Advances in technology have given rise to new operational threats to governments,companies and society as a whole,this presentation is an introduction of countermeasures against cyber threat.

1. INTRO TO IT
SECURITY
By
Cade Zvavanjanja
CISO
Gainful Information Security

2. AGENDA
 Information Security
 Information Privacy
 Risk Management
 Opportunities & Markets
 Some Examples

3. Holistic IT security
Vetting / Information
References Business Security
Disciplinary Interfaces Policies
Procedure
Build Standards
Awareness &
Training IT/IS/
Threat
Modelling
Anti-Virus Development
Security in
Patch SDLC
Management
Application
Vulnerability
Assessment
Data Storage Testing
Penetration
Configuration Testing
Reviews
Access Control
Encryption
Ecommerce
Reviews
Site
Firewalls Legislative
Compliance
Intrusion
Detection
3

4. INFORMATION WARFARE
THE MATRIX UPLOADED – SO
WHAT?

5. TODAY’S TREND
Terrorists White Collar Insider/Espionage Open
Crime Source
Disasters Theft Scripts ID Theft

6. IT Security

7. SO WHO CARES?
 You care about information security and privacy
because:
 Information Security is a constant and a critical need
 Threats are becoming increasingly sophisticated
 Countermeasures are evolving to meet the threats
 You want to protect your asset and privacy
 You want to know what tools are there for protection and
Because information security, information privacy and
legal and compliance are inter-related

8. INCREASE IN SECURITY
INCIDENTS
900M 120,000
800M Blended Threats 100,000
Network Intrusion Attempts
700M (CodeRed, Nimda, Slammer)
Infection Attempts
600M Denial of Service 80,000
(Yahoo!, eBay)
500M
Mass Mailer Viruses 60,000
400M (Love Letter/Melissa)
300M Malicious Code 40,000
Zombies Infection
200M Attempts* Network
Polymorphic Viruses 20,000
Intrusion
100M (Tequila)
Attempts**
0 0
1995 1996 1997 1998 1999 2000 2001 2002
*Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2002 estimated
**Source: CERT
CERTCC Reported Vulnerabilities 1988-2003
Total Number of Incidents
140000 Reported from 1988-2003 is 319,992
120000
Average Yearly Increase of 40%
100000
80000 CERTCC Reported
60000 Vulnerabilities
40000
20000
0

9. SOME POLLS SUGGEST
SOURCE CSO
 Which of the following is #1 priority
 Wireless Security (16%)
 Spam/AntiVirus (17%)
 Identity Management (27%)
 Disaster Recovery (21%)
 Other (19%)
 Which of the following poses the greatest threat
 Natural Disaster (36%)
 Terrorist Attack (12%)
 Cyberattack (52%)

10. SCARY DATA
 US Government Data  Industry Data
 Id theft is perpetrated by  ID theft increased to 81%
hackers and their associates
who steal personal information in 2002
and identity (e.g. social security  Main cause for fraud is id
numbers) in order to commit
various forms of fraud by theft
assuming your identity  U.S.-based banks
 FTC reports that over 27.3  37 percent said identify
million Americans in the past 5
years reported their ID stolen theft significantly
 FTC survey revealed that ID increased
theft costs consumers and  34 percent said it
business 53 billion in 2002
slightly increased
 The FBI estimates that the
number one threat to internet  24 percent said identity
users is identity theft theft rates had stayed
 Approximately 350,000 to the same
500,000 citizens fall victims to  5 percent reported that
“id theft” every year.
the rates decreased

11. CYBERTERRORISM
“Cyberterrorism is any "premeditated, politically
motivated attack against information, computer
systems, computer programs, and data which
results in violence against non-combatant targets by
sub-national groups or clandestine agents."
Cyberterrorism is sometimes referred to as
electronic terrorism or information war.”
U.S. Federal Bureau of Investigation

12. INFORMATION WARFARE
 Use of or attacks on information and information
infrastructure to achieve strategic objectives
 Tools in hostilities among
 Nations
 Trans-national groups (companies, NGOs,
associations, interest groups, terrorists)
 Corporate entities (corporations, companies,
government agencies)
 Individuals

13. LEVELS OF INFORMATION
WARFARE
 Against individuals
 Theft,impersonation
 Extortion, blackmail
 Defamation, racism
 Against organizations
 Industrial espionage
 Sabotage
 Competitive intelligence
 Against nations
 Disinformation, destabilization
 Infrastructure destabilization
 Economic collapse

14. PRIME TARGETS
 Companies with hiring volatilities
• Financial, communication, manufacturing, transportation and
retail
 Companies with lower volatility
• Utilities, government, healthcare and education
 Areas
• IDS, Firewall, Anti virus, Identity management
• Product design, policy
• Privacy vs. Security
• Security administration
• Training and awareness

15. POTENTIAL TARGETS AGAINST OUR
INFRASTRUCTURE
 Electricity
 Transportation
 Water
 Energy
 Financial
 Information Technology
 Emergency Services
 Government Operations

16. WHY USE CYBER WARFARE?
 Low barriers to entry – laptops cost a lot less
than tanks and bombs
 Our world is dependent on computers, networks,
and the Internet
 Denial of service has economic, logistical, and
emotional effect
 Low cost to level the playing field

17. INFORMATION WARFARE STRATEGIES
 The basic elements are:
 Hacking
 Malicious code
 Electronic snooping
 Old-fashioned human spying
 Mass disruption can be unleashed over the
internet, but
 Attackers must first compromise private and
secure networks (i.e. Unclassified, Secret, Top
Secret)

18. WHAT ARE THE METHODS?
 Password cracking  Network eavesdropping
 Viruses  Intrusion attacks
 Trojan horses / RATS  Network spoofing
 Worms
 Session hijacking
 Denial-of-service attacks
 E-mail impersonation  Packet replay
 E-mail eavesdropping  Packet modification
 Network packet modification
 Cryptography
 Steganography
 Identity theft

19. HACKERS INFORMATION WARRIORS?
Inflicting damage Personal motives
 Retaliate or ”get even”
 Alter, damage or delete  Political or terrorism
information  Make a joke
 Show off/Just Because
 Deny services
Elite Hackers
 Damage public image  Black Hat
 Grey Hat
 White Hat
 No hat
Economic gain  Malicious Code Writers
 Steal information
 Criminal Enterprises
 Trusted Insiders
 Blackmail
 Financial fraud

20. THE TRADITIONAL HACKER ETHIC
i. Access to computers should be unlimited and total
ii. All information should be free
iii. Mistrust authority – promote decentralization
iv. Hackers should be judged by their hacking, not criteria
such as age, race, etc.
v. You can create art and beauty on the computer
vi. Computers can change your life for the better

21. GEOPOLITICAL HOTSPOTS -TRENDS
WESTERN EUROPE
Cyber-activists with anti-
EASTERN EUROPE/RUSSIA
global/anti-capitalism
Malicious code development; fraud
goals; some malicious
and financial hacking
code
CHINA
Targeting Japan, U.S., Taiwan and
perceived allies of those countries
U.S.
Multiple hacker/cyber-
activist/hacktivist groups;
random targets MIDDLE EAST
Palestinian hackers target INDIA-PAKISTAN
Israeli .il websites; some pro- Worldwide targets, Kashmir-
Israel activity related and Muslim-related
defacements
BRAZIL
Multiple hacker groups,
many mercenary;
random targets

22. A BALANCED SECURITY
ARCHITECTURE
 Single, unifying infrastructure that many
applications can leverage
 A good security architecture:
 Provides a core set of security services
 Is modular
 Provides uniformity of solutions
 Supports existing and new applications Policy,
 Contains technology as one component of a Standards,
and Process
complete security program
 Incorporates policy and standards as well as
people, process, and technology
People Technology

23. BASIC INFORMATION SECURITY
COMPONENTS
 AUTHENTICATION:  NONREPUDIATION:
 How do we know who is using the  Can we provide for non-
service? repudiation of a transaction?
 ACCESS CONTROL:  AUDITABILITY &
 Can we control what they do?
AVAILABILITY
 Do we know:
 CONFIDENTIALITY:
 Whether there is a
 Can we ensure the privacy of problem? Whether it’s
information?
soon enough to take
 DATA INTEGRITY: appropriate action?
 How to minimize/contain
 Can we prevent unauthorized
changes to information? the problem?
 How to prevent denial of
service?

24. DATA GOVERNANCE & CONTROLS
X X X X X X Application Information
Management
X X Networks X X Infrastructure
(IMI)
X X X OS X Threats
Disclosure of information
Non-repudiation
Authentication
Unauthorized access
Confidentiality
Data Integrity
Audit ability
Access Cntrl
Availability
Loss of integrity
Denial of service

25. INFORMATION SECURITY CONTROL
AREAS
 Information Security Policies
 Roles and Responsibilities
 Asset Classification and Handling
 Personal Security
 Physical Security
 System and Operations Management Controls
 General Access Controls
 System Development Life Cycle
 Business Continuity
 Compliance, Legal and Regulatory

26. WHAT IS @RISK?
 Financial & Monetary Loss Risk
 Payroll information leakage
 Reputation Risk
 Distributed attacks from campus
 Terrorism
 Laptop theft
 ID Theft
 Litigation & Regulatory Risk
 HIPAA, GLB, CA 1386

27. INFORMATION SECURITY BODIES,
STANDARDS & PRIVACY LAWS
 Standards & Privacy Laws
 British Standards (ISO 17799)
 EU Data Protection Act of 1998 (DPA)
 Health Insurance Portability and Accountability Act (HIPAA)
 Fair Credit Reporting Act (FCRA)
 National Institute for Standards & Technology (www.NIST.gov):
 Founded in 1901, NIST is a non-regulatory federal agency within the
U.S. Commerce Department's Technology Administration.
 NIST's mission is to develop and promote measurements, standards,
and technology to enhance productivity, facilitate trade, and improve
the quality of life.
 Computer Emergency Response Team www.cert.org:
 The CERT® Coordination Center (CERT/CC) is a center of Internet
security expertise at the Software Engineering Institute, a federally
funded research and development center operated by
Carnegie Mellon University.

28. Information Privacy

29. Privacy Governance Architecture
Process
Process Opt/in/out
Opt/in/out
Security/Pr
Security/Pr Organization
ivacy Organization
ivacy Compliance
Policy
Policy
Technology Regulatory
Regulatory
Technology Requirement
Requirement
People
People
Planning and Program Metrics
Strategy Program Maturity
• •Privacy Strategy • •Privacy Risk Assessments • •External Support Infrastructure
Privacy Strategy Privacy Risk Assessments External Support Infrastructure
• •Data Classification Analysis • •Data Governance • •Privacy Auditing
Data Classification Analysis Data Governance Privacy Auditing
• •Privacy Teams • •Vendor Governance • •Incident Response
Privacy Teams Vendor Governance Incident Response
• •Policy Development • •Technology Planning • •Crisis Management
Policy Development Technology Planning Crisis Management
• •Policy Update Plans • •Business Process Review • •Knowledge Management
Policy Update Plans Business Process Review Knowledge Management
• Decision Management • Information Security • •Consumer Support Infrastructure
• Decision Management • Information Security Consumer Support Infrastructure
• •Privacy Support Architecture • •Information Privacy • •Open Source Intelligence
Privacy Support Architecture Information Privacy Open Source Intelligence
• •Awareness
Awareness

30. HIGH LEVEL OVERVIEW
- Notify client
- Notify regulators
- Remediate
- Analyze long - Detect Incident
term effects Resolution & - Identify source of
Detection identified
- Analyze lessons Reporting
learned -Log incident
- Reduce false positive
Privacy - Determine scope
- Assemble Response
Digital Incident Assessment
Team
- Collect & sort facts
Response
Forensics
Process
- Engage digital forensics
process
- Determine
- Collect evidence
scope
- Engage 3rd party
Containment Analysis - Assemble
Response Team
- Collect & sort
-Technology containment
facts
- Process containment
- Procedure containment

31. Information Security &
Privacy
Risk Management

32. RISK MITIGATION
 100% Risk Mitigation and not 100 % control
 Good Information Management Infrastructure
that
 Provides modular core set of controls
 Supports existing, infrastructures and new
applications Policies,
 Incorporates policy and standards, people, process,
People Standards &
and technology Guidelines
 Provides a horizontal and vertical risk SELF or
AUTOMATIC assessment program Equilibrium
 Provides collaborative issues resolution system Point
 Balanced Information Management
Infrastructure (IMI)
 Risk Mitigation
 Vertical – up and down controls in branches and
business units
 Horizontal – policies, best practices, processes and Information
priorities across the organization Technology

33. RISK MANAGEMENT METHODOLOGY
Risk Assessment
Risk Tolerance Organizational Dynamics
Point of
Balance
Key Risk Indicator Risk Takers

34. Key Risk Indicators
Asset Value Stakeholders
Pen Testing Site Reviews
Vendor
Audit
Reviews
Regulatory Compliance Self Security
Loss Amount/ROI
Assessment & Privacy
Incidents
Business Impact Risk Evaluation Model Risk Rating

35. Market Opportunities

36. DEMAND – BASED ON GARTNER
STUDIES
 General IT staff outsourcing has gone up 24%
since US recession was over
 Growth in IT staff augmentation will be limited
and in single digits
 Security outsourcing is trending up
 Identity management
 Vulnerability Assessment
 Operations
 Firewall management, anti virus and IDS

37. INFOSEC PEOPLE
 Typical jobs for contract
 Business Intelligence
 Business Analysis
 Risk Management
 Information Security Officer
 Information Privacy Officer
 Digital Forensics Experts
 Job seeker support to help professionals identify new
career opportunities when they are unemployed or
contingency searching due to circumstances at their
workplace;
 Contractor placement to help independent contractors
identify and secure short and long term contract work
based on hourly rates; and
 Corporate candidate search to help clients identify
candidates for new or vacant positions, as well as
contingency searching to stage replacement of human
resources

38. TYPES OF RECRUITING
 Contract & Temporary – constant spread based
 Profit margins are small
 Limited
 Hourly, weekly monthly
 Permanent – one time commission based
 Entry levels
 Mid levels
 Management, Technical, Operations, Design &
Architecture
 Outsourcing – profit margins are high

39. Some Examples

40. WHAT IS SOCIAL ENGINEERING
 Social Engineering is the art and science of use to
trick one or more human beings to do what an
attackers wants them to do or to reveal information
that compromises a target’s security.
 Classic Social Engineering scams include, posing as
a field service technician, calling an operator to
reveal private information such as passwords and
the like.
 Social Engineering is an evolving art that uses the
simplest and most creative schemes and involves
minimal technical expertise

41. TERRORISTS AND
STEGANOGRAPHY?

43. Thank You
Tel: +236 733 782 490
+263 773 796 365
+263 -4- 733 117
Eml: info@gis.co.zw
cade@gis.co.zw
Web: www.gis.co.zw