Advances in technology have given rise to new operational threats to governments, companies and society as a whole; this presentation is an introduction to countermeasures against cyber threats.
7. SO WHO CARES?
You care about information security and privacy because:
Information security is a constant and critical need
Threats are becoming increasingly sophisticated
Countermeasures are evolving to meet the threats
You want to protect your assets and privacy
You want to know what tools are there for protection
Information security, information privacy, and legal and compliance are inter-related
8. INCREASE IN SECURITY INCIDENTS
[Chart: infection attempts (left axis, 0 to 900M) and network intrusion attempts (right axis, 0 to 120,000), 1995-2002. Milestones marked along the curve: Polymorphic Viruses (Tequila), Malicious Code Zombies, Mass Mailer Viruses (Love Letter/Melissa), Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer).]
*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated
**Source: CERT
[Chart: CERT/CC Reported Vulnerabilities 1988-2003 (axis 0 to 140,000). Total number of incidents reported from 1988-2003 is 319,992; average yearly increase of 40%.]
9. SOME POLLS SUGGEST
Source: CSO
Which of the following is the #1 priority?
Wireless Security (16%)
Spam/AntiVirus (17%)
Identity Management (27%)
Disaster Recovery (21%)
Other (19%)
Which of the following poses the greatest threat?
Natural Disaster (36%)
Terrorist Attack (12%)
Cyberattack (52%)
10. SCARY DATA
US Government Data
ID theft is perpetrated by hackers and their associates who steal personal information and identity (e.g. social security numbers) in order to commit various forms of fraud by assuming your identity
FTC reports that over 27.3 million Americans in the past 5 years reported their ID stolen
FTC survey revealed that ID theft costs consumers and business 53 billion in 2002
The FBI estimates that the number one threat to internet users is identity theft
Approximately 350,000 to 500,000 citizens fall victim to “id theft” every year.
Industry Data
ID theft increased to 81% in 2002
Main cause for fraud is ID theft
U.S.-based banks:
• 37 percent said identity theft significantly increased
• 34 percent said it slightly increased
• 24 percent said identity theft rates had stayed the same
• 5 percent reported that the rates decreased
11. CYBERTERRORISM
“Cyberterrorism is any "premeditated, politically
motivated attack against information, computer
systems, computer programs, and data which
results in violence against non-combatant targets by
sub-national groups or clandestine agents."
Cyberterrorism is sometimes referred to as
electronic terrorism or information war.”
U.S. Federal Bureau of Investigation
12. INFORMATION WARFARE
Use of or attacks on information and information infrastructure to achieve strategic objectives
Tools in hostilities among:
Nations
Trans-national groups (companies, NGOs, associations, interest groups, terrorists)
Corporate entities (corporations, companies, government agencies)
Individuals
13. LEVELS OF INFORMATION WARFARE
Against individuals
Theft, impersonation
Extortion, blackmail
Defamation, racism
Against organizations
Industrial espionage
Sabotage
Competitive intelligence
Against nations
Disinformation, destabilization
Infrastructure destabilization
Economic collapse
14. PRIME TARGETS
Companies with hiring volatilities
• Financial, communication, manufacturing, transportation and retail
Companies with lower volatility
• Utilities, government, healthcare and education
Areas
• IDS, Firewall, Antivirus, Identity management
• Product design, policy
• Privacy vs. Security
• Security administration
• Training and awareness
15. POTENTIAL TARGETS AGAINST OUR INFRASTRUCTURE
Electricity
Transportation
Water
Energy
Financial
Information Technology
Emergency Services
Government Operations
16. WHY USE CYBER WARFARE?
Low barriers to entry – laptops cost a lot less than tanks and bombs
Our world is dependent on computers, networks, and the Internet
Denial of service has economic, logistical, and emotional effect
Low cost to level the playing field
17. INFORMATION WARFARE STRATEGIES
The basic elements are:
Hacking
Malicious code
Electronic snooping
Old-fashioned human spying
Mass disruption can be unleashed over the internet, but attackers must first compromise private and secure networks (i.e. Unclassified, Secret, Top Secret)
19. HACKERS: INFORMATION WARRIORS?
Motives
Inflicting damage
• Alter, damage or delete information
• Deny services
• Damage public image
Personal motives
• Retaliate or ”get even”
• Political or terrorism
• Make a joke
• Show off/Just because
Economic gain
• Steal information
• Blackmail
• Financial fraud
Threats
Elite Hackers
• Black Hat
• Grey Hat
• White Hat
• No hat
Malicious Code Writers
Criminal Enterprises
Trusted Insiders
20. THE TRADITIONAL HACKER ETHIC
i. Access to computers should be unlimited and total
ii. All information should be free
iii. Mistrust authority – promote decentralization
iv. Hackers should be judged by their hacking, not criteria such as age, race, etc.
v. You can create art and beauty on the computer
vi. Computers can change your life for the better
21. GEOPOLITICAL HOTSPOTS - TRENDS
WESTERN EUROPE: Cyber-activists with anti-global/anti-capitalism goals; some malicious code
EASTERN EUROPE/RUSSIA: Malicious code development; fraud and financial hacking
CHINA: Targeting Japan, U.S., Taiwan and perceived allies of those countries
U.S.: Multiple hacker/cyber-activist/hacktivist groups; random targets
MIDDLE EAST: Palestinian hackers target Israeli .il websites; some pro-Israel activity
INDIA-PAKISTAN: Worldwide targets, Kashmir-related and Muslim-related defacements
BRAZIL: Multiple hacker groups, many mercenary; random targets
22. A BALANCED SECURITY ARCHITECTURE
Single, unifying infrastructure that many applications can leverage
A good security architecture:
Provides a core set of security services
Is modular
Provides uniformity of solutions
Supports existing and new applications
Contains technology as one component of a complete security program
Incorporates policy and standards as well as people, process, and technology
[Diagram: triangle whose three corners are People, Technology, and Policy, Standards, and Process]
23. BASIC INFORMATION SECURITY COMPONENTS
AUTHENTICATION: How do we know who is using the service?
ACCESS CONTROL: Can we control what they do?
CONFIDENTIALITY: Can we ensure the privacy of information?
DATA INTEGRITY: Can we prevent unauthorized changes to information?
NONREPUDIATION: Can we provide for non-repudiation of a transaction?
AUDITABILITY & AVAILABILITY: Do we know:
• Whether there is a problem?
• Whether it’s soon enough to take appropriate action?
• How to minimize/contain the problem?
• How to prevent denial of service?
24. DATA GOVERNANCE & CONTROLS
[Matrix: the Information Management Infrastructure (IMI) layers (Application, Networks, OS) mapped against the security dimensions and threats below; the X marks in the individual cells are not recoverable from the extracted text.]
Security dimensions: Authentication, Access Control, Confidentiality, Data Integrity, Auditability, Non-repudiation, Availability
Threats: Disclosure of information, Unauthorized access, Loss of integrity, Denial of service
25. INFORMATION SECURITY CONTROL AREAS
Information Security Policies
Roles and Responsibilities
Asset Classification and Handling
Personal Security
Physical Security
System and Operations Management Controls
General Access Controls
System Development Life Cycle
Business Continuity
Compliance, Legal and Regulatory
26. WHAT IS @RISK?
Financial & Monetary Loss Risk
Payroll information leakage
Reputation Risk
Distributed attacks from campus
Terrorism
Laptop theft
ID Theft
Litigation & Regulatory Risk
HIPAA, GLB, CA 1386
27. INFORMATION SECURITY BODIES, STANDARDS & PRIVACY LAWS
Standards & Privacy Laws
British Standards (ISO 17799)
EU Data Protection Act of 1998 (DPA)
Health Insurance Portability and Accountability Act (HIPAA)
Fair Credit Reporting Act (FCRA)
National Institute for Standards & Technology (www.NIST.gov):
Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration. NIST's mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
Computer Emergency Response Team (www.cert.org):
The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
32. RISK MITIGATION
100% risk mitigation and not 100% control
Good Information Management Infrastructure that:
Provides a modular core set of controls
Supports existing infrastructures and new applications
Incorporates policy and standards, people, process, and technology
Provides a horizontal and vertical risk assessment program
Provides a collaborative issues resolution system
Balanced Information Management Infrastructure (IMI) Risk Mitigation
Vertical – up and down controls in branches and business units
Horizontal – policies, best practices, processes and priorities across the organization
[Diagram: triangle whose corners are People, Information Technology, and Policies, Standards & Guidelines, with a "self or automatic equilibrium point" at its centre]
33. RISK MANAGEMENT METHODOLOGY
[Diagram: Risk Assessment weighed against Risk Tolerance and Organizational Dynamics at a Point of Balance, with Key Risk Indicators on one side and Risk Takers on the other]
34. KEY RISK INDICATORS
[Diagram: the inputs below feed a Risk Evaluation Model that produces a Risk Rating]
Asset Value
Stakeholders
Pen Testing
Site Reviews
Vendor Audit Reviews
Regulatory Compliance
Self Assessment
Security & Privacy Incidents
Loss Amount/ROI
Business Impact
36. DEMAND – BASED ON GARTNER STUDIES
General IT staff outsourcing has gone up 24% since the US recession was over
Growth in IT staff augmentation will be limited and in single digits
Security outsourcing is trending up
• Identity management
• Vulnerability Assessment
• Operations
• Firewall management, antivirus and IDS
37. INFOSEC PEOPLE
Typical jobs for contract:
Business Intelligence
Business Analysis
Risk Management
Information Security Officer
Information Privacy Officer
Digital Forensics Experts
Job seeker support to help professionals identify new career opportunities when they are unemployed or contingency searching due to circumstances at their workplace;
Contractor placement to help independent contractors identify and secure short and long term contract work based on hourly rates; and
Corporate candidate search to help clients identify candidates for new or vacant positions, as well as contingency searching to stage replacement of human resources
38. TYPES OF RECRUITING
Contract & Temporary – constant spread based
• Profit margins are small
• Limited
• Hourly, weekly, monthly
Permanent – one time commission based
• Entry levels
• Mid levels
• Management, Technical, Operations, Design & Architecture
Outsourcing – profit margins are high
40. WHAT IS SOCIAL ENGINEERING?
Social Engineering is the art and science of tricking one or more human beings into doing what an attacker wants them to do, or into revealing information that compromises a target’s security.
Classic Social Engineering scams include posing as a field service technician and calling an operator to reveal private information such as passwords.
Social Engineering is an evolving art that uses the simplest and most creative schemes and involves minimal technical expertise.
The cyberwar strategy relies on hacking, virus writing, electronic snooping and plenty of good old-fashioned human spying. Much disruption can be unleashed over the Internet, but attackers first need to pry open electronic gates to private and secure networks with well-placed insiders, or at least inside knowledge, before they can be effective. Source: Far Eastern Economic Review, Copyright (c) 2001, Dow Jones & Company, Inc., Thursday, August 16, 2001, Innovation, Cyberwar, Combat on The Web; Charles Bickers in Tokyo
Take some of the examples and put them in a concrete context. Probe participants on what they are doing currently to protect against some of these methods. DO NOT GO INTO DETAIL IN THIS MODULE, WE COME BACK TO THIS LATER.
The bullets are just examples of the three main motives. Be sure to exemplify most of them. Invite participants to come up with other motives and see if they fit into the three top categories. There is no direct relationship between threats and motives; basically any mix is possible. However, the teen hackers are mostly hacking for personal motives. Criminals almost exclusively do it for economic gain.
From an information management perspective, we divide the infrastructure into three distinct areas:
Network – This is the communication infrastructure that carries traffic for e-commerce and can be internet based as well as private. This includes Wide Area, Local Area and Metro Area Networks, Storage Area Networks, Wireless Networks and Voice Networks.
Application – This logical structure includes all of the applications that are currently used to create efficiencies in the work place.
Operating System (OS) – This is the nucleus that makes both communication and application functions possible. This includes clients, servers and mainframes: Mainframe, UNIX, MAC, Windows X.
The security & privacy dimensions of this model that need to be addressed any time data is accessed are the following: Authentication, Confidentiality, Access Controls, Data Integrity, Audit-ability, Non-Repudiation, Availability.
Detection – Incidents are detected from many sources such as people, customer service desks, audits, alerts and the technology trouble ticket system.
Assessment – Determine scope and assemble Response Team members.
Analysis – Classify the incident; determine actions and possible escalation requirements; and work with the Response Team to determine actions.
Containment – Activities designed to keep the incident from escalating in severity and to limit the number of affected clients.
Forensics – When required, identify, preserve, and analyze potential evidence.
Resolution/Recovery – Determine the extent of damage and the type of response needed; prepare the necessary resolution statements (e.g. notification letter, inbound and outbound scripts). Evaluate whether notification is necessary and then document lessons learned. It is at this stage that other major stakeholders may be involved, such as Human Resources, OGC, Public Relations, Physical Security and Law Enforcement.