
Wolfpack 2016 Cyber Security Guide


Academic year: 2021


CYBER SECURITY GUIDE 2016

WOLFPACK INFORMATION RISK

RESEARCH | THREAT INTELLIGENCE | ADVISORY | TRAINING AWARENESS | MONITORING | TALENT MANAGEMENT

Contents

Introduction
Approach
Cyberwolf Cartoon - Reconnaissance
ASSESS - Health Check Phase
Stakeholder Engagement – Setting the scene
Cyberwolf Cartoon - Infiltration
Health Check – Determine the Current State
Conduct an Information Risk Assessment
Conduct a Cyber Risk Analysis
Define a Priority Road Map
Cyberwolf Cartoon - Revenge
IMPROVE - Remediation Phase
Define an Information Risk Management Framework
Establish an Information Security Management System
ISMS: PLAN Phase
Cyberwolf Cartoon - Compromise
ISMS: DO Phase
ISMS: CHECK & ACT Phase
Simulated Red and Blue Team Exercises
Information Security & Privacy Incident Management
Cyberwolf Cartoon - Spear Phished
Information Security Programme
Awareness
Training Programme
Training Courses
Cyberwolf Cartoon - Ransomware
MONITOR – Threat Monitoring Phase
Cyberwolf Cartoon - Command and Control
About Wolfpack Information Risk
Professional Service Offering

Introduction


Any organisation today faces a constant challenge in preserving the confidentiality, integrity and availability of its information assets, against the broad range of external and internal threats. The failure to take a proactive approach to information risk management is leaving many organisations vulnerable with potentially devastating consequences.

We have on many occasions seen how organisations are battling to establish a business-aligned, risk-based cyber security programme that can adapt to a constantly changing regulatory, customer, and threat environment.

Wolfpack have over the years established an approach that will:

• Provide you with the highest return on investment (ROI) for your information security spend.

• Protect your organisation from a large majority of threats thereby reducing risk.

• Demonstrate a proactive posture to safeguard critical assets.

• Elevate security from an operational function to a strategic business enabler.

Cyberspace is where online communication happens. It is the interconnection of humans through technology, without regard to physical geography.

Cyber security is the preservation of confidentiality, integrity and availability of information in cyberspace (ISO 27032).

[Figure: approach cycle with the phases ASSESS, IMPROVE and MONITOR, labelled: Threat & Vulnerability Management; Information Risk Assessment & Cyber Risk Analysis; Remediation, Simulated Attacks & Incident Response; Threat Intelligence; Training & Awareness; Advisory]

Approach

This document outlines our approach to:




• Define a suggested improvement priority road map for the establishment of an Information Risk Management Framework and an Information Security Management System (ISMS) in accordance with ISO 27001:2013 specifications.

• Perform realistic threat testing to ensure the controls are effective.

• Ensure a robust incident management programme is in place.

• Provide a training and awareness programme to transfer skills.

• Correlate and analyse event data.

• Determine suspicious network behaviour, conduct active network scanning and respond to threats more effectively.

• Identify the specific information threats facing your business environment.

• Validate acceptable information risk levels in accordance with business requirements.

• Determine the maturity of existing information risk, people, process and technology controls across the areas within scope.

• Highlight key vulnerabilities and risk areas across the organisation.




[Cyberwolf cartoon: Reconnaissance]

ASSESS - Health Check Phase

• Stakeholder Engagement – A workshop is conducted with senior management and operations to reinforce the importance of information risk management and ensure all stakeholders understand their roles and responsibilities in the upcoming health check.

• Information Risk Assessment – 400 vulnerabilities reviewed across 14 key domains.

• Cyber Risk Analysis – Deep technical monitoring exercise to identify cyber risks.

• Priority Roadmap – Following a rigorous analysis of the assessment results and management concerns, an improvement roadmap is agreed upon to address high priority risks.

[Figure: example vulnerabilities under the headings Technology, Communication, Process, Organisation and People: inadequate capacity; poor siting of equipment; insufficient software testing; lack of documentation; unencrypted communication; inadequate bandwidth; diagnostic ports active; weak wifi security; inadequate management oversight; unstable power supply; poor physical security; lack of regular audits; weak change management; no procedure to report weaknesses; poor log management; SLAs not monitored; poor screening; shortage of key skills; lack of awareness; insufficient monitoring]

Stakeholder Engagement – Setting the scene

An information risk workshop will be conducted with key stakeholders in the organisation to highlight major threats facing the organisation, to reinforce the importance of information risk management and ensure all stakeholder teams understand their roles and responsibilities in the upcoming assessment. This will improve the accuracy of responses from all applicable sections within scope of the assessment and encourage open dialogue in order to highlight all major vulnerabilities within the organisation.

[Cyberwolf cartoon: Infiltration]

Health Check – Determine the Current State

[Figure: Information Risk Assessment and Cyber Risk Analysis, with the following captions]

• 400 vulnerabilities are reviewed in interviews with strategic and tactical teams.

• Our health check also factors in concerns raised by stakeholders, audit findings and past incidents.

• Open Source Intelligence (OSINT) and community threat intelligence reviews are conducted.

• Technical review covers asset discovery, vulnerability management, threat analysis and anomalous behaviour.

Conduct an Information Risk Assessment

Our proposal intends to review your current capability to provide assurance to senior management that relevant Information Risk requirements are being managed effectively.

We will determine the maturity of your Information Risk capability through the review of existing Information Security, IT Governance and Privacy processes. We propose performing an assessment against a consolidated set of baseline controls from a range of best practices, international standards and legal requirements.

It is recommended the assessment includes members from Strategic (C-Level), Management and Operational levels to ensure the correct balance of IT governance, business continuity, information security, privacy and cyber security controls are in place.

Conduct a Cyber Risk Analysis

Wolfpack will help determine your current cyber risk status by running simulated threats against different aspects of your environment. Although the threat simulations are passive, they will present data using realistic potential events. This includes IP reputational data from the Open Threat Exchange (OTX) collaboration platform. These simulations identify activity from known threat actors across the globe, including advanced persistent threats.

Simulated threats include:

• Network and port scanning.

• Suspicious database activity.

• Scans against web services.

• Brute force attacks.

• Open Source Intelligence (OSINT) gathering.

• Other simulations.

Define a Priority Road Map

The information risk assessment and cyber risk analysis results will be reviewed in consultation with management, and a priority road map established to address high impact risks.

The following will be considered as part of the risk impact rating scale:

• Business operations impact (The potential negative impact on the achievement of the objectives of the Organisation).

• Financial impact (The potential financial loss that could be suffered by the Organisation as a result of the risk materialising).

• Reputational impact (The potential negative impact on the reputation / image / credibility of the Organisation).

• National impact (The potential negative impact on the critical information infrastructure of the Country).

[Figure: risk rating matrix with Business Impact on a scale of 1 to 5]

[Figure: priority road map plotting Risk 1 to Risk 6 against the months January to May]

“Cyber security is more than an IT issue – it requires a multi-disciplinary approach for preparedness, oversight and execution.”

[Figure: monitoring capabilities, labelled Flexible, Proactive, External, Internal, Track Compliance, Manage Threats, Incident Response and Fast Deployment: Asset Discovery; Vulnerabilities; Threats; Behavioral; Network Analysis; Service Availability; Full Packet Capture; Log Management; Event Correlation; Active Network Scanning; Passive Network Monitoring; Asset Inventory; Software Inventory; Network Vulnerability Testing; Continuous Vulnerability Monitoring; Network IDS; Host IDS; File Integrity Monitoring (FIM); Reporting and Alarms]

[Cyberwolf cartoon: Revenge]

IMPROVE - Remediation Phase

We provide a combination of managed services, “battle-hardened” methods as well as training and awareness to help remediate vulnerabilities and accelerate the implementation of ISMS deliverables. This will ensure that project momentum is maintained and cross-skilling occurs within all applicable sectors of the organisation.

“There’s no silver bullet solution with cyber security - a layered defence covering the full spectrum of prevention, detection, incident response and business resilience is the only viable option”

• Information Risk Framework & ISMS – An information risk management framework and information security management system (ISMS) aligned to ISO 27001 specifications is implemented.

• Simulated Red & Blue Team Exercises – We run a number of information & cyber security simulations to help clients test their security against real-world threats and high-profile attacks.

• Incident Response – We establish a comprehensive information security & privacy incident management capability based on ISO 27035. Training and testing is included.

• Business Benefits & Continual Improvement Phase

Establish an Information Security Management System

A business-aligned ISMS is an essential vehicle to implement the necessary information security controls to address risks identified in the health check phase.

ISMS: PLAN Phase

Review of ISMS and current state of documents:

• Validate scope – To ensure the ISMS scope supports business objectives, audit, compliance, risk, governance & technology requirements.

• ISMS Gap Analysis – To identify and ensure key information assets are protected.

• Policy Management – Review and updating of relevant information security policies and standards.

• Information Risk Management – Review of information risk assessment methodology.

Define an Information Risk Management Framework

The information risk management framework provides an interactive dashboard to ensure that high priority risks are identified and allocated resources according to business priority.

[Figure: information risk management framework, in four layers]

• BUSINESS (Strategic): Organisational Objectives; Governance, Risk & Compliance; Audit & Assurance; Business Continuity; Innovation; Programme & Project Requirements.

• GOVERNANCE: Executive Board Committee; IR Steering Committee; Programme / Project Office Committee; Change Management Committee; Procurement / Supplier Management; HR / Communications / Training; IT Governance Council; Performance Metrics & Incentives; Enterprise Risk Committee; Compliance Committee.

• INFORMATION RISK MANAGEMENT (Tactical): Governance & Risk Management; Legal & Compliance; Human Resource & Supplier Mngt; Physical & Environmental Security; Asset Management; Security Architecture & Design; Access Control; Telecoms & Networking; Software Development & Acquisition; Operations Security; Cryptography; Incident Mngt, BCM & DR.

• IT & OPERATIONS MANAGEMENT: IT Operations; Infrastructure Security; Capacity Management; Change Management; Application Security; IT Service Continuity Management; Release Management; Configuration Management; IT Vulnerability Management; Service Desk; HR Processes; Information & Asset Management; Third Party Management; IT Incident Management; Performance Management; Facilities Management; Problem Management; Event Management; Physical Security; Systems Management; Service Level Management.

[Cyberwolf cartoon: Compromise]

Information Security Management System (ISMS)

ISMS: DO Phase

Ensure that vital building blocks are in place when implementing the ISMS:

• ISMS Scope.

• ISMS Manual.

• Risk Management.

• Business Impact Analysis.

• Statement of Applicability.

• Awareness & Training Programmes – Design a skills transfer programme to ensure sustainability.

• Incident Management – Implement an incident management programme.

• Management Review of ISMS – Ensure that adequate senior management review sessions are taking place.

ISMS: CHECK & ACT Phase

Review & improve the ISMS:

• ISMS Internal Audit – Ensure an internal audit review of the ISMS against ISO27001:2013.

• Determine organisation’s appetite for ISO27001:2013 certification.

• If so assist with: Stage 1 / 2 Audit - Finalise logistics with external auditor for stage 1 audit.

Simulated Red and Blue Team Exercises

Wolfpack offers a full information & cyber security threat assessment testing programme to help clients protect against evolving cyber security threats and advanced persistent threat (APT) attacks.

The full portfolio of solutions assesses cyber threats, understands defensive capabilities and actively tests an organisation’s battle readiness through various simulated attacks such as phishing, social engineering, unauthorised devices, vulnerability scanning and more. These assessment services help organisations understand risks and take immediate action to strengthen information & cyber security defences, processes and procedures.

[Figure: labels: Threat Intelligence (Threat Actors / Internal Sources / External Sources): Global, Local, Internal; Vulnerabilities (Technology / Communications / Process / People); Controls; Partners: Global, Local, Internal; Processes; People: Management, Staff, IT, Contractors; Customers]

Information Security & Privacy Incident Management

Information security policies or controls alone will not guarantee total protection of information, information systems, services or networks. After controls have been implemented, residual vulnerabilities are likely to remain that can reduce the effectiveness of information security and facilitate the occurrence of information security incidents. This can potentially have direct and indirect adverse impacts on an organisation's business operations. Furthermore, it is inevitable that new instances of previously unidentified threats will occur.

Wolfpack offers a full information security & privacy incident management approach based on ISO 27035 along with on-site training to assist organisations to mitigate the impact of incidents in their environment.

INFORMATION SECURITY INCIDENT MANAGEMENT

• Plan and Prepare – Information Security Incident Management Policy; Policy Gap Analysis; Establishment of IRT; Incident Management Awareness Plan; Information Security Incident Management Plan.

• Detection and Reporting – Situational Awareness information; Monitor Systems and Networks; Detecting and Alerting; Collection of Security Event Reports; Report Events.

• Assessment and Decision – Event Assessment; Incident Determination.

• Responses – How to Respond; How to Contain Incidents; Recovery; Resolution and Closure.

• Lessons Learnt – Lessons Learnt; Info Security Improvements; Assessment Improvements; Management Plan Improvements; IRT Evaluation.

“Security is a business issue, not a technical issue.”

- T. Glaessner

Insufficient preparation by an organisation to deal with such incidents will make any response less effective, and increase the degree of potential adverse business impact. Therefore, it is essential for any organisation desiring a strong information security programme to have a structured and planned approach to:

• Detect, report and assess information security incidents.

• Respond to information security incidents, including the activation of appropriate controls to prevent, reduce, and recover from impacts.

• Report information security vulnerabilities, so they can be assessed and dealt with appropriately.

• Learn from information security incidents and vulnerabilities, institute preventive controls, and make improvements to the overall approach to information security incident management.

[Cyberwolf cartoon: Spear Phished]

Information Security Programme

Information protection is a human capital issue. A large majority of breaches are due to human involvement, not a lack of technology protection.

Culture plays a huge role in setting the standards for behaviour throughout an organisation, starting with buy-in from senior management.

Wolfpack provides a full turnkey awareness solution that includes business needs analysis, content development and customisation, programme management, an intuitive learning management system, as well as various human vulnerability tests conducted using our online threat platform Camo Wolf.

[Figure: Stakeholder Change Management; Tailored Awareness Programme with Professional Content; Exec Management; Users & Third Parties]

Awareness

Review our Awareness Premium Pack:

An annual licence with access to the following content:

• 15 animated awareness videos (10 security / 5 privacy).

• 15 posters.

• 10 screen savers.

• 10 cartoons.

• 4 web simulations.

• Cybercrime survival guide.

• Awareness programme management toolkit.

• Easy policy communicator with associated induction training slides in Microsoft PowerPoint.

Note – The annual fee covers all new content or upgrades within your licence year.

Grey Wolf Learning Management System (LMS)

• A powerful LMS to run your animated videos.

• Includes a set of questions per video that can be used to track compliance.

• LMS can be configured to include training for other departments in your organisation.

• Initial fee covers installation, configuration to client requirements and a training session for local admin staff.

Let us not look back in anger, nor forward in fear, but around in awareness.

- James Thurber

Training Programme

Companies urgently need to develop in-house skills to ensure they can prevent, detect and respond to the increase in information threats. The Wolfpack Cyber Academy offers over 20 courses in Risk Management, IT Governance, Information Security, Cyber Security and a range of other complementary areas.

We have furthermore developed the Information Risk Baseline Programme which directly aligns to their Information Risk Methodology and is a cost effective way to train up teams within any organisation or industry.

1. INFORMATION RISK BASELINE PROGRAMME
1.1 Executive / Management (1 hour)
1.2 GRC / IS / IT teams (1-2 days)
1.3 User Awareness Programme (1 - 4 hours)

2. SPECIALIST PROGRAMMES
2.1 Governance, Risk & Compliance Programme
2.2 Information Security Programme
2.3 Privacy & Incident Management Programme
2.4 Vulnerability Management Programme
2.5 Security Operations Programme
2.6 Secure Development Programme

[Cyberwolf cartoon: Ransomware]

Wolfpack Cyber Academy Training Courses

Duration Course

Foundation

2 DAYS Wolfpack Security Baseline Training – Over 14 information and cyber security domains are covered in this comprehensive course.

3 DAYS COBIT 5 Foundation - Forms a maturity model which will provide a wealth of insight and understanding on practical issues of IT Governance.

2 DAYS ISO 27001 Foundation - Learn about the best practices for implementing and managing an Information Security Management System (ISMS).

2 DAYS ISO 22301:2010 BCM Foundation - Learn about the best practices for implementing and managing a Business Continuity Management System (BCMS).

2 DAYS ISO 31000 Risk Foundation - Learn about the best practices in Risk Management and the essential concepts and processes that are considered most effective in risk management.

2 DAYS ISO 27005 IT Risk Foundation - Learn about the best practices in risk management and understanding how different parts of a risk management program and the implementation stages of an optimal risk assessment are synchronised.

Intermediate

5 DAYS CompTIA Security+ - A vendor neutral credential and internationally recognised validation of foundation level security skills and knowledge.

5 DAYS Certified Cyber Security First Responder – This course introduces the strategies, frameworks, methodologies and tools, which are used to manage cybersecurity risks and identify various types of common threats.

5 DAYS ISO 27001:2013 Lead Implementer - Develop the necessary expertise to support an organisation in implementing and managing an Information Security Management System (ISMS).

5 DAYS ISO 22301:2010 BCM Lead Implementer - Develop the necessary expertise to support an organisation in implementing and managing a Business Continuity Management System (BCMS).

2 DAYS ISO 31010 Risk Assessment Techniques - The ISO/IEC 31010 Standard is a supporting standard for ISO 31000 Risk Management. It provides guidance on the selection and application of systematic techniques for Risk Assessment.

2 DAYS ISO 31000:2009 Risk Manager - Develop the competence to master a model for implementing risk management processes throughout your organisation.

2 DAYS ISO 27005:2011 IT Risk Manager - Develops the competence to master the basic risk management elements related to all assets of relevance for information security.

Advanced

5 DAYS CompTIA CASP - A vendor neutral credential and an internationally targeted validation of advanced-level security skills and knowledge.

4 DAYS CISM Exam Prep Course - This uniquely management-focused certification ensures holders understand business, and know how to manage and adapt technology to their enterprise and industry.

5 DAYS ISO 27001 Lead Auditor - Develop the necessary expertise to audit an Information Security Management System (ISMS), as well as to manage a team of auditors by applying widely recognised audit principles, procedures and techniques.

[Cyberwolf cartoon: Command and Control]

MONITOR – Threat Monitoring Phase

The Wolfpack Monitoring platform provides five essential security capabilities in a single managed service. Understanding the sensitive nature of IT environments, we include active, passive and host-based technologies so that you can maintain the requirements of your particular environment.

Asset Discovery

• Active Network Scanning.

• Passive Network Monitoring.

• Asset Inventory.

• Software Inventory.

Vulnerability Assessment

• Network Vulnerability Testing.

• Continuous Vulnerability Monitoring.

Threat Detection

• Network Intrusion Detection System (IDS).

• Host IDS.

• File Integrity Monitoring (FIM).

Behavioral Monitoring

• Netflow Analysis.

• Service Availability Monitoring.

• Full packet capture.

Security Intelligence

• Log Management.

• Event Correlation.

• Incident Response.

• Reporting and Alarms.

“Connecting your organisation to the Internet makes it vulnerable to the full spectrum of global threats. Without constant monitoring you have no way of knowing where you have been compromised!”

Who do we work with?

We partner with local and international governments, organisations, industry bodies and individuals.

What do we do?

We specialise in information and cyber threat management covering the full spectrum of prevention, detection, incident response and business resilience capabilities.

About Wolfpack Information Risk

Wolfpack is a privately owned company. We are respected for our dynamic, independent thought leadership in the information and cyber security domains. We undertake a number of pro bono projects each year to improve cyber threat collaboration with a cyber community of over 9,000 stakeholders on the African continent.

[Infographic: 5 New National Projects in 2016; Established in 2011; Core Team 22; National Research; Level 1 BBBEE; 9000+ Cyber Community; Threat Intel Reports; 30+ TV / Radio Interviews; 60+ Print / Online Interviews; 90+ Conference / Event Talks. Contact: info@wolfpackrisk.com]

Professional Service Offering

We are a specialist cyber security services company

Research - Cyber security research into national security vulnerabilities



Threat Intelligence – Local insight into strategic and operational cyber threats facing Africa

Advisory – Business aligned security and privacy professional services

Awareness – Establish a strong security-aware culture from the top to the bottom

Training – Tailored training programmes to ensure optimal skills-transfer

Monitoring – Cyber Threat Intelligence Centre offering threat and vulnerability monitoring

Talent Management – Talent solutions to attract, assess and retain scarce skills




WE SPECIALISE IN CYBER SECURITY
