: Introduction to IT Security

INTRO TO IT SECURITY

By Cade Zvavanjanja

CISO, Gainful Information Security

Page 2: Introduction to IT Security

AGENDA

- Information Security
- Information Privacy
- Risk Management
- Opportunities & Markets
- Some Examples

Page 3: Introduction to IT Security

HOLISTIC IT SECURITY

[Diagram: business elements (Ecommerce Site, Data Storage, Business Interfaces, IT/IS/Development) and the controls around them]

- Anti-Virus
- Firewalls
- Encryption
- Security in SDLC
- Threat Modelling
- Build Standards
- Information Security Policies
- Legislative Compliance
- Configuration Reviews
- Patch Management
- Access Control Reviews
- Application Testing
- Penetration Testing
- Intrusion Detection
- Vulnerability Assessment
- Vetting / References
- Disciplinary Procedure
- Awareness & Training

Page 4: Introduction to IT Security

INFORMATION WARFARE: THE MATRIX UPLOADED – SO WHAT?

Page 5: Introduction to IT Security

TODAY’S TREND

- Terrorists
- White Collar Crime
- Open Source
- Disasters
- Theft
- Scripts
- ID Theft
- Insider/Espionage

Page 6: Introduction to IT Security

IT Security

Page 7: Introduction to IT Security

SO WHO CARES?

You care about information security and privacy because:

- Information Security is a constant and critical need
- Threats are becoming increasingly sophisticated
- Countermeasures are evolving to meet the threats
- You want to protect your assets and privacy
- You want to know what tools are there for protection
- Information security, information privacy, and legal and compliance are inter-related

Page 8: Introduction to IT Security

INCREASE IN SECURITY INCIDENTS

[Chart: Malicious Code Infection Attempts* (0 to 900M) and Network Intrusion Attempts** (0 to 120,000) per year, 1995-2002. Milestones marked along the curve: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]

*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated

**Source: CERT

[Chart: CERT/CC Reported Vulnerabilities 1988-2003, scale 0 to 140,000]

Total Number of Incidents Reported from 1988-2003 is 319,992

Average Yearly Increase of 40%

Page 9: Introduction to IT Security

SOME POLLS SUGGEST (Source: CSO)

Which of the following is the #1 priority?

- Wireless Security (16%)
- Spam/Anti-Virus (17%)
- Identity Management (27%)
- Disaster Recovery (21%)
- Other (19%)

Which of the following poses the greatest threat?

- Natural Disaster (36%)
- Terrorist Attack (12%)
- Cyberattack (52%)

Page 10: Introduction to IT Security

SCARY DATA

US Government Data:

- ID theft is perpetrated by hackers and their associates who steal personal information and identity (e.g. social security numbers) in order to commit various forms of fraud by assuming your identity
- FTC reports that over 27.3 million Americans in the past 5 years reported their ID stolen
- FTC survey revealed that ID theft cost consumers and business $53 billion in 2002
- The FBI estimates that the number one threat to internet users is identity theft
- Approximately 350,000 to 500,000 citizens fall victim to ID theft every year

Industry Data:

- ID theft increased 81% in 2002
- The main cause of fraud is ID theft
- Among U.S.-based banks: 37 percent said identity theft significantly increased, 34 percent said it slightly increased, 24 percent said identity theft rates had stayed the same, and 5 percent reported that the rates decreased

Page 11: Introduction to IT Security

CYBERTERRORISM

“Cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents." Cyberterrorism is sometimes referred to as electronic terrorism or information war.”

U.S. Federal Bureau of Investigation

Page 12: Introduction to IT Security

INFORMATION WARFARE

Use of, or attacks on, information and information infrastructure to achieve strategic objectives.

Tools in hostilities among:

- Nations
- Trans-national groups (companies, NGOs, associations, interest groups, terrorists)
- Corporate entities (corporations, companies, government agencies)
- Individuals

Page 13: Introduction to IT Security

LEVELS OF INFORMATION WARFARE

Against individuals:
- Theft, impersonation
- Extortion, blackmail
- Defamation, racism

Against organizations:
- Industrial espionage
- Sabotage
- Competitive intelligence

Against nations:
- Disinformation, destabilization
- Infrastructure destabilization
- Economic collapse

Page 14: Introduction to IT Security

PRIME TARGETS

Companies with hiring volatility: Financial, communication, manufacturing, transportation and retail

Companies with lower volatility: Utilities, government, healthcare and education

Areas:
- IDS, Firewall, Anti-virus, Identity management
- Product design, policy
- Privacy vs. Security
- Security administration
- Training and awareness

Page 15: Introduction to IT Security

POTENTIAL TARGETS AGAINST OUR INFRASTRUCTURE

- Electricity
- Transportation
- Water
- Energy
- Financial
- Information Technology
- Emergency Services
- Government Operations

Page 16: Introduction to IT Security

WHY USE CYBER WARFARE?

Low barriers to entry – laptops cost a lot less than tanks and bombs

Our world is dependent on computers, networks, and the Internet

Denial of service has economic, logistical, and emotional effect

Low cost to level the playing field

Page 17: Introduction to IT Security

INFORMATION WARFARE STRATEGIES

The basic elements are: Hacking, Malicious code, Electronic snooping, Old-fashioned human spying.

Mass disruption can be unleashed over the internet, but attackers must first compromise private and secure networks (e.g. Unclassified, Secret, Top Secret).

Page 18: Introduction to IT Security

WHAT ARE THE METHODS?

- Password cracking
- Viruses
- Trojan horses / RATs
- Worms
- Denial-of-service attacks
- E-mail impersonation
- E-mail eavesdropping
- Network packet modification
- Network eavesdropping
- Intrusion attacks
- Network spoofing
- Session hijacking
- Packet replay
- Packet modification
- Cryptography
- Steganography
- Identity theft

Page 19: Introduction to IT Security

HACKERS: INFORMATION WARRIORS?

Personal motives:
- Retaliate or ”get even”
- Political or terrorism
- Make a joke
- Show off / just because

Elite Hackers: Black Hat, Grey Hat, White Hat, No Hat

Malicious Code Writers, Criminal Enterprises, Trusted Insiders

Economic gain:
- Steal information
- Blackmail
- Financial fraud

Inflicting damage:
- Alter, damage or delete information
- Deny services
- Damage public image

Page 20: Introduction to IT Security

THE TRADITIONAL HACKER ETHIC

i. Access to computers should be unlimited and total
ii. All information should be free
iii. Mistrust authority – promote decentralization
iv. Hackers should be judged by their hacking, not criteria such as age, race, etc.
v. You can create art and beauty on the computer
vi. Computers can change your life for the better

Page 21: Introduction to IT Security

GEOPOLITICAL HOTSPOTS - TRENDS

CHINA: Targeting Japan, U.S., Taiwan and perceived allies of those countries

INDIA-PAKISTAN: Worldwide targets, Kashmir-related and Muslim-related defacements

MIDDLE EAST: Palestinian hackers target Israeli .il websites; some pro-Israel activity

WESTERN EUROPE: Cyber-activists with anti-global/anti-capitalism goals; some malicious code

BRAZIL: Multiple hacker groups, many mercenary; random targets

EASTERN EUROPE/RUSSIA: Malicious code development; fraud and financial hacking

U.S.: Multiple hacker/cyber-activist/hacktivist groups; random targets

Page 22: Introduction to IT Security

A BALANCED SECURITY ARCHITECTURE

Single, unifying infrastructure that many applications can leverage.

A good security architecture:
- Provides a core set of security services
- Is modular
- Provides uniformity of solutions
- Supports existing and new applications
- Contains technology as one component of a complete security program
- Incorporates policy and standards as well as people, process, and technology

[Diagram: People, Technology, and Policy, Standards and Process as the three balanced elements]

Page 23: Introduction to IT Security

BASIC INFORMATION SECURITY COMPONENTS

AUTHENTICATION: How do we know who is using the service?

ACCESS CONTROL: Can we control what they do?

CONFIDENTIALITY: Can we ensure the privacy of information?

DATA INTEGRITY: Can we prevent unauthorized changes to information?

NONREPUDIATION: Can we provide for non-repudiation of a transaction?

AUDITABILITY & AVAILABILITY: Do we know:
- Whether there is a problem?
- Whether it’s soon enough to take appropriate action?
- How to minimize/contain the problem?
- How to prevent denial of service?
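The packet replay, packet modification and session hijacking methods listed on page 18, and the data integrity, authentication and non-repudiation questions on this page, come down to one mechanism on the wire: a keyed integrity check plus a freshness counter. The following Python program is an added example, not code from the presentation or from Gainful Information Security; the shared key, the wire format (sequence number, payload, HMAC-SHA256 tag) and the two messages are constructed for the demonstration.

```python
"""Integrity and replay protection for messages crossing an untrusted network.

Added example, not from the slides: sender and receiver share a secret key;
every message carries a 64-bit sequence number and an HMAC-SHA256 tag over
(sequence number || payload). The receiver drops packets whose tag does not
verify (packet modification / forgery) and packets whose sequence number it
has already accepted (packet replay). Key and messages are constructed.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

SEQ_LEN = 8   # bytes of big-endian sequence number
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    # The tag covers the sequence number too, so an attacker cannot
    # re-label an old payload with a fresh number.
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0

    def protect(self, payload: bytes) -> bytes:
        """Wire format: seq(8) || payload || tag(32)."""
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        return header + payload + _tag(self.key, header, payload)


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.highest_seq = 0  # highest sequence number accepted so far

    def verify(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the packet is genuine and fresh, else None."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return None
        header = packet[:SEQ_LEN]
        payload = packet[SEQ_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        # compare_digest is constant-time, so the tag cannot be guessed byte by byte
        if not hmac.compare_digest(tag, _tag(self.key, header, payload)):
            return None  # modified in transit, or forged without the key
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.highest_seq:
            return None  # replay of a packet already accepted
        self.highest_seq = seq
        return payload


def demo() -> dict:
    """Run the four cases a practitioner would test: genuine, replay, modified, in order."""
    key = secrets.token_bytes(32)  # constructed shared key for the demo
    sender, receiver = Sender(key), Receiver(key)
    p1 = sender.protect(b"transfer 100 to account 42")
    p2 = sender.protect(b"transfer 5 to account 7")

    results = {}
    results["genuine accepted"] = receiver.verify(p1) == b"transfer 100 to account 42"
    results["replay rejected"] = receiver.verify(p1) is None
    tampered = bytearray(p2)
    tampered[SEQ_LEN + len(b"transfer ")] ^= 0x01  # "5" becomes "4": a one-bit change
    results["modified rejected"] = receiver.verify(bytes(tampered)) is None
    results["next in order accepted"] = receiver.verify(p2) == b"transfer 5 to account 7"
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

The strict "higher than the last accepted" rule also drops genuine packets that arrive out of order; IPsec and DTLS keep a sliding window of recently seen sequence numbers instead. An HMAC gives integrity and origin authentication between the two key holders but not non-repudiation: either side could have produced the tag, so a transaction that must be provable to a third party needs a digital signature over the same fields.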

Page 24: Introduction to IT Security

DATA GOVERNANCE & CONTROLS

[Matrix: the controls Authentication, Confidentiality, Access Control, Data Integrity, Non-repudiation, Auditability and Availability, marked against the threats they counter (Disclosure of information, Unauthorized access, Loss of integrity, Denial of service) at each layer of the Information Management Infrastructure (IMI): Application, Networks, OS]

Page 25: Introduction to IT Security

INFORMATION SECURITY CONTROL AREAS

- Information Security Policies
- Roles and Responsibilities
- Asset Classification and Handling
- Personnel Security
- Physical Security
- System and Operations Management Controls
- General Access Controls
- System Development Life Cycle
- Business Continuity
- Compliance, Legal and Regulatory

Page 26: Introduction to IT Security

WHAT IS @RISK?

Financial & Monetary Loss Risk: Payroll information leakage

Reputation Risk: Distributed attacks from campus, Terrorism, Laptop theft, ID Theft

Litigation & Regulatory Risk: HIPAA, GLB (Gramm-Leach-Bliley), CA SB 1386

Page 27: Introduction to IT Security

INFORMATION SECURITY BODIES, STANDARDS & PRIVACY LAWS

Standards & Privacy Laws:
- British Standard BS 7799 (ISO 17799)
- UK Data Protection Act 1998 (DPA), implementing the EU Data Protection Directive
- Health Insurance Portability and Accountability Act (HIPAA)
- Fair Credit Reporting Act (FCRA)

National Institute of Standards and Technology (www.NIST.gov): Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.

Computer Emergency Response Team (www.cert.org): The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

Page 28: Introduction to IT Security

Information Privacy

Page 29: Introduction to IT Security

PRIVACY GOVERNANCE ARCHITECTURE

[Diagram: the privacy programme framed by Process, Organization, Technology, People and Compliance, driven by Opt-in/out choices, Regulatory Requirements and the Security/Privacy Policy]

Planning and Strategy, Program Maturity, Program Metrics:

• Privacy Strategy
• Data Classification Analysis
• Privacy Teams
• Policy Development
• Policy Update Plans
• Decision Management
• Privacy Support Architecture
• Awareness

• Privacy Risk Assessments
• Data Governance
• Vendor Governance
• Technology Planning
• Business Process Review
• Information Security
• Information Privacy

• External Support Infrastructure
• Privacy Auditing
• Incident Response
• Crisis Management
• Knowledge Management
• Consumer Support Infrastructure
• Open Source Intelligence

Page 30: Introduction to IT Security

PRIVACY INCIDENT RESPONSE PROCESS – HIGH LEVEL OVERVIEW

Detection:
- Detect incident
- Identify source of incident
- Log incident
- Reduce false positives

Assessment:
- Determine scope
- Assemble Response Team
- Collect & sort facts

Analysis & Containment:
- Technology containment
- Process containment
- Procedure containment

Digital Forensics:
- Engage digital forensics process
- Collect evidence
- Engage 3rd party

Resolution & Reporting:
- Notify client
- Notify regulators
- Remediate
- Analyze long term effects
- Analyze lessons learned
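The Detection stage of the incident response process (detect the incident, identify the source, log it, reduce false positives), applied to the password cracking method listed on page 18. The following Python program is an added example, not part of the presentation; the sshd-style log lines are constructed for the demonstration, and the failure threshold, the time window and the log year are assumptions to tune per site.

```python
"""Detection step of the incident response process: brute-force logins.

Added example, not from the slides. Constructed sshd-style log lines are
scanned; a source IP that produces THRESHOLD failed passwords inside a
WINDOW is logged as an incident, escalated to critical if a successful
login from that source follows. THRESHOLD, WINDOW and YEAR are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one brute-force run that
# ends in a successful root login, one user typo, and two slow failures.
LOG_LINES = """\
Mar 10 02:14:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Mar 10 02:14:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 4412 ssh2
Mar 10 02:14:04 host sshd[1003]: Failed password for invalid user oracle from 203.0.113.7 port 4413 ssh2
Mar 10 02:14:06 host sshd[1004]: Failed password for invalid user test from 203.0.113.7 port 4414 ssh2
Mar 10 02:14:09 host sshd[1005]: Accepted password for root from 203.0.113.7 port 4415 ssh2
Mar 10 02:15:30 host sshd[1006]: Failed password for alice from 198.51.100.4 port 5001 ssh2
Mar 10 02:15:45 host sshd[1007]: Accepted password for alice from 198.51.100.4 port 5002 ssh2
Mar 10 03:40:00 host sshd[1008]: Failed password for bob from 192.0.2.9 port 6001 ssh2
Mar 10 03:55:00 host sshd[1009]: Failed password for bob from 192.0.2.9 port 6002 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

THRESHOLD = 4                  # failures inside WINDOW that open an incident (assumed)
WINDOW = timedelta(minutes=5)  # assumed
YEAR = 2024                    # syslog lines carry no year; assumed for parsing


def parse(line):
    """Return (timestamp, result, user, ip) for an auth line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one incident record per source IP with >= threshold failures in window."""
    by_ip = defaultdict(list)
    for event in map(parse, lines):
        if event:
            ts, result, user, ip = event
            by_ip[ip].append((ts, result, user))

    incidents = []
    for ip, events in by_ip.items():
        events.sort()
        failures = [(ts, user) for ts, result, user in events if result == "Failed"]
        # Sliding window over failures only: a few mistyped passwords spread
        # over an hour never reach the threshold (false-positive reduction).
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                first, last = failures[start][0], failures[end][0]
                # Scope: did the source get in after the failures? That is the
                # difference between an attempt and a compromised account.
                logged_in = {u for ts, r, u in events if r == "Accepted" and ts >= last}
                incidents.append({
                    "source": ip,
                    "first_seen": first.isoformat(),
                    "last_seen": last.isoformat(),
                    "failures": end - start + 1,
                    "accounts": sorted({u for _, u in failures[start:end + 1]}),
                    "compromised": sorted(logged_in),
                    "severity": "critical" if logged_in else "high",
                })
                break  # one incident per source; later lines would update it
    return incidents


if __name__ == "__main__":
    for incident in detect(LOG_LINES):
        print(incident)
```

A single threshold on raw failure counts pages the on-call team every time a user mistypes a password; counting only failures inside a sliding window, and escalating to critical only when a success from the same source follows the failures, is the false-positive reduction the Detection stage calls for. The record returned is the "log incident" artefact that the Assessment stage picks up to determine scope.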

Page 31: Introduction to IT Security

Information Security & Privacy

Risk Management

Page 32: Introduction to IT Security

RISK MITIGATION

Aim for 100% risk mitigation, not 100% control. A good Information Management Infrastructure:
- Provides a modular core set of controls
- Supports existing infrastructures and new applications
- Incorporates policy and standards, people, process, and technology
- Provides a horizontal and vertical risk self-assessment or automatic assessment program
- Provides a collaborative issue resolution system

Balanced Information Management Infrastructure (IMI)

Risk mitigation:
- Vertical – up and down controls in branches and business units
- Horizontal – policies, best practices, processes and priorities across the organization

[Diagram: Policies, Standards & Guidelines; Information Technology; People, balanced at an Equilibrium Point]

Page 33: Introduction to IT Security

RISK MANAGEMENT METHODOLOGY

[Diagram: Risk Assessment, Organizational Dynamics, Risk Takers, Key Risk Indicator and Risk Tolerance converging on a Point of Balance]

Page 34: Introduction to IT Security

KEY RISK INDICATORS

Key Risk Indicators:
- Pen Testing
- Compliance / Regulatory
- Audit
- Site Reviews
- Security & Privacy Incidents
- Self Assessment
- Vendor Reviews

Inputs: Business Impact, Asset Value, Loss Amount/ROI, Stakeholders

Risk Evaluation Model -> Risk Rating

Page 35: Introduction to IT Security

Market Opportunities

Page 36: Introduction to IT Security

DEMAND – BASED ON GARTNER STUDIES

- General IT staff outsourcing has gone up 24% since the US recession ended
- Growth in IT staff augmentation will be limited and in single digits
- Security outsourcing is trending up: identity management, vulnerability assessment, operations (firewall management, anti-virus and IDS)

Page 37: Introduction to IT Security

INFOSEC PEOPLE

Typical contract jobs: Business Intelligence, Business Analysis, Risk Management, Information Security Officer, Information Privacy Officer, Digital Forensics Experts

- Job seeker support to help professionals identify new career opportunities when they are unemployed or contingency searching due to circumstances at their workplace;
- Contractor placement to help independent contractors identify and secure short and long term contract work based on hourly rates; and
- Corporate candidate search to help clients identify candidates for new or vacant positions, as well as contingency searching to stage replacement of human resources

Page 38: Introduction to IT Security

TYPES OF RECRUITING

- Contract & Temporary – constant spread based; profit margins are small; limited; hourly, weekly, monthly
- Permanent – one-time commission based; entry level, mid level, management, technical, operations, design & architecture
- Outsourcing – profit margins are high

Page 39: Introduction to IT Security

Some Examples

Page 40: Introduction to IT Security

WHAT IS SOCIAL ENGINEERING?

Social Engineering is the art and science of tricking one or more human beings into doing what an attacker wants them to do, or into revealing information that compromises a target’s security.

Classic social engineering scams include posing as a field service technician and calling an operator to get them to reveal private information such as passwords.

Social Engineering is an evolving art that uses the simplest and most creative schemes and involves minimal technical expertise.

Page 41: Introduction to IT Security

TERRORISTS AND STEGANOGRAPHY?

Page 42: Introduction to IT Security
Page 43: Introduction to IT Security

Thank You

Tel: +236 733 782 490

+263 773 796 365

+263 -4- 733 117

Eml: [email protected]

[email protected]

Web: www.gis.co.zw