Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.


1 Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University

2 Outline
– Example: iPremier Company (Harvard Business School case)
  – Background about the company
  – Business implications
  – Some recommendations for the future
– Management's role in information security
– Framework for a balanced approach to security

3 Example: DDoS attack on iPremier Company
– For background about the company, refer to the MS Word document distributed in class.
– Problems at the colocation facility (Qdata):
  – iPremier employees could not get physical access to Qdata's Network Operations Center (NOC)
  – Could not telnet in over the T1 line that was supposed to let iPremier employees connect to Qdata
  – Qdata night-shift personnel were unresponsive and not competent to handle the situation: nobody on shift knew the network-monitoring software, and the one person who did was on vacation

4 iPremier Example (Continued)
– Unable to determine the extent of the damage (was the firewall penetrated? how deep does the penetration go?)
– Unable to determine whether customer data was stolen (the CIO's main immediate concern)
– Unable to trace, in a reasonable time frame, where the "Ha, ha, ha" e-mails received by the "support" staff were originating
  – Even if an e-mail is eventually traced, the trail leads only to another "zombie" (a compromised third-party machine), not to the attacker

5 iPremier's Response to Attack: Very Poor
– Tried to shut down traffic from the "zombies": this didn't work, because for every zombie that was blocked, two new zombies joined the "party" automatically (blocking individual source addresses does not scale against a distributed attack)
– Shut down the web server
– Unable to determine whether they should call the Seattle Police or the FBI
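Slide 5's point, that blocking one zombie at a time cannot keep up with a distributed attack, is easy to see in log data. The following is an added example, not part of the lecture or the iPremier case: it runs two detection rules over constructed web-server log lines in NCSA common log format (addresses from the documentation ranges, timestamps and request counts all made up). The per-source rule is the "block the zombie" approach; the aggregate rule looks at total requests and distinct sources per minute. The thresholds (50 requests per source, 5x the baseline) are illustrative assumptions.

```python
import re
from collections import defaultdict

# NCSA common log format; only the client address and the timestamp matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (minute_bucket, client_ip) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # ts looks like 12/Jan/2001:04:31:17 -0500; drop the zone and the seconds.
    minute = m.group("ts").split(" ")[0].rsplit(":", 1)[0]
    return minute, m.group("ip")


def summarize(lines):
    """Per-minute totals: request count and a per-source request count."""
    per_min = defaultdict(lambda: {"requests": 0, "sources": defaultdict(int)})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not counted
        minute, ip = parsed
        per_min[minute]["requests"] += 1
        per_min[minute]["sources"][ip] += 1
    return per_min


def per_source_rule(stats, per_ip_max):
    """'Block the zombie': sources that exceed per_ip_max requests in any minute."""
    return sorted({ip for s in stats.values()
                   for ip, n in s["sources"].items() if n > per_ip_max})


def aggregate_rule(stats, baseline_requests, baseline_sources, factor=5):
    """Flag minutes whose total requests or distinct sources are far above the
    baseline, no matter how little any single source sends."""
    return sorted(m for m, s in stats.items()
                  if s["requests"] > factor * baseline_requests
                  or len(s["sources"]) > factor * baseline_sources)


def make_log():
    """Constructed sample traffic (documentation address ranges, not real hosts)."""
    def entry(ip, hhmmss):
        return f'{ip} - - [12/Jan/2001:{hhmmss} -0500] "GET /index.html HTTP/1.0" 200 2326'
    lines = []
    # Normal minute 04:30: five customers, four requests each.
    for i in range(5):
        for k in range(4):
            lines.append(entry(f"192.0.2.{10 + i}", f"04:30:{i * 10 + k:02d}"))
    # Attack minute 04:31: the same customers plus 150 zombies sending only two requests each.
    for i in range(5):
        for k in range(4):
            lines.append(entry(f"192.0.2.{10 + i}", f"04:31:{i * 10 + k:02d}"))
    for i in range(150):
        for k in range(2):
            lines.append(entry(f"198.51.100.{i + 1}", f"04:31:{(i + k) % 60:02d}"))
    lines.append("garbage line that should be skipped")
    return lines


def analyse(per_ip_max=50):
    """Run both rules over the constructed log and report what each one catches."""
    stats = summarize(make_log())
    baseline = stats["12/Jan/2001:04:30"]
    attack = stats["12/Jan/2001:04:31"]
    return {
        "blocked_sources": per_source_rule(stats, per_ip_max),
        "flagged_minutes": aggregate_rule(stats, baseline["requests"], len(baseline["sources"])),
        "attack_requests": attack["requests"],
        "attack_sources": len(attack["sources"]),
    }


if __name__ == "__main__":
    print(analyse())
```

During the attack minute no source sends more than four requests, so the per-source rule blocks nothing at all, while the aggregate rule flags the minute immediately (320 requests from 155 sources against a baseline of 20 from 5). The practical conclusion is the one the case illustrates: detection and mitigation of a DDoS have to work on aggregate traffic, typically upstream at the provider, rather than on a list of individual addresses.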

6 iPremier's Response to Attack: Very Poor
– Unable to decide initially whether to "disconnect the communication lines"
  – The CIO and CTO discussed it: disconnecting might lose logging data that could help them figure out what happened (preserving evidence to find the root cause of the problem, and to decide what to disclose publicly)
  – Later concluded that detailed logging had never been enabled, so there was little evidence to preserve in the first place
– Unable to determine whether they should call the Seattle Police or the FBI

7 iPremier's Response to Attack: Very Poor
– How to handle PR before information about the security breach leaks out?
– Unable to decide whether all systems need to be rebuilt
– What if a competitor files a lawsuit after the FBI determines that iPremier's own computers were performing a DoS attack (i.e., had themselves been turned into zombies)?
  – Would a system rebuild wipe out any remaining proof of iPremier's innocence?

8 Some Business Implications for iPremier
– Web server unavailable to legitimate customers
– Unable to determine the "cost of downtime"
– Bad reputation for the business
– Lost customers; loss of customer goodwill
– Legal issues if customer data was compromised
– Impact on stock price
– Unknown damage to the network/business
– The attack stopped after about 75 minutes, without any intervention from iPremier or Qdata
– What if there is another attack?

9 Some recommendations for iPremier
– Revisit the choice of colocation partner
  – Although an early entrant in the industry, Qdata lost any prospect of market leadership
  – Had not been quick to invest in advanced technology
  – Had experienced difficulty retaining qualified staff
– Create an incident response team
– Enable secure remote access to the network-management software for the security team (an authenticated, encrypted channel such as a VPN or SSH, rather than telnet, which sends credentials in clear text)

10 Some recommendations for iPremier
– Discuss/implement procedures for:
  – Performing risk assessment
  – Measuring the cost of downtime
  – Filing a complaint with the appropriate authorities
  – Handling PR and legal issues

11 Some recommendations for iPremier
– Other examples of appropriate security/privacy measures:
  – A more sophisticated firewall
  – Cryptography for sensitive data
  – Message-integrity algorithms (cryptographic hashes and MACs) to determine whether files have been modified or corrupted
  – Enable logging and decide on the level of logging; purchase disk space to support higher levels of logging
  – Keep virus signature files and security patches up to date
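The message-integrity bullet above, and slide 6's point that evidence is only useful if it exists and can be trusted, can be made concrete with a file-integrity baseline. The following is an added example written for this page, not code from the lecture or the iPremier case: it records a SHA-256 digest for every file under a directory, authenticates the whole manifest with an HMAC (so an intruder who edits files cannot quietly rewrite the manifest to match), and later reports modified, missing and new files. The directory contents, file names and the key value are constructed for the demonstration; in practice the key and the manifest are kept off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Key that authenticates the manifest. In practice it lives off the monitored host
# (e.g. with the security team). This value is a constructed placeholder.
MANIFEST_KEY = b"example-manifest-key-keep-off-host"


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, key):
    """Digest every regular file under root and HMAC the whole record, so the
    manifest itself is tamper-evident."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = file_digest(full)
    payload = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_manifest(root, manifest, key):
    """Compare the current tree against a manifest. Returns modified, missing and
    new files plus whether the manifest's own HMAC checked out; a bad HMAC means
    the baseline cannot be trusted, so the file lists are reported but flagged."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["hmac"])
    current = build_manifest(root, key)["files"]
    baseline = manifest["files"]
    return {
        "manifest_ok": manifest_ok,
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a small web root, then simulate an intruder
    editing one file, deleting another and dropping a new one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>iPremier</h1>\n")
        with open(os.path.join(root, "cgi-bin", "checkout.pl"), "w") as f:
            f.write("#!/usr/bin/perl\nprint 'ok';\n")
        with open(os.path.join(root, "robots.txt"), "w") as f:
            f.write("User-agent: *\n")
        manifest = build_manifest(root, MANIFEST_KEY)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(root, "cgi-bin", "checkout.pl"), "a") as f:
            f.write("# modified after baseline\n")
        os.remove(os.path.join(root, "robots.txt"))
        with open(os.path.join(root, "cgi-bin", "shell.pl"), "w") as f:
            f.write("#!/usr/bin/perl\n")

        result = verify_manifest(root, manifest, MANIFEST_KEY)
        # A manifest whose HMAC does not verify must not be trusted as a baseline.
        forged = dict(manifest, hmac="0" * 64)
        result["forged_rejected"] = not verify_manifest(root, forged, MANIFEST_KEY)["manifest_ok"]
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest alone answers "has this file changed?"; the HMAC over the manifest answers "can I believe the baseline I am comparing against?", which is the question an incident responder actually faces after a suspected intrusion. Either check is only as good as the copy of the manifest and key kept away from the host being checked.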

12 Some recommendations for iPremier
– Design and document a recovery plan
– Practice with a simulated attack
– Educate users about security and threats
– Hire a good Chief Security Officer
– Institute periodic third-party security audits

13 Imperative Need for Secure Communication: Reported Security Incidents up to 1995 (chart; source: CERT.ORG)

14 Reported Security Incidents 1995 – 2003 (chart; source: http://www.cert.org/present/cert-overview-trends/module-1.pdf)

15 Discussion Questions
– Identify some reasons why cyber attacks have been on the rise.
– What is your opinion about government, academic institutions and industry collaborating to provide cyber security solutions?
– What do you think management's role in information security should be?

16 Barriers to Cyber Security
– Worldwide diffusion of the Internet
  – Adversaries of unknown origin and intent, distributed worldwide:
    – Hackers, virus writers
    – Criminal groups, terrorists
    – Disgruntled current or former employees
    – Foreign intelligence services; information warfare by foreign militaries and governments
    – Corporate espionage

17 Barriers to Cyber Security
– Hacking tools readily available on the Internet (scores of hacker publications, bulletin boards and web sites dealing with "hacking tips")
– Extensive partnering network
  – More difficult to define the boundaries of the information system
  – Java applets enhance interaction with customers and suppliers, but this capability requires programs created by external entities to run on the organization's machines
  – It is not possible to determine the full impact of each and every applet before running it, so such code has to run with restricted privileges

18 Barriers to Cyber Security
– Lack of a good security policy
  – Lax attitude toward security:
    – E-mail account of a dismissed employee not deleted after the employee has left the organization
    – Protecting content during transmission, but not after transmission (data at rest)
    – George Mason University: a breach exposed about 30,000 SSNs even as the university was moving from SSNs to a separate student ID (SID)
    – Bank of America: backup tapes lost
    – Intrusion detection logs not maintained
    – Virus signature files/security patches not updated

19 Barriers to Security
– Organizational characteristics
  – Lack of structure
  – Business environment
  – Culture
  – Lack of standard operating procedures
  – Lack of education, training, and awareness
  – Lack of understanding/appreciation of technology
  – Lack of leadership from senior management

20 Management's Role in Information Security
– Total/perfect security is a myth
– Critical asset identification
– Initial risk assessment
– Risk assessment as a continuous process
– Creating a security team
– Initiate and actively participate in the planning, design, documentation and testing of the security policy
– Initiate and actively participate in the planning, design, documentation and testing of the recovery/response policy

21 Management's Role in Information Security
– Be actively involved in establishing standard operating procedures
– Develop and maintain an appropriate organizational culture
– Ensure employees are educated and trained on the importance of following the security policy
– Understand what each security tool proposed by the IT team can and cannot do

22 Management's Role in Information Security
– Have a good control environment:
  – Physical controls
  – Data/content controls
  – Implementation controls (including outsourcing)
  – Operations/administrative controls
  – Application controls specific to individual system components/applications (e.g., limiting e-mail attachments)

23 Management's Role in Information Security
– Recognize that security is a socio-technical issue
– Recognize that security requires an end-to-end view of business processes
– Achieve a balanced approach to security, one that does not focus solely on technological solutions
– Recognize that security rests on three cornerstones: technology, organization and critical infrastructure

24 Three Cornerstones: Technology
– Have an understanding/appreciation of technology:
  – Firewalls
  – IDS/IPS systems
  – Antivirus/security patches
  – Symmetric and public-key cryptography for confidentiality, authentication, integrity and non-repudiation
  – Secure servers
  – VPNs
  – Evaluation of potential technology acquisitions based on their impact on security

25 Three Cornerstones: Organization
– Organizational characteristics, typically under the control of the organization:
  – Structure
  – Business environment
  – Culture
  – Policies and responses
  – Standard operating procedures
  – Education, training, and awareness

26 Three Cornerstones: Critical Infrastructure
– Infrastructure so vital that its damage or destruction would have a debilitating impact on the physical or economic security of the country:
  – Telecommunications
  – Banking
  – Energy

27 Why should government, academic institutions and industry collaborate?
– It is in each other's interest
– Critical infrastructure is in large part owned by the private sector, used by both private and public sectors, and protected in large part by the public sector
– Need to discuss problems and exchange ideas and solutions to cyber attacks/misuse
– Resource/cost/information sharing
– Opportunity to play a role in the evolution of "best practices"
– Help shape legal and government policies in areas of mutual concern
– Appropriate guidance for rapid additional protection measures

28 CERT (source: http://www.us-cert.gov/)

29 What does CERT do?

30 What is Management's role?
– Management ties everything together: it carries responsibility and ownership across the three cornerstones (technology, infrastructure, organization)
– Security is a mindset, not a service. It must be a part of all decisions and implementations.

