
Information Security

Issues that impact an Accountant


Presentation by K. Atique e-Rabbani, B Tech (Hons), UK, FCA


Preamble

1. People look to us for an opinion on the financial health of an organization.
2. Information generated from every nook and corner of the organization goes into the accounting information system and the financial statements, the window to the health of the organization.
3. For our opinions to hold water, that information must be captured correctly, transferred correctly and collated correctly across a myriad of networks and places.
4. This is what Information Security attempts to ensure.
5. Hence our need to understand the issues, and the need for this seminar.


Index
The best security can't help the most naive user (1 slide)
For information security one cannot lock information away completely: Obama gets to keep his BlackBerry (2 slides)
Information Security (InfoSec) breach stories (Obama, Bank of New York Mellon) (4 slides)
Introduction to Information Security (3 slides)


Index -2
Core Principles of Information Security: the CIA triad (1 slide)
  Confidentiality (1 slide)
  Integrity (2 slides)
  Availability (2 slides)
The New Information Security Professional (8 slides)
Suggested Information Security Steps integrated with IT Governance (1 slide)


Index -3

InfoSec certifications: CISSP / CISM (2 slides)
Information Security Audit (12 slides)
The Last Word: Information Security, a business requirement (1 slide)
Appendix 1: CISSP Information Security certification curriculum (4 slides)
Appendix 2: Digital Signature (1 slide)
Appendix 3: Cryptography (1 slide)
Appendix 4: PKI (Public Key Infrastructure) (1 slide)
Appendix 5: Useful websites (certification bodies) (3 slides)


The Best Security Can't Help the Most Stupid User

(Photo: user name and password on open display, lest he forgets!)


I've Locked Down My Host to the Point Where It's Unusable


Hey, Secret Service Agent, Leave My BlackBerry Alone

Obama gets to keep his BlackBerry, but only with a "super encryption" package built in.


Stories/ Facts
An embarrassed State Department admitted that the passport files of all three presidential candidates, Senators John McCain, Barack Obama and Hillary Clinton, had been breached by its own staff.
The bombshell announcement came within hours of the admission that Obama's personal file was improperly accessed several times in 2008 and that no one was notified of the breach.


Stories/ Facts -2
Criminal hackers are part of a mature, multi-billion dollar industry that reaches around the world. No organization is immune to the threat.
In August 2008 the US Department of Justice brought charges against 11 alleged hackers from around the globe, accused of stealing more than 40 million credit and debit card numbers. At the time it was described as the largest such case ever.


Stories/Facts -3
An unencrypted backup tape holding records of 4.5 million Bank of New York Mellon customers went missing on 27 February 2008 after it was sent to a storage facility.
The missing tape contained social security numbers and bank account information on those 4.5 million customers.
The control that was missing is encryption of backup media: had the tape been encrypted, its loss would have exposed no usable data.


Stories/Facts -4
In August 2008 a former Countrywide Financial Corp senior financial analyst was arrested and charged by the FBI with stealing and selling the sensitive personal information of an estimated 2 million mortgage loan applicants.
He did it over a two-year period by downloading 20,000 customer profiles each week onto flash drives, working on Sunday nights when no one else was in the office.


Introduction
Information Security is not new.
Julius Caesar used the Caesar cipher in about 50 BC to prevent his messages from falling into the wrong hands.
What is new? ICT, the rock star, has jumped in with a multitude of tentacles and promises of nirvana, heaven and earth.
And, as an aside, it has also brought the Information Security nightmare.


Introduction -2
A highly networked business environment is the order of the day. This has pushed Information Security to pre-eminence.
Information is arguably among an enterprise's most valuable assets.
Its protection from predators, both within and outside, has taken centre stage as an IT priority and indeed a business priority.


Introduction -3
As a finance controller, as an auditor, as a CEO, we breathe, live, rise and fall with information.
The organizations we serve also breathe, live, rise and fall with information: of course, secure, untampered, authentic information.
But the paradox is that we need greater, more convenient, from-anywhere, on-the-fly access to more and more secure information.


Core Principles of Information Security

Confidentiality, Integrity and Availability: the CIA triad
(ISC)² maintains a CBK (Common Body of Knowledge), a collection of topics relevant to all InfoSec professionals.
The CBK is fundamentally based on the CIA triad, the core information security and assurance tenets.


Confidentiality
Permitting someone to look over your
shoulder at your computer screen while you
have confidential data displayed on it could be
a breach of confidentiality.
Giving out confidential information over the
telephone is a breach of confidentiality if the
caller is not authorized to have the
information.


Integrity
Integrity is compromised when an employee is
able to modify his own salary in a payroll
database or say when an unauthorized user
vandalizes a web site.
There are many ways in which integrity could
be violated without malicious intent.
In the simplest case, a user on a system could
mistype someone's address.


Integrity -2
On a larger scale, if an automated process is not written and tested correctly, a bulk update to a database can alter data in the wrong way, leaving the integrity of the data compromised.
Information security professionals are tasked with implementing controls that prevent integrity errors, and with detective controls (checksums, reconciliations, audit trails) that reveal the ones prevention misses.
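The two integrity failures above (an employee editing his own pay, and an untested bulk update corrupting a table) map onto concrete controls. The following Python example is added here for illustration and is not part of the original presentation: it builds a constructed three-row payroll table in an in-memory SQLite database, applies a bulk raise inside a transaction with a bounded percentage and a segregation-of-duties check (the person running the update may not touch their own record), and keeps an HMAC over each row so that an edit made directly in the database, bypassing the application, is detected afterwards. The key, employee names and salaries are assumptions made for the example.

```python
import hashlib
import hmac
import sqlite3

# Assumption (constructed for this example): the MAC key is held by an independent
# control function, not by the payroll clerks who run the updates.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def record_mac(emp_id: int, name: str, salary: int) -> str:
    """Keyed hash over the fields that must not change unnoticed."""
    msg = f"{emp_id}|{name}|{salary}".encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


def seed_db() -> sqlite3.Connection:
    """Constructed payroll table with three employees (sample data, not real)."""
    con = sqlite3.connect(":memory:", isolation_level=None)  # transactions managed by hand
    con.execute("CREATE TABLE payroll (emp_id INTEGER PRIMARY KEY, name TEXT, salary INTEGER, mac TEXT)")
    for emp_id, name, salary in [(1, "A. Clerk", 30000), (2, "B. Manager", 60000), (3, "C. Director", 90000)]:
        con.execute("INSERT INTO payroll VALUES (?, ?, ?, ?)",
                    (emp_id, name, salary, record_mac(emp_id, name, salary)))
    return con


def verify_integrity(con: sqlite3.Connection) -> list:
    """Detective control: emp_ids whose row no longer matches its MAC, i.e. rows
    changed outside the application (direct SQL, a restored tape, a script)."""
    bad = []
    for emp_id, name, salary, mac in con.execute("SELECT emp_id, name, salary, mac FROM payroll"):
        if not hmac.compare_digest(mac, record_mac(emp_id, name, salary)):
            bad.append(emp_id)
    return bad


def bulk_raise(con: sqlite3.Connection, pct: int, actor_emp_id: int, max_pct: int = 10) -> int:
    """Preventive controls around a bulk update: bounded change, segregation of duties
    (the actor may not adjust their own pay) and all-or-nothing commit.
    Returns the number of rows updated."""
    if not 0 < pct <= max_pct:
        raise ValueError(f"raise of {pct}% is outside the approved band 0-{max_pct}%")
    con.execute("BEGIN")
    try:
        rows = con.execute("SELECT emp_id, name, salary FROM payroll").fetchall()
        for emp_id, name, salary in rows:
            if emp_id == actor_emp_id:
                raise PermissionError("segregation of duties: actor may not adjust own salary")
            new_salary = salary + salary * pct // 100
            con.execute("UPDATE payroll SET salary = ?, mac = ? WHERE emp_id = ?",
                        (new_salary, record_mac(emp_id, name, new_salary), emp_id))
        if verify_integrity(con):  # post-condition checked before anything is committed
            raise RuntimeError("integrity check failed after update")
        con.execute("COMMIT")
        return len(rows)
    except Exception:
        con.execute("ROLLBACK")  # a half-applied bulk update is itself an integrity failure
        raise


def salaries(con: sqlite3.Connection) -> dict:
    return dict(con.execute("SELECT emp_id, salary FROM payroll"))


def demo() -> dict:
    con = seed_db()
    out = {"clean_at_start": verify_integrity(con) == []}
    out["rows_updated"] = bulk_raise(con, 5, actor_emp_id=99)  # actor 99 is not on this payroll
    out["after_raise"] = salaries(con)
    try:
        bulk_raise(con, 5, actor_emp_id=2)  # the manager tries to include his own pay
        out["self_raise_blocked"] = False
    except PermissionError:
        out["self_raise_blocked"] = True
    out["unchanged_after_block"] = salaries(con) == out["after_raise"]
    # Someone with direct database access bypasses the application entirely.
    con.execute("UPDATE payroll SET salary = 99000 WHERE emp_id = 1")
    out["tampered_rows"] = verify_integrity(con)
    return out


if __name__ == "__main__":
    print(demo())
```

The MAC catches the direct edit only because the key is not available to whoever made the change; if the same DBA account holds the key, the check degrades to a plain checksum that detects accidents but not fraud.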


Availability
For any information system to serve its
purpose, the information must be available
when it is needed.
This means that the computing systems used
to store and process the information, the
security controls used to protect it, and the
communication channels used to access it
must be functioning correctly.


Availability -2
High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures and system upgrades.
Ensuring availability also involves preventing denial-of-service attacks.
Some models (the Parkerian hexad) add possession, authenticity and utility to CIA as three more atomic elements of information security.


The new InfoSec Professional

There has been a significant change in the responsibilities held by the InfoSec manager.
More often, traditional business functions such as compliance, risk management and privacy are being assigned to the InfoSec manager.
Therefore the InfoSec professional must understand not only technological requirements but also the needs of the business.


The new InfoSec Professional -2

The information security professional has thus evolved from computer operator to chief information security officer, and from controlling punched cards to negotiating strategic plans, defining policies, documenting processes, managing technology, measuring performance, controlling costs, supporting business recovery and demonstrating regulatory compliance.


The new InfoSec Professional -3

Some desirable skills of InfoSec professionals are:
Communication with others - a must-have ability. InfoSec professionals must be able to communicate with all layers of management and with specialist technical staff, and convey ideas and concepts clearly.


The new InfoSec Professional -4

Application penetration skills - understand how applications work, what protocols they use to communicate, what information goes into and comes out of those applications and, best of all, how to make those applications do things that the programmer did not intend. This is the next major battle front in information security, and being able to move effectively in this space is important.


The new InfoSec Professional -5

Network penetration skills - being able to understand and use network properties to map, understand and find vulnerable nodes on the network.
Knowing what is a real, viable attack and what is not - knowing which attacks against which target are viable, and then being able to prove that viability to the developers and users of the system.


The new InfoSec Professional -6

Knowing how data migrates around the network - how data is used, where it is used and who uses it in normal day-to-day patterns.
Network engineering skills - just enough to know how each component on the network works, what its function is, what its strengths and weaknesses are, and how it could be exploited.


The new InfoSec Professional -7

IDS/IPS (Intrusion Detection System / Intrusion Prevention System) interpretation of results - being able to work with the IDS/IPS on the network and understanding its limitations.
System administration - know enough about system administration that, if presented with a series of computers, one can secure them safely while still allowing the applications to run.


The new InfoSec Professional -8

Risk management skills - being able to understand the concepts of risk management and how they are applied within the company's culture. Not all companies are the same when it comes to risk management; each company has its own tolerance for risk. Be able to work within the confines of the company's risk tolerance.
Creativity - the ability to think creatively about attacks and defences.


Suggested InfoSec Program Steps

Compose an information security program
Cement a relationship between the information security program and IT governance
Design roles and responsibilities to ensure accountability
Identify and allocate resources to achieve the information security program's objectives
Determine whether the information security program is achieving its objectives


Certifications
CISSP (Certified Information Systems Security Professional), an international gold standard, is awarded by (ISC)² (International Information Systems Security Certification Consortium).
ISACA (www.isaca.org) introduced the Certified Information Security Manager (CISM) certification in 2002 for those who manage an enterprise's information security program.
There are other Information Security certifications too; see Appendix 5.


Certifications -2
We have included some of what people taking such certifications learn about in Appendix 1.
ICT constantly changes, and these certifications likewise have a two- to three-year shelf life: holders must earn continuing professional education credits and renew on that cycle.
Such certification holders need to stay in practice and always remain current.
We need not all become InfoSec professionals.

Information Security Audit



What is it?
An information security audit is an audit of the level of information security in an organization.
Such an audit can be of various types and with various objectives.
The audit focuses on the physical, technical and administrative controls of Information Security.
The audit may cover the physical security of data and the logical security of databases.


What is it? (Contd)

Different audit methods can be used for different components of Information Security.
Information Security encompasses much more than IT.
When the audit is centred on the IT aspects of Information Security it becomes part of the IT audit.


Audit Process: Audit planning and preparation

There must be goal congruence between IT, Information Security and business objectives.
The auditor must understand the above and consider:
  Areas of concern / IT organization chart / job descriptions of data centre employees
  Research on the OS, applications and hardware in the data centre
  IT policies and procedures / IT budget / disaster recovery plan


Audit Process: Establishing audit objectives

Data centre audit objectives are defined.
Identify audit risks in the data centre operating environment and the controls that mitigate them.
Thorough testing and analysis are carried out to assess control and efficiency in the data centre.
The auditor reviews:
  Personnel processes and training / backup procedures
  Change management processes / authorised access / environmental controls


Audit Process: Performing the review

Evidence of trained data centre personnel
Evidence of the quality and performance of data centre equipment and its maintenance
Evidence of documented data centre policies and procedures for job responsibilities, backup and disaster recovery on and off site, security, termination, SOPs and OS overview
Evidence of physical security, such as bolted-down equipment, and of environmental controls


Audit Process: Issuing the review report

Summarize the auditor's findings in a standard format
The report must state the date of completion of the auditor's inquiry and procedures
Identify what was reviewed
Emphasise that the audit provides only limited assurance to third parties


Auditing Network Security - Vulnerabilities

Obtain a network diagram, assess the extent of the network and what critical information the network must protect
Identify network vulnerabilities and the corresponding controls at interception points, on availability and at access/entry points
Give particular attention to the point of vulnerability where the network connects to the Internet


Consider the network security tools used

Firewalls, proxy servers, access control, anti-virus software, encryption, log management
Firewalls - the basic perimeter control: they filter, monitor, log and report traffic, and some also authenticate users before permitting connections
Proxy-server firewalls act as an intermediary between client and server
Anti-virus software locates and quarantines or removes malicious content
Remote access is an intrusion point and should be logged


Auditing Network Security - Encryption

Assess encryption policies and procedures
COBIT guidelines, established by the ITGI of ISACA, may be used
Whether management attests that the encryption policies ensure data protection at the desired level
The cost of encryption should not exceed the value of the information protected
Assess whether the encryption system is strong (current standard algorithms, adequate key lengths, sound key management) and compliant with local and international laws and regulations


Auditing Logical Security

Password policies: written, with mandatory scheduled changes where policy requires them, and user rights in line with job functions (note that current guidance such as NIST SP 800-63B favours long passwords and screening against breached-password lists over forced periodic changes)
Security tokens, cryptographic keys, biometric data
Termination procedures block access promptly
Monitoring of special (privileged) user accounts


Auditing Application Security

Application security centres around programming, processing and access
Security over application development and changes
Checks against wrong input, against wrong or incomplete processing (rollover), and any other control concerns
Engage a penetration tester to try to break the system from inside and from outside


Auditing Application Security -2

Segregation of duties (SoD)
Ensure proper SoD, such as separation of developers and implementers
Consider SoD conflicts and breaches, and which user or users have super-user access
Consider the permission/function matrix against each employee's access rights
The ultimate goal is to ensure data integrity and prevent fraud


Appendix 1-1: Info Sec Certification Curriculum

Access Control
  Categories and Controls
  Control Threats and Measures
Application Security
  Software Based Controls
  Software Development Lifecycle and Principles
Business Continuity and Disaster Recovery Planning
  Response and Recovery Plans
  Restoration Activities


Appendix 1-2: Info Sec Certification Curriculum

Cryptography
  Basic Concepts and Algorithms
  Signatures and Certification
  Cryptanalysis
Information Security and Risk Management
  Policies, Standards, Guidelines and Procedures
  Risk Management Tools and Practices
  Planning and Organization


Appendix 1-3: Info Sec Certification Curriculum

Legal, Regulations, Compliance and Investigations
  Major Legal Systems
  Common and Civil Law
  Regulations, Laws and Information Security
Operations Security
  Media, Backups and Change Control Management
  Controls Categories


Appendix 1-4: Info Sec Certification Curriculum

Physical (Environmental) Security
  Layered Physical Defense and Entry Points
  Site Location Principles
Security Architecture and Design
  Principles and Benefits
  Trusted Systems and Computing Base
  System and Enterprise Architecture
Telecommunications and Network Security
  Network Security Concepts and Risks
  Business Goals and Network Security


Appendix 2: Digital Signature

A digital signature offers authentication (the signature can only have been produced by the holder of the signer's private key) and integrity (any change to the signed data after signing causes verification to fail).


Appendix 3: Cryptography

It is the practice and study of techniques for hiding information and, more broadly, for protecting it against adversaries (confidentiality, integrity, authentication).
It is a branch of mathematics and computer science.
PCs and the Internet have made quality cryptography commonplace.

(Figure: a credit card with smart card capabilities. The 3 by 5 mm chip embedded in the card is shown enlarged in the inset. Smart cards attempt to combine portability with the power to compute modern cryptographic algorithms.)


Appendix 4: PKI (Public Key Infrastructure)

The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke digital certificates.

(Figure: a user applies for a certificate with his public key at a registration authority (RA). The RA confirms the user's identity to the certification authority (CA), which in turn issues the certificate. The user can then digitally sign a contract using his new certificate. His identity is then checked by the contracting party with a validation authority (VA), which in turn receives information about issued certificates from the certification authority.)


Appendix 5-1

Sl No / Certification name / Certification awarding organisation and relevant information / Website

1. Certified Information Systems Security Professional (CISSP)
   CISSP is an independent information security certification governed by the International Information Systems Security Certification Consortium (commonly known as (ISC)²). As of October 10, 2008, (ISC)² has reported certifying 61,763 information security professionals in 133 countries.
   Website: www.isc2.org

2. Global Information Assurance Certification (GIAC)
   The SANS Institute founded the certification entity in 1999; the term GIAC is trademarked by The Escal Institute of Advanced Technologies. GIAC provides a set of vendor-neutral computer security certifications linked to the training courses provided by SANS. GIAC is specific to the leading edge of technological advancement in IT security, in order to keep ahead of "black hat" techniques.
   Website: www.giac.org

Appendix 5-2

3. Certified Information Security Manager (CISM)
   The CISM certification program is developed specifically for experienced information security managers and those who have information security management responsibilities. The CISM certification is for the individual who manages, designs, oversees and/or assesses an enterprise's information security (IS).
   Website: www.isaca.org

4. CompTIA Security+ Certification
   Earning a CompTIA Security+ certification demonstrates proof of knowledge and expertise in security topics such as system security, communication security, infrastructure security, cryptography, access control, authentication, external attack and operational and organizational security.
   Website: www.comptia.org

Appendix 5-3

5. Cisco Certified Security Professional (CCSP)
   CCSP validates the advanced knowledge and skills required to secure Cisco networks. CCSP certification demonstrates the skills required to secure and manage network infrastructures, mitigate threats and reduce costs.
   Website: www.cisco.com

6. SEI Certificate in Information Security
   This certificate is designed to provide participants with practical techniques for protecting the security of an organization's information assets and resources, and to increase the depth of knowledge and skills of technical staff charged with administering and securing networks.
   Website: http://www.sei.cmu.edu/training/certificates/security/infosecurity.cfm

7. MSc in Information Security
   University College London's MSc in Information Security.
   Website: www.mscinfosec.adastral.ucl.ac.uk


The Last Word

Information Security: a business requirement

We must, however, understand that information security is a business requirement on top of being an ethical and legal requirement.
We therefore need to be constantly aware of certain Information Security issues and ensure that proper resources are engaged and best practices adopted.
We must strive to create a values infrastructure.


Thank you for lending me your ears


The End

Thank you and Good wishes from

