information systems security - monash … systems security managing security in the organisation ......
TRANSCRIPT
IMS3110 INFORMATION SYSTEMS SECURITY
Managing Security in the organisation
Step 2: Risk Mitigation – access controls cont/d - authentication
Lecturer: Sue Foster, Week 5, IMS3110
Weekly IS Security topics
Week | Date (week beginning) | Lecture Topics | Assessment | Tutorials
1 | 18 July | Brief overview of the unit and unit outline; Introduction to IS Security in organisations | Assignment 1&2 handed out | No tutorial this week
2 | 25 July | IS Security – framework; Breaches, threats, vulnerabilities | - | Introduction to IS security and the goals of IS Security
3 | 1 August | Risk management Step 1: Risk analysis and assessment | Presentations will be conducted in tutorials | Breaches, threats, vulnerabilities
4 | 8 August | Step 2: Risk Mitigation – access controls | Presentation 1&2 (7.5%) | Risk management: Step 1: Risk analysis and assessment
5 | 15 August | Step 2: Risk Mitigation – access controls cont/d - Authentication | Assignment 1 due in tutorials = 5% | -
6 | 22 August | E-commerce - Internet security | Presentation 3 | Risk Management: Step 2: Risk Mitigation: access controls
7 | 29 August | Internet security cont/d | Presentation 4 | E-commerce – internet security
8 | 5 September | Security design http://www.cert.org/archive/html/protect-critical-systems.html | Presentation 5 | Security design
9 | 12 September | Risk Management: Step 3: Security policies and procedures | Presentation 6 | Security policies etc
10 | 19 September | Business continuity plans (BCP) and disaster recovery | Presentation 7&8 | BCP and disaster recovery
Learning Objectives
• Link IS security goals to protecting vulnerabilities and access controls
• Identify access controls by what they do and how access controls support information system protection
• Understand the importance of a defence in depth approach to information system security
The Core Issues
THREATS
INFORMATION SYSTEM SECURITY
DATA SECURITY =
Confidentiality, availability, integrity, Accountability
BREACHES
Information system
VULNERABILITIES
External threats: Trophy Hunting
Symantec and McAfee are targeted by intruders due to the inherent value in breaking into their websites.
3000 to 4000 people each day try to break into the Symantec website. Most of it is trophy hunting by the intruder.
Internal Threats: Employee Revenge
• Defence contractor Lockheed Martin’s email system crashed for six hours after an employee sent 60,000 co-workers a personal email message containing a confirmation request.
• Lockheed, which posts 40 million emails each month, was forced to fly in a Microsoft rescue squad to repair the damage.
Holistic approach to IS security
Risk analysis/assessment
•Determine critical assets
•analyse threats
•statistics
•current / future trends
•Establish vulnerabilities
•Perform gap analysis
Risk mitigation
Cramm/octave/Cobra
ALE (quant)
Assess current Access controls
New access controls
•Audit logs
•Computer forensics
• Preserve the evidence
• re-evaluate access controls and policies
RISK MANAGEMENT
Security Framework – goals of IS security
Confidentiality
Privacy
Availability
Integrity
Non-repudiation
Accountability
Authentication
Security management
Security audit
•Security policies
•Security culture
•Business continuity plans (BCP)
•Disaster recovery
Step 2 – Risk Mitigation
The outcome from the risk assessment is used to identify the optimum set of mitigation (control) measures.
Security Controls
PROVIDE:
• Protection for vulnerabilities
• Countermeasures against access breaches
Controls
• Controls are policies, procedures, techniques, devices, systems and other measures which may be taken to reduce the opportunity for unauthorised access to a system
– Examples?
– Control relational model
• Defence in depth
– refers to a variety of security overlays implemented to prevent unauthorised access
Controls
Four types:
• Deterrent controls
– reduce the likelihood of a deliberate attack
• Example?
• Preventative controls
– protect vulnerabilities and make an attack unsuccessful or reduce its impact
• Corrective controls
– reduce the effect of an attack
• Detective controls
– discover attacks and trigger preventative or corrective controls
Reference: http://www.security-risk-analysis.com/introduction.htm
Control Relational Model (http://www.security-risk-analysis.com/introduction.htm)
[Diagram: Threat, Deliberate Attack, Vulnerability and Impact, linked to Deterrent, Preventative, Detective and Corrective Controls by the relations Creates, Reduces Likelihood of, Discovers, Triggers, Protects, Reduces, Decreases and Results in.]
The Core Issues
THREATS
BREACHES
Information system
VULNERABILITIES
CONTROLS
INFORMATION SYSTEM SECURITY
DATA SECURITY =
Confidentiality, availability, integrity, authentication
Most Common Inadequate Controls
• Lack of management commitment
• Poorly trained or overworked IT staff
– Slow system vulnerability awareness to patch time
• Ineffective information security infrastructure – lack of defence in depth
• Inadequate security training or awareness
• Ineffective personnel procedures
• Ineffective risk management
• Insecure document control etc
What Else Can You Do??
Put in place sophisticated SECURITY CONTROLS
• Intrusion detection systems
• Firewalls
• Anti virus software - updates
• Vulnerability Scanning and analysis tools
– Provide automatic patching and updates
• Security policies and procedures
• Security logs = audits
Defence In Depth solution – A Layered Strategy
DEFENCE IN DEPTH – PRIMARY AREAS
Perimeter defences - Routers - firewalls
Network defences – IDS (intrusion detection systems)
Application protection
•Virus detection
•Vulnerability scanning
Encryption
Policy definition and management
Risk management
OCTAVE/CRAMM/COBRA
Access controls
Physical defences
Conclusion
The access controls are only as good as the people who support them.
IT staff need to be skilled in all facets of access controls from vulnerability management to reviewing a breach.
Additional readings:
• Panko, R. R. (2004). Corporate Computer and Network Security. New Jersey: Pearson Education Inc.
• http://www.keuning.com/biometry/Biometrical_Fingerprint_Recognition.pdf
• Smith, R. E. (2002). Authentication: From Passwords to Public Keys (Chapter 1). Publisher: Addison-Wesley. ISBN: 0201-61599-1
• Retrieved on 12/8/05, located at: http://www.isl-biometrics.com/support/downloads/whitepapers.htm
Revision Questions
• Why is there a need for security systems?
• Why develop a defence in depth?
• If you were an IT security specialist, what would be your most important concerns regarding information system security?
Appendix
http://www.sans.org/newsletters/
• The Critical Vulnerability Analysis and the Security Alert Consensus have merged to become @RISK: The Consensus Security Alert.
• Delivered every Monday morning, @RISK first summarizes the three to eight vulnerabilities that matter most, tells what damage they do and how to protect yourself from them.
More Vulnerabilities:
• following sites.
http://www.cert.org/advisories/CA-2003-09.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q241520
• Please look at this power point slide:
• http://www.sans.org/top20/top20paller03.pdf