Date post: 26-Mar-2015
Page 1: 12/01/19993. Protection of Information Assets (25%) 3. Protection of Information Assets 3. Protection of Information Assets (25%) Protecting Personal &

12/01/1999

3. Protection of Information Assets (25%)

Protecting Personal & Institutional Information Assets & Data

Extra Credit Project

Jack Mason & July James

Page 2:

3. Protection of Information Assets (25%)

• 3. Protection of Information Assets
• (Content Area, approximately 25% of exam)
• 3.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.

• 3.2 Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.

Page 3:

3. Protection of Information Assets 2

• 3. Protection of Information Assets

• 3.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss.

• 3.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization's business objectives.

Page 4:

Knowledge Statements 1

• 3.01 Knowledge of the processes of design, implementation, and monitoring of security (e.g. gap analysis, baseline, tool selection)

• 3.02 Knowledge of encryption techniques (e.g. DES, RSA)

• 3.03 Knowledge of public key infrastructure (PKI) components (e.g. certification authorities (CA), registration authorities)

• 3.04 Knowledge of digital signature techniques

Page 5:

Knowledge Statements 2

• 3.05 Knowledge of physical security practices (e.g. biometrics, card swipes)

• 3.06 Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords, challenge/response, menus, profiles)

Page 6:

Knowledge Statements 3

• 3.07 Knowledge of security software (e.g. single sign-on, intrusion detection systems (IDS), automated permissioning, network address translation)

• 3.08 Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)

• 3.09 Knowledge of network and Internet security (e.g. SSL, SET, VPN, tunneling)

Page 7:

Some Possible Threats

• Email Interception

• Email Spoofing

• Web Data Interception

• Network & Volume Invasion

• Marketing Data / Spam & Junk Mail

• Viruses, Worms, Trojan Horses

• Password Cracking

Page 8:

More Possible Threats

• Mail bomb

• Denial of Service (DoS)

• Piracy of Intellectual Property

Page 9:

Email Interception

Methods

• Script Monitor
– Running a script on a server that receives email traffic, monitoring emails for certain keywords or number patterns (i.e. “bomb + president” or credit card number patterns).

• Account Emulation
– Stealing someone’s user id and password to gain access to their email account.

Defenses

• Digital Certificates
– Digital certificates authenticate you as the sender and are extremely difficult to forge. Allows very strong encryption of email communications.

• PGP
– “Pretty Good Privacy” allows strong encryption of your text. Can be incorporated easily into any text oriented program.

Page 10:

Standard Encryption

• Text is encrypted and sent by the originator
• Ciphertext is decrypted by recipient
• Same key is used for encryption and decryption
• If key is intercepted or deciphered, encryption becomes useless

– This is how WWII was won...

Page 11:

Strong Cryptography

• “There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.” -- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.

• 40 bit cryptography is considered weak. This can be intercepted and deciphered in seconds using today’s tools.

• By contrast, 128 bit cryptography is considered technically infeasible to crack. Most banks require a 128 bit browser for online banking.

Page 12:

Dual Key Cryptography

• Key pair is generated - public and private key.

• Public key is sent to server and exchanged with others

• Private key is guarded by the user

Page 13:

Dual Keys Continued

• The encrypted message is generated using the recipient’s public key and your private key.

• Only the intended recipient with the corresponding private key will be able to decrypt.

• NSA hates this to be in the hands of the general public… but you have the right to privacy.

Page 14:

What is a Digital Certificate?

• Acts as a virtual signature

• Very hard to forge

• Can be used for encryption or authentication

• Resides in the Browser/Email Client/OS

• Free digital certificates are available

• PGP Freeware is available

(X.509)

Page 15:

What is PGP?

• Created by Phil Zimmermann
– PGP is now a subsidiary of Network Associates

• Secures e-mail and files

• Based on “Public Key” Cryptography

• Users who have never met can exchange encrypted documents.

• Freeware

Page 16:

How To Encrypt a Message (1)

This will describe how to encrypt a message using Digital Certificates with Netscape Communicator.

• Obtain and install a certificate using the step by step instructions at the issuing website.

Clicking on the Security button in Netscape Communicator opens the Security Window below:

Page 17:

How To Encrypt a Message (2)

• Users must exchange “public keys”.

• Can be done via LDAP directory or email exchange.

An email that has a digital certificate attached will display this icon in Communicator. You can click on the icon to examine the cert. Certs emailed to you are automatically added to Communicator’s database.

You can search for certificates on public directories (LDAP) directly from within Communicator

Page 18:

How To Encrypt a Message (3)

• Once keys have been exchanged, address an email to the other party.

• Click on the Security button and select the option for encrypting message.

• That’s it!

Page 19:

Email Spoofing

• Happens when someone impersonates an email user, sending messages that appear to be from the victim’s email address.

• Spoofing can be prevented by using your Digital Certificate or PGP to “Digitally Sign” your email message.

• Even Certificates can be spoofed, although difficult. Check the “Certificate Fingerprint” of the message to be sure it’s authentic.

Certificate Fingerprint: E4:58:C8:8F:B5:90:4C:AC:AB:79:9C:6A:32:0C:3E:4E
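The key-pair mechanics of the "Dual Key Cryptography" slides, the digital signature this slide recommends against spoofing, and the fingerprint check are all shown below in one pure-Python toy. It is an added example, not material from the slides or code from PGP or Netscape. Its assumptions: the two primes are well-known Mersenne primes chosen so the example is reproducible (a real key generator draws large random primes, and these would be trivial to factor), there is no padding, and the fingerprint is taken over the public-key bytes rather than over a whole X.509 certificate.

```python
import hashlib
import hmac
from math import gcd

# Assumption: well-known Mersenne primes stand in for the large random primes a
# real key generator would draw. They make the toy reproducible; they would make
# a real key trivially breakable.
P = 2**521 - 1
Q = 2**127 - 1
E = 65537  # the usual public exponent


def generate_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key is shared, the private key is guarded."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: bytes) -> int:
    """Encrypt for the key's owner: only the matching private key reverses this."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy key")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    # Leading zero bytes are lost by this conversion; fine for text messages.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _hash_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """A signature is the message hash transformed with the private key, so only
    the key's holder can produce it (no padding here: toy only)."""
    n, d = private_key
    return pow(_hash_int(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check that the signature reverses to the
    hash of exactly this message; any edit to the message makes this fail."""
    n, e = public_key
    return pow(signature, e, n) == _hash_int(message) % n


def fingerprint(public_key, algorithm: str = "sha256") -> str:
    """Colon-separated digest of the key bytes, in the style a certificate viewer
    prints. X.509 fingerprints hash the whole DER certificate; this toy hashes the
    public key. A 16-byte value like the slide's is an MD5 fingerprint."""
    n, e = public_key
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    digest = hashlib.new(algorithm, raw).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(public_key, expected: str, algorithm: str = "sha256") -> bool:
    """Compare against a fingerprint obtained out of band (a phone call, a printed
    card). Constant-time comparison so a near miss leaks nothing through timing."""
    got = fingerprint(public_key, algorithm).replace(":", "").lower()
    want = expected.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    public, private = generate_keypair()
    note = b"Meet at noon"  # constructed sample message
    print("round trip ok     :", decrypt(private, encrypt(public, note)) == note)
    sig = sign(private, note)
    print("signature verifies:", verify(public, note, sig))
    print("tampered message  :", verify(public, b"Meet at one", sig))
    print("fingerprint       :", fingerprint(public))
```

Signing with the private key and checking with the public key is the mirror image of encrypting with the public key and decrypting with the private one, which is why a single key pair serves both the "Dual Keys" slides and the digital signature recommended here. Real implementations add padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) and use random primes of at least 1024 bits each; textbook RSA as above is malleable and is not to be used as-is. The fingerprint only helps if the expected value comes from somewhere the attacker cannot edit, which is why it is checked against a copy obtained out of band.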

Page 20:

Shopping Securely

• You should never input sensitive info such as Credit Card numbers into a non-secure website.

• Make sure the website is certified by a trusted Certificate Authority (CA).

List of default trusted CAs in Communicator

Page 21:

How to Shop Securely

• When you enter a secure site, Communicator’s Security icon will change as shown:

• Click on the Security button to examine which CA asserts that this site is safe.

Note: Attempting to enter a secure site that is not signed by a valid or default CA will result in a cautionary error message.

Page 22:

Hacking Into Your Computer

• DSL and Cable internet access means round the clock connections of home and small business computers to the Internet.

• Greatly increases the chance of attack.

• Physical access is always a danger, too.

• Hackers can gain access to your personal files, Quicken data, etc.

Page 23:

Stopping Hackers

• Set up a personal/home firewall.

• Encrypt your sensitive files!!!
– PGP, all platforms.
– Mac OS 9 built-in encryption feature

• Don’t give out your passwords to anyone!

• Use difficult passwords - not simple dictionary style words.

Page 24:

Password Strength

• Simple words out of a dictionary make bad passwords.

• Use mixed upper and lower case characters.

• Use non-alphanumeric characters such as: ~!@#$%^&*()_+=-{}[]|\:;"'/?.>,<`

• Avoid sharing passwords, even with friends and family.

Page 25:

Password Strength Examples

• A simple passphrase such as “coffee” is easy to crack; it takes about 40 minutes to break.

• Using random alphanumerics is significantly more difficult: A passphrase such as “bR1a9Az” takes about 22 years to crack.

• Using the full range of the keyboard with truly random characters is totally infeasible to crack. A passphrase like “,ThX1pD<V+” would take 3.8 x 10^8 years to crack.

Page 26:

Key Strength Comparison

• Most browsers ship with a default of 40 bit encryption capabilities.

• You must upgrade to a 128 bit encryption capable browser for most online banking.

Key Length (bits)   Individual Attacker   Small Group   Academic Network   Large Company   Military Intelligence Agency
40                  weeks                 days          hours              milliseconds    microseconds
56                  centuries             decades       years              hours           seconds
64                  millennia             centuries     decades            days            minutes
80                  infeasible            infeasible    infeasible         centuries       centuries
128                 infeasible            infeasible    infeasible         infeasible      millennia
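The password examples on the previous slide and the key-length table above rest on the same arithmetic: the number of candidates an exhaustive search must try, divided by how many guesses per second the attacker can make. The estimator below is an added example, not from the slides; the guess rates for the attacker classes and the tiny word list are illustrative assumptions, so the times it prints will not reproduce the slide's figures. What carries over is the structure: a dictionary word costs the attacker only the length of the list, a random string costs charset^length, and a symmetric key of k bits costs 2^k.

```python
import math
import string

# Character classes and how many symbols each adds to the search alphabet.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
)

# Constructed mini word list: a dictionary attack tries these before anything else.
WORDLIST = {"password", "coffee", "letmein", "welcome", "qwerty", "monkey"}

# Assumed guesses per second for three of the slide's attacker classes.
# Illustrative only; real rates depend on the hash, the hardware and the year.
ATTACKERS = {
    "individual attacker": 1e6,
    "large company": 1e9,
    "intelligence agency": 1e12,
}


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover: the sum of the classes present."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("no recognised characters in password")
    return size


def search_space(password: str, wordlist=WORDLIST) -> int:
    """Worst-case number of candidates. A word from the list costs only the
    list's length; a random string costs charset ** length."""
    if password.lower() in wordlist:
        return len(wordlist)
    return charset_size(password) ** len(password)


def entropy_bits(password: str, wordlist=WORDLIST) -> float:
    return math.log2(search_space(password, wordlist))


def key_search_space(key_bits: int) -> int:
    """A symmetric key of k bits has 2**k candidates; there is no smarter order."""
    return 2 ** key_bits


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    return candidates / guesses_per_second


def humanize(seconds: float) -> str:
    """Largest unit that gives a value of at least one, to three significant digits."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_times(candidates: int) -> dict:
    """Time to try every candidate, per attacker class, as readable strings."""
    return {who: humanize(seconds_to_exhaust(candidates, rate))
            for who, rate in ATTACKERS.items()}


if __name__ == "__main__":
    for pw in ("coffee", "bR1a9Az", ",ThX1pD<V+"):   # the slide's three examples
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits", crack_times(search_space(pw)))
    for bits in (40, 56, 64, 80, 128):                # the key-length table rows
        print(f"{bits}-bit key:", crack_times(key_search_space(bits)))
```

Two things the output makes visible that the slide states only in words: "coffee" is weak not because six lowercase letters are few (26^6 is about 300 million) but because it is in every word list, so the attacker never has to search the alphabet; and each extra character class or each extra character multiplies the work, while each extra key bit doubles it, which is why the table's rows jump by orders of magnitude rather than by fixed amounts.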

Page 27:

Strong Encryption Browsers

• Netscape Communicator is freely available for all platforms with 128 bit encryption capability and full features.

• 128 bit capable version of Microsoft Internet Explorer is available for Windows and Macintosh. (Mac version has limited features.)

• You may have to install additional plug-ins to get 128 bit capabilities out of MSIE.

Page 28:

Viruses

• Computer viruses are 100% man-made.

• Can be transmitted via email, disk, network, etc…

• Most are harmless experiments.

• Some are intended to wreak havoc on individuals and networks.

Page 29:

Virus Protection

• Get a virus protection package and install it on your computer.

• Check the vendor’s website for downloadable updates and alerts on new viruses.

• Don’t open email or attachments from unknown sources.

Page 30:

Safeguarding Customer Information

Gramm-Leach-Bliley Act (GLBA) Compliance

Page 31:

Why was GLBA enacted?

Section 501 of the Gramm-Leach-Bliley Act requires Financial Institutions to establish standards relating to administrative, technical and physical information safeguards to protect customer records and information.

Page 32:

Safeguard Objectives:

• Ensure security and confidentiality of customer records and information.

• Protect against any anticipated threats or hazards to the security of the records.

• Protect against unauthorized access or use of records or information which could result in harm or inconvenience to the customer.

Page 33:

Information Security Plan

• Written to ensure security and confidentiality of non-public customer financial information (NPI).

• Protect against any anticipated threats and hazards.

• Protect against unauthorized access or use.

Page 34:

Non-public customer information (NPI)

• Credit card numbers
• Social Security numbers
• Driver's license numbers
• Student loan data
• Income information
• Credit histories
• Customer files with NPI
• NPI consumer information
• Bank account data
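Several of the items listed above have a recognisable shape, so they can be found mechanically before they leave the office in an e-mail or a file. The scanner below is an added example, not from the slides or from the University's procedures: it looks for two of the listed items, card numbers and Social Security numbers, confirms card candidates with the Luhn check digit, and reports and redacts them in masked form. The sample text is constructed; the card number in it is the widely used 4111 test number, and the SSN-shaped values are invented.

```python
import re

# One leading digit then 12 to 18 more, each optionally preceded by a space or
# dash: 13 to 19 digits, the range card numbers fall in.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# AAA-GG-SSSS, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample; the card number is the well-known 4111... test number.
SAMPLE = (
    "Constructed sample: student 123-45-6789 paid with card 4111 1111 1111 1111. "
    "Reference 1234 5678 9012 3456 is an order id, phone 201-555-0199, "
    "and 000-12-3456 only looks like an SSN."
)


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right (subtracting 9 when
    that exceeds 9); a genuine card number sums to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four characters, as a statement would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_npi(text: str) -> list:
    """Return (kind, masked_value, start, end) for each likely card number or SSN,
    in order of appearance."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops order ids and other digit runs
            findings.append(("card", mask(digits), m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:], m.start(), m.end()))
    return sorted(findings, key=lambda f: f[2])


def redact(text: str) -> str:
    """Replace each finding with its masked form, working from the end so earlier
    offsets stay valid; the result can be logged or forwarded safely."""
    out = text
    for _kind, masked, start, end in sorted(find_npi(text), key=lambda f: -f[2]):
        out = out[:start] + masked + out[end:]
    return out


if __name__ == "__main__":
    for kind, masked, start, _end in find_npi(SAMPLE):
        print(f"{kind:4} at offset {start:3}: {masked}")
    print(redact(SAMPLE))
```

The Luhn step is what keeps the false-positive rate tolerable: any 16-digit order or reference number matches the pattern, but only about one in ten of them passes the check digit, and the order id in the sample is rejected that way. A real deployment would add the other listed items (driver's license and account formats vary by state and bank) and run on outbound mail and shared drives rather than on a string literal.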

Page 35:

Financial Institutions

Including colleges and universities, financial institutions must ensure that their security programs provide adequate protection to customer information in whatever format, electronic or hardcopy.

Page 36:

FTC Ruling

Consumer’s information is not a privacy issue but is one of security.

Compliance with FERPA does not exempt colleges and universities from GLBA safeguarding regulations.

Page 37:

FERPA vs. GLBA

• The Family Educational Rights and Privacy Act addresses the privacy of student information.

• The Gramm-Leach-Bliley Act addresses the security of customer records and information.

Page 38:

University Actions

• Has established a committee to ensure compliance.

• Committee meets regularly to review and ensure compliance with the act.

• Performs risk assessment and regular testing.

• Oversees service providers and contracts.

• Trains staff to maintain security and confidentiality.

Page 39:

Why Protect your Identity?

Identity Theft

Page 40:

Statistics on Identity Theft in New Jersey

4802 Complaints / year

• 1. Credit Card Fraud: 2,350 (49%)
• 2. Phone or Utilities Fraud: 867 (18%)
• 3. Bank Fraud: 669 (14%)
• 4. Government Documents/Benefits Fraud: 396 (8%)
• 5. Loan Fraud: 356 (7%)
• 6. Employment-Related Fraud: 260 (5%)
• 7. Attempted Identity Theft: 477 (10%)
• 8. Other: 710 (15%)

Page 41:

What is Identity Theft?

• Under the ID Theft Act, identity theft is defined very broadly as: knowingly using, without authority, a means of identification of another person to commit any unlawful activity.

(Unlawful activity: a violation of Federal law, or a felony under State or local law.)

Page 42:

Identity Theft

When someone steals your identity, they are usually using your credit to obtain goods and services for themselves that “you” will have to pay for.

Page 43:

How Does an Identity Thief Get Your Information?

• Stealing files from places where you work, go to school, shop, get medical services, bank, etc.

• Stealing your wallet or purse.

• Stealing information from your home or car.

• Stealing from your mailbox or from mail in transit.

• Sending a bogus email or calling with a false promise or fraudulent purpose.
– For example: pretending to be from a bank, creating a false website, pretending to be a real company, fake auditing letters.

Page 44:

From: PNC Bank
Sent: May 17, 2004 6:31 PM
To: [email protected]
Subject: To All PNC bank users

Dear PNC user,
During our regular update and verification of the user data, you must confirm your credit card details.
Please confirm you information by clicking link below.
http://Cards.bank.com pncfeatures/cardmember access.shtml
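The sample above carries the tells the previous slide lists: a "bank" whose link points at a different domain, pressure to act, and a request for card details. An added example (not from the slides) checks a raw message for exactly those tells using only the standard library. The two messages it scores are constructed to resemble the sample; every address and host name in them is invented (the .example top-level domain), and the domain the bank is expected to use is passed in as a parameter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed messages; every address and host name is invented.
PHISH = """\
From: PNC Bank <alerts@pnc-secure-update.example>
To: customer@university.example
Subject: To All PNC bank users
Content-Type: text/plain

Dear PNC user,
During our regular update and verification of the user data, you must
confirm your credit card details. Please confirm your information by
clicking the link below.
http://cards.bank.example/pncfeatures/cardmember/access.shtml
"""

LEGIT = """\
From: PNC Bank <statements@pnc.example>
To: customer@university.example
Subject: Your statement is ready
Content-Type: text/plain

Your monthly statement is available. Sign in at
https://www.pnc.example/statements to view it.
"""

URGENCY = ("must confirm", "verify your", "immediately", "suspended", "within 24 hours")
SENSITIVE = ("credit card", "card details", "password", "social security", "pin")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Last two labels of a host name: a rough stand-in for the registrable domain
    (a public-suffix list would be used in production)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def phishing_indicators(raw: str, expected_domain: str) -> list:
    """Return human-readable indicators found in the message; empty means none."""
    msg = message_from_string(raw)
    expected = expected_domain.lower()
    indicators = []

    # 1. Does the sender's address belong to the organisation it claims to be?
    _name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if registrable(sender_domain) != expected:
        indicators.append(f"sender domain {sender_domain!r} is not {expected}")

    # Normalise whitespace so phrases split across lines are still found.
    payload = msg.get_payload(decode=True) or b""
    text = " ".join(payload.decode(errors="replace").lower().split())

    # 2. Do the links lead back to that organisation?
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) != expected:
            indicators.append(f"link points to {host!r}, not {expected}")

    # 3. Pressure to act, and 4. a request for data a bank never asks for by mail.
    for phrase in URGENCY:
        if re.search(r"\b" + re.escape(phrase) + r"\b", text):
            indicators.append(f"urgency wording: {phrase!r}")
    for phrase in SENSITIVE:
        if re.search(r"\b" + re.escape(phrase) + r"\b", text):
            indicators.append(f"asks for sensitive data: {phrase!r}")
    return indicators


def is_suspicious(raw: str, expected_domain: str, threshold: int = 2) -> bool:
    """Two or more independent tells is a reasonable bar for quarantine or a banner."""
    return len(phishing_indicators(raw, expected_domain)) >= threshold


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_suspicious(raw, "pnc.example"), phishing_indicators(raw, "pnc.example"))
```

The strongest single signal is the mismatch between the claimed sender and where the link actually goes; wording checks alone are noisy, which is why the decision requires more than one indicator. The same comparison is what a user does by hand when they hover over a link before clicking, as the "Shopping Securely" slides advise.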

Page 45:

How Does an Identity Thief Use Your Information?

• Obtains credit cards in your name or makes charges on your existing accounts (42%).

• Obtains wireless or telephone equipment or services in your name (20%).

• Forges checks, makes unauthorized EFTs, or opens bank accounts in your name (13%).

• Works in your name (9%).

• Obtains personal, student, car and mortgage loans, or cashes convenience checks in your name (7%).

• Other uses: obtains a driver's license in your name.

Page 46:

Victims of Identity Theft

• If your identity is stolen, do the following immediately:

– Contact the fraud department of the three major credit bureaus (Equifax, Experian, Trans Union).

– Contact your creditors and check your accounts.

– File a police report.

– File a complaint with the FTC.

Page 47:

Recovery

• Take back control of your identity:

– Close any fraudulent accounts.

– Put passwords on your accounts.

– Change old passwords and create new PIN codes.

Page 48:

Prevention

Protect yourself

Protect others

Guard against fraud:

• Sign cards as soon as they arrive.

• Keep records of account numbers and phone numbers.

• Keep an eye on your card during transactions. Also be aware of who is around you, is anyone else listening?

• Check your credit report and credit card monthly statements.

Page 49:

Annual credit bureau report

• New Jersey residents are entitled to one free annual credit report.

• If you are denied credit, you are allowed to request one free copy of your credit report.

• Check your report for accurate information, open accounts, balance information, loan information, etc.

Page 50:

Credit Bureau Links

• Equifax – www.equifax.com
– To order a report, 1-800-685-1111
– To report fraud, 1-800-525-6285

• Experian – www.experian.com
– To order a report, 1-888-397-3742
– To report fraud, 1-888-397-3742

• Trans Union – www.tuc.com
– To order a report, 1-800-916-8800
– To report fraud, 1-800-680-7289

Page 51:

Have you been a Victim?

Page 52:

You may be a victim if:

• You are denied credit.

• You stop getting mail.

• You start getting collection calls/mail.

• You start getting new bills for accounts you do not have or services you did not authorize.

• Your bank account balance drops.

Page 53:

Damages

• Time

• Money

• Credit rating

• Reputation

Page 54:

Good Practices

• Photocopy the contents of your wallet/purse.

• Photocopy your passport (keep a copy at home and one with you when you travel).

• Empty your wallet/purse of non-essential identifiers.

• Do not use any information provided by the people who may be trying to scam you; look it up yourself.

• Shred documents before you dispose of them.

Page 55:

GLBA requires us to PROTECT CONSUMERS from substantial harm or inconvenience.

Page 56:

What can we do to guard NPI?

• Keep confidential information private.

• Use care when asking or giving SSN.

• Use secure disposal methods.

• Protect the privacy of data transmissions.

• Improve procedures.

Page 57:

Actions to prevent Others from becoming Victims

• Determine what information you need.

• Provide a secure workplace.

• Always ask for a student’s ID or debtor’s account number.

• Keep prying eyes away from customers’ information.

• Don’t expose NPI information to the outside world.

Page 58:

Actions to prevent Others from becoming Victims

• Take care when you provide employee’s or customers’ personal information to others.

• Know & explain how you handle personal information.

• Ask for written permission prior to sharing personal information.

• Report problems or concerns to managers or supervisors.

Page 59:

Avoid:
– unauthorized disclosure
– removing information from your office
– sharing information
– tossing information in the trash
– downloading or e-mailing information.

Remember to always maintain confidentiality, security and integrity:

Page 60:

General Privacy

• Do not provide correcting information for account verification questions.

• Be suspicious.

• Be paranoid.

• Don’t be afraid to say no when asked for information that is not required to conduct the current business transaction.

Page 61:

What are university assets?

Page 62:

University Assets

Are customer information and records assets?

Page 63:

Safeguarding Information

• Information takes many forms.

• Information is stored in various ways.

• Data assets have unique risks.

Page 64:

Safeguarding Information

Your Role:
• Ensure physical security.
• Select and protect hard-to-guess passwords.
• Avoid email traps and disclosures.
• Back up files.
• Log off your computer when not in use.
• Do not open emails with attachments from unknown sources.
• Obliterate data before giving up your computer.
• Recognize social engineering tactics.

Page 65:

Safeguarding Information

Your role as a user….

What else can you do?

Page 66:

Check your work area!

• Do you leave NPI reports on your desk?• Is NPI stored in unlocked file cabinets?• Keep computer disks secure. • Do not save NPI on your computer C drive.

Safeguarding Information

Your role…

The University has many policies and procedures to help you; learn them.

University Regulations & Guidelines related to Safeguarding

Standards for University Operations Handbook
• Confidentiality
• Accounting for Financial Resources
• Acceptable Use of Network & Computing Resources:
– Agreement for Accessing Information
– Acceptable Use Policy
– Guidelines for Interpretation of Acceptable Use
– Acceptable Use Supplement
– Basics

Potential Damages to Any U.

• Reputation
• Violation of federal and state laws
• Fines
• Reparation costs
• Recovery costs
• Increased prevention costs

Georgia Tech's accidental release of credit card data to the internet cost them over $1,000,000.

Expectations

• All University employees are responsible for securing and caring for University property, resources and other assets.

• The University relies on the attention and cooperation of every member of the community to prevent, detect and report the misuse of university assets.


Prevention

• Protect yourself

• Protect others

Safeguarding customer information and university assets is everyone's job!

Information Security Management (ISO/IEC 17799:2000) & Certified Risk Analysis Methodology Management (CRAMM)

ISO - International Standardization Organization

Migrating

Migrating from compliance with the IM&T (Info. Management Tech) Security Manual to compliance with BS7799

Overview

Implementation - assistance available

What is Information Security Management (ISM)?

An enabling mechanism whose application ensures that information may be shared in a manner which ensures the appropriate protection of that information & associated information assets

Basic Components

• Confidentiality: protecting sensitive information from unauthorized disclosure

• Integrity: safeguarding the accuracy and completeness of information/data

• Availability: ensuring that information and associated services are available to users when required

Problem

• Until the early 90's, information was handled by many organizations in an ad hoc and, generally, unsatisfactory manner

• In a period of increasing need to share information, there was little or no assurance that such information could or would be safeguarded

• What control measures there were focussed almost entirely on computer data, to the exclusion of other forms of information

Code of Practice

• 1993: in conjunction with a number of leading UK companies and organizations, produced an ISM Code of Practice incorporating the best information security practices in general use.

• Addressed all forms of information; e.g. computer data, written, spoken, microfiche, etc.

Code of Practice - Aims

• To provide
– A common basis for organizations to develop, implement, and measure effective information security management practice
– Confidence in inter-organisational dealings

Balance

• A common concern amongst organizations is that the application of security measures often has an adverse impact on, or interferes with, operational processes

• BS7799 processes are flexible enough to ensure that the right balance can be struck - security with operational efficiency!

Assets - Examples

Information: databases, system documentation, data files, user manuals, continuity plans, backup processes

Software: application software, system software, development tools

Physical: computer equipment, magnetic media, furniture, accommodation

Services: heating, lighting, power, air-conditioning

The Standard

• And
– Personnel Security. Measures to reduce risks of human error, theft, fraud or misuse of facilities
– Physical/Environmental Security. Prevention of unauthorized access, interference to IT services and damage
– Computer and Network Management. To ensure correct and secure operation of computer and network facilities

The Standard

• …
– System Access Control. Controls to prevent unauthorized access to computer systems
– System Development and Maintenance. A security program complementing development/maintenance of IT systems
– BCP. Measures to protect critical business processes from major failures and disasters
– Compliance. To avoid breaches of statutory or contractual requirements and ensure the ISMS is operational

Controls

Each of these categories contains a number of security controls, mandatory or otherwise, which can be implemented as part of the information security risk management strategy.

The same controls will not necessarily apply across the board, owing to the varying nature of organizations, risk factors, etc.

The Crux of the Matter

• Information is subject to numerous risks, which can be grouped together under the generic headings of:
– Accidental
– Natural
– Deliberate

• A risk being the product, in this case, of the threat to information and its assets, and vulnerability to the threats

Risk Analysis

• The point is:
– An effective risk management strategy cannot be implemented until the risks are identified and measured (that is, analyzed)

• It almost goes without saying that analysis should be based upon a sound and proven methodology

• Therefore we will use CRAMM

CRAMM

• Developed in 1985, CRAMM Risk Analysis Methodology is a complete package, containing:
– the risk analysis process itself
– associated documentation (inc. report functionality; results and conclusions)
– training
– software support tools

CRAMM Version 4.0

• This version, the latest, includes
– Full support for BS7799 including
• GAP analysis
• Implementation of a security improvement program
• Statement of Applicability
• Risk Modeling for multi-role organizations
• AND undertake a Risk Analysis!
• A fit with BS7799: Part 2

Management Framework: ISMS

Step 1: Define the Policy
Step 2: Define Scope of ISMS
Step 3: Undertake RA
Step 4: Manage Risk
Step 5: Select Controls
Step 6: Statement of Applicability

Diagram elements (inputs and outputs of the steps): Policy Document; Scope of ISMS; Information Assets; T. V. I.; Risk Assessment; Results & Conclusions; Degree of Assurance Required; Control Objectives; Select Control Options; Additional Controls; Statement

(NB: Additional controls would incorporate DPA 1998, Caldicott and Info Governance requirements)
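The "Crux of the Matter" slide defines a risk as the product of threat and vulnerability, and the framework diagram above runs that assessment through six steps to a Statement of Applicability. The following is an added worked example, written for this page and not taken from the slides, from CRAMM or from BS7799: it scores constructed assets on threat, vulnerability and impact (the diagram's T. V. I.), derives the degree of assurance required, and selects controls from a small constructed catalogue. The 1-3 scales, the assurance thresholds, the asset names and the control identifiers are all assumptions made for illustration.

```python
"""Added example: a small BS7799-style risk assessment following the six-step
flow (policy and scope are taken as given; steps 3-6 are computed). All
scales, thresholds, assets and control names are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class ThreatClass(Enum):
    """The slide's three generic headings for sources of risk."""
    ACCIDENTAL = "accidental"
    NATURAL = "natural"
    DELIBERATE = "deliberate"


@dataclass
class Threat:
    name: str
    kind: ThreatClass
    level: int          # 1 (low) .. 3 (high): likelihood/strength of the threat
    vulnerability: int  # 1 (low) .. 3 (high): how exposed the asset is to it
    objective: str      # control objective (BS7799 category) that addresses it


@dataclass
class Asset:
    name: str
    category: str       # information / software / physical / services
    impact: int         # 1 (low) .. 3 (high): worst-case business impact
    threats: list = field(default_factory=list)


def risk_score(t: Threat) -> int:
    """Risk, as the slide defines it: the product of threat and vulnerability."""
    return t.level * t.vulnerability


def assurance_required(asset: Asset, t: Threat) -> str:
    """Degree of assurance required: risk weighted by asset impact, bucketed.
    The thresholds are constructed; a real ISMS takes them from policy."""
    weighted = risk_score(t) * asset.impact   # ranges 1..27 on these scales
    if weighted >= 12:
        return "high"
    if weighted >= 6:
        return "medium"
    return "low"


# Constructed control catalogue keyed by control objective (identifiers are
# placeholders, not BS7799 clause numbers).
CONTROLS = {
    "System Access Control": ["A.1 unique user IDs", "A.2 password management"],
    "Physical/Environmental Security": ["P.1 locked equipment rooms", "P.2 clear desk"],
    "BCP": ["B.1 tested backup and restore", "B.2 continuity plan"],
    "Personnel Security": ["H.1 security awareness training"],
}


def statement_of_applicability(assets: list, minimum: str = "medium") -> dict:
    """Steps 4-6: manage risk, select controls, record applicability.
    A control is applicable when some in-scope risk under its objective needs
    at least `minimum` assurance; every catalogue control gets a justification,
    which is what makes the result a Statement of Applicability."""
    rank = {"low": 0, "medium": 1, "high": 2}
    needed = {}   # objective -> (asset, threat, assurance) driving the need
    for a in assets:
        for t in a.threats:
            need = assurance_required(a, t)
            if rank[need] >= rank[minimum]:
                prev = needed.get(t.objective)
                if prev is None or rank[need] > rank[prev[2]]:
                    needed[t.objective] = (a.name, t.name, need)
    soa = {}
    for objective, controls in CONTROLS.items():
        for c in controls:
            if objective in needed:
                a, t, need = needed[objective]
                soa[c] = f"applicable: {need} assurance for '{a}' against '{t}'"
            else:
                soa[c] = "not applicable: no in-scope risk reaches the threshold"
    return soa


def sample_assets() -> list:
    """Constructed scope (step 2) for the example; values are illustrative."""
    return [
        Asset("student records database", "information", impact=3, threats=[
            Threat("unauthorised login", ThreatClass.DELIBERATE, 3, 2, "System Access Control"),
            Threat("operator deletes table", ThreatClass.ACCIDENTAL, 2, 2, "BCP"),
        ]),
        Asset("lecture room PCs", "physical", impact=1, threats=[
            Threat("theft", ThreatClass.DELIBERATE, 2, 2, "Physical/Environmental Security"),
            Threat("flood", ThreatClass.NATURAL, 1, 1, "Physical/Environmental Security"),
        ]),
    ]


if __name__ == "__main__":
    for control, verdict in statement_of_applicability(sample_assets()).items():
        print(f"{control:30} {verdict}")
```

Lowering `minimum` to "low" is the knob that models the slide's point that the same controls do not apply across the board: the physical controls for the low-impact PCs become applicable only when the organization decides that even low-assurance risks must be treated.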

And then…

• Develop and implement security policies which comply with your specific requirements in terms of BS7799
• Review and Maintain
• Simple, isn't it?
• No, it is appreciated that compliance with BS7799 is a significant undertaking
• But, as the benefits themselves are significant… it is not only good practice, but makes good sense to adopt the standard

You are Not Alone

• CRAMM risk models are being developed for specific organizations (e.g. Acute Trusts)

• Such models will encompass approximately 90 - 95% of organizations

• Pioneer Projects - results of which will be fed into the overall implementation process

• Training
• Development and maintenance program
• FAQs
• Help Desk
• User Groups

Thanks for Coming!

For further information, contact:

Dr. A. Rush, Ph.D.

[email protected]