Introduction to information
security management
http://www.cs.ru.nl/E.Verheul/SIO2017/
Security in Organizations
2017
Eric Verheul
Outline
https://www.dcypher.nl/en/
A fictive organisation (organisation chart)
Board of directors
Staff departments: Facilities, HR, Finance, Procurement, Operations, Customer Service, Communication, Legal, Internal Audit
Each line department is split into Dep #1, Dep #2 and Dep #3, each with Unit1, Unit2 and Unit3
Supporting functions shown separately: Helpdesk, Authorisation Management, Operations, Infrastructure, Development
Intuitive definition of IS
Information security: making sure that your ICT cannot be hacked.
Information security: taking all the technical security controls you can think of.
Information security is only partially a technical matter.
You can have too much security!
Intuitive definition of IS
And it all boils down to risk appetite.
".. No drinking or eating behind the wheel in France .."
ISO 27002:2005
C | ISO 27002 | NEN translation (Dutch)
5 | Security Policy | Beveiligingsbeleid
6 | Organization of Information Security | Beveiligingsorganisatie
7 | Asset Management | Classificatie en beheer van bedrijfsmiddelen
8 | Human resources security | Beveiligingseisen ten aanzien van personeel
9 | Physical and Environmental Security | Fysieke beveiliging en beveiliging van de omgeving
10 | Communications and Operations Management | Beheer van communicatie- en bedieningsprocessen
11 | Access Control | Toegangsbeveiliging
12 | Information Systems Acquisition, Development and Maintenance | Ontwikkeling en onderhoud van systemen
13 | Information Security Incident Management | Incidentmanagement
14 | Business Continuity Management | Continuïteitsmanagement
15 | Compliance | Naleving
Objective: To provide management direction and support for information security in accordance
with business requirements and relevant laws and regulations.
PDCA cycle
Organization
Objective: To ensure that employees and contractors understand their responsibilities and are
suitable for the roles for which they are considered.
Source http://www.rtl.nl
Motive: revenge
www.geenstijl.nl
Motive: ?
Screening
He drove a Porsche Cayenne, regularly went on holiday and had tons of cash at home. The 28-year-old Mark M. of Weert, the police officer suspected of having sold police records on criminals, lived like a king.
[..]
The police mole had access to highly confidential information for four years, as his superiors had forgotten to remove his authorisations.
[..]
118 police officers had access to secret information without an AIVD check. That those officers were not properly screened does not mean that they have leaked confidential information.
Sources:
http://www.rtlnieuws.nl/nieuws/binnenland/politiemol-mark-m-ontmaskerd-dure-autos-horloges-en-luxe-vakanties
nrc.nl, 30 October 2015
nrc.nl, 3 December 2015
The AIVD had given negative advice on the police mole.
Cause: financial gain
Screening
Sources:
http://www.vocativ.com/241487/fake-passport-prices-black-market/
http://www.ad.nl/ad/nl/1039/Utrecht/article/detail/3993409/2015/05/01/Stagiair-stadskantoor-Utrecht-maakt-13-valse-paspoorten.dhtml
Segregation of duties
Motive: ego?
Source: https://www.theguardian.com/business/jerome-kerviel
Kerviel conducted unauthorised trading for Société Générale, resulting in a EUR 5 billion loss in 2008.
Allegedly, Kerviel kept his authorisations when he changed job within SG (authorisation creep).
In this way he could bypass segregation of duties (the four-eyes principle).
He was sentenced to 3 years in jail in 2010.
Objective: To ensure proper and effective use of cryptography to protect the confidentiality,
authenticity and/or integrity of information.
See https://www.youtube.com/watch?v=0AHSDy6AiV0
Fire
Outage of Vodafone due to fire in Rotterdam, April 2012
http://nos.nl/artikel/358731-storing-vodafone-door-brand.html
Source: http://investor.maersk.com
Targeted Attacks
Incident
Targeted attacks on the PC of an HR employee through an email attachment with an Excel file containing malicious code. The attackers gained access to a substantial number of cryptographic keys in SecurID tokens.
Threat/motivation
Militarily motivated, from China.
Not directly targeted at RSA but at the US defense contractor Lockheed Martin.
http://www.youtube.com/watch?v=UZNF1-1Hk1Y
Targeted attacks
Motive: espionage
ISO 27002 Chapter 12/13: Operations and communications security
Targeted attacks
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
Motive: espionage?
http://www.ibtimes.com/cia-mulls-pulling-us-spies-out-china-after-massive-opm-hack-likely-compromised-2024894
Motive: revenge?
http://www.bbc.com/news/entertainment-arts-30512032
ISO 27002 Chapter 12/13: Operations and communications security
Motive: destruction
http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
Motive: revenge?
Targeted attacks
Targeted attacks
Motive: ego?
Why target the clients of a bank, if you can target the bank itself?
Attackers managed to get $81 million from accounts at the Bangladesh Central Bank in just a few hours.
The attackers apparently aimed at as much as $1 billion but did not succeed due to a typing error.
It seems that the attackers gained a foothold in the bank's network from the internet, e.g. on an employee workstation, from which they managed to place the transactions (more than three dozen).
Some money was recovered; it seems that about $40 million is lost.
See https://www.cbsnews.com/news/eddie-tipton-lottery-fraud-admits-he-rigged-jackpots/
Wikipedia
ISO 27002 Chapter 17: Information security aspects of business continuity management
C15
ISO 27002
C | ISO 27002:2013 | NEN translation (Dutch)
5 | Information security policies | Informatiebeveiligingsbeleid
6 | Organization of information security | Organiseren van informatiebeveiliging
7 | Human resource security | Veilig personeel
8 | Asset management | Beheer van bedrijfsmiddelen
9 | Access control | Toegangsbeveiliging
10 | Cryptography | Cryptografie
11 | Physical and environmental security | Fysieke beveiliging en beveiliging van de omgeving
12 | Operations security | Beveiliging bedrijfsvoering
13 | Communications security | Communicatiebeveiliging
14 | System acquisition, development and maintenance | Acquisitie, ontwikkeling en onderhoud van informatiesystemen
15 | Supplier relationships | Leveranciersrelaties
16 | Information security incident management | Beheer van informatiebeveiligingsincidenten
17 | Information security aspects of business continuity management | Informatiebeveiligingsaspecten van bedrijfscontinuïteitsbeheer
18 | Compliance | Naleving
Recap
Study for next week