
Information Security Issues, Threats, Solution & Standards

This document discusses information security issues, threats, solutions, and standards. It covers the nature of businesses that deal with sensitive information, common security threats, and security impacts. Examples of recent security cases in India are provided. The introduction defines information security and the lifecycle of information. The three key aspects of information security - confidentiality, integrity, and availability - are explained. Trends in information security including the people, process, and technology aspects are discussed. Types of attackers and the sophistication of attacks are increasing. Various forms of security threats like malicious code, hoaxes, spoofing, and sniffers are described. Steps to create an information security plan and a suggested roadmap for IT security are provided. Authentication and authorization,

Uploaded by

masteranshul
Copyright
© Attribution Non-Commercial (BY-NC)

INFORMATION SECURITY
ISSUES, THREATS, SOLUTION & STANDARDS

“IF YOU THINK TECHNOLOGY CAN SOLVE YOUR SECURITY PROBLEMS, THEN
YOU DON’T UNDERSTAND THE PROBLEMS
&
YOU DON’T UNDERSTAND THE TECHNOLOGY.”
… Bruce Schneier
Nature of Business –

• High Risk – High Gain

• Deals with sensitive Information in High Volumes

• All Business Processes generate, operate on and process Information

• A News Item can move stock prices


Nature of Business –
• Every Sector / Vertical has faced Information Security Risk

• Cyber Terrorism is real and rising (Planned cyber attacks prior to / after 9/11)

• Countries of origin responsible for 75% of intrusions: USA, China, Romania, Germany

• More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”

• Information Governance pushed through Compliance


Threat Agents

• Media / Competition / Government


• Ex-employee
• Third Party
• Insider Employee
• More than 70% of Threats are Internal

• More than 60% culprits are First Time fraudsters


Security Impacts

• Embarrassment
• Loss of confidential and sensitive information
• Loss of strategic advantage and resources
• Non availability of systems in combat situations
• Time and efforts spent creating ‘Intellectual Property’
• National Security, when information is misused by terrorists/miscreants
Recent cases
Cases – India Specific

• MPhasis BFL - Pune

• CEO – Bazee.com

• Theft and Sale of Customer Data – Delhi

• Arrest of GM of reputed corporate for Cheating NRI in Dubai

• Attack on Web Sites – BARC, Cyber cell Mumbai

• War Room Leak - Navy


Introduction to Information Security

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected”

BS ISO 17799:20000
Introduction to Information Security

Lifecycle of Information
• Created
• Stored
• Processed
• Transmitted
• Used – (For proper & improper purposes)
• Lost
• Corrupted
• Destroyed
Introduction to Information Security

– Confidentiality: Ensuring that information is accessible only to those authorized to have access
– Integrity: Safeguarding the accuracy and completeness of information and processing methods
– Availability: Ensuring that authorized users have access to information and associated assets when required
Information Security Trends

[Diagram: Information Security and IT Security shown as overlapping areas spanning three dimensions – People, Process and Technology]
INTRODUCTION
• Information security – a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization

• This plug-in discusses how organizations can implement information security lines of defense through people first and technology second
Security is everyone’s responsibility

• Information Security is an “Organizational Problem” rather than an “IT Problem”

• Biggest Risk : People

• Biggest Asset : People


Who are these Attackers?
Who are Attackers? – What are they doing?
Intruders are
• Building up technical knowledge and skills

• Becoming more skilled at removing their trail

• More interested in ‘results’ than in the experience of hacking

• Exploiting the weakest link


Types of Hackers
Sophistication of Attacks
• No. of hackers – 1980 : Handful
• No. of hackers – 2006 : Thousands

• Time required to prepare – 1980 : Months
• Time required to prepare – 2006 : Hours

• No. of Machines affected – 1980 : Hundreds
• No. of Machines affected – 2006 : Millions

• Geographical Spread – 1980 : LAN / Network
• Geographical Spread – 2006 : Internet
Sophistication of Attacks

[Chart: Intruder Knowledge falling from High to Low while Attack Sophistication rises, plotted over 1980, 1985, 1990, 1995 and 2000, with “Tools” and “Attackers” as the two series. Labelled techniques: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, www attacks, denial of service, DDOS, “stealth” / advanced scanning techniques, network mgmt. diagnostics, burglaries.]
Damaging forms of security threats
• Malicious code – includes a variety of threats such as viruses, worms, and Trojan horses
• Hoaxes – attack computer systems by transmitting a virus hoax, with a real virus attached
• Spoofing – the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender
• Sniffer – a program or device that can monitor data traveling over a network
Types of Viruses
Steps to create Information Security Plan

1. Develop the information security policies
2. Communicate the information security policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support
Suggested Roadmap for IT Security
• Build Responsible Team
  – Apex Committee
  – Security Forum
  – Task Force

• Conduct Thorough Risk Assessment
  – Information Assets
  – IT Infrastructure / Network
  – Applications / Data Storage

• Risk Treatment
  a. Mitigate
  b. Transfer
  c. Avoid
  d. Accept
Suggested Roadmap for IT Security

• Implementation of Controls
Policy
Technology
Training

• Monitoring effectiveness of controls

• Preventive / Corrective Actions

• Continual Improvement
The First Line of Defense - People
• The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
• Information security policies – identify the rules required to maintain information security
• Information security plan – details how an organization will implement the information security policies
People Readiness
The Second Line of Defense -
Technology
• Three primary information security areas:
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response
Suggested Technologies

Layer – Technologies
Data – ACL, Encryption, Database Hardening
Application – Application hardening, Role Based Access, Multi Factor Authentication, PKI
Host – OS hardening, Patch management, HIDS
Internal Network – VLAN, NIDS, TACACS, NMS
Perimeter – Firewalls (Stateful, Deep packet inspection, Application layer), VPN, Gateway Anti Virus
Physical – Security Guards, CCTV, Biometric
Policies, Procedures, & Management Framework – Training, Awareness
AUTHENTICATION AND AUTHORIZATION

• Authentication – a method for confirming users’ identities
• The most secure type of authentication involves a combination of the following:
1. Something the user knows such as a user ID and password
2. Something the user has such as a smart card or token
3. Something that is part of the user such as a fingerprint or voice signature
• AUTHENTICATION
Most common method of authentication is User ID and Password.
• This is the most common way to identify individual users and typically contains a user ID and a password
• This is also the most ineffective form of authentication
• Over 50 percent of help-desk calls are password related.
Identity Thefts
• Better Forms of Authentication
Smart cards and tokens are more effective than a user ID and a password
• Tokens – small electronic devices that change user passwords automatically
• Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
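The two slides above (the three factors, and tokens that change the user’s password automatically) as an added example; this code is not from the presentation. It checks something the user knows (a password kept only as a PBKDF2 verifier) together with something the user has (a token code computed as in RFC 6238, TOTP). The user record, the salt, the function names and the password are this example’s own assumptions; the token seed is the RFC 6238 test-vector seed so that the codes are reproducible.

```python
"""Two-factor login check (added example, not the deck's own code).

Factor 1 (something the user knows): a password, stored only as a PBKDF2
verifier.  Factor 2 (something the user has): a token that shows a new
6-digit code every 30 seconds, computed as in RFC 6238 (TOTP)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed enrolment data (assumption).  A real system draws the salt and
# the token seed from os.urandom() at enrolment; they are fixed here so the
# example is reproducible.  The seed is the RFC 6238 test-vector seed.
_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
_TOTP_SEED = b"12345678901234567890"
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a verifier with PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


ENROLLED_USERS = {
    "alice": {
        "salt": _SALT,
        "verifier": hash_password("correct horse battery", _SALT),
        "totp_seed": _TOTP_SEED,
    },
}


def totp(seed: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically
    truncated to a 6-digit code.  This is the 'password that changes
    automatically' displayed by a hardware or phone token."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Accept only when both factors check out.  Comparisons use
    hmac.compare_digest so a wrong guess is rejected in constant time, and
    one 30-second step of clock skew is tolerated on either side."""
    now = int(time.time()) if now is None else now
    record = ENROLLED_USERS.get(user)
    if record is None:
        # Unknown user: still do the hash work so that response time does
        # not reveal which user names exist.
        hash_password(password, _SALT)
        return False
    knows = hmac.compare_digest(hash_password(password, record["salt"]), record["verifier"])
    has = any(
        hmac.compare_digest(totp(record["totp_seed"], now + skew), code)
        for skew in (-30, 0, 30)
    )
    return knows and has


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 test vector gives the 6-digit code 287082.
    print(totp(_TOTP_SEED, 59))
    print(verify_login("alice", "correct horse battery", "287082", now=59))
```

Both checks are evaluated before the answer is returned, so a caller cannot tell from the failure which factor was wrong; the small skew window is what lets a token whose clock drifts by a few seconds still work.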
• Biometrics
The identification of a user based on a
physical characteristic, such as a fingerprint,
iris, face, voice, or handwriting
• This is by far the best and most effective way
to manage authentication
• Unfortunately, this method can be costly and
intrusive
• PREVENTION AND RESISTANCE
Downtime can cost an organization anywhere from $100 to $1 million per hour.
• Technologies available to help prevent and
build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls
• Content Filtering
Organizations can use content filtering technologies to filter e-mail and prevent e-mails containing sensitive information from transmitting and stop spam and viruses from spreading.
• Content filtering – occurs when organizations
use software that filters content to prevent the
transmission of unauthorized information
• Spam – a form of unsolicited e-mail
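An added example of the content filter the slide describes (not code from the presentation): it inspects a message for three things, a payment card number in the body (sensitive information leaving the organization, confirmed with the Luhn check so that ordinary 16-digit order numbers do not trip it), a blocked executable attachment (virus control), and a short spam-phrase list. The rule sets, the addresses and the sample messages are constructed for the illustration.

```python
"""E-mail content filter (added example, not the deck's own code).

Returns the names of the rules a message breaks; an empty list means the
message may pass.  Rule lists and samples are constructed assumptions."""
import re
from email.message import EmailMessage
from typing import List, Optional, Tuple

BLOCKED_EXTENSIONS = (".exe", ".scr", ".vbs", ".js", ".bat")   # constructed deny-list
SPAM_TERMS = ("free money", "act now", "you have won")          # constructed phrase list
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def filter_message(msg: EmailMessage) -> List[str]:
    """Apply the three rules to one message and return the rules it breaks."""
    reasons = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if find_card_numbers(text):
        reasons.append("card-number")          # sensitive data must not leave
    haystack = (msg["Subject"] or "").lower() + " " + text.lower()
    if any(term in haystack for term in SPAM_TERMS):
        reasons.append("spam-phrase")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            reasons.append("blocked-attachment")  # executables are not delivered
    return reasons


def build_message(subject: str, body: str,
                  attachment: Optional[Tuple[str, bytes]] = None) -> EmailMessage:
    """Construct a sample message (addresses are RFC 2606 example domains)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg


if __name__ == "__main__":
    samples = [
        build_message("Q3 figures", "Card on file: 4111 1111 1111 1111, please charge"),
        build_message("Order shipped", "Tracking 1234567890123456"),   # fails Luhn
        build_message("Invoice", "See attached", ("invoice.exe", b"MZ\x90\x00")),
        build_message("You have WON a prize", "Claim it today"),
    ]
    for sample in samples:
        print(sample["Subject"], "->", filter_message(sample) or "pass")
```

The Luhn step is the part worth copying: a bare digit-count regex alone would quarantine tracking numbers and invoice references, and an analyst who has to release those by hand soon stops trusting the filter.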
• ENCRYPTION
If there is an information security breach and
the information was encrypted, the person
stealing the information would be unable to
read it
• Encryption – scrambles information into an
alternative form that requires a key or password to
decrypt the information
• FIREWALLS
One of the most common defenses for
preventing a security breach is a firewall
• Firewall – hardware and/or software that guards a
private network by analyzing the information
leaving and entering the network
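An added example of what “analyzing the information leaving and entering the network” amounts to in a stateful firewall (example code, not from the presentation): packets are matched against an ordered rule list with a default deny, and an outbound connection the rules allowed is remembered so that its replies are admitted without a separate inbound rule. The private network range, the two rules, the addresses and the packets are constructed for the illustration.

```python
"""Stateful packet filter in miniature (added example, not the deck's code).

Policy, addresses and packets are constructed assumptions."""
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple


class Packet(NamedTuple):
    direction: str   # "in" (arriving from outside) or "out" (leaving the private network)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Rule(NamedTuple):
    direction: str
    proto: str
    src_net: str             # CIDR
    dst_net: str             # CIDR
    dport: Optional[int]     # None = any destination port
    action: str              # "allow" or "deny"


# Constructed policy: the private network is 10.0.0.0/24.  Only HTTPS may
# leave it, only the web server 10.0.0.5 may be reached from outside, and
# everything else falls through to the default deny.
RULES: List[Rule] = [
    Rule("out", "tcp", "10.0.0.0/24", "0.0.0.0/0", 443, "allow"),
    Rule("in", "tcp", "0.0.0.0/0", "10.0.0.5/32", 80, "allow"),
]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Tuple] = set()   # flows opened by an allowed outbound packet

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return (rule.direction == pkt.direction and rule.proto == pkt.proto
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
                and (rule.dport is None or rule.dport == pkt.dport))

    def decide(self, pkt: Packet) -> str:
        # 1. A reply to a flow the inside already opened is allowed (the "stateful" part).
        reverse_flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "in" and reverse_flow in self.state:
            return "allow (established)"
        # 2. Otherwise the first matching rule decides.
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        # 3. Nothing matched: default deny.
        return "deny (default)"


if __name__ == "__main__":
    fw = Firewall(RULES)
    for pkt in [
        Packet("out", "tcp", "10.0.0.7", 51000, "203.0.113.10", 443),   # browsing out
        Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.7", 51000),    # the reply
        Packet("in", "tcp", "198.51.100.9", 40000, "10.0.0.7", 22),     # unsolicited SSH
        Packet("in", "tcp", "198.51.100.9", 40001, "10.0.0.5", 80),     # web server
    ]:
        print(pkt.direction, pkt.src, "->", pkt.dst, pkt.dport, ":", fw.decide(pkt))
```

Note the ordering: the state table is consulted before the rules, so an internal host’s reply traffic is admitted even though no inbound rule names it, while an unsolicited inbound packet to the same host is still dropped.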
• FIREWALLS
Sample firewall architecture connecting
systems located in Chicago, New York, and
Boston
• DETECTION AND RESPONSE
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage

• Antivirus software is the most common type of detection and response technology
Security Policy

1. Information assets and IT assets to be protected against unauthorized access.

2. Information is not to be disclosed to unauthorized persons through deliberate or careless action.

3. Information is to be protected from unauthorized modification.

4. Information is to be available to authorized users when needed.

5. Applicable regulatory and legislative requirements are to be met.

6. All breaches of information security are to be reported and investigated.

7. Violations of policies are to be dealt with through a formal disciplinary process.
Well Known Frameworks
What Frameworks say?

• Information in all forms is an Asset (Digital/Non-digital)

• Security is a Process (and not only technology)

• Risk Based Approach (Prevent, Detect, Correct)

• Security should be measurable (Effectiveness, Efficiency)

• Controls include People, Process and Technology

• Top Management Commitment (Define Acceptable level of Risk, Allocate Resources, Implement Policy)
Well Known Frameworks

1. COBIT – Framework for Auditing Controls (Control OBjectives in Information and related Techniques)

2. ISO 27001 (BS 7799) – IS Management Framework

3. ISO 17799 – Implementation guidance on IS Controls

4. ITIL – IT Service Management Processes

5. ISO 20000 (BS 15000) – ITSM Management Framework

Scope of ISO 20000 Certification
• Supports the provision of all IT Services including the following:
  – Enterprise Planning System (SAP)
  – Infrastructure
  – Application and Data Centre Management Services
to all its customers at all the locations.
Why ISO 20000?
1. Sustained pressure to deliver high quality IT Service at minimum cost. (SLA definition, penalty clause)
2. IT services are not aligned with the needs of the business and its customers. (Requirements gathering.)
3. ISO 20k implementation will ensure standard and proactive (trend analysis etc.) working practices. (e.g. there is no concept of CPA; ISO will ensure the implementation, tracking and closure of CPAs.)
4. Would enhance the quality of IT Service delivered to their customers/users
5. Increase Effectiveness of the business operation
6. Hard evidence that quality of ITSM is taken seriously
Cyber Law of India
• Electronic record
• Digital Signature
• Certifying Authority
• Penalty for damage to information System – Section 47
– Up to 1 Crore
• Unauthorized Access, Tampering, Damage
• Penalty for failure to furnish Information – up to ten
thousand a day
• Offences
• Section 65 – Tampering : 3 Yrs / 2 Lacs
• Section 66 – Hacking : 3 Yrs / 2 Lacs
• Section 67 – Obscene Information : 5 Yrs / 1 Lac
• Section 72 – Breach of Confidentiality / Privacy : 2 yrs / 1 Lac
Post Security Implementation Benefits

• At the organizational level – Commitment
• At the legal level – Compliance
• At the operating level - Risk management
• At the commercial level - Credibility and confidence
• At the financial level - Reduced costs
• At the human level - Improved employee awareness
IT Security Stakeholder Summary

[Diagram: Confidentiality, Integrity and Availability at the centre, surrounded by the control domains Information Security Policy, Security Organisation, Compliance, Business Continuity Planning, Asset Management, Information Security Incident Management, Human Resource Security, System Development & Maintenance, Physical Security, Communication & Operations Management, Access Controls]
