Security and Control Brian Mennecke

Upload: ariel-goodwin

Post on 11-Jan-2016


TRANSCRIPT

Page 1: Security and Control Brian Mennecke. Planning for Security and Control In today’s net-enabled environment, an increasingly important part of IT planning

Security and Control

Brian Mennecke

Page 2

Planning for Security and Control

• In today’s net-enabled environment, an increasingly important part of IT planning involves planning to control and secure the IT resource

Page 3

Control Systems

• The components of control systems are:
– Standards for performance
– Sensory determination of actual conditions
– Comparison of standard with actual conditions
– Compensatory action if the deviation is too great

Page 4

Page 5

When there are Failures of Control

• Examples of control breakdowns
– Worldcom
– Qwest
– Global Crossing

• What caused these? Probably, it was in part the reward systems for senior managers that consisted of stock options. Managers were rewarded for inflating the bottom line.

• IS has an important role to play in strengthening control systems
– Audits
– Monitoring
– Information dissemination
– Reporting
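The four control-system components (standard, sensing, comparison, compensatory action) and the monitoring/audit role of IS can be shown together as one small detection loop. The following is an added example, not material from the slides: it parses constructed authentication log lines (the log format, the user names, the three-failures-in-five-minutes standard and the "lock the account" response are all assumptions made for the illustration) and produces an audit trail of the actions it took.

```python
"""Control-loop view of security monitoring (added example, not from the slides).

Maps the four components of a control system onto a failed-login monitor:
  standard      -> MAX_FAILURES per user within WINDOW
  sensing       -> parse authentication log lines
  comparison    -> count failures per user inside a sliding window
  compensation  -> lock the account and record an audit finding
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard for performance (assumed values, chosen for the example).
MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)

# Constructed sample log lines; the line format is an assumption for this example.
SAMPLE_LOG = """\
2016-01-11T09:00:01 auth FAIL user=alice src=10.0.0.5
2016-01-11T09:00:20 auth FAIL user=alice src=10.0.0.5
2016-01-11T09:01:05 auth OK   user=bob   src=10.0.0.7
2016-01-11T09:02:10 auth FAIL user=alice src=10.0.0.5
2016-01-11T09:30:00 auth FAIL user=bob   src=10.0.0.9
2016-01-11T09:31:00 auth FAIL user=bob   src=10.0.0.9
"""


def sense(log_text):
    """Sensing: turn raw log lines into (timestamp, outcome, user) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "auth":
            continue  # ignore lines that are not authentication records
        ts = datetime.fromisoformat(parts[0])
        outcome = parts[2]
        user = parts[3].split("=", 1)[1]
        events.append((ts, outcome, user))
    return events


def compare_and_compensate(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Comparison against the standard, then compensatory action.

    Returns (locked_users, findings). A user is locked once the failures
    inside the sliding window reach the standard; a successful login clears
    the window so stale failures do not keep counting against the user.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    locked = set()
    findings = []                # audit trail for the reporting function
    for ts, outcome, user in events:
        if outcome == "OK":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures and user not in locked:
            locked.add(user)
            findings.append(f"{ts.isoformat()} LOCK user={user} failures={len(q)}")
    return locked, findings


def run(log_text=SAMPLE_LOG):
    """Run the whole loop over a log and return (locked_users, findings)."""
    return compare_and_compensate(sense(log_text))


if __name__ == "__main__":
    locked_users, audit = run()
    print("locked:", sorted(locked_users))
    for finding in audit:
        print(finding)
```

On the sample input only alice reaches three failures within five minutes; bob's two failures at 09:30 and 09:31 stay below the standard, so no action is taken against him. The findings list is what the reporting and audit functions on the slide would consume.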

Page 6

Vulnerability of Systems: Where Does Control Fail?

• Errors in and intrusion of the operating system
• Errors in application programs
• Problems with database security
• Lack of network reliability and security
• Problems with adequate control of manual procedures
• Failure of management to maintain proper organizational control
• Open networks and connectivity
• Misuse or mistakes made by users

Page 7

Control in the Organization: Controls can be created through…

• The structure of the organization
– Decentralized or centralized
• Rewards
• Management committee
• Budget
• Direct supervision
• Routine audits
• Establish and enforce standards and procedures
• Develop a plan and policy for managing database resources
– Data Backup/Recovery
– Data Concurrency Management
– Data Security

Page 8

Control in the Organization

Page 9

A Key Requirement for Control is Establishing IT Security

• Without security, the integrity of organizational IT resources will be at risk; therefore, security is everyone’s business

• Security is an increasingly important issue because of an increasing number of threats
– According to the statistics reported to CERT/CC over the past several years (CERT/CC 2003), the number of cyber attacks grew from approximately 22,000 in 2000 to 137,529 in 2003
– According to the 2004 E-Crime Watch Survey, 43% of respondents reported an increase in e-crimes and intrusions versus the previous year, and 70% reported at least one e-crime or intrusion committed against their organization

Page 10

Security Concepts

• Authentication: The process by which one entity verifies that another entity is who they claim to be
• Authorization: The process that ensures that a person has the right to access certain resources
• Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
• Integrity: Being able to protect data from being altered or destroyed in an unauthorized or accidental manner
• Nonrepudiation: The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature
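The five concepts on this slide are easiest to tell apart in code that enforces each one in turn. The block below is an added example, not part of the lecture: it uses only the Python standard library, and the user names, passwords, access-control list and integrity key are constructed for the illustration. It also makes the nonrepudiation point concretely: a keyed MAC gives integrity, but because every verifier holds the same key it cannot prove which party produced a tag, which is why the slide says nonrepudiation usually needs a signature.

```python
"""Security concepts from the slide, as an added example (not from the deck).

Authentication  -> verify a caller's identity with a salted password hash
Authorization   -> check that the authenticated principal holds a right
Integrity       -> detect alteration of a stored record with an HMAC
Confidentiality -> release the record's contents only when all checks pass
Nonrepudiation  -> shown negatively: a shared-key MAC cannot provide it

All user names, passwords and keys below are constructed for the example.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the example)


# --- Authentication ---------------------------------------------------------
def make_credential(password, salt=None):
    """Store a salted PBKDF2 hash instead of the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def authenticate(credentials, user, password):
    """True only if the presented password matches the stored hash."""
    cred = credentials.get(user)
    if cred is None:
        return False
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], ITERATIONS)
    return hmac.compare_digest(probe, cred["digest"])  # constant-time compare


# --- Authorization ----------------------------------------------------------
ACL = {"alice": {"read"}, "bob": {"read", "write"}}  # constructed rights


def authorized(user, right):
    return right in ACL.get(user, set())


# --- Integrity --------------------------------------------------------------
SERVER_KEY = b"example-integrity-key"  # constructed; a real key lives in a KMS


def seal(record, key=SERVER_KEY):
    """Attach an HMAC so unauthorized or accidental changes are detectable."""
    return record, hmac.new(key, record, hashlib.sha256).digest()


def verify_seal(record, tag, key=SERVER_KEY):
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# --- Confidentiality: the checks gate access to the contents ----------------
CREDENTIALS = {
    "alice": make_credential("correct horse"),
    "bob": make_credential("battery staple"),
}


def read_record(user, password, sealed):
    """Release the record only after authentication, authorization and
    an integrity check all pass; otherwise say which control failed."""
    if not authenticate(CREDENTIALS, user, password):
        return "denied: authentication failed"
    if not authorized(user, "read"):
        return "denied: not authorized"
    record, tag = sealed
    if not verify_seal(record, tag):
        return "denied: integrity check failed"
    return record.decode()


# --- Nonrepudiation: why the MAC above is not enough ------------------------
def verifier_can_forge(record, key=SERVER_KEY):
    """Anyone holding the shared key can produce a tag that verifies, so a
    MAC cannot prove *which* key holder made it. Returns True to show the
    forged tag passes; a signature with a private key only the signer holds
    is what gives nonrepudiation."""
    forged_record, forged_tag = seal(record, key)
    return verify_seal(forged_record, forged_tag, key)


if __name__ == "__main__":
    sealed_record = seal(b"salary=1000")
    print(read_record("alice", "correct horse", sealed_record))
    print(read_record("alice", "correct horse", (b"salary=9000", sealed_record[1])))
    print(read_record("alice", "wrong", sealed_record))
    print("shared-key MAC forgeable by verifier:", verifier_can_forge(b"salary=1000"))
```

Each denial names the control that failed, which is the distinction the slide is drawing: a wrong password is an authentication failure, a user lacking a right is an authorization failure, and a changed record with an old tag is an integrity failure.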

Page 11

Types of Threats and Attacks

• Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network

Page 12

Types of Threats and Attacks (cont.)

• Social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access

Page 13

Types of Threats and Attacks (cont.)

• Multiprong approach used to combat social engineering:

1. Education and training
2. Policies and procedures
3. Penetration testing

Page 14

Types of Threats and Attacks (cont.)

• Technical attack: An attack perpetrated using software and systems knowledge or expertise

Page 15

Types of Threats and Attacks (cont.)

• Denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources

Page 16

Types of Threats and Attacks (cont.)

• Distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer
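The difference between the two definitions matters for the defender: a single flooding source is caught by a per-source limit, while a distributed flood can keep every source under that limit and still exhaust the target. The following is an added example, not from the slides, that simulates both cases against a token-bucket rate limiter; the packet streams, source labels and rate values are constructed for the illustration.

```python
"""Why a per-source rate limit is not enough against a DDoS (added example).

Simulates two constructed packet streams against a token-bucket filter:
  DoS  -> one source sending far above the per-source limit
  DDoS -> many sources, each under the per-source limit, whose sum
          exceeds the server's capacity
A per-source bucket stops the first; only an aggregate bucket stops the second.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: refills `rate` tokens/second, bursts up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_stream(packets, per_source_rate, global_rate):
    """packets: iterable of (time_seconds, source), in time order.

    Returns (accepted, dropped_by_per_source_limit, dropped_by_global_limit).
    """
    per_source = defaultdict(lambda: TokenBucket(per_source_rate, per_source_rate))
    aggregate = TokenBucket(global_rate, global_rate)
    accepted = dropped_src = dropped_glob = 0
    for t, src in packets:
        if not per_source[src].allow(t):
            dropped_src += 1
        elif not aggregate.allow(t):
            dropped_glob += 1
        else:
            accepted += 1
    return accepted, dropped_src, dropped_glob


def dos_stream(n=1000, duration=1.0):
    """Constructed: one source sends n packets evenly over `duration` seconds."""
    return [(i * duration / n, "single-source") for i in range(n)]


def ddos_stream(sources=200, per_source=5, duration=1.0):
    """Constructed: each of `sources` bots sends `per_source` packets per second,
    staggered so the packets interleave; the labels are placeholders."""
    pkts = []
    for s in range(sources):
        for k in range(per_source):
            pkts.append(((k + s / sources) * duration / per_source, f"bot-{s}"))
    return sorted(pkts)


def compare(per_source_rate=10, global_rate=100):
    """Run both streams through the same filter; returns a dict of results."""
    return {
        "dos": filter_stream(dos_stream(), per_source_rate, global_rate),
        "ddos": filter_stream(ddos_stream(), per_source_rate, global_rate),
    }


if __name__ == "__main__":
    for name, (acc, d_src, d_glob) in compare().items():
        print(f"{name}: accepted={acc} dropped_per_source={d_src} dropped_global={d_glob}")
```

With a per-source limit of 10 packets/second and a server capacity of 100, the single-source flood of 1,000 packets is almost entirely dropped by its own bucket. The 200 bots sending 5 packets/second each never trip a per-source bucket, yet together they offer 1,000 packets/second, so roughly four fifths are dropped only because an aggregate limit exists. Without that second layer the server would have to absorb the full load.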

Page 17

Types of Threats and Attacks (cont.)

• Malware: A generic term for malicious software
– The severity of virus attacks is increasing substantially, requiring much more time and money to recover
– 85% of survey respondents said that their organizations had been the victims of e-mail viruses in 2002

Page 18

Types of Threats and Attacks

• Malware takes a variety of forms, both pure and hybrid

• Virus: A piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it

• Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself and is capable of propagating a complete working version of itself onto another machine

• Macro virus or macro worm: A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed

• Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk

Page 19

CERT: Recommendations for Governing Organizational Security

• Questions to ask:
– What is at risk?
– How much security is enough?
– How should an organization …

• Develop policies on security
• Achieve and sustain proper security

The CERT recommendations are derived from a report written by Julia Allen entitled Governing for Enterprise Security, which may be found at http://www.cert.org/archive/pdf/05tn023.pdf

Page 20

CERT: Recommendations for Governing Organizational Security

• What is at risk?
– Trust that the public has in your organization
– Reputation and brand
– Shareholder value
– Market confidence
– Regulatory compliance
  • Fines
  • Jail time
– Market share
– Customer privacy
– Ongoing, uninterrupted operations
– Morale of organizational members

Page 21

CERT: Recommendations for Governing Organizational Security

• How Much Security is Enough?
– “Management’s perspective needs to shift”

              From                  To
Scope:        Technical problem     Enterprise problem
Ownership:    IT                    Enterprise
Funding:      Expense               Investment
Focus:        Intermittent          Integrated
Driver:       External              Enterprise
Application:  Platform/practice     Process
Goal:         IT security           Enterprise

Page 22

CERT: Recommendations for Governing Organizational Security

• Good Security Strategy Questions
– What needs to be protected?
  • Why does it need to be protected?
  • What happens if it is not protected?
– What potential adverse consequences need to be prevented?
  • What will be the cost?
  • How much of a disruption can we stand before we take action?
– How do we effectively manage the residual risk when protection and prevention actions are not taken?

Page 23

CERT: Recommendations for Evolving the Security Approach

Page 24

CERT: Recommendations for Evolving the Security Approach

Page 25

CERT: Recommendations for Evolving the Security Approach

• What Does Effective Security Look Like at the Enterprise Level?
– It’s no longer solely under IT’s control
– Achievable, measurable objectives are defined and included in strategic and operational plans
– Functions across the organization view security as part of their job (e.g., Audit) and are so measured
– Adequate and sustained funding is a given
– Senior executives visibly sponsor and measure this work against defined performance parameters
– Considered a requirement of being in business

Page 26

Wireless Network Hacking

Page 27

Security Information

• Symantec Guide to Scary Internet Stuff
– Botnets
– Phishing
– Net Threats
– Underground Economy

Page 28

VOIP Threats

Page 29

Hacking a Desktop

Page 30

Macs aren’t immune