INFORMATION SYSTEMS
SECURITY MANAGEMENT (ISSM)
TRAINING 2016
Objectives of ISSM Training
Understand various MIS concepts, including the distinction between data and information and the levels of management they serve
Define information security
Explain the rationale for protecting information systems
Describe the security triad: confidentiality, integrity and availability
Security policy
ISSM governance
Training overview
Chapter 1: Information Systems
Chapter 2: Information Security: what is it and why?
Chapter 3: Understanding ISSM System
Chapter 4: Security Policy
Chapter 5: Protect yourself and the company:
Information Systems Controls
Chapter 6: Information Security
Chapter 7: Governance: Your Responsibility
Opening Remarks
“One of the greatest threats to information security could actually come from within the organization. Inside attacks have been noted to be some of the most dangerous since employees are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee who can do harm to your network by visiting websites infected with malware, responding to phishing emails, storing their login information in an unsecured location, or even giving out sensitive information over the phone when exposed to social engineering.” SANS Institute
Data versus Information
Data: raw facts
Information: the result of processing data
Data resource management
A resource is an asset that is used in the production of goods and services.
Data is a resource because it is the raw material for:
Operational efficiency
Decision making
Planning
Management control
The firm’s strategic position
Money is in the information: if information is lost or stolen, then money is lost, either directly or indirectly.
Operational support: Transaction processing systems (TPS) support the operations through which products are designed, marketed, produced, and delivered.
Support of knowledge work: concerned with sectional heads (sales, production, finance, etc.). This level of management is responsible for policy implementation and decision making.
Management support: concerned with the overall direction of the organization and long-term planning. Their systems should support flexible, summarized reports in dashboards with drill-down capability that provide information at the touch of a button, using data from inside the organization as well as external data.
Levels of management and MIS used
What is information security?
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (the definition used in US federal law, 44 U.S.C. § 3542).
Information security is achieved through implementing technical, management, and operational measures designed to protect the confidentiality, integrity and availability of information.
Cyber security environment
Why? Rationale for Protecting Information
The three security objectives for information systems, i.e. the properties that threats attack:
Confidentiality: protecting information from unauthorized disclosure to people or processes.
Integrity: assuring the reliability and accuracy of information and IT resources.
Availability: ensuring that resources are accessible when needed, by defending information systems and resources against malicious or unauthorized users and against failure.
Collectively known as the CIA triad.
Key terminologies
Threat: the potential to cause unauthorized disclosure, change, or destruction of an asset. Threats can be classified as natural or man-made.
Vulnerability: a weakness or flaw that can be exploited and could result in a breach or a violation of a system’s security policy.
Asset: anything that has value to the organization, tangible or intangible.
Risk: the likelihood that a threat will exploit a vulnerability, combined with the impact on the asset if it does.
Controls: policies, procedures, and practices designed to manage risk and protect IT assets.
Goal of ISSM
The goal of information security is to protect the confidentiality, integrity and availability of information and information systems.
Action Line
Focus of ISSM
Information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.
Information protection: confidentiality, availability and integrity throughout the life cycle of the information and its use within the organization.
Strategic view of ISSM
Reduce adverse impacts on the organization to an acceptable level of risk.
Protect information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccessibility and damage.
Protect against the ever-increasing potential for civil or legal liability that organizations face as a result of information inaccuracy and loss, or the absence of due care in its protection.
ISSM Triad 1: Confidentiality
Ensuring the privacy of data:
Physically restrict access to sensitive data (lock and key).
Logically restrict access to sensitive data; use firewalls to deny access to network resources such as routers, servers and user computers.
Use appropriate usernames and passwords to prevent unauthorized access.
Encrypt data (scramble it so that it cannot be read without the key) while it is transmitted from one location to the other, and decrypt it when it reaches its destination.
How do you encrypt and decrypt data? You use a key, which is like a password but much stronger, and an encryption algorithm (a mathematical function) implemented by software such as an e-mail client like Outlook. Without the key the scrambled data is unreadable, and anyone who obtains the key can read it, so the key must be protected at least as carefully as the data itself.
ISSM Triad 1: Confidentiality, continued
ISSM Triad 2: Integrity
Assurance that data has not been modified in transit, and a check that data originates from the appropriate source.
Examples of integrity violations:
Modification of financial records
Interception and alteration of e-commerce records
Unauthorized modification of the NHC website to mislead its visitors
The standard way to check integrity is a hash function, sometimes called one-way encryption (what is “encrypted” cannot be decrypted). A cryptographic hash has these properties:
it is easy to compute the hash value for any given message;
it is infeasible to recover a message from its hash;
it is infeasible to modify a message without changing its hash;
it is infeasible to find two different messages with the same hash.
Hashing a message produces a hash value that acts as its fingerprint. A plain hash only detects accidental or casual modification: an attacker who alters the message can simply recompute the hash. To also verify who produced the message, the hash must be combined with a secret key (a message authentication code, MAC) or a digital signature.
ISSM Triad 2: Integrity, continued
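The encryption with a key described under Triad 1 (confidentiality) and the hash fingerprint and source check described here under Triad 2 (integrity), shown together as an added example that is not part of the original training material. It uses only the Python standard library: SHA-256 for the fingerprint, and an encrypt-then-MAC scheme in which HMAC-SHA256 run in counter mode produces the keystream and a second HMAC-SHA256 over the nonce and ciphertext is the integrity tag, so a receiver holding the key detects any modification in transit and any message not produced by a key holder. The construction itself, the separately derived encryption and MAC sub-keys, the 16-byte nonce size and the sample message are assumptions of this example; production code should use a library AEAD such as AES-GCM rather than assembling its own cipher.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16                            # fresh random nonce per message (assumed size)
TAG_LEN = hashlib.sha256().digest_size    # 32-byte HMAC-SHA256 tag / keystream block


def fingerprint(message: bytes) -> str:
    """One-way hash of a message: easy to compute, infeasible to invert or to collide."""
    return hashlib.sha256(message).hexdigest()


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys so the two HMAC uses never overlap."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(enc_key, nonce || i).
    Assumed construction so the example needs only the standard library."""
    out = bytearray()
    for i in range((length + TAG_LEN - 1) // TAG_LEN):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The nonce must never repeat under one key,
    which is why it is drawn from the OS CSPRNG for every call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext: any change to nonce, ciphertext
    or tag, or a wrong key, is rejected instead of yielding silent garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        raise ValueError("integrity check failed: message altered or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper_detected(key: bytes, blob: bytes, position: int) -> bool:
    """Flip one bit of the transmitted blob at `position`; True if decrypt() rejects it."""
    altered = bytearray(blob)
    altered[position] ^= 0x01
    try:
        decrypt(key, bytes(altered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)                  # shared 256-bit secret
    msg = b"Transfer 100 to account 4711"          # constructed sample message
    print("fingerprint  :", fingerprint(msg))
    print("one-char edit:", fingerprint(b"Transfer 900 to account 4711"))
    blob = encrypt(key, msg)
    print("on the wire  :", blob.hex())
    print("decrypted    :", decrypt(key, blob))
    print("tamper found :", tamper_detected(key, blob, NONCE_LEN))
```

Run the file directly to see the fingerprint change completely for a one-character edit, and a flipped bit anywhere in the transmitted blob (nonce, ciphertext or tag) make decrypt() raise instead of returning corrupted data.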
ISSM Triad 3: Availability
Pertains to the accessibility of a service, e.g. if the whole ERP system is down, the security objective of availability has not been met.
A server or service can go down if someone sends incorrectly formatted data that crashes the system.
A denial-of-service (DoS) attack is ongoing when an attacker floods the server with so much traffic or so many requests that the system is overwhelmed.
A typical distributed denial-of-service (DDoS) attack is one where the attacker exploits very many computers, unknown to their owners, to work together (a robot network or botnet) against a specific target, e.g. e-government websites or web servers. The attacker floods the website with requests on the scale of millions of people opening the site at once, thus denying legitimate users the service.
Attacker using a botnet (roBOT NETwork) to commit various crimes
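The flood described above as it looks in a web server's access log, with the detection logic a defender would run over it: an added example, not part of the original training material. It parses Common Log Format lines, counts requests per source in a sliding time window to catch a single flooding host, and counts requests site-wide to catch a botnet whose members each stay under the per-source threshold. The log lines are constructed for the example using documentation IP ranges; the window length and thresholds are assumed values that a real deployment would tune to its normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp, request) or None for lines that are not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def flood_sources(lines, window_seconds=10, threshold=50):
    """Per-source check: {ip: peak requests within any sliding window} for every
    source that exceeded `threshold`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def aggregate_peak(lines, window_seconds=10):
    """Site-wide check: the most requests seen in any sliding window regardless
    of source. A botnet spreads the load so that no single IP trips the
    per-source threshold; only the aggregate rate reveals it."""
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, ts, _ = parsed
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def sample_log():
    """Constructed access log for the demo (documentation IP ranges, not real traffic)."""
    base = datetime(2016, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def entry(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return offset, f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    entries = [entry("198.51.100.5", s, "/index.html") for s in (0, 15, 50)]       # normal user
    entries += [entry("203.0.113.7", 30 + i // 20, "/login") for i in range(120)]  # one host: 120 hits in 6 s
    entries += [entry(f"192.0.2.{n}", 100 + i, "/search?q=x")                      # 40 bots x 5 hits in 5 s
                for n in range(1, 41) for i in range(5)]
    return [line for _, line in sorted(entries, key=lambda e: e[0])]


if __name__ == "__main__":
    log = sample_log()
    print("per-source flooders :", flood_sources(log))
    print("busiest 10 s window :", aggregate_peak(log), "requests")
```

With the default threshold only the single flooding host is reported, while the forty bots stay invisible to the per-source check; the aggregate window shows their combined burst, which is why rate limiting and alerting need both views.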
C3: Understanding ISSM Systems
Information states
Information is not a static entity. Information states refer to where in the information system the information to be protected may be found: in processing, in storage, or in transmission.
Processing: when programs are loaded to perform computations and comparisons on data. Safeguards for this state:
Ensure the operating systems are well configured and hardened against known attacks.
Anti-virus software is installed and up to date.
Application software passes information security audits and security baselines.
Network security appliances and firewalls are installed to deny unauthorized users or applications access to the network.
Information Security Model
The security of information systems can be characterized in a variety of ways. The model depicted below, adapted from the National Training Standard for Information Systems Security Professionals (NSTISSI No. 4011), characterizes information security in three dimensions: the security properties (confidentiality, integrity, availability), the information states (processing, storage, transmission) and the security measures.
Security measures to implement and sustain information security involve policy and procedures, technology, and awareness of the users and administrators of the systems:
Policy and procedures - Information security policies define the organization's rules and expectations regarding access, protection, and accountability for information assets and resources.
Technology - Helps enforce information security policies, defends against information system vulnerabilities and threats, and facilitates quick response when information security incidents occur.
System and network administrators and users - Administrators and users of information systems must understand their responsibilities for information security and execute appropriate procedures to sustain and improve the security of information assets and resources.
ISSM Security Strategy: eight steps divided into four phases
Cyber security response strategy (Mitigation)
ICT Policy Audit – Where do we focus?
Security and Proprietary Information
All computing devices that connect to the internal network must comply with the Minimum Access Policy.
System-level and user-level passwords must comply with the Password Policy.
Providing access to another individual, either deliberately or through failure to secure your access, is prohibited.
All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
C4: Security Policy
Objectives
Describe an information security policy
Describe a standard
Describe a guideline
Describe a procedure
Understand the email policy
Understand the password policy
Have a basis for examining information systems policies, standards and guidelines
“It’s unfortunate that sometimes instead of the donkey leading the cart, the cart leads the donkey. By this, I mean that sometimes policies and procedures are developed as a result of a negative event or an audit. The audit or policy shouldn’t be driving the process; the assessment should be. The assessment’s purpose is to give management the tools needed to examine all currently identified concerns. From this, management can prioritize the level of exposure they are comfortable with and select an appropriate level of control. This level of control should then be locked into policy.” Michael Gregg, CISSP, Security-Management Practices
C4: Security policy, continued
Policy
An information security policy consists of high-level statements relating to the protection of information across the business and should be produced by senior management.
These documents are at the top tier of formalized security documents. They offer a general statement about the organization’s assets and what level of protection they should have. Well-written policies should spell out who is responsible for security, what needs to be protected, and what is an acceptable level of risk.
A policy is much like a strategic plan, because it outlines what should be done but doesn’t specifically dictate how to accomplish the stated goals. Those decisions are left for standards, baselines, and procedures.
From a legal and compliance perspective, an information security policy is often viewed as a commitment from senior management to protect information.
Policy Structure
Standards, baselines, guidelines and procedures in ISSM
Standards
Standards consist of specific, low-level, mandatory controls that help enforce and support the information security policy. Standards are much more specific than policies.
Standards are tactical documents because they lay out specific steps or processes required to meet a certain requirement. As an example, a standard might set a mandatory requirement that all email communication be encrypted. Although it specifies what must be done, it doesn’t spell out how it is to be done; that is left for the procedure.
Baselines
A baseline is the minimum level of security that a system, network, or device must adhere to. Baselines are usually drawn from industry standards, e.g. an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) class. (TCSEC, the “Orange Book”, has since been superseded by the Common Criteria, but the idea of a mandatory minimum is the same.)
Guidelines
Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
A guideline is a recommendation or suggestion of how things should be done. It is meant to be flexible so it can be customized for individual situations.
Whereas guidelines are used to determine a recommended course of action, best practices are used to gauge liability. Best practices state what other competent security professionals would have done in the same or a similar situation.
Procedures
A procedure is the most specific of the security documents. A procedure is a detailed, in-depth, step-by-step document that details exactly what is to be done. Because procedures are so detailed, they are tied to specific technologies and devices.
Components of an information security policy
Statement of Authority – an introduction to the information security policies
Policy Headings – logistical information (security domain, policy number, name of organization, effective date, author, change control documentation or number)
Policy Objectives – state what we are trying to achieve by implementing the policy
Policy Statement of Purpose – why the policy was adopted, and how it will be implemented
Policy Audience – states who the policy is intended for
Policy Statement – how the policy will be implemented; the rules
Policy Exceptions – special situations calling for an exception to the normal, accepted rules
Policy Enforcement Clause – consequences of violation
Policy Definitions – a glossary to ensure that the target audience understands the policy
Information Security Policy Template
Example information security policy templates based on SANS (SysAdmin, Audit, Networking, and Security)
•SANS is a widely trusted source of information security best practices
•It classifies information security policies into General, Network, Server and Application categories
General security policies include:
Acceptable Use Policy
Defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.
Email Policy
Defines the requirements for proper use of the company email system and makes users aware of what is considered acceptable and unacceptable use of the email system.
Password Construction Guidelines
Define the guidelines and best practices for the creation of strong passwords.
Password Protection Policy
Defines the standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
Other Categories of Information Security Policy
Network Security: acquisition assessment and the security of the various network devices
Server Security: deals with databases, servers, software installation, etc.
Application Security: Web Application Security Policy
Data control approaches
1. Administrative controls versus system (technical) controls
2. Physical versus logical controls
What are information security controls?
These are policies, procedures, and practices designed to manage risk and protect IT assets.
Examples:
Security awareness and training programs;
Physical security, like guards, badges, and fences; and
Restricting access to systems that contain sensitive information.
Physical Access Controls
Passwords/Personal Identification Numbers
An authentication mechanism based on something you know; they can be used to access a building or the information systems infrastructure.
Access Control Smart Card
These smart cards use radio frequency identification (RFID) chips to reliably identify employees and contractors, and grant access to buildings and the information systems infrastructure.
They contain personally identifiable information about you and must be protected like a password.
Maintain possession of your card at all times.
If your card is lost or misplaced, report it to the security office immediately.
Keep your card in a shielded badge holder to protect it against unauthorized reading.
Tailgating
Physical security is an important information systems safeguard.
Limiting physical access to information systems and infrastructure to authorized personnel diminishes the likelihood that information will be stolen or misused.
Combat tailgating
Never allow anyone to follow you into the building or secure area without his or her badge.
Be aware of procedures for entering a secure area, securing your workstation when you leave the office, and securing your workstation during emergencies.
Do not be afraid to challenge or report anyone who does not display a card or visitor’s badge.
Escort visitors to and from your office and around the facility.
Do not allow anyone else to use your card for building or secure area access.
Report any suspicious activity to the security office.
Physical Security Guidelines
Guidelines that are implemented through manual procedures and equipment:
Lock your computer when it is not in use.
Remove your card when leaving your workstation. Do not leave it in the card reader.
Store and transport removable media such as CDs, DVDs, flash drives and external hard drives in a secure manner to prevent theft or loss.
Only connect authorized removable media devices.
Keep sensitive information out of sight when visitors are present.
Risks and response strategies
Attacks
An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (Wikipedia).
Structured attack: comes from hackers who are highly motivated and technically competent.
Unstructured attack: consists mostly of inexperienced individuals using easily available hacking tools such as shell scripts and password crackers.
External attacks: initiated by individuals or groups working outside of the company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into the network, mainly from the Internet.
Internal attacks: more common and more dangerous. Internal attacks are initiated by someone who has authorized access to the network.
Active attack: attempts to alter system resources or affect their operation.
Passive attack: attempts to learn or make use of information from the system but does not affect system resources.
Risk response strategies, cont.
Social engineering is classically defined as the art of manipulating and exploiting human behavior to gain unauthorized access to systems and information for fraudulent or criminal purposes.
Social engineering attacks are often more common and more successful than purely technical attacks against the network.
Social engineering attacks exploit natural human tendencies like:
Trust
Desire to help
Desire to avoid conflict
Fear
Curiosity
Ignorance and carelessness
Social engineers want any information that will give them access to the organization’s systems or facilities. Common targets are:
Passwords
Security badges
Access to secure areas of the building
Uniforms
Smart phones
Wallets
Employees’ personal information
Risk response strategies
Phishing Attacks
Phishing is a social engineering scam whereby intruders seek access to your personal information or passwords by posing as a legitimate business or organization with a legitimate reason to request the information.
Usually an email (or text message) alerts you to a problem with your account and asks you to click on a link and provide information to correct the situation.
These emails look real and often contain the organization’s logo and trademark. The URL in the email resembles the legitimate web address, for example “Amazons.com” instead of “Amazon.com”.
Spear phishing is an attack that targets a specific individual or business. The email is addressed to you and appears to be sent from an organization you know and trust, like a government agency or a professional association.
Whaling is a phishing or spear phishing attack aimed at a senior official in the organization.
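A check for the lookalike links described above (“Amazons.com”), as an added example that is not part of the original training material. Given a link from an email and an assumed allow-list of domains the organization trusts, it flags the common disguises: a trusted name with a letter added or swapped, a trusted domain used as a subdomain of an attacker’s domain, a trusted name placed before an @ so that the browser actually visits a different host, a bare IP address, and visible link text that names a different domain than the real destination. The allow-list, the two-label approximation of a registrable domain and the edit-distance cut-off are assumptions of the example.

```python
from urllib.parse import urlparse

# Assumed allow-list of domains the organization legitimately deals with.
TRUSTED_DOMAINS = {"amazon.com", "nhc.example"}


def _parse(link: str):
    """urlparse() only finds a host when a scheme is present, so supply one if missing."""
    return urlparse(link if "://" in link else "http://" + link)


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels. A real implementation
    would consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    return host.replace(".", "").isdigit() or ":" in host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character lookalikes such as amazons or amaz0n."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for a link found in an e-mail."""
    url = _parse(href)
    host = (url.hostname or "").lower()
    if not host:
        return "invalid", "no host in URL"
    # https://amazon.com@evil.example/ : the part before @ is a username; the host is evil.example
    if url.username and any(t in url.username.lower() for t in trusted):
        return "lookalike", f"trusted name '{url.username}' placed before @; real host is {host}"
    if is_ip_literal(host):
        return "suspicious", "link points at a bare IP address rather than a domain name"
    reg = registrable_domain(host)
    if reg in trusted:
        if url.scheme != "https":
            return "trusted-but-plain-http", f"{reg} is trusted but the link is not encrypted"
        return "trusted", f"{reg} is on the allow-list"
    for t in trusted:
        if f".{t}." in f".{host}.":                              # amazon.com.account-verify.example
            return "lookalike", f"'{t}' is only a subdomain of {reg}"
        brand, label = t.split(".")[0], reg.split(".")[0]
        if brand in label or levenshtein(brand, label) <= 2:     # amazons.com, amaz0n.com
            return "lookalike", f"'{label}' imitates '{brand}' but {reg} is not {t}"
    return "unknown", f"{reg} is not on the allow-list"


def display_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text names one domain and the real href another."""
    shown, real = _parse(display_text).hostname, _parse(href).hostname
    if not shown or not real or "." not in shown:
        return False                                             # plain words like 'click here'
    return registrable_domain(shown) != registrable_domain(real)


if __name__ == "__main__":
    for link in ("https://www.amazon.com/orders", "http://amazons.com/verify",
                 "https://amazon.com.account-verify.example/login",
                 "https://amazon.com@203.0.113.9/", "https://news.example.org/"):
        print(f"{link:50} -> {classify_link(link)}")
```

The verdict is deliberately a string rather than a bool so that a mail filter can treat “unknown” (simply not on the allow-list) differently from “lookalike” (actively imitating a trusted name), which is the case that should block delivery or warn the user.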
Examples of Phishing
Better Business Bureau complaint. Executives receive an email that looks like it comes from the Better Business Bureau. The message either details a complaint a customer has supposedly filed or claims the company has been accused of identity theft. The recipient is asked to click a link to contest the claim. Once the link is clicked, malware is downloaded.
Travel trouble. An email appears to be a notice from an airline that you have purchased a ticket and arranged to check several bags. Many consumers, outraged because they never planned any such trip, click a link in the email to complain. The problem is, this click leads to an identity-theft page, where victims are asked to share sensitive data. If you receive such an email, simply ignore it.
Combat Phishing
Never disclose a password to anyone via email.
Be suspicious of any email that:
Requests personal information.
Contains spelling and grammatical errors.
Asks you to click on a link.
Is unexpected or from a company or organization with whom you do not have a relationship.
If you are suspicious of an email:
Do not click on the links provided in the email.
Do not open any attachments in the email.
Do not provide personal information or financial data.
Do forward the email to the information security incident office / IT department, and then delete it from your mailbox.
Risk response strategies, cont.
Malware
Short for malicious software: software that does damage to, steals information from, or disrupts a computer system.
Malware is commonly installed through email attachments, downloading infected files, or visiting an infected web site.
It can corrupt files, erase your hard drive, or give an attacker access to your computer.
Combat malware
Read email in plain text and do not use the preview pane.
Scan attachments with antivirus software before opening them.
Do not trust any attachment, even one that comes from a recognized sender: a sender address is easily forged, and the sender’s own account may be compromised.
Delete suspicious emails without opening them.
If you believe your computer is infected, report to the security office.
Risk response strategies
Internet Hoaxes
Email messages that promise a free gift certificate to your favorite restaurant, plead for financial help for a sick child, or warn of a new computer virus are typically hoaxes designed to get you to forward them to everyone you know.
Mass distribution of email messages floods networks and mail servers with traffic, slowing them down; the effect is the same as a denial-of-service attack, carried out by the recipients themselves.
Combat Internet Hoaxes
Do not forward chain letters, email spam, inappropriate messages, or unapproved newsletters and broadcast messages. You are most likely violating the Policy for Personal Use of Information Technology Resources.
Do not open emails from senders whom you do not recognize, or if you suspect that the email could be a hoax.
Risk response strategies, cont.
Spam
Email spam is unsolicited messages sent to numerous recipients, similar to junk mail.
Spam is dangerous because it can contain links that direct you to phishing websites or attachments that install malware on your computer.
Studies at the time of this training estimated that between 70% and 95% of all emails sent were spam.
Combat spam
Never click links in, or download attachments from, spam email.
Only provide your email address for legitimate business purposes.
Do not sign web site guest books, and limit your mailing list subscriptions. Spammers harvest these to obtain your email address.
Risk response strategies, cont.
Cookies
A cookie is a small piece of text that a website stores in your browser to remember information such as preferences or your user name, so you do not have to type it in again. Cookies are helpful, but can be misused by attackers to compromise security: a cookie that identifies your logged-in session is as valuable as your password to whoever can read it.
Cookies can also be used to track your activities on the web.
Cookies pose a security risk because someone who obtains them could access your personal information or invade your privacy.
Combat cookies
Use cookies with caution.
Confirm that web sites that ask for personal information are encrypted and the URL begins with “https”; cookies sent over plain “http” can be read by anyone on the network path.
Be aware of the sites being visited. Always remember there are inherent dangers once connected.
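The server-side counterpart of the advice above, as an added example that is not part of the original training material: the attributes on a Set-Cookie header decide whether a session cookie is sent over plain http, whether page scripts can read it, and whether it rides along on requests that other sites trigger. The function below parses a header and lists the missing protections; the two sample headers (a weak one beside its hardened form) and the defaults for which cookies count as session cookies are constructed for the example.

```python
def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute-lowercased: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str, served_over_https: bool = True, session_cookie: bool = True):
    """Return a list of weaknesses found in one Set-Cookie header; empty means fine."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, so the browser also sends it over plain http "
                        "where anyone on the network path can read it")
    elif not served_over_https:
        findings.append(f"{name}: Secure flag set from a plain-http page; modern browsers refuse it")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, so scripts running in the page "
                        "(including injected ones) can read it")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is {samesite or 'unset'}, so it is attached to "
                        "requests that other sites trigger")
    if session_cookie and ("expires" in attrs or "max-age" in attrs):
        findings.append(f"{name}: session cookie is persistent; it survives closing the browser")
    return findings


# Constructed sample headers: the weak one beside its hardened form.
WEAK_HEADER = "SESSIONID=2f9c1d3e; Path=/"
HARDENED_HEADER = "SESSIONID=2f9c1d3e; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        findings = audit_cookie(header)
        for finding in findings:
            print(" -", finding)
        if not findings:
            print(" - no findings")
```

A preference cookie may legitimately be persistent, which is what the session_cookie switch is for; the three flags, however, belong on every cookie that carries anything an attacker would want.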
Risk response strategies, cont.
Security Outside of the Office
Security researchers have reported that about 35% of data breaches are caused by employees losing laptops or other mobile devices.
Technology, teleworking, and job duties mean that many employees regularly work away from the office, often using their own devices.
Always maintain possession of your laptop and other mobile devices.
Ensure that the wireless security features are properly configured.
Be cautious when establishing a VPN (Virtual Private Network) connection from a non-secure environment (e.g., a hotel). Do not work on sensitive material when using an insecure connection.
Turn off/disable wireless capability when connected via LAN cable.
Shut your laptop down completely while travelling so that disk encryption actually protects it: a laptop that is merely asleep or locked still holds the decryption key in memory.
Report a loss or theft of your laptop or other mobile device used for work immediately to your security POC.
Other teleworking good practices
These are practices which enhance your data security when working away from your office.
Protect information and data while teleworking:
Always keep your laptop in sight to prevent loss or theft.
Only use authorized equipment in authorized locations.
Use a privacy screen filter so sensitive information cannot be seen by others.
Report lost or stolen equipment immediately.
Safeguarding your home computer
Use passwords on personal computers and mobile devices.
Install and update antivirus software on your home computer.
Enable the firewall on your computer.
Routinely back up your files.
Follow the instructions in the user manual to enable encryption (WPA2 or later) on your wireless router.
Report an Incident
Do not investigate the incident on your own. Immediately report suspected incidents, especially those that could compromise information, regardless of whether it is in electronic, paper, or oral format.