“Information Security For Your Company: Its Risks, Tradeoffs, and Solutions A Management Perspective” November 17, 2005


Page 1: “Information Security For Your Company: Its Risks, Tradeoffs, and Solutions A Management Perspective” November 17, 2005

“Information Security For Your Company: Its Risks, Tradeoffs, and Solutions A Management Perspective”

November 17, 2005

Page 2:

eWorkshop Purpose

To demystify the process of protecting your company’s information

Page 3:

Our presenter will cover

• Types of information to protect
• Types of attackers
• Exposure
• Defenses
• Examples

Page 4:

Lois Webster

CEO

Page 5:

This workshop is sponsored by Jones International University

www.jiu.edu

Page 6:

Jones International University offers an online MBA in Information Security Management

For more information go to www.jiu.edu or call 866.246.0368 to speak with an Admissions Counselor.

Page 8:

How to ask a question:

Page 9:

Maura van der Linden

Software Development Engineer in Test

Microsoft Corporation

Page 10:

Understanding Information Security Tradeoffs: A Management Perspective

Written by:

Maura van der Linden

Brought to you by:

Jones International University

MBA with Information Security Management (www.jiu.edu/learnshare)

© 2005 Jones International University

Page 11:

Presentation Goals

• Convey a basic understanding of the Information Security Equation and its five variables.

• Provide an overview of the process of Threat Analysis.

• Demonstrate the iterative and ongoing nature of Information Security.

• Illustrate the Threat Analysis and Mitigation process with several real life samples of the tradeoffs made to minimize or remove Information Security threats.

Page 12:

Key Information Security Concepts

• Information Security Equation
• Threat Analyses
• Threat Mitigation and Re-Evaluation
• Response and Contingency Planning
• Security Champions
• Security Reviews

Page 13:

Information Security Equation Variables

1. Information
• Collection
• Storage
• Replication

2. Intruders / Attackers
• Sources
• Motivations

3. Exposure

4. Defenses

5. Responses

Page 14:

Poll Question #1

What do you think are the biggest risks to your company?

1 = Email Viruses
2 = Directed Hacking Attacks
3 = Opportunistic Hacking Attacks
4 = Internal Theft / Misuse

Page 15:

Information Aspect 1: Collection

Examples:
• Internet Orders or Submissions
• Paper Orders
• Employee Hiring Paperwork
• Point-of-Sale Systems
• Telephone Ordering Systems
• 3rd Party Data Forwarding

Page 16:

Information Aspect 2: Storage

Business Data Examples:
• HR Data
• Emails
• Intranet Documents
• Financial Data
• Payroll Data
• Intellectual Property
• Partner/Vendor/Supplier Data

Customer Data Examples:
• Personal Data (Identifying Information)
• Credit Card Data
• Order History
• Financial Data
• Medical Data

Page 17:

Information Aspect 3: Replication

Examples:
• Live Databases
• Test Databases
• 3rd Party Forwarding
• Backups
• Log Files
• Printouts
• Paper Files / Copies

Page 18:

Intruders / Attackers Aspect 1: Sources

Internal Source Examples:
• Current Employees
• Contracting Companies
• Vendors / Sub-Contractors

External Source Examples:
• Ex-Employees
• Protesters / Idealists
• Professional Hackers
• Competitors
• Cyber-Vandals

Page 19:

Intruders / Attackers Aspect 2: Motivations

Examples:
• Data Theft
• Data Destruction
• Cyber-Vandalism / Nuisance
• Coup Counters

Page 20:

Exposure

Internal Examples:
• Employees
• Locations
• Intranet
• Contractors

External Examples:
• Internet
• Partners
• Vendors / Contractors
• Customers

Page 21:

Defenses

Examples:
• Commercial Software Defenses
• Commercial Hardware Defenses
• In-House / Custom Defenses
• Physical Defenses
• Policy Defenses

Page 22:

Responses

Examples:
• Intrusion Detection Plan
• Data Recovery Plan
• Data Restoration
• Web Site Restoration
• Customer Notification

Page 23:

Poll Question #2

How many of you have defenses and a response plan in place already?

1 = Both are in place and updated.

2 = Both are in place but are out of date.

3 = Defenses are in place but no response plan.

4 = No formal plan for either

Page 24:

Threat Modeling Aspects

Examples:
• How much harm can be done?
• How easy is it to perform?
• How well known is it?
• How hard or expensive will it be to recover?
• How many customers will it affect?

Page 25:

Threat Analysis & Mitigation Process

Example Questions:
• What is the threat rating (severity)?
• What mitigations are available?
• What do those mitigations cost vs. how well they mitigate the threat?
• Is the convenience worth the risk?
• How will the mitigation be enforced?
• Are there additional legal or regulatory issues if the threat is carried out?

Page 26:

Common Misconceptions of Tradeoffs

• High mitigation = high cost.
• Mitigation solutions must be custom or customized.
• Obscurity = security at very low cost.
• All mitigations are high tech.
• Hackers are isolated and tend to work alone.

Page 27:

Take Incremental Steps

• After each mitigation is developed, the threat must be reviewed again.
• Revisit the threat rating.
• Identify any other threats that might be affected – beneficially or adversely – by a mitigation designed for another threat.
• Don’t neglect easily mitigated threats that do not have the highest threat ratings.
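A worked form of the threat rating, mitigation tradeoff and re-evaluation described on the last three slides, added here as an example and not part of the original workshop: each threat is scored 1 to 5 on the five threat-modeling questions, a mitigation changes those scores on the threat it targets and, beneficially or adversely, on any other threat, and mitigations are ranked by rating points removed per unit of cost. The additive rating, the 5-point scale, the factor weights and the sample register are assumptions for this example.

```python
from dataclasses import dataclass, replace
# Each factor is scored 1 (low) to 5 (high); the additive rating is an assumed model.
FACTORS = ("harm", "ease", "known", "recovery", "customers")

@dataclass(frozen=True)
class Threat:
    name: str
    harm: int       # how much harm can be done?
    ease: int       # how easy is it to perform?
    known: int      # how well known is it?
    recovery: int   # how hard or expensive will it be to recover?
    customers: int  # how many customers will it affect?

    def rating(self) -> int:
        return sum(getattr(self, f) for f in FACTORS)  # severity, 5..25

@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: int     # relative cost, arbitrary units
    effect: dict  # {threat name: {factor: delta}}; a positive delta makes that threat worse

    def apply(self, threats):
        """Re-rate every threat after this mitigation, side effects on other threats included."""
        out = []
        for t in threats:
            d = self.effect.get(t.name, {})
            out.append(replace(t, **{f: min(5, max(1, getattr(t, f) + d.get(f, 0))) for f in FACTORS}))
        return out

def benefit_per_cost(threats, m):
    """Rating points removed across the whole register per unit of cost: the tradeoff figure."""
    drop = sum(t.rating() for t in threats) - sum(t.rating() for t in m.apply(threats))
    return drop / m.cost

def rank(threats, mitigations):
    """Best tradeoff first, so a cheap fix for a mid-rated threat is not neglected."""
    return sorted(mitigations, key=lambda m: benefit_per_cost(threats, m), reverse=True)

# Constructed sample register, loosely modelled on the deck's sample situations.
THREATS = [
    Threat("ssn-indexed-db", harm=5, ease=4, known=4, recovery=4, customers=5),     # rating 22
    Threat("live-data-test-db", harm=5, ease=5, known=3, recovery=3, customers=5),  # rating 21
    Threat("email-virus", harm=3, ease=4, known=5, recovery=2, customers=1),        # rating 15
]
MITIGATIONS = [
    Mitigation("random customer number replaces SSN", 4, {"ssn-indexed-db": {"harm": -3, "customers": -3}}),
    Mitigation("synthetic test database", 3, {"live-data-test-db": {"harm": -4, "customers": -4}}),
    Mitigation("email attachment policy", 1, {"email-virus": {"ease": -2, "harm": -1}}),
]
```

On this sample register the cheapest mitigation, the attachment policy for the lowest-rated threat, ranks first at 3.0 points per unit of cost, ahead of the two fixes for the critical threats.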

Page 28:

Samples of Common Tradeoffs

• Convenience of multiple places to find the same data vs having to secure every place that data is stored.

• Ease of referencing plain text data instead of encrypted data vs. the risk that if the data is stolen, it’s easy and ready to use.

• Ability for any employee to solve problems for customers vs. the risk of all employees having the ability to steal customer data or misuse it.

Page 29:

More Samples of Common Tradeoffs

• Cost of buying commercial security software for every workstation vs. the risk of even one incident of a virus shutting down the business’ intranet.

• Employee morale and freedom of being able to open and read any email at work plus the expense of setting up and enforcing email attachment policies vs. risk of virus attack revealing confidential business information.

Page 30:

Sample Situation #1

Situation: A medical supply company keeps customer information in their permanent database and indexes the information by social security number. The database is accessible from the internet so customers can look up their own information.

Mitigation: The risk of exposing the customers’ social security numbers along with their associated personal information on an internet-facing database is mitigated by the company switching to a random customer number and removing the social security number from their data storage.

Tradeoffs: The convenience of having the social security number as a built-in index is traded for a Customer ID, which means the records have to be retrieved by number or by email address and password. A mailing had to be sent to customers to inform them of why the change was being made and how to access their information from now on.
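The Customer ID switch in Sample Situation #1, as an added example that is not part of the original workshop: the SSN-keyed table is re-keyed by a random Customer ID, the SSN is not carried over, a record is retrieved only with the Customer ID or the email address plus the password, and the migration produces the list used for the customer mailing. The record layout, the password field in the old table and the helper names are assumptions.

```python
import hashlib, hmac, os, secrets

def new_customer_id() -> str:
    """Unpredictable 12-digit Customer ID: random, so it reveals nothing about the customer."""
    return f"{secrets.randbelow(10**12):012d}"

def hash_password(password: str, salt=None):
    """Salted PBKDF2 so the stored table never holds a usable password either."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def migrate(ssn_indexed: dict):
    """Re-key the table by Customer ID, copy only the listed fields, and return the mailing list."""
    customers, mailing = {}, []
    for rec in ssn_indexed.values():
        cid = new_customer_id()
        while cid in customers:  # a collision is vanishingly rare; handle it anyway
            cid = new_customer_id()
        salt, digest = hash_password(rec["password"])
        customers[cid] = {"name": rec["name"], "email": rec["email"], "orders": rec["orders"],
                          "salt": salt, "pw": digest}  # no SSN field is copied across
        mailing.append((rec["email"], cid))  # each customer is told their new number
    return customers, mailing

def lookup(customers: dict, ident: str, password: str):
    """Retrieve by Customer ID or by email address; the password is required either way."""
    rec = customers.get(ident) or next((r for r in customers.values() if r["email"] == ident), None)
    if rec and hmac.compare_digest(rec["pw"], hash_password(password, rec["salt"])[1]):
        return rec
    return None

# Constructed old table: indexed by SSN, which was also stored in the clear (assumed old layout).
OLD = {
    "123-45-6789": {"ssn": "123-45-6789", "name": "A. Patient", "email": "a@example.com",
                    "password": "correct horse", "orders": [1001, 1002]},
    "987-65-4321": {"ssn": "987-65-4321", "name": "B. Patient", "email": "b@example.com",
                    "password": "battery staple", "orders": []},
}
NEW, MAILING = migrate(OLD)
```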

Page 31:

Sample Situation #2

Situation: An online shopping business was allowing their customers to store credit card information, including the three digit code, in order to provide the convenience of not having to enter their credit card information each time they placed an order.

Mitigation: The risk of exposing credit card information in this internet-facing shopping system, together with the risk of a third party being able to charge items to the saved information, was too high, so the credit card information was removed from the customer database and users now have to enter their credit card information for each purchase.

Tradeoffs: The convenience of having the credit card information already entered and available was traded for the security of not having credit card information vulnerable to theft or misuse. Information on the reason for the change was posted to the shopping checkout page, and customer response was quite positive, especially in the wake of a highly publicized credit card information theft.

Page 32:

Sample Situation #3

Situation: A financial investment company which develops and utilizes in-house software for account maintenance has a test database for use by their contract testers but the test database is actually a copy of the live customer database and contains all the information that exists in the live database. In order to make it easier for the testers, the database administrator password has been set to <blank>.

Mitigation: The previously overlooked risk of having live data in an easy-to-access place was considered too high, so an application was written to simulate live transactions and used to build a dummy database for test to use. Because the database now contained NO real data, the administrator password was left as <blank>.

Tradeoffs: The perfect replication of live customer data was traded for a very realistic set of dummy data without the risk of data theft. There was an additional benefit because the tool designed to create the test database was able to be used by other parts of the test effort.

Page 33:

Poll Question #3

How is your Information Security currently being managed?

1 = One person is in charge of it as a main job function and may or may not have a team working under them.

2 = One person is in charge of it as a secondary or lesser task.

3 = A team of people are in charge of it but are not coordinated by a single individual.

4 = It’s outsourced to another company

5 = It’s not being managed

Page 34:

Role of the Security Champion

• Centrally responsible for security efforts.
• Single point of coordination for response plans and materials.
• Disseminates knowledge and information as changes are made in business practices and policies.
• Keeps up to date on software patches, vulnerabilities and versions.
• Presents threat analyses and mitigation plans and proposals to management.
• Conducts and enforces security review standards and schedules.

Page 35:

External Security Consultants

Pro:
• Considerable knowledge and training that is generally kept up to date.
• Can be less expensive to use in circumstances where risks are fairly low and are not overly prone to frequent or rapid changes.
• Can provide a second set of eyes for in-house plans or for vulnerability assessment.

Con:
• May not understand the customer’s business, so making an accurate determination of the tradeoff viabilities may be difficult.
• May be difficult to communicate the full impact of analyses and proposed changes.
• More difficult to use for ongoing changes or revisions.

Page 36:

Continuing Efforts are Key

• Businesses change over time.
• Threats and vulnerabilities change over time.
• Attack vectors and techniques change over time.
• Laws and legal precedents change over time.

Page 37:

How to ask a question:

Page 38:

To access presentation materials

Go to www.LearnShare.com > Best Practice Events > eWorkshops > “Information Security For Your Company: Its Risks, Tradeoffs, and Solutions – A Management Perspective”

Page 39:

Thanks!

Evaluation by email