CYBERSECURITY NEXUS CSX. 15 October 2014 ISACA Winchester Chapter


(1)

CYBERSECURITY NEXUS – CSX

(2)

INTRODUCTION

Career

• International Brewer, various roles (1991-1996)
• KPMG, IT Risk Service Line Leader (1996-2012)
• Betfair, Head of Governance, Risk & Assurance (2012-2014)
• Vodafone, Technology Risk, Compliance and Assurance Leader (2014..)

ISACA involvement – past and present

• RiskIT TF, COBIT 5 TF, Cloud Computing TF, Framework Committee Chair
• COBIT 5 for Risk TF Chair, COBIT Growth Strategy TF
• International Vice President, SAC Member, Knowledge Board Chair

Steven Babb

[email protected]

(3)

ABOUT ISACA

“Trust in, and value from, information systems”

Global association serving 115,000 IT security, assurance, governance and risk professionals

Established in 1969

Members in 180 countries

200+ chapters

Established the COBIT framework

(4)

AGENDA

“CSX is helping shape the future of cybersecurity through cutting-edge thought leadership, as well as training and certification programs. It gives cybersecurity professionals a smarter way to keep organizations and their information more secure.

With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry. Because Cybersecurity Nexus is at the centre of everything that’s coming next...”

• The evolving security landscape – the driver for change
• How do I respond
• Cybersecurity Nexus
• Questions

(5)

THE EVOLVING SECURITY LANDSCAPE – THE DRIVER FOR CHANGE

(6)

12 JANUARY 2010... THE WORLD CHANGED

12 January 2010...

Google honourably disclosed to the world that it had been a victim of modern malware. It was soon discovered that Google was one of more than 20 companies successfully targeted by a well organized and coordinated effort to gain access to sensitive systems and information.

Companies targeted were within a range of industries, including the financial, technology and chemical sectors.

(7)

HEARTBLEED

Source: http://heartbleed.com/

Watch the video here on Heartbleed: https://www.youtube.com/watch?v=8oI_laHhGjE

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

(8)

SHELLSHOCK

Shellshock is the name given to a security vulnerability in the Bash "shell," or command-line user interface, first made public on 24 September 2014.

Like other shells, Bash translates the text-based commands that power users type into command-line interfaces — such as Terminal in Apple OS X or Command Prompt in Microsoft Windows — into languages that computers can understand. Bash is the default shell in OS X and many varieties of Linux, but, except for specialized software, does not run in Windows.

Shellshock is a quirk in Bash that could let an attacker remotely replace environment variables in Bash with functions, or actual commands, which the computer would carry out without verification.

The computers and devices most vulnerable to Shellshock are those that "listen" to the Internet for commands from other computers. For example, a Web server, which constantly gets document requests from Web clients.
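As an added example (not from the slides or from ISACA), here are the two local self-checks a defender would run on their own hosts for the bugs described on the Heartbleed and Shellshock slides above, written in POSIX shell. It assumes `openssl` and `bash` may or may not be on PATH (the functions report "unknown" and "no-bash" when they are absent); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original slides: two host-local self-checks.

# Heartbleed: classify an "openssl version" string against the upstream
# affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g).
# Caveat: distributions backport fixes without bumping the version letter
# (e.g. a patched "1.0.1e-fips" build), so "vulnerable" here means
# "verify against the package changelog", not a confirmed exposure.
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)     echo "vulnerable" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|[23].*)  echo "fixed" ;;
        0.9.*|1.0.0*)                     echo "not-affected" ;;
        *)                                echo "unknown" ;;
    esac
}

# Shellshock: export a harmless function definition with a trailing command
# through the environment and see whether this host's bash executes the
# trailing command while importing the function. A patched bash prints only
# the probe line; an unpatched one also prints the marker.
shellshock_status() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Constructed version strings, then the live host.
for v in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
         "OpenSSL 1.0.2-beta1 24 Feb 2014" "OpenSSL 1.0.0l 6 Jan 2014"; do
    echo "$v -> $(heartbleed_version_status "$v")"
done
echo "installed openssl -> $(heartbleed_version_status "$(openssl version 2>/dev/null)")"
echo "local bash shellshock -> $(shellshock_status)"
```

A "vulnerable" verdict from the version check on a distribution build should be confirmed against the package changelog before raising it, since backported patches keep the old version letter.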

(9)

BECOMING ALL TOO COMMON...

Email addresses and other contact information stored at the European Central Bank (ECB) have been stolen, the organization confirmed on Thursday.

Security that protects a database serving its public website has been breached, it said in a statement published on its website, meaning users registering for information on conferences and visits at the ECB have been compromised.

It stated that no "internal systems or market-sensitive" information had been part of the data theft, as these were physically separate from the compromised data.

"The theft came to light after an anonymous email was sent to the ECB seeking financial compensation for the data. While most of the data were encrypted, parts of the database included email addresses, some street addresses and phone numbers that were not encrypted," the central bank said.

Users whose information might be part of the breach are in the process of being contacted, the ECB said, and advised that all passwords on the system have been changed as a precaution.

The bank is just the latest in a long line of companies and public bodies that have experienced a breach. In May, eBay admitted that hackers had attacked its network and accessed some 145 million user records. It now faces an investigation in the US and UK.

(10)

ADVANCED PERSISTENT THREATS

ADVANCED, STEALTHY AND CHAMELEON-LIKE in their adaptability, APTs were once thought to be limited to attacks on government networks

APTs can happen to any enterprise

Repeated pursuit of objectives, adaptation and persistence differentiate APTs from a typical attack

Primarily, the purpose of the majority of APTs is to extract information from systems – this could be critical research, enterprise intellectual property or government information, among other things

APT DEFINITION

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives”

(11)

BECOMING ALL TOO COMMON...

The Pitty Tiger APT has been targeting telcos, defence companies and at least one government in a cyber-espionage campaign that relies on spear phishing and malware preying on vulnerabilities in Microsoft Office.

In a new whitepaper, security experts at Airbus Defence & Space Cybersecurity Unit detail how the APT has been undetected since at least 2011 and say that its operators have been reliant on an assortment of different malware, including some developed exclusively by the threat actor.

Instead of looking to exploit any zero-day vulnerability, the group relies “extensively” on spear phishing, malware and vulnerabilities existing on older versions of Microsoft Office as well as the Heartbleed bug, which continues to affect some 300,000 open-source web servers worldwide.

The campaign apparently starts with a phishing email, with one example promising a holiday along with a Microsoft Office Word attachment. Airbus admits that this is “amateur” – with the attached Word file infecting the computer with malware, while others relied on an older vulnerability, which affected MS Office versions 2003 through to 2010, SQL Server and other popular enterprise software applications.

The report's authors are in little doubt that the group behind the APT is not state-sponsored, despite China being the likely origin of the group. “They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.”

(12)

ISACA APT SURVEY – JULY 2014

• 92% say APTs pose a credible threat to national security or economic stability
• 1 in 5 have experienced an APT attack
• 63% believe it is only a matter of time before their business is targeted
• The majority of survey takers – up to 60% – believed that they have the ability to identify, respond to and stop a successful APT attack
• Up to 82% of survey takers have not updated their agreements with vendors who provide protection against APT
• 67% reported that they haven’t held any APT awareness training programs for their employees

(13)

ISACA STUDENT SURVEY – APRIL 2014

• The majority of ISACA’s student members (88%) plan to work in a field requiring cybersecurity knowledge
• 57% said their University did not offer cybersecurity courses
• Fewer than half say they will have adequate skills for the job
• 74% plan to pursue a cybersecurity related certificate

(14)

HOW DO I RESPOND

(15)

YOU NEED TO BE ON THE OFFENSIVE

• Traditional prevention and detection is not enough: you need to move from defensive to offensive
• Governments cannot prevent intrusions
• Data loss is inevitable
• Attacks will continue
• Companies often breached for years
• New approaches required

Source: http://booksonwaraustralia.com/battle-vietnam-history-

(16)

IF YOU HAVE IP YOU ARE A TARGET!

• Assume you are breached
• Prepare for the inevitable
• Start planning
• Define your “Win”
  • Delay the ‘Threat’ from reaching its goal
  • Minimize the loss
  • Improvise as you go along
  • Are your approaches outdated? If so review and revise!

(17)

WHAT DO I DO?

•Build a team

•Establish key relationships

•Inventory Existing Technologies

•Standardize the Investigation Process

•Training and Governance

•Establish Critical Capabilities

Source: http://www.cascadestrategy.com/wp-content/uploads/2012/10/Strategy-Small1.jpg

(18)

CYBERSECURITY NEXUS

(19)
(20)

WHAT IS IT?

With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry

• Join a global community of more than 115,000 professionals, innovators and thought leaders – Professional and Student membership
• Enhance your cybersecurity knowledge and skills at our global conferences, workshops and training events
• Find the latest research and expert thinking on standards, best practices, emerging trends and beyond
• Secure recognition for your expertise. Our globally accepted certifications help advance skills and careers

(21)

WHAT IS IT?

• Cybersecurity Fundamentals knowledge certificate – available now – knowledge-based exam for those with 0 to 3 years’ experience
• Foundational level covers five domains:
  • Cybersecurity concepts
  • Cybersecurity architecture principles
  • Security of networks, systems, applications and data
  • Incident response
  • Security of evolving technology
• Online exam. Results are shared immediately, and those who pass receive a certificate
• The content aligns with the US NICE framework and the Skills Framework for the Information Age (SFIA) and was developed by a team of cybersecurity professionals from around the world. The team is involved in all areas of development through content contribution and subject matter expert reviews

(22)

WHAT IS IT?

•Professional membership

• Membership for IT Audit, Security, Governance and Risk Professionals

•Student membership

• ISACA student members join a community of students from more than 300 universities worldwide. ISACA student members major in a variety of areas including:

• Information systems, Business administration, Accounting, Information technology, Engineering and Computer science

• Student membership provides the knowledge and tools to develop your professional identity. You'll make connections with people who work in your target field, plus those who hire for the positions you seek

“ISACA has consistently maintained a standard that will continue to be a lever for anyone that wants to meet the challenges of the changing world of IT.”

“It is the best professional membership I have in terms of value for money.”

“Hands down the best association I have ever been involved in – very affordable, valuable information. ISACA magazine (the ISACA Journal) and webinars are my most valuable sources of information.”

(23)

WHAT IS IT?

• Conferences
  • Euro CACS / ISRM + Global CyberLympics Finals
  • North America ISRM, Latin CACS / ISRM
• Webinars
  • Self-Defense Strategies to Thwart Cloud Intruders: Keep Your Data Safe in the Cloud
  • Breaches: A Risk-Based Approach to Identification, Impact Estimation and Effective Remediation
• Virtual Conferences
  • Full-day educational events, presented online. The virtual event consists of an exhibit hall, conference hall, networking lounge and resource center
  • Archived – Mobile Security: Overcoming Obstacles, Reducing Risk
  • 9 December – Cloud Security
• Workshops
  • Cybersecurity Fundamentals Workshop
• ISACA was the exclusive host sponsor of the Global CyberLympics World Finals, held in conjunction with the first day of the EuroCACS/ISRM 2014
• Global CyberLympics is an international online cybersecurity competition dedicated to finding the top computer network defense teams. Global CyberLympics tests the skills of information security and assurance professionals in teams of 4 to 6 people in areas including:
  • Ethical hacking
  • Computer network defense

(24)

WHAT IS IT?

• Articles from ISACA Journal
• Cybersecurity Blog Posts – The CSX Newsroom
• White Papers & Publications
  • European Cybersecurity Implementation Series
  • Cybersecurity Fundamentals Study Guide**
  • Cybersecurity: What the Board of Directors Needs to Ask
  • Implementing the NIST Cybersecurity Framework*
  • Responding to Targeted Cyberattacks*
  • Transforming Cybersecurity*
  • Advanced Persistent Threats: How To Manage the Risk To Your Business*
  • Advanced Persistent Threat Awareness Study Results

*PDF is free to members; non-members may purchase PDF
**Available for purchase

(25)

AVAILABLE NOW

• Cybersecurity Fundamentals Certificate and study guide
• Implementing the NIST Cybersecurity Framework Using COBIT 5
• European Cybersecurity Implementation Series
• Transforming Cybersecurity Using COBIT 5
• Responding to Targeted Cyberattacks
• Advanced Persistent Threats: Managing the Risks to Your Business
• 2014 APT Awareness Study
• Cybersecurity webinars and conference tracks (six-part webinar series)
• Cybersecurity Knowledge Center community

COMING SOON

• Cybersecurity practitioner-level certification (first exam: 2015)
• Cybersecurity training courses (November 2014)
• SCADA guidance
• Digital forensics guidance

(26)

CAREER PATH

0-3 years: Cybersecurity Fundamentals Certificate

No experience required, must pass knowledge-based exam

3-5 years:

Cybersecurity practitioner-level certification

Coming in mid-2015

5+ years:

Certified Information Security Manager certification

(27)

• Among the resources also coming from ISACA this month are:
  • Two free webinars:
    • Why Implement the NICE Cybersecurity Workforce Framework?
    • Data-centric Audit and Protection: Reducing Risk and Improving Security Posture
  • A cybersecurity Twitter chat on 22 October with ISACA International President Rob Stroud and International Vice President Ramsés Gallego
  • Two cybersecurity training courses:
    • Implementing the NIST Cybersecurity Framework Using COBIT 5
    • COBIT 5 for Security Assessors
  • Cybersecurity Teaching Materials
  • Cybersecurity Student Handbook

http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?utm_campaign=ISACA+Main&cid=sm_1104943&utm_content=1413225083&utm_source=googleplus&utm_medium=social&appeal=sm&ID=450

(28)

EUROPEAN CYBERSECURITY IMPLEMENTATION SERIES

• Cybersecurity is emerging to address increases in cybercrime and, in some instances, cyberwarfare

• Factors contributing to the need for improved cybersecurity include: ubiquitous broadband, IT-centric business and society, and social stratification of IT skills. To address cybercrime, many governments and institutions launched cybersecurity initiatives, ranging from guidance, through standardisation, to comprehensive legislation and regulation

• ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice

• Available now!

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/European-Cybersecurity-Implementation-Series.aspx

(29)

EUROPEAN CYBERSECURITY IMPLEMENTATION SERIES

European Cybersecurity Implementation: Overview – a high-level overview of implementing cybersecurity in line with existing laws, standards and other guidance

European Cybersecurity Implementation: Assurance – this paper focuses on assurance in cybersecurity. In Europe, cybersecurity assurance is an integral part of the internal system of controls that was introduced by EU directive, and implemented subsequently as statutes in the member states

European Cybersecurity Implementation: Resilience – this paper focuses on resilience in cybersecurity. In the EU and associated countries, the concepts of resilience and cybersecurity are rapidly converging

European Cybersecurity Implementation: Risk Guidance – this paper focuses on risk guidance in a cybersecurity context, and drills down into the risk management aspects of European cybersecurity

European Cybersecurity Audit/Assurance Program – this audit/assurance program provides management with an impartial and independent assessment relating to the effectiveness of cybersecurity and related governance, management and assurance

(30)

TRANSFORMING CYBERSECURITY USING COBIT 5

Eight Key Principles:

1. Understand the potential impact of cybercrime and warfare on your enterprise.
2. Understand end users, their cultural values and their behavior patterns.
3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.
4. Establish cybersecurity governance.
5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)
6. Know the cybersecurity assurance universe and objectives.
7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)

(31)

THANK YOU

For more information: www.isaca.org/cyber
