E. Gelbstein, A. Kamal

Information Insecurity
Part II: The Solution

Date post: 01-Apr-2015
Transcript (48 slides)

Page 1 (title slide)

Page 2

Basic rule of systems

Complex problems are never solved, they are only transformed.

Corollary: You don’t “fix” security. You manage it.

Page 3

Information security principles

1. Information must be available to those authorized to have it
2. Information will only be disclosed at the appropriate time, and only to those authorized to have it
3. Information will only be modified by those authorized to do so

Source: ISO 17799, Code of Practice for the Management of Information Security

Page 4

Information security principles (2)

4. Existence of a legal framework defining:
o Protection of intellectual property rights, including software
o Protection of privacy in cyberspace
o Effectiveness of the provision of digital signatures
o Prosecution of cyber-criminals
covering information processed, stored and transmitted in e-form

Page 5

What is your role in Infosec?

Defender: one of the good guys
o Chief Information Officer
o Security manager
o Systems administrator
o Network administrator
o Enlightened User

Page 6

How good a defender?

o Due diligence
o Negligence
o Dereliction of duty
o Misconduct
o Sabotage
o Criminal damage
o Aiding and abetting crime

It really is your choice

Page 7

What is your role in Infosec?

A “special guy”: good or bad are relative
o Auditor (security, internal, external)
o Ethical hacker
o Security consultant
o Vendors of security products
o Vendors of other ICT projects
o Info Security legislator

Page 8

What is your role in Infosec?

Bystander
“Surely, it’s a technical problem”
“Nothing to do with me”
“Not in my job description”
“What, change password again?”
“What’s wrong using my birthday as a password?”
“OK so my son used my employer’s notebook to download some shareware – what’s the big deal?”

Page 9

What is your role in Infosec?

Obstacle
“No way can I increase your budget”
“We have a freeze on recruitment”
“It’s not compatible with our corporate culture”
“The trade unions won’t have it”

Page 10

Defender’s 1st step: Culture

Security relies on everyone

Security requires many processes

Security contains many projects which never end

Only the paranoid succeed and survive

Page 11

Defender’s 2nd step: Reality check

100% security can NOT be achieved

Technology is not enough to guarantee security

Legislation is not enough to guarantee security

Security resources must match risk

Good security practices become barriers

Page 12

Building effective defences (needs more than technology)

1. Requirements definition, Organization, Asset valuation, Policies and compliance
2. Building blocks, Technical defences, Awareness, Standards, Best practices
3. Incident response, Digital forensics
4. Tests, Certification, Audits

Legislation

Page 13

Recommendations for Executives

1. Assign responsibility for information security

2. Ask your CIO to certify in writing the security status of your organization’s systems

3. Ask your CIO to document all known vulnerabilities

4. Engage a trusted ethical hacker to regularly attack your facilities and systems

to help contain the headache

Page 14

Security organization

Who is responsible for information security in the organization as a whole and at its various locations?

Who does this person report to?

Who reviews this person’s performance and monitors her/his effectiveness?

How is security managed with contractors, temporary personnel and outsourcers?

Who is responsible for dealing with a security incident?

Effective Defences 1

Page 15

Effective defences 1: Requirements definition

What threats? What value, what to protect? What vulnerabilities?
How much funding can be made available to implement, operate and manage?

(Illustration, physical-security analogy: strong locks, burglar alarm, remote monitoring, reinforced doors, impact-resisting glass, CCTV, inventories, insurance)

Effective Defences 1

Page 16

Information security (diagram)

Value of information assets; vulnerabilities; threats; countermeasures.
100% security is unachievable.
The size of the box represents RESIDUAL RISK.

Page 17

How much security is enough?

(Chart: complexity and cost of security against acceptable level of residual risk, scale 0 to 9)

Examples placed along the scale: Military; Major outsourcers; Stock exchanges; Fund transfers; Major banks; Telephone companies; Low tech manufacturing

Page 18

Asset valuation & impact analysis

What is the value* of
o Data
o Intellectual property
o Systems (software, hardware)
o Documents
o The Organisation’s reputation
when disclosed, modified, unavailable, destroyed, etc.?

* Financial, commercial, reputation, political, etc

Effective Defences 1

Page 19

When does misuse become abuse?

Theft and fraud
o Proprietary information
o Software and equipment
o Employer’s time
o Financial gain
o Modifying personal data (e.g. holiday records)

Misuse of system privileges
o Inappropriate access to data, websites, others’ e-mail
o Deletion of data
o E-mailing of offensive material, jokes, etc
o Installation of unauthorized software
o Downloading large files (music, video)
o Personal use of employer’s systems and facilities

Disclosure
o Confidential information
o Embarrassing information
o Internal gossip and politics

Effective Defences 1

Page 20

Policies and compliance

Scope, Documentation, Dissemination, Maintenance, Compliance

POLICIES are formal statements of how an organization manages information security

Policies without effective compliance measures are ineffective

Effective Defences 1

Page 21

Scope of policies

o Acceptable personal use of corporate resources
o E-mail policies for corporate and personal use
o Creation, change and management of passwords
o System / resource access
o Employer’s right to monitor and right to access
o Use of encryption
o Physical access and remote access
o Software installation
o Mobile communications and computing
o Database administration
o Employee background checks (pre- and during employment)

The list goes on...

Effective Defences 1

Page 22

An e-mail policy would cover
o Legal liability (harassment, copyright, libel, etc)
o Offensive language/material
o Non-disclosure
o Corporate practices regarding encryption
o Personal use of corporate e-mail
o Employer’s right to monitor
o Retention and archival
o Junk and other non-productive e-mail
o Attachments: executable code including macros; audio and video files; other large files; virus, worm, other infectious software
o Non-compliance
etc...

Effective Defences 1

Page 23

Policies: reality test

Policies must make sense to the personnel to be followed (30% of all attacks are internal)

Three options regarding compliance:
o Don’t bother too much: policies have no credibility
o Tight monitoring and zero tolerance: create martyrs, loss of trust
o Managed program to address internal abuses

Effective Defences 1

Page 24

Effective defences 2: Building blocks

authentication, authorization, non-repudiation, audit, confidentiality, integrity

Page 25

Building blocks (2)

Authentication: prove you are who you say you are
Authorization: the security system checks what you may do with the system
Confidentiality: data can only be seen by someone authorized to do so
Integrity: data can only be modified by someone authorized to do so
Non-repudiation: ability to prove that the information received is the same as the information sent
Audit: system records of who did what and when

Effective Defences 2

Page 26

Technical defences (Effective Defences 2)

Tools
o Data access rights
o Database security
o System security
o LAN & server security
o Firewall security
o Physical access control
o Logical access control
o Diagnostics and monitoring
o System administration
o Virus management software
o Encryption software

Infrastructure
o No single point of failure
o UPS and standby
o Clusters, fail-soft, RAID, alternative routing
o Proxy servers, firewalls

All properly installed, configured and tested by trained personnel

Page 27

Technical defences (2)

Effective Defences 2

Processes

Cluster # 1: operations and configuration management
o Software/product quality
o Reduce complexity
o Change control
o Segregation of duties
o Backup / restore
o Media management

Cluster # 2: event intelligence
o Risk assessment
o Risk management
o Alert monitoring

Cluster # 3: preparedness
o Disaster recovery
o Business continuity
o Crisis management

Page 28

sections of ISO 17799

1. Develop and implement security policies

2. Put in place a security organization

3. Maintain an information asset classification

4. Address personnel issues of security

5. Implement physical and environmental security

6. Ensure adequate network and computer operations

7. Implement system and network access controls

8. Build security into systems development

9. Have disaster recovery and resumption plans

10. Compliance with legislation and best practices

Effective Defences 2

Page 29

COBIT process maturity levels

COBIT: Control Objectives for Information Technology

0 Non-existent: the process is not managed
1 Initial: the process is ad-hoc and disorganized
2 Repeatable: the process follows a regular pattern
3 Defined: the process is documented and communicated
4 Managed: the process is monitored and measured
5 Optimized: best practices

(Chart markers: current status, strategic target)

Effective Defences 2

Page 30

Justifying investments

Demonstrating value has always been the BIG challenge for technical practitioners

Typical ROSI (Return On Security Investment) analysis:
cost: “We spent a million dollars”
benefit: “We think we have not been hacked”

The industry is unable to agree on a better way

Effective Defences 2

Page 31

More about ROSI (Effective Defences 2)

Some of the intangible factors:
o No security metrics standards
o No warranties from vendors or outsourcers, only “best efforts”

The same is true for

Financial controls

Fire prevention arrangements

Page 32

ways to tighten security

1. Promote awareness

2. Know the assets you must protect

3. Invest wisely (“more” may not be “better”)

4. Survey the threatscape – who are the enemy?

5. Be vigilant

6. Understand and actively manage risk

7. Ensure security is engineered and designed into the infrastructure

8. Remember it is more than a technical matter

9. Detect and respond

Effective Defences 2

Page 33

Awareness (Effective Defences 2)

Management
o Disaster recovery, continuity and crisis plans
o Trusted insider risks: signals
o Breaches of security, subsequent “digital autopsy”

I.T. personnel
o Vendor bulletins about vulnerabilities
o Hacker activities
o CERT and other alerts
o Procedures and policies
o What to do when an incident occurs

All other personnel
o Policies and need for compliance
o What to do when an incident occurs
o Best practices

Page 34

good personal practices

1. Use hard to guess passwords and ensure non-disclosure

2. Make regular backups of your critical data

3. Use effective protection against malicious code

4. Use a firewall between your computer and the Internet

5. Do not stay on-line unnecessarily or when inactive

6. Look for and quickly install software updates and patches from (trusted) vendors

7. Be careful of e-mail attachments from strangers and from known persons if the subject line is unusual

Effective Defences 2

Page 35

ways to protect your privacy

1. Set up your browser to secure personal information

2. Don’t reveal personal details unless you are sure

3. Actively manage cookies

4. Keep a “clean” e-mail address

5. Remember you may be monitored at work

6. Beware of websites that offer rewards in exchange for your contact or other information

7. Never reply to spam mail

8. Only reveal critical information to a “https” website

9. Use encryption if appropriate

Effective Defences 2

Page 36

A word of caution

Tools and good practices increase security.
For the end-user, they become a kind of obstacle race.

Effective Defences 2

(Illustration: a hard-to-remember password, “Mwf1U4zX”, prominently displayed on Post-it™ Notes)

Page 37

Effective defences 3

Incident response
o Intrusion detection
o Emergency Response Team
o Problem containment
o Problem resolution
o Restoring normal operations

Digital forensics (also called digital autopsy)
o Determine attack mechanism
o Review adequacy of arrangements
o Search for evidence
o Action plan for internal causes
o Action plan for external causes

Effective Defences 3

Page 38

How do you respond?

Option 1:
“Hackers please note. This facility is secured Monday and Friday, 09:00 to 17:00 CET. Please do not visit at any other time. We thank you for your understanding”

Option 2: Emergency response plan + team

Effective Defences 3

Page 39

things to do if (when) attacked

1. Don’t panic !

2. Call in your incident response team

3. Contain the problem and avoid the “quick fix”

4. Take good notes in case you need to take legal action

5. Have your backup facilities ready

6. Get rid of the problem

7. Use trusted, uncompromised, communications

8. Know what to say, to whom and when

9. Know when to involve crime investigators

10. Conduct an autopsy of the event and your response

Effective Defences 3

Page 40

Effective defences 4

Tests, audits, digital autopsy, certification

Like your annual medical: it’s no guarantee of good health, but it might diagnose a problem

Who tests the testers?
How do you know you have not been attacked?
How do you know that your arrangements will work?

Page 41

e-evidence

o Volume and manageability
o Who else has copies?
o Indexing, classification
o Retention, archival
o Media and software
o Right to access
o Right to remove
o Right to destroy

Effective Defences 4

Page 42

e-evidence (2)

Headaches
o Hard to trace, particularly cross-border
o Hard to quantify losses
o Lack of clarity what is court-admissible

Civil litigation: contractual issues; harassment, bullying, impropriety; containable fraud
Criminal litigation: sabotage; industrial espionage; major fraud

Out of court settlements are common

Effective Defences 4

Page 43

e-evidence (3)

Follow proper procedures for seizure
Seize computer, media and paperwork
Assess risk of logical bomb
Protect the suspect computer from tampering
Discover, recover and report

Effective Defences 4

Page 44

ways to support e-forensics

1. Follow authorized seizure process (ask the lawyers!)

2. Seize and secure equipment, media and papers

3. Shut down the computer – record it with a video camera

4. Document the hardware configuration

5. Transport to secure location and protect chain of evidence

6. Ensure the computer remains uncompromised

7. Make bitstream backups of hard disk and all media

8. Authenticate data with 128 bit checksum

9. Only use backups for subsequent analysis

10. Document the system’s time and date

Effective Defences 4

Page 45

ways to support e-forensics (2)

11. Identify all anomalies: hidden disk partitions, hidden files, encrypted files, evidence of erased files, file slack, presence of steganographic software

12. Examine e-mail, Internet, temporary files

13. Fully document all the findings

14. Retain copies of all software used for analysis

15. Only use fully licensed forensic software

Effective Defences 4
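Steps 7 to 10 of the e-forensics list (bitstream copy, checksum authentication, analysis on the copy only, documenting the time) can be shown as a small chain-of-custody check. The following Python is an added example written for this transcript, not code from the slides or from Gelbstein and Kamal; the SAMPLE_IMAGE bytes, the exhibit id and the handler name are constructed. It records the 128-bit checksum the slide mentions (MD5) alongside a SHA-256 digest, because MD5 alone is no longer collision-resistant, and it refuses a working copy whose digests differ from the seized original.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in for the bitstream image of a seized drive (16 KiB of bytes).
SAMPLE_IMAGE = bytes(range(256)) * 64


def image_digests(data: bytes) -> dict:
    """Return the slide's 128-bit checksum (MD5) and a SHA-256 digest over the same bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def record_custody(log: list, data: bytes, evidence_id: str, handler: str, action: str) -> dict:
    """Append a chain-of-custody entry: who did what, when, and what the media hashed to.

    The timestamp is the examiner's own clock; step 10 of the slide asks for the
    suspect system's time and date to be documented separately.
    """
    entry = {
        "evidence_id": evidence_id,
        "handler": handler,
        "action": action,
        "utc": datetime.now(timezone.utc).isoformat(),
        **image_digests(data),
    }
    log.append(entry)
    return entry


def verify_working_copy(original_entry: dict, working_copy: bytes) -> bool:
    """Step 9: analysis happens on a copy, so first prove the copy matches the seized original.

    compare_digest is used so the comparison does not leak where the digests diverge;
    any difference means the copy is not the evidence and must not be analysed.
    """
    current = image_digests(working_copy)
    return (hmac.compare_digest(current["sha256"], original_entry["sha256"])
            and hmac.compare_digest(current["md5"], original_entry["md5"]))


if __name__ == "__main__":
    custody_log = []
    seized = record_custody(custody_log, SAMPLE_IMAGE, "EXHIBIT-001", "examiner A",
                            "acquired bitstream image")
    print("custody entry:", seized)
    print("pristine copy verifies:", verify_working_copy(seized, bytes(SAMPLE_IMAGE)))
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[100] ^= 0x01  # a single flipped bit in the copy
    print("altered copy verifies:", verify_working_copy(seized, bytes(damaged)))
```

In practice the custody log itself is written to append-only storage and signed by the handler, and every later entry (transport, analysis, return) re-hashes the media so that a break in the chain is visible to the court.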

Page 46

things to worry about

1. Time elapsed between an attack and its discovery

2. The size of incident logs (may inhibit discovery)

3. Examining incident logs is boring (easy to miss things)

4. The trusted insider

5. Hard to know what’s what in a multi-vendor environment

6. Good security staff are hard to find and harder to keep

7. Hard to define a return on security investment

8. Management detachment (denial of having a role to play)

Effective Defences 4
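Worries 1 to 3 above (slow discovery, the size of incident logs, and the tedium of reading them) are where even simple automation helps. The following Python is an added example, not part of the presentation; the log lines are constructed in a syslog-like shape and the threshold of four failures is an arbitrary choice. It parses the lines, flags a source that fails repeatedly and then succeeds, and reports how long that pattern was sitting in the log before the rule fired, which is the "time elapsed" of worry 1 when review is manual.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines (not from any real system); the 198.51.100.0/24 and
# 192.0.2.0/24 ranges are documentation addresses.
SAMPLE_LOG = """\
2024-05-01T08:00:01 auth sshd: Failed password for admin from 198.51.100.7
2024-05-01T08:00:03 auth sshd: Failed password for admin from 198.51.100.7
2024-05-01T08:00:04 auth sshd: Failed password for root from 198.51.100.7
2024-05-01T08:00:06 auth sshd: Failed password for admin from 198.51.100.7
2024-05-01T08:00:09 auth sshd: Failed password for backup from 198.51.100.7
2024-05-01T08:00:15 auth sshd: Accepted password for backup from 198.51.100.7
2024-05-01T08:01:00 auth sshd: Failed password for alice from 192.0.2.10
2024-05-01T08:05:00 auth sshd: Accepted password for alice from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts; lines that do not match the shape are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def triage(events: list, threshold: int = 4) -> list:
    """Flag a source that fails at least `threshold` times and then logs in successfully.

    Each finding carries the first failure time and the success time, so the gap
    shows how long the pattern was visible before anyone would have noticed.
    """
    failures = defaultdict(list)
    findings = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
        elif len(failures[ev["src"]]) >= threshold:
            first = failures[ev["src"]][0]
            findings.append({
                "src": ev["src"],
                "user": ev["user"],
                "failed_attempts": len(failures[ev["src"]]),
                "first_failure": first,
                "success_at": ev["ts"],
                "seconds_to_detect": (ev["ts"] - first).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(f"{finding['src']} succeeded as {finding['user']} after "
              f"{finding['failed_attempts']} failures; pattern visible for "
              f"{finding['seconds_to_detect']:.0f} s")
```

The rule deliberately ignores the single failure from 192.0.2.10 (a mistyped password followed by a normal login), which is the usual reason a threshold exists: a rule that fires on every failure recreates the log-volume problem of worry 2 in the alert queue instead.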

Page 47

things to worry about (2)

9. Limited international cyber-crime legislation

10. Certificate Authorities: the new trust issue

11. Vendors not liable for product vulnerabilities

12. Executives who believe security is not a real issue

13. Liabilities arising from lack of due diligence

14. Need to take cyber-crime insurance

Effective Defences 4

Page 48

Conclusion

Sounds daunting? It is.

You have two options:

a. Be prepared (Act now) or

b. Improvise when it happens (React then)

