Security and Control Brian Mennecke
Planning for Security and Control In today’s net-enabled environment, an increasingly important part of IT planning involves controlling and securing the IT resource
Control Systems The components of control systems are – Standards for performance – Sensory determination of actual conditions – Comparison of standard with actual conditions – Compensatory action if the deviation is too great
When there are Failures of Control Examples of control breakdowns – Worldcom – Qwest – Global Crossing What caused these? Probably, in part, the reward systems for senior managers, which consisted largely of stock options: managers were rewarded for inflating the bottom line IS has an important role to play in strengthening control systems – Audits – Monitoring – Information dissemination – Reporting
Vulnerability of Systems: Where Does Control Fail? Errors in and intrusion of the operating system Errors in application programs Problems with database security Lack of network reliability and security Problems with adequate control of manual procedures Failure of management to maintain proper organizational control Open networks and connectivity Misuse or mistakes made by users
Control in the Organization: Controls can be created through… The structure of the organization – Decentralized or centralized Rewards Management committee Budget Direct supervision Routine audits Establish and enforce standards and procedures Develop a plan and policy for managing database resources – Data Backup/Recovery – Data Concurrency Management – Data Security
A Key Requirement for Control is Establishing IT Security Without security, the integrity of organizational IT resources will be at risk – therefore, security is everyone’s business Security is an increasingly important issue because the number of threats keeps growing – According to the statistics reported to CERT/CC over the past several years (CERT/CC 2003), the number of cyber attacks grew from approximately 22,000 in 2000 to 137, – According to the 2004 E-Crime Watch Survey, 43% of respondents reported an increase in e-crimes and intrusions versus the previous year, and 70% reported at least one e-crime or intrusion committed against their organization
Security Concepts Authentication: The process by which one entity verifies that another entity is who they claim to be Authorization: The process that ensures that a person has the right to access certain resources Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes Integrity: Being able to protect data from being altered or destroyed in an unauthorized or accidental manner Nonrepudiation: The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature
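The four concepts above, worked as code. This is an added example, not material from the slides: the user names, the `payroll.db` resource, the access-control list and the shared key are all assumptions made for the illustration. Authentication is a salted PBKDF2 password check, authorization is a lookup against the ACL, and integrity is an HMAC tag that fails verification if the data is altered.

```python
"""Added example (not from the slides): the security concepts on this slide
as code.  Authentication = verify a claimed identity, authorization = check
rights on a resource, integrity = detect alteration.  Users, resources and
the ACL are assumptions made for this example."""
import hashlib
import hmac
import os

ITERATIONS = 100_000            # PBKDF2 work factor; raise it on real systems
DUMMY_SALT = b"\0" * 16


def make_credential(password):
    """Store a random salt plus a PBKDF2 hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def authenticate(store, user, password):
    """Authentication: does the caller prove to be who they claim?"""
    entry = store.get(user)
    if entry is None:
        # Do the same work for an unknown user so the response time does not
        # reveal which user names exist
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison so a byte-by-byte mismatch leaks no timing signal
    return hmac.compare_digest(candidate, digest)


# Authorization: an assumed access-control list, resource -> user -> allowed actions
ACL = {
    "payroll.db": {"alice": {"read"}, "bob": {"read", "write"}},
}


def authorize(user, resource, action):
    """Authorization: a verified identity still needs the right on this resource."""
    return action in ACL.get(resource, {}).get(user, set())


def protect(key, data):
    """Integrity: attach an HMAC tag so any alteration of data is detectable."""
    return hmac.new(key, data, "sha256").digest()


def verify(key, data, tag):
    """True only if data is unchanged since protect() produced the tag."""
    return hmac.compare_digest(protect(key, data), tag)


def access(store, user, password, resource, action):
    """The path a request takes: authenticate first, then authorize."""
    if not authenticate(store, user, password):
        return "authentication failed"
    if not authorize(user, resource, action):
        return "not authorized"
    return "ok"


if __name__ == "__main__":
    users = {"alice": make_credential("correct horse"), "bob": make_credential("hunter2")}
    print(access(users, "alice", "correct horse", "payroll.db", "read"))   # ok
    print(access(users, "alice", "correct horse", "payroll.db", "write"))  # not authorized
    key = b"shared-secret-for-example"
    tag = protect(key, b"amount=100")
    print(verify(key, b"amount=100", tag), verify(key, b"amount=900", tag))  # True False
```

Note the gap between integrity and nonrepudiation in this example: the HMAC tag proves the record was not altered, but because the verifier holds the same key it could have produced the tag itself, so the sender can still deny having sent it. Nonrepudiation needs a digital signature made with a private key that only the signer holds, which is why the definition on the slide mentions a signature.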
Types of Threats and Attacks Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network
Types of Threats and Attacks (cont.) Social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access
Types of Threats and Attacks (cont.) Multipronged approach used to combat social engineering: 1. Education and training 2. Policies and procedures 3. Penetration testing
Types of Threats and Attacks (cont.) Technical attack: An attack perpetrated using software and systems knowledge or expertise
Types of Threats and Attacks (cont.) Denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources
Types of Threats and Attacks (cont.) Distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer
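The control-system components from the earlier slide (standard, sensor, comparison, compensatory action) applied to the DoS and DDoS attacks just defined. This is an added example, not code from the slides: the thresholds, the log format and the log lines are constructed for the illustration. The comparison step distinguishes a single-source flood, where blocking the source is a workable compensatory action, from a distributed flood, where no single source exceeds a per-client limit and the block list would be as large as the botnet.

```python
"""Added example (not from the slides): the four control-system components
applied to flood detection.  Standard = the thresholds below, sensor = the
log parser, comparison = evaluate(), compensatory action = compensate().
All names, thresholds and log lines are assumptions made for this example."""
from collections import Counter, defaultdict

# Standards for performance (assumed values for a small web server)
MAX_PER_SEC = 50     # total new connections per second the service is expected to absorb
MAX_PER_SRC = 20     # a single legitimate client should not exceed this per second
MANY_SOURCES = 10    # at or above this many distinct sources, treat the flood as distributed


def parse(lines):
    """Sensor: turn constructed '<second> <source_ip>' log lines into (second, ip) events."""
    events = []
    for line in lines:
        second, ip = line.split()
        events.append((int(second), ip))
    return events


def evaluate(events):
    """Comparison: measure actual load per second against the standard.

    Returns a list of (second, kind, sources) for every second that exceeds
    MAX_PER_SEC.  kind is 'dos' when one or a few sources are individually
    loud, 'ddos' when many sources each stay under the per-source limit, and
    'investigate' when the load is high but the pattern matches neither."""
    per_second = defaultdict(Counter)
    for second, ip in events:
        per_second[second][ip] += 1

    findings = []
    for second in sorted(per_second):
        counts = per_second[second]
        if sum(counts.values()) <= MAX_PER_SEC:
            continue                                   # within standard, no deviation
        loud = sorted(ip for ip, n in counts.items() if n > MAX_PER_SRC)
        if loud:
            findings.append((second, "dos", loud))
        elif len(counts) >= MANY_SOURCES:
            findings.append((second, "ddos", sorted(counts)))
        else:
            findings.append((second, "investigate", sorted(counts)))
    return findings


def compensate(findings):
    """Compensatory action: what the control does when the deviation is too great.

    Blocking individual sources only works against a single-source DoS; for a
    DDoS the block list would be as large as the botnet, so the action is to
    escalate to upstream (ISP / scrubbing) filtering instead."""
    actions = []
    for second, kind, sources in findings:
        if kind == "dos":
            actions.extend(f"block {ip}" for ip in sources)
        elif kind == "ddos":
            actions.append(f"escalate upstream filtering ({len(sources)} sources at t={second})")
        else:
            actions.append(f"alert operator (t={second}, {len(sources)} sources)")
    return actions


# Constructed log: second 1 is normal traffic, second 2 is a single-source flood,
# second 3 is a distributed flood in which no single source is loud.
SAMPLE_LOG = (
    [f"1 192.0.2.{i}" for i in range(1, 6) for _ in range(3)]          # 5 clients x 3 = 15
    + ["2 203.0.113.9"] * 60                                           # one source, 60/s
    + [f"3 198.51.100.{i}" for i in range(1, 31) for _ in range(2)]    # 30 sources x 2 = 60
)

if __name__ == "__main__":
    for action in compensate(evaluate(parse(SAMPLE_LOG))):
        print(action)
```

The thresholds are the "standards for performance" and are deliberately separate constants: in a real deployment they come from measured baselines, and a control whose standard is wrong either never fires or blocks legitimate peaks.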
Types of Threats and Attacks (cont.) Malware: A generic term for malicious software – The severity of virus attacks is increasing substantially, requiring much more time and money to recover – 85% of survey respondents said that their organizations had been the victims of viruses in 2002
Types of Threats and Attacks – Malware takes a variety of forms – both pure and hybrid Virus: A piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine Macro virus or macro worm: A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk
CERT: Recommendations for Governing Organizational Security Questions to ask: – What is at risk? – How much security is enough? – How should an organization … Develop policies on security? Achieve and sustain proper security? The CERT recommendations are derived from a report written by Julia Allen entitled Governing for Enterprise Security, which may be found at
CERT: Recommendations for Governing Organizational Security What is at risk? – Trust that the public has in your organization – Reputation and brand – Shareholder value – Market confidence – Regulatory compliance Fines Jail time – Market share – Customer privacy – Ongoing, uninterrupted operations – Morale of organizational members
CERT: Recommendations for Governing Organizational Security How Much Security is Enough? – “Management’s perspective needs to shift
CERT: Recommendations for Governing Organizational Security Good Security Strategy Questions – What needs to be protected? Why does it need to be protected? What happens if it is not protected? – What potential adverse consequences need to be prevented? What will be the cost? How much of a disruption can we stand before we take action? – How do we effectively manage the residual risk when protection and prevention actions are not taken?
CERT: Recommendations for Evolving the Security Approach
What Does Effective Security Look Like at the Enterprise Level? – It’s no longer solely under IT’s control – Achievable, measurable objectives are defined and included in strategic and operational plans – Functions across the organization view security as part of their job (e.g., Audit) and are so measured – Adequate and sustained funding is a given – Senior executives visibly sponsor and measure this work against defined performance parameters – Considered a requirement of being in business
Wireless Network Hacking
Security Information Symantec Guide to Scary Internet Stuff – Botnets – Phishing – Net Threats – Underground Economy
VOIP Threats
Hacking a Desktop
Macs aren’t immune