
3. Protection of Information Assets (25%) 12/01/1999 - Protection of Information Assets, Meeting 2


Academic year: 2018


(1)

3. Protection of Information Assets (25%)

Protecting Personal & Institutional Information Assets & Data

Extra Credit Project

(2)

3. Protection of Information Assets (Content Area, Approximately 25% of exam)

• 3.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.

(3)

3. Protection of Information Assets

• 3.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss.

• 3.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for

(4)

Knowledge Statements 1

• 3.01 Knowledge of the processes of design, implementation, and monitoring of security (e.g. gap analysis, baseline, tool selection)

• 3.02 Knowledge of encryption techniques (e.g. DES, RSA)

• 3.03 Knowledge of public key infrastructure (PKI) components (e.g. certification authorities (CA), registration authorities)

• 3.04 Knowledge of digital signature

(5)

Knowledge Statements 2

• 3.05 Knowledge of physical security practices (e.g. biometrics, card swipes)

• 3.06 Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords,

(6)

Knowledge Statements 3

• 3.07 Knowledge of security software (e.g. single sign-on, intrusion detection systems (IDS), automated permissioning, network address translation)

• 3.08 Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)

(7)

Some Possible Threats

• Email Interception

• Email Spoofing

• Web Data Interception

• Network & Volume Invasion

• Marketing Data / Spam & Junk Mail

• Viruses, Worms, Trojan Horses

(8)

More Possible Threats

• Mail bomb

• Denial of Service (DoS)

(9)

Email Interception

Methods

• Script Monitor

– Running a script on a server that receives email traffic, monitoring emails for certain keywords or number patterns (i.e. “bomb + president” or credit card number patterns).

• Account Emulation

– Stealing someone’s user id and password to gain access to their email account.

Defenses

• Digital Certificates

– Digital certificates authenticate you as the sender and are extremely difficult to forge. They allow very strong encryption of email communications.

• PGP

(10)

Standard Encryption

• Text is encrypted and sent by the originator

• Ciphertext is decrypted by recipient

• Same key is used for encryption and decryption

• If key is intercepted or deciphered, encryption becomes useless

(11)

Strong Cryptography

“There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.” -- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.

• 40 bit cryptography is considered weak. This can be intercepted and deciphered in seconds using today’s tools.

(12)

Dual Key Cryptography

• Key pair is generated - public and private key.

• Public key is sent to server and exchanged with others

(13)

Dual Keys Continued

• Encrypted message is generated using recipient’s public key and your private key. Only the intended recipient with the corresponding private key will be able to decrypt.

(14)

What is a Digital Certificate?

• Acts as a virtual signature

• Very hard to forge

• Can be used for encryption or authentication

• Resides in the Browser/Email Client/OS

• Free digital certificates are available

• PGP Freeware is available

(15)

What is PGP?

• Created by Phil Zimmerman

– PGP is now a subsidiary of Network Associates

• Secures e-mail and files

• Based on “Public Key” Cryptography

• Users who have never met can exchange encrypted documents.

(16)

How To Encrypt a Message (1)

This will describe how to encrypt a message using Digital Certificates with Netscape Communicator.

• Obtain and install a certificate using the step by step instructions at the issuing website.

(17)

How To Encrypt a Message (2)

• Users must exchange “public keys”.

• Can be done via LDAP directory or email exchange.

An email that has a digital certificate attached will display this icon in Communicator. You can click on the icon to examine the cert. Certs emailed to you are automatically added to Communicator’s database.

(18)

How To Encrypt a Message (3)

• Once keys have been exchanged, address an email to the other party.

• Click on the Security button and select the option for encrypting message.

(19)

Email Spoofing

• Happens when someone impersonates an email user, sending messages that appear to be from the victim’s email address.

• Spoofing can be prevented by using your Digital Certificate or PGP to “Digitally Sign” your email message.

• Even Certificates can be spoofed, although difficult. Check the “Certificate Fingerprint” of the message to be sure it’s authentic.
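The sign-then-encrypt flow of slides 13 and 19, as an added example that is not part of the original deck: the sender signs with an Ed25519 private key, the result is encrypted under the recipient's RSA public key, and the receiving side checks the signature (and can compare a fingerprint of the sender's key out of band). The key names, the Ed25519/RSA-OAEP choice and using a key fingerprint in place of a certificate fingerprint are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint stands in for the slide's "Certificate Fingerprint": the hex SHA-256
// of the sender's raw public key, to be compared out of band before trusting it.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Seal signs msg with the sender's private key, then encrypts signature||msg with
// the recipient's public key (RSA-OAEP, SHA-256). A 2048-bit key carries at most
// 190 bytes per block, so msg is capped at 126 bytes in this single-block demo.
func Seal(msg []byte, senderPriv ed25519.PrivateKey, recipientPub *rsa.PublicKey) ([]byte, error) {
	if len(msg) > 126 {
		return nil, errors.New("message too long for one OAEP block")
	}
	sig := ed25519.Sign(senderPriv, msg)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, append(sig, msg...), nil)
}

// Open decrypts with the recipient's private key and verifies the signature against
// the sender's public key, so an altered or impersonated message is rejected.
func Open(ct []byte, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, ct, nil)
	if err != nil {
		return nil, err
	}
	if len(plain) < ed25519.SignatureSize {
		return nil, errors.New("payload too short to carry a signature")
	}
	sig, msg := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, msg, sig) {
		return nil, errors.New("signature does not verify: sender may be spoofed")
	}
	return msg, nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // sender's signing pair
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)               // recipient's encryption pair
	ct, _ := Seal([]byte("meeting moved to 3pm"), alicePriv, &bob.PublicKey)
	msg, err := Open(ct, bob, alicePub)
	fmt.Printf("fingerprint %s...\nrecovered %q err=%v\n", Fingerprint(alicePub)[:16], msg, err)
	// An impostor signing with her own key cannot pass as Alice.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := Seal([]byte("meeting moved to 5pm"), otherPriv, &bob.PublicKey)
	_, err = Open(forged, bob, alicePub)
	fmt.Println("forged message accepted:", err == nil)
}
```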

(20)

Shopping Securely

• You should never input sensitive info such as Credit Card numbers into a non-secure website.

• Make sure website is certified by a trusted Certificate Authority

(21)

How to Shop Securely

• When you enter a secure site, Communicator’s Security icon will change as shown:

• Click on the Security button to examine which CA asserts that this site is safe.

Note: Attempting to enter a secure site that is not signed by a valid or default CA will result in a

(22)

Hacking In to Your Computer

• DSL and Cable internet access means round the clock connections of home and small business computers to the Internet.

• Greatly increases the chance of attack.

• Physical access is always a danger, too.

• Hackers can gain access to your personal

(23)

Stopping Hackers

• Set up a personal/home firewall.

• Encrypt your sensitive files!!!

– PGP, all platforms.

– Mac OS 9 Built-In Encryption Feature

• Don’t give out your passwords to anyone!

• Use difficult passwords - not simple

(24)

Password Strength

• Simple words out of a dictionary make bad passwords.

• Use mixed upper and lower case characters.

• Use non-alphanumeric characters such as:

~!@#$%^&*()_+=-{}[]|\:;”’/?.>,<`

(25)

Password Strength Examples

• Using a simple passphrase such as “coffee” is simple to hack, takes about 40 minutes to break.

• Using random alphanumerics is significantly more difficult: A passphrase such as “bR1a9Az” takes about 22 years to crack.

• Using the full range of the keyboard with truly

(26)

Key Strength Comparison

• Most browsers ship with a default of 40 bit encryption capabilities.

• You must upgrade to a 128 bit encryption capable browser for most online banking.

[Table, rows not recovered: Key Length (bits) against attacker capability: Individual Attacker, Small Group, Academic Network, Large Company, Military Intelligence Agency]
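The argument of slides 24 to 26 carried through as an added example (not part of the original deck): a dictionary word is charged the size of the wordlist rather than its length, a random mixed-charset password is charged its full keyspace, and the same search-time formula is then applied to 40-bit and 128-bit keys. The guess rate, the 2^17 wordlist size and the 32-symbol count are assumptions, so the years printed will not match the slide's 40 minutes and 22 years.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// Assumed cracker wordlist: a few entries stand in for a list of roughly 2^17 words.
var sampleDictionary = map[string]bool{"coffee": true, "password": true, "letmein": true}

const dictionaryBits = 17.0 // assumed size of the full wordlist, expressed in bits

// CharsetSize returns how many keyboard characters an attacker must try per position,
// given the character classes actually present in pw: lower 26, upper 26, digits 10,
// and the 32 printable symbols from the slide's list.
func CharsetSize(pw string) int {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	for _, c := range []struct {
		on   bool
		size int
	}{{lower, 26}, {upper, 26}, {digit, 10}, {symbol, 32}} {
		if c.on {
			n += c.size
		}
	}
	return n
}

// EntropyBits estimates the search space an attacker faces. A dictionary word is
// charged the wordlist size, not its length, because that is the space actually searched.
func EntropyBits(pw string) float64 {
	if sampleDictionary[strings.ToLower(pw)] {
		return dictionaryBits
	}
	return float64(len([]rune(pw))) * math.Log2(float64(CharsetSize(pw)))
}

// YearsToBruteForce is the expected time to search half of a 2^bits space at
// guessesPerSec; the same formula compares 40-bit and 128-bit keys.
func YearsToBruteForce(bits, guessesPerSec float64) float64 {
	return math.Pow(2, bits-1) / guessesPerSec / (365.25 * 24 * 3600)
}

func main() {
	const rate = 1e9 // assumed guesses per second for a single attacker
	for _, pw := range []string{"coffee", "bR1a9Az", "c0ff33!Br3w$"} { // last one is constructed
		bits := EntropyBits(pw)
		fmt.Printf("%-14s %5.1f bits  %.3g years\n", pw, bits, YearsToBruteForce(bits, rate))
	}
	for _, keyBits := range []float64{40, 128} {
		fmt.Printf("%3.0f-bit key   %.3g years\n", keyBits, YearsToBruteForce(keyBits, rate))
	}
}
```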

(27)

Strong Encryption Browsers

• Netscape Communicator is freely available for all platforms with 128 bit encryption capability and full features.

• 128 bit capable version of Microsoft Internet Explorer is available for Windows and Macintosh. (Mac version has limited features.)

(28)

Viruses

• Computer viruses are 100% man made.

• Can be transmitted via email, disk, network, etc…

• Most are harmless experiments.

• Some are intended to wreak havoc on

(29)

Virus Protection

• Get a virus protection package and install it on your computer.

• Check the vendor’s website for downloadable updates and alerts on new viruses.

(30)

Safeguarding Customer Information

(31)

Why was GLBA enacted?

Section 501 of the Gramm-Leach-Bliley Act requires Financial Institutions to establish standards

(32)

Safeguard Objectives:

• Ensure security and confidentiality of customer records and information.

• Protect against any anticipated threats or hazards to the security of the records.

(33)

Information Security Plan

(34)

Non-public customer information (NPI)

• Credit card numbers

• Social Security numbers

• Drivers license numbers

• Student loan data

• Income information

• Credit histories

(35)

Financial Institutions, including Colleges and Universities, must ensure that their security programs provide adequate protection to customer information in whatever format –

(36)

FTC Ruling

Consumer’s information is not a privacy issue but is one of security.

(37)

FERPA vs. GLBA

• The Family Education Rights and Privacy Act addresses the privacy of student information.

(38)

University Actions

Has established a committee to ensure compliance. Committee meets regularly to review and ensure compliance with the act.

Performs risk assessment and regular testing. Oversees service providers and contracts.

(39)

Why Protect your Identity?

(40)

Statistics on Identity Theft in New Jersey

4802 Complaints / year

• 1. Credit Card Fraud 2,350 -- 49%

• 2. Phone or Utilities Fraud 867 -- 18%

• 3. Bank Fraud 669 -- 14%

• 4. Government Documents/Benefits Fraud 396 -- 8%

• 5. Loan Fraud 356 -- 7%

(41)

• Under ID Theft Act, identity theft is defined very broadly as: knowingly using, without authority, a means of identification of another person to commit any unlawful activity. (unlawful activity: a violation of Federal law, or a felony under State or local law).

(42)

Identity Theft

(43)

How Does an Identity Thief Get Your Information?

• Stealing files from places where you work, go to school, shop, get medical services, bank, etc.

• Stealing your wallet or purse.

• Stealing information from your home or car.

• Stealing from your mailbox or from mail in transit.

• Sending a bogus email or calling with a false promise or fraudulent purpose.

- For example: pretending to be from a bank, creating a false website, pretending to be

(44)

From: PNC Bank

Sent: May 17, 2004 6:31 PM

To: abuse@Miami.edu

Subject: To All PNC bank users

Dear PNC user,

During our regular update and verification of the user data, you must confirm your credit card details.

Please confirm you information by clicking link below.

(45)

How Does an Identity Thief Use Your Information?

• Obtains Credit Cards in your name or makes charges on your existing accounts (42%).

• Obtains Wireless or telephone equipment or services in your name (20%).

• Forges checks, makes unauthorized EFTs, or opens bank accounts in your name (13%).

• Works in your name (9%).

(46)

Victims of Identity Theft

If your identity is stolen, do the following immediately:

Contact the fraud department of the three major credit bureaus (Equifax, Experian, Trans Union).

Contact your creditors and check your accounts.

File a police report.

(47)

Recovery

Take back control of your identity:

Close any fraudulent accounts.

Put passwords on your accounts.

Change old

(48)

Prevention

Protect yourself

Protect others

Guard against fraud:

Sign cards as soon as they arrive.

Keep records of account numbers and phone numbers.

Keep an eye on your card during transactions. Also be aware of who is around you: is anyone else listening?

(49)

Annual credit bureau report

• New Jersey residents are entitled to one free annual credit report.

• If you are denied credit, you are allowed to request one free copy of your credit report.

• Check your report for accurate

(50)

Credit Bureau Links

Equifax – www.equifax.com

To order a report, 1-800-685-1111

To report fraud, 1-800-525-6285

Experian – www.experian.com

To order a report, 1-888-397-3742

To report fraud, 1-888-397-3742

Trans Union – www.tuc.com

To order a report, 1-800-916-8800

(51)

(52)

You may be a victim if:

You are denied credit.

You stop getting mail.

You start getting collection calls/mail.

You start getting new bills for accounts you do not have or services you did not authorize.

(53)

Damages

Time

Money

(54)

Good Practices

Photocopy the contents of your wallet/purse.

Photocopy your passport (keep a copy at home and one with you when you travel).

Empty your wallet/purse of non-essential identifiers.

Do not use any information provided by the people who may be trying to scam you; look it up yourself.

(55)

GLBA requires us to PROTECT CONSUMERS from

(56)

What can we do to guard NPI?

• Keep confidential information private.

• Use care when asking or giving SSN.

• Use secure disposal methods.

• Protect the privacy of data transmissions.

(57)

Actions to prevent Others from becoming Victims

Determine what information you need.

Provide a secure workplace.

Always ask for a student’s ID or debtors account number.

Keep prying eyes away from customer’s information.

(58)

Actions to prevent Others from becoming Victims

Take care when you provide employee’s or customers’ personal information to others.

Know & explain how you handle personal information.

Ask for written permission prior to sharing personal information.

(59)

Avoid

unauthorized disclosure

removing information from your office

sharing information

tossing information in the trash

downloading or e-mailing information.

Remember to always maintain confidentiality, security and

(60)

General Privacy

Do not provide correcting information for account verification questions.

Be suspicious.

Be paranoid.

Don’t be afraid to say no when asked for information that is not required to

(61)

(62)

University Assets

Are customer information and

(63)

Safeguarding Information

• Information takes many forms.

• Information is stored in various ways.

(64)

Safeguarding Information

Your Role:

• Ensure Physical Security.

• Select and Protect hard to guess passwords.

• Avoid email traps and disclosures.

• Back up files.

• Log off your computer when not in use.

• Do not open emails with attachments from unknown sources.

(65)

Safeguarding Information

Your role as a user….

(66)

Check your work area!

• Do you leave NPI reports on your desk?

• Is NPI stored in unlocked file cabinets?

• Keep computer disks secure.

(67)

Safeguarding Information

Your role….

(68)

University Regulations & Guidelines related to Safeguarding

Standards for University Operations Handbook

• Confidentiality

• Accounting for Financial Resources

• Acceptable Use of Network & Computing Resources:

– Agreement for Accessing Information

– Acceptable Use Policy

– Guidelines for Interpretation of Acceptable Use

– Acceptable Use Supplement

(69)

Potential Damages to Any U.

• Reputation

• Violation of federal and state laws

• Fines

• Reparation costs

• Recovery costs

• Increased prevention costs

(70)

Expectations

• All University employees are responsible for securing and caring for University property, resources and other assets.

(71)

Prevention

Protect yourself

(72)

Safeguarding customer

(73)

Information Security Management (ISO/IEC 17799:2000) & Certified Risk Analysis Methodology Management (CRAMM)

(74)

Migrating from compliance with the IM&T (Info. Management Tech) Security Manual to compliance with BS7799

Overview

Implementation - assistance available

(75)

What is Information Security Management (ISM)?

An enabling mechanism whose application ensures that information may be shared in a manner which ensures the appropriate protection of that information &

(76)

Basic Components

Confidentiality: protecting sensitive information from unauthorized disclosure

Integrity: safeguarding the accuracy and completeness of information/data

Availability: ensuring that information and

(77)

Problem

• Until early 90’s information was handled by many organizations in an ad hoc and, generally, unsatisfactory manner

• In a period of increasing need to share information, there was little or no assurance that such information could or would be safeguarded

(78)

Code of Practice

1993: in conjunction with a number of leading UK companies and organizations produced an ISM Code of Practice - incorporating the best information security practices in general use.

Addressed all forms of information; e.g.

(79)

Code of Practice - Aims

• To provide a common basis for organizations to develop, implement, and measure effective information security management practice

(80)

Balance

• A common concern amongst organizations is that the application of security measures often has an adverse impact on, or interferes with, operational processes

(81)

Assets - Examples

Information: Databases, system documentation, data files, user manuals

Software: Application software, system software, development tools

Physical: Computer equipment, magnetic media, furniture, accommodation

Services

(82)

The Standard

Physical/Environmental Security. Prevention of unauthorized access, interference to IT services and damage

(83)

The Standard

• ………….

System Access Control. Controls to prevent unauthorized access to computer systems

System Development and Maintenance. A security program complementing development/maintenance of IT systems

BCP. Measures to protect critical business processes from major failures and disasters

(84)

Controls

Each of these Categories contains a number of security controls, mandatory or otherwise, which can be implemented as part of the information security risk management strategy

The same controls will not necessarily apply across the board, owing to the varying nature of organizations, risk factors etc

(85)

The Crux of the Matter

• Information is subject to numerous risks, which can be grouped together under the generic headings of:

Accidental

Natural

Deliberate

(86)

Risk Analysis

• The point is:

– An effective risk management strategy cannot be implemented until the risks are identified and measured (that is, analyzed)

• It almost goes without saying that analysis should be based upon a sound and proven methodology

(87)

CRAMM

• Developed in 1985, CRAMM Risk Analysis Methodology is a complete package, containing:

– the risk analysis process itself

– associated documentation (inc. report functionality; results and conclusions)

– training

(88)

CRAMM Version 4.0

• This version, the latest, includes full support for BS7799 including

• GAP analysis

• Implementation of a security improvement program

• Statement of Applicability

• Risk Modeling for multi-role organizations

AND undertake a Risk Analysis !

(89)

[Diagram, Management Framework: ISMS. Boxes, in order: Define the Policy; Scope of ISMS; Information Assets; Risk Assessment (T. V. I.); Results & Conclusions; Select Control Options; Statement of Applicability; Degree of Assurance]
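The chain of slides 85 to 89 carried through as an added example that is not part of the original deck or of CRAMM itself: assets from the categories of slide 81, threats under the Accidental/Natural/Deliberate headings, a vulnerability level per pairing, a threat x vulnerability x impact (T. V. I.) score, and a Statement of Applicability that selects controls only where the score warrants them. The 1-to-5 scales, the multiplicative score, the threshold and the sample assets are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

type Asset struct {
	Name, Category string // Information, Software, Physical, Services (slide 81)
	Value          int    // impact if compromised, assumed 1 (trivial) .. 5 (critical)
}

type Threat struct {
	Name, Kind string // Kind is Accidental, Natural or Deliberate (slide 85)
	Likelihood int    // assumed 1 (rare) .. 5 (frequent)
}

// Exposure pairs an asset with a threat, the vulnerability level (1..5) of that pair,
// and the candidate control drawn from the standard's control categories.
type Exposure struct {
	Asset         Asset
	Threat        Threat
	Vulnerability int
	Control       string
}

// Score is the assumed T.V.I product: threat likelihood x vulnerability x asset value (1..125).
func Score(e Exposure) int { return e.Threat.Likelihood * e.Vulnerability * e.Asset.Value }

// Applicability is one row of a Statement of Applicability.
type Applicability struct {
	Control    string
	Applicable bool
	Reason     string
}

// StatementOfApplicability keeps the highest-scoring exposure per candidate control,
// marks the control applicable when that score reaches threshold, and records why.
func StatementOfApplicability(exposures []Exposure, threshold int) []Applicability {
	worst := map[string]Exposure{}
	for _, e := range exposures {
		if cur, ok := worst[e.Control]; !ok || Score(e) > Score(cur) {
			worst[e.Control] = e
		}
	}
	var rows []Applicability
	for ctrl, e := range worst {
		s := Score(e)
		reason := fmt.Sprintf("%s / %s (%s) scores %d against threshold %d",
			e.Asset.Name, e.Threat.Name, e.Threat.Kind, s, threshold)
		rows = append(rows, Applicability{Control: ctrl, Applicable: s >= threshold, Reason: reason})
	}
	sort.Slice(rows, func(i, j int) bool { return rows[i].Control < rows[j].Control })
	return rows
}

func main() {
	db := Asset{"student loan database", "Information", 5} // constructed sample assets
	room := Asset{"server room", "Physical", 4}
	exposures := []Exposure{
		{db, Threat{"unauthorised access", "Deliberate", 4}, 3, "System Access Control: role-based access"},
		{room, Threat{"flood", "Natural", 1}, 4, "BCP: off-site backup and recovery plan"},
		{room, Threat{"tailgating", "Deliberate", 3}, 2, "Physical/Environmental Security: card swipe doors"},
		{db, Threat{"operator error", "Accidental", 3}, 2, "System Development and Maintenance: change control"},
	}
	for _, row := range StatementOfApplicability(exposures, 20) {
		fmt.Printf("%-52s applicable=%-5v %s\n", row.Control, row.Applicable, row.Reason)
	}
}
```

With the sample values the flood control falls below the threshold while the other three are selected, which is the point of slide 84: the same controls do not apply across the board.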

(90)

And then……..

• Develop and implement security policies which comply with your specific requirements in terms of BS7799

• Review and Maintain

• Simple, isn’t it?

• No, it is appreciated that compliance with BS7799 is a significant undertaking

(91)

You are Not Alone

CRAMM risk models are being developed for specific organizations (e.g. Acute Trusts)

Such models will encompass approximately 90 - 95% of organizations

Pioneer Projects - results of which will be fed into the overall implementation process

Training

Development and maintenance program

FAQs

Help Desk

(92)

Thanks for Coming!

For further information, contact: Dr. A. Rush, Ph.D.
