Information Security Awareness Book

Contents
Prologue......................................................................................................... 2
General Introduction...................................................................................... 3
Information Systems....................................................................................... 5
Passwords....................................................................................................... 9
PC Security.................................................................................................... 12
Backup & Recovery........................................................................................ 14
Physical Security............................................................................................ 17
Wireless Security........................................................................................... 20
Identity Theft................................................................................................. 22
Social Engineering......................................................................................... 24
E-mail Security............................................................................................... 27
Internet Security............................................................................................ 30
Computer Viruses.......................................................................................... 33
Copyright....................................................................................................... 37
Hacked .......................................................................................................... 40
Selling Information Security to Top Management ........................................54
PROLOGUE
From the standpoint of an Organization, Information has value and is therefore
an asset. It needs to be protected just like any other corporate asset.
And because information must be protected, the infrastructure that supports
information must also be protected.
This infrastructure includes all the networks, systems and functions that allow
an organization to manage and control its information assets.
The question is how do you protect your information assets? That’s where this
course comes in.
The Information Security Awareness Course explains what you can do to protect
your organization’s information assets.
The course objective is to raise Information Security Awareness and recognize
your role in protecting the organization’s information and information systems.
The course covers 12 topics planned to span the whole spectrum of
information security, in easy-to-digest chunks.
The course will be concluded by an exam and a course wash-up.
Hacked
Introduction
In today’s complex and Internet-dependent environments, the potential risk of
a malicious hacker incident or security breach is growing at an alarming rate.
The security of systems and applications remains an ongoing challenge for IT
and business leadership.
Many cyber-attacks are simply automated and indiscriminately target identifiable
vulnerabilities in hardware and software, irrespective of the organization that
uses them. These vulnerabilities include unpatched software, inadequate
passwords, poorly coded websites and insecure applications.
Precautions
Secure Coding
Writing the code of your applications and network services securely is vital to
defending your applications and network, as it minimizes the risk of being
hacked.
Generally, it is much less expensive to build secure software than to correct
security issues after the software package has been completed, not to mention
the costs that may be associated with a security breach.
Securing critical software resources is more important than ever, as the focus of
attackers has steadily moved toward the application layer, as the major recent
attacks have shown.
Your development team should be well versed in security in order to implement
and assess the security level of an application during its full lifecycle. Thus the
development team members should have the responsibility, adequate training, tools
and resources to validate that the design and implementation of the entire
system is secure.
SANS Institute and EC Council are the leaders in this industry and can provide developers
with the required tools and skills to attain an acceptable level of secure coding.
Security Coding Checklist:
• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
Server Hardening
Server Hardening is the process of enhancing server security through a variety of
means which results in a much more secure server operating environment. This
is due to the advanced security measures that are put in place during the server
hardening process.
Hardening is probably one of the most important tasks to be handled on your
servers, and its importance becomes clearer once you realize all the risks involved. The default
configuration of most operating systems is not designed with security as the
primary focus. Instead, default setups focus more on usability, communications
and functionality. To protect your servers you must establish solid and sophisticated
server hardening policies for all servers in your organization. Developing a server
hardening checklist would likely be a great first step in increasing your server
and network security. Make sure that your checklist includes minimum security
practices that you expect of your staff. If you go with a consultant you can provide
them with your server hardening checklist to use as a baseline.
The server hardening checklist varies from one operating system to another;
however, the list below has the general tasks that should be followed for any
operating system:
• Configure a security policy
• Disable or delete unnecessary accounts, ports and services
• Uninstall Unnecessary Applications
• Configure the operating system internal Firewall / Iptables
• Configure Auditing
• Disable unnecessary shares
• Configure Encryption
• Updates and Hot Fixes
• Install trusted Anti-Virus & Anti-Malware
• Least Privilege
• Disable Server Banner and Information
• Enable only the following HTTP methods: POST and GET
• Disable IPv6 unless required
• Review Access Logs and system Error Logs
There are a number of tools that can automate the process of server hardening;
the best-known products include Nessus, URLScan, the Microsoft Security Compliance
Management toolkit (SCM) and the Microsoft Baseline Security Analyzer (MBSA).
Routine Penetration Tests
The most effective way to protect your data is to identify the potential
vulnerabilities that exist and close them before you are attacked. By applying
a series of thorough tests delivered by highly skilled, experienced experts who
can find those holes and vulnerabilities fast, you will be able to quickly fix those
areas, which in turn will increase your security posture.
Penetration tests are designed to test networks, servers, applications, mobile
platforms, laptops, wireless systems, printers and any other hardware or system
that can store, transmit or process data that a cyber-criminal can exploit to take
control of your systems.
Types of Penetration Testing
External pen-testing is the traditional, more common approach to pen-testing.
It addresses the ability of a remote attacker to get to the internal network. The
goal of the pen-test is to access specific servers and crown jewels within the
internal network by exploiting externally exposed servers, clients, and people.
Whether it is an exploit against a vulnerable Web application or tricking a user
into giving you his password over the phone, allowing access to the VPN, the
end game is getting from the outside to the inside.
Internal pen-testing takes a different approach as it simulates what an insider
attack could accomplish. The target is typically the same as external pen-testing,
but the major differentiator is the “attacker” either has some sort of authorized
access or is starting from a point within the internal network. Insider attacks
have the potential of being much more devastating than an external attack
because insiders already have the knowledge of what's important within a
network and where it is located, something that external attackers don't usually
know from the start.
With the rapid changes in the IT industry in terms of technologies and tools, a
cyber-criminal may become able to exploit a "secure" environment after a certain
time, and thus routine penetration testing is required to identify newly
emerging threats.
OCERT Penetration Testing Service
Oman National CERT provides penetration testing and Vulnerability assessment
to all government and Critical National Infrastructure organizations. You can
apply for the service through its website www.cert.gov.om.
After the penetration testing and vulnerability assessment have been conducted, you'll
receive a detailed report of the discovered vulnerabilities categorized according
to their level of risk and impact, including the suggested solution according to
best practice.
ITA Web Security Policy
Information Technology Authority has created a “Web Security Policy” with the
guidance of many information security specialists which you can easily follow to
implement the best security measures to your web applications and servers.
The policy can be downloaded here:
http://www.ita.gov.om/ITAPortal/MediaCenter/Document_detail.aspx?NID=12
Backups
There is no doubt that backups are very important in any organization and it is
one of the major security measures that must be implemented to ensure the data
availability. However, it is important to understand the risks with backups and how
to mitigate them.
Backups should be stored on a backup server, hard drives or tapes on a daily,
weekly or monthly basis, depending on the data sensitivity and frequency of updates.
The location where backups are stored must be secured and protected by an
access control to prevent any illegal or unauthorized access. Moreover, sensitive
backups should be encrypted both in transit and in storage, in case they fall into
the wrong hands.
Backup servers are no exception and must be hardened and penetration tested
to ensure no vulnerability exists. The physical security of the storage location
must be controlled and regulated to deny any unauthorized access. In case the
physical storage devices are to be transported to an off-site location, they must be
transported in locked containers, and a background check on the transportation
company and its staff must be conducted.
As a regulatory process, all backup operations must be logged so incidents can be
traced to their sources.
Nowadays automated backups are getting very common, as they provide an efficient
solution for frequent backups. It is important to select a solution that implements
security measures and a logging service to keep track of the processes and their
status. Such solutions must be updated and patched regularly.
Testing the backup files is vital and must be done on a regular basis in a test
environment to verify the accuracy of the data and the restore process.
Monitoring
Monitoring greatly assists in tracking server performance, network
performance and access logs, and in detecting any malicious activity happening at the server
level. Moreover, monitoring during the testing phase can detect threats that
can be addressed and fixed before going live. As new threats emerge, monitoring
can also detect them by identifying suspicious behavior which needs further
investigation.
Monitoring Benefits:
1. Protect against internal and external threats
2. Make the most of existing and future security investments
3. Bolster security with advanced research and global security intelligence
4. Obtain comprehensive visibility into the security activity on your network
5. Meet and exceed regulatory requirements for log monitoring
It is important to follow an international standard when it comes to Log
Monitoring like PCI-DSS and ISO 27001. Some organizations MUST follow these
standards in order to get a license to conduct business like Critical National
Infrastructure organizations i.e. Banks, Traffic Management, Oil and Gas … etc.
There are also a number of Operation Monitoring Frameworks that you can
follow including Microsoft Operations Framework, and such frameworks can
assist in:
1. Assess business exposure and identify which assets to secure.
2. Identify ways to reduce risk to acceptable levels.
3. Design a plan to mitigate security risks.
4. Monitor the efficiency of security mechanisms.
5. Re-evaluate effectiveness and security requirements regularly.
As a best practice, it is important to acquire a monitoring solution that can
gather all the monitoring logs in a central, secured location to ease the process of
viewing the logs and dealing with them. It is also advisable to have a dedicated
monitoring team for this task, since they will play a vital role in reviewing large
volumes of logs and doing the necessary security checks to identify high-risk activities.
The sections below will discuss what to monitor along with processes and
solutions:
Unauthorized Access (Security Audit)
There are two types of events that are recorded in the Security event log: success
audits and failure audits. Success Audit events indicate an operation that a user,
service, or program performed has completed successfully. Failure Audit events
detail operations that have not completed successfully. For example, failed
user logon attempts would be examples of Failure Audit events and would be
recorded in the Security event log if logon audits were enabled.
In theory, users must only be permitted to carry out the tasks assigned to them
by the administrator, so any task that is not allowed should be
investigated, reported and restricted.
In most cases, failure audits mean that an attack is in progress and must be dealt
with as quickly as possible to minimize the risk of a successful cyber-attack. A policy
should also be created to block any further attempts, e.g. IP lockdown, username
lockout, etc.
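As an added example (not part of the original book), the following Python script reviews constructed security-log lines in the way described above: it counts failure audits per user and per source address within a time window, reports the username lockout and IP lockdown the policy calls for, and singles out a success that follows a burst of failures for review. The log format, the thresholds and the window are assumptions chosen for illustration.

```python
"""Failure-audit review over constructed security log lines (example added here;
not the book's own code). Counts failed logons per user and per source address
inside a sliding time window and returns the policy actions to take."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a simplified "security event log" format
# (timestamp, audit outcome, event, user, source address).
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAILURE logon user=alice src=10.0.0.5
2024-03-01T08:00:03 FAILURE logon user=alice src=10.0.0.5
2024-03-01T08:00:05 SUCCESS logon user=alice src=10.0.0.5
2024-03-01T08:10:00 FAILURE logon user=admin src=203.0.113.9
2024-03-01T08:10:01 FAILURE logon user=root src=203.0.113.9
2024-03-01T08:10:02 FAILURE logon user=bob src=203.0.113.9
2024-03-01T08:10:03 FAILURE logon user=carol src=203.0.113.9
2024-03-01T08:10:04 FAILURE logon user=dave src=203.0.113.9
2024-03-01T08:10:05 SUCCESS logon user=dave src=203.0.113.9
2024-03-01T09:30:00 FAILURE logon user=erin src=10.0.0.7
2024-03-01T09:31:00 FAILURE logon user=erin src=10.0.0.7
2024-03-01T09:32:00 FAILURE logon user=erin src=10.0.0.7
2024-03-01T09:33:00 FAILURE logon user=erin src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) (SUCCESS|FAILURE) logon user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn the raw lines into (timestamp, outcome, user, src) tuples; non-logon lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def review(log_text, user_threshold=3, ip_threshold=5, window=timedelta(minutes=10)):
    """Return the actions the audit policy calls for (thresholds are assumed values):
    - lock_user: usernames with >= user_threshold failures inside the window
    - block_src: source addresses with >= ip_threshold failures inside the window
      (the same source trying many different usernames, as in a password-guessing sweep)
    - review_success: a success from a source that just produced a burst of failures,
      which an analyst should look at rather than treat as normal."""
    events = sorted(parse(log_text))
    user_fail = defaultdict(list)
    src_fail = defaultdict(list)
    actions = {"lock_user": set(), "block_src": set(), "review_success": []}
    for ts, outcome, user, src in events:
        if outcome == "FAILURE":
            for bucket, key, limit, action in ((user_fail, user, user_threshold, "lock_user"),
                                              (src_fail, src, ip_threshold, "block_src")):
                # Keep only failures still inside the window, then add this one.
                recent = [t for t in bucket[key] if ts - t <= window] + [ts]
                bucket[key] = recent
                if len(recent) >= limit:
                    actions[action].add(key)
        else:
            recent_src_failures = [t for t in src_fail[src] if ts - t <= window]
            if src in actions["block_src"] or len(recent_src_failures) >= 3:
                actions["review_success"].append((user, src))
    return actions


if __name__ == "__main__":
    for action, items in review(SAMPLE_LOG).items():
        print(action, sorted(items))
```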
To assess your Security Audit policies it is important to:
1. Review current security audit settings.
2. Assess administrator roles and normal user tasks.
3. Review business policies and procedures.
4. Identify vulnerable systems.
5. List high-value assets.
6. Identify sensitive or suspicious accounts.
7. List authorized programs.
8. Investigate attempts from unusual geographic areas.
It is also recommended to have a written process of adding new users to your
Active Directory along with the roles they will be assigned to according to their
level of access.
Malicious Activity Monitoring
Malicious activities can range from scanning for ports to planting worms and
viruses. Such activities can be easily spotted by applying the above mentioned
strategy and having an IDS/IPS in place.
It is very important to capture as much information as possible in order to prevent
and investigate such activities. Many advanced IDSs can notify the monitoring
team of those activities, which need to be addressed in real time to minimize the
impact and allow the team to investigate them further and rule out any false-positive
notifications.
The damage caused by an insider threat can take many forms, including the
introduction of viruses, worms, or trojan horses; the theft of information or
corporate secrets; the theft of money; the corruption or deletion of data; the
altering of data to produce inconvenience or false criminal evidence; and the theft
of the identities of specific individuals in the enterprise.
Protection against the insider threat involves measures similar to those
recommended for Internet users, such as the use of multiple spyware scanning
programs, anti-virus programs, firewalls, and a rigorous data backup and archiving
routine.
Intrusion Detection
An intrusion detection system (IDS) inspects all inbound and outbound network
activity and identifies suspicious patterns that may indicate a network or system
attack from someone attempting to break into or compromise a system.
IDS can play a vital role in early detecting security threats to your network, servers
and websites. An IDS can be configured to detect certain types of malicious
activities and notify the monitoring team about them.
IDS Types
Misuse detection vs. anomaly detection: in misuse detection, the IDS analyzes
the information it gathers and compares it to large databases of attack signatures.
Essentially, the IDS looks for a specific attack that has already been documented.
Like a virus detection system, misuse detection software is only as good as the
database of attack signatures that it uses to compare packets against. In anomaly
detection, the system administrator defines the baseline, or normal, state of the
network's traffic load, breakdown, protocol, and typical packet size. The anomaly
detector monitors network segments to compare their state to the normal
baseline and look for anomalies.
Network-based vs. host-based systems: in a network-based system, or NIDS,
the individual packets flowing through a network are analyzed. The NIDS can
detect malicious packets that are designed to be overlooked by a firewall's
simplistic filtering rules. In a host-based system, the IDS examines the activity
on each individual computer or host.
Passive system vs. reactive system: in a passive system, the IDS detects a
potential security breach, logs the information and signals an alert. In a reactive
system, the IDS responds to the suspicious activity by logging off a user or
by reprogramming the firewall to block network traffic from the suspected
malicious source.
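To make the two detection approaches concrete, here is an added Python example (not code from the book or from any IDS product) that runs a small signature database and a learned size/port baseline over constructed packet records; the signatures, the baseline traffic and the z-score threshold are assumptions chosen for illustration. The results show what each approach catches and what it misses.

```python
"""Misuse (signature) detection beside anomaly detection over constructed
packet records. Example added here; not the book's own code."""
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst_port: int
    size: int
    payload: bytes


# Constructed signature database, standing in for the "large databases of attack
# signatures" a misuse detector compares packets against.
SIGNATURES = {
    "directory-traversal": b"../../",
    "sql-injection-probe": b"' OR 1=1",
}


def misuse_detect(packets):
    """Signature matching: return (packet index, signature name) for every known pattern seen.
    Anything not in the database is invisible to this detector."""
    hits = []
    for i, p in enumerate(packets):
        for name, pattern in SIGNATURES.items():
            if pattern in p.payload:
                hits.append((i, name))
    return hits


class AnomalyDetector:
    """Anomaly detection: learn the 'normal' packet size and destination ports from
    a baseline, then flag packets that deviate from it even when no signature exists."""

    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold  # assumed: flag sizes more than 3 std devs from the mean
        self.mean = 0.0
        self.stdev = 1.0
        self.known_ports = set()

    def train(self, baseline):
        sizes = [p.size for p in baseline]
        self.mean = statistics.mean(sizes)
        # A perfectly uniform baseline would give stdev 0; avoid dividing by zero.
        self.stdev = statistics.pstdev(sizes) or 1.0
        self.known_ports = {p.dst_port for p in baseline}

    def detect(self, packets):
        alerts = []
        for i, p in enumerate(packets):
            z = (p.size - self.mean) / self.stdev
            if abs(z) > self.z_threshold:
                alerts.append((i, "size-anomaly"))
            elif p.dst_port not in self.known_ports:
                alerts.append((i, "unseen-port"))
        return alerts


# Constructed baseline: ordinary web traffic, 480..520 bytes, to ports 80 and 443.
BASELINE = [Packet("10.0.0.%d" % (i % 5), 443 if i % 2 else 80, 480 + 2 * i, b"GET / HTTP/1.1")
            for i in range(21)]

# Constructed packets to inspect: one normal, one carrying a known signature,
# one oversized with no known signature, one to a port the baseline never saw.
TEST_PACKETS = [
    Packet("10.0.0.1", 443, 500, b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.4", 80, 510, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("198.51.100.4", 80, 9000, b"POST /upload HTTP/1.1"),
    Packet("198.51.100.7", 3389, 500, b"\x03\x00\x00\x13"),
]


def run_both(baseline=BASELINE, packets=TEST_PACKETS):
    """Run both detectors over the same packets and return their alerts side by side."""
    detector = AnomalyDetector()
    detector.train(baseline)
    return {"misuse": misuse_detect(packets), "anomaly": detector.detect(packets)}


if __name__ == "__main__":
    print(run_both())
```

Packet 1 is caught only by the signature database, while packets 2 and 3 are caught only by the baseline, which is why the book recommends keeping the signature database current and pairing it with a monitored baseline.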
Intrusion Prevention
An intrusion prevention system (IPS) provides policies and rules for network
traffic together with an intrusion detection system that alerts system or network
administrators to suspicious traffic, while allowing the administrator to decide
the action to take upon being alerted. Some compare an IPS to a combination
of an IDS and an application layer firewall for protection.
Intrusion prevention systems can be classified into four different types:
1. Network-based intrusion prevention system (NIPS): monitors the entire
network for suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS): monitors a wireless network for
suspicious traffic by analyzing wireless networking protocols.
3. Network behavior analysis (NBA): examines network traffic to identify threats
that generate unusual traffic flows, such as distributed denial of service
(DDoS) attacks, certain forms of malware and policy violations.
4. Host-based intrusion prevention system (HIPS): an installed software package
which monitors a single host for suspicious activity by analyzing events
occurring within that host.
Having an IPS in place helps in taking an early action to prevent such activities
and give more time to the monitoring team to investigate them.
OCERT Monitoring Service
Oman National CERT provides monitoring services for different levels and
environments including:
1. Network Monitoring
2. Website Logs Monitoring
3. Website URL Monitoring
4. Server Monitoring
To read more about OCERT monitoring service please visit the following page:
http://www.cert.gov.om/contact.aspx
Updates / Patching
With newly emerging threats and zero-day attacks, it is important to keep your
servers and appliances updated and patched to avoid any sudden attacks. Moreover,
subscribing to reputable information security advisory services is recommended so
that you are notified of any alert.
Automatic OS Updates
Having automatic updates can save administrators valuable time updating
and patching in big organizations. Moreover, a central update and patch
deployment system, managed and pushed by the administrators, hastens the process
and ensures that all machines are updated and patched.
Latest Threats and Notifications
Oman National CERT provides an online Threats and Alerts Notification (TNAS) service
which you can join to be updated with the latest threats in Arabic and English. In
addition, you can register through www.cert.gov.om to receive the latest TNASs in
your email inbox.
Scanning
Having anti-virus and anti-spam solutions on your servers and machines will
protect you from harmful and malicious viruses, Trojans and botnets.
Keeping your anti-virus definitions up to date is critical and should be managed
professionally through an enterprise solution that pushes the updates to all the
organization's computers.
With such enterprise solutions administrators can control the updates and also
prevent users from turning the AV off by using password-protected features that
are only accessible to administrators.
Malware Scanning
Oman National CERT provides administrators and normal users an option to scan
their machines for known malicious code via the Cyber Clean Project, which is
accessible through OCERT CCP
Security Auditing
Passwords
Passwords are generally the first line of defense against hackers, and thus it is
important to choose a password that is complex, hard to guess and not a dictionary word.
However, the main challenge is to ensure password rotation and renewal.
At the Active Directory level, passwords must be set to be complex, and by complex
it is meant that they must contain at least one of the following:
1. Lowercase letter [abcdefghijklmnopqrstuvwxyz]
2. Uppercase letter [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
3. Number [0123456789]
4. Special character [!@#$%^&*()_+{}|:"<>?~`-=[];',./]
Moreover, passwords must expire! Many databases get hacked and user profiles
get leaked, and thus it is important to change passwords routinely; this can be
enforced by enabling the password expiry rule in most advanced servers.
For very sensitive data, there is the concept of two-factor authentication, which
requires users to enter their password along with a second token or key that
is securely generated and shared with them. Many large organizations use
hardware-based token generators that are tied to the user account to ensure
maximum security. In addition, there are software-based token generators such
as Google Authenticator, which generate token numbers that keep changing
over a short period of time.
Many users think that having a complex password, password rotation and two-factor
authentication is inconvenient, but those users must be educated about the
importance of such procedures and how they assist in protecting their own and their
organization's information.
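An added Python example, not the book's own code, that checks a password against the four character classes listed above and an expiry age, and generates and verifies the time-based one-time codes that token generators such as Google Authenticator produce (RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits). The minimum length, the 90-day expiry and the one-step clock-drift window are assumptions; the RFC 6238 test secret is used so the codes can be checked against the RFC's published vectors.

```python
"""Password-policy checks and RFC 6238 time-based one-time passwords.
Example added here; not the book's own code."""
import hashlib
import hmac
import struct
import time
from datetime import date, timedelta

# The four character classes the book lists for a complex password.
LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")
SPECIAL = set("!@#$%^&*()_+{}|:\"<>?~`-=[];',./")


def policy_problems(password, min_length=12):
    """Return a list of policy violations; an empty list means the password is acceptable.
    min_length is an assumed value: the book lists classes but no length."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    chars = set(password)
    for name, cls in (("lowercase", LOWER), ("uppercase", UPPER),
                      ("number", DIGITS), ("special", SPECIAL)):
        if not chars & cls:
            problems.append("no " + name)
    return problems


def password_expired(last_changed, today, max_age_days=90):
    """Expiry rule: True once the password is older than max_age_days (assumed 90)."""
    return today - last_changed > timedelta(days=max_age_days)


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps
    since the Unix epoch, which is why the displayed code changes every 30 seconds."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, drift=1):
    """Accept the current step and `drift` steps either side (assumed: 1) so a token
    whose clock is slightly off still works; comparison is constant-time."""
    counter = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-drift, drift + 1))


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); a real shared
# secret would be generated randomly and provisioned to the user's token.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(policy_problems("password"), policy_problems("Passw0rd!xyz"))
    print(totp(RFC_TEST_SECRET, 59), totp(RFC_TEST_SECRET, 59, digits=8))
    print(totp(RFC_TEST_SECRET))  # the code a token would show right now
```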
Access Control
Access control determines who should access what and what their level of
access and their roles generally.
Administrators should have access templates ready to authenticate users
against Active Directory and ensure that only genuine users can access
the organization's network to carry out their allotted tasks.
Roles are very crucial since they determine the level of access granted to users
and ensure that users cannot gain elevated access to restricted and confidential
data they are not supposed to access.
Hackers will always try to get access to an organization network to steal
information or to carry out an attack by leveraging certain rules, cracking
password or through a backdoor. Such attempts must be identified in real-time
and blocked immediately.
Secure Remote Communication
In many cases users would need to access their confidential data outside the
organization premises i.e. Emails, and that should be done through secure
channels to minimize the leakage of information. This can be done over:
Secure FTP: is a computing network protocol for accessing and managing files
on remote file systems. The main role of SFTP is to encrypt commands and data
both, preventing passwords and sensitive information from being transmitted in
the clear over a network.
Secure Forms (SSL): Web servers and web browsers rely on the Secure Sockets
Layer (SSL) protocol to help users protect their data during transfer by creating a
uniquely encrypted channel for private communications over the public Internet.
Each SSL Certificate consists of a key pair as well as verified identification
information. When a web browser (or client) points to a secured website, the
server shares the public key with the client to establish an encryption method
and a unique session key. The client confirms that it recognizes and trusts the issuer
of the SSL Certificate. This process is known as the "SSL handshake" and it begins
a secure session that protects message privacy, message integrity, and server
security. SSL certificates can be purchased online through reputable companies
such as Verisign, Symantec and other authorized Certificate Authorities (CA).
VPN Access: VPNs, or Virtual Private Networks, allow users to securely access a
private network and share data remotely through public networks. Much like a
firewall protects your data on your computer, VPNs protect it online. And while
a VPN is technically a WAN (Wide Area Network), the front end retains the same
functionality, security, and appearance as it would on the private network.
Secure Shell (SSH): SSH creates both the VPN tunnel and the encryption that
protects it. This allows users to transfer otherwise unsecured data by routing the
traffic to remote file servers through an encrypted channel: the data itself isn't
encrypted, but the channel it is moving through is. SSH connections are created by
the SSH client, which forwards traffic from a local port to one on the remote server.
All data between the two ends of the tunnel flows through these specified ports.
Encryption
It is always advisable to encrypt the data stored on users' machines, servers
and any storage device that contains sensitive data. Encryption can cause a delay
in retrieving large amounts of data, as the data needs to be decrypted into a readable
format before being sent back to the user. However, with the advancement in
processors these days this shouldn't be an obstacle, since the advantages outweigh
the disadvantages.
Many large organizations, including ITA, have enforced a policy to encrypt all portable
devices including laptops, to add an additional layer of security in case of the theft or
loss of such devices, which mostly contain sensitive data.
Firewall
A firewall is a system designed to prevent unauthorized access to or from a
private network. Firewalls can be implemented in both hardware and software,
or a combination of both. Firewalls are frequently used to prevent unauthorized
Internet users from accessing private networks connected to the Internet,
especially intranets. All messages entering or leaving the intranet pass through
the firewall, which examines each message and blocks those that do not meet the
specified security criteria.
Firewalls can be either hardware or software but the ideal firewall configuration
will consist of both. In addition to limiting access to your computer and network,
a firewall is also useful for allowing remote access to a private network through
secure authentication certificates and logins.
Hardware firewalls can be purchased as a stand-alone product but are also typically
found in broadband routers, and should be considered an important part of your
system and network set-up. Most hardware firewalls will have a minimum of four
network ports to connect other computers, but for larger networks, business
networking firewall solutions are available.
Software firewalls are installed on your computer (like any software) and you
can customize them, which gives you some control over their function and protection
features. A software firewall will protect your computer from outside attempts
to control or gain access to your computer.
Application Firewall
Application firewalls secure and protect application communications, in much the
same way that network firewalls secure and protect network communications.
By being aware of the language that applications use to transmit information,
application firewalls can deny or modify invalid or suspicious activity.
The widely used application firewalls include: ModSecurity and URLScan.
Environment Segregation
It is always a good practice to segregate your environments as it helps in
minimizing the risk of publicly publishing harmful or buggy applications and
codes. The 3 main advisable environments are:
Testing Environment
This environment places few restrictions on the administrators and
developers within an organization, so they can test their application under different
circumstances, e.g. testing wrong data, penetration testing, code security checks,
sending harmful packages, creating non-reversible actions, etc.
This environment is important since developers will have a replica of their
production environment but with no fear of destroying it while conducting their
tests since it is a private environment and not accessible by the public.
Development Environment
This environment is considered the developers' heaven: they control the
whole environment in terms of access and have the freedom to control the applications,
installations, deletions, etc.
Developers can develop, test, and experiment with this environment as they see
fit with their needs and requirements.
Production Environment
This is a very sensitive environment and the level of access should and must be
controlled by professional administrators to ensure that it is up and running all
the time. All the controls, firewalls, IPSs and IDSs should be configured and in
place to protect this environment from hackers and cyber criminals.
Usually an application or data must go through the two above mentioned
environments to ensure their stability before being transferred to this
environment by professional administrators.
Recovery
Data recovery is the process of restoring data that has been lost, accidentally
deleted, corrupted or made inaccessible for any reason.
In enterprise information technology (IT), data recovery typically refers to the
restoration of data to a desktop, laptop, server, or external storage system from
a backup.
The data recovery process may vary, depending on the circumstances of the data
loss, the data recovery software used to create the backup, and the backup target
media. For example, many desktop and laptop backup software platforms allow
end users to restore lost files themselves, while restoration of a corrupted database
from a tape backup is a more complicated process that requires IT intervention.
Data recovery can also be provided as a service. Such services are typically used to
retrieve important files that were not backed up and accidentally deleted from a
computer's file system but still remain on disk in fragments.
An organization's disaster recovery plan should make known who in the organization
is responsible for recovering data, provide a strategy for how data will be recovered
and document acceptable recovery point and recovery time objectives.
In case of emergencies a partial or full recovery should be made to make systems
go live with the accurate data.
How to deal with it
This section will outline how to deal with successful hacking attempts against your email
system, website, network, database, etc.
The first step is to report such incident to a reputable organization that has the
capabilities to investigate and resolve any cyber incidents while maintaining your
privacy and confidentiality. Oman National CERT does fit that profile and will assist
you with no additional cost and will act immediately.
Oman National CERT
How & Where to report
OCERT provides different reporting channels including:
1. Online Incident Report
2. Email: [email protected]
3. Phone: (+968) 24166828
What to prepare
While waiting for a reply from OCERT, you can prepare the following items which
will be required for the investigation process:
1. Log files (access log files, server log files, error log files)
2. Copy of the infected file(s)
3. Full copy of the infected system
Additional items might be requested depending on the results of the initial investigation, and any such request will be made at an early stage.
Evidence Handling
Your infected or hacked machine, server or network is considered a crime scene and must be dealt with accordingly. Machines must not be restarted or shut down normally under any circumstances. Internet/intranet connection cables can and should be disconnected immediately to start the damage control process.
In case of criminal charges, the infected machines will be used as evidence; the digital forensics team will analyze the evidence and write their final report, which will be used in a court of law.
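The log files and file copies listed under "What to prepare" are only useful as evidence if the investigators can show they were not altered after collection. The script below is an added example, not OCERT's procedure or tooling; the case identifier, collector address, log lines and file paths are constructed placeholders. It records the SHA-256 hash, size and modification time of each item in a manifest at collection time, and can later prove whether any item was changed.

```python
"""Evidence manifest with SHA-256 hashes for chain of custody.
Added example, not OCERT's procedure; case id, collector, paths and log lines are constructed."""
import hashlib
import json
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(case_id, collector, paths):
    """Record what was collected, by whom, when, and the hash of each item at collection time."""
    items = []
    for path in map(Path, paths):
        stat = path.stat()
        items.append({
            "path": str(path),
            "size": stat.st_size,
            "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(path),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "host": socket.gethostname(),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(manifest):
    """Paths whose current hash differs from the recorded one, or that have disappeared."""
    altered = []
    for item in manifest["items"]:
        path = Path(item["path"])
        if not path.is_file() or sha256_of(path) != item["sha256"]:
            altered.append(item["path"])
    return altered


def demo():
    """Constructed evidence set: two web server logs, one of them truncated after collection."""
    with tempfile.TemporaryDirectory() as workdir:
        access_log = Path(workdir) / "access.log"
        error_log = Path(workdir) / "error.log"
        access_log.write_text('203.0.113.45 - - [03/Mar/2024:10:02:00 +0000] "GET /admin HTTP/1.1" 200 512\n')
        error_log.write_text("[Sun Mar 03 10:02:01 2024] [error] File does not exist: /var/www/html/backup.zip\n")
        manifest = build_manifest("CASE-PLACEHOLDER-001", "analyst@example.org", [access_log, error_log])
        (Path(workdir) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(manifest)      # nothing altered yet
        access_log.write_text("")               # a well-meaning admin "cleans up" the log
        after = verify_manifest(manifest)
        return before, [Path(p).name for p in after]
```

The manifest should be written to separate media (or sent to the investigating team together with the evidence), so that a later verification compares against a copy the compromised host could not have modified.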
Regain control
With the above items kept in mind, it is important to regain control over your infected machines by taking these steps:
1. Take your infected machine offline! Disconnect it from local and external access.
2. Try to remove the infected files, scripts or malware.
Once this is done and you have reported the incident, you can assess the damage caused by the attack, including:
1. Were they looking for sensitive information?
2. Did they want to gain control of your site for other purposes?
3. Look for any modified or uploaded files on your web server.
4. Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.
5. Determine the scope of the problem: do you have other sites that may be affected?
It is also important to understand that so far you have not fixed the source of the problem, so do not try to recover the website and publish it yet.
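Item 4 of the assessment list is one an administrator can start on immediately while waiting for the CERT team. The Python below is an added example, not from the book, working over constructed sshd-style authentication log lines and a constructed /etc/passwd excerpt (the IP addresses are from documentation ranges; the host and account names are invented). It counts failed logins per source, flags a source that logged several failures and then an accepted login, and lists accounts that were never provisioned or that have UID 0 besides root.

```python
"""Post-incident log review over constructed sample data (added example, not OCERT tooling)."""
import re
from collections import Counter, defaultdict

# Constructed sshd-style auth log lines, not taken from a real system.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:01:05 web01 sshd[1201]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  3 10:01:09 web01 sshd[1203]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar  3 10:02:00 web01 sshd[1210]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Mar  3 10:15:00 web01 sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Mar  3 10:16:11 web01 sshd[1301]: Failed password for deploy from 192.0.2.10 port 40002 ssh2
"""

# Constructed /etc/passwd excerpt; "support" is a UID-0 account nobody provisioned.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
support:x:0:0::/root:/bin/bash
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)"
)


def parse_auth_events(text):
    """Yield (outcome, user, source_ip) in log order; lines that do not match are ignored."""
    for line in text.splitlines():
        match = AUTH_RE.search(line)
        if match:
            yield match.group(1), match.group(2), match.group(3)


def failed_logins_by_source(text):
    """How many failed logins each source address produced."""
    return Counter(ip for outcome, _, ip in parse_auth_events(text) if outcome == "Failed")


def brute_force_successes(text, threshold=3):
    """Sources that logged >= threshold failures and then an accepted login: the
    guess-until-it-works pattern that should be escalated to the investigators."""
    failures = defaultdict(int)
    hits = []
    for outcome, user, ip in parse_auth_events(text):
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, user))
    return hits


def unexpected_accounts(passwd_text, provisioned):
    """Accounts missing from the provisioned set, plus any root-equivalent (UID 0) account
    other than root itself."""
    findings = []
    for line in passwd_text.splitlines():
        name, _, uid, *_ = line.split(":")
        if name not in provisioned:
            findings.append((name, "not provisioned"))
        if uid == "0" and name != "root":
            findings.append((name, "uid 0"))
    return findings


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_AUTH_LOG))
    print(brute_force_successes(SAMPLE_AUTH_LOG))
    print(unexpected_accounts(SAMPLE_PASSWD, {"root", "www-data", "deploy"}))
```

Run it against a copy of the logs taken from the evidence set, never against the live files on the compromised host, so the review itself does not change the evidence.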
Investigations
Log Reviews
The Oman National CERT team will send you a fully detailed report of the findings, along with possible fixes, and will guide you through the recovery process. In addition, since your organization is a target, it is advisable to forward all your access logs to the OCERT monitoring team for live monitoring to detect and prevent malicious activity. A number of scripts and applications built by OCERT can assist administrators in detecting and preventing hacking attempts. Such tools include the CIA “Content Integrity Agent”, which prevents hackers from adding or altering files on web servers.
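The Content Integrity Agent named above is OCERT's tool and its internals are not described here. As an added illustration of the idea behind content-integrity monitoring (and of item 3 of the damage assessment list, looking for modified or uploaded files), not OCERT's code, the Python below records a SHA-256 baseline of every file under a web root and later reports what was added, modified or deleted; the web root and its files are constructed in a temporary directory.

```python
"""File-integrity baseline for a web root (added illustration, not OCERT's Content Integrity Agent)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def compare_to_baseline(baseline, root):
    """Files that appeared, changed or vanished since the baseline was taken."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed web root: baseline it, then simulate what an intrusion typically leaves behind."""
    with tempfile.TemporaryDirectory() as workdir:
        root = Path(workdir)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed image bytes")
        (root / "robots.txt").write_text("User-agent: *\n")
        baseline = build_baseline(root)                     # taken at deployment time
        (root / "index.php").write_text("<?php echo 'hello world'; ?>\n")   # altered page
        (root / "uploads" / "unexpected.php").write_text("<?php ?>\n")       # file nobody deployed
        (root / "robots.txt").unlink()                                       # file removed
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the web server's own account cannot write, otherwise an attacker who can alter files can also alter the record of what they were supposed to look like.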
SELLING INFORMATION SECURITY TO TOP MANAGEMENT
Introduction
“In order to really enforce people, you need to get top-level buy-in,” says Ira Winkler, chief security strategist at Codenomicon.
According to a survey done by Infosectoday.com in 2013, “top management support” was the number one issue facing information security adoption in most organizations in the US. It is therefore important to tackle this issue and propose solutions to overcome the reluctance of top management.
Security has traditionally been viewed as a tradeoff with business productivity. It's been this way for years, but it doesn't have to be. CIOs and CISOs need to have their finger on the pulse of security and how it affects their business from a tactical and strategic perspective. Information security, if practiced right, shouldn't slow down the business but complement it and even improve business agility.
Proving that security pays is difficult. In fact, with many security technologies there's no demonstrable return on investment (ROI) justification for their deployment. By the end of this course, however, you'll have the skills and techniques to sell information security to top management.
In this chapter we'll focus on the possible ways you, as a security officer, can sell information security to your organization's top management.
Why top management doesn't understand information security!
Before discussing the methods and solutions, it's important to understand how top management thinks in an organization that doesn't have a functional information security office.
Information security is viewed as an operation
Most C-level managers don't view information security as a strategic issue, but as an operational one that can function on its own with the least amount of resources. This attitude has caused many organizations either to ignore information security or to isolate the security team from other parts of the business, eliminating any possibility of communication between the security team and the business managers.
Different communication language
Most managers are concerned with financial figures, expenses, profits and return on investment (ROI), so in effect they don't speak the same language as information security managers, who are concerned with data loss prevention, intrusion detection, policies, controls, etc.
Information security is not tangibly measured
Most managers focus on tangible results. Unfortunately, information security success is not tangibly measured, since most of the investment protects intangible items, even though what information security policies and controls protect is crucial and critical to the business.
IT and information security roles conflict
Top management still believes that information security should be an IT operational task managed by the IT department, without understanding the real role of information security offices and why they should be totally independent in terms of management to carry out their tasks efficiently.
Top management isn't technically aware of the associated risks
When the subject of information security is raised in management meetings it usually gets the lowest priority and the least amount of discussion time, since senior managers aren't technically aware of computer security crimes and cybercrimes.
Solutions
Knowing how top management thinks and perceives information security, the next step is to change their mindset and persuade them of the importance of information security to the organization.
Get to know the right persons within your organization
Friendly discussions with the CFO, CEO or internal audit director can give you excellent insight into how best to approach the board. Also, make sure you have some space on the agenda for discussing information security. These are your opportunities to keep the CEO up to date on your company's major risks and protective measures.
Keep your CEO updated on laws and regulations
Information protection is now mandatory. Laws, regulations, insurance requirements and shareholder expectations make information protection a business requirement. Based on your organization's reporting structure, the CEO is the one who will deliver the InfoSec message to the board. You therefore need to win the heart and mind of your CEO and, hence, the board.
Be very opportunistic
CEOs are very selective about what they present to the board. You can take advantage of this to put information security on the agenda. For example, a well-publicized computer crime (e.g. the recent Heartbleed vulnerability) is bound to get their attention. You can do the same with incidents within your own organization. Demonstrate that a major computer breach could mean that next quarter's numbers are considerably lower. Be very specific and provide estimated figures.
Leverage (and try to influence) the work performed by others
The Internal Audit department's work is usually very valuable. External audits and security testing services can also help a lot. As an ISP, you might be subject to ISAE audits. Use those to push your needs and concerns to the board. For example, I have recently performed an Information Security Governance audit for a big company. The client was their Internal Audit department, who were informally “hired” to do it by the CSO / Security department in order to move things forward with the board.
Point out how good information security can be a value-add for your company
Even though a CEO or some other top executive might understand the need for compliance, other members of top management probably won't buy into this idea – this is why it is important to find other benefits of implementing information security. I usually recommend thinking about four types of benefits: compliance, marketing, lowering costs, and optimizing business processes.
The benefits of information security, especially the implementation of ISO 27001, are numerous. The following four are the most important:
Compliance
It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology which enables it to do so in the most efficient way.
Marketing edge
In a market which is more and more competitive, it is sometimes very difficult
to find something that will differentiate you in the eyes of your customers. ISO
27001 could be indeed a unique selling point, especially if you handle clients’
sensitive information.
Lowering the expenses
Information security is usually considered a cost with no obvious financial gain. However, there is financial gain if you lower the expenses caused by incidents. You probably do have interruptions in service, or occasional data leakage, or disgruntled employees. Or disgruntled former employees.
The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management's attention.
Putting your business in order
This one is probably the most underrated – if you are a company which has been
growing sharply for the last few years, you might experience problems like – who
has to decide what, who is responsible for certain information assets, who has to
authorize access to information systems etc.
Use well-accepted techniques of finance and decision-making processes to justify infosec investments
Business executives spend money based on ROI, and may not react well to an approach based on unquantified, albeit very real, fears. It's not always easy (the available solutions often don't lend themselves to a by-the-numbers analysis), but your best shot is to present an objective and quantified estimate of the returns on InfoSec investments.
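One way to turn "an objective and quantified estimate" into figures an executive recognizes is the annualized loss expectancy (ALE) and return on security investment (ROSI) model from quantitative risk analysis. The Python below is an added example, not a method stated in this chapter; the breach cost, frequency, mitigation ratios and control costs are constructed and would be replaced by the organization's own estimates. It computes the ALE of one threat scenario and ranks candidate controls by ROSI, showing that the cheapest control can have the best return while an expensive one can have a negative return.

```python
"""ALE / ROSI worked example for justifying a security control.
Added example: the formulas are the standard quantitative-risk model, not a method
from this chapter; every figure below is constructed for illustration."""


def annualized_loss_expectancy(single_loss_expectancy, annual_rate_of_occurrence):
    """ALE = SLE x ARO: the expected yearly loss from one threat scenario."""
    return single_loss_expectancy * annual_rate_of_occurrence


def return_on_security_investment(ale_before, mitigation_ratio, annual_control_cost):
    """Returns (avoided_loss, net_benefit, rosi).
    mitigation_ratio is the share of the ALE the control is expected to remove;
    rosi = (avoided_loss - cost) / cost, so a value below 0 means the control costs
    more per year than the loss it prevents."""
    avoided_loss = ale_before * mitigation_ratio
    net_benefit = avoided_loss - annual_control_cost
    return avoided_loss, net_benefit, net_benefit / annual_control_cost


def rank_controls(ale_before, controls):
    """controls: {name: (mitigation_ratio, annual_cost)}.
    Returns rows (name, avoided_loss, net_benefit, rosi) with the best ROSI first."""
    rows = []
    for name, (ratio, cost) in controls.items():
        avoided, net, rosi = return_on_security_investment(ale_before, ratio, cost)
        rows.append((name, round(avoided), round(net), round(rosi, 2)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed scenario: a breach of the customer database costs 400,000 per event
# and is expected once every four years (ARO = 0.25).
BREACH_ALE = annualized_loss_expectancy(400_000, 0.25)   # 100,000 per year

# Constructed candidate controls: (share of the loss removed, yearly cost).
CANDIDATE_CONTROLS = {
    "database encryption + key management": (0.60, 35_000),
    "security awareness programme": (0.30, 8_000),
    "24x7 managed monitoring": (0.50, 60_000),
}


if __name__ == "__main__":
    print(f"ALE of the breach scenario: {BREACH_ALE:,.0f} per year")
    for name, avoided, net, rosi in rank_controls(BREACH_ALE, CANDIDATE_CONTROLS):
        print(f"{name:40s} avoided {avoided:>7,} net {net:>8,} ROSI {rosi:+.2f}")
```

The weakest input is the mitigation ratio, which is an estimate; present it as a range (for example 0.2 to 0.4 for the awareness programme) and show that the ranking holds across the range, which is the kind of by-the-numbers argument the paragraph above calls for.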
The following points will help you when talking about finance and decision-making processes:
Company or executive liability
The CEO and board of directors can be held personally liable if they're shown to have known that a business risk existed and did nothing to remediate it. So you can leverage this (gently) in your communication. Once they're on board with the need to self-assess, they may even elect to conduct physical pen testing of the company premises (a “fire inspection” that installs key-logging USB sticks that phone home on all the machines).
Costs or lost revenue from PCI-DSS
If you receive payments through credit cards, the PCI-DSS “standard” mandates that certain security solutions must be implemented within the business infrastructure. Credit card companies have come up with this as a way of shifting the liability for fraudulent transactions from them to you (the customer-facing business). If you were to be audited (and I'm dealing with a medium-sized business that's being audited right now), you could be forced to bring in 3rd-party security vendors or managed service providers to assess and implement security, all at a much higher cost than you could do it on your own, or risk being cut off from processing by Visa, MC and/or AmEx until you can prove that you've corrected the issues and have paid for an independent audit. You should seek more information on this on your own, as this is a real-world liability that's showing up for more and more businesses.
Downtime and revenue impact from government intervention
In the case of a successful cyber attack targeting your organization, the risk is that law enforcement agencies could confiscate computers or have your backbone drop(s) cut off until the exploited systems are cleaned. If you run your own datacenter, you could see servers or racks disappear, or at least be taken offline for some time while forensics are performed. This downtime could be devastating to the business.
Hackers
An unprotected network, or insufficiently protected endpoints, could end up
being the target (pun intended) of black-hat, grey-hat, or white-hat hackers. In
other words, an independent 3rd-party may find a way to breach your systems
for fun or profit.
The outcomes of cyber-attacks could include:
• Company funds stolen through compromised banking login credentials, or through directly accessed (owned) internal systems;
• Having to notify your customers that your systems have been breached and their data (passwords, credit-card numbers, etc.) has been stolen;
• Having to negotiate ransom payments with attackers to regain access to critical internal systems that they've encrypted in order to lock you out and force you to pay;
• Having to negotiate with “security researchers” to gain sufficient time to patch internal systems or close security holes before they “go public” with information that they've defeated your perimeter security or layered defense mechanisms. The more aggressive “researchers” may provide proof-of-concept tools or even detailed instructions on how to replicate the attack, so that other researchers may validate their findings (while hackers leverage the newly disclosed info for an actual attack).
Promoting a culture of security
A culture of security is not an end in itself, but a pathway to achieve and maintain
other objectives, such as proper use of information. The greatest benefit of a
culture of security is the effect it has on other dynamic interconnections within
an enterprise. It leads to greater internal and external trust, consistency of
results, easier compliance with laws and regulations and greater value in the
enterprise as a whole.
Who should the information security office report to?
It seems like a simple question. After all, there seems to be little debate about where other C-suite officers should report, although there have been some discussions about the reporting structure for such C-level executives as the chief privacy officer and the chief compliance officer.
As a best practice, the CISO or the whole Information Security Office should report to the CEO, since it's easier to convince the management and the board through him/her. However, reporting to the CTO shouldn't stop you from carrying out your tasks as long as you get the support required.
Oman National CERT's role
Oman National CERT has established a full program to promote Information Security Offices in government and CNI entities, providing the IS officers with the required tools, including policies, office structure, controls and awareness programs, to promote a security culture within their organizations.
In addition, Oman National CERT is willing to meet top management to present the importance of information security and ultimately assist in the implementation of a successful information security program.
Conclusion
In conclusion, it's important to know how to sell information security to your organization's top management in order to get the support required to carry out your responsibilities easily and efficiently. We believe that by the end of this course you have the skills and techniques required to convince top management to support your department and team in fulfilling their tasks and projects.
References
1. ISO/IEC 17799:2005, “Information Technology - Security Techniques - Code of Practice for Information Security Management”, ISO, Geneva (2005).
2. ISO/IEC 27001:2005, “Information Technology - Security Techniques - Information Security Management Systems - Requirements”, ISO, Geneva (2005).
3. Heikkinen, I., Ramet, T., “E-Learning as a Part of Information Security Education Development from Organisational Point of View”, Oulu University, Oulu, Finland, in Finnish (2004).
4. Kajava, J., “Critical Success Factors in Information Security Management in Organizations: The Commitment of Senior Management and the Information Security Awareness Programme” (abstract in English), Hallinnon tutkimus - Administrative Studies, Volume 22, Number 1, Tampere (2003).
5. Lempinen, H., “Security Model as a Part of the Strategy of a Private Hospital” (in Finnish), University of Oulu, Finland (2002).
6. OECD, “OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security”, OECD Publications, Paris, France, 29 p. (2002).
EPILOGUE
During this course you have covered a large number of concepts and a lot of material. You should now be prepared to handle many of the potential threats that may confront you regarding information security.
It is important to re-emphasize a couple of points.
First, the technology resources that you use and the information that you use, manipulate, access, create, or store in the process of doing your job exist to make your job easier.
Second, security policies and procedures were created not only to protect our information but also to help us achieve our objectives.
It is your responsibility to help in the protection of this information.