ISM_01 - Intro to ISM.pdf

Full Transcript

INTRODUCTION TO
INFORMATION SECURITY MANAGEMENT
Instructor: Arian Sheremeti, CISM

September 2024

1
 ISM Module Information
ABOUT THE MODULE
▪ Module duration: 4 weeks (Sep 2 nd – Sep 26 th)
▪ Number of chapters: 13
▪ Number of classes: 11 + 1 Final Exam
▪ Class start time: 18:00
▪ Duration p/class: 3.5 hours per class
▪ Breaks: up to 2x breaks of 10-15 mins each
▪ Final Exam: Scheduled on last session (Sep 26th)

CLASS SCHEDULE
▪ 3x times p/week: Mon, Wed, and Thur

LANGUAGE
▪ Lectures, materials, quizzes and final exam will be conducted in
English language

ABOUT INSTRUCTORS
▪ Arian Sheremeti Drilon Osmani
[email protected] [email protected]
linkedin.com/in/ariansh/ linkedin.com/in/drilon-osmani/

2
 Getting to Know Each Other: Instructor Profile
International experience Industries
15+ years of international experience Financial Services, Retail,
Global engagements: Canada, United States, and Insurance, IT Consulting,
Southeastern Europe. Banking, Telecommunications,
Worked for global companies, such as PwC, Deloitte, etc. Aerospace, Energy and Utilities,
Worked across various industries &functional areas Cruise Line, Higher Education,
Distribution, Theme Parks,
Hospitality, Beverage,
Specialization
Clients / Engagements
IT Governance, Risk and Compliance (GRC)
Information Security Strategy and Governance USA Kosova Albania
Cyber-defense Operations Management Schneider Electrics BQK ABI Bank
Walt Disney Parks Trusti Tirana Bank
Disaster Recovery and Business Continuity
Awareness Campaigns and Trainings Bacardi Inc. IPKO Fibank
Carrier Kujtesa Union Bank
Norwegian Cruise Line NLB Bank Raiffiesen Albania
Education Royal Caribbean BpB Bank One Albania
Master of Science in Information Systems, Tech Data Corp, B. Ekonomike Antea
Chapman Graduate School of Business,
Arian Sheremeti
Bloomin’ Brands AFK Sigal
Florida International University Cott Corporation KEP
Bachelor of Business Administration, Aero Turbine ELKOS Group
Landon Undergraduate School of Business, Florida Blue Meridian Group
Florida International University VIVA Fresh
Services KEDS / KESCO
Certifications
Certified Information Security Manager (CISM) Information Security Strategy and Governance
Certified Information System Auditor (CISA) Cyber-defense Operations Management
Certified ISO/IEC 27001 Lead Implementer IT Risk Assessment
Certified ISO/IED 27001 Lead Auditor Disaster Recovery Planning (DRP)
Microsoft Certified Systems Engineer (MCSE) Business Continuity Management (BCM)
Microsoft Certified Systems Administrator (MCSA) IT Policies and Procedures Review
Microsoft Certified Professional (MCP) Application Development Security Review
Network+ IT Infrastructure Security Review
3 Implementation of ISO/IEC 27001
 ISM Module Calendar
Monday Tuesday Wednesday Thursday Friday

2 3 4 5 6

1. Intro to ISMS 1. Asset Management Cloud and Virtualization Tech.
2. Security Policies and Procedures 2. Identity and Access Management

9 10 11 12 13

Vulnerability & Patch Management 1. Third-Party Management Security Operations & Monitoring
2. Legal & Ethical Considerations

16 17 18 19 20

Risk Management and Compliance Security Assessment & Testing Incident Response

23 24 25 26

Disaster Recovery Data Protection Final Exam

4
 General Overview
Session
Introduction to Information Security Management
Security Policies and Procedures
Asset Management
Identity and Access Management
Characteristics and Benefits of Cloud and Virtualization Technologies
Vulnerability and Patch Management
Third-Party Management
Security Operations and Monitoring
Legal and Ethical Considerations in Information Security
Risk Management and Compliance
Security Assessment and Testing
Incident Response
Disaster Recovery
Data Protection

5
 Outline of Today's Session
Introduction to Information Security Management
This session provides an introduction to information security management, highlighting its importance in today's digital landscape and
outlines the key principles and concepts of information security management. The session will also delve into the foundational
knowledge of cybersecurity, emphasizing the impact of threats on organizations and individuals. This will set the foundation for the rest
of the module.

▪ Understanding the Need for Information Security Management
▪ Core Principles and Concepts of Information Security Management
▪ Foundational Knowledge of Cybersecurity
▪ Understanding the Impact of Cyber Threats on Organizations and Individuals
▪ Exploration of Common Security Threats
▪ Comprehension of Security Vulnerabilities
▪ Human Factor and its Role in Information Security

6
 The Need for Information Security Management
INTRODUCTION RISING CYBER-THREAT LANDSCAPE MOTIVATION BEHIND CYBERATTACKS
▪ What is ISM ▪ Evolution of Threats ▪ Financial gain
▪ The increasing reliance on digital ▪ Sophistications of cyber-attacks ▪ Political motivation
systems + interconnectivity ▪ The increasing reliance on digital ▪ State actors
Example: Critical Infrastructure systems + interconnectivity ▪ Corporate Espionage
▪ Insider threats
Sectors: Communications, Energy, Example: Estonia (2007), Ukraine
Financial, Transportation, Water (2015), Target (2013), Equifax (2017), ▪ Revenge
▪ Recognition & achievement
management, etc. Colonial Pipeline (2021), Albania
(2022), etc.

OPERATIONAL CONTINUITY
▪ Importance of information security for
uninterrupted business operations
▪ Examples of operational disruptions due to
cyberattacks (Ransomware, DDoS, etc.)

FINANCIAL IMPLICATIONS REPUTATIONAL DAMAGE LEGAL AND REGULATORY REQUIREMENTS
▪ Cost of security breaches to organizations ▪ Reputational impact due to security ▪ Consequences of non-compliance
(forensics and remediations, compensations incidents ▪ GDPR, HIPAA, latest SEC requirement, etc.
to affected parties) ▪ Trust and brand loyalty
▪ Investment in proactive security measures considerations
vs. reactive measures
7
 The Need for Information Security Management
Key Takeaways
ESSENTIAL FOR ORGANIZATIONAL PROTECTION
▪ Fundamental in safeguarding organizational assets against diverse cyber threats.
▪ Critical in ensuring the confidentiality, integrity, and availability of data.

IMPACT EXTENDS BEYOND THE ORGANIZATION
▪ Poor security management affects not just the organization, but also its customers, partners, and potentially the wider public.
▪ Can lead to financial, reputational, and legal consequences on a larger scale.

SHARED RESPONSIBILITY
▪ Effective security is a collective effort, involving every individual in the organization.
▪ Not limited to the IT department; requires engagement from all levels, including management and staff.

LEADERSHIP 'S PIVOTAL ROLE
▪ Leadership must champion a security-focused organizational culture.
▪ Responsible for allocating necessary resources for robust security measures and training.

A CONTINUOUS AND ADAPTIVE PROCESS
▪ Information security is not a one-time effort but an ongoing process.
▪ Requires constant vigilance, regular updates, and adaptation to emerging threats and technologies.
8
 Core Principles of Information Security Management
Introduction to the CIA Triad
CONFIDENTIALITY INTEGRITY AVAILABILITY
Ensuring that information and resources are
Ensuring that sensitive information is accessed Guaranteeing the accuracy and completeness of available to those who need them, when they
only by authorized individuals. data. need them.
Example: Encryption, access controls. Example: Data checksums, version controls. Example: Redundant systems, regular
maintenance.

Expanding Beyond the CIA Triad
ACCOUNTABILITY NON-REPUDIATION
Ensuring that all actions on the system can be
Preventing individuals or entities from denying
attributed to an individual or entity.
their actions.
Importance: Tracing actions back to the source,
ensuring responsible use. Tools: Digital signatures, audit trails.

Additional Considerations
AUTHENTICATION AUTHORIZATION
Verifying the identity of a user, device, or entity
Defining and controlling access levels and
in the network.
permissions.
Methods: Passwords, biometrics, multi-factor
Approach: Role-based access control, least
authentication.
privilege principle.
9 Source: Okta
 Core Principles of Information Security Management
Key Takeaways

The Foundational Principles for Protecting Information
CONFIDENTIALITY
A set of rules that prevents sensitive information from being disclosed to
unauthorized people, resources and processes. Methods to ensure confidentiality
include data encryption, identity proofing and two factor authentication.

INTEGRITY
Ensures that system information or processes are protected from intentional or
accidental modification. One way to ensure integrity is to use a hash function or
checksum.

AVAILABILITY
Availability means that authorized users are able to access systems and data when
and where needed and those that do not meet established conditions, are not. This
Source: IBM
can be achieved by maintaining equipment, performing hardware repairs, keeping
operating systems & software up to date, and creating backups.

10
 Core Principles of Information Security Management

Protection of Information in Each Stage
PROCESSING STORAGE TRANSMISSION
Refers to data stored in memory Refers to data traveling
Refers to data that is being used
or on a permanent storage between information systems
to perform an operation such as
device such as a hard drive, (data in transit).
updating a database record
(data in process). solid-state drive or USB drive
(data at rest).

The Security Measures Used to Protect Data
AWARENESS, TRAINING AND TECHNOLOGY POLICY AND PROCEDURES
EDUCATION Refers to the software- and Refers to the administrative
Measures put in place by an hardware-based solutions controls that provide a
organization to ensure that designed to protect information foundation for how an
users are knowledgeable about systems such as firewalls, which organization implements
potential security threats and continuously monitor your information assurance, such as
the actions they can take to network in search of possible incident response plans and
protect information systems. malicious incidents. best practice guidelines.

11
 Foundational Knowledge of Cybersecurity
▪ Cybersecurity
Is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks.
It aims to reduce the risk of cyber attacks and protect against the unauthorized exploitation of systems, networks, and technologies.

▪ Why is cybersecurity Important
THE COSTS OF CYBER SECURITY CYBER ATTACKS ARE INCREASINGLY CYBER CRIME IS A BIG BUSINESS CYBER SECURITY IS A CRITICAL,
BREACHES ARE RISING SOPHISTICATED BOARD-LEVEL ISSUE

According to a study by McAfee and New regulations and reporting
Organizations that suffer cyber Cyber attacks continue to grow in requirements make cyber security
the CSIS, based on data collected by
security breaches may face sophistication, with attackers using risk oversight a challenge. The
significant fines. There are also an ever-expanding variety of Vanson Bourne, the world economy
loses more than $1 trillion each board needs assurance from
non-financial costs to be tactics. These include social management that its cyber risk
considered, like reputational engineering, malware and year due to cybercrime. Political,
ethical, and social incentives can strategies will reduce the risk of
damage. ransomware. attacks and limit financial and
also drive attackers.
operational impacts.

▪ Who needs Cyber Security
PERSONAL ORGANIZATIONAL GOVERNMENT

On a personal level, you need to At an organizational level, it is As more digital information is being gathered and
safeguard your identity, your data, everyone’s responsibility to protect shared, its protection becomes even more vital at
and your computing devices. the organization’s reputation, data the government level, where national security,
and customers. economic stability and the safety and wellbeing of
12
citizens are at stake.
 Understanding the Impact of Cyber Threats

Functions Most Likely to be Affected by Cyberattacks

OPERATION FINANCIAL BRAND CUSTOMER INTELLECTUAL
INTERRUPTIONS LOSS REPUTATION RETENTION PROPERTY

PARTNER SUPPLIER LEGAL REGULATORY SECURITY BREACH
RELATIONSHIP RELATIONSHIP ENGAGEMENTS SCRUTINY HISTORY

13
 Exploration of Common Security Threats
MALWARE PHISHING RANSOMWARE MAN-IN-THE-MIDDLE (MITM)
ATTACKS
Malicious software designed to Deceptive attempts to obtain A type of malware that encrypts a
disrupt, damage, or gain sensitive information by disguising victim's files and demands payment Where attackers secretly intercept
unauthorized access. Includes as a trustworthy entity, often via for decryption. and possibly alter the
viruses, worms, trojans, and email.. communication between two
spyware. parties who believe they are
directly communicating with each
other.

DENIAL-OF-SERVICE (DOS) SQL INJECTION ZERO-DAY EXPLOIT INSIDER THREATS
This is when a network, host or Injecting malicious SQL code into a Exploitation of a previously Security threats originating from
application is sent an enormous database via a vulnerable unknown vulnerability before within the targeted organization,
amount of data at a rate which it application, compromising data developers have had a chance to often by an employee or former
cannot handle. This causes a integrity. address the security flaw. employee.
slowdown in transmission or
response, or the device or service
to crash.

PASSWORD ATTACKS BOTNET THE COSTS OF CYBER SECURITY BREACHES ARE
A group of computers which have RISING
Dictionary attacks
been infected by malware and have
Brute-force attacks Organizations that suffer cyber security
come under the control of a
Traffic intersception breaches may face significant fines. There are
Password Spraying malicious actor.
also non-financial costs to be considered, like
reputational damage.
14
 Understanding Security Vulnerabilities
SECURITY VULNERABILITIES EXPLOIT CYTBER-ATTACK
Security vulnerabilities are any kind of A program written to take advantage of A cybercriminal can use an exploit against
software or hardware defects/flaws or a known vulnerability is referred to as a vulnerability to carry out a cyber-attack
weaknesses that can be exploited by cyber an exploit.
attackers to gain unauthorized access, steal
data, or cause other harm.

Broad Classification of Vulnerabilities
SOFTWARE VULNERABILITIES HARDWARE VULNERABILITIES NETWORK VULNERABILITIES PROCESS VULNERABILITIES
Flaws in operating systems, Physical weaknesses in hardware Weaknesses in network Flaws in organizational procedures
applications, or other software. devices. Examples include firmware architecture or protocols. Examples and policies. Examples include
Examples include buffer overflows, flaws. include unsecured Wi-Fi networks inadequate data encryption
SQL injection, and cross-site and poorly configured firewalls. practices and insufficient employee
scripting (XSS). training on security protocols.

Broad Mitigation Strategies
REGULAR SOFTWARE AND PROPER CONFIGURATION AND COMPREHENSIVE SECURITY EMPLOYEE TRAINING AND
FIRMWARE UPDATES (PATCHING) AUDITS ASSESSMENT AWARENESS PROGRAMS
Implementing routine updates to Regularly reviewing and updating Conducting thorough security Educating staff about common
software and hardware systems to the configuration of network assessments to identify and cyber threats and best practices.
address known vulnerabilities. devices and systems. address vulnerabilities.
15
 The Human Factor in Information Security
Understanding Human Error in Cybersecurity
TYPES OF HUMAN ERRORS COMMON INCIDENTS
▪ Misjudgment ▪ Clicking on malicious link
▪ Oversight ▪ Using unsecured networks
▪ Misconfiguration ▪ Sharing passwords
▪ Failure to follow procedures ▪ Losing devices containing sensitive data

Psychology Behind Human Error
COMPLACENCY SOCIAL ENGINEERING VULNERABILITY
Complacency in cybersecurity Humans are naturally trusting, which can
refers to a sense of self-satisfaction be exploited through social engineering
with one's performance, to the tactics.
point of no longer seeing the
potential threats or not diligently Exploitation of Trust
following security procedures. Social engineering is the art of
manipulating people, so they give up
Causes of Complacency confidential information or they follow
Routine attackers' instructions.
Overconfidence
Lack of Visible Threats Manipulative Tactics
▪ Authority – I’m calling from…
When security protocols are not ▪ Intimidation – If you don’t help me…
actively enforced or encouraged, ▪ Urgency – I need this now…
employees may become ▪ … and much more

16 complacent.
 The Human Factor in Information Security
Importance of Security Awareness Training
SECURITY-CONSCIOUS CULTURE SIMULATED ATTACKS
Regular, engaging training to foster a mindset where Use of simulated phishing and social engineering attacks
security is everyone's priority to train employees to recognize and respond to threats.

Building Resilient Security Behaviors
REWARDING COMPLIANCE ENCOURAGING REPORTING
Implementing incentive programs for following security Making it easy and stigma-free for employees to report
protocols. mistakes or suspicious activities.

Leadership and Information Security
TOP-DOWN APPROACH RESOURCE ALLOCATION
Leadership must exemplify and drive the security culture Ensuring adequate resources are provided for
comprehensive security training programs.

Continuous Improvement
ADAPTIVE TRAINING HOLISTIC APPROACH
Evolving training programs to adapt to new threats and Integrating technical, physical, and administrative
learning from past security incidents. controls with a strong emphasis on the human element.

17
18