Rethinking Cyber Security Threats

Transcription

1 Rethinking Cyber Security Threats (ISC)² Update U.S. Government Advisory Board Meeting February 17, 2010 Frank Chow CISSP ISSAP ISSMP CSSLP CGEIT CRISC CISM CISA Chairperson of Professional Information Security Association / Security Manager of Automated Systems (HK) Ltd. Copyright , 2013, (ISC) 2 All Rights Reserved

2 Who is (ISC) 2? The International Information Systems Security Certification Consortium HQs in US and with Office in London, Hong Kong and Tokyo A global not-for-profit organization known for world class education and Gold Standard certifications. Founded in 1989 by multiple professional associations. Develops and maintains the (ISC)² CBK, a taxonomy of information security topics. The CBK is a critical body of knowledge that defines global industry standards, serving as a common framework of terms and principles that allow professionals worldwide to discuss, debate and resolve matters pertaining to the field. Nearly 90,000 security professionals worldwide in over 135 countries 2

3 PISA ( 專 業 資 訊 保 安 協 會 ) PISA SIG -(ISC) 2 Hong Kong Chapter Not-for-profit organization Facilitate knowledge and information sharing among the PISA members Promote the highest quality of technical and ethical standards to the information security profession, Promote best-practices in information security control, Promote security awareness to the IT industry and general public in Hong Kong, Be the de facto representative body of local information security professionals 3

4 Agenda Definition Cyber Security Challenges Cyber Security Inside Out How to Survive in Cyber Attack? Addressing Cyber Security Challenges on a Global Scale 4

5 Copyright , (ISC) 2 All Rights Reserved DEFINITION

6 Definition According to H.R Cyber Security Information Act : cybersecurity: The vulnerability of any computing system, software program, or critical infrastructure to, or their ability to resist, intentional interference, compromise, or incapacitation through the misuse of, or by unauthorized means of, the Internet, public or private telecommunications systems or other similar conduct that violates Federal, State, or international law, that harms interstate commerce of the United States, or that threatens public health or safety. Source: U.S. National CyberSecurity 6

7 (ISC)² Update U.S. Government Advisory Board Meeting February 17, 2010 CYBER SECURITY CHALLENGES Copyright , 2013, (ISC) 2 All Rights Reserved

8 How many devices you have? 8

9 They use tablet Is it secure? 9

10 Tablets in meeting room Is it secure? 10

11 ecrime Market Current Pricing Source: APWG 11

12 Hack Household Appliances Source: ScienceNordic 12

13 Global Risk Trends Cyber Attack is considered as one of the top five in the most likely Risk in 2012 as per Global Risks Report. Source: World Economic Forum 13

14 Global Risk 2013 Source: World Economic Forum 14

15 Motivations Behind Attacks Source: 15

16 Cyber Attack Trends Source: 16

17 Distribution of Attack Techniques Source: 17

18 Distribution of Targets Source: 18

19 Ranking of Five Types of Cyber Crime Source: The Impact of Cybercrime on Business Ponemon Institute Research Report,

20 (ISC)² Update U.S. Government Advisory Board Meeting February 17, 2010 Cyber Security Inside Out Copyright , 2013, (ISC) 2 All Rights Reserved

21 Cyber Security Game Changers Source: ISACA/ 21

22 Cyber Attack Approach 22

23 Cyber Attack Approach Perform SQL ARP EXEC Scan Send with malware Admin Admin Opens with Malware Operator Internet Acct Operator Hacker Hacker performs sends an an ARP with (Address malware Resolution Protocol) Scan 2. recipient opens the and the 5. Once malware the Slave gets installed Database quietly is found, hacker sends 3. an SQL Using EXEC the information commandthat malware gets, hacker is able to take control of the recipient s PC! 6. Performs another ARP Scan 7. Takes control of Data Slave Database Master DB Master DB Source: Example from 2006 SANS SCADA Security Summit, INL 23

24 What we can do in Cyber Security? Social Media Security Computer Forensics Physical Access Logical Access Organization Data Cyber Security Incident Response Mobile Security Source: ISACA/ 24

25 Cyber Security Components Well Defined Structure Roles & Responsibility Skilled Resources R&D Lab & Testing Lab Standards & Best Practices Security Operation Center Cyber Security Cell Security Analytics Malware Detection Cyber Security Command Centre Threat Intelligence Feed Evolving Threat Research Anomaly Detection Contextualized Intelligence Interface & Interlock Source: ISACA/ Law Enforcement Agency CERT Risk Intelligence Service Providers Other Countries CERT & Intelligence Agencies 25

26 Cyber Security Components Cyber Security Resources Strategic Advisory Cyber Security Service Portfolio Operational / Post-Event BCP / DR Preparedness against Cyber attacks Cyber Security Training and Awareness Computer Forensics DDOS Test Enterprise Security Architecture Threat Modeling Social Media Security Mobile Security Simulation Exercises Regulatory Readiness(FISMA, TRA, Indian Act etc.) Incident Response (Virus/Malware/Botnets) Cloud Security Effectiveness Measurement of Policies/Procedures/Infra Design of Security Intelligence Centre Penetration Testing Vulnerability Assessment Interface & Interlock Law Enforcement Agency CERT Risk Intelligence Service Provider Enterprise Risk Management Source: ISACA/ 26

27 Computer Forensic Computer Forensic provides a post-intrusion / incident analysis in order to identify, preserve, analyse meaningful evidence and provide a detailed forensic report and recommendation on the security incident. Computer Forensics Coverage Network Forensics Media Forensics System Forensics Web Server Forensics LAN/WAN Network USB/CD Media Laptop/Desktop Log Analysis Wireless Network Mobile Device Database/ Operating Systems Mobile Trading Hard Disk Mobile Devices Intrusion/ Malware Analysis Source: ISACA/ 27

28 Approach for Computer Forensics The following are the broad steps involved in this assessment 1. Initial Study Situation awareness, identify the potential source of data Confidentiality 5. Reporting Logical Conclusion, Management and Technical Presentation 2. Data Collection Data duplication, Cloning, Extractions using specialized S/W and H/W Media Remote or Onsite Seamless Access & Secure Storage of Data Break Through Preserve Chain of Custody Intelligent Search of Suspect Data Evidence Investigation Examination, Decryption, Intelligent search on information on interest Data Concurrent Analysis Information 4. Analysis Data Interpretation, Event Correlation, Chain of Custody, Pattern Matching Source: ISACA/ 28

29 Social Media Security Rise in the use of Social Networking sites such as Twitter, LinkedIn, Facebook by corporate to communicate and build their brand names as well as by individual to share information increase the risk of data security Social Media Security Sensitive & Customer Information Gathering over Social Networking Social Engineering Awareness Assessment Corporate Social Networking Website Security Crisis Response over Social Media Social Networking Sites (FB, Orkut etc.) Community Sites, Forums & Blogs Using Search Engines Phishing Through Calls Phishing Though Mails and Websites Dumpster Drive Employee Awareness Assessment Evaluation of Social Media & Acceptable Usage Policy Malware Detection Phishing Attack Detection Hacking Attack Detection Crisis Response Plan Observing incident over Social Media Training and Awareness Source: ISACA/ 29

30 Approach for Social Media Security A comprehensive and structured approach for Social Media Security Assessment, Sensitive Customer Information from different sources like social engineering sites, forums, community sites, blogs and hacking sites will be gathered along with the automated tools and search engines like Google, AltaVista, Baidu etc. The following are the broad steps involved in this assessment Identifying & understanding Sensitive Customer Data Define the Search Pattern on the Sensitive Customer Data Information gathering from automated tools using search patterns Analysis, Validation and Reporting Social Engineering Techniques Manual Information Gathering Using Search Engines like Google Source: ISACA/ 30

31 Incident Response Incident Response Service provides on field or remote analysis by experts to identify, contaminate, recover and eradicate different variety of cyber attacks to the organisation. Virus Outbreaks DOS/DDOS/ Botnet Attacks Incident Response Service Malware Attacks Phishing Attacks Hacking Attacks Source: ISACA/ 31

32 Cyber Security Incident Response Approach A structured and proven approach for handling and responding to any kind of Cyber Security Attacks. In line with the industry best practices and experts armored with specialized tools help customer to react effectively and immediately. Preparation Identification Collection Assessment Reporting Reassess and Train Mobilize Resources Tools & Kits Authorization and Approvals Legal considerations Situation Awareness Sources of information Chain of custody Suspected behavior Live Data Acquisition Log/Network Data Acquisition OS and Database Acquisition Analyze acquired evidences Identify the level of impact Identify the source of intrusion & vulnerability Management report on extent of Damage Report on nature of the incident and compromise Eradication and recovery measures Reassess the fix Develop learning and Lessons Training and Awareness Secure Guidelines Source: ISACA/ 32

33 (ISC)² Update U.S. Government Advisory Board Meeting February 17, 2010 How to Survive in Cyber Attack? Copyright , 2013, (ISC) 2 All Rights Reserved

34 Defense in Depth 34

35 Security for Industrial Control Systems (SCADA) CYBER SECURITY CONTROLS Air-gap networks, apps and control data with firewalls, proxies PHYSICAL SECURITY CONTROLS SECURITY CONTROLS 35

36 Everything is a Target Security Management Polices, Procedures & Awareness Policy Assessments Operational Framework Consulting Training & Consulting Application Vulnerability Assessments Code Reviews Application Hardening Centralized Tool Integration Centralized Monitoring Private Public Server Internal Network Vulnerability Assessments Intrusion Detection Wireless Design Consulting Intrusion Prevention Authentication & Authorization Perimeter Vulnerability Assessments Firewalls & Proxies Intrusion Detection VPN Remote Access Data Authentication Management Identity Management Data Privacy Vulnerability Assessments Intrusion Prevention Patch Management Anti-Virus & Anti-SPAM Mobile Client Security Server Hardening Authentication & Authorization 36

37 (ISC)² Update U.S. Government Advisory Board Meeting February 17, 2010 Addressing Cyber Security Challenges on a Global Scale Copyright , 2013, (ISC) 2 All Rights Reserved

38 Introduction This CybersecurityManagement System consists of 4 main components: Cyber Security Framework; Maturity Model; Roles and Responsibilities chart; Implementation Guide. Source: ITU Regional Cyber security Forum for Africa and Arab States,

39 National Cybersecurity Management System Source: ITU Regional Cyber security Forum for Africa and Arab States,

40 National Cyber Security Framework : 5 Domains Source: ITU Regional Cyber security Forum for Africa and Arab States,

41 National Cyber Security Framework (5 Domains and 34 Processes) 1 -SP : Strategy and Policies 3 -AC : Awareness and Communication SP1 NCSec Strategy: Promulgate & endorse a National Cybersecurity Strategy AC1 SP2 Lead Institutions: Identify a lead institutions for developing a national strategy, and 1 lead institution per stakeholder category AC2 Leaders in the Government : Persuade national leaders in the government of the need for national action to address threats to and vulnerabilities of the NCSec through policy-level discussions National Cybersecurity and Capacity : Manage National Cybersecurity and capacity at the national level SP3 NCSecPolicies : Identify or define policies of the NCSec strategy AC3 Continuous Service: Ensure continuous service within each stakeholder and among stakeholders SP4 SP5 IO1 IO2 IO3 IO4 Critical Information Infrastructures Protection : Establish & integrate risk management for identifying & prioritizing protective efforts regarding CII Stakeholders : Identify the degree of readiness of each stakeholder regarding to the implementation of NCSec strategy & how stakeholders pursue the NCSec strategy & policies AC4 AC5 2 -IO : Implementation and Organisation AC6 NCSec Council : Define National Cybersecurity Council for coordination between all stakeholders, to approve the NCSec strategy NCSec Authority: Define Specific high level Authority for coordination among cybersecurity stakeholders AC8 National CERT: Identify or establish a national CERT to prepare for, detect, respond to, and recover from national cyber incidents Privacy and Personnal Data Protection : Review existing privacy regime and update it to the on-line environment AC7 AC9 AC10 National Awareness : Promote a comprehensive national awareness program so that all participants businesses, the general workforce, and the general population secure their own parts of cyberspace Awareness Programs : Implement security awareness programs and initiatives for users of systems and networks Citizens and Child Protection: Support outreach to civil society with special attention to the needs of children and individual users Research and Development : Enhance Research and Development (R&D) activities (through the identification of opportunities and allocation of funds) CSecCulture for Business: Encourage the development of a culture of security in business enterprises Available Solutions: Develop awareness of cyber risks and available solutions NCSec Communication : Ensure National Cybersecurity Communication IO5 Laws : Ensure that a lawful framework is settled and regularly levelled 4 - CC : Compliance and Communication IO6 IO7 Institutions : Identify institutions with cybersecurity responsibilities, and procure resources that enable NCSec implementation National Experts and Policymakers : Identify the appropriate experts and policymakers within government, private sector and university IO8 Training : Identify training requirements and how to achieve them CC3 IO9 IO10 Government : Implement a cybersecurity plan for government-operated systems, that takes into account changes management International Expertise: Identify international expert counterparts and foster international efforts to address cybersecurity issues, including information sharing and assistance efforts CC1 CC2 CC4 CC5 5 -EM : Evaluation and Monitoring EM1 NCSec Observatory: Set up the NCSec observatory EM3 Mechanisms for Evaluation : Define mechanisms that can be used to coordinate the activities of the EM2 lead institution, the government, the private sector and civil society, in order to monitor and evaluate the global NCSec performance Source: ITU Regional Cyber security Forum for Africa and Arab States, 2009 EM4 International Compliance & Cooperation : Ensure regulatory compliance with regional and international recommendations, standards National Cooperation: Identify and establish mechanisms and arrangements for cooperation among government, private sector entities, university and ONGs at the national level Private sector Cooperation : Encourage cooperation among groups from interdependent industries (through the identification of common threats). Incidents Handling : Manage incidents through national CERT to detect, respond to, and recover from national cyber incidents, through cooperative arrangement (especially between government and private sector) Points of Contact: Establish points of contact (or CSIRT) within government, industry and university to facilitate consultation, cooperation and information exchange with national CERT, in order to monitor and evaluate NCSec performance in each sector NCSec Assessment: Assess and periodically reassess the current state of cybersecurity efforts and develop program priorities NCSec Governance : Provide National Cybersecurity Governance 41

42 National Cyber Security Maturity Model PS Process Description Level 1 Level 2 Level 3 Level 4 Level 5 SP 1 Promulgate & endorse a National Cybersecurity Strategy Recognition of the need for a National strategy NCSec is announced & planned. NCSec is operational for all key activities NCSec is under regular review NCSec is under continuous improvement SP2 Identify a lead institution for developing a national strategy, and 1 lead institution per stakeholder category Some institutions have an individual cybersecurity strategy Lead institutions are announced for all key activities Lead institutions are operational for all key activities Lead institutions are under regular review Lead institutions are under continuous improvement SP3 Identify or define policies of the NCSec strategy Ad-hoc & Isolated approaches to policies & practices Similar & common processes announced & planned Policies and procedures are defined, documented, operational National best practices are applied &repeatable Integrated policies & procedures Transnational best practice SP4 Establish & integrate Risk management process for Identifying & prioritizing protective efforts regarding NCSec (CIIP) Recognition of the need for risk management process in CIIP CIIP are identified & planned. Risk management process is announced Risk management process is approved & operational for all CIIP CIIP risk management process is complete, repeatable, and lead to CI best practices CIIP risk management process evolves to automated workflow & integrated to enable improvement Source: ITU Regional Cyber security Forum for Africa and Arab States,

43 ce National Cybersecurity Assessment SP1 5 EM4 4 SP4 Legend: CC2 CC IO3 IO2 SP1: National Cybersecurity Strategy SP4: CIIP IO2: National Cybersecurity Authority IO3: National-CERT IO5: Cyber Law AC5: Awareness Programme CC1: International Cooperation CC2: National Coordination EM4: Cybersecurity Governance AC5 IO5 Source: ITU Regional Cyber security Forum for Africa and Arab States,

44 RACI Chart / Stakeholders SP1 SP2 SP3 NCSec Strategy Promulgate & endorse a National Cybersecurity Strategy Lead Institutions Identify a lead institutions for developing a national strategy, and 1 lead institution per stakeholder category NCSec Policies Identify or define policies of the NCSec strategy I A C C R C C C I I R I I I I I A C R C C I I R C C C C A C R C I C I R I I SP4 Critical Infrastructures Establish & integrate risk management for identifying & prioritizing protective efforts regarding NCSec (CIIP) A R R C I R C R I Source: ITU Regional Cyber security Forum for Africa R and = Arab Responsible, States, 2009 A = Accountable, C = Consulted, I = Informed Copyright ,(ISC) 2 All Rights Reserved CONFIDENTIAL 44

45 National CybersecurityManagement System Implementation Guide Source: ITU Regional Cyber security Forum for Africa and Arab States,

46 Example: Measuring the effectiveness of Security Apply the vulnerability management lifecycle... Inventory assets Identify vulnerabilities Develop baseline Prioritize based on vulnerability data, threat data, and asset classification plan Monitor known vulnerabilities Watch unpatched systems Alert other suspicious activity Eliminate highpriority vulnerabilities Establish controls Demonstrate progress Source: ITU Regional Cyber security Forum for Africa and Arab States,

47 (ISC)² Update U.S. Government Advisory Board Meeting February 17, 2010 Thank You Copyright , 2013, (ISC) 2 All Rights Reserved