Information Security Management

Information Security Overview

  • Information security is a critical and huge topic encompassing cyber-risk measurement and assessment.
  • Effective security involves communication and education for both employees and consumers.
  • A common language is needed to discuss risk, attack, and defense strategies.
  • Cyber-risk models are in early stages and require a shared knowledge base.
  • Quantifying cyber risk involves understanding the business, state of controls, and potential reputational damage and recovery costs.
  • Anonymity is key for data sharing within trusted circles to address complexity in data valuation.

Progression of Threats

  • The Industrial Revolution has progressed through four stages, each introducing new cyber and physical threats:
    • Industry 1.0: Steam-based mechanical production.
    • Industry 2.0: Electricity-based mass production.
    • Industry 3.0: Controller-based automation.
    • Industry 4.0: Ubiquitous production and control with online-ordered mass customization.

Odds and Costs of Data Breaches

  • The probability of experiencing a data breach is 1 in 4.
  • A significant percentage (87%) of breaches occur in minutes or less.
  • Cyber attacks can cost small-to-medium businesses an average of 2,640,000.
  • 60% of businesses go out of business within 6 months of a cyber attack.
  • The average total cost of a data breach is highest in the United States (7.91m).

Goal of Information Systems Security

  • The goal is to block threats using safeguards, addressing vulnerabilities to prevent loss.
  • The EU General Data Protection Regulation (GDPR) covers all personal data, defines data protection rights, introduces new obligations, and applies worldwide.
  • California Consumer Privacy Act (CCPA) has similar provisions to GDPR, including consumer rights to demand disclosure of collected personal information.
  • Regulations extend to Internet-of-Things (IoT) devices, requiring reasonable security features.

Privacy and Confidentiality

  • Privacy is the right to be left alone and control personal possessions without unwanted observation.
  • Confidentiality ensures that messages and information are available only to authorized individuals.
  • Common workplace abuses include surfing the internet and sending personal emails during work hours.
  • Organizations monitor web visits, block websites, review emails, and track keystrokes.
  • Email privacy policies are essential to mitigate risks associated with email and messaging.

Threat Landscape

  • The perimeter is gone; data is everywhere, and threats are sophisticated.
  • The attack surface is expanding to endpoints, networks, cloud, users, mobile devices, and IoT.
  • The modern threat landscape includes malicious insiders, terrorists, organized crime, and nation-states.
  • A well-established cyber-crime economy exists with varying prices for compromised data and services.
  • Attacks are creative and sophisticated, including spear-phishing, custom malware, and social engineering.

Malware and Mobile Threats

  • Malware types include viruses, trojans, worms and beacons, leading to symptoms like slow system startup and unusual disk activity.
  • Top mobile threats include web-based attacks, malware, resource abuse, data loss, and social engineering.

Bots and Botnets

  • Bot: A computer program that executes specific tasks according to instructions.
  • BotNet: A network of compromised computers forwarding transmissions.
  • BotHerder: A hacker controlling compromised computers.

HTTP/2 Rapid Reset Botnets

  • Leverage cloud computing platforms and exploit HTTP/2 to generate up to x5,000 more force per botnet node.
  • This allows hyper-volumetric DDoS attacks with small botnets.

Data Breaches

  • Largest Hacking and Identity Case: Albert Gonzalez indicted in August 2009.
  • Worst breaches include Yahoo, Heartland Payment Systems and TRW.

Security Safeguards

  • Five IS Components: Hardware, Software, Data, Procedures, People.
  • Technical Safeguards: Identification, Authorization, Encryption, Firewalls and Malware protection.
  • Data Safeguards: Data rights, responsibilities and Backup and recovery.
  • Human Safeguards: Hiring, Training, Education, Procedure design, Administration, Assessment, Compliance and Accountability.

Internal Threats

  • Most security incidents originate within the organization.
  • Employees misuse their access, leading to business-affecting incidents.
  • Ignoring internal threats, careless behavior, insider collusion, and malicious intent are significant risks.
  • Remote workers present risks due to personal use of work computers and uncertain security control.

Lines of Defense

  • First Line: People (develop, communicate, identify, test and obtain stakeholder support).
  • Second Line: Technology (Authentication, Authorization, Prevention, Resistance, Detection and Response).

Security Measures

  • Authentication (something you know, have, or are).
  • Security Monitors (intrusion detection).
  • Prevention and Resistance (Content filtering, Encryption and Firewalls).
  • Content Filtering (prevent transmission of sensitive info).
  • Encryption (scrambles information).
  • Firewalls (prevent security breaches).
  • Businesses need Secure Networks (Virtual Private Networks (VPNs)).
  • Email Security (anti-spam, anti-phishing, anti-spoofing and anti-virus protection).

Security Policy

  • Security Policy for In-House Staff (position definition, separate duties and authorities, hiring and screening).
  • SIEM (Security Information & Event Management).

Information/Security Management Policies

  • Policies include Cybersecurity policy, Ethical computer use policy, Information privacy policy, Acceptable use policy, E-mail privacy policy and Internet use policy.