Chapter 1
Introduction
Overview
- Relevance
- Background
- Terms
- General procedures
Relevance
Why study information security?
- Demand: BLS estimates
  - Bureau of Labor Studies: US Govt data collection organization
  - Information security analysts classified as 15-1122 (15 = Computing occupations; 15-112 = analysts)
- Occupation classification (excerpt):
  All occupations
    11-0000 Management occupations
    ...
    15-0000 Computer and mathematical occupations
      15-1110 Computer and information research scientists
      15-1120 Computer and information analysts
        15-1121 Computer systems analysts
        15-1122 Information security analysts
      15-1130 Software developers and programmers
    ...
    55-0000 Military specific occupations
Relevance (contd.)
- Total employment in 15-1122 (BLS, May 2010): count = 243,330; mean wage = $79,370
- Industry estimates: International Information Systems Security Certification Consortium, IISSCC, (ISC)2
  - 2.28 million information security professionals worldwide
  - 900,000 in the Americas
  - Growth rate of 13%
  - Median wage $78,000 (probably US-centric)
Demand drivers
- Increasing criticality of information
  - To individuals: photographs, school work
  - And organizations: payroll, intellectual property, business processes, etc.
- Increasing quantity of information: customer details, purchase history, clickstream, etc.
- Increasing computerization of information: no more paper ledgers
Demand drivers (contd.)
- More copies of information: laptops (can be stolen), smart phones, BYOD (personally owned devices)
- More diverse population of users: not necessarily computer-savvy, less aware
- Hence, more committed attackers: recent incidents generally motivated by profit
A day in the life
What do information security professionals do?
- Technical work (BLS)
  - Plan, implement, upgrade, monitor security measures for the protection of computer networks and information
  - May ensure appropriate security controls are in place to safeguard digital files and vital electronic infrastructure
  - May respond to computer security breaches and viruses
- Non-technical work
  - Research new technologies
  - Internal/political issues
  - Regulatory compliance
  - Develop internal security policies, standards and procedures
A day in the life (contd.)
Time spent by information security professionals (source: (ISC)2)
[Chart. Activities listed: developing internal security policies, standards and procedures; meeting regulatory compliance; internal/political issues; researching new technologies. Values shown on the chart: 39%, 45%, 46%, 49%.]
Desired competencies
- Planning for business continuity and disaster recovery
- Security management practices
- Access control
- Security architecture
- End-user awareness
- Forensics
- Secure SDLC
- Risk management
Brief history
- Many current security procedures are the result of well-known past incidents
  - Part of industry folklore
  - Professional vocabulary
- More comprehensive lists available from many sources
  - Online (e.g. Wikipedia)
  - Industry publications (e.g. InformationWeek, ComputerWorld)
- 1981: TCP/IP finalized
  - No mention of security
  - Internet community generally considered benign
Brief history (contd.): 1982-83
- Gang of 414s: 6 teenagers from Milwaukee, WI
  - Hence the name (from the area code)
  - Looking for excitement
- Broke into 60 high-profile computer systems, e.g. Los Alamos
- Newsweek cover story
  - Introduced the term "hacker" into the information security vocabulary
- U.S. Congress hearings on computer security
  - Computer Fraud and Abuse Act, 1986
Brief history (contd.): 1988
- Morris Worm, Nov. 2, 1988
  - Robert Morris Jr., graduate student at Cornell
  - 99-line program designed to count the size of the Internet
  - Program bug caused computers to crash; 10% of the Internet crashed
  - Possibly the largest percentage damage to the Internet ever
  - First conviction under the 1986 Act
  - CERT/CC established at CMU
Brief history (contd.): 1995-1998
- Windows 95 released on 8/24/1995
  - Low cost; widely expanded computer ownership
  - Designed primarily as a stand-alone desktop; almost no security
  - Windows 95 + TCP/IP: fertile ground for information security problems
- Windows 98 released on 6/25/1998
  - Added Internet, but almost no improvement in security
Brief history (contd.): 1996
- Health Insurance Portability and Accountability Act (HIPAA)
  - Push for electronic health records (EHR)
  - Hopes are to reduce wastage and hence healthcare costs
  - Healthcare industry responsible for ensuring confidentiality of patient information
  - Push to move completely to EHR by 2014
Brief history (contd.): 2000
- I LOVE YOU virus, May 5, 2000
  - Deleted images on affected computers
  - Estimated damage exceeded $8bn globally, primarily lost employee time in cleaning infected computers
  - Created by 2 college students in the Philippines: Reonel Ramones and Onel de Guzman
  - Traced immediately, but no charges filed: virus writing was not an offense in the Philippines at the time
  - Differences even today across countries
Brief history (contd.): 2002
- Sarbanes-Oxley Act
  - Corporate fraud: MCI-Worldcom, Enron
  - Publicly traded companies; affected pension investments
  - Key executives personally accountable for correctness in financial reporting
  - All financial statements produced by IT systems
  - Section 404: formal internal controls
Brief history (contd.): 2005-2007
- Retail industry: TJ Maxx, BJ's Wholesale Club, OfficeMax, etc.
  - Millions of credit and debit cards stolen; many sold on specialized black markets
  - Exploited IT insecurities
    - Store wireless networks: unencrypted
    - Web applications: SQL injection
  - Albert Gonzalez identified as ring-leader; sentenced to 20 years in March 2010
Brief history (contd.): 2008
- War between Georgia and Russia, accompanied by cyberwar
  - Massive denial of service attacks in Georgia
  - Many government web sites defaced
  - Russian state involvement suspected; if true, the first known state-sponsored cyber warfare
Brief history (contd.): June 23, 2009
- Establishment of US Cyber Command
  - Defend US military computer networks
  - Respond in cyberspace as necessary
- Following numerous alarming media reports
  - Joint Strike Fighter: $300 Bn weapons program, the largest ever weapons program of the US military; terabytes of data stolen from project contractors
  - US electricity grid: reported to be penetrated by other countries; could be stopped at will
Brief history (contd.): January 12, 2010
- Google-China: Operation Aurora
  - Attempt to steal code base
  - Unencrypted version control system
  - Access emails of Chinese human-rights activists
  - Attacks traced to two educational institutions in China
  - China called the attacks an attempt by students to refine their skills
  - Congress announced intention to investigate
Brief history (contd.): April 17, 2011
- Sony PlayStation Network compromised
  - 70 million subscribers on the network
  - Credit card information suspected to have been stolen
  - Network down almost all of summer break
  - Difficult time for parents: students had planned to catch up on new games over the summer break
Brief history (contd.): February 2013
- Mandiant report released
  - Identifies the APT1 unit of the Chinese army as the source of most cyber attacks on US entities
  - Demonstrates state-sponsored industrial espionage
Definitions
- Information security: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability (US Code, Title 44, Chapter 35, Section 3542; RFC 2196)
- CIA triad: Confidentiality, Integrity, Availability
Definitions (contd.)
- Confidentiality: preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
  - Individual right to privacy extends to personal information
  - Confidentiality is the mechanism by which custodians of information maintain privacy of individual information
  - Most common interpretation of information security
  - But social expectations keep changing, e.g. Facebook
Definitions (contd.)
- Integrity: guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity
  - Makes information actionable
  - Huge focus of regulators, e.g. Sarbanes-Oxley
- Availability: ensuring timely and reliable access to and use of information
  - Very important to end-users
  - Has revenue implications in e-commerce systems
Personal information security
Recommendations (from the authors' perspective; your mileage may vary)
1. Anti-virus
2. Automatic software updates
3. At least two passwords
   - One for financial institutions, preferably a separate password for each financial institution
   - A different password for "fun" accounts: websites, coupons, email, etc.
Example case: Wikileaks, February 2010
- Wikileaks released classified memos from U.S. State Department archives
  - Published in leading newspapers of the world, e.g. New York Times
  - Cables went back to 1966
  - Very embarrassing to the U.S. government; violated the trust of foreign leaders in the U.S. Government's ability to keep secrets
- Source: Pfc Bradley Manning
  - One of 3 million U.S. personnel with access to the cables
  - Part of a U.S. Government effort to leverage information to stop terrorist attacks
Summary
- Overview of information security
- Professional relevance of information security
- Brief history of information security incidents
- Definition of information security: Confidentiality, Integrity, Availability