Cybersecurity as a Risk Factor in Doing Business

"Data is the new raw material of business" - Economist UK, 2013.
"In trying to defend everything he defended nothing" - Frederick the Great, Prussia, 1712-86.

AMCHAM APCAC 2014, Manila, Philippines
Michael Mudd, Secretary General - APAC, The Open Computing Alliance, London, UK
3/12/2014
Today
- The Threat
- The Framework
- The Action
- The Future
The Threat: Why am I here today?
Cyber attacks on the increase
- Web-based malware attacks doubled in the second half of 2013*
- Web-based attacks represented 26% of the total; the Conficker worm was next with 20%
- Mac attacks saw 51 new variants
- Mobile attacks on the increase: Android accounted for 97% of all in 2013 (208 > 804); Symbian 3%; nil on any other mobile OS (BB/MSFT/iOS)
- Ouroboros cyber weapon used in Ukraine, 2014
* F-Secure Labs, March 2014
One Example - Target stores
- Date: Nov. 27 to Dec. 15
- Credit card data stolen: 40 million
- Estimate used for fraud: 10-15%*
- Estimate fraud per card: $300*
- Value of fraud: $1.4-2.2bn*
- Losses to both banks and Target; does not include fines for the data breach or reputational damage
- Card holders put on credit watch lists
- VISA now insisting on Chip/PIN deployment
* Jefferies Securities, 2014
[Chart: Encountered Malware by Region, 2Q13 (Microsoft)]
RSA 2012 Cybercrime Report
[Chart: Percent of reporting computers by threat category, Singapore vs. Worldwide, 0-12% (Microsoft)]
It's not all about software. From Team Cymru: cross-site request forgery.
The NIST Cybersecurity Framework
Executive Order 13636, Improving Critical Infrastructure Cybersecurity:
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
- NIST is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
- This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.
Courtesy Tim Grance, Cybersecurity Head, NIST
The Cybersecurity Framework:
- include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks;
- provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk;
- identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations;
- enable technical innovation and account for organizational differences;
- include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
Courtesy Tim Grance, Cybersecurity Head, NIST
Cybersecurity Framework Categories and Themes
Categories: Framework Principles; Common Points; Initial Gaps
Themes:
- Flexibility
- Impact on Global Operations
- Risk Management Approaches
- Leverage Existing Approaches, Standards, and Best Practices
- Senior Management Engagement
- Understanding Threat Environment
- Business Risk / Risk Assessment
- Separation of Business and Operational Systems
- Models / Levels of Maturity
- Incident Response
- Cybersecurity Workforce
- Metrics
- Privacy / Civil Liberties
- Tools
- Dependencies
- Industry Best Practices
- Resiliency
- Critical Infrastructure Cybersecurity Nomenclature
Courtesy Tim Grance, Cybersecurity Head, NIST
Framework Core Functions and Profile
- Enables organizations to establish a roadmap to reducing cybersecurity risk
- Can be used to describe the current state and desired target state of specific cybersecurity activities
- Created by determining which Categories are relevant to a particular organization, sector, or other entity
- An organization's risk management processes, legal / regulatory requirements, business / mission objectives, and organizational constraints guide the selection of activities during Profile development
Courtesy Tim Grance, Cybersecurity Head, NIST
[Diagram: Organizational Information and Decision Flows]
Courtesy Tim Grance, Cybersecurity Head, NIST
The Action: Do's and Don'ts
- Someone must be ultimately responsible.
- "If you protect your paper clips and diamonds with equal vigor, you will soon have more paper clips and fewer diamonds" - Dean Rusk (US Secretary of State, 1961-1969)
- Start with simple data classification.
- Know your risks. What are they, where are they?
- Behind every security problem is a human being.
- Do have anti-virus on every machine, including mobiles and tablets.
- If you need help, consider cloud providers.
Microsoft
The Australian Government approach: Australia's Top 35
Grouped on the slide under: Protect the Endpoint; Monitor the Network; Protect Email; Strong Authentication; Defend the Web; Harden Web & Server Apps; Educate Users; Network Segmentation & Segregation; Monitor System Infrastructure.
- Patch & update to current applications
- Patch & update to current operating systems
- Host inspection of Microsoft Office files
- Host-based intrusion detection & prevention
- Inbound host-based firewall
- Use gateway and desktop antivirus
- Lock down operating environments
- Restrict NetBIOS
- Monitor traffic with network IDPS
- Capture all network traffic
- Social engineering education
- Enforce strong passphrases
- Filter email content by whitelist
- Force domain IP lookup
- Restrict administrative privileges
- Use multi-factor authentication
- Implement TLS between email servers
- Filter web content
- Whitelist web domains
- Whitelist HTTP/SSL connections
- Enforced border gateway firewall
- Implement data execution prevention
- Harden server applications
- Disable LanMan
- Blacklist domains at the border gateway
The top four actions that will stop 90% of all threats: Australia's Top 4
- Updating applications and using the latest version of an application (turn on auto-update)
- Patching operating systems
- Keeping admin rights under strict control (and forbidding the use of administrative accounts for email and browsing)
- Whitelisting applications
Microsoft
The Future
- A new model of computing is emerging.
- Layered security from the edge (the weakest) to the centre (the "Fort Knox").
- Protect what is important, not what is just data.
- What is important is critical infrastructure, national heritage, personal data and the financial system - ultimately every citizen's personal data and wealth.
- As was seen in Japan in 2011 and Leyte in 2013, all of this can be destroyed in minutes unless this risk is mitigated.
Securing Critical Data via the Cloud
10 years ago:
- Security and privacy top of mind
- Hacking, virus propagation, cyberespionage and cyberwarfare on the rise
- Enforcement officials need tools & training
- Vehicles for cross-border collaboration inadequate
Today:
- Security and privacy top of mind
- Hacking, virus propagation, cyberespionage and cyberwarfare on the rise
- Enforcement officials need tools & training
- Vehicles for cross-border collaboration inadequate
So what has changed? It's all about trust.
What are the security issues (and benefits) of the cloud? Service provider practices:
- Does the service provider have a documented information security program, and what does it say?
- What security certifications does the service provider have?
- Do they comply with your audit needs and the regulators' needs?
- What are the responsibilities of each party, e.g., in the event of a data breach?
The key is in the contract, the same as with captive outsource service providers today.
Audits and Certifications: ISO 27001, SAS 70 Certified
Cross-Border Data Flows
- Efficiencies and benefits of cloud computing are best achieved when data (information) flows freely across borders: APEC, TPP, AEC.
- The same as business in general; it's all global now.
- Privacy laws that overly restrict such flows can be an impediment to economic growth.
- It is the audit trail that is the real concern of government regulators, customers and investors.
- This has been done for decades by the FSI via captive outsourcing.
A Regulatory Framework for your Money
- Security is about deterring attack.
- Privacy is about creating trust.
- Framework and certifications on security.
- Digital privacy is a top-of-mind concern for customers of banks, insurance and securities.
- Protect what is critical, not what is just data.
- How much should the location of the data matter?
- A ten-point approach for regulators.
A Framework: CONFIDENTIALITY
- System and Location Transparency: SPs should be fully transparent as to where data will be located.
- Limits on Data Use: An SP must not use customers' data for any purpose other than that which is necessary to provide the contracted cloud service(s).
- Data Separation/Isolation: A customer's data must be segregated from other data held by the SP.
- Conditions on Subcontracting: SPs may only use subcontractors if the subcontractors are subject to controls equivalent to those of the SP.
A Framework: INTEGRITY
- Due Diligence and Service Provider Compliance: A customer should have in place a risk management plan that includes measures to address the risks associated with the use of an SP's cloud service(s).
- Security and Confidentiality: Customers should only contract for services with an SP that has been certified to have, and to maintain, robust security measures and comprehensive security policies in place.
- Review, Monitoring and Control: An SP must provide regular reporting and information to demonstrate their continued compliance with agreed standards, legal and contractual requirements throughout the duration of service provision.
- Audit and Access Rights: An SP should provide access and inspection rights to regulators (and those regulated) to demonstrate compliance with all legal and contractual requirements, including regular independent third-party audit results (to SSAE 16 SOC 1 Type II, for example).
A Framework: AVAILABILITY
- Resilience and Business Continuity: An SP must have an effective business continuity plan with appropriate service recovery and resumption times.
- Conditions on Termination: Customers must have contractual rights to terminate their contracts with SPs. To the extent the customer requires it, the SP must, upon termination of the contract, work with the customer to return the customer's data within the agreed contractual period. The SP must permanently delete all backups/copies of the data from the SP's systems after the customer's data is returned. If the data is not to be returned, the SP must permanently delete the customer's data upon termination of the contract.
Acknowledgments: NIST, Tim Grance; Microsoft, Pierre Noel

THANK YOU!
Michael Mudd
+(852) 2830 9936 0 9 0 6 4 7 13450
mmudd@asiapolicypartners.com
www.opencomputingalliance.org