3. Protection of Information Assets (25%)
Protecting Personal & Institutional Information Assets & Data
Extra Credit Project
• 3. Protection of Information Assets (Content Area, approximately 25% of exam)
• 3.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.
• 3.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss.
• 3.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for
Knowledge Statements 1
• 3.01 Knowledge of the processes of design, implementation, and monitoring of security (e.g. gap analysis, baseline, tool selection)
• 3.02 Knowledge of encryption techniques (e.g. DES, RSA)
• 3.03 Knowledge of public key infrastructure (PKI) components (e.g. certification authorities (CA), registration authorities)
• 3.04 Knowledge of digital signature
Knowledge Statements 2
• 3.05 Knowledge of physical security practices (e.g. biometrics, card swipes)
• 3.06 Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords,
Knowledge Statements 3
• 3.07 Knowledge of security software (e.g. single sign-on, intrusion detection systems (IDS), automated permissioning, network address translation)
• 3.08 Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)
Some Possible Threats
• Email Interception
• Email Spoofing
• Web Data Interception
• Network & Volume Invasion
• Marketing Data / Spam & Junk Mail
• Viruses, Worms, Trojan Horses
• Mail bomb
• Denial of Service (DoS)
Email Interception
Methods
• Script Monitor
– Running a script on a server that relays or stores email traffic, scanning each message for certain keyword combinations or number patterns (e.g. "bomb" together with "president", or digit sequences that look like credit card numbers).
• Account Emulation
– Stealing someone's user id and password to gain access to their email account.
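The script monitor described above and a defender's mail-gateway filter apply the same test to each message: does it contain a keyword combination, or a digit sequence of card-number length that passes the Luhn check. The following Python is an added example, not code from the original slides, that runs that test over a few constructed messages (the 4111... and 5500... values are published test card numbers, not real accounts; the "bomb"/"president" rule is the slide's own example):

```python
import re

# Constructed sample messages standing in for intercepted or relayed mail.
# The card numbers are published test numbers; "1234 5678 ..." fails Luhn.
SAMPLE_MESSAGES = [
    "Subject: invoice\n\nPlease charge 4111 1111 1111 1111, exp 12/27.",
    "Subject: meeting\n\nLunch at noon in room 4111?",
    "Subject: order\n\nCard: 5500-0000-0000-0004. Ship today.",
    "Subject: fake\n\nTry 1234 5678 9012 3456, it is not a real card number.",
    "Subject: news\n\nThe president will speak about the bomb threat at noon.",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Keyword rule from the slide: every word in the set must appear.
KEYWORD_RULES = {"threat": {"bomb", "president"}}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit strings that look like card numbers and pass the Luhn check."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def matched_keyword_rules(text: str) -> list:
    """Names of keyword rules whose every word appears in the text."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return [name for name, need in KEYWORD_RULES.items() if need <= words]


def scan_messages(messages) -> dict:
    """Map message index -> findings, for messages worth flagging only."""
    findings = {}
    for idx, msg in enumerate(messages):
        pans = find_pans(msg)
        rules = matched_keyword_rules(msg)
        if pans or rules:
            findings[idx] = {"pans": pans, "rules": rules}
    return findings


if __name__ == "__main__":
    for idx, found in scan_messages(SAMPLE_MESSAGES).items():
        print(idx, found)
```

The Luhn check is what keeps "room 4111" and the made-up 1234... number out of the findings; a production filter would also normalise other separators and log a masked form of the number rather than the number itself.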
Defenses
• Digital Certificates
– A certificate binds your identity to a public key and is vouched for by a certificate authority. Signing a message with the matching private key authenticates you as the sender and is extremely difficult to forge; the public key in the certificate lets correspondents encrypt email to you, so an interceptor sees only ciphertext.
• PGP
Standard (Symmetric) Encryption
• Text is encrypted and sent by the originator; the ciphertext is decrypted by the recipient.
• The same key is used for encryption and decryption, so both parties must already share it.
• If the key is intercepted or deciphered, the encryption becomes useless: everything ever protected with that key can be read. Getting the key to the other party securely is the weak point that public key cryptography addresses.
Strong Cryptography
• "There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter." -- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.
• 40 bit cryptography is considered weak. A 40-bit key space (about 10^12 keys) can be searched exhaustively in hours on a single PC and in seconds by a modest cluster, so anything protected with it should be treated as readable by an attacker.
Dual Key (Public Key) Cryptography
• A key pair is generated: a public key and a private key. The private key never leaves your possession.
• The public key is published (to a key server or LDAP directory, or sent by email) and exchanged with others.
Dual Keys Continued
• To send a confidential message, encrypt it with the recipient's public key. Only the intended recipient, who holds the corresponding private key, can decrypt it.
• To prove a message came from you, sign it with your own private key; anyone holding your public key can verify the signature. Encrypting and signing are separate operations, and a message can have either or both.
What is a Digital Certificate?
• A certificate authority's signed statement that a particular public key belongs to a named person or site; it acts as a virtual signature of identity.
• Very hard to forge, since forging one would require the issuing CA's private key.
• Can be used for encryption or authentication (signing).
• Resides in the browser, email client, or OS certificate store.
• Free digital certificates are available.
• PGP freeware is available.
What is PGP?
• Created by Phil Zimmermann
– PGP is now a subsidiary of Network Associates
• Secures e-mail and files
• Based on "Public Key" Cryptography
• Users who have never met can exchange encrypted documents.
How To Encrypt a Message
This describes how to encrypt a message using digital certificates with Netscape Communicator.
• Obtain and install a certificate using the step-by-step instructions at the issuing website.
• Users must exchange "public keys". This can be done via an LDAP directory or by email exchange.
• An email that has a digital certificate attached displays a certificate icon in Communicator. You can click on the icon to examine the certificate. Certificates emailed to you are automatically added to Communicator's certificate database.
• Once keys have been exchanged, address an email to the other party.
• Click on the Security button and select the option for encrypting the message.
Email Spoofing
• Happens when someone impersonates an email user, sending messages that appear to be from the victim's email address. The From: header is just text the sender fills in, so by itself it proves nothing.
• Spoofing can be defeated by using your digital certificate or PGP key to digitally sign your email messages; a message the impostor wrote will fail signature verification.
• Even certificates can be spoofed, although it is difficult: an attacker may obtain a certificate for a look-alike name or trick you into trusting a bogus key. Check the certificate (or key) fingerprint against one obtained out of band, by phone or in person, before trusting it.
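The mechanics behind the dual-key slides above and the signing defence against spoofing can be shown end to end. The following Python is an added example, not code from the original slides and not PGP's or Netscape's implementation: textbook RSA with two small fixed primes and no padding (far too weak for real use, chosen only so the arithmetic is visible). It shows that a message encrypted to Alice's public key decrypts only with her private key, that a signature made with her private key verifies with her public key but fails on a modified message or on a signature from an impostor's own key pair, and how a key fingerprint tells her real key from the impostor's. The names Alice and the impostor, and the primes, are assumptions of the example.

```python
import hashlib
from math import gcd

# Fixed primes for illustration only (Mersenne primes 2^31-1 and 2^61-1).
# Real RSA keys use random primes of 1024 bits or more and OAEP/PSS padding;
# these values are far too small to be secure and only show the mechanics.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: bytes) -> int:
    """Encrypt to the RECIPIENT's public key; the sender needs no secret."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the matching private key recovers the text.
    (Leading zero bytes of the plaintext are not preserved; real schemes pad.)"""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_int(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer below n (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Sign with the SENDER's private key."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def fingerprint(public_key) -> str:
    """Short hash of the public key, to be compared out of band before trusting it."""
    n, e = public_key
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(blob).hexdigest()[:32]


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair()
    ct = encrypt(alice_pub, b"meet at 9")
    print("decrypted:", decrypt(alice_priv, ct))
    msg = b"Transfer $100 to Bob"
    sig = sign(alice_priv, msg)
    print("genuine verifies:", verify(alice_pub, msg, sig))
    print("altered verifies:", verify(alice_pub, b"Transfer $900 to Bob", sig))
    # An impostor with their own key pair cannot produce Alice's signature,
    # and their key has a different fingerprint.
    mal_pub, mal_priv = generate_keypair(p=2**19 - 1, q=2**89 - 1)
    print("forged verifies:", verify(alice_pub, msg, sign(mal_priv, msg)))
    print("fingerprints match:", fingerprint(alice_pub) == fingerprint(mal_pub))
```

The impostor's signature fails not because the maths is wrong but because the verifier uses Alice's public key, which is exactly why the fingerprint of that key must be confirmed through a channel the impostor does not control.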
Shopping Securely
• Never enter sensitive information such as credit card numbers into a non-secure (unencrypted) website.
• Make sure the website's certificate is issued by a trusted certificate authority and names the site you intended to visit. A valid certificate proves you have an encrypted connection to that named site; it does not vouch for the merchant's honesty.
How to Shop Securely
• When you enter a secure site, Communicator's Security icon changes to show the connection is encrypted.
• Click on the Security button to examine which CA vouches for this site.
Note: Attempting to enter a secure site that is not signed by a valid or default CA will result in a
Hacking In to Your Computer
• DSL and cable internet access mean round-the-clock connections of home and small business computers to the Internet.
• This greatly increases the chance of attack: an always-on machine with a stable address can be scanned and probed at any hour.
• Physical access is always a danger, too.
• Hackers can gain access to your personal
Stopping Hackers
• Set up a personal/home firewall.
• Encrypt your sensitive files!!!
– PGP, all platforms.
– Mac OS 9 built-in encryption feature.
• Don't give out your passwords to anyone!
• Use difficult passwords - not simple
Password Strength
• Simple words out of a dictionary make bad passwords.
• Use mixed upper and lower case characters.
• Use non-alphanumeric characters such as:
~!@#$%^&*()_+=-{}[]|\:;"'/?.>,<`
Password Strength Examples
• A simple dictionary word such as "coffee" is trivial to crack. The figure of about 40 minutes quoted here is for a brute-force search; a dictionary attack finds it almost instantly.
• Random alphanumerics are significantly harder: a password such as "bR1a9Az" (62^7, roughly 3.5 trillion possibilities) takes about 22 years to exhaust at a few thousand guesses per second. Against an offline attack on a fast hash with modern hardware, at a billion guesses per second, the same space falls in under an hour, so treat timing figures as relative and prefer length over cleverness.
• Using the full range of the keyboard with truly
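The timings on this slide only mean something together with a guess rate. The following Python is an added example, not part of the original material, that sizes a password the way a cracker does: a dictionary word costs one wordlist lookup rather than 26^6 combinations, anything else costs alphabet^length. It shows that the slide's 22-year figure for "bR1a9Az" corresponds to about 5,000 guesses per second, while an offline attack at a billion guesses per second finishes the same search in about an hour. The word list and both guess rates are constructed assumptions.

```python
import math
import string

# Tiny constructed word list standing in for a real cracking dictionary,
# which holds millions of entries (still far fewer than 26**6).
DICTIONARY = {"coffee", "password", "letmein", "welcome", "dragon"}

CHARSETS = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    chars = set(password)
    size = sum(len(cs) for cs in CHARSETS.values() if chars & cs)
    if not size:
        raise ValueError("password uses no recognised character class")
    return size


def keyspace(password: str) -> int:
    """Guesses an attacker needs to exhaust the search, worst case."""
    if password.lower() in DICTIONARY:
        return len(DICTIONARY)          # a wordlist is tried word by word
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(keyspace(password))


def crack_time_years(password: str, guesses_per_second: float) -> float:
    """Time to search the whole keyspace at the given rate (average is half)."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["coffee", "bR1a9Az", "k9#Lm2$q"]:
        slow = crack_time_years(pw, 5_000)                       # online / slow hash
        fast = crack_time_years(pw, 1e9) * SECONDS_PER_YEAR / 60  # offline GPU, minutes
        print(f"{pw:10} {entropy_bits(pw):5.1f} bits  {slow:10.1f} y @5k/s  {fast:10.1f} min @1e9/s")
```

Appending a digit to a dictionary word does not escape the wordlist in practice, because crackers apply such mangling rules automatically; the estimator above treats "coffee1" as a random 7-character string, which overstates its strength.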
Key Strength Comparison
• Most browsers ship with a default of 40 bit encryption capability.
• You must upgrade to a 128 bit encryption capable browser for most online banking.
[Table: time to break a key by key length and attacker resources; only the header row survived extraction]
Key Length (bits) | Individual Attacker | Small Group | Academic Network | Large Company | Military Intelligence Agency
Strong Encryption Browsers
• Netscape Communicator is freely available for all platforms with 128 bit encryption capability and full features.
• A 128 bit capable version of Microsoft Internet Explorer is available for Windows and Macintosh. (The Mac version has limited features.)
Viruses
• Computer viruses are 100% man made.
• Can be transmitted via email, disk, network, etc.
• Many are harmless experiments or pranks.
• Some are intended to wreak havoc on
Virus Protection
• Get a virus protection package and install it on your computer.
• Check the vendor's website for downloadable updates and alerts on new viruses, and turn on automatic signature updates where the product offers them: a scanner with stale signatures misses everything released after its last update.
Safeguarding Customer Information
Why was GLBA enacted?
Section 501 of the Gramm-Leach-Bliley Act requires Financial Institutions to establish standards
Safeguard Objectives:
• Ensure the security and confidentiality of customer records and information.
• Protect against any anticipated threats or hazards to the security of the records.
Information Security Plan
Non-public customer information (NPI) includes:
• Credit card numbers
• Social Security numbers
• Driver's license numbers
• Student loan data
• Income information
• Credit histories
Financial Institutions, including Colleges and Universities, must ensure that their security programs provide adequate protection to customer information in whatever format –
FTC Ruling: a consumer's information is not a privacy issue but one of security.
FERPA vs. GLBA
• The Family Educational Rights and Privacy Act addresses the privacy of student information.
University Actions
• Has established a committee to ensure compliance.
• The committee meets regularly to review and ensure compliance with the act.
• Performs risk assessment and regular testing.
• Oversees service providers and contracts.
Why Protect your Identity?
Statistics on Identity Theft in New Jersey: 4,802 complaints / year
• 1. Credit Card Fraud: 2,350 (49%)
• 2. Phone or Utilities Fraud: 867 (18%)
• 3. Bank Fraud: 669 (14%)
• 4. Government Documents/Benefits Fraud: 396 (8%)
• 5. Loan Fraud: 356 (7%)
• Under the ID Theft Act (Identity Theft and Assumption Deterrence Act of 1998), identity theft is defined very broadly as: knowingly using, without authority, a means of identification of another person to commit any unlawful activity (unlawful activity: a violation of Federal law, or a felony under State or local law).
Identity Theft
How Does an Identity Thief Get Your Information?
• Stealing files from places where you work, go to school, shop, get medical services, bank, etc.
• Stealing your wallet or purse.
• Stealing information from your home or car.
• Stealing from your mailbox or from mail in transit.
• Sending a bogus email or calling with a false promise or fraudulent purpose.
– For example: pretending to be from a bank, creating a false website, pretending to be
Sample phishing message:
From: PNC Bank
Sent: May 17, 2004 6:31 PM
To: abuse@Miami.edu
Subject: To All PNC bank users
Dear PNC user,
During our regular update and verification of the user data, you must confirm your credit card details.
Please confirm you information by clicking link below.
How Does an Identity Thief Use Your Information?
• Obtains credit cards in your name or makes charges on your existing accounts (42%).
• Obtains wireless or telephone equipment or services in your name (20%).
• Forges checks, makes unauthorized EFTs, or opens bank accounts in your name (13%).
• Works in your name (9%).
Victims of Identity Theft
• If your identity is stolen, do the following immediately:
– Contact the fraud department of the three major credit bureaus (Equifax, Experian, Trans Union).
– Contact your creditors and check your accounts.
– File a police report.
Recovery
• Take back control of your identity:
– Close any fraudulent accounts.
– Put passwords on your accounts.
– Change old
Prevention
Protect yourself. Protect others.
Guard against fraud:
• Sign cards as soon as they arrive.
• Keep records of account numbers and phone numbers.
• Keep an eye on your card during transactions. Also be aware of who is around you: is anyone else listening?
Annual credit bureau report
• New Jersey residents are entitled to one free annual credit report.
• If you are denied credit, you are allowed to request one free copy of your credit report.
• Check your report for accurate
Credit Bureau Links
• Equifax – www.equifax.com
– To order a report, 1-800-685-1111
– To report fraud, 1-800-525-6285
• Experian – www.experian.com
– To order a report, 1-888-397-3742
– To report fraud, 1-888-397-3742
• Trans Union – www.tuc.com
– To order a report, 1-800-916-8800
You may be a victim if:
• You are denied credit.
• You stop getting mail.
• You start getting collection calls/mail.
• You start getting new bills for accounts you do not have or services you did not authorize.
Damages
• Time
• Money
Good Practices
• Photocopy the contents of your wallet/purse.
• Photocopy your passport (keep a copy at home and one with you when you travel).
• Empty your wallet/purse of non-essential identifiers.
• Do not use any contact information provided by the people who may be trying to scam you; look it up yourself.
GLBA requires us to PROTECT CONSUMERS from
What can we do to guard NPI?
• Keep confidential information private.
• Use care when asking for or giving out an SSN.
• Use secure disposal methods (shredding paper, wiping media).
• Protect the privacy of data transmissions (encrypt them).
Actions to prevent Others from becoming Victims
• Determine what information you need.
• Provide a secure workplace.
• Always ask for a student's ID or debtor's account number.
• Keep prying eyes away from customers' information.
• Take care when you provide employees' or customers' personal information to others.
• Know & explain how you handle personal information.
• Ask for written permission prior to sharing personal information.
Avoid
– unauthorized disclosure
– removing information from your office
– sharing information
– tossing information in the trash
– downloading or e-mailing information.
Remember to always maintain confidentiality, security and
General Privacy
• Do not provide correcting information for account verification questions (if a caller reads back a wrong account number or SSN, do not "correct" it for them).
• Be suspicious.
• Be paranoid.
• Don't be afraid to say no when asked for information that is not required to
University Assets
Are customer information and
Safeguarding Information
• Information takes many forms.
• Information is stored in various ways.
Your Role:
• Ensure physical security.
• Select and protect hard-to-guess passwords.
• Avoid email traps and disclosures.
• Back up files.
• Log off your computer when not in use.
• Do not open emails with attachments from unknown sources.
Your role as a user: check your work area!
• Do you leave NPI reports on your desk?
• Is NPI stored in unlocked file cabinets?
• Keep computer disks secure.
University Regulations & Guidelines related to Safeguarding
Standards for University Operations Handbook
• Confidentiality
• Accounting for Financial Resources
• Acceptable Use of Network & Computing Resources:
– Agreement for Accessing Information
– Acceptable Use Policy
– Guidelines for Interpretation of Acceptable Use
– Acceptable Use Supplement
Potential Damages to Any U.
• Reputation
• Violation of federal and state laws
• Fines
• Reparation costs
• Recovery costs
• Increased prevention costs
Expectations
• All University employees are responsible for securing and caring for University property, resources and other assets.
Information Security Management (ISO/IEC 17799:2000) & CRAMM (CCTA Risk Analysis and Management Method)
Migrating from compliance with the IM&T (Information Management & Technology) Security Manual to compliance with BS7799
Overview
Implementation - assistance available
What is Information Security Management (ISM)?
An enabling mechanism whose application ensures that information may be shared in a manner which ensures the appropriate protection of that information &
Basic Components
• Confidentiality: protecting sensitive information from unauthorized disclosure
• Integrity: safeguarding the accuracy and completeness of information/data
• Availability: ensuring that information and
Problem
• Until the early 90s information was handled by many organizations in an ad hoc and, generally, unsatisfactory manner
• In a period of increasing need to share information, there was little or no assurance that such information could or would be safeguarded
Code of Practice
• 1993: in conjunction with a number of leading UK companies and organizations, produced an ISM Code of Practice incorporating the best information security practices in general use.
• Addressed all forms of information; e.g.
Code of Practice - Aims
• To provide
– A common basis for organizations to develop, implement, and measure effective information security management practice
Balance
• A common concern amongst organizations is that the application of security measures often has an adverse impact on, or interferes with, operational processes
Assets - Examples
• Information: databases, system documentation, data files, user manuals
• Software: application software, system software, development tools
• Physical: computer equipment, magnetic media, furniture, accommodation
• Services
The Standard
– Physical/Environmental Security. Prevention of unauthorized access, interference to IT services and damage
– …
– System Access Control. Controls to prevent unauthorized access to computer systems
– System Development and Maintenance. A security program complementing development/maintenance of IT systems
– BCP (Business Continuity Planning). Measures to protect critical business processes from major failures and disasters
Controls
Each of these categories contains a number of security controls, mandatory or otherwise, which can be implemented as part of the information security risk management strategy.
The same controls will not necessarily apply across the board, owing to the varying nature of organizations, risk factors, etc.
The Crux of the Matter
• Information is subject to numerous risks, which can be grouped together under the generic headings of:
– Accidental
– Natural
– Deliberate
Risk Analysis
• The point is:
– An effective risk management strategy cannot be implemented until the risks are identified and measured (that is, analyzed)
• It almost goes without saying that analysis should be based upon a sound and proven methodology
CRAMM
• Developed in 1985, the CRAMM risk analysis methodology is a complete package, containing:
– the risk analysis process itself
– associated documentation (inc. report functionality; results and conclusions)
– training
CRAMM Version 4.0
• This version, the latest, includes
– Full support for BS7799, including
• Gap analysis
• Implementation of a security improvement program
• Statement of Applicability
• Risk modeling for multi-role organizations
• AND undertake a Risk Analysis!
Management Framework: ISMS (diagram; the steps it showed were)
• Define the Policy
• Scope of ISMS
• Information Assets
• Risk Assessment: T. V. I. (threats, vulnerabilities, impacts)
• Results & Conclusions
• Select Control Options
• Statement of Applicability
• Degree of Assurance
And then……..
• Develop and implement security policies which comply with your specific requirements in terms of BS7799
• Review and Maintain
• Simple, isn't it?
• No, it is appreciated that compliance with BS7799 is a significant undertaking
You are Not Alone
• CRAMM risk models are being developed for specific organizations (e.g. Acute Trusts)
• Such models will encompass approximately 90 - 95% of organizations
• Pioneer Projects - results of which will be fed into the overall implementation process
• Training
• Development and maintenance program
• FAQs
• Help Desk
Thanks for Coming!
For further information, contact: Dr. A. Rush, Ph.D.