
© Copyright 1989 – 2010, (ISC)² All Rights Reserved

(ISC)² Update
U.S. Government Advisory Board Meeting
February 17, 2010

© Copyright 1989 – 2013, (ISC)² All Rights Reserved

Rethinking Cyber Security Threats

Frank Chow
CISSP ISSAP ISSMP CSSLP CGEIT CRISC CISM CISA
Chairperson of Professional Information Security Association /

• The International Information Systems Security Certification Consortium
• HQ in the US, with offices in London, Hong Kong and Tokyo
• A global not-for-profit organization known for world-class education and Gold Standard certifications.
• Founded in 1989 by multiple professional associations.
• Develops and maintains the (ISC)² CBK®, a taxonomy of information security topics. The CBK is a critical body of knowledge that defines global industry standards, serving as a common framework of terms and principles that allow professionals worldwide to discuss, debate and resolve matters pertaining to the field.
• Nearly 90,000 security professionals worldwide in over 135 countries

PISA SIG - (ISC)² Hong Kong Chapter

• Not-for-profit organization
• Facilitate knowledge and information sharing among the PISA members
• Promote the highest quality of technical and ethical standards to the information security profession
• Promote best-practices in information security control
• Promote security awareness to the IT industry and general public in Hong Kong
• Be the de facto representative body of local information security professionals

Agenda

• Definition
• Cyber Security Challenges
• Cyber Security Inside Out
• How to Survive a Cyber Attack?
• Addressing Cyber Security Challenges on a Global Scale


Definition

According to H.R. 4246 “Cyber Security Information Act”:

cybersecurity: “The vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety.”

CYBER SECURITY CHALLENGES


eCrime Market Current Pricing


Hack Household Appliances


Global Risk Trends

• Cyber attack is considered one of the top five most likely risks in 2012, as per the Global Risks Report.


Global Risk 2013


Motivations Behind Attacks


Cyber Attack Trends


Distribution of Attack Techniques


Distribution of Targets


Ranking of Five Types of Cyber Crime


Cyber Security Game Changers


Cyber Attack Approach

Source: Example from 2006 SANS SCADA Security Summit, INL

Diagram labels: Internet; Admin Acct; Admin; Operator; Master DB; Slave Database; "Send e-mail with malware"; "Opens Email with Malware"; "Perform ARP Scan"; "SQL EXEC"; "Perform ARP Scan".

1. Hacker sends an e-mail with malware
2. E-mail recipient opens the e-mail and the malware gets installed quietly
3. Using the information that the malware gets, the hacker is able to take control of the e-mail recipient’s PC!
4. Hacker performs an ARP (Address Resolution Protocol) Scan
5. Once the Slave Database is found, hacker sends an SQL EXEC command
6. Performs another ARP Scan
7. Takes control of Data
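The ARP scans in steps 4 and 6 are the part of this chain that a network defender can observe: a compromised PC suddenly asks the LAN who owns dozens of addresses within a few seconds, whereas a normal workstation resolves a handful of peers. The Python below is an added example, not part of the original slides or of the INL material they cite; it applies a sliding-window count of distinct ARP targets per sender to a constructed request log (all addresses, timestamps and thresholds are made up for illustration) and flags senders that exceed the threshold.

```python
"""Detect ARP sweep behaviour in a log of ARP requests.

Constructed example for the "Cyber Attack Approach" slide: after a
compromised workstation starts enumerating the LAN, the attacker's host
sends ARP who-has requests for many distinct addresses in a short time.
The records below are constructed, not captured from a real network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRequest:
    ts: float        # seconds since capture start
    sender_ip: str   # host asking "who has target_ip?"
    target_ip: str


def detect_arp_sweeps(requests, window_s=10.0, min_targets=20):
    """Return {sender_ip: distinct_target_count} for senders that ask about
    at least `min_targets` distinct IPs within any `window_s`-second window."""
    by_sender = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_sender[r.sender_ip].append(r)

    alerts = {}
    for sender, reqs in by_sender.items():
        # Sliding window over this sender's requests, ordered by time.
        left = 0
        window_counts = defaultdict(int)  # target -> occurrences inside the window
        best = 0
        for right, r in enumerate(reqs):
            window_counts[r.target_ip] += 1
            while reqs[right].ts - reqs[left].ts > window_s:
                old = reqs[left].target_ip
                window_counts[old] -= 1
                if window_counts[old] == 0:
                    del window_counts[old]
                left += 1
            best = max(best, len(window_counts))
        if best >= min_targets:
            alerts[sender] = best
    return alerts


def constructed_log():
    """Constructed: one host resolving its usual peers, one host sweeping the /24."""
    log = []
    # 10.0.0.5 is a normal workstation: three peers, repeated across a minute.
    for i in range(12):
        log.append(ArpRequest(ts=i * 5.0, sender_ip="10.0.0.5",
                              target_ip=f"10.0.0.{10 + (i % 3)}"))
    # 10.0.0.23 is the compromised PC: walks 10.0.0.1-60 in under ten seconds.
    for i in range(60):
        log.append(ArpRequest(ts=30.0 + i * 0.15, sender_ip="10.0.0.23",
                              target_ip=f"10.0.0.{i + 1}"))
    return log


if __name__ == "__main__":
    for host, n in detect_arp_sweeps(constructed_log()).items():
        print(f"ARP sweep suspected from {host}: {n} distinct targets")
```

The threshold and window are the tuning knobs: on a segment where hosts legitimately resolve many peers (a monitoring server, a DHCP relay) the baseline must be measured first, otherwise the detector alerts on normal behaviour.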

What we can do in Cyber Security?

Diagram labels: Social Media Security; Computer Forensics; Mobile Security; Cyber Security Incident Response; Physical Access; Logical Access; Organization; Data.

Source: ISACA/

Cyber Security Components

Diagram labels: Cyber Security Command Centre; Law Enforcement Agency; CERT; Risk Intelligence Service Providers; Interface & Interlock; Other Countries CERT & Intelligence Agencies.
• Security Operation Center
• Security Analytics
• Malware Detection
• Anomaly Detection
• Cyber Security Cell
• Threat Intelligence Feed
• Evolving Threat Research
• Contextualized Intelligence
• Well Defined Structure
• Roles & Responsibility
• Skilled Resources
• R&D Lab & Testing Lab
• Standards & Best Practices

• Cyber Security Service Portfolio

Cyber Security Components / Cyber Security Resources:
• Computer Forensics
• Social Media Security
• Incident Response (Virus/Malware/Botnets)
• DDOS Test
• Mobile Security
• Cloud Security
• Operational / Post-Event
• BCP / DR Preparedness against Cyber attacks
• Enterprise Security Architecture
• Simulation Exercises
• Effectiveness Measurement of Policies/Procedures/Infra
• Strategic Advisory
• Law Enforcement Agency, CERT, Risk Intelligence Service Provider, Enterprise Risk Management Interface & Interlock
• Cyber Security Training and Awareness
• Threat Modeling
• Regulatory Readiness (FISMA, TRA, Indian Act etc.)
• Penetration Testing
• Vulnerability Assessment
• Design of Security Intelligence Centre

Computer Forensics Coverage

Diagram labels:
• Network Forensics: LAN/WAN Network; Wireless Network; Mobile Trading
• Media Forensics: USB/CD Media; Mobile Device; Hard Disk
• System Forensics: Laptop/Desktop; Database/Operating Systems; Mobile Devices
• Web Server Forensics: Log Analysis; Intrusion/Malware Analysis

Computer forensics provides post-intrusion / incident analysis in order to identify, preserve and analyse meaningful evidence and to provide a detailed forensic report and recommendations on the security incident.

Approach for Computer Forensics

The following are the broad steps involved in this assessment:

1. Initial Study: Situation awareness, identify the potential source of data
2. Data Collection: Data duplication, Cloning, Extractions using specialized S/W and H/W
3. Investigation: Examination, Decryption, Intelligent search on information of interest
4. Analysis: Data Interpretation, Event Correlation, Chain of Custody, Pattern Matching
5. Reporting: Logical Conclusion, Management and Technical Presentation

Diagram labels: Data; Media; Information; Evidence; Break Through Confidentiality; Preserve Chain of Custody; Intelligent Search of Suspect Data; Concurrent Analysis; Seamless Access & Secure Storage of Data; Remote or Onsite.

Source: ISACA/
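Steps 2 and 4 above depend on one mechanism: the duplicated image is hashed at acquisition, every hand-over is recorded against that hash, and the hash is recomputed before analysis so that any alteration of the evidence shows up before conclusions are drawn from it. The Python below is an added example, not code from the slides or from ISACA; the disk image is a constructed byte string, and the case identifier and names are placeholders.

```python
"""Chain-of-custody record for a forensic acquisition.

Added example for the "Data Collection" and "Chain of Custody" steps of the
forensics approach: the acquisition hash travels with the evidence, each
custody event is logged against it, and verification before analysis
detects tampering. The image below is constructed, not real evidence.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone


def evidence_hash(image: bytes) -> str:
    """SHA-256 of the acquired image; this value is recorded with the evidence."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class CustodyEvent:
    when: str           # ISO-8601 UTC timestamp
    action: str         # "acquired", "transferred", "verified", ...
    custodian: str      # person or system now holding the item
    observed_hash: str  # hash recomputed (or copied) at this step


@dataclass
class CustodyRecord:
    case_id: str
    item: str
    acquisition_hash: str
    events: list = field(default_factory=list)

    def log(self, action, custodian, observed_hash, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        self.events.append(CustodyEvent(when, action, custodian, observed_hash))

    def unbroken(self) -> bool:
        """True if every recorded step saw the same hash as the acquisition."""
        return all(hmac.compare_digest(e.observed_hash, self.acquisition_hash)
                   for e in self.events)


def acquire(case_id, item, image, examiner):
    """Hash the freshly duplicated image and open its custody record."""
    h = evidence_hash(image)
    rec = CustodyRecord(case_id=case_id, item=item, acquisition_hash=h)
    rec.log("acquired", examiner, h)
    return rec


def verify_before_analysis(rec, image, analyst):
    """Recompute the hash on the copy handed to the analyst and log the outcome."""
    h = evidence_hash(image)
    rec.log("verified", analyst, h)
    return hmac.compare_digest(h, rec.acquisition_hash)


# Constructed evidence: a stand-in for a raw disk image, and a copy with one byte changed.
ORIGINAL_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"\x55\xaa"
TAMPERED_IMAGE = ORIGINAL_IMAGE[:100] + b"\xff" + ORIGINAL_IMAGE[101:]


def demo():
    """Returns (intact copy verified?, tampered copy verified?, chain still unbroken?)."""
    rec = acquire("CASE-PLACEHOLDER-001", "laptop HDD image", ORIGINAL_IMAGE, "examiner A")
    rec.log("transferred", "evidence locker", rec.acquisition_hash)
    intact = verify_before_analysis(rec, ORIGINAL_IMAGE, "analyst B")
    tampered = verify_before_analysis(rec, TAMPERED_IMAGE, "analyst C")
    return intact, tampered, rec.unbroken()


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The record deliberately keeps the failed verification: a chain of custody that only contains successes is of no use to the reviewer who has to decide whether the evidence can be relied on.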

Social Media Security

The rise in the use of social networking sites such as Twitter, LinkedIn and Facebook, by corporates to communicate and build their brand names and by individuals to share information, increases the risk to data security.

Diagram labels:
• Sensitive & Customer Information Gathering over Social Networking: Social Networking Sites (FB, Orkut etc.); Community Sites, Forums & Blogs; Using Search Engines
• Social Engineering: Phishing Through Calls; Phishing Through Mails and Websites; Dumpster Diving
• Awareness Assessment: Employee Awareness Assessment; Evaluation of Social Media & Acceptable Usage Policy
• Corporate Social Networking Website Security: Malware Detection; Phishing Attack Detection; Hacking Attack Detection
• Crisis Response over Social Media: Crisis Response Plan; Observing incident over Social Media; Training and Awareness

Source: ISACA/

Approach for Social Media Security

A comprehensive and structured approach for Social Media Security Assessment: sensitive customer information from different sources like social networking sites, forums, community sites, blogs and hacking sites is gathered with automated tools and with search engines like Google, AltaVista, Baidu etc.

The following are the broad steps involved in this assessment:

1. Identifying & understanding Sensitive Customer Data
2. Define the Search Pattern on the Sensitive Customer Data
3. Information gathering from automated tools using search patterns; Manual Information Gathering Using Search Engines like Google; Social Engineering Techniques
4. Analysis, Validation and Reporting

Source: ISACA/
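Steps 2 to 4 above come down to defining search patterns for the data an organisation treats as sensitive, running them over the collected text, and validating each hit before it reaches the report. The Python below is an added example, not code from the slides or from ISACA: it defines two patterns (e-mail addresses and payment-card-like numbers), validates card candidates with the Luhn checksum so that order references and phone numbers are not reported, and masks every finding so the report itself does not redistribute the data. The posts are constructed, and the pattern set is an assumption about what counts as sensitive.

```python
"""Search-pattern scan for sensitive customer data in collected public text.

Added example for the "Define the Search Pattern on the Sensitive Customer
Data" and "Analysis, Validation and Reporting" steps. Posts are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    post_id: str
    kind: str
    masked: str   # value with most characters hidden, safe to put in a report


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Hide everything but the last `keep` characters."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_post(post_id: str, text: str) -> list:
    findings = []
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(Finding(post_id, "email", local[0] + "***@" + domain))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Validation step: only Luhn-valid sequences are reported as card numbers.
        if luhn_ok(digits):
            findings.append(Finding(post_id, "payment_card", mask(digits)))
    return findings


def scan_posts(posts: dict) -> list:
    """Run every pattern over every collected post; returns findings in post order."""
    out = []
    for post_id, text in posts.items():
        out.extend(scan_post(post_id, text))
    return out


# Constructed posts; the card number is the well-known 4111 1111 1111 1111 test number.
CONSTRUCTED_POSTS = {
    "forum-1": "Support never answers, mail me at jane.doe@example.com instead.",
    "forum-2": "Paid with 4111 1111 1111 1111 and still no refund!",
    "forum-3": "Order ref 1234 5678 9012 3456 shipped yesterday.",  # fails Luhn, not reported
}

if __name__ == "__main__":
    for f in scan_posts(CONSTRUCTED_POSTS):
        print(f)
```

Adding a pattern for a national ID or account-number format follows the same shape: a regular expression for the candidate plus a validation function for its check digit, with the masked value as the only thing that leaves the scanner.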

Incident Response

Diagram labels: Incident Response Service; Virus Outbreaks; Malware Attacks; Hacking Attacks; Phishing Attacks; DOS/DDOS/Botnet Attacks.

The Incident Response Service provides on-field or remote analysis by experts to identify, contain, recover from and eradicate a variety of cyber attacks on the organisation.

Cyber Security Incident Response Approach

Preparation
• Mobilize Resources
• Tools & Kits
• Authorization and Approvals
• Legal considerations

Identification
• Situation Awareness
• Sources of information
• Chain of custody
• Suspected behavior

Collection
• Live Data Acquisition
• Log/Network Data Acquisition
• OS and Database Acquisition

Assessment
• Analyze acquired evidence
• Identify the level of impact
• Identify the source of intrusion & vulnerability

Reporting
• Management report on extent of Damage
• Report on nature of the incident and compromise
• Eradication and recovery measures

Reassess and Train
• Reassess the fix
• Develop learning and Lessons
• Training and Awareness
• Secure Guidelines

A structured and proven approach for handling and responding to any kind of cyber security attack, in line with industry best practices; experts armed with specialized tools help the customer react effectively and immediately.


Security for Industrial Control Systems (SCADA)

Diagram labels: PHYSICAL SECURITY CONTROLS; CYBER SECURITY CONTROLS; SECURITY CONTROLS; Air-gap networks, apps and control data with firewalls, proxies.

Everything is a Target

Diagram labels, by layer:
• Public / Private
• Perimeter: Vulnerability Assessments; Firewalls & Proxies; Intrusion Detection; VPN Remote Access
• Internal Network: Vulnerability Assessments; Intrusion Detection; Wireless Design Consulting; Intrusion Prevention; Authentication & Authorization
• Server: Vulnerability Assessments; Intrusion Prevention; Patch Management; Anti-Virus & Anti-SPAM; Mobile Client Security; Server Hardening; Authentication & Authorization
• Data: Authentication Management; Identity Management; Data Privacy
• Application: Vulnerability Assessments; Code Reviews; Application Hardening
• Policies, Procedures & Awareness: Policy Assessments; Operational Framework Consulting; Training & Consulting
• Security Management: Centralized Tool Integration; Centralized Monitoring

Addressing Cyber Security Challenges on a Global Scale

Source: ITU Regional Cyber security Forum for Africa and Arab States, 2009

This Cybersecurity Management System consists of 4 main components:
• Cyber Security Framework;
• Maturity Model;
• Roles and Responsibilities chart;
• Implementation Guide.

National Cybersecurity Management System

National Cyber Security Framework: 5 Domains

National Cyber Security Framework (5 Domains and 34 Processes)

1 - SP : Strategy and Policies
SP1 NCSec Strategy : Promulgate & endorse a National Cybersecurity Strategy
SP2 Lead Institutions : Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
SP3 NCSec Policies : Identify or define policies of the NCSec strategy
SP4 Critical Information Infrastructures Protection : Establish & integrate risk management for identifying & prioritizing protective efforts regarding CII
SP5 Stakeholders : Identify the degree of readiness of each stakeholder regarding the implementation of the NCSec strategy & how stakeholders pursue the NCSec strategy & policies

2 - IO : Implementation and Organisation
IO1 NCSec Council : Define a National Cybersecurity Council for coordination between all stakeholders, to approve the NCSec strategy
IO2 NCSec Authority : Define a specific high-level Authority for coordination among cybersecurity stakeholders
IO3 National CERT : Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents
IO4 Privacy and Personal Data Protection : Review the existing privacy regime and update it to the on-line environment
IO5 Laws : Ensure that a lawful framework is settled and regularly levelled
IO6 Institutions : Identify institutions with cybersecurity responsibilities, and procure resources that enable NCSec implementation
IO7 National Experts and Policymakers : Identify the appropriate experts and policymakers within government, private sector and university
IO8 Training : Identify training requirements and how to achieve them
IO9 Government : Implement a cybersecurity plan for government-operated systems that takes change management into account
IO10 International Expertise : Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts

3 - AC : Awareness and Communication
AC1 Leaders in the Government : Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the NCSec through policy-level discussions
AC2 National Cybersecurity and Capacity : Manage National Cybersecurity and capacity at the national level
AC3 Continuous Service : Ensure continuous service within each stakeholder and among stakeholders
AC4 National Awareness : Promote a comprehensive national awareness program so that all participants (businesses, the general workforce, and the general population) secure their own parts of cyberspace
AC5 Awareness Programs : Implement security awareness programs and initiatives for users of systems and networks
AC6 Citizens and Child Protection : Support outreach to civil society with special attention to the needs of children and individual users
AC7 Research and Development : Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds)
AC8 CSec Culture for Business : Encourage the development of a culture of security in business enterprises
AC9 Available Solutions : Develop awareness of cyber risks and available solutions
AC10 NCSec Communication : Ensure National Cybersecurity Communication

4 - CC : Compliance and Communication
CC1 International Compliance & Cooperation : Ensure regulatory compliance with regional and international recommendations, standards …
CC2 National Cooperation : Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, university and NGOs at the national level
CC3 Private sector Cooperation : Encourage cooperation among groups from interdependent industries (through the identification of common threats)
CC4 Incidents Handling : Manage incidents through the national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangements (especially between government and private sector)
CC5 Points of Contact : Establish points of contact (or CSIRT) within government, industry and university to facilitate consultation, cooperation and information exchange with the national CERT, in order to monitor and evaluate NCSec performance in each sector

5 - EM : Evaluation and Monitoring
EM1 NCSec Observatory : Set up the NCSec observatory
EM2 Mechanisms for Evaluation : Define mechanisms that can be used to coordinate the activities of the lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global NCSec performance
EM3 NCSec Assessment : Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities
EM4 NCSec Governance : Provide National Cybersecurity Governance

National Cyber Security Maturity Model

SP1 Promulgate & endorse a National Cybersecurity Strategy
Level 1: Recognition of the need for a National strategy
Level 2: NCSec is announced & planned
Level 3: NCSec is operational for all key activities
Level 4: NCSec is under regular review
Level 5: NCSec is under continuous improvement

SP2 Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
Level 1: Some institutions have an individual cyber-security strategy
Level 2: Lead institutions are announced for all key activities
Level 3: Lead institutions are operational for all key activities
Level 4: Lead institutions are under regular review
Level 5: Lead institutions are under continuous improvement

SP3 Identify or define policies of the NCSec strategy
Level 1: Ad-hoc & isolated approaches to policies & practices
Level 2: Similar & common processes announced & planned
Level 3: Policies and procedures are defined, documented, operational
Level 4: National best practices are applied & repeatable
Level 5: Integrated policies & procedures; transnational best practice

SP4 Establish & integrate a risk management process for identifying & prioritizing protective efforts regarding NCSec (CIIP)
Level 1: Recognition of the need for a risk management process in CIIP
Level 2: CIIP are identified & planned. Risk management process is announced
Level 3: Risk management process is approved & operational for all CIIP
Level 4: CIIP risk management process is complete, repeatable, and leads to CI best practices
Level 5: CIIP risk management process evolves to automated workflow & is integrated to enable improvement

National Cybersecurity Assessment

Chart: the processes SP1, SP4, IO2, IO3, IO5, AC5, CC1, CC2 and EM4 scored on a scale of 0 to 5.

Legend:
SP1: National Cybersecurity Strategy
SP4: CIIP
IO2: National Cybersecurity Authority
IO3: National-CERT
IO5: Cyber Law
AC5: Awareness Programme
CC1: International Cooperation
CC2: National Coordination
EM4: Cybersecurity Governance

RACI Chart / Stakeholders

SP1 NCSec Strategy: Promulgate & endorse a National Cybersecurity Strategy
SP2 Lead Institutions: Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category
SP3 NCSec Policies: Identify or define policies of the NCSec strategy
SP4 Critical Infrastructures: Establish & integrate risk management for identifying & prioritizing protective efforts regarding NCSec (CIIP)

Chart: R/A/C/I assignment of each process to the stakeholder columns (column headings not recoverable).

R = Responsible, A = Accountable, C = Consulted, I = Informed

Source: ITU Regional Cyber security Forum for Africa and Arab States, 2009

National Cybersecurity Management System Implementation Guide

Example: Measuring the effectiveness of Security

Apply the vulnerability management lifecycle...

• Inventory assets
• Identify vulnerabilities
• Develop baseline
• Prioritize based on vulnerability data, threat data, and asset classification
• Eliminate high-priority vulnerabilities
• Establish controls
• Demonstrate progress
  • Monitor known vulnerabilities
  • Watch unpatched systems
  • Alert other suspicious activity
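The lifecycle above is measurable only once the three inputs of the prioritize step (scanner findings, threat data, asset classification) are combined into a single ranking and a baseline is taken from it. The Python below is an added example, not code from the slides: it scores each finding from its CVSS base score scaled by asset classification and boosted when the CVE is reported as exploited, takes a baseline, and reports progress as the change in open high-priority findings and unpatched hosts after a constructed remediation round. The inventory, findings and threat feed are constructed, the CVE identifiers are placeholders, and the weights and threshold are assumptions of this example rather than a published standard.

```python
"""Prioritise vulnerabilities and measure remediation progress.

Added example for the "Measuring the effectiveness of Security" slide.
All data is constructed; weights and threshold are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    classification: str   # "critical", "high", "medium", "low"


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float           # base score 0-10 reported by the scanner
    fixed: bool = False


# Constructed inventory and scan results (CVE identifiers are placeholders).
ASSETS = [Asset("db-master", "critical"), Asset("db-slave", "critical"),
          Asset("hr-web", "high"), Asset("kiosk-1", "low")]

BASELINE = [
    Finding("db-master", "CVE-0000-0001", 9.8),
    Finding("db-slave", "CVE-0000-0001", 9.8),
    Finding("hr-web", "CVE-0000-0002", 7.5),
    Finding("kiosk-1", "CVE-0000-0003", 9.1),
    Finding("kiosk-1", "CVE-0000-0004", 4.3),
]
# Constructed threat data: CVEs reported as actively exploited.
EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

CLASS_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}


def priority(finding, assets, exploited):
    """Score 0-10: CVSS scaled by asset classification, +2 if exploited in the wild."""
    cls = {a.host: a.classification for a in assets}[finding.host]
    score = finding.cvss * CLASS_WEIGHT[cls]
    if finding.cve in exploited:
        score = min(10.0, score + 2.0)
    return round(score, 1)


def high_priority(findings, assets, exploited, threshold=7.0):
    """Open findings at or above the threshold, highest first."""
    open_ = [f for f in findings if not f.fixed]
    ranked = sorted(open_, key=lambda f: priority(f, assets, exploited), reverse=True)
    return [f for f in ranked if priority(f, assets, exploited) >= threshold]


def unpatched_hosts(findings):
    """Hosts that still carry at least one open finding ("watch unpatched systems")."""
    return sorted({f.host for f in findings if not f.fixed})


def progress(baseline, current, assets, exploited):
    """Metrics for the "demonstrate progress" step: baseline versus current scan."""
    return {
        "high_priority_open_before": len(high_priority(baseline, assets, exploited)),
        "high_priority_open_now": len(high_priority(current, assets, exploited)),
        "unpatched_hosts_before": len(unpatched_hosts(baseline)),
        "unpatched_hosts_now": len(unpatched_hosts(current)),
    }


def after_remediation():
    """Constructed second scan: the two database hosts were patched."""
    return [Finding(f.host, f.cve, f.cvss, fixed=f.host.startswith("db-")) for f in BASELINE]


if __name__ == "__main__":
    for f in high_priority(BASELINE, ASSETS, EXPLOITED):
        print(priority(f, ASSETS, EXPLOITED), f.host, f.cve)
    print(progress(BASELINE, after_remediation(), ASSETS, EXPLOITED))
```

Note what the scoring does with the kiosk: a CVSS 9.1 exploited vulnerability on a low-classification asset lands at 3.8 and drops out of the high-priority list, while the same scanner would have listed it first. Whether that is the right outcome is exactly the asset-classification decision the slide asks for, and it is a decision to make explicitly rather than by letting the scanner's severity stand in for risk.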

Thank You
