
Management’s Role in Information Security

Management’s Role in Information Security. V.T. Raja, Ph.D., Oregon State University. Outline: Example: iPremier Company (HBR article); Background about the company; Business implications; Some recommendations for the future; Management’s role in information security.





Presentation Transcript


  1. Management’s Role in Information Security
  V.T. Raja, Ph.D., Oregon State University

  2. Outline
  • Example: iPremier Company (HBR article)
  • Background about the company
  • Business implications
  • Some recommendations for the future
  • Management’s role in information security
  • Framework for a balanced approach to security

  3. Example: DDoS attack on iPremier Company
  • For background about the company, refer to the MS Word document distributed in class.
  • Problems at the colocation facility:
    • iPremier employees could not get access to Qdata’s Network Operations Center (NOC)
    • Could not telnet over the T1 line that was supposed to let iPremier employees connect to Qdata
    • Qdata night-shift personnel were not very responsive to the situation and not that competent (no one knew anything about the network monitoring software, except for one individual who was on vacation)

  4. iPremier Example (Continued)
  • Unable to determine the extent of the damage (was the firewall penetrated? how deep is the penetration?)
  • Unable to determine if customer data was stolen (the CIO’s main immediate concern)
  • Unable to track (in a reasonable time frame) where the ‘Ha, ha, ha’ e-mails received by the “support” folks are originating
  • Even if the e-mail is tracked eventually, it leads to another “Zombie”

  5. iPremier’s Response to Attack: Very Poor
  • Tried to shut down traffic from “Zombies”; it didn’t work: for every zombie that was shut down, two new zombies joined the “party” automatically
  • Shut down the Web server
  • Unable to determine if they should call the “Seattle Police” or the “FBI”

  6. iPremier’s Response to Attack: Very Poor
  • Unable to determine if they should “disconnect the communication lines”
    • Initially the CIO and CTO discussed this: disconnecting might lose logging data that could help them figure out what happened (preserving evidence to find the root cause of the problem, and to decide what to disclose publicly)
    • Later they concluded that detailed logs had not been enabled
  • Unable to determine if they should call the “Seattle Police” or the “FBI”

  7. iPremier’s Response to Attack: Very Poor
  • How to handle PR (before information about the security breach leaks out)?
  • Unable to decide if all systems need to be rebuilt
  • What if a competitor files a lawsuit after the FBI determined that iPremier computers were performing a DoS attack?
  • Would a system rebuild imply wiping out any remaining proof of iPremier’s innocence?

  8. Some Business Implications for iPremier
  • Web server unavailable to legitimate customers
  • Unable to determine the “cost of downtime”
  • Bad reputation for the business
  • Lost customers
  • Loss of customer goodwill
  • Legal issues if customer data was compromised
  • Impact on stock price
  • Unknown damage to the network/business?
  • Attack stopped after about 75 minutes, without any intervention from iPremier or from Qdata
  • What if there was another attack?

  9. Some recommendations for iPremier
  • Revisit the choice of ‘colocation’ partner
    • Although an early entrant in the industry, Qdata lost any prospect of market leadership
    • Had not been quick to invest in advanced technology
    • Had experienced difficulty in retaining qualified staff
  • Create an incident response team
  • Enable secure remote access to network management software for the security team

  10. Some recommendations for iPremier
  • Discuss/implement procedures for:
    • Performing risk assessment
    • Measuring the cost of downtime
    • Filing a complaint with the appropriate authorities
    • Handling PR and legal issues

  11. Some recommendations for iPremier
  • Other examples of appropriate security/privacy measures:
    • More sophisticated firewall
    • Cryptography for sensitive data
    • Message integrity algorithms to determine if files have been modified/corrupted
    • Enable logging and determine the level of logging
    • Purchase disk space to enable higher levels of logging
    • Updated virus signature files and security patches
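The “message integrity algorithms to determine if files have been modified/corrupted” item above, as an added example that is not part of the original slide deck: a keyed HMAC-SHA256 manifest of a file tree is built from a trusted baseline and later checked to list modified, missing and added files. The key stops anyone who can edit files from also recomputing the tags; the file names, contents and key here are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

def file_tag(path, key):
    """Keyed HMAC-SHA256 over the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(root, key):
    """Map each file under root (relative path) to its tag; keep the result off-host."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_tag(full, key)
    return manifest

def verify_manifest(root, key, manifest):
    """Diff the current tree against a trusted manifest; returns sorted path lists."""
    current = build_manifest(root, key)
    modified = [p for p in manifest if p in current
                and not hmac.compare_digest(current[p], manifest[p])]
    return {"modified": sorted(modified),
            "missing": sorted(p for p in manifest if p not in current),
            "added": sorted(p for p in current if p not in manifest)}

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline three files, then simulate tampering."""
    key = b"example-key-kept-off-host"  # assumption: a real key comes from a secret store
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", b"<h1>shop</h1>")
        _write(root, "cgi/order.py", b"print('ok')")
        _write(root, "conf/app.cfg", b"debug=false")
        baseline = build_manifest(root, key)
        _write(root, "cgi/order.py", b"print('ok')  # edited")  # modified file
        os.remove(os.path.join(root, "conf/app.cfg"))           # missing file
        _write(root, "cgi/extra.py", b"pass")                   # added file
        return verify_manifest(root, key, baseline)
```

Running `demo()` returns the three categories of change; a deployment would store the baseline manifest and key off the monitored host and compare on a schedule or before deciding whether a rebuild is needed.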

  12. Some recommendations for iPremier
  • Design and document a recovery plan
  • Practice a simulated attack
  • Educate users about security and threats
  • Hire a good Chief Security Officer
  • Institute periodic third-party security audits

  13. Imperative Need for Secure Communication
  [Chart: Reported Security Incidents up to 1995. Source: CERT.ORG]

  14. Reported Security Incidents 1995 – 2003
  [Chart. Source: http://www.cert.org/present/cert-overview-trends/module-1.pdf]

  15. Discussion Questions
  • Identify some reasons why cyber attacks have been on the rise.
  • What is your opinion about government, academic institutions and industry collaborating to provide cyber security solutions?
  • What do you think should be management’s role in information security?

  16. Barriers to Cyber Security
  • Worldwide diffusion of the Internet
  • Adversaries of unknown origin and intent, distributed worldwide:
    • Hackers, virus writers
    • Criminal groups, terrorists
    • Disgruntled current or former employees
    • Foreign intelligence services; information warfare by foreign militaries and governments
    • Corporate espionage

  17. Barriers to Cyber Security
  • Hacking tools readily available on the Internet (scores of hacker publications, bulletin boards and web sites dealing with “hacking tips”)
  • Extensive partnering network
    • More difficult to define the boundaries of information systems (IS)
  • Java applets enhance interaction with customers and suppliers
    • This technology capability requires programs created by external entities to run on the organization’s machines
    • Not possible to determine the full impact of each and every applet prior to running it

  18. Barriers to Cyber Security
  • Lack of a good security policy
  • Lax attitude towards security:
    • E-mail account of a dismissed employee not deleted after the employee has left the organization
    • Protecting content during transmission, but not after transmission
    • George Mason University: moved from SSN to SID; ID theft of 30,000 SSNs
    • Bank of America (backup tapes lost)
    • Intrusion detection logs not maintained
    • Virus signature files/security patches not updated

  19. Barriers to Security
  • Organizational characteristics:
    • Lack of structure
    • Business environment
    • Culture
  • Lack of Standard Operating Procedures
  • Lack of Education, Training, and Awareness
  • Lack of understanding/appreciation of technology
  • Lack of leadership from senior management

  20. Management’s Role in Information Security
  • Total/perfect security is a myth
  • Critical asset identification
  • Initial risk assessment
  • Risk assessment as a continuous process
  • Creating a security team
  • Initiate and actively participate in the planning/design/documentation/testing of the security policy
  • Initiate and actively participate in the planning/design/documentation/testing of the recovery/response policy

  21. Management’s Role in Information Security
  • Be actively involved in establishing standard operating procedures
  • Develop and maintain an appropriate organizational culture
  • Ensure employees are educated and trained regarding the importance of following the security policy
  • Have an understanding of what each security tool proposed by the IT team can or cannot do

  22. Management’s Role in Information Security
  • Have a good control environment:
    • Physical controls
    • Data/content controls
    • Implementation controls (outsourcing)
    • Operations/administrative controls
    • Application controls specific to individual system components/applications (e.g., limiting e-mail attachments)

  23. Management’s Role in Information Security
  • Recognize that security is a socio-technical issue
  • Recognize that security requires an end-to-end view of business processes
  • Achieve a balanced approach to security, one that does not solely focus on technological solutions
  • Recognize that security rests on three cornerstones

  24. Three Cornerstones: Technology
  • Have an understanding/appreciation of technology:
    • Firewalls
    • IDS/IPS systems
    • Antivirus/security patches
    • Symmetric and public key cryptography for confidentiality, authentication, integrity and non-repudiation
    • Secure servers
    • VPNs
  • Evaluation of potential technology acquisitions based on their impact on security

  25. Three Cornerstones: Organization
  • Organizational characteristics, typically under the control of the organization:
    • Structure
    • Business environment
    • Culture
    • Policies and responses
    • Standard Operating Procedures
    • Education, Training, and Awareness

  26. Three Cornerstones: Critical Infrastructure
  • Infrastructure that is so vital that its damage or destruction would have a debilitating impact on the physical or economic security of the country:
    • Telecommunications
    • Banking
    • Energy

  27. Why should government/academic institutions/industry collaborate?
  • In each other’s interest: critical infrastructure (CI) is in large part owned by the private sector, used by both the private and public sectors, and protected in large part by the public sector
  • Need to discuss problems and exchange ideas and solutions to cyber attacks/misuse
  • Resource/cost/information sharing
  • Opportunity to play a role in the evolution of “best practices”
  • Help shape legal and government policies in areas of mutual concern; appropriate guidance for rapid additional protection measures

  28. CERT
  Source: http://www.us-cert.gov/

  29. What does CERT do?

  30. What is Management’s role?
  [Diagram: four boxes labelled Security Organization, Security Management, Security Technology and Security Infrastructure]
  • Management ties everything together
  • Responsibility
  • Ownership
  Security is a mindset, not a service. It must be a part of all decisions and implementations.
