SlideShare a Scribd company logo

ProjectReport_Finalversion

M
Mamoon Ismail Khalid

ABC Corp experienced a major security breach when an employee inserted an infected USB drive found in the parking lot. This introduced malware that spread throughout ABC's systems and gathered credit card information from 20 million customers over three months. The summary identifies failures in ABC's security policies, design, and controls that allowed this breach to occur, such as lack of awareness training, outdated antivirus software, and failure to properly secure administrative access. It provides both short-term tactical solutions like incident response procedures and long-term strategic solutions such as continuous monitoring, user access controls, and moving to behavioral-based security analytics to prevent future attacks.

1 of 36
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
ABC Corp. Retail Store Information Security Management System By Antony Chou and Mamoon Khalid
 Background  Incident Summary  Failures  Solutions  Strategic (Long term) Solutions  Tactical (Short term) Solutions  ISO 27001  ISMS PDCA Model  NIST Overview  Information Security Management System (ISMS) Framework  ISMS for ABC Corp.  Bibliography
Background ABC Corp is a regular Retail Store with an online business “The financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident,” - Mark Yourek , IBM’s Global Retail Solution Lead Here are some are some other statistics that highlight the role of a strong security strategy in retail stores, especially ones with e-commerce platforms as well. • Almost one-tenth of retailers haven’t reported any cyber risks in financial documents filed with the SEC since 2011. • Only 9 percent consider outsourced vendors a potential threat source • Less than 10 percent have purchased insurance to cover any cyber exposures, accidental or otherwise. • Almost half (49%) of retail companies cited the use of technical safeguards as a chief remedy for cyber risk - Source: Dark Reading, Report: Some Retail Firms Still Don't Recognize Cyber Security Risks In other words, retailers don’t seem that concerned as far as their cyber security strategies are concerned. Not since attacks like the Target breach came to surface. That is the reason we decided to study a hypothetical attack scenario for a retail corporation with an online business. The following figure illustrates some more statistics about the cyber-attacks to retail businesses over the years.
Incident Summary An ABC Corp. employee accidentally picked an USB drive from the parking lot and bought it to her work station. She plugs into her computer to check if the owner’s information could be found. Not finding anything, the USB sticker was submitted to the helpdesk personal, who has elevated access on his account. When the helpdesk person plugin the USB driver to his computer, the virus named as “Virus”, was copied to the servers and to all the workstations his elevated access allowed him to access. As a result of this the malicious code was be able to check the Active directory for an old contract account. And found that the account was still active. As is usually the case, the virus didn’t get activated right away, and instead it stayed stealth and slowly and gradually was copied to all the POS system. This slow and residual growth of the virus is engineered so as not to arouse suspicion in the usual “signature-based” security solutions that are employed by most corporations. The malware script used the compromised machine as a pivot to launch the exploit which attached the database server, and hence exploited a SQL server using SQL SQL Injection Attack tool. Now wwhenever in-store customers swipe their credit cards and debit cards on the store PCS systems, the virus keeps the records and outputs it to a file. Magnitude of Incident: • After three busy holiday shopping month, the attacker was able to gather 20 million customers credit card information. • This database was sent to overseas servers and later shown up in underground black market.
Attackers Pre-knowledge: • Hacker found vendor name from garbage bin • Discovered that Log files only go back 30 days Current Controls ABC Corp. is a major retail store selling consumer products both online and in the store. As per usual, customer uses Cash, Credit and Debit card on the POS terminal in store. The current controls in place to support ABC Corp.’s current information security policy: – Antiviruses installed on every machine – Incident triggered review policy – “signature-based” security solutions, which tried to identify known, malicious code patterns and block them – Internet De-militarized zone (DMZ )for online store – Dedicated subnets for external facing web servers – Firewalls and router Access Control Lists (ACLs) for access controls – Regular third party penetration tests – Database kept online customers’ contact and payment information – Database encrypted credit and debit card numbers, but not user names and contact information.
Failures To understand the root causes of the attack, we would essentially have to look at the: Policy failures: 1) Failure to properly block USB/Media ports upon the discovery of the breach 2) Lack of awareness on the employees part 3) Failure to install patches for SQL vulnerabilities on time 4) No expiration dates for user accounts – vastly expands the attack exposure surface 5) User account with admin access Design failures: 1) PCI DSS shares same network subnet from the main network - PCI POS systems were not segmented 2) External facing servers directly on public IP address 3) Elevated user accounts were not separated from regular accounts 4) Database server that scheduled patch installs and updates were failing with no further investigation as to why that was happening. 5) Log file only keeps past 30 days data 6) USB/Media ports were not disabled on all workstations. 7) Outside vendor account still active after contract is over 8) Database structure flaws: a. Tables weren’t normalized. Allowed for account information, credit card transactions and order information to be compromised easily
9) Web server code flaws a. Didn’t use parameters which automatically encode data being passed back to the database b. No client or server side user input error handling present c. Allowed unlimited login attempts Solutions Such breach incidents can be fatal to a business, even more so to an online business. The solutions to recovery from such incident can be broken into tactical (short term)and strategic (long term) Strategic (Long Term) There needs to be a paradigm shift in the way retail businesses look at the essentiality of a comprehensive cybersecurity and the implications of not doing that. Along the technology lines, there needs to be as shift in focus from the old and soon to be driven to become obsolete by necessity, “signature” based solutions to a more “behavioural/analytics” based solutions that employ big data technologies to detect minor system anomalies that could potentially be malware attacks.
ProjectReport_Finalversion
• Continuous monitoring system – by both Third-Party vendors and Information Technology/Information Security teams. • Raise employee awareness training – There should be periodic information security awareness seminars and awareness campaigns. Information Security should be inculcated in the Professional Development program (if there is any such initiative already in place). CISO’s need to stress the severity of a compromise to the employees, and educate them to adopt a constant state of caution. The paradigm needs to be shifted from a “if” to a “when” • Deploy Patch Management System – So software patches and security updates are installed immediately. In most breach incidents, an instant system update can result in significant decrement in an attack exposure surface. • User access control – security on every click (multiple authentications) and need-to-know basis policy • Establish a comprehensive Incident Response procedure • PCIDSS Compliance – Elevated access work stations must be segregated from the other network. ABC Corp.’s network architecture design was a violation of Payment Card Industry Data Compliance Standard (PCI DSS) • 3rd party security management, enforce expiration dates for all vendor accounts. • Periodical penetration test • Investment in Analytics team • Administration assets and databases should be made only available on ABC Corp’s internal network and completely removed from our public facing servers. Additionally, it must have a secondary authentication that authenticates users with ABC Corps internal Windows network • Don't store sensitive data. "There is no reason to store thousands of records on your customers, especially credit card numbers, expiration dates and CVV2 [card verification value] codes. The risk of a breach outweighs the convenience for your customers at checkout • Layer the security- Add extra layers of security to the website and applications such as contact forms, login boxes and search queries." These measures will ensure that your ecommerce environment is
protected from application-level attacks like SQL (Structured Query Language) injections and cross-site scripting (XSS). • Monitor site regularly--and make sure whoever is hosting it is, too- Tools like Woopra or Clicky allow you to observe how visitors are navigating and interacting with your website in real time, allowing you to detect fraudulent or suspicious behavior. They are capable of sending our alerts to all personnel on alert roster when there is suspicious activity, allowing them to act quickly and prevent suspicious behavior from causing harm. • Also, make sure whoever is hosting the ecommerce site regularly monitors the servers for malware, viruses and other harmful software. Explore the current or potential Web host if they have a plan that includes at least daily scanning, detection and removal of malware and viruses on the website. • Perform regular PCI scans. Perform regular quarterly PCI scans through services like Trustwave to lessen the risk of the ecommerce platform being vulnerable to hacking attempts. If the company is using third-party downloaded software like (Magento or PrestaShop), they must stay on top of new versions with security enhancement. • Patch the systems immediately- literally the day they release a new version. That includes the Web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favorite targets for attackers. Tactical (Near term) We recommend the CISO of ABC Corps to follow the following best practices for Online Retail business in dealing with cyber security threats:  To use the latest endpoint security solutions which base their data collection on kernel-level integration:  CYBERREASON  AORATO • Update employee training to raise user awareness.
• Dedicated subnet for PCI systems – This is a huge design flaw, and needs to re- engineered by the Information Technology/Information Security teams. • Third party penetration test to find vulnerability – for immediate diagnosis of system vulnerabilities. • Separate elevated access accounts from regular accounts. • Introduce “Break Glass” policy – which allows for exceptional elevated access to authorized people if admin access is needed in case of an attack. CISO of the ABC Company should induct an information security strategy, the doctrine of which should be centric around the following policies: • Fixation on penetration prevention - focuses on the adversarial activity that is going on within your network by the use of big-data analytics and machine learning technologies. • Accepting simple explanations. Solution: Always dig deeper. Security events are not caused by error or accident. Every piece of evidence should be over-analysed and malicious intent must always be considered. Because your security teams cannot know all adversarial activities, in a sense they are at a disadvantage; therefore, it is crucial for the teams to over-investigate what they can see in order to reveal other unknown and undetected connecting elements. Security teams must always assume they only see half the picture, working diligently to uncover the rest of the pieces of the puzzle. Example of documents to use: system configuration logs, time logs, intrusion detection logs, employee system usage logs, process actions, file access information, network events and configuration changes on the endpoints • Striving for fast remediation. Solution: Leverage the known. Instead of remediating isolated incidents as fast as possible, the security team should closely monitor the known to understand how it connects to other elements within the environment and strive to reveal the
unknown. For example, an unknown malicious process can be revealed if it is connecting to the same IP address as a detected known malicious process. Moreover, when you reveal to the hackers which of their tools are easy to detect, hackers can purposely deploy, in excess, the known tools to distract and waste the defender’s time. • Focusing on malware. Solution: Focus on the entire attack. Although detecting malware is important, solutions that mainly focus on detecting isolated activity on individual endpoints are unable to properly combat complex hacking operations. Instead, employ a more holistic defense. Leverage automation - analytics and threat intelligence in particular - in order to gain context on the entire malicious operation, as opposed to just the code. Keep in mind that your adversary is a person and malware is one of their most powerful tools, but one of many in their tool kits. ISO27001 Overview In helping ABC Corp. draft their updated information security strategy, we propose the use of ISO 270001. Why? Because it: • Most widely recognized security standard in the world • More flexible and comprehensive in its coverage of security controls • Process centric Information Security Management System (ISMS) Framework • Address Information security issues across industries Information Security Management System (ISMS) Framework can be illustrated by the figure below as essentially a 4 step framework.
ISMS PDCA Model • Review/audit security management and controls •Implement identified improvements, corrective/preve ntive actions • Implement and manage Security controls/proc ess • Define Security Policies and procedures PLAN DO CHECKACT
Implementation Approach  Phase I - Baseline Information Security Assessment • Identify the scope and coverage of Information Security • Assess the Current Environment • Prepare baseline information security assessment report  Phase II - Design of Information Security Policy & Procedures • Establish Security Policy, Organization & Governance • Asset Profiling • Risk Assessment • Risk treatment (Identification of ISO27001 Controls& Additional Controls) • Formulate Information Security Policy & Procedures • Prepare Statement of Accountability  Phase III - Implementation of Information Security Policy • Implementation of Controls • Security Awareness training  Phase IV - Pre Certification Audit  Review by Internal team
NIST Overview NIST Architecture is centred on 5 steps: - Identify Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy - Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training;
Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology. - Detect Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes. - Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements. - Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
In the following section, we will explain how the ISMS Framework, derived from ISO 27001 can be used by ABC Corp. as they define their Information Security Strategy. Information Security Management System (ISMS) Framework 1. Security Policy 2. Organization of Information Security 3. Assets Management 4. Human Resource Security 5. Physical and Environmental Security 6. Communications and Operations Management 7. Access Control 8. Information system acquisition, development and maintenance 9. Information Security Incident Management 10.Business Continuity Planning 11.Compliance
ISMS framework for ABC Corp. • Revisit company policies on a periodic manner -- Security Policy • Assemble an Information Security (IS) group with appointed IS officers who would be responsible for the management and execution of daily tasks and responsibilities required for the security systems and policies to be enforced--Organization of Information Security • Know where everything is, Dispose Assets properly, Maintain inventory of physical and electronic assets-- Asset Management • Awareness and training campaigns aimed at educating employees about the security policy and importance to the company. In the case of ABC Corp. the employee should not have plugged the USB into her workstation to discover its ownership. Neither should the helpdesk personal should have. In addition to employee awareness, the CISO must also implement Vendor Management steps, in order to make sure the third party vendors whose services might be used by ABC Corp. (for example, internet web hosting companies, outsourced data center and help desk services, outsourced security solutions from third party vendors) -- Human Resource Security • Security Cameras must be installed and the corporate facility must be secured. The attacker had access to ABC Corp. employee parking lot and was able to use the garbage disposal to discover vendor name. Corporate perimeters must be secured and budget must be allocated for the hiring of security personnel. -- Physical and Environmental Security • Monitoring the network. Segment PCI network from other subnets -- Operations Management • Elevated access, separate role of duty, need-to-know vs role-based -- Access Control • Process data correctly – Info. system acquisition, development and maintenance • Incident Response Plan -- Information Security Incident Management • Business Continuity Planning (BCP), Public relation -- Business Continuity Planning • Federal, State, International - PCI DSS -- Compliance
1) Security Policy Ensure information security functions are performed by groups. Ensure adequate information security management and coverage. Created to communicate to the organization how to use products (infrastructure/ hardware, applications/software) to make certain there is adequate information security.  An organization’s high level instructions  Computer security rules  Management’s directives or decisions on the use of resources (e.g. email privacy policy.)  Not be confused with the enforcement mechanisms  Benefits  Provides basis and guide for an organization’s security program.  Establish commitment to the security program.  Benchmarks that can be used to track progress.  Ensure consistency within security program.  Provides a due diligence paper trail.  Basic Rules  Don’t conflict with the law.  Can stand up in court, if challenged.  Supported and administered.  Contribute to the success of the organization.  Shared and supported by management.  Formulated with input from end users of information systems.
 Policy: is a high level formal statement sanctioned by senior management about the organization’s information security philosophy and is used to drive the standards.  Standards: are more detailed statements as to what employees must do to comply with policy.  Practices, procedures and guidelines: specify how employees are to comply with policy.  Policy and Law  Policies must be secondary to law.  Polices should specifically state that the law overrides policy if they differ.  Regulators can force organizations to follow policies.  Lawyers should review policies prior to dissemination. o ISO 27001 policy framework The following picture depicts how Policies drive Standards which drive Practices, Procedures and Guidelines.
2) Organization of Information Security  Security Councils  Ensure information security functions are performed by groups  Ensure adequate information security management and coverage.  Coordinate and integrate the information security program across major areas:  Share best practice methods, perform benchmarking and actively work together on industry standards. 3) Assets Management Prioritize assets based on quantifiable metrics that General Management, Information Security and Information must all work in congruence with each other to come up with. Securely dispose of assets that are outdated or provide frivolous access points to a potential attacker. In addition, when data files and physical transaction receipts/files are being disposed, they must be disposed properly and it must be made sure that no body is able to access the information that is disposed. Employees must be trained about the importance of securing their company issued assets like laptops, cell phones, tablets. They must maintain an inventory for the electronic assets of the company so as to keep track of them and also so that all the assets can be backed up when an employee leaves the organisation.
4) Human resource Security  Focus on the security controls needed to minimize the information security and operational risks.  Conduct background checks of employees and companies who are being used for outsourced solutions.  Utilize non-disclosure agreements as needed – to cover the liability issue as well as to make sure that no sensitive information is leaked from the inside.  Create and publish “Need-to-know” and “Need-to-have” policies on information sharing.  Ensure “separation of duties” where appropriate – to ensure that the organizational machinery is not too dependent on any single person or department.  Actively administer user facility and systems access.  Utilize “role-based” access control systems.  Conduct user access reviews.
5) Physical Security The figure above illustrates a labelling mechanism for categorizing the access levels in the physical locations of the company office/headquarter premises.  Physical Security refers to the Practices focused on strategies to protect people, physical assets and the workplace from various threats.  Protect people, physical assets, and the workplace from various threats, including fire, unauthorized access, and natural disasters.  Physical security is at the foundation and core of the “defense-in-depth”  Focuses on:  Security needs for equipment and services  Human resources required for physical security  Financial resources for physical security
 Location of Facility:  Geological risks (seismic zones, flooding, landslides)  Crime, political unrest, social unrest  Accessibility to facility  Review Documentation: check on the up-to-date documentation  Check International/Industry Standards Compliance  Conduct Visual Walk-Through  Evaluate Physical Security Infrastructure 6) Operations Management NIST Special Publication 800-137 – Information Security Continuous Monitoring
Each manager in an organization regardless of their affinity to one of the following communities must make tangible steps to reduce risk in the following manners:  The general management should structure the IT department and the Information Security strategy in such a way that they provide a defence against an attack on the company’s information assets- like data, hardware, software, people, procedures, reports, strategies.  IT management must work to serve the information technology needs of the organization at large, and at the same time leverage the expertise of the information security resources that have been made available to it.  Information Security management must work with diligence, skill and professionalism in congruence with other departments and organizational communities in order to balance the trade-offs between information security and information utility For any organization to manage its risk properly, the managers must be fully aware of the information assets that are valuable to the organization, and how information is stored, transmitted and processed. Risk is inherent in simple organizational decisions like hiring, marketing products, internal//external communication systems, and even in deciding the physical location of the office building. These inherent risks comprise of third party risks (people, processes, technology etc.). All three communities must bear responsibility for the risk management and assessment.  Information Security team : Since this team is the subject matter expert and best understands the risks that are introduced by specific threats and attacks, they must take the leadership role in third party risk assessment.  Information Technology (IT): This team is responsible for building the tools that safeguard a company’s value assets. They have to be very mindful and educated about the risks that are posed to the organization because of the specific technology loopholes and constraints of the software solutions that the company has implemented. They must also implement proper control mechanisms to monitor and control risk.
 Management and users-at-large : This group, if well educated about the importance of information security, often times plays the role of first layer in Detection and Response. They must also be responsible for allocating enough resources (money and human resources) into the IT and Information Security teams. The Information Security Risk Assessment should mandate around the cyclic steps listed below. Of course we can go in great extents about the details of each of the steps, but that would go beyond the scope of the project. START  Evaluation of Risk controls  Determinations of cost-effectiveness of control options  Installation of the proper controls  Overseeing the controls  Identification of the risks  Assessment of the risks  Summarization of the findings GO TO THE FIRST STEP The threats the above proposes cyclic steps should be looking out for are time varying and ever-evolving. However some of the basic and ever present- threats as well as some new ones to look out for are listed below: • Human mistakes • Intellectual Property • Intentional trespassing • Information extortion • Actions aimed at sabotaging and destruction of assets
• Theft • Software assault • Natural calamities • Compromising of quality • Hardware malfunctioning • Software failure • Obsolescence of technology 7) Access Control As discussed previously as well, access control policies include: • Personnel with Elevated Access should be segregated from the regular front facing IP domains. • “Need to know” / “Role-based” Access Control Lists (ACL’s) • “Security on every click” – multiple credentials login for secure resources access • Linux strengthening by standardization using :  Standard Operating Environment (SOE)  Standard Operating Environment Management Platform (SOEMP) • Access Control managed centrally using platforms such as Centrify or IdM.
8) Information System Maintenance • Process data with latest encryption standards. Example: – AES for Wireless Communication  Deploy Patch Management System - literally the day they release a new version. That includes the Web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favorite targets for attackers." "Breached sites are constantly found running a three-year-old version of PHP or ColdFusion from 2007," says Pogue. So it's critical you install patches on all software: "Your Web apps, Xcart, OSCommerce, ZenCart and any of the others all need to be patched regularly." • Third party maintenance for all functions including functions outsourced to third party services e.g. : – Database management – Software development – Web site hosting Make sure whoever is providing these third party services regularly monitors the servers for malware, viruses and other harmful software. Explore the current or potential Web host if they have a plan that includes at least daily scanning, detection and removal of malware and viruses on the website.
9) Incident Management and Business Continuity planning (BCP) Figure: Threat scenarios response ABC Corp. should use:  Intrusion Detection and Prevention Systems (IDPS)  Log Management technologies and best practices  Threat modeling frame works like:  STRIDE  DREAD  Trike  CVSS  OCTAVE
to come up with threat scenarios responses:  Incident Reaction Planning  Disaster Recovery Planning  Business Continuity Planning After an incident has occurred the analytics and diagnostic tools must be run to immediately report upon the statistics of the breach, and how the business is going to recover from it. Business Continuity Planning refers to a set of procedures, policies, strategies for reaching out to the 20 million customers whose information was stolen, and making sure that their loyalty is retained. BCP for ABC Corp. includes reaching out to the customers, notifying them, enduring then that appropriate measure have been taken to make sure that the organization is doing everything possible to limit the extent of the damage. Public Relations and customer detainment teams must kick into action
10) Compliance ABC Corp. must meet the following necessary information security-related legal and regulatory compliance requirements.  State data breach notification  Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.  Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).  Federal regulations  Federal Information Security Management Act (FISMA)  Gramm–Leach–Bliley Act (GLBA)  Health Insurance Portability and Accountability Act of 1996 (HIPAA)  Sarbanes–Oxley Act (SOX)  International standards  Payment Card Industry Data Security Standard (PCI DSS)
11) Information Security Measures Information security dashboards used to measure the effectiveness of security controls – both technical and managerial.  Benefits • Increased Accountability • Improve Information Security Effectiveness • Demonstrate Compliance • Provide Quantifiable Inputs for Resource Allocation Decisions  Success Factors • Strong Upper-Level Management Support • Practical Information Security Policies & Procedures • Quantifiable Performance Measures • Results-oriented Measures Analysis  Roles and Responsibilities • Agency Head / Chief Information Officer • Senior Information Security Officer • Program Manager/Information System Owner • Information System Security Officer • Additional stakeholders
12) Security Testing Security testing must be conducted on a regular basis, by both third party services and by in-house information security (IS) and information technology (IT) teams. The security testing must essentially be of three types:  Acceptance Testing o User acceptance testing o Operational acceptance testing (OAT) o Contract and regulation acceptance testing o Alpha and beta testing  Social Engineering o Pretexting o Diversion o Phishing o IVR/Phone Phishing  Penetration Testing – NIST Four Phases o Planning o Discovery o Attack o Reporting
 Thank you
Bibliography  https://www.pcicomplianceguide.org/pci-faqs-2/#21  http://www.networkworld.com/article/2931587/network- security/breach-detection-five-fatal-flaws-and-how-to-avoid-them.html  https://www.solutionary.com/resource-center/blog/2016/02/big-data- advancing-cybersecurity/   https://securityintelligence.com/cyber-security-challenges-how-do- retailers-protect-the-bottom-line/  http://www.darkreading.com/risk/compliance/report-some-retail- firms-still-dont-recognize-cyber-security-risks/d/d-id/1234833  https://www2.deloitte.com/content/dam/Deloitte/pe/Documents/risk /us-risk-2014-retail-cyber-risk-report-040715.pdf  Deloitte, Cyber risk in retail Protecting the retail business to secure tomorrow’s growth  Dell, Easy Patch Management for you IT Department https://software.dell.com/reglanding/2844/
ProjectReport_Finalversion

More Related Content

PPTX
IBM Q-radar security intelligence roadmap
DATA SECURITY SOLUTIONS
 
PDF
IBM Qradar-Advisor
Luigi Perrone
 
PDF
SIEM enabled risk management , SOC and GRC v1.0
Rasmi Swain
 
PDF
cybersecurity_alert_feb_12_2015
Paul Ferrillo
 
PDF
Intrusion Detection System using Data Mining
IRJET Journal
 
PPTX
Privileged Account Management - Keep your logins safe
Jens Albrecht
 
PDF
What’s the State of Your Endpoint Security?
IBM Security
 
PPTX
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
IBM Security
 
IBM Q-radar security intelligence roadmap
DATA SECURITY SOLUTIONS
 
IBM Qradar-Advisor
Luigi Perrone
 
SIEM enabled risk management , SOC and GRC v1.0
Rasmi Swain
 
cybersecurity_alert_feb_12_2015
Paul Ferrillo
 
Intrusion Detection System using Data Mining
IRJET Journal
 
Privileged Account Management - Keep your logins safe
Jens Albrecht
 
What’s the State of Your Endpoint Security?
IBM Security
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
IBM Security
 

What's hot (20)

PDF
Vulnerability Management
GFI Software
 
PDF
Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar
IBM Security
 
DOC
Daddy Thwane. CV
Daddy Jonathan Thwane
 
PDF
Cutting Through the Software License Jungle: Stay Safe and Control Costs
IBM Security
 
PPTX
Threat Modeling - Writing Secure Code
Caleb Jenkins
 
PDF
Managing privileged account security
Raleigh ISSA
 
PPTX
IBM Security QRadar
Virginia Fernandez
 
PDF
Malware on Smartphones and Tablets: The Inconvenient Truth
IBM Security
 
PPT
Redefining Endpoint Security
Burak DAYIOGLU
 
PDF
Top Cybersecurity Threats and How SIEM Protects Against Them
SBWebinars
 
PDF
How to Choose the Right Security Information and Event Management (SIEM) Solu...
IBM Security
 
PPTX
Extending QRadar’s reach and simplifying incident response with BigFix
Luigi Delgrosso
 
PPTX
4 Ways to Build your Immunity to Cyberthreats
IBM Security
 
PPTX
Managed Security Services from Symantec
Arrow ECS UK
 
PPTX
Owasp Proactive Controls for Web developer
Sameer Paradia
 
PDF
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Andris Soroka
 
PPT
Core.co.enterprise.deck.06.16.10
Core Security Technologies
 
PPTX
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
IBM Security
 
PDF
Use Exabeam Smart Timelines to improve your SOC efficiency
JonathanPritchard12
 
PDF
Cis controls v8_guide (1)
MHumaamAl
 
Vulnerability Management
GFI Software
 
Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar
IBM Security
 
Daddy Thwane. CV
Daddy Jonathan Thwane
 
Cutting Through the Software License Jungle: Stay Safe and Control Costs
IBM Security
 
Threat Modeling - Writing Secure Code
Caleb Jenkins
 
Managing privileged account security
Raleigh ISSA
 
IBM Security QRadar
Virginia Fernandez
 
Malware on Smartphones and Tablets: The Inconvenient Truth
IBM Security
 
Redefining Endpoint Security
Burak DAYIOGLU
 
Top Cybersecurity Threats and How SIEM Protects Against Them
SBWebinars
 
How to Choose the Right Security Information and Event Management (SIEM) Solu...
IBM Security
 
Extending QRadar’s reach and simplifying incident response with BigFix
Luigi Delgrosso
 
4 Ways to Build your Immunity to Cyberthreats
IBM Security
 
Managed Security Services from Symantec
Arrow ECS UK
 
Owasp Proactive Controls for Web developer
Sameer Paradia
 
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Andris Soroka
 
Core.co.enterprise.deck.06.16.10
Core Security Technologies
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
IBM Security
 
Use Exabeam Smart Timelines to improve your SOC efficiency
JonathanPritchard12
 
Cis controls v8_guide (1)
MHumaamAl
 
Ad

Similar to ProjectReport_Finalversion (20)

PPTX
Retail Security: Closing the Threat Gap
Tripwire
 
PPTX
CRI Retail Cyber Threats
OCTF Industry Engagement
 
PDF
Cybersecurity- What Retailers Need To Know
Shantam Goel
 
PPT
Security Compliance Web Application Risk Management
Marco Morana
 
PPTX
2013 PMA Business Security Insights
gotopaz
 
PDF
The challenges of Retail Security
IBM Software India
 
PPTX
Retail Excellence Ireland - Cyber Threats 2015 Overview
OCTF Industry Engagement
 
PPTX
Core Elements of Retail LP Shortened version 15MB
Alan Greggo
 
PDF
BEA Presentation
Glenn E. Davis
 
PDF
IDC Best Practices in Private Sector Cyber Security
inside-BigData.com
 
PPTX
The Evolution of Cybercrime
Stephen Cobb
 
DOCX
Intro to Information AssuranceModule 3Chaston Carter0417.docx
normanibarber20063
 
PPTX
ISACA New York Metro April 30 2012
Ulf Mattsson
 
PDF
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
PPTX
NRF Presentation v2
Pete Pouridis
 
PDF
Protecting Personal Information: A Guide for Business
- Mark - Fullbright
 
PDF
Information Security
Madushan Sandaruwan
 
PPTX
Powerpoint v7
Veronica Pereira
 
PPTX
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
Ulf Mattsson
 
PPT
Powerpoint mack jackson
aiimnevada
 
Retail Security: Closing the Threat Gap
Tripwire
 
CRI Retail Cyber Threats
OCTF Industry Engagement
 
Cybersecurity- What Retailers Need To Know
Shantam Goel
 
Security Compliance Web Application Risk Management
Marco Morana
 
2013 PMA Business Security Insights
gotopaz
 
The challenges of Retail Security
IBM Software India
 
Retail Excellence Ireland - Cyber Threats 2015 Overview
OCTF Industry Engagement
 
Core Elements of Retail LP Shortened version 15MB
Alan Greggo
 
BEA Presentation
Glenn E. Davis
 
IDC Best Practices in Private Sector Cyber Security
inside-BigData.com
 
The Evolution of Cybercrime
Stephen Cobb
 
Intro to Information AssuranceModule 3Chaston Carter0417.docx
normanibarber20063
 
ISACA New York Metro April 30 2012
Ulf Mattsson
 
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
NRF Presentation v2
Pete Pouridis
 
Protecting Personal Information: A Guide for Business
- Mark - Fullbright
 
Information Security
Madushan Sandaruwan
 
Powerpoint v7
Veronica Pereira
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
Ulf Mattsson
 
Powerpoint mack jackson
aiimnevada
 
Ad

More from Mamoon Ismail Khalid (20)

PDF
Caring.ai - AI + Voice Agent co-pilot for all things dementia
Mamoon Ismail Khalid
 
PPTX
REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%
Mamoon Ismail Khalid
 
PPTX
Network Traffic Adaptable Image Codec - A solution to make streaming faster
Mamoon Ismail Khalid
 
PDF
Hospital Management and Inventory Control Solution for Public Hospitals in De...
Mamoon Ismail Khalid
 
PDF
ATLAS - Product Requirement Document.pdf
Mamoon Ismail Khalid
 
PDF
T(X) Innoway - Prediction Algorithm design.pdf
Mamoon Ismail Khalid
 
PDF
Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...
Mamoon Ismail Khalid
 
PDF
Golf Swing Analysis and Posture Correction System
Mamoon Ismail Khalid
 
PDF
24 ideas to revive any developing country.pdf
Mamoon Ismail Khalid
 
PDF
#2 - Smart Bins - Returnable Plastic Ecosystem.pdf
Mamoon Ismail Khalid
 
PDF
PyTorch to detect Humans Eating Food.pdf
Mamoon Ismail Khalid
 
PDF
Future of agriculture agriculture - technology is a necessity in 2020 and beyond
Mamoon Ismail Khalid
 
PDF
Nano mos25
Mamoon Ismail Khalid
 
PDF
Real estate in blockchain (2)
Mamoon Ismail Khalid
 
PDF
Cohort analysis saa s (1)
Mamoon Ismail Khalid
 
PDF
ISA backed technology skills platform
Mamoon Ismail Khalid
 
PDF
Start up valuation methods
Mamoon Ismail Khalid
 
PDF
Analysis mvp factory
Mamoon Ismail Khalid
 
DOCX
Detect Negative and Positive sentiment in user reviews using python word2vec ...
Mamoon Ismail Khalid
 
PDF
Detect spam comments youtube videos and app store reviews
Mamoon Ismail Khalid
 
Caring.ai - AI + Voice Agent co-pilot for all things dementia
Mamoon Ismail Khalid
 
REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%
Mamoon Ismail Khalid
 
Network Traffic Adaptable Image Codec - A solution to make streaming faster
Mamoon Ismail Khalid
 
Hospital Management and Inventory Control Solution for Public Hospitals in De...
Mamoon Ismail Khalid
 
ATLAS - Product Requirement Document.pdf
Mamoon Ismail Khalid
 
T(X) Innoway - Prediction Algorithm design.pdf
Mamoon Ismail Khalid
 
Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...
Mamoon Ismail Khalid
 
Golf Swing Analysis and Posture Correction System
Mamoon Ismail Khalid
 
24 ideas to revive any developing country.pdf
Mamoon Ismail Khalid
 
#2 - Smart Bins - Returnable Plastic Ecosystem.pdf
Mamoon Ismail Khalid
 
PyTorch to detect Humans Eating Food.pdf
Mamoon Ismail Khalid
 
Future of agriculture agriculture - technology is a necessity in 2020 and beyond
Mamoon Ismail Khalid
 
Nano mos25
Mamoon Ismail Khalid
 
Real estate in blockchain (2)
Mamoon Ismail Khalid
 
Cohort analysis saa s (1)
Mamoon Ismail Khalid
 
ISA backed technology skills platform
Mamoon Ismail Khalid
 
Start up valuation methods
Mamoon Ismail Khalid
 
Analysis mvp factory
Mamoon Ismail Khalid
 
Detect Negative and Positive sentiment in user reviews using python word2vec ...
Mamoon Ismail Khalid
 
Detect spam comments youtube videos and app store reviews
Mamoon Ismail Khalid
 

ProjectReport_Finalversion

  • 1. ABC Corp. Retail Store Information Security Management System By Antony Chou and Mamoon Khalid
  • 2.  Background  Incident Summary  Failures  Solutions  Strategic (Long term) Solutions  Tactical (Short term) Solutions  ISO 27001  ISMS PDCA Model  NIST Overview  Information Security Management System (ISMS) Framework  ISMS for ABC Corp.  Bibliography
  • 3. Background ABC Corp is a regular Retail Store with an online business “The financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident,” - Mark Yourek , IBM’s Global Retail Solution Lead Here are some are some other statistics that highlight the role of a strong security strategy in retail stores, especially ones with e-commerce platforms as well. • Almost one-tenth of retailers haven’t reported any cyber risks in financial documents filed with the SEC since 2011. • Only 9 percent consider outsourced vendors a potential threat source • Less than 10 percent have purchased insurance to cover any cyber exposures, accidental or otherwise. • Almost half (49%) of retail companies cited the use of technical safeguards as a chief remedy for cyber risk - Source: Dark Reading, Report: Some Retail Firms Still Don't Recognize Cyber Security Risks In other words, retailers don’t seem that concerned as far as their cyber security strategies are concerned. Not since attacks like the Target breach came to surface. That is the reason we decided to study a hypothetical attack scenario for a retail corporation with an online business. The following figure illustrates some more statistics about the cyber-attacks to retail businesses over the years.
  • 4. Incident Summary An ABC Corp. employee accidentally picked an USB drive from the parking lot and bought it to her work station. She plugs into her computer to check if the owner’s information could be found. Not finding anything, the USB sticker was submitted to the helpdesk personal, who has elevated access on his account. When the helpdesk person plugin the USB driver to his computer, the virus named as “Virus”, was copied to the servers and to all the workstations his elevated access allowed him to access. As a result of this the malicious code was be able to check the Active directory for an old contract account. And found that the account was still active. As is usually the case, the virus didn’t get activated right away, and instead it stayed stealth and slowly and gradually was copied to all the POS system. This slow and residual growth of the virus is engineered so as not to arouse suspicion in the usual “signature-based” security solutions that are employed by most corporations. The malware script used the compromised machine as a pivot to launch the exploit which attached the database server, and hence exploited a SQL server using SQL SQL Injection Attack tool. Now wwhenever in-store customers swipe their credit cards and debit cards on the store PCS systems, the virus keeps the records and outputs it to a file. Magnitude of Incident: • After three busy holiday shopping month, the attacker was able to gather 20 million customers credit card information. • This database was sent to overseas servers and later shown up in underground black market.
  • 5. Attackers Pre-knowledge: • Hacker found vendor name from garbage bin • Discovered that Log files only go back 30 days Current Controls ABC Corp. is a major retail store selling consumer products both online and in the store. As per usual, customer uses Cash, Credit and Debit card on the POS terminal in store. The current controls in place to support ABC Corp.’s current information security policy: – Antiviruses installed on every machine – Incident triggered review policy – “signature-based” security solutions, which tried to identify known, malicious code patterns and block them – Internet De-militarized zone (DMZ )for online store – Dedicated subnets for external facing web servers – Firewalls and router Access Control Lists (ACLs) for access controls – Regular third party penetration tests – Database kept online customers’ contact and payment information – Database encrypted credit and debit card numbers, but not user names and contact information.
  • 6. Failures To understand the root causes of the attack, we would essentially have to look at the: Policy failures: 1) Failure to properly block USB/Media ports upon the discovery of the breach 2) Lack of awareness on the employees part 3) Failure to install patches for SQL vulnerabilities on time 4) No expiration dates for user accounts – vastly expands the attack exposure surface 5) User account with admin access Design failures: 1) PCI DSS shares same network subnet from the main network - PCI POS systems were not segmented 2) External facing servers directly on public IP address 3) Elevated user accounts were not separated from regular accounts 4) Database server that scheduled patch installs and updates were failing with no further investigation as to why that was happening. 5) Log file only keeps past 30 days data 6) USB/Media ports were not disabled on all workstations. 7) Outside vendor account still active after contract is over 8) Database structure flaws: a. Tables weren’t normalized. Allowed for account information, credit card transactions and order information to be compromised easily
  • 7. 9) Web server code flaws a. Didn’t use parameters which automatically encode data being passed back to the database b. No client or server side user input error handling present c. Allowed unlimited login attempts Solutions Such breach incidents can be fatal to a business, even more so to an online business. The solutions to recovery from such incident can be broken into tactical (short term)and strategic (long term) Strategic (Long Term) There needs to be a paradigm shift in the way retail businesses look at the essentiality of a comprehensive cybersecurity and the implications of not doing that. Along the technology lines, there needs to be as shift in focus from the old and soon to be driven to become obsolete by necessity, “signature” based solutions to a more “behavioural/analytics” based solutions that employ big data technologies to detect minor system anomalies that could potentially be malware attacks.
  • 9. • Continuous monitoring system – by both Third-Party vendors and Information Technology/Information Security teams. • Raise employee awareness training – There should be periodic information security awareness seminars and awareness campaigns. Information Security should be inculcated in the Professional Development program (if there is any such initiative already in place). CISO’s need to stress the severity of a compromise to the employees, and educate them to adopt a constant state of caution. The paradigm needs to be shifted from a “if” to a “when” • Deploy Patch Management System – So software patches and security updates are installed immediately. In most breach incidents, an instant system update can result in significant decrement in an attack exposure surface. • User access control – security on every click (multiple authentications) and need-to-know basis policy • Establish a comprehensive Incident Response procedure • PCIDSS Compliance – Elevated access work stations must be segregated from the other network. ABC Corp.’s network architecture design was a violation of Payment Card Industry Data Compliance Standard (PCI DSS) • 3rd party security management, enforce expiration dates for all vendor accounts. • Periodical penetration test • Investment in Analytics team • Administration assets and databases should be made only available on ABC Corp’s internal network and completely removed from our public facing servers. Additionally, it must have a secondary authentication that authenticates users with ABC Corps internal Windows network • Don't store sensitive data. "There is no reason to store thousands of records on your customers, especially credit card numbers, expiration dates and CVV2 [card verification value] codes. The risk of a breach outweighs the convenience for your customers at checkout • Layer the security- Add extra layers of security to the website and applications such as contact forms, login boxes and search queries." These measures will ensure that your ecommerce environment is
  • 10. protected from application-level attacks like SQL (Structured Query Language) injections and cross-site scripting (XSS). • Monitor site regularly--and make sure whoever is hosting it is, too- Tools like Woopra or Clicky allow you to observe how visitors are navigating and interacting with your website in real time, allowing you to detect fraudulent or suspicious behavior. They are capable of sending our alerts to all personnel on alert roster when there is suspicious activity, allowing them to act quickly and prevent suspicious behavior from causing harm. • Also, make sure whoever is hosting the ecommerce site regularly monitors the servers for malware, viruses and other harmful software. Explore the current or potential Web host if they have a plan that includes at least daily scanning, detection and removal of malware and viruses on the website. • Perform regular PCI scans. Perform regular quarterly PCI scans through services like Trustwave to lessen the risk of the ecommerce platform being vulnerable to hacking attempts. If the company is using third-party downloaded software like (Magento or PrestaShop), they must stay on top of new versions with security enhancement. • Patch the systems immediately- literally the day they release a new version. That includes the Web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favorite targets for attackers. Tactical (Near term) We recommend the CISO of ABC Corps to follow the following best practices for Online Retail business in dealing with cyber security threats:  To use the latest endpoint security solutions which base their data collection on kernel-level integration:  CYBERREASON  AORATO • Update employee training to raise user awareness.
  • 11. • Dedicated subnet for PCI systems – This is a huge design flaw, and needs to re- engineered by the Information Technology/Information Security teams. • Third party penetration test to find vulnerability – for immediate diagnosis of system vulnerabilities. • Separate elevated access accounts from regular accounts. • Introduce “Break Glass” policy – which allows for exceptional elevated access to authorized people if admin access is needed in case of an attack. CISO of the ABC Company should induct an information security strategy, the doctrine of which should be centric around the following policies: • Fixation on penetration prevention - focuses on the adversarial activity that is going on within your network by the use of big-data analytics and machine learning technologies. • Accepting simple explanations. Solution: Always dig deeper. Security events are not caused by error or accident. Every piece of evidence should be over-analysed and malicious intent must always be considered. Because your security teams cannot know all adversarial activities, in a sense they are at a disadvantage; therefore, it is crucial for the teams to over-investigate what they can see in order to reveal other unknown and undetected connecting elements. Security teams must always assume they only see half the picture, working diligently to uncover the rest of the pieces of the puzzle. Example of documents to use: system configuration logs, time logs, intrusion detection logs, employee system usage logs, process actions, file access information, network events and configuration changes on the endpoints • Striving for fast remediation. Solution: Leverage the known. Instead of remediating isolated incidents as fast as possible, the security team should closely monitor the known to understand how it connects to other elements within the environment and strive to reveal the
  • 12. unknown. For example, an unknown malicious process can be revealed if it is connecting to the same IP address as a detected known malicious process. Moreover, when you reveal to the hackers which of their tools are easy to detect, hackers can purposely deploy, in excess, the known tools to distract and waste the defender’s time. • Focusing on malware. Solution: Focus on the entire attack. Although detecting malware is important, solutions that mainly focus on detecting isolated activity on individual endpoints are unable to properly combat complex hacking operations. Instead, employ a more holistic defense. Leverage automation - analytics and threat intelligence in particular - in order to gain context on the entire malicious operation, as opposed to just the code. Keep in mind that your adversary is a person and malware is one of their most powerful tools, but one of many in their tool kits. ISO27001 Overview In helping ABC Corp. draft their updated information security strategy, we propose the use of ISO 270001. Why? Because it: • Most widely recognized security standard in the world • More flexible and comprehensive in its coverage of security controls • Process centric Information Security Management System (ISMS) Framework • Address Information security issues across industries Information Security Management System (ISMS) Framework can be illustrated by the figure below as essentially a 4 step framework.
  • 13. ISMS PDCA Model • Review/audit security management and controls •Implement identified improvements, corrective/preve ntive actions • Implement and manage Security controls/proc ess • Define Security Policies and procedures PLAN DO CHECKACT
  • 14. Implementation Approach  Phase I - Baseline Information Security Assessment • Identify the scope and coverage of Information Security • Assess the Current Environment • Prepare baseline information security assessment report  Phase II - Design of Information Security Policy & Procedures • Establish Security Policy, Organization & Governance • Asset Profiling • Risk Assessment • Risk treatment (Identification of ISO27001 Controls& Additional Controls) • Formulate Information Security Policy & Procedures • Prepare Statement of Accountability  Phase III - Implementation of Information Security Policy • Implementation of Controls • Security Awareness training  Phase IV - Pre Certification Audit  Review by Internal team
  • 15. NIST Overview NIST Architecture is centred on 5 steps: - Identify Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy - Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training;
  • 16. Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology. - Detect Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes. - Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements. - Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • 17. In the following section, we will explain how the ISMS Framework, derived from ISO 27001 can be used by ABC Corp. as they define their Information Security Strategy. Information Security Management System (ISMS) Framework 1. Security Policy 2. Organization of Information Security 3. Assets Management 4. Human Resource Security 5. Physical and Environmental Security 6. Communications and Operations Management 7. Access Control 8. Information system acquisition, development and maintenance 9. Information Security Incident Management 10.Business Continuity Planning 11.Compliance
  • 18. ISMS framework for ABC Corp. • Revisit company policies on a periodic manner -- Security Policy • Assemble an Information Security (IS) group with appointed IS officers who would be responsible for the management and execution of daily tasks and responsibilities required for the security systems and policies to be enforced--Organization of Information Security • Know where everything is, Dispose Assets properly, Maintain inventory of physical and electronic assets-- Asset Management • Awareness and training campaigns aimed at educating employees about the security policy and importance to the company. In the case of ABC Corp. the employee should not have plugged the USB into her workstation to discover its ownership. Neither should the helpdesk personal should have. In addition to employee awareness, the CISO must also implement Vendor Management steps, in order to make sure the third party vendors whose services might be used by ABC Corp. (for example, internet web hosting companies, outsourced data center and help desk services, outsourced security solutions from third party vendors) -- Human Resource Security • Security Cameras must be installed and the corporate facility must be secured. The attacker had access to ABC Corp. employee parking lot and was able to use the garbage disposal to discover vendor name. Corporate perimeters must be secured and budget must be allocated for the hiring of security personnel. -- Physical and Environmental Security • Monitoring the network. Segment PCI network from other subnets -- Operations Management • Elevated access, separate role of duty, need-to-know vs role-based -- Access Control • Process data correctly – Info. system acquisition, development and maintenance • Incident Response Plan -- Information Security Incident Management • Business Continuity Planning (BCP), Public relation -- Business Continuity Planning • Federal, State, International - PCI DSS -- Compliance
  • 19. 1) Security Policy Ensure information security functions are performed by groups. Ensure adequate information security management and coverage. Created to communicate to the organization how to use products (infrastructure/ hardware, applications/software) to make certain there is adequate information security.  An organization’s high level instructions  Computer security rules  Management’s directives or decisions on the use of resources (e.g. email privacy policy.)  Not be confused with the enforcement mechanisms  Benefits  Provides basis and guide for an organization’s security program.  Establish commitment to the security program.  Benchmarks that can be used to track progress.  Ensure consistency within security program.  Provides a due diligence paper trail.  Basic Rules  Don’t conflict with the law.  Can stand up in court, if challenged.  Supported and administered.  Contribute to the success of the organization.  Shared and supported by management.  Formulated with input from end users of information systems.
  • 20.  Policy: is a high level formal statement sanctioned by senior management about the organization’s information security philosophy and is used to drive the standards.  Standards: are more detailed statements as to what employees must do to comply with policy.  Practices, procedures and guidelines: specify how employees are to comply with policy.  Policy and Law  Policies must be secondary to law.  Polices should specifically state that the law overrides policy if they differ.  Regulators can force organizations to follow policies.  Lawyers should review policies prior to dissemination. o ISO 27001 policy framework The following picture depicts how Policies drive Standards which drive Practices, Procedures and Guidelines.
  • 21. 2) Organization of Information Security  Security Councils  Ensure information security functions are performed by groups  Ensure adequate information security management and coverage.  Coordinate and integrate the information security program across major areas:  Share best practice methods, perform benchmarking and actively work together on industry standards. 3) Assets Management Prioritize assets based on quantifiable metrics that General Management, Information Security and Information must all work in congruence with each other to come up with. Securely dispose of assets that are outdated or provide frivolous access points to a potential attacker. In addition, when data files and physical transaction receipts/files are being disposed, they must be disposed properly and it must be made sure that no body is able to access the information that is disposed. Employees must be trained about the importance of securing their company issued assets like laptops, cell phones, tablets. They must maintain an inventory for the electronic assets of the company so as to keep track of them and also so that all the assets can be backed up when an employee leaves the organisation.
  • 22. 4) Human resource Security  Focus on the security controls needed to minimize the information security and operational risks.  Conduct background checks of employees and companies who are being used for outsourced solutions.  Utilize non-disclosure agreements as needed – to cover the liability issue as well as to make sure that no sensitive information is leaked from the inside.  Create and publish “Need-to-know” and “Need-to-have” policies on information sharing.  Ensure “separation of duties” where appropriate – to ensure that the organizational machinery is not too dependent on any single person or department.  Actively administer user facility and systems access.  Utilize “role-based” access control systems.  Conduct user access reviews.
  • 23. 5) Physical Security The figure above illustrates a labelling mechanism for categorizing the access levels in the physical locations of the company office/headquarter premises.  Physical Security refers to the Practices focused on strategies to protect people, physical assets and the workplace from various threats.  Protect people, physical assets, and the workplace from various threats, including fire, unauthorized access, and natural disasters.  Physical security is at the foundation and core of the “defense-in-depth”  Focuses on:  Security needs for equipment and services  Human resources required for physical security  Financial resources for physical security
  • 24.  Location of Facility:  Geological risks (seismic zones, flooding, landslides)  Crime, political unrest, social unrest  Accessibility to facility  Review Documentation: check on the up-to-date documentation  Check International/Industry Standards Compliance  Conduct Visual Walk-Through  Evaluate Physical Security Infrastructure 6) Operations Management NIST Special Publication 800-137 – Information Security Continuous Monitoring
  • 25. Each manager in an organization regardless of their affinity to one of the following communities must make tangible steps to reduce risk in the following manners:  The general management should structure the IT department and the Information Security strategy in such a way that they provide a defence against an attack on the company’s information assets- like data, hardware, software, people, procedures, reports, strategies.  IT management must work to serve the information technology needs of the organization at large, and at the same time leverage the expertise of the information security resources that have been made available to it.  Information Security management must work with diligence, skill and professionalism in congruence with other departments and organizational communities in order to balance the trade-offs between information security and information utility For any organization to manage its risk properly, the managers must be fully aware of the information assets that are valuable to the organization, and how information is stored, transmitted and processed. Risk is inherent in simple organizational decisions like hiring, marketing products, internal//external communication systems, and even in deciding the physical location of the office building. These inherent risks comprise of third party risks (people, processes, technology etc.). All three communities must bear responsibility for the risk management and assessment.  Information Security team : Since this team is the subject matter expert and best understands the risks that are introduced by specific threats and attacks, they must take the leadership role in third party risk assessment.  Information Technology (IT): This team is responsible for building the tools that safeguard a company’s value assets. They have to be very mindful and educated about the risks that are posed to the organization because of the specific technology loopholes and constraints of the software solutions that the company has implemented. They must also implement proper control mechanisms to monitor and control risk.
  • 26.  Management and users-at-large : This group, if well educated about the importance of information security, often times plays the role of first layer in Detection and Response. They must also be responsible for allocating enough resources (money and human resources) into the IT and Information Security teams. The Information Security Risk Assessment should mandate around the cyclic steps listed below. Of course we can go in great extents about the details of each of the steps, but that would go beyond the scope of the project. START  Evaluation of Risk controls  Determinations of cost-effectiveness of control options  Installation of the proper controls  Overseeing the controls  Identification of the risks  Assessment of the risks  Summarization of the findings GO TO THE FIRST STEP The threats the above proposes cyclic steps should be looking out for are time varying and ever-evolving. However some of the basic and ever present- threats as well as some new ones to look out for are listed below: • Human mistakes • Intellectual Property • Intentional trespassing • Information extortion • Actions aimed at sabotaging and destruction of assets
  • 27. • Theft • Software assault • Natural calamities • Compromising of quality • Hardware malfunctioning • Software failure • Obsolescence of technology 7) Access Control As discussed previously as well, access control policies include: • Personnel with Elevated Access should be segregated from the regular front facing IP domains. • “Need to know” / “Role-based” Access Control Lists (ACL’s) • “Security on every click” – multiple credentials login for secure resources access • Linux strengthening by standardization using :  Standard Operating Environment (SOE)  Standard Operating Environment Management Platform (SOEMP) • Access Control managed centrally using platforms such as Centrify or IdM.
  • 28. 8) Information System Maintenance • Process data with latest encryption standards. Example: – AES for Wireless Communication  Deploy Patch Management System - literally the day they release a new version. That includes the Web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favorite targets for attackers." "Breached sites are constantly found running a three-year-old version of PHP or ColdFusion from 2007," says Pogue. So it's critical you install patches on all software: "Your Web apps, Xcart, OSCommerce, ZenCart and any of the others all need to be patched regularly." • Third party maintenance for all functions including functions outsourced to third party services e.g. : – Database management – Software development – Web site hosting Make sure whoever is providing these third party services regularly monitors the servers for malware, viruses and other harmful software. Explore the current or potential Web host if they have a plan that includes at least daily scanning, detection and removal of malware and viruses on the website.
  • 29. 9) Incident Management and Business Continuity planning (BCP) Figure: Threat scenarios response ABC Corp. should use:  Intrusion Detection and Prevention Systems (IDPS)  Log Management technologies and best practices  Threat modeling frame works like:  STRIDE  DREAD  Trike  CVSS  OCTAVE
  • 30. to come up with threat scenarios responses:  Incident Reaction Planning  Disaster Recovery Planning  Business Continuity Planning After an incident has occurred the analytics and diagnostic tools must be run to immediately report upon the statistics of the breach, and how the business is going to recover from it. Business Continuity Planning refers to a set of procedures, policies, strategies for reaching out to the 20 million customers whose information was stolen, and making sure that their loyalty is retained. BCP for ABC Corp. includes reaching out to the customers, notifying them, enduring then that appropriate measure have been taken to make sure that the organization is doing everything possible to limit the extent of the damage. Public Relations and customer detainment teams must kick into action
  • 31. 10) Compliance ABC Corp. must meet the following necessary information security-related legal and regulatory compliance requirements.  State data breach notification  Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.  Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).  Federal regulations  Federal Information Security Management Act (FISMA)  Gramm–Leach–Bliley Act (GLBA)  Health Insurance Portability and Accountability Act of 1996 (HIPAA)  Sarbanes–Oxley Act (SOX)  International standards  Payment Card Industry Data Security Standard (PCI DSS)
  • 32. 11) Information Security Measures Information security dashboards used to measure the effectiveness of security controls – both technical and managerial.  Benefits • Increased Accountability • Improve Information Security Effectiveness • Demonstrate Compliance • Provide Quantifiable Inputs for Resource Allocation Decisions  Success Factors • Strong Upper-Level Management Support • Practical Information Security Policies & Procedures • Quantifiable Performance Measures • Results-oriented Measures Analysis  Roles and Responsibilities • Agency Head / Chief Information Officer • Senior Information Security Officer • Program Manager/Information System Owner • Information System Security Officer • Additional stakeholders
  • 33. 12) Security Testing Security testing must be conducted on a regular basis, by both third party services and by in-house information security (IS) and information technology (IT) teams. The security testing must essentially be of three types:  Acceptance Testing o User acceptance testing o Operational acceptance testing (OAT) o Contract and regulation acceptance testing o Alpha and beta testing  Social Engineering o Pretexting o Diversion o Phishing o IVR/Phone Phishing  Penetration Testing – NIST Four Phases o Planning o Discovery o Attack o Reporting
  • 35. Bibliography  https://www.pcicomplianceguide.org/pci-faqs-2/#21  http://www.networkworld.com/article/2931587/network- security/breach-detection-five-fatal-flaws-and-how-to-avoid-them.html  https://www.solutionary.com/resource-center/blog/2016/02/big-data- advancing-cybersecurity/   https://securityintelligence.com/cyber-security-challenges-how-do- retailers-protect-the-bottom-line/  http://www.darkreading.com/risk/compliance/report-some-retail- firms-still-dont-recognize-cyber-security-risks/d/d-id/1234833  https://www2.deloitte.com/content/dam/Deloitte/pe/Documents/risk /us-risk-2014-retail-cyber-risk-report-040715.pdf  Deloitte, Cyber risk in retail Protecting the retail business to secure tomorrow’s growth  Dell, Easy Patch Management for you IT Department https://software.dell.com/reglanding/2844/