17 info sec_ma_imt_27_2_2012

Information SecurityInformation SecurityRECIPA-IMTRECIPA-IMT

• Understanding of information security and Key concepts

• Understanding role model for having robust Information Security Management System Implementation

• Empowerment of Information Security Management System through implementing best practices for People, Process and Technology.

• Few Guidelines to maintain Network and Personal Security

AimsINFOSEC

The Growth of Internet Crime

“Of the top five categories of offenses reported to law enforcement during 2009, non-delivered merchandise and/or payment ranked 19.9%; identity theft, 14.1%; credit card fraud, 10.4%; auction fraud, 10.3%; and computer fraud (destruction/damage/vandalism of property), 7.9%.”

Information Security

• What is it?- The process in which “Confidentiality”, “Integrity” & “Availability” of information ensured.

• In other words: - protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. (United States Code, title 44)

Main Concepts

– Confidentiality

Preventing unauthorized persons, or parties to get access to the information

– Integrity

Safeguarding the accuracy and completeness of information and processing methods

– Availability

Ensuring access for authorized persons/parties anytime it’s needed.

Information classification

• Act of tagging information with labels to make divide them to different groups.

• When it’s related to information security, It should be first step!

• It enables to treat information in sets with similar procedures for easier handling and better management.

Information classification

• It clarifies information usage with respect to access control and confidentiality protection.– First is the issue of who is qualified to determine this– Mostly context and content dependent– Normally can be changed by Time and Circumstances

• Best example is military classical classification– Unclassified– Secret– Top secret

• In data world both “data” and “persons” are categorized to manage access control

Confidentiality

• Confidentiality ensures that only those with the rights and privileges to access information are able to do so.

• Having complete Confidentiality can be impossible to insure at times.

• Examples:– research data,– medical and insurance records, – new product specifications– corporate investment strategies.

Integrity

• Information has integrity when it is whole, complete, and uncorrupted.

• The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

• When information is modified in unexpected ways, the result is known as loss of integrity.

• It defines authenticity and level of trust

Availability

• Timely, reliable access to data and information services for authorized users, and has three main factors;– Reliability: degree in which a system performs its purpose

for the period of time intended under the operating conditions encountered

– Accessibility: degree in which a system is usable by as many people as possible without modification and is characterized in terms of the ability of users to have physical access to the system.

– Timeliness: is the responsiveness of a system or resource to a user request. In fact,

Availability

• Traditionally Info AV has mostly been measured by the amount of time an information resource is either processing or not (uptime and downtime)

• Other secondary factors;– Redundancy and thorough

system backups– Preventative and correctative

maintenance

Possible Threats

High User Knowledge of IT

Systems

Theft, Sabotage,

Misuse

Virus Attacks

Systems & Network Failure

Lack Of Documentation

Lapse in Physical Security

Natural Calamities &

Fire

SO HOW DO WE

OVERCOME THESE

PROBLEMS?

Planning of InfoSec

• An Strategic view will be: – Analysis of the current situation;– Identification of business-strategy requirements;– Identification of legal and regulatory requirements;– Identification of requirements due to external trends;– Definition of the target situation;– Definition and prioritization of strategic initiatives;– Distribution of the draft strategy;– Agreement and publication of final strategy.

InfoSec Policy is approved by Top Management

History

Early 1990• DTI (UK) established a working group• Information Security Management Code of Practice produced as

BSI-DISC publication

1995• BS 7799 published as UK Standard

1999• BS 7799 - 1:1999 second revision published

2000 • BS 7799 - 1 accepted by ISO as ISO - 17799 published• BS 7799-2:2002 published

History

• ISO 27001:2005Information technology — Security techniques — Information security management systems — Requirements

• ISO 27002:2005Information technology — Security techniques — Code of practice for information security management

Security Triangle again

Information Security Policy

Organisation of Information

Security

Asset Management

Human Resource Security

Physical Security

Communication & Operations Management

Access Control

System Development

& Maintenance

Incident Management

Business Continuity Planning

Compliance

Confiden

tialit

y Integrity

Availability

A Security System Components

PEOPLE

PROCESSES

TECHNOLOGY

Organization

Staff

Business

Processes

Technology

used by

Organization

Technologies

• Prevention of physical access by unauthorized people

• Data Network Security by using proper access control

• Communication line Security– Preventing eavesdroppers– Avoid tapping to line– Stopping intruders attacks

Technologies

• Proper Hardware design is main Solution:– Firewalls; Prevents

unauthorized access from outside network

– VPN; Provides Secure channels for transferring sensitive information

– Antivirus; Ensures security of stored data by stopping worms, viruses, malwares, Trojans

Processes

• The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives.

• Generally this part which managed by software in data networks and administrative paperwork in physical environment, works under supervision of set of rules called “Policies”

• As mentioned before Policy makers are made by strategic planners and approved by top management.

• Asset management is main process of any InfoSec Solution

Human Factor

• People are biggest assets

• But also they are biggest threat

– More than 70% of Threats are Internal– More than 2/3rd express their inability to determine “Whether

my systems are currently compromised?”– Psychological manipulation “Social Engineering”

• Human awareness is most important issue• Also handled under asset management part

THE 10 RULES OF THE SOHO INTERNET

• 1. Safeguard your computer.• 2. Use strong passwords and a screensaver. • 3. Update and patch your operating system.• 4. Have an up-to-date firewall.• 5. Have up-to-date anti-virus software.• 6. Act anti-spam.• 7. Use up-to-date anti-spyware/adware tools.• 8. Be sensible – don’t take unnecessary risks.• 9. Back it up.• 10. Fix problems as soon as they arise.

Safe Password

Always use at least 8 character password with combination of alphabets, numbers and special characters (*, %, @, #, $, ^)

Use passwords that can be easily remembered by you Change password regularly as per policy Use password that is significantly different from earlier passwords

Use passwords which reveals your personal information or words found in dictionary

Write down or Store passwordsShare passwords over phone or EmailUse passwords which do not match above complexity

criteria

Enterprise Security Evaluation

• Five Questions:– What assets are you trying to protect?– What are the risks to these assets?– How well does the security solution mitigate those

risks?– What other risks does the security solution cause?– What costs and trade-offs does the security solution

impose?

• These Questions doesn’t bring solution but evaluates a particular one

• InfoSec is up-to-date sense of understanding of Risks and Assurance Controls.

• Balancing between Protection from Risks and Controls is guarantee of business continuity Availability of Information

• Policies are statements of management intentions and goals• Value defines the importance of info and required protection

level• Protection level determines procedures and policies• Policies are approved by high level managers• Senior Management support and approval is vital to success• Successful system should have different level of Security to

urge flexibility

Concluding Remarks

Information SecurityInformation SecurityRECIPA-IMTRECIPA-IMT