Information Security Fundamentals - PowerPoint PPT Presentation

1 / 51
About This Presentation
Title:

Information Security Fundamentals

Description:

... destruction, assaults on our critical infrastructures, and cyber-based attacks. ... and Process. Basic Information Security Components. AUTHENTICATION: ... – PowerPoint PPT presentation

Number of Views:3445
Avg rating:3.0/5.0
Slides: 52
Provided by: tommini
Category:

less

Transcript and Presenter's Notes

Title: Information Security Fundamentals


1
Information Security Fundamentals
Michael Sukkarieh CISSP, MBA, MS
2
Plan for Class
  • We will follow the book chapters
  • Starting next week we will go over the chapter
    and then you will take the exam at end of each
    chapter
  • Requirement
  • A paper
  • An Exam
  • Assignments
  • Case studies
  • Weekly participation using a Control Assessment
    Instrument
  • Weekly PPT presentation of assignments
  • Paper Review

3
About CISSP exam
  • ISC2.org
  • Divided exam into 2 steps examination and
    certification
  • Once a CISSP candidate passes, the application
    must be endorsed by a qualified 3rd party
  • A CISSP, candidate employer and other parties can
    endorse
  • 90 days to submit endorsement
  • Exam 6 hours with 250 questions
  • 10 are experimental
  • No penalties for wrong answers
  • CPE credits to keep accreditation
  • A fee to take the test and a fee for maintenance

4
Information Security Policy Control Areas
  • Information Security Policies
  • Information Security Organization
  • Asset Classification and Handling
  • Personal Security
  • Physical Security
  • System and Operations Management Controls
  • General Access Controls
  • System Development Life Cycle
  • Business Continuity
  • Compliance, Legal and Regulatory

5
Information Warfare The Matrix Uploaded So
what?
Michael Sukkarieh CISSP, MBA, MS
6
Agenda
  • Information Security
  • Information Privacy
  • Risk Management
  • Opportunities Markets
  • Some Examples

7
Todays Trend
Open Source
Insider/Espionage
Terrorists
White Collar Crime
Today's World
Disasters
Theft
Scripts
ID Theft
8
  • Information Security

9
So Who Cares?
  • You care about information security and privacy
    because
  • Information Security is a constant and a critical
    need
  • Threats are becoming increasingly sophisticated
  • Countermeasures are evolving to meet the threats
  • You want to protect your asset and privacy
  • You want to know what tools are there for
    protection and Because information security,
    information privacy and legal and compliance are
    inter-related

10
Increase in Security Incidents
11
Some Polls Suggest Source CSO
  • Which of the following is 1 priority
  • Wireless Security (16)
  • Spam/AntiVirus (17)
  • Identity Management (27)
  • Disaster Recovery (21)
  • Other (19)
  • Which of the following poses the greatest threat
  • Natural Disaster (36)
  • Terrorist Attack (12)
  • Cyberattack (52)

12
Scary Data
  • Industry Data
  • ID theft increased to 81 in 2002
  • Main cause for fraud is id theft
  • U.S.-based banks
  • 37 percent said identify theft significantly
    increased
  • 34 percent said it slightly increased
  • 24 percent said identity theft rates had stayed
    the same
  • 5 percent reported that the rates decreased
  • US Government Data
  • Id theft is perpetrated by hackers and their
    associates who steal personal information and
    identity (e.g. social security numbers) in order
    to commit various forms of fraud by assuming your
    identity
  • FTC reports that over 27.3 million Americans in
    the past 5 years reported their ID stolen
  • FTC survey revealed that ID theft costs consumers
    and business 53 billion in 2002
  • The FBI estimates that the number one threat to
    internet users is identity theft
  • Approximately 350,000 to 500,000 citizens fall
    victims to id theft every year.

13
Cyberterrorism
  • Cyberterrorism is any "premeditated, politically
    motivated attack against information, computer
    systems, computer programs, and data which
    results in violence against non-combatant targets
    by sub-national groups or clandestine agents."
    Cyberterrorism is sometimes referred to as
    electronic terrorism or information war.
  • U.S. Federal Bureau of Investigation

14
Information Warfare
  • Use of or attacks on information and information
    infrastructure to achieve strategic objectives
  • Tools in hostilities among
  • Nations
  • Trans-national groups (companies, NGOs,
    associations, interest groups, terrorists)
  • Corporate entities (corporations, companies,
    government agencies)
  • Individuals

15
Levels of Information Warfare
  • Against individuals
  • Theft, impersonation
  • Extortion, blackmail
  • Defamation, racism
  • Against organizations
  • Industrial espionage
  • Sabotage
  • Competitive intelligence
  • Against nations
  • Disinformation, destabilization
  • Infrastructure destabilization
  • Economic collapse

16
Presidential Decision Directive 63May 22, 1998
  • President Clinton ordered the strengthening of
    the nation's defenses against emerging
    unconventional threats to the United States to
    include those involving terrorist acts, weapons
    of mass destruction, assaults on our critical
    infrastructures, and cyber-based attacks.
  • Called for a national-level effort to assure the
    security of the increasingly vulnerable and
    interconnected infrastructures of the United
    States.
  • Major component involved the development and
    implementation of a plan by each department and
    agency of the Federal Government to protect its
    own critical infrastructure, to include, but not
    limited, to its cyber-based systems.

17
Prime Targets
  • Companies with hiring volatilities
  • Financial, communication, manufacturing,
    transportation and retail
  • Companies with lower volatility
  • Utilities, government, healthcare and education
  • Areas
  • IDS, Firewall, Anti virus, Identity management
  • Product design, policy
  • Privacy vs. Security
  • Security administration
  • Training and awareness

18
Potential Targets against our Infrastructure
  • Electricity
  • Transportation
  • Water
  • Energy
  • Financial
  • Information Technology
  • Emergency Services
  • Government Operations

19
Why Use Cyber Warfare?
  • Low barriers to entry laptops cost a lot less
    than tanks and bombs
  • Our world is dependent on computers, networks,
    and the Internet
  • Denial of service has economic, logistical, and
    emotional effect
  • Low cost to level the playing field

20
Information Warfare Strategies
  • The basic elements are
  • Hacking
  • Malicious code
  • Electronic snooping
  • Old-fashioned human spying
  • Mass disruption can be unleashed over the
    internet, but
  • Attackers must first compromise private and
    secure networks (i.e. Unclassified, Secret, Top
    Secret)

21
What are the methods?
  • Password cracking
  • Viruses
  • Trojan horses / RATS
  • Worms
  • Denial-of-service attacks
  • E-mail impersonation
  • E-mail eavesdropping
  • Network packet modification
  • Network eavesdropping
  • Intrusion attacks
  • Network spoofing
  • Session hijacking
  • Packet replay
  • Packet modification
  • Cryptography
  • Steganography
  • Identity theft

22
Hackers Information Warriors?
  • Inflicting damage
  • Alter, damage or delete information
  • Deny services
  • Damage public image
  • Personal motives
  • Retaliate or get even
  • Political or terrorism
  • Make a joke
  • Show off/Just Because
  • Elite Hackers
  • Black Hat
  • Grey Hat
  • White Hat
  • No hat
  • Malicious Code Writers
  • Criminal Enterprises
  • Trusted Insiders
  • Economic gain
  • Steal information
  • Blackmail
  • Financial fraud

23
The Traditional Hacker Ethic
  • Access to computers should be unlimited and total
  • All information should be free
  • Mistrust authority promote decentralization
  • Hackers should be judged by their hacking, not
    criteria such as age, race, etc.
  • You can create art and beauty on the computer
  • Computers can change your life for the better

24
Geopolitical Hotspots -Trends
25
A Balanced Security Architecture
  • Single, unifying infrastructure that many
    applications can leverage
  • A good security architecture
  • Provides a core set of security services
  • Is modular
  • Provides uniformity of solutions
  • Supports existing and new applications
  • Contains technology as one component of a
    complete security program
  • Incorporates policy and standards as well as
    people, process, and technology

Policy, Standards, and Process
People
Technology
26
Basic Information Security Components
  • AUTHENTICATION
  • How do we know who is using the service?
  • ACCESS CONTROL
  • Can we control what they do?
  • CONFIDENTIALITY
  • Can we ensure the privacy of information?
  • DATA INTEGRITY
  • Can we prevent unauthorized changes to
    information?
  • NONREPUDIATION
  • Can we provide for non-repudiation of a
    transaction?
  • AUDITABILITY AVAILABILITY
  • Do we know
  • Whether there is a problem? Whether its soon
    enough to take appropriate action?
  • How to minimize/contain the problem?
  • How to prevent denial of service?

27
Data Governance Controls
Information Management Infrastructure (IMI) Thr
eats Disclosure of information Unauthorized
access Loss of integrity Denial of service
X
X
X
X
X
X
Application
X
X
X
X
Networks
X
X
X
X
OS
Authentication
Confidentiality
Audit ability
Non-repudiation
Access Cntrl
Data Integrity
Availability
28
Information Security Control Areas
  • Information Security Policies
  • Roles and Responsibilities
  • Asset Classification and Handling
  • Personal Security
  • Physical Security
  • System and Operations Management Controls
  • General Access Controls
  • System Development Life Cycle
  • Business Continuity
  • Compliance, Legal and Regulatory

29
What is _at_Risk?
  • Financial Monetary Loss Risk
  • Payroll information leakage
  • Reputation Risk
  • Distributed attacks from campus
  • Terrorism
  • Laptop theft
  • ID Theft
  • Litigation Regulatory Risk
  • HIPAA, GLB, CA 1386

30
Information Security Bodies, Standards Privacy
Laws
  • Standards Privacy Laws
  • British Standards (ISO 17799)
  • EU Data Protection Act of 1998 (DPA)
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Fair Credit Reporting Act (FCRA)
  • National Institute for Standards Technology
    (www.NIST.gov)
  • Founded in 1901, NIST is a non-regulatory federal
    agency within the U.S. Commerce Department's
    Technology Administration.
  • NIST's mission is to develop and promote
    measurements, standards, and technology to
    enhance productivity, facilitate trade, and
    improve the quality of life.
  • Computer Emergency Response Team www.cert.org
  • The CERT Coordination Center (CERT/CC) is a
    center of Internet security expertise at the
    Software Engineering Institute, a federally
    funded research and development center operated
    by Carnegie Mellon University.

31
Information Security Organizations
32
  • Information Privacy

33
Privacy Regulations Environment
  • Restrictive regulatory / Compliance environment
  • Multinational Laws Regulations
  • National Laws Regulations at federal levels
  • Supersede state provincial laws
  • State Provincial Laws
  • Complicated 3rd party relationships
  • Increased use of web based applications

34
U.S. Privacy Regulations
1974 US Privacy Act - Helps citizens gain access
to government records
1999 GLB Requires financial institutions to
disclose privacy policies allow client opt-out
of information sharing
1987 Computer Security Act Requires improving
information security privacy in government
agencies
1996 HIPAA - Prohibits sharing of health
information for non-health care reasons
2001 US Patriot Act Enhances law enforcement
investigative tools to deter punish terrorists
1978 RFPA - Provides confidentiality to
financial records their transfer
2002 Sarbanes-Oxley Requires certification of
corporate financial accounting
1997 CFR part 11 Creates criteria for
electronic record keeping in promoting public
health
1978 FCRA - Promotes accuracy in consumer
reporting ensures their privacy
1986 Electronic Communication Act Guards
against unlawful access to stored communications
1998 COPPA - Gives parents control over
information collected from their children on the
Internet
2003 CA 1386 Requires personal information
protection notification in case of compromise
35
Privacy Governance Architecture
Process
Opt/in/out
Compliance
Security/Privacy Policy
Organization
Regulatory Requirement
Technology
People
Planning and Strategy
Program Metrics
Program Maturity
  • Privacy Strategy
  • Data Classification Analysis
  • Privacy Teams
  • Policy Development
  • Policy Update Plans
  • Decision Management
  • Privacy Support Architecture
  • Awareness
  • Privacy Risk Assessments
  • Data Governance
  • Vendor Governance
  • Technology Planning
  • Business Process Review
  • Information Security
  • Information Privacy
  • External Support Infrastructure
  • Privacy Auditing
  • Incident Response
  • Crisis Management
  • Knowledge Management
  • Consumer Support Infrastructure
  • Open Source Intelligence

- -
35
36
High Level Overview
  • Notify client
  • Notify regulators
  • Remediate
  • Analyze long term effects
  • Analyze lessons learned
  • Detect Incident
  • Identify source of identified
  • Log incident
  • Reduce false positive

Privacy Incident Response Process
  • Determine scope
  • Assemble Response Team
  • Collect sort facts
  • Engage digital forensics process
  • Collect evidence
  • Engage 3rd party
  • Determine scope
  • Assemble Response Team
  • Collect sort facts
  • Technology containment
  • Process containment
  • Procedure containment

37
  • Information Security Privacy
  • Risk Management

38
Risk Mitigation
  • 100 Risk Mitigation and not 100 control
  • Good Information Management Infrastructure that
  • Provides modular core set of controls
  • Supports existing, infrastructures and new
    applications
  • Incorporates policy and standards, people,
    process, and technology
  • Provides a horizontal and vertical risk SELF or
    AUTOMATIC assessment program
  • Provides collaborative issues resolution system
  • Balanced Information Management Infrastructure
    (IMI)
  • Risk Mitigation
  • Vertical up and down controls in branches and
    business units
  • Horizontal policies, best practices, processes
    and priorities across the organization

39
Risk Management Methodology
40
Key Risk Indicators
Pen Testing
Site Reviews
Asset Value
Stakeholders
Audit
Vendor Reviews
Regulatory
Self Assessment
Compliance
Security Privacy Incidents
Loss Amount/ROI
Business Impact
Risk Evaluation Model
Risk Rating
41
  • Market Opportunities

42
Demand based on Gartner studies
  • General IT staff outsourcing has gone up 24
    since US recession was over
  • Growth in IT staff augmentation will be limited
    and in single digits
  • Security outsourcing is trending up
  • Identity management
  • Vulnerability Assessment
  • Operations
  • Firewall management, anti virus and IDS

43
InfoSec People
  • Typical jobs for contract
  • Business Intelligence
  • Business Analysis
  • Risk Management
  • Information Security Officer
  • Information Privacy Officer
  • Digital Forensics Experts
  • Job seeker support to help professionals identify
    new career opportunities when they are unemployed
    or contingency searching due to circumstances at
    their workplace
  • Contractor placement to help independent
    contractors identify and secure short and long
    term contract work based on hourly rates and
  • Corporate candidate search to help clients
    identify candidates for new or vacant positions,
    as well as contingency searching to stage
    replacement of human resources

44
Types of Recruiting
  • Contract Temporary constant spread based
  • Profit margins are small
  • Limited
  • Hourly, weekly monthly
  • Permanent one time commission based
  • Entry levels
  • Mid levels
  • Management, Technical, Operations, Design
    Architecture
  • Outsourcing profit margins are high

45
  • Some Examples

46
What is Social Engineering
  • Social Engineering is the art and science of use
    to trick one or more human beings to do what an
    attackers wants them to do or to reveal
    information that compromises a targets security.
  • Classic Social Engineering scams include, posing
    as a field service technician, calling an
    operator to reveal private information such as
    passwords and the like.
  • Social Engineering is an evolving art that uses
    the simplest and most creative schemes and
    involves minimal technical expertise

47
(No Transcript)
48
Terrorists and Steganography?
49
Saturday, 5 May, 2001, 0100 GMT 0200 UK White
House website attacked
50
1996 CIA was hacked
51
Department of Justice 08 1996
Write a Comment
User Comments (0)
About PowerShow.com