740 likes | 880 Views
Does IT Security Matter…. Does Information Security Matter?. Anton Otto Fischer. “A careless word… a needless sinking” 1943. IT Security and Privacy. GROUP 5:
E N D
Does IT Security Matter… Does Information Security Matter? Anton Otto Fischer “A careless word… a needless sinking” 1943
IT Security and Privacy GROUP 5: Natalia Hardey Christopher Boyce Christopher Rodelas Michael Bruns Irene Budiono
Agenda • Introduction • Video • IT Security at a Glance • Common IT Security Risks & Costs Involved • IT Security Technologies • Legislations • CSO/CISO Roles • Case Studies • Midwestern University • U.S. Army • Summary of Best Practices • Organizations • Individuals • Q & A
It’s not just the technology… http://www.youtube.com/watch?v=dy4VJP-lZpA
Recent IT Breaches • July 2008, University of Nebraska at Kearney – SSNs unaccounted for on university computers • January 2009, White House – “Chinese hackers crack White House” • January 2009, CheckFree Corp. – Five million E-Pay records hacked • January 2009, Heartland Payment Systems – Malicious software on payment processing network • January 2009, U.S. Military – soldiers SSNs found on thrift-store USB drive
Information Security • Information Security Definition • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide: • Confidentiality : Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; • Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; and • Availability:Ensuring timely and reliable access to and use of information.
Common Security Threats • Vulnerability Issues • CIA Triad • Confidentiality • Integrity • Availability Mainly Concerned with Information. • ParkerianHexad. • CIA Triad PLUS: • Possession • Authenticity • Utility Still Concerned with Information.
Information Security • Types of Information Security • Products (Physical Security) • People (Personal Security) • Procedures (Organizational Security)
Common Security Threats • Behavioral • Often Referred to as ‘Social Engineering’ • Phishing Scams • Password Cracking • Disclosure of Financial Information • Disclosure of Personal Information Often Used in Conjunction with Malware • Malicious Software (Malware) • Spyware and Adware • Bots (Backdoors) • Viruses, Worms, and Trojans
n=577 The security practitioners ranked “cloud computing”, mobility, cybercrime and databreach as major threats to organizations’ confidential and sensitive data.
Mega Trends – IT Security Cloud Computing Mobile Workforce Cybercrime Outsourcing Data Breach
Costs of IT Security Incidents to Organizations 2008 n=144 Although erratic, costs seem to be declining as time progresses
Costs of IT Security Incidents to Organizations Contrary to what many people believe, viruses are not the most costly incidents that can affect an organization http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
Security Spending and Justification (CSI 2008 Summary) • 53% of Respondents allocate no more than 5% of their IT Budget to IT Security • 42% Spent less than 1% of their security dollars on awareness programs • Low spending due to perceived financial benefits of security investments • (ROI, NPV, IRR) • Security Insurance
IT Security Technology Used • CSI 2008 Summary
Reasons for not reporting an Incident (CSI 2008 Summary) On a scale of 1-7 with 1 being least important and 7 being most important
Legislation – IT Security 17 American Recovery and Reinvestment Act • President Barack H. Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA) • A significant portion of the ARRA's stimulus expenditures and measures are related to health information technology (HIT) and incentives to adopt electronic health record (EHR) systems.
Legislation – IT Security • FERPA • “The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education” • http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html • Outcome: • Rights transferred from parents once students reach 18, or no longer in high school. • Gives “Eligible Students” privacy of their education results. • Rights to inspect, review, and correct their information. • Schools must acknowledge parents and eligible students their rights each year. 18
Legislation – IT Security • HIPAA • Health Insurance Portability and Accountability Act of 1996. • Establish national standards for the security of electronic health care information. • Outcome: • Protects patients’ privacy on their personal information. • Health providers is subject to civil & criminal penalties if they violate the patients’ rights under HIPAA. • Up to $25,000 for multiple violations for the same standard in a calendar year. • Up to $250,000 and/or 10 years in jail, if knowing any misuse of patients’ information.
Legislation – IT Security Sarbanes-Oxley Act of 2002 Section 404 of the act addresses testing of general computer controls, such as: data center operating controls, system software controls, access security controls, and application system development and maintenance.
LEGISLATION – IT SECURITY • Federal Information Security Management Act (2002) 1. Inventory and Categorization of Information Systems 2. Security Controls 3. Risk Assessment 4. System Security Plan 5. Certification and Accreditation 6. Continues Monitoring
LEGISLATION – IT SECURITY • Created the Chief Information Security Officer (CISO) role • Established the CISO Council • Enhanced the continuous monitoring process • Required additional reporting from DHS Federal Information Security Management Act (2008)
Why CISO role created? • Enforce Security Standards and Compliances • Demonstrate to CxOs positive payback for the organization’s goals & strategy from IT investments • Control and track IT spending (esp. security costs) • Assist other senior managers to achieve business goals and protecting their information • Comply with annual audit requirements
Company Overview • University Population: 20,000 • FY2009 Budget: between $100 & $300 Million • IT Department: Very centralized • Employees: ~60 • IT Spend: 7% (higher than average) • IT Security Spend: ~5% of total IT Spend • Customers : Students, Faculty/Staff, Guests, Patients
Top Threats • Phishing (#1 threat) • Security Awareness • Denial of Service • Password Sharing • Malware, Spyware, Bots, etc • Human error, to which there is no control over • Sabotage
Gaining the Upper-hand • Centralization • Forces campus wide policies and procedures • Network Access Control (NAC) System • Authenticates all IP addresses and user names • Continuously ensures that your system is up to date • New threat detection software • Allows for immediate response • Exploiting functionality on legacy software that went unused due to lack of staff • Legacy: obsolete systems that are still be in use
Network Access Security • Port locking in place for wired connection • Wireless access allowed • Treated as a hostile network • Stores IP and ID information • On a different network than University • Allows wireless usage to grow while mitigating threats
Examples of Practices in Place • Products (Physical Security) • Hard drives wiped with GDisk to DOD standards • Stolen property reported to CSO, police • Machines with student data encrypted • People (Personal Security) • Awareness / Education • Staff to assist with issues • Free anti-virus software for personal machines • Procedures (Organizational Security) • SSN Remediation Project • General Usage Agreement
Difficulties and Challenges • Largest obstacle is human (users) error • The “Higher Education Culture” • Staff often lack anti-spy/spam software • Staff generally have more sensitive data • Staff have unfettered access • No real restrictions except file sharing
Recent Developments • Security awareness is much better • Promotion, persuasion, mandates • Regulatory issues have become high on the priority list • HIPPA, FERPA, Credit Card Transactions • RIAA suits
Biggest Costs • Anti-Spam software is the most expensive • Data Discovery and Litigation Lawsuits • New Jan ’08 Federal Law requires that all data related to lawsuits (like a hiring discrimination lawsuit) must physically be put into secure locations • Anti-Virus Software • Firewall and Hardware • Network Access Control (NAC) Software
New Security Technology • Host-Based Intrusion Prevention System • Combats attacks at the device and server level • Complements existing investments in network-based IPS without relying on signatures that require near-constant updates • Currently very expensive and used little • Application Firewall • Limits which software applications have access and type of traffic (Such as Web Browser vs. P2P File-sharing)
Chilling Encrypted Data Princeton computer security researchers discovered that spraying an inverted can of "canned air" on RAM chips can “freeze” the data stored on the chips. Less than 1 percent of the bits decaying after 10 minutes without power. When the DRAM chips were cooled to liquid nitrogen temperatures, the Princeton group observed decay rates of 0.17 percent after 60 minutes without power.
Biggest Lessons Learned • More often than not, it takes a critical situation for security to be taken seriously • Human error is always the largest threat • The security is only as good as the people using it
U.S. Army Signal Corps Overview Size • U.S. Army: • 547,000 Active Duty • 358,200 Nat’l Guard • 206,000 Army Reserve • 65,000 Signal Corps Budget • U.S. Army: $140.7 Billion (FY09) 41
Signal Corps Mission Statement • The mission of the Signal Corps is to provide and manage communications and information systems support for the command and control of combined arms forces. Signal support includes Network Operations (information assurance, information dissemination management, and network management) andmanagement of the electromagnetic spectrum. Signal support encompasses all aspects of designing, installing, maintaining, and managing information networks to include communications links, computers, and other components of local and wide area networks. Signal forces plan, install, operate, and maintain voice and data communications networks that employ single and multi-channel satellite, tropospheric scatter, terrestrial microwave, switching, messaging, video-teleconferencing, visual information, and other related systems. They integrate tactical, strategic and sustaining base communications, information processing and management systems into a seamless global information network that supports knowledge dominance for Army, joint and coalition operations. 42
US Army Signal CorpsChain of Command NETCOM, the 9th Signal Command, has 17,000 soldiers, civilians, and contractors working for it and the various units under its command
U.S. Federal and Department of the Army ICT Spending (in Billions $)
Structure of Security Network • DOD Network Structure 3 Types of Networks: 1. DOD Machines on Non-DOD Network 2. DOD Machines on DOD Network • NIPR Network • SIPR Network 3. Tactical Networks • Constraints • Satellite Bandwidth • Small Units still communicate primarily by radio. • Physical Security of Fiber and Cable
Structure of Security Network • DOD Network Security • Software Security • DOD centrally disseminates security updates for software • Activity of all users monitored and logged • Physical Security Measures • No USB Devices allowed on DOD Networks • Offices are secured • Checklists exist for users and administrators • Vaulted computers for highly sensitive information
Structure of Security Network • DOD Network Security • Network Security Measures • Three Layers of Network Security • DOD • Army • Installation – Level • Password Management • Passwords must be changed every 90 days • Can’t roll back to previous 6 passwords • Network Breaches • Happen rarely, typically a ‘people problem’, not a network problem
DOD Information Security • DOD Information Security • Unclassified Info • Open to all • Need to Know (Not Subject to FOIA) • Classified Info All Classified Information is Need to Know • Secret • Top-Secret • Special Security Information
Largest IT Threats • What keeps IT Pros in the Army up at night? • People not following security regulations! • People are the weakest link in the Information Security chain • Software Security/Vulnerabilities aren’t a big concern!
Upcoming Technologies • Static Analysis Tools • Used to augment software testing • Looks for errors in code that cause security vulnerabilities • Doesn’t need to run program