Contents

Prologue
General Introduction
Information Systems
Passwords
PC Security
Backup & Recovery
Physical Security
Wireless Security
Identity Theft
Social Engineering
E-mail Security
Internet Security
Computer Viruses
Copyright
Hacked
Selling Information Security to Top Management

PROLOGUE

From the standpoint of an organization, information has value and is therefore an asset. It needs to be protected just like any other corporate asset, and because information must be protected, the infrastructure that supports it must also be protected. This infrastructure includes all the networks, systems and functions that allow an organization to manage and control its information assets. The question is: how do you protect your information assets? That's where this course comes in. The Information Security Awareness Course explains what you can do to protect your organization's information assets. The course objective is to raise information security awareness and to help you recognize your role in protecting the organization's information and information systems. The course covers 12 topics planned to span the whole spectrum of information security, in easy-to-digest chunks. The course will be concluded by an exam and a course wash-up.

Hacked

Introduction

In today's complex and Internet-dependent environments, the potential risk of a malicious hacker incident or security breach is growing at an alarming rate. The security of systems and applications remains an ongoing challenge for IT and business leadership. Many cyber-attacks are simply automated and indiscriminately target identifiable vulnerabilities in hardware and software, irrespective of the organization that uses them. These vulnerabilities include unpatched software, inadequate passwords, poorly coded websites and insecure applications.

Precautions

Secure Coding

Writing your application and network code in a secure way is vital to defending your applications and network, as it minimizes the risk of being hacked. Generally, it is much less expensive to build secure software than to correct security issues after the software package has been completed, not to mention the costs that may be associated with a security breach. Securing critical software resources is more important than ever, as the focus of attackers has steadily moved toward the application layer, as the top recent attacks have shown. Your development team should be proficient in security in order to implement and assess the security level of an application during its full lifecycle. Thus the development team members should have the responsibility, adequate training, tools and resources to validate that the design and implementation of the entire system are secure. The SANS Institute and EC-Council are leaders in this industry and can provide developers with the required tools and skills to attain an acceptable level of secure coding.

Secure Coding Checklist:
- Input Validation
- Output Encoding
- Authentication and Password Management
- Session Management
- Access Control
- Cryptographic Practices
- Error Handling and Logging
- Data Protection
- Communication Security
- System Configuration
- Database Security
- File Management
- Memory Management

Server Hardening

Server hardening is the process of enhancing server security through a variety of means, resulting in a much more secure server operating environment thanks to the advanced security measures put in place during the hardening process. It is probably one of the most important tasks to be handled on your servers, which becomes clearer once you realize all the risks involved. The default configuration of most operating systems is not designed with security as the primary focus; instead, default setups focus more on usability, communications and functionality. To protect your servers you must establish solid and sophisticated server hardening policies for all servers in your organization. Developing a server hardening checklist would be a great first step in increasing your server and network security. Make sure that your checklist includes the minimum security practices that you expect of your staff. If you engage a consultant, you can provide them with your server hardening checklist to use as a baseline.

The server hardening checklist varies from one operating system to another; however, the list below contains the general tasks that should be followed for any operating system:
- Configure a security policy
- Disable or delete unnecessary accounts, ports and services
- Uninstall unnecessary applications
- Configure the operating system's internal firewall / iptables
- Configure auditing
- Disable unnecessary shares
- Configure encryption
- Apply updates and hot fixes
- Install trusted anti-virus and anti-malware software
- Apply least privilege
- Disable the server banner and version information
- Enable only the POST and GET methods
- Disable IPv6 unless required
- Review access logs and system error logs

A number of tools can automate the process of server hardening; the best products include Nessus, URLScan, the Microsoft Security Compliance Management toolkit (SCM) and the Microsoft Baseline Security Analyzer (MBSA).

Routine Penetration Tests

The most effective way to protect your data is to identify the potential vulnerabilities that exist and close them before you are attacked. By applying a series of thorough tests delivered by highly skilled, experienced experts who can find those holes and vulnerabilities fast, you will be able to quickly fix those areas, which in turn will improve your security posture. Penetration tests are designed to test networks, servers, applications, mobile platforms, laptops, wireless systems, printers and any other hardware or system that can store, transmit or process data and that a cyber-criminal could exploit to take control of your systems.

Types of Penetration Testing

External pen-testing is the traditional, more common approach. It addresses the ability of a remote attacker to get to the internal network. The goal of the pen-test is to access specific servers and crown jewels within the internal network by exploiting externally exposed servers, clients and people. Whether it is an exploit against a vulnerable web application or tricking a user into giving up their password over the phone, allowing access to the VPN, the end game is getting from the outside to the inside.

Internal pen-testing takes a different approach, as it simulates what an insider attack could accomplish. The target is typically the same as in external pen-testing, but the major differentiator is that the attacker either has some sort of authorized access or is starting from a point within the internal network. Insider attacks have the potential to be much more devastating than an external attack because insiders already know what is important within a network and where it is located, something that external attackers don't usually know from the start.

With the rapid changes in the IT industry in terms of technologies and tools, a cyber-criminal may be able to exploit a previously secure environment after some time, and thus routine penetration testing is required to identify newly emerging threats.

OCERT Penetration Testing Service

Oman National CERT provides penetration testing and vulnerability assessment to all government and Critical National Infrastructure organizations. You can apply for the service through its website. After the penetration test and vulnerability assessment have been conducted you will receive a detailed report of the discovered vulnerabilities, categorized according to their risk level and impact, including the suggested solution according to best practice.

ITA Web Security Policy

The Information Technology Authority has created a Web Security Policy with the guidance of many information security specialists, which you can easily follow to implement the best security measures for your web applications and servers. The policy can be downloaded here:

Backups

There is no doubt that backups are very important in any organization; they are one of the major security measures that must be implemented to ensure data availability. However, it is important to understand the risks that come with backups and how to mitigate them. Backups should be stored on a backup server and on hard drives or tapes on a daily, weekly or monthly basis depending on the data sensitivity and frequency of updates. The location where backups are stored must be secured and controlled by access control to prevent any illegal or unauthorized access. Moreover, sensitive backups should be encrypted both in transit and in storage in case they fall into the wrong hands. Backup servers are no exception and must be hardened and penetration tested to ensure no vulnerability exists. The physical security of the storage location must be controlled and regulated to deny any unauthorized access. If the physical storage devices are to be transported to an off-shore location, they must be transported in locked containers and a background check on the transportation company and its staff must be conducted. As a regulatory measure, all backup operations must be logged so that incidents can be traced to their sources. Nowadays automated backups are very common, as they provide an efficient solution for frequent backups. It is important to select a solution that implements security measures and a logging service to keep track of the processes and their status. Such solutions must be updated and patched regularly. Testing the backup files is vital and must be done on a regular basis in a test environment to ensure data accuracy and a working retention process.

Monitoring

Monitoring can assist greatly in detecting server performance and network performance problems, reviewing access logs and spotting any malicious activity happening at the server level. Moreover, monitoring during the testing phase could detect threats that can be addressed and fixed before going live. As new threats emerge, monitoring could also detect them by identifying suspicious behaviour which needs further investigation.

Monitoring Benefits:
1. Protect against internal and external threats
2. Make the most of existing and future security investments
3. Bolster security with advanced research and global security intelligence
4. Obtain comprehensive visibility into the security activity on your network
5. Meet and exceed regulatory requirements for log monitoring

It is important to follow an international standard when it comes to log monitoring, such as PCI-DSS and the relevant ISO standard. Some organizations MUST follow these standards in order to get a licence to conduct business, e.g. Critical National Infrastructure organizations such as banks, traffic management, oil and gas, etc. There are also a number of operations monitoring frameworks that you can follow, including the Microsoft Operations Framework; such frameworks can assist you to:
1. Assess business exposure and identify which assets to secure.
2. Identify ways to reduce risk to acceptable levels.
3. Design a plan to mitigate security risks.
4. Monitor the efficiency of security mechanisms.
5. Re-evaluate effectiveness and security requirements regularly.

As a best practice, it is important to acquire a monitoring solution that gathers all the monitoring logs in a central, secured location to ease the process of viewing the logs and dealing with them. It is also advisable to have a dedicated monitoring team for this task, since they will play a vital role in reviewing large volumes of logs and doing the necessary security checks to identify high-risk activities. The sections below discuss what to monitor, along with processes and solutions.

Unauthorized Access (Security Audit)

There are two types of events that are recorded in the Security event log: success audits and failure audits. Success Audit events indicate that an operation a user, service or program performed has completed successfully. Failure Audit events detail operations that have not completed successfully. For example, failed user logon attempts are Failure Audit events and would be recorded in the Security event log if logon audits were enabled.

In theory, users must only be permitted to carry out the tasks that were assigned to them by the administrator, so any tasks that are not allowed should be investigated, reported and restricted. Failure audits in most cases mean an attack is happening and must be dealt with as quickly as possible to minimize the risk of any cyber-attack. A policy should also be created to block any further attempts, e.g. IP lockdown, username lockout, etc. To assess your security audit policies it is important to:
1. Review current security audit settings.
2. Assess administrator roles and normal user tasks.
3. Review business policies and procedures.
4. Identify vulnerable systems.
5. List high-value assets.
6. Identify sensitive or suspicious accounts.
7. List authorized programs.
8. Investigate attempts from unusual geographic areas.

It is also recommended to have a written process for adding new users to your Active Directory, along with the roles they will be assigned according to their level of access.

Malicious Activity Monitoring

Malicious activities can range from scanning for ports to planting worms and viruses. Such activities can be easily spotted by applying the above-mentioned strategy and having an IDS/IPS in place. It is very important to capture as much information as possible in order to prevent and investigate such activities. Many advanced IDSs can notify the monitoring team of those activities, which need to be addressed in real time to minimize the impact and allow the team to investigate them further and rule out any false-positive notifications. The damage caused by an insider threat can take many forms, including the introduction of viruses, worms or trojan horses; the theft of information or corporate secrets; the theft of money; the corruption or deletion of data; the altering of data to produce inconvenience or false criminal evidence; and the theft of the identities of specific individuals in the enterprise. Protection against the insider threat involves measures similar to those recommended for Internet users, such as the use of multiple spyware scanning programs, anti-virus programs, firewalls, and a rigorous data backup and archiving routine.

Intrusion Detection

An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS can play a vital role in the early detection of security threats to your network, servers and websites. An IDS can be configured to detect certain types of malicious activity and notify the monitoring team about them.

IDS Types

Misuse detection vs. anomaly detection: in misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol and typical packet size. The anomaly
detector monitors network segments to compare their state to the normal baseline and looks for anomalies.

Network-based vs. host-based systems: in a network-based system, or NIDS, the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. In a host-based system, the IDS examines the activity on each individual computer or host.

Passive system vs. reactive system: in a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Intrusion Prevention

An intrusion prevention system (IPS) is used in computer security. It provides policies and rules for network traffic along with an intrusion detection system for alerting system or network administrators to suspicious traffic, but allows the administrator to decide the action to take upon being alerted. Some compare an IPS to a combination of an IDS and an application-layer firewall. Intrusion prevention systems can be classified into four different types:
1. Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
3. Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.
4. Host-based intrusion prevention system (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
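The misuse-versus-anomaly distinction from the IDS Types section, carried into code as an added example (not OCERT tooling or code from the course): a small signature matcher plus a port-sweep counter stands in for the attack-signature database, and a baseline of protocol breakdown and typical flow size stands in for the administrator-defined normal state. All addresses, ports, byte counts and signature entries are constructed.

```python
"""Misuse (signature) detection beside anomaly (baseline) detection over
constructed flow records, illustrating the IDS Types section.

Added example for this course chapter, not OCERT tooling. Every host,
address, port, byte count and signature below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


# One flow record = (src_ip, dst_ip, proto, dst_port, bytes_transferred)
def flows(src, dst, proto, port, size, count):
    return [(src, dst, proto, port, size)] * count


# Constructed "normal day" used to learn the baseline: mostly HTTPS, some
# HTTP and DNS, with flow sizes that stay around a kilobyte or less.
BASELINE_FLOWS = (
    flows("10.0.0.12", "198.51.100.10", "tcp", 443, 1200, 40)
    + flows("10.0.0.13", "198.51.100.11", "tcp", 80, 800, 20)
    + flows("10.0.0.12", "10.0.0.2", "udp", 53, 120, 20)
)

# Constructed observation window with four things worth an alert.
OBSERVED_FLOWS = (
    flows("10.0.0.12", "198.51.100.10", "tcp", 443, 1200, 10)
    + flows("10.0.0.12", "10.0.0.2", "udp", 53, 120, 3)
    + flows("10.0.0.5", "10.0.0.9", "tcp", 23, 300, 1)            # cleartext telnet
    + [("198.51.100.40", "10.0.0.9", "tcp", p, 60)                 # port sweep
       for p in (21, 22, 25, 80, 110, 143, 443, 445, 3389, 8080)]
    + flows("198.51.100.77", "10.0.0.9", "tcp", 443, 900, 1)       # listed bad source
    + flows("10.0.0.7", "203.0.113.50", "tcp", 443, 9_000_000, 1)  # oversized upload
)

# Misuse detection: the "signature database". Each entry is a set of
# field=value conditions that must all match a single flow (constructed).
SIGNATURES = {
    "cleartext-telnet": {"proto": "tcp", "dst_port": 23},
    "known-bad-source": {"src_ip": "198.51.100.77"},
}
FIELDS = ("src_ip", "dst_ip", "proto", "dst_port", "bytes")
SCAN_PORT_THRESHOLD = 8   # distinct ports from one source to one host


def misuse_detect(flow_list, signatures=SIGNATURES):
    """Compare every flow against documented signatures, then count distinct
    destination ports per (src, dst) pair, the documented port-scan pattern."""
    alerts = []
    ports_seen = defaultdict(set)
    for flow in flow_list:
        record = dict(zip(FIELDS, flow))
        for name, conds in signatures.items():
            if all(record[k] == v for k, v in conds.items()):
                alerts.append((name, record["src_ip"]))
        ports_seen[(record["src_ip"], record["dst_ip"])].add(record["dst_port"])
    for (src, _dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("port-scan", src))
    return alerts


def build_baseline(flow_list):
    """Anomaly detection, step 1: learn the normal protocol breakdown and the
    typical flow size from known-good traffic."""
    sizes = [f[4] for f in flow_list]
    counts = defaultdict(int)
    for f in flow_list:
        counts[f[2]] += 1
    total = len(flow_list)
    return {"proto_share": {p: c / total for p, c in counts.items()},
            "size_mean": mean(sizes), "size_sd": pstdev(sizes)}


def anomaly_detect(baseline, flow_list, share_tolerance=0.20, z_limit=3.0):
    """Anomaly detection, step 2: flag protocol shares that drift from the
    baseline and single flows whose size is far outside the norm (z-score)."""
    findings = []
    counts = defaultdict(int)
    for f in flow_list:
        counts[f[2]] += 1
    total = len(flow_list)
    for proto in sorted(set(counts) | set(baseline["proto_share"])):
        drift = abs(counts.get(proto, 0) / total - baseline["proto_share"].get(proto, 0.0))
        if drift > share_tolerance:
            findings.append(("protocol-share-drift", proto))
    for f in flow_list:
        z = (f[4] - baseline["size_mean"]) / baseline["size_sd"]
        if abs(z) > z_limit:
            findings.append(("flow-size-outlier", f[0]))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("misuse  :", misuse_detect(OBSERVED_FLOWS))
    print("anomaly :", anomaly_detect(base, OBSERVED_FLOWS))
```

The signature matcher only ever finds what is already in its table, which is the text's point about signature databases; the oversized upload is caught only by the baseline comparison, and it is invisible to the signatures.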
Having an IPS in place helps in taking early action to prevent such activities and gives the monitoring team more time to investigate them.

OCERT Monitoring Service

Oman National CERT provides monitoring services for different levels and environments, including:
1. Network monitoring
2. Website logs monitoring
3. Website URL monitoring
4. Server monitoring

To read more about the OCERT monitoring service please visit the following page:
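The failure-audit review described under Unauthorized Access (Security Audit), with the passive (alert) and reactive (block) steps contrasted in the IDS Types section, as an added example that is not part of the course material or OCERT's tools. The pipe-delimited export format, the threshold and window, and every record, host, account and address are constructed assumptions.

```python
"""Failure-audit review over constructed Windows Security event records
(event ID 4625, "An account failed to log on"): a passive detector raises an
alert when one source address or one account accumulates too many failures
inside a sliding window, and a reactive step turns those alerts into the
IP lockdown / username lockout policy the text describes.

Added example for this course chapter, not OCERT tooling. The export format
(time|event_id|account|source_ip|status) and all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

THRESHOLD = 5                  # failures that trigger an alert (assumed policy)
WINDOW = timedelta(minutes=5)  # sliding window length (assumed policy)

# NTSTATUS values carried in the 4625 event's Status field.
STATUS_TEXT = {
    0xC000006A: "wrong password",
    0xC0000064: "user name does not exist",
    0xC0000234: "account locked out",
}

# Constructed export: one successful logon, a burst of failures from one
# Internet address against many accounts, and slow guessing against "bob"
# from several internal addresses. The 07:00 record lies outside the window.
SAMPLE_LOG = """\
2024-03-01T07:00:00|4625|bob|10.0.0.31|0xC000006A
2024-03-01T08:00:01|4624|alice|10.0.0.12|0x0
2024-03-01T08:00:05|4625|admin|203.0.113.9|0xC0000064
2024-03-01T08:00:06|4625|administrator|203.0.113.9|0xC0000064
2024-03-01T08:00:07|4625|root|203.0.113.9|0xC0000064
2024-03-01T08:00:08|4625|backup|203.0.113.9|0xC000006A
2024-03-01T08:00:09|4625|alice|203.0.113.9|0xC000006A
2024-03-01T08:00:10|4625|guest|203.0.113.9|0xC0000064
2024-03-01T08:10:00|4625|bob|10.0.0.31|0xC000006A
2024-03-01T08:11:00|4625|bob|10.0.0.44|0xC000006A
2024-03-01T08:12:00|4625|bob|10.0.0.31|0xC000006A
2024-03-01T08:13:00|4625|bob|10.0.0.58|0xC000006A
2024-03-01T08:14:00|4625|bob|10.0.0.44|0xC000006A
this line is malformed and must be skipped rather than crash the review
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\|(?P<event>\d+)\|(?P<account>[^|]+)\|(?P<ip>[^|]+)\|(?P<status>0x[0-9A-Fa-f]+)$"
)


def parse(text):
    """Parse the export into dicts, dropping malformed lines, sorted by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "time": datetime.fromisoformat(m["time"]),
            "event": int(m["event"]),
            "account": m["account"],
            "ip": m["ip"],
            "status": int(m["status"], 16),
        })
    return sorted(records, key=lambda r: r["time"])


def review_failures(records, threshold=THRESHOLD, window=WINDOW):
    """Passive step: count failure audits per source IP and per account inside
    the sliding window; raise one alert per key once the threshold is reached."""
    recent = defaultdict(list)   # (kind, key) -> [(time, status), ...]
    alerts = {}
    for r in records:
        if r["event"] != 4625:
            continue
        for kind, key in (("ip", r["ip"]), ("account", r["account"])):
            cutoff = r["time"] - window
            bucket = [x for x in recent[(kind, key)] if x[0] >= cutoff]
            bucket.append((r["time"], r["status"]))
            recent[(kind, key)] = bucket
            if len(bucket) >= threshold and (kind, key) not in alerts:
                alerts[(kind, key)] = {
                    "kind": kind, "key": key, "count": len(bucket),
                    "first": bucket[0][0], "last": r["time"],
                    "reasons": sorted({STATUS_TEXT.get(s, hex(s)) for _, s in bucket}),
                }
    return list(alerts.values())


def reactive_actions(alerts):
    """Reactive step: map alerts to the blocking policy named in the text."""
    return [("ip_lockdown" if a["kind"] == "ip" else "username_lockout", a["key"])
            for a in alerts]


if __name__ == "__main__":
    found = review_failures(parse(SAMPLE_LOG))
    for a in found:
        span = f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}"
        print(f"{a['kind']}={a['key']}: {a['count']} failures {span} ({', '.join(a['reasons'])})")
    print(reactive_actions(found))
```

Keying on the account as well as the source address is what catches the slow attempt against one user from several addresses, which a per-IP rule alone never reaches the threshold for.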

Updates / Patching

With new emerging threats and zero-day attacks, it is important to keep your servers and appliances updated and patched to avoid any sudden attacks. Moreover, registering with reputable information security advisories is recommended so that you are notified of any alert.

Automatic OS Updates

Automatic updates can save administrators valuable time updating and patching in big organizations. Moreover, to hasten the process and ensure that all machines are updated and patched, use a central update and patch deployment system which the administrators can manage and push updates from.

Latest Threats and Notifications

Oman National CERT provides an online Threats and Alerts Notification (TNAS) service which you can join to be updated with the latest threats in Arabic and English. In addition, you can register to receive the latest TNAS notifications in your inbox.

Scanning

Having anti-virus and anti-spam solutions on your servers and machines will protect you from harmful and malicious viruses, trojans and botnets. Keeping your anti-virus definitions up to date is critical and should be managed professionally through an enterprise solution that pushes the updates to all the organization's computers. With such enterprise solutions administrators can control the updates and also prohibit users from turning the AV off, by using password-protected features that are only accessible to administrators.

Malware Scanning

Oman National CERT provides administrators and normal users an option to scan their machines for known malicious code via the Cyber Clean Project, which is accessible through OCERT CCP.

Security Auditing

Passwords

Passwords are generally the first line of defense against hackers, and thus it is important to choose a password that is complex, hard to guess and not a dictionary word. However, the main challenge is to ensure password rotation and renewal.

At the Active Directory level, passwords must be set to be complex, and by complex it is meant that a password must include at least one of the following:
1. Lowercase letter [abcdefghijklmnopqrstuvwxyz]
2. Uppercase letter [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
3. Number [0123456789]
4. Special character [!@#$%^&*()_+{} :"<>?~`-=[];,./]

Moreover, passwords must expire! Many databases get hacked and user profiles get leaked, and thus it is important to routinely change passwords; that is doable by enabling the password expiry rule in most advanced servers. For very sensitive data, there is the concept of two-factor authentication, which requires users to enter their passwords along with a second token or key that is securely generated and shared with the users. Many large organizations use hardware-based token generators that are tied to the user account to ensure maximum security. In addition, there are software-based token generators such as Google Authenticator, which generate token numbers that change over a short period of time. Many users think that complex passwords, password rotation and two-factor authentication are inconvenient, but those users must be educated about the importance of such procedures and how they assist in protecting their own and their organization's information.

Access Control

Access control determines who should access what, their level of access and their roles generally. Administrators should have certain access templates ready to authenticate users against the Active Directory and ensure that only genuine users can access the organization's network to carry out their allotted tasks. Roles are very crucial since they determine the level of access granted to users and ensure that users cannot gain elevated access to restricted and confidential data they are not supposed to access. Hackers will always try to get access to an organization's network to steal information or to carry out an attack by abusing certain rules, cracking passwords or through a backdoor. Such attempts must be identified in real time and blocked immediately.

Secure Remote Communication

In many cases users need to access their confidential data outside the organization's premises, e.g. e-mails, and that should be done through secure channels to minimize the leakage of information. This can be done over:

Secure FTP (SFTP): a network protocol for accessing and managing files on remote file systems. The main role of SFTP is to encrypt both commands and data, preventing passwords and sensitive information from being transmitted in the clear over a network.

Secure Forms (SSL): web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to help users protect their data during transfer by creating a uniquely encrypted channel for private communications over the public Internet. Each SSL certificate consists of a key pair as well as verified identification information. When a web browser (or client) points to a secured website, the server shares the public key with the client to establish an encryption method
and a unique session key. The client confirms that it recognizes and trusts the issuer of the SSL certificate. This process is known as the "SSL handshake" and it begins a secure session that protects message privacy, message integrity and server security. SSL certificates can be purchased online through reputable companies such as Verisign, Symantec and other authorized Certificate Authorities (CAs).

VPN Access: VPNs, or Virtual Private Networks, allow users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, VPNs protect it online. And while a VPN is technically a WAN (Wide Area Network), the front end retains the same functionality, security and appearance as it would on the private network.

Secure Shell (SSH): SSH creates both the VPN tunnel and the encryption that protects it. This allows users to transfer otherwise unsecured data by routing the traffic from remote file servers through an encrypted channel. The data itself isn't encrypted, but the channel it is moving through is. SSH connections are created by the SSH client, which forwards traffic from a local port to one on the remote server. All data between the two ends of the tunnel flows through these specified ports.

Encryption

It is always advisable to encrypt the data stored on users' machines, servers and any storage device that contains sensitive data. Encryption can cause a delay in retrieving large amounts of data, as the data needs to be decrypted into a readable format before being sent back to the user. However, with the advancement of processors these days this shouldn't be an obstacle, since the advantages outweigh the disadvantages. Many large organizations, including ITA, have enforced a policy to encrypt all portable devices, including laptops, to add an additional layer of security in case of theft or loss of such devices, which mostly contain sensitive data.
Firewall

A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Firewalls can be either hardware or software, but the ideal firewall configuration will consist of both. In addition to limiting access to your computer and network, a firewall is also useful for allowing remote access to a private network through secure authentication certificates and logins. Hardware firewalls can be purchased as a stand-alone product but are also typically found in broadband routers, and should be considered an important part of your system and network set-up. Most hardware firewalls will have a minimum of four
network ports to connect other computers, but for larger networks, business networking firewall solutions are available. Software firewalls are installed on your computer (like any software) and you can customize them, allowing you some control over their function and protection features. A software firewall will protect your computer from outside attempts to control or gain access to your computer.

Application Firewall

Application firewalls secure and protect application communications, in much the same way that network firewalls secure and protect network communications. By being aware of the language that applications use to transmit information, application firewalls can deny or modify invalid or suspicious activity. Widely used application firewalls include ModSecurity and URLScan.

Environment Segregation

It is always good practice to segregate your environments, as it helps in minimizing the risk of publicly publishing harmful or buggy applications and code. The three main advisable environments are:

Testing Environment: this environment places limited restrictions on the administrators and developers within an organization, so that they can test their application under different circumstances, e.g. testing wrong data, penetration testing, code security checks, sending harmful packets, creating non-reversible actions, etc. This environment is important since developers will have a replica of their production environment but with no fear of destroying it while conducting their tests, since it is a private environment not accessible by the public.

Development Environment: this environment is considered the developers' heaven; they control the whole environment in terms of access and have the freedom to control the applications, installations, deletions, etc. Developers can develop, test and experiment with this environment as they see fit for their needs and requirements.

Production Environment: this is a very sensitive environment and the level of access should and must be controlled by professional administrators to ensure that it is up and running all the time. All the controls, firewalls, IPSs and IDSs should be configured and in place to protect this environment from hackers and cyber criminals. Usually an application or data must go through the two above-mentioned environments to ensure their stability before being transferred to this environment by professional administrators.

Recovery

Data recovery is the process of restoring data that has been lost, accidentally deleted, corrupted or made inaccessible for any reason. In enterprise information technology (IT), data recovery typically refers to the restoration of data to a desktop, laptop, server or external storage system from a backup. The data recovery process may vary depending on the circumstances of the data loss, the data recovery software used to create the backup, and the backup target media. For example, many desktop and laptop backup software platforms allow end users to restore lost files themselves, while restoration of a corrupted database from a tape backup is a more complicated process that requires IT intervention. Data recovery can also be provided as a service. Such services are typically used to retrieve important files that were not backed up and were accidentally deleted from a computer's file system but still remain on disk in fragments. An organization's disaster recovery plan should make known who in the organization is responsible for recovering data, provide a strategy for how data will be recovered, and document acceptable recovery point and recovery time objectives. In case of emergencies a partial or full recovery should be made so that systems go live with accurate data.

How to Deal With It

This section outlines how to deal with successful hacking attempts against your system, website, network, database, etc. The first step is to report such an incident to a reputable organization that has the capabilities to investigate and resolve cyber incidents while maintaining your privacy and confidentiality. Oman National CERT fits that profile, will assist you at no additional cost and will act immediately.

Oman National CERT: How and Where to Report

OCERT provides different reporting channels, including:
1. Online incident report
2. ocert999@ita.gov.om
3. Phone: (+968)

What to Prepare

While waiting for a reply from OCERT, you can prepare the following items, which will be required for the investigation process:
1. Log files (access log files, server log files, error log files)
2. Copy of the infected file(s)
3. Full copy of the infected system

Additional items might be requested based on the results of the initial investigation, and that will be requested at an earlier stage.

Evidence Handling

Your infected or hacked machine, server or network is considered a crime scene and must be dealt with accordingly. Machines must not be restarted or shut down normally under any circumstances. Internet/intranet connection cables can and should be disconnected immediately to start the damage control process. In case of criminal charges the infected machines will be used as evidence, and the digital forensics team will analyze the evidence and write their final report, which will be used in the court of law.

Regain Control

With the above items kept in mind, it is important to regain control over your infected machines by:
1. Taking your infected machine offline! Disconnect it from local and external access.
2. Trying to remove the infected files, scripts or malware.

Once done with this process and you have reported the incident, you can assess the damage done by such an attack, including:
1. Were they looking for sensitive information?
2. Did they want to gain control of your site for other purposes?
3. Look for any modified or uploaded files on your web server.
4. Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.
5. Determine the scope of the problem: do you have other sites that may be affected?

It is also important to understand that so far you haven't fixed the source of the problem, so don't try to recover the website and publish it yet.

Investigations: Log Reviews

The Oman National CERT team will send you a fully detailed report of the findings along with the possible fixes and will guide you through the recovery process. In addition, since your organization is a target, it is advisable to forward all your access logs to the OCERT monitoring team for live monitoring to detect and prevent malicious activity. There are a number of scripts and applications built by OCERT that can assist administrators in detecting and preventing possible hacking attempts. Such tools include the CIA (Content Integrity Agent), which prevents hackers from adding or altering any files on web servers.

References
1. OWASP SCP Quick Reference Guide v2
2. Server Hardening Website
3. Steps to harden Windows Servers
4. Linux Server Hardening Tips
5. Why penetration testing is important?
6. Internal vs. External Pen-Testing
7. Security Monitoring and Attack Detection
8. Secure Sockets Layer (SSL): How It Works

SELLING INFORMATION SECURITY TO TOP MANAGEMENT

Introduction

"In order to really enforce people, you need to get top level buy-in," says Ira Winkler, chief security strategist at Codenomicon. According to a survey done by Infosectoday.com in 2013, top management support was the number 1 issue facing information security adoption in most organizations in the US. Thus it's important to tackle this issue and propose solutions to overcome the reluctance of top management.

Security has traditionally been viewed as a tradeoff with business productivity. It's been this way for years. But it doesn't have to be. CIOs and CISOs need to have their finger on the pulse of security and how it affects their business from a tactical and strategic perspective. Information security, if practiced right, shouldn't slow down the business but should actually complement it and even improve business agility.

Proving that security pays is difficult. In fact, with many security technologies, there's no demonstrable return on investment (ROI) justification for their deployment. But during the different sections of the course you'll acquire the skills and techniques to sell information security to top management. In this chapter we'll focus on the possible ways you, as a security officer, can sell information security to your organization's top management.

Why top management doesn't understand information security

Before discussing the methods and solutions, it's important to understand how top management thinks in any organization that doesn't have a functional information security office.

Information security is viewed as an operation

Most C-level managers don't view information security as a strategic matter, but rather as an operational issue that can function on its own with the least amount of resources provided. This attitude has caused many organizations to either ignore information security or isolate the security team from other parts of the business and eliminate any possibility of communication between the security team and the business managers.

Different communication language

Most managers are concerned about financial figures, expenses, profits and return on investment (ROI), so they don't speak the same language as information security managers, who are concerned about data loss prevention, intrusion detection, policies, controls etc.

Information security is not tangibly measured

Most managers focus on tangible results. Unfortunately, information security success is not tangibly measured, since most of the investment to be made will protect intangible items, even though what information security policies and controls protect is very crucial and critical to the business.

IT and information security roles conflict

Top management still believes that information security should be an IT operational task and should be managed by the IT department, without understanding the real role of information security offices and how they should be totally independent in terms of management to carry out their tasks efficiently.

Top management isn't technically aware of the risks associated

When the subject of information security is raised in management meetings it usually gets the lowest priority and the least amount of time to be discussed, since senior managers aren't technically aware of computer security crimes and cybercrimes.

Solutions

After knowing how top management thinks and perceives information security, it would be great to know how to change their mindset and persuade them of the importance of information security to the organization.

Get to know the right persons within your organization

Having friendly discussions with the CFO, CEO or internal audit director could give you excellent insight on how best to approach the board. Also, make sure you have some space for discussing information security. These are your opportunities to keep the CEO up to date on your company's major risks and protective measures.

Keep your CEO updated on laws and regulations

Information protection is now mandatory. Laws, regulations, insurance requirements and shareholder expectations now make information protection a business requirement. Based on your organization's reporting structure, the CEO is the one who will deliver the InfoSec message to the board. You then need to win the heart and mind of your CEO and, hence, the board.

Be very opportunistic

CEOs are very selective about what they present to the board. You can take advantage of this to put information security on the agenda. For example, a well-publicized computer crime (e.g. the recent Heartbleed vulnerability) is bound to have their attention. You can do the same with incidents within your own organization. Demonstrate that a major computer breach could mean that next quarter's numbers may be considerably lower. You should be very specific and provide estimated numbers.

Leverage (and try to influence) the work performed by others

The Internal Audit department's work is usually very valuable. External audits and security testing services can also help a lot. As an ISP, you might be subject to ISAE audits. Use those to push your needs and concerns to the board. For example, I have recently performed an Information Security Governance audit for a big company. The client was their Internal Audit department, who was informally «hired» to do it by the CSO / Security department in order to move things forward with the board.

Point out how good information security can be a value-add for your company

Even though a CEO or some other top executive might understand the need for compliance, other members of top management probably won't buy into this idea; this is why it is important to find some other benefits for implementing information security. I usually recommend thinking about four types of benefits: compliance, marketing, lowering costs, and optimizing business processes. The benefits of information security, especially the implementation of ISO, are numerous. The following four are the most important:

Compliance

It might seem odd to list this as the first benefit, but it often shows the quickest return on investment: if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO can bring in the methodology that enables it to do so in the most efficient way.

Marketing edge

In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO could indeed be a unique selling point, especially if you handle clients' sensitive information.

Lowering the expenses

Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees. The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management's attention.

Putting your business in order

This one is probably the most underrated: if you are a company which has been growing sharply for the last few years, you might experience problems like who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems etc.

Use well-accepted techniques of finance and decision-making processes to justify infosec investments

Business executives spend money based on ROI, and may not react well to an approach based on unquantified, albeit very real, fears. It's not always easy (the available solutions often don't lend themselves to a by-the-numbers analysis), but your best shot is to present an objective and quantified estimate of the returns on InfoSec investments. These points will help you a lot when talking about finance and decision-making processes:

Company or executive liability

The CEO and board of directors can be held personally liable if they're shown to have known that a business risk existed and they did nothing to remediate the risk. So, you can leverage this (gently) in your communication. Once they're on board with the need to self-assess, they may even elect to conduct physical pen testing of the company premises (a «fire inspection» that installs key-logging USB sticks that phone home on all the machines).

Costs or lost revenue from PCI-DSS

If you receive payments through credit cards, the PCI-DSS «standard» mandates that certain security solutions must be implemented within the business infrastructure. Credit card companies have come up with this as a way of shifting the liability for fraudulent transactions from them to you (the customer-facing business). If you were to be audited (and I'm dealing with a medium-sized business that's being audited right now), you could be forced to bring in 3rd-party security vendors or managed-service-providers to assess and implement security, all at a much higher cost than you could do on your own, or risk being cut off from processing by Visa, MC, and/or AmEx until you can prove that you've corrected the issues and have paid for an independent audit. You should seek more info on this on your own, as this is a real-world liability that's showing up for more and more businesses.

Downtime and revenue impact from government intervention

In the case of a successful cyber attack targeting your organization, the risk is that law enforcement agencies could confiscate computers or have your backbone drop(s) cut off until the exploited systems have been cleaned. If you run your own datacenter, then you could see servers or racks disappear or at least be taken offline for some time while forensics are performed. This downtime could be devastating to the business.

Hackers

An unprotected network, or insufficiently protected endpoints, could end up being the target (pun intended) of black-hat, grey-hat or white-hat hackers. In other words, an independent 3rd party may find a way to breach your systems for fun or profit. The outcomes of cyber-attacks could include:

Company funds stolen through compromised banking login credentials, or directly accessed (owned) internal systems;

Having to notify your customers that your systems have been breached, and their customer data (passwords, credit-card numbers, etc.) has been stolen;

Having to negotiate ransom payments with attackers to regain access to critical internal systems that they've encrypted in order to lock you out and force you to pay;

Having to negotiate with «security researchers» to gain sufficient time to patch internal systems or close security holes before they «go public» with information that they've defeated your perimeter security or layered defense mechanisms. The more aggressive «researchers» may provide proof-of-concept tools or even detailed instructions on how to replicate the attack, so that other researchers may validate their findings (while hackers leverage the newly-disclosed info for an actual attack).

Promoting a culture of security

A culture of security is not an end in itself, but a pathway to achieve and maintain other objectives, such as proper use of information. The greatest benefit of a culture of security is the effect it has on other dynamic interconnections within an enterprise. It leads to greater internal and external trust, consistency of results, easier compliance with laws and regulations and greater value in the enterprise as a whole.

Who should the information security office report to?

It seems like a simple question. After all, there seems to be little debate about where other C-suite officers should report, although there have been some discussions about the reporting structure for such C-level executives as the chief privacy officer and the chief compliance officer. As a best practice the CISO, or the whole Information Security Office, should report to the CEO, since it's easier to convince the management and the board through him/her; however, reporting to the CTO shouldn't stop you from carrying out your tasks as long as you get the support required.

Oman National CERT role

Oman National CERT has established a full program to promote Information Security Offices in government and CNI entities, providing the IS officers with the required tools, including policies, office structure, controls and awareness programs, to promote a security culture within their organizations. In addition, Oman National CERT is willing to meet top management to present the importance of information security and ultimately assist the implementation of a successful information security program.

Conclusion

In conclusion, it's important to know how to sell information security to your organization's top management to get the support required to carry out your responsibilities easily and efficiently. We believe that by the end of this course you have the skills and techniques required to convince top management to support your department and team to fulfil their tasks and projects.

References
1. ISO/IEC 17799:2005. Information Technology - Security Techniques - Code of Practice for Information Security Management. ISO, Geneva (2005).
2. ISO/IEC 27001:2005. Information Technology - Security Techniques - Information Security Management Systems - Requirements. ISO, Geneva (2005).
3. Heikkinen, I., Ramet, T. E-Learning as a Part of Information Security Education Development from Organisational Point of View. Oulu University, Oulu, Finland. In Finnish (2004).
4. Kajava, J. Critical Success Factors in Information Security Management in Organizations: The Commitment of Senior Management and the Information Security Awareness Programme (Abstract in English). Hallinnon tutkimus - Administrative Studies, Volume 22, Number 1, Tampere (2003).
5. Lempinen, H. Security Model as a Part of the Strategy of a Private Hospital (In Finnish). University of Oulu, Finland (2002).
6. OECD. OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security. OECD Publications, Paris, France, 29 p. (2002).

EPILOGUE

During this course you have covered a broad range of concepts and material. You should now be prepared to handle many of the potential threats that may confront you regarding information security. It is important to reemphasize a couple of points. First, the technology resources that you use, and the information that you use, manipulate, access, create or store in the process of doing your job, exist to make your job easier. Second, security policies and procedures were created not only to protect our information but to help us achieve our objectives. It is your responsibility to help in the protection of this information.


Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Data Loss Prevention in the Enterprise

Data Loss Prevention in the Enterprise Data Loss Prevention in the Enterprise ISYM 525 Information Security Final Paper Written by Keneth R. Rhodes 12-01-09 In today s world data loss happens multiple times a day. Statistics show that there

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Codes of Connection for Devices Connected to Newcastle University ICT Network

Codes of Connection for Devices Connected to Newcastle University ICT Network Code of Connection (CoCo) for Devices Connected to the University s Author Information Security Officer (Technical) Version V1.1 Date 23 April 2015 Introduction This Code of Connection (CoCo) establishes

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Remote Services. Managing Open Systems with Remote Services

Remote Services. Managing Open Systems with Remote Services Remote Services Managing Open Systems with Remote Services Reduce costs and mitigate risk with secure remote services As control systems move from proprietary technology to open systems, there is greater

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

NON-PROFIT ORGANIZATIONS NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT CONTRACTING

NON-PROFIT ORGANIZATIONS NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT CONTRACTING NON-PROFIT ORGANIZATIONS NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT CONTRACTING Lee E. Rice 1 and Syed (Shawon) M. Rahman, Ph.D. 2 1 School of Business and IT, Capella University, Minneapolis, MN,

More information

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know

More information

Computer Viruses: How to Avoid Infection

Computer Viruses: How to Avoid Infection Viruses From viruses to worms to Trojan Horses, the catchall term virus describes a threat that's been around almost as long as computers. These rogue programs exist for the simple reason to cause you

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

Verve Security Center

Verve Security Center Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution

More information

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure Security studies back up this fact: It takes less than 20

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2 RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Specific recommendations

Specific recommendations Background OpenSSL is an open source project which provides a Secure Socket Layer (SSL) V2/V3 and Transport Layer Security (TLS) V1 implementation along with a general purpose cryptographic library. It

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

Best Practices for Outdoor Wireless Security

Best Practices for Outdoor Wireless Security Best Practices for Outdoor Wireless Security This paper describes security best practices for deploying an outdoor wireless LAN. This is standard body copy, style used is Body. Customers are encouraged

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control Requirements Cyber Security For Suppliers Categorised as High Cyber Risk Cyber Security Requirement Description Why this is important 1. Asset Protection and System Configuration

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS

5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS 5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS 1 Introduction As small and mid-sized companies rely more heavily on their computer networks to

More information

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

Critical Security Controls

Critical Security Controls Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security

More information

INSIDE. Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats

INSIDE. Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats Symantec Enterprise Security WHITE PAPER Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats INSIDE Executive Summary Challenges to securing NAS An effective

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

How To Secure Your System From Cyber Attacks

How To Secure Your System From Cyber Attacks TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information