Managing Information System Security: Principles. GP Dhillon, Associate Professor, Virginia Commonwealth University.
Shocking news • 25% of the organizations did not have an internal audit • 50% of the organizations did not have computer audit skills • 60% of the organizations had no security awareness • 80% of the organizations did not conduct a risk analysis
General Statistics CERT/CC: Incidents Reported • 1991 – 406 • 1993 – 1,334 • 1995 – 2,412 • 1997 – 2,134 • 1999 – 9,859 • 2001 – 52,658 • 2003 – 137,529
Common Myths • “Why should I care, I have nothing to hide.” • “Why does anyone care about my computer?” • “It’s too difficult to get access to my computer or personal information…” • “If someone tries to [insert malicious activity here], I will notice!” • “Ignorance is bliss!”
Are you at risk? Using the following puts you at risk: • Computers • Credit Cards • Banks • Airlines • Automobiles • …many more…
Confidentiality • Ensures privacy. • Applies to both data on disks and network communication. • Accomplished through encryption: • https:// • s/mime • pgp • ssh and ipsec
Integrity • Develops trust of the network and computer systems. • Applies to both data on disks and network communication. • Integrity is increased by proper data and system management.
Availability • Another catalyst for trust. • Required for data on disk and network. • Prevents Denial of Service attacks, etc.
Start with the basics • Basic computer security through technology is easy; use… • A firewall, • Anti-Virus Software, • Patch your computer quickly, when required, • Strong passwords!
Firewalls • The most useful tool in your bag of defenses. • Prevents intruders from accessing services on your computer. • Validates/normalizes network traffic. • May provide reports and trend analysis. • Available for all major operating systems – usually for free!
Anti-virus software • Stops viruses and worms sent by email, attachments, downloads, etc. • Detects malicious software through intelligent heuristics. • Available for all major desktop and server operating systems. • A requirement; not an option.
Patches • (Usually) free updates to your computer; can be downloaded from the Internet. • Available before most exploits surface. • Automated, usually. • Critical to overall security. • Chant: “We Must Patch, We Must Patch…”
Strong passwords • Keeps you on-target with best practices. • Is composed of 8 or more characters and includes letters, numbers and 2 special characters, including !@#$%^&.-+-=|]{}:". • Not based on any dictionary word from any language. • Changes regularly; not shared.
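The slide's password rules as an executable check, added here as an illustration (not code from the presentation). The special-character set is the one the slide lists; the word list and the leet-style substitution table are constructed for the example, and a real deployment would load a full dictionary.

```python
# Special characters the slide lists as acceptable.
SPECIALS = set('!@#$%^&.-+-=|]{}:"')

# Constructed, deliberately tiny "dictionary"; a real check loads a word list.
DICTIONARY = {"password", "welcome", "dragon", "letmein", "university", "security"}

# Assumed substitution table: undo common digit/symbol swaps before the
# dictionary comparison, so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case, unwind leet substitutions, and keep only letters."""
    s = pw.lower().translate(LEET)
    return "".join(ch for ch in s if ch.isalpha())


def based_on_dictionary_word(pw: str, dictionary=DICTIONARY) -> bool:
    """True if the password is a dictionary word once decorations are stripped."""
    core = normalize(pw)
    return any(core == w or (len(w) >= 5 and w in core) for w in dictionary)


def check_password(pw: str) -> list:
    """Return the slide rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < 8:
        failures.append("fewer than 8 characters")
    if not any(ch.isalpha() for ch in pw):
        failures.append("no letters")
    if not any(ch.isdigit() for ch in pw):
        failures.append("no digits")
    if sum(ch in SPECIALS for ch in pw) < 2:
        failures.append("fewer than 2 special characters")
    if based_on_dictionary_word(pw):
        failures.append("based on a dictionary word")
    return failures


if __name__ == "__main__":
    # "P@ssw0rd!1" satisfies every composition rule yet is still a dictionary word.
    for candidate in ["P@ssw0rd!1", "Tr0ub4dor&3", "Z7k$m}Qp4r", "abc"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The first candidate shows why the slide lists the dictionary rule separately: composition checks alone accept it.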
What technology doesn’t solve • Security technologies adapt as threats appear. They are not able to (easily) combat: • Threats, • Hoaxes, • Scams, • The behavior of others.
Education and awareness • Education and awareness are key to increasing the security posture of the University, and the global Internet. • Dispels the FUD (fear, uncertainty, doubt). • Addresses problems before they exist. • Extends the radius of clue. • Creates inclusion in the entire infosecurity effort.
Self-education • You can increase your own awareness of security related issues. • Subscribe to mailing lists for security notifications. • Visit security related websites. • Voice your concern on security related issues, helping raise awareness in others.
Test your efforts • Remember: security is about sharing knowledge and contacts, not technology.
The ‘RITE’ principles • Responsibility (and knowledge of Roles) • Integrity (as requirement of Membership) • Trust (as distinct from Control) • Ethicality (as opposed to Rules)
“Total” security • CIA + RITE
Conceptualizing controls (diagram): technical controls, formal controls, pragmatic controls.
Principle #1 • Principle 1: Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.
Principle #2 • Principle 2: Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.
Principle #3 • Principle 3: Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.
Principle #4 • Principle 4: Rules for managing information security have little relevance unless they are contextualized.
Principle #5 • Principle 5: In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.
Principle #6 • Principle 6: Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.