Management’s Role in Information Security
V.T. Raja, Ph.D., Oregon State University

Outline
• Example: iPremier Company (HBR article)
  • Background about the company
  • Business implications
  • Some recommendations for the future
• Management’s role in information security
• Framework for a balanced approach to security
Example: DDoS attack on iPremier Company
• For background about the company, refer to the MS Word document distributed in class.
• Problems at the colocation facility:
  • iPremier employees could not get access to Qdata’s Network Operations Center (NOC)
  • Could not telnet over the T1 line that was supposed to permit iPremier employees to connect to Qdata
  • Qdata night-shift personnel were not very responsive to the situation and not that competent (no one who knew anything about the network monitoring software, except for one individual who was on vacation)
iPremier Example (Continued)
• Unable to determine the extent of damage (was the firewall penetrated? How deep is the penetration?)
• Unable to determine if customer data was stolen (the CIO’s main immediate concern)
• Unable to track (in a reasonable time frame) where the ‘Ha, ha, ha’ e-mails received by “support” folks were originating
• Even if an e-mail is tracked eventually, it leads only to another “Zombie”
iPremier’s Response to Attack: Very Poor
• Tried to shut down traffic from “Zombies” – didn’t work – for every zombie that was shut down, two new zombies joined the “party” automatically
• Shut down the Web Server
• Unable to determine if they should call the “Seattle Police” or the “FBI”
iPremier’s Response to Attack: Very Poor
• Unable to determine if they should “disconnect the communication lines”
  • Initially the CIO and CTO discussed that they might lose logging data that could help them figure out what happened (preserving evidence to find the root cause of the problem, and to decide what to disclose publicly)
  • Later concluded that detailed logs had not been enabled
• Unable to determine if they should call the “Seattle Police” or the “FBI”
iPremier’s Response to Attack: Very Poor
• How to handle PR (before information about the security breach leaks out)?
• Unable to decide if all systems need to be rebuilt
• What if a competitor files a lawsuit after the FBI determines that iPremier computers were performing a DoS attack?
• Would a system rebuild imply wiping out any remaining proof of iPremier’s innocence?
Some Business Implications for iPremier
• Web server unavailable to legitimate customers
• Unable to determine the “cost of downtime”
• Bad reputation for the business
• Lost customers
• Loss of customer goodwill
• Legal issues if customer data was compromised
• Impact on stock price
• Unknown damages to the network/business?
• Attack stopped after about 75 minutes, without any intervention from iPremier or from Qdata
• What if there was another attack?
Some recommendations for iPremier
• Revisit choice of ‘colocation’ partner
  • Although an early entrant in the industry, Qdata lost any prospect of market leadership
  • Had not been quick to invest in advanced technology
  • Had experienced difficulty in retaining qualified staff
• Create an incident response team
• Enable secure remote access to network management software for the security team
Some recommendations for iPremier
• Discuss/implement procedures for:
  • Performing risk assessment
  • Measuring cost of downtime
  • Filing a complaint with appropriate authorities
  • Handling PR and legal issues
Some recommendations for iPremier
• Other examples of appropriate security/privacy measures:
  • More sophisticated firewall
  • Cryptography for sensitive data
  • Message integrity algorithms to determine if files have been modified/corrupted
  • Enable logging and determine the level of logging
  • Purchase disk space to enable higher levels of logging
  • Updated virus signature files and security patches
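Added example (not from the slides or the iPremier case): a keyed file-integrity manifest in Python showing how a message integrity check reports modified, missing and new files on a server, which is the question iPremier could not answer after the attack. The directory contents and the key are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List

# Constructed key for the example. In practice the key (and the baseline
# manifest) live off the monitored host, so an intruder who alters a file
# cannot recompute a matching tag.
MANIFEST_KEY = b"example-only-key-keep-off-host"

def file_tag(path: str, key: bytes = MANIFEST_KEY) -> str:
    """HMAC-SHA256 over the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(root: str) -> Dict[str, str]:
    """Baseline: relative path -> tag for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_tag(full)
    return manifest

def verify_manifest(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against the baseline without altering it."""
    current = build_manifest(root)
    modified = [p for p in baseline if p in current
                and not hmac.compare_digest(current[p], baseline[p])]
    return {"modified": sorted(modified),
            "missing": sorted(p for p in baseline if p not in current),
            "new": sorted(p for p in current if p not in baseline)}

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two files, then tamper with one and drop a new one."""
    root = tempfile.mkdtemp()
    for name, data in (("index.html", b"<h1>iPremier</h1>"), ("cgi/order.pl", b"print 'ok'")):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    baseline = build_manifest(root)
    with open(os.path.join(root, "index.html"), "ab") as fh:
        fh.write(b"<!-- tampered -->")
    with open(os.path.join(root, "dropped.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh")
    return verify_manifest(root, baseline)  # reports index.html modified, dropped.sh new
```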
Some recommendations for iPremier
• Design and document a recovery plan
• Practice a simulated attack
• Educate users about security and threats
• Hire a good Chief Security Officer
• Institute periodic third-party security audits
Imperative Need for Secure Communication
Reported Security Incidents up to 1995 (chart; source: CERT.ORG)

Reported Security Incidents 1995 – 2003 (chart; source: http://www.cert.org/present/cert-overview-trends/module-1.pdf)
Discussion Questions
• What are some reasons why cyber attacks have been on the rise?
• What is your opinion about government, academic institutions and industry collaborating to provide cyber security solutions?
• What do you think should be management’s role in information security?
Barriers to Cyber Security
• Worldwide diffusion of the Internet
• Adversaries of unknown origin and intent, distributed worldwide:
  • Hackers, virus writers
  • Criminal groups, terrorists
  • Disgruntled current or former employees
  • Foreign intelligence services; information warfare by foreign militaries and governments
  • Corporate espionage
Barriers to Cyber Security
• Hacking tools readily available on the Internet (scores of hacker publications, bulletin boards and web sites dealing with “hacking tips”)
• Extensive partnering network
  • More difficult to define the boundaries of the IS
• Java applets enhance interaction with customers and suppliers
  • This technology capability requires programs created by external entities to run on the organization’s machines
  • Not possible to determine the full impact of each and every applet prior to running it
Barriers to Cyber Security
• Lack of a good security policy
• Lax attitude towards security:
  • E-mail account of a dismissed employee not deleted after the employee has left the organization
  • Protecting content during transmission, but not after transmission
  • George Mason University: moved from SSN to SID – ID theft of 30,000 SSNs
  • Bank of America (backup tapes lost)
  • Intrusion detection logs not maintained
  • Virus signature files/security patches not updated
Barriers to Security
• Organizational characteristics:
  • Lack of structure
  • Business environment
  • Culture
• Lack of Standard Operating Procedures
• Lack of education, training, and awareness
• Lack of understanding/appreciation of technology
• Lack of leadership from senior management
Management’s Role in Information Security
• Total/perfect security is a myth
• Critical asset identification
• Initial risk assessment
• Risk assessment as a continuous process
• Creating a security team
• Initiate and actively participate in planning/design/documentation/testing of the security policy
• Initiate and actively participate in planning/design/documentation/testing of the recovery/response policy
Management’s Role in Information Security
• Be actively involved in establishing standard operating procedures
• Develop and maintain an appropriate organizational culture
• Ensure employees are educated and trained regarding the importance of following the security policy
• Have an understanding of what each security tool proposed by the IT team can and cannot do
Management’s Role in Information Security
• Have a good control environment:
  • Physical controls
  • Data/content controls
  • Implementation controls (outsourcing)
  • Operations/administrative controls
  • Application controls specific to individual system components/applications (e.g., limiting e-mail attachments)
Management’s Role in Information Security
• Recognize that security is a socio-technical issue
• Recognize that security requires an end-to-end view of business processes
• Achieve a balanced approach to security, one that does not solely focus on technological solutions
• Recognize that security rests on three cornerstones
Three Cornerstones: Technology
• Have an understanding/appreciation of technology:
  • Firewalls
  • IDS/IPS systems
  • Antivirus/security patches
  • Symmetric and public key cryptography for confidentiality, authentication, integrity and non-repudiation
  • Secure servers
  • VPNs
• Evaluation of potential technology acquisitions based on their impact on security
Three Cornerstones: Organization
• Organizational characteristics, typically under the control of the organization:
  • Structure
  • Business environment
  • Culture
  • Policies and responses
  • Standard Operating Procedures
  • Education, training, and awareness
Three Cornerstones: Critical Infrastructure
• Infrastructure that is so vital that its damage or destruction would have a debilitating impact on the physical or economic security of the country:
  • Telecommunications
  • Banking
  • Energy
Why should government/academic institutions/industry collaborate?
• It is in each other’s interest: critical infrastructure (CI) is in large part owned by the private sector, used by both private and public sectors, and protected in large part by the public sector
• Need to discuss problems and exchange ideas and solutions to cyber attacks/misuse
• Resource/cost/information sharing
• Opportunity to play a role in the evolution of “best practices”
• Help shape legal and government policies in areas of mutual concern
• Appropriate guidance for rapid additional protection measures
(Diagram: Management at the centre, tied to the three cornerstones of security: Organization, Technology and Infrastructure)

What is Management’s role?
• Management ties everything together
• Responsibility
• Ownership

Security is a mindset, not a service. It must be a part of all decisions and implementations.