Slide 1 - Tamkang University


ISMS/BS7799 (ISMS) / BS7799 L.A. / CISSP / BS 7799

Agenda: ISMS; BS 7799 Part 1 ~ Part 4; ISMS/BS7799.
Incident timeline: 1996/9; 2000/3 DDoS against Yahoo, Amazon, CNN and eBay; 2001/7 Amazon.com / Bibliofind; 2001/5; 2002/3; 2003/08.

2003/09 88 20 2003/10 ATM 4 5 93/05/03 92/10 ~ 93/05 NT 2 ~ 10 CNet 2004/06/17 EarthLink Webroot 42.1 13.37 1,130 26.9

- MIS / DB AP 6 B2B/

Internet User. Asset categories (Assets): Information Assets, Software Assets, Hardware Assets, Paper Document, Service, Company Image.


Agenda: ISMS; BS 7799 Part 1 ~ Part 4; ISMS/BS7799.
IT applications: E-Business, ERP/MRP, PDM, Intranets, Extranets.

IT security goals: Confidentiality, Integrity, Availability.

SARS. Network Threats and Vulnerabilities: Unstructured / Structured, External / Internal.

Web (ASP/CGI/Perl) vulnerability scan report:

Executive Summary
We have scanned your host/s XXX.XXX.XXX.XXX for YYY known security holes. This scan took place on 22:43:02 09/09/2002 and took 0 hours and 50 minutes to complete. A total of 17 vulnerabilities were found; out of the 17 vulnerabilities that were found:

High Risk Vulnerabilities (should be attended to as soon as possible): 3
Security 'holes' that allow a remote attacker to:
 o Have read / write access to any file on the server
 o Login to the server remotely easily as administrator
 o Ability to run commands in order to continue hacking to the network

Medium Risk Vulnerabilities (should be repaired in the next couple of days): 5
Security 'holes' that allow a remote attacker to attack a server by:
 o Conducting a combination attack (using several vulnerabilities simultaneously)
 o Having access to 'sensitive' files
 o Running 'Denial of Service' attacks that will crash the network

Intelligence Gathering or Low Risk Vulnerabilities (should be added to work list, can be attended at later time): 9
Security 'holes' which will not help an attacker to gain access to server, but will give him information about the local network or hosts.

In addition, 11 open TCP or UDP ports were found; make sure all those services are really needed. Remember: useless services are possible entry points for attackers!!

SARS

Risk Analysis: the relationship between threat, vulnerability, risk, asset, exposure and safeguard:
Threat Agent -> gives rise to -> Threat -> exploits -> Vulnerability -> leads to -> Risk -> can damage -> Asset -> and causes an -> Exposure -> can be countermeasured by a -> Safeguard (Control) -> directly affects -> Threat Agent.


(R.A.) (R.M.) Security = Detect (Vulnerabilities & Threats) + Respond.
[Chart: Costs of Security vs. Exposure. Vertical axis: $ (Low to High); horizontal axis: Security Level (Low to High). The security-cost curve rises and the exposure curve falls with security level; they cross where security costs are in balance with exposure.] CIA

Agenda: ISMS; BS 7799 Part 1 ~ Part 4; ISMS/BS7799 (BS7799 and the ISMS).

ISMS/BS7799, BS 7799 / CNS 17800. The ten control areas of BS 7799-2 (control objectives, controls):
- Security Policy (1, 2)
- Personnel Security (3, 10)
- Security Organization (3, 10)
- Asset Classification and Control (2, 3)
- Physical and Environmental Security (3, 13)
- Communications and Operations Management (7, 24)
- Access Control (8, 31)
- Business Continuity Management (1, 5)
- Compliance (3, 11)
- Systems Development and Maintenance (5, 18)

ISO/IEC 17799 & BS 7799-2 (BSi BS 7799 Part 1 & 2): BS 7799 Part 1 was adopted by ISO in 2000 as ISO/IEC 17799; BS 7799 Part 2 (1999), BS 7799-2, specifies the ISMS.

Number of BS 7799-2 certificates by region (Source: IUG web site, Oct-2003; Total: 399):

  Region            Certificates    Region          Certificates
  Argentina                    1    Italy                    11
  Australia                    7    Japan                   152
  Austria                      2    Korea                    14
  Brazil                       2    Malaysia                  1
  China                        5    Mexico                    2
  Egypt                        1    Netherlands               1
  Finland                      8    Norway                    7
  Finland & Sweden             1    Singapore                 8
  Germany                     10    Spain                     1
  Greece                       2    Sweden                    3
  Hong Kong                   12    Switzerland               2
  Hungary                      5    Taiwan                    5
  Iceland                      1    UAE                       2
  India                       16    UK                      109
  Ireland                      4    USA                       4

BS 7799 Part 1 (ISO 17799): ISO/IEC 17799:2000 (BS 7799-1:1999) is the ISMS Code of Practice with 10 control areas.
BS 7799-2:1999 (together with BS 7799-1:1999) states the ISMS requirement and need and the security controls: 10 control clauses, 36 control objectives, 127 controls.
CNS 17800: Information technology - Specification for information security management systems (X600041, 35.040, published 91/12/05).

Servers: Email Server, File Server, WWW Server, Database Server.
Security Controls (protecting Company Data and Assets):
- Administrative Controls: Policies, Standards, Procedures, Guidelines, Screening Personnel, Security Awareness Training, System Act. Monitoring
- Technical Controls: Logical Access Controls, Encryption, Security Devices, Identification and Authentication
- Physical Controls: Facility Protection, Security Guards, Locks, Monitoring, Environmental Controls, Intrusion Detection

ISMS implementation steps 1 to 6, ending with BS-7799 Part II.

[Risk assessment worksheets (three tables, rows 1 to 15): one row per asset, grouped as SSB, SD and NLS, covering systems such as AXX / SolXXX hosts, Notes Client/Windows 9X/2k, Windows NT/2k Server and NoXX Client/Windows 9X/2k, with per-factor scores, a total score, letter grades (A to F) and the applicable BS 7799-2 control clauses. Column headers and row labels did not survive extraction; the clause references that did are:
- 4.4.1.3; 4.6.1.3; 4.10.1.1; 4.10.1.2
- 4.5.3.1, 4.6.1.1~4.6.1.3, 4.6.2.2, 4.6.3.1, 4.6.4.1~4.6.4.3, 4.7.2.1~4.7.2.4, 4.7.3.1, 4.7.5.1~4.7.5.8, 4.7.6.1, 4.7.7.1~4.7.7.3
- 4.4.1.1~4.4.1.4, 4.4.2.1, 4.4.3.1~4.4.3.5, 4.5.3.1, 4.7.2.1, 4.7.3.1, 4.7.3.2, 4.7.8.1, 4.7.8.2
- 4.3.2.1, 4.3.2.2, 4.5.3.1, 4.6.4.1, 4.6.6.1, 4.6.7.1~4.6.7.4, 4.7.2.1, 4.7.6.1, 4.8.3.1~4.8.3.5
- 4.5.3.1, 4.6.1.1, 4.6.3.1, 4.7.1.1, 4.7.2.1, 4.7.2.2, 4.7.3.1, 4.8.2.1, 4.8.2.2, 4.8.2.4, 4.8.4.1, 4.10.1.2]


BS 7799-2 control areas (control objectives, controls):
- Security Policy (1, 2)
- Personnel Security (3, 10)
- Security Organization (3, 10)
- Asset Classification and Control (2, 3)
- Physical and Environmental Security (3, 13)
- Communications and Operations Management (7, 24)
- Access Control (8, 31)
- Business Continuity Management (1, 5)
- Compliance (3, 11)
- Systems Development and Maintenance (5, 18)
ISMS

A.3 Security Policy (4.1) (1, 2)

A.4 Security Organization (4.2) (3, 10): Infrastructure; Third-Party

A.5 Asset Classification and Control (4.3) (2, 3)
Asset categories (Assets): Information Assets, Software Assets, Hardware Assets, Paper Document, Service, Company Image.
Classification levels:
- Commercial: Confidential, Private, Sensitive, Public (focus on Integrity and Availability)
- Military: Top Secret, Secret, Confidential, Sensitive but unclassified (SBU), Unclassified (focus on Non-Disclosure of Confidential information)

A.6 Personnel Security (4.4) (3, 10): Non-Disclosure Agreements, Separation of duties, Job rotation, Termination. Related: SOP, SARS.


Notification channels: Email, Pager, SNMP Trap, Telephone, SMS, Mobile Phone, Alarm.

http://www.ncert.nat.gov.tw/infosec/data.asp

A.7 Physical and Environmental Security (4.5) (3, 13)


A.7.1.4 A.7.1.1~3 A.6.1.1~4 A.6.2.1 A.6.3.1~5 A.7.2.5 A.7.3.1~2 A.8.3.1 A.8.6.1~3 A.9.1.1 4.9.2.1~3

A.9.3.1~2 A.9.4.1,3,4 A.9.5.1~5.7. 8 A.9.6.1 A.9.8.1~2 A.10.3.2~4 A.11.1.5 A.12.1.2~7 4~7 A.3~A.4 A.7.1.1~3 A.9.1.5

A.7.1.1~3 A.9.1.1~3 A.6.3.1~4 A.7.1.4 A.7.2.1~6 A.8.1~7 A.9.1~8 A.10.1~5 A.11.1 A.12.3.2 A.7.1.1~3 A.9.1.1~3 A.5.1.1 A.5.2.1,2 A.7.1~3 A.7.2.1,4~6 A.7.3 A.8.7.2 A.12.1.1 A.12.2 A.12.3.1 A.6.1~2 A.6.3.5

A.8 Communications and Operations Management (4.6) (7,15): Log / Event / Error

A.9 Access Control (4.7) (8, 31)

A.10 Systems Development and Maintenance (4.8) (5, 18): SA/SD

A.11 Business Continuity Management (4.9) (1, 5): BCP/DRP (BCP)

A.12 Compliance (4.10) (3, 11); PDCA

ISMS/BS7799 closing: ISMS; Internet; IDS; CCD; Intranet; Extranet; Content Security; IPS; XML.
