A security awareness presentation created for an audience of senior officials from MTNL (India's foremost telecom PSU). The presentation covers the fundamentals of Information Security, its evolution, and present-day risks from the IT and telecom infrastructure perspective.
Transcript
Digital Crime, Fraud & Forensic Investigations, Governance Risk and Compliance, IT Asset Management, License Management, Cyber Security, Cyber Labs
At MTNL, Mumbai
By
Dinesh O Bareja
November 19, 2013
Introduction
Audience
Us: Pyramid & Dinesh
Today's Program Plan
Information Security Fundamentals
Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom; national intranet and "lights on" concept)
What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc.)
When and How to Secure
First steps and discussions
Established and well-known Cyber Security and Forensics consulting organization for the past decade
Cyber Forensics Labs in 22 states across India
Qualified, experienced and certified team of Forensic and InfoSec professionals
Full range of InfoSec services – strategy, design, implementation, maintenance, testing, response, investigation, protection
Technology advancement has brought about dramatic change in life and work, and continues its march of dynamic growth.
It was an era of innocence and invention from the time computing started up to the time the internet was unveiled.
Over the years it has metamorphosed into a force we are still trying to understand, and has brought with it 'great expectations' from the human beings who are in charge!
Even a young man has to use a walking stick!
http://www.geeksaresexy.net/2013/04/26/the-evolution-of-essentials-comic/
Information Technology is NOT a support function
Information Security is NOT a cost center
Requires ABSOLUTE management support – absolutely and unconditionally
Management MUST have a high level of awareness of risks and must maintain a high level of visibility
Risks, threats and metrics arising from IT / IS must be a regular item on the board agenda
Board must receive regular intelligence advisories
Fires, floods, and such disasters will see the CxO on the frontlines… earning respect
Empower security teams
Define roles and responsibilities
Ensure strong and well-defined processes for managing risk, controls, BCP/DR, communication
Automate processes
InfoSec management systems must have strong governance
Various standards like ISO 27001, ISO 22301, ISO 20000, ISO 14000
Frameworks like ITIL, PCI-DSS, NIST
Laws and regulatory requirements – IT Act, Guidelines, Data Protection etc.
IT Security …
The 11 domains of ISO 27001:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resource Security
- Physical and Environmental Security
- Communication and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
11 Domains, 39 Control Objectives, 133 Controls
ISO 22301 – BCP/DR
ISO 19770 – Software License
ISO 31000 – Risk Management
ISO 27011 – Telecom ISMS
BS 10002 – Data Classification
ISO 31010 – Risk Terminology
Policies and Procedures
Risk Management
Asset Information
Data Classification
Incident Management
BCP/DR
Configuration, Change
Compliance Requirements
SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean).
While SHODAN is a search engine, it is very different from content search engines like Google, Yahoo or Bing.
Rather than locating specific content for a given search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners.
PwC – State of Information Security in India Report 2013
Telecom Security …
An unexplained suicide
Reputation loss for Vodafone
Rootkit on Ericsson AXE MSC
Involvement of CIA?? Not proven
Case is not yet resolved
Motive is unknown
CMS/IMS regime
Radia Tapes
Lawful interception
Hardware Security
23.7(i) Security Responsibility
- Complete and total responsibility for security of networks, under which the following must be done – Network Forensics, Network Hardening, Network PT, Risk Assessment
23.7(ii) Security Audit
- Conduct a network security audit once a year by a network audit certification agency, as per ISO 15408 and ISO 27001
23.7(iii) Security Testing
- Network elements must be tested as per defined standards – IT and IT-related elements against ISO 15408, ISMS against ISO 27001; telecom elements against 3GPP / 3GPP2 security standards. Up to 31 Mar 2013 this could be done overseas; after this date it must be done in India
23.7(iv) Security Configuration
- Include all security features, as per standards, while procuring equipment, and implement the same
- Maintain a list of all features while equipment is in use
- List is subject to inspection by the Licensing Authority
23.7(v) Security Personnel
- CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central database, softswitches … all must be Indian nationals
Hacked on Aug 14, and site was still down as on Aug 16
Earlier hack in June 2013, by Anonymous to protest against censorship. Site was down for 6 hours
Stuxnet, Flame, Shamoon, Duqu, Gauss
Russian Nuclear Plant (last week)
RUMOURS
- ISRO
- Fukushima
- Baker Hughes
- ConocoPhillips
- Marathon
- Chevron
Viruses
Piracy
Data Integrity
MMS
Identity Theft, Website defacement
Trojans, Worms, APT
Ransomware
Low Orbit Ion Cannon – used by Anonymous to launch DDoS attacks
Blackhole Exploit Kit (pre-made attack tools and packages). Available for download, it is a full-fledged, highly sophisticated attack suite – a widely used, web-based software package which includes a collection of tools that leverage web browser security gaps. It enables the downloading of viruses, bots, trojans and other forms of malicious software onto the computers of unsuspecting victims. Prices for such kits range from $50 for a single day's usage up to $1,500 for a full year.
Managed Crime Services
Card Markets
Information Exchange
Cyber Mercenaries for Hire
Botnets (available for as low as $500)
Documented policies, procedures, audit procedures
Risk Management
Access Management – privileged users, passwords, onboarding, offboarding
HR – background checks
Configuration, Change, Patch, Backup
Network Traffic and Forensics
Threat Intelligence
End Point Protection
Infrastructure Security Assessment
Training
Awareness
Mobile Device Management
Asset Management
Compliance (internal and external)
Application Security
Incident Management & Response
Encryption
Version Control with source code review to thwart logic bombs
The revelation of PRISM has changed the way we look at the future.
What was to happen is already happening – the NSA can keep tabs on the global population!
Microsoft, Google, Adobe and all the big names in technology are implicated. We have been dreaming and planning to get out of commercial systems into the open source domain, and these events have pushed the future into the present.
Policies / Procedures / Documentation
DLP
SIEM
Network Forensics
Secure Web Application
Periodic VA and PT
Audit and Review
Malware
APT
Data Breach
Denial of Service
Slow response in the face of change
Lack of actionable intelligence
Insufficient Capability and Capacity
Weak Incident Response and Crisis Management
Insecure Applications
Lack of awareness
Internal - Human Error
Fraud
Default Passwords, hardening
Phishing / Vishing
Logic Bombs