E. Gelbstein, A. Kamal: Information Insecurity Part II: The Solution. Presentation transcript, 48 slides. (Navigation in the original deck: next slide PgDn or click; previous slide PgUp; Esc to quit.)

1 Information Insecurity Part II: The Solution
E. Gelbstein, A. Kamal

2 Basic rule of systems
Complex problems are never solved, they are only transformed.
Corollary: you don't "fix" security, you manage it.

3 Information security principles
1. Availability: information must be available to those authorized to have it.
2. Confidentiality: information will only be disclosed, at the appropriate time, to those authorized to have it.
3. Integrity: information will only be modified by those authorized to do so.
Source: ISO 17799, Code of Practice for the Management of Information Security.

4 Information security principles (2)
4. Existence of a legal framework, covering information processed, stored and transmitted in electronic form, that defines:
- protection of intellectual property rights, including software
- protection of privacy in cyberspace
- the legal effectiveness of digital signatures
- prosecution of cyber-criminals

5 What is your role in Infosec?
Defender: one of the good guys
- Chief Information Officer
- Security manager
- Systems administrator
- Network administrator
- Enlightened user

6 How good a defender?
A spectrum, from best to worst:
- Due diligence
- Negligence
- Dereliction of duty
- Misconduct
- Sabotage
- Criminal damage
- Aiding and abetting crime
It really is your choice.

7 What is your role in Infosec?
A "special guy": good or bad are relative
- Auditor (security, internal, external)
- Ethical hacker
- Security consultant
- Vendors of security products
- Vendors of other ICT projects
- Information security legislator

8 What is your role in Infosec?
Bystander
- "Surely, it's a technical problem"
- "Nothing to do with me"
- "Not in my job description"
- "What, change my password again?"
- "What's wrong with using my birthday as a password?"
- "OK, so my son used my employer's notebook to download some shareware. What's the big deal?"

9 What is your role in Infosec?
Obstacle
- "No way can I increase your budget"
- "We have a freeze on recruitment"
- "It's not compatible with our corporate culture"
- "The trade unions won't have it"

10 Defender's 1st step: Culture
- Security relies on everyone
- Security requires many processes
- Security contains many projects which never end
- Only the paranoid succeed and survive

11 Defender's 2nd step: Reality check
- 100% security can NOT be achieved
- Technology is not enough to guarantee security
- Legislation is not enough to guarantee security
- Security resources must match risk
- Good security practices can themselves become barriers for the people who have to follow them

12 Building effective defences (needs more than technology)
[Diagram of four numbered groups; the numbers match the "Effective Defences 1-4" labels on the slides that follow.]
1. Requirements definition, organization, asset valuation, policies and compliance
2. Building blocks, technical defences, awareness, standards, best practices
3. Incident response, digital forensics
4. Tests, certification, audits, legislation

13 Recommendations for executives
1. Assign responsibility for information security.
2. Ask your CIO to certify in writing the security status of your organization's systems.
3. Ask your CIO to document all known vulnerabilities.
4. Engage a trusted ethical hacker to regularly attack your facilities and systems, to help contain the headache.

14 Security organization (Effective Defences 1)
- Who is responsible for information security in the organization as a whole and at its various locations?
- Who does this person report to?
- Who reviews this person's performance and monitors her/his effectiveness?
- How is security managed with contractors, temporary personnel and outsourcers?
- Who is responsible for dealing with a security incident?

15 Requirements definition (Effective Defences 1)
- What threats?
- What must be protected, and what is it worth?
- What vulnerabilities?
- How much funding can be made available to implement, operate and manage the defences?

16 Information security (Effective Defences 1)
[Diagram: the value of information assets, their vulnerabilities and the threats against them, with countermeasures applied; the size of the box that remains represents RESIDUAL RISK.]
100% security is unachievable.

17 How much security is enough?
[Chart: complexity and cost of security (scale 0 to 9) plotted against the acceptable level of residual risk for different kinds of organization: military, major outsourcers, stock exchanges, fund transfers, major banks, telephone companies, low-tech manufacturing.]

18 Asset valuation and impact analysis (Effective Defences 1)
What is the value* of:
- Data
- Intellectual property
- Systems (software, hardware)
- Documents
- The organisation's reputation
...when it is disclosed, modified, unavailable, destroyed, etc.?
* Financial, commercial, reputational, political, etc.

19 When does misuse become abuse? (Effective Defences 1)
Theft and fraud:
- Proprietary information
- Software and equipment
- Employer's time
- Financial gain
- Modifying personal data (e.g. holiday records)
Misuse of system privileges:
- Inappropriate access to data, websites, others' e-mail
- Deletion of data
- E-mailing of offensive material, jokes, etc.
- Installation of unauthorized software
- Downloading large files (music, video)
- Personal use of employer's systems and facilities
Disclosure:
- Confidential information
- Embarrassing information
- Internal gossip and politics

20 Policies and compliance (Effective Defences 1)
POLICIES are formal statements of how an organization manages information security. Each policy has a defined scope and must be documented, disseminated, maintained, and backed by compliance measures.
Policies without effective compliance measures are ineffective.

21 Scope of policies (Effective Defences 1)
- Acceptable personal use of corporate resources
- E-mail policies for corporate and personal use
- Creation, change and management of passwords
- System / resource access
- Employer's right to monitor and right to access
- Use of encryption
- Physical access and remote access
- Software installation
- Mobile communications and computing
- Database administration
- Employee background checks (pre-employment and during employment)
- ...the list goes on

22 An e-mail policy would cover (Effective Defences 1)
- Legal liability (harassment, copyright, libel, etc.)
- Offensive language/material
- Non-disclosure
- Corporate practices regarding encryption
- Personal use of corporate e-mail
- Employer's right to monitor
- Retention and archival
- Junk and other non-productive e-mail
- Attachments: executable code including macros; audio and video files; other large files; viruses, worms and other infectious software
- Non-compliance
- etc.

23 Policies: reality test (Effective Defences 1)
Policies must make sense to the personnel who are expected to follow them (30% of all attacks are internal).
Three options regarding compliance:
- Don't bother too much: the policies have no credibility
- Tight monitoring and zero tolerance: creates martyrs and loses trust
- A managed program to address internal abuses

24 Building blocks (Effective Defences 2)
Authentication, authorization, non-repudiation, audit, confidentiality, integrity

25 Building blocks (2) (Effective Defences 2)
- Authentication: prove you are who you say you are
- Authorization: the security system checks what you may do with the system
- Confidentiality: data can only be seen by someone authorized to do so
- Integrity: data can only be modified by someone authorized to do so
- Non-repudiation: the ability to prove that the information received is the same as the information sent, and who sent it, so that neither party can later deny the exchange
- Audit: system records of who did what and when

26 Technical defences: tools (Effective Defences 2)
- Data access rights
- Database security
- System security
- LAN and server security
- Firewall security
- Physical access control
- Infrastructure: no single point of failure; UPS and standby; clusters, fail-soft, RAID, alternative routing; proxy servers, firewalls
- Logical access control
- Diagnostics and monitoring
- System administration
- Virus management software
- Encryption software
All properly installed, configured and tested by trained personnel.

27 Technical defences (2): processes (Effective Defences 2)
Cluster 1, operations and configuration management: software/product quality; reduce complexity; change control; segregation of duties; backup/restore; media management
Cluster 2, event intelligence: risk assessment; risk management; alert monitoring
Cluster 3, preparedness: disaster recovery; business continuity; crisis management

28 Sections of ISO 17799 (Effective Defences 2)
1. Develop and implement security policies
2. Put in place a security organization
3. Maintain an information asset classification
4. Address personnel issues of security
5. Implement physical and environmental security
6. Ensure adequate network and computer operations
7. Implement system and network access controls
8. Build security into systems development
9. Have disaster recovery and resumption plans
10. Compliance with legislation and best practices

29 COBIT process maturity levels (Effective Defences 2)
COBIT: Control Objectives for Information and related Technology
0 Non-existent: the process is not managed
1 Initial: the process is ad hoc and disorganized
2 Repeatable: the process follows a regular pattern
3 Defined: the process is documented and communicated
4 Managed: the process is monitored and measured
5 Optimized: best practices are followed
[Diagram marks the organization's current status and its strategic target on this scale.]

30 Justifying investments (Effective Defences 2)
Demonstrating value has always been the BIG challenge for technical practitioners.
Typical ROSI (Return On Security Investment) analysis:
- cost: "We spent a million dollars"
- benefit: "We think we have not been hacked"
The industry is unable to agree on a better way.

31 More about ROSI (Effective Defences 2)
Some of the intangible factors:
- No security metrics standards
- No warranties from vendors or outsourcers, only "best efforts"
The same is true for financial controls and fire prevention arrangements.

32 Ways to tighten security (Effective Defences 2)
1. Promote awareness
2. Know the assets you must protect
3. Invest wisely ("more" may not be "better")
4. Survey the threatscape: who are the enemy?
5. Be vigilant
6. Understand and actively manage risk
7. Ensure security is engineered and designed into the infrastructure
8. Remember it is more than a technical matter
9. Detect and respond

33 Awareness (Effective Defences 2)
Audiences: management, IT personnel, all other personnel.
Topics:
- Policies and the need for compliance
- What to do when an incident occurs
- Best practices
- Vendor bulletins about vulnerabilities
- Hacker activities
- CERT and other alerts
- Procedures and policies
- Disaster recovery, continuity and crisis plans
- Trusted insider risks and their warning signals
- Breaches of security and the subsequent "digital autopsy"

34 Good personal practices (Effective Defences 2)
1. Use hard-to-guess passwords and never disclose them
2. Make regular backups of your critical data
3. Use effective protection against malicious code
4. Use a firewall between your computer and the Internet
5. Do not stay on-line unnecessarily or when inactive
6. Look for, and quickly install, software updates and patches from (trusted) vendors
7. Be careful of e-mail attachments from strangers, and from known persons if the subject line is unusual

35 Ways to protect your privacy (Effective Defences 2)
1. Set up your browser to secure personal information
2. Don't reveal personal details unless you are sure
3. Actively manage cookies
4. Keep a "clean" e-mail address
5. Remember you may be monitored at work
6. Beware of websites that offer rewards in exchange for your contact or other information
7. Never reply to spam mail
8. Only reveal critical information to an "https" website
9. Use encryption if appropriate

36 A word of caution (Effective Defences 2)
Tools and good practices increase security. For the end-user they become a kind of obstacle race: hard-to-remember passwords (the slide shows "Mwf1U4zX") end up prominently displayed on Post-it(TM) Notes.

37 Incident response and digital forensics (Effective Defences 3)
Incident response:
- Intrusion detection
- Emergency response team
- Problem containment
- Problem resolution
- Restoring normal operations
Digital forensics (also called digital autopsy):
- Determine the attack mechanism
- Review the adequacy of arrangements
- Search for evidence
- Action plan for internal causes
- Action plan for external causes

38 How do you respond? (Effective Defences 3)
Option 1, a sign on the door: "Hackers please note: this facility is secured Monday and Friday, 09:00 to 17:00 CET. Please do not visit at any other time. We thank you for your understanding."
Option 2: an emergency response plan and team.

39 Things to do if (when) attacked (Effective Defences 3)
1. Don't panic!
2. Call in your incident response team
3. Contain the problem and avoid the "quick fix"
4. Take good notes in case you need to take legal action
5. Have your backup facilities ready
6. Get rid of the problem
7. Use trusted, uncompromised communications
8. Know what to say, to whom, and when
9. Know when to involve crime investigators
10. Conduct an autopsy of the event and of your response

40 Tests, audits, digital autopsy, certification (Effective Defences 4)
Like your annual medical, it's no guarantee of good health, but it might diagnose a problem.
- Who tests the testers?
- How do you know you have not been attacked?
- How do you know that your arrangements will work?

41 e-evidence (Effective Defences 4)
- Volume and manageability
- Who else has copies?
- Indexing, classification
- Retention, archival
- Media and software
- Right to access
- Right to remove
- Right to destroy

42 e-evidence (2): headaches (Effective Defences 4)
- Hard to trace, particularly cross-border
- Hard to quantify losses
- Lack of clarity about what is court-admissible
Kinds of proceedings: civil litigation, criminal litigation, contractual issues.
Kinds of case: harassment, bullying, impropriety; containable fraud; sabotage; industrial espionage; major fraud.
Out-of-court settlements are common.

43 e-evidence (3) (Effective Defences 4)
- Follow proper procedures for seizure
- Seize computer, media and paperwork
- Assess the risk of a logic bomb
- Protect the suspect computer from tampering
- Discover, recover and report

44 Ways to support e-forensics (Effective Defences 4)
1. Follow the authorized seizure process (ask the lawyers!)
2. Seize and secure equipment, media and papers
3. Shut down the computer and record it with a video camera
4. Document the hardware configuration
5. Transport to a secure location and protect the chain of evidence
6. Ensure the computer remains uncompromised
7. Make bit-stream backups of the hard disk and all media
8. Authenticate the data with a 128-bit checksum (in practice MD5; MD5 is no longer collision-resistant, so record a SHA-256 digest alongside it)
9. Only use the backups for subsequent analysis
10. Document the system's time and date

45 Ways to support e-forensics (2) (Effective Defences 4)
11. Identify all anomalies: hidden disk partitions, hidden files, encrypted files, evidence of erased files, file slack, presence of steganographic software
12. Examine e-mail, Internet and temporary files
13. Fully document all the findings
14. Retain copies of all software used for analysis
15. Only use fully licensed forensic software
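Steps 7 to 9 above (bit-stream copy, checksum, analyse only the copy), as an added worked example that is not part of the original deck: the "seized disk" is a constructed in-memory byte string rather than a real device, the image is hashed while it is being copied, and a working copy is checked against the acquisition record before any analysis. MD5 is kept because it is the 128-bit checksum the slide means; SHA-256 is computed alongside it because MD5 collisions are now practical and a single-hash record is easy to challenge. Names, sizes and the fake disk contents are assumptions for the example.

```python
import hashlib
import io
from dataclasses import dataclass
from typing import BinaryIO, Tuple

# Constructed stand-in for a seized disk: a small byte string instead of a
# real block device. In a real acquisition the source is the device, opened
# read-only behind a hardware write blocker, and the sink is an image file.
SEIZED_DISK = (
    b"\x33\xc0\x8e\xd0" + b"\x00" * 60                   # fake boot-sector bytes
    + b"budget.xls: transfer 250000 to acct 4471\n"
    + b"\x00" * 100                                      # unallocated space
    + b"confidential-memo.doc (deleted)\n"
)

CHUNK_SIZE = 64  # real imagers read whole sectors or large blocks


@dataclass(frozen=True)
class ImageRecord:
    """What goes on the chain-of-custody form for the image."""
    size: int
    md5: str      # the 128-bit checksum referred to on the slide
    sha256: str   # modern companion digest; MD5 alone is no longer collision resistant


def image_and_hash(source: BinaryIO, sink: BinaryIO,
                   chunk_size: int = CHUNK_SIZE) -> ImageRecord:
    """Bit-stream copy of source into sink, hashing every byte as it is copied.

    Hashing during the copy means the digests describe exactly the bytes that
    were read from the original, not a later re-read that might differ.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    while True:
        block = source.read(chunk_size)
        if not block:
            break
        sink.write(block)
        md5.update(block)
        sha256.update(block)
        size += len(block)
    sink.flush()
    return ImageRecord(size, md5.hexdigest(), sha256.hexdigest())


def hash_image(data: bytes) -> ImageRecord:
    """Digests of an existing image, for comparison against the record."""
    return ImageRecord(len(data), hashlib.md5(data).hexdigest(),
                       hashlib.sha256(data).hexdigest())


def verify_working_copy(working_copy: bytes, acquisition: ImageRecord) -> bool:
    """Step 9: before analysis, prove the copy matches the acquisition record.

    Size and both digests must match; any mismatch means the copy is not the
    evidence and must not be analysed.
    """
    return hash_image(working_copy) == acquisition


def acquire(raw_device: bytes) -> Tuple[bytes, ImageRecord]:
    """Run the acquisition against an in-memory 'device'; return image + record."""
    source, sink = io.BytesIO(raw_device), io.BytesIO()
    record = image_and_hash(source, sink)
    return sink.getvalue(), record


if __name__ == "__main__":
    image, record = acquire(SEIZED_DISK)
    print(f"imaged {record.size} bytes  md5={record.md5}  sha256={record.sha256}")
    print("working copy verified:", verify_working_copy(image, record))
    tampered = image[:-1] + b"!"   # one byte changed on the copy
    print("tampered copy verified:", verify_working_copy(tampered, record))
```

The ImageRecord is what gets written on the chain-of-custody form at step 5. Re-running verify_working_copy on the copy used for analysis, and on the sealed original before it is returned, is what lets the examiner testify that the bytes analysed are the bytes seized.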

46 Things to worry about (Effective Defences 4)
1. Time elapsed between an attack and its discovery
2. The size of incident logs (may inhibit discovery)
3. Examining incident logs is boring (easy to miss things)
4. The trusted insider
5. Hard to know what's what in a multi-vendor environment
6. Good security staff are hard to find and harder to keep
7. Hard to define a return on security investment
8. Management detachment (denial of having a role to play)
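Items 1 to 3 above (dwell time, log volume, and the tedium of reading logs), as an added example that is not part of the original deck: a small detector run over constructed sshd-style log lines (documentation IP ranges, invented users and timestamps). It flags a source address that produces several failed logins inside a short window, records whether that source later succeeded, and reports how long the activity sat in the log before anyone reviewed it. The line layout, the threshold of five failures and the 60-second window are assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sshd-style log lines (not from any real system): a burst of
# failures from 198.51.100.23 that ends in a successful login as "backup",
# a normal key-based login, and one user who mistyped a password once.
LOG_LINES = """\
2004-03-01T02:14:07 sshd: Failed password for root from 198.51.100.23
2004-03-01T02:14:09 sshd: Failed password for root from 198.51.100.23
2004-03-01T02:14:12 sshd: Failed password for invalid user admin from 198.51.100.23
2004-03-01T02:14:15 sshd: Failed password for invalid user oracle from 198.51.100.23
2004-03-01T02:14:20 sshd: Failed password for backup from 198.51.100.23
2004-03-01T02:14:31 sshd: Accepted password for backup from 198.51.100.23
2004-03-01T08:55:12 sshd: Accepted publickey for alice from 192.0.2.10
2004-03-01T09:01:40 sshd: Failed password for bob from 203.0.113.5
2004-03-01T09:01:48 sshd: Accepted password for bob from 203.0.113.5
"""

# Assumed line layout: ISO timestamp, "sshd:", outcome, auth method, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    outcome: str   # "Accepted" or "Failed"
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    src: str
    first_seen: datetime          # first failure from this source
    failures: int                 # total failures from this source in the log
    success_user: Optional[str]   # account the source eventually got into, if any


def parse(line: str) -> Optional[Event]:
    """Return an Event for a recognised line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"])


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Flag any source with at least `threshold` failed logins inside a sliding window.

    A later Accepted from a flagged source is recorded on the alert: that is
    the one line a human skimming thousands of entries is most likely to miss.
    """
    recent: Dict[str, List[datetime]] = defaultdict(list)   # failures inside the window
    total: Dict[str, int] = defaultdict(int)
    first_fail: Dict[str, datetime] = {}
    alerts: Dict[str, Alert] = {}
    for ev in filter(None, map(parse, lines)):
        if ev.outcome == "Failed":
            first_fail.setdefault(ev.src, ev.ts)
            total[ev.src] += 1
            win = recent[ev.src]
            win.append(ev.ts)
            win[:] = [t for t in win if ev.ts - t <= window]   # drop failures older than the window
            if len(win) >= threshold and ev.src not in alerts:
                alerts[ev.src] = Alert(ev.src, first_fail[ev.src], total[ev.src], None)
        elif ev.src in alerts and alerts[ev.src].success_user is None:
            a = alerts[ev.src]
            alerts[ev.src] = Alert(a.src, a.first_seen, total[a.src], ev.user)
    # refresh the failure counts so each alert reflects the whole log
    return [Alert(a.src, a.first_seen, total[a.src], a.success_user) for a in alerts.values()]


def dwell_time(alert: Alert, reviewed_at: datetime) -> timedelta:
    """Item 1 above: how long the attacker had between first activity and review."""
    return reviewed_at - alert.first_seen


if __name__ == "__main__":
    reviewed = datetime(2004, 3, 2, 9, 0)   # the morning someone finally read the log
    for a in detect_bruteforce(LOG_LINES.splitlines()):
        print(f"{a.src}: {a.failures} failures from {a.first_seen}, "
              f"then logged in as {a.success_user!r}; dwell {dwell_time(a, reviewed)}")
```

The single legitimate typo from 203.0.113.5 never reaches the threshold, so the reviewer sees one alert instead of nine lines; the dwell figure is the number that items 1 to 3 are really about, and it only shrinks if something like this runs continuously rather than when someone has time to read the log.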

47 Things to worry about (2) (Effective Defences 4)
9. Limited international cyber-crime legislation
10. Certificate Authorities: the new trust issue
11. Vendors not liable for product vulnerabilities
12. Executives who believe security is not a real issue
13. Liabilities arising from lack of due diligence
14. Need to take out cyber-crime insurance

48 Conclusion
Sounds daunting? It is. You have two options:
a. Be prepared (act now), or
b. Improvise when it happens (react then).

