SlideShare a Scribd company logo

Is iso 27001, an answer to security

Download as PPTX, PDF
R
Raghunath G

- ISO 27001 is an international standard for information security management systems that specifies requirements for implementing controls around information security risks. It includes 114 controls grouped into 14 domains. - Recent large-scale data breaches at companies like JP Morgan, Sony Pictures, Anthem Healthcare, and a small accounting firm could potentially have been avoided or detected earlier if the organizations had implemented appropriate controls aligned with the ISO 27001 standard, such as access control policies, encryption of data at rest, logging and monitoring of administrator activities, independent security reviews, and physical security measures. - While the full details of the breaches are not public, lack of implementation of basic security practices around access controls, encryption, logging, monitoring, reviews, and

Education
1 of 14
Downloaded 40 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Is ISO 27001, an answer to Security Breaches? RAMANA KROTHAPALLI
Agenda Terms & Definitions Information Security Standards & Best Practices What is ISO 27001? Why is ISO 27001 Popular? Security breaches – could these have been avoided? Things you can do..
Terms & Definitions ISO: International Organization for Standardization IEC: International Electrotechnical Commission HLS: High Level Structure Control: any process, policy, procedure, guideline, practice or organisational structure, which can be administrative, technical, management, or legal in nature which manage information security risk Objective: statement describing what is to be achieved as a result of implementing controls Data Breach: is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so
Information Security Standards / Best Practices ISO 27001: 2013 NIST SP 800 Series - National Institute of Standards and Technology Special Publications COBIT - Control Objectives for Information and Related Technology SOGP – Standard of Good Practice PCI DSS - Payment Card Industry Data Security Standard HIPAA - Health Insurance Portability and Accountability Act of 1996 SANS Best Practices
What is ISO 27001? ISO 27001: 2013 is an International Standard specifying requirements for information security management systems (ISMS) This is a certifiable standard from the ISO 27000 series of standards aka ISMS family of standards Published by ISO & IEC Organisations meeting the requirements may gain an official certification issued by an independent and accredited certification body on completion of a formal audit process The official title of the standard is "Information technology— Security techniques — Information security management systems — Requirements“ Has 10 clauses and an annexure that lists 114 controls and their objectives grouped into 14 domains
Why ISO 27001 is popular? Information security is the biggest driver for companies Generic standard for implementing an ISMS Technology neutral Globally recognised & accepted Compliance with business, legal, contractual and regulatory requirements HLS that allows easier integration with other ISO Standards Risk Based approach to identify appropriate security requirements Process approach – alignment with business objectives
Recent Security Breaches
Disclaimer The discussions are based on the news in the public domain and a few assumptions . The complete information about the massive security breaches is not available in the public domain. The sole idea of this session is to see if a management system approach to information security could help to prevent similar breaches, or at least improve the time to detection.
JP Morgan Chase Hackers “exploited an employee’s access to a development server as part of the attack on a JPMorgan Chase & Co. server that led the theft of data on 76 million households and 7 million small businesses”. Source: JPMorgan Password Leads Hackers to 76 Million Households So much data accessible using just one employee access right? A.9.4.3: “Password systems shall be interactive and shall ensure quality passwords” A.12.1.4: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment Hackers used multiple custom-crafted bits of malware to infiltrate A.12.2.1: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness Hackers spent months pulling data from the servers A. 12.6.1: Organization’s exposure to such vulnerabilities to be evaluated and appropriate measures taken to address the associated risk.
Sony Pictures The hack was a release of confidential data belonging to Sony Pictures Entertainment; the data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information. Duration of the hack is unknown, though evidence suggests that the intrusion occurred for more than a year. Article on SC Magazine: (Could the Sony breach have been prevented) http://www.scmagazine.com/could-the-sony-breach-have-been-prevented/article/394249/ One of Sony's biggest problems wasn't being hacked; it was failing to detect the hack until it became public. A.12.7: Information systems audit considerations - minimise the impact of audit activities on operational systems A.18.2.1: Independent review of information security A. 12.6.1: Organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. Sony hack leaked 47,000 Social Security numbers A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information
Anthem Healthcare Personal records of as many as 80 million individuals were compromised. Anthem data was encrypted on-the-wire but not in storage A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information The attack was discovered when a database administrator noticed unauthorized queries running with admin credentials A.12.4.3: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed An outsider could have phished the credentials from an employee A.9.1.1: An access control policy shall be established, documented and reviewed based on business and information security requirements (Context-aware access control could have stopped an outsider, even with phished credentials, by examining where the authentication session was coming from, what platform was in use etc.)
Green's Accounting Stolen Server Exposes Accounting Clients' Personal Data. The server held unencrypted data, including clients' names, addresses and Social Security numbers, Bank account numbers. The burglars broke in by smashing the office's back window with the rock, then stole the firm's network server. A.11.1: Controls to prevent unauthorized physical access A.11.2.1: Equipment shall be sited and protected to reduce the risks from unauthorized access A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information
Things you can do.. Implement Security Policies & Procedures Security Awareness Training Vulnerability Assessments – Internal & External Penetration Testing – Internal & External Social Engineering Exercises Enterprise Security Assessments  Administrative Safeguards  Technical Safeguards  Physical Safeguards
THANK YOU!

More Related Content

PPTX
Basic introduction to iso27001
Imran Ahmed
 
PPTX
Iso 27001 isms presentation
Midhun Nirmal
 
PPT
Popular Pitfalls In Isms Compliance
Ramkumar Ramachandran
 
PDF
Isms awareness presentation
Pranay Kumar
 
PDF
NQA ISO 27001 Implementation Guide
NQA
 
PDF
ISO 27001 Certification - The Benefits and Challenges
Certification Europe
 
PPTX
Iso 27001 awareness
Ãsħâr Ãâlâm
 
PPT
ISMS Part I
khushboo
 
Basic introduction to iso27001
Imran Ahmed
 
Iso 27001 isms presentation
Midhun Nirmal
 
Popular Pitfalls In Isms Compliance
Ramkumar Ramachandran
 
Isms awareness presentation
Pranay Kumar
 
NQA ISO 27001 Implementation Guide
NQA
 
ISO 27001 Certification - The Benefits and Challenges
Certification Europe
 
Iso 27001 awareness
Ãsħâr Ãâlâm
 
ISMS Part I
khushboo
 

What's hot (20)

PPT
Iso27001 Isaca Seminar (23 May 08)
samsontamwaiho
 
PPTX
Iso iec 27001 foundation training course by interprom
Mart Rovers
 
PPT
Information Security Management Systems(ISMS) By Dr Wafula
Discover JKUAT
 
PDF
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
PPSX
Isms Implementer Course Module 1 Introduction To Information Security
anilchip
 
PPT
Overview of ISO 27001 ISMS
Akhil Garg
 
PPT
ISO 27001 Benefits
Dejan Kosutic
 
PDF
Iso 27001 2013
Magda CHELLY, Ph.D, S-CISO, CISSP®
 
PDF
ISO 27001 - IMPLEMENTATION CONSULTING
Arul Nambi
 
PDF
What is ISO 27001 ISMS
Business Beam
 
PDF
Implementing a Security Framework based on ISO/IEC 27002
pgpmikey
 
PPTX
Presentation on iso 27001-2013, Internal Auditing and BCM
Shantanu Rai
 
ODP
Iso 27001 10_apr_2006
Khawar Nehal khawar.nehal@atrc.net.pk
 
PPTX
Iso 27001 2013 clause 6 - planning - by Software development company in india
iFour Consultancy
 
DOCX
Iso 27001 2013 Standard Requirements
Uppala Anand
 
PPTX
What is iso 27001 isms
Craig Willetts ISO Expert
 
PPTX
ISO 27001 - three years of lessons learned
Jisc
 
PDF
Why ISO27001 For My Organisation
Vigilant Software
 
PDF
Transitioning to iso 27001 2013
SAIGlobalAssurance
 
DOC
Reporting about Overview Summery of ISO-27000 Se.(ISMS)
AHM Pervej Kabir
 
Iso27001 Isaca Seminar (23 May 08)
samsontamwaiho
 
Iso iec 27001 foundation training course by interprom
Mart Rovers
 
Information Security Management Systems(ISMS) By Dr Wafula
Discover JKUAT
 
ISO27001: Implementation & Certification Process Overview
Shankar Subramaniyan
 
Isms Implementer Course Module 1 Introduction To Information Security
anilchip
 
Overview of ISO 27001 ISMS
Akhil Garg
 
ISO 27001 Benefits
Dejan Kosutic
 
Iso 27001 2013
Magda CHELLY, Ph.D, S-CISO, CISSP®
 
ISO 27001 - IMPLEMENTATION CONSULTING
Arul Nambi
 
What is ISO 27001 ISMS
Business Beam
 
Implementing a Security Framework based on ISO/IEC 27002
pgpmikey
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Shantanu Rai
 
Iso 27001 10_apr_2006
Khawar Nehal khawar.nehal@atrc.net.pk
 
Iso 27001 2013 clause 6 - planning - by Software development company in india
iFour Consultancy
 
Iso 27001 2013 Standard Requirements
Uppala Anand
 
What is iso 27001 isms
Craig Willetts ISO Expert
 
ISO 27001 - three years of lessons learned
Jisc
 
Why ISO27001 For My Organisation
Vigilant Software
 
Transitioning to iso 27001 2013
SAIGlobalAssurance
 
Reporting about Overview Summery of ISO-27000 Se.(ISMS)
AHM Pervej Kabir
 
Ad

Viewers also liked (20)

PPTX
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
PDF
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
PPTX
ISO 27001 - information security user awareness training presentation - Part 1
Tanmay Shinde
 
PDF
ISO 27001
n|u - The Open Security Community
 
PDF
ISO 27001 Information Security Management Systems Trends and Developments
Certification Europe
 
DOC
Buying a business in florida
James Lavigne
 
PDF
Null July - OWTF - Bharadwaj Machiraju
Raghunath G
 
PPTX
Pengenalan Pillow Lava di Berbah,Sleman,Yogyakarta
Nicholas Vincento
 
PPT
Null dec 2014
Raghunath G
 
PDF
Social engineering by-rakesh-nagekar
Raghunath G
 
PDF
Security News Bytes
Raghunath G
 
PPTX
Ted talk newest
niki298
 
PDF
Nomadic Display Instand Instructions
Nomadic Display
 
PDF
z/OS Communications Server: z/OS Resolver
zOSCommserver
 
PDF
World Cup! Young Germany Guest Blogging
steffan
 
DOC
SAmador CV
Susan Amador
 
PPTX
Newsbytes_NULLHYD_Dec
Raghunath G
 
PDF
Investor alert—investment scams exploit immigrant investor program
James Lavigne
 
PDF
Raspberry pi 2
Raghunath G
 
PPTX
Marvella city a complete township in haridwar
Marvella city
 
ISO 27001 - Information security user awareness training presentation - part 3
Tanmay Shinde
 
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
ISO 27001 - information security user awareness training presentation - Part 1
Tanmay Shinde
 
ISO 27001
n|u - The Open Security Community
 
ISO 27001 Information Security Management Systems Trends and Developments
Certification Europe
 
Buying a business in florida
James Lavigne
 
Null July - OWTF - Bharadwaj Machiraju
Raghunath G
 
Pengenalan Pillow Lava di Berbah,Sleman,Yogyakarta
Nicholas Vincento
 
Null dec 2014
Raghunath G
 
Social engineering by-rakesh-nagekar
Raghunath G
 
Security News Bytes
Raghunath G
 
Ted talk newest
niki298
 
Nomadic Display Instand Instructions
Nomadic Display
 
z/OS Communications Server: z/OS Resolver
zOSCommserver
 
World Cup! Young Germany Guest Blogging
steffan
 
SAmador CV
Susan Amador
 
Newsbytes_NULLHYD_Dec
Raghunath G
 
Investor alert—investment scams exploit immigrant investor program
James Lavigne
 
Raspberry pi 2
Raghunath G
 
Marvella city a complete township in haridwar
Marvella city
 
Ad

Similar to Is iso 27001, an answer to security (20)

PDF
1678784047-mid_sem-2.pdf
Rimurutempest594985
 
PPTX
ISMS End-User Training Presentation.pptx
comstarndt
 
PDF
Chapter 12 iso 27001 awareness
newbie2019
 
PDF
1 info sec+risk-mgmt
madunix
 
PPTX
Topic11
Anne Starr
 
PPTX
Dancyrityshy 1foundatioieh
Anne Starr
 
PDF
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
IGN MANTRA
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
grachalyako20
 
PDF
ISO / IEC 27001:2005 – An Intorduction
n|u - The Open Security Community
 
PPTX
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
n|u - The Open Security Community
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
camitatse
 
PPT
Information Security Identity and Access Management Administration 07072016
Leon Blum
 
PDF
Accounting Information Systems 11th Edition Bodnar Solutions Manual
gayosacissey70
 
PPTX
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
JustinNickaf3
 
PPT
ch01.ppt
samsam693199
 
PPT
educational content, educational contented educational content
Olajide Kuku
 
PPT
information security presentation topics
Olajide Kuku
 
PPT
CISSP Certified Information System Security Professional_009.ppt
careerbdaugx
 
PPTX
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
PPT
INFORMATION SECURITY STUDY GUIDE for STUDENTS
henlydailymotion
 
1678784047-mid_sem-2.pdf
Rimurutempest594985
 
ISMS End-User Training Presentation.pptx
comstarndt
 
Chapter 12 iso 27001 awareness
newbie2019
 
1 info sec+risk-mgmt
madunix
 
Topic11
Anne Starr
 
Dancyrityshy 1foundatioieh
Anne Starr
 
ISO 27001 Awareness IGN Mantra 2nd Day, 1st Session.
IGN MANTRA
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
grachalyako20
 
ISO / IEC 27001:2005 – An Intorduction
n|u - The Open Security Community
 
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
n|u - The Open Security Community
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
camitatse
 
Information Security Identity and Access Management Administration 07072016
Leon Blum
 
Accounting Information Systems 11th Edition Bodnar Solutions Manual
gayosacissey70
 
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
JustinNickaf3
 
ch01.ppt
samsam693199
 
educational content, educational contented educational content
Olajide Kuku
 
information security presentation topics
Olajide Kuku
 
CISSP Certified Information System Security Professional_009.ppt
careerbdaugx
 
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
INFORMATION SECURITY STUDY GUIDE for STUDENTS
henlydailymotion
 

More from Raghunath G (16)

PPSX
Securitynewsbytes
Raghunath G
 
PPT
Whats app forensic
Raghunath G
 
PPTX
Seh based exploitation
Raghunath G
 
PPSX
Securitynewsbytes april2015-150418153901-conversion-gate01
Raghunath G
 
PPTX
Analysis of malicious pdf
Raghunath G
 
PPTX
Mobile application security 101
Raghunath G
 
PPTX
Security News Bytes
Raghunath G
 
PDF
Null HYD Playing with shodan null
Raghunath G
 
PDF
Null HYD VRTDOS
Raghunath G
 
PPTX
Metasploit
Raghunath G
 
PPTX
Decoy documents
Raghunath G
 
PDF
Spear phishing attacks-by-hari_krishna
Raghunath G
 
PDF
Netcat 101 by-mahesh-beema
Raghunath G
 
PDF
Xss 101 by-sai-shanthan
Raghunath G
 
PDF
The art of_firewalking-by-sujay
Raghunath G
 
PDF
Heartbleed by-danish amber
Raghunath G
 
Securitynewsbytes
Raghunath G
 
Whats app forensic
Raghunath G
 
Seh based exploitation
Raghunath G
 
Securitynewsbytes april2015-150418153901-conversion-gate01
Raghunath G
 
Analysis of malicious pdf
Raghunath G
 
Mobile application security 101
Raghunath G
 
Security News Bytes
Raghunath G
 
Null HYD Playing with shodan null
Raghunath G
 
Null HYD VRTDOS
Raghunath G
 
Metasploit
Raghunath G
 
Decoy documents
Raghunath G
 
Spear phishing attacks-by-hari_krishna
Raghunath G
 
Netcat 101 by-mahesh-beema
Raghunath G
 
Xss 101 by-sai-shanthan
Raghunath G
 
The art of_firewalking-by-sujay
Raghunath G
 
Heartbleed by-danish amber
Raghunath G
 

Recently uploaded (20)

PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
RMMM.pdf make it easy to upload and study
sajedul2
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
Classroom Observation Tools for Teachers
Nicaramirez
 
Pre independence Education in Inndia.pdf
goofy5603
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 

Is iso 27001, an answer to security

  • 1. Is ISO 27001, an answer to Security Breaches? RAMANA KROTHAPALLI
  • 2. Agenda Terms & Definitions Information Security Standards & Best Practices What is ISO 27001? Why is ISO 27001 Popular? Security breaches – could these have been avoided? Things you can do..
  • 3. Terms & Definitions ISO: International Organization for Standardization IEC: International Electrotechnical Commission HLS: High Level Structure Control: any process, policy, procedure, guideline, practice or organisational structure, which can be administrative, technical, management, or legal in nature which manage information security risk Objective: statement describing what is to be achieved as a result of implementing controls Data Breach: is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so
  • 4. Information Security Standards / Best Practices ISO 27001: 2013 NIST SP 800 Series - National Institute of Standards and Technology Special Publications COBIT - Control Objectives for Information and Related Technology SOGP – Standard of Good Practice PCI DSS - Payment Card Industry Data Security Standard HIPAA - Health Insurance Portability and Accountability Act of 1996 SANS Best Practices
  • 5. What is ISO 27001? ISO 27001: 2013 is an International Standard specifying requirements for information security management systems (ISMS) This is a certifiable standard from the ISO 27000 series of standards aka ISMS family of standards Published by ISO & IEC Organisations meeting the requirements may gain an official certification issued by an independent and accredited certification body on completion of a formal audit process The official title of the standard is "Information technology— Security techniques — Information security management systems — Requirements“ Has 10 clauses and an annexure that lists 114 controls and their objectives grouped into 14 domains
  • 6. Why ISO 27001 is popular? Information security is the biggest driver for companies Generic standard for implementing an ISMS Technology neutral Globally recognised & accepted Compliance with business, legal, contractual and regulatory requirements HLS that allows easier integration with other ISO Standards Risk Based approach to identify appropriate security requirements Process approach – alignment with business objectives
  • 8. Disclaimer The discussions are based on the news in the public domain and a few assumptions . The complete information about the massive security breaches is not available in the public domain. The sole idea of this session is to see if a management system approach to information security could help to prevent similar breaches, or at least improve the time to detection.
  • 9. JP Morgan Chase Hackers “exploited an employee’s access to a development server as part of the attack on a JPMorgan Chase & Co. server that led the theft of data on 76 million households and 7 million small businesses”. Source: JPMorgan Password Leads Hackers to 76 Million Households So much data accessible using just one employee access right? A.9.4.3: “Password systems shall be interactive and shall ensure quality passwords” A.12.1.4: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment Hackers used multiple custom-crafted bits of malware to infiltrate A.12.2.1: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness Hackers spent months pulling data from the servers A. 12.6.1: Organization’s exposure to such vulnerabilities to be evaluated and appropriate measures taken to address the associated risk.
  • 10. Sony Pictures The hack was a release of confidential data belonging to Sony Pictures Entertainment; the data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information. Duration of the hack is unknown, though evidence suggests that the intrusion occurred for more than a year. Article on SC Magazine: (Could the Sony breach have been prevented) http://www.scmagazine.com/could-the-sony-breach-have-been-prevented/article/394249/ One of Sony's biggest problems wasn't being hacked; it was failing to detect the hack until it became public. A.12.7: Information systems audit considerations - minimise the impact of audit activities on operational systems A.18.2.1: Independent review of information security A. 12.6.1: Organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. Sony hack leaked 47,000 Social Security numbers A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information
  • 11. Anthem Healthcare Personal records of as many as 80 million individuals were compromised. Anthem data was encrypted on-the-wire but not in storage A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information The attack was discovered when a database administrator noticed unauthorized queries running with admin credentials A.12.4.3: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed An outsider could have phished the credentials from an employee A.9.1.1: An access control policy shall be established, documented and reviewed based on business and information security requirements (Context-aware access control could have stopped an outsider, even with phished credentials, by examining where the authentication session was coming from, what platform was in use etc.)
  • 12. Green's Accounting Stolen Server Exposes Accounting Clients' Personal Data. The server held unencrypted data, including clients' names, addresses and Social Security numbers, Bank account numbers. The burglars broke in by smashing the office's back window with the rock, then stole the firm's network server. A.11.1: Controls to prevent unauthorized physical access A.11.2.1: Equipment shall be sited and protected to reduce the risks from unauthorized access A.10.1: Cryptographic controls - to protect the confidentiality, authenticity and/or integrity of information
  • 13. Things you can do.. Implement Security Policies & Procedures Security Awareness Training Vulnerability Assessments – Internal & External Penetration Testing – Internal & External Social Engineering Exercises Enterprise Security Assessments  Administrative Safeguards  Technical Safeguards  Physical Safeguards