Information Systems Security (Monash) – Managing security in the organisation


Uploaded by phungnga, 22-May-2018

IMS3110 INFORMATION SYSTEMS SECURITY

Managing Security in the organisation

Step 2: Risk Mitigation – access controls cont/d – authentication

Lecturer: Sue Foster, Week 5, IMS3110

Weekly IS Security topics

Week | Date (week beginning) | Lecture Topics | Assessment | Tutorials
---- | --------------------- | -------------- | ---------- | ---------
1 | 18 July | Brief overview of the unit and unit outline; Introduction to IS Security in organisations | Assignment 1&2 handed out | No tutorial this week
2 | 25 July | IS Security – framework; Breaches, threats, vulnerabilities | | Introduction to IS security and the goals of IS Security
3 | 1 August | Risk management Step 1: Risk analysis and assessment | Presentations will be conducted in tutorials | Breaches, threats, vulnerabilities
4 | 8 August | Step 2: Risk Mitigation – access controls | Presentation 1&2 (7.5%) | Risk management: Step 1: Risk analysis and assessment
5 | 15 August | Step 2: Risk Mitigation – access controls cont/d – Authentication | Assignment 1 due in tutorials = 5% | 
6 | 22 August | E-commerce – Internet security | Presentation 3 | Risk Management: Step 2: Risk Mitigation: access controls
7 | 29 August | Internet security cont/d | Presentation 4 | E-commerce – internet security
8 | 5 September | Security design (http://www.cert.org/archive/html/protect-critical-systems.html) | Presentation 5 | Security design
9 | 12 September | Risk Management: Step 3: Security policies and procedures | Presentation 6 | Security policies etc
10 | 19 September | Business continuity plans (BCP) and disaster recovery | Presentation 7&8 | BCP and disaster recovery

Learning Objectives

• Link IS security goals to protecting vulnerabilities and access controls

• Identify access controls by what they do and how access controls support information system protection

• Understand the importance of a defence in depth approach to information system security

The Core Issues

(Diagram: threats, breaches and information system vulnerabilities surrounding the information system.)

INFORMATION SYSTEM SECURITY = DATA SECURITY = Confidentiality, availability, integrity, accountability

External threats: Trophy Hunting

Symantec and McAfee are targeted by intruders because of the inherent value in breaking into their websites.

3000 to 4000 people each day try to break into the Symantec website. Most of this is trophy hunting by intruders.

Internal Threats: Employee Revenge

• Defence contractor Lockheed Martin’s email system crashed for six hours after an employee sent 60,000 co-workers a personal email message containing a confirmation request.

• Lockheed, which posts 40 million emails each month, was forced to fly in a Microsoft rescue squad to repair the damage.

Holistic approach to IS security

(Diagram: RISK MANAGEMENT cycle)

Risk analysis/assessment
• Determine critical assets
• Analyse threats: statistics, current / future trends
• Establish vulnerabilities
• Perform gap analysis
• Methods: CRAMM / OCTAVE / COBRA; ALE (quantitative)

Risk mitigation
• Assess current access controls
• New access controls

Security audit
• Audit logs
• Computer forensics: preserve the evidence; re-evaluate access controls and policies

Security management
• Security policies
• Security culture
• Business continuity plans (BCP)
• Disaster recovery

Security framework – goals of IS security: confidentiality, privacy, availability, integrity, non-repudiation, accountability, authentication

Step 2 – Risk Mitigation

The outcome from the risk assessment is used to identify the optimum set of mitigation (control) measures.

Security Controls

PROVIDE:
• Protection for vulnerabilities
• Countermeasures against access breaches

Controls

• Controls are policies, procedures, techniques, devices, systems and other measures which may be taken to reduce the opportunity for unauthorised access to a system
  – Examples?
  – Control relational model

• Defence in depth refers to a variety of security overlays implemented to prevent unauthorised access

Controls

Four types:

• Deterrent controls – reduce the likelihood of a deliberate attack
  – Example?

• Preventative controls – protect vulnerabilities and make an attack unsuccessful or reduce its impact

• Corrective controls – reduce the effect of an attack

• Detective controls – discover attacks and trigger preventative or corrective controls

Reference: http://www.security-risk-analysis.com/introduction.htm

Control Relational Model (http://www.security-risk-analysis.com/introduction.htm)

(Diagram: the nodes are Threat, Deliberate Attack, Vulnerability, Impact and the four control types; the edges are labelled creates, reduces likelihood of, discovers, triggers, protects, reduces, decreases and results in.)

• The chain runs Threat → Deliberate Attack → Vulnerability → Impact: the threat creates the attack, and the attack on the vulnerability results in the impact
• Deterrent controls reduce the likelihood of a deliberate attack
• Preventative controls protect the vulnerability and reduce the impact
• Detective controls discover the attack and trigger corrective controls
• Corrective controls decrease the impact
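The relationship that the four-types slide and the relational model describe, as an added example that is not from the lecture: a detective control reads a constructed audit log, discovers a deliberate attack (repeated failed logins from one source) and triggers a corrective control (lock the targeted accounts) and a preventative control (block the source). The log format, the thresholds, the function names and every log line are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed log format (not from the lecture): "<ISO time> auth <FAIL|OK> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample audit log: one noisy source, one benign source, one malformed line.
SAMPLE_LOG = """\
2005-08-15T09:00:01 auth FAIL user=admin src=203.0.113.7
2005-08-15T09:00:03 auth FAIL user=admin src=203.0.113.7
2005-08-15T09:00:05 auth FAIL user=root src=203.0.113.7
2005-08-15T09:00:09 auth FAIL user=admin src=203.0.113.7
2005-08-15T09:00:12 auth FAIL user=alice src=203.0.113.7
2005-08-15T09:05:00 auth FAIL user=bob src=192.0.2.10
this line is not an auth record and is skipped
""".splitlines()

def parse_log(lines):
    """Turn audit-log lines into event dicts; malformed lines are dropped."""
    events = []
    for m in (LOG_RE.match(line.strip()) for line in lines):
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Detective control: returns {src: set of users} for sources with >= threshold failures in one window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]].append(ev)
    hits = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):  # slide a window of `threshold` failures
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                hits[src] = {e["user"] for e in evs}
                break
    return hits

def respond(hits):
    """Triggered controls: block the source (preventative), lock its targets (corrective)."""
    actions = []
    for src in sorted(hits):
        actions.append(("block_source", src))
        actions.extend(("lock_account", u) for u in sorted(hits[src]))
    return actions
```

Running `respond(detect_bruteforce(parse_log(SAMPLE_LOG)))` blocks 203.0.113.7 and locks admin, alice and root, while the two failures from 192.0.2.10 stay below the threshold and trigger nothing.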

The Core Issues

(Diagram: threats, breaches, information system vulnerabilities and controls surrounding the information system.)

INFORMATION SYSTEM SECURITY = DATA SECURITY = Confidentiality, availability, integrity, authentication

Most Common Inadequate Controls

• Lack of management commitment
• Poorly trained or overworked IT staff
  – Slow system vulnerability awareness to patch time
• Ineffective information security infrastructure – lack of defence in depth
• Inadequate security training or awareness
• Ineffective personnel procedures
• Ineffective risk management
• Insecure document control etc.

What Else Can You Do?

Put in place sophisticated SECURITY CONTROLS:

• Intrusion detection systems
• Firewalls
• Anti-virus software – updates
• Vulnerability scanning and analysis tools
  – Provide automatic patching and updates
• Security policies and procedures
• Security logs = audits

Defence In Depth solution – A Layered Strategy

DEFENCE IN DEPTH – PRIMARY AREAS (diagram)

• Perimeter defences – routers, firewalls
• Network defences – IDS (intrusion detection systems)
• Application protection – virus detection, vulnerability scanning
• Encryption
• Policy definition and management
• Risk management – OCTAVE / CRAMM / COBRA
• Access controls
• Physical defences

Conclusion

The access controls are only as good as the people who support them.

IT staff need to be skilled in all facets of access controls from vulnerability management to reviewing a breach.

References

• The SANS top trends in security management for 2002: White paper, January 2002 (www.netiq.com)

• Allinson, C. (2002). Information Systems Audit Trails: An Australian Government survey. Journal of Research and Practice in Information Technology, Vol 34, No 1, pp. 47-64.

• Independent Commission Against Corruption. eCorruption: eCrime vulnerabilities in the NSW Public Sector, Summary Report, 2001.

• http://www.thinkmobile.com/News/00/48/29/
• http://www.sophos.com/virusinfo/whitepapers/arcati_ru.html
• http://www.sophos.com/virusinfo/whitepapers/abc.html#top
• http://www.cert.org/present/cert-overview-trends/module-5.pdf
• http://www.airdefense.net/whitepapers/bitpipe/what_hackers.pdf

Additional readings:

• Panko, R. R. (2004). Corporate Computer and Network Security. New Jersey: Pearson Education Inc.

• http://www.keuning.com/biometry/Biometrical_Fingerprint_Recognition.pdf

• Smith, R. E. (2002). Authentication: From Passwords to Public Keys (Chapter 1). Publisher: Addison-Wesley. ISBN: 0201-61599-1

• Retrieved on 12/8/05 from: http://www.isl-biometrics.com/support/downloads/whitepapers.htm

Revision Questions

• Why is there a need for security systems?

• Why develop a defence in depth?

• If you were an IT security specialist, what would be your most important concerns regarding information system security?

Appendix

http://www.sans.org/newsletters/

• The Critical Vulnerability Analysis and the Security Alert Consensus have merged to become @RISK: The Consensus Security Alert.

• Delivered every Monday morning, @RISK first summarizes the three to eight vulnerabilities that matter most, tells what damage they do and how to protect yourself from them.

More Vulnerabilities:

• Look at the following sites:
  http://www.cert.org/advisories/CA-2003-09.html
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109
  http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q241520

• Please look at this PowerPoint slide: http://www.sans.org/top20/top20paller03.pdf