Managing Information Security
Ed Gelbstein, International Computing Centre, Geneva
Information Security, OECD, April 2001, International Computing Centre
Asset valuation
What is the business value of:
- Data
- Intellectual property
- Systems (software / hardware)
- Documents
- The organisation's reputation
... when disclosed, modified, unavailable, destroyed, etc.?
How do you respond?
Option 1: a notice reading
  "Hackers please note. This facility is secured Monday and Friday, 09:00 to 17:00 CET. Please do not visit at any other time. We thank you for your understanding."
Option 2: an emergency response plan and team.
Key components
- Ownership and culture
- Policies
- Processes and tools
- Autopsies, diagnostics, audits
Ownership
- Anybody
- Somebody
- Everybody
- Nobody
Culture
- Security management is a way of life
- It relies on everyone
- It requires many processes
- It may contain many projects, but it has no end
- Only the paranoid survive
Threatscape
Internal or external, physical or logical:
- Sabotage
- Misuse / fraud
- Unauthorised access
- Unauthorised change
- Unauthorised disclosure
- Destruction of data
- Malicious software
- Stupidity
- Weaknesses in systems
- Weaknesses in products
- Cyber-attack (DoS / DDoS)
- Cyber-attack (EMP)
- Data blackmail
- and many more...
Threatscape (2)
Most pervasive, most expensive, most publicised, most frequent:
- Virus, worm, trojan horse
- Insider fraud, sabotage
- Theft of proprietary information
- Attacks on e-business: theft of credit card data, denial of service
- Developers' mistakes, poor configuration, poor system administration
Building blocks
- Change control
- Backup / restore
- Media management
- Disaster recovery
- Business continuity
- Crisis management
- Physical access control
- Logical access control
- Infrastructure: no single point of failure; UPS and standby; clusters, fail-soft, alternative routing, RAID, ...
- Diagnostics and monitoring
- System administration
- Audits
- Policies
- Best practices
- Standards
- Action plans
Key word: OWNERSHIP
Building blocks (2)
- Confidentiality
- Integrity
- Authorisation
- Authentication
- Audit trail
- Non-repudiation
- Risk assessment
- Communications
- Risk management
- Alert monitoring
- Tools and products
- Organisation: incident detection, incident response
- Staff vetting
- Training
- Tests and audits
Key word: OWNERSHIP
Policies
- Scope
- Documentation
- Dissemination
- Maintenance
- Compliance
- Non-compliance
Scope of policies
- E-mail
- Passwords
- System / resource access
- Database administration
- Encryption
- Backup / restore / disaster recovery
- Physical access and remote access
- Software installation
- Change control
list continues...
Scope of policies (2)
- Acceptable use
- Monitoring and audits
- Mobile computing
- Wireless computing
- Privacy
- Staff background checks
and more...
E-mail policy includes...
- Virus, worm, other infectious software
- Executable code
- Audio and video files
- Other large files
- Encryption
- Non-disclosure
- Offensive language / material
- Legal liability (harassment, copyright, libel, etc.)
- Junk e-mail and other loss of productivity
- Personal use of corporate e-mail
- Archival
and so on...
Vigilance
- Alerts (vendor, CERT, FBI, other)
- Attacks (who, when, how)
- Hacker tools, communiques, websites
- Disgruntled staff, behavioural changes
- etc.
Security rings
- Data access rights
- Database security
- System security
- LAN and server security
- Firewall security
- Authentication
- etc.
What does it take to get through each of these layers?
Tools and products
- Firewalls and antivirus software
- Resource access controls
- Encryption
- Digital certificates
- Proxy / reverse proxy servers
- Intrusion detection systems
- Software integrity checkers
- Log analysis tools
and so on...
Many choices; "out of the box" may not be enough.
Certification, audits, etc.
- Tests
- Audits
- Post-mortems
- Certification
Like your annual medical, it is no guarantee of good health, but it might diagnose a problem.
Who tests the testers?
How do you know you have not been attacked?
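One concrete answer to the last question is to read the logs you already keep. The block below is an added example, not from the original slides: it parses OpenSSH-style authentication log lines (the line format is assumed; the sample lines are constructed), counts failed logins per source address inside a sliding time window, flags a source that crosses a threshold, and, the case that actually needs an incident response, reports any successful login from such a source afterwards.

```python
"""Log analysis: failed-login bursts followed by a success (added example).

Assumed input: OpenSSH auth log lines of the form
  Mar  4 09:00:01 host sshd[pid]: Failed password for [invalid user ]NAME from IP port N ssh2
  Mar  4 09:00:04 host sshd[pid]: Accepted publickey for NAME from IP port N ssh2
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source sprays passwords and then gets in as root;
# a legitimate user mistypes once and then logs in normally.
SAMPLE_LOG = """\
Mar  4 09:00:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  4 09:00:03 gw sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  4 09:00:04 gw sshd[2103]: Accepted publickey for alice from 198.51.100.20 port 40010 ssh2
Mar  4 09:00:06 gw sshd[2104]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 09:00:08 gw sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Mar  4 09:00:09 gw sshd[2106]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar  4 09:00:15 gw sshd[2107]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  4 09:30:00 gw sshd[2110]: Failed password for bob from 198.51.100.20 port 40011 ssh2
Mar  4 09:31:00 gw sshd[2111]: Accepted password for bob from 198.51.100.20 port 40012 ssh2
"""


def parse(line: str, year: int = 2001) -> dict | None:
    """Parse one line; return None for anything that is not an auth event.

    Syslog timestamps carry no year, so one is supplied by the caller."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect(log_text: str, threshold: int = 5, window_s: int = 60) -> list[tuple[str, str]]:
    """Return (source_ip, finding) pairs in the order they were detected.

    A source is flagged once `threshold` failures fall inside `window_s`
    seconds. Any Accepted login from a flagged source is reported separately:
    a blocked brute force is a nuisance, a successful one is an incident."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    flagged: set[str] = set()
    findings: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            # Drop failures that have aged out of the window.
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append((ip, f"{len(q)} failed logins within {window_s}s"))
        elif ip in flagged:
            findings.append((ip, f"successful login as {ev['user']} after brute-force burst"))
    return findings


if __name__ == "__main__":
    for ip, what in detect(SAMPLE_LOG):
        print(f"{ip}: {what}")
```

The threshold and window are the tuning knobs: too low and a user with a stuck keyboard gets flagged, too high and a slow, patient attacker never does. The detector also silently skips lines it does not recognise rather than crashing, which matters when the log is the attacker's last chance to influence your tooling.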
Be vigilant, be silent...
"Yes, we have been attacked and are very aware of the flaws in our security": risk of losing credibility and of inviting trouble.
"Our security is superb and we are totally confident in our ability to stay ahead": a challenge to every cracker and script kiddie to prove you wrong.
Give it a try?
Intrusion test:
- Access a predefined file from a server on your network
- Report of the route taken to access it
- Report of weaknesses found