
Lecture 02

Information Security Management System

Instructor: Muhammad Owais
muhammad.owais@riphah.edu.pk

Top 5 Internet Security Threats (RSA, 2012)

- Idealistic young Hacktivists will continue to attack
- Big Data Companies are taking control of users while profiting from user information.
- Attackers will make more use of Mobile Exploits for hacking into corporate networks.
- Insiders (Employees, Consultants, Business Partners) can always pose security risks.
- Foreign Governments will start to target clouds and more types of businesses with APTs

Source: http://www.notebookreview.com/default.asp?newsID=63

Big Data Company Threat Example

Google's Android Backup Functionality
- Helps you migrate all your data and apps to a new device quite easily
- It also used to store the passwords of all WLANs you ever used on your device
  - on Google servers in the US (!)
  - unencrypted (!!!)

Source: https://code.google.com/p/android/issues/detail?id=57

Advanced Persistent Threat (APT)

- A group with both the capability and the intent to persistently and effectively target a specific entity
- APT also refers to a network attack in which unauthorized malware penetrates a network and stays there undetected for a long period of time
- Example: the creators of Stuxnet can be considered an APT to the Iranian Government

Source: http://en.wikipedia.org/wiki/Advanced_persistent_thre

Security Threat Reports & Statistics

Traditional Security is Reactive

- Firewalls do very little to protect networks
- Intrusion detection products themselves contain many errors and cause too many false positives
- Little protection from insider attacks
- Service companies do man-years of work, yet code is still hacked


Stuxnet (2009-2011)

Source: http://noramintel.com/stuxnet-virus-opens-new-era-of-cyber-w

When Stuxnet Surprised the World!

- Sergey Ulasen was working for a relatively small security company in Belarus
  - software development, threat analysis, technical consulting & analysis of the latest reported malware
- On a sunny Saturday, one of his technical support guys informed him about a rather unusual case.
  - A customer in Iran reported arbitrary BSODs and computer reboots.
  - Information about their preliminary scanning reports was also communicated.
- Sergey thought that it was a usual software-conflict problem or something similar.
- He asked the guy to send him the details of the applications installed on the system.

Stuxnet: an Unconventional and the Worst Malware Ever

- Then the scene changes and he was told that it's not the only system with this problem
  - Even a system with a freshly installed Windows OS has the identical problem
- His eyes lit up and he knew that an unusual malware was causing this
  - And probably a rootkit was also involved, because all his usual detection methods failed
- His friend in Iran is also an expert, but he simply had no option other than calling Mr. Sergey
- Now think of a case where you are at the wedding ceremony of your friend when all this drama catches up with you
- People are enjoying the wedding and Mr. Sergey

Stuxnet: an Unconventional and the Worst Malware Ever

- Finally Mr. Sergey realizes that it is useless to keep talking on the phone
  - "Let's meet on Monday and continue," he asked his friend
- Monday was a busy day for him
  - He remotely logged into the infected system and started investigating the problem
- His surprises continued to mount until he had completely uncovered the monster: Stuxnet
  - a malware which experts say can only be prepared at nation-state scale (the USA & Israel were charged with it in this case)
- And Mr. Sergey says that the malware was a fearsome beast with nothing else like it in the world

Stuxnet: an Unconventional and the Worst Malware Ever

- Stuxnet is an Advanced Persistent Threat (APT) that was targeted at a specific manufacturing facility.
- Named for a string of letters buried in its code
- It is (was at the time of its discovery) the most complicated virus / worm ever discovered.
- Average viruses are about 10k bytes in

Heartbleed: the Vulnerability of the Year (2014)

- Heartbleed, discovered in April 2014 by a Finland-based company
- "On the scale of 1 to 10, this [Heartbleed] is an 11," respected security expert Bruce Schneier said on his blog
- The bug allowed attackers to snatch sensitive data from servers running OpenSSL
- A hacker can grab all kinds of data, including SSL site keys, usernames and passwords, email,

Shellshock: the Second Vulnerability of the Year (2014)

- Shellshock: the flaw was in the Bash shell, a standard component on Unix-like systems such as Linux and OS X
- Shellshock allowed hackers to run critical shell commands on an affected machine
- Experts consider Shellshock to be a much bigger problem than Heartbleed
  - it allows such devastating access to a target machine and affects a far broader range of devices.

Emerging Cyber Threats Report (2015)

- Security awareness training is a neglected practice
  - 49% of companies do not perform employee security awareness training
  - The price is paid in increased annual losses: 4 times greater than those that do have a training process in place, according to accounting firm PwC US
- Defenders need to be right every time
  - Attackers only need to be right once to gain access to the defender's network
- The number of reports of online espionage and information operations, seemingly sponsored by

Emerging Cyber Threats Report (2015)

- Humans remain the link most often exploited in attacks
  - Convince a user to open an attachment and dismiss a security warning, and an attacker's job is mostly done.
- Not only is social engineering common, but extremely effective
  - "That scared me," says Jason Belford, associate director of cyber security for Georgia Tech's OIT. "One out of every four people responded, and they were all technical. These are the people that had

Why Manage Information Security???

IT Security Incidents Statistics

Alarming Data on the InfoSec Skills Shortage

- According to the UK National Audit Office, it could take up to 20 years to address the current skills gap. (Source: The Guardian, 26 September 2013)
- 47% of organizations say that the number of employees dedicated to network security is inadequate in some, most, or all cases. (Source: Network World, September 2014)
- 86% of respondents see a global cybersecurity skills gap - and 92% of those planning to hire more cybersecurity professionals this year say they expect to have difficulty

IS IT A PROBLEM??? YES.
How do we overcome these problems?

We Need a Solution

Solution

ISO/IEC 27001:2013
Information technology - Security techniques - Information security management systems - Requirements

What is an Information Security Management System?

- Information Security Management is a process by which the value of each item of an organisation's information is assessed and, if appropriate, protected on an ongoing basis.
- Building an Information Security Management System is achieved through the systematic assessment of the systems, technologies and media that contain information, appraisal of the loss of information and the cost of security breaches, and the development & deployment of countermeasures to threats.
- Put simply, an ISMS provides a platform on which an organisation identifies its most valuable spots and builds armour-plating to protect them.

What are the InfoSec-related standards, laws and regulations?

ISO 27000 Family: International Standards

Provides the best-practice recommendations on InfoSec management, risks and controls within the context of an overall ISMS.
- ISO 27000: Overview and Vocabulary (2014)
- ISO 27001: ISMS Requirements (2013)
- ISO 27002: Code of Practice (2013)
- ISO 27003: ISMS Implementation Guidance (2010)
- ISO 27004: ISM Measurement (2009)
- ISO 27005: InfoSec Risk Management (2011)
- ISO 27006: Requirements for Bodies Providing Audit and Certification of ISMS (2011)
- ISO 27007 / 27008: Guidelines for Auditing InfoSec Controls (2011)
- ISO 27014: Governance of InfoSec (2013)
- ISO 27015: ISM Guidelines for Financial Services (2012)
www.iso.org

Other Standards
- Payment Card Industry Data Security Standard (PCI DSS)
- US National Institute of Standards and Technology (NIST)
  - Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53)
  - Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)
- ISACA Cybersecurity Nexus
- The IIA GTAG 15: Information Security Governance (2010)

What are the InfoSec-related standards, laws and regulations?

Governmental laws and regulations that have (or will have) a significant effect on InfoSec
- UK Data Protection Act 1998
- The Computer Misuse Act 1990 (UK)
- Federal Information Security Management Act 2001 (US)
- Gramm-Leach-Bliley Act (GLBA) 1999 (US)
- Federal Financial Institutions Examination Council's (FFIEC) security guidelines (US)
- Sarbanes-Oxley Act (SOX) 2002 (US)
- State security breach notification laws (e.g. California) (US)

Benefits of ISO/IEC 27001

- Identify critical assets via the Business Risk Assessment
- Improved understanding of business aspects
- Provide a structure for continuous improvement
- Be a confidence factor internally as well as externally
- Systematic approach
- Reductions in security breaches and/or claims
- Provide a structured way of managing information security.
- Provide an independent assessment.
- Enhance the organization's global positioning and reputation.
- Increase the level of information security in the organization.
- The framework will take account of legal and regulatory requirements
- Proves management commitment to the security of information
- Helps provide a competitive edge
- Independently verifies Information Security processes, procedures and documentation

What is the ISMS Standard about?

[Figure: the ISMS as a Plan-Do-Check-Act (PDCA) cycle]
- PLAN: Establish ISMS
- DO: Implement & Operate ISMS
- CHECK: Monitor & Review ISMS
- ACT: Maintain & Improve ISMS

Activities shown around the cycle: Establish ISMS framework; Set up security policy & objectives; Risk Assessment; Risk Treatment Plan; Risk Treatment review; Controls; Procedures; Implement measures; Resources allocation; Routine checking; Self-policing; Audit; Trend analysis; Non-conformity Management; Corrective & preventive actions; Improvement

Questions?
