This deliverable has been assessed by the E-CRIME Security Committee as suitable for public dissemination
FP7-SEC Grant Agreement Number
Collaborative Project

E-CRIME
The economic impacts of cybercrime

D3.1 Anti-Cybercrime technologies and best practices assessment and monitoring

Deliverable submitted in January in fulfilment of the requirements of the FP7 project, E-CRIME The economic impacts of cybercrime

This project has received funding from the European Union's Seventh Framework Programme for research, technological development and demonstration under grant agreement n

E-CRIME Coordinator: Trilateral Research & Consulting (TRI)
Crown House
72 Hammersmith Road
London 14 8 TH
T:
Project Acronym: E-CRIME
Project full title: The economic impacts of cybercrime
Website:
Grant Agreement #:
Funding Scheme: FP7-SEC
Deliverable number: D3.1
Title: Anti-Cybercrime Technologies and Best Practices assessment and monitoring
Due date: 31/01/15
Actual submission date: 31/01/15
Lead contractor: Warwick
Contact: Bil Hallaq
Authors: Collaborative Work between assigned partners of WP3
Reviewers: WWU, GCSEC
Dissemination Level: Public

Version control: Word document
Version | Action | Name | Date | Title
0.21 | To be Reviewed | BH | 25/01/ |
 | Internal Review | MC | 27/01/ |
 | Internal Sectional Review | JN | 27/01/ |
0.24 | Internal Review | PW, BH | 27/01/ |
 | Internal Review | PW | 27/01/ |
a | Merge changes and share with partner reviewer | BH | 28/01/ |
0.27 | Reviewing Partners | AC/MC/TN | 29/01/ |
 | Consolidated Comments and reviews | BH | 30/01/ |
0.31 | Internal Review | ML/MC | 30/01/15 | Final
Contents

1. Abstract
2. Executive Summary
3. Introduction
  3.1 Context
  3.2 Objectives
  3.3 Methodology
4. Applying existing cyber security classifications as criteria
  4.1 Introduction
  4.2 Security control
  4.3 Classification of security controls
    4.3.1 Theoretical approach
    4.3.2 Practical approach
  4.4 Assessment of security controls
  4.5 Review & considerations
5. Criteria for assessing anti-cybercrime technologies and best practices
  5.1 Criteria
    5.1.1 Criteria effectiveness by type of cybercrime
    5.1.2 Relevance and effectiveness of criteria to industry use
    5.1.3 Use in the stages of the cybercrime
    5.1.4 Maturity
    5.1.5 Costs
    5.1.6 Usability
    5.1.7 Impact on business processes
    5.1.8 Accuracy and resilience
    5.1.9 Impact on privacy and societal rights
    5.1.10 Ability to work within the law
    5.1.11 Level of diffusion/adoption
  5.2 Should criteria be industry specific?
Anti-cybercrime technologies
  Technological
    Authentication
      Multi-factor authentication
      Smart cards
      Secure federated identity management and relative protocols
    Access Control
      Policy modelling and enforcement (XACML)
      Semantic web for access control
    Cryptography
      TLS/SSL for web server authentication and encryption
      Signed and/or encrypted mail
      Trusted platform modules
      Homomorphic cryptography
      Quantum Key Distribution
    Other techniques
      Intrusion detection & prevention systems and security information & event management
      Semantic networks
      Secure platform for mobile applications
Best practices evaluation criteria
  Cyber security exercises
  Information security awareness training
  Sector-agnostic information security standards
  Sector-specific information security standards
  Enterprise risk management frameworks
  International information security best-practices
  Secure information sharing and analysis centres
  Application security & vulnerability testing
Pathways of cybercrime
  Data theft crime scenario
  Cyber espionage scenario
  Phishing attack scenario
  Ransomware attack scenario
Conclusion & future work
Bibliography
APPENDIX A Risk components
APPENDIX B ISO security controls
APPENDIX C NIST security controls
APPENDIX D NIST assessment procedure
APPENDIX E Security Industry Actors
APPENDIX F ISO - NIST Controls
1. Abstract

Current techniques for mitigating, preventing and recovering from cybercrime rely heavily on technologies and best practices. First, this report proposes a set of criteria to assess such anti-cybercrime technologies and industry best practices, flexible enough to be adopted by various non-ICT sector types and organisations of all sizes. These assessment approaches can also be adapted by industry and by category of crime. Finally, this document presents the findings of a second task, a desktop analysis of 20 representative examples of existing anti-cybercrime technologies and best practices. Using a mix of case studies and cyber range replication in a controlled environment, a selection of criminal journeys from WP2 (D2.3) has been explored in order to derive evaluation insights on the selected anti-cybercrime technologies and best practices. The findings are compared against the assessment criteria and presented in this report.

2. Executive Summary

The vast majority of society and industry now depends on digital communications and networked devices for tasks ranging from simple instant messaging to complex financial transactions and mission-critical activities such as national critical infrastructure controls. Our reliance on the internet and the growth of the Internet of Things (IoT) have increased our dependence on the cyber domain within a plethora of routine daily activities. This interconnectivity is a critical component in driving collaboration, productivity and innovation for industry. This positive growth has also given criminals the ability to develop new channels and take advantage of more covert platforms for their malicious activities. Criminals are finding new ways of creating technologies and taking advantage of vulnerabilities within the sometimes poorly woven cyber fabric to which we are connected.
News reports on data thefts, hacktivism, denial of service attacks and fraud perpetrated via cyber methods appear in the press daily. To combat these attacks, organisations often rely on anti-cybercrime technologies, risk management programmes and a range of best practice guidelines. However, within these there is no one-size-fits-all solution. Furthermore, defining a set of criteria by which the usefulness and efficacy of such programmes can be judged is often elusive. In this report, we first propose a robust set of criteria for evaluating anti-cybercrime technologies and best practices; this set of criteria is then assessed and deployed against a selection of 20 representative examples of such technologies and best practices. This report represents an early milestone within the E-CRIME project and is a component of identifying and developing concrete measures to manage and deter cybercrime, one of the overall objectives of this project.

3. Introduction

This work carries on from the previous findings of Work Package 2 of this project, where a general taxonomy of cybercrime was provided along with a framework and categorisation of cybercrime in non-ICT sectors, which we then used to develop perpetrator and victim journeys. As a reminder, the various types of cybercrime as defined in the DoW and further developed in Deliverable 1.2 were defined as:

Traditional crimes: those that are now cyber because they are also conducted online and make use of cyberspace as providing more opportunities for crime.
Hybrid cybercrimes: traditional crimes whose effectiveness, nature and modus operandi have significantly changed as a result of new opportunities provided by the Internet.
True cybercrimes: those consisting of opportunities created purely by the Internet and carried out only within cyberspace.
Cyber platform crimes: such as the provision of botnets, which facilitate other crimes rather than being used to extract money from victims directly.

Based on this initial definition and the initial general, cross-sector criminal journeys identified in D2.3 as key concerns for stakeholders, key examples of cybercrime related to several non-ICT industry sectors are presented in the table below.

Table 1: Non-ICT Industry related cybercrime
Traditional Crimes (now cybercrimes): Traditional fraud; Piracy; Espionage
Hybrid Cybercrimes: ID theft; Pornography; Dating Scams
True Cybercrimes: Click Fraud; Denial of service; Phishing
Platform Cybercrimes: Botnets; Hire a hacker; Illegal shops (1)

In the fight against these cybercrimes, identifying the main classes of vulnerabilities and the most effective technologies and best practices to avoid or mitigate the associated risk is crucial. To help address this, we have defined a set of evaluation criteria for analysing different aspects of these cybercrime examples, which can aid non-ICT organisations in measuring and selecting the most effective anti-cybercrime technologies and best practices for their requirements.
These proposed evaluation criteria assess, amongst other things, the maturity, effectiveness and applicability of the technologies and best practices, taking into account social aspects and regulatory differences among the EU Member States. The evaluation criteria also consider possible differences among sectors. For an industry organisation, it is important to understand how a specific technology can actually mitigate the risk associated with possible cyber-attacks. The same set of evaluation criteria is applied not only to anti-cybercrime technologies but also to best practices. 20 representative examples of technologies and best practices have been identified for the testing. Due to the rapid growth of technological solutions, considering only mature technologies may be too limited; therefore our research on technologies against cybercrime tries to look ahead to the more immediate horizon, considering emerging and promising solutions. Best practice examples represent different families of approaches. Common security standards and guidelines are considered, both the sector-agnostic (i.e. the ISO series) and the more technical ones that are usually sector-specific (such as some NIST special publications). Standards and guidelines do not completely cover the relevant best practices. For this reason the use of controlled cyber synthetic environments and consideration of growing information sharing initiatives (often sector-specific, like FS-ISAC) were included. Such activities and initiatives provide insights and foster collaboration, crucial components in the fight against cybercrime.

(1) These would include shops which may also sell counterfeit copies of products, illegitimately represent themselves as associated with an actual organisation, or maliciously clone that organisation's presence online.

3.1 Context

This work is the output of Task 3.1 in Work Package 3, which focuses on providing criteria to assess anti-cybercrime technologies and industry best practices. It builds on the journey mapping from WP2, Tasks 2.1 and 2.2, and also provides a review of existing classification approaches and/or controls used in the cyber security sector. These controls are compared and contrasted against typical existing security controls such as those laid out as part of the ISO series and those from the National Institute of Standards and Technology (NIST). An inventory of 20 representative examples of existing anti-cybercrime technologies and best practices is researched by collecting and studying technology reports and roadmaps in the field of cybercrime. Each of these technologies and best practices is evaluated according to the criteria defined. In addition, a selected number of cybercrime journeys have been mapped, based on the current output from WP2.
These are presented as case studies for the selected technologies and best practices via a mix of desktop analysis and physical mapping across a cyber-synthetic environment (cyber range). (2) Further work will continue in this area as additional journeys are provided. This work will be added as a further Appendix to this report and made available ahead of WP7, which identifies gaps and solutions for cybercrime, and WP8, which enhances sector-specific countermeasures, as both are dependent upon the output of this work. Ongoing monitoring of anti-cybercrime technologies and best practices will be reviewed during the lifetime of this project.

3.2 Objectives

The objective of this work is both to define the criteria for the assessment of existing cybercrime practices and anti-cybercrime technologies and best practices, and to assess the selected anti-cybercrime technologies and best practices via case studies. It assesses the effectiveness of these countermeasures for preventing, deterring and managing cybercrime and includes the ongoing monitoring of these countermeasures through the lifespan of the project, with a specific focus on non-ICT sectors.

(2) A cyber range is a realistic environment used for cyber warfare training, cyber resiliency testing and cyber technology development. Historically these had a military focus, to test and run simulations on cyber assets as well as to train personnel. More recently they have seen greater use across industry and critical infrastructure.
3.3 Methodology

In defining the criteria for assessing anti-cybercrime technologies and best practices, desktop analysis was carried out and direct contact was made with stakeholders and contacts from law enforcement and industry. From this a proposed set of criteria was established and then contrasted against existing security controls such as those from the ISO series and NIST. The proposed criteria were documented and then validated at the E-CRIME Workshop in Rome, January 19th-20th.

The anti-cybercrime technologies were selected after an extensive desktop analysis. While it was impossible to cover all the possibilities, these examples provide a well-rounded view of the technologies that are effectively used today, while also considering those which represent realistic possibilities of an important breakthrough in the near future. Some examples, like smart cards and TLS/SSL, are very mature and widely used technologies for protecting confidential data and providing a secure authentication method. Others, such as the semantic web, are mature technologies that have been applied within the cyber security domain only recently. Further examples, such as quantum key cryptography and homomorphic encryption, are very promising techniques that might be ground-breaking solutions once they obtain greater maturity and adoption, yet are already important to analyse and consider.

Similarly, the best practice examples have been selected to give a good perspective of how procedures, guidelines, exercises and information sharing can be as effective as technologies against cybercrime. Each example works to summarise families of best practices rather than specific ones. Both were validated at the E-CRIME Workshop in Rome, January 19th-20th. Selected criminal journeys from D2.3 were then physically replicated in a highly controlled environment (the cyber range). Through a mix of desktop analysis and testing on the cyber range, the proposed criteria were then assessed against the representative examples to evaluate their performance. The scale used for rating has been qualitatively constructed from insights coming from the desktop analysis and the results of the testing on the cyber range.

4. Applying existing cyber security classifications as criteria

4.1 Introduction

This section provides a review of classifications currently used in the cyber security sector. These are proposed to aid in developing the project's own criteria to assess anti-cybercrime technologies and best practices. This section ties the notion of anti-cybercrime technologies and best practices to the notion of security controls that is widely used in information security standards. (3) A security control, put simply, is any measure that helps to protect an entity from unwanted incidents. It can be a technical measure, e.g. a firewall that helps to protect a network from cyber-attacks; a physical measure, e.g. the restriction of physical access to an entity's premises or network; or an administrative control, e.g. courses to educate personnel not to open attachments containing potentially malicious files. The essence of anti-cybercrime technologies and best practices can thus be seen as a series of security controls.

(3) ISO, NIST, COBIT, ETSI, ENISA
4.2 Security control

Most IT security standards rely on the notion of a security control. Common definitions, used in different security standards, are provided below:

o (ISO27000) Control: measure that is modifying risk. Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk. Within this, the prime series standard that covers information security risk management is ISO27005, which can be defined as [sic] "Providing guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system defined by ISO" (ISO.ORG 2014).

o (ISACA, COBIT) Control: the means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature. Scope Note: Also used as a synonym for safeguard or countermeasure. (ISACA 2014)

o (NIST) Security Control: a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. (NIST SP800-53r4)

Security controls are usually based on the notion of risk. (4) Risk is one of the key elements of information security and in particular of security controls. Specifically, ISO/IEC is the name of the prime series standard covering information security risk management.

4.3 Classification of security controls

Before the criteria to assess security controls are defined, this section gives a brief overview of the different classifications of security controls. Although the project does not yet touch upon classification of anti-cybercrime technologies and best practices (i.e. security controls), a short insight will surely be useful.

4.3.1 Theoretical approach

Security controls can be classified in many different ways. One approach is rather theoretical (taxonomical), and it can usually be found in information security literature (Harris, Shon 2013). The categorisation in this case has a tree-like structure that aims to look at security controls from different perspectives, to aid in explaining the nature of security controls. The excerpt below provides an example of such an approach.

(4) But not in NIST's definition.
Figure 1: Categorization of Security Controls (5)

In this taxonomy security controls are divided into three types: Preventive, Detective and Corrective. The NIST security standard distinguishes between five functions: Identify, Protect, Detect, Respond and Recover. The ISHandbook (Sewell, 2009) defines three commonly accepted forms of controls:

a) Administrative: These are the laws, regulations, policies, practices and guidelines that govern the overall requirements and controls for an Information Security or other operational risk program. For example, a law or regulation may require merchants and financial institutions to protect and implement controls for customer account data to prevent identity theft. The business, in order to comply with the law or regulation, may adopt policies and procedures laying out the internal requirements for protecting this data. These requirements are a form of control. (Sewell, 2009)

b) Logical: These are the virtual, application and technical controls (systems and software), such as firewalls, anti-virus software, encryption and maker/checker application routines. (Sewell, 2009)

c) Physical: Whereas a firewall provides a "logical" key to obtain access to a network, a "physical" key to a door can be used to gain access to an office space or storage room. Other examples of physical controls are video surveillance systems, gates and barricades, the use of guards or other personnel to govern access to an office, and remote backup facilities. (Sewell, 2009)

Sewell states that all three forms are critical to the creation of an effective control environment. However, these elements do not provide clear guidance on measuring the degree to which the controls mitigate the risk. Instead, [sic] the risk model presented here utilizes an alternative set of elements that provide better means of assessing the level of mitigation: a) Preventive, b) Detective and c) Corrective.

(5) As referred to in the ISHandbook, Sewell,
Sewell goes on to state that, as well as classifying the type of control, this simple risk model also has a series of classifications on the value of that control. These are listed below: a) Effective, b) Efficient, c) Complexity, d) Access and e) Privilege.

4.3.2 Practical approach

Information security standards (7), on the other hand, usually use another approach to classify security controls. It is a more practical and goal-driven approach. ISO and NIST standards, for example, have very broad lists of security controls, which are divided into categories. The objective of such divisions is to cover all possible aspects of information security from the perspective of different entities. Examples of ISO's and NIST's groups are stated below.

4.4 Assessment of security controls

Instead of having universal criteria for assessing security controls, NIST has specific assessment criteria for every group. (8) NIST's assessment has the following characteristics: a) assessment method (examine, interview and test); b) assessment expectations (low, moderate and high); c) assessment procedure (consisting of objectives, methods and objects). An example illustrating the assessment procedure for the subgroup Malicious Code Protection (group System and Information Integrity) is given in Appendix C.

At a high level, ISO's recommendation on the assessment of security controls is that "the level of risk depends on the adequacy and effectiveness of existing controls. Questions which need to be addressed include: What are the existing controls for a particular risk? Are those controls capable of adequately treating the risk so that it is controlled to a level that is tolerable? In practice, are the controls operating in the manner intended and can they be demonstrated to be effective when required?" (ISO, 2013) Within these guidelines it is also noted that in the majority of instances "a high level of accuracy is not warranted" (9) (ISO27001, 2013).

(6) As defined under control types, control effectiveness and control limitations, ishandbook.bswell.com
(7) NIST, ISO.
(8) NIST SP800-53A (Guide for Assessing the Security Controls).
(9) ISO27001, 2013 Information security management systems Requirements

4.5 Review & considerations

As described above, two approaches to classification can, for convenience, be distinguished: theoretical and practical. To determine which better fits E-CRIME's needs and specifically Deliverable 3.1, categorisation of the type of industry actor should also be considered. As established by a consortium partner (10), there are three types of industry actors with different capabilities and incentives:

1. Security providers: actors who in principle are in a position to decide (explicitly or implicitly) about the security properties in ICT infrastructures. Typical examples: ICT industry, standard setters, infrastructure providers.
2. Security consumers: actors who depend on the security properties available in products and services offered on the marketplace. Typical examples: non-ICT companies, public institutions, individuals.
3. Security industry: specialises in selling security products and services to security providers (e.g., code review, hardening, security libraries) and to security consumers (off-the-shelf security tools, diagnostics & filters).

While such a categorisation is not codified yet, it is used within some academic circles to describe the security ecosystem. The term "security provider" might be confusing, as these are in fact all ICT providers. However, it should be stressed that ICT providers are the ones that can and need to provide security in their products. The distinction between these actors is important, because each actor applies substantially different defensive technologies and best practices, due to their varying capabilities and incentives based on their role in the value network (see Appendix E).

If the intended users of the assessment were mainly information security specialists, then a more practical approach might be preferable (similar to the NIST security standard, where specific assessment criteria are used for narrowly predefined groups of security controls). Such an example is presented in the table below.

Table 2: Security Controls
Function (NIST) (11): identify; protect; detect; respond; recover
Effectiveness (ISO): -
Adequateness (ISO): -
Information (Figure 2): confidentiality; integrity; availability
Nature (generally used): physical controls; procedural controls; technical controls; legal and regulatory or compliance controls
Limitations (Figure 2): complexity; access; privilege

(10) Prof. Dr Rainer Böhme (see Appendix E), WWU.
(11) Type on Figure 2.

However, it should also be considered that the results of this assessment will be disseminated to and used by the project stakeholders and/or those mentioned in the dissemination strategy: "decision-makers in the EU and other categories of key stakeholders and citizens" (12). Therefore it is not limited to one type of industry actor or simply to information security specialists. With these points considered, the next section proposes a set of criteria for assessing anti-cybercrime technologies and best practices that are flexible and could be applied by various industry actors (as defined in this section), organisational sizes and industry verticals.

(12) E-Crime Work Package 9

5. Criteria for assessing anti-cybercrime technologies and best practices

5.1 Criteria

5.1.1 Criteria effectiveness by type of cybercrime
a) Do they prevent a crime?
b) Do they identify a crime?
c) Do they limit the potential damage of a crime?
d) Do they successfully identify the criminal(s) (attribution)?

5.1.2 Relevance and effectiveness of criteria to industry use
Best practice guidelines and regulatory requirements are often industry-specific, and it is within these specific contexts that their relevance and efficacy are understood and appreciated. While cybercrimes may vary by industry, in some cases there is overlap between industry sectors. This should be considered when measuring the relevance and efficacy of any anti-cybercrime technologies.

5.1.3 Use in the stages of the cybercrime
a) Pre-Crime/Preventative: technologies and best practices that work to identify cybercrime before it occurs or while it is in the early planning stages.
b) During Crime: technologies and best practices which provide detection of cybercrime, with possible mitigation and/or real-time attribution.
c) Post Crime: technologies and best practices which provide the ability to successfully triage, investigate and attribute cybercrimes after they have occurred or when they are suspected (post incident). These should also include a recovery aspect (allowing the attacked systems to be restored to their original state, prior to the criminal incident). We also include in this category all the technologies and best practices that aim to increase resilience to cybercrimes.

5.1.4 Maturity
This is based directly on how long the technologies and best practices have been established and how widely they are accepted across industry or within specific industry sectors. New technologies or best practice guidelines should not be dismissed but included and balanced against more mature guidelines and technologies. The method by which weight or ranking of maturity is allocated should be considered in the context of the industry in which it is being used. For example, in industries where innovation is lacking, less mature technologies may need to be considered even if they are not presently widely adopted. Additional consideration should be given to newer technologies which may be widely adopted but have limited maturity.

5.1.5 Costs
The cost to acquire or implement the technology or best practice is a key factor. Some consideration should be given to cost effectiveness for the industry sector they relate to, as some industry sectors may have more complex business and regulatory requirements than others. Equally important are ongoing and subsequent operating costs, such as maintenance, upgrades, training and residual licence fees. Within the validation workshop (13), stakeholders commented that the link between this criterion and those in should be considered in tandem when possible and useful.

5.1.6 Usability
The level of difficulty for users and/or administrators within the industry to operate or adopt specific technologies and best practices should be taken into account before such technologies and/or practices are ultimately taken up. This ensures that users and/or administrators do not end up looking for shortcuts or ways to bypass key features or controls, thereby invalidating their efficacy.

5.1.7 Impact on business processes
It is imperative to ensure that the technology or best practice adopted, which may be effective in addressing certain issues, does not have a negative impact significant enough to directly or indirectly disrupt business processes. It is also important to ensure that they do not have a negative impact on innovation and/or generative processes within an organisation.

(13) E-Crime Workshop, January, Rome, Italy.
5.1.8 Accuracy and resilience
There are established and specific guidelines and/or frameworks which provide methodologies for testing specific technologies to ensure resilience and accuracy. In the field of digital forensics one such example is the National Institute of Standards and Technology Computer Forensic Tool Testing methodology (CFTT). This guideline provides assurance that the tools that have been tested are both accurate and resilient. By way of a different example, the accuracy of identifying attacks is a key component of an Intrusion Prevention System, and its ability to maintain fidelity during an attack is a critical part of ensuring resilience.

5.1.9 Impact on privacy and societal rights
Assessments should be made to ensure that any technologies or best practices take into account privacy and key, agreed societal rights.

5.1.10 Ability to work within the law
Anti-cybercrime technologies and best practices need to work within the laws of a given country, and ideally they need to be usable across all EU Member States without the need for modification. However, tools and best practice guidelines which are specific to certain jurisdictions should not be ruled out, as they may provide best value for crimes focused within those jurisdictions.

5.1.11 Level of diffusion/adoption
This point was specifically brought up by various stakeholders and consortium partners at the validation workshop. It was agreed that this was a critical point to include in such a set of criteria, as it is often the case that while some technologies or guidelines might meet many of the other proposed criteria, they are not widely adopted for various reasons. Reasons include a lack of awareness (amongst the relevant personnel in non-ICT organisations) of the availability of such guidelines and technologies. This is different from maturity, as not all mature technologies or best practices are widely adopted. In such cases it would be beneficial to identify and understand why such solutions are not being adopted or used.

5.2 Should criteria be industry specific?
A report released in July 2014 titled "Critical Infrastructure: Security Preparedness and Maturity", by the Ponemon Institute (sponsored by UNISYS), outlines in section 6b what respondents believe are the least effective security technologies in addressing cybersecurity threats (Ponemon, 2014). These (in order) are:
1. Web application firewalls (WAF)
2. Data Loss Prevention Systems (DLP)
3. Automated code review or debugger
4. Virtual private network (VPN)
5. Encryption of data in motion
This report documents what a specific industry (Critical Infrastructure) feels is important and not important. The views change by industry: for example, an online retailer would consider a WAF a key and highly effective part of its security infrastructure, while a remote file storage service provider would consider the encryption of data in motion a key and highly useful part of its anti-crime arsenal. Exploring this further, we can determine that cybercrimes vary by industry. Some examples of recent high-profile cybercrimes are:

Retail:
- Target Retail (2013): "the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores." (RetailFraud, 2013)
- TJMaxx Retail (2007): "...the company later learned that thieves had used the store's wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country." (infosecmaestros.com, 2014)

Finance:
- Heartland Payment Systems (2009): "...disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards." (krebsonsecurity.com, 2013)
- Japanese PostBank (2014): "...hackers target banking credentials by dropping malware when users visit popular Japanese porn-sites." (Symantec, 2014)

Media & Entertainment:
- SkyTV (2014): "...criminals sell hacked SKY boxes [sic] (which work around the encryption) at a fraction of the cost of normal sky subscription." (BBC, 2014)
- Game of Thrones (2012): "Game of Thrones is the top TV show on the internet piracy chart: Torrentfreak." (BBC, 2012)

Education:
- University of Iowa (2014): Records of current and former students were exposed due to a server breach; however, the University stated that the primary purpose of the attackers was to use the server to mine bitcoins.

These examples highlight the variance in types of crimes in different industries.
The attack vector used to commit a cybercrime against a retailer's Electronic Point of Sale (EPOS) system by placing malware is different from reverse engineering SKY TV's proprietary encryption in order to get a free or cheap service, while hijacking banking details via drive-by malware has its own attack footprint. Further supporting this point are examples of cybercrimes against supervisory control and data acquisition (SCADA) systems, for which unique technologies to prevent and mitigate attacks have been launched specifically for these environments (automationworld.com, 2014). Also to be considered is the recently reported example of Chinese barcode readers being shipped with spyware (Scharr, 2014). Additionally, there is the issue of cyber security
vulnerabilities in embedded healthcare appliances, which could potentially require different or specially created anti-crime technologies (FDA.GOV, 2013). These examples serve as a reminder that anti-cybercrime technologies are not limited to solutions which protect an enterprise's Internet-facing servers, and they build a strong case for such technologies being industry specific.

To determine this further, using a similar validation approach contrasting against traditional security controls, a review of the ISO standards is undertaken, starting with a set of industry-independent technologies and best practices and then selecting those which are industry specific. In the family of the ISO standards, for example, ISO/IEC is sector independent and sets up a general approach. Other ISO standards are sector specific:
- Telecommunication - ISO/IEC Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002;
- Financial services - Payment Card Industry Data Security Standard (PCI DSS); ISO/IEC TR Information security management guidelines for financial services;
- Health - ISO Information security management in health using ISO/IEC 27002;
- Energy utility - ISO/IEC (in preparation) Information security management guidelines based on ISO/IEC for process control systems specific to the energy utility industry.

Therefore it can be concluded that the criteria to assess them should be based on the attack vector as well as the industry, with the understanding that some industries may not need a fully separate assessment, as very similar technologies will be deployed elsewhere (e.g. Retail and Hospitality). Consolidating these, the consensus was that while some of the criteria will be general, many may be sector specific.
Therefore the recommendation is to start with a sector-specific approach, in order to identify criteria accurately and also to allow better insight into the cultural or environmental differences which are important. In any areas where overlaps have been identified, only one set of criteria is required.

Criteria for Assessing Anti-Cybercrime Technologies and Best Practices
- Effectiveness for traditional crimes (which are now cyber)
- Effectiveness for hybrid cybercrimes
- Effectiveness for true cybercrimes
- Use in the relevant stage of the cyber-crime
- Maturity
- Accuracy and resilience
- Diffusion/Adoption
- Relevance and effectiveness to the industry
- Impact on privacy and societal rights
- Ability to work within local laws (by EU member country)
- Ability to be utilised across all EU member states without the need for modification
- Usability
- Costs (initial and ongoing)
- Impact on business
Table 2: Validated Criteria

These were presented and validated at the E-Crime Workshop, January 19th-20th.

6 Anti-cybercrime technologies

The identification of existing anti-cybercrime technologies and industry best practices has been undertaken by collecting and studying technology reports and roadmaps in the field of cybercrime. This desktop analysis provides an inventory of 20 representative examples of existing technologies and related best practices which can be used against cybercrime. A description is provided, together with a short explanation of how the technologies or best practices can mitigate the security issue related to cybercrime. Moreover, each technology and best practice is evaluated according to the criteria validated in the previous section of this report and summarised below.

For clarity, three specific criteria are currently under study: Cost, Usability and Impact. The research revealed that in these three areas there is a common theme: these criteria often become subjective, depending upon the industry and the organisation's risk appetite. To determine their value, deeper analysis by the organisation would be required. In fact, the choice of a countermeasure depends strongly on the level of risk a company wants to accept and how much it is willing or able to invest in it. The deployment of an Intrusion Detection System, for example, could be cost effective and considered a key objective at board level by an organisation with a resilient and extensive IT network.
However, the same might not always be the case for organisations with an extensive level of complexity within their IT model, or even organisations of significant magnitude but less reliant on information technology, in which the cost of the countermeasure could be much higher than the likelihood and impact of an attack on the IT infrastructure. Furthermore, the solutions proposed by vendors are usually built on modules, and this creates other issues related to cost. Affordability can vary significantly by industry and even between organisations within the same industry sector. These also directly link to the impact on business. It is an established fact that risk appetite and level of affordability vary across industries and organisation sizes. There is no one-size-fits-all for these: as already clarified, factors such as topologies and enterprise structure can affect how the business perceives and evaluates cost, usability and business impact. Therefore, while these three criteria are highly relevant, they should be evaluated on a segment-by-segment or case-by-case basis. This is reflected in the comments within the findings of the following section.
Certain technologies such as firewalls, anti-virus technologies and back-up solutions were deliberately left out of the 20 representative examples, as it was agreed that the awareness and implementation of these is generally widespread. Within Section 6 Cybercrime pathways, some of them have been cited, confirming that they are still useful examples of technological countermeasures. However widely established these technologies are, it does not mean that such solutions are always configured accurately, patched regularly and monitored effectively, hence the need for incorporating best practices. Highly specific guidelines such as the Payment Card Industry Data Security Standard (PCI-DSS) or similar industry-specific guidelines were not included, in order to reflect those which could be useful across a wide range of organisations.

6.1 Technological

Authentication

Multi-factor authentication

Description
Authentication factors are usually classified as:
1. knowledge factor: something that the user knows, e.g. a secure password
2. possession factor: something that the user has, e.g. a token or a properly configured mobile device
3. inherence factor: something that the user is, e.g. a biometric characteristic such as a fingerprint or eye iris

Multi-factor authentication is an approach requiring two or more factors belonging to different classes. For example, a service can require a user to authenticate using both a password and a fingerprint. The probability that an attacker is able to provide both authentication factors is lower than that of providing only one, so this approach reduces the likelihood of false authentication. On the other hand, this approach relies on the user's ability to provide both, and it is generally less usable. As a consequence, users tend to avoid this kind of authentication for services that they perceive do not require a high level of security.
Relevance to anti-cybercrime
Multi-factor authentication combats online identity theft and fraud by adding an extra layer of verification when accessing online services and accounts. Attacks such as phishing or spyware may successfully steal the first factor; however, without the second factor the cyber-criminal cannot gain access to the account or service.

Evaluation criteria
Effectiveness for traditional crimes (which are now cyber): medium-high
Effectiveness for hybrid cybercrimes: medium-high
Effectiveness for true cybercrimes: medium-high
Use in the relevant stage of cyber-crime: Preventive
Maturity: High
Diffusion/adoption: Medium; the use of digital identities will increase year by year following the market digitalization that will require strong authentication solutions to protect digital identities (14)
Accuracy and resilience: High
Relevance and effectiveness to the industry: high (very sector-agnostic concept)
Impact on privacy and societal rights: Low
Ability to work within local laws (by EU member country): very high
Ability to be utilised across all EU member states without the need for modification: very high
Usability: not rated (under study)
Costs (initial and ongoing): not rated (under study)
Impact on business: not rated (under study)

Sector-specific remarks
Multi-factor authentication is sector-agnostic. However, it cannot be used in all contexts where authentication is necessary. This can depend on the nature of the installation: for example, systems of persistent authentication (combining standard RFID technologies with CCTV running face recognition, for example), which may equate to two-factor authentication. These are, or will be, increasingly introduced into high-value targets within the industries considered here (e.g. airports, government buildings, financial trading floors, power stations, critical infrastructure, etc.). This will not be usable in all industrial installations, but may be used in those determined to be the most critical by end-users on a sector-by-sector risk analysis.
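The knowledge and possession factors described above, combined in one server-side login check, as an added example that is not code from the E-CRIME deliverable or any of its partners: the possession factor is a time-based one-time code of the kind shown by an authenticator app on a properly configured mobile device (RFC 4226 HOTP / RFC 6238 TOTP, implemented here with the Python standard library), and the user record, password and secret are constructed for illustration; the RFC reference secret is used so the codes match the published test vectors. The point it demonstrates is the one made in the relevance paragraph: a password captured by phishing is not enough on its own.

```python
"""Added example (not from the E-CRIME deliverable): a login check requiring
both a knowledge factor (password) and a possession factor (RFC 6238 TOTP
code), standard library only. Records, passwords and secrets are constructed."""
import hashlib
import hmac
import secrets
import struct


# ---- knowledge factor: salted PBKDF2 password hash -------------------------
def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)      # constant-time compare


# ---- possession factor: HOTP (RFC 4226) and TOTP (RFC 6238) ----------------
def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """The code an authenticator app would display at Unix time `at_time`."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, window=1):
    """Accept the current code or one time step either side (clock drift).
    A production service would additionally refuse to accept a code twice."""
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift)
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            return True
    return False


# ---- enrolment and login combining both factors -----------------------------
def enrol(password, totp_secret=None):
    """Constructed user record: password hash plus the shared TOTP secret.
    The server must protect the TOTP secret as carefully as a private key."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest,
            "totp_secret": totp_secret if totp_secret else secrets.token_bytes(20)}


def login(record, password, code, at_time):
    """Both factors must pass; a phished password alone yields False."""
    knowledge_ok = verify_password(password, record["salt"], record["pw_hash"])
    possession_ok = verify_totp(record["totp_secret"], code, at_time)
    return knowledge_ok and possession_ok


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"      # RFC 6238 reference secret
    alice = enrol("correct horse battery staple", rfc_secret)
    now = 59                                  # fixed time for a reproducible run
    print("device shows:", totp(rfc_secret, now))
    print("password + code:", login(alice, "correct horse battery staple", "287082", now))
    print("phished password only:", login(alice, "correct horse battery staple", "000000", now))
    print("code without password:", login(alice, "guess", "287082", now))
```

Only the salted hash and the TOTP secret are stored server-side, so the knowledge factor is never kept in clear; the drift window of one step trades a little guessing margin for tolerance of unsynchronised device clocks, which is the usability cost the text mentions.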
Smart cards

Description
Smart cards are pocket-sized cards with an embedded microchip that can store large amounts of data, encrypt data and communicate with other devices. In particular, they can store secret keys and present various tamper-proof characteristics. The computational capabilities of smart cards allow them to perform computations using the secret keys without the need to extract them, thereby enabling cryptographic mechanisms suitable for different security services, such as data origin authentication and confidentiality, to be used.

Relevance to anti-cybercrime
Smart cards combat cybercrime in a number of ways, including:
- automatically encrypting the data transferred in an online transaction to prevent tampering;
- providing extra sources of verification, such as encrypted card identifiers and unique PINs, to increase the difficulty of committing identity theft and fraud;
- providing a possession-factor token for secure authentication;
- providing a sophisticated but simple-to-use device able to hold the digital signature keys and the related cryptographic algorithm;
- providing a platform that can be customised to provide secure services for different sectors, electronic payments and mobile communication being the best known examples.

Evaluation criteria
Effectiveness for traditional crimes (which are now cyber): medium-high
Effectiveness for hybrid cybercrimes: medium-high
Effectiveness for true cybercrimes: medium-high
Use in the relevant stage of the cyber-crime: Preventive
Maturity: high
Diffusion/adoption: high in some sectors (electronic payment, mobile communications); NFC and contactless technologies contribute to the adoption of smart cards in different contexts, e.g. as access tokens to office buildings or even hotel rooms or houses
Accuracy and resilience: High
Relevance and effectiveness to the industry: High
Impact on privacy and societal rights: very low
Ability to work within local laws (by EU member country): very high
Ability to be utilised across all EU member states without the need for modification: very high (15)
Usability: not rated (under study)
Costs (initial and ongoing): not rated (under study)
Impact on business: not rated (under study)

Sector-specific comments
The banking sector has been using smart cards for several years. Credit cards and ATMs are now based around smart cards and provide a good payment platform, supported by detailed standards adopted by all the major e-payment companies. Telco operators have been using smart cards to authenticate users and encrypt their voice traffic since the adoption of GSM. The flexibility of smart cards, their tamper-proof characteristics and their ease of use make smart cards suitable for a plethora of uses across different sectors.

(15) Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) provides a regulatory environment to enable secure and seamless electronic interactions. This regulation will allow European citizens to be identified in each country through the national digital identity they have (one solution is the smart card).

Secure federated identity management and related protocols

Description
Most web applications and services require a user authentication phase in order to identify the user and then provide the services according to his/her access rights. This requires a system able to manage the identity of the users and the related information. Originally each service provider used to have its own identity management system, but more recently large corporations such as Facebook and Google have provided identity management as a service for other service providers. Federated identity management systems are currently based on standard protocols such as SAML and OAuth. These protocols provide a way for a service provider to delegate the authentication of the user to the third party and to request particular information about the user from it.

Relevance to anti-cybercrime
Standard technologies for identity management enable service providers to avoid handling customer data. This means that they are less attractive targets for attacks. The adoption of a proper identity management system increases the security level of authentication, because the available solutions are well studied and mature. Moreover, if the identity provider is a well trusted entity, like national public administrations and governments, a service provider that delegates user authentication to such an identity provider receives reliable information about users.

Evaluation criteria
Effectiveness for traditional crimes (which are now cyber): High
Effectiveness for hybrid cybercrimes: High
Effectiveness for true cybercrimes: High
Use in the relevant stage of the cyber-crime: preventive
Maturity: medium-high
Diffusion/adoption: It depends on the sector. Web services are increasingly adopting third-party identity management (typically Google and Facebook account authentication). A federated multi-national identity management system, providing strong authentication of strong identities for tax/legal/administrative services for citizens, is not yet available.
Accuracy and resilience: medium-high
Relevance and effectiveness to the industry: High
Impact on privacy and societal rights: Potential to be high. An assessment should be done case-by-case. Privacy is a relevant issue.
Ability to work within local laws (by EU member country): National and international regulations are still limited in their scope and reach across industry and borders. Federated digital identity management is the subject of different e-government and public service initiatives. Belgium and Estonia seem the most advanced EU member states on this subject. EU projects like STORK (16) and similar initiatives provide research and development effort in order to reach agreed and secure technologies and platform
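The delegation described in the federated identity section, as an added example that is not code from the E-CRIME deliverable or from any SAML or OAuth implementation: an identity provider checks the user's password and issues a signed assertion, and the service provider never touches the password but accepts the user only after validating the assertion. The HMAC-signed "body.signature" token is a deliberately simplified stand-in for a SAML assertion or OpenID Connect ID token (it is assumed here, not taken from either specification), and the issuer names, host names, users and keys are all constructed. What it shows is which checks make the arrangement safe for the service provider: signature from a trusted issuer, audience bound to this provider, and a validity window.

```python
"""Added example (not part of the E-CRIME deliverable): a simplified federated
login. The IdP verifies the password and issues a signed assertion; the SP
never sees the password and only validates the assertion. The HMAC-signed
"body.signature" token stands in for a SAML assertion or OIDC ID token; all
users, keys and host names are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    def __init__(self, issuer, signing_key):
        self.issuer = issuer
        self.signing_key = signing_key
        self._users = {}   # username -> (salt, PBKDF2 digest); never shared with any SP

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._kdf(password, salt))

    def _check_password(self, username, password):
        if username not in self._users:
            return False
        salt, digest = self._users[username]
        return hmac.compare_digest(self._kdf(password, salt), digest)

    def issue_assertion(self, username, password, audience, now, ttl=300):
        """Authenticate; on success return an assertion bound to one SP (aud)
        and to a short validity window (iat/exp)."""
        if not self._check_password(username, password):
            return None
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl}
        body = b64url(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
        return body + "." + b64url(sig)


class ServiceProvider:
    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        self.trusted_issuers = trusted_issuers   # issuer name -> verification key

    def validate(self, token, now):
        """Return the claims only if the assertion is signed by a trusted issuer,
        addressed to this SP and inside its validity window; otherwise None."""
        try:
            body, sig = token.split(".")
            claims = json.loads(b64url_decode(body))
            signature = b64url_decode(sig)
        except ValueError:          # wrong segment count, bad base64 or bad JSON
            return None
        if not isinstance(claims, dict):
            return None
        # Nothing in `claims` is trusted until the signature checks out; the
        # issuer name is read only to select which key to verify with.
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        if claims.get("aud") != self.audience:   # minted for a different SP
            return None
        exp, iat = claims.get("exp"), claims.get("iat")
        if not (isinstance(exp, int) and isinstance(iat, int) and iat <= now < exp):
            return None
        return claims


def demo(now=1_700_000_000):
    """Constructed scenario: one trusted IdP, one SP, and a look-alike IdP that
    uses the same issuer name but does not hold the trusted key."""
    idp_key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.example", idp_key)
    idp.register("alice", "alice-secret")
    shop = ServiceProvider("https://shop.example", {"https://idp.example": idp_key})

    good = idp.issue_assertion("alice", "alice-secret", "https://shop.example", now)
    for_bank = idp.issue_assertion("alice", "alice-secret", "https://bank.example", now)
    rogue = IdentityProvider("https://idp.example", secrets.token_bytes(32))
    rogue.register("alice", "whatever")
    forged = rogue.issue_assertion("alice", "whatever", "https://shop.example", now)

    return {
        "wrong_password_refused": idp.issue_assertion("alice", "guess", "https://shop.example", now) is None,
        "valid_assertion_accepted": shop.validate(good, now)["sub"] == "alice",
        "other_audience_rejected": shop.validate(for_bank, now) is None,
        "expired_rejected": shop.validate(good, now + 600) is None,
        "forged_signature_rejected": shop.validate(forged, now) is None,
        "garbage_rejected": shop.validate("not.a.token", now) is None,
    }
```

The service provider stores no credentials at all, which is the "less attractive target" property the text describes; the audience check is what stops an assertion obtained for one relying party from being replayed at another, and the trusted-issuer table is where the page's point about relying on a well trusted identity provider becomes a concrete configuration decision.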
Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationRSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief
RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The
More informationEnterprise Cybersecurity: Building an Effective Defense
: Building an Effective Defense Chris Williams Scott Donaldson Abdul Aslam 1 About the Presenters Co Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationThe Impact of Cybercrime on Business
The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted
More informationUnit 3 Cyber security
2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationCyber Security Strategy
NEW ZEALAND S Cyber Security Strategy 2015 A secure, resilient and prosperous online New Zealand Ministerial Foreword The internet and technology have become a fundamental element in our lives. We use
More informationfuture data and infrastructure
White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal
More informationThe SMB Cyber Security Survival Guide
The SMB Cyber Security Survival Guide Stephen Cobb, CISSP Security Evangelist The challenge A data security breach can put a business out of business or create serious unbudgeted costs To survive in today
More informationBellevue University Cybersecurity Programs & Courses
Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320
More informationStrategic Plan On-Demand Services April 2, 2015
Strategic Plan On-Demand Services April 2, 2015 1 GDCS eliminates the fears and delays that accompany trying to run an organization in an unsecured environment, and ensures that our customers focus on
More informationOver 20 years experience in Information Security Management, Risk Management, Third Party Oversight and IT Audit.
CYBERSECURITY: ISSUES AND ISACA S RESPONSE June 2014 BILL S BIO Over 20 years experience in Information Security Management, Risk Management, Third Party Oversight and IT Audit. Vice President Controls
More informationCybersecurity Enhancement Account. FY 2017 President s Budget
Cybersecurity Enhancement Account FY 2017 President s Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationInformation Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
More information---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---
---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of
More informationThe Cancer Running Through IT Cybercrime and Information Security
WHITE PAPER The Cancer Running Through IT Prepared by: Richard Brown, Senior Service Management Consultant Steve Ingall, Head of Consultancy 60 Lombard Street London EC3V 9EA T: +44 (0)207 464 8883 E:
More informationThe SQL Injection Threat & Recent Retail Breaches
The SQL Injection Threat & Recent Retail Breaches Sponsored by DB Networks Independently conducted by Ponemon Institute LLC Publication Date: June 2014 1 Part 1. Introduction The SQL Injection Threat &
More information(Instructor-led; 3 Days)
Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of
More informationIntroduction to Cyber Security / Information Security
Introduction to Cyber Security / Information Security Syllabus for Introduction to Cyber Security / Information Security program * for students of University of Pune is given below. The program will be
More informationStrategic Platforms Information Security 2014
Strategic Platforms Information Security 2014 -------------------------- Data Mining for security process monitoring New authentication mechanism for System Information Call for «Expression of Interest»
More informationOpinion and recommendations on challenges raised by biometric developments
Opinion and recommendations on challenges raised by biometric developments Position paper for the Science and Technology Committee (House of Commons) Participation to the inquiry on Current and future
More informationInformation Security Summit 2005
Information Security Summit 2005 Forensically Sound Information Security Management in a Risk Compliance Era Keynote Opening Address by Mr. Howard C Dickson Government Chief Information Officer Government
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationCyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013
Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationCPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS
CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access
More informationOCR LEVEL 3 CAMBRIDGE TECHNICAL
Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY
More information08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview
Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data
More informationIdentity: The Key to the Future of Healthcare
Identity: The Key to the Future of Healthcare Chief Medical Officer Anakam Identity Services July 14, 2011 Why is Health Information Technology Critical? Avoids medical errors. Up to 98,000 avoidable hospital
More informationHow to ensure control and security when moving to SaaS/cloud applications
How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk
More informationWHITE PAPER. How to simplify and control the cardholder security environment
WHITE PAPER How to simplify and control the cardholder security environment Document Version V1-0 Document Set: QCC Information Security Prepared By Nick Prescot - QCC Information Security Ltd Sponsored
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationCYBER SECURITY GUIDANCE
CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires
More informationDid you know your security solution can help with PCI compliance too?
Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment
More informationSECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
More information