CYBERSECURITY NEXUS – CSX
INTRODUCTION
Steven Babb
Career
•International Brewer, various roles (1991-1996)
•KPMG, IT Risk Service Line Leader (1996-2012)
•Betfair, Head of Governance, Risk & Assurance (2012-2014)
•Vodafone, Technology Risk, Compliance and Assurance Leader (2014..)
ISACA involvement – past and present
•RiskIT TF, COBIT 5 TF, Cloud Computing TF, Framework Committee Chair
•COBIT 5 for Risk TF Chair, COBIT Growth Strategy TF
•International Vice President, SAC Member, Knowledge Board Chair
ABOUT ISACA
“Trust in, and value from, information systems”
Global association serving 115,000 IT security, assurance, governance and risk professionals
Established in 1969
Members in 180 countries
200+ chapters
Established the COBIT framework
AGENDA
“CSX is helping shape the future of cybersecurity through cutting-edge thought leadership, as well as training and certification programs. It gives cybersecurity professionals a smarter way to keep organizations and their information more secure.
With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry. Because Cybersecurity Nexus is at the centre of everything that’s coming next...”
•The evolving security landscape – the driver for change
•How do I respond
•Cybersecurity Nexus
•Questions
THE EVOLVING SECURITY LANDSCAPE – THE DRIVER FOR CHANGE
12 JANUARY 2010... THE WORLD CHANGED
12 January 2010... Google honourably disclosed to the world that it had been a victim of modern malware. It was soon discovered that Google was one of more than 20 companies successfully targeted by a well-organized and coordinated effort to gain access to sensitive systems and information.
Companies targeted were within a range of industries, including the financial, technology and chemical sectors.
HEARTBLEED
Source: http://heartbleed.com/
Watch the video here on Heartbleed: https://www.youtube.com/watch?v=8oI_laHhGjE
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
SHELLSHOCK
Shellshock is the name given to a security vulnerability in the Bash "shell," or command-line user interface, first made public on 24 September 2014.
Like other shells, Bash translates the text-based commands that power users type into command-line interfaces — such as Terminal in Apple OS X or Command Prompt in Microsoft Windows — into languages that computers can understand. Bash is the default shell in OS X and many varieties of Linux, but, except for specialized software, does not run in Windows.
Shellshock is a quirk in Bash that could let an attacker remotely replace environment variables in Bash with functions, or actual commands, which the computer would carry out without verification.
The computers and devices most vulnerable to Shellshock are those that "listen" to the Internet for commands from other computers. For example, a Web server, which constantly gets document requests from Web clients.
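Two checks a defender would run against the Shellshock behaviour just described, as an added example that is not part of the ISACA deck: one asks the local bash whether it still imports shell functions from arbitrary environment variables, the other counts web-server log lines that carry the `() {` function-definition marker a Shellshock request needs. The log lines are constructed sample data, and the function names are this example's own.

```shell
# Added example; not from the ISACA deck. Defender-side checks for Shellshock.

# Returns "patched", "vulnerable" or "no-bash" (bash not installed on this host).
shellshock_self_test() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Put a function definition, followed by an extra command, in an ordinary
    # environment variable and start a child bash. A patched bash ignores the
    # variable, so only "probe" is printed; an unpatched bash executes the extra
    # command while importing the variable and prints "vulnerable" as well.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

# Constructed Apache-style access log lines (sample data, not real traffic).
# The second line carries a Shellshock probe in its User-Agent field.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo shellshock-probe"
203.0.113.5 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "curl/7.30.0"'

# Counts log lines containing the literal prefix "() {". Vulnerable bash only
# imported a variable as a function when its value began with this prefix, so
# a probe has to carry it somewhere in the request.
count_shellshock_hits() {
    # grep -c exits 1 when the count is 0; "|| true" keeps the count usable
    # under "set -e".
    printf '%s\n' "$1" | grep -c -F '() {' || true
}

# Prints both results when the file is run directly.
echo "local bash: $(shellshock_self_test)"
echo "probe lines in sample log: $(count_shellshock_hits "$SAMPLE_LOG")"
```

The self-test only talks to the bash on the machine it runs on; a "vulnerable" result means that host needs the vendor's bash update. The log check is a coarse first pass: a hit is worth a look at what the listening service (here a CGI script) did with the request, and the Web-server audience in the paragraph above is exactly where such log review belongs.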
BECOMING ALL TOO COMMON...
Email addresses and other contact information stored at the
European Central Bank (ECB) have been stolen, the organization confirmed on Thursday
Security that protects a database serving its public website has been breached, it said in a statement published on its website, meaning users registering for information on conferences and visits at the ECB have been compromised
It stated that no "internal systems or market-sensitive" information had been part of the data theft and was physically separate from the compromised data
"The theft came to light after an anonymous email was sent to the ECB seeking financial compensation for the data. While most of the data were encrypted, parts of the database included email addresses, some street addresses and phone numbers that were not encrypted," the central bank said
Users whose information might be part of the breach are in the process of being contacted, the ECB said, and advised that all passwords on the system have been changed as a precaution
The bank is just the latest in a long line of companies and public bodies that have experienced a breach. In May, eBay admitted that hackers had attacked its network and accessed some 145 million user records. It now faces an investigation in the US and UK
ADVANCED PERSISTENT THREATS
ADVANCED, STEALTHY AND CHAMELEON-LIKE in their adaptability, APTs were once thought to be limited to attacks on government networks
APTs can happen to any enterprise
Repeated pursuit of objectives, adaptation and persistence differentiate APTs from a typical attack
Primarily, the purpose of the majority of APTs is to extract information from systems – this could be critical research, enterprise intellectual property or government information, among other things
APT DEFINITION
“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives”
BECOMING ALL TOO COMMON...
The Pitty Tiger APT has been targeting telcos, defence companies and at least one government in a cyber-espionage campaign that relies on spear phishing and malware prying on vulnerabilities in Microsoft Office
In a new whitepaper, security experts at Airbus Defence & Space Cybersecurity Unit detail how the APT has been undetected since at least 2011 and say that its operators have been reliant on an assortment of
different malware, including some developed exclusively by the threat actor
Instead of looking to exploit any zero-day vulnerability, the group relies “extensively” on spear phishing, malware and vulnerabilities existing on older versions of Microsoft Office as well as the Heartbleed bug, which continues to affect some 300,000 open-source web servers worldwide
The campaign apparently starts with a phishing email, with one example promising a holiday along with a Microsoft Office Word attachment. Airbus admits that this is “amateur” – with the attached Word file infecting the computer with malware, while others relied on an older vulnerability, which affected MS Office versions 2003 through to 2010, SQL Server and other popular enterprise software applications
The report's authors are in little doubt that the group behind the APT is not state-sponsored, despite China being the likely origin of the group. “They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.”
ISACA APT SURVEY – JULY 2014
•92% say APTs pose a credible threat to national security or economic stability
•1 in 5 have experienced an APT attack
•63% believe it is only a matter of time before their business is targeted
•The majority of survey takers – up to 60% – believed that they have the ability to identify, respond to and stop a successful APT attack
•Up to 82% of survey takers have not updated their agreements with vendors who provide protection against APT
•67% reported that they haven’t held any APT awareness training programs for their employees
ISACA STUDENT SURVEY – APRIL 2014
•The majority of ISACA’s student members (88%) plan to work in a field requiring cybersecurity knowledge
•57% said their University did not offer cybersecurity courses
•Fewer than half say they will have adequate skills for the job
•74% plan to pursue a cybersecurity-related certificate
HOW DO I RESPOND
YOU NEED TO BE ON THE OFFENSIVE
•Traditional prevention and detection are not enough; you need to move from defensive to offensive
•Governments cannot prevent intrusions
•Data loss is inevitable
•Attacks will continue
•Companies often breached for years
•New approaches required
Source: http://booksonwaraustralia.com/battle-vietnam-history-
IF YOU HAVE IP YOU ARE A TARGET!
•Assume you are breached
•Prepare for the inevitable
•Start planning
•Define your “Win”
• Delay the ‘Threat’ from reaching its goal
• Minimize the loss
• Improvise as you go along
• Are your approaches outdated? If so, review and revise!
WHAT DO I DO?
•Build a team
•Establish key relationships
•Inventory Existing Technologies
•Standardize the Investigation Process
•Training and Governance
•Establish Critical Capabilities
Source: http://www.cascadestrategy.com/wp-content/uploads/2012/10/Strategy-Small1.jpg
CYBERSECURITY NEXUS
WHAT IS IT?
With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry
•Join a global community of more than 115,000 professionals, innovators and thought leaders – Professional and Student membership
•Enhance your cybersecurity knowledge and skills at our global conferences, workshops and training events
•Find the latest research and expert thinking on standards, best practices, emerging trends and beyond
•Secure recognition for your expertise. Our globally accepted certifications help advance skills and careers
WHAT IS IT?
•Cybersecurity Fundamentals knowledge certificate – available now – knowledge-based exam for those with 0 to 3 years’ experience
• Foundational level covers five domains:
• Cybersecurity concepts
• Cybersecurity architecture principles
• Security of networks, systems, applications and data
• Incident response
• Security of evolving technology
• Online exam. Results are shared immediately, and those who pass receive a certificate
• The content aligns with the US NICE framework and the Skills Framework for the Information Age (SFIA) and was developed by a team of cybersecurity professionals from around the world. The team is involved in all areas of development through content contribution and subject matter expert reviews
WHAT IS IT?
•Professional membership
• Membership for IT Audit, Security, Governance and Risk Professionals
•Student membership
• ISACA student members join a community of students from more than 300 universities worldwide. ISACA student members major in a variety of areas including:
• Information systems, Business administration, Accounting, Information technology, Engineering and Computer science
• Student membership provides the knowledge and tools to develop your professional identity. You'll make connections with people who work in your target field, plus those who hire for the positions you seek
“ISACA has consistently maintained a standard that will continue to be a lever for anyone that wants to meet the challenges of the changing world of IT.”
“It is the best professional membership I have in terms of value for money.”
“Hands down the best association I have ever been involved in – very affordable, valuable information. ISACA magazine (the ISACA Journal) and webinars are my most valuable sources of information.”
WHAT IS IT?
•Conferences
• Euro CACS / ISRM + Global CyberLympics Finals
• North America ISRM, Latin CACS / ISRM
•Webinars
• Self-Defense Strategies to Thwart Cloud Intruders: Keep Your Data Safe in the Cloud
• Breaches: A Risk-Based Approach to Identification, Impact Estimation and Effective Remediation
•Virtual Conferences
• Full-day educational events, presented online. The virtual event consists of an exhibit hall, conference hall, networking lounge and resource center
• Archived – Mobile Security: Overcoming Obstacles, Reducing Risk
• 9 December – Cloud Security
•Workshops
• Cybersecurity Fundamentals Workshop
• ISACA was the exclusive host sponsor of the Global CyberLympics World Finals, held in conjunction with the first day of the EuroCACS/ISRM 2014
• Global CyberLympics is an international online cybersecurity competition dedicated to finding the top computer network defense teams. Global CyberLympics tests the skills of information security and assurance professionals in teams of 4 to 6 people in areas including:
•Ethical hacking
•Computer network defense
WHAT IS IT?
•Articles from ISACA Journal
•Cybersecurity Blog Posts – The CSX Newsroom
•White Papers & Publications
• European Cybersecurity Implementation Series
• Cybersecurity Fundamentals Study Guide**
• Cybersecurity: What the Board of Directors Needs to Ask
• Implementing the NIST Cybersecurity Framework*
• Responding to Targeted Cyberattacks*
• Transforming Cybersecurity*
• Advanced Persistent Threats: How To Manage the Risk To Your Business*
• Advanced Persistent Threat Awareness Study Results
*PDF is free to members; non-members may purchase PDF
**Available for purchase
AVAILABLE NOW
Cybersecurity Fundamentals Certificate and study guide
Implementing the NIST Cybersecurity Framework Using COBIT 5
European Cybersecurity Implementation Series
Transforming Cybersecurity Using COBIT 5
Responding to Targeted Cyberattacks
Advanced Persistent Threats: Managing the Risks to Your Business
2014 APT Awareness Study
Cybersecurity webinars and conference tracks (six-part webinar series)
Cybersecurity Knowledge Center community
COMING SOON
Cybersecurity practitioner-level certification (first exam: 2015)
Cybersecurity training courses (November 2014)
SCADA guidance
Digital forensics guidance
CAREER PATH
0-3 years: Cybersecurity Fundamentals Certificate
No experience required, must pass knowledge-based exam
3-5 years:
Cybersecurity practitioner-level certification
Coming in mid-2015
5+ years:
Certified Information Security Manager certification
• Among the resources also coming from ISACA this month are:
• Two free webinars:
• Why Implement the NICE Cybersecurity Workforce Framework?
• Data-centric Audit and Protection: Reducing Risk and Improving Security Posture
• A cybersecurity Twitter chat on 22 October with ISACA International President Rob Stroud and International Vice President Ramsés Gallego
• Two cybersecurity training courses:
• Implementing the NIST Cybersecurity Framework Using COBIT 5
• COBIT 5 for Security Assessors
• Cybersecurity Teaching Materials
• Cybersecurity Student Handbook
http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?utm_campaign=ISACA+Main&cid=sm_1104943&utm_content=1413225083&utm_source=googleplus&utm_medium=social&appeal=sm&ID=450
EUROPEAN CYBERSECURITY IMPLEMENTATION SERIES
• Cybersecurity is emerging to address increases in cybercrime and, in some instances, cyberwarfare
• Factors contributing to the need for improved cybersecurity include: ubiquitous broadband, IT-centric business and society, and social stratification of IT skills. To address cybercrime, many governments and institutions launched cybersecurity initiatives, ranging from guidance, through standardisation, to comprehensive legislation and regulation
• ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice
• Available now!
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/European-Cybersecurity-Implementation-Series.aspx
EUROPEAN CYBERSECURITY IMPLEMENTATION SERIES
• European Cybersecurity Implementation: Overview – a high-level overview of implementing cybersecurity in line with existing laws, standards and other guidance
• European Cybersecurity Implementation: Assurance – this paper focuses on assurance in cybersecurity. In Europe, cybersecurity assurance is an integral part of the internal system of controls that was introduced by EU directive, and implemented subsequently as statutes in the member states
• European Cybersecurity Implementation: Resilience – this paper focuses on resilience in cybersecurity. In the EU and associated countries, the concepts of resilience and cybersecurity are rapidly converging
• European Cybersecurity Implementation: Risk Guidance – this paper focuses on risk guidance in a cybersecurity context, and drills down into the risk management aspects of European cybersecurity
• European Cybersecurity Audit/Assurance Program – this audit/assurance program provides management with an impartial and independent assessment relating to the effectiveness of cybersecurity and related governance, management and assurance
TRANSFORMING CYBERSECURITY USING COBIT 5
Eight Key Principles:
1. Understand the potential impact of cybercrime and warfare on your enterprise.
2. Understand end users, their cultural values and their behavior patterns.
3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.
4. Establish cybersecurity governance.
5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)
6. Know the cybersecurity assurance universe and objectives.
7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)