Gain a comprehensive understanding of information systems security management through this training, covering topics such as MIS concepts, information security, security policy, and governance. Learn how to protect information assets from threats and ensure confidentiality, integrity, and availability.
Objectives of ISSM Training
• Understand various MIS concepts
• Define information security
• Explain the rationale for protecting information systems
• Describe the triad threats: confidentiality, integrity and availability
• Security policy
• ISSM governance
Training overview
• Chapter 1: Information Systems
• Chapter 2: Information Security: what is it and why?
• Chapter 3: Understanding ISSM Systems
• Chapter 4: Security Policy
• Chapter 5: Protect yourself and the company: Information Systems Controls
• Chapter 6: Information Security
• Chapter 7: Governance: Your Responsibility
Opening Remarks
• "One of the greatest threats to information security could actually come from within the organization. Inside attacks have been noted to be some of the most dangerous since employees are already quite familiar with the infrastructure. It is not always disgruntled workers and corporate spies who are a threat. Often, it is the non-malicious, uninformed employee who can do harm to your network by visiting websites infected with malware, responding to phishing emails, storing their login information in an unsecured location, or even giving out sensitive information over the phone when exposed to social engineering." (SANS Institute)
Data versus Information
• Data: raw facts
• Information: the result of processing data
Data resource management
• A resource is an asset that is used in the production of goods and services.
• Data is a resource because it is the raw material for:
  • Operational efficiency
  • Decision making
  • Planning
  • Management control
  • The firm's strategic position
• Money is in the information: if information is lost or stolen, then money is lost, either directly or indirectly.
Levels of management and MIS used
• Operational support: transaction processing systems (TPS) support the operations through which products are designed, marketed, produced, and delivered.
• Support of knowledge work: concerned with sectional heads (sales, production, finance, etc.). This level of management is responsible for policy implementation and decision making.
• Management support: concerned with the overall direction of the organization and long-term planning. Their systems should support flexible summarized reports in dashboards with drill-down capability that provide information at the touch of a button, using data from inside the organization as well as external data.
What is information security?
• The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• Information security is achieved by implementing technical, management, and operational measures designed to protect the confidentiality, integrity and availability of information.
Why? Rationale for Protecting Information
• The three threats to information systems:
  • Confidentiality: protecting information from unauthorized disclosure to people or processes.
  • Integrity: assuring the reliability and accuracy of information and IT resources.
  • Availability: ensuring accessibility of resources when needed by defending information systems and resources from malicious, unauthorized users.
• Collectively known as the CIA triad.
Key terminologies
• Threat: the potential to cause unauthorized disclosure, changes, or destruction to an asset. Threats can be classified as natural or man-made.
• Vulnerability: a weakness or flaw that can be exploited and could result in a breach or a violation of a system's security policy.
• Asset: anything that has value to an organization, tangible or intangible.
• Risk: the likelihood that a threat will exploit a vulnerability.
• Controls: policies, procedures, and practices designed to manage risk and protect IT assets.
Goal of ISSM
• The goal of information security is to protect the confidentiality, availability, and integrity of information and information systems.
Focus of ISSM
• Information processes, physical and electronic, regardless of whether they involve people and technology or relationships with trading partners, customers and third parties.
• Information protection (confidentiality, availability and integrity) throughout the life cycle of the information and its use within the organization.
Strategic view of ISSM
• Reduce adverse impacts on the organization to an acceptable level of risk.
• Protect information assets against the risk of loss, operational discontinuity, misuse, unauthorized disclosure, inaccessibility and damage.
• Protect against the ever-increasing potential for civil or legal liability that organizations face as a result of information inaccuracy and loss, or the absence of due care in its protection.
ISSM Triad 1: Confidentiality
• Ensuring the privacy of data.
• Physically restrict access to sensitive data (lock and key).
• Logically restrict access to sensitive data: use a firewall to deny access to network resources such as routers, servers and user computers.
• Use appropriate usernames and passwords to prevent unauthorized access.
• Encrypt data (obfuscate or scramble it) as it is transmitted from one location to the other, and decrypt it when it reaches the destination.
• How do you encrypt and decrypt data? You use a key (like a password, but much stronger) and an encryption algorithm, a mathematical function implemented by software such as Outlook.
ISSM Triad 2: Integrity
• Assurance that data has not been modified in transit; check that data originates from the appropriate source.
• Examples of integrity violations:
  • Modification of financial records
  • Interception and alteration of e-commerce records
  • Unauthorized modification of the NHC website to mislead
• The best way to ensure integrity is to use a hash function, also called one-way encryption (if you encrypt you cannot decrypt):
  • it is easy to compute the hash value for any given message
  • it is infeasible to generate a message from its hash
  • it is infeasible to modify a message without changing the hash
  • it is infeasible to find two different messages with the same hash
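The two integrity checks named above (detecting modification, and checking that data came from the expected source) as an added example in Python; this is not code from the training deck. A plain hash catches modification; a keyed hash (HMAC) with a shared secret additionally ties the record to whoever holds the key. The record and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed demo secret shared by sender and receiver (not from the deck).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def digest(message: bytes) -> str:
    """One-way hash: easy to compute, infeasible to invert or to collide."""
    return hashlib.sha256(message).hexdigest()


def sign(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed hash (HMAC-SHA256). A matching tag proves both that the bytes
    are unchanged and that the sender held the key, i.e. origin + integrity.
    A bare hash cannot prove origin: anyone can recompute it after editing."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """compare_digest runs in constant time, so a remote party cannot learn
    how many leading tag characters matched from timing differences."""
    return hmac.compare_digest(sign(message, key), tag)


def demo() -> dict:
    # Constructed financial record, then a one-digit tampering of the amount.
    record = b"ACCOUNT=4711;AMOUNT=100.00;CURRENCY=USD"
    tampered = b"ACCOUNT=4711;AMOUNT=1000.00;CURRENCY=USD"
    tag = sign(record)
    return {
        "hash_changes_on_edit": digest(record) != digest(tampered),
        "genuine_verifies": verify(record, tag),
        "tampered_rejected": not verify(tampered, tag),
        "wrong_key_rejected": not verify(record, tag, b"some-other-key"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```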
ISSM Triad 3: Availability
• Pertains to the accessibility of a service, e.g. if the whole ERP is down, the security objective of availability has not been met.
• A server or service can be brought down if someone sends incorrectly formatted data crafted to crash the system.
• A denial of service attack is ongoing when an attacker floods the server with so much data traffic or so many requests that the system is overwhelmed.
• A typical denial of service is where an attacker exploits very many computers to work together (a robot network or botnet), unknown to their owners, to attack a specific network, e.g. an e-government website or web server. The attacker can flood the website with millions of requests, the equivalent of millions of people opening the website at once, thus denying legitimate users the service.
C3: Understanding ISSM Systems
Information states
• Information is not a static entity. Information states refer to where in the information system's environment the information to be protected may be found: in processing, storage, or transmission.
• Processing: when programs are loaded to perform computations and comparisons on data. Safeguards for this state:
  • Ensure the operating systems are well configured and hardened against known attacks
  • Anti-virus software is installed and up to date
  • Application software passes information auditing and security baselines
  • Installation of network security appliances and firewalls to deny unauthorized users or applications access to the network
Security measures
• Security measures to implement and sustain information security involve policy and procedures, technology, and awareness of the users and administrators of the systems.
• Policy and procedures: information security policies define the organization's rules and expectations regarding access, protection, and accountability for information assets and resources.
• Technology: helps enforce information security policies, defends against information system vulnerabilities and threats, and facilitates quick response when information security incidents occur.
• System and network administrators and users: administrators and users of information systems must understand their responsibilities for information security, and execute appropriate procedures to sustain and improve the security of information assets and resources.
Security and Proprietary Information
• All computing devices that connect to the internal network must comply with the Minimum Access Policy.
• System-level and user-level passwords must comply with the Password Policy.
• Providing access to another individual, either deliberately or through failure to secure your access, is prohibited.
• All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
• Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
C3: Security Policy Objectives
• Describe an information security policy
• Describe a standard
• Describe a guideline
• Describe a procedure
• Understand email policy
• Understand password policy
• Have a basis for examining information systems policies, standards and guidelines
"It's unfortunate that sometimes instead of the donkey leading the cart, the cart leads the donkey. By this, I mean that sometimes policies and procedures are developed as a result of a negative event or an audit. The audit or policy shouldn't be driving the process; the assessment should be. The assessment's purpose is to give management the tools needed to examine all currently identified concerns. From this, management can prioritize the level of exposure they are comfortable with and select an appropriate level of control. This level of control should then be locked into policy." (Michael Gregg, CISSP, Security-Management Practices)
C3: Security policy, continued
Policy
• An information security policy consists of high-level statements relating to the protection of information across the business and should be produced by senior management.
• These documents are at the top tier of formalized security documents.
• These high-level documents offer a general statement about the organization's assets and what level of protection they should have.
• Well-written policies should spell out who is responsible for security, what needs to be protected, and what is an acceptable level of risk.
• Policies are much like a strategic plan: they outline what should be done but do not specifically dictate how to accomplish the stated goals. Those decisions are left for standards, baselines, and procedures.
• From a legal and compliance perspective, an information security policy is often viewed as a commitment from senior management to protect information.
Standards, baselines, guidelines and procedures in ISSM
Standards
• Standards consist of specific, low-level, mandatory controls that help enforce and support the information security policy. Standards are much more specific than policies.
• Standards are tactical documents because they lay out specific steps or processes required to meet a certain requirement.
• As an example, a standard might set a mandatory requirement that all email communication be encrypted. Although it specifies the requirement, it does not spell out how it is to be done; that is left for the procedure.
Baselines
• A baseline is a minimum level of security that a system, network, or device must adhere to. Baselines are usually drawn from industry standards, e.g. an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) rating.
Guidelines
• Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
• A guideline is a recommendation or suggestion of how things should be done. It is meant to be flexible so it can be customized for individual situations.
• Whereas guidelines are used to determine a recommended course of action, best practices are used to gauge liability. Best practices state what other competent security professionals would have done in the same or similar situation.
Procedures
• A procedure is the most specific of security documents: a detailed, in-depth, step-by-step document that details exactly what is to be done.
• Because procedures are so detailed, they are tied to specific technologies and devices.
Components of an information security policy
• Statement of Authority: an introduction to the information security policies
• Policy Headings: logistical information (security domain, policy number, name of organization, effective date, author, change control documentation or number)
• Policy Objectives: states what we are trying to achieve by implementing the policy
• Policy Statement of Purpose: why the policy was adopted, and how it will be implemented
• Policy Audience: states who the policy is intended for
• Policy Statement: how the policy will be implemented; the rules
• Policy Exceptions: special situations calling for an exception to the normal, accepted rules
• Policy Enforcement Clause: consequences for violation
• Policy Definitions: a glossary to ensure that the target audience understands the policy
Information Security Policy Template
• Example information security policy templates are based on those of SANS (SysAdmin, Audit, Networking, and Security).
• SANS is a widely trusted source of information security best practices.
• It classifies information security policies into General, Network, Server and Application categories.
Categories of Information Security Policy
General security policies include:
• Acceptable Use Policy: defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.
• Email Policy: defines the requirements for proper use of the company email system and makes users aware of what is considered acceptable and unacceptable use of its email system.
• Password Construction Guidelines: defines the guidelines and best practices for the creation of strong passwords.
• Password Protection Policy: defines the standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
Other categories of information security policy:
• Network Security: acquisition assessment and the security of the various network devices
• Server Security: deals with databases, servers, software installation, etc.
• Application Security: Web Application Security Policy
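A Password Construction Guideline is only useful if it can be enforced at the point where a password is set. The checker below is an added Python example, not part of the deck or of the SANS templates; the rule values (minimum length, character classes, deny list) are constructed assumptions, since the deck names the guideline but does not state its rules. It returns every rule a candidate violates, so a user can be told all problems at once rather than one per attempt.

```python
import re
from typing import List

# Constructed policy values for this example; a real guideline sets its own.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3           # out of: lowercase, uppercase, digit, symbol
DENY_LIST = {"password", "welcome", "letmein", "qwerty", "123456"}

CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the list of violated rules (empty list means the password
    passes the constructed guideline). Rule codes are stable strings so a
    caller can map them to user-facing messages."""
    problems: List[str] = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")

    classes_present = sum(
        1 for pattern in CLASS_PATTERNS.values() if re.search(pattern, candidate)
    )
    if classes_present < MIN_CHAR_CLASSES:
        problems.append("too_few_classes")

    # Reusing the account name is a common weak choice; ignore very short
    # usernames so two-letter initials do not cause spurious rejections.
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains_username")

    if any(word in lowered for word in DENY_LIST):
        problems.append("common_word")

    # Three identical characters in a row ("aaa", "111", "!!!") indicate
    # padding to reach the length rule rather than genuine entropy.
    if re.search(r"(.)\1\1", candidate):
        problems.append("repeated_chars")

    return problems


if __name__ == "__main__":
    for pw, user in [("Tr0ub4dor&3xample", "alice"),
                     ("password123", "bob"),
                     ("Alice2024!!!!", "alice")]:
        print(f"{pw!r} for {user}: {check_password(pw, user) or 'OK'}")
```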
Data control approaches
• Administrative controls versus system controls
• Physical versus logical controls
What are information security controls?
• These are policies, procedures, and practices designed to manage risk and protect IT assets.
• Examples: security awareness and training programs; physical security, like guards, badges, and fences; and restricting access to systems that contain sensitive information.
Physical Access Controls
• Passwords/Personal Identification Numbers
  • An authentication mechanism based on what you know; they can be used to access buildings or information systems infrastructure.
• Access Control Smart Card
  • These smart cards use radio frequency identification chips to reliably identify employees and contractors, and grant access to buildings and information systems infrastructure.
  • They contain personally identifiable information about you and must be protected like a password.
  • Maintain possession of your card at all times.
  • If your card is lost or misplaced, report it to the security office immediately.
  • Keep your card in a secure badge holder to shield it against unauthorized reading.
• Tailgating
  • Physical security is an important information systems safeguard. Limiting physical access to information systems and infrastructure to authorized personnel diminishes the likelihood that information will be stolen or misused.
• Combat tailgating
  • Never allow anyone to follow you into the building or a secure area without his or her badge.
  • Be aware of procedures for entering a secure area, securing your workstation when you leave the office, and securing your workstation during emergencies.
  • Do not be afraid to challenge or report anyone who does not display a card or visitor's badge.
  • Escort visitors to and from your office and around the facility.
  • Do not allow anyone else to use your card for building or secure area access.
  • Report any suspicious activity to the security office.
Physical Security Guidelines
Guidelines that are implemented through manual procedures and equipment:
• Lock your computer when it is not in use.
• Remove your card when leaving your workstation. Do not leave it in the card reader.
• Store and transport removable media such as CDs, DVDs, flash drives and external hard drives in a secure manner to prevent theft or loss.
• Only connect authorized removable media devices.
• Keep sensitive information out of sight when visitors are present.
Risks and response strategies
Attacks
• An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset (Wikipedia).
• Structured attack: comes from hackers who are more highly motivated and technically competent.
• Unstructured attack: consists mostly of inexperienced individuals using easily available hacking tools such as shell scripts and password crackers.
• External attacks: initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network, mainly from the Internet.
• Internal attacks: more common and dangerous. Internal attacks are initiated by someone who has authorized access to the network.
• Active attack: attempts to alter system resources or affect their operation.
• Passive attack: attempts to learn or make use of information from the system but does not affect system resources.
Risk response strategies, cont.
Social engineering
• Social engineering is classically defined as the art of manipulating and exploiting human behavior to gain unauthorized access to systems and information for fraudulent or criminal purposes.
• Social engineering attacks are more common and more successful than computer hacking attacks against the network.
• Social engineering attacks are based on natural human desires like:
  • Trust
  • Desire to help
  • Desire to avoid conflict
  • Fear
  • Curiosity
  • Ignorance and carelessness
• Social engineers want any information that will give them access to the organization's systems or facilities. Common targets are:
  • Passwords
  • Security badges
  • Access to secure areas of the building
  • Uniforms
  • Smart phones
  • Wallets
  • Employees' personal information
Risk response strategies
Phishing attacks
• Phishing is a social engineering scam whereby intruders seek access to your personal information or passwords by posing as a legitimate business or organization with a legitimate reason to request information.
• Usually an email (or text) alerts you to a problem with your account and asks you to click on a link and provide information to correct the situation. These emails look real and often contain the organization's logo and trademark. The URL in the email resembles the legitimate web address, for example "Amazons.com".
• Spear phishing is an attack that targets a specific individual or business. The email is addressed to you and appears to be sent from an organization you know and trust, like a government agency or a professional association.
• Whaling is a phishing or spear phishing attack aimed at a senior official in the organization.
• Examples of phishing
  • Better Business Bureau complaint. Executives receive an email that looks like it comes from the Better Business Bureau. The message either details a complaint a customer has supposedly filed or claims the company has been accused of identity theft. The recipient is asked to click a link to contest the claim. Once the link is clicked, a computer virus is downloaded.
  • Travel trouble. An email appears to be a notice from an airline that you have purchased a ticket and arranged to check several bags. Many consumers, outraged because they never planned any such trip, click a link in the email to complain. The problem is, this click leads to an identity-theft page, where victims are asked to share sensitive data. If you receive such an email, simply ignore it.
• Combat phishing
  • Never disclose your password to anyone via email.
  • Be suspicious of any email that:
    • Requests personal information.
    • Contains spelling and grammatical errors.
    • Asks you to click on a link.
    • Is unexpected or from a company or organization with whom you do not have a relationship.
  • If you are suspicious of an email:
    • Do not click on the links provided in the email.
    • Do not open any attachments in the email.
    • Do not provide personal information or financial data.
    • Do forward the email to the information security incident office / IT department, and delete it from your mailbox.
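The "Amazons.com" lookalike above is something a mail gateway or help desk can check mechanically. The Python below is an added example, not code from the training deck: it pulls links out of a message body and flags a link when its registered domain is one or two edits away from a trusted brand domain, when a trusted brand name is buried in the subdomain of an unrelated site, or when the link is not https. The trusted-domain list and the sample email are constructed for the example; the check is generic, so it also covers domains other than the deck's single instance.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation genuinely deals with.
TRUSTED_DOMAINS = {"amazon.com", "example-bank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'amazons.com' vs 'amazon.com' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host (adequate for .com-style names; a
    public-suffix list would be needed for co.uk-style suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url: str) -> List[str]:
    """Return finding codes for one link; empty list means nothing suspicious."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    findings: List[str] = []
    if parsed.scheme != "https":
        findings.append("not_https")
    if IPV4_RE.fullmatch(host):
        findings.append("ip_literal_host")
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings
    subdomain_labels = host.lower().split(".")[:-2]
    for trusted in sorted(TRUSTED_DOMAINS):
        # Typo-squat: nearly the trusted name, but not it (amazons.com).
        if 0 < edit_distance(reg, trusted) <= 2:
            findings.append(f"lookalike_of:{trusted}")
        # Brand as a subdomain of an unrelated site (amazon.com.verify-login.net).
        if trusted.split(".")[0] in subdomain_labels:
            findings.append(f"brand_in_subdomain:{trusted}")
    return findings


def scan_email(body: str) -> Dict[str, List[str]]:
    """Map each suspicious link in the body to its findings."""
    results: Dict[str, List[str]] = {}
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")        # drop sentence punctuation glued to the URL
        findings = assess_url(url)
        if findings:
            results[url] = findings
    return results


# Constructed sample message in the style the deck describes.
SAMPLE_EMAIL = (
    "Your order could not be shipped. Review it at https://www.amazons.com/account. "
    "Alternatively sign in at http://amazon.com.verify-login.net/ or, if you prefer, "
    "open https://www.amazon.com/orders."
)

if __name__ == "__main__":
    for link, why in scan_email(SAMPLE_EMAIL).items():
        print(link, "->", ", ".join(why))
```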
Risk response strategies, cont.
Malware
• Malware, short for malicious software, does damage to, steals information from, or disrupts a computer system.
• Malware is commonly installed through email attachments, downloading infected files, or visiting an infected web site. It can corrupt files, erase your hard drive, or give a hacker access to your computer.
• Combat malware
  • Read email in plain text and do not use the preview pane.
  • Scan attachments with antivirus software before downloading.
  • Do not trust any attachments, even those that come from recognized senders.
  • Delete suspicious emails without opening them.
  • If you believe your computer is infected, report it to the security office.
Risk response strategies
Internet hoaxes
• Email messages that promise a free gift certificate to your favorite restaurant, plead for financial help for a sick child, or warn of a new computer virus are typically hoaxes designed for you to forward them to everyone you know.
• Mass distribution of email messages floods computer networks with traffic, slowing them down. This is a type of distributed denial-of-service (DDoS) attack.
• Combat Internet hoaxes
  • Do not forward chain letters, email spam, inappropriate messages, or unapproved newsletters and broadcast messages. You are most likely violating a Policy for Personal Use of Information Technology Resources.
  • Do not open emails from senders whom you do not recognize, or if you suspect that the email could be a hoax.
Risk response strategies, cont.
Spam
• Email spam is unsolicited messages sent to numerous recipients, similar to junk mail.
• Spam is dangerous because it can contain links that direct you to phishing websites or install malware on your computer.
• Studies estimate that between 70% and 95% of emails sent are spam.
• Combat spam
  • Never click on or download attachments from spam email.
  • Only provide your email address for legitimate business purposes.
  • Do not sign web site guest books, and limit your mailing list subscriptions. Spammers access these to obtain your email address.
Risk response strategies, cont.
Cookies
• A cookie is a text file that a website puts on your hard drive to save information that you typed in, like preferences or a user name.
• Cookies are helpful, but can be misused by attackers to compromise security. Cookies can also be used to track your activities on the web.
• Cookies pose a security risk because someone could access your personal information or invade your privacy.
• Combat cookies
  • Use cookies with caution.
  • Confirm that web sites that ask for personal information are encrypted and the URL begins with "https".
  • Be aware of the sites being visited. Always know there are inherent dangers once connected.
Risk response strategies, cont.
Security outside of the office
• Security researchers say that 35% of data breaches are caused by employees losing laptops or other mobile devices. Technology, teleworking, and job duties mean that many employees regularly work away from the office, often using their own devices.
• Always maintain possession of your laptop and other mobile devices.
• Ensure that the wireless security features are properly configured.
• Be cautious when establishing a VPN (Virtual Private Network) connection through a non-secure environment (e.g., a hotel). Do not work on sensitive material when using an insecure connection.
• Turn off/disable wireless capability when connected via LAN cable.
• Turn off your laptop while travelling so that encryption is enabled.
• Report a loss or theft of your laptop or other mobile device used at work immediately to your security POC.
Other teleworking good practices
These are practices which enhance your data security when working away from your office.
• Protect information and data while teleworking
  • Always keep your laptop in sight to prevent loss or theft.
  • Only use authorized equipment in authorized locations.
  • Use a screen protector so sensitive information cannot be seen by others.
  • Report lost or stolen equipment immediately.
• Safeguarding your home computer
  • Use passwords on personal computers and mobile devices.
  • Install and update antivirus software on your home computer.
  • Enable the firewall on your computer.
  • Routinely back up your files.
  • Follow the instructions in the user manual to enable encryption for your wireless router.
• Report an incident
  • Do not investigate the incident on your own. Immediately report suspected incidents, especially those that could compromise information, regardless of whether it is in electronic, paper, or oral format.