Introduction to Infosec Professional


DESCRIPTION

Presented to KMUTT CPE 4th-year students on 21/9/2010

TRANSCRIPT

Page 1: Introduction to INFOSEC Professional

Introduction to Infosec Professional

Presented at King Mongkut’s University of Technology Thonburi (KMUTT)

by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS

Chief Security Officer, PTT ICT Solutions Co., Ltd., A Company of PTT Group

Sep. 2010

Page 2

• Advisor of Department of Special Investigation (DSI)

Page 3

Guest lecturer for:

• Royal Thai Armed Forces Headquarters

• Office of the Permanent Secretary for Defence

• Regular course of the Army Command and General Staff College, Army Advanced Academic Institute

• Bank of Thailand

• Office of the Permanent Secretary, Ministry of Commerce

• State Enterprise Information Technology Club of Thailand

• Thai Medical Informatics Association

• Strategic IT Governance course, Software Park, 2007-2009

• Mini-MBA Program, Thammasat University

• Micro-MBA Program, Thammasat University

• MIS Program, Thammasat University

• King Mongkut’s University of Technology Thonburi

• ITU ASP COE: Training Workshop on Information Management Framework for CIOs

• CIO Conference 2007

• Information Security Asia 2007

• 2nd Annual ASIA IT Congress 2007

• Cyber Defence Initiative Conference (CDIC) 2008, 2009 and 2010

• SCADA Asia Summit 2009 and 2010

Page 4

First visit to KMUTT, 21/9/2007

Page 5

CIA Admits Cyber Attacks Blacked Out Cities

• "The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers."

• "The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States."

By Thomas Claburn, InformationWeek, January 18, 2008, 06:15 PM

In the real world

Page 6

Maroochy Waste Water

Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds

Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs

Specifics:

• SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water

• Used OPC ActiveX controls, DNP3, and Modbus protocols

• Used packet radio communications to RTUs

• The attacker used commercially available radios and stolen SCADA software to make a laptop appear as a pumping station

• Caused as many as 46 different incidents over a 3-month period (Feb 9 to April 23)

Lessons learned:

• Suspend all access after terminations

• Investigate anomalous system behavior

• Secure radio and wireless transmissions

Page 7

Browns Ferry Power Plant

Event: Aug 2006, two reactor recirculation pumps at Unit 3 of the nuclear power plant failed

Impact: The unit had to be shut down manually

Specifics: The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device

Lessons learned:

• Provide adequate network segmentation

• Place controls on multiple segments to limit congestion and cascading effects

• Provide active network monitoring tools

Page 8

Hatch Nuclear Power Plant

Event: A software update caused the control system to initiate a plant shutdown.

Impact: The plant was shut down for 48 hours

Specifics: An engineer installed a software update on a computer operating on the plant's business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in coolant water reservoirs. "…there was full two-way communication between certain computers on the plant's corporate and control networks."

Recovery time: 48 hours

Lessons learned:

• Patch management policy must address testing requirements before integration in the production environment

• IT and ICS must be aware of connectivity

Page 9

Davis-Besse Nuclear Power Plant

Event: Jan 25, 2003 (publicly reported Aug 2003), Slammer worm infects the plant network

Impact: Complete shutdown of the digital portion of the Safety Parameter Display System (SPDS) and Plant Process Computer (PPC)

Specifics:

• Worm started at a contractor's site

• Worm jumped from the corporate to the plant network and found an unpatched server

• The patch had been available for 6 months

Recovery time:

SPDS – 4 hours 50 minutes

PPC – 6 hours 9 minutes

Lessons learned:

• Secure remote (trusted) access channels

• Ensure defense-in-depth strategies with appropriate procurement requirements

• Critical patches need to be applied

Page 10

Olympic Pipeline Explosion

Event: 16-inch gasoline pipeline explosion and fire, exacerbated by the inability of the SCADA system to perform control and monitoring functions.

Impact: 3 fatalities, property damage >$45M, matching fines of $7.86M against two companies.

Specifics: Erroneous changes to the live historical database caused a critical slowdown in system responsiveness (evidenced by the sensor scan rate changing from a 3-second poll to over 6 minutes). The communication link between the main computer, field sensors, and controllers was a combination of leased phone lines and frame relay.

[photo by David Willoughby, copyright Bellingham Herald]

Lessons learned:

• Identify controls for critical assets

• Do not use administrative controls to solve system anomalies

• Do not perform database updates on live systems

• Apply appropriate security to remote access

Page 11

Big Bang Experiment is Hacked

Event: Sept 2008, computer hackers broke into the Large Hadron Collider and defaced one of the project websites.

Impact: “There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable," said James Gillies, spokesman for the European Organization for Nuclear Research (also known as CERN)

Specifics: Hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang. CERN expressed concern over what the hackers could do, as they were “one step away” from the computer control system.

Lessons learned:

• Provide adequate network segmentation

• Place controls on another segment with no direct outside access

• Provide active network monitoring tools

• Ensure defense-in-depth strategies, firewalls and Intrusion Detection Systems

Page 12

Space Station – Air Gap Bridged

Event: Aug 2008, viruses intended to steal passwords and send them to a remote server infected laptops on the International Space Station (again).

Impact: Created a “nuisance” to non-critical space station laptops

Specifics: The virus did make it onto more than one laptop, suggesting that it spread via some sort of intranet on the space station or via a thumb drive.

Lessons learned: Due to the human factor there is no true air gap; for example, thumb drives, laptop connections, modems, VPNs, CD/DVD, etc.

Page 13

Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009

• "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.

• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."

In the real world

Page 14

TISA in Bangkok Post : When Hacking risks health

TISA web site : http://www.tisa.or.th

In the real world

Page 15

[Diagram: a manufacturing plant's operation control systems as national critical infrastructure, surrounded by adversary/disgruntled employee, government, malicious code/virus/worm, vulnerabilities/weaknesses, terrorist/hacker, law/compliance/standard/guideline, and industry-specific regulator]

Page 16

Cyber Threats in A Plant

Page 17

Qualified professional undersupply

[Diagram: overlap of IT Professional, Infosec Professional and Control System Professional; the intersection of all three is the Control System Cybersecurity Professional]

Page 18

The Implication

• Only a small number of professionals have the right competency to help you out

• Collaboration and support from the professional community are highly needed

Page 19

3.2 Update on the latest electronic transactions law issues and their relation to ISO 27001

Notification of the Electronic Transactions Commission on Policy and Practices for Information Security of Government Agencies, B.E. 2553 (2010)

[In force 31 May 2010]

[Published in the Royal Gazette on 3 Sep 2010]

[Sections 5, 7 and 8]

Page 20

Laws related to information technology management: security management

ISO 27001 (ISMS) [awaiting publication in the Royal Gazette]

Page 21

Laws related to information technology management: security management

Page 22

Laws related to information technology management: security management

“Security Awareness/Training”

[Ref. Sections 5, 7 and 8 of the Royal Decree issued under Section 35]

[In force 31 May 2010]

Page 23

Laws related to information technology management: security management

“IT Security assessment”

Page 24

3.3 Case study: “e-Banking hacked, 700,000 baht lost; losses for all of 2010 exceed 100 million baht”

Source: www.mcot.net/cfcustom/cache_page/88092.html

Page 25

The danger hidden in something that looks like nothing

3.3 Case study: “e-Banking hacked, 700,000 baht lost; losses for all of 2010 exceed 100 million baht”

Trojan Horse

Page 26

3.3 Case study: “e-Banking hacked, 700,000 baht lost; losses for all of 2010 exceed 100 million baht”

Page 27

Cybersecurity Professional vs. Cyber Punk

Key Differentiation

• Ethics

• Methodology

Page 28

Development strategies of ICT Master Plan II: SMART Thailand

1. Develop human resources (ICT Professionals and “Information-Literate” People)

2. Manage the nation's ICT with good governance (Institutional arrangement, Rules and Regulation, Financing, …)

3. Develop ICT infrastructure

4. Use ICT to support good governance in government administration and services

5. Develop the capability of the ICT industry

6. Use ICT to enhance sustainable competitiveness (Strategic Sectors, SMEs)

Hardware, Software, Communication: the foundation of everything

Page 29

Strategy 1: Develop human resources. Target: Information Literacy

Accelerate the production of information system security personnel whose quality meets international standards

Page 30

[Diagram: 3 Pillars of ICT: People, Process, Technology (Tool); 3 Pillars of Security: Confidentiality, Integrity, Availability, threatened respectively by Disclosure, Alteration, Destruction]

Page 31

Areas of Expertise

• Access Control Systems and Methodology (how people enter and leave the system)

• Administration (planning, implementing and evaluating information security programs)

• Application and Systems Development Security (building security into the programs and systems an organization develops)

• Auditing and Monitoring (collecting information for identification of and response to security breaches)

• Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) (uninterrupted access to critical data systems)

• Cryptography (the coding and decoding of data and messages)

• Law, Investigation and Ethics (computer crime laws and regulations, and ethics)

• Malicious Code (countermeasures and prevention techniques for dealing with viruses, worms and other forms of deviant code)

• Operations Security (setting identity controls; auditing and monitoring the mechanisms and tools)

• Physical Security (giving physical system access solely to those who need it)

• Risk, Response and Recovery (processes to identify, measure and control loss)

• Security Architecture and Models (building the security infrastructure for a complex organization)

• Security Management Practices (identification of information assets and development of policies and procedures)

• Telecommunications and Network Security (ensuring security through remote access management, network availability, firewall architectures, VPNs, data networking, LAN devices, etc.)

Page 32

Common Job Titles (and typical certifications)

• Security auditor: CISA, IRCA:ISMS, OPSA, OPST

• Security specialist: GIAC, SSCP, CISSP

• Security consultant: GIAC, CISSP

• Security administrator: GIAC, SSCP

• Security analyst/engineer: GIAC, CISSP

• Web security manager: OWASP

• Director/Manager of security: CISSP, CISM

• Chief privacy officer: CISSP, CISM

• Chief risk officer (CRO): CISSP, CISM

• Chief Security Officer (CSO): CISSP, CISM

• Chief Information Security Officer (CISO): CISSP, CISM

Page 33

CISSP® 10 CBK® Domains

• Access Control

• Application Security

• Business Continuity and Disaster Recovery Planning

• Cryptography

• Information Security and Risk Management

• Legal, Regulations, Compliance and Investigations

• Operations Security

• Physical (Environmental) Security

• Security Architecture and Design

• Telecommunications and Network Security

Page 34

Career Path – (ISC)2

Page 35

11 ISMS Control Areas in ISO 27001:2005 Annex A

Page 36

Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development

United States Department of Homeland Security, September 2008

Page 37

Key Dimensions

4 functional perspectives

14 competency areas

10 roles

Page 38

Functional Perspectives (MDIE)

Manage

Design

Implement

Evaluate

Page 39

Competency Areas (MDIE in each)

1. Data Security

2. Digital Forensics

3. Enterprise Continuity

4. Incident Management

5. IT Security Training and Awareness

6. IT System Operations and Maintenance

7. Network and Telecommunication Security

8. Personnel Security

9. Physical and Environmental Security

10. Procurement

11. Regulatory and Standards Compliance

12. Security Risk Management

13. Strategic Security Management

14. System and Application Security

Page 40

Roles of Information Security

1. Chief Information Officer

2. Digital Forensics Professional

3. Information Security Officer

4. IT Security Compliance Officer

5. IT Security Engineer

6. IT Security Professional

7. IT Systems Operations and Maintenance Professional

8. Physical Security Professional

9. Privacy Professional

10. Procurement Professional


Page 41

ACIS Professional Center

Page 42

TISA TISET Examination

TISET = TISA IT Security EBK Test

Page 43

The Example of TISA TISET Exam Information Security Competency Score Card

Page 44

Enterprise Infosec Competency Profile

• The organization assesses its infosec competency requirements against the EBK

• Assess current competency within the enterprise

• Identify competency gaps: training requirements and recruitment

• Infosec training providers map their training courses to the EBK

[Diagram: the EBK as the common reference linking Enterprise/Personnel Capability and Training Provider]

Page 45

TISA Pilot Exam Summary: TISA ITS-EBK Model

Page 46

Competency Profile

[Chart: TISA Pilot Exam 2009-10-17, max, min and average score for each of the 14 competency areas: Data Security; Digital Forensics; Enterprise Continuity; Incident Management; IT Security Training and Awareness; IT System Operations and Maintenance; Network and Telecommunication Security; Personnel Security; Physical and Environmental Security; Procurement; Regulatory and Standards Compliance; Security Risk Management; Strategic Security Management; System and Application Security]

Page 47

Functional Perspective

[Chart: TISA Pilot Exam 2009-10-17, max, min and average score by functional perspective: M – Manage, D – Design, I – Implement, E – Evaluate]

Page 48

IT Security Role Match

[Chart: TISA Pilot Exam 2009-10-17, max, min and average role-match score for each of the 10 EBK roles]
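The competency profile, functional-perspective and role-match score cards on pages 46-48, and the enterprise gap analysis on page 44, all rest on the same EBK data model: every exam question maps to one of the 14 competency areas and one of the 4 functional perspectives (M/D/I/E), and a role is a set of those (area, perspective) cells. The following Python is an added example, not code from the original slides, TISA or DHS. It scores a constructed answer sheet per area, per perspective and per role, and computes the gap against an enterprise's required-level profile. The role-to-cell mapping and the required levels are assumptions for illustration only; the real EBK publication defines which competency areas each role covers.

```python
"""Scoring a competency test against the DHS IT Security EBK model.

Added example (not code from the original slides, TISA or DHS). Assumes a
hypothetical question bank in which every question is tagged with one of the
14 EBK competency areas and one of the 4 functional perspectives (M, D, I, E).
"""
from collections import defaultdict

PERSPECTIVES = ("M", "D", "I", "E")  # Manage, Design, Implement, Evaluate

AREAS = (
    "Data Security", "Digital Forensics", "Enterprise Continuity",
    "Incident Management", "IT Security Training and Awareness",
    "IT System Operations and Maintenance",
    "Network and Telecommunication Security", "Personnel Security",
    "Physical and Environmental Security", "Procurement",
    "Regulatory and Standards Compliance", "Security Risk Management",
    "Strategic Security Management", "System and Application Security",
)

# Hypothetical role profiles (assumption, not the EBK's own role definitions):
# the (area, perspective) cells a role must cover.
ROLE_PROFILES = {
    "IT Security Engineer": {
        ("Network and Telecommunication Security", "D"),
        ("Network and Telecommunication Security", "I"),
        ("System and Application Security", "I"),
        ("Incident Management", "I"),
    },
    "IT Security Compliance Officer": {
        ("Regulatory and Standards Compliance", "E"),
        ("Security Risk Management", "E"),
        ("Strategic Security Management", "M"),
    },
}

# Constructed sample answer sheet: (area, perspective, answered correctly?).
SAMPLE_ANSWERS = [
    ("Network and Telecommunication Security", "D", True),
    ("Network and Telecommunication Security", "D", False),
    ("Network and Telecommunication Security", "I", True),
    ("System and Application Security", "I", True),
    ("System and Application Security", "I", True),
    ("Incident Management", "I", False),
    ("Regulatory and Standards Compliance", "E", True),
    ("Security Risk Management", "E", False),
    ("Strategic Security Management", "M", True),
    ("Data Security", "M", True),
]


def _validate(area, perspective):
    """Reject tags outside the EBK matrix so a typo cannot silently create a new cell."""
    if area not in AREAS:
        raise ValueError(f"unknown competency area: {area!r}")
    if perspective not in PERSPECTIVES:
        raise ValueError(f"unknown functional perspective: {perspective!r}")


def cell_scores(answers):
    """Percent correct for every (area, perspective) cell that was actually tested."""
    hits, totals = defaultdict(int), defaultdict(int)
    for area, perspective, correct in answers:
        _validate(area, perspective)
        totals[(area, perspective)] += 1
        hits[(area, perspective)] += int(correct)
    return {cell: 100.0 * hits[cell] / totals[cell] for cell in totals}


def score_by(answers, key):
    """Percent correct aggregated by competency area (key=0) or perspective (key=1)."""
    hits, totals = defaultdict(int), defaultdict(int)
    for answer in answers:
        _validate(answer[0], answer[1])
        totals[answer[key]] += 1
        hits[answer[key]] += int(answer[2])
    return {k: 100.0 * hits[k] / totals[k] for k in totals}


def role_match(answers, profiles=ROLE_PROFILES):
    """Average cell score over each role's required cells; an untested cell counts as 0."""
    cells = cell_scores(answers)
    return {
        role: sum(cells.get(cell, 0.0) for cell in required) / len(required)
        for role, required in profiles.items()
    }


def competency_gap(answers, required_levels):
    """Cells where the candidate scores below the enterprise's required level (gap in points)."""
    cells = cell_scores(answers)
    return {
        cell: level - cells.get(cell, 0.0)
        for cell, level in required_levels.items()
        if cells.get(cell, 0.0) < level
    }


if __name__ == "__main__":
    # Hypothetical enterprise requirement: minimum percent per cell.
    required = {("Incident Management", "I"): 70.0, ("Procurement", "M"): 40.0}
    print("by area:", score_by(SAMPLE_ANSWERS, 0))
    print("by perspective:", score_by(SAMPLE_ANSWERS, 1))
    print("role match:", role_match(SAMPLE_ANSWERS))
    print("gap:", competency_gap(SAMPLE_ANSWERS, required))
```

Untested cells are treated as a score of zero rather than skipped, so a role match or gap report never looks better simply because the exam did not cover a cell the role requires; that choice is what makes the output usable for the recruitment and training decisions described on page 44.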

Page 49

Example of TISA TISET Report

TISA Pilot Exam 2009-10-17

Page 50

TISET Certificate – Pass criteria

Page 51

Summary Score by Competency Areas

Page 52

Average Role Matching

Page 53

Summary by Functional Perspective

Page 54

TISA Pilot Exam Summary: Certification Roadmap

FOUNDATION (localized): TISA TISET Exam, an IT / Information Security Competencies Test, leading to TISA TISET Certification

ADVANCE / EXPERT: International Certified IT & Information Security Professional, on Management, Audit and Technical tracks

Step to CISSP, SSCP, CISA, CISM

Page 55