E-security knowledge for different types of users - PowerPoint PPT Presentation

Slides: 46
Provided by: cdacn

Transcript and Presenter's Notes

1
E-security knowledge for different types of users
  • M.M.Pant

2
Criticality of e-security
  • More than 80% had suffered an information security
    breach in the last 12 months
  • Often perceived as an IT issue only
  • Hence misdirected and misguided policies
  • Security is essential for safety

3
Categories of security breaches
  • Most common is virus infection
  • Unauthorized users
  • Hackers
  • Physical custody and transportation of data

4
E-security Knowledge levels
  • The completely unbreakable quantum computer
  • Cryptography, digital signatures and biometrics
  • E-forensics and evidence matters
  • Management of e-security policy and standards
  • Frauds through the Internet

5
Information Assets Hardware
  • Servers
  • Nodes
  • Circuit Cards
  • External tape, disk, CD-ROM
  • Routers / switches
  • Converters / adaptors
  • UPSs
  • Test equipment
  • Tools
  • Spare parts
  • Cards / cables

6
Information Assets Software
  • Source Code
  • Object Code
  • Locally written programs
  • Purchased programs
  • Operating system
  • Utilities
  • Diagnostics
  • Communication programs
  • Backups
  • Documentation

7
Information Assets Data
  • Online data
  • Offline ( archived ) data
  • Log files
  • Database
  • In transit ( on communication lines )

8
Information Assets People
  • Users
  • Programmers
  • Administrators
  • Electronic maintenance
  • Facilities maintenance
  • Operators
  • Managers
  • Delivery
  • Vendors
  • Consultants
  • Visitors

9
Information Assets Documents
  • Hardware Manuals
  • Software Manuals
  • Licenses / contracts
  • Physical online access control lists
  • Training material

10
Supplies
  • Magnetic media
  • Computer stationery
  • Printer ribbon
  • Toner
  • Cleaning materials

11
BS7799
  • BS7799 was originally conceived as a code of
    practice for information security management.
  • It catalogues a whole host of good security
    controls with near universal applicability for
    multi-national organisations.
  • The code of practice has been adopted by the
    Netherlands, Australia and New Zealand. Other
    nations are showing keen interest.
  • The UK and the Netherlands have established
    EN45012 accredited certification schemes.

12
10 Generic Tips for e-security
  • If you're not doing everything on this list,
    chances are you'll suffer from a security loss.
  • And it's not a matter of if you'll suffer a loss,
    but more of a question of when.
  • Check this list, check it again, and then get
    busy. There is a lot to protect

13
1. Passwords: mandatory and strong
  • Besides requiring your users to use passwords,
    there are two other things you should require of
    them: password ageing and strong passwords.
  • Password ageing is essential to minimize the
    chances of someone else discovering and using a
    password that may be shared, for example to help
    a co-worker access the corporate network.
  • A strong password (requiring a mix of letters,
    numbers, and characters) minimizes the chances of
    someone obtaining a password through a social
    engineering exercise. ("I normally use my kid's
    name for my password. Do you?")
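The two requirements on this slide, password ageing and a strong mix of characters, can be checked mechanically. The following is an added example written for this transcript, not code from the presentation or its author. The policy numbers (a 12-character minimum, a 90-day maximum age) and the optional list of guessable words (the "kid's name" case from the slide) are assumptions for illustration; real policies should set them deliberately.

```python
import re
from datetime import date, timedelta

# Policy values assumed for this example (the slide gives no numbers).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90


def is_strong(password: str, blocked_words=()) -> bool:
    """Strong in the slide's sense: a mix of letters, numbers and other
    characters, and not built from something a colleague could guess
    (a child's name, the company name, ...)."""
    if len(password) < MIN_LENGTH:
        return False
    lowered = password.lower()
    # Reject passwords that contain a guessable word (case-insensitive).
    if any(word and word.lower() in lowered for word in blocked_words):
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_other = re.search(r"[^A-Za-z0-9]", password) is not None
    return has_letter and has_digit and has_other


def is_expired(last_changed: date, today: date,
               max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Password ageing: a password older than max_age_days must be changed."""
    return (today - last_changed) > timedelta(days=max_age_days)


def check_account(password: str, last_changed: date, today: date,
                  blocked_words=()) -> list:
    """Return the list of policy violations for one account (empty = compliant)."""
    problems = []
    if not is_strong(password, blocked_words):
        problems.append("weak password")
    if is_expired(last_changed, today):
        problems.append("password expired")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts for the demo, not real credentials.
    today = date(2024, 6, 1)
    accounts = [
        ("alice", "Tr0ub4dor&3xtra", date(2024, 4, 15)),   # compliant
        ("bob", "password123", date(2024, 5, 1)),          # no special character
        ("carol", "Aarav2019!!home", date(2023, 12, 1)),   # child's name, and expired
    ]
    for user, pw, changed in accounts:
        result = check_account(pw, changed, today, blocked_words=("Aarav",))
        print(user, result or ["ok"])
```

The ageing check is deliberately separate from the strength check so that an audit script can report the two findings independently; a password that is both weak and expired yields both messages.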

14
2. Locks for physical security
  • Data security is useless if one can easily walk
    away with the device where the data resides and
    have all the time in the world to try and access
    the data on the device.
  • Locked server rooms, locking desktops and laptops
    to the desk, and in general securing physical IT
    assets, is often overlooked

15
3. Implementing inactivity monitors
  • When users are away from their computers they are
    vulnerable. Anyone can walk up and access all the
    information on that user's computer just as if
    they were that user.
  • Computers should be set to lock themselves after
    the shortest period of inactivity that the user
    is willing to tolerate.
  • If some users find it tedious to reenter their
    passwords after short periods of inactivity,
    consider a biometric solution which frees the
    user from having to retype their passwords every
    time to unlock the computer

16
4. Have a formal security policy document
  • If your organization doesn't have a formal
    security policy around the use of IT assets,
    you're behind the times.
  • You need to develop security policies that
    balance the productivity of your users with the
    need to keep IT assets and data safe.
  • And once you have a policy, be sure to set up
    training for all your users and make security
    training a required part of every new employee
    orientation

17
5. Distinguish between users and administrators
  • Many companies grant administrative rights to
    their users to install specific applications
    themselves.
  • Don't let the user do the administrator's job!

18
6. Updates: do at least the critical ones!
  • Many security problems stem from a flaw that a
    hacker finds in a component of the operating
    system.
  • You should make sure you sign up to receive the
    latest critical updates which close these
    potential exploits.

19
7. Backup and contingency
  • Imaging a user's disk saves all their important
    data in the event of a disaster and saves you the
    trouble of having to rebuild their machine in the
    event of a crash or even system theft.
  • This one is difficult, especially with a mobile
    workforce, so you'll have to work closely with
    your users to make this a reality.

20
8. Communicate the importance of security
  • Getting the word out about security to your users
    is one thing. Constantly reminding them of the
    importance of perpetual security is something
    else entirely.
  • Make communicating about security a regular habit
    and people will respect the security policies you
    have in place.

21
9. Wireless access management
  • With the ubiquity of wireless access and the ease
    by which it can be deployed, it's easy to
    overlook these access points as a security hole.
  • Set up some type of wired-equivalent privacy
    (WEP) on these access points so passers-by or
    visitors can't easily hop on your network

22
10. Regular IT Audits
  • Accounting for all your equipment and how it's
    set up is a time-consuming and difficult job.
  • But if you do it on a regular basis, not only
    will you catch security problems early, you'll
    also keep your users on their toes, which further
    enhances security

23
Emerging Internet Frauds
  • Hacking
  • Identity theft
  • Money laundering through the Internet
  • Crimes of persuasion

24
Top 10 Frauds on the Internet of 2006
  • 1. Online Auctions: Misrepresented or undelivered
    goods
  • 2. General Merchandise: Misrepresented or
    undelivered goods not purchased through auctions

25
Top 10 Frauds on the Internet
  • 3. Fake Check Scams: Consumers used fake checks
    to pay for sold items, and asked to have the
    money wired back
  • 4. Nigerian Money Offers: Deceptive promises of
    large sums of money, if consumers agreed to pay
    the transfer fee
  • 5. Lotteries: Asking winners to pay before
    claiming their non-existent prize

26
Top 10 Frauds on the Internet
  • 6. Advance Fee Loans: Request a fee from
    consumers in exchange for promised personal loans
  • 7. Phishing: Emails pretending to represent a
    credible source ask consumers for their personal
    information (e.g. credit card number)

27
Top 10 Frauds on the Internet
  • 8. Prizes/Sweepstakes: Request a payment from
    consumers in order for them to claim their
    non-existent prize
  • 9. Internet Access Services: Misrepresentation of
    the cost of Internet access and other services,
    which are often not provided
  • 10. Investments: False promises of gains on
    investments

28
The ABC of e-security
  • ABC: Automobile-based comparison
  • Executive Dashboards for Data Visualisation
  • Strategic Decision making involves making
    substantial investments of resources over long
    periods of time, before results are seen

29
Road
  • The organisation's Information Systems Vision.
  • The road helps in developing the map, which is the
    ISS policy; this has to be in congruence with
    the business policy

30
Map
  • The ISS policy document
  • This follows from the business vision, or the
    road.
  • It tries to devise the best route given the
    road ahead; it covers purpose, scope, mechanisms
    and measures for implementation

31
Gas / Petrol Gauge
  • Resources/Money Allocated
  • This is simply the money allocated for the IS
    spending for any given time period (typically the
    accounting year)
  • It shows the total amount of money available for
    spending on IS at any given point of time

32
Pedometer / Distance Gauge
  • Distance to be traversed
  • Typically the amount of time for which the budget
    is allocated
  • At any point of time it would show the amount of
    time the money allotted to IS has to last

33
Speedometer
  • ROSI: return on security investments
  • It is a metric which captures the cost/benefit
    aspect of information security
  • Measured in terms of decreased risk of security
    breaches

34
Temperature
  • Threat or attack frequency
  • The number of security breaches which occur is
    represented by the temperature; hacking of
    systems, stealing of data etc. would increase the
    temperature

35
Windscreen
  • External monitoring (threats, technologies,
    standards etc..)
  • Provides knowledge and outside interaction to be
    in touch with the latest developments the world
    over

36
Back Mirror / Rear view mirror
  • Internal process monitoring
  • Employee access and use of classified data
  • Filtering e-mail, blocking sites (private mail,
    entertainment..) and random system checks

37
Steering wheel
  • Strategic Direction
  • What the IS policy should be, leads to the map
  • The steering wheel is operated by the Director IT
  • In case of unforeseen events he should have the
    authority to change the direction (focus) of the
    policy

38
Headlights
  • Market research, customer needs

39
Wipers
  • Fresh objectives
  • Fresh perspectives
  • Using external resources
  • Using internal resources

40
Brakes
  • Calamity Control measures
  • A 100% mirror image of the entire system,
    maintained, guarded and secured in real time.
  • Called the Disaster Recovery system, it is
    remotely located and only few concerned people
    know about it

41
Gear box: Levels of security
  • May be based on the NIST five-level framework
  • Level 1: Security policy documented
  • Level 2: Documented procedures and controls to
    implement policy
  • Level 3: Procedures and controls have been
    implemented
  • Level 4: Procedures and controls have been tested
    and reviewed
  • Level 5: Fully integrated into a comprehensive
    program

42
Clutch
  • Interim security procedures
  • These are in place while shifting systems
  • Also includes training and awareness during the
    change process from one level to another

43
Accelerator
  • Rate of investing in information security
  • This is a monitored factor ( burn rate ) by the
    senior management
  • There cannot be a massive surge in spending all
    of a sudden
  • Accelerator cannot be taken above a certain limit
    without explicit permission

44
Compass
  • Navigator
  • When moving along several dimensions
  • Will give a sense of direction

45
Thank You !!!!!
mmpant_at_mmpant.org