Introduction to Information Security Management PDF
2024
Arian Sheremeti
Summary
This document is an introduction to information security management, providing course details, instructor information, and the module calendar. The course is aimed at professionals who want to deepen their knowledge of the field.
Full Transcript
INTRODUCTION TO INFORMATION SECURITY MANAGEMENT
Instructor: Arian Sheremeti, CISM
September 2024

ISM Module Information

ABOUT THE MODULE
▪ Module duration: 4 weeks (Sep 2nd – Sep 26th)
▪ Number of chapters: 13
▪ Number of classes: 11 + 1 Final Exam
▪ Class start time: 18:00
▪ Duration per class: 3.5 hours
▪ Breaks: up to 2 breaks of 10-15 mins each
▪ Final Exam: scheduled for the last session (Sep 26th)

CLASS SCHEDULE
▪ 3 times per week: Mon, Wed, and Thu

LANGUAGE
▪ Lectures, materials, quizzes and the final exam will be conducted in English

ABOUT INSTRUCTORS
▪ Arian Sheremeti: [email protected], linkedin.com/in/ariansh/
▪ Drilon Osmani: [email protected], linkedin.com/in/drilon-osmani/

Getting to Know Each Other: Instructor Profile (Arian Sheremeti)

INTERNATIONAL EXPERIENCE
▪ 15+ years of international experience
▪ Global engagements: Canada, United States, and Southeastern Europe
▪ Worked for global companies, such as PwC, Deloitte, etc.
▪ Worked across various industries & functional areas

INDUSTRIES
▪ Financial Services, Retail, Insurance, IT Consulting, Banking, Telecommunications, Aerospace, Energy and Utilities, Cruise Line, Higher Education, Distribution, Theme Parks, Hospitality, Beverage

SPECIALIZATION
▪ IT Governance, Risk and Compliance (GRC)
▪ Information Security Strategy and Governance
▪ Cyber-defense Operations Management
▪ IT Risk Assessment
▪ Disaster Recovery Planning (DRP) and Business Continuity Management (BCM)
▪ Awareness Campaigns and Trainings
▪ Implementation of ISO/IEC 27001
▪ IT Policies and Procedures Review
▪ Application Development Security Review
▪ IT Infrastructure Security Review

CLIENTS / ENGAGEMENTS (USA, Kosova, Albania)
▪ Schneider Electric, Walt Disney Parks, Bacardi Inc., Carrier, Norwegian Cruise Line, Royal Caribbean, Tech Data Corp, Bloomin' Brands, Cott Corporation, Aero Turbine, Florida Blue
▪ BQK, Trusti, IPKO, Kujtesa, NLB Bank, BpB Bank, B. Ekonomike, AFK, KEP, ELKOS Group, Meridian Group, VIVA Fresh Services, KEDS / KESCO
▪ ABI Bank, Tirana Bank, Fibank, Union Bank, Raiffeisen Albania, One Albania, Antea, Sigal

EDUCATION
▪ Master of Science in Information Systems, Chapman Graduate School of Business, Florida International University
▪ Bachelor of Business Administration, Landon Undergraduate School of Business, Florida International University

CERTIFICATIONS
▪ Certified Information Security Manager (CISM)
▪ Certified Information Systems Auditor (CISA)
▪ Certified ISO/IEC 27001 Lead Implementer
▪ Certified ISO/IEC 27001 Lead Auditor
▪ Microsoft Certified Systems Engineer (MCSE)
▪ Microsoft Certified Systems Administrator (MCSA)
▪ Microsoft Certified Professional (MCP)
▪ Network+

ISM Module Calendar (September 2024)
▪ Mon, Sep 2: 1. Intro to ISMS; 2. Security Policies and Procedures
▪ Wed, Sep 4: 1. Asset Management; 2. Identity and Access Management
▪ Thu, Sep 5: Cloud and Virtualization Tech.
▪ Mon, Sep 9: Vulnerability & Patch Management
▪ Wed, Sep 11: 1. Third-Party Management; 2. Legal & Ethical Considerations
▪ Thu, Sep 12: Security Operations & Monitoring
▪ Mon, Sep 16: Risk Management and Compliance
▪ Wed, Sep 18: Security Assessment & Testing
▪ Thu, Sep 19: Incident Response
▪ Mon, Sep 23: Disaster Recovery
▪ Wed, Sep 25: Data Protection
▪ Thu, Sep 26: Final Exam

General Overview: Sessions
▪ Introduction to Information Security Management
▪ Security Policies and Procedures
▪ Asset Management
▪ Identity and Access Management
▪ Characteristics and Benefits of Cloud and Virtualization Technologies
▪ Vulnerability and Patch Management
▪ Third-Party Management
▪ Security Operations and Monitoring
▪ Legal and Ethical Considerations in Information Security
▪ Risk Management and Compliance
▪ Security Assessment and Testing
▪ Incident Response
▪ Disaster Recovery
▪ Data Protection

Outline of Today's Session: Introduction to Information Security Management
This session provides an introduction to information security management, highlighting its importance in today's digital landscape and outlining the key principles and concepts of information security management. The session will also cover the foundational knowledge of cybersecurity, emphasizing the impact of threats on organizations and individuals. This sets the foundation for the rest of the module.
▪ Understanding the Need for Information Security Management
▪ Core Principles and Concepts of Information Security Management
▪ Foundational Knowledge of Cybersecurity
▪ Understanding the Impact of Cyber Threats on Organizations and Individuals
▪ Exploration of Common Security Threats
▪ Comprehension of Security Vulnerabilities
▪ Human Factor and its Role in Information Security

The Need for Information Security Management

INTRODUCTION
▪ What is ISM
▪ The increasing reliance on digital systems + interconnectivity
▪ Example: Critical Infrastructure Sectors: Communications, Energy, Financial, Transportation, Water management, etc.

RISING CYBER-THREAT LANDSCAPE
▪ Evolution of threats
▪ Sophistication of cyber-attacks
▪ The increasing reliance on digital systems + interconnectivity
▪ Examples: Estonia (2007), Ukraine (2015), Target (2013), Equifax (2017), Colonial Pipeline (2021), Albania (2022), etc.

MOTIVATION BEHIND CYBERATTACKS
▪ Financial gain
▪ Political motivation
▪ State actors
▪ Corporate espionage
▪ Insider threats
▪ Revenge
▪ Recognition & achievement

OPERATIONAL CONTINUITY
▪ Importance of information security for uninterrupted business operations
▪ Examples of operational disruptions due to cyberattacks (ransomware, DDoS, etc.)

FINANCIAL IMPLICATIONS
▪ Cost of security breaches to organizations (forensics and remediation, compensation to affected parties)
▪ Investment in proactive security measures vs. reactive measures

REPUTATIONAL DAMAGE
▪ Reputational impact due to security incidents
▪ Trust and brand loyalty considerations

LEGAL AND REGULATORY REQUIREMENTS
▪ Consequences of non-compliance
▪ GDPR, HIPAA, the latest SEC requirements, etc.

The Need for Information Security Management: Key Takeaways

ESSENTIAL FOR ORGANIZATIONAL PROTECTION
▪ Fundamental in safeguarding organizational assets against diverse cyber threats.
▪ Critical in ensuring the confidentiality, integrity, and availability of data.
IMPACT EXTENDS BEYOND THE ORGANIZATION
▪ Poor security management affects not just the organization, but also its customers, partners, and potentially the wider public.
▪ Can lead to financial, reputational, and legal consequences on a larger scale.

SHARED RESPONSIBILITY
▪ Effective security is a collective effort, involving every individual in the organization.
▪ Not limited to the IT department; requires engagement from all levels, including management and staff.

LEADERSHIP'S PIVOTAL ROLE
▪ Leadership must champion a security-focused organizational culture.
▪ Responsible for allocating the necessary resources for robust security measures and training.

A CONTINUOUS AND ADAPTIVE PROCESS
▪ Information security is not a one-time effort but an ongoing process.
▪ Requires constant vigilance, regular updates, and adaptation to emerging threats and technologies.

Core Principles of Information Security Management: Introduction to the CIA Triad

CONFIDENTIALITY
Ensuring that sensitive information is accessed only by authorized individuals.
Example: Encryption, access controls.

INTEGRITY
Guaranteeing the accuracy and completeness of data.
Example: Data checksums, version control.

AVAILABILITY
Ensuring that information and resources are available to those who need them, when they need them.
Example: Redundant systems, regular maintenance.

Expanding Beyond the CIA Triad

ACCOUNTABILITY
Ensuring that all actions on the system can be attributed to an individual or entity.
Importance: Tracing actions back to the source, ensuring responsible use.

NON-REPUDIATION
Preventing individuals or entities from denying their actions.
Tools: Digital signatures, audit trails.

Additional Considerations

AUTHENTICATION
Verifying the identity of a user, device, or entity in the network.
Methods: Passwords, biometrics, multi-factor authentication.

AUTHORIZATION
Defining and controlling access levels and permissions.
Approach: Role-based access control, least privilege principle.
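The three "additional" principles above (authentication, authorization, accountability) are easiest to see as code. The following is an added example written for this page, not material from the course slides: a deny-by-default, role-based authorization check with a salted password check in front of it and an audit trail behind it. The users, role names and permission strings are constructed for the demo.

```python
"""Added example, not from the course slides: authentication, authorization
and accountability as code. Authorization is deny-by-default and role-based
(least privilege); every decision is appended to an audit trail so it can be
traced back to a principal. Users, roles and permissions are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Role -> permissions the role grants. Least privilege: each role gets only
# what its job needs; anything not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin":   {"report:read", "report:export", "user:manage"},
}

# Accountability: append-only record of every authentication and authorization
# decision. A real system would forward this to a SIEM instead of a list.
AUDIT_LOG = []


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    salt: bytes
    pw_hash: bytes  # PBKDF2-HMAC-SHA256 of the password, never the password itself


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(name: str, password: str, roles) -> User:
    salt = os.urandom(16)
    return User(name, frozenset(roles), salt, _hash_password(password, salt))


def _audit(user: User, event: str, ok: bool, **extra) -> None:
    AUDIT_LOG.append({"ts": time.time(), "who": user.name, "event": event, "ok": ok, **extra})


def authenticate(user: User, password: str) -> bool:
    """Authentication: verify the claimed identity. compare_digest avoids
    leaking how many leading bytes of the hash matched (timing side channel)."""
    ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
    _audit(user, "login", ok)
    return ok


def authorize(user: User, permission: str) -> bool:
    """Authorization: allow only if one of the user's roles grants the
    permission. Unknown roles grant nothing, so the default answer is deny."""
    granted = {p for role in user.roles for p in ROLE_PERMISSIONS.get(role, set())}
    ok = permission in granted
    _audit(user, "authz", ok, permission=permission)
    return ok


def actions_of(name: str) -> list:
    """Accountability: everything a given principal did, in order."""
    return [entry for entry in AUDIT_LOG if entry["who"] == name]


if __name__ == "__main__":
    alice = create_user("alice", "correct horse battery", ["viewer"])
    print(authenticate(alice, "wrong password"))          # False
    print(authenticate(alice, "correct horse battery"))   # True
    print(authorize(alice, "report:read"))                # True
    print(authorize(alice, "user:manage"))                # False: viewer is not admin
    for entry in actions_of("alice"):
        print(entry)
```

Two points worth noticing: the authorization function never has an "allow" branch that is reached without a matching role, which is what deny-by-default means in practice; and the audit log records failed attempts as well as successes, because a run of failed logins followed by a success is exactly the pattern an investigator needs to see.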
Source: Okta

Core Principles of Information Security Management: Key Takeaways
The Foundational Principles for Protecting Information

CONFIDENTIALITY
A set of rules that prevents sensitive information from being disclosed to unauthorized people, resources and processes. Methods to ensure confidentiality include data encryption, identity proofing and two-factor authentication.

INTEGRITY
Ensures that system information or processes are protected from intentional or accidental modification. One way to ensure integrity is to use a hash function or checksum. Note that a plain checksum only detects accidental modification; an attacker who can change the data can recompute the checksum too, so protection against intentional modification requires a keyed hash (HMAC) or a digital signature.

AVAILABILITY
Availability means that authorized users are able to access systems and data when and where needed, and that those who do not meet the established conditions cannot. This can be achieved by maintaining equipment, performing hardware repairs, keeping operating systems and software up to date, and creating backups.
Source: IBM

Core Principles of Information Security Management: Protection of Information in Each Stage

PROCESSING
Refers to data that is being used to perform an operation such as updating a database record (data in process).

STORAGE
Refers to data stored in memory or on a permanent storage device such as a hard drive, solid-state drive or USB drive (data at rest).

TRANSMISSION
Refers to data traveling between information systems (data in transit).

The Security Measures Used to Protect Data

TECHNOLOGY
Refers to the software- and hardware-based solutions designed to protect information systems, such as firewalls, which continuously monitor your network in search of possible malicious incidents.

POLICY AND PROCEDURES
Refers to the administrative controls that provide a foundation for how an organization implements information assurance, such as incident response plans and best practice guidelines.

AWARENESS, TRAINING AND EDUCATION
Measures put in place by an organization to ensure that users are knowledgeable about potential security threats and the actions they can take to protect information systems.
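The slides recommend a hash function or checksum for integrity of data at rest and in transit. The following added example (written for this page, not taken from the course or from IBM or Okta) shows the difference between an unkeyed checksum and a keyed HMAC on a constructed record: a bit flip is caught by both, but a deliberate edit that recomputes the checksum sails through, while the same edit against the HMAC is rejected because the attacker does not hold the key. The record, the key and the "attacker guess" are all constructed.

```python
"""Added example, not from the course slides: integrity checks for data at rest
and in transit, and why a checksum alone is not enough. A SHA-256 checksum
catches accidental corruption, but an attacker who can change the data can also
recompute the checksum. A keyed HMAC cannot be recomputed without the key, so
it also catches deliberate tampering. The record and key are constructed."""
import hashlib
import hmac

# Constructed sample: a record as it might be stored or sent, and a tampered copy.
RECORD = b'{"account":"1001","amount":100,"currency":"EUR"}'
TAMPERED = b'{"account":"1001","amount":100000,"currency":"EUR"}'
KEY = b"demo-key-keep-this-out-of-the-database"  # constructed; real keys come from a KMS/HSM


def checksum(data: bytes) -> str:
    """Unkeyed integrity value: detects accidental change only."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(checksum(data), digest)


def mac(key: bytes, data: bytes) -> str:
    """Keyed integrity value (HMAC-SHA256): detects change by anyone without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def accidental_corruption_detected() -> bool:
    """Bit flip in storage or transit: both mechanisms catch it."""
    corrupted = bytearray(RECORD)
    corrupted[20] ^= 0x01
    return (not verify_checksum(bytes(corrupted), checksum(RECORD))
            and not verify_mac(KEY, bytes(corrupted), mac(KEY, RECORD)))


def attacker_beats_checksum() -> bool:
    """Deliberate tampering: the attacker rewrites the data AND the checksum,
    so verification still passes. Returns True when the forgery is accepted."""
    forged_digest = checksum(TAMPERED)  # anyone can compute this
    return verify_checksum(TAMPERED, forged_digest)


def attacker_beats_mac() -> bool:
    """Same attack against the HMAC: without KEY the attacker can only guess
    a key, and the verifier rejects the result. Returns True if accepted."""
    forged_tag = mac(b"attacker-guess", TAMPERED)
    return verify_mac(KEY, TAMPERED, forged_tag)


if __name__ == "__main__":
    print("bit flip detected:", accidental_corruption_detected())   # True
    print("checksum forgery accepted:", attacker_beats_checksum())  # True: the weakness
    print("HMAC forgery accepted:", attacker_beats_mac())           # False
```

One caveat that ties back to the non-repudiation principle: an HMAC proves the data was produced by someone holding the key, but both the sender and the verifier hold it, so either could have produced the tag and the sender can still deny it. Non-repudiation needs a digital signature, where only the signer holds the private key; the Python standard library does not provide one, which is why this example stops at HMAC. All comparisons use hmac.compare_digest so that verification time does not depend on how many leading bytes matched.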
Foundational Knowledge of Cybersecurity

▪ Cybersecurity is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks. It aims to reduce the risk of cyber attacks and protect against the unauthorized exploitation of systems, networks, and technologies.

▪ Why is cybersecurity important?

THE COSTS OF CYBER SECURITY BREACHES ARE RISING
Organizations that suffer cyber security breaches may face significant fines. There are also non-financial costs to be considered, like reputational damage.

CYBER ATTACKS ARE INCREASINGLY SOPHISTICATED
Cyber attacks continue to grow in sophistication, with attackers using an ever-expanding variety of tactics. These include social engineering, malware and ransomware.

CYBER CRIME IS A BIG BUSINESS
According to a study by McAfee and the CSIS, based on data collected by Vanson Bourne, the world economy loses more than $1 trillion each year due to cybercrime. Political, ethical, and social incentives can also drive attackers.

CYBER SECURITY IS A CRITICAL, BOARD-LEVEL ISSUE
New regulations and reporting requirements make cyber security risk oversight a challenge. The board needs assurance from management that its cyber risk strategies will reduce the risk of attacks and limit financial and operational impacts.

▪ Who needs cyber security?

PERSONAL
On a personal level, you need to safeguard your identity, your data, and your computing devices.

ORGANIZATIONAL
At an organizational level, it is everyone's responsibility to protect the organization's reputation, data and customers.

GOVERNMENT
As more digital information is being gathered and shared, its protection becomes even more vital at the government level, where national security, economic stability and the safety and wellbeing of citizens are at stake.
Understanding the Impact of Cyber Threats
Functions Most Likely to be Affected by Cyberattacks
▪ Operation interruptions
▪ Financial loss
▪ Brand reputation
▪ Customer retention
▪ Intellectual property
▪ Partner relationships
▪ Supplier relationships
▪ Legal engagements
▪ Regulatory scrutiny
▪ Security breach history

Exploration of Common Security Threats

MALWARE
Malicious software designed to disrupt, damage, or gain unauthorized access. Includes viruses, worms, trojans, and spyware.

PHISHING
Deceptive attempts to obtain sensitive information by disguising as a trustworthy entity, often via email.

RANSOMWARE
A type of malware that encrypts a victim's files and demands payment for decryption.

MAN-IN-THE-MIDDLE (MITM) ATTACKS
Attackers secretly intercept and possibly alter the communication between two parties who believe they are directly communicating with each other.

DENIAL-OF-SERVICE (DOS)
A network, host or application is sent an enormous amount of data at a rate which it cannot handle. This causes a slowdown in transmission or response, or causes the device or service to crash.

SQL INJECTION
Injecting malicious SQL code into a database via a vulnerable application, compromising the confidentiality and integrity of the data.

ZERO-DAY EXPLOIT
Exploitation of a previously unknown vulnerability before developers have had a chance to address the security flaw.

INSIDER THREATS
Security threats originating from within the targeted organization, often by an employee or former employee.

PASSWORD ATTACKS
▪ Dictionary attacks
▪ Brute-force attacks
▪ Traffic interception
▪ Password spraying

BOTNET
A group of computers which have been infected by malware and have come under the control of a malicious actor.
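Of the threats listed above, SQL injection is the one that fits in a few lines, so here is an added example (written for this page, not code from the course slides) of a login check done the vulnerable way and the parameterized way, against an in-memory SQLite database with two constructed users. Passwords are stored in clear text purely to keep the injected query readable; a real system stores password hashes.

```python
"""Added example, not from the course slides: the SQL injection described above,
shown as a vulnerable login query next to the parameterized fix. Uses an
in-memory SQLite database with two constructed users. Passwords are stored in
clear text only to keep the injection visible; real systems store hashes."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret!", "admin"), ("bob", "hunter2", "user")],  # constructed
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """VULNERABLE: user input is pasted into the SQL text, so a quote in the
    input changes the structure of the query instead of being data."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """FIXED: the SQL text is constant; values are bound as parameters, so the
    driver hands them to the engine as data and they can never become SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Two classic payloads. The first comments out the password check ("--" starts
# an SQL comment); the second makes the WHERE clause true for every row.
BYPASS_ONE_USER = "alice'--"
BYPASS_ALL_USERS = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_ONE_USER, "anything"))  # [('alice', 'admin')]
    print(login_vulnerable(db, "x", BYPASS_ALL_USERS))        # both rows
    print(login_safe(db, BYPASS_ONE_USER, "anything"))        # []
    print(login_safe(db, "alice", "s3cret!"))                 # [('alice', 'admin')]
```

The vulnerable query built from "alice'--" reads WHERE username = 'alice'--' AND password = 'anything', and everything after the two dashes is a comment, so the password is never checked. With parameter binding the same input is just a username that does not exist. The fix is structural, not a matter of filtering quotes: any query that mixes untrusted text into its SQL string has the same problem regardless of which characters it tries to strip.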
Understanding Security Vulnerabilities

SECURITY VULNERABILITIES
Security vulnerabilities are any kind of software or hardware defects, flaws or weaknesses that can be exploited by cyber attackers to gain unauthorized access, steal data, or cause other harm.

EXPLOIT
A program written to take advantage of a known vulnerability is referred to as an exploit.

CYBER-ATTACK
A cybercriminal can use an exploit against a vulnerability to carry out a cyber-attack.

Broad Classification of Vulnerabilities

SOFTWARE VULNERABILITIES
Flaws in operating systems, applications, or other software. Examples include buffer overflows, SQL injection, and cross-site scripting (XSS).

HARDWARE VULNERABILITIES
Physical weaknesses in hardware devices. Examples include firmware flaws.

NETWORK VULNERABILITIES
Weaknesses in network architecture or protocols. Examples include unsecured Wi-Fi networks and poorly configured firewalls.

PROCESS VULNERABILITIES
Flaws in organizational procedures and policies. Examples include inadequate data encryption practices and insufficient employee training on security protocols.

Broad Mitigation Strategies

REGULAR SOFTWARE AND FIRMWARE UPDATES (PATCHING)
Implementing routine updates to software and hardware systems to address known vulnerabilities.

PROPER CONFIGURATION AND AUDITS
Regularly reviewing and updating the configuration of network devices and systems.

COMPREHENSIVE SECURITY ASSESSMENT
Conducting thorough security assessments to identify and address vulnerabilities.

EMPLOYEE TRAINING AND AWARENESS PROGRAMS
Educating staff about common cyber threats and best practices.
The Human Factor in Information Security
Understanding Human Error in Cybersecurity

TYPES OF HUMAN ERRORS
▪ Misjudgment
▪ Oversight
▪ Misconfiguration
▪ Failure to follow procedures

COMMON INCIDENTS
▪ Clicking on a malicious link
▪ Using unsecured networks
▪ Sharing passwords
▪ Losing devices containing sensitive data

Psychology Behind Human Error

COMPLACENCY
Complacency in cybersecurity refers to a sense of self-satisfaction with one's performance, to the point of no longer seeing the potential threats or not diligently following security procedures.

Causes of Complacency
▪ Routine
▪ Overconfidence
▪ Lack of visible threats
When security protocols are not actively enforced or encouraged, employees may become complacent.

SOCIAL ENGINEERING VULNERABILITY
Humans are naturally trusting, which can be exploited through social engineering tactics.

Exploitation of Trust
Social engineering is the art of manipulating people so that they give up confidential information or follow the attacker's instructions.

Manipulative Tactics
▪ Authority – "I'm calling from…"
▪ Intimidation – "If you don't help me…"
▪ Urgency – "I need this now…"
▪ … and much more

The Human Factor in Information Security: Importance of Security Awareness Training

SECURITY-CONSCIOUS CULTURE
Regular, engaging training to foster a mindset where security is everyone's priority.

SIMULATED ATTACKS
Use of simulated phishing and social engineering attacks to train employees to recognize and respond to threats.

Building Resilient Security Behaviors

REWARDING COMPLIANCE
Implementing incentive programs for following security protocols.

ENCOURAGING REPORTING
Making it easy and stigma-free for employees to report mistakes or suspicious activities.

Leadership and Information Security

TOP-DOWN APPROACH
Leadership must exemplify and drive the security culture.

RESOURCE ALLOCATION
Ensuring adequate resources are provided for comprehensive security training programs.

Continuous Improvement

ADAPTIVE TRAINING
Evolving training programs to adapt to new threats and learning from past security incidents.

HOLISTIC APPROACH
Integrating technical, physical, and administrative controls with a strong emphasis on the human element.