CYBERSECURITY NEXUS CSX. 15 October 2014 ISACA Winchester Chapter

Transcription

1 CYBERSECURITY NEXUS CSX 15 October 2014 ISACA Winchester Chapter

2 INTRODUCTION Career International Brewer, various roles ( ) KPMG, IT Risk Service Line Leader ( ) Betfair, Head of Governance, Risk & Assurance ( ) Vodafone, Technology Risk, Compliance and Assurance Leader (2014..) ISACA involvement past and present RiskIT TF, COBIT 5 TF, Cloud Computing TF, Framework Committee Chair COBIT 5 for Risk TF Chair, COBIT Growth Strategy TF International Vice President, SAC Member, Knowledge Board Chair Steven Babb

3 ABOUT ISACA Trust in, and value from, information systems Global association serving 115,000 IT security, assurance, governance and risk professionals Established in 1969 Members in 180 countries 200+ chapters Established the COBIT framework Offers the CISA, CISM, CGEIT and CRISC certifications

4 AGENDA CSX is helping shape the future of cybersecurity through cutting-edge thought leadership, as well as training and certification programs. It gives cybersecurity professionals a smarter way to keep organizations and their information more secure. With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry. Because Cybersecurity Nexus is at the centre of everything that s coming next... The evolving security landscape the driver for change How do I respond Cybersecurity Nexus Questions

5 THE EVOLVING SECURITY LANDSCAPE THE DRIVER FOR CHANGE

6 12 JANUARY THE WORLD CHANGED Source: 12 January Google honourably disclosed to the world that it had been a victim of modern malware. It was soon discovered that Google was one of more than 20 companies successfully targeted by a well organized and coordinated effort to gain access to sensitive systems and information Companies targeted were within a range of industries, including the financial, technology and chemical sectors

7 HEARTBLEED The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, , instant messaging (IM) and some virtual private networks (VPNs) The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users Source: Watch the video here on Heartbleed:

8 SHELLSHOCK Shellshock is the name given to a security vulnerability in the Bash "shell," or command-line user interface, first made public on 24 September 2014 Like other shells, Bash translates the text-based commands that power users type into command-line interfaces such as Terminal in Apple OS X or Command Prompt in Microsoft Windows into languages that computers can understand. Bash is the default shell in OS X and many varieties of Linux, but, except for specialized software, does not run in Windows Shellshock is a quirk in Bash that could let an attacker remotely replace environment variables in Bash with functions, or actual commands, which the computer would carry out without verification The computers and devices most vulnerable to Shellshock are those that "listen" to the Internet for commands from other computers. For example, a Web server, which constantly gets document requests from Web clients Source:

9 BECOMING ALL TOO COMMON... addresses and other contact information stored at the European Central Bank (ECB) have been stolen, the organization confirmed on Thursday Security that protects a database serving its public website has been breached, it said in a statement published on its website, meaning users registering for information on conferences and visits at the ECB have been compromised It stated that no "internal systems or market-sensitive" information had been part of the data theft and was physically separate from the compromised data "The theft came to light after an anonymous was sent to the ECB seeking financial compensation for the data. While most of the data were encrypted, parts of the database included addresses, some street addresses and phone numbers that were not encrypted," the central bank said Users whose information might be part of the beach are in the process of being contacted, the ECB said, and advised that all passwords on the system have been changed as a precaution The bank is just the latest in a long line of companies and public bodies that have experienced a breach. In May, ebay admitted that hackers had attacked its network and accessed some 145 million user records. It now faces an investigation in the US and UK Source:

10 ADVANCED PERSISTENT THREATS ADVANCED, STEALTHY AND CHAMELEON-LIKE in its adaptability, APTs were once thought to be limited to attacks on government networks APTs can happen to any enterprise Repeated pursuit of objectives, adaptation and persistence differentiate APTs from a typical attack Primarily, the purpose of the majority of APTs is to extract information from systems this could be critical research, enterprise intellectual property or government information, among other things APT DEFINITION An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives Source:

11 BECOMING ALL TOO COMMON... The Pitty Tiger APT has been targeting telcos, defence companies and at least one government in a cyber-espionage campaign that relies on spear phishing and malware prying on vulnerabilities in Microsoft Office In a new whitepaper, security experts at Airbus Defence & Space Cybersecurity Unit detail how the APT has been undetected since at least 2011 and say that its operators have been reliant on an assortment of different malware, including some developed exclusively by the threat actor Instead of looking to exploit any zero-day vulnerability, the group relies extensively on spear phishing, malware and vulnerabilities existing on older versions of Microsoft Office as well as the Heartbleed bug, which continues to affect some 300,000 open-source web servers worldwide The campaign apparently starts with a phishing , with one example promising a holiday along with a Microsoft Office Word attachment. Airbus admits that this is amateur with the attached Word file infecting the computer with malware, while others relied on an older vulnerability, which effected MS Office versions 2003 through to 2010, SQL Server and other popular enterprise software applications The report's authors are in little doubt that the group behind the APT is not state-sponsored, despite China being the likely origin of the group. They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector. Source:

12 ISACA APT SURVEY JULY % say APTs pose a credible threat to national security or economic stability 1 in 5 have experienced an APT attack 63% believe it is only a matter of time before their business is targeted The majority of survey takers up to 60% believed that they have the ability to identify, respond to and stop a successful APT attack Up to 82% of survey takers have not updated their agreements with vendors who provide protection against APT 67% reported that they haven t held any APT awareness training programs for their employees

13 ISACA STUDENT SURVEY APRIL 2014 The majority of ISACA s student members (88%) plan to work in a field requiring cybersecurity knowledge 57% said their University did not offer cybersecurity courses Fewer than half say they will have adequate skills for the job 74% you plan to pursue a cybersecurity related certificate or certification

14 HOW DO I RESPOND

15 YOU NEED TO BE ON THE OFFENSIVE Traditional prevention and detection is not enough you need to move from defensive to offensive Governments cannot prevent intrusions Data loss is inevitable Attacks will continue Companies often breached for years New approaches required Source:

16 IF YOU HAVE IP YOU ARE A TARGET! Assume you are breached Prepare for the inevitable Start planning Define your Win Delay the Threat from reaching its goal Minimize the loss Improvise as you go along Are your approaches outdated? If so review and revise! Source:

17 WHAT DO I DO? Build a team Establish key relationships Inventory Existing Technologies Standardize the Investigation Process Training and Governance Establish Critical Capabilities Source:

18 CYBERSECURITY NEXUS

19

20 WHAT IS IT? With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry Secure recognition for your expertise. Our globally accepted certifications help advance skills and careers Join a global community of more than 115,000 professionals, innovators and thought leaders Professional and Student membership Enhance your cybersecurity knowledge and skills at our global conferences, workshops and training events Find the latest research and expert thinking on standards, best practices, emerging trends and beyond

21 WHAT IS IT? Cybersecurity Fundamentals knowledge certificate available now knowledge based exam for those with 0 to 3 years experience CISM Foundational level covers five domains: Cybersecurity concepts Cybersecurity architecture principles Security of networks, systems, applications and data Incident response Security of evolving technology Online exam. Results are shared immediately, and those who pass receive a certificate The content aligns with the US NICE framework and the Skills Framework for the Information Age (SFIA) and was developed by a team of cybersecurity professionals from around the world. The team is involved in all areas of development through content contribution and subject matter expert reviews

22 WHAT IS IT? Professional membership Membership for IT Audit, Security, Governance and Risk Professionals Student membership ISACA student members join a community of students from more than 300 universities worldwide. ISACA student members major in a variety of areas including: Information systems, Business administration, Accounting, Information technology, Engineering and Computer science Student membership provides the knowledge and tools to develop your professional identity. You'll make connections with people who work in your target field, plus those who hire for the positions you seek ISACA has consistently maintained a standard that will continue to be a lever for anyone that wants to meet the challenges of the changing world of IT. It is the best professional membership I have in terms of value for money. Hands down the best association I have ever been involved in very affordable, valuable information. ISACA magazine (the ISACA Journal) and webinars are my most valuable sources of information.

23 WHAT IS IT? Conferences Euro CACS / ISRM + Global CyberLympics Finals North America ISRM, Latin CACS / ISRM Webinars Self-Defense Strategies to Thwart Cloud Intruders: Keep Your Data Safe in the Cloud Breaches: A Risk-Based Approach to Identification, Impact Estimation and Effective Remediation Virtual Conferences Full-day educational events, presented online. The virtual event consists of an exhibit hall, conference hall, networking lounge and resource center Workshops Archived Mobile Security: Overcoming Obstacles, Reducing Risk 9 December Cloud Security Cybersecurity Fundamentals Workshop ISACA was the exclusive host sponsor of the Global CyberLympics World Finals, held in conjunction with the first day of the EuroCACS/ISRM 2014 Global CyberLympics is an international online cybersecurity competition dedicated to finding the top computer network defense teams. Global CyberLympics tests the skills of information security and assurance professionals in teams of 4 to 6 people in areas including: Ethical hacking Computer network defense Computer forensics

24 WHAT IS IT? Articles from ISACA Journal Cybersecurity Blog Posts The CSX Newsroom White Papers & Publications European Cybersecurity Implementation Series Cybersecurity Fundamentals Study Guide** Cybersecurity: What the Board of Directors Needs to Ask Implementing the NIST Cybersecurity Framework* Responding to Targeted Cyberattacks* Transforming Cybersecurity* Advanced Persistent Threats: How To Manage the Risk To Your Business* Advanced Persistent Threat Awareness Study Results *PDF is free to members; non-members may purchase PDF **Available for purchase

25 RECAP AVAILABLE NOW Cybersecurity Fundamentals Certificate and study guide Implementing the NIST Cybersecurity Framework Using COBIT 5 European Cybersecurity Implementation Series Transforming Cybersecurity Using COBIT 5 Responding to Targeted Cyberattacks Advanced Persistent Threats: Managing the Risks to Your Business 2014 APT Awareness Study Cybersecurity webinars and conference tracks (six-part webinar series) Cybersecurity Knowledge Center community COMING SOON Cybersecurity practitioner-level certification (first exam: 2015) Cybersecurity training courses (November 2014) SCADA guidance Digital forensics guidance

26 CAREER PATH 0-3 years: Cybersecurity Fundamentals Certificate No experience required, must pass knowledge-based exam 3-5 years: Cybersecurity practitioner-level certification Coming in mid years: Certified Information Security Manager certification 25,000+ professionals certified since inception

27 Among the resources also coming from ISACA this month are: Two free webinars: Why Implement the NICE Cybersecurity Workforce Framework? Data-centric Audit and Protection: Reducing Risk and Improving Security Posture A cybersecurity Twitter chat on 22 October with ISACA International President Rob Stround) and International Vice President Ramsés Gallego Two cybersecurity training courses: Implementing the NIST Cybersecurity Framework Using COBIT 5 COBIT 5 for Security Assessors Cybersecurity Teaching Materials Cybersecurity Student Handbook Center/Blog/Lists/Posts/Post.aspx?utm_campaign=ISACA+Main&cid=sm_ &utm_content= &utm_source =googleplus&utm_medium=social&appeal=sm&id=450

28 EUROPEAN CYBERSECURITY IMPLEMENTATION SERIES Cybersecurity is emerging to address increases in cybercrime and, in some instances, cyberwarfare Factors contributing to the need for improved cybersecurity include: ubiquitous broadband, IT-centric business and society, and social stratification of IT skills. To address cybercrime, many governments and institutions launched cybersecurity initiatives, ranging from guidance, through standardisation, to comprehensive legislation and regulation ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice Available now! Series.aspx

29 EUROPEAN CYBERSECURITY IMPLEMENTATION SERIES European Cybersecurity Implementation: Overview a high-level overview of implementing cybersecurity in line with existing laws, standards and other guidance European Cybersecurity Implementation: Assurance this paper focuses on assurance in cybersecurity. In Europe, cybersecurity assurance is an integral part of the internal system of controls that was introduced by EU directive, and implemented subsequently as statutes in the member states European Cybersecurity Implementation: Resilience this paper focuses on resilience in cybersecurity. In the EU and associated countries, the concepts of resilience and cybersecurity are rapidly converging European Cybersecurity Implementation: Risk Guidance this paper focuses on risk guidance in a cybersecurity context, and drills down into the risk management aspects of European cybersecurity European Cybersecurity Audit/Assurance Program this audit/assurance program provides management with an impartial and independent assessment relating to the effectiveness of cybersecurity and related governance, management and assurance

30 TRANSFORMING CYBERSECURITY USING COBIT 5 Eight Key Principles: 1. Understand the potential impact of cybercrime and warfare on your enterprise. 2. Understand end users, their cultural values and their behavior patterns. 3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise. 4. Establish cybersecurity governance. 5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.) 6. Know the cybersecurity assurance universe and objectives. 7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.) 8. Establish and evolve systemic cybersecurity.

31 THANK YOU For more information: