
Managing Information System Security: Principles

Jan 05, 2016

Managing Information System Security: Principles. GP Dhillon Associate Professor Virginia Commonwealth University. Shocking news. 25% of the organizations did not have an internal audit 50% of the organizations did not have computer audit skills - PowerPoint PPT Presentation
Transcript
Page 1

Managing Information System Security: Principles

GP Dhillon

Associate Professor

Virginia Commonwealth University

Page 2

Shocking news

25% of the organizations did not have an internal audit

50% of the organizations did not have computer audit skills

60% of the organizations had no security awareness

80% of the organizations did not conduct a risk analysis

Page 3

General Statistics

CERT/CC: Incidents Reported
1991 – 406
1993 – 1,334
1995 – 2,412
1997 – 2,134
1999 – 9,859
2001 – 52,658
2003 – 137,529

Page 4

Common Myths

“Why should I care, I have nothing to hide.”
“Why does anyone care about my computer?”
“It’s too difficult to get access to my computer or personal information…”
“If someone tries to [insert malicious activity here], I will notice!”
“Ignorance is bliss!”

Page 5

Are you at risk?

Using the following puts you at risk:
Computers
Credit Cards
Banks
Airlines
Automobiles
…many more…

Page 6

CIA – the building blocks

Confidentiality

Integrity

Availability

Page 7

Confidentiality

Ensures privacy. Applies to both data on disks and network communication.

Accomplished through encryption: https, s/mime, pgp, ssh and ipsec

Page 8

Integrity

Develops trust of the network and computer systems.

Applies to both data on disks and network communication.

Integrity is increased by proper data and system management.

Page 9

Availability

Another catalyst for trust.

Required for data on disk and network.

Prevents Denial of Service attacks, etc.

Page 10

Defending with technology

Page 11

Start with the basics

Basic computer security through technology is easy; use…
A firewall,
Anti-Virus Software,
Patch your computer quickly, when required,
Strong passwords!

Page 12

Firewalls

The most useful tool in your bag of defenses.

Prevents intruders from accessing services on your computer.

Validates/normalizes network traffic.

May provide reports and trend analysis.

Available for all major operating systems – usually for free!

Page 13

Anti-virus software

Stops viruses and worms sent by email, attachments, downloads, etc.

Detects malicious software through intelligent heuristics.

Available for all major desktop and server operating systems.

A requirement; not an option.

Page 14

Patches

(Usually) free updates to your computer; can be downloaded from the Internet.

Available before most exploits surface.

Automated, usually.

Critical to overall security.

Chant: “We Must Patch, We Must Patch…”

Page 15

Strong passwords

Keeps you on-target with best practices.

Is composed of 8 or more characters and includes letters, numbers and 2 special characters, including !@#$%^&.-+-=|]{}:”.

Not based on any dictionary word from any language.

Changes regularly; not shared.
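The rules on this slide, turned into a policy check. This is an added example, not code from the deck or its author; the special-character set is the slide's own, while the word list and the leet-substitution table are constructed stand-ins for the real multi-language dictionary the slide implies.

```python
"""Password-policy checker for the slide's rules: 8 or more characters,
letters, numbers, at least 2 special characters from the slide's set,
and not based on a dictionary word. Added example, not the deck's code."""

# Special characters exactly as listed on the slide (straight quote added
# alongside the slide's curly one so both count).
SPECIALS = set('!@#$%^&.-+=|]{}:"\u201d')

# Constructed mini word list standing in for a real multi-language dictionary
# (assumption: a deployment would load a full word list here).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "summer"}

# Common substitutions undone before the dictionary check, so that "p@ssw0rd"
# is still recognised as "password". Mapping is an assumption for the demo.
LEET = str.maketrans("@$0134!|", "asoleail")


def _based_on_dictionary_word(password: str) -> bool:
    """True if the password, lower-cased, with leet substitutions reversed and
    digits/specials stripped, contains a dictionary word of 4+ letters."""
    normalized = password.lower().translate(LEET)
    letters_only = "".join(ch for ch in normalized if ch.isalpha())
    return any(word in letters_only for word in DICTIONARY if len(word) >= 4)


def check_password(password: str) -> list[str]:
    """Return the slide rules the password violates (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("no letters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no numbers")
    if sum(ch in SPECIALS for ch in password) < 2:
        problems.append("fewer than 2 special characters")
    if _based_on_dictionary_word(password):
        problems.append("based on a dictionary word")
    return problems


def is_strong(password: str) -> bool:
    """Convenience wrapper: True only when every slide rule is satisfied."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("p@ssw0rd!", "short1!", "Gx7#qL2}vT"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The dictionary test runs after normalisation so a leet-spelled word such as "Dr4g0n!!99" is still rejected, which a naive "contains a digit and a symbol" check would accept.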

Page 16

Behavioral changes

Page 17

What technology doesn’t solve

Security technologies adapt as threats appear. They are not able to (easily) combat:
Threats,
Hoaxes,
Scams,
The behavior of others.

Page 18

The clue factor

Page 19

Education and awareness

Education and awareness are key to increasing the security posture of the University, and global Internet.
Dispels the FUD (fear, uncertainty, doubt).
Addresses problems before they exist.
Extends the radius of clue.
Creates inclusion in the entire infosecurity effort.

Page 20

Self-education

You can increase your own awareness of security related issues.
Subscribe to mailing lists for security notifications.
Visit security related websites.
Voice your concern on security related issues, helping raise awareness in others.

Page 21

Test your efforts

Remember: security is about sharing knowledge and contacts, not technology.

Page 22

The ‘RITE’ principles

Responsibility (and knowledge of Roles)

Integrity (as requirement of Membership)

Trust (as distinct from Control)

Ethicality (as opposed to Rules)

Page 23

“Total” security

CIA + RITE

Page 24

Conceptualizing controls

Pragmatic controls

Formal controls

Technical controls

Page 25

Principle #1

Principle 1: Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.

Page 26

Principle #2

Principle 2: Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.

Page 27

Principle #3

Principle 3: Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.

Page 28

Principle #4

Principle 4: Rules for managing information security have little relevance unless they are contextualized.

Page 29

Principle #5

Principle 5: In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.

Page 30

Principle #6

Principle 6: Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.