Tema 1

HG00.
062
Introduction to information
security management
http://www.cs.ru.nl/E.Verheul/SIO2017/
Security in Organizations
2017
Eric Verheul
Outline
About the course

Introduction
Information Security incidents in the media
Recap on Information Security
Study for next week
This document is freely distributable

as long as it is unmodified in any
way. 1
About the course
The goal of this class is twofold.

The first goal is to demonstrate a structured approach
towards security in an organization, and covers the
necessary standards and tools.
Secondly, it aims to introduce students to the 'security
mindset', and will allow to gain an understanding on
what usually goes wrong and how to avoid such
pitfalls in an organization.
About the course

way. 2
About the course
The course closely follows the ISO2700* standards.
Focus on risk assessments and multidisciplinary
character.
It starts with four classes on security management in
line with these standards.
After that we focus on the various aspects mentioned
in these standards by guest speakers from
organizations.
Students have to do six assignments and have to
pass the exam; TRU/e only need to do five
assignments. See the SIO Website.
5
About the course

Prerequisite knowledge
It is expected that you a have basic understanding of technical computer
security, including:
Basic (IP) networking including firewalling
WIFI Security
HTTP and cookies
SSL/TLS
Basic attacks, e.g. cross site scripting, SQL Injection, buffer overflows
Cryptography, e.g. SHA256, AES-ECB, AES-CBC, HMAC, RSA, ECC,
ECDSA
Basic knowledge of Microsoft Windows security
If you experience lacking knowledge during class or when working on
assignments it is expected that you acquire this knowledge by self study.

way. 3
Literature
The main literature of the class (apart from the slides) can be
found on the SIO website
http://www.cs.ru.nl/E.Verheul/SIO2017/.
Assessments are also placed on the SIO website; submission
is through BlackBoard.
Dr. Ilya Kizhvatov will grade the assignments.
please put on all your assignments:
- your student numbers (RU and TUE if you have one)
- the course you follow: NWI-I00153 (information sciences
master) or NWI-IMC053 (TRUE)
Slides are placed in blackboard. Note: not all speakers will
provide slides. Students are advised to attend class.
Visit to NCSC October 30, 2017 (non-mandatory!)

On Monday October 30 2017, 12:15 -17:00 we have arranged
for a visit to the Dutch National Cyber Security Centre (NCSC)
in The Hague.
The NCSC will explain what they do and will also have some
discussions based on propositions, e.g. Current focus on
security is too much reactive and too little preventive.
If you want to attend, please inform me by email
eric.verheul@cs.ru.nl.
Note: there is only room for 25 students (50% of the
registered users) and registration is based on first come
first served.
If you have propositions we can discuss, please let me know
them.
8

way. 4
DCYPHER
https://www.dcypher.nl/en/
Outline
About the course

Introduction
Study for next week
10

way. 5
Introduction
What do you think is an organization?
What do you think is meant with security in organizations?
When do you think an organization is secure?
Test:
identity security vulnerabilities in the next scene from Episode
20 of the series The Americans titled Arpanet.
11
Radboud University organizational chart
12

way. 6
Delta Lloyd organizational chart
13
A fictive organisation
Board of directors
Facilities HR Finance
Procurement
Operations Customer
Service Communication Legal Internal Audit
Division #1 Division #2 Division #3 ICT
Helpdesk
Dep #1 Dep #2 Dep #3 Dep #1 Dep #2 Dep #3 Dep #1 Dep #2 Dep #3 Authorisation
Management
Unit1 Unit1 Unit1 Unit1 Unit1 Unit1 Unit1 Unit1 Unit1
Operations
Infrastructure
Development
Which parts do you think are relevant for information security?
14

way. 7
Intuitive definition of IS
A security incident is an event where

confidentiality, integrity or availability of
information was lost.
Information security is ensuring that security
incidents from the past cannot occur (again) in the
organisation, at least not with high impact.
Our approach to IS is based on (potential)
security incidents.
We can distinguish two kind of incidents, those
where deliberate and malicious human behaviour
was the cause and others. For the first category
one can identity a motive.
15
Information security making sure that your ICT
cannot be hacked.
Information security taking all the technical security
controls you can think of.
Information security is only partially a technical
matter.
You can have too much security!
16

way. 8
Almost all security incidents occurring have their root cause in (un)intentional
erroneous human behaviour.
Employees can:
not be aware of risks,
can be aware of risks, but simply dont give a damn about them
underestimate them
can be aware of risks but do not have enough time, resources or budget to
deal with them..
Management can:
not be aware of risks (think IS is a technical matter)
not give a enough budget (money)
not be in control of implementing security (policies), e.g. do not supervise
the behaviour of line management and employees
implement new business processes and systems without giving any
appropriate attention to information security
As information security issues are often in the details, this further complicates
things. IS is a multidisciplinary problem and not only a technical problem.
17
And it all boils down to risk appetite
.. No drinking or
eating behind the
wheel in France..
18

way. 9
ISO 27002:2013
C ISO 27002:2013
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Red means new in ISO27002:2013.
19
ISO 27002:2005
C ISO 27002 NEN Vertaling
5 Security Policy Beveiligingsbeleid
6 Organization of Information Security Beveiligingsorganisatie
7 Asset Management Classificatie en beheer van
bedrijfsmiddelen
8 Human resources security Beveiligingseisen ten aanzien van
personeel
9 Physical and Environmental Security Fysieke beveiliging en beveiliging
van de omgeving
10 Communications and Operations Beheer van communicatie- en
Management bedieningsprocessen
11 Access Control Toegangsbeveiliging
12 Information Systems Acquisition, Ontwikkeling en onderhoud van
Development and Maintenance systemen
13 Information Security Incident Incidentmanagement
Management
14 Business Continuity Management Continuteitsmanagement
15 Compliance Naleving
20

way. 10
Outline
About the course

Introduction
Study for next week
21
Citibank admits: we've

lost the backup tape

way. 11
ISO 27002 Chapter 5: SECURITY POLICIES
Objective: To provide management direction and support for information security in accordance
with business requirements and relevant laws and regulations.
23
ISO 27002 Chapter 5: SECURITY POLICIES

2005
[..]
2013
24

way. 12
Management commitment
Motive: financial gain
ISO 27002 Chapter 5: Security policies

25
ISO 27002 Chapter 6: Organization of Information Security
Objective: To establish a management framework to initiate and control the implementation

and operation of information security within the organization.
PDCA cycle
Organization
26

way. 13
Outline of security organization
Information security is the concern of the security
officer but ultimately he/she is not responsible for it!
This is a big misunderstanding.
ISO 27002 Chapter 6: Organization of Information Security

27
ISO 27002 Chapter 7: HUMAN RESOURCE SECURITY
Objective: To ensure that employees and contractors understand their responsibilities and are
suitable for the roles for which they are considered.
28

way. 14
ISO 27002 Chapter 7: HUMAN RESOURCE SECURITY
Source http://www.rtl.nl
VID3 - Four ways to reveal secret intelligence, starring Bob Quick

http://www.youtube.com/watch?v=u4tLYpa6ee4
29
ISO 27002 Chapter 7: Human resources security
Motive: revenge
30

way. 15
Police employee arrested for

leaking data to GeenStijl.
www.geenstijl.nl
Motive: ?
31
Screening
He drove a Porsche Cayenne, regularly went on holiday and had
tons of cash at home. The 28-year-old Mark M. of Weert, the
agent who is suspected to have sold their police records on
criminals, lived like a king.
[..]
Police mole had access to highly confidential information for four
years as his superiors
had forgotten to remove his authorisations.
[..]
118 police officers had access to secret information without AIVD
check. That those agents are not properly screened does not
mean that have leaked confidential information.
Sources:
http://www.rtlnieuws.nl/nieuws/binnenland/pol
itiemol-mark-m-ontmaskerd-dure-autos-
horloges-en-luxe-vakanties
nrc.nl, 30 Oktober 2015
nrc.nl, 3 December 2015
AIVD gave negative advice on police mole.
Cause: financial gain

32

way. 16
Screening
In some countries, e.g., Belgium, Luxembourg, you can just go
to town hall (gemeentehuis) to get a certified copy of your
criminal records (if any).
NEANT
nicht eingetragen
In the Netherlands we have the Verklaring omtrent Gedrag
(Statement relating to your behavior). Here an governmental
organization (Centraal Orgaan Verklaring Omtrent het Gedrag
or COVOG), checks if there are any criminal records over the
last 4 years that are relevant for the job profile you are
applying for.
VOG cost is EURO 41,35.
How effective do you think VOGs are?

33
Screening
Only 10% of organisations reports internal theft to police.

34

way. 17
Segregation of duties
Intern at town hall issues 13 rogue passports.
Source:
http://www.vocativ.com/241487/f
ake-passport-prices-black-
market/
http://www.ad.nl/ad/nl/1039/Utrecht/article/detail/3993409/2015/05/01/Stagiair-stadskantoor-Utrecht-maakt-13-valse-paspoorten.dhtml

35
Segregation of duties

36

way. 18
ISO 27002 Chapter 8: Asset management
Objective: To identify organizational assets and define appropriate protection responsibilities.
How can you protect something:

if you dont even know you have it?
if no one is (or feels) responsible for it?
37
Losing personal data
ISO 27002 Chapter 8: Asset management

38

way. 19
ISO 27002 Chapter 9: Access control
Objective: To limit access to information and information processing facilities.
Motive: ego?
Source
https://www.theguardian.com/business/je
rome-kerviel
Kerviel conducted unauthorized trading for Society General resulting in a EURO 5 billion loss
in 2008.
Allegedly, Kerviel kept his authorisations when he changed job within SG (autorisation creep).
In this way he could bypass segregation of duties (four eyes principle).
He was sentenced to 3 years jail in 2010.
39
ISO 27002 Chapter 9: Access control
Snowden possible still has access to NSA systems.

Motive: legitimate concern, activism, ego, espionage?
40

way. 20
ISO 27002 Chapter 10: Cryptography
Objective: To ensure proper and effective use of cryptography to protect the confidentiality,
authenticity and/or integrity of information.
Three kind of security incidents exist with respect to this chapter,

organisations:
A. invent their own crypto instead of using publically scrutinized
crypto primitives like AES, SHA256, DSA, RSA
B. use publically scrutinized crypto primitives in a wrong way
C. Use bad key management
41
In Section 3, we analyze the RKE schemes employed in

most VW Group group vehicles between 1995 and today.
By reverse engineering the rmware of the respective
Electronic Control Units (ECUs), we discovered that VW
Group RKE systems rely on cryptographic schemes with a
single, worldwide master key, which allows an adversary
to gain unauthorized access to an aected vehicle after
eavesdropping a single rolling code.
42

way. 21
Sony implemented the EC-DSA standard incorrectly in the
PS3.
It is imperative that each EC-DSA signature is based on a
random number k.
Sony erroneously did not do this thereby compromising their
code signing key. See
https://www.youtube.com/watch?v=84WI-jSgNMQ
EC-DSA, see wikipedia
43
A really easy attack for thieves is to focus on cars

with key-less entry systems.
See
https://www.youtube.com/watch?v=0AHSDy6AiV0
44

way. 22
It is important that RSA key generation uses random prime p,
q numbers in the RSA modulus n = p*q.
The RSA key generation routine in the Taiwan eID card did
not properly do this, thereby generating RSA moduli with
share prime numbers. As these prime numbers can be
calculated as the GCD, the corresponding RSA keys are
compromised. This lead to the compromise of more than 100
RSA keys/eID smartcards.
See http://smartfacts.cr.yp.to/smartfacts-20130916.pdf
45
ISO 27002 Chapter 11: Physical and environmental security
Objective: To prevent unauthorized physical access, damage and interference to the

organizations information and information processing facilities.
46

way. 23
47
Many organizations do not give physical

security enough attention. They often think
there is a lock on this door so ...
48

way. 24
Power
No radio and television broadcast by power malfunction
49
Fire
Outage Vodafone by fire Rotterdam
As a consequence customers of Vodafone (e.g. public

transport) also had outage in their own services.
April 2012
http://nos.nl/artikel/358731-storing-vodafone-door-brand.html
50

way. 25
ISO 27002 Chapter 12: Operations security
ISO 27002 Chapter 13: Communications Security
51
Importance of correct procedures
By a blunder at the police, founder

Klaas Otto of motor club No Surrender
in prison received talks of co-
defendants and could listen. These
are phone calls that other prisoners
have committed from the custody
house in Middelburg. A spokesman for
the Brabant police confirmed that to
the ANP on Wednesday.
Source: telegraaf.nl (Google Translate)
ISO 27002 Chapter 12/13: Operations and communications security
52

way. 26
Protection against malware
Source: http://investor.maersk.com
53
Malicious code protection
Head of ENISA states

that anti-virus is only effective in
only 30% of the cases
54

way. 27
55
Targeted Attacks
Motive: political suppression?

See Motive: economic espionage
http://www.scribd.com/doc/13731776/Tracking- See:
GhostNet-Investigating-a-Cyber-Espionage- http://www.bbc.co.uk/news/technology-
Network. 20204671.
Motive: economic espionage Motive: political suppression?
56

way. 28
Targeted attacks
Stepping stone attack on EMC/RSA (March 2011)
Incident
Targeted attacks on the PC of an HR employee through an email
attachment with an Excel file containing malicious code. The attackers
gained attacks to a substantial number of cryptographic keys in Securid
tokens.
Threat/motivation
Military motivated from China.
Not directly targeted at RSA but the US defense contracter Lockheed
Martin
http://www.youtube.com/watch?v=UZNF1-1Hk1Y
57
Targeted attacks
Motive: political influence?

58

way. 29
Targeted attacks
Motive: espionage
59
Targeted attacks
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
Motive: espionage?
http://www.ibtimes.com/cia-mulls-pulling-us-spies-out-china-after-massive-opm-hack-likely-compromised-2024894
60

way. 30
Targeted attacks
Motive: revenge?
http://www.bbc.com/news/entertainment-arts-30512032
61
Motive: destruction
62

way. 31
Targeted attacks
http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
Motive: revenge?
63
Targeted attacks
64

way. 32
Targeted attacks
From published dump

65
Targeted attacks
From second published dump (source: http://am.peen.es)

66

way. 33
Advanced Persistent Threat by Office macros
Motive: ego?
67
Targeted attacks on e-banking

Year Total loss # incidents Average damage
2009 1,9 Million Euro 154 12.337 EURO
2010 9,8 Million Euro 1.383 7.086 EURO
2011 35 Million Euro 7.600 4.605 EURO Motive: financial gain
Source: Nederlandse Vereniging van Banken
68

way. 34
How do you explain this graph?
69

# internet banking fraud 40 Loss in millions of Euro
incidents 35
12000
30
10000
25
8000
20
6000
15
4000
10
2000
5
0
0
2009 2010 2011 2012 2013 2014 2015
2009 2010 2011 2012 2013 2014 2015
How do you explain this graph?
70

way. 35
Targeted attacks on banks
Why target the clients of a bank, if you can target the bank itself?
Attackers managed to get $81 million from accounts at the Bangladesh
Central Bank in just a few hours.
The attackers apparently targeted at even $1 billion but did not
succeed due to an typing error.
It seems that the attackers got a position in the banks network from the
internet, e.g. on a employee workstation, from which they succeeded to
place the transactions (more than three dozen).
Some money was recovered; it seems that about $40 million is lost.
71
Targeted attacks on banks
July 14, 2016: 12:06 PM ET
72

way. 36
ISO 27002 Chapter 14: System acquisition, development and maintenance
Objective: To ensure that information security is an integral part of

information systems across the entire lifecycle.
OWASP TOP 10
See
https://www.cbsnews.com/news/eddie-tipton-lottery-fraud-admits-he-
rigged-jackpots/
73
Many Android smartphones are running back

with security updates
Half of the Android operating system
smartphones have a dated six-year-old or older
security update, or do not provide information
about security updates at all. This is evident from
research by the Consumentenbond. Only 5% of
the Android smartphones have the latest security
update from August 2017, 11% have the July
2017 update.
74

way. 37
Wikipedia
75
Suppose that a (web)shop would allow to buy an arbitrary number of

lottery tickets whereby you would only need to pay for them 2 weeks
after the lottery draw. How could want commit fraud with this?
76

way. 38
Big stock option fraude at Rabobank en ABN Amro
77
ISO 27002 Chapter 15: Supplier relationships
Objective: To ensure protection of the organizations assets that are

accessible, maintained or provided by suppliers.
Computers of Dutch government nearly went down as result of DigiNotar attack.
78

way. 39
ISO 27002 Chapter 16: Information security incident management
Objective: To ensure a consistent and effective approach to the management of information

security incidents, including communication on security events and weaknesses.
79
ISO 27002 Chapter 16: Information security incident management
80

way. 40
ISO 27002 Chapter 17: Information security aspects of business continuity management
Objective: Information security continuity should be embedded in the organizations

business continuity management systems. information processing facilities should
be available.
81
Outage at Vodafone due to fire Rotterdam
VID8 - NOS Nieuws - Storing Vodafone door brand Rotterdam.mp4

http://nos.nl/artikel/358731-storing-vodafone-door-brand.html
82

way. 41
Massive loss of information and employees
September 11, 2001
83
84

way. 42
How do you think organisations can deal with DDOS attacks? 85
ISO 27002 Chapter 18: Compliance
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to

information security and of any security requirements.
86

way. 43
ISO 27002 Chapter 18: Compliance
C15
87
ISO 27002
C ISO 27002:2013 NEN Vertaling
5 Information security policies Informatiebeveiligingsbeleid
6 Organization of information security Organiseren van informatiebeveiliging
7 Human resource security Veilig personeel
8 Asset management Beheer van bedrijfsmiddelen
9 Access control Toegangsbeveiliging
10 Cryptography Cryptografie
11 Physical and environmental security Fysieke beveiliging en beveiliging van de
omgeving
12 Operations security Beveiliging bedrijfsvoering
13 Communications security Communicatiebeveiliging
14 System acquisition, development and Acquisitie, ontwikkeling en onderhoud van
maintenance informatiesystemen
15 Supplier relationships Leveranciersrelaties
16 Information security incident Beheer van
management informatiebeveiligingsincidenten
17 Information security aspects of Informatiebeveiligingsaspecten van
business continuity management bedrijfscontinuteitsbeheer
88
18 Compliance Naleving

way. 44
Outline
About the course

Study for next week
89
Recap on information security

The objective of information security in an organisation is to
get the management of the organisation in control of risks
related to the loss of confidentiality, integrity and availability
of information.
In essence, Information Security is a non-technical problem
as it is about getting the right attention (and budget!) from
management.
Complicating factors in implementing Information Security
(IS) are its multidisciplinary nature and constraints on budget,
effort and getting management attention
ISO 27002 is a (long) of list of IS controls divided over many
chapters originally dating from the nineties
Practice shows that just implementing ISO 27002 is not the
way to secure organizations because not all controls are
equally relevant for all organizations and circumstances
To address this ISO 27002 was supplemented with ISO
27001 which describes security management that we will
discuss in the next weeks.
90

way. 45
Outline
About the course

Recap
Study for next week
91
Study for next week
Study for next week:

The ISO 27001 and 27002 standards
First four chapters of How to Achieve 27001 Certification, Sigurjon
Thor Arnason, Keith D. Willett, Auerbach publications, 2008.
Accessible through SIO webpage
http://www.iso27001security.com
Assignment #1 is on the SIO website:
Make analysis how to protect against malware
Make an analysis of the DigiNotar incident
92

way. 46

Tema 1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tema 1

Uploaded by

Copyright:

Available Formats

HG00.

About the course

This document is freely distributable

The goal of this class is twofold.

About the course

This document is freely distributable

About the course

This document is freely distributable

Visit to NCSC October 30, 2017 (non-mandatory!)

This document is freely distributable

About the course

This document is freely distributable

Radboud University organizational chart

This document is freely distributable

Division #1 Division #2 Division #3 ICT

Which parts do you think are relevant for information security?

This document is freely distributable

A security incident is an event where

This document is freely distributable

This document is freely distributable

This document is freely distributable

About the course

Citibank admits: we've

This document is freely distributable

ISO 27002 Chapter 5: SECURITY POLICIES

This document is freely distributable

Motive: financial gain

ISO 27002 Chapter 5: Security policies

ISO 27002 Chapter 6: Organization of Information Security

Objective: To establish a management framework to initiate and control the implementation

This document is freely distributable

ISO 27002 Chapter 6: Organization of Information Security

ISO 27002 Chapter 7: HUMAN RESOURCE SECURITY

This document is freely distributable

VID3 - Four ways to reveal secret intelligence, starring Bob Quick

ISO 27002 Chapter 7: Human resources security

This document is freely distributable

Police employee arrested for

ISO 27002 Chapter 7: Human resources security

This document is freely distributable

ISO 27002 Chapter 7: Human resources security

Only 10% of organisations reports internal theft to police.

ISO 27002 Chapter 7: Human resources security

This document is freely distributable

Motive: financial gain

ISO 27002 Chapter 7: Human resources security

ISO 27002 Chapter 7: Human resources security

This document is freely distributable

Objective: To identify organizational assets and define appropriate protection responsibilities.

How can you protect something:

Losing personal data

ISO 27002 Chapter 8: Asset management

This document is freely distributable

Objective: To limit access to information and information processing facilities.

ISO 27002 Chapter 9: Access control

Snowden possible still has access to NSA systems.

This document is freely distributable

Three kind of security incidents exist with respect to this chapter,

ISO 27002 Chapter 10: Cryptography

In Section 3, we analyze the RKE schemes employed in

This document is freely distributable

EC-DSA, see wikipedia

ISO 27002 Chapter 10: Cryptography

A really easy attack for thieves is to focus on cars