TRANSCRIPT
CIS8110
10/8/07 ©2007 V. Storey and C. Stucke 1
Security and Risk Management
MBA 8125
Acknowledgement: Parts of this session are based upon material from Cecil Chua, Deb Dey, Kimball, Dorothy Denning, Ray Panko, Graeme Payne, Ernst & Young, Gartner Group and Arjan Raven
Course Overview
[Diagram of course topics: Corporate Strategy; Ethics/Privacy; IS Strategy and Plan; Internal Systems Development; Outsourced Systems Development; Implementation; Internal Systems Operations; Outsourced Systems Operations; Infrastructure; Security]
Learning Objectives
• Define information security
• Explain how information security fits into business risk management
• Identify security context
• Describe current threats and mitigation practices
• Identify different types of attacks
• Understand business process continuity
• Evaluate tradeoffs in business recovery plans
Agenda
• Risk Management
• Information Security
• Security Concerns
• Management Issues
• Future Trends
Risk Management
“Effective risk management is based on a foundation of good corporate governance and rigorous internal controls. Taking calculated risks is part of any business enterprise. That is well understood. At the same time, each company needs to have in place the technical systems and management processes necessary not only to identify risks associated with its activities but also to effectively measure, monitor and control them.”
– William McDonough, Former PCAOB Chairman
http://www.pcaobus.org/index.aspx
Risk Management: Another View
"Risk Management is a methodology for assessing the potential of future events that can cause adverse effects; and implementing cost-efficient strategies that can deal with these risks"
– Marilyn Greenstein (http://www.mhhe.com/business/accounting/greenstein/authors.mhtml)
[Diagram from Ernst & Young: Strategy, Risks and Process in a cycle, surrounded by Assess, Enhance and Monitor]
• Strategies: Companies deploy multiple strategies to meet stakeholder demands, to respond to environmental conditions, and to capitalize on market opportunities.
• Evolving Risk Profile: The multiple strategies together with the changing environment generate risks and a continually evolving risk profile.
• Executing Sustainable Processes: Companies have in place a series of processes to manage their changing risk profile.
• Assess: Risk functions together with executive management continually assess the evolving risk profile and processes.
• Enhance: Executive management together with the risk functions implement identified enhancements.
• Monitor: Risk functions perform monitoring activities to ensure processes are operating as designed, controls are effective and risks are managed.
From Ernst & Young: http://www.ey.com/global/content.nsf/International/Global_Risk_Home
Risk Management’s Broad Scope
[Diagram, Copyright © 2002. Labels: Board of Directors, Risk Management Committee, Business Units, Policies, Regulations, Risk]
Risk areas shown: Strategic, Financial, Operational, Revenue, Credit, Market, Fiduciary, Intellectual Property, Project Management, Info Security and Availability, Human Capital, Physical Security, IT Capacity and Performance, Risk Financing and Insurance, Reputation, Privacy
Risk Management Life Cycle
(Adapted from a Copyright © 2002 source)
• Start/Update Risk Planning
• Inventory Assets: Who, what, what value, what priority?
• Identify Risks: Who, what, where, when, why, how?
• Analyze/assess/measure: How much, how often, how related, what business impact?
• Mitigate: Eliminate, avoid, reduce
• Transfer: Contractual, risk financing, insurance
• Accept: Create/Implement BCP
• Monitor Results / Initiate Update (and return to Start/Update Risk Planning)
Business Impact Analysis (Copyright © 2002)
[Chart: cost to business (scale 0 to 160) over time at Day 1, Day 4, Week 1 and Week 2; series: Lost Sales, Order Cancel, Penalties, Interest]
Impact areas: Cash flow; Competition / lost sales; Interest expense; Shareholder confidence; Legal/contractual obligations / penalties; Company viability; Customer service / canceled orders; Insurance issues / regulatory requirements; Productivity
What Is Your Cost of Downtime? (Copyright © 2002)
Know your downtime costs per hour, day, two days ...
• Productivity: Number of employees affected x hours out x burdened hourly rate
• Revenue: Direct loss; Compensatory payments; Lost future revenue; Billing losses; Investment losses
• Damaged Reputation: Customers; Suppliers; Financial markets; Banks; Business partners; ...
• Financial Performance: Revenue recognition; Cash flow; Lost discounts (A/P); Payment guarantees; Credit rating; Stock price
• Other Expenses: Temporary employees, equipment rental, overtime costs, extra shipping costs, travel expenses, legal obligations ...
Growing Impact: System Vulnerability and Abuse
[Chart: Worldwide Damage from Digital Attacks]
The Digital Firm: Where Are The Risks?
Source: Laudon & Laudon 2006
• Multiple Failure Points
• Human Error
• Performance / Capacity
• Outsourced Service Providers
• Natural Disasters
• Downtime (planned/unplanned)
• Security Incidents
• Links to Third Parties
The Digital Firm: Where Are The Risks?
[Diagram from Ernst & Young: the firm's links to Partners, Customers and Contractors, and its exposure to Hackers, Malware and Spam]
Top 10 Business and Technology Priorities in 2006

Rank | Top 10 Technology Priorities | Top 10 Business Priorities
1 | Business Intelligence applications | Business process improvement
2 | Security technologies | Controlling enterprise operating costs
3 | Mobile workforce enablement | Attracting and growing customer relationships
4 | Collaboration technologies | Improving competitive advantage
5 | Customer sales and service | Improving competitiveness
6 | Service Oriented Architectures (SOA) | Using intelligence in products and services
7 | Workflow management | Security breaches and disruptions
8 | Networking, voice and data communications | Revenue growth
9 | Virtualization | Faster innovation
10 | Legacy application modernization | Faster innovation and cycle times

Source: Gartner EXP (January 2006). See http://www.gartner.com/press_releases/asset_143678_11.html
Top 10 Business & Technology Priorities in 2007

Rank | Top 10 Business Priorities | Top 10 Technology Priorities
1 | Business process improvement | Business Intelligence applications
2 | Controlling enterprise-wide operating costs | Enterprise applications (ERP, CRM and others)
3 | Attract, retain and grow customer relationships | Legacy application modernization
4 | Improve effectiveness of enterprise workforce | Networking, voice and data communications
5 | Revenue growth | Servers and storage technologies (virtualization)
6 | Improving competitiveness | Security technologies
7 | Using intelligence in products and services | Service-oriented architectures
8 | Deploy new business capabilities to meet strategic goals | Technical infrastructure management
9 | Enter new markets, new products or new services | Document management
10 | Faster innovation | Collaboration technologies

Source: Gartner EXP (February 2007). http://www.metrics2.com/blog/2007/02/15/top_10_business_and_technology_priorities_in_2007.html
What is Information Security?
The policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
Source: Laudon & Laudon 2006
Primary Issues:
• Confidentiality -- no “data spills”
• Integrity
• Availability
Risk Concepts Relationships
See SANS Glossary of Terms http://www.sans.org/resources/glossary.php
[Diagram relating Threats, Vulnerabilities, Assets, Asset Values & Potential Impacts, Security Risks, Security Requirements and Security Controls:]
• Threats exploit Vulnerabilities
• Threats increase Security Risks
• Vulnerabilities expose Assets
• Vulnerabilities increase Security Risks
• Assets have Asset Values & Potential Impacts
• Asset Values & Potential Impacts increase Security Risks
• Security Risks indicate Security Requirements
• Security Requirements are implemented by Security Controls
• Security Controls protect against Threats
Security in the Information Society
• Information technology
  – Critical to business and society
• Computer security
  – Evolving into information security
• Information security
  – Responsibility of every member of organization
  – Managers play critical role: information security managers and professionals; information technology managers and professionals; non-technical business managers and professionals
Source: J. Joshi
Internet Challenges to Privacy
• Cookies – files stored on computer that save information and track visits to a website.
• Web Bugs – graphic files embedded in email and web pages to monitor visitors
• Spyware – applications secretly installed on computer to report user activities on Internet
Types of Computer Crime
• Spamming – Marketers send out unsolicited mass-email to unwilling recipients
• Hacking – Exploiting weaknesses in security to gain access to machines and data
• Jamming – Denial of service, tie up resources to make them unavailable
• Worms/viruses – Malicious software that spreads and may be destructive
• Sniffing – Placing software for electronic eavesdropping
• Spoofing – fraudulent misrepresentation of identity
See Computer Crime Cases
Security Challenges in Organizations
Source: Laudon & Laudon 2006
Unauthorized Access & Human Error
• Use strong passwords and change frequently (more in coming slide)
• Use additional authentication where appropriate (something you know, you have, or you are)
• Encrypt data on hard drive
• Install anti-virus, anti-spyware, and firewall (more later)
• Minimize data stored on client
• Limit data access to need to know basis
• Human error hard to prevent
  – Everyone makes mistakes
• Software Bugs
  – Errors within software program
  – Updates and patches
• Input Mistakes
  – Application controls (greatest number of vulnerabilities come from applications/developers not checking length of supplied information: potentially allows “a buffer overflow” that can take over a machine. See the SANS top 20 vulnerabilities at http://www.sans.org/top20/ )
What about SPAM and Phish?
Botnets & Phishing
Botnets: http://images.businessweek.com/ss/05/05/hacker_botnet/index_01.htm
Phishing: http://images.businessweek.com/ss/05/05/hacker_phishing/index_01.htm
Attacks against a weak link: passwords
Factor One: What you know
• Brute Force Attack
  – Try every combination possible
  – Defeated by long passwords
• Default Password Attack
  – Check if user never changed password from default
  – Defeated by changing password (“password” most common password in DoD)
• Dictionary Attack
  – Dictionary of common passwords: Name, Common words, Famous people, Domain specific
• Good passwords
  – Minimum Length – 8 characters
  – Passwords should use three or four of the following four types of characters: Lowercase; Uppercase; Numbers; Special characters such as !@#$%^&*(){}[]
  – My favorite song is “Dust in the Wind”. Password: “mFSI!492023”
• OK, so how do you remember 20+ good passwords? Try a program such as PasswordSafe at http://passwordsafe.sourceforge.net/
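The slide's password rules put into code, as an added example that is not from the original slides or from any tool they mention: a policy check for the minimum length and three-of-four character classes, a check against a small constructed list of default and dictionary passwords (the kind a default-password or dictionary attack relies on), and the size of the keyspace an exhaustive brute-force attempt would have to cover, which is why length is the defence. The common-password list and the one-billion-guesses-per-second rate are constructed assumptions.

```python
"""Password policy check and brute-force keyspace estimate.

Added example, not part of the original slides. It encodes the slide's
own rules (minimum 8 characters, three of four character classes, the
special characters !@#$%^&*(){}[]) and shows why length defeats brute
force and why a default or dictionary password fails regardless of length.
"""
import math
import string

# Character classes exactly as listed on the slide.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SPECIAL = set("!@#$%^&*(){}[]")
CLASSES = {"lower": LOWER, "upper": UPPER, "digit": DIGITS, "special": SPECIAL}
MIN_LENGTH = 8
MIN_CLASSES = 3

# Constructed stand-in for a "dictionary of common passwords" (defaults,
# names, common words). A real deployment would load a large list.
COMMON_PASSWORDS = {
    "password", "default", "admin", "welcome", "letmein", "qwerty",
    "monkey", "dragon", "football", "123456",
}


def classes_used(password: str) -> set:
    """Names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_policy(password: str) -> bool:
    """The slide's rule: at least 8 characters and 3 of the 4 classes."""
    return (len(password) >= MIN_LENGTH
            and len(classes_used(password)) >= MIN_CLASSES)


def normalize(password: str) -> str:
    """Fold the trivial variations a dictionary attack tries anyway:
    case, and digits or specials tacked onto the end ("Password1!")."""
    return password.lower().rstrip(string.digits + "!@#$%^&*(){}[]")


def is_common(password: str) -> bool:
    """True if the password is a default or dictionary word in disguise."""
    return normalize(password) in COMMON_PASSWORDS


def keyspace(password: str) -> int:
    """Candidates a brute-force attacker must consider, assuming the
    attacker knows which classes are used: (alphabet size) ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def brute_force_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate.
    1e9 guesses/s is a constructed figure for a fast offline attack."""
    return keyspace(password) / guesses_per_second


def assess(password: str) -> str:
    """Combine the checks: a password is only 'ok' if it is not a
    dictionary/default word and passes the policy. Returns a verdict."""
    if is_common(password):
        return "rejected: dictionary or default password"
    if not meets_policy(password):
        return "rejected: policy (8+ chars, 3 of 4 classes)"
    years = brute_force_seconds(password) / (365 * 24 * 3600)
    bits = math.log2(keyspace(password))
    return f"ok: {len(password)} chars, keyspace 2^{bits:.0f}, ~{years:.1e} years to exhaust"


if __name__ == "__main__":
    # "mFSI!492023" is the slide's passphrase-derived example.
    for pw in ["password", "Password1!", "abcdefgh", "mFSI!492023"]:
        print(f"{pw!r:16} -> {assess(pw)}")
```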
Factor: What you are
• Facial Recognition
• Fingerprint Scan
• Retinal Scan
• Iris Scan
• Signature Recognition
• Speech Recognition
Biometric examples are from Kelly Rainer.
Factor: What you have
• Smart ID Card
• Hardware Token
Communications Line Access
• Secure physical communications lines
• Encrypt communications (via Virtual Private Network – VPN http://computer.howstuffworks.com/vpn.htm or other techniques)
• Authenticate sender & receiver
• Use digital signatures to prevent alteration and identify sender (see http://computer.howstuffworks.com/question571.htm )
• Use fiber optics or “tempest” to prevent “reading” of electrical signal (see tempest at http://www.webopedia.com/TERM/T/Tempest.html )
Attacks
• Virus
  – Piece of code embedded in an e-mail attachment
  – User opens the attached program
  – Virus copies itself into other programs on the computer
  – Virus spreads until a certain date, then deletes files
• Worm
  – Less harmful than a virus (does not destroy)
  – Usually increases load on a resource; may lead to a crash
• Denial of Service
  – Generate large number of useless service requests
  – Overload and system crash
Damages from Attacks
• In 2003, viruses cost business $55 billion in damages
• AOL blocks over 1 million viruses and worms a day from members' emails
  – AOL blocked over 24 million viruses in 24 hours during Sobig.f worm outbreak
Source: Jessup & Valacich 2006
Corporate Server Protection
• Limit external access by using firewalls
• Use anti-virus software
• Install “patches” for server software
• Limit data on servers
• Limit functions the servers support
• Use intrusion detection software
• Use read only media (a cd for instance) for “static” information on web (so these can not be defaced)
• Have agreement with ISP to assist with denial of service attacks (try to block, alternate addresses, etc.)
Sample Firewall Configuration
[Diagram: Web Client -> Firewall -> DMZ (Web Server hosting the Web apps) -> Firewall -> SQL Database (DB). The client sends an HTTP request (cleartext or SSL) and receives an HTTP reply (HTML, Javascript, etc.); the database sits behind the second firewall.]
(Also see http://computer.howstuffworks.com/firewall.htm )
Intrusion Detection Systems
[Diagram labels: Internet, Corporate Office, Business Partner, Users, DMZ Servers, Data Center, NAS]
• Internet Protection: Complements FW and VPN by monitoring traffic for malicious activity
• Extranet Protection (NIDS): Monitors partner traffic where “trust” is implied but not assured
• Remote Access Protection (NIDS): Hardens perimeter control by monitoring remote users
• Intranet/Internal Protection (NIDS/HIDS): Protects data centers and critical systems from internal threats
• Server Farm Protection (HIDS): Protects e-business servers from attack and compromise
Also see http://en.wikipedia.org/wiki/Intrusion_detection_system
Corporate Systems Protection
• Limit physical access
• Inspect media coming in & leaving
• Limit logical system access (most access may be via applications rather than logging in)
• Limit functions the systems support
• Encrypt data
• Limit decrypted data access to data access via applications
• Use intrusion detection software
• Keep patch levels up to date
• Enforce change control and testing
What about BCP & DR? Hold that thought.
Wait! These Attackers: Who are they?
• Kid down the street?
• Professional, working for your competitors?
• Foreign intelligence agency?
• Ex-employee?
• Disgruntled co-worker?
• “Professional” funded by organized crime
Who Commits Computer Crimes?

Group | Percentage
Authorized employees | 58%
Employees unauthorized to use computer system | 24%
Outside computer hackers or terrorists | 13%
Organization’s competitors | 3%
Other | 2%

Source: Jessup, L. and Valacich, J. Information Systems Today: Why IS Matters, 2nd edition (2006)
Quotes from Hackers
“It’s really just a bunch of really smart kids trying to prove themselves. I know I was.”
– Splurge, sm0ked crew
“It’s power at your fingertips. You can control all these computers from the government, from the military, from large corporations. … That’s power; it’s a power trip.”
– anonymous
“You do get a rush from doing it – definitely.”
“I’m like your nosy neighbor on steroids, basically.”
– Raphael Gray (aka Curador) [stole and posted 26,000 credit card numbers]
Source: Dorothy Denning
Why So Many Attacks?
• Today’s Systems
  – Complex and vulnerable
• Internet Growth
  – More targets and attackers
• Attackers Organized
  – Teach each other and novices
  – Exchange tools and information
• Attackers Develop Better Tools
  – Build on each other’s work
  – Build on work of security community
• Attacks Easy, Low Risk, Hard to Trace
  – Investigations difficult; often international
• Lack of Security Awareness, Expertise, or Priorities
  – .0025 percent of revenue spent on information security [Forrester]
• Organized Crime now involved!
Why are Attacks Challenging in Cyberspace?
• Automation
• Action at a distance
• Technique propagation
  – Low communication costs
  – Viruses, worms etc. need only a link between two systems.
Attacks via Social Engineering
• The acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of an inappropriate trust relationship with insiders.
• Manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems (with malicious intent)
We are the weakest link….
http://www.kevinmitnick.com/
Social Engineering Tactics & Defenses
(Sarah Granger, SecurityFocus)

Area of Risk | Hacker Tactic | Combat Strategy
Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!)
Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet-Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked
General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs
Many Studies
Available from http://www.gocsi.com/
http://cis.gsu.edu/~cstucke/cis8680/content/FBI2006.pdf
CSI/FBI Computer Crime and Security Survey (www.gocsi.com)
• Computer Security Institute / FBI (2006)
  – 615 U.S. Computer Security Professionals.
Also check out http://en.wikipedia.org/wiki/Internet_fraud
Disasters (Natural & Human-initiated)
• Cannot prevent natural disaster (may not be able to prevent human-initiated disaster)
  – Can create business continuity / disaster recovery plans
  – Can choose where people, process, and technology are located
http://www-1.ibm.com/services/us/index.wss/offerfamily/bcrs/a1000387
Security in Context: September 11 Raises the Bar for Risk (Copyright © 2002)
• People vs. Asset Centricity / Protection
  – Resilience in people/processes
  – Resilience in workspace
  – Resilience in safety and communications
• New Planning Scenarios — loss of life, lack of decision makers, interruption of transportation, building evacuation, loss of physical assets and workspace, lack of communications, crisis command center site unavailable, terrorism, bioterrorism and more
• Capacity Management — technology and people
• Contingency Planning — mitigate risks of external events
Disaster Recovery
Question: What is a disaster?
• 10 users out of service for 1 hour not a disaster (unless one is the CEO … )
• 1,000,000 users out of service for 24 hours is disaster
Source: A.P. Snow
Disaster Recovery: Levels of Backup
• Hot backup
  – Backup of complete system at another site
  – Data, operating components of hardware and software
• Cold backup
  – Backup of data only
  – No transaction can be processed during downtime
• Warm backup
  – Somewhere in the middle
  – Usually smaller system with full backup of data
  – Transactions processed, but more slowly
Risk Reduction
• Risk
  – (Probability of Disaster) x (Lost Revenue)
• Decrease risk
  – Decrease chance of disaster
  – Decrease amount of lost revenue
• Given disaster
  – Minimize impact by shortening duration or size of outage
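The downtime cost formula from the "What Is Your Cost of Downtime?" slide and the Risk = (Probability of Disaster) x (Lost Revenue) definition above, combined with the hot/warm/cold backup levels, as an added worked example that is not from the original slides: it prices one outage, turns it into an annual risk, and shows which backup level minimises running cost plus residual risk as the disaster probability changes. The firm's figures, the option costs and the recovery times are constructed.

```python
"""Downtime cost and backup-strategy tradeoff.

Added example, not from the original slides. It puts the slides' own
formulas into code: productivity loss = employees affected x hours out x
burdened hourly rate, risk = P(disaster) x lost revenue, and the choice
between hot, warm and cold backup, which changes how long an outage lasts
and therefore how much is lost. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Business:
    employees_affected: int
    burdened_hourly_rate: float   # salary + benefits + overhead, per hour
    revenue_per_hour: float       # direct revenue lost while systems are down
    penalty_per_hour: float       # contractual penalties, cancelled orders


@dataclass(frozen=True)
class BackupOption:
    name: str
    annual_cost: float            # what the option costs to run every year
    recovery_hours: float         # how long an outage lasts under this option


def downtime_cost(biz: Business, hours: float) -> float:
    """Cost of one outage of the given length: the slide's productivity
    formula plus lost revenue and penalties (reputation is not modelled)."""
    productivity = biz.employees_affected * hours * biz.burdened_hourly_rate
    revenue = biz.revenue_per_hour * hours
    penalties = biz.penalty_per_hour * hours
    return productivity + revenue + penalties


def annual_risk(probability_per_year: float, loss_per_event: float) -> float:
    """Slide's definition, Risk = (Probability of Disaster) x (Lost Revenue),
    expressed per year so it can be compared with an annual cost."""
    return probability_per_year * loss_per_event


def total_annual_cost(biz: Business, option: BackupOption, p_disaster: float) -> float:
    """Annual cost of an option = what it costs + the risk it leaves behind.
    Faster recovery shortens the outage and therefore the loss per event."""
    loss = downtime_cost(biz, option.recovery_hours)
    return option.annual_cost + annual_risk(p_disaster, loss)


def best_option(biz: Business, options: list, p_disaster: float) -> BackupOption:
    """Pick the option with the lowest (running cost + residual risk)."""
    return min(options, key=lambda o: total_annual_cost(biz, o, p_disaster))


# Constructed scenario: a 500-person firm whose order system is down.
ACME = Business(employees_affected=500, burdened_hourly_rate=60.0,
                revenue_per_hour=200_000.0, penalty_per_hour=2_000.0)

# Constructed options matching the slide's three backup levels.
OPTIONS = [
    BackupOption("cold (data only, nothing processed until restored)", 50_000.0, 72.0),
    BackupOption("warm (smaller system, slower processing)", 250_000.0, 8.0),
    BackupOption("hot (complete system at another site)", 900_000.0, 1.0),
]


if __name__ == "__main__":
    for p in (0.01, 0.10, 0.50):   # annual probability of a disaster
        print(f"P(disaster)={p:.2f}")
        for o in OPTIONS:
            print(f"  {o.name:52} total ${total_annual_cost(ACME, o, p):>12,.0f}")
        print(f"  -> choose: {best_option(ACME, OPTIONS, p).name}")
```

With these figures cold backup wins at a 1% annual probability, warm at 10% and hot at 50%, which is the tradeoff the learning objective asks you to evaluate.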
Distribute IS Architectures and Distribute Organizations to become Resilient
• Remove single point of failure so risk spread out geographically
• Depends on
  – redundancy of human capital necessary to run OR
  – ability to transition to backup site
• False security if personnel lost in outage, or loss of transportation or communication systems for transfer of operations
• Reliability demands for telecommunication services increase dramatically
• Redundancy requirements shift to network services
[Diagram: five sites each carrying 1/5 of the operation, linked by a Network labelled x100%]
Management Concerns
Security Management
Question: Why is security a management concern?
Business Value of Security
• Inadequate security may lead to legal liability
• Businesses must protect
  – own information assets
  – assets of customers, employees, business partners.
• Failure to protect may bring costly litigation for data exposure or theft
• Security framework needed to
  – protect business information assets
  – assure business continuity
  – high return on investment.
Attacks: Challenges and Trends
• Growing number of attacks (and attackers!)
• Attacks
  – Faster, propagate over network
  – More random (size doesn’t matter, can’t be small and hide)
  – Growing power / sophistication of attacks/tools
  – Automation (kits, botnets http://en.wikipedia.org/wiki/Botnet ,…)
  – More malicious; have learned how to turn information into money
  – Growing number of vulnerabilities, including insider vulnerabilities
  – Impossible to prevent all attacks
• Use of always connected cable modems or DSL
• Lack of encryption with most Voice over IP (VoIP)
• Widespread use of e-mail and instant messaging (IM)
• Wireless access
Again, why is this happening?
• Information systems
  – Complex
  – Interact with each other
  – Have emergent properties
  – Have bugs
• Integrated systems of the emerging digital enterprise are very, very difficult to secure
• Humans are imperfect…
So you protected everything and then Wireless appeared… (802.11? Bluetooth)
• Identify all wireless devices attached to network
• Apply all security features of products
• Require Authentication and Authorization and Encryption
• Use the same well known network security solutions as wired networks including:
  – Network segmentation (We didn’t talk about this. See http://www.sans.org/rr/whitepapers/hsoffice/1645.php )
  – Use of personal firewalls
  – Well defined, trainable, and enforceable security policy
• Perform Wireless Security Monitoring
Source: Rick Doten, MCI NETSEC
http://www.ibahn.com/ibahn-wpa.php
What should we as managers implement?
• Policies and Procedures (samples at http://www.sans.org/resources/policies/ )
• Education and Training
  – Teach users “Safe Internet Skills”
  – Strong authentication (e.g., 8 character password)
  – Social Engineering (recognizing and handling)
• Techniques
  – Access control (need to know) / authentication (multi-factor: know, have, am)
  – Filtering (Firewall) & Intrusion Detection
  – Data encryption (code data transmitted over a link or stored)
  – Anti-virus software (for every computer; extend license for home use; regular virus updates)
• Process
  – Security not one-shot project
  – Continuous evaluation / investment
  – Business Continuity Planning
  – Risk Management
• Vulnerability Assessment & Audit
  – By third-party consultant
  – Adhering to standards (ISO 17799 see http://en.wikipedia.org/wiki/ISO_17799 , http://www.iso-17799.com/ and http://www.sans.org/score/checklists/ISO_17799_checklist.pdf )
Based on Kimball, 2004.
Take-Away: The Security Chain
Links in the Chain (Technology based examples):
• Access control mechanisms
• Identification & authentication mechanisms
• Audit mechanisms
• Encryption mechanisms
• Firewalls
• Smart cards
• Biometrics
Links in the Chain (Non-technology based examples):
• Security policies and procedures
• Risk management
• Security planning
• Contingency planning
• Incident response planning
• Physical security
• Personnel security
Adversaries attack the weakest link…where is yours?
From National Information Assurance Partnership presentation by Dr. Ron Ross
Hope for Future . . .
• Increased security awareness
• Increased priority
• Growing number of information security experts
• Growing security industry
  – New / better products and services
• Growing public and private sector security initiatives
  – Joint public/private initiatives
• Attention from Congress and the Administration
  – $$$ for research and education/training
• New laws to facilitate investigations
• International cooperation to fight cyber crime
Conclusion
• Risk management is an essential aspect of successful business operation
• Security problems
  – Real and growing
• Threats considerable today
  – worse tomorrow
  – plan for tomorrow’s threat environment
• Many threats from many attackers
• Technology can reduce threats
  – Firewalls
  – Intrusion Detection Systems
  – Anti-virus and anti-spyware programs
• Multiple protection measures (defense in depth)
  – Awareness / education required
• Ongoing update and evaluation critical
• People are your greatest risk (and your greatest asset)
Q&A
Take-Away: Information Security Framework
[Diagram: the Information Security Program surrounding Company Information and Information Systems, with six activities and the NIST documents that govern each]
• Categorization of Information and Information System (FIPS 199, SP 800-60): Defines categories of information and information systems according to levels of impact for confidentiality, integrity, and availability; maps information types to security categories.
• Security Control Selection and Implementation (FIPS 200 (Final), SP 800-53 (Interim)): Implements management, operational, and technical controls (i.e., safeguards and countermeasures) planned or in place to protect information and information systems.
• Risk Assessment (SP 800-30): Analyzes the threats to and vulnerabilities in information systems and the potential impact or magnitude of harm that the loss of confidentiality, integrity, or availability would have on a company’s operations and assets.
• Security Planning (SP 800-18): Documents the security requirements and security controls planned or in place for the protection of information and information systems.
• Security Control Assessment (Certification) (SP 800-37, SP 800-53A): Determines extent to which security controls are implemented correctly, operating as intended, and producing the desired outcome in meeting security requirements.
• Security Authorization (Accreditation) (SP 800-37): Authorizes information systems to process, store, or transmit information; granted by a senior company official, based on risk to company operations and assets.
From National Information Assurance Partnership presentation by Dr. Ron Ross
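The categorization step of the framework above (FIPS 199 with SP 800-60), as an added example that is not from the slides or from NIST: each information type is rated Low/Moderate/High for confidentiality, integrity and availability; a system takes the highest rating per objective across the information types it handles; and its overall impact level is the highest of the three (the high water mark that FIPS 200 uses to pick the control baseline). The information types and their ratings below are constructed, not SP 800-60 values.

```python
"""FIPS 199 security categorization by high water mark.

Added example, not from the original slides or from NIST. The catalogue
of information types and their provisional ratings is constructed; in
practice SP 800-60 supplies the provisional ratings per information type.
"""
from typing import Dict, Tuple

LEVELS = ("low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed catalogue: information type -> (C, I, A) provisional impact.
INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "public web content":     ("low", "moderate", "moderate"),
    "customer orders":        ("moderate", "moderate", "high"),
    "payroll records":        ("high", "moderate", "low"),
    "press releases (draft)": ("moderate", "low", "low"),
}


def level_index(level: str) -> int:
    """Order impact levels so they can be compared; reject unknown ones."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def high_water_mark(levels) -> str:
    """Highest of the given impact levels."""
    return max(levels, key=level_index)


def categorize_system(type_names, catalogue=INFO_TYPES) -> Dict[str, str]:
    """Security category of a system: per objective, the highest rating
    over the information types it processes, stores or transmits."""
    if not type_names:
        raise ValueError("a system must handle at least one information type")
    ratings = [catalogue[name] for name in type_names]   # KeyError on unknown type
    return {
        obj: high_water_mark(r[i] for r in ratings)
        for i, obj in enumerate(OBJECTIVES)
    }


def overall_impact(category: Dict[str, str]) -> str:
    """Overall system impact level: the high water mark across the three
    objectives (this is what selects the control baseline)."""
    return high_water_mark(category.values())


def format_sc(system: str, category: Dict[str, str]) -> str:
    """FIPS 199 notation: SC system = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {system} = {{{parts}}}"


if __name__ == "__main__":
    # A constructed order system serving public pages and taking orders.
    order_system = ["public web content", "customer orders"]
    cat = categorize_system(order_system)
    print(format_sc("order system", cat))
    print("overall impact:", overall_impact(cat).upper())
```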