A security awareness presentation created for an audience of senior officials from MTNL (India's foremost telecom PSU). The presentation covers the fundamentals of Information Security, its evolution, and present-day risks from the IT and Telecom infrastructure perspective.
2.
Introduction
Audience
Us.. Pyramid & Dinesh
Today's Program Plan
Information Security Fundamentals
Why Security (cases and incidents; critical infrastructure concept for MTNL and telecom, national intranet and lights on concept)
What to Secure (current state analysis, maturity plan, essentials, goals and objectives – certification / compliance / reputation etc)
When and How to Secure
First steps and discussions
3. Established and well-known Cyber Security and Forensics Consulting organization for the past decade
Cyber Forensics Labs in 22 states across India
Qualified, experienced and certified team of Forensic and InfoSec professionals
Full range of InfoSec services – strategy, design, implement, maintain, test, response, investigation, protection
4.
Managed Security Services as per RBI/IDRBT guidelines
Compliance with ISO, RBI, IDRBT, IT Act etc as applicable
ISMS Policies, Procedures, Audit Program as per ISO27001
Ethical hacking, Software Security
Open Source technology adoption
Security Awareness Training
Forensic and Incident Response…
5.
Professional Positions
Jharkhand Police – Cyber Defence Research Centre (Cyber Security Advisor)
Bombay Stock Exchange - IGRC (Technical Member)
Open Security Alliance (CEO)
Pyramid Cyber Security & Forensics (Principal Advisor)
Indian Honeynet Project (Co Founder)
Professional skills and special interest areas
Technologies: SOC, DLP, IRM, SIEM…
Practices: Incident Response, SAM, Forensics, Regulatory guidance..
Security Consulting and Advisory services for IS Architecture, Analysis, Optimization in Government and Enterprises
Community: mentoring, training, citizen outreach, India research..
Opinionated blogger, occasional columnist, wannabe photographer
6. MTNL was set up on 1st April, 1986 by the Government of India
Started as Bombay Telephone in 1882, in the pre-independence era
MTNL is the largest Broadband service provider in Mumbai
National Critical Infrastructure: provides landline services, high-speed broadband through ADSL, 3G, VoIP, IPTV among a range of telecom services
7.
Information / Data Security
8. When data is processed, organized, structured or presented in a given context so as to make it useful, it is called Information.
Data is raw, unorganized facts that need to be processed. Data can be something simple and seemingly random and useless until it is organized.
Knowledge is a combination of information, experience and insight that may benefit the individual or the organization.
http://www.infogineering.net/datainformation-knowledge.htm
11. DATA
Interpret data so that it has some value and meaning for the user
INFORMATION
A combination of information & data, experience, insight that is built through a brain's processes
KNOWLEDGE
14. Even a young man has to use a walking stick!
Technology advancement has brought about dramatic change in life and work and continues its march of dynamic growth
It was an era of innocence and invention from when computing started up to the time when the internet was unveiled
Over the years it has metamorphosed into a force we are still trying to understand and has brought with it 'great expectations' from the human beings who are in charge!
19. Requires ABSOLUTE management support – absolutely and unconditionally
Management MUST have high level of awareness of risks and must maintain a high level of visibility
Risks, Threats and Metrics arising from IT / IS must be a regular item on the board
Board must receive regular intelligence advisories
Fires, floods, and such disasters will see the CxO on the frontlines… earning respect
20.
Empower security teams
Define roles and responsibilities
Ensure strong and well defined processes for managing risk, controls, BCP/DR, communication
Automate processes
InfoSec Management systems must have strong governance
21.
Various standards like ISO 27001, ISO 22301, ISO 20000, ISO 14000
Frameworks like ITIL, PCI-DSS, NIST
Laws and Regulatory requirements – IT Act, Guidelines, Data Protection etc
25. 11 Domains, 39 Control Objectives, 133 Controls
Organization of Information Security
Security Policy
Access Control
Physical and Environment Security
Asset Management
Human Resource Security
Communication and Operations Management
Information Systems Acquisition, Development, Maintenance
Information Security Incident Management
Compliance
Business Continuity Management
33.
Policies and Procedures
Risk Management
Asset Information
Data Classification
Incident Management
BCP/DR
Configuration, Change
Compliance Requirements
37. SHODAN (http://www.shodanhq.com/) is a computer search engine designed by web developer John Matherly (http://twitter.com/achillean)
While SHODAN is a search engine, it is much different from content search engines like Google, Yahoo or Bing
Rather than locating specific content for a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners
43. PwC – State of Information Security in India Report 2013
50.
An unexplained suicide
Reputation loss for Vodafone
Rootkit Ericsson AXE MSE
Involvement of CIA? Not proven
Case is not yet resolved
Motive is unknown
57. 23.7(i) Security Responsibility
- Complete and total responsibility for security of networks, under which the following must be done – Network Forensics, Network Hardening, Network PT, Risk Assessment
23.7(ii) Security Audit
- Conduct a network security audit once a year by a network audit certification agency, as per ISO15408 and ISO27001
23.7(iii) Security Testing
- Network elements must be tested as per defined standards – IT and IT related against ISO15408, ISMS against ISO27001; Telecom elements against 3GPP, 3GPP2 security standards. Up to 31 Mar 2013 this can be done overseas and after this date in India
23.7(iv) Security Configuration
- Include all security features, as per standards, while procuring equipment and implement the same.
- Maintain list of all features while equipment is in use
- List is subject to inspection by Licensing Authority
23.7(v) Security Personnel
- CISO, System Administrators, Nodal Executives for handling NLD/ILD switches, central database, softswitches … all must be Indian Nationals.
62. Hacked on Aug 14, and site was down as of Aug 16
Earlier hack in June 2013, by Anonymous to protest against censorship. Site was down for 6 hours
69. Low Orbit Cannon – used by Anonymous to launch DDoS attacks
Blackhole Exploit Kit (pre-made attack tools and packages. Available for download, it is a full-fledged, highly sophisticated attack suite - a widely-used, web-based software package which includes a collection of tools that leverage web browser security gaps. It enables the downloading of viruses, bots, trojans and other forms of malicious software onto the computers of unsuspecting victims. Prices for such kits range from $50 for a single day's usage up to $1,500 for a full year)
Managed Crime Services
Card Markets
Information Exchange
Cyber Mercenaries for Hire
Botnets (available for as low as $500)
79. The revelation of PRISM has changed the way we look at the future.
What was to happen is already happening – the NSA can keep tabs on the global population!
Microsoft, Google, Adobe and all the big names in technology are implicated - we have been dreaming and planning to get out of commercial systems into the open source domain and these events have pushed the future into the present
80.
Policies / Procedures / Documentation
DLP
SIEM
Network Forensics
Secure Web Application
Periodic VA and PT
Audit and Review
82.
Malware
APT
Data Breach
Denial of Service
Slow response in the face of change
Lack of actionable intelligence
Insufficient Capability and Capacity
Weak Incident Response and Crisis Management
92.
Current State Evaluation – People, Process and Technology
Gap Analysis as per ISO / ITA
Forensics as a Service
Incident Response
Policy Development aligned to Enterprise and National Strategies
Build internal Governance Structures
Emergency & Crisis Response Team
Awareness Program
IS Controls Implementation
Training