CYBERSECURITY NEXUS CSX. 15 October 2014 ISACA Winchester Chapter


INTRODUCTION
Career
- International Brewer, various roles (1991-1996)
- KPMG, IT Risk Service Line Leader (1996-2012)
- Betfair, Head of Governance, Risk & Assurance (2012-2014)
- Vodafone, Technology Risk, Compliance and Assurance Leader (2014 onwards)
ISACA involvement, past and present
- RiskIT TF, COBIT 5 TF, Cloud Computing TF, Framework Committee Chair
- COBIT 5 for Risk TF Chair, COBIT Growth Strategy TF
- International Vice President, SAC Member, Knowledge Board Chair
Steven Babb, sababb@email.com, @StevenABabb

ABOUT ISACA
Trust in, and value from, information systems
- Global association serving 115,000 IT security, assurance, governance and risk professionals
- Established in 1969
- Members in 180 countries
- 200+ chapters
- Established the COBIT framework
- Offers the CISA, CISM, CGEIT and CRISC certifications

AGENDA
CSX is helping shape the future of cybersecurity through cutting-edge thought leadership, as well as training and certification programs. It gives cybersecurity professionals a smarter way to keep organizations and their information more secure. With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry. Because Cybersecurity Nexus is at the centre of everything that's coming next...
- The evolving security landscape: the driver for change
- How do I respond?
- Cybersecurity Nexus
- Questions

THE EVOLVING SECURITY LANDSCAPE: THE DRIVER FOR CHANGE

12 JANUARY 2010... THE WORLD CHANGED
12 January 2010... Google honourably disclosed to the world that it had been a victim of modern malware.
- It was soon discovered that Google was one of more than 20 companies successfully targeted by a well organized and coordinated effort to gain access to sensitive systems and information
- Companies targeted were within a range of industries, including the financial, technology and chemical sectors
Source: http://www.eweek.com/c/a/security/google-china-and-the-anatomy-of-the-aurora-attack-255807/

HEARTBLEED
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users.
Source: http://heartbleed.com/
Watch the video on Heartbleed here: https://www.youtube.com/watch?v=8oi_lahhgje
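The slide describes what Heartbleed let an attacker read but not why the read was possible. The following is an added example, not code from the deck or from OpenSSL: a Python model of the TLS Heartbeat message from RFC 6520 (type, 2-byte payload_length, payload, padding) with the pre-fix handler that trusts payload_length beside the post-fix handler that checks it against the record actually received. The "adjacent" bytes and the `echo_*` function names are constructed for illustration.

```python
# Added example (not from the slide deck or OpenSSL): a Python model of the
# TLS Heartbeat message (RFC 6520) showing the missing length check behind
# Heartbleed next to the bounds check the OpenSSL fix introduced.
import struct

HB_REQUEST = 1      # HeartbeatMessageType heartbeat_request
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_len=None, padding: int = MIN_PADDING) -> bytes:
    """Serialise a heartbeat body: type (1 byte), payload_length (2 bytes), payload, padding.
    claimed_len lets a test declare a larger payload than is actually present."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * padding


def echo_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trusts payload_length and copies that many bytes from
    the payload start, ignoring how long the received record really is.
    `memory` models the record followed by whatever happened to sit next to it."""
    hb_type, length = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    return memory[3:3 + length]          # can run past record_len into adjacent data


def echo_fixed(memory: bytes, record_len: int):
    """Post-fix behaviour: discard the record unless type, declared payload and
    minimum padding all fit inside the record that was actually received."""
    if 1 + 2 + MIN_PADDING > record_len:
        return None                       # too short to be a valid heartbeat
    hb_type, length = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + length + MIN_PADDING > record_len:
        return None                       # declared payload overruns the record
    return memory[3:3 + length]


def demo() -> dict:
    # Constructed stand-in for data adjacent to the record in process memory.
    adjacent = b"session=abc123;user=alice;"
    honest = build_heartbeat(b"hello")                     # declares 5, carries 5
    malformed = build_heartbeat(b"hello", claimed_len=30)  # declares 30, carries 5
    return {
        "honest_vulnerable": echo_vulnerable(honest + adjacent, len(honest)),
        "honest_fixed": echo_fixed(honest + adjacent, len(honest)),
        "malformed_vulnerable": echo_vulnerable(malformed + adjacent, len(malformed)),
        "malformed_fixed": echo_fixed(malformed + adjacent, len(malformed)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value!r}")
```

The malformed request makes the vulnerable handler return the five real payload bytes plus 25 bytes it was never sent, while the fixed handler discards the record; the only difference between the two is the second `if` in `echo_fixed`.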

SHELLSHOCK
Shellshock is the name given to a security vulnerability in the Bash "shell," or command-line user interface, first made public on 24 September 2014.
- Like other shells, Bash translates the text-based commands that power users type into command-line interfaces, such as Terminal in Apple OS X or Command Prompt in Microsoft Windows, into languages that computers can understand. Bash is the default shell in OS X and many varieties of Linux but, except for specialized software, does not run in Windows.
- Shellshock is a quirk in Bash that could let an attacker remotely replace environment variables in Bash with functions, or actual commands, which the computer would carry out without verification.
- The computers and devices most vulnerable to Shellshock are those that "listen" to the Internet for commands from other computers, for example a Web server, which constantly gets document requests from Web clients.
Source: http://www.tomsguide.com/us/shellshock-primer,news-19737.html
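The slide's point that listening hosts such as web servers were the exposed ones follows from how CGI passes request headers to scripts as environment variables. As an added example, not from the deck or from any vendor, the detection logic below scans combined-format web server log lines for the Bash function-definition marker "() {" in the request line, Referer and User-Agent, after undoing percent-encoding. The log lines are constructed samples on RFC 5737 documentation addresses, and the function names are this example's own.

```python
# Added example (not from the slide deck): detection logic for Shellshock
# probes in web traffic. Bash imported a function definition from any
# environment variable whose value started with "() {", and CGI servers copy
# request headers into the environment (HTTP_USER_AGENT, HTTP_COOKIE, ...),
# which is what made the bug remotely reachable on "listening" hosts.
import re
from urllib.parse import unquote

# The function-definition marker Bash looked for. Matched anywhere in the
# value (not only at the start) to favour recall during log review.
FUNC_MARKER = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def decode(value: str) -> str:
    """Strip up to two layers of percent-encoding, a common way of hiding the marker."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_fields(fields: dict) -> list:
    """Return the names of request fields whose decoded value carries the marker."""
    return [name for name, value in fields.items() if FUNC_MARKER.search(decode(value))]


def scan_access_log(lines) -> list:
    """Return (client_ip, [field names]) for each line that looks like a Shellshock probe."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue            # not combined format; skip rather than guess
        hit = suspicious_fields(
            {"request": m["request"], "referer": m["referer"], "user_agent": m["agent"]}
        )
        if hit:
            findings.append((m["ip"], hit))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.1 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2014:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"',
    '203.0.113.9 - - [10/Oct/2014:13:56:02 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 200 512 "-" "curl/7.37"',
]


if __name__ == "__main__":
    for ip, fields in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: marker in {', '.join(fields)}")
```

A hit only shows that someone sent the marker; whether the host was exposed depends on the Bash version behind the CGI script, so pair the log search with patch status.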

BECOMING ALL TOO COMMON...
Email addresses and other contact information stored at the European Central Bank (ECB) have been stolen, the organization confirmed on Thursday. Security that protects a database serving its public website has been breached, it said in a statement published on its website, meaning users registering for information on conferences and visits at the ECB have been compromised. It stated that no "internal systems or market-sensitive" information had been part of the data theft and was physically separate from the compromised data.
"The theft came to light after an anonymous email was sent to the ECB seeking financial compensation for the data. While most of the data were encrypted, parts of the database included email addresses, some street addresses and phone numbers that were not encrypted," the central bank said.
Users whose information might be part of the breach are in the process of being contacted, the ECB said, and advised that all passwords on the system have been changed as a precaution.
The bank is just the latest in a long line of companies and public bodies that have experienced a breach. In May, eBay admitted that hackers had attacked its network and accessed some 145 million user records. It now faces an investigation in the US and UK.
Source: http://www.cnbc.com/id/101862753

ADVANCED PERSISTENT THREATS
Advanced, stealthy and chameleon-like in their adaptability, APTs were once thought to be limited to attacks on government networks.
- APTs can happen to any enterprise
- Repeated pursuit of objectives, adaptation and persistence differentiate APTs from a typical attack
- Primarily, the purpose of the majority of APTs is to extract information from systems: this could be critical research, enterprise intellectual property or government information, among other things
APT DEFINITION
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
Source: http://csrc.nist.gov/publications/nistpubs/800-39/sp800-39-final.pdf

BECOMING ALL TOO COMMON...
The Pitty Tiger APT has been targeting telcos, defence companies and at least one government in a cyber-espionage campaign that relies on spear phishing and malware preying on vulnerabilities in Microsoft Office.
In a new whitepaper, security experts at Airbus Defence & Space Cybersecurity Unit detail how the APT has been undetected since at least 2011 and say that its operators have been reliant on an assortment of different malware, including some developed exclusively by the threat actor.
Instead of looking to exploit any zero-day vulnerability, the group relies extensively on spear phishing, malware and vulnerabilities existing on older versions of Microsoft Office, as well as the Heartbleed bug, which continues to affect some 300,000 open-source web servers worldwide.
The campaign apparently starts with a phishing email, with one example promising a holiday along with a Microsoft Office Word attachment. Airbus admits that this is amateur, with the attached Word file infecting the computer with malware, while others relied on an older vulnerability, which affected MS Office versions 2003 through to 2010, SQL Server and other popular enterprise software applications.
The report's authors are in little doubt that the group behind the APT is not state-sponsored, despite China being the likely origin of the group. "They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector."
Source: http://www.scmagazineuk.com/pitty-tiger-apt-exploits-older-version-office-flaws/article/360847/

ISACA APT SURVEY, JULY 2014
- 92% say APTs pose a credible threat to national security or economic stability
- 1 in 5 have experienced an APT attack
- 63% believe it is only a matter of time before their business is targeted
- The majority of survey takers, up to 60%, believed that they have the ability to identify, respond to and stop a successful APT attack
- Up to 82% of survey takers have not updated their agreements with vendors who provide protection against APT
- 67% reported that they haven't held any APT awareness training programs for their employees

ISACA STUDENT SURVEY, APRIL 2014
- The majority of ISACA's student members (88%) plan to work in a field requiring cybersecurity knowledge
- 57% said their university did not offer cybersecurity courses
- Fewer than half say they will have adequate skills for the job
- 74% plan to pursue a cybersecurity-related certificate or certification

HOW DO I RESPOND?

YOU NEED TO BE ON THE OFFENSIVE
Traditional prevention and detection is not enough: you need to move from defensive to offensive.
- Governments cannot prevent intrusions
- Data loss is inevitable
- Attacks will continue
- Companies often breached for years
- New approaches required
Source: http://booksonwaraustralia.com/battle-vietnam-historyaustralian-/180-vietnam-war-offensive-australia-officialhistory.html

IF YOU HAVE IP, YOU ARE A TARGET!
- Assume you are breached
- Prepare for the inevitable
- Start planning
- Define your "win"
- Delay the threat from reaching its goal
- Minimize the loss
- Improvise as you go along
- Are your approaches outdated? If so, review and revise!
Source: http://startupcalgary.ca/wp-content/uploads/2014/01/startupip.png

WHAT DO I DO?
- Build a team
- Establish key relationships
- Inventory existing technologies
- Standardize the investigation process
- Training and governance
- Establish critical capabilities
Source: http://www.cascadestrategy.com/wpcontent/uploads/2012/10/strategy-small1.jpg

CYBERSECURITY NEXUS

WHAT IS IT?
With CSX, business leaders and cyber professionals can obtain the knowledge, tools, guidance and connections to be at the forefront of a vital and rapidly changing industry.
- Secure recognition for your expertise. Our globally accepted certifications help advance skills and careers
- Join a global community of more than 115,000 professionals, innovators and thought leaders. Professional and Student membership
- Enhance your cybersecurity knowledge and skills at our global conferences, workshops and training events
- Find the latest research and expert thinking on standards, best practices, emerging trends and beyond

WHAT IS IT?
Cybersecurity Fundamentals knowledge certificate, available now
- Knowledge-based exam for those with 0 to 3 years' experience
- CISM
- Foundational level covers five domains: Cybersecurity concepts; Cybersecurity architecture principles; Security of networks, systems, applications and data; Incident response; Security of evolving technology
- Online exam. Results are shared immediately, and those who pass receive a certificate
- The content aligns with the US NICE framework and the Skills Framework for the Information Age (SFIA) and was developed by a team of cybersecurity professionals from around the world. The team is involved in all areas of development through content contribution and subject matter expert reviews

WHAT IS IT?
Professional membership
- Membership for IT Audit, Security, Governance and Risk Professionals
Student membership
- ISACA student members join a community of students from more than 300 universities worldwide. ISACA student members major in a variety of areas including: Information systems, Business administration, Accounting, Information technology, Engineering and Computer science
- Student membership provides the knowledge and tools to develop your professional identity. You'll make connections with people who work in your target field, plus those who hire for the positions you seek
"ISACA has consistently maintained a standard that will continue to be a lever for anyone that wants to meet the challenges of the changing world of IT."
"It is the best professional membership I have in terms of value for money."
"Hands down the best association I have ever been involved in: very affordable, valuable information."
"ISACA magazine (the ISACA Journal) and webinars are my most valuable sources of information."

WHAT IS IT?
Conferences
- Euro CACS / ISRM + Global CyberLympics Finals
- North America ISRM, Latin CACS / ISRM
Webinars
- Self-Defense Strategies to Thwart Cloud Intruders: Keep Your Data Safe in the Cloud
- Breaches: A Risk-Based Approach to Identification, Impact Estimation and Effective Remediation
Virtual Conferences
- Full-day educational events, presented online. The virtual event consists of an exhibit hall, conference hall, networking lounge and resource center
Workshops
- Archived: Mobile Security: Overcoming Obstacles, Reducing Risk
- 9 December: Cloud Security
- Cybersecurity Fundamentals Workshop
ISACA was the exclusive host sponsor of the Global CyberLympics World Finals, held in conjunction with the first day of the EuroCACS/ISRM 2014. Global CyberLympics is an international online cybersecurity competition dedicated to finding the top computer network defense teams. Global CyberLympics tests the skills of information security and assurance professionals in teams of 4 to 6 people in areas including:
- Ethical hacking
- Computer network defense
- Computer forensics

WHAT IS IT?
- Articles from ISACA Journal
- Cybersecurity Blog Posts
- The CSX Newsroom
White Papers & Publications
- European Cybersecurity Implementation Series
- Cybersecurity Fundamentals Study Guide**
- Cybersecurity: What the Board of Directors Needs to Ask
- Implementing the NIST Cybersecurity Framework*
- Responding to Targeted Cyberattacks*
- Transforming Cybersecurity*
- Advanced Persistent Threats: How To Manage the Risk To Your Business*
- Advanced Persistent Threat Awareness Study Results
*PDF is free to members; non-members may purchase PDF
**Available for purchase

RECAP
AVAILABLE NOW
- Cybersecurity Fundamentals Certificate and study guide
- Implementing the NIST Cybersecurity Framework Using COBIT 5
- European Cybersecurity Implementation Series
- Transforming Cybersecurity Using COBIT 5
- Responding to Targeted Cyberattacks
- Advanced Persistent Threats: Managing the Risks to Your Business
- 2014 APT Awareness Study
- Cybersecurity webinars and conference tracks (six-part webinar series)
- Cybersecurity Knowledge Center community
COMING SOON
- Cybersecurity practitioner-level certification (first exam: 2015)
- Cybersecurity training courses (November 2014)
- SCADA guidance
- Digital forensics guidance

CAREER PATH
- 0-3 years: Cybersecurity Fundamentals Certificate. No experience required; must pass knowledge-based exam
- 3-5 years: Cybersecurity practitioner-level certification. Coming in mid-2015
- 5+ years: Certified Information Security Manager certification. 25,000+ professionals certified since inception

Among the resources also coming from ISACA this month are:
- Two free webinars: Why Implement the NICE Cybersecurity Workforce Framework?; Data-centric Audit and Protection: Reducing Risk and Improving Security Posture
- A cybersecurity Twitter chat on 22 October with ISACA International President Rob Stroud and International Vice President Ramsés Gallego
- Two cybersecurity training courses: Implementing the NIST Cybersecurity Framework Using COBIT 5; COBIT 5 for Security Assessors
- Cybersecurity Teaching Materials
- Cybersecurity Student Handbook
http://www.isaca.org/knowledge-Center/Blog/Lists/Posts/Post.aspx?utm_campaign=ISACA+Main&cid=sm_1104943&utm_content=1413225083&utm_source=googleplus&utm_medium=social&appeal=sm&id=450

EUROPEAN CYBERSECURITY IMPLEMENTATION SERIES
- Cybersecurity is emerging to address increases in cybercrime and, in some instances, cyberwarfare
- Factors contributing to the need for improved cybersecurity include: ubiquitous broadband, IT-centric business and society, and social stratification of IT skills
- To address cybercrime, many governments and institutions launched cybersecurity initiatives, ranging from guidance, through standardisation, to comprehensive legislation and regulation
- ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice
Available now! http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/european-cybersecurity-implementation-Series.aspx

EUROPEAN CYBERSECURITY IMPLEMENTATION SERIES
- European Cybersecurity Implementation: Overview. A high-level overview of implementing cybersecurity in line with existing laws, standards and other guidance
- European Cybersecurity Implementation: Assurance. This paper focuses on assurance in cybersecurity. In Europe, cybersecurity assurance is an integral part of the internal system of controls that was introduced by EU directive, and implemented subsequently as statutes in the member states
- European Cybersecurity Implementation: Resilience. This paper focuses on resilience in cybersecurity. In the EU and associated countries, the concepts of resilience and cybersecurity are rapidly converging
- European Cybersecurity Implementation: Risk Guidance. This paper focuses on risk guidance in a cybersecurity context, and drills down into the risk management aspects of European cybersecurity
- European Cybersecurity Audit/Assurance Program. This audit/assurance program provides management with an impartial and independent assessment relating to the effectiveness of cybersecurity and related governance, management and assurance

TRANSFORMING CYBERSECURITY USING COBIT 5
Eight Key Principles:
1. Understand the potential impact of cybercrime and warfare on your enterprise.
2. Understand end users, their cultural values and their behavior patterns.
3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.
4. Establish cybersecurity governance.
5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)
6. Know the cybersecurity assurance universe and objectives.
7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)
8. Establish and evolve systemic cybersecurity.

THANK YOU
www.isaca.org/cyber
For more information: news@isaca.org