International Computing Centre, Information Security
OECD, April 2001
Managing Information Security
Ed Gelbstein, International Computing Centre, Geneva
Asset valuation
What is the business value of:
Data
Intellectual property
Systems (sw/hw)
Documents
The Organisation’s reputation
if disclosed
modified
unavailable
destroyed
etc.
How do you respond?
Option 1:
"Hackers please note: this facility is secured Monday and Friday, 09:00 to 17:00 CET. Please do not visit at any other time. We thank you for your understanding."
Option 2:
Emergency response plan + team
Key components
Ownership and culture
Policies
Processes and tools
Autopsies, diagnostics, audits
Ownership
Anybody
Somebody
Everybody
Nobody
Culture
Security management is a way of life
It relies on everyone
It requires many processes
It may contain many projects but it has no end
Only the paranoid survive
Threatscape
Internal
External
Physical
Logical
Sabotage
Misuse / fraud
Unauthorised access
Unauthorised change
Unauthorised disclosure
Destruction of data
Malicious software
Stupidity
Weaknesses in systems
Weaknesses in products
Cyber-attack (DoS / DDoS)
Cyber-attack (EMP)
Data blackmail
and many more...
Threatscape (2)
Most pervasive
Most expensive
Most publicised
Most frequent
Virus, worm, trojan horse
Insider fraud, sabotage
Theft of proprietary information
Attacks on e-business: theft of credit card data, Denial of Service
Developers' mistakes
Poor configuration
Poor system administration
Building blocks
Change control
Backup / restore
Media management
Disaster recovery
Business continuity
Crisis management
Physical access control
Logical access control
Infrastructure: no single point of failure; UPS and standby; clusters, fail-soft, alternative routing, RAID, ...
Diagnostics and monitoring
System administration
Audits
Policies
Best practices
Standards
Action plans
Key word: OWNERSHIP
Building blocks (2)
Confidentiality
Integrity
Authorisation
Authentication
Audit trail
Non-repudiation
Risk assessment
Communications
Risk management
Alert monitoring
Tools and products
Organisation: incident detection, incident response
Staff vetting
Training
Tests and audits
Key word: OWNERSHIP
Policies
Scope
Documentation
Dissemination
Maintenance
Compliance
Non-compliance
Scope of policies
E-mail
Passwords
System / resource access
Database administration
Encryption
Backup / restore / disaster recovery
Physical access and remote access
Software installation
Change control
list continues...
Scope of policies (2)
Acceptable use
Monitoring and audits
Mobile computing
Wireless computing
Privacy
Staff background checks
and more...
E-mail policy includes...
Virus, worm, other infectious software
Executable code
Audio and video files
Other large files
Encryption
Non-disclosure
Offensive language / material
Legal liability (harassment, copyright, libel, etc.)
Junk e-mail and other loss of productivity
Personal use of corporate e-mail
Archival
and so on...
Vigilance
Alerts (Vendor, CERT, FBI, other)
Attacks (who, when, how)
Hacker tools, communiques, websites
Disgruntled staff, behavioural changes
etc
Security rings
Data access rights
Database security
System security
LAN and server security
Firewall security
Authentication
etc., etc., etc.
What does it take to get through each of these layers?
Tools and products
Firewalls and antivirus software
Resource access controls
Encryption
Digital certificates
Proxy / reverse proxy servers
Intrusion detection systems
Software integrity checkers
Log analysis tools
and so on...
"Out of the box" may not be enough
Many choices
Certification, audits, etc.
Tests, audits, post-mortems, certification
Like your annual medical: it's no guarantee of good health, but it might diagnose a problem.
Who tests the testers?
How do you know you have not been attacked?
Be vigilant, be silent...
"Yes, we have been attacked and are very aware of the flaws in our security"
Risk of losing credibility and of inviting trouble
"Our security is superb and we are totally confident in our ability to stay ahead"
A challenge to every cracker and script kiddie to prove you wrong