Topic Outline
Information security?
Security: why?
Security approach
Vocabulary
The weakest link
Real-life security sample
Information security?
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Information security?
According to Wikipedia, ISO 2700x, CISSP, SANS, ...
Confidentiality: classified information must be protected from unauthorized disclosure.
Integrity: information must be protected against unauthorized changes and modification.
Availability: the information processed and the services provided must be protected from deliberate or accidental loss, destruction, or interruption of services.
Information security?
Security attributes according to the Belgian privacy commission:
Confidentiality
Integrity
Availability
+ Accountability
Non-repudiation
Authenticity
Reliability
CIA Exercise
Confidentiality?? Webserver only hosting public information? Webserver separated from LAN?
Integrity: unauthorized changes!
Availability: information is no longer available.
Security: why?
Compliance with law
Protect (valuable) assets
Prevent production breakdowns
Protect reputation, (non-)commercial image
Meet customer & shareholder requirements
Keep personnel happy
Security approach
Both technical and non-technical countermeasures.
Top-management approval and support!
Communicate!
Information security needs a layered approach!!!
Best practices:
– COBIT: Control Objectives for Information and related Technology
– ISO 27002 (ISO 17799): Code of practice for information security management
– ...
ISO 27002
Section 0: Introduction
Section 1: Scope
Section 2: Terms and Definitions
Section 3: Structure of the Standard
Section 4: Risk Assessment and Treatment
Section 5: Security Policy
Section 6: Organizing Information Security
Section 7: Asset Management
Section 8: Human Resources Security
Section 9: Physical and Environmental Security
Section 10: Communications and Operations Management
Section 11: Access Control
Section 12: Information Systems Acquisition, Development and Maintenance
Section 13: Information Security Incident Management
Section 14: Business Continuity Management
Section 15: Compliance
ISO 27002 - Example
Security audit of a local government (> 500 employees)
Technique: social engineering
Security vocabulary - Threat
A potential cause of an unwanted incident, which may result in harm to individuals, assets, a system or organization, the environment, or the community.
Samples:
– Fire
– Death of a key person (SPOK: Single Point of Knowledge)
– Crash of a critical network component, e.g. core switch (SPOF: Single Point of Failure)
Security vocabulary - Damage
Harm or injury to property or a person, resulting in loss of value or the impairment of usefulness.
Damage in information security:
– Operational
– Financial
– Legal
– Reputational
Example: damage of a defaced Belgian Army website?
– Operational: probably (temporary front page, patch management, ...)
– Financial: probably (training personnel, hiring consultancy, ...)
– Legal: probably (lawsuit against external responsible?)
– Reputational: certainly!
Security vocabulary - Risk
Combination of the probability of an event and its consequence.
Risk components:
– Threat (probability)
– Damage (amount)
Example (damage scored per category as O = operational, F = financial, L = legal, R = reputational; risk = max impact x probability):

Process       | Threat                      | O | F | L | R | Max impact | Probability | Risk
Food freezing | Electricity failure > 24 h  | 4 | 3 | 2 | 2 | 4          | 2           | 8
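The scoring model of the table above, worked through as an added example (not part of the original slides): damage is the maximum of the four category scores, risk is that maximum multiplied by the probability. The "Food freezing" row is the slide's own; the other two register rows are constructed for the ranking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    process: str
    threat: str
    operational: int   # O: operational damage score
    financial: int     # F: financial damage score
    legal: int         # L: legal damage score
    reputational: int  # R: reputational damage score
    probability: int   # threat probability score

    def damage(self) -> int:
        """Max impact across the four damage categories (the slide's 'Max impact' column)."""
        return max(self.operational, self.financial, self.legal, self.reputational)

    def risk(self) -> int:
        """Risk = threat (probability) * damage (amount)."""
        return self.damage() * self.probability


# First row taken from the slide; the other two rows are constructed sample data.
REGISTER = [
    Threat("Food freezing", "Electricity failure > 24 h", 4, 3, 2, 2, 2),
    Threat("Public website", "Defacement", 2, 2, 2, 4, 3),           # constructed
    Threat("Payroll", "Loss of key person (SPOK)", 3, 2, 1, 1, 1),   # constructed
]


def rank(register):
    """Return (process, threat, risk) tuples, highest risk first, to prioritise countermeasures."""
    rows = [(t.process, t.threat, t.risk()) for t in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for process, threat, risk in rank(REGISTER):
        print(f"{risk:3d}  {process}: {threat}")
```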
The Zen of Risk
What is just the right amount of security?
Seeking balance between Security (Yin) and Business (Yang):
– Cost vs. potential loss
– Countermeasures vs. productivity
Security vocabulary - Authentication, authorization, accountability
Authentication: technologies used to determine the authenticity of users, network nodes, and documents.
Authorization: who is allowed to do what?
Accountability: is it possible to find out who has made any operations?
Strong authentication (two-factor or multi-factor) combines:
– Something you know (password, PIN, ...)
– Something you have (token, ...)
– Something you are (fingerprint, ...)
The weakest link
Countermeasures:
– Force password policy on server
– Train personnel
– Use strong authentication
– ...
SEC_RITY is not complete without U!
The weakest link
Countermeasures:
– Implement security & access policies
– Job rotation
– Encryption
– Employee awareness training
– Audit trail of all accesses to documents
– ...
Amateurs hack systems, professionals hack people!
Attacks & Countermeasures

Step               | Countermeasures (short list)
1. Reconnaissance  | Be careful with information
2. Network mapping | Network IDS – block ICMP
3. Exploiting      | System hardening
4. Keeping access  | IDS – antivirus – rootkit scanners
5. Covering tracks |

Reconnaissance (information gathering): searching for interesting information on discussion groups/forums, social networks, customer reference lists, Google hacks, ...
Real-life security sample
High-security (war) zone
Illiterate (local) cleaning personnel (use opportunities!!!)
Physical security:
– Personnel clearance
– Physical control
– PC placement
– Clean desk policy
– Shredder
– Lock screen policy
– Fiber to PC
Logical security:
– VLANs
– Password policy
We LEARNED...
Security is CIA(+): Confidentiality, Integrity, Availability + Accountability, Non-repudiation, Authenticity, Reliability
Why: law, reputation, production continuity, ...
Approach: layered, technical & non-technical, support from CEO, lots of communication
Vocabulary: threat, damage, risk, (strong) authentication, authorization, accountability
Risk = threat * damage
Security balance: loss vs. cost & countermeasures vs. productivity
The weakest link is personnel!
A hacker starts with information gathering