Asia Policy Partners LLC 2015

Transcription

1 MoDev Hong Kong FinTech Seminar April 11 Hong Kong Cyberport Mr. Michael Mudd Secretary - General,Asia Pacific and MEA, The Open Computing Alliance

2 Health check: Customers demands are changing Developing a robust cyber security governance framework Managing risk factors in Technology Outsourcing KPIs to assess your readiness Recommendations

3 Technology Mega Trends Internet + Cloud Mobility Social Media Big Data Business Landscape Cost Effective Drive Innovation Enhance Customer Services Attract and Retain Customers Service - Anytime, any place, any device, any channel Mostly delivered by some form of Cloud Service

4 Recent security breaches ( 2014-) EBay 145 million records Target Stores 40 million records Home Depot 46 million records JP Morgan Chase 76 million records Anthem Insurance - 80 million records Various reasons Poor technical security controls and standards Stolen employee log in credentials Malware on POS systems Insider knowledge of programs and software -biggest-data-breaches-hacks/

5

6 Kaspersky Lab, INTERPOL, Europol report. 100 banks, e-payment systems. 30 countries. Up to $10 million per bank. spear phishing - infect employees computer. Inserts Carbanak malware that tracked Administrators computers for video surveillance. Learned procedures over many months. Individual customers unaware it was the bank that was robbed

7 Build on Assume Breach as a foundational concept Making sure the risk qualifiers used within the cybersecurity program are similar to the ones used by the Organization s Enterprise Risk Management program (same levels of impact and likelihood) Be crystal clear on Governance: who is responsible for evaluating the security posture of each department, who is responsible to deploy and monitor the mitigating controls. Ensure a very clear policy on escalation and managing disagreement (between you security team and business line managers for example).

8

9 While not a risk management process itself, a framework fosters: Cyber-security risk management approaches that take into account the interaction of multiple risks; Cyber-security risk management approaches that address both traditional information technology and operational technology. Cyber-security risk management practices that encompass the entire organization, exposing dependencies that often exist within large, mature, and/or diverse entities, and with the interaction between the entities and their partners, vendors, suppliers, and others; Cybersecurity risk management practices that are internalized by the organisation to ensure that decision making is conducted by a risk-informed process of continuous improvement; and Cyber-security standards (including privacy controls) that can be used to support risk management activities Courtesy Tim Grance, Cybersecurity Head, NIST

10 To Build a resilient infrastructure over the need to build a secure infrastructure recovery and continuity are the end goal. To Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. To Provide a prioritized, flexible, repeatable, performancebased, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. To Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations, enable technical innovation and account for organizational differences include guidance for measuring the performance of an entity in implementing a Cybersecurity Framework.

11 cybercriminals whose objective may be to steal money or information for commercial gain, nation states that may acquire information to advance national objectives, and hacktivists whose objectives may be to disrupt and embarrass an entity. documents/industry/p pdf

12 Obtain a better understanding of the types of cyber threats Determine the members risk appetites, exposure, and major areas of vulnerabilities in their IT systems Determine whether the members are managing these threats Share observations and finding with the members

13 HM Treasury, working with the relevant Government agencies, the PRA, the Bank s financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack. CBEST Threat Intelligence Framework: Threat Intelligence Concept of Operations* LEAD IDENTIFY PROTECT DETECT RESPOND RECOVER LEARN * Documents/cbestthreatintelligenceframework.pdf

14 Testing Waking Shark Exercise sector s collective response to largescale cyber attack Industry-led with Authorities support 22 participant firms (investment banks, financial market infrastructure providers and the UK Financial Authorities) plus experts Objectives Assess if firms adopted lessons from WS I ; Exercise communication & information flows established in WS I; Improve understanding of cyber impacts and sector s response fsc/documents/cyberseminarmay2014.pdf

15 Cyber Governance arrangements (Mission, Vision, Strategy, Leadership) Dependence on technology systems and communication networks Identification, assessment and mitigation of relevant cyber-security risks Threat intelligence capabilities Cyber-security incident management capabilities Resilience measures to ensure availability of critical processes Measures to prevent, detect and minimise social engineering attacks Independent assurance to assess adequacy of cybersecurity measures

16 Not all data is created equal! Ensure that Data is classified according to importance and regulatory need (Note this does not apply to SWIFT Messaging) Example levels Low - Internal communications of low information content, customer facing, no encryption. No risk to the business. 2 Moderate - Internal/External communications, all PII moderate encryption. Medium Risk of data loss to reputation 3- High - Critical data such as admin. keys, back up keys High encryption. High Risk to the business with potential regulator intervention should be automated as to content above so the appropriate levels of encryption and controls are applied without user intervention or ability to override. Mail server to automatically classify/encrypt s containing PII etc.).

17 A full-spectrum DLP strategy is required to ensure there is no date loss. Growing use of proliferation of mobile devices and apps, the rise of 'shadow IT', the decline of perimeter security, the data explosion, and the increasingly complex virtualised environments operated by IT can all make DLP more challenging. Cloud services can mitigate data loss and should be part of any DLP strategy

18 To manage online risk in an appropriate way to deliver services with: Data Security Confidentiality Integrity Availability To respond to customers concerns about their data. To reduce costs and improve service. To comply with regulators.

19 2005 to October November 12, 2014 Total Number of Recorded Breaches = 4,912 Total Number of Records Exposed = 673,293,959 and this is just in the US

20 Example; MAS in Singapore is looking at the 3 P s * Principles Preparedness Partnerships This may enable Banks to deliver services with : Confidentiality Integrity Availability Satisfying their regulatory process and managing Data Privacy and Security risks. * -statements/2013/managing-technology-risks-in-the-financial-sector.aspx

21 Today it is essential that security and personal data privacy protection become a priority throughout all levels of the organization. Develop a security and privacy protection framework based on Industry and ISO security standards, universal personal data protection principles and compliance with national regulations and privacy laws. Have the Framework externally certified for adequacy, to build and maintain customers trust and confidence. Build and sustain a culture to protect information and respect privacy through education, technology, processes and procedures. Senior Management and Board of Directors commitment is critical, any failures will reflect directly on them. ( recall Target ) 21

22 The Internet of Things (IoT) where billions of devices will connect through the Cloud, including banks. No comprehensive Data Protection or PII Laws in every jurisdiction that banks do business ISO Standards from the series may provide the framework for national DP and PII laws The ISO series ERM program is a good starting point to bring together cyber security risk management and enterprise risk management which will increase resilience leading to increased consumer trust in online services, be they Cloud based or on premise.

23 ISO was developed to provides appropriate technical and organizational measures to protect personal data Compliance with ISO by CSP s can be assessed by a 3 rd party during an ISO audit ISO will also complement ISO Security techniques Code of practice for information security controls based on ISO/IEC for cloud services (Due mid ) One major CSP has been certified globally (Feb )

24 Shadow IT unapproved apps on corporate hardware inc mobile; E.g. WhatsApp, Viber. Uploading, of data via apps to storage sites outside the corporate network. (20%*). Forwarding of s to unsecure services; e.g. Gmail. 90% of apps are not enterprise grade.* May be addressed by Cloud enabled single sign - on identity lifecycle management. Trustmarque,UK;Netskope research

25 Cloud is a collection of resources that may be accessed via the global IT network. NIST provides a working definition Of Cloud * Cloud computing is a service model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. *Dr. Peter Mell and Tim Grance, NIST Information Technology Laboratory

26 Data and Location Transparency Limits On Data Use (ISO27018 was developed to cover this) Data Separation or Isolation Conditions on Subcontracting

27 Service Provider Reputation and Competence Confidentiality and Certified Security Standards - ISO27001 at a minimum Review, Monitoring and Control Audit

28 Resilience and Business Continuity (ISO 23001) Conditions on Termination

29 Help protect on-premises, hybrid and cloud infrastructure with layered security Encrypt individual files, folders, and removable storage devices Create persistent, secured connections & enable multi-factor authentication Unify management with a single administrator console Proactively meet your compliance needs and ensure data privacy Microsoft

30 Use devices with secured start-up and full-featured anti-malware Prevent unauthorized access to data and remotely wipe devices Provide single sign-on with support for virtual smartcards and biometrics Manage PCs, Windows devices, Apple ios, and Android devices Configure policies with granularity to lock down functionality as needed Microsoft

31 Third party Vulnerability Assessment Services Social Engineering and Penetration Testing Social Engineering and Spear Phishing Testing Wireless Penetration Testing Services Cloud Penetration Testing Services Mobile Device Testing Services Red Team Testing (ethical hacking) Supervisory Control and Data Acquisition (SCADA) Testing

32 Perform a regular SWOT analysis. Benchmark to peers Budget and resource allocation in public records. Staff skill sets and reallocation against peers. Technological and business model changes Outsourcing, Mobile Services Cloud Computing. Matching technology to customers and regulators needs while continually innovating

33 Standards and control testing against industry regulator compliance protocols. Standards and control testing against Privacy Regulator compliance protocols. Standards and control testing against Audit standards compliance protocols. Standards and control testing against Stock Exchange compliance protocols.

34 A day-long session where a consultant would challenge you with specific incident scenario s. Objective is to test the adequacy of the policies/governance and people s behaviour under stress in front of a serious issue, This is so that the organization (not only IT) gets more prepared to handle future real incidents. Preparedness and regular testing is the key!

35 The HKMA has surveyed Banks use of Cloud for non core banking operations. The MAS (Singapore) has approved Cloud for banks on a case by case basis and is now formulating new directives. The APRA (Australia) has approved Cloud for banks subject to approval and a risk management plan for Audit. The Bank of Thailand is currently evaluating Office productivity software delivered in the Cloud. The Bangko Sentral ng Pilipinas (BSP) has issued guidelines for outsourcing in the Cloud.

36 Cloud Outsourcing for Banks is here now

37 Assure adequate staff. This means at least some staff dedicated to incident response. Clearly define roles and responsibilities within IT, risk and regulatory functions, legal, and PR. Increase user awareness/training to anticipate advanced threats. Formalize response processes and procedures Improve vulnerability management.

38 Learn from past incidents and breaches Institute or improve formalized incident response tracking/workflow. Employ centralized or real-time monitoring/alerting covering major portions of the enterprise Improve forensic analysis. Develop or improve cyber threat intelligence

39 Layered security - from the edge (the weakest) to the centre (the Fort Knox ) - is the goal. Protect what is important, not what is just data. critical infrastructure, national heritage, personal data and the financial system - ultimately every citizens personal data and wealth. After ISO270001, move toward NIST 800 security standards Even if the regulator is not asking it, consider standardizing all ebanking activities with 2 factor authentication, mobile phone ubiquity make this cheap. The Singapore Govt is mandating this for their online govt services from July.

40 You need to continually reassess your risk framework for all outsourced services, including Cloud. The pace of technology change is accelerating. Bank robbers have changed. Banks have to change faster. Don t rely just on technology or regulations. Be proactive and equip staff with the skills and budget to beat the bad guys. Test, test and test again!

41 Thank You! Michael Mudd +(852)