002.itsecurity bcp v1 | PPT
Information Security
&
Risk Management
Presented by
Mohammad Ashfaqur Rahman
Compliance Professional
www.linkedin.com/in/ashfaqsaphal
ashfaq.saphal@gmail.com
Objective
● Common methods and types of attack
● Layered Approach
● Security Objective
● Responsibilities
● Risk Management
Common Cyber Attack
● Malware
– code with malicious intent that typically steals data or destroys something on the computer
– introduced to a system through
• email attachments
• software downloads or
• operating system vulnerabilities
Common Cyber Attack
● Malware
– code with malicious intent that typically steals data or destroys something on the computer
– Viruses: make a computer "sick"
– Spyware: monitors or spies on its victims
– Worms: fulfill a nefarious
Common Cyber Attack
● Malware Infection Techniques
– Phishing
– Spear phishing
– Drive-by Download
– Fake Anti-Virus Software
– Ransomware
– Drive-by Email
– Web Inject
Common Cyber Attack
● Phishing
– Social engineering + widespread email
Common Cyber Attack
● Drive-by Download
– unintentional download of malicious software
Common Cyber Attack
● Fake Antivirus
– Alarming the user with a false infection warning
Common Cyber Attack
● Ransomware
– Encrypts your computer data and asks you to pay money
Common Cyber Attack
● Drive-by Email
– Triggered by opening the email or viewing the email preview screen
Common Cyber Attack
● DoS attack
– a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users
● DDoS attack
– the attack source is more than one, and often thousands of, unique IP addresses
DoS and DDoS
Layered Approach
● Also known as the “defense-in-depth approach”
● Implement different layers of protection
● The spectrum can range from
– the programming code
– the protocols that are being used
– the operating system and the application configurations
– through to user activity
– the security program
Layered Approach
● Example: protecting a file agent
– Configure application, file, and Registry access control lists (ACLs)
– Configure the system default user rights
– Consider the physical security of the environment
– Place users into group policies as required
– A strict logon credential policy
– Removal of shared IDs
– Implement monitoring and auditing of file access
– Actions to identify any suspicious activity
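The layers in the slide above combine a preventive control (ACLs and group membership) with a detective one (auditing file access and acting on suspicious activity). The following Python is an added example, not part of the deck: it models both with constructed group memberships, ACLs and audit records (all names, paths and timestamps are hypothetical), enforces access through the ACL, and then reviews the audit trail for three of the conditions the slide's controls are meant to catch: use of a shared identity, repeated denied attempts, and permitted access outside business hours.

```python
"""Added example (not from the slide deck): ACL enforcement plus audit review
for a protected file share. All groups, users, paths and log records below are
constructed for illustration."""
from datetime import datetime

# Constructed group memberships (hypothetical user and group names).
GROUPS = {
    "finance": {"alice", "bob"},
    "hr": {"carol"},
}

PAYROLL = r"C:\Data\payroll.xlsx"
HANDBOOK = r"C:\Data\handbook.pdf"

# Constructed ACLs: path -> {group: permitted operations}.
ACLS = {
    PAYROLL: {"finance": {"read"}, "hr": {"read", "write"}},
    HANDBOOK: {"finance": {"read"}, "hr": {"read", "write"}},
}

# Shared identities the slide says should be removed; any use is suspicious.
SHARED_IDS = {"svc_shared", "admin"}

BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local, a constructed policy
DENIED_THRESHOLD = 3               # repeated denials worth a second look


def evaluate_access(user, path, op):
    """Allow only if some group the user belongs to grants op on path."""
    for group, perms in ACLS.get(path, {}).items():
        if user in GROUPS.get(group, set()) and op in perms:
            return True
    return False


def review_audit(records):
    """Return (timestamp, user, path, reason) findings from audit records."""
    findings = []
    denied_counts = {}
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        user, path, op = rec["user"], rec["path"], rec["op"]
        if user in SHARED_IDS:
            findings.append((rec["ts"], user, path, "shared identity used"))
        if not evaluate_access(user, path, op):
            denied_counts[user] = denied_counts.get(user, 0) + 1
            if denied_counts[user] == DENIED_THRESHOLD:
                findings.append((rec["ts"], user, path, "repeated denied access"))
        elif ts.hour not in BUSINESS_HOURS:
            findings.append((rec["ts"], user, path, "out-of-hours access"))
    return findings


# Constructed audit trail: one record per access attempt.
AUDIT_LOG = [
    {"ts": "2024-03-04T09:15:00", "user": "alice", "path": PAYROLL, "op": "read"},
    {"ts": "2024-03-04T09:16:00", "user": "alice", "path": PAYROLL, "op": "write"},
    {"ts": "2024-03-04T09:17:00", "user": "alice", "path": PAYROLL, "op": "write"},
    {"ts": "2024-03-04T09:18:00", "user": "alice", "path": PAYROLL, "op": "write"},
    {"ts": "2024-03-04T02:30:00", "user": "carol", "path": HANDBOOK, "op": "write"},
    {"ts": "2024-03-04T10:00:00", "user": "svc_shared", "path": HANDBOOK, "op": "read"},
]

if __name__ == "__main__":
    for finding in review_audit(AUDIT_LOG):
        print(*finding)
```

Each finding maps back to a control on the slide: the shared-ID hit is evidence the "removal of shared IDs" step is incomplete, the repeated denials show the ACL doing its job but warrant follow-up, and the out-of-hours write is permitted by the ACL yet still worth a review, which is exactly why auditing sits as its own layer.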
Security Objectives - CIA
● Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” (44 USC Sec. 3542)
● Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” (44 USC Sec. 3542)
● Availability: “Ensuring timely and reliable access to and use of information.” (44 USC Sec. 3542)
Security Objectives - CIA
[Diagram: the three CIA objectives arranged around "Information Security"]
● Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
● Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
● Availability: Ensuring timely and reliable access to and use of information.
Security Objectives - CIA
The Best Practices
● Confidentiality
● Integrity
● Availability
● Need-to-know
● Least privilege
● Separation of duties
● Job rotation
● Mandatory vacation
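Need-to-know, least privilege and separation of duties are the three practices on this slide that can be checked mechanically against an access model. The Python below is an added example, not from the deck: it takes a constructed role-to-permission map and a constructed list of conflicting permission pairs (hypothetical names throughout), computes each user's effective permissions, and reports where an assignment breaches separation of duties or grants more than the job needs.

```python
"""Added example (not from the slide deck): reviewing role assignments for
separation-of-duties conflicts and excess privilege. Roles, conflict pairs and
assignments are constructed for illustration."""

# Constructed role -> permissions map (hypothetical names).
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_payment"},
    "auditor": {"read_ledger"},
    "admin": {"create_vendor", "enter_invoice", "approve_payment",
              "read_ledger", "manage_users"},
}

# Permission pairs that must never sit with one person (separation of duties).
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
]


def effective_permissions(roles):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def sod_violations(roles):
    """Conflict pairs where the user holds both halves."""
    perms = effective_permissions(roles)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def least_privilege_excess(roles, needed):
    """Permissions granted beyond what the job needs (need-to-know check)."""
    return effective_permissions(roles) - set(needed)


def review_assignments(assignments):
    """assignments: user -> {"roles": [...], "needs": [...]}; returns user -> issues."""
    findings = {}
    for user, entry in assignments.items():
        issues = []
        for first, second in sod_violations(entry["roles"]):
            issues.append(f"separation of duties: {first} + {second}")
        excess = least_privilege_excess(entry["roles"], entry["needs"])
        if excess:
            issues.append("excess privilege: " + ", ".join(sorted(excess)))
        if issues:
            findings[user] = issues
    return findings


# Constructed assignments: what each person holds versus what their job needs.
ASSIGNMENTS = {
    "dave": {"roles": ["ap_clerk"], "needs": ["create_vendor", "enter_invoice"]},
    "erin": {"roles": ["ap_clerk", "ap_approver"],
             "needs": ["enter_invoice", "approve_payment"]},
    "frank": {"roles": ["admin"], "needs": ["read_ledger"]},
}

if __name__ == "__main__":
    for user, issues in review_assignments(ASSIGNMENTS).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

The review is deliberately two-sided: "erin" needs approve_payment for her job, so the finding is not that the permission is wrong but that it cannot be combined with invoice entry under one identity, whereas "frank" shows the common least-privilege failure of a blanket admin role handed out for a single read-only need.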
Security Control Points
● Operational and Physical Controls
– Operational Security (Execution of Policies, Standards & Process, Education & Awareness)
• Service Providers: IA, Program Security, Personnel Security, Document Controls (or CM), HR, Finance, etc.
Security Control Points
● Operational and Physical Controls
– Physical Security (Facility or Infrastructure Protection)
• Locks, Doors, Walls, Fence, Curtain, etc.
• Service Providers: FSO, Guards, Dogs
Security Control Points
● Technical (Logical) Controls
– Access Controls, Identification & Authorization, Confidentiality, Integrity, Availability, Non-Repudiation
• Service Providers: Enterprise Architect, Security Engineer, CERT, NOSC, Helpdesk
Threat, Risk, and Countermeasure
Threat Agent: An entity that may act on a vulnerability.
Threat: Any potential danger to the information life cycle.
Vulnerability: A weakness or flaw that may provide an opportunity to a threat agent.
Risk: The likelihood that a threat agent exploits a discovered vulnerability.
Exposure: An instance of being compromised by a threat agent.
Countermeasure / safeguard: An administrative, operational, or logical mitigation against potential risk(s).
Threat, Risk, and Countermeasure
Information Security Implementation
Security System Development Life Cycle
● The same phases used in the traditional SDLC may be adapted to support specialized implementation of an IS project
● Identification of specific threats and creation of controls to counter them
● SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
Security System Development Life Cycle
SSDLC - Investigation
● Identifies process, outcomes, goals, and constraints of the project
● Begins with the enterprise information security policy
● Organizational feasibility analysis is performed
SSDLC - Analysis
● Documents from the investigation phase are studied
● Analyzes existing security policies or programs, along with documented current threats and associated controls
● Includes analysis of relevant legal issues that could impact the design of the security solution
● The risk management task begins
SSDLC - Logical Design
● Creates and develops blueprints for information security
● Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
● Feasibility analysis to determine whether the project should continue or be outsourced
SSDLC - Physical Design
● Needed security technology is evaluated, alternatives generated, and the final design selected
● At the end of the phase, a feasibility study determines the readiness of the organization for the project
SSDLC - Implementation
● Security solutions are acquired, tested, implemented, and tested again
● Personnel issues evaluated; specific training and education programs conducted
● The entire tested package is presented to management for final approval
SSDLC - Maintenance and Change
● Perhaps the most important phase, given the ever-changing threat environment
● Often, reparation and restoration of information is a constant duel with an unseen adversary
● The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Security Professionals
● A wide range of professionals is required to support a diverse information security program
● Senior management is a key component; additional administrative support and technical expertise are also required to implement the details of the IS program
Information Security Project Team
● A number of individuals who are experienced in one or more facets of technical and non-technical areas:
– SME
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Additional Information: Data Ownership
● Data Owner
– responsible for the security and use of a particular set of information
● Data Custodian
– responsible for storage, maintenance, and protection of information
● Data Users
– end users who work with information to perform their daily jobs supporting the mission of the organization
It is your turn again
The Final Word
