Practical Information Security Management: A Complete Guide to Planning and Implementation — Tony Campbell

Tony Campbell
Burns Beach, Australia

ISBN-13 (pbk): 978-1-4842-1684-2
ISBN-13 (electronic): 978-1-4842-1685-9
DOI 10.1007/978-1-4842-1685-9
Library of Congress Control Number: 2016960737

Copyright © 2016 by Tony Campbell

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Managing Director: Welmoed Spahr
Acquisitions Editor: Susan McDermott
Developmental Editor: Matt Moodie
Technical Reviewers: Nigel Hardy, Tristan Bennett
Editorial Board: Steve Anglin, Pramila Balen, Laura Berendson, Aaron Black, Louise Corrigan, Jonathan Gennick, Robert Hutchinson, Celestin Suresh John, Nikhil Karkal, James Markham, Susan McDermott, Matthew Moodie, Natalie Pao, Gwenan Spearing
Coordinating Editor: Rita Fernando
Copy Editor: Kim Burton-Weisman
Compositor: SPi Global
Indexer: SPi Global
Cover image: Designed by Hurca - Freepik.com

Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected], or visit www.springer.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.

For information on translations, please e-mail [email protected], or visit www.apress.com.

Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales–eBook Licensing web page at www.apress.com/bulk-sales.

Any source code or other supplementary materials referenced by the author in this text is available to readers at www.apress.com. For detailed information about how to locate your book’s source code, go to www.apress.com/source-code/.

Printed on acid-free paper

“I saw the angel in the marble and carved until I set him free.”
—Michelangelo

This book is dedicated to the two people in my life that inspire me the most. For Sharon and Lara: set your angels free.
Contents at a Glance

About the Author .... xv
About the Technical Reviewers .... xvii
Acknowledgments .... xix
Introduction .... xxi
■ Chapter 1: Evolution of a Profession .... 1
■ Chapter 2: Threats and Vulnerabilities .... 15
■ Chapter 3: The Information Security Manager .... 31
■ Chapter 4: Organizational Security .... 43
■ Chapter 5: Information Security Implementation .... 63
■ Chapter 6: Standards, Frameworks, Guidelines, and Legislation .... 71
■ Chapter 7: Protection of Information .... 95
■ Chapter 8: Protection of People .... 113
■ Chapter 9: Protection of Premises .... 131
■ Chapter 10: Protection of Systems .... 155
■ Chapter 11: Digital Evidence and Incident Response .... 179
■ Chapter 12: Cloud Computing Security .... 193
■ Chapter 13: Industrial Control Systems .... 205
■ Chapter 14: Secure Systems Development .... 213
Index .... 229

Contents

About the Author .... xv
About the Technical Reviewers .... xvii
Acknowledgments .... xix
Introduction .... xxi

■ Chapter 1: Evolution of a Profession .... 1
  What’s in a Name? .... 3
  The Language of Security .... 5
    CIA .... 5
    Non-Repudiation .... 9
    Threats and Vulnerabilities .... 9
    Risk and Consequence .... 10
  Glossary of Useful Terms .... 12

■ Chapter 2: Threats and Vulnerabilities .... 15
  Threats .... 16
    Hiding in Plain Sight .... 17
    Malware as a Service .... 21
  Physical Threats .... 24
  Vulnerabilities .... 25
    Technical Vulnerabilities .... 26
    Non-Technical Vulnerabilities .... 27

■ Chapter 3: The Information Security Manager .... 31
  Information Security Job Roles .... 32
  Training, Experience, and Professionalism .... 34
    Career Planning with Professional and Academic Certifications .... 35
  Getting Started in Security Management .... 40
    The Information Security Manager’s Responsibilities .... 40
    The Information Security Management System .... 42

■ Chapter 4: Organizational Security .... 43
  Security in Organizational Structures .... 43
    Where Does Security Fit? .... 43
    License to Operate: Get Your Guys Certified .... 46
    Encourage a Culture of Security Awareness .... 47
  Working with Specialist Groups .... 50
  Working with Standards and Regulations .... 50
  Working with Risk Management .... 52
    Risk Identification .... 53
    Risk Analysis .... 54
    Risk Treatment .... 56
    Risk Monitoring .... 58
    Business Continuity Management and Disaster Planning .... 58
  Working with Enterprise Architecture .... 59
  Working with Facilities Management .... 62
  Conclusion .... 62

■ Chapter 5: Information Security Implementation .... 63
  Integration with Risk Management .... 64
    The Language of Risk .... 64
    Use Existing Frameworks .... 65
  Secure Development .... 66
    Security Architecture Awareness .... 67
    Security Requirements .... 68
  Organizational Interfaces .... 69
  Post Implementation .... 70
  Conclusion .... 70

■ Chapter 6: Standards, Frameworks, Guidelines, and Legislation .... 71
  Why Do We Need Standards? .... 72
  Legislation .... 73
    Privacy .... 75
    US-EU Safe Harbor and Privacy Shield .... 76
    Employer and Employee Rights .... 76
    Computer Fraud and Abuse Laws .... 77
    Records Retention .... 79
    Intellectual Property and Copyright .... 79
  The ISO/IEC 27000 Series of Standards .... 80
    ISO/IEC 27001 .... 80
    ISO/IEC 27002 .... 82
    ISO/IEC 27035 .... 84
    List of Published ISO/IEC 27000 Standards .... 85
  Business Continuity .... 86
  Risk Management Standards .... 87
  COBIT .... 90
  Payment Card Industry Data Security Standard .... 91
  Health Insurance Portability and Accountability Act .... 92
  Conclusion .... 93

■ Chapter 7: Protection of Information .... 95
  Information Classification .... 95
    Business Impact Levels .... 98
    Implementing Information Classification .... 100
    Strategic Implementation .... 103
  Identification, Authentication, and Authorization .... 104
    Access Control Models .... 104
    System Privileges .... 108
    Separation of Duties .... 109
    Delegation of Privileges .... 110

■ Chapter 8: Protection of People .... 113
  Human Vulnerabilities .... 113
    Social Engineering .... 115
  Building a Security Culture .... 118
    Negligent Staff .... 119
    Shoulder Surfing and Eavesdropping .... 122
    Codes of Conduct .... 122
    Acceptable Use Policies .... 122
    Employment Contracts .... 123
  Personnel Security Life Cycle .... 124
    Recruitment .... 126
    Selection .... 126
    Performance and Succession .... 128
    Transition .... 129
  Conclusion .... 129

■ Chapter 9: Protection of Premises .... 131
  What Is Physical Security? .... 131
    Physical Security in ISO/IEC 27001:2013 .... 132
  Start with a Risk Assessment .... 133
    Threats and Vulnerabilities .... 134
    Complete the Risk Assessment .... 138
  Perimeter Design .... 139
    Barriers, Walls, and Fences .... 141
    Mailrooms and Loading Bays .... 142
    Security Guards and Dogs .... 144
    Crime Prevention through Environmental Design (CPTED) .... 144
    CCTV .... 145
    Lighting .... 146
    Administrative Security Controls .... 147
  Internal Building Security .... 147
    Reception Areas .... 147
    Access Control and Identity Management .... 148
    Intrusion Detection Systems .... 148
    Alarms and Sensors .... 149
    Clear Desk, Clear Screen .... 150
    Clear Desk Policy .... 151
    Security of Equipment .... 151
    Security Considerations when Relocating .... 152
  Conclusion .... 153

■ Chapter 10: Protection of Systems .... 155
  Introducing Malware .... 155
    What Is Malware? .... 156
    Classifying Malware .... 156
    Active Content Attacks .... 163
    Content Injection Attacks .... 164
  Threat Vectors .... 164
  Technical Countermeasures .... 165
  Network Security .... 169
    What Are Firewalls? .... 170
    The Demilitarized Zone (DMZ) .... 171
    Network Encryption .... 172
    Wireless Networks .... 175
    Governance Over Network Management .... 176