???????? (ISMS) ???? - PowerPoint PPT Presentation

About This Presentation

Title:

???????? (ISMS) ????

Description:

Title: 1 Author: Sunrise Last modified by: Kevin Created Date: 9/7/2003 9:50:09 AM Document presentation format: Company – PowerPoint PPT presentation

Number of Views:71

Avg rating:3.0/5.0

Slides: 85

Provided by: sunrise

Category:

more less

Transcript and Presenter's Notes

Title: ???????? (ISMS) ????

1
????????(ISMS)????
ISMS/BS7799 ??????

????/????/????
???
kevin_at_secure.idv.tw
BS7799 L.A. / CISSP

2
????

??
????????
??????
?????????????
????????(ISMS)???
???? lt ISMS lt BS 7799
BS 7799 ????????
Part-(1) Part (4)
?????

3
??
ISMS/BS7799 ??????
4
??!?????

????????
1996/9????????????????
2000/3???? DDos ???????,?? Yahoo?Amazon?CNN?eBay
???????
2001/7Amazon.com ??? Bibliofind ?????1?8?????
??? ??
2001/5?????????? ???? ????
2002/3?????????? ?????? ??????????
2003/08????????????,??????,???????????,??????????
2003/09???? 88?? ?????????,??20??????
2003/10??????????? ATM ????????????

??????????????,??????,???????????!
5
???? ????

??????? 93/05/03 ??????,??????????????????????????
???????????????????,????????????????????????,?????
????????,???????
???????? 92/10 93/05 ??????????????????????????,
?????????????,??????????????????????,?????????????
????
?????????????????,??????????,??????
??????????????,?? NT 2 ? 10 ???
?CNet ??? 2004/06/17 EarthLink ? Webroot
???????42.1 ????,??? 13.37 ??????? ????? ??
????,????????,???? 1,130 ??????,????????? 26.9
????????

6
?????????-???

????
??
MIS ??
????/????
????
????
????
????
DB ??
AP ??
????
B2B/?????

????
????
????
????
????
????
Internet User

7
??-???????

??
??????????????,??????,????
??
??????????????, ?? ?????? ?? ????,?

8
????(Assets)???

????(Information Assets)
????(Software Assets)
????(Hardware Assets)
????(Paper Document)
??(Service)
????(Company Image)

??
??
??
9
???? (1/3)

????
?????-??????????????
????????-????
????-?????
?????
?????????
????
??/?? ???? ? ????

10
???? (2/3)

????????
???????????
??????
?????????
?? ?? ??
????????
??????AP?????
?????????????

11
???? (3/3)

???????
??????
??????
????
???????
?????
????
????
??? ????

12
(No Transcript)
13
(No Transcript)
14
????????????
15
????

??
????????
??????
?????????????
????????(ISMS)???
???? lt ISMS lt BS 7799
BS 7799 ????????
Part-(1) Part (4)
?????

16
????????????
ISMS/BS7799 ??????
17
???? ???????
?????????,??,??,??,?????!
18
IT ??? ???? ???

?????????????????
E-Business
ERP/MRP
PDM
Intranets
Extranets

19
IT ??? ???? ???

?? IT ??????????????
???(Confidential)
??????????
???(Integrity)
??????????
???(Available)
???????????

20
?? ??

???????
?????
????
? SARS ??
?????????
????????(???,????,?????,????)
????????????????
??????????

21
?????????????
Network Threats and Vulnerabilities
22
????????

???????
Web ?? ??????(ASP/CGI/Perl)???????
???????????
???????????????
????????
??????????????

23
??????(1/2)
Executive Summary Executive Summary Executive Summary
We have scanned your host/s XXX.XXX.XXX.XXX for YYY known security holes. This scan took place on 224302 09/09/2002 and took 0 hours and 50 minutes to complete. A total of 17 vulnerabilities were found Out of the 17 vulnerabilities that were found We have scanned your host/s XXX.XXX.XXX.XXX for YYY known security holes. This scan took place on 224302 09/09/2002 and took 0 hours and 50 minutes to complete. A total of 17 vulnerabilities were found Out of the 17 vulnerabilities that were found We have scanned your host/s XXX.XXX.XXX.XXX for YYY known security holes. This scan took place on 224302 09/09/2002 and took 0 hours and 50 minutes to complete. A total of 17 vulnerabilities were found Out of the 17 vulnerabilities that were found
High Risk Vulnerabilities (Should be attended to as soon as possible) 3 Security 'holes' that allow a remote attacker to Have read / write access to any file on the server Login to the server remotely easily as administrator Ability to run commands in order to continue hacking to the network
Medium Risk Vulnerabilities (Should be repaired in the next couple of days) 5 Security 'holes' that allow a remote attacker to attack a server by Conducting a combination attack (using several vulnerabilities simultaneously) Having access to 'sensitive' files Running 'Denial of Service' attacks that will crash the network
Intelligence Gathering or Low Risk Vulnerabilities (Should be added to work list can be attended at later time) 9 Security 'holes' which will not help an attacker to gain access to server, but, it will give him information about the local network or hosts
In addition, 11 open TCP or UDP ports were found Make sure all those services are really needed. Remember Useless services are possible entry points for attackers!! In addition, 11 open TCP or UDP ports were found Make sure all those services are really needed. Remember Useless services are possible entry points for attackers!! In addition, 11 open TCP or UDP ports were found Make sure all those services are really needed. Remember Useless services are possible entry points for attackers!!
24
??????(2/2)
25
?? ??

???????
?????
??????????????????
? SARS ??
?????????
??????????????
?????????????
????????????????????????

26
?? ??

??????????(Risk Analysis)
???????????????
???????????
???????????????

27
??, ??, ?? ? ?? ???
Threat Agent
Give Rise to
Threat
Exploits
Leads to
Vulnerability
Risk
Directly Affects
Asset
Can Damage
Exposure
And Causes an
Safeguard (Control)
Can be Countermeasured by a
28
?????????????
?? ?? ??? ????
???? ???? ????? ??????
????? ????? ?? ????????
?????? ?? ??????? ???????
?????? ?? ?????????????? ??????,????
???? ??/?? ???????? ?? e-mail ??
??/?? ????? Bug ????
?? XXX ????
???? ????/????/ ??/????/????
29
????? ???? ???

Detect
Security
Vulnerabilities Threats
Respond
30
???? ???????
??,??,??,??
Security
High
Costs of Security vs. Exposure
Costs in balance
Exposure
High
Low
Security Level
31
??????
????
????
????

???????
(????)
??????????
???????????????
?????????

??????
??
????????????
??????
(????)

?? CIA
????? ????
32
????

??
????????
??????
?????????????
????????(ISMS)
???? lt ISMS lt BS 7799
BS 7799 ????????
Part-(1) Part (4)
?????

33
????????(ISMS)
ISMS/BS7799 ??????
34
????????
BS7799 ??
ISMS
????
35
BS 7799/CNS 17800 ??????
ISMS/BS7799 ??????
36
BS 7799-2 ? ?? ????
37
ISO/IEC 17799 BS 7799 - 2

BSi ?? BS 7799 Part 1 2 ??
BS 7799 1 (????)
1999 ? 2000?? ISO ???????
ISO/IEC 17799
ISMS ??????
BS 7799 2 (????)
ISMS ?????????
BS 7799-2 ??

38
?? BS 7799 - 2 ????
Source IUG web site, Oct.-2003
Total 399 (OCT-2003)
39
BS 7799 1 (ISO 17799)

ISO/IEC 177992000 (BS 7799-11999)
?? ISMS ?????
???????????
???????????
??10 ?????? Code of Practice
?????????????

40
BS 7799-2 1999

BS 7799-2 1999
?? BS 7799-11999 ???
?? ISMS ??? ??(Requirement)
????? ? ???
????????? ??(Need), ?????????? ??????(Security
Controls) ? ??.
10 ????? (Control Clause)
36 ????? (Control Objectives)
127 ?????(Controls)

41
CNS (????)

? ? ? ? 17800
? ? ? ? ????-??????????
? ? ? ? Information technology-Specification for
information security management systems
? ? ? ? X600041
????? 35.040
? ? ? ? 91/12/05
? ? ? ? ???
? ? ? ? ???
? ? ?????32?/????

42
????????

?????? ?
?????? ?
?????? ?
???? ?
???? ?
??????? ?

??
Email Server
File Server
??
WWW Server
Database Server
????
????
??????

43
????(Security Controls)
Administrative Controls
Technical Controls
Physical Controls
Policies, Standards, Procedures, Guidelines,
Screening Personnel, Security Awareness Training,
System Act. Monitoring
Logical Access Controls, Encryption, Security
Devices, Identification and Authentication
Facility Protection, Security Guards, Locks,
Monitoring, Environmental Controls, Intrusion
Detection
Physical Controls
Technical Controls
Administrative Controls
Company Data and Assets
44
????????
2.? ISMS ??? ???
45
????????
46
??????-(????)
47
??????-(??????)
48
??????-(????)
49
???????????

?????????
?????????
??????
????????
????????????
?????????

50
??????????
51
BS 7799-2 ? ?? ????
52
ISMS ??
???
???
???
????
????
????
????
????
??
??
??
??
??
53
A.3 (4.1) ???? (1,2)

??????
????????
?????????
?????
???????
???????,?????? ???

54
A.4 (4.2) ???? (3,10)

?? ????????(Infrastructure)
??
?????????
?????????????
??
??????
?????????????????,?????
?????????
??? (Third-Party)?????
?? ???????
????/???? ? ????

55
?????????
????
??????? (????????)

????

????? (???????)

??????

56
????
57
A.5 (4.3) ??????? (2,3)

???????
????
????
????
????/????
???????

58
????(Assets)???

????(Information Assets)
????(Software Assets)
????(Hardware Assets)
????(Paper Document)
??(Service)
????(Company Image)

??
??
??
59
???????

Commercial
Confidential
Private
Sensitive
Public
Focus on
Integrity
Availability

Military
Top Secret
Secret
Confidential
Sensitive but unclassified (SBU)
Unclassified
Focus on
Non-Disclosure of Confidential

60
??????
61
A.6 (4.4) ???? (3,10)

????????????
???? ??????
???????
?????
????
??????????

62
????

???????
???????
???????
??????????
???????????
???????
??????????
??????????
?????????????
???????????
??????????..

????
?????
????
Separation of duties
????
Non-Disclosure Agreements
????
Job rotation
????
Termination

??????????????????????,????,???????????
63
????????

???????????,????
???????
???????????
????????,????
???????
?????????
??????????????
?????????
????????
????????
???????..

????
64
????
65
??????????

????, ????, ???????
???????
???????
?????????
??????
?????

66
??????(SOP) ????

???? SARS ???
???? ??
???? ??
??? ?
?????? ?????????? ?
?????? ?????????? ?
?????? ?????????? ?
?????? ?????????? ?

67
?? ? ???? ????

???? ???? ??? !
???? ??
???, ???????????? ?
???? ??
??? ??, ????? ?? ?
???? ??
???????? ???? ?
??????? ?? , ??? ??????? ?

68
?????????????

???????????
?????
????
????..
??????
??????
?????
????
?????..

????
????
??????..
?????
????
????
????

69
????-????

????????
??
??
??
???
??
????
????
???

??????
??
??
??
??
???
??
??
??

70
????-????

??????
????
Email
Pager
SNMP Trap
Telephone
SMS
Mobile Phone
Alarm

???????
??
??
??
??
??
??
??
??

71
??????????

?? http//www.ncert.nat.gov.tw/infosec/data.asp
????
????
????, ????, ????, ????
????
????, ????, ????, ????, ????

72
????-????

??????
??????
?????
??

73
A.7 (4.5) ??????? (3,13)

????
??????
??????
??????????
??????????
????
????
??????
????,?????
?????????????
?????????

?????
???????????????
?????
????????????????????????

74
???????????????
???
???
???
A.7.1.4
?????
??
A.7.1.13
A.6.1.14 A.6.2.1 A.6.3.15 A.7.2.5 A.7.3.12 A.8.
3.1 A.8.6.13 A.9.1.1 4.9.2.13
A.9.3.12 A.9.4.1,3,4 A.9.5.15.7.8 A.9.6.1 A.9.8.
12 A.10.3.24 A.11.1.5 A.12.1.27
??
???
???
47 A.3A.4
A.6.3.14 A.7.1.4 A.7.2.16 A.8.17 A.9.18 A.10.1
5 A.11.1 A.12.3.2
????
???
??
A.7.1.13
A.9.1.5
??
A.7.1.13
???
A.9.1.13
A.9.1.13
???
????
?? ???
A.5.1.1 A.5.2.1,2 A.7.13 A.7.2.1,46 A.7.3
A.7.1.13
???
?????
A.8.7.2 A.12.1.1 A.12.2 A.12.3.1
A.6.12 A.6.3.5
75
A.8 (4.6) ??????? (7,15)