
Attacks, Services and mechanisms

Security attack
    Any action that compromises the security of information owned by an organization.

Security mechanism
    A mechanism that is designed to detect, prevent or recover from a security attack.

Security service
    A service that enhances the security of information transfers in an organisation.

Security Attacks
    Normal flow
    Interruption
    Interception
    Modification
    Fabrication

Active & Passive

Passive threats
    Release of message contents
    Traffic analysis

Active threats
    Masquerade
    Replay
    Modification of message contents
    Denial of service

Security Services
    Confidentiality, Authentication, Integrity, Nonrepudiation, Access control, Availability

Confidentiality
    The protection of messages from passive attacks: release of message contents and traffic analysis.

Authentication
    Confirms that the sender and the receiver are authentic, and that there is no interference from third parties.

Integrity
    Makes sure that there is no stream modification and no denial of service.

Nonrepudiation
    Prevents either the sender or the receiver from denying a transmitted message.

Access control

Availability
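The lists above pair each attack with the service that counters it. The following added example (written for this page, not code from the slides) makes that pairing concrete in a toy protected channel: encryption gives confidentiality against release of message contents, an HMAC over the header and ciphertext gives integrity and origin authentication against modification, fabrication and masquerade by a party without the key, and a sequence number defeats replay. The cipher is a hash-based counter-mode keystream built from SHA-256 so that the example runs on the standard library alone; it is illustrative only, not a substitute for a vetted AEAD. The shared secret and the sample message are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the slides): a toy protected channel showing
# which security service defeats which attack from the lists above.
# Confidentiality  -> contents are encrypted (release of message contents)
# Integrity/auth   -> a MAC over header+ciphertext (modification, fabrication,
#                     masquerade by a party without the key)
# Replay detection -> a monotonically increasing sequence number
# Caveat           -> packet length still leaks message length (traffic analysis)
#
# The cipher is a hash-based counter-mode keystream built from SHA-256;
# it is illustrative only, not a substitute for a vetted AEAD such as AES-GCM.

SEQ_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32
HEADER_LEN = SEQ_LEN + NONCE_LEN


def derive_keys(shared_secret):
    """Derive separate encryption and MAC keys from one shared secret."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(enc_key, nonce, data):
    """XOR data with SHA-256(enc_key || nonce || counter) blocks (toy CTR mode)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">I", offset // 32)
        block = hashlib.sha256(enc_key + nonce + counter).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def protect(shared_secret, seq, plaintext):
    """Sender side: encrypt, then MAC over header and ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = os.urandom(NONCE_LEN)
    header = struct.pack(">Q", seq) + nonce
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Receiver side: verify MAC first, then reject replays, then decrypt."""

    def __init__(self, shared_secret):
        self.enc_key, self.mac_key = derive_keys(shared_secret)
        self.last_seq = -1  # highest sequence number accepted so far

    def unprotect(self, packet):
        if len(packet) < HEADER_LEN + TAG_LEN:
            return ("reject", "truncated")
        header = packet[:HEADER_LEN]
        body = packet[HEADER_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return ("reject", "bad MAC: modification, fabrication or masquerade")
        seq = struct.unpack(">Q", header[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            return ("reject", "replay")
        self.last_seq = seq
        nonce = header[SEQ_LEN:HEADER_LEN]
        return ("accept", keystream_xor(self.enc_key, nonce, body))


def run_demo():
    """Run one genuine exchange plus one instance of each attack; return the outcomes."""
    secret = os.urandom(32)                     # constructed shared secret
    message = b"transfer 100 to account 42"    # constructed sample message
    receiver = Receiver(secret)
    results = {}

    packet = protect(secret, 1, message)
    results["genuine"] = receiver.unprotect(packet)

    # Replay: the identical packet is presented a second time.
    results["replay"] = receiver.unprotect(packet)

    # Modification: flip one bit inside the ciphertext.
    tampered = bytearray(packet)
    tampered[HEADER_LEN + 3] ^= 0x01
    results["modified"] = receiver.unprotect(bytes(tampered))

    # Masquerade: a party without the shared secret forges a packet.
    results["masquerade"] = receiver.unprotect(protect(os.urandom(32), 2, b"hello"))

    # Traffic analysis: confidentiality hides content, not size.
    results["length_overhead"] = len(packet) - len(message)

    # The legitimate next message still goes through.
    results["next"] = receiver.unprotect(protect(secret, 2, b"ack"))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:16} {outcome}")
```

The receiver checks the MAC before it parses anything else, so a forged or altered packet is discarded without its sequence number ever being trusted; the replay check only advances once the MAC has passed. Note what the channel does not give: the packet is always 56 bytes longer than the message, so an observer still learns message sizes and timing, which is exactly the traffic-analysis threat listed under passive attacks.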

A model for network security

(Figure.) Two principals exchange a message over an information channel. Each applies a security-related transformation to the message using secret information; an opponent has access to the channel. A trusted third party (e.g. an arbiter or a distributor of secret information) may take part.

What exactly are information assets?

People assets
    The professionals who are a part of the organisation.

Data assets
    Paper documents: contracts, business documents etc.
    Databases, intellectual property, procedures etc.

Software assets
    Application systems, development tools etc.

Physical assets
    Computers, servers, routers etc.

Services
    Telecommunications, power systems, ACs etc.

Your people are your greatest asset.

But sometimes they are also, unfortunately your greatest vulnerability.

You are only as strong as your weakest link!

Some dangerous statements commonly made

    "Nothing has happened to me till date." (it may be happening now)
    "Just wait for a week, there is something new coming up in security." (the wait never ends)
    "Is it really worth spending so much money just for information security?" (we normally realize that too late)
    "Our security systems are up-to-date. We just rebuilt our whole system last month." (sir, do you know what happened this morning?)

Do you seriously have answers to these questions?

    What will happen if a hacker attacks your network?
    Are you prepared for an external attack with inside knowledge?
    Is your data & network secured internally?
    Are your employees aware of the value of information?
    Are they taking care of information like any other physical asset?
    Do you have physical & logical security in place?
    Are you aware of disaster recovery planning?
    Do you have a business continuity plan in place?

Well frankly, in most cases NO!

The fundamental reason is lack of awareness.


Let us identify the threats

    You let web content, e-mail and files into your networks without being questioned - you are inviting trouble.
    Use of unauthorized CDs and other storage devices - they could make your system vulnerable.
    Lack of a defined security policy, lack of a password policy or poor passwords can cause a compromise in security.
    Access of ex-employees could prove the most dangerous.
    Natural disasters.

What is information security management?

Security is the reduction of risk. We can never eliminate risk, but effective security can reduce the risk to a business and its information resources. Any effective security system will have three stages:

    PREVENTION
    DETECTION
    REACTION

Let us now look at the most dangerous of them all: the insider
Always remember that the principal threats to a company's information assets are from the inside.

Most system managers believed that the threat was always from outside, and therefore all security systems were preventive.
Now they have started realizing that people back home are more dangerous.

SOME FACTS
The U.S. Chamber of Commerce reported that 75% of all employees steal from their employers, causing one third of all corporate bankruptcies. The FBI found that insider information theft accounts for 40% of all computer-related losses. They have also reported that insider information theft losses have increased on average by 49% annually for the past 5 years.

DANGEROUS INSIDERS?
    Insiders have the means to access the information we protect so vigilantly from attackers from the outside.
    Insiders have the means to invisibly copy your information and communicate it to others.
    One in every three business closures is the direct result of employee theft.
    Hackers have never put a company out of business (though they cause damage), but insiders have shut businesses down.

THE IMPACT
    PERSONAL INFORMATION WARFARE
    PUBLIC INFORMATION WARFARE
    CORPORATE INFORMATION WARFARE
    GOVERNMENT INFORMATION WARFARE

Current Solutions

The best of technology
    Firewalls, IDSs, anti-virus, encryption, content filters
    Automatic lock-out
    Two-way authentication

The best of processes
    ISO 27001 (earlier BS7799)
    Safe Harbor Act

Are we safe?
Look at the instances of fraud in spite of the controls:
    Instances of fraud in the finance/banking sector
    Many of them are not publicized, but they exist
Common thread:
    Internal employee sells information for money
    Internal employee sends source code to an unauthorized personal account

3 biggest threats

    Human fraud
    Human incompetence
    Human error

Contributing factors (from the slide diagram):
    External pressure
    Oppression to authority
    Desire for recognition
    Obedience to authority / fear
    Character weakness
    Emotions / behavior
    Reluctance to change
    Desire to help
    Self preservation
    Low involvement
    Curiosity

Threats
An attacker calls random employees in an organization. The following conversation takes place:
    "I am calling from the CFO's room. I am your ERP consultant. We are implementing a new system to process your salaries starting from next month onwards. We need your user name and password to integrate your salary processing to your user account."

5 out of 5 targets provided user names and passwords.

Threats
An external security consultant places 6 CD-ROMs in specific locations (rest room, conference room). Each CD-ROM is titled "2006 Financials and Lay Offs". Within a few hours each of these CD-ROMs is grabbed by employees, and the employees run the CDs. Each CD has a hidden script which records the IP address of the host machine.

All behavior is learned through the consequences that follow. If the person likes the consequence, the behavior will be repeated; if the person does not like the consequence, the behavior is less likely to be repeated.

Information Technology Act 2000

Passed in May 2000 by both houses of parliament, the IT Act 2000 aims at providing a legal framework under which legal sanctity is accorded to all electronic records and other activities carried out by electronic means.

Objectives
    Grant legal recognition for transactions carried out by electronic means
    Legal recognition to digital signatures
    Facilitate electronic filing of documents
    Electronic storage of data
    Legal sanction to fund transfer
    Legal recognition to books of accounts kept by bankers in electronic form
    To amend the Indian Penal Code, the Indian Evidence Act 1872, the Bankers' Books Evidence Act 1891 and the RBI Act 1934

Scope
    Use of asymmetric digital signatures
    Authentication of records using digital signatures
    Electronic governance
    Attribution, receipt and despatch of electronic records
    Certifying authorities and regulations
    Digital signature certification
    Cyber regulations
    Offences and implications
    Network service providers' liabilities and exceptions
