ISO27000 series
The goal in developing the standard was to provide guidance to organisations on how to design, implement, and maintain policies, processes and technologies to manage risks to its sensitive information assets.
Industry best practise.
ISO27001 (ISMS management)
ISO 27001 specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization.
ISO27002
Code of practise for information security controls
Code of practice for information security controls.
ISO 27002 provides a checklist of general security controls to be considered implemented/used in organizations.
What’s the purpose of ISMS?
An ISMS outlines the controls that need to be put into place, and provides direction on how those controls should be managed throughout their life cycle.
Handling personnel/ employee departure
Different reasons for departure:
- Voluntary, Redundancy, Termination
Different types of actions:
- Former employee may keep some privileges
- Revoke all privileges
- Escort to the exit.
Staff who lose their job due to redundancy are at greater risk to become insider attackers. To mitigate this risk:
- The redundancy process must be seen as fair
- Try to keep a good dialogue
- During exit interview, review the original employment agreement (i.e. non-compete, wrongful disclosure, etc.
Social engineering
The act of tricking another person into providing confidential information by posing as an individual who is authorized to receive that information.
Phishing attacks
A kind of social-engineering attack in which criminals use spoofed emails to trick people into sharing sensitive information or installing malware on their computer.
- Sending phishing email, getting through spam-filters. Increasingly difficult to get through email filtering (SPF, DKIM, DMARC). Content must be sufficiently credible to trick the user.
- The victim taking the suggested action in the message.
- Got to a fake website.
- Replying with sensitive information
- Installing malware - The criminals exploiting and monetizing the stolen information
Elements of the IS Management Cycle
- Planning
- Risk Assessment
- Security Controls
- Evaluation
- Reporting
Personnel integrity
Preventing employees from becoming attackers
Personnel as defence
Making sure personnel do not fall victim to social engineering attacks
Cybersecurity culture in organisations
Stimulate behaviour which strengthens security
Security usability
Making sure users operate security correctly
Multilevel defence against social engineering attacks
- Foundation level. (Policies to address SE attacks)
- Awareness level. (Awareness training for all staff)
- Fortress level. (Resistance training for all staff)
- Persistence level. (Ongoing reminders)
- Gotcha level. (Social engineering detectors)
- Offensive level. (Incident response)
Types of phishing
Mass Phishing, large-volume attack intended to reach as many people as possible.
Spear Phishing, a targeted attack directed at specific individuals or companies using gathered information to personalize the message and make the scam more difficult to detect.
Whaling, including high-profile individuals or those with a great deal of authority or access.
Clone Phishing, a spoofed copy of a legitimate and previously delivered email, with original attachments or hyperlinks replaced with malicious versions, which is sent from a forged email address so it appears to come from the original sender or another legitimate source.
CMMI / CMM
Capability maturity Model Integration
(For information security management)
- Initial / Ad Hoc
+ Processes are ad-hoc and disorganised.
+ Risks are considered on an ad hoc basis, but no formal processes exist. - Repeatable but intuitive
+ Processes follow a regular pattern.
+ Emerging understanding of risk and the need for security - Defined process
+ Processes are documented and communicated.
+ Company-
+ Awareness of security and security policy
4. Managed and measurable \+ Processes are monitored and measured. \+ Risks assessment standard procedures \+ Roles and responsibilities are assigned \+ Policies and standards are in place
- Optimized
+ Security culture permeates organisation
+ Organisation-wide security processes are implemented, monitored and followed
