Docstoc

e-security knowledge

Document Sample
e-security knowledge Powered By Docstoc
					E-security knowledge for
different types of users

          M.M.Pant
Criticality of e-security
   More than 80% had suffered
    information security breach in last 12
    months
   Often perceived as an IT issue only
   Hence misdirected and misguided
    policies
   Security is essential for safety
Categories of security
breaches
   Most common is virus infection

   Unauthorized users

   Hackers

   Physical custody and transportation of data
E-security Knowledge levels
   The completely unbreakable quantum
    computer
   Cryptography, digital signatures and
    biometrics
   E-forensics and evidence matters
   Management of e-security: policy and
    standards
   Frauds through the Internet
Information Assets : Hardware
   Servers                    Converters /
   Nodes                       adaptors
   Circuit Cards              UPS’s
   External Tape, disk ,      Test equipment
    CD Rom                     Tools
   Routers / switches         Spare parts
                               Cards / cables
Information Assets : Software
   Source Code             Utilities
   Object Code             Diagnostics
   Locally written         Communication
    programs                 programs
   Purchased programs      Backups
   Operating system        Documentation
Information Assets : Data
   Online data
   Offline ( archived ) data
   Log files
   Database
   In transit ( on communication lines )
Information Assets : People
   Users               Operators
   Programmers         Managers
   Administrators      Delivery
   Electronic          Vendors
    maintenance         Consultants
   Facilities          Visitors
    maintenance
Information Assets :
Documents
   Hardware Manuals
   Software Manuals
   Licenses / contracts
   Physical & online access control lists
   Training material
Supplies
   Magnetic media
   Computer Stationary
   Printer ribbon
   Toner
   Cleaning materials
BS7799


   BS7799 was originally conceived as a code of
    practice for information security management.
   It catalogues a whole host of good security
    controls with near universal applicability for
    multi-national organisations.
   The code of practice has been adopted by the
    Netherlands, Australia and New Zealand. Other
    nations are showing keen interest.
10 Generic Tips for e-security
   If you're not doing everything on this
    list, chances are you'll suffer from a
    security loss.
   And it's not a matter of if you'll suffer a
    loss, but more of a question of when.
   Check this list, check it again, and then
    get busy. There is a lot to protect
1. Passwords: Mandatory and
strong
   Besides requiring your users to use passwords, there
    are two other things you should require of them:
    password ageing and strong passwords.
   Password ageing is essential to minimize the chances
    of someone else discovering and using a password
    that may be shared, for example to help a co-worker
    access the corporate network.
   A strong password (requiring a mix of letters,
    numbers, and characters) minimizes the chances of
    someone obtaining a password through a social
    engineering exercise. ("I normally use my kid's name
    for my password. Do you?")
2. Locks for physical security
   Data security is useless if one can easily walk
    away with the device where the data resides
    and have all the time in the world to try and
    access the data on the device.

   Locked server rooms, locking desktops and
    laptops to the desk, and in general securing
    physical IT assets, is often overlooked
3. Implementing inactivity
monitors
   When users are away from their computers they are
    vulnerable. Anyone can walk up and access all the
    information on that user's computer just as if they
    were that user.
   Computers should be set to lock themselves after the
    shortest period of inactivity that the user is willing to
    tolerate.
   If some users find it tedious to reenter their
    passwords after short periods of inactivity, consider a
    biometric solution which frees the user from having
    to retype their passwords every time to unlock the
    computer
4. Have a formal security
policy document
   If your organization doesn't have a formal
    security policy around the use of IT assets,
    you're behind the times.
   You need to develop security policies that
    balance the productivity of your users with
    the need to keep IT assets and data safe.
   And once you have a policy, be sure to set up
    training for all your users and make security
    training a required part of every new
    employee orientation
5. Distinguish between users
and administrators
   Many companies grant administrative
    rights to their users to install specific
    applications themselves.

   Don't let the user do the administrator’s
    job!
6. Updates—do at least the
critical ones!

   Many security problems stem from a
    flaw that a hacker finds in a component
    of the operating system.
   You should make sure you sign up to
    receive the latest critical updates which
    close these potential exploits.
7. Backup and contingency
   Imaging a user's disk saves all their important
    data in the event of a disaster and saves you
    the trouble of having to rebuild their machine
    in the event of a crash or even system theft.
   This one is difficult, especially with a mobile
    workforce, so you'll have to work closely with
    your users to make this a reality.
8. Communicate the
importance of security
   Getting the word out about security to
    your users is one thing. Constantly
    reminding them of the importance of
    perpetual security is something else
    entirely.
   Make communicating about security a
    regular habit and people will respect
    the security policies you have in place.
9. Wireless access
management
   With the ubiquity of wireless access and
    the ease by which it can be deployed,
    it's easy to overlook these access points
    as a security hole.
   Set up some type of wired-equivalent
    privacy (WEP) on these access points so
    passers-by or visitors can't easily hop
    on your network
10. Regular IT Audits
   Accounting for all your equipment and
    how its setup is a time-consuming and
    difficult job.
   But if you do it on a regular basis, not
    only will you catch security problems
    early, you'll also keep your users on
    their toes, which further enhances
    security
Emerging Internet Frauds

    Hacking
    Identity theft
    Money laundering through the Internet
    Crimes of persuasion
Top 10 Frauds on the Internet
of 2006
  1. Online Auctions:
   Misrepresented or
   undelivered goods
  2. General Merchandise:

   Misrepresented or
   undelivered goods not
   purchased through auctions
 Top 10 Frauds on the
Internet
    3. Fake Check Scams: Consumers
     used fake checks to pay for sold
     items, and asked to have the money
     wired back
    4. Nigerian Money Offers: Deceptive
     promises of large sums of money, if
     consumers agreed to pay the transfer
     fee
    5. Lotteries: Asking winners to pay
     before claiming their non-existent
     prize
Top 10 Frauds on the Internet
    6. Advance Fee Loans: Request a fee
     from consumers in exchange of
     promised personal loans
    7. Phishing: Emails pretending to
     represent a credible source, ask
     consumers for their personal
     information (e.g. credit card number)
 Top 10 Frauds on the
Internet
    8. Prizes/Sweepstakes: Request a
     payment from consumers in order for
     them to claim their non-existent prize
    9. Internet Access Services:
     Misrepresentation of the cost of
     Internet access and other services,
     which are often not provided
    10. Investments: False promises of
     gains on investments
The ABC of e-security
   ABC – Automobile based comparison
   Executive Dashboards for Data
    Visualisation
   Strategic Decision making involves
    making substantial investments of
    resources over long periods of time,
    before results are seen
Road
   The organisation’s
    Information Systems
    Vision.
   The road helps in
    developing the map
    which is the IS&S
    policy which has to
    be in congruence
    with the ‘business’
    policy
Map
   The IS&S policy
    document
   This follows from the
    ’business’ vision or the
    road.
   It tries to devise the
    ‘best’ route given the
    road ahead; covers
    purpose & scope,
    mechanisms and
    measures for
    implementation
Gas / Petrol Gauge
   Resources/Money
    Allocated
   This is simply the
    money allocated for the
    IS spending for any
    given time period
    (typically the accounting
    year)
   It shows the total
    amount of money
    available for spending
    on IS at any given point
Pedometer / Distance Gauge
   Distance to be
    traversed
   Typically the amount
    of time for which the
    budget is allocated
   At any point of time
    it would show the
    amount of time the
    money allotted to IS
    has to last
Speedometer
   ROSI:return on
    security investments
   It is a metric which
    captures the
    cost/benefit aspect
    of information
    security
   Measured in terms
    of decreased risk of
    security breaches
Temperature
   Threat or attack
    frequency
   The number of
    security breaches
    which occur are
    represented by the
    temperature;
    hacking of systems,
    stealing of data..
    would increase the
    temperature
Windscreen
   External monitoring
    (threats, technologies,
    standards etc..)
   Provides knowledge
    and outside
    interaction to be in
    touch with the latest
    developments the
    world over
Back Mirror / Rear view mirror
   Internal process
    monitoring
   Employee access
    and use of classified
    data
   Filtering e-mail,
    blocking sites
    (private mail,
    entertainment..) and
    random system
    checks
Steering wheel
   Strategic Direction
   What the IS policy
    should be, leads to the
    map
   The steering wheel is
    operated by the
    Director IT
   In case of unforeseen
    events he should have
    the authority to change
    the direction (focus) of
    the policy
Headlights
   Market research,
    customer needs
Wipers
   Fresh objectives
   Fresh perspectives
   Using external
    resources
   Using internal
    resources
Brakes
   Calamity Control
    measures
   A 100% mirror image of
    the entire system
    maintained guarded and
    secured in real time.
   Called the Disaster
    Recovery system, it is
    remotely located and
    only few concerned
    people know about it
Gear box: Levels of security
   May be based on NIST level
    5 framework
   Level 1:Security policy
    documented
   Level 2:Documented
    procedures and controls to
    implement policy
   Level 3:Procedures and
    controls have been
    implemented
   Level 4:Procedures &
    controls have been tested
    and reviewed
   Level 5:Fully integrated into
    a comprehensive program
Clutch
   Interim security
    procedures
   These are in place
    while shifting
    systems
   Also includes
    training and
    awareness during
    the change process
    from one level to
    another
Accelerator
   Rate of investing in
    information security
   This is a monitored
    factor ( burn rate ) by
    the senior management
   There cannot be a
    massive surge in
    spending all of a sudden
   Accelerator cannot be
    taken above a certain
    limit without explicit
    permission
Compass
   Navigator
   When moving along
    several dimensions
   Will give a sense of
    direction
Thank You !!!!!




   mmpant@mmpant.org

				
DOCUMENT INFO