Information Security Fundamentals - PowerPoint PPT Presentation
1
Information Security Fundamentals
Michael Sukkarieh CISSP, MBA, MS
2
Plan for Class
  • We will follow the book chapters
  • Starting next week we will go over a chapter
    and then you will take the exam at the end of each
    chapter
  • Requirements
  • A paper
  • An exam
  • Assignments
  • Case studies
  • Weekly participation using a Control Assessment
    Instrument
  • Weekly PPT presentation of assignments
  • Paper review

3
About the CISSP exam
  • ISC2.org
  • The process has two steps: examination and
    certification
  • Once a CISSP candidate passes, the application
    must be endorsed by a qualified 3rd party
  • A CISSP, the candidate's employer and other parties
    can endorse
  • 90 days to submit the endorsement
  • Exam: 6 hours with 250 questions
  • 10 are experimental
  • No penalties for wrong answers
  • CPE credits to keep the accreditation
  • A fee to take the test and a fee for maintenance

4
Information Security Policy Control Areas
  • Information Security Policies
  • Information Security Organization
  • Asset Classification and Handling
  • Personnel Security
  • Physical Security
  • System and Operations Management Controls
  • General Access Controls
  • System Development Life Cycle
  • Business Continuity
  • Compliance, Legal and Regulatory

5
Information Warfare: The Matrix Uploaded. So what?
Michael Sukkarieh CISSP, MBA, MS
6
Agenda
  • Information Security
  • Information Privacy
  • Risk Management
  • Opportunities & Markets
  • Some Examples

7
Today's Trend / Today's World
  • Open Source
  • Insider/Espionage
  • Terrorists
  • White Collar Crime
  • Disasters
  • Theft
  • Scripts
  • ID Theft
8
  • Information Security

9
So Who Cares?
  • You care about information security and privacy
    because:
  • Information security is a constant and critical
    need
  • Threats are becoming increasingly sophisticated
  • Countermeasures are evolving to meet the threats
  • You want to protect your assets and privacy
  • You want to know what tools are there for
    protection
  • Information security, information privacy, and
    legal and compliance are inter-related

10
Increase in Security Incidents
11
Some Polls Suggest (Source: CSO)
  • Which of the following is the #1 priority?
  • Wireless Security (16%)
  • Spam/AntiVirus (17%)
  • Identity Management (27%)
  • Disaster Recovery (21%)
  • Other (19%)
  • Which of the following poses the greatest threat?
  • Natural Disaster (36%)
  • Terrorist Attack (12%)
  • Cyberattack (52%)

12
Scary Data
  • Industry Data
  • ID theft up 81% in 2002
  • The main cause of fraud is ID theft
  • U.S.-based banks:
  • 37 percent said identity theft significantly
    increased
  • 34 percent said it slightly increased
  • 24 percent said identity theft rates had stayed
    the same
  • 5 percent reported that the rates decreased
  • US Government Data
  • ID theft is perpetrated by hackers and their
    associates who steal personal information and
    identifiers (e.g. social security numbers) in
    order to commit various forms of fraud by assuming
    your identity
  • FTC reports that over 27.3 million Americans in
    the past 5 years reported their ID stolen
  • FTC survey revealed that ID theft cost consumers
    and business $53 billion in 2002
  • The FBI estimates that the number one threat to
    internet users is identity theft
  • Approximately 350,000 to 500,000 citizens fall
    victim to ID theft every year.

13
Cyberterrorism
  • Cyberterrorism is any "premeditated, politically
    motivated attack against information, computer
    systems, computer programs, and data which
    results in violence against non-combatant targets
    by sub-national groups or clandestine agents."
    Cyberterrorism is sometimes referred to as
    electronic terrorism or information war.
  • Source: U.S. Federal Bureau of Investigation

14
Information Warfare
  • Use of or attacks on information and information
    infrastructure to achieve strategic objectives
  • Tools in hostilities among
  • Nations
  • Trans-national groups (companies, NGOs,
    associations, interest groups, terrorists)
  • Corporate entities (corporations, companies,
    government agencies)
  • Individuals

15
Levels of Information Warfare
  • Against individuals
  • Theft, impersonation
  • Extortion, blackmail
  • Defamation, racism
  • Against organizations
  • Industrial espionage
  • Sabotage
  • Competitive intelligence
  • Against nations
  • Disinformation, destabilization
  • Infrastructure destabilization
  • Economic collapse

16
Presidential Decision Directive 63 (May 22, 1998)
  • President Clinton ordered the strengthening of
    the nation's defenses against emerging
    unconventional threats to the United States to
    include those involving terrorist acts, weapons
    of mass destruction, assaults on our critical
    infrastructures, and cyber-based attacks.
  • Called for a national-level effort to assure the
    security of the increasingly vulnerable and
    interconnected infrastructures of the United
    States.
  • Major component involved the development and
    implementation of a plan by each department and
    agency of the Federal Government to protect its
    own critical infrastructure, to include, but not
    limited, to its cyber-based systems.

17
Prime Targets
  • Companies with hiring volatilities
  • Financial, communication, manufacturing,
    transportation and retail
  • Companies with lower volatility
  • Utilities, government, healthcare and education
  • Areas
  • IDS, Firewall, Anti virus, Identity management
  • Product design, policy
  • Privacy vs. Security
  • Security administration
  • Training and awareness

18
Potential Targets within our Infrastructure
  • Electricity
  • Transportation
  • Water
  • Energy
  • Financial
  • Information Technology
  • Emergency Services
  • Government Operations

19
Why Use Cyber Warfare?
  • Low barriers to entry: laptops cost a lot less
    than tanks and bombs
  • Our world is dependent on computers, networks,
    and the Internet
  • Denial of service has economic, logistical, and
    emotional effect
  • Low cost to level the playing field

20
Information Warfare Strategies
  • The basic elements are
  • Hacking
  • Malicious code
  • Electronic snooping
  • Old-fashioned human spying
  • Mass disruption can be unleashed over the
    internet, but
  • Attackers must first compromise private and
    secure networks (e.g. Unclassified, Secret, Top
    Secret)

21
What are the methods?
  • Password cracking
  • Viruses
  • Trojan horses / RATs
  • Worms
  • Denial-of-service attacks
  • E-mail impersonation
  • E-mail eavesdropping
  • Network packet modification
  • Network eavesdropping
  • Intrusion attacks
  • Network spoofing
  • Session hijacking
  • Packet replay
  • Packet modification
  • Cryptography
  • Steganography
  • Identity theft

22
Hackers: Information Warriors?
  • Inflicting damage
  • Alter, damage or delete information
  • Deny services
  • Damage public image
  • Personal motives
  • Retaliate or get even
  • Political or terrorism
  • Make a joke
  • Show off/Just Because
  • Elite Hackers
  • Black Hat
  • Grey Hat
  • White Hat
  • No hat
  • Malicious Code Writers
  • Criminal Enterprises
  • Trusted Insiders
  • Economic gain
  • Steal information
  • Blackmail
  • Financial fraud

23
The Traditional Hacker Ethic
  • Access to computers should be unlimited and total
  • All information should be free
  • Mistrust authority; promote decentralization
  • Hackers should be judged by their hacking, not
    criteria such as age, race, etc.
  • You can create art and beauty on the computer
  • Computers can change your life for the better

24
Geopolitical Hotspots - Trends
25
A Balanced Security Architecture
  • Single, unifying infrastructure that many
    applications can leverage
  • A good security architecture
  • Provides a core set of security services
  • Is modular
  • Provides uniformity of solutions
  • Supports existing and new applications
  • Contains technology as one component of a
    complete security program
  • Incorporates policy and standards as well as
    people, process, and technology

Diagram: three interlocking elements - Policy, Standards and Process; People; Technology
26
Basic Information Security Components
  • AUTHENTICATION
  • How do we know who is using the service?
  • ACCESS CONTROL
  • Can we control what they do?
  • CONFIDENTIALITY
  • Can we ensure the privacy of information?
  • DATA INTEGRITY
  • Can we prevent unauthorized changes to
    information?
  • NONREPUDIATION
  • Can we provide for non-repudiation of a
    transaction?
  • AUDITABILITY / AVAILABILITY
  • Do we know:
  • Whether there is a problem? Whether it's soon
    enough to take appropriate action?
  • How to minimize/contain the problem?
  • How to prevent denial of service?
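The components above map onto concrete mechanisms. The following Python script is an added example, not part of the slides: it uses only the standard library and constructed data, and its names (register, authenticate, authorize, seal, verify, audited, demo) are this example's own. It shows authentication with a salted PBKDF2 hash and constant-time comparison, default-deny access control from a small ACL, data integrity via an HMAC tag that detects a tampered payroll record, and an audit trail of access decisions. Confidentiality (encryption) and non-repudiation are deliberately left out: a shared HMAC key cannot provide non-repudiation, because either holder of the key could have produced the tag; that needs an asymmetric digital signature.

```python
"""Added example: minimal authentication, access control, integrity and
audit checks on a constructed payroll record (stdlib only)."""
import hashlib
import hmac
import json
import secrets

# --- AUTHENTICATION: how do we know who is using the service? ----------
def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the store never holds the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(store: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[user] = (salt, _derive(password, salt))

def authenticate(store: dict, user: str, password: str) -> bool:
    if user not in store:
        _derive(password, b"\x00" * 16)   # same cost, so unknown users are not faster to probe
        return False
    salt, stored = store[user]
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _derive(password, salt))

# --- ACCESS CONTROL: can we control what they do? ----------------------
ACL = {                       # constructed policy: (user, action) -> resources
    ("alice", "read"): {"payroll"},
    ("alice", "write"): {"payroll"},
    ("bob", "read"): {"payroll"},
}

def authorize(user: str, action: str, resource: str) -> bool:
    # Default deny: anything not explicitly listed is refused.
    return resource in ACL.get((user, action), set())

# --- DATA INTEGRITY: can we prevent unauthorized changes? --------------
INTEGRITY_KEY = secrets.token_bytes(32)   # constructed; would live in a key store

def seal(record: dict):
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, body, "sha256").hexdigest()
    return body, tag

def verify(body: bytes, tag: str) -> bool:
    # NOTE: this proves the data is unchanged, not who produced it.
    # Non-repudiation would need a signature under a private key.
    expected = hmac.new(INTEGRITY_KEY, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)

# --- AUDITABILITY: do we know whether there is a problem? --------------
def audited(log: list, user: str, action: str, resource: str, ok: bool) -> None:
    log.append({"user": user, "action": action, "resource": resource, "allowed": ok})

def demo() -> dict:
    store, log = {}, []
    register(store, "alice", "correct horse battery staple")
    results = {
        "good_login": authenticate(store, "alice", "correct horse battery staple"),
        "bad_login": authenticate(store, "alice", "wrong"),
        "unknown_user": authenticate(store, "mallory", "x"),
        "alice_write": authorize("alice", "write", "payroll"),
        "bob_write": authorize("bob", "write", "payroll"),
    }
    audited(log, "bob", "write", "payroll", results["bob_write"])
    body, tag = seal({"employee": "bob", "salary": 50000})
    results["intact"] = verify(body, tag)
    # An attacker edits the record without the key: the tag no longer matches.
    tampered = body.replace(b"50000", b"90000")
    results["tampered"] = verify(tampered, tag)
    results["audit_entries"] = len(log)
    return results

if __name__ == "__main__":
    print(demo())
```

Each check is a separate function so the services can be reasoned about, and tested, independently; in a real system the ACL and the integrity key would come from a policy store and a key management service rather than module constants.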

27
Data Governance Controls
Information Management Infrastructure (IMI) threats, shown per layer (Application, Networks, OS):
  • Disclosure of information
  • Unauthorized access
  • Loss of integrity
  • Denial of service
Controls mapped against those threats:
  • Authentication
  • Confidentiality
  • Auditability
  • Non-repudiation
  • Access Control
  • Data Integrity
  • Availability
[Slide matrix: X marks which control addresses which threat at each layer; the cell positions are not recoverable from the transcript.]
28
Information Security Control Areas
  • Information Security Policies
  • Roles and Responsibilities
  • Asset Classification and Handling
  • Personnel Security
  • Physical Security
  • System and Operations Management Controls
  • General Access Controls
  • System Development Life Cycle
  • Business Continuity
  • Compliance, Legal and Regulatory

29
What is at Risk?
  • Financial / Monetary Loss Risk
  • Payroll information leakage
  • Reputation Risk
  • Distributed attacks launched from campus
  • Terrorism
  • Laptop theft
  • ID Theft
  • Litigation / Regulatory Risk
  • HIPAA, GLB, CA SB 1386

30
Information Security Bodies, Standards & Privacy
Laws
  • Standards & Privacy Laws
  • British Standard BS 7799 (basis of ISO 17799)
  • UK Data Protection Act 1998 (DPA), implementing
    the EU Data Protection Directive
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Fair Credit Reporting Act (FCRA)
  • National Institute of Standards and Technology
    (www.NIST.gov)
  • Founded in 1901, NIST is a non-regulatory federal
    agency within the U.S. Commerce Department's
    Technology Administration.
  • NIST's mission is to develop and promote
    measurements, standards, and technology to
    enhance productivity, facilitate trade, and
    improve the quality of life.
  • Computer Emergency Response Team www.cert.org
  • The CERT Coordination Center (CERT/CC) is a
    center of Internet security expertise at the
    Software Engineering Institute, a federally
    funded research and development center operated
    by Carnegie Mellon University.

31
Information Security Organizations
32
  • Information Privacy

33
Privacy Regulations Environment
  • Restrictive regulatory / compliance environment
  • Multinational laws & regulations
  • National laws & regulations at the federal level
  • Supersede state & provincial laws
  • State & provincial laws
  • Complicated 3rd-party relationships
  • Increased use of web-based applications

34
U.S. Privacy Regulations (chronological)
  • 1970 FCRA - Promotes accuracy in consumer
    reporting & ensures its privacy
  • 1974 US Privacy Act - Helps citizens gain access
    to government records
  • 1978 RFPA - Provides confidentiality to
    financial records & their transfer
  • 1986 Electronic Communications Privacy Act -
    Guards against unlawful access to stored
    communications
  • 1987 Computer Security Act - Requires improving
    information security & privacy in government
    agencies
  • 1996 HIPAA - Prohibits sharing of health
    information for non-health-care reasons
  • 1997 21 CFR Part 11 - Creates criteria for
    electronic record keeping in promoting public
    health
  • 1998 COPPA - Gives parents control over
    information collected from their children on the
    Internet
  • 1999 GLB - Requires financial institutions to
    disclose privacy policies & allow client opt-out
    of information sharing
  • 2001 USA PATRIOT Act - Enhances law enforcement
    investigative tools to deter & punish terrorists
  • 2002 Sarbanes-Oxley - Requires certification of
    corporate financial accounting
  • 2003 CA SB 1386 - Requires personal information
    protection & notification in case of compromise
35
Privacy Governance Architecture
Diagram axes: Process, Organization, Technology, People; drivers: Opt-in/out, Compliance, Security/Privacy Policy, Regulatory Requirement; stages: Planning and Strategy, Program Metrics, Program Maturity
  • Privacy Strategy
  • Data Classification Analysis
  • Privacy Teams
  • Policy Development
  • Policy Update Plans
  • Decision Management
  • Privacy Support Architecture
  • Awareness
  • Privacy Risk Assessments
  • Data Governance
  • Vendor Governance
  • Technology Planning
  • Business Process Review
  • Information Security
  • Information Privacy
  • External Support Infrastructure
  • Privacy Auditing
  • Incident Response
  • Crisis Management
  • Knowledge Management
  • Consumer Support Infrastructure
  • Open Source Intelligence

36
High Level Overview: Privacy Incident Response Process
  • Detect incident
  • Identify source of the incident
  • Log incident
  • Reduce false positives
  • Determine scope
  • Assemble Response Team
  • Collect & sort facts
  • Engage digital forensics process
  • Collect evidence
  • Engage 3rd party
  • Technology containment
  • Process containment
  • Procedure containment
  • Notify client
  • Notify regulators
  • Remediate
  • Analyze long term effects
  • Analyze lessons learned
37
  • Information Security & Privacy Risk Management

38
Risk Mitigation
  • 100% risk mitigation, not 100% control
  • A good Information Management Infrastructure that
  • Provides a modular core set of controls
  • Supports existing infrastructures and new
    applications
  • Incorporates policy and standards, people,
    process, and technology
  • Provides a horizontal and vertical risk SELF or
    AUTOMATIC assessment program
  • Provides a collaborative issue resolution system
  • Balanced Information Management Infrastructure
    (IMI)
  • Risk Mitigation
  • Vertical: up-and-down controls in branches and
    business units
  • Horizontal: policies, best practices, processes
    and priorities across the organization

39
Risk Management Methodology
40
Key Risk Indicators
Inputs to the Risk Evaluation Model: Pen Testing, Site Reviews, Asset Value, Stakeholders, Audit, Vendor Reviews, Regulatory, Self Assessment, Compliance, Security & Privacy Incidents, Loss Amount/ROI, Business Impact
Output: Risk Rating
41
  • Market Opportunities

42
Demand based on Gartner studies
  • General IT staff outsourcing has gone up 24%
    since the US recession ended
  • Growth in IT staff augmentation will be limited
    and in single digits
  • Security outsourcing is trending up
  • Identity management
  • Vulnerability assessment
  • Operations
  • Firewall management, anti-virus and IDS

43
InfoSec People
  • Typical contract jobs
  • Business Intelligence
  • Business Analysis
  • Risk Management
  • Information Security Officer
  • Information Privacy Officer
  • Digital Forensics Experts
  • Job seeker support: helps professionals identify
    new career opportunities when they are unemployed
    or contingency searching due to circumstances at
    their workplace
  • Contractor placement: helps independent
    contractors identify and secure short and long
    term contract work based on hourly rates and
  • Corporate candidate search: helps clients
    identify candidates for new or vacant positions,
    as well as contingency searching to stage
    replacement of human resources

44
Types of Recruiting
  • Contract / Temporary: constant, spread-based
  • Profit margins are small
  • Limited
  • Hourly, weekly, monthly
  • Permanent: one-time, commission-based
  • Entry levels
  • Mid levels
  • Management, Technical, Operations, Design &
    Architecture
  • Outsourcing: profit margins are high

45
  • Some Examples

46
What is Social Engineering?
  • Social engineering is the art and science of
    tricking one or more human beings into doing what
    an attacker wants, or into revealing information
    that compromises a target's security.
  • Classic social engineering scams include posing
    as a field service technician and calling an
    operator to get them to reveal private information
    such as passwords.
  • Social engineering is an evolving art that uses
    the simplest and most creative schemes and
    requires minimal technical expertise

47
48
Terrorists and Steganography?
49
Saturday, 5 May 2001, 01:00 GMT 02:00 UK: White
House website attacked
50
1996: CIA website hacked
51
Department of Justice website hacked, August 1996