Introduction to Infosec Professional
DESCRIPTION
Presented to KMUTT CPE 4th-year students on 21/9/2010
Introduction: Infosec Professional
Presented at
King Mongkut’s University of Technology Thonburi (KMUTT)
by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd., a company of PTT Group
Sep. 2010
• Advisor of Department of Special Investigation (DSI)
Guest lecturer for:
• Royal Thai Armed Forces Headquarters
• Office of the Permanent Secretary for Defence
• Regular course, Army Command and General Staff College, Institute of Advanced Army Studies
• Bank of Thailand
• Office of the Permanent Secretary, Ministry of Commerce
• State Enterprise Information Technology Club of Thailand
• Thai Medical Informatics Association
• Strategic IT Governance course, Software Park 2007-2009
• Mini-MBA Program, Thammasat University
• Micro-MBA Program, Thammasat University
• MIS Program, Thammasat University
• King Mongkut's University of Technology Thonburi
• ITU ASP COE : Training Workshop on Information Management Framework for CIOs
• CIO Conference 2007
• Information Security Asia 2007
• 2nd Annual ASIA IT Congress 2007
• Cyber Defence Initiative Conference (CDIC) 2008, 2009 and 2010
• SCADA Asia Summit 2009 and 2010
1st visit to KMUTT: 21/9/2007
CIA Admits Cyber attacks Blacked Out Cities
• The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers.
• The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States. (By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM)
In the real world
Maroochy Waste Water
Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds
Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs
Specifics: SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water
Used OPC ActiveX controls, DNP3, and ModBus protocols
Used packet radio communications to RTUs
Used commercially available radios and stolen SCADA software to make laptop appear as a pumping station
Caused as many as 46 different incidents over a 3-month period (Feb 9 to April 23)
Lessons learned:
Suspend all access after terminations
Investigate anomalous system behavior
Secure radio and wireless transmissions
Browns Ferry Power Plant
Event: Aug. 2006, two circulation pumps at Unit 3 of the nuclear power plant failed
Impact: The unit had to be shut down manually
Specifics: The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device
Recovery time:
SPDS – 4 hours 50 minutes
PPC – 6 hours 9 minutes
Lessons learned:
Provide adequate network segmentation
Place controls on multiple segments to limit congestion and cascading effects
Provide active network monitoring tools
Hatch Nuclear Power Plant
Event: A software update caused the control system to initiate a plant shutdown.
Impact: The plant was shut down for 48 hours
Specifics: An engineer installed a software update on a computer operating on the plant's business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in coolant water reservoirs.
“…there was full two-way communication between certain computers on the plant's corporate and control networks.”
Recovery time: 48 hours
Lessons learned:
Patch management policy must address testing requirements before integration in the production environment
IT and ICS must be aware of connectivity
Davis Besse Nuclear Power Plant
Event: Aug 20, 2003 Slammer worm infects plant
Impact: Complete shutdown of digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC)
Specifics: Worm started at a contractor's site
Worm jumped from corporate to plant network and found an unpatched server
Patch had been available for 6 months
Recovery time:
SPDS – 4 hours 50 minutes
PPC – 6 hours 9 minutes
Lessons learned:
Secure remote (trusted) access channels
Ensure defense-in-depth strategies with appropriate procurement requirements
Critical patches need to be applied
Olympic Pipeline Explosion
Event: 16-inch gasoline pipeline explosion and fire, exacerbated by the inability of the SCADA system to perform control and monitoring functions.
Impact: 3 fatalities, property damage >$45M, matching fines of $7.86M against two companies.
Specifics: Erroneous changes to live historical database caused critical slowdown in system responsiveness (evidenced by sensor scan rate changing from 3 second poll to over 6 minutes!)
Communication link between main computer, field sensors, and controllers was a combination of leased phone lines and frame relay.
[Photo: David Willoughby, copyright Bellingham Herald]
Lessons learned:
Identify controls to Critical Assets
Do not use administrative controls to solve system anomalies
Do not perform database updates on live systems
Apply appropriate security to remote access
Big Bang Experiment is Hacked
Event: Sept, 2008 - Computer hackers broke into the Large Hadron Collider and defaced one of the project websites.
Impact: “There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable," said James Gillies, spokesman for European Organization for Nuclear Research (also known as CERN)
Specifics: Hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang
CERN expressed concern over what the hackers could do, as they were “one step away” from the computer control system
Lessons learned:
Provide adequate network segmentation
Place controls on another segment with no direct outside access
Provide active network monitoring tools
Ensure defense-in-depth strategies, firewalls and Intrusion Detection Systems
Space Station – Air Gap Bridged
Event: Aug. 2008, viruses intended to steal passwords and send them to a remote server infected laptops in the International Space Station (again).
Impact: Created a “nuisance” to non-critical space station laptops
Specifics: The virus did make it onto more than one laptop, suggesting that it spread via some sort of intranet on the space station or via a thumb drive.
Lessons learned: Due to the human factor there is no true air gap; for example, thumb drives, laptop connections, modems, VPN, CD/DVD, etc.
Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009
• "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.
• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."
In the real world
TISA in Bangkok Post : When Hacking risks health
TISA web site : http://www.tisa.or.th
In the real world
Cyber Threats in a Plant (diagram): a manufacturing plant's operation control systems, part of the national critical infrastructure, surrounded by: adversary/disgruntled employee; government; malicious code/virus/worm; vulnerabilities/weaknesses; terrorist/hacker; law/compliance/standard/guideline; industry-specific regulator.
Qualified professional undersupply (diagram of overlapping professions): IT Professional, Infosec Professional, Control System Professional, and where they overlap, the Control System Cybersecurity Professional.
The Implication
• Only a small number of professionals with the right competency are available to help you out
• Collaboration and support from the professional community are highly needed
3.2 Update on the latest electronic transactions law issues and their relationship with ISO 27001
Notification of the Electronic Transactions Commission on Policy and Practice Guidelines for Information Security of Government Agencies, B.E. 2553 (2010)
[ In effect 31 May 2553 (2010) ]
[ Published in the Royal Gazette on 3 Sep. 2553 (2010) ]
[ Sections 5, 7 and 8 ]
Laws relating to information technology management: information security management
ISO 27001 (ISMS) [ awaiting publication in the Royal Gazette ]
“Security Awareness/Training”
[ Reference: Sections 5, 7 and 8 of the Royal Decree (Section 35) ]
[ In effect 31 May 2553 (2010) ]
“IT Security assessment”
3.3 Case study: “e-Banking hacked, 700,000 baht lost; losses of over 100 million baht in the whole of 2010”
News source: www.mcot.net/cfcustom/cache_page/88092.html
The danger hidden in what seems to be nothing at all
Trojan Horse
Cybersecurity Professional vs. Cyber Punk
Key Differentiation
• Ethics
• Methodology
Development strategies of the ICT Master Plan II
SMART Thailand
1. Develop human resources (ICT Professionals and “Information-Literate” People)
2. Manage the nation's ICT with good governance (Institutional arrangement, Rules and Regulation, Financing, …)
3. Develop ICT infrastructure
4. Use ICT to support good governance in public administration and public services
5. Develop the capability of the ICT industry
6. Use ICT to enhance sustainable competitiveness (Strategic Sectors, SMEs)
Hardware, Software, Communication: the foundation of everything
Strategy 1: Develop human resources. Goal: Information Literacy
Accelerate the production of information security personnel whose quality meets international standards
3 Pillars of ICT: People, Technology (Tool), Process
3 Pillars of Security: Confidentiality, Integrity, Availability (threatened by Disclosure, Alteration and Destruction respectively)
Areas of Expertise
• Access Control Systems and Methodology (how people enter and leave the system)
• Administration (planning, implementing and evaluating information security programs)
• Application and Systems Development Security (creating new computer programs to protect an organization)
• Auditing and Monitoring (collecting information for identification of and response to security breaches)
• Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) (uninterrupted access to critical data systems)
• Cryptography (the coding and decoding of data and messages)
• Law, Investigation and Ethics (computer crime laws and regulations and ethics)
• Malicious Code (countermeasures and prevention techniques for dealing with viruses, worms and other forms of deviant code)
• Operations Security (setting identity controls; auditing and monitoring the mechanisms and tools)
• Physical Security (giving physical systems access solely to those who need it)
• Risk, Response and Recovery (processes to identify, measure and control loss)
• Security Architecture and Models (building the security infrastructure for a complex organization)
• Security Management Practices (identification of information assets and development of policies and procedures)
• Telecommunications and Network Security (ensuring security through remote access management, network availability, firewall architectures, VPNs, data networking, LAN devices, etc.)
Common Job Titles
• Security auditor – CISA, IRCA:ISMS, OPSA, OPST
• Security specialist – GIAC, SSCP, CISSP
• Security consultant – GIAC, CISSP
• Security administrator – GIAC, SSCP
• Security analyst/engineer – GIAC, CISSP
• Web security manager – OWASP
• Director/Manager of security – CISSP, CISM
• Chief privacy officer – CISSP, CISM
• Chief risk officer (CRO) – CISSP, CISM
• Chief Security Officer (CSO) – CISSP, CISM
• Chief Information Security Officer (CISO) – CISSP, CISM
CISSP® 10 CBK® Domains
• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security
Career Path – (ISC)2
11 ISMS Control Areas in ISO27001:2005 Annex A
Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development
United States Department of Homeland Security, September 2008
Key Dimensions
4 functional perspectives
14 competency areas
10 roles
Functional Perspectives (MDIE)
Manage
Design
Implement
Evaluate
Competency Areas (MDIE in each)
1. Data Security
2. Digital Forensics
3. Enterprise Continuity
4. Incident Management
5. IT Security Training and Awareness
6. IT System Operations and Maintenance
7. Network and Telecommunication Security
8. Personnel Security
9. Physical and Environmental Security
10. Procurement
11. Regulatory and Standards Compliance
12. Security Risk Management
13. Strategic Security Management
14. System and Application Security
Roles of Information Security
1. Chief Information Officer
2. Digital Forensics Professional
3. Information Security Officer
4. IT Security Compliance Officer
5. IT Security Engineer
6. IT Security Professional
7. IT Systems Operations and Maintenance Professional
8. Physical Security Professional
9. Privacy Professional
10. Procurement Professional
ACIS Professional Center
TISA TISET Examination
TISET = TISA IT Security EBK Test
Example of a TISA TISET Exam Information Security Competency Score Card
Enterprise Infosec Competency Profile
* The organization assesses its Infosec competency requirements against the EBK
* Assesses current competency within the enterprise
* Identifies competency gaps: training requirements, recruitment
* Infosec training providers map their training courses to the EBK
(Diagram: EBK linking Enterprise/Personnel Capability and Training Provider)
TISA Pilot Exam Summary: TISA ITS-EBK Model
Competency Profile
[Chart: TISA Pilot Exam 2009-10-17, max/min/average score for each of the 14 competency areas listed above]
Functional Perspective
[Chart: TISA Pilot Exam 2009-10-17, max/min/average score by functional perspective: M – Manage, D – Design, I – Implement, E – Evaluate]
IT Security Role Match
[Chart: TISA Pilot Exam 2009-10-17, max/min/average score by IT security role]
Example of TISA TISET Report
TISA Pilot Exam 2009-10-17
TISET Certificate – Pass criteria
Summary Score by Competency Areas
Average Role Matching
Summary by Functional Perspective
TISA Pilot Exam Summary: Certification Roadmap
TISA TISET Exam: FOUNDATION (localized) IT / Information Security Competencies Test
TISA TISET Certification: International Certified IT & Information Security Professional
Tracks: Management, Audit, Technical
Levels: ADVANCE, EXPERT
Step to CISSP, SSCP, CISA, CISM