Cybercrime
ICM: Effective Fraud Prevention &
Detection Strategies
August 2000
charl van der walt
jaco van graan
roelof temmingh
CYBERCRIME
AGENDA
1. INFORMATION SECURITY AWARENESS – Jaco van Graan
2. PROFILING THE ENEMY – Roelof Temmingh
3. SECURITY TRENDS AND STATISTICS – Charl van der Walt
4. INFORMATION SECURITY FUNDAMENTALS – Charl van der Walt
5. SECURITY DEMONSTRATED – SensePost Information Security
6. THE INFORMATION SECURITY PROCESS – Jaco van Graan
7. INFORMATION SECURITY CERTIFICATION – Charl van der Walt
8. THE BOTTOM LINE – Jaco van Graan
INTRODUCTION
• About the speakers
– jaco van graan
– charl van der walt
– roelof temmingh
• Objective
• Approach
• References:
– http://wips.sensepost.com/misc/cybercrime.zip
– http://www.sensepost.com
– [email protected]
INFORMATION SECURITY AWARENESS
jaco van graan
AGENDA
1. The Age of the Net
2. Threats and Risks in IT
3. Examples
4. What’s this hacking stuff?
5. What do hackers do?
6. But why hack?
7. Why they do it
8. Security Breaches in the past 12 months
Age of the Net...
• Global village
• Information overload
• Evernet
• E-Commerce
• Removing the middleman
• Information replaces inventory
Threats and Risks in IT
• Lack of security in IT
• Networks transfer data without security
• System administrators are trusted (completely)
• Theft
• People
– Untrusted, Outsourcing
• Internet designed with open architecture
• Hacking
What’s this hacking stuff?
• “Hacker”
– clever programmer
– Enjoys learning details of a programming language or system
– Enjoys actually doing the programming rather than just theorizing about it
– Capable of appreciating someone else's hacking
– Picks up programming quickly
– Expert at a particular programming language or system, as in “UNIX hacker”
What hackers do:
• Steal
– information - to use and to sell
– money from accounts
– goods through e-buying
– resource - time and equipment
• Talk
• Leave backdoors open
• Launch new attacks
But why hack?
• Fun
– technical challenges
– curiosity
– harmless pranks
– thrills
• Emotional
– pride
– hate
– revenge
– psychological
How do they do it?
• Social engineering
• Networking
• Resources from the web...
Security breaches past 12 months
[Bar chart: percentage of organisations reporting each breach type in the past 12 months, South Africa versus Europe, for the categories Virus, Theft, Mail intrusion, External attacks and Internal attacks; y-axis 0% to 100%. Values as extracted, series assignment not recoverable: 87%, 80%, 27%, 8%, 26%, 73%, 1%, 18%, 22%, 14%.]
SECURITY TRENDS & STATISTICS
charl van der walt
TRENDS & STATISTICS
1. Statistics on Commercial Crime
2. Statistics on Computer Crime
3. Computers and Commercial Crime
4. The value of Trends and Statistics
5. Trends in Computer Security
6. Determining your own Risk Profile…
Statistics on Commercial Crime
• Commercial crime up 3.5% from last year
– R 3.4 billion in the first half of '99 alone
• 84.3% of cases involved fraud
– 25,000 incidents
– R 2.9 billion
• Gauteng ranks first for commercial crime
• www.saps.org.za
Statistics on Computer Crime
• 61% of the organizations surveyed have experienced losses due to unauthorized computer use.
• The average loss from theft of proprietary information is over $1.2M.
• The average loss from data or network sabotage is over $1.1M.
• 50% of all organizations surveyed reported insider abuse of net access.
FBI / CSI Survey, 1999
Statistics on Computer Crime
“Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day.”
Financial Mail - April 2000
Threat Distribution - International
Theft of proprietary info 20%
Sabotage of data or networks 15%
Telecom eavesdropping 10%
System penetration by outsider 24%
Insider abuse of net access 76%
Financial fraud 11%
Denial of service 25%
Virus contamination 70%
Unauthorized access to info by insider 43%
Telecom fraud 13%
Active wiretapping 2%
Laptop theft 54%
Threat Distribution - RSA
Some form of breach 89%
Virus incident 87%
Theft of equipment 80%
E-mail intrusion 27%
Loss of company documents 12%
Breach of confidentiality 8%
External systems attack 8%
Internal systems attack 6%
Computers & Commercial Crime
KPMG:
‘63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as "Extremely High"’
Business today simply doesn't run without IT
Neither does fraud or other commercial crime
The value of statistics
• Local and International statistics differ
– “Internal”: 76% vs 6%
– “External”: 24% vs 8%
• Statistical methodologies differ
• Many incidents are never discovered
• Most are never reported
• Statistics probably won’t tell you much, except:
– Create an awareness
– Stimulate technology
– Indicate trends
Trends in IT security
The industry is typically technology driven:
• Host Security
• Firewalls
• Virus scanners
• Proxies
• VPN
• Content Scanners
• Intrusion Detection
• Hacker-in-a-Box
• File Security
Determining your own risk
The magnitude of the risk is a product of the value of the information and the degree to which the vulnerability can be exploited.
PROFILING THE ENEMY
roelof temmingh
1. Media and "hackers" - utter confusion
2. The intellectual and emotional makeup of a good "hacker"
3. Types of "hackers"
4. What motivates "hackers"?
5. The real threat - should we be worried about "hackers"?
INFORMATION SECURITY FUNDAMENTALS
charl van der walt
SECURITY FUNDAMENTALS
1. Understanding the Internet
2. The four Pillars
3. Control Methods
4. More about Encryption
5. Security Technologies
6. Security Products
7. Case Study
Understanding the Internet
• Host
• Network
• LAN
• WAN
• Internet
• Protocol
• IP
• Packet
• Server / Service
• Port
Four Pillars of Information Security
• Access Control
– Control who may and who may not access data
• Confidentiality
– Ensure data is viewed only by intended audience
• Integrity
– Ensure data is not changed by unauthorized parties
• Authenticity
– Ensure that data originated where you think
• #5 - Availability
– Ensure data is there when you need it
Security Control Methods
• Information Security Policy
• Sound system design
• Access Control
– Physical
– Network
– Operating System
– Application
• Encryption
• Audit and Review
More about Encryption
• Encrypt
– Convert information into unreadable format
• Crypto-Text
• Decrypt
– Change data back to normal format
• Clear-Text
• Algorithm
– Steps followed to encrypt or decrypt the information
• Key
– Secret shared between parties
• Key Length
– An indication of how hard the key is to guess
Still more about Encryption
• Public Key Cryptography
– A special type of encryption using a key pair
• Private Key
– Kept strictly secret
• Public Key
– Published with a Certificate
• Certificate
– A way of linking your Key to your Identity
• Certificate Authority (CA)
– Responsible for verifying the Certificate
• Public Key Infrastructure (PKI)
– Structures needed to make the process work
Security Technologies
• Firewalls
– Network Level
– Application Level
– Content Level
• Authentication Systems
– Something you know
– Something you have
– Something you are
• Encryption Protocols
– SSH
– SSL
– IPSec
• Intrusion Detection Systems
Security Products
• Firewalls
– Check Point FW-1 (www.checkpoint.com)
– NAI Gauntlet (www.nai.com)
– Linux IPchains (www.linux.org)
• Authentication Systems
– RSA SecurID (www.rsa.com)
– Aladdin eToken (www.aks.com)
• Encryption
– Windows EFS
– Trispen IPGranite (www.trispen.com)
• Intrusion Detection Systems
– AXENT Netprowler (www.axent.com)
– SNORT (www.snort.org)
Case Study - www.bluebean.com
• Use a firewall
– Restrict access to port 80 and 443 only
• Use a secure web server
– Netscape Enterprise 3/6
• Use SSL to encrypt the connection
• Use SSL for authentication
• Data Confidentiality
– No credit card numbers to foreign sites
• Use two-factor authentication
– The BlueBean credit card
• Account Lockout
• Potential Weaknesses
– Credit card number can be guessed
– User PC could be attacked
– User could be tricked
– Cycle through the card numbers, not the PINs?
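An added example, not from the SensePost slides, written in Python with constructed card identifiers and PINs: it models the last potential weakness above, one PIN held fixed while the card numbers are cycled, and shows that the per-account lockout the case study relies on never fires for that pattern, whereas a per-source throttle and a cross-account failure-rate alarm (both assumed controls, not on the slide) do catch it.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3    # failed PINs per card before that account is locked
SOURCE_THRESHOLD = 10    # failures per source address in the window before throttling
GLOBAL_ALARM = 20        # failures across all accounts in the window before an alert
WINDOW_SECONDS = 60.0    # sliding window for the source and cross-account counters

# Constructed card/PIN table: placeholder identifiers, not real card numbers.
VALID_PINS = {f"CARD-{i:04d}": f"{(i * 37) % 10000:04d}" for i in range(1, 41)}


@dataclass
class LoginGate:
    """Card number + PIN check with the slide's per-account lockout, plus two
    assumed cross-account controls that can be switched off for comparison."""
    source_throttle: bool = True
    global_alarm: bool = True
    account_failures: dict = field(default_factory=lambda: defaultdict(int))
    source_failures: dict = field(default_factory=lambda: defaultdict(deque))
    all_failures: deque = field(default_factory=deque)
    alerts: list = field(default_factory=list)

    @staticmethod
    def _prune(window: deque, now: float) -> None:
        """Drop timestamps that have fallen out of the sliding window."""
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()

    def attempt(self, card: str, pin: str, source: str, now: float) -> str:
        """Return 'ok', 'bad', 'locked' (this account) or 'throttled' (this source)."""
        recent = self.source_failures[source]
        self._prune(recent, now)
        if self.source_throttle and len(recent) >= SOURCE_THRESHOLD:
            return "throttled"
        if self.account_failures[card] >= LOCKOUT_THRESHOLD:
            return "locked"
        if VALID_PINS.get(card) == pin:
            self.account_failures[card] = 0
            return "ok"
        # Count the failure against the account, the source and the service as a whole.
        self.account_failures[card] += 1
        recent.append(now)
        self._prune(self.all_failures, now)
        self.all_failures.append(now)
        if self.global_alarm and len(self.all_failures) >= GLOBAL_ALARM:
            self.alerts.append((now, "cross-account PIN failure rate exceeded"))
        return "bad"


def run_vertical(gate: LoginGate, card: str = "CARD-0001", tries: int = 10) -> dict:
    """One card, many PINs: the guess that per-account lockout is built to stop."""
    return dict(Counter(
        gate.attempt(card, f"{i:04d}", "10.0.0.1", float(i)) for i in range(tries)))


def run_horizontal(gate: LoginGate, pin: str = "1234", cards: int = 30,
                   distributed: bool = False) -> dict:
    """Many cards, one PIN: the slide's 'cycle through the card numbers' case.
    With distributed=True every attempt comes from a different source address."""
    outcomes = Counter()
    for i in range(cards):
        source = f"10.0.1.{i}" if distributed else "10.0.0.1"
        outcomes[gate.attempt(f"CARD-{i + 1:04d}", pin, source, float(i))] += 1
    return dict(outcomes)


if __name__ == "__main__":
    print("vertical, lockout only:   ", run_vertical(LoginGate(False, False)))
    baseline = LoginGate(source_throttle=False, global_alarm=False)
    print("horizontal, lockout only: ", run_horizontal(baseline), "alerts:", len(baseline.alerts))
    hardened = LoginGate()
    print("horizontal, with throttle:", run_horizontal(hardened), "alerts:", len(hardened.alerts))
    spread = LoginGate()
    print("horizontal, distributed:  ", run_horizontal(spread, distributed=True),
          "alerts:", len(spread.alerts))
```

The distributed run is the one to study: neither lockout nor per-source throttling reacts, and only the service-wide failure counter shows that something is wrong.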
SECURITY DEMONSTRATED
jaco van graan
1. Connecting to the firewall
2. Using passwords to restrict access to data
3. Using a firewall to protect our servers
4. Using IDS to warn us of attacks
SECURITY DEMO
roelof temmingh
1. A server is connected to the Internet.
2. Passwords are used to restrict access to the MS file service.
3. A firewall is used to restrict server access to the web service port - 80.
4. An IDS system is used to detect and report on attempted attacks on the web server.
THE INFORMATION SECURITY PROCESS
jaco van graan
THE SECURITY PROCESS
1. Proactive or Reactive?
2. The Process
3. Threat / Risk Analysis
4. Security Policy
5. Planning
6. Implementation
7. Manage & Monitor
8. Internal & External Audit
9. Intrusion Detection
10. Adjust Security Policy
Proactive or Reactive?
• Proactive
– Locate weaknesses
– Controls in place
– LT cost effective
• Reactive
– No or weak controls
– Try plug security holes
– Least effective
– Costly
The Process…
[Cycle diagram with seven numbered stages:]
– Threat/Risk Analysis
– Security Policy Creation
– Planning
– Policy Enforcement/Implementation
– Monitor & Manage
– Intrusion detection
– Security Audit
Threat/risk Analysis
• Value your assets (information/reputation).
• Determine the acceptable level of loss.
• Some losses will inevitably occur.
– Eliminating ALL losses would be either too costly or impossible.
• The level of acceptable losses needs to be set
– it dictates how much you are willing to spend on security.
• Set a time period for the acceptable losses.
Security Policy
• Practical, understandable.
• Control document.
• Communicated.
• Endorsed by management.
• Applies to all users of infrastructure.
• Gives security administrator a mandate
A security policy helps to define what you consider to be valuable, and it specifies what steps should be taken to safeguard those assets.
Planning
• Enforcement of controls - security policy
• Select products to ensure compliance
• Determine required implementation and maintenance skills
• Evaluate impact on business
• Resources
– People
– Time
– $$$
• Evaluate possible security partner
– Experience: references
– Financial backing
– Trust relationship
– Support: training/skills transfer/SLA’s
– Product range
Implementation
• Remember your exposure!
• Security partner?
• Schedule change control - security policy
• Inform all users / business partners
• Ensure skill level of implementers
• Roll back plan
Manage & Monitor
• Physical audit of infrastructure
• Responsibility handover
– Security alerts, advisories, bug fixes
– Equipment load
– Configuration changes
• Catch ‘em! (If you can…)
Internal & External Audit
• Collect and evaluate evidence to determine whether a computer system:
– safeguards assets.
– maintains data integrity.
– allows the goals of an organisation to be achieved efficiently and effectively.
• Security policy as control document.
• International standards: SAS 70; BS 7799.
Internal Audit
• Compare to internal audit division.
• Independence, thus not involved in implementation or operations.
• Report to IT manager.
External Audit - Evaluation
• Organisation
– Independence
– References
– Experience
– Certification
– Cost
– Ethics
– Services offered
– Backing: subsidiary/insurance
• Methodology
– Certification/benchmark
– Audit plan
– Execution according to plan
– Report
– Recommendations & resolution
• Resources
– Business skills
– Experience: qualification; Certifications; Bodies
– Individual background
• The brief… How; What; Where?
– Type: logical; Physical or social
– Restrictions / conditions
– Internal / external
• Toolbox.
– Tool combinations: wider vulnerability exposure.
– Proprietary or off the shelf.
• Confidentiality.
Intrusion Detection
• If all else failed…
• Regular updates.
• Follow up of intrusion attempts.
• Play it again, Sam.
Adjust Security Policy
• Recommendations from internal & external audits.
• New business requirements.
INFORMATION SECURITY CERTIFICATION
charl van der walt
SECURITY CERTIFICATION
1. Definition
2. The purpose of Certification
3. Leading standards today
4. Is Certification for you?
5. Choosing the right standard
Definition
The evaluation of the security of a computer system by a recognised third party.
If the system being tested meets all the criteria it receives certification (also called accreditation), which is an indication of the level of security of the system being tested.
Objective
• To enforce structure on your security program
• A means of assessing your own security
• A means of measuring against best-of-breed
• A means of convincing others of your security
Leading Standards
• BS 7799
– British Standards Institute
– Outlines 10 controls that must be addressed
– Uses the c:cure program for accreditation
– www.bsi.org.uk / www.bsi.org.za
– www.c:cure.org
• TCSEC – Trusted Computer System Evaluation Criteria
– “Orange Book”
– Published by the US National Security Agency
– Defines different ‘Levels’ of trust: Minimal -> Formally Proven
– www.radium.ncsc.mil/tpep
Leading Standards
• ITSEC
– Information Technology Security Evaluation Criteria
– Recognised by most European countries
– Concentrates on product evaluations
– Defines different levels (E0 - E6)
– www.itsec.gov.uk
• CCITSE
– Common Criteria for IT Security Evaluation
– Joint American / European Evaluation Standard
– Successor to TCSEC and ITSEC
– Defines ‘levels’ similar to TCSEC, but more flexible: Protection Profiles
– http://csrc.nist.gov/cc/
Leading Standards
• ISO / GMITS – Guidelines to the Management of IT Security
– Published by the JTC (Joint Technical Committee of ISO and IEC)
– www.iso.ch
– www.diffuse.org/secure.html
• COBIT
– Control Objectives for Information and Related Technologies
– Information Systems Audit and Control Association (ISACA)
– ‘Business Oriented & Practical’
– www.isaca.org
Leading Standards
• ICSA
– International Computer Security Association
– Commercial Venture represented world-wide
– Product certification and security assurance services: TruSecure
– Internet focused
– www.icsa.net
• Ernst & Young SAS70
– Statement of Auditing Standards # 70
– American version of a similar international standard
– Specifically for the outsourced environment
– Business focused
– www.ey.com
Is Certification for you?
• Yes, if:
– You’re a large corporation
– You’re publicly owned
– You offer IT-based services to clients
– You have legal obligations
– You’re comfortable with formal processes
• No, if:
– You have a small, manageable infrastructure
– Your only responsibility is to yourself
– You have an informal culture and strong skills
– You believe certification will make you secure
Choosing the right standard
• Recognition
– Respect in your target market
• Focus
– Support for your own security objectives
• Local Presence
– A program that can be certified in SA
• Total cost
– Good return on investment
• Overhead
– Reasonable implementation time and life-span
• Impact
– A tangible effect on your systems
THE BOTTOM LINE
jaco van graan
1. Take security seriously
2. Don’t panic!
3. Value your information
4. Evaluate your risk
5. Be requirement driven, not technology driven
6. Enable your business