Is ISO 27001, an answer to Security Breaches?
RAMANA KROTHAPALLI
Agenda
Terms & Definitions
Information Security Standards & Best Practices
What is ISO 27001?
Why is ISO 27001 Popular?
Security breaches – could these have been avoided?
Things you can do
Terms & Definitions
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
HLS: High Level Structure
Control: any process, policy, procedure, guideline, practice or organisational structure, whether administrative, technical, managerial or legal in nature, that manages information security risk
Objective: statement describing what is to be achieved as a result of implementing controls
Data Breach: a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual not authorized to do so
Information Security Standards / Best Practices
ISO 27001:2013
NIST SP 800 Series - National Institute of Standards and Technology Special Publications
COBIT - Control Objectives for Information and Related Technology
SOGP – Standard of Good Practice
PCI DSS - Payment Card Industry Data Security Standard
HIPAA - Health Insurance Portability and Accountability Act of 1996
SANS Best Practices
What is ISO 27001?
ISO 27001:2013 is an International Standard specifying requirements for information security management systems (ISMS)
It is a certifiable standard from the ISO 27000 series of standards, also known as the ISMS family of standards
Published by ISO & IEC
Organisations meeting the requirements may gain an official certification issued by an independent and accredited certification body on completion of a formal audit process
The official title of the standard is "Information technology — Security techniques — Information security management systems — Requirements"
Has 10 clauses and an annex (Annex A) that lists 114 controls and their objectives, grouped into 14 domains
Why is ISO 27001 Popular?
Information security is the biggest driver for companies
Generic standard for implementing an ISMS
Technology neutral
Globally recognised & accepted
Compliance with business, legal, contractual and regulatory requirements
HLS that allows easier integration with other ISO Standards
Risk-based approach to identify appropriate security requirements
Process approach – alignment with business objectives
Recent Security Breaches
Disclaimer
The discussions are based on the news in the public domain and a few assumptions. The complete information about the massive security breaches is not available in the public domain. The sole idea of this session is to see if a management system approach to information security could help to prevent similar breaches, or at least improve the time to detection.
JP Morgan Chase
Hackers "exploited an employee's access to a development server as part of the attack on a JPMorgan Chase & Co. server that led to the theft of data on 76 million households and 7 million small businesses".
Source: JPMorgan Password Leads Hackers to 76 Million Households
So much data accessible using just one employee's access rights?
A.9.4.3: "Password management systems shall be interactive and shall ensure quality passwords"
A.12.1.4: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment
Hackers used multiple custom-crafted bits of malware to infiltrate
A.12.2.1: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness
Hackers spent months pulling data from the servers
A.12.6.1: The organization's exposure to such vulnerabilities shall be evaluated and appropriate measures taken to address the associated risk.
Sony Pictures
The hack was a release of confidential data belonging to Sony Pictures Entertainment; the data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information.
Duration of the hack is unknown, though evidence suggests that the intrusion occurred for more than a year.
Article on SC Magazine: "Could the Sony breach have been prevented?"
http://www.scmagazine.com/could-the-sony-breach-have-been-prevented/article/394249/
One of Sony's biggest problems wasn't being hacked; it was failing to detect the hack until it became public.
A.12.7: Information systems audit considerations - minimise the impact of audit activities on operational systems
A.18.2.1: Independent review of information security
A.12.6.1: The organization's exposure to such vulnerabilities shall be evaluated and appropriate measures taken to address the associated risk.
Sony hack leaked 47,000 Social Security numbers
A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information
Anthem Healthcare
Personal records of as many as 80 million individuals were compromised.
Anthem data was encrypted in transit (on the wire) but not at rest (in storage)
A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information
The attack was discovered when a database administrator noticed unauthorized queries running with admin credentials
A.12.4.3: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed
An outsider could have phished the credentials from an employee
A.9.1.1: An access control policy shall be established, documented and reviewed based on business and information security requirements
(Context-aware access control could have stopped an outsider, even one holding phished credentials, by examining where the authentication session was coming from, what platform was in use, and similar signals.)
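As an added illustration of the A.12.4.3 log review and the context-aware check described above (example code written for this page, not Anthem's or ISO's own tooling): a small review of database audit records that flags admin-credential sessions coming from outside the assumed admin jump-host subnet, from an unapproved client platform, or outside business hours, plus bulk reads of a sensitive table. The log format, subnet, client names and thresholds are all assumptions; the log lines are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed sample audit log (not real data): timestamp|user|role|src_ip|client|rows|statement
SAMPLE_LOG = """\
2015-01-27T09:12:03|dba_jane|admin|10.20.1.15|psql/9.3|12|SELECT * FROM members WHERE id=...
2015-01-27T23:41:50|dba_jane|admin|198.51.100.7|python-requests/2.5|4800000|SELECT * FROM members
2015-01-27T10:02:11|app_svc|service|10.20.5.40|app-server/1.0|1|SELECT name FROM members WHERE id=...
2015-01-28T02:15:09|dba_bob|admin|10.20.1.16|psql/9.3|2000000|SELECT ssn, dob FROM members"""

# Assumed policy (hypothetical values): admin sessions only from the admin jump-host subnet,
# only via an approved client, only during business hours; bulk reads of the sensitive
# "members" table are always reported regardless of who issued them.
ADMIN_SUBNET = ipaddress.ip_network("10.20.1.0/24")
APPROVED_ADMIN_CLIENTS = ("psql/",)
BUSINESS_HOURS = range(8, 19)      # 08:00 to 18:59
BULK_ROW_THRESHOLD = 100_000

def parse_line(line):
    """Split one pipe-delimited audit record into typed fields."""
    ts, user, role, src, client, rows, stmt = line.split("|", 6)
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "src": ipaddress.ip_address(src), "client": client,
            "rows": int(rows), "stmt": stmt}

def review_admin_activity(log_text):
    """Return (line_no, user, reasons) for every record that breaks the assumed policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse_line(line)
        reasons = []
        if e["role"] == "admin":
            if e["src"] not in ADMIN_SUBNET:
                reasons.append("admin session from outside admin subnet")
            if not e["client"].startswith(APPROVED_ADMIN_CLIENTS):
                reasons.append("unapproved client platform")
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append("outside business hours")
        if e["rows"] >= BULK_ROW_THRESHOLD and "members" in e["stmt"]:
            reasons.append("bulk read of sensitive table")
        if reasons:
            findings.append((n, e["user"], reasons))
    return findings

if __name__ == "__main__":
    for n, user, reasons in review_admin_activity(SAMPLE_LOG):
        print(f"line {n} ({user}): " + "; ".join(reasons))
```

On the constructed sample, the second record (external address, scripted client, late night, bulk read) and the fourth (valid admin host but a 2 a.m. bulk read of the sensitive table) are reported; the routine entries are not.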
Green's Accounting
Stolen Server Exposes Accounting Clients' Personal Data. The server held unencrypted data, including clients' names, addresses, Social Security numbers and bank account numbers.
The burglars broke in by smashing the office's back window with a rock, then stole the firm's network server.
A.11.1: Controls to prevent unauthorized physical access
A.11.2.1: Equipment shall be sited and protected to reduce the risks from unauthorized access
A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information
Things you can do
Implement Security Policies & Procedures
Security Awareness Training
Vulnerability Assessments – Internal & External
Penetration Testing – Internal & External
Social Engineering Exercises
Enterprise Security Assessments
Administrative Safeguards
Technical Safeguards
Physical Safeguards
THANK YOU!