Information Security RECIPA-IMT
Aims
• Understanding of information security and key concepts
• Understanding the role model for a robust Information Security Management System implementation
• Empowerment of the Information Security Management System through implementing best practices for People, Process and Technology
• A few guidelines for maintaining network and personal security
The Growth of Internet Crime
“Of the top five categories of offenses reported to law enforcement during 2009, non-delivered merchandise and/or payment ranked 19.9%; identity theft, 14.1%; credit card fraud, 10.4%; auction fraud, 10.3%; and computer fraud (destruction/damage/vandalism of property), 7.9%.”
Information Security
• What is it? The process by which the “Confidentiality”, “Integrity” and “Availability” of information are ensured.
• In other words: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. (United States Code, title 44)
Main Concepts
– Confidentiality
Preventing unauthorized persons or parties from gaining access to the information
– Integrity
Safeguarding the accuracy and completeness of information and processing methods
– Availability
Ensuring access for authorized persons/parties anytime it’s needed.
Information classification
• The act of tagging information with labels in order to divide it into different groups.
• In information security, it should be the first step!
• It allows information to be treated in sets, each with similar procedures, for easier handling and better management.
Information classification
• It clarifies information usage with respect to access control and confidentiality protection.
– The first issue is who is qualified to determine the classification
– Mostly context and content dependent
– Normally can be changed by time and circumstances
• The best example is the classic military classification:
– Unclassified
– Secret
– Top secret
• In the data world both “data” and “persons” are categorized to manage access control
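The classification idea on this slide, carried through in code as an added example (not part of the original slides): documents are tagged with one of the three military labels, persons carry a clearance from the same scale, and a read is allowed only when the clearance is at or above the label. The label names, the document names and the "higher clearance may read lower label" rule are assumptions for illustration.

```python
"""Classification labels and clearance-based access checks (constructed example)."""
from collections import defaultdict

# Ordered from least to most sensitive, following the military scheme on the slide.
LEVELS = ("unclassified", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def label(doc_name, level):
    """Tag a piece of information with a classification label."""
    if level not in RANK:
        raise ValueError(f"unknown classification label: {level!r}")
    return {"name": doc_name, "label": level}


def can_read(clearance, doc):
    """Both data and persons carry a level: a person may read a document only
    when their clearance is at or above the document's label."""
    if clearance not in RANK:
        raise ValueError(f"unknown clearance: {clearance!r}")
    return RANK[clearance] >= RANK[doc["label"]]


def readable_by(clearance, docs):
    """Names of the documents a person with this clearance may read."""
    return [d["name"] for d in docs if can_read(clearance, d)]


def group_by_label(docs):
    """Group documents into sets that can share one handling procedure."""
    groups = defaultdict(list)
    for d in docs:
        groups[d["label"]].append(d["name"])
    return dict(groups)


def reclassify(doc, new_level):
    """Labels change with time and circumstances; return the re-labelled copy."""
    return label(doc["name"], new_level)


# Constructed sample data, not taken from the slides.
SAMPLE_DOCS = [
    label("press-release.txt", "unclassified"),
    label("product-spec.pdf", "secret"),
    label("investment-strategy.xlsx", "top secret"),
]
```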
Confidentiality
• Confidentiality ensures that only those with the rights and privileges to access information are able to do so.
• Complete confidentiality can be impossible to ensure at times.
• Examples:
– research data
– medical and insurance records
– new product specifications
– corporate investment strategies
Integrity
• Information has integrity when it is whole, complete, and uncorrupted.
• The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
• When information is modified in unexpected ways, the result is known as loss of integrity.
• It defines authenticity and the level of trust
Availability
• Timely, reliable access to data and information services for authorized users; it has three main factors:
– Reliability: the degree to which a system performs its purpose for the period of time intended under the operating conditions encountered
– Accessibility: the degree to which a system is usable by as many people as possible without modification; characterized in terms of the ability of users to have physical access to the system
– Timeliness: the responsiveness of a system or resource to a user request. In fact,
Availability
• Traditionally, information availability has mostly been measured by the amount of time an information resource is either processing or not (uptime and downtime)
• Other secondary factors:
– Redundancy and thorough system backups
– Preventive and corrective maintenance
Possible Threats
• High user knowledge of IT systems
• Theft, sabotage, misuse
• Virus attacks
• Systems & network failure
• Lack of documentation
• Lapse in physical security
• Natural calamities & fire
Planning of InfoSec
• A strategic view will be:
– Analysis of the current situation;
– Identification of business-strategy requirements;
– Identification of legal and regulatory requirements;
– Identification of requirements due to external trends;
– Definition of the target situation;
– Definition and prioritization of strategic initiatives;
– Distribution of the draft strategy;
– Agreement and publication of the final strategy.
• The InfoSec policy is approved by top management
History
• Early 1990: DTI (UK) established a working group; the Information Security Management Code of Practice was produced as a BSI-DISC publication
• 1995: BS 7799 published as a UK standard
• 1999: BS 7799-1:1999 (second revision) published
• 2000: BS 7799-1 accepted by ISO and published as ISO 17799; BS 7799-2:2002 published
History
• ISO 27001:2005 Information technology — Security techniques — Information security management systems — Requirements
• ISO 27002:2005 Information technology — Security techniques — Code of practice for information security management
Security Triangle again
Figure: the Confidentiality, Integrity and Availability triangle, with the following areas:
• Information Security Policy
• Organisation of Information Security
• Asset Management
• Human Resource Security
• Physical Security
• Communication & Operations Management
• Access Control
• System Development & Maintenance
• Incident Management
• Business Continuity Planning
• Compliance
Security System Components
• People: organization staff
• Processes: business processes
• Technology: technology used by the organization
• Prevention of physical access by unauthorized people
• Data Network Security by using proper access control
• Communication line security
– Preventing eavesdroppers
– Avoiding line tapping
– Stopping intruder attacks
Technologies
• Proper hardware design is the main solution:
– Firewalls: prevent unauthorized access from outside the network
– VPN: provides secure channels for transferring sensitive information
– Antivirus: ensures the security of stored data by stopping worms, viruses, malware and Trojans
Processes
• The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives.
• Generally this part, which is managed by software in data networks and by administrative paperwork in the physical environment, works under the supervision of a set of rules called “Policies”
• As mentioned before, policies are made by strategic planners and approved by top management
• Asset management is the main process of any InfoSec solution
Human Factor
• People are the biggest assets
• But they are also the biggest threat
– More than 70% of threats are internal
– More than 2/3 express their inability to determine “whether my systems are currently compromised?”
– Psychological manipulation: “social engineering”
• Human awareness is the most important issue
• Also handled under the asset management part
THE 10 RULES OF THE SOHO INTERNET
1. Safeguard your computer.
2. Use strong passwords and a screensaver.
3. Update and patch your operating system.
4. Have an up-to-date firewall.
5. Have up-to-date anti-virus software.
6. Act anti-spam.
7. Use up-to-date anti-spyware/adware tools.
8. Be sensible – don’t take unnecessary risks.
9. Back it up.
10. Fix problems as soon as they arise.
Safe Password
Do:
• Always use a password of at least 8 characters with a combination of letters, numbers and special characters (*, %, @, #, $, ^)
• Use passwords that you can easily remember
• Change your password regularly as per policy
• Use a password that is significantly different from earlier passwords
Don’t:
• Use passwords that reveal your personal information or words found in a dictionary
• Write down or store passwords
• Share passwords over phone or email
• Use passwords that do not match the above complexity criteria
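The password rules on this slide as a policy checker, added here as an example and not part of the original slides. It reports every rule a candidate breaks; the tiny dictionary, the "personal information" strings and the edit-distance threshold of 4 used to judge "significantly different" are constructed assumptions, not values from the slide.

```python
"""Check a candidate password against the rules on the slide (constructed example)."""
SPECIAL = set("*%@#$^")
# Constructed, deliberately tiny stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "summer", "letmein"}


def edit_distance(a, b):
    """Levenshtein distance; used to decide whether a new password is
    'significantly different' from an earlier one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(pw, personal_info=(), previous=(), min_distance=4):
    """Return the list of rules the password breaks; an empty list means it passes.
    personal_info: strings such as a name or birth year that must not appear.
    previous: earlier passwords the new one must differ from (assumed threshold: 4 edits)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character from * % @ # $ ^")
    low = pw.lower()
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(info and info.lower() in low for info in personal_info):
        problems.append("contains personal information")
    if any(edit_distance(low, old.lower()) < min_distance for old in previous):
        problems.append("too similar to an earlier password")
    return problems
```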
Enterprise Security Evaluation
• Five questions:
– What assets are you trying to protect?
– What are the risks to these assets?
– How well does the security solution mitigate those risks?
– What other risks does the security solution cause?
– What costs and trade-offs does the security solution impose?
• These questions do not produce a solution; they evaluate a particular one
• InfoSec is an up-to-date understanding of risks and assurance controls
• Balancing protection from risks and controls guarantees business continuity and the availability of information
• Policies are statements of management intentions and goals
• Value defines the importance of the information and the required protection level
• The protection level determines procedures and policies
• Policies are approved by high-level managers
• Senior management support and approval is vital to success
• A successful system should have different levels of security to allow flexibility
Concluding Remarks