Advanced Penetration Analysis Module 1 The Need for Security Analysis
EC-Council
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Copyright © 2004 EC-Council. All rights reserved worldwide.
Module Objective
This module will familiarize you with:
• What are we Concerned About?
• So What are you Trying to Protect?
• Why are Intrusions so Often Successful?
• What are the Greatest Challenges?
• Threat Agents
• Assessment Questions
• Risk
• Information Security Awareness
• Security Policies
• ISO 17799
• U.K. Legislation
What are we Concerned About?
Fraud/Forgery
Unauthorized Information Access
Interception or Modification of Data
So What are you Trying to Protect? Your Assets
Your Network Infrastructure
Availability of Your Network
Confidential Personal Data
Why are Intrusions so Often Successful?
Poor detection, response, and escalation
No formal policies or non-existent procedures for [pro]active auditing, and/or event management
Limited use of authentication and/or authorization systems
Ignorance of logical and/or organizational boundaries within a network infrastructure
What are the Greatest Challenges?
Limited focus on security
Limited security expertise
Environmental Complexity
Multiple points of access:
• Wired/wireless
• Analog/remote
Insecure network design:
• DMZ(s)
• Single-layer security design
Multi-vendor environments:
• Cisco, Check Point, ISS, etc.
New Technologies
Technology is advancing rapidly. New technologies make old techniques ineffective or insufficient. Security technologies change almost every day. It's often impossible to evolve your network infrastructure at the same rapid pace.
Tunneling software makes it easier to bypass access controls.
New Threats and Exploits
at its lowest.
This significantly increases the number of potential threats, as every teenager with a broadband connection can be a suspect.
New exploits are being discovered as frequently as every 4 hours -- and this
Limited Focus
IT security is often allocated a small portion of overall IT budgets (on average, less than 3%; new
Few managers see the need for security until after an attack has occurred, and by then, it's often too little, too late.
Limited Expertise
Organizations don't want to spend money on expensive security personnel.
Most often, 'Security Administrators' are Network Administrators. Information security is a complex and specialized field, and engineers need specialized training.
Tool: Data Loss Cost Calculator
http://www.tech-404.com/calculator.html
Darwin Professional Underwriters Inc. has developed an online data loss cost calculator that allows companies to estimate their financial risk from data theft. This calculator provides companies with a no-cost, easy-to-use, and interactive tool to assess the impact of a data breach or identity theft data loss incident. It can be used to immediately estimate the financial exposure of an organization in three major categories:
• Internal investigation expenses.
• Customer notification/crisis management expenses.
How to Use
Enter the number of affected records in a data breach or identity theft incident. Avoid using commas when entering a number. The buttons next to the text box increase or decrease the number of affected records by 500. A user can switch the options "ON" or "OFF" according to their need.
Click the "Graph" icon to generate a pie chart.
Click each pie chart slice to check the distribution of costs for each category.
Data Loss Cost Calculator Screenshot (Input and Graph views)
Features of Data Loss Cost Calculator
Helps to calculate the data loss cost approximately.
A range between 1,000 and 250,000 affected records is used.
Graphical representation makes the calculation easy and simple to understand.
Each category can be studied in detail with the help of the advanced pie chart option.
Graphical Representation of Total Loss (pie chart; slice shown: Notification/Crisis Management)
Graphical Representation of Loss of Each Category (pie chart)
In Order to Ensure...
Accurate authentication
Proper authorization
Confidentiality of data
Integrity of data
Availability of data
Non-repudiation
Authentication
Authentication is the process of verifying the identity of an individual.
Logging on to a computer is a two-stage process; typically, you will enter your:
• Username: This is for the identifying process.
• Password: This proves your identity as posited in the username stage.
Authorization
Authorization is the process of determining whether a subject can perform a given function against a given object. For example, some users may be authorized to view data, and others may be authorized to delete data; both must be valid users, but they have different capabilities. Authorization or access control is typically defined by Access Control Lists (ACLs).
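The two-stage logon and the ACL check described in the Authentication and Authorization slides, as an added example that is not part of the original module. The user store, the ACL, the account names and the object path are all constructed here; a real system would read them from a directory and a database. The point it makes beyond the text: the password is never stored, the comparison is constant-time, an unknown username costs the same as a known one, and passing authentication still says nothing about what the user may do.

```python
"""Two-stage logon (identify, then prove) followed by an ACL check."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Deliberately slow so offline guessing is expensive; raise in production
# (OWASP suggests 600,000 for PBKDF2-HMAC-SHA256). Kept lower here to run quickly.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16

# Assumed in-memory user store: username -> (salt, derived key).
_USERS: Dict[str, Tuple[bytes, bytes]] = {}
# Dummy record so an unknown username still costs one PBKDF2 run (no user enumeration by timing).
_DUMMY = (b"\x00" * SALT_LEN, b"\x00" * 32)

# Constructed ACL: object -> subject -> permitted actions (assumption, not from the slides).
_ACL: Dict[str, Dict[str, Set[str]]] = {
    "/finance/ledger.xlsx": {"alice": {"read"}, "bob": {"read", "delete"}},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def register(username: str, password: str) -> None:
    _USERS[username] = hash_password(password)


def authenticate(username: str, password: str) -> bool:
    """Stage 1 identifies (username); stage 2 proves that identity (password)."""
    salt, stored = _USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    # compare_digest is constant-time; the membership check rejects the dummy record
    return hmac.compare_digest(candidate, stored) and username in _USERS


def authorize(username: str, action: str, obj: str) -> bool:
    """A valid user is not automatically allowed to act; the ACL decides per object."""
    return action in _ACL.get(obj, {}).get(username, set())


def access(username: str, password: str, action: str, obj: str) -> str:
    """Authenticate first, then authorize; the two failures are reported separately."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action, obj):
        return "denied: not authorized"
    return "granted"


# Constructed demo accounts (assumptions).
register("alice", "correct horse battery staple")
register("bob", "Tr0ub4dor&3")

if __name__ == "__main__":
    for who, pw, act in [("alice", "correct horse battery staple", "read"),
                         ("alice", "correct horse battery staple", "delete"),
                         ("bob", "Tr0ub4dor&3", "delete"),
                         ("bob", "wrong", "read"),
                         ("mallory", "anything", "read")]:
        print(f"{who:8s} {act:7s} -> {access(who, pw, act, '/finance/ledger.xlsx')}")
```

Both valid users pass stage two; only bob's ACL entry permits delete, and a wrong password or an unknown user fails at stage one with the same message, so the response does not reveal which of the two was wrong.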
Confidentiality
Confidentiality is the requirement that particular information be restricted to the appropriate people. Mechanisms that are often used to maintain confidentiality include:
Data Classification:
• The process of labeling information so that people understand who is allowed to see it and who isn't.
Encryption:
• Information is often encrypted to maintain confidentiality; only people with the right key are authorized and able to decrypt it.
Equipment Disposal:
• Overwriting disks multiple times (the classic seven-pass wipe; a plain format does not remove the data), degaussing tapes, shredding paper, and sanding CD-ROMs are all activities to protect confidentiality when we throw away information storage.
Integrity
Integrity is the principle that requires information to remain accurate and complete, changed only by authorized parties. Measures to maintain data integrity may include:
Checksums:
• A checksum is a number produced by a mathematical function to verify that a given block of data hasn't been changed. An unkeyed checksum only detects accidental change; an attacker who can alter the data can recompute it, so deliberate tampering needs a keyed MAC or a digital signature.
Access control:
• By ensuring that only the correct people can update, add, and delete data, we can protect its integrity.
Availability
Availability is the principle that requires information to be accessible in a timely manner. This principle underpins the whole principle of redundant systems.
Measures to maintain data availability may include:
• Redundant systems, disk arrays, and clustered machines.
• Antivirus software to stop worms destroying our networks.
• Distributed denial-of-service (DDoS) prevention systems.
Non-Repudiation
Non-repudiation effectively defines a principle or state that ensures that an action or transaction cannot be denied:
• Non-repudiation of receipt: The sender can prove that the message was delivered to the right person.
• Non-repudiation of sender: This is the most common case; the sender's message appears to be from, say, Mark Osborne, but can we really be sure when dealing with such a fickle character?
• Non-repudiation of time: No one denies receiving or sending anything; they just deny getting it at a time that makes it meaningful.
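The checksum measure from the Integrity slide and the non-repudiation-of-sender case above share one worked example, added here and not part of the original module. It uses only the Python standard library; the two messages and the shared key are constructed. It shows three things the slides state but do not demonstrate: an unkeyed checksum (CRC32 or even SHA-256) is recomputed by whoever tampers with the data, so it cannot catch deliberate modification; a keyed MAC (HMAC-SHA256) does catch it; and because the receiver holds the same MAC key, a MAC still cannot prove who sent a message. Non-repudiation of sender needs a digital signature under a key only the sender holds, which the standard library does not provide, so that step is described in a comment rather than implemented.

```python
"""Unkeyed checksums, keyed MACs, and what each can and cannot prove."""
import hashlib
import hmac
import zlib
from typing import Dict

# Constructed sample messages (not from the original slides).
ORIGINAL = b"transfer 100.00 from acct 1001 to acct 2002"
TAMPERED = b"transfer 9000.00 from acct 1001 to acct 6666"
# Assumed secret shared by sender and receiver.
SHARED_KEY = b"k3y-shared-by-sender-and-receiver"


def crc32_checksum(data: bytes) -> int:
    """Unkeyed checksum: detects accidental corruption, not deliberate change."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_digest(data: bytes) -> str:
    """Cryptographic hash, but still unkeyed: anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, data: bytes, tag: str) -> bool:
    # constant-time comparison so a forger cannot learn the tag byte by byte
    return hmac.compare_digest(mac_tag(key, data), tag)


def seal_unkeyed(data: bytes) -> Dict[str, object]:
    """Store the data together with its checksums, as a naive integrity scheme would."""
    return {"data": data, "crc32": crc32_checksum(data), "sha256": sha256_digest(data)}


def verify_unkeyed(record: Dict[str, object]) -> bool:
    data = record["data"]
    return (crc32_checksum(data) == record["crc32"]
            and sha256_digest(data) == record["sha256"])


def unkeyed_checksum_survives_tampering() -> bool:
    """Attacker model: whoever can rewrite the data can rewrite its checksums."""
    stored = seal_unkeyed(ORIGINAL)
    assert verify_unkeyed(stored)
    forged = seal_unkeyed(TAMPERED)          # attacker recomputes both fields
    return forged["data"] != stored["data"] and verify_unkeyed(forged)


def keyed_mac_detects_tampering() -> bool:
    """Without the key the attacker can only reuse the old tag, which fails on new data."""
    tag = mac_tag(SHARED_KEY, ORIGINAL)
    return mac_verify(SHARED_KEY, ORIGINAL, tag) and not mac_verify(SHARED_KEY, TAMPERED, tag)


def receiver_can_forge_mac() -> bool:
    """Non-repudiation caveat: the receiver holds the same key, so it can mint a
    valid tag for a message the sender never sent. A MAC therefore gives integrity
    and peer authentication, not non-repudiation of sender; that needs a digital
    signature under a private key only the sender holds (not in the stdlib, so
    not shown here)."""
    forged = mac_tag(SHARED_KEY, TAMPERED)   # computed by the receiver, not the sender
    return mac_verify(SHARED_KEY, TAMPERED, forged)


if __name__ == "__main__":
    print("unkeyed checksums still verify after tampering:", unkeyed_checksum_survives_tampering())
    print("HMAC detects tampering:", keyed_mac_detects_tampering())
    print("receiver can forge a valid HMAC:", receiver_can_forge_mac())
```

All three functions return True: the first is the weakness of checksums, the second is what a MAC adds, and the third is why a MAC alone does not settle a dispute between the two parties that share the key.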
We Must be Diligent
The people.
The technology.
The processes.
Threat Agents
Employees:
• Disgruntled employee
• Lack of education:
  • Users
  • Administrators
• Corporate espionage
• Misuse of privileges:
  • Internal
  • External
No physical security = no security at all:
• Unattended computer systems on the LAN
• Unlocked doors or poorly secured server rooms or wiring closets
Organized threats:
• Fundamentalist groups
• Organized crime
• Government/foreign intelligence
• Terrorists
Assessment Questions
Here are some questions for you to ponder:
• How easy would it be for someone to steal our corporate information?
• How easy would it be for someone to crash our network?
• What vulnerabilities exist at our Internet connection?
• What is the likelihood that we will be hacked by someone?
• What could one of our employees do with unauthorized access privileges?
• How easy is it to circumvent these access controls?
• Is it easier for insiders than someone trying to come in from the Internet?
• How much should we spend on our IT security program?
• resources?
How Much Security is Enough?
First, we have to understand risk:
• How much do you have to lose?
• What is your level of exposure/risk?
• How are you vulnerable?
• How can these risks be
Risk
It refers to the uncertainty about events and outcomes that could have an undesirable effect on the organization and its goals. The central element of risk is uncertainty, the probability of experiencing a loss. The outcome is uncertain, but the threat is very real.
Risk = Loss * Exposure factor.
Simplifying Risk
R = Risk
A = Asset value
T = Perceived threat
V = Vulnerability
Risk Analysis
There are many types of risk analysis. Common security risk analysis methods and tools include:
• CRAMM
• SARAH
• IS1 and IS3
• VISART
• Delphi
Risk Assessment Answers
1. What can go wrong? (threat events)
2. If it happened, how bad could it be? (single-loss exposure value)
3. How often might it happen? (frequency)
4. How sure are the answers to the first three questions? (uncertainty)
5. What can be done to remove, mitigate, or transfer risk? (safeguards and controls)
6. How much will it cost? (safeguard and control costs)
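The six questions above and the slide's Risk = Loss * Exposure factor, carried through numerically as an added example that is not part of the original module. It follows the standard quantitative method: single-loss exposure = asset value × exposure factor, expected annual loss = single-loss exposure × frequency, and a safeguard is worth buying only when the annual loss it avoids exceeds its annual cost. The threat, the three candidate safeguards and every figure are constructed assumptions. The last function addresses question 4: it re-runs the decision across a plausible range of frequencies to see whether the answer is stable, which is the check a practitioner wants before committing budget on a single guessed number.

```python
"""Quantitative answers to the risk-assessment questions: SLE, annual loss, safeguard value."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # how much you have to lose
    exposure_factor: float   # fraction of asset value lost per event (0..1)
    frequency: float         # expected events per year

    def single_loss(self) -> float:
        """Per-event loss: the slide's Risk = Loss * Exposure factor."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Expected loss per year: single loss scaled by how often it happens."""
        return self.single_loss() * self.frequency


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    exposure_factor_after: float   # residual exposure once the control is in place
    frequency_after: float         # residual frequency once the control is in place


def residual(threat: Threat, sg: Safeguard) -> Threat:
    """The same threat with the safeguard's residual exposure and frequency."""
    return replace(threat, exposure_factor=sg.exposure_factor_after, frequency=sg.frequency_after)


def net_benefit(threat: Threat, sg: Safeguard) -> float:
    """Annual loss avoided minus what the safeguard costs per year."""
    return threat.annual_loss() - residual(threat, sg).annual_loss() - sg.annual_cost


def choose(threat: Threat, options: List[Safeguard]) -> Optional[str]:
    """Pick the safeguard with the largest positive net benefit; None means accept the risk."""
    best = max(options, key=lambda sg: net_benefit(threat, sg), default=None)
    if best is None or net_benefit(threat, best) <= 0:
        return None
    return best.name


def choice_is_robust(threat: Threat, options: List[Safeguard],
                     freq_low: float, freq_high: float) -> bool:
    """Question 4 (uncertainty): does the decision survive the plausible frequency range?"""
    picks = {choose(replace(threat, frequency=f), options)
             for f in (freq_low, threat.frequency, freq_high)}
    return len(picks) == 1


# Constructed figures (assumptions, not from the original slides).
DB_THEFT = Threat("customer DB theft", asset_value=500_000, exposure_factor=0.4, frequency=0.5)
OPTIONS = [
    Safeguard("segmentation + patching", annual_cost=30_000,
              exposure_factor_after=0.4, frequency_after=0.1),
    Safeguard("segmentation + encryption at rest", annual_cost=90_000,
              exposure_factor_after=0.05, frequency_after=0.1),
    Safeguard("air-gap the database", annual_cost=150_000,
              exposure_factor_after=0.0, frequency_after=0.0),
]

if __name__ == "__main__":
    print(f"single loss {DB_THEFT.single_loss():,.0f}  annual loss {DB_THEFT.annual_loss():,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name:36s} net benefit {net_benefit(DB_THEFT, sg):>10,.0f}")
    print("choose:", choose(DB_THEFT, OPTIONS))
    print("robust over 0.2..1.0 events/yr:", choice_is_robust(DB_THEFT, OPTIONS, 0.2, 1.0))
    print("robust over 0.4..1.0 events/yr:", choice_is_robust(DB_THEFT, OPTIONS, 0.4, 1.0))
```

With these figures the single loss is 200,000 and the annual loss 100,000; the cheapest control nets 50,000 a year, the encryption option nets 7,500, and the air-gap costs more than the whole risk it removes, which is the "too much security" case. If the frequency could plausibly be as low as 0.2 per year the decision flips to accepting the risk, so that estimate deserves more evidence before spending.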
Steps of Risk Assessment
Step 1: Inventory, Definition, and Requirements
Phase 1: Identify critical business processes.
Phase 2: Create a list of assets used by those critical processes.
Phase 3: Place a value on the assets, or somehow quantify their importance.
Step 2: Vulnerability and Threat Assessment
Phase 1: Run automated security tools to start process analysis.
Phase 2: Follow up with a manual review.
Step 3: Evaluation of Controls
Identify potential safeguards and controls, as well as their associated cost.
Steps of Risk Assessment (cont'd)
Step 4: Analysis, Decision, and Documentation
Phase 1: Analyze a list of control options for each threat.
Phase 2: Decide which control is best to implement for each threat.
Phase 3: Document the assessment process and results.
Step 5: Communication
Communicate results to the appropriate parties.
Step 6: Monitoring
Continuously analyze new threats and modify controls as necessary. Significant organizational changes should lead to a new risk assessment.
Risk Assessment Values
The RAV is defined as the degradation of security (or escalation of risk) over a specific life cycle based on best
Information Security Awareness
Information security is all about people.
If people understand and appreciate the dangers and risks associated with mismanaging information, the exposures become measurably smaller.
Security Policies
Security policies are the foundation of your security infrastructure.
lost revenue, and bad publicity, not to mention basic security attacks. A security policy is a document or set of documents that describes, at a high level, the security controls that will be implemented by the company.
Policies are not technology specific and do three things for a company:
• Reduce or eliminate legal liability to employees and third parties.
• Protect confidential, proprietary information from theft, misuse, unauthorized disclosure or modification.
• Prevent waste of company computing resources.
Security Policy Basics
A security policy should determine rules and regulations for the following systems:
• Encryption mechanisms.
• Access control devices.
• Authentication systems.
• Firewalls.
• Anti-virus systems.
• Websites.
• Gateways.
• Routers and switches.
Security Policy Basics (cont'd)
There are two types of basic security policies:
• Technical security policies: Include how technology should be configured and used.
• Administrative security policies: Include how people (both end-users and management) should behave/respond to security.
Persons responsible for the implementation of the security policies are:
• Director of Information Security.
• Chief Security Officer.
• Director of Information Technology.
Types of Policies
• Promiscuous Policy
• Permissive Policy
• Prudent Policy
• Paranoid Policy
• Acceptable-Use Policy
• Remote-Access Policy
• Information-Protection Policy
• Firewall-Management Policy
• Special-Access Policy
• Business-Partner Policy
• Data Classification Policy
• Intrusion Detection Policy
• Virus Prevention Policy
• Other Important Policies
Promiscuous Policy
No restrictions on Internet/remote access • Good luck to your network administrator, you have our blessings...
Permissive Policy
Known dangerous services/attacks blocked
Policy begins wide open
Known holes plugged/known dangers stopped
Impossible to keep up with current exploits; administrators always playing catch-up
Prudent Policy
Provides maximum security while allowing known, but necessary, dangers
Non-essential services/procedures that cannot be made safe are NOT allowed
Everything is logged
Paranoid Policy
Everything is forbidden
No Internet connection, or severely limited Internet usage
Users find ways around overly severe restrictions
Acceptable-Use Policy
• Should users modify files that they have write access to, but are not their own?
• Should users make copies of system configuration files (for example, /etc/passwd and SAM) for their own personal use or to provide to other people?
• Should users be allowed to use .rhosts files? Which entries are acceptable?
• Should users be allowed to share accounts?
User-Account Policy
• Who has the authority to approve account requests?
• Who (employees, spouses, children, company visitors, for example) is allowed to use the computing resources?
• May users have multiple accounts on a single system?
• May users share accounts?
• What are the users' rights and responsibilities?
• When should an account be disabled and archived?
Remote-Access Policy
• Who is allowed to have remote access?
• What specific methods (such as cable modem/DSL or dial-up) does the company support?
• Are dial-out modems allowed on the internal network?
• Are there any extra requirements, such as mandatory anti-virus and security software, on the remote system?
• May other members of a household use the company network?
Information-Protection Policy
• What levels of sensitive information may be printed on public printers?
• How should sensitive information be deleted from storage media (paper shredding, scrubbing hard drives, degaussing disks, etc.)?
Firewall-Management Policy
• Who has access to the firewall systems?
• Who should receive requests to make a change to the firewall configuration?
• Who may approve requests to make a change to the firewall configuration?
Special-Access Policy
• Who should receive requests for special access?
• Who may approve requests for special access?
• What are the password rules for special-access accounts?
• How often are passwords changed?
• What are the reasons or situations that would lead to
Network-Connection Policy
• Do any security requirements exist for the new devices being added to the network?
Business-Partner Policy
• Is each company required to have a written security policy?
• Should each company have a firewall or other perimeter security device?
• How will communications occur (virtual private networking [VPN] over the Internet, leased line, and so forth)?
• How will access to the partner's resources be requested?
Data Classification Policies
There is a need to classify data according to its use, sensitivity, and importance. Thus, data is classified into three classes:
• High risk: Data that attracts legal penalties if lost or damaged.
• Confidential: Data that is to be protected against unauthorized disclosure.
• Public: Data that is freely available.
Data Classification Policies (cont'd)
• Do data owners determine the data classification and ensure data protection?
• Is high risk data encrypted during transmission over insecure channels?
• Is confidential data encrypted during transmission over insecure channels?
• Is all data backed up?
• Are all backups handled with the same security precaution as that of
Intrusion Detection Policies
• Is intrusion detection implemented on all servers and workstations that contain high risk data?
• Are the alarm and alert functions, as well as logging and monitoring systems, working as intended?
• Do the intrusion detection tools ensure safety of the data?
• Are the server, firewall, and critical system logs secure?
Virus Prevention Policies
Attempts at willful introduction of computer viruses or disruptive/destructive programs may lead to prosecution.
Protect all desktop systems with approved and updated anti-virus software, as per the recommendation of the vendor.
Secure all servers and workstations that are vulnerable to virus or worm attacks with licensed anti-virus software.
Laptop Security Policy
• User must agree to take shared responsibility for the laptop.
• User must protect the laptop from the installation of unlicensed or malicious software.
• A strong password must be used to log in.
• The laptop must be secured when not in use.
• Encryption techniques should be used to save important documents.
• Backups of all sensitive data should be maintained.
• Standard anti-virus software must be used.
Personal Security Policy
1. All the people related to the organization must protect its assets.
2. All the people must be trained about their responsibilities and the organization's information security.
3. The employee handbook must contain information about the security responsibilities.
4. All employees must sign the organization's non-disclosure agreement.
5. The chief security officer must implement a system for security-related issues.
6. The human resource manager must ensure background checks of the employees.
Cryptography Policy
Cryptography secures data and protects the privacy of the organization. People in the organization should know how to get data secured. Strong cryptographic algorithms should be selected, subject to applicable law, and implemented.
implemented in private and public sectors. International trade can be facilitated by promoting cost-effective, interoperable, portable, and mobile cryptographic methods.
Fair and Accurate Credit Transactions Act (FACTA) Policy
FACTA policies are divided into the following categories:
• Data classification
• Prevention, as well as detection
• Consumer request policies
• Consumer notification
• Employment policies and procedures
• Data destruction policies
FACTA Policy (cont'd)
Data classification:
• According to FACTA, organizations should protect consumer information throughout.
• Protects personally identifiable data, or data that can be associated clearly with one individual.
Prevention, as well as detection:
• Adopt procedures designed to prevent identity theft before it occurs.
Consumer request policies:
• Under new FACTA provisions, a consumer may dispute inaccurate information directly with a furnisher.
• Furnisher must investigate and provide a timely response to the inquiry.
FACTA Policy (cont'd)
Consumer notification:
• A new provision of FACTA is that consumers are to receive notification prior to or within 30 days of "negative" information being reported to a credit bureau.
Employment policies and procedures:
• Organizations should have hiring policies that require drug screening, credit checks or background checks, especially for key positions within the organization.
Data destruction policies:
• Businesses will need to be able to prove that they have destroyed sensitive documents or information to be FACTA compliant.
• Businesses should have a written program outlining how to maintain and shred documents or destroy other data.
• Regularly scheduled paper shredding and data disposal is recommended to prevent the liability from storing excess records with personal information.
Other Important Policies
A wireless network policy helps secure wireless networks, including which devices are allowed to be connected, what security measures should be followed, and so forth.
A lab policy discusses how to protect the internal network from the lab network connection, and not have it connected in any way to the internal corporate network.
Policy Statements
The policy is as effective as the policy statements that it contains. Policy statements must be written in a very clear and formal style.
Good examples of policy statements are:
• All computers must have antivirus protection activated to provide real-time, continuous protection.
• All servers must be configured with the minimum of services to perform their designated functions.
• All access to data will be based on a valid business need and subject to a formal approval process.
• All computer software must always be purchased by the IT department in accordance with the organization's procurement policy.
• A copy of the backup and restoration media must be kept with the off-site backups.
• While using the Internet, no person is allowed to abuse, defame, stalk, harass, or threaten any other person or violate local or international legal rights.
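A policy statement is only as good as the check that finds the hosts violating it. This added example (not part of the original module) turns three of the statements above, plus the .rhosts question from the Acceptable-Use Policy slide, into a policy-as-code audit over a host inventory. The inventory, the per-role service baselines and the rule identifiers (AV-1, SRV-1, AUP-3, PROC-1) are constructed assumptions; in practice the inventory would come from a CMDB or a scanner and the baselines from the organization's build standards. The .rhosts rule flags the classic "+ +" wildcard, which trusts every host and every user.

```python
"""Policy-as-code: turn written policy statements into checks over a host inventory."""
from typing import Callable, Dict, List, Tuple

Host = Dict[str, object]
Rule = Callable[[Host], List[str]]

# Constructed inventory (assumption; real data would come from a CMDB or scanner).
INVENTORY: List[Host] = [
    {"name": "web01", "role": "web", "av_realtime": True,
     "services": {"sshd", "nginx"}, "rhosts": [], "unapproved_software": []},
    {"name": "db01", "role": "db", "av_realtime": False,
     "services": {"sshd", "postgres", "telnetd", "ftpd"},
     "rhosts": ["+ +"], "unapproved_software": ["ScreenSaverPro"]},
    {"name": "ws17", "role": "workstation", "av_realtime": True,
     "services": {"smb"}, "rhosts": ["trusted.example.internal alice"],
     "unapproved_software": []},
]

# Assumed minimum service set per server role ("minimum of services" statement).
ROLE_BASELINE: Dict[str, set] = {"web": {"sshd", "nginx"}, "db": {"sshd", "postgres"}}


def rule_antivirus(host: Host) -> List[str]:
    """All computers must have antivirus protection activated (real-time)."""
    return [] if host["av_realtime"] else ["antivirus real-time protection is off"]


def rule_minimum_services(host: Host) -> List[str]:
    """All servers must run only the services their designated function needs."""
    if host["role"] not in ROLE_BASELINE:      # statement applies to servers only
        return []
    extra = set(host["services"]) - ROLE_BASELINE[str(host["role"])]
    return [f"service not in role baseline: {s}" for s in sorted(extra)]


def rule_rhosts(host: Host) -> List[str]:
    """Acceptable-use question: which .rhosts entries are acceptable? Not wildcards."""
    bad = [e for e in host["rhosts"] if "+" in str(e).split()]
    return [f"wildcard .rhosts entry: {e!r}" for e in bad]


def rule_procurement(host: Host) -> List[str]:
    """All software must be purchased by the IT department."""
    return [f"software not procured by IT: {s}" for s in host["unapproved_software"]]


RULES: List[Tuple[str, Rule]] = [
    ("AV-1", rule_antivirus),
    ("SRV-1", rule_minimum_services),
    ("AUP-3", rule_rhosts),
    ("PROC-1", rule_procurement),
]


def audit(hosts: List[Host]) -> Dict[str, List[str]]:
    """Map each host name to its 'RULE-ID: finding' violations (empty list = compliant)."""
    report: Dict[str, List[str]] = {}
    for h in hosts:
        report[str(h["name"])] = [f"{rid}: {msg}" for rid, rule in RULES for msg in rule(h)]
    return report


def compliant_hosts(hosts: List[Host]) -> List[str]:
    return sorted(name for name, findings in audit(hosts).items() if not findings)


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

On the constructed inventory web01 and the workstation pass, while db01 collects five findings: real-time antivirus off, telnetd and ftpd outside its role baseline, a wildcard .rhosts entry, and software bought outside procurement. Each finding names the rule so it can be traced back to the policy statement it enforces.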
Basic Document Set of Information Security Policies
ISO 17799
Another option when you are developing policies is to follow the internationally recognized ISO 17799, published by the International Organization for Standardization (ISO): a set of recommendations organized into 10 major sections covering all facets of information systems policies and procedures. (ISO/IEC 17799 was renumbered ISO/IEC 27002 in 2007; current editions carry that number.)
Many organizations and consulting firms use ISO 17799 as the baseline for policy best practices.
Domains of ISO 17799
Business continuity planning:
• Counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters
System access control:
• Control access to information
• Prevent unauthorized access to information systems
• Ensure the protection of networked services
• Prevent unauthorized computer access
• Detect unauthorized activities
• Ensure information security when traveling and telecommuting
Domains of ISO 17799 (cont'd)
System development and maintenance:
• Ensure security is built into operational systems
• Prevent loss, modification, or misuse of user data in application systems
• Protect the confidentiality, authenticity, and integrity of information
• Ensure that information technology (IT) projects and support activities are conducted in a secure manner
Physical and environmental security:
• Prevent unauthorized access and damage to and interference with business premises and information
• Prevent loss or compromise of assets and interruption to business activities
• Prevent compromise or theft of information and information-processing facilities
Domains of ISO 17799 (cont’d) • Avoid breaches of any criminal or civil law; any statutory, regulatory, or contractual obligations; and any security requirements • Ensure compliance of systems with organizational security policies and standards the effectiveness of — and minimize interference to and from — the systemCompliance: • Maximize audit process
Personnel security:
• Reduce risks of human error, theft, fraud, or misuse of facilities
• Ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work
• incidents
Security organization:
• Manage information security within the organization
• Maintain the security of organizational information-processing facilities and information assets accessed by third parties
• Maintain the security of information when the responsibility for information processing has been outsourced to another organization
Domains of ISO 17799 (cont’d)
Computer and network management:
• Ensure the correct and secure operation of information-processing facilities
• Minimize the risk of systems failures
• Protect the integrity of software and information
• Maintain the integrity and availability of information processing and communication
• Ensure the safeguarding of information in networks and the protection of the supporting infrastructure
• Prevent damage to assets and interruptions to business activities
• Prevent loss, modification, or misuse of information exchanged between organizations
Asset classification and control:
• Maintain appropriate protection of corporate assets and ensure that information assets receive an appropriate level of protection
Security policy:
• Provide management direction and support for information security
No Simple Solutions
• Rapid emergence of new exploits
• Most vendors don’t take security seriously
• Complex network infrastructure
• Concentration on performance
• Hurried OS and application deployment
U.S. Legislation
U.S. legislation has begun to set the standard for information security legislation in a very direct and prescriptive way:
• California SB 1386
• Sarbanes-Oxley 2002
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• USA Patriot Act 2001
California SB 1386
Currently, it applies only to data of California residents, but a federal version is reportedly in the pipeline.
In short, this act makes reputational risk of poor security a reality because it requires public disclosure of any security breach that involves personal information if it is unencrypted or if it is reasonably believed that the information has been acquired by an unauthorized person.
In cases involving over 500,000 people, the organization can warn the potential victims en masse through a website and by alerting the media.
Sarbanes-Oxley 2002
At the beginning of the new century, a plethora of informal recommendations came down from the Securities and Exchange Commission (SEC) about auditor independence after a number of well-publicized cases of false reporting. With the full extent of the Enron case coming to light, the Sarbanes-Oxley Act was introduced.
As an instrument for accounting reform and investor protection, this legislation was intended to reestablish investor confidence. It also was ‘ ’ had on professional services in larger corporations.
Sarbanes-Oxley 2002
Section 201:
• Relating to auditor independence, it is no longer allowed for your auditor to perform such activities as financial information systems design and implementation; internal audit outsourcing services; and legal services and expert services (including security).
Section 302:
• The CEOs and CFOs of the accounting company’s clients must sign statements verifying the completeness and accuracy of financial reports.
Section 404:
• CEOs, CFOs, and auditors must report on and attest to the effectiveness of internal controls for financial reporting. This report shall:
• State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
• effectiveness of the internal control structure and procedures of the issuer for financial reporting
• Each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement
Gramm-Leach-Bliley Act (GLBA)
The objective of the Gramm-Leach-Bliley Act was to ease the transfer of financial information between institutions and banks while making the rights of the individual more specific through security requirements. Key points include:
• Protecting consumers’ personal financial information held by financial institutions and their service providers.
• The officers and directors of the financial institution shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
Although the penalty is small, it is easy to see how it could impact a bank.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act, universally known as HIPAA, deals with health personal data, which is defined as:
• An individual’s provision of health care.
• Past, present, or future payment for provision of health care to an individual.
The primary objective of the security rule is to protect the confidentiality, integrity, and availability of data when it is managed (i.e., stored, maintained, or transmitted) by a health care provider. Health care providers must provide notice of privacy policies and procedures to patients, obtain consent and authorization for use of information, and tell how information is generally shared and how patients can access, inspect, copy, and amend their own medical records.
USA Patriot Act 2001
Introduced as a direct result of the events of September 11, 2001, the USA Patriot Act has had a huge impact on how government agencies could obtain information on private individuals.
1. Wiretap orders now can be obtained pertaining to a person rather than individual circuits.
2. Internet service providers (ISPs) may volunteer information that they believe is of national importance, without fear of prosecution.
3. Mailbox information can be obtained by subpoena rather than wiretap order.
U.K. Legislation
Three offenses:
• Unauthorized access to computers, including the illicit copying of software held in any computer. This carries a penalty of up to six months’ imprisonment or up to a £5000 fine and will be dealt with by a magistrate. This covers hobby hacking and, potentially, penetration testing.
• Unauthorized access with intent to commit or facilitate commission of further offenses (such as fraud or theft), which covers more serious cases of hacking with a criminal intent. This has a penalty of up to five years’ imprisonment and an unlimited fine. Because it is a serious offense, it will be a trial by jury.
• Unauthorized modification of computer material, which includes the intentional and unauthorized destruction of software or data; the circulation of “infected” materials online (“viruses”); and the unauthorized addition of a password to a data file (“crypto viruses”). This offense also carries a penalty of up to five years’ imprisonment and an unlimited fine. It is also a serious offense, so it too will be a trial by jury.
How Does This Law Affect a Security Officer?
Your security policy must contain an AUP and be communicated to all employees.
Your systems should contain logon banners stating that all access is for authorized personnel only and must not contain a “welcome”.
Penetration tests should be accompanied by appropriate paperwork.
The Data Protection Act 1998
Covering the use of personal data (data relating to identifiable living individuals), it implements the European Directive on data protection (95/46/EC) in U.K. law.
It concerns the processing of “personal data.” It works in two ways:
• processed.
• Requiring those who decide how and why personal data is processed (data controllers) to be open about their use of that data and to comply with the data protection principles in their information-handling practices.
The Data Protection Act 1998
A data controller must comply with the eight principles of good practice, which require that personal information is:
1. Fairly and lawfully processed.
2. Processed for limited purposes and not processed in any manner incompatible with those purposes.
3. Adequate, relevant, and not excessive.
4. Accurate.
5. Not kept for longer than is necessary.
6. Processed in accordance with the data subject’s rights.
7. Kept secure.
8. Not transferred to countries without adequate protection for the information.
The Human Rights Act 1998
Based on the European Convention on Human Rights, the Human Rights Act 1998 came into force in October 2000. Under Article 8 of the Convention, people are afforded the right to privacy. This not only covers privacy while people are in the workplace, it also applies to email communications, Internet use, and telephone calls. Bottom line: If you are going to monitor employees, you must let people know in advance.
How Does This Law Affect a Security Officer?
• Your security policy must be communicated to employees and include a warning that systems may be monitored for security purposes. Monitoring would include:
• Pen tests.
• IDS.
• Mail scanning.
• Packet sniffers.
Interception of Communications
The Telecommunications Regulations 2000 provided that an employer retains the right to carry out monitoring, despite the fact that the employee has not given his or her express consent, if such monitoring is required to carry out the following:
• Recording evidence of business transactions.
• Ensuring compliance with regulatory or self-regulatory guidelines.
• Maintaining the effective operation of the employer’s systems (for example, preventing viruses).
• Monitoring standards of training and service.
• Preventing or detecting criminal activity.
• Preventing the unauthorized use of the computer or telephone system.
The Freedom of Information Act 2000
The Freedom of Information Act 2000 was implemented on January 1, 2005.
It gives private individuals the right to access information held by public authorities, including:
• Central government.
• Local authorities.
• NHS.
• Schools.
• Police departments.
The Audit Investigation and Community Enterprise Act 2005
The Audit Investigation and Community Enterprise Act 2005 reinforces powers already in place from the Companies Act. This law makes a director responsible for giving accurate information to the auditors and signing off audit reports attesting to that fact, and liable for prosecution for withholding relevant information of which the auditor is unaware. This responsibility takes the form of a statement in the director’s report to the effect that there is no relevant information that has not been disclosed to the auditors.
Should an inspector discover that information has been withheld, the directors will be liable to imprisonment and/or a fine.
The act also contains a whistleblower protection clause that excludes liability for breach of confidence for those who provide information to authorities.
Summary
In this module, we’ve discussed the statistics and importance of vulnerabilities and their impact on business. We have reviewed the various challenges against security.
We’ve discussed the challenges and how to simplify risk.
We have discussed security policies and postures.
We have discussed the ISO 17799 standard for security policies. Last, but not least, we went over a few important laws and regulations related to information security.