D3.1 Anti-Cybercrime technologies and best practices assessment and monitoring

Size: px
Start display at page:

Download "D3.1 Anti-Cybercrime technologies and best practices assessment and monitoring"

Transcription

1 FP7-SEC Grant Agreement Number Collaborative Project E-CRIME The economic impacts of cybercrime D3.1 Anti-Cybercrime technologies and best practices assessment and monitoring Deliverable submitted in January in fulfilment of the requirements of the FP7 project, E-CRIME The economic impacts of cybercrime This project has received funding from the European Union s Seventh Framework Programme for research, technological development and demonstration under grant agreement n E-CRIME Coordinator: Trilateral Research & Consulting (TRI) Crown House 72 Hammersmith Road London 14 8 TH T:

2 Project Acronym Project full title Website E-CRIME Grant Agreement # Funding Scheme Deliverable number: D3.1 The economic impacts of cybercrime FP7-SEC Title Anti-Cybercrime Technologies and Best Practices assessment and monitoring Due date: 31/01/15 Actual submission date: 31/01/15 Lead contractor: Contact: Warwick Bil Hallaq Authors: Collaborative Work between assigned partners of WP3 Reviewers: WWU GCSEC Dissemination Level: Restricted (to be decided by Security Committee) Version control: Word document Version Action Name Date Title 0.21 To be Reviewed BH 25/01/ Internal Review MC 27/01/ Internal JN 27/01/ Sectional Review 0.24 Internal Review PW, BH 27/01/ Internal Review PW 27/01/ a Merge changes and BH 28/01/ share with partner reviewer 0.27 Reviewing Partners AC/MC/TN 29/01/ Consolidated Comments BH 30/01/ and reviews 0.31 Internal Review ML/MC 30/01/15 Final 2

3 Contents 1. Abstract Executive Summary Introduction Context Objectives Methodology Applying existing cyber security classifications as criteria Introduction Security control Classification of security controls Theoretical approach Practical approach Assessment of security controls Review & considerations Criteria for assessing anti-cybercrime technologies and best practices Criteria Criteria effectiveness by type of cybercrime Relevance and effectiveness of criteria to industry use Use in the stages of the cybercrime Maturity Costs Usability Impact on business processes Accuracy and resilience Impact on privacy and societal rights bility to work within the law Level of diffusion/adoption Should criteria be industry specific? Anti-cybercrime technologies Technological

4 6.1.1 Authentication Multi-factor authentication Smart cards Secure federated identity management and relative protocols Access Control Policy modelling and enforcement (XACML) Semantic web for access control Cryptography TLS/SSL for web server authentication and encryption Signed and/or encrypted mail Trusted platform modules Homomorphic cryptography Quantum Key Distribution Other techniques Intrusion detection & prevention systems and security information & event management Semantic networks Secure platform for mobile applications Best practices evaluation criteria Cyber security exercises Information security awareness training Sector-agnostic information security standards Sector-specific information security standards Enterprise risk management frameworks International information security best-practices Secure information sharing and analysis centres Application security & vulnerability testing Pathways of cybercrime Data theft crime scenario Cyber espionage scenario Phishing attack scenario Ransomware attack scenario Conclusion & future work Bibliography

5 APPENDIX A Risk components APPENDIX B ISO security controls APPENDIX C NIST security controls APPENDIX D NIST assessment procedure APPENDIX E Security INdustry Actors APPENDIX F ISO - NIST ConTrols

6 1. Abstract Current techniques of mitigating, preventing and recovering from cybercrimes rely heavily on the use of technologies and best practices. First, this report proposes a set of criteria to assess such anticybercrime technologies and industry best practices, which are flexible enough to be adopted for various Non-ICT sector types and all sizes of organisations. These assessment approaches can also be adapted by industries and categorisation of crimes. Finally, this document also presents the findings of a second task, which was a desktop analysis of 20 representative examples of existing anticybercrime technologies and best practices. Using a mix of case studies and cyber range replication in a controlled environment a selection of criminal journeys from WP2 (D2.3) have been explored in order to derive evaluation insights on the selected anti-cyber crime technologies and best practices. The appropriate findings are compared against the assessment criteria and presented in this report. 2. Executive Summary Vast majorities of society and industry are now dependent on digital communications and networked devices for tasks, ranging from simple instant messaging to complex financial transactions and mission critical activities such as national critical infrastructure controls. Our reliance on the internet and the growth of the Internet of Things (IoT) has increased our reliance on cyber domain within a plethora of routine daily activities. This interconnectivity is a critical component for driving collaboration, productivity and innovation for industry. This positive growth has also provided criminals the ability to develop new channels and take advantage of more covert platforms for their malicious activities. Criminals are finding new ways of creating technologies and take advantage of vulnerabilities within the sometimes poorly woven cyber fabric that we are connected to. News reports on data thefts, hacktivism, denial of service attacks and fraud perpetrated via cyber methods are in the press daily. In order to combat these attacks, organisations often rely on anti-cybercrime technologies, risk management programs and a range of best practice guidelines. However within these there is no one size fits all. Furthermore, defining a set of criteria in which the usefulness and efficacy of such programmes is often elusive. Within this report, we initially suggest a robust set of criteria for evaluating anti-cybercrime technologies and best practices, then such a set of criteria is assessed and deployed against a selection of 20 representative examples of such anti-cybercrime technologies and best practices. This report represents an early milestone within the E-CRIME project and is a component of identifying and developing concrete measures to manage and deter cybercrime, one of the overall objectives of this project. 3. Introduction This work carries on from the previous findings from Work Package 2 of this project, where a general taxonomy of cybercrime was provided along with a framework and categorisation of cybercrime in non-ict sectors, which we then used to develop perpetrator and victim 6

7 journeys. As a reminder, the various types of cybercrime as defined in the DoW and further developed in Deliverable 1.2 were defined as; Traditional crimes: Those that are now cyber because they are also conducted online and makes uses of cyberspace as providing more opportunities for crime. Hybrid cybercrimes: Those which are traditional crimes whose effectiveness, nature and modus operandi have significantly changed as result of new opportunities provided by the Internet. True cybercrimes: Those consisting of opportunities created purely by the Internet and carried out only within cyberspace. Cyber platform crimes: Such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. Based on this initial definition and the initial general, cross-sector criminal journeys identified in D2.3 as key concerns for stakeholders, key examples of cybercrime related to several e non-ict industry sectors are presented in the table below. Traditional Crimes (now cybercrimes) Hybrid Cybercrimes True Cybercrimes Platform Cybercrimes Traditional fraud ID theft Click Fraud Botnets Piracy Pornography Denial of service Hire a hacker Espionage Dating Scams Phishing Illegal shops 1 Table 1: Non-ICT Industry related cybercrime In the fight against these defined cybercrimes the identification of the main classes of vulnerabilities and the most effective technologies and best practices to avoid or mitigate the associated risk is crucial. To help toward addressing this, we have defined a set of evaluation criteria, in order to analyse different aspects of these cybercrime examples, which can aid Non-ICT organisations measure and select the most effective anti-cybercrime technologies and best practices for their requirements. These proposed evaluation criteria assess amongst other things, the maturity, effectiveness, and the applicability of the technologies and best practices, taking into account social aspects and regulatory differences among the EU Member States. The evaluation criteria also consider possible differences among sectors. For an industry organisation, it is important to understand how a specific technology can actually mitigate the risk associated to possible cyber-attacks. The same set of evaluation criteria is applied not only to anti-cybercrime technologies but also to best practices. 20 representative examples of technologies and best practices have been identified for the testing. Due to the rapid growth of technological solutions, considering only mature technologies may be 1 These would include shops which may also sell counterfeit copies of products or illegitimately represent themselves as associated or maliciously clone an actual organisations presence online. 7

8 limited, therefore our research on technologies against cybercrime tries to look ahead towards the more immediate horizon, considering emerging and promising solutions. Best practice examples represent different families of approaches. Common security standards and guidelines are considered, both the sector-agnostic (i.e. the ISO series) and the more technical ones that are usually sector-specific (such as some NIST special publications). Standards and guidelines do not cover completely the relevant best practices. For this reason the utilisation of controlled cyber synthetic environments and consideration of growing information sharing initiatives (often sector specific like FS-ISAC) were included. Such activities and initiatives provide insights and foster collaboration, crucial components in the fight against cybercrime. 3.1 Context This work is the output of Task 3.1 in Work Package 3, which focuses on providing criteria to assess anti-cybercrime technologies and industry best practices. It builds on the journey mapping from WP2, Tasks 2.1 and 2.2, and also provides a review of existing classification approaches and/or controls used in the cyber security sector. These controls are compared and contrasted against typical existing security controls such as those laid out as part of the ISO series and those from the National Institute for Standards and Technology (NIST). An inventory of 20 representative examples of existing anti-cybercrime technologies best practices is researched through collecting and studying technology reports and roadmaps in the field of cybercrime. Each of these technologies and best practices are evaluated according to the criteria defined. In addition, a selected number of cybercrime journeys have been mapped, based on the current output from WP2. These are presented as case studies for the selected technologies and best practices via a mix of desktop analysis as well as physical mapping across a cyber-synthetic environment (cyber range). 2 Further work will continue in this area as additional journeys are provided. This work will be added as a further Appendix to this report and made available ahead of WP7, which identifies gaps and solutions for cybercrime, and WP8, which enhances sector specific countermeasures as they are both dependent upon the output of this work. Ongoing monitoring of anti-cybercrime technologies and best practices will be reviewed during the lifetime of this project. 3.2 Objectives The objective of this work is to both define the criteria for the assessment of existing cybercrime practices and anti-cybercrime technologies and best practices and assess the selected anticybercrime technologies and best practices via case studies. It assesses the effectiveness of these counter-measures for preventing, deterring and managing cybercrime and includes the on-going monitoring of these counter-measures through the lifespan of the project with a specific focus on non-ict sectors. 2 A cyber range is a realistic environment that is used for cyber warfare training, cyber resiliency testing and cyber technology development. Historically these had a military focus to test and run simulations on cyber assets as well as training personnel. More recently, these have had greater use across industry and critical infrastructure. 8

9 3.3 Methodology In defining the criteria for assessing anti-cybercrime technologies and best practices, desktop analysis and direct contact with stakeholders and contacts from law enforcements and industry were made. From this a proposed set of criteria was established and then contrasted against existing security controls such as those from the ISO series and NIST. The proposed criteria were documented and then validated at the E-CRIME Workshop in Rome January 19 th -20 th, The anti-cybercrime technologies were selected after an extensive desktop analysis. While it was impossible to cover all the possibilities, these examples provide a well-rounded view on the technologies that are effectively used today while considering those which represent realistic possibilities of important breakthrough in the near future. Some examples, like smart cards and TLS/SSL, are very mature and widely used technologies to protect confidential data and to provide secure authentication method. Others such as semantic web, are mature technologies that have been applied within the cyber security domain only recently. Further examples such as, quantum key cryptography and homomorphic encryption are very promising techniques that might be ground breaking solutions once they obtain greater maturity and adoption, yet are already important to analyse and consider. Similarly, the best practice examples have been selected to give a good perspective of how procedures, guidelines, exercise, and information sharing can be as effective as technologies against cybercrime. Each example works to summarise families of best practices rather than specific ones. These were both validated at the E-CRIME Workshop in Rome January 19 th -20 th, Selected criminal journeys from D2.3 were then physically replicated in a highly controlled environment (the cyber range). Through a mix of desktop analysis and testing on the cyber range, the proposed criteria were then assessed against the representative examples to evaluate the performance of the examples. The scale used for rating has been qualitatively constructed from insights coming from the desktop analysis and the result of the testing on the cyber range. 4. Applying existing cyber security classifications as criteria 4.1 Introduction This section provides a review of classifications currently used in the cyber security sector. These are proposed to aid in developing the project s own criteria to assess anti-cybercrime technologies and best practices. This section ties the notion of anti-cybercrime technologies and best practices to the notion of security controls that is widely used in information security standards. 3 A security control, in a simplified way, can be explained as any measure that helps to protect an entity from unwanted incidents. It can be a technical measure, e.g. a firewall that helps to protect a network from cyber-attacks; a physical measure, e.g. the restriction of physical access to entities premises or network; an administrative control, e.g. courses to educate personal not to open attachments with potentially malicious files. The essence of anti-cybercrime technologies and best practices can be seen as a series of security controls. 3 ISO, NIST, COBIT, ETSI, ENISA 9

10 4.2 Security control Most IT security standards rely on the notion of security control. Common definitions, which are used in different security standards, are provided below; o o o (ISO2700) Control measure that is modifying risk; *Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk. (ISO.ORG 2014) (ISACA, COBIT) Control The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature. *Scope Note: Also used as a synonym for safeguard or countermeasure. (ISACA 2014) (NIST) Security Control A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. (NIST SP800-53r4) Security controls are usually based on the notion of risk. 4 Risk is one of the key elements of information security and in particular of security controls. 4.3 Classification of security controls Before the criteria to assess security controls are defined, this section will give a brief overview of the different classifications of security controls. Although the project does not yet touch upon classification of anti-cybercrime technologies and best practices (i.e. security controls), a short insight will surely be useful Theoretical approach Security controls can be classified in many different ways. One approach is rather theoretical (taxonomical), and it usually can be found in information security literature (Harris, Shon 2013). The categorization in this case has a treelike structure that aims to look at security controls from different perspectives, to aid explaining the nature of security controls. The excerpt below provides an example of such an approach. 4 But not in NIST s definition. 10

11 Figure 1: Categorization of Security Controls 5 In this taxonomy security controls are divided into three types Preventive, Detective and Corrective. The NIST security standard distinguishes between five functions Identify, Protect, Detect, Respond and Recover. ISHandbook (Sewell, 2009) defines three commonly accepted forms of Controls: a) Administrative These are the laws, regulations, policies, practices and guidelines that govern the overall requirements and controls for an Information Security or other operational risk program. For example, a law or regulation may require merchants and financial institutions to protect and implement controls for customer account data to prevent identity theft. The business, in order to comply with the law or regulation, may adopt policies and procedures laying out the internal requirements for protecting this data. These requirements are a form of control. (Sewell, 2009) b) Logical These are the virtual, application and technical controls (systems and software), such as firewalls, anti-virus software, encryption and maker/checker application routines. (Sewell, 2009) c) Physical Whereas a firewall provides a "logical" key to obtain access to a network, a "physical" key to a door can be used to gain access to an office space or storage room. Other examples of physical controls are video surveillance systems, gates and barricades, the use of guards or other personnel to govern access to an office, and remote backup facilities. (Sewell, 2009) Sewell states that all three forms are critical to the creation of an effective control environment. However, these elements do not provide clear guidance on measuring the degree to which the controls mitigate the risk. Instead, [sic] the risk model presented here utilizes an alternative set of elements that provide better means of assessing the level of mitigation: a) Preventive, b) Detective and c) Corrective 11

12 Sewell goes on to state that As well as classifying the type of control, this simple risk model also has a series of classifications on the value of that control. These are listed below. a) Effective, b) Efficient, c) Complexity, d) Access and e) Privilege Practical approach Information security standards 7, on the other hand, usually use another approach to classify security controls. It is a more practical and goal driven approach. ISO and NIST standards, for example, have very broad lists of security controls, which are divided into categories. The objective of such divisions is to cover all possible aspects of information security from the perspective of different entities. Below are stated examples of ISO s and NIST s groups. 4.4 Assessment of security controls Instead of having universal criteria for assessing security controls, NIST has specific assessment criteria for every group.8 NIST s assessment has such characteristics as: a) assessment method (examine, interview and test); b) assessment expectations (low, moderate and high); c) assessment procedure (consists of objectives, methods and objects). An example illustrating the assessment procedure for the subgroup Malicious Code Protection (group System and Information Integrity) is given in Appendix C. At a high level the ISO s recommendations on the assessment of security controls are that he level of risk depends on the adequacy and effectiveness of existing controls. Questions which need to be addressed include: What are the existing controls for a particular risk? Are those controls capable of adequately treating the risk so that it is controlled to a level that is tolerable? In practice, are the controls operating in the manner intended and can they be demonstrated to be effective when required? (ISO, 2013) Within these guidelines it is also noted that in the majority of instances that a high level of accuracy is not warranted 9 (ISO27001, 2013) 4.5 Review & considerations As was described above, two approaches in classification for convenience can be distinguished - theoretical and practical. To determine which better fits E-CRIME needs and specifically, Deliverable 3.1, categorisation of the type of industry actor should also be considered. As established by a 6 As defined under control types, control effectiveness and control limitations, ishandbook.bswell.com 7 NIST, ISO. 8 NIST SP800-53A (Guide for Assessing the Security Controls). 9 ISO27001, 2013 Information security management systems Requirements 12

13 consortium partner 10 incentives: there are three types of industry actors with different capabilities and 1. Security providers: actors who in principle are in a position to decide (explicitly or implicitly) about the security properties in ICT infrastructures typical examples: ICT industry, standard setters, infrastructure providers. 2. Security consumers: actors who depend on the security properties available in products and services offered on the marketplace typical examples: non-ict companies, public institutions, individuals. 3. Security industry: specialises on selling security products and services to security providers (e.g., code review, hardening, security libraries) and to security consumers (off-the-shelf security tools, diagnostics & filters). While such categorisation is not codified yet, it is used within some academic circles to describe the security ecosystem. The term security provider might be confusing, as these are in fact all ICT providers. However, it should be stressed, that ICT providers are the ones than can and need to provide security in their products. The distinction between these actors is important, because each actor applies substantially different defensive technologies and best practices, due to their varying capabilities and incentives based on their role in the value network (See Appendix E). If it were to be mainly information security specialists, then a more practical approach might be preferable (similar to the NIST s security standard where specific assessment criteria are used for the narrowly predefined groups of security controls). Such an example is presented in the table below. Function (NIST) 11 identify protect detect respond recover Effectiveness (ISO) - Adequateness (ISO) - Information (Figure 2) confidentiality integrity availability Nature (generally used) Physical controls Procedural controls Technical controls Legal and regulatory or compliance controls 10 Prof: Dr Rainer Böhme (See Appendix E)- WWU. 11 Type on Figure 2. 13

14 Limitations (Figure 2) complexity access privilege Table 2: Security Controls However, it should also be considered that the results of this assessment will be disseminated and used by the project stakeholders and/or those who are mentioned in the dissemination strategy decision-makers in the EU and other categories of key stakeholders and citizens 12. Therefore it not just limited to one type of industry actor or simply to information security specialists. With these points considered, the next section proposes a set of criteria for assessing anti-cybercrime technologies and best practices that are flexible and could be applied by various industry actors (as defined in this section), organisational sizes and industry verticals. 5. Criteria for assessing anti-cybercrime technologies and best practices 5.1 Criteria Criteria effectiveness by type of cybercrime a) Do they prevent a crime? b) Do they identify a crime? c) Do they limit the potential damage of a crime? d) Do they successfully identify the criminal(s) (attribution)? Relevance and effectiveness of criteria to industry use Best practice guidelines and regulatory requirements are often industry specific and it is within these specific contexts that their relevance and efficacy is understood and appreciated. While cybercrimes may vary by industry, in some cases there is an overlap between industry sectors. This should be considered when measuring relevance and efficacy of any anti-cybercrime technologies Use in the stages of the cybercrime a) Pre-Crime/Preventative; Technologies and best practices that work to identify cybercrime before it occurs or while it is in the early planning stages. 12 E-Crime Work Package 9 14

15 b) During Crime; Technologies and best practices which provide detection of cybercrime, with possible mitigation and/or real time attribution. c) Post Crime; Technologies and best practices which provide the ability to successfully triage, investigate and attribute cybercrimes after they have occurred or when they are suspected (post incident). These should also include a recovery aspect (allowing recovering the attacked systems back to their original state, prior to the criminal incident). We also include in this category all the technologies and best practices that aim to increase resilience to cybercrimes Maturity This is based directly on how long have the technologies and best practices been established and how widely are they accepted across industry or within specific industry sectors. New technologies or best practice guidelines should not be dismissed but included and balanced against more mature guidelines and technologies. The method in which weight or ranking of maturity is allocated should be considered in the context of the industry in which it is being used. For example in industries where innovation is lacking, less mature technologies may need to be considered even if they are not presently widely adopted. Additional consideration should be given to newer technologies, which may be widely adopted but have limited maturity Costs The cost to acquire or implement the technology or best practice is a key factor. Some consideration should be given to the cost effectiveness for the industry sector they relate to as some industry sectors may have more complex business and regulatory requirements than others. Equally important are ongoing and subsequent operating costs, such as maintenance, upgrades, training and residual license fees. Within the validation 13 workshop, stakeholders commented that the link between this criterion and those in should be considered in tandem when possible and useful Usability The level of difficulty for users and/or administrators within the industry to operate or adopt specific technologies and best practices should be taken into account before such technologies and/or practices are ultimately taken up. This ensures that the users and/or administrators do not end up looking for shortcuts or ways to bypass key features or controls and thereby invalidating their efficacy Impact on business processes It is imperative to ensure that the technology or best practice adopted, which may be effective in addressing certain issues, does not have a negative impact significant enough to directly or indirectly disrupt the business processes. It is also important to ensure that they do not have a negative impact on innovation and/or generative processes within an organisation. 13 E-Crime Workshop January th, Rome Italy. 15

16 5.1.8 Accuracy and resilience There are established and specific guidelines and/or frameworks which provide methodologies in which to test specific technologies, to ensure resilience and accuracy. In the field of digital forensics one such example is the National Institute for Standards and Technology Computer Forensic Tool Testing Methodology (CFTT). This guideline provides assurances that the tools that have been tested are both accurate and resilient. By way of a different example, the accuracy of identifying attacks is a key component to an Intrusion Prevention System and its ability to maintain fidelity during an attack is a critical part of ensuring resilience Impact on privacy and societal rights Assessments should be made to ensure that any technologies or best practices take into account privacy and key and agreed societal rights Ability to work within the law Anti-cybercrime technologies and best practices need to work within the laws of a given country and ideally they need to display the ability to be utilised across all EU Member States without the need for modification. However tools and best practice guidelines which are specific to certain jurisdictions should not be ruled out as they may provide best value for crimes focused within those jurisdictions Level of diffusion/adoption This point was specifically brought up by various stakeholders and consortium partners at the validation workshop. It was agreed that this was a critical point to include in such a set of criteria, as it is often the way that while some technologies or guidelines might meet many of the other proposed criteria, they are not widely adopted for various reasons. Reasons include a lack of awareness (amongst the relevant personnel in the non-ict organisations) of the availability of such guidelines and technologies. This is different than maturity as not all mature technologies or best practices are widely adopted. In such cases it would be beneficial to identify and understand why such solutions are not being adopted or used. 5.2 Should criteria be industry specific? A report released July 2014 titled, Critical Infrastructure: Security Preparedness and Maturity, by the Ponemon Institute (sponsored by UNISYS), outlines in section 6b what respondents believe are the least effective security technologies in addressing cybersecurity in threats (Ponemon, 2014). These (in order) are: 1. Web application firewalls (WAF) 2. Data Loss Prevention Systems (DLP) 3. Automated code review or debugger 4. Virtual private network (VPN) 5. Encryption of data in motion 16

17 This report documents what a specific (Critical Infrastructure) industry feels is important and not important. The views change by industry for example an online retailer would consider a WAF as a key and highly effective part of their security infrastructure, while or remote file storage service provider would consider the encryption of data in motion as a key and highly useful part of their anti-crime arsenal. Exploring this further we can determine that cybercrimes by industry may vary. Some examples of recent high profile cybercrimes are: Retail: Target Retail (2013): the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores. (RetailFraud, 2013) TJMaxx Retail (2007) :..the company later learned that thieves had used the store s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country (infosecmaestros.com, 2014) Finance: Heartland Payment Systems (2009):..disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards. (krebsonsecurity.com, 2013) Japanese PostBank (2014):..hackers target banking credentials by dropping malware when users visit popular Japanese porn-sites. (Symantec, 2014) Media & Entertainment: SkyTV (2014).criminals sell hacked SKY boxes [sic] (which work around the encryption) at a fraction of the cost of normal sky subscription (BBC, 2014) Game of Thrones (2012); Game of Thrones is the top TV show on the internet piracy chart: Torrentfreak (BBC, 2012) Education: University of Iowa (2014) Records of current and former students were exposed due to a server breach, [sic] however the University stated the primary purpose of the attackers was to use the server to mine bitcoins. These examples highlight the variance in types of crimes in different Industries. The attack vector to commit a cybercrime against a retailer s Electronic Point of Sale System (epos) system by placing malware is different than reverse engineering SKY TV proprietary encryption in order to get a free or cheap service. While the issue of hijacking banking details via drive by malware has its own attack footprint. Further supporting this point, are examples of cybercrimes against supervisory control and data acquisition (SCADA) systems, where unique technologies are used to prevent and mitigate attacks and have been launched specifically for these environments. (automationworld.com, 2014) Also to be considered is the example of the Chinese barcode readers being shipped with spyware which was recently reported (Scharr, 2014). Additionally, there is the issue of cyber security 17

18 vulnerabilities in embedded healthcare appliances which could potentially require different or specially created anti-crime technologies. (FDA.GOV, 2013) These examples serve as a reminder that anti-cybercrime technologies are not just limited to solutions which can protect an enterprises Internet facing servers and build a strong case for them being industry specific. To further determine this, using a similar validation approach contrasting against traditional security controls, a review of the ISO standards is undertaken. Starting with a set of industry independent technologies and best practices and then selecting those which are industry specific. In the family of the ISO standards, for example, ISO/IEC is sector independent, and it sets up a general approach. Other ISO standards are sector specific: Telecommunication - ISO/IEC Information technology - Security Techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002; Financial services - Payment Card Industry Data Security Standard (PCI DSS); ISO/IEC TR Information security management guidelines for financial services; Health - ISO Information security management in health using ISO/IEC 27002; Energy utility - ISO/IEC (In preparation) Information security management guidelines based on ISO/IEC for process control systems specific to the energy utility industry. Therefore it can be concluded that the criteria to assess them should be based on the attack vector as well as the industry yet with the understanding that some of the industries may not need a fully separate assessment as there will be very similar technologies deployed elsewhere (e.g. Retail and Hospitality) Consolidating these, the consensus was that while some of the criteria will be general, many may be sector specific. Therefore the recommendation is to start with a sector specific approach in order to accurately identify and also allow a better insight into cultural or environmental differences which are important. In any areas where overlaps have been identified, only one set of criteria is required. Criteria for Assessing Anti-Cybercrime Technologies and Best Practices Effectiveness for traditional crimes (which are now cyber) Effectiveness for hybrid cybercrimes Effectiveness for true cybercrimes Use in the relevant stage of the cyber-crime Maturity Accuracy and resilience Diffusion/Adoption 18

19 Relevance and effectiveness to the industry Impact on privacy and societal rights Ability to work within local laws (by EU member country) Ability to be utilised across all EU member states without the need for modification Usability Costs (initial and ongoing) Impact on business Table 2: Validated Criteria These were presented and validated at the E-Crime Workshop January 19 th -20 th, Anti-cybercrime technologies The identification of existing cybercrime technologies and industry best practices has been undertaken by collecting and studying technology reports and roadmaps in the field of cybercrime. This desktop analysis provides an inventory of 20 representative examples of existing technologies and relative best practices which can be used against cybercrime. A description is provided, together with a short explanation about how the technologies or the best practices can mitigate the security issue related to cybercrime. Moreover, each technology and best practice is evaluated according to the criteria validated in the previous section of this report and summarised below. For clarity, three specific criteria, currently, are under study; Cost, Usability and Impact. The research revealed that in these three areas there is a common theme and that often these criteria become subjective depending upon industry and organisations risk appetite. To determine their value, deeper analysis from the organisation would be required. In fact, the choice of a countermeasure depends strongly on the level of risk, a company wants to accept and how much they are willing or able to invest in it. The deployment of an Intrusion Detection System, for example, could be cost effective and considered a key objective at board level by an organisation with a resilient and extensive IT network. However, the same might not always be the case for those organisations with extensive level of complexities within their IT model or even organisations of significant magnitude, but less related to information technology, in which the cost of the countermeasure could be much higher of the likelihood and impact of an attack to the IT infrastructure. Furthermore, the solutions, proposed by vendors, are usually built on modules and this creates other issues related to the cost. Affordability can vary significantly by industry and even by organisations within the same industry sectors. These also directly link to the impact on business. It is an established fact that the risk appetite and level of affordability varies across industries and organisations sizes. There is no one size fits all for these as already clarified, factors such as topologies and enterprise structure can affect how the business perceives and evaluates cost, usability and business impact. Therefore, while these three criteria are highly relevant, they should be evaluated for segment and/or individual organisation on a segment by segment or case by case. This is reflected in the comments within the findings of the following section. 19

20 Certain technologies such as firewalls, anti-virus technologies and back-up solutions were left off deliberately from the 20 representative examples as it was agreed that the awareness and implementation of these is generally widespread. Within Section 6 Cybercrime pathways, some of them have been cited, confirming that they are still useful examples of technological countermeasures. Regardless of how widely established these technologies are it does not mean that such solutions are always configured accurately, patched regularly and monitored effectively, hence the need for incorporating best practices. Highly specific guidelines such as Payment Card Industry Data Security Standard (PCI-DSS) or similar industry specific guidelines were not included in order to reflect those which could be useful across a wide range of organisations. 6.1 Technological Authentication Multi-factor authentication Description Authentication factors are usually classified as: 1. knowledge factor: something that the user knows e.g. a secure password 2. possession factor: something that the user has e.g. a token or a proper configured mobile device 3. inherence factor: something that the user is e.g. a biometric characteristic such as a fingerprint or eye iris Multi-factor authentication is an approach requiring two or more factors belonging to different classes. For example, a service can require a user to authenticate using both a password and a fingerprint. Of course the probability that an attacker is able to provide both authentication factor is lower than providing only one, thus this approach reduces the likelihood of false authentication. On the other hand, this approach relies on the user s ability to provide both, and it is generally less usable. As a consequence users tend to avoid this kind of authentication for services that they perceive do not require a high level of security. Relevance to anti-cybercrime Multi-factor authentication combats online identity theft and fraud through adding an extra layer of verification when accessing online services and accounts. Attacks such as phishing or spyware may successfully steal the first factor, however without the second factor the cyber-criminal cannot gain access to the account or service. Evaluation criteria 20

This deliverable has been assessed by the E-CRIME Security Committee as suitable for public dissemination

This deliverable has been assessed by the E-CRIME Security Committee as suitable for public dissemination This deliverable has been assessed by the E-CRIME Security Committee as suitable for public dissemination 1 FP7-SEC-2013.2.5-2 Grant Agreement Number 607775 Collaborative Project E-CRIME The economic impacts

More information

D2.2 Executive summary and brief: Cyber crime inventory and networks in non-ict sectors

D2.2 Executive summary and brief: Cyber crime inventory and networks in non-ict sectors FP7-SEC-2013.2.5-2 Grant Agreement Number 607775 Collaborative Project E-CRIME The economic impacts of cyber crime D2.2 Executive summary and brief: Cyber crime inventory and networks in non-ict sectors

More information

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government Briefing W. Frisch 1 Outline Digital Identity Management Identity Theft Management

More information

Who s Doing the Hacking?

Who s Doing the Hacking? Who s Doing the Hacking? 1 HACKTIVISTS Although the term hacktivist refers to cyber attacks conducted in the name of political activism, this segment of the cyber threat spectrum covers everything from

More information

THE WHITE HOUSE Office of the Press Secretary

THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop

More information

Unisys Security Insights: Germany A Consumer Viewpoint - 2015

Unisys Security Insights: Germany A Consumer Viewpoint - 2015 Unisys Security Insights: Germany A Consumer Viewpoint - 2015 How consumers in Germany feel about: Personal data security, ranked by industry Experiences concerning security of personal data Research by

More information

Security Overview. BlackBerry Corporate Infrastructure

Security Overview. BlackBerry Corporate Infrastructure Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted.

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted. Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted. Administrative Awareness Case Study: Government Offices Certification and Accreditation:

More information

Research Topics in the National Cyber Security Research Agenda

Research Topics in the National Cyber Security Research Agenda Research Topics in the National Cyber Security Research Agenda Trust and Security for our Digital Life About this document: This document summarizes the research topics as identified in the National Cyber

More information

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access

More information

NATIONAL CYBER SECURITY AWARENESS MONTH

NATIONAL CYBER SECURITY AWARENESS MONTH NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the

More information

CYBERSECURITY: ISSUES AND ISACA S RESPONSE

CYBERSECURITY: ISSUES AND ISACA S RESPONSE CYBERSECURITY: ISSUES AND ISACA S RESPONSE June 2014 KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures Mobile devices Social media Cloud services

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist Cyber- Attacks: The New Frontier for Fraudsters Daniel Wanjohi, Technology Security Specialist What is it All about The Cyber Security Agenda ; Protecting computers, networks, programs and data from unintended

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008 U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October

More information

A brief on Two-Factor Authentication

A brief on Two-Factor Authentication Application Note A brief on Two-Factor Authentication Summary This document provides a technology brief on two-factor authentication and how it is used on Netgear SSL312, VPN Firewall, and other UTM products.

More information

Beyond the Hype: Advanced Persistent Threats

Beyond the Hype: Advanced Persistent Threats Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

future data and infrastructure

future data and infrastructure White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal

More information

This is a preview - click here to buy the full publication

This is a preview - click here to buy the full publication TECHNICAL REPORT IEC/TR 62443-3-1 Edition 1.0 2009-07 colour inside Industrial communication networks Network and system security Part 3 1: Security technologies for industrial automation and control systems

More information

Middle Class Economics: Cybersecurity Updated August 7, 2015

Middle Class Economics: Cybersecurity Updated August 7, 2015 Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

More information

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover Sound Business Practices for Businesses to Mitigate Corporate Account Takeover This white paper provides sound business practices for companies to implement to safeguard against Corporate Account Takeover.

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

WHITE PAPER. How to simplify and control the cardholder security environment

WHITE PAPER. How to simplify and control the cardholder security environment WHITE PAPER How to simplify and control the cardholder security environment Document Version V1-0 Document Set: QCC Information Security Prepared By Nick Prescot - QCC Information Security Ltd Sponsored

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Security Services. 30 years of experience in IT business

Security Services. 30 years of experience in IT business Security Services 30 years of experience in IT business Table of Contents 1 Security Audit services!...!3 1.1 Audit of processes!...!3 1.1.1 Information security audit...3 1.1.2 Internal audit support...3

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

ITAR Compliance Best Practices Guide

ITAR Compliance Best Practices Guide ITAR Compliance Best Practices Guide 1 Table of Contents Executive Summary & Overview 3 Data Security Best Practices 4 About Aurora 10 2 Executive Summary & Overview: International Traffic in Arms Regulations

More information

Enterprise Cybersecurity: Building an Effective Defense

Enterprise Cybersecurity: Building an Effective Defense : Building an Effective Defense Chris Williams Scott Donaldson Abdul Aslam 1 About the Presenters Co Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced

More information

Unit 3 Cyber security

Unit 3 Cyber security 2016 Suite Cambridge TECHNICALS LEVEL 3 IT Unit 3 Cyber security Y/507/5001 Guided learning hours: 60 Version 1 September 2015 ocr.org.uk/it LEVEL 3 UNIT 3: Cyber security Y/507/5001 Guided learning hours:

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Network Security Administrator

Network Security Administrator Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

More information

Technology Risk Management

Technology Risk Management 1 Monetary Authority of Singapore Technology Risk Guidelines & Notices New Requirements for Financial Services Industry Mark Ames Director, Seminar Program ISACA Singapore 2 MAS Supervisory Framework Impact

More information

2012 Bit9 Cyber Security Research Report

2012 Bit9 Cyber Security Research Report 2012 Bit9 Cyber Security Research Report Table of Contents Executive Summary Survey Participants Conclusion Appendix 3 4 10 11 Executive Summary According to the results of a recent survey conducted by

More information

EU Cybersecurity Policy & Legislation ENISA s Contribution

EU Cybersecurity Policy & Legislation ENISA s Contribution EU Cybersecurity Policy & Legislation ENISA s Contribution Steve Purser Head of Core Operations Oslo 26 May 2015 European Union Agency for Network and Information Security Agenda 01 Introduction to ENISA

More information

This Time. Safety & Security in ICT Systems INFO 2. Threats to ICT systems. Hacking

This Time. Safety & Security in ICT Systems INFO 2. Threats to ICT systems. Hacking This Time Safety & Security in ICT Systems INFO 2 Oliver Boorman-Humphrey www.oliverboorman.biz This time we look at the need to protect data in ICT systems and the subsequent threats if these measures

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Aadhaar. Security Policy & Framework for UIDAI Authentication. Version 1.0. Unique Identification Authority of India (UIDAI)

Aadhaar. Security Policy & Framework for UIDAI Authentication. Version 1.0. Unique Identification Authority of India (UIDAI) Aadhaar Security Policy & Framework for UIDAI Authentication Version 1.0 Unique Identification Authority of India (UIDAI) Table of Contents ACRONYMS AND TERMS... 3 1. INTRODUCTION... 4 2. SECURITY CONSIDERATION...

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

KEY TRENDS AND DRIVERS OF SECURITY

KEY TRENDS AND DRIVERS OF SECURITY CYBERSECURITY: ISSUES AND ISACA S RESPONSE Speaker: Renato Burazer, CISA,CISM,CRISC,CGEIT,CISSP KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures

More information

The Cancer Running Through IT Cybercrime and Information Security

The Cancer Running Through IT Cybercrime and Information Security WHITE PAPER The Cancer Running Through IT Prepared by: Richard Brown, Senior Service Management Consultant Steve Ingall, Head of Consultancy 60 Lombard Street London EC3V 9EA T: +44 (0)207 464 8883 E:

More information

Online security. Defeating cybercriminals. Protecting online banking clients in a rapidly evolving online environment. The threat.

Online security. Defeating cybercriminals. Protecting online banking clients in a rapidly evolving online environment. The threat. Defeating cybercriminals Protecting online banking clients in a rapidly evolving online environment The threat As the pace of technological change accelerates, so does the resourcefulness and ingenuity

More information

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Brainloop Cloud Security

Brainloop Cloud Security Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating

More information

Identity: The Key to the Future of Healthcare

Identity: The Key to the Future of Healthcare Identity: The Key to the Future of Healthcare Chief Medical Officer Anakam Identity Services July 14, 2011 Why is Health Information Technology Critical? Avoids medical errors. Up to 98,000 avoidable hospital

More information

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 admin@trustedcomputinggroup.org

More information

Into the cybersecurity breach

Into the cybersecurity breach Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION. Cristin Flynn Goodwin J.

Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION. Cristin Flynn Goodwin J. Developing a National Strategy for Cybersecurity FOUNDATIONS FOR SECURITY, GROWTH, AND INNOVATION Cristin Flynn Goodwin J. Paul Nicholas October 2013 Contents Executive Summary... 3 What Is a National

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

The Impact of Cybercrime on Business

The Impact of Cybercrime on Business The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

The SMB Cyber Security Survival Guide

The SMB Cyber Security Survival Guide The SMB Cyber Security Survival Guide Stephen Cobb, CISSP Security Evangelist The challenge A data security breach can put a business out of business or create serious unbudgeted costs To survive in today

More information

IDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

IDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region IDENTITY MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Multi-factor authentication

Multi-factor authentication CYBER SECURITY OPERATIONS CENTRE (UPDATED) 201 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL

More information

Cybersecurity Enhancement Account. FY 2017 President s Budget

Cybersecurity Enhancement Account. FY 2017 President s Budget Cybersecurity Enhancement Account FY 2017 President s Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

TUSKEGEE CYBER SECURITY PATH FORWARD

TUSKEGEE CYBER SECURITY PATH FORWARD TUSKEGEE CYBER SECURITY PATH FORWARD Preface Tuskegee University is very aware of the ever-escalating cybersecurity threat, which consumes continually more of our societies resources to counter these threats,

More information

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500 INFO 1500 9. Information Assurance and Security, Protecting Information Resources 11. ecommerce and ebusiness Janeela Maraj Tutorial 9 21/11/2014 9. Information Assurance and Security, Protecting Information

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Opinion and recommendations on challenges raised by biometric developments

Opinion and recommendations on challenges raised by biometric developments Opinion and recommendations on challenges raised by biometric developments Position paper for the Science and Technology Committee (House of Commons) Participation to the inquiry on Current and future

More information

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT

More information

DeltaV Cyber Security Solutions

DeltaV Cyber Security Solutions TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model--- ---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

More information

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis

More information

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

Cyber Security Strategy

Cyber Security Strategy NEW ZEALAND S Cyber Security Strategy 2015 A secure, resilient and prosperous online New Zealand Ministerial Foreword The internet and technology have become a fundamental element in our lives. We use

More information

Cyber Security Management

Cyber Security Management Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Legislative Council Panel on Information Technology and Broadcasting. Information Security For Information on 8 July 2013 LC Paper No. CB(4)834/12-13(05) Legislative Council Panel on Information Technology and Broadcasting Information Security Purpose This paper updates Members on the latest

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

Strategic Platforms Information Security 2014

Strategic Platforms Information Security 2014 Strategic Platforms Information Security 2014 -------------------------- Data Mining for security process monitoring New authentication mechanism for System Information Call for «Expression of Interest»

More information

Central and Eastern European Data Theft Survey 2012

Central and Eastern European Data Theft Survey 2012 FORENSIC Central and Eastern European Data Theft Survey 2012 kpmg.com/cee KPMG in Central and Eastern Europe Ever had the feeling that your competitors seem to be in the know about your strategic plans

More information