Cybersecurity as a Risk Factor in doing business
(1)

AMCHAM APCAC 2014, Manila, Philippines
Michael Mudd, Secretary General - APAC, The Open Computing Alliance, London, UK

Cybersecurity as a Risk Factor in doing business

3/12/2014

Data is the new “…raw material of business” (The Economist, UK, 2013).

“In trying to defend everything he defended nothing” (Frederick the Great, Prussia, 1712-86).

(2)

Today

The Threat
The Framework
The Action
The Future

(3)
(4)

Cyber attacks on the increase

Web-based malware attacks doubled in the second half of 2013*
Web-based attacks represented 26% of the total; the Conficker worm was next with 20%
Mac attacks saw 51 new variants
Mobile attacks on the increase: Android accounted for 97% of all mobile malware in 2013 (208 > 804); Symbian 3%; nil on any other mobile OS (BlackBerry / Microsoft / iOS)
Ouroboros cyber weapon used in Ukraine, 2014

* F-Secure Labs, March 2014

(5)

One Example - Target stores

Date: Nov. 27 to Dec. 15 (2013)
Credit card data stolen: 40 million
Estimate used for fraud: 10-15% *
Estimate fraud per card: $300 *
Value of fraud: $1.4-2.2bn * (the slide's own inputs, 40M x 10-15% x $300, work out to $1.2-1.8bn; the quoted range evidently rests on slightly different assumptions)

* Losses to both banks and Target. Does not include fines for the data breach or reputational damage.

Card holders put on credit watch lists
VISA now insisting on Chip/PIN (EMV) deployment

(6)
(7)

Encountered Malware by Region – 2Q13 (chart)

(8)

RSA 2012 Cybercrime Report


(9)

Threat categories (chart: percent of reporting computers per threat category, 0-12% scale, Singapore vs. worldwide)

(10)

It’s not all about software…

(11)

The NIST Cybersecurity Framework

Executive Order 13636 — Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.

This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.

(12)

The Cybersecurity Framework (as directed by the Executive Order) will:

include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks;

provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk;

identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations;

enable technical innovation and account for organizational differences (its guidance is to be technology neutral);

include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

(13)

Cybersecurity Framework Categories and Themes

Framework Principles
• Flexibility
• Impact on Global Operations
• Risk Management Approaches
• Leverage Existing Approaches, Standards, and Best Practices

Common Points
• Senior Management Engagement
• Understanding Threat Environment
• Business Risk / Risk Assessment
• Separation of Business and Operational Systems
• Models / Levels of Maturity
• Incident Response
• Cybersecurity Workforce

Initial Gaps
• Metrics
• Privacy / Civil Liberties
• Tools
• Dependencies
• Industry Best Practices
• Resiliency
• Critical Infrastructure Cybersecurity Nomenclature

(14)

Framework Core Functions and Profile

• Enables organizations to establish a roadmap to reducing cybersecurity risk
• Can be used to describe the current state and desired target state of specific cybersecurity activities
• Created by determining which Categories are relevant to a particular organization, sector, or other entity
• An organization’s risk management processes, legal / regulatory requirements, business / mission objectives, and organizational constraints guide the selection of activities during Profile development

(15)

Organizational Information and Decision Flows


(16)

The Action : Do’s and Don’ts

“If you protect your paper clips and diamonds with equal vigor, you will soon have more paper clips and fewer diamonds” (Dean Rusk, US Secretary of State, 1961 – 1969)

• Start with simple data classification
• Know your risks. What are they, where are they?
• Behind every security problem is a human being
• Do have anti-virus on every machine, including mobiles and tablets
• Someone must be ultimately responsible
• If you need help, consider cloud providers

(17)

Australia’s Top 35: the Australian Government approach

The slide lays the ASD’s 35 mitigation strategies out as a diagram grouped under eight headings: Educate Users, Strong Authentication, Protect the Endpoint, Harden Web & Server Apps, Defend the Web, Protect Email, Monitor the Network, and Monitor System Infrastructure. The strategies shown:

• Patch & update to current applications
• Patch & update to current operating systems
• Host-based intrusion detection & prevention
• Host inspection of Microsoft Office files
• Inbound host-based firewall
• Use gateway and desktop antivirus
• Lock down operating environments
• Social engineering education
• Enforce strong passphrases
• Restrict administrative privileges
• Use multi-factor authentication
• Implement data execution prevention
• Harden server applications
• Disable LanMan
• Filter web content
• Whitelist web domains
• Whitelist HTTP/SSL connections
• Enforced border gateway firewall
• Force domain IP lookup
• Blacklist domains at the border gateway
• Filter email content by whitelist
• Implement TLS between email servers
• Capture all network traffic
• Monitor traffic with network IDPS
• Restrict NetBIOS
• Network segmentation & segregation

(18)

Australia’s Top 4

• Updating applications and using the latest version of an application (turn on auto-update)
• Patching operating systems
• Keeping admin rights under strict control (and forbidding the use of administrative accounts for email and browsing)
• Whitelisting applications

The top four actions that will stop 90% of all threats
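As an added example, not part of the original deck, the PowerShell script below turns the Top 4 into read-only checks on a single Windows host: whether Windows Update auto-install is disabled by policy, how old the newest installed OS hotfix is, who sits in the local Administrators group and whether the current session itself is elevated (the state an email-and-browsing account must never be in), and whether AppLocker is actually enforcing executable rules. It assumes Windows 10 / Server 2016 or later, an elevated prompt, and the Microsoft.PowerShell.LocalAccounts and AppLocker modules; the function names and the thresholds (30 days, two local admins) are this example’s own choices, not ASD guidance.

```powershell
# Added example, not from the deck: read-only audit of one Windows host against
# the ASD Top 4. Assumes Windows 10 / Server 2016+, an elevated prompt, and the
# Microsoft.PowerShell.LocalAccounts and AppLocker modules. Thresholds are this
# example's own assumptions.

function Get-AutoUpdateFinding {
    # Top 4 #1: keep applications current / turn on auto-update.
    # Only Windows Update policy is visible here; third-party applications
    # need their own updaters or a patch-management tool checked separately.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $finding = if ($au -and $au.NoAutoUpdate -eq 1) {
        'WARN: automatic updates disabled by policy (NoAutoUpdate=1)'
    } elseif ($au -and $au.AUOptions -and $au.AUOptions -ne 4) {
        "WARN: AUOptions=$($au.AUOptions) (4 = auto download and schedule install)"
    } else {
        'OK for Windows components; verify third-party updaters separately'
    }
    [pscustomobject]@{ Control = 'Update applications'; Finding = $finding }
}

function Get-PatchFinding([int]$MaxDaysSincePatch = 30) {
    # Top 4 #2: patch operating systems. Get-HotFix lists installed OS updates;
    # not every entry carries an InstalledOn date, so this is a lower bound.
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn).Days } else { $null }
    $finding = if ($null -eq $days) {
        'WARN: no dated hotfixes found'
    } elseif ($days -gt $MaxDaysSincePatch) {
        "WARN: newest hotfix $($latest.HotFixID) is $days days old"
    } else {
        "OK: $($latest.HotFixID) installed $days days ago"
    }
    [pscustomobject]@{ Control = 'Patch operating systems'; Finding = $finding }
}

function Get-AdminRightsFinding([int]$MaxLocalAdmins = 2) {
    # Top 4 #3: keep admin rights under strict control. Reports local
    # Administrators membership and whether this session is elevated.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    $finding = if ($admins.Count -gt $MaxLocalAdmins) {
        "WARN: $($admins.Count) local admins: $($admins -join ', ')"
    } else {
        "OK: $($admins.Count) local admins"
    }
    [pscustomobject]@{ Control = 'Restrict admin rights'; Finding = $finding; SessionElevated = $elevated }
}

function Get-AppWhitelistFinding {
    # Top 4 #4: application whitelisting. Reads the effective AppLocker policy
    # and reports the enforcement mode and rule count of the Exe collection.
    $policy = [xml](Get-AppLockerPolicy -Effective -Xml)
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $mode = if ($exe -and $exe.EnforcementMode) { $exe.EnforcementMode } else { 'NotConfigured' }
    $rules = @($exe.ChildNodes | Where-Object { $_.Name -like 'File*Rule' }).Count
    $finding = if ($mode -eq 'Enabled' -and $rules -gt 0) {
        "OK: AppLocker enforcing $rules exe rule(s)"
    } else {
        "WARN: AppLocker exe collection is $mode with $rules rule(s)"
    }
    [pscustomobject]@{ Control = 'Whitelist applications'; Finding = $finding }
}

function Invoke-Top4Audit {
    @(Get-AutoUpdateFinding; Get-PatchFinding; Get-AdminRightsFinding; Get-AppWhitelistFinding)
}

Invoke-Top4Audit | Format-Table -AutoSize -Wrap
```

Run it from an elevated session on the host being assessed; each function returns an object, so the output can be piped to Export-Csv across a fleet. Note that a "Whitelist applications" result of AuditOnly is the common half-way state: rules exist and log, but nothing is blocked, so the control is not yet in place.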

(19)

The Future

A new model of computing is emerging.

Layered security from the edge (the weakest) to the centre (the ‘Fort Knox’).

Protect what is important, not what is just ‘data’. What is important is critical infrastructure, national heritage, personal data and the financial system - ultimately every citizen’s personal data and wealth.

As was seen in Japan in 2011 and Leyte in 2013, this can all be destroyed in minutes… unless this risk is mitigated.

(20)

Securing Critical Data via the Cloud

10 years ago…
• Security and privacy top of mind
• Hacking, virus propagation, espionage and cyber-warfare on the rise
• Enforcement officials need tools & training
• Vehicles for cross-border collaboration inadequate

Today…
• Security and privacy top of mind
• Hacking, virus propagation, espionage and cyber-warfare on the rise
• Enforcement officials need tools & training
• Vehicles for cross-border collaboration inadequate

(21)

So what has changed? It’s all about trust

What are the security issues (and benefits) of the cloud?

Service provider practices:
• Does the service provider have a documented information security program, and what does it say?
• What security certifications does the service provider have?
• Do they comply with your audit needs, and the regulators’?
• What are the responsibilities of each party, e.g. in the event of a data breach?

The key is in the contract – the same as with captive outsource service providers today

(22)

Audits and Certifications

SAS 70 Certified (SAS 70 was superseded in 2011 by SSAE 16 / SOC 1, the standard cited later in this deck)

(23)

Cross-Border Data Flows

Efficiencies and benefits of cloud computing are best achieved when data – information – flows freely across borders (APEC, TPP, AEC).

The same as business in general; it’s all global now.

Privacy laws that overly restrict such flows can be an impediment to economic growth.

It’s the audit trail that is the real concern of government regulators, customers and investors.

This has been done for decades by the FSI via captive

(24)

A Regulatory Framework for your Money

Security is about deterring attack. Privacy is about creating trust.

Framework and certifications on security.

Digital privacy is a top-of-mind concern for customers of banks, insurance and securities.

Protect what is critical, not what is just data.

How much should the location of the data matter?

A ten-point approach for regulators

(25)

A Framework – CONFIDENTIALITY

System and Location Transparency: SPs should be fully transparent as to where data will be located.

Limits on Data Use: an SP must not use customer data for any purpose other than that which is necessary to provide the contracted cloud service(s).

Data Separation/Isolation: a customer’s data must be segregated from other data held by the SP.

Conditions on Subcontracting: SPs may only use subcontractors if the subcontractors are subject to controls equivalent to the SP’s.

(26)

A Framework – INTEGRITY

Due Diligence and Service Provider Compliance: a customer should have in place a risk management plan that includes measures to address the risks associated with the use of an SP’s cloud service(s).

Security and Confidentiality: customers should only contract for services with an SP that has been certified to have, and to maintain, robust security measures and comprehensive security policies in place.

Review, Monitoring and Control: an SP must provide regular reporting and information to demonstrate its continued compliance with agreed standards and legal and contractual requirements throughout the duration of service provision.

Audit and Access Rights: an SP should provide access and inspection rights to regulators (and to those regulated) to demonstrate compliance with all legal and contractual requirements, including regular independent third-party audit results (to SSAE 16 SOC 1 Type II, for example).

(27)

A Framework – AVAILABILITY

Resilience and Business Continuity: an SP must have an effective business continuity plan with appropriate service recovery and resumption times.

Conditions on Termination: customers must have contractual rights to terminate their contracts with SPs. To the extent the customer requires it, the SP must, upon termination of the contract, work with the customer to return the customer’s data within the agreed contractual period. The SP must permanently delete all backups/copies of the data from the SP’s systems after the customer’s data is returned. If the data is not to be returned, the SP must permanently delete the customer’s data upon termination of the contract.

(28)

THANK YOU!

MICHAEL MUDD
+(852) 2830 9936
09064713450
mmudd@asiapolicypartners.com
www.opencomputingalliance.org

Acknowledgments:
NIST: Tim Grance
Microsoft: Pierre Noel
