Introduction to Information Security Policies, Standards & Procedures PDF
Bahrain Polytechnic
Summary
This document provides an introduction to information security, covering learning objectives, context, threats, and protection measures. It also includes examples of high-impact attacks and analyses of regional trends.
Full Transcript
Introduction to Information Security, Unit 1 - Week 2

Unit 1 Learning Objectives
- Define Information Security
- Understand Information Security principles and aims
- Be aware of the main components of Information Security policies, standards and procedures
- Assess the Information Security position of an organisation and develop an Information Security policy

Information Security - Context
The information security standard ISO 27000:2018, sections 3.22 and 3.38, defines two concepts:
- External context: in which environment does the company or public organisation operate? Is it exposed to fierce competition, hacktivism, conflict with foreign governments, ...? This identifies the most probable sources of threats.
- Internal context: what is IT used for? What are the prevailing technologies? Are the employees aware of the existence of threats?
These contexts define the supporting assets and their main vulnerabilities.

Information Security - Context
There is no certainty of complete security, yet organisations often make the mistake of assuming their systems are quite secure. During a system check or audit, users within the organisation often display the following traits:
- Knowledge (e.g. failing to install security updates)
- Lack of awareness (assuming that an incident will never occur within the company)
- Informing the security department of any security concerns
- Failure to adopt the organisational security procedures (e.g. the approach to internet security)
Such behaviour is likely to generate security events leading to risks, threats and/or

Threats to Industries (2024)
[Chart from Verizon's 2024 Data Breach Investigation Report (DBIR); not reproduced in the transcript]

Breaches
- 180% increase in attacks compared to 2023
- Exploitation of vulnerabilities is the critical path to initiating a breach
- The main vector is web applications
- These attacks were mainly carried out by ransomware and other extortion-related threat actors
Source: Verizon's 2024 Data Breach Investigation Report (DBIR)
Breaches
- 68% of breaches involved the human element
- 32% of breaches involved ransomware or extortion
- 28% involved errors
- 15% involved a third party (including software vulnerabilities)
Source: Verizon's 2024 Data Breach Investigation Report (DBIR)

Regional Analysis (latest)
[Chart from Verizon's 2024 Data Breach Investigation Report (DBIR); not reproduced in the transcript]

Considerations in attacks... why?
In groups of two, discuss: Why do attacks happen? What motivates individuals or groups? Sample notes are attached for reference.

Hacker services
Various hacking services are available for hire online. These include:
- Email password recovery
- Spying services
- System hacking
- Virus creation
Malware kits are available online (freeware and paid subscription) which can create viruses, phishing attacks, etc., e.g. Beast, TeraBit Virus Maker 3.2 and Blackhole (also sometimes referred to as 'rootkits'). [Example screenshot shown on the slide]

Lifecycle of an attack
Info gathering -> Initial invasion -> Asset discovery -> Asset capture -> Compromise

Who can initiate an attack?
[Diagram plotting attacker sophistication against attacker determination. Actors shown: state-sponsored cyber warfare, organised crime, cyber terrorism, 'hacktivism', hacker collectives, competitor, business partner, disgruntled customer, disgruntled insider, disgruntled ex-employee, disgruntled ex-IT administrator, lone hacker / hobbyist, 'script kiddy', malware, accidental discovery]

Attackers vary their approach
- Attackers get better results by combining several low-level skills than by focusing on one high-level skill
- Example: the 'fake president' scam
  - Preparation: asset discovery about the company's organisation, using a mix of open sources and human interaction
  - Resources: a scam email sent from a "close-to-correct" domain name (example: mcdonald.com instead of mcdonalds.com)
  - Action: social engineering, to convince the employee that he has to do something (transfer money!) or will lose his job!
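The "close-to-correct" domain in the fake president scam is something a defender can check for mechanically: compare every sender domain with the organisation's own domains and flag the ones that are almost, but not exactly, equal. The following Python is an added example for this page, not code from the original slides. It assumes a trusted-domain list, a small table of look-alike character substitutions and a set of constructed sender addresses; it flags a domain as a lookalike when it is within two edits of a trusted domain, or becomes identical to one once confusable characters (such as "rn" for "m") are collapsed.

```python
"""Flag sender domains that are 'close-to-correct' imitations of an
organisation's own domains, the trick behind the 'fake president' scam.

Added example for this lecture page, not code from the original slides. The
trusted-domain list, the confusable table and the sample sender addresses are
constructed for illustration."""

from __future__ import annotations

from dataclasses import dataclass

# Character swaps that look alike in many fonts. Collapsing both sides to the
# same canonical form lets 'rn' match 'm', '0' match 'o', and so on.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def canonical(domain: str) -> str:
    """Lower-case the domain, drop a trailing dot and collapse confusables."""
    d = domain.strip().lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Verdict:
    sender: str
    label: str      # "trusted", "lookalike" or "external"
    closest: str    # the trusted domain the sender most resembles
    distance: int   # edit distance after canonicalisation (-1 if no trusted list)


def classify_sender(address: str, trusted: list[str], max_distance: int = 2) -> Verdict:
    """Classify one sender address against the organisation's trusted domains.

    The domain itself, or a subdomain of it, is trusted. A domain that collapses
    to a trusted one after confusable substitution, or sits within max_distance
    edits of it, is a lookalike. Everything else is an ordinary external domain.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for t in trusted:
        t = t.lower()
        if domain == t or domain.endswith("." + t):
            return Verdict(address, "trusted", t, 0)
    closest, best = "", None
    for t in trusted:
        dist = edit_distance(canonical(domain), canonical(t))
        if best is None or dist < best:
            closest, best = t, dist
    label = "lookalike" if best is not None and best <= max_distance else "external"
    return Verdict(address, label, closest, best if best is not None else -1)


def lookalikes(addresses: list[str], trusted: list[str]) -> list[Verdict]:
    """Return only the verdicts a mail gateway or SOC analyst should look at."""
    return [v for v in (classify_sender(a, trusted) for a in addresses) if v.label == "lookalike"]


# Constructed sample data: the organisation's real domain and a few senders.
TRUSTED_DOMAINS = ["mcdonalds.com"]
SAMPLE_SENDERS = [
    "ceo@mcdonalds.com",        # genuine
    "ceo@mcdonald.com",         # one character dropped, as on the slide
    "ceo@rncdonalds.com",       # 'rn' imitating 'm'
    "it@mail.mcdonalds.com",    # legitimate subdomain
    "news@example.org",         # unrelated external domain
]

if __name__ == "__main__":
    for v in lookalikes(SAMPLE_SENDERS, TRUSTED_DOMAINS):
        print(f"LOOKALIKE {v.sender} resembles {v.closest} (distance {v.distance})")
```

A threshold of two edits suits domains of typical length; very short domains need a tighter threshold or the check will flag unrelated names. At a mail gateway this kind of rule complements, rather than replaces, SPF, DKIM and DMARC checks, which only verify that mail from the genuine domain is genuine and say nothing about a freshly registered lookalike.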
- Michelin (France) lost 1.6m euros in 2014 to an attacker from Israel

Further high impact attacks on organisations

Company | Year | Method | Cost
Citigroup (Citibank, etc) | 2011 | Obtained credit card details | $2.7 million
Sony (PlayStation) | 2011 | Credit card details - SQL injection | $1-2 billion
Epsilon (marketing) | 2011 | Email addresses used for criminal activity (extortion, etc) | $225 million - $4 billion
Spamhaus | 2013 | DDoS | Largest DDoS attack in history - spanned 20 countries
China - .ch | 2013 | DDoS | Slowed and restricted access to the .ch domain
Sony Pictures | 2014 | Malware injection, possible internal support | To be evaluated. Financial loss due to movie leakage + image

History
[Timeline figure covering 1995-1999, 2000-2003, 2004-2007 and 2008-Present, showing the evolution of threats, regulation and business models. Labels recovered from the slide: start of the internet era, Y2K, e-commerce boom, 9/11 and the war against terrorism, organised industrial espionage, increased cybercrime and phishing, extended enterprise and web services, increasing identity theft, internet attacks, Basel II, Sarbanes-Oxley, EU Data Protection Directives, online fraud, rise in threats (viruses, worms, DOS attacks, etc), terrorist intrusions, MiFID, major damage through incidents, increasing regulatory requirements, focused threats, BPO/IT outsourcing, increasing trend towards mobile business, emerging threats, evolving business models, swine flu, cloud computing, evolution of the connected economy, increased awareness of insider risks and intellectual property, increased regulatory focus on data security]

History
- New business models are targeted
- Professional hackers are constantly looking for ways to exploit organisations
- Therefore, it is vital that organisations continually develop, monitor and review their information security policy

Internal context - heavy trends
- Bring your own device (BYOD): usually led by C-level employees... the nightmare of security teams!
- Cloud computing: makes it necessary to define exactly in which country data is stored
- Social networks: people are prone to leak a wide variety of information through them (ex: Israel's MoD)
- Recognition in a global cause: people love to receive fancy content about news issues (ex: would you resist opening a file named "JeSuisCharlie"?)

Zero-day
- "Zero-day" is a term given to a previously unknown vulnerability in a computer system.
- The attack continues unknown to the organisation.
- Day zero is the point at which the organisation becomes aware of the attack and breach.
- From day zero, the days are counted until the breach is resolved.
- There is no patch or fix available at the time the vulnerability is discovered.

How to protect yourself?
[Two slides of recommendations from a Symantec report; not reproduced in the transcript]

How to protect your company?
As part of your information security control checks, the following can be implemented:
- A vulnerability check
- Ethical hacking
- Penetration testing

Penetration testing and risk management
An effective penetration test will highlight vulnerabilities in the organisation's systems and network. Apply the risk management matrix to these vulnerabilities to determine their impact factor. Senior management use this information to decide on the strategic response to the vulnerabilities; cost efficiency is also considered. Together these factors determine whether the vulnerability can be resolved.

Ethical hacking and penetration testing
- Penetration testing: an ethical hacking technique; a goal-oriented process of finding flaws in a target system, with the focus on breaching the systems and taking control of them.
- Ethical hacking (known as white hat hacking): encompasses all hacking techniques and is aimed at a larger project, breaching more than one target system and using several different techniques. It is performed by a company or individual to help identify potential threats on a computer or network.
The ethical hacker attempts to bypass the system security to search for any weak points that could be exploited by malicious hackers. This information is then used by the organisation to improve the system security, in an effort to minimise potential attacks.

Summary - what you should know
- Evidence and scale of information security breaches in the Middle East and the world
- Motivations for attacks
- Commercial hacker services
- Protection measures
- Introduction to pen testing and ethical hacking
- Refer to the handout on Policies

Next: Risk Management
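The "Penetration testing and risk management" slide above describes a pipeline: pen-test findings go through a risk matrix, management weighs the result against cost, and the outcome decides which vulnerabilities get fixed. The Python below is an added example of that pipeline written for this page; it is not from the original slides or from any specific risk framework. It assumes a 1-5 likelihood and 1-5 impact rating per finding, multiplies them into a 1-25 matrix score, bands the score, orders findings by band and then by risk removed per unit of cost, and finally shows which fixes fit inside a remediation budget and which are deferred to management. The findings, ratings, costs and band thresholds are all constructed.

```python
"""Prioritise penetration-test findings with a likelihood x impact risk matrix.

Added example for this lecture page; it is not from the original slides. The
5-point scales, the band thresholds, the sample findings and their remediation
costs are all constructed for illustration."""

from __future__ import annotations

from dataclasses import dataclass

# Risk bands over the product likelihood * impact (each rated 1..5).
# Thresholds are an assumption; organisations tune them to their risk appetite.
BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical"))


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    likelihood: int   # 1 = rare .. 5 = almost certain
    impact: int       # 1 = negligible .. 5 = severe
    fix_cost: float   # estimated remediation cost, constructed units


def risk_score(f: Finding) -> int:
    """Matrix cell value: likelihood multiplied by impact (1..25)."""
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError(f"{f.ident}: ratings must be in 1..5")
    return f.likelihood * f.impact


def risk_band(score: int) -> str:
    """Map a matrix score to its qualitative band."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} outside the matrix")


def cost_efficiency(f: Finding) -> float:
    """Risk removed per unit of remediation cost (higher is better)."""
    return risk_score(f) / f.fix_cost if f.fix_cost > 0 else float("inf")


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest band first; within a band, the most cost-efficient fix first."""
    band_rank = {name: i for i, (_, _, name) in enumerate(BANDS)}
    return sorted(
        findings,
        key=lambda f: (band_rank[risk_band(risk_score(f))], cost_efficiency(f)),
        reverse=True,
    )


def plan_within_budget(findings: list[Finding], budget: float) -> tuple[list[str], list[str]]:
    """Greedy plan: walk the prioritised list, funding each fix that still fits.

    Returns (funded_ids, deferred_ids). Deferred items are the ones senior
    management has to decide on: accept the risk, transfer it, or fund it later.
    """
    funded, deferred, spent = [], [], 0.0
    for f in prioritise(findings):
        if spent + f.fix_cost <= budget:
            funded.append(f.ident)
            spent += f.fix_cost
        else:
            deferred.append(f.ident)
    return funded, deferred


# Constructed sample findings, as a pen-test report might summarise them.
SAMPLE_FINDINGS = [
    Finding("F1", "SQL injection in customer portal", 5, 5, 40.0),
    Finding("F2", "Missing security updates on file server", 4, 4, 10.0),
    Finding("F3", "Verbose error pages leak stack traces", 3, 1, 2.0),
    Finding("F4", "Weak password policy on VPN", 4, 3, 5.0),
    Finding("F5", "Legacy protocol enabled on internal network", 2, 4, 60.0),
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"{f.ident} {risk_band(s):8} score={s:2} eff={cost_efficiency(f):.2f} {f.title}")
    funded, deferred = plan_within_budget(SAMPLE_FINDINGS, budget=60.0)
    print("fund now:", funded, "defer:", deferred)
```

The ordering deliberately keeps band above cost efficiency: a cheap Low finding never jumps ahead of an expensive Critical one, which is the strategic decision the slide leaves to senior management. The greedy budget walk is the simplest defensible plan; where costs vary widely, a team might instead present management with the deferred list and the residual risk it carries.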