Mohamed ElHarras CIIP Strategies and Policies Executive Director



Similar documents
Big Data, Big Risk, Big Rewards. Hussein Syed

Information Security Policy

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

The State of Industrial Control Systems Security and National Critical Infrastructure Protection

TEL2813/IS2820 Security Management

Italy. EY s Global Information Security Survey 2013

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Information Security Services

Address C-level Cybersecurity issues to enable and secure Digital transformation

ACE European Risk Briefing 2012

The Human Factor of Cyber Crime and Cyber Security

Cyber Security & Data Privacy. January 22, 2014

2015 Information Security Awareness Catalogue

Research Topics in the National Cyber Security Research Agenda

Contents The College of Information Science and Technology Undergraduate Course Descriptions

Threats to Local Governments and What You Can Do to Mitigate the Risks

CUSTOMER SECURITY AWARENESS: A Key Defense Against Corporate Account Takeover & Cyber Fraud

Secure Code Development

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

Applying LT Auditor+ to Address Regulatory Compliance Issues

OECD PROJECT ON CYBER RISK INSURANCE

What legal aspects are needed to address specific ICT related issues?

Compliance Services CONSULTING. Gap Analysis. Internal Audit

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

Qatar Computer Emergency Team

GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE CYBER SECURITY AND CYBER CRIME SEPTEMBER 26, CEO EDS Corporation

White Paper. Information Security -- Network Assessment

Fostering Incident Response and Digital Forensics Research

Cybersecurity. Considerations for the audit committee

Introduction to Cybersecurity Overview. October 2014

Cyber Security Recommendations October 29, 2002

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

CONSULTING IMAGE PLACEHOLDER

NIST National Institute of Standards and Technology

Privacy and Security in Healthcare

Defending Against Data Beaches: Internal Controls for Cybersecurity

ITU National Cybersecurity/CIIP Self-Assessment Tool

Changing the Enterprise Security Landscape

CYBER SECURITY, A GROWING CIO PRIORITY

Assessing the strength of your security operating model

How To Handle A Threat From A Corporate Computer System

Social Engineering and Reverse Social Engineering Ira S. Winkler Payoff

Course Design Document. Information Security Management. Version 2.0

The Human Firewall How Security Awareness Impacts Your Control Environment

Syllabus: AIT Best Practices Managing Security and Privacy for Cloud Computing

A Detailed Strategy for Managing Corporation Cyber War Security

TUSKEGEE CYBER SECURITY PATH FORWARD

Welcome to this ACT webinar

Security Awareness & Securing the Human. By: Chandos J. Carrow, CISSP System Office - Information Security Officer Virginia Community College System

OIG Security Audit: What You Need To Know

SECURITY CONSIDERATIONS FOR LAW FIRMS

Bellevue University Cybersecurity Programs & Courses

Session 9: 20 Questions You Should Answer About Your Cyber Security Readiness Jeff Thomas, Partner, KPMG Ivan Alcoforado, Senior Manager, KPMG

10 Smart Ideas for. Keeping Data Safe. From Hackers

safe surfer seminar Martin Hellweg, Author

ALM Virtual Corporate Counsel Managing Cybersecurity Risks and Mitigating Data Breach Damage

defense through discovery

Cyber Stability 2015 Geneva, 09 July African Union Perspectives on Cybersecurity and Cybercrime Issues.

Central Asian Information Security Survey Results (2014) Insight into the information security maturity of organisations, with a

Security Defense Strategy Basics

Cyber security initiatives in European Union and Greece The role of the Regulators

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Patching & Malicious Software Prevention CIP-007 R3 & R4

Developing a Successful Security Awareness Training Program. Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc.

Energy Industry Cybersecurity Report. July 2015

HOW SECURE IS YOUR ORGANIZATION FROM CYBER CRIME? Presented by

The Security Organization p. 1 Anecdote p. 2. Introduction

Penetration Testing Getting the Most out of Your Assessment. Chris Wilkinson Crowe Horwath LLP September 22, 2010

Exam 1 - CSIS 3755 Information Assurance

Information Security in Business: Issues and Solutions

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

Cyber Security Research and Development: A Homeland Security Perspective

Security Issues with the Military Use of Cellular Technology Brad Long, Director of Engineering, IFONE, Inc.

Developing a robust cyber security governance framework 16 April 2015

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Northrop Grumman Cybersecurity Research Consortium

National Cyber Security Strategy of Afghanistan (NCSA)

Protecting your business interests through intelligent IT security services, consultancy and training

Why Encryption is Essential to the Safety of Your Business

(Instructor-led; 3 Days)

Supplier Security Assessment Questionnaire

Introduction. Special thanks to the following individuals who were instrumental in the development of the toolkits:

Ahead of the threat with Security Intelligence

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Education as a defense strategy. Jeannette Jarvis Group Program Manager PSS Security Microsoft

Cybersecurity Strategic Consulting

ESKISP Manage security testing

Security for the Cloud of Clouds

Industrial Security & Compliance Using the Holistic Lifecycle Model

The Senior Executive s Role in Cybersecurity. By: Andrew Serwin and Ron Plesco.

An Overview of Cybersecurity and Cybercrime in Taiwan

IT Security & Compliance Risk Assessment Capabilities

Cybersecurity Definitions and Academic Landscape

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

How Companies Can Improve Website & Web Application Security. Even with a Tight IT Budget

Transcription:

EGYPT National Telecom Regulatory Authority Integrating The Information Security Awareness in Critical Infrastructure Firms Mohamed ElHarras CIIP Strategies and Policies Executive Director Agenda The Connectivity Dissemination. Current / Proposed Defense Models. The Critical Infrastructure Information (CII). The Importance of Awareness. Case Study: Mobile Operators. Q&A 2 1

The Dissolve of Political Borders The Internet has made it possible to connect (hence access or attempt to access) any computing device on/off the net. 3 The Consequences The Threat of pervasive and ubiquitous computing while tools of attacks becomes more available as wrap up for non technical people. 4 2

The Current Defense Model With that large number of connections, it will not be feasible (or possible) for effective defense to the individual citizen level. Cyber warfare Cyber terrorism Government Responsibility Industrial espionage Cyber crime Private Sector Responsibility 5 As Per this Model The cyber security staff is the focal point to handle : Detection. Reaction. Correction. Prevention. The current model requires: On going increase in the number of specialized staff. Associated increasing costs. Does not cover all possible weak points. 6 3

Balancing the Model Push the line of defense to non specialized individuals. Rely more on human element to help detecting basic threats / anomalies at early stage. The Individual is the First Line of Defense. We need to build his capacity of self-defense. 7 Massive impact. Quick win. Selecting the Points of Defense Fast deployment. Minimum cost. On going. 8 4

The Critical Infrastructure Sectors Affects large sectors of the society or the ability of the government to do its function. Usually owned or operated by the private sector. Each CI sector affects other sectors in a domino effect model. The list of CI Sectors includes: Government services Financial service Telecommunication Energy Transportation Health Services Etc. 9 Case Study: Mobile Telecoms 10 5

The Telecom Critical Information Infrastructure Pervasive and ubiquitous information on : Call details social patterns and relations..etc. Location details movement patterns, spontaneous location check..etc. Live call (on air). Network architecture layout (BTS, BSC, MSC,..etc.) Network coverage plans. Network security measures (on air, core network,..etc.) Affects majority of the society. Finance Media Emergency Service Telecom Health Energy / Transportation Etc. 11 The Telecom in the Arab Countries 120 100 80 60 40 Connections (m.) Population (m.) Unique subscriber (m.) 20 0 Mobile penetration in the Middle East (Source: GSMA Report, 2014) 12 6

How to Measure Awareness Check list auditing approach. The questionnaire approach. Interviews: sample staff. Observation : staff / processes. Focus group: representing business areas. Case study (usually after incidents). id 13 Common Corporate Perception of Security Top Management : security is necessary but to the minimum required by law. Employees: computer security is an obstacle to productivity. A common feeling is that we are paid to produce, not to protect or Security is not on my objectives list. 14 7

Security Knowledge Matrix Awareness Training Education Level Information Knowledge Insight Objective Recognition Skill Understanding Channel Media Practical Instruction Example Test Method Video, Newsletter, Poster, giveaways True/False MCQ Lectures, case study, hands-on practice Problem solving Theoretical Instruction Seminars, essays Essay Attribute What How Why Source: NIST800 15 Security Awareness Program Life Cycle Execute Different Get channels Commitment Embed in Objectives Top management Planning HR Timeframe CS, Sales,..etc. Objectives Audience Measure Depth Snap Channels shot of Cost current status Team/ materials KPIs Measure Change in behavior Consider feed back Improve program Change in staff behavior is the best result we can get 16 8

Message Delivery Gathering Points. Firm restaurants. Banners by access points (doors / elevator). Stickers by electronic gates. Internal Communications: Newsletter. Company briefing meetings. Monthly message from the CEO. Interaction with Company Systems: Screen savers. Screen wallpapers. Logon message. Daily tips. Quick quiz. Computer-based training. 17 Background work Human Resources. Incorporate security awareness in job responsibilities when applicable. Proportionately add security awareness to employees appraisal system. Prepare the rewarding system for program heroes. Review materials for message correctness and balance. Legal / Regulatory: Add relevant laws / regulations to awareness program. Highlight law penalties in case of violations. Add other related issues (e.g. fraud, corruption..etc.) Give examples from legal arena. 18 9

Not fitting the environment. Inadequate planning. Common Pitfalls Not addressing applicable legal / regulatory requirements. No motivation for staff. Budget mismanagement or inadequate budget. No leadership support. Information overload Not sharing experience. Not evaluating the effectiveness of training. 19 The Impact of Social Engineering Psychological manipulation of people to do action / divulging confidential information. Most common in people-facing functions (e.g. customer care agents, technical support, marketing ). Best technique: The familiar customer normal to be there so the CC lowers selfdefense. The angry customer angry at someone else rather than the target CC agent. The knowledgeable customer customer equipped with the necessary information about the company. How to fight? Training listen to customer calls, give examples. Prepare scripts to handle social engineering situations. Stick to the process. Train fro non-verbal communications. 20 10

Data Leak Crafted Attacks Exploits zero-day / undocumented vulnerabilities. Involves highly-skilled preparation and know how. Aims at getting the information giving commercial advantage to the company. Target individual functions, typically the C level; the R&D and the Marketing departments. How to fight? Awareness program for the company executive. Proportionate technical measures (e.g. encrypt data, secure email, stringent email rules..etc.) Internal / external stake holders involvement. 21 Channels of Communications 22 Source: multiple internet sites 11

Model Benefits Massive capacity builder. Awareness is a take-home skill. Lower coast per individual compared to building large specialized technical force. Filters false positives. Off load specialized staff to more serious threats. Early detection of some threats. Strategict Organizational Individual 23 Key References 2013 US State of cybercrime Survey. PWC, The Global State of Information Security Survey 2014. Homeland Security Cyber Security Publications at :http://www.dhs.gov/cybersecurity publications publications Homeland Security Critical Infrastructure Security at: http://www.dhs.gov/topic/criticalinfrastructure security ENISA : The European Union Agency for Network and Information Security, publications. GSMA, The Mobile Economy 2014 Report, The Arab States, https://gsmaintelligence.com/research/ The International Society of Security Awareness Professionals http://www.iasapgroup.org/ Rebecca Herold, Managing an Information Security and Privacy Awareness and Program and Training Program, CRC 2011 24 12

Q & A 25 XXXX YYYY 26 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information