Presentation by Murad Assafi on Information security

1. Information Security
RECIPA-IMT

2. • Understanding of information security and Key
concepts
• Understanding role model for having robust
Information Security Management System
Implementation
• Empowerment of Information Security Management
System through implementing best practices for
People, Process and Technology.
• Few Guidelines to maintain Network and Personal
Security
Aims
I
N
F
O
S
E
C

3. The Growth of Internet Crime
“Of the top five categories of offenses reported to law enforcement during
2009, non-delivered merchandise and/or payment ranked 19.9%; identity
theft, 14.1%; credit card fraud, 10.4%; auction fraud, 10.3%; and computer
fraud (destruction/damage/vandalism of property), 7.9%.”

4. Information Security
• What is it?
- The process in which “Confidentiality”,
“Integrity” & “Availability” of information
ensured.
• In other words:
- protecting information and information
systems from unauthorized access, use,
disclosure, disruption, modification,
perusal, inspection, recording or
destruction.
(United States Code, title 44)

5. Main Concepts
– Confidentiality
Preventing unauthorized
persons, or parties to get
access to the information
– Integrity
Safeguarding the accuracy and
completeness of information
and processing methods
– Availability
Ensuring access for
authorized persons/parties
anytime it’s needed.

6. Information classification
• Act of tagging information with labels to make divide them to
different groups.
• When it’s related to information security, It should be first
step!
• It enables to treat information in sets with similar procedures
for easier handling and better management.

7. Information classification
• It clarifies information usage with respect to access
control and confidentiality protection.
– First is the issue of who is qualified to determine this
– Mostly context and content dependent
– Normally can be changed by Time and Circumstances
• Best example is military classical classification
– Unclassified
– Secret
– Top secret
• In data world both “data” and “persons” are
categorized to manage access control

8. Confidentiality
• Confidentiality ensures that only those with the
rights and privileges to access information are able
to do so.
• Having complete Confidentiality can be impossible to
insure at times.
• Examples:
– research data,
– medical and insurance records,
– new product specifications
– corporate investment strategies.

9. Integrity
• Information has integrity when it is whole, complete,
and uncorrupted.
• The integrity of information is threatened when the
information is exposed to corruption, damage,
destruction, or other disruption of its authentic state.
• When information is modified in unexpected ways, the
result is known as loss of integrity.
• It defines authenticity and level of trust

10. Availability
• Timely, reliable access to data and information
services for authorized users, and has three main
factors;
– Reliability: degree in which a system performs its purpose
for the period of time intended under the operating conditions
encountered
– Accessibility: degree in which a system is usable by as
many people as possible without modification and is
characterized in terms of the ability of users to have physical
access to the system.
– Timeliness: is the responsiveness of a system or resource to
a user request. In fact,

11. Availability
• Traditionally Info AV has
mostly been measured by the
amount of time an information
resource is either processing or
not (uptime and downtime)
• Other secondary factors;
– Redundancy and thorough
system backups
– Preventative and correctative
maintenance

12. Possible Threats
High User
Knowledge of IT
Systems
Theft,
Sabotage,
Misuse
Virus Attacks
Systems &
Network
Failure
Lack Of
Documentation
Lapse in
Physical
Security
Natural
Calamities &
Fire

13. SO HOW DO
WE
OVERCOME
THESE
PROBLEMS?

14. Planning of InfoSec
• An Strategic view will be:
– Analysis of the current situation;
– Identification of business-strategy requirements;
– Identification of legal and regulatory requirements;
– Identification of requirements due to external trends;
– Definition of the target situation;
– Definition and prioritization of strategic initiatives;
– Distribution of the draft strategy;
– Agreement and publication of final strategy.
InfoSec Policy is approved by Top
Management

15. History
Early 1990
• DTI (UK) established a working group
• Information Security Management Code of Practice produced as
BSI-DISC publication
1995
• BS 7799 published as UK Standard
1999
• BS 7799 - 1:1999 second revision published
2000
• BS 7799 - 1 accepted by ISO as ISO - 17799 published
• BS 7799-2:2002 published

16. History
• ISO 27001:2005
Information technology — Security techniques — Information
security management systems — Requirements
• ISO 27002:2005
Information technology — Security techniques — Code of
practice for information security management

17. Security Triangle again
Information
Security Policy
Organisation
of Information
Security
Asset
Management
Human
Resource
Security
Physical
Security
Communication
& Operations
Management
Access Control
System
Development
&
Maintenance
Incident
Management
Business
Continuity
Planning
Compliance
Availability

18. A Security System Components
PEOPLE
PROCESSES
TECHNOLOGY

19. Technologies
• Prevention of physical access by unauthorized people
• Data Network Security by using proper access control
• Communication line Security
– Preventing eavesdroppers
– Avoid tapping to line
– Stopping intruders attacks

20. Technologies
• Proper Hardware design is
main Solution:
– Firewalls; Prevents
unauthorized access from
outside network
– VPN; Provides Secure
channels for transferring
sensitive information
– Antivirus; Ensures security of
stored data by stopping
worms, viruses, malwares,
Trojans

21. Processes
• The processes refer to "work practices" or workflow. Processes are
the repeatable steps to accomplish business objectives.
• Generally this part which managed by software in data networks
and administrative paperwork in physical environment, works
under supervision of set of rules called “Policies”
• As mentioned before Policy makers are made by strategic planners
and approved by top management.
• Asset management is main process of any InfoSec Solution

22. Human Factor
• People are biggest assets
• But also they are biggest threat
– More than 70% of Threats are Internal
– More than 2/3rd express their inability to determine “Whether
my systems are currently compromised?”
– Psychological manipulation “Social Engineering”
• Human awareness is most important issue
• Also handled under asset management part

23. THE 10 RULES OF THE SOHO INTERNET
• 1. Safeguard your computer.
• 2. Use strong passwords and a screensaver.
• 3. Update and patch your operating system.
• 4. Have an up-to-date firewall.
• 5. Have up-to-date anti-virus software.
• 6. Act anti-spam.
• 7. Use up-to-date anti-spyware/adware tools.
• 8. Be sensible – don’t take unnecessary risks.
• 9. Back it up.
• 10. Fix problems as soon as they arise.

24. Safe Password
 Always use at least 8 character password with combination of
alphabets, numbers and special characters (*, %, @, #, $, ^)
 Use passwords that can be easily remembered by you
 Change password regularly as per policy
 Use password that is significantly different from earlier passwords
Use passwords which reveals your personal
information or words found in dictionary
Write down or Store passwords
Share passwords over phone or Email
Use passwords which do not match above complexity
criteria

25. Enterprise Security Evaluation
• Five Questions:
– What assets are you trying to protect?
– What are the risks to these assets?
– How well does the security solution mitigate those risks?
– What other risks does the security solution cause?
– What costs and trade-offs does the security solution impose?
• These Questions doesn’t bring solution but
evaluates a particular one

26. • InfoSec is up-to-date sense of understanding of Risks and
Assurance Controls.
• Balancing between Protection from Risks and Controls is
guarantee of business continuity Availability of Information
• Policies are statements of management intentions and goals
• Value defines the importance of info and required protection
level
• Protection level determines procedures and policies
• Policies are approved by high level managers
• Senior Management support and approval is vital to success
• Successful system should have different level of Security to
urge flexibility
Concluding Remarks

27. Information Security
RECIPA-IMT