
HG00.062

Introduction to information security management
http://www.cs.ru.nl/E.Verheul/SIO2017/

Security in Organizations
2017
Eric Verheul

Outline

About the course
Introduction
Information Security incidents in the media
Recap on Information Security
Study for next week

This document is freely distributable as long as it is unmodified in any way.
About the course

The goal of this class is twofold.
The first goal is to demonstrate a structured approach towards security in an organization; this part covers the necessary standards and tools.
The second goal is to introduce students to the 'security mindset', so that they gain an understanding of what usually goes wrong in organizations and how to avoid such pitfalls.

About the course

The course closely follows the ISO 2700x family of standards, with a focus on risk assessment and on the multidisciplinary character of information security.
It starts with four classes on security management in line with these standards.
After that we focus on the various aspects mentioned in these standards, with guest speakers from organizations.
Students have to do six assignments and have to pass the exam; TRU/e students only need to do five assignments. See the SIO website.

About the course

Prerequisite knowledge
It is expected that you have a basic understanding of technical computer security, including:
- basic (IP) networking, including firewalling
- Wi-Fi security
- HTTP and cookies
- SSL/TLS
- basic attacks, e.g. cross-site scripting, SQL injection, buffer overflows
- cryptography, e.g. SHA-256, AES-ECB, AES-CBC, HMAC, RSA, ECC, ECDSA
- basic knowledge of Microsoft Windows security
If you find during class or while working on assignments that you lack some of this knowledge, you are expected to acquire it by self-study.
Literature
The main literature of the class (apart from the slides) can be found on the SIO website http://www.cs.ru.nl/E.Verheul/SIO2017/.
Assignments are also placed on the SIO website; submission is through Blackboard.
Dr. Ilya Kizhvatov will grade the assignments.
Please put on all your assignments:
- your student numbers (RU and TU/e if you have one)
- the course you follow: NWI-I00153 (information sciences master) or NWI-IMC053 (TRU/e)
Slides are placed in Blackboard. Note: not all speakers will provide slides. Students are advised to attend class.

Visit to NCSC, October 30, 2017 (non-mandatory!)

On Monday October 30, 2017, 12:15-17:00, we have arranged a visit to the Dutch National Cyber Security Centre (NCSC) in The Hague.
The NCSC will explain what they do and will also hold discussions based on propositions, e.g. "The current focus on security is too reactive and too little preventive."
If you want to attend, please inform me by email: eric.verheul@cs.ru.nl.
Note: there is only room for 25 students (50% of the registered students) and registration is first come, first served.
If you have propositions we can discuss, please let me know.
DCYPHER

https://www.dcypher.nl/en/

Introduction
What do you think an organization is?
What do you think is meant by security in organizations?
When do you think an organization is secure?
Test: identify the security vulnerabilities in the next scene from Episode 20 of the series The Americans, titled Arpanet.

Radboud University organizational chart
Delta Lloyd organizational chart

A fictive organisation (organizational chart)

Board of directors
Staff departments: Facilities, HR, Finance, Procurement, Operations, Customer Service, Communication, Legal, Internal Audit
Divisions: Division #1, Division #2, Division #3, each with Dep #1, Dep #2, Dep #3, each with Unit1, Unit2, Unit3
ICT: Helpdesk, Authorisation Management, Operations, Infrastructure, Development

Which parts do you think are relevant for information security?
Intuitive definition of IS

A security incident is an event where confidentiality, integrity or availability of information was lost.
Information security is ensuring that security incidents from the past cannot occur (again) in the organisation, at least not with high impact.
Our approach to IS is based on (potential) security incidents.
We can distinguish two kinds of incidents: those where deliberate and malicious human behaviour was the cause, and all others. For the first category one can identify a motive.

Intuitive definition of IS

Information security is not the same as making sure that your ICT cannot be hacked.
Information security is not the same as taking all the technical security controls you can think of.
Information security is only partially a technical matter.
You can have too much security!
Intuitive definition of IS

Almost all security incidents have their root cause in (un)intentional erroneous human behaviour.
Employees can:
- not be aware of risks,
- be aware of risks but simply not care about them,
- underestimate them,
- be aware of risks but not have enough time, resources or budget to deal with them.
Management can:
- not be aware of risks (think IS is a technical matter),
- not give enough budget (money),
- not be in control of implementing security (policies), e.g. not supervise the behaviour of line management and employees,
- implement new business processes and systems without giving any appropriate attention to information security.
As information security issues are often in the details, this further complicates things. IS is a multidisciplinary problem and not only a technical problem.

Intuitive definition of IS

And it all boils down to risk appetite.
(Illustration: ".. No drinking or eating behind the wheel in France ..")
ISO 27002:2013

Chapter | Title
5 | Information security policies
6 | Organization of information security
7 | Human resource security
8 | Asset management
9 | Access control
10 | Cryptography
11 | Physical and environmental security
12 | Operations security
13 | Communications security
14 | System acquisition, development and maintenance
15 | Supplier relationships
16 | Information security incident management
17 | Information security aspects of business continuity management
18 | Compliance

On the original slide, red marks what is new in ISO 27002:2013; the colour is lost in this text version. Comparing with the 2005 table below: chapter 10 (Cryptography) and chapter 15 (Supplier relationships) are new top-level chapters, and the 2005 chapter 10 (Communications and operations management) has been split into chapter 12 (Operations security) and chapter 13 (Communications security).

ISO 27002:2005

Chapter | Title (ISO 27002) | NEN translation (Dutch)
5 | Security Policy | Beveiligingsbeleid
6 | Organization of Information Security | Beveiligingsorganisatie
7 | Asset Management | Classificatie en beheer van bedrijfsmiddelen
8 | Human resources security | Beveiligingseisen ten aanzien van personeel
9 | Physical and Environmental Security | Fysieke beveiliging en beveiliging van de omgeving
10 | Communications and Operations Management | Beheer van communicatie- en bedieningsprocessen
11 | Access Control | Toegangsbeveiliging
12 | Information Systems Acquisition, Development and Maintenance | Ontwikkeling en onderhoud van systemen
13 | Information Security Incident Management | Incidentmanagement
14 | Business Continuity Management | Continuïteitsmanagement
15 | Compliance | Naleving
Information Security incidents in the media

Citibank admits: we've lost the backup tape
ISO 27002 Chapter 5: Security policies

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

2005 [..] 2013
Management commitment
Motive: financial gain
(ISO 27002 Chapter 5: Security policies)

ISO 27002 Chapter 6: Organization of Information Security

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

PDCA cycle
Organization
Outline of security organization
Information security is the concern of the security officer, but ultimately he/she is not the one responsible for it: that responsibility stays with the management of the organisation. This is a big misunderstanding.
(ISO 27002 Chapter 6: Organization of Information Security)

ISO 27002 Chapter 7: Human resource security

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
ISO 27002 Chapter 7: Human resource security

Source: http://www.rtl.nl

VID3 - Four ways to reveal secret intelligence, starring Bob Quick
http://www.youtube.com/watch?v=u4tLYpa6ee4

ISO 27002 Chapter 7: Human resource security

Motive: revenge
ISO 27002 Chapter 7: Human resource security

Police employee arrested for leaking data to GeenStijl.
www.geenstijl.nl
Motive: ?

Screening
He drove a Porsche Cayenne, regularly went on holiday and had piles of cash at home. The 28-year-old Mark M. from Weert, the police officer suspected of having sold police records on criminals, lived like a king.
[..]
The police mole had access to highly confidential information for four years because his superiors had forgotten to remove his authorisations.
[..]
118 police officers had access to secret information without an AIVD check. That those officers were not properly screened does not mean that they have leaked confidential information.
Sources:
http://www.rtlnieuws.nl/nieuws/binnenland/politiemol-mark-m-ontmaskerd-dure-autos-horloges-en-luxe-vakanties
nrc.nl, 30 October 2015
nrc.nl, 3 December 2015
The AIVD had given negative advice on the police mole.
Motive: financial gain
(ISO 27002 Chapter 7: Human resource security)
Screening
In some countries, e.g. Belgium and Luxembourg, you can simply go to the town hall (gemeentehuis) to get a certified copy of your criminal record (if any).
NEANT (French: none)
nicht eingetragen (German: no entry)
In the Netherlands we have the Verklaring omtrent het Gedrag (VOG, certificate of conduct). Here a governmental organization (Centraal Orgaan Verklaring Omtrent het Gedrag, COVOG) checks whether there are any criminal records over the last four years that are relevant for the job profile you are applying for.
A VOG costs EUR 41.35.
How effective do you think VOGs are?
(ISO 27002 Chapter 7: Human resource security)

Screening
Only 10% of organisations report internal theft to the police.
(ISO 27002 Chapter 7: Human resource security)

Segregation of duties
Intern at town hall issues 13 rogue passports.
Sources:
http://www.vocativ.com/241487/fake-passport-prices-black-market/
http://www.ad.nl/ad/nl/1039/Utrecht/article/detail/3993409/2015/05/01/Stagiair-stadskantoor-Utrecht-maakt-13-valse-paspoorten.dhtml
Motive: financial gain
(ISO 27002 Chapter 7: Human resource security)

Segregation of duties
(ISO 27002 Chapter 7: Human resource security)
ISO 27002 Chapter 8: Asset management

Objective: To identify organizational assets and define appropriate protection responsibilities.

How can you protect something:
- if you don't even know you have it?
- if no one is (or feels) responsible for it?

Losing personal data
(ISO 27002 Chapter 8: Asset management)
ISO 27002 Chapter 9: Access control

Objective: To limit access to information and information processing facilities.

Motive: ego?
Source: https://www.theguardian.com/business/jerome-kerviel
Kerviel conducted unauthorized trading at Société Générale, resulting in a loss of about EUR 5 billion in 2008.
Allegedly, Kerviel kept his authorisations when he changed jobs within SG (authorisation creep). In this way he could bypass segregation of duties (the four-eyes principle).
He was sentenced to three years in prison in 2010.

ISO 27002 Chapter 9: Access control

Snowden possibly still has access to NSA systems.
Motive: legitimate concern, activism, ego, espionage?
ISO 27002 Chapter 10: Cryptography

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

Three kinds of security incidents exist with respect to this chapter. Organisations:
A. invent their own crypto instead of using publicly scrutinized crypto primitives like AES, SHA-256, DSA, RSA;
B. use publicly scrutinized crypto primitives in a wrong way;
C. use bad key management.

ISO 27002 Chapter 10: Cryptography

(Quoted from the paper on VW Group remote keyless entry; a single worldwide master key is bad key management, category C above.)
"In Section 3, we analyze the RKE schemes employed in most VW Group vehicles between 1995 and today. By reverse engineering the firmware of the respective Electronic Control Units (ECUs), we discovered that VW Group RKE systems rely on cryptographic schemes with a single, worldwide master key, which allows an adversary to gain unauthorized access to an affected vehicle after eavesdropping a single rolling code."
ISO 27002 Chapter 10: Cryptography
Sony implemented the ECDSA standard incorrectly in the PS3 (category B above).
It is imperative that each ECDSA signature uses a fresh, unpredictable random number k (the nonce). If the same k is used for two signatures, anyone who holds both signatures can compute the private key.
Sony erroneously used a constant k, thereby compromising their code signing key. See
https://www.youtube.com/watch?v=84WI-jSgNMQ

ECDSA, see Wikipedia.

ISO 27002 Chapter 10: Cryptography

A really easy attack for thieves is to focus on cars with keyless entry systems.
See https://www.youtube.com/watch?v=0AHSDy6AiV0
ISO 27002 Chapter 10: Cryptography
It is important that RSA key generation uses random primes p and q for the RSA modulus n = p*q; in particular, no prime may ever be shared between two moduli.
The RSA key generation routine in the Taiwan eID card did not do this properly, thereby generating RSA moduli that share prime numbers. As a shared prime can be calculated as the GCD of the two moduli, the corresponding RSA keys are compromised. This led to the compromise of more than 100 RSA keys/eID smartcards.
See http://smartfacts.cr.yp.to/smartfacts-20130916.pdf
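The GCD attack above, as an added example that is not part of the original slides or of the smartfacts paper: batch GCD (a product tree followed by a remainder tree, so that the cost grows quasi-linearly with the number of keys instead of quadratically as with pairwise GCDs) run over a small constructed set of moduli, with the factorisation of every key that shares a prime. The moduli are built from well-known Mersenne and 30-bit primes only to keep the example self-contained and fast; they are not the Taiwan card's keys, and nothing changes for 1024-bit primes except running time.

```python
"""Batch GCD over a set of RSA moduli: finds moduli that share a prime
factor (added example, pure Python, no external libraries)."""
from math import gcd

# Constructed sample primes (all well-known primes, so the moduli below are
# genuine two-prime products): four Mersenne primes and four ~30-bit primes.
P1 = 2**61 - 1
P2 = 2**89 - 1
P3 = 2**107 - 1
P4 = 2**127 - 1
P5 = 10**9 + 7
P6 = 998244353
P7 = 2**31 - 1
P8 = 10**9 + 9

# Constructed "card" moduli: N1 and N2 share P1, N2 and N4 share P3,
# N3 and N5 share nothing with anyone.
SAMPLE_MODULI = [P1 * P2, P1 * P3, P4 * P5, P3 * P6, P7 * P8]


def product_tree(nums):
    """tree[0] is the input list, each next layer multiplies neighbours,
    tree[-1] is [product of everything]."""
    tree = [list(nums)]
    while len(tree[-1]) > 1:
        layer = tree[-1]
        tree.append([layer[i] * layer[i + 1] if i + 1 < len(layer) else layer[i]
                     for i in range(0, len(layer), 2)])
    return tree


def batch_gcd(moduli):
    """For every modulus N_i return gcd(N_i, product of all other moduli).

    Bernstein's method: X = prod N_j; R_i = X mod N_i^2 via a remainder
    tree; then R_i / N_i = (prod_{j != i} N_j) mod N_i, so
    gcd(N_i, R_i / N_i) = gcd(N_i, prod_{j != i} N_j)."""
    tree = product_tree(moduli)
    rems = tree[-1]                       # [X]
    for layer in reversed(tree[:-1]):     # push X down the tree
        rems = [rems[i // 2] % (node * node) for i, node in enumerate(layer)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def factor_shared(moduli):
    """Map each modulus to (p, q) when a shared prime gives it away, else None."""
    result = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            result[n] = None              # no prime in common with any other key
        elif g < n:
            result[n] = (g, n // g)       # exactly one prime shared
        else:
            # g == n: both primes occur elsewhere (or the modulus is duplicated);
            # a pairwise gcd against the other keys separates them.
            result[n] = None
            for m in moduli:
                h = gcd(n, m)
                if m != n and 1 < h < n:
                    result[n] = (h, n // h)
                    break
    return result


if __name__ == "__main__":
    for n, factors in factor_shared(SAMPLE_MODULI).items():
        print(n, "->", factors if factors else "no shared prime")
```

Note the g == n case: a key both of whose primes also appear in other keys is the worst-generated key in the batch, yet a naive "gcd < n" check would report it as clean; the pairwise fallback handles it. A certificate authority or card issuer can run exactly this check over all public keys it has ever issued before accepting a new one.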

ISO 27002 Chapter 11: Physical and environmental security

Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

ISO 27002 Chapter 11: Physical and environmental security

Many organizations do not give physical security enough attention. They often think "there is a lock on this door, so ..."
Power
No radio and television broadcast due to a power malfunction.
(ISO 27002 Chapter 11: Physical and environmental security)

Fire
Outage at Vodafone due to a fire in Rotterdam, April 2012.
As a consequence, customers of Vodafone (e.g. public transport) also had outages in their own services.
http://nos.nl/artikel/358731-storing-vodafone-door-brand.html
(ISO 27002 Chapter 11: Physical and environmental security)
ISO 27002 Chapter 12: Operations security
ISO 27002 Chapter 13: Communications security

Importance of correct procedures
Due to a blunder by the police, Klaas Otto, founder of the motorcycle club No Surrender, received in prison recordings of conversations of co-defendants and could listen to them. These are phone calls that other prisoners made from the detention centre in Middelburg. A spokesman for the Brabant police confirmed this to the ANP on Wednesday.
Source: telegraaf.nl (Google Translate)
(ISO 27002 Chapter 12/13: Operations and communications security)
Protection against malware
Source: http://investor.maersk.com
(ISO 27002 Chapter 12/13: Operations and communications security)

Malicious code protection
The head of ENISA states that anti-virus is effective in only 30% of the cases.
(ISO 27002 Chapter 12/13: Operations and communications security)
Malicious code protection
(ISO 27002 Chapter 12/13: Operations and communications security)

Targeted Attacks
Motive: political suppression? See http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network.
Motive: economic espionage. See http://www.bbc.co.uk/news/technology-20204671.
Motive: economic espionage
Motive: political suppression?
(ISO 27002 Chapter 12/13: Operations and communications security)
Targeted attacks

Stepping-stone attack on EMC/RSA (March 2011)

Incident
Targeted attack on the PC of an HR employee through an email attachment with an Excel file containing malicious code. The attackers gained access to a substantial number of cryptographic keys (seeds) of SecurID tokens.

Threat/motivation
Military motivated, from China.
Not directly targeted at RSA but at the US defense contractor Lockheed Martin.
http://www.youtube.com/watch?v=UZNF1-1Hk1Y
(ISO 27002 Chapter 12/13: Operations and communications security)

Targeted attacks
Motive: political influence?
(ISO 27002 Chapter 12/13: Operations and communications security)
Targeted attacks
Motive: espionage
(ISO 27002 Chapter 12/13: Operations and communications security)

Targeted attacks
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
Motive: espionage?
http://www.ibtimes.com/cia-mulls-pulling-us-spies-out-china-after-massive-opm-hack-likely-compromised-2024894
(ISO 27002 Chapter 12/13: Operations and communications security)
Targeted attacks
Motive: revenge?
http://www.bbc.com/news/entertainment-arts-30512032
(ISO 27002 Chapter 12/13: Operations and communications security)

Malicious code protection
Motive: destruction
(ISO 27002 Chapter 12/13: Operations and communications security)
Targeted attacks
http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
Motive: revenge?
(ISO 27002 Chapter 12/13: Operations and communications security)

Targeted attacks
(ISO 27002 Chapter 12/13: Operations and communications security)

Targeted attacks
From published dump
(ISO 27002 Chapter 12/13: Operations and communications security)

Targeted attacks
From second published dump (source: http://am.peen.es)
(ISO 27002 Chapter 12/13: Operations and communications security)
Advanced Persistent Threat by Office macros
Motive: ego?
(ISO 27002 Chapter 12/13: Operations and communications security)

Targeted attacks on e-banking

Year | Total loss | Number of incidents | Average damage
2009 | EUR 1.9 million | 154 | EUR 12,337
2010 | EUR 9.8 million | 1,383 | EUR 7,086
2011 | EUR 35 million | 7,600 | EUR 4,605
2012 | EUR 34.8 million | 10,900 | EUR 3,192
2013 | EUR 9.6 million | 3,485 | EUR 2,755
2014 | EUR 4.6 million | 2,250 | EUR 2,045
2015 | EUR 3.7 million | 1,420 | EUR 2,605
Motive: financial gain
Source: Nederlandse Vereniging van Banken
(ISO 27002 Chapter 12/13: Operations and communications security)
Targeted attacks on e-banking
Source: Nederlandse Vereniging van Banken
How do you explain this graph?
(ISO 27002 Chapter 12/13: Operations and communications security)

Targeted attacks on e-banking
(Graph: number of internet banking fraud incidents, 0 to 12,000, and loss in millions of euro, 0 to 40, per year for 2009 to 2015.)
Source: Nederlandse Vereniging van Banken
How do you explain this graph?
(ISO 27002 Chapter 12/13: Operations and communications security)
Targeted attacks on banks
Motive: financial gain

Why target the clients of a bank if you can target the bank itself?
Attackers managed to get $81 million out of accounts of the Bangladesh Central Bank in just a few hours.
The attackers apparently aimed at as much as $1 billion but did not succeed, due to a typing error.
It seems that the attackers got a foothold in the bank's network from the internet, e.g. on an employee workstation, from which they succeeded in placing the transactions (more than three dozen).
Some money was recovered; it seems that about $40 million is lost.

Targeted attacks on banks
July 14, 2016: 12:06 PM ET
Motive: financial gain
ISO 27002 Chapter 14: System acquisition, development and maintenance

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle.
OWASP Top 10
See https://www.cbsnews.com/news/eddie-tipton-lottery-fraud-admits-he-rigged-jackpots/

ISO 27002 Chapter 14: System acquisition, development and maintenance

Many Android smartphones are behind on security updates
Half of the Android smartphones have a security update that is six months old or older, or provide no information about security updates at all. This is evident from research by the Consumentenbond. Only 5% of the Android smartphones have the latest security update from August 2017; 11% have the July 2017 update.
ISO 27002 Chapter 14: System acquisition, development and maintenance
Wikipedia

ISO 27002 Chapter 14: System acquisition, development and maintenance
Suppose that a (web)shop would allow you to buy an arbitrary number of lottery tickets, whereby you would only need to pay for them two weeks after the lottery draw. How could one commit fraud with this?
ISO 27002 Chapter 14: System acquisition, development and maintenance
Large stock-option fraud at Rabobank and ABN Amro

ISO 27002 Chapter 15: Supplier relationships

Objective: To ensure protection of the organization's assets that are accessible, maintained or provided by suppliers.

Computers of the Dutch government nearly went down as a result of the DigiNotar attack.
ISO 27002 Chapter 16: Information security incident management

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

ISO 27002 Chapter 16: Information security incident management
ISO 27002 Chapter 17: Information security aspects of business continuity management

Objectives: Information security continuity should be embedded in the organization's business continuity management systems, and information processing facilities should be available.

ISO 27002 Chapter 17: Information security aspects of business continuity management
Outage at Vodafone due to fire in Rotterdam
VID8 - NOS Nieuws - Storing Vodafone door brand Rotterdam.mp4
http://nos.nl/artikel/358731-storing-vodafone-door-brand.html
Massive loss of information and employees
September 11, 2001

ISO 27002 Chapter 17: Information security aspects of business continuity management
ISO 27002 Chapter 17: Information security aspects of business continuity management
How do you think organisations can deal with DDoS attacks?

ISO 27002 Chapter 18: Compliance

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
ISO 27002 Chapter 18: Compliance

ISO 27002

Chapter | Title (ISO 27002:2013) | NEN translation (Dutch)
5 | Information security policies | Informatiebeveiligingsbeleid
6 | Organization of information security | Organiseren van informatiebeveiliging
7 | Human resource security | Veilig personeel
8 | Asset management | Beheer van bedrijfsmiddelen
9 | Access control | Toegangsbeveiliging
10 | Cryptography | Cryptografie
11 | Physical and environmental security | Fysieke beveiliging en beveiliging van de omgeving
12 | Operations security | Beveiliging bedrijfsvoering
13 | Communications security | Communicatiebeveiliging
14 | System acquisition, development and maintenance | Acquisitie, ontwikkeling en onderhoud van informatiesystemen
15 | Supplier relationships | Leveranciersrelaties
16 | Information security incident management | Beheer van informatiebeveiligingsincidenten
17 | Information security aspects of business continuity management | Informatiebeveiligingsaspecten van bedrijfscontinuïteitsbeheer
18 | Compliance | Naleving

Recap on information security

The objective of information security in an organisation is to get the management of the organisation in control of the risks related to loss of confidentiality, integrity and availability of information.
In essence, information security is a non-technical problem, as it is about getting the right attention (and budget!) from management.
Complicating factors in implementing information security (IS) are its multidisciplinary nature and the constraints on budget, effort and management attention.
ISO 27002 is a (long) list of IS controls divided over many chapters, originally dating from the nineties.
Practice shows that just implementing ISO 27002 is not the way to secure organizations, because not all controls are equally relevant for all organizations and circumstances.
To address this, ISO 27002 was supplemented with ISO 27001, which describes security management; we will discuss it in the next weeks.
Study for next week

Study for next week:
- The ISO 27001 and 27002 standards
- The first four chapters of How to Achieve 27001 Certification, Sigurjon Thor Arnason and Keith D. Willett, Auerbach Publications, 2008; accessible through the SIO webpage
- http://www.iso27001security.com
Assignment #1 is on the SIO website:
- Make an analysis of how to protect against malware
- Make an analysis of the DigiNotar incident