Information Security Management

Information Security Overview

  • Information security is a broad and critical topic that encompasses cyber-risk measurement and assessment.
  • Effective security involves communication and education for both employees and consumers.
  • A common language is needed to discuss risk, attack, and defense strategies.
  • Cyber-risk models are in early stages and require a shared knowledge base.
  • Quantifying cyber risk involves understanding the business, state of controls, and potential reputational damage and recovery costs.
  • Anonymised data sharing within trusted circles is key to addressing the complexity of data valuation.

Progression of Threats

  • The Industrial Revolution has progressed through four stages, each introducing new cyber and physical threats:
    • Industry 1.0: Steam-based mechanical production.
    • Industry 2.0: Electricity-based mass production.
    • Industry 3.0: Controller-based automation.
    • Industry 4.0: Ubiquitous production and control with online-ordered mass customization.

Odds and Costs of Data Breaches

  • The probability of experiencing a data breach is 1 in 4.
  • A large share of breaches (87%) are carried out in minutes or less.
  • Cyber attacks cost small-to-medium businesses an average of 2,640,000.
  • 60% of businesses close within six months of a cyber attack.
  • The average total cost of a data breach is highest in the United States (7.91m).

Goal of Information Systems Security

  • The goal is to block threats with safeguards that address vulnerabilities, thereby preventing loss.
  • The EU General Data Protection Regulation (GDPR) covers all personal data, defines data protection rights, introduces new obligations, and applies worldwide.
  • California Consumer Privacy Act (CCPA) has similar provisions to GDPR, including consumer rights to demand disclosure of collected personal information.
  • Regulations extend to Internet-of-Things (IoT) devices, requiring reasonable security features.

Privacy and Confidentiality

  • Privacy is the right to be left alone and to control one's personal possessions, free from unwanted observation.
  • Confidentiality ensures that messages and information are available only to authorized individuals.
  • Common workplace abuses include surfing the internet and sending personal emails during work hours.
  • Organizations monitor web visits, block websites, review emails, and track keystrokes.
  • Email privacy policies are essential to mitigate risks associated with email and messaging.

Threat Landscape

  • The perimeter is gone; data is everywhere, and threats are sophisticated.
  • The attack surface is expanding to endpoints, networks, cloud, users, mobile devices, and IoT.
  • The modern threat landscape includes malicious insiders, terrorists, organized crime, and nation-states.
  • A well-established cyber-crime economy exists with varying prices for compromised data and services.
  • Attacks are creative and sophisticated, including spear-phishing, custom malware, and social engineering.

Malware and Mobile Threats

  • Malware types include viruses, trojans, worms, and beacons; typical symptoms are slow system startup and unusual disk activity.
  • Top mobile threats include web-based attacks, malware, resource abuse, data loss, and social engineering.

Bots and Botnets

  • Bot: A computer program that executes specific tasks according to instructions.
  • Botnet: A network of compromised computers that forward transmissions on behalf of a controller.
  • Bot herder: The attacker who controls the compromised computers.

HTTP/2 Rapid Reset Botnets

  • These botnets leverage cloud computing platforms and exploit HTTP/2 to generate up to 5,000 times more attack force per botnet node.
  • This allows hyper-volumetric DDoS attacks to be launched from small botnets.
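The Rapid Reset pattern from a defender's side, as an added example that is not part of the original notes: the amplification comes from opening HTTP/2 streams and cancelling them immediately, so the signal a server or proxy can watch for is a per-connection reset rate and reset-to-open ratio far above what a genuine client produces. The log format, connection ids and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HTTP/2 frame log, one frame per line: "<iso-timestamp> <conn> <frame> <stream>".
# Format, connection ids and thresholds are assumptions for this example, not a real server's.
def _constructed_log():
    t0, lines = datetime(2024, 1, 1, 10, 0, 0), []
    for i in range(200):  # conn-1: every stream opened and cancelled within 1 ms (attack-like)
        ts, sid = (t0 + timedelta(milliseconds=i)).isoformat(), 2 * i + 1
        lines += [f"{ts} conn-1 HEADERS {sid}", f"{ts} conn-1 RST_STREAM {sid}"]
    for i in range(10):  # conn-2: ordinary client, ten requests over five seconds
        lines.append(f"{(t0 + timedelta(milliseconds=500 * i)).isoformat()} conn-2 HEADERS {2 * i + 1}")
    lines.append(f"{(t0 + timedelta(seconds=4.6)).isoformat()} conn-2 RST_STREAM 19")  # one cancel
    return "\n".join(lines)

SAMPLE_LOG = _constructed_log()

def parse_frames(log):
    """Yield (timestamp, conn_id, frame_type, stream_id) per log line."""
    for line in log.splitlines():
        ts, conn, frame, stream = line.split()
        yield datetime.fromisoformat(ts), conn, frame, int(stream)

def per_connection_stats(events):
    """Per connection: streams opened (HEADERS), resets (RST_STREAM), resets/sec, reset ratio."""
    acc = defaultdict(lambda: {"opened": 0, "resets": 0, "times": []})
    for ts, conn, frame, _sid in events:
        s = acc[conn]
        s["times"].append(ts)
        if frame == "HEADERS":
            s["opened"] += 1
        elif frame == "RST_STREAM":
            s["resets"] += 1
    stats = {}
    for conn, s in acc.items():
        # guard against a zero-length window so a single-frame connection cannot divide by zero
        elapsed = max((max(s["times"]) - min(s["times"])).total_seconds(), 0.001)
        stats[conn] = {"opened": s["opened"], "resets": s["resets"],
                       "resets_per_sec": s["resets"] / elapsed,
                       "reset_ratio": s["resets"] / s["opened"] if s["opened"] else 0.0}
    return stats

def flag_rapid_reset(stats, min_resets_per_sec=100.0, min_ratio=0.8):
    """Connections whose reset rate AND reset ratio both exceed the (assumed) thresholds."""
    return sorted(c for c, s in stats.items()
                  if s["resets_per_sec"] >= min_resets_per_sec and s["reset_ratio"] >= min_ratio)
```

Requiring both a high rate and a high ratio keeps a busy but legitimate client (many streams, few cancellations) from being flagged.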

Data Breaches

  • Largest Hacking and Identity Case: Albert Gonzalez indicted in August 2009.
  • Worst breaches include Yahoo, Heartland Payment Systems and TRW.

Security Safeguards

  • Five IS Components: Hardware, Software, Data, Procedures, People.
  • Technical Safeguards: Identification, Authorization, Encryption, Firewalls and Malware protection.
  • Data Safeguards: Data rights and responsibilities, backup and recovery.
  • Human Safeguards: Hiring, Training, Education, Procedure design, Administration, Assessment, Compliance and Accountability.

Internal Threats

  • Most security incidents originate within the organization.
  • Employees misuse their access, leading to business-affecting incidents.
  • Ignoring internal threats, careless behavior, insider collusion, and malicious intent are significant risks.
  • Remote workers present risks due to personal use of work computers and uncertain security control.

Lines of Defense

  • First Line: People (develop, communicate, identify, test and obtain stakeholder support).
  • Second Line: Technology (Authentication, Authorization, Prevention, Resistance, Detection and Response).

Security Measures

  • Authentication (something you know, have, or are).
  • Security Monitors (intrusion detection).
  • Prevention and Resistance (Content filtering, Encryption and Firewalls).
  • Content Filtering (prevent transmission of sensitive info).
  • Encryption (scrambles information).
  • Firewalls (prevent security breaches).
  • Secure Networks (Virtual Private Networks, VPNs).
  • Email Security (anti-spam, anti-phishing, anti-spoofing and anti-virus protection).

Security Policy

  • Security Policy for In-House Staff (position definition, separate duties and authorities, hiring and screening).
  • SIEM (Security Information & Event Management).

Information/Security Management Policies

  • Policies include Cybersecurity policy, Ethical computer use policy, Information privacy policy, Acceptable use policy, E-mail privacy policy and Internet use policy.