Title: E-security knowledge for different types of users
E-security knowledge for different types of users
Criticality of e-security
- More than 80 had suffered an information security breach in the last 12 months
- Often perceived as an IT issue only
- Hence misdirected and misguided policies
- Security is essential for safety
Categories of security breaches
- Most common is virus infection
- Unauthorized users
- Hackers
- Physical custody and transportation of data
E-security knowledge levels
- The completely unbreakable quantum computer
- Cryptography, digital signatures and biometrics
- E-forensics and evidence matters
- Management of e-security policy and standards
- Frauds through the Internet
Information Assets: Hardware
- Servers
- Nodes
- Circuit Cards
- External tape, disk, CD-ROM
- Routers / switches
- Converters / adaptors
- UPSs
- Test equipment
- Tools
- Spare parts
- Cards / cables
Information Assets: Software
- Source Code
- Object Code
- Locally written programs
- Purchased programs
- Operating system
- Utilities
- Diagnostics
- Communication programs
- Backups
- Documentation
Information Assets: Data
- Online data
- Offline (archived) data
- Log files
- Database
- In transit (on communication lines)
Information Assets: People
- Users
- Programmers
- Administrators
- Electronic maintenance
- Facilities maintenance
- Operators
- Managers
- Delivery
- Vendors
- Consultants
- Visitors
Information Assets: Documents
- Hardware Manuals
- Software Manuals
- Licenses / contracts
- Physical online access control lists
- Training material
Supplies
- Magnetic media
- Computer stationery
- Printer ribbon
- Toner
- Cleaning materials
BS7799
- BS7799 was originally conceived as a code of practice for information security management.
- It catalogues a whole host of good security controls with near universal applicability for multi-national organisations.
- The code of practice has been adopted by the Netherlands, Australia and New Zealand. Other nations are showing keen interest.
- The UK and the Netherlands have established EN45012 accredited certification schemes.
10 Generic Tips for e-security
- If you're not doing everything on this list, chances are you'll suffer from a security loss.
- And it's not a matter of if you'll suffer a loss, but more of a question of when.
- Check this list, check it again, and then get busy. There is a lot to protect.
1. Passwords: mandatory and strong
- Besides requiring your users to use passwords, there are two other things you should require of them: password ageing and strong passwords.
- Password ageing is essential to minimize the chances of someone else discovering and using a password that may be shared, for example to help a co-worker access the corporate network.
- A strong password (requiring a mix of letters, numbers, and characters) minimizes the chances of someone obtaining a password through a social engineering exercise. ("I normally use my kid's name for my password. Do you?")
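The two requirements on this slide, strength and ageing, as a small policy checker. This is an added example, not code from the slides; the 12-character minimum, the 90-day maximum age and the sample accounts are assumptions chosen for illustration.

```python
import re
from datetime import date, timedelta

# Policy values are assumptions for this example, not figures from the slides.
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_LENGTH = 12


def is_strong(password: str) -> bool:
    """Strong per the slide's definition: a mix of letters, numbers and
    other characters (symbols), plus a minimum length assumed here."""
    if len(password) < MIN_LENGTH:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    has_symbol = re.search(r"[^A-Za-z0-9]", password) is not None
    return has_letter and has_digit and has_symbol


def is_expired(last_changed: str, today: str) -> bool:
    """Password ageing: True when the last change (ISO date string)
    is older than MAX_PASSWORD_AGE relative to today."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > MAX_PASSWORD_AGE


def check_account(password: str, last_changed: str, today: str) -> list:
    """Return the policy violations for one account (empty list = compliant)."""
    problems = []
    if not is_strong(password):
        problems.append("weak: needs letters, numbers and symbols, min 12 chars")
    if is_expired(last_changed, today):
        problems.append("expired: older than 90 days, must be changed")
    return problems


if __name__ == "__main__":
    today = "2024-06-01"  # constructed reference date
    # Constructed sample accounts; the first is the kind of password the slide warns about.
    accounts = {
        "alice": ("emily", "2023-01-15"),
        "bob": ("Correct-Horse-42", "2024-04-20"),
    }
    for user, (pw, changed) in accounts.items():
        print(user, check_account(pw, changed, today) or ["ok"])
```

In a real deployment the strength test runs when a password is set and only the change date is stored afterwards, so the ageing check never needs the plaintext.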
2. Locks for physical security
- Data security is useless if one can easily walk away with the device where the data resides and have all the time in the world to try and access the data on the device.
- Locked server rooms, locking desktops and laptops to the desk, and in general securing physical IT assets, is often overlooked.
3. Implementing inactivity monitors
- When users are away from their computers they are vulnerable. Anyone can walk up and access all the information on that user's computer just as if they were that user.
- Computers should be set to lock themselves after the shortest period of inactivity that the user is willing to tolerate.
- If some users find it tedious to re-enter their passwords after short periods of inactivity, consider a biometric solution which frees the user from having to retype their passwords every time to unlock the computer.
4. Have a formal security policy document
- If your organization doesn't have a formal security policy around the use of IT assets, you're behind the times.
- You need to develop security policies that balance the productivity of your users with the need to keep IT assets and data safe.
- And once you have a policy, be sure to set up training for all your users and make security training a required part of every new employee orientation.
5. Distinguish between users and administrators
- Many companies grant administrative rights to their users to install specific applications themselves.
- Don't let the user do the administrator's job!
6. Updates: do at least the critical ones!
- Many security problems stem from a flaw that a hacker finds in a component of the operating system.
- You should make sure you sign up to receive the latest critical updates which close these potential exploits.
7. Backup and contingency
- Imaging a user's disk saves all their important data in the event of a disaster and saves you the trouble of having to rebuild their machine in the event of a crash or even system theft.
- This one is difficult, especially with a mobile workforce, so you'll have to work closely with your users to make this a reality.
8. Communicate the importance of security
- Getting the word out about security to your users is one thing. Constantly reminding them of the importance of perpetual security is something else entirely.
- Make communicating about security a regular habit and people will respect the security policies you have in place.
9. Wireless access management
- With the ubiquity of wireless access and the ease by which it can be deployed, it's easy to overlook these access points as a security hole.
- Set up some type of wired-equivalent privacy (WEP) on these access points so passers-by or visitors can't easily hop on your network.
10. Regular IT audits
- Accounting for all your equipment and how it is set up is a time-consuming and difficult job.
- But if you do it on a regular basis, not only will you catch security problems early, you'll also keep your users on their toes, which further enhances security.
Emerging Internet frauds
- Hacking
- Identity theft
- Money laundering through the Internet
- Crimes of persuasion
Top 10 Frauds on the Internet of 2006
- 1. Online Auctions: Misrepresented or undelivered goods
- 2. General Merchandise: Misrepresented or undelivered goods not purchased through auctions
- 3. Fake Check Scams: Consumers used fake checks to pay for sold items, and asked to have the money wired back
- 4. Nigerian Money Offers: Deceptive promises of large sums of money, if consumers agreed to pay the transfer fee
- 5. Lotteries: Asking winners to pay before claiming their non-existent prize
- 6. Advance Fee Loans: Request a fee from consumers in exchange for promised personal loans
- 7. Phishing: Emails pretending to represent a credible source ask consumers for their personal information (e.g. credit card number)
- 8. Prizes/Sweepstakes: Request a payment from consumers in order for them to claim their non-existent prize
- 9. Internet Access Services: Misrepresentation of the cost of Internet access and other services, which are often not provided
- 10. Investments: False promises of gains on investments
The ABC of e-security
- ABC: Automobile-based comparison
- Executive dashboards for data visualisation
- Strategic decision making involves making substantial investments of resources over long periods of time, before results are seen
Road
- The organisation's Information Systems vision.
- The road helps in developing the map, which is the ISS policy; this has to be in congruence with the business policy.
Map
- The ISS policy document
- This follows from the business vision, or the road.
- It tries to devise the best route given the road ahead; it covers purpose, scope, mechanisms and measures for implementation.
Gas / Petrol Gauge
- Resources/money allocated
- This is simply the money allocated for the IS spending for any given time period (typically the accounting year).
- It shows the total amount of money available for spending on IS at any given point of time.
Pedometer / Distance Gauge
- Distance to be traversed
- Typically the amount of time for which the budget is allocated.
- At any point of time it would show the amount of time the money allotted to IS has to last.
Speedometer
- ROSI: return on security investments
- It is a metric which captures the cost/benefit aspect of information security.
- Measured in terms of decreased risk of security breaches.
Temperature
- Threat or attack frequency
- The number of security breaches which occur is represented by the temperature; hacking of systems, stealing of data and the like would increase the temperature.
Windscreen
- External monitoring (threats, technologies, standards etc.)
- Provides knowledge and outside interaction to be in touch with the latest developments the world over.
Back Mirror / Rear View Mirror
- Internal process monitoring
- Employee access and use of classified data
- Filtering e-mail, blocking sites (private mail,
entertainment..) and random system checks
Steering Wheel
- Strategic direction
- What the IS policy should be; leads to the map
- The steering wheel is operated by the Director IT
- In case of unforeseen events he should have the authority to change the direction (focus) of the policy.
Headlights
- Market research, customer needs
Wipers
- Fresh objectives
- Fresh perspectives
- Using external resources
- Using internal resources
Brakes
- Calamity control measures
- A 100 mirror image of the entire system, maintained, guarded and secured in real time.
- Called the Disaster Recovery system, it is remotely located and only a few concerned people know about it.
Gear Box: Levels of security
- May be based on the NIST 5-level framework
- Level 1: Security policy documented
- Level 2: Documented procedures and controls to implement policy
- Level 3: Procedures and controls have been implemented
- Level 4: Procedures and controls have been tested and reviewed
- Level 5: Fully integrated into a comprehensive program
Clutch
- Interim security procedures
- These are in place while shifting systems
- Also includes training and awareness during the
change process from one level to another
Accelerator
- Rate of investing in information security
- This is a monitored factor (burn rate) by the senior management.
- There cannot be a massive surge in spending all of a sudden.
- The accelerator cannot be taken above a certain limit without explicit permission.
Compass
- Navigator
- When moving along several dimensions
- Will give a sense of direction
Thank You !!!!!
mmpant_at_mmpant.org