Information Security Management System
Instructor: Muhammad Owais
muhammad.owais@riphah.edu.pk
Source: http://www.notebookreview.com/default.asp?newsID=63
Source: https://code.google.com/p/android/issues/detail?id=57
Advanced Persistent Threat (APT)
A group with both the capability and the intent to persistently and effectively target a specific entity.
APT also refers to a network attack in which an unauthorized actor (typically using custom malware) penetrates a network and stays there undetected for a long period of time.
Example: the creators of Stuxnet can be considered an APT from the perspective of the Iranian government.
Source: http://en.wikipedia.org/wiki/Advanced_persistent_thre
Traditional Security is Reactive
Firewalls on their own do very little to protect networks.
Intrusion detection products themselves contain many errors and cause too many false positives.
Both provide little protection from insider attacks.
Stuxnet (2009-2011)
Source: http://noramintel.com/stuxnet-virus-opens-new-era-of-cyber-w
Stuxnet: Unconventional and the Worst Malware Ever
Then the scene changes: he was told that it is not the only system with this problem.
Even a system with a freshly installed Windows OS has the identical problem.
His eyes lit up, and he knew that an unusual piece of malware was causing this.
A rootkit was probably also involved, because all his usual detection methods failed.
His friend in Iran is also an expert, but he simply had no option other than calling Mr. Sergey.
Now imagine that you are at a friend's wedding ceremony when all this drama catches up with you.
People are enjoying the wedding, and Mr. Sergey
Stuxnet: Unconventional and the Worst Malware Ever
Finally, Mr. Sergey realizes that it is useless to keep talking on the phone.
"Let's meet on Monday and continue," he tells his friend.
Monday was a busy day for him.
He remotely logged into the infected system and started investigating the problem.
His surprises continued to mount until he had completely unmasked the monster: Stuxnet,
a piece of malware which experts say could only be produced with nation-state resources (the USA and Israel were accused of creating it).
Mr. Sergey says the malware was a fearsome beast, with nothing else like it in the world.
Stuxnet: Unconventional and the Worst Malware Ever
Stuxnet is an Advanced Persistent Threat (APT) that was targeted at a specific manufacturing facility.
It was named for a string of letters buried in its code.
It is (or was, at the time of its discovery) the most complicated virus/worm ever discovered.
Average viruses are about 10 KB in
Alarming Data on the InfoSec Skills Shortage
According to the UK National Audit Office, it could take up to 20 years to address the current skills gap. (Source: The Guardian, 26 September 2013)
47% of organizations say that the number of employees dedicated to network security is inadequate in some, most, or all cases. (Source: Network World, September 2014)
86% of respondents see a global cybersecurity skills gap, and 92% of those planning to hire more cybersecurity professionals this year say they expect to have difficulty
Is it a problem? Yes.
How do we overcome these problems?
We need a solution.
Solution: ISO/IEC 27001:2013
Information technology. Security techniques. Information security management systems. Requirements.
What is an Information Security Management System?
Information Security Management is a process by which the value of each item of an organisation's information is assessed and, if appropriate, protected on an ongoing basis.
Other Standards (which have) a significant effect on InfoSec
UK Data Protection Act 1998
The Computer Misuse Act 1990 (UK)
Federal Information Security Management Act 2002 (US)
Gramm-Leach-Bliley Act (GLBA) 1999 (US)
Federal Financial Institutions Examination Council's (FFIEC) security guidelines (US)
Sarbanes-Oxley Act (SOX) 2002 (US)
State security breach notification laws (e.g. California) (US)
Systematic approach to information security.
Reductions in security breaches and/or claims.
Provides a structured way of managing information security.
Provides an independent assessment.
Enhanced reputation.
Increases the level of information security in the organization.
The framework takes account of legal and regulatory requirements.
Proves management commitment to the security of information.
Helps provide a competitive edge.
Independently verifies information security, internally and externally.
The ISMS follows the Plan-Do-Check-Act (PDCA) cycle:
PLAN: Establish the ISMS
DO: Implement and operate the ISMS
CHECK: Monitor and review the ISMS
ACT: Maintain and improve the ISMS
Questions?