Managing Information Security International Computing Centre Ed Gelbstein, International Computing Centre, Geneva

OECD, April 2001
Asset valuation
What is the business value of...
- Data: what if it is disclosed, modified, unavailable or destroyed?
- Intellectual property
- Systems (software / hardware)
- Documents
- The Organisation's reputation
- etc.
How do you respond?
Option 1
"Hackers please note: this facility is secured Monday and Friday, 09:00 to 17:00 CET. Please do not visit at any other time. We thank you for your understanding."
Option 2
Emergency response plan + team
Key components
Ownership and culture
Policies
Processes and tools
Autopsies, diagnostics, audits
Ownership
Anybody
Everybody
Nobody
Somebody
Culture
Security management is a way of life
It relies on everyone
It requires many processes
It may contain many projects but it has no end
Only the paranoid survive
Threatscape
Sabotage
Misuse / fraud
Unauthorised access
Unauthorised change
Unauthorised disclosure
Destruction of data
Malicious software
Stupidity
Weaknesses in systems
Weaknesses in products
Cyber-attack (DoS / DDoS)
Cyber-attack (EMP)
Data blackmail
and many more...
Threatscape (2)
Threats may be internal or external, physical or logical.
Most pervasive
Virus, worm, trojan horse
Most publicised
Attacks on e-business
- theft of credit card data
- Denial of Service
Most expensive
Insider fraud, sabotage
Theft of proprietary information
Most frequent
Developers' mistakes
Poor configuration
Poor system administration
Building blocks
Policies
Best practices
Standards
Action plans
Change control
Backup / restore
Media management
Disaster recovery
Business continuity
Crisis management
Physical access control
Logical access control
Infrastructure
- No single point of failure
- UPS and standby
- Clusters, fail-soft, alternative routing, RAID, ...
Diagnostics and monitoring
System administration
Audits
Key word: OWNERSHIP
Building blocks (2)
Staff vetting
Training
Tests and audits
Risk assessment
Communications
Risk management
Alert monitoring
Tools and products
Organisation
- incident detection
- incident response
Confidentiality
Integrity
Authorisation
Authentication
Audit trail
Non-repudiation
Key word: OWNERSHIP
Policies
Scope
Documentation
Dissemination
Maintenance
Compliance
Non-compliance
Scope of policies
- E-mail
- Passwords
- System / resource access
- Database administration
- Encryption
- Backup / restore / disaster recovery
- Physical access and remote access
- Software installation
- Change control
- Acceptable use
- Monitoring and audits
- Mobile computing
- Wireless computing
- Privacy
- Staff background checks
and more...
E-mail policy includes...
- Virus, worm, other infectious software
- Executable code
- Audio and video files
- Other large files
- Encryption
- Non-disclosure
- Offensive language / material
- Legal liability (harassment, copyright, libel, etc.)
- Junk e-mail and other loss of productivity
- Personal use of corporate e-mail
- Archival
and so on...
Vigilance
Alerts (Vendor, CERT, FBI, other)
Attacks (who, when, how)
Hacker tools, communiques, websites
Disgruntled staff, behavioural changes
etc
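The slides list alert monitoring, incident detection and log analysis tools among the building blocks, and vigilance means knowing who attacked, when and how. The following is an added example, not code from the original presentation or from the International Computing Centre: a small Python detector run over constructed sshd-style auth log lines. It flags a burst of failed logins from one source and, more important, a successful login that follows such a burst. The sample log, the threshold and the window are assumptions chosen for the illustration.

```python
"""Brute-force and suspicious-success detection over auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the style of OpenSSH entries in /var/log/auth.log.
# 203.0.113.7 hammers the host and finally gets in; 198.51.100.4 fails twice;
# 192.0.2.10 is a normal login. (Addresses are from documentation ranges.)
SAMPLE_LOG = """\
Apr 12 09:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 12 09:00:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr 12 09:00:05 host sshd[2205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr 12 09:00:06 host sshd[2207]: Accepted password for alice from 192.0.2.10 port 40110 ssh2
Apr 12 09:00:08 host sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Apr 12 09:00:09 host sshd[2211]: Failed password for invalid user test from 198.51.100.4 port 33001 ssh2
Apr 12 09:00:11 host sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr 12 09:00:14 host sshd[2215]: Failed password for root from 203.0.113.7 port 51032 ssh2
Apr 12 09:00:15 host sshd[2217]: Failed password for invalid user test from 198.51.100.4 port 33003 ssh2
Apr 12 09:00:20 host sshd[2219]: Accepted password for root from 203.0.113.7 port 51034 ssh2
Apr 12 09:00:21 host cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_line(line: str):
    """Return a dict for sshd password events, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; that is fine for deltas inside one file.
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "ok": m["outcome"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding window of failures per source IP.

    Emits 'brute_force' once per IP when failures inside the window reach the
    threshold, and 'success_after_failures' whenever a login succeeds from an
    IP that still has that many recent failures (the event to escalate first).
    """
    failures = defaultdict(deque)
    already_alerted = set()
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        when = ev["ts"].strftime("%b %d %H:%M:%S")
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_alerted:
                already_alerted.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "failures": len(q), "at": when})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q), "at": when})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields two alerts for 203.0.113.7: the brute-force burst at the fifth failure and the root login that follows it; 198.51.100.4 stays below the threshold and the cron line is ignored. A real deployment would also track failures per target account (password spraying spreads attempts across many source addresses) and correlate with the firewall and application logs the slides list alongside this one.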
Security rings
What does it take to get through each of these layers?
Data access rights
Database security
System security
LAN and server security
Firewall security
Authentication
etc.
Tools and products
Firewalls and antivirus software
Resource access controls
Encryption
Digital certificates
Proxy / reverse proxy servers
Intrusion detection systems
Software integrity checkers
Log analysis tools
and so on... many choices
"out of the box" may not be e-nough
Certification, audits, etc.
How do you know you have not been attacked?
Tests
Audits
Post-mortems
Certification
Who tests the testers?
Like your annual medical, it is no guarantee of good health, but it might diagnose a problem.
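Software integrity checkers appear in the tools list, and the question above is how you know you have not been attacked. As an added example, not the author's code or any product mentioned on the page, here is a Python file-integrity baseline: it records a SHA-256 digest and permission bits for every file under a tree, protects the stored baseline with an HMAC so an intruder cannot quietly update it to match trojaned files, and reports what was added, removed or modified. The directory tree, file contents and key are constructed for the illustration; in practice the key and the signed baseline live off the monitored host.

```python
"""File-integrity baseline and verification (added example, not from the slides)."""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption for the illustration: in real use this key and the signed baseline
# are kept off the monitored host (read-only media or a separate system).
BASELINE_KEY = b"example-key-keep-off-host"


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file (relative path) to its digest and permission bits."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = oct(os.stat(full).st_mode & 0o7777)
            entries[rel] = {"sha256": file_digest(full), "mode": mode}
    return entries


def sign_baseline(entries: dict, key: bytes) -> str:
    """Serialise deterministically and attach an HMAC-SHA256 over the serialisation."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"entries": body, "hmac": tag})


def load_baseline(blob: str, key: bytes) -> dict:
    """Reject a baseline whose HMAC does not verify (one edited without the key)."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["entries"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: the baseline itself has been altered")
    return json.loads(doc["entries"])


def verify(root: str, baseline: dict) -> dict:
    """Compare the tree against the baseline and report the differences."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, simulate an intrusion, verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, text in [("bin/login", "original login binary\n"),
                          ("passwd", "root:x:0:0\n"),
                          ("motd", "welcome\n")]:
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        blob = sign_baseline(build_baseline(root), BASELINE_KEY)

        # Simulated intrusion: trojaned binary, dropped tool, deleted file.
        with open(os.path.join(root, "bin", "login"), "w") as f:
            f.write("trojaned login binary\n")
        with open(os.path.join(root, "bin", "rootkit"), "w") as f:
            f.write("dropped tool\n")
        os.remove(os.path.join(root, "motd"))
        report = verify(root, load_baseline(blob, BASELINE_KEY))

        # The intruder also rewrites the baseline to match the trojaned binary;
        # without the key the HMAC no longer verifies and the load is refused.
        doc = json.loads(blob)
        entries = json.loads(doc["entries"])
        entries["bin/login"]["sha256"] = file_digest(os.path.join(root, "bin", "login"))
        doc["entries"] = json.dumps(entries, sort_keys=True, separators=(",", ":"))
        try:
            load_baseline(json.dumps(doc), BASELINE_KEY)
            report["baseline_tamper_detected"] = False
        except ValueError:
            report["baseline_tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only answers the slide's question if it runs from a trusted environment: a host whose kernel or hashing tool has been replaced can lie about its own files, so the baseline should be taken at build time and the comparison run from known-good media where possible.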
Be vigilant, be silent...
"Yes, we have been attacked and are very aware of the flaws in our security"
-> risk of losing credibility and of inviting trouble
"Our security is superb and we are totally confident in our ability to stay ahead"
-> a challenge to every cracker and script kiddie to prove you wrong