ISO27001 - Awareness Presentation v1.2
YALAMANCHILI Software Exports Ltd
INFORMATION SECURITY
YALAMANCHILI : Information Security Organization
Information Security Steering Committee
Information Security Task Force
Company Confidential
ISMS Overview
Establishment of the ISMS
The Organization has defined the scope of the ISMS in terms of its business, location, assets & technology. The Security Policy Statement and the objectives are defined and aligned with the business goals of the organization. The risk assessment is based on the assets identified and their criticality to business functioning. The control mechanisms are selected based on the risk assessment carried out formally. The management has formally approved the implementation & operation of the ISMS with its full support. A Statement of Applicability (SOA) has been prepared based on the control objectives and the controls selected, with the justification for the controls excluded.
Monitoring and review of the ISMS
A Security Incident Response Team (SIRT) is established to monitor security breaches. An Internal Audit Team is established to monitor and review the continuous implementation of the information security system in the organization. Regular meetings are conducted by the Core Team with the SIRT and Audit teams to review the effectiveness of the system and to improve it on a continuous basis. A management review process has been established and is carried out to continuously improve the ISMS. Internal Audits are carried out on a regular basis to ensure conformity to the requirements; their findings form the input to the management review process.
Maintenance and Improvement of the ISMS
The output of the Internal Audits, Management Review and security incidents forms the basis for improving the ISMS. Appropriate corrective actions are taken and preventive measures are also enforced to remove the causes of non-conformity. This is reviewed and implemented by the ISMS Team.
Information
What is Information?
◦ An asset that has value to an organization
◦ Exists in several forms: messages written on paper, stored on tapes, transmitted in electronic form, etc.
◦ Needs to be suitably protected against a wide range of threats to ensure:
– Business continuity
– Minimized business loss
– Maximized ROI and business opportunities
Why is Information Security necessary?
1. Protects business information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Increases business opportunities
5. Improves security posture and culture
Security breaches lead to…
Reputation loss
Financial loss
Intellectual property loss
Legislative breaches leading to legal actions (Cyber Law)
Loss of customer confidence
Business interruption costs
Evolution of Information Security
• ISO 27001 provides the specification for an ISMS. It has evolved from BS7799, a standard published by the British Standards Institution (BSI)
• The Information Security Management System is intended to ensure C-I-A
• CONFIDENTIALITY : Ensuring that information is accessible only to those authorized to have access
• INTEGRITY : Safeguarding the accuracy and completeness of information and processing methods
• AVAILABILITY : Ensuring that authorized users have access to information and associated assets when required
Information Security Components
PEOPLE – Organization staff
PROCESSES – Business processes
TECHNOLOGY – Technology used by the organization
ISO 27001 Standard
Main components of ISO 27001
◦ Compulsory Clauses 4 to 8
• Information security & risk management system (Clause 4)
• Management responsibility (Clause 5)
• Internal ISMS audits (Clause 6)
• Management review of the ISMS (Clause 7)
• ISMS improvement (Clause 8)
◦ ISO 27001 (ISMS Domains) 11 domains, 39 control objectives & 133 controls
ISO 27001 (ISMS Domains)
The 11 domains, each built around Confidentiality, Integrity and Availability:
Information Security Policy
Organisation of Information Security
Asset Management
Human Resource Security
Physical & Environmental Security
Communication & Operations Management
Access Control
Information acquisition, development & maintenance
Security Incident Management
Business Continuity Management
Compliance
1. Security policy (A.5)
– Information Security Policy document
– Review of the Information Security Policy
2. Organization of information security (A.6)
– Management commitment
– Roles and responsibilities defined
– Confidentiality agreements
– Contact with authorities and special interest groups
– Addressing security when dealing with 3rd parties, e.g. suppliers, customers, etc.
3. Asset management (A.7)
– Inventory, ownership and acceptable use of assets
– Information classification guidelines and labeling
4. Human resources security (A.8)
– Security roles and responsibilities
– Screening and terms & conditions of employment
– Disciplinary process
– Termination or change of employment
5. Physical and environmental security (A.9)
– Physical entry controls, working in secure areas, isolation of sensitive areas
– Equipment security
• Siting & supporting utilities
• Maintenance
• Secure disposal or re-use of equipment
6. Communications and operations management (A.10)
– Change management
– Segregation of duties
– Third party service delivery management
• SLA definition
• Monitoring of their services
– Capacity management
– Protection against malicious code and mobile code
– Backup
– Network security management
– Media handling & exchange of information
– Monitoring
7. Access control (A.11)
– Access control policy
– User access management
– User responsibilities
– Network, O.S. and application access control
– Mobile computing & teleworking
8. Information systems acquisition, development & maintenance (A.12)
– Security requirements of information systems
– Correct processing in applications
– Cryptographic controls
– Security in development and support processes
– Technical vulnerability management
9. Information security incident management (A.13)
– Reporting & management of information security events and weaknesses
10. Business continuity management (A.14)
– Business continuity & risk assessment
– BC plan
– Testing
11. Compliance (A.15)
– Compliance with legal requirements
– Compliance with security policies & standards, and technical compliance
FEATURES of ISO 27001
• Plan, Do, Check, Act (PDCA) process model
• Process based approach
• Stress on continual process improvements
• Scope covers Information Security, not only IT Security
• Covers People, Process and Technology
• 5600 plus organizations worldwide have been certified
• 11 domains, 39 control objectives, 133 controls
Technical Vulnerability Assessment : Key Components
Technical Vulnerability Assessment : Activities
1. Footprinting – The foot-printing phase queries information in the public domain. The goal is to discover how much useful information an attacker can obtain about the target.
2. Network Scan – The scanning phase is used to determine what services are running on the systems. These services are the attacker’s entry points into the network.
3. Enumeration – The enumeration phase is where the open services found during the scanning phase are queried to see what information they leak to the outside world.
4. Vulnerability Discovery – During this phase, technical consultants attempt to discover vulnerabilities in all the systems that are reachable from the Internet.
5. Vulnerability Exploitation – In this phase, technical consultants attempt to actively exploit the vulnerabilities discovered to gain some level of access on the target systems.
WHAT IS RISK?
Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Threat: Something that can potentially cause damage to the organization, IT systems or network.
Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.
• Risk Management is the name given to a logical and systematic method of identifying, analyzing, treating and monitoring the risks involved in any activity or process.
• Risk Management is a methodology that helps managers make the best use of their available resources.
1. Identification of Critical Assets
2. Determination of Asset Values (CIA)
3. Identification of Threats & Vulnerability
4. Determination of Probability
5. Determination of Risk Impact Values
6. Identification of controls to mitigate risk (Treatment)
Risk Assessment : 4 Way Approach
(Diagram) Asset List → Examine Asset Value → Examine Cause of Risks (Threats, Vulnerabilities) → Calculate Risk (from Likelihood and Impact, rated L / M / H) → Risk Treatment Plan
Balance between:
– Likelihood of Occurrence
– Expenditure on controls
– Business Harm
Risk Assessment:
• How likely is the risk event to happen? (Probability and frequency?)
• What would be the impact, cost or consequences of that event occurring? (Economic, political, social?)
Risk Treatment:
• Develop and implement a plan with specific counter-measures to address the identified risks.
Consider:
• Priorities (Strategic and operational)
• Resources (human, financial and technical)
• Risk acceptance (i.e., low risks)
• Document your risk management plan and describe the reasons behind the risks selected and the treatment chosen.
RISKS & THREATS
High user knowledge of IT systems
Theft, sabotage, misuse, social engineering
Virus attacks
Systems & network failure
Lack of documentation
Lapse in physical security
Natural calamities & fire
SO HOW DO WE OVERCOME THESE PROBLEMS?
Information Security is an integral part of our commitment to establish a safe and secure environment. YALAMANCHILI aims to establish controls for confidentiality, integrity and availability by:
– Managing key information assets including customer data
– Complying with the security aspects of business requirements and legal, regulatory & contractual obligations
– Ensuring that any risks involved are formally and periodically assessed, towards promoting & enhancing organization-wide information security practices
– Evaluating the Information Security Management System in terms of its effectiveness & efficiency, towards continual process improvement of the Organization’s security standards
– Spreading awareness on information security practices through induction and continuous training
NARADA - Overview
YSE uses the NARADA™ V4.0 application to provide the services stated above to banking clients. The NARADA™ application developed by YSE is a card management switch equipped to handle various requirements such as card management, online card authorization and transaction processing for the banks. It connects to the MasterCard and VISA services via the external access servers: the VISA Extended Access Server (EAS) for VISA and the MasterCard Interface Processor (MIP) for MasterCard issuer transactions. A separate instance of the NARADA™ application is created for each bank depending on the type of services requested by the bank. The cards issued and processed for each bank are segregated from those of the other banks. The NARADA™ application has various modules to carry out processes such as transaction processing, billing, issuing and acquiring as mentioned above. The various modules and their functionalities are –
NARADA™ Debit V4.0 – This system acts as a gateway for processing of issuer transactions from the VISA gateway to the bank host gateway for debit card transactions.
NARADA™ ATMC V4.0 – This module of the application is the ATM connect application, which is used for driving various ATM transactions through the standard messaging protocol.
NARADA™ Credit Host V4.0 – This application module processes Credit Card Transactions as a third party processor for the banks and acts as a gateway for processing online ATM and POS transactions through EAS or the MIP interface. This application module also manages the credit card bill generation process.
NARADA™ Prepaid Host – This system processes prepaid transactions as a third party processor for the banks and acts as a gateway for processing online ATM and POS transactions through the VISA or the MasterCard interface.
PCI DSS (Payment Card Industry - Data Security Standard)
• PCI DSS is a standard framed by the payment brands (VISA, MasterCard, Amex, JCB, Discover) to protect cardholder data
• Compliance is required of all entities that store, process, or transmit cardholder data.
• The cardholder data environment is the part of the network that holds cardholder data or sensitive authentication data.
• The certification cycle of PCI DSS is once every year
PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords or for other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
Tools For Compliance
Log management – Kiwi Log Viewer
IDS/IPS – part of Firewall
File Integrity - OSIRIS
AV - AVG
VA – McAfee (External)
Pen Test – PCI approved Vendor - SISA
Card Scanning – Files are encrypted and deleted after a period
Log Management
Log management is about keeping your logs in a safe place and putting them where you can easily inspect them with tools.
Keep an eye on your log files – they tell you something important...
• Lots of things happen, and someone needs to keep an eye on them...
• Not really practical to do it by hand!
First, centralize and consolidate log files:
– Log all messages from routers, switches and servers to a single machine – a log server
– All logging from network equipment and UNIX servers is done using syslog
– Windows can be configured to use syslog as well, with some tools
– Log locally, but also to the central server
PCI-DSS Requirement 12 says…
Logging mechanisms and the ability to track user activities are critical in reverting, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
So logs should be kept in a centralized manner for ease of reference.
(Diagram) Router, switch and server → syslog → Syslog Server; each server also logs to its local disk.
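The syslog consolidation described above, as an added example that is not part of the original presentation: a small Python parser that decodes the PRI field of RFC 3164-style lines from a router, a switch and a UNIX server, files each event under its source host the way a central log server would, and picks out the events someone must look at rather than reading every line by hand. The hostnames and log lines are constructed.

```python
"""Parse RFC 3164-style syslog lines from routers, switches and servers and
consolidate them on a central log server, grouped by sending host.
Added illustration: the sample lines below are constructed, not captured
from any real device, and the hostnames are placeholders."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# <PRI>TIMESTAMP HOST MESSAGE, where PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
              18: "local2", 19: "local3", 20: "local4", 21: "local5",
              22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

def parse_syslog(line: str) -> Optional[dict]:
    """Decode one syslog line; return None for malformed input so a bad
    line from one device never stops collection from the others."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # largest valid PRI is 23*8+7
        return None
    facility, severity = divmod(pri, 8)
    return {
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "facility": FACILITIES.get(facility, f"facility{facility}"),
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "message": m.group("msg"),
    }

def consolidate(lines: List[str]) -> Dict[str, List[dict]]:
    """Central-server view: every parsed event filed under its source host."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        event = parse_syslog(line)
        if event is not None:
            by_host[event["host"]].append(event)
    return dict(by_host)

def needs_attention(by_host: Dict[str, List[dict]], max_severity: int = 3) -> List[dict]:
    """Events at 'err' (3) or worse: what a person must look at rather
    than reading every line by hand."""
    return [e for events in by_host.values() for e in events
            if e["severity_num"] <= max_severity]

# Constructed sample: a router, a switch and a UNIX server, plus one
# malformed line such as a truncated UDP datagram would produce.
SAMPLE_LINES = [
    "<86>Oct 11 22:14:15 server1 sshd[1234]: Accepted password for ops from 10.0.0.5 port 51234 ssh2",
    "<84>Oct 11 22:14:20 server1 sshd[1235]: Failed password for root from 10.0.0.9 port 51235 ssh2",
    "<187>Oct 11 22:15:01 router1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<188>Oct 11 22:15:05 switch1 %SYS-4-CONFIG_I: Configured from console by admin",
    "garbage line with no PRI header",
]

if __name__ == "__main__":
    store = consolidate(SAMPLE_LINES)
    for host, events in sorted(store.items()):
        print(f"{host}: {len(events)} event(s)")
    for e in needs_attention(store):
        print("ATTENTION", e["host"], e["facility"], e["severity"], e["message"])
```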
IDS/IPS
IDS (Intrusion Detection System):
• Passive ~ out of band
• These devices can monitor and analyze events that occur on a network or system, looking for intrusion attempts based on signatures or patterns.
• IDS requires careful tuning to network conditions to be effective; otherwise false positives are too high for the system to be useful.
IPS (Intrusion Prevention System):
• IPS can provide more accurate alerts.
• IPS uses multi-method detection.
• False positives ~ may unnecessarily suspend a connection and therefore block legitimate traffic immediately.
• Gartner: “This real-time response which registers attacks as legitimate events, even if those attacks have no bearing on the network, could be too disruptive to operations.” (Ratzlaff)
IDS/IPS: PCI-DSS Requirement 11.4 Guidance
Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.
These tools compare the traffic coming into the network with known “signatures” of thousands of compromise types (hacker tools, Trojans and other malware), and send alerts and/or stop the attempt as it happens. Without a proactive approach to unauthorized activity detection via these tools, attacks on (or misuse of) computer resources could go unnoticed in real time. Security alerts generated by these tools should be monitored, so that the attempted intrusions can be stopped.
There are thousands of compromise types, with more being discovered on a daily basis. Stale versions of these systems will not have current “signatures” and will not identify new vulnerabilities that could lead to an undetected breach. Vendors of these products provide frequent, often daily, updates.
File Integrity Monitoring
File integrity monitoring is critical for security and compliance initiatives, and is a requirement for PCI compliance. File Integrity Monitor™ provides an agentless file integrity auditing solution that gives you the ability to monitor an asset’s details all the way down to the file level without requiring software agents on the monitored system. The File Integrity Monitoring solution discovers significant file integrity detail, such as:
• File size
• Version
• When it was created
• When it was modified
• The login name of any user who modifies the file
• Its attributes (e.g., Read-Only, Hidden, System, etc.)
As an extra safeguard against file tampering, the solution also monitors file checksums – MD5 or SHA-1 on Windows-based systems and MD5 or any user-defined hash algorithm on Unix-based systems – providing cryptography-based monitoring for file changes.
File Integrity Monitoring: PCI-DSS Requirement 11.5 and 10.5.5 Guidance
11.5 Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly.
File-integrity monitoring (FIM) systems check for changes to critical files, and notify when such changes are detected. There are both off-the-shelf and open source tools available for file integrity monitoring. If FIM is not implemented properly and its output not monitored, a malicious individual could alter configuration file contents, operating system programs, or application executables. Such unauthorized changes, if undetected, could render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.
10.5.5 Use file-integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
File-integrity monitoring systems check for changes to critical files, and notify when such changes are noted. For file-integrity monitoring purposes, an entity usually monitors files that don’t regularly change, but when changed indicate a possible compromise. For log files (which do change frequently) what should be monitored are, for example, when a log file is deleted, suddenly grows or shrinks significantly, and any other indicators that a malicious individual has tampered with a log file. There are both off-the-shelf and open source tools available for file-integrity monitoring.
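The 11.5 and 10.5.5 behaviour above, as an added example rather than the product or the deployment the slides describe: a Python check that fingerprints files with a configurable hash (sha1 here, as mentioned for Windows hosts), alerts on any change to a critical file, and for log files accepts appends but alerts on truncation, deletion or rewriting of the bytes that were already there. File paths and contents are constructed placeholders.

```python
"""File-integrity check in the spirit of PCI-DSS 11.5 / 10.5.5: any change
to a critical file alerts, while a log may grow by appending but must not
shrink, be deleted, or have its existing bytes rewritten. Added illustration,
not the product or deployment on the slides; contents are constructed."""
import hashlib
from typing import Dict, NamedTuple, Optional, Set

class Baseline(NamedTuple):
    size: int
    digest: str

def fingerprint(data: bytes, algo: str = "sha1") -> Baseline:
    """Record size and checksum at the last known-good point in time."""
    return Baseline(len(data), hashlib.new(algo, data).hexdigest())

def check_file(base: Optional[Baseline], current: Optional[bytes],
               is_log: bool = False, algo: str = "sha1") -> str:
    """Classify the current contents against the baseline. Returns one of:
    unchanged, created, deleted, modified, shrunk, appended."""
    if base is None:
        return "created" if current is not None else "unchanged"
    if current is None:
        return "deleted"
    if len(current) == base.size:
        now = hashlib.new(algo, current).hexdigest()
        return "unchanged" if now == base.digest else "modified"
    if len(current) < base.size:
        return "shrunk"            # truncation: always suspicious for a log
    # Larger than before: legitimate only for a log, and only if the bytes
    # present at baseline time are still intact (the old prefix is unchanged).
    prefix = hashlib.new(algo, current[:base.size]).hexdigest()
    if is_log and prefix == base.digest:
        return "appended"
    return "modified"

def is_alert(status: str, is_log: bool) -> bool:
    """Critical files: anything but 'unchanged' alerts.
    Logs: appends are expected; everything else alerts."""
    ok = {"unchanged", "appended"} if is_log else {"unchanged"}
    return status not in ok

def audit(baselines: Dict[str, Baseline], snapshot: Dict[str, Optional[bytes]],
          logs: Set[str], algo: str = "sha1") -> Dict[str, str]:
    """Compare every baselined path (and any new path) with the snapshot;
    return only the paths that should raise an alert."""
    alerts = {}
    for path in set(baselines) | set(snapshot):
        is_log = path in logs
        status = check_file(baselines.get(path), snapshot.get(path), is_log, algo)
        if is_alert(status, is_log):
            alerts[path] = status
    return alerts

# Constructed sample: baseline contents, then a later snapshot (placeholder paths).
BASELINE_FILES = {
    "/etc/app/config.ini": b"[db]\nhost=db1\n",
    "/usr/local/bin/payment-gw": b"\x7fELF...original binary...",
    "/var/log/auth.log": b"22:14:15 accepted ops\n",
}
LOG_FILES = {"/var/log/auth.log"}
LATER_SNAPSHOT = {
    "/etc/app/config.ini": b"[db]\nhost=db1\n",                            # unchanged
    "/usr/local/bin/payment-gw": b"\x7fELF...patched binary!...",           # modified
    "/var/log/auth.log": b"22:14:15 accepted ops\n22:14:20 failed root\n",  # appended
    "/etc/app/extra.conf": b"new=1\n",                                       # created
}

def run_sample() -> Dict[str, str]:
    baselines = {p: fingerprint(d) for p, d in BASELINE_FILES.items()}
    return audit(baselines, LATER_SNAPSHOT, LOG_FILES)

if __name__ == "__main__":
    for path, status in sorted(run_sample().items()):
        print(f"ALERT {status:9s} {path}")
```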
Anti-Virus
• Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business-approved activities including employees’ e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities.
• Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.
• Antivirus (or "anti-virus") software is a class of program that searches your hard drive and floppy disks for any known or potential viruses.
• The market for this kind of program has expanded because of Internet growth and the increasing use of the Internet by businesses concerned about protecting their computer assets.
• To help prevent the most current viruses, you must update your antivirus software regularly. You can set up most types of antivirus software to update automatically.
Anti-Virus: PCI-DSS Requirement 5 Guidance
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
There is a constant stream of attacks using widely published exploits, often “0 day" (published and spread throughout networks within an hour of discovery) against otherwise secured systems. Without anti-virus software that is updated regularly, these new forms of malicious software can attack and disable your network. Malicious software may be unknowingly downloaded and/or installed from the internet, but computers are also vulnerable when using removable storage devices such as CDs and DVDs, USB memory sticks and hard drives, digital cameras, personal digital assistants (PDAs) and other peripheral devices. Without anti-virus software installed, these computers may become access points into your network, and/or maliciously target information within the network.
5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
It is important to protect against ALL types and forms of malicious software.
5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
The best anti-virus software is limited in effectiveness if it does not have current anti-virus signatures or if it isn't active in the network or on an individual's computer. Audit logs provide the ability to monitor virus activity and anti-virus reactions.
Vulnerability Assessment
• Vulnerabilities in IT systems can be considered as ‘holes’ or ‘errors’
• The vulnerabilities may be due to improper system design or coding, or both.
• When a vulnerability is exploited, it results in a “security violation”, or in simple terms an “impact”
• Denial of service and privilege escalation are some examples of impacts.
• “Vulnerability Identification is a process in which IT systems are scanned for known and unknown vulnerabilities by using proper tools (called vulnerability scanners)”
• “Vulnerability Analysis is a process by which the identified vulnerabilities are analyzed for severity based on the criticality of the system”
Vulnerability Assessment: PCI-DSS Requirement 11.2 Guidance
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
A vulnerability scan is an automated tool run against external and internal network devices and servers, designed to expose potential vulnerabilities and identify ports in networks that could be found and exploited by malicious individuals. Once these weaknesses are identified, the entity corrects them, and repeats the scan to verify the vulnerabilities have been corrected. At the time of an entity’s initial PCI DSS assessment, it is possible that four quarterly scans have not yet been performed. If the most recent scan result meets the criteria for a passing scan, and there are policies and procedures in place for future quarterly scans, the intent of this requirement is met. It is not necessary to delay an “in place” assessment for this requirement due to a lack of four scans if these conditions are satisfied.
Penetration Testing
Testing the security of systems and architectures from a hacker’s point of view
A “simulated attack” with a predetermined goal
Access points to your network:
• Internet gateways
• Modems
• Wireless networks
• Physical entry
• Social engineering
Two types of testing approach:
• External view (hacker)
• Internal view (disgruntled employee or contractors)
PCI DSS - Certificate
Thank You