SIG ISM WORKSHOP LONDON 2015 Alf Moens
SIG ISM
The aims of the SIG-ISM are:
* Establish a community of NREN security management professionals; develop, maintain and promote a trust framework between NRENs based on international standards
* Promote the use of international security standards and share best practices for security management within NRENs
* Discuss and promote issues of information security management of particular interest to NRENs
In the direction of these fundamental points, the 1st SIG-ISM workshop, held at Imperial College in London, wishes to bring together CISOs and all people interested in ISM to develop and strengthen the ISM community around the globe.
Agenda Tuesday
12:30-13:30 Arrival and registration
13:30-13:45 Welcome and introduction - Alf Moens (SURF)
13:45-14:15 How to gain and maintain ISO 27001 certification - Urpo Kaila (CSC)
14:15-14:45 Jisc and ISO 27001 - James Davis (Jisc)
14:15-14:45 Coffee break
14:45-16:45 Round-table discussions: What do NRENs need to implement as a standard? The aim of this discussion is to generate a document highlighting the basic steps NRENs should follow to implement security management.
16:45-17:00 Summary of the day
17:00-19:00 Checking in...
19:00-21:00 Joint dinner
Introduction SIG ISM
Steering committee: started autumn 2014 at the workshop in Utrecht; monthly VC meetings: James, Rolf, Wayne, Alf
Charter: approved!
Participation: free for anyone, but aimed at security officers of NRENs
It's not about incidents, it's about security management.
Reach out to other Task Forces and SIGs
Maintain a register of security officers
Should we work on a trust framework?
Agenda Wednesday
09:00-09:30 Risk Registers, the good and the bad: Making Real Change - Wayne Routly (GEANT)
09:30-10:30 Round-table discussions: Risk analysis. The aim of this discussion is to generate a short paper on the current risks and the new threats coming up.
10:30-11:00 Coffee break
11:00-11:30 Finalising the discussion on risks
11:30-12:20 REFEDS and SIG-ISM - Nicole Harris (GEANT)
12:20-12:30 Discussion about future meetings and wrap-up
Participants
Alf Moens - SURFnet bv
Wayne Routly - DANTE
Alessandra Scicchitano - GEANT Association
Dominique Launay - GIP RENATER
Maciej Milostan - PSNC / PIONIER
John Chapman - Jisc
Antonio Fuentes Bermejo - RedIRIS
Fernand De Decker - BELNET
Rolf Sture Normann - UNINETT AS
Cynthia Wagner - Fondation RESTENA
Thomas Tam - Canada's Advanced Research and Innovation Network
Jacob Asbæk Wolf - NORDUnet A/S
Øivind Høiem - UNINETT AS
James Davis - Jisc
Urpo Kaila - CSC - IT Center for Science Ltd.
Nicole Harris - GÉANT Association
Apologized (4):
Aidan Carty - HEAnet
David Simonsen - WAYF - Where are you from
Vlado Pribolsan - AAI@EduHr - Croatian Research and Education Federation
Ralf Groeper - DFN
Standards and certifications
Inventory
- Do you have a security officer? An approved security policy?
- Which standard for information security are you using?
- Are you implementing any certifications? Which? Who is asking for this? How much effort is it?
Discussion
- What standard should an NREN use for information security?
Risk Identification and Management
- Do you perform any risk analysis? Company-wide, for a project, or for an information system?
- What do you need to protect? What are the core assets of an NREN?
- What are the main threats for an NREN?
- What are the main threats for a university?
Threat table (columns: #, Type of threat, Example threat events, Actor, Example incidents, Relevance (chance * impact) for Education / Research / Operations)

1. Accessing or (unauthorised) publishing data
   Events: Theft of research data; Privacy-sensitive information is leaked and published; Design of a research lab falls into the wrong hands; Fraud in gaining access to information about exams and test questions
   Actors: Cybercriminals, Activists, States, Employees
   Example incidents: Exam fraud through disclosure of exam questions; Privacy-sensitive data about students and pupils leaked publicly; Parliamentary questions about an intranet leak at a Hogeschool (university of applied sciences)
   Relevance: Education MIDDLE, Research HIGH, Operations MIDDLE

2. Identity fraud
   Events: Student has someone else sit his exam; Student poses as another student or employee to gain access to exams; Activist poses as a researcher; Student poses as an employee and changes exam results
   Actors: Students, Cybercriminals, Activists
   Example incidents: Parliamentary questions about identity fraud at Hogeschool Windesheim; Fraud in exam admission
   Relevance: Education HIGH, Research MIDDLE, Operations LOW

3. Manipulation of data
   Events: Study results are falsified; Manipulation of research data; Alteration of business operations data
   Actors: Students, Employees
   Example incidents: Student gets four years in prison for changing his grades; Mass fraud by economics students; Student hacks the website and assignment submission system of the Computer Science department
   Relevance: Education HIGH, Research LOW, Operations LOW

4. Espionage
   Events: Research data are intercepted; Intellectual property is stolen via a third party
   Actors: States, Companies & commercial partners, Cybercriminals
   Example incidents: MI5 warned British universities about cyber attacks; NSA hacks Belgian cyber professor; Chinese spy on think tanks with expertise on Iraq
   Relevance: Education LOW, Research HIGH, Operations LOW

5. Disruption of ICT
   Events: DDoS attack takes down IT infrastructure; Critical research data or exam data is destroyed; Research facility setups are sabotaged; Teaching resources become unusable due to malware (e.g. e-learning or the network)
   Actors: Cyber researchers, Activists, Students, Employees
   Example incidents: Distributed Denial of Service attack hits SETI project; Dorifel virus also hits universities; Server took down the Utrecht University network
   Relevance: Education MIDDLE, Research MIDDLE, Operations MIDDLE

6. Take-over or abuse of ICT
   Events: Research facility setups taken over; Systems or accounts are abused for other purposes (botnet, mining, spam)
   Actors: Cybercriminals, Students, Employees
   Example incidents: Yahoo blocks Maastricht University because of spam; Student uses university computers to mine Dogecoin
   Relevance: Education LOW, Research MIDDLE, Operations MIDDLE

7. Create negative image on purpose
   Events: Defacement of website; Social media account hacked and abused
   Actors: Activists, Students, Cyber researchers, Cyber vandals
   Example incidents: Faculty of Arts homepage defaced; Hackers deface MIT website
   Relevance: Education LOW, Research LOW, Operations LOW

Relevance legend: LOW, MIDDLE, HIGH. Source: Cybersecuritybeeld Nederland (Nationaal Cyber Security Centrum, 2014)
Sources for threat information
SURF Cyberdreigingsbeeld 2014: https://www.surf.nl/nieuws/2014/11/handvatten-omcybersecurity-instellingen-te-verbeteren.html
Cyber Security Beeld Nederland 4 (NCSC): https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/trendrapporten/cybersecuritybeeldnederland-4.html
Dutch Cyber Security Council (CSR) (cyber security guide for the board room): http://www.cybersecurityraad.nl/assets/1502517_VENJ_Cybersecurity_UK_vdef.pdf
ENISA Threat Landscape: http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-midyear-2013/at_download/fullreport
World Economic Forum: http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-midyear-2013/at_download/fullreport
Threat Landscape and Good Practice Guide for Internet Infrastructure (columns: Threat type, Threat, Asset types)

Physical attacks
- Unauthorised physical access / unauthorised entries to premises: Hardware, Infrastructure
- Sabotage: Hardware, Infrastructure
Disasters
- Natural disasters: Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources
- Environmental disasters: Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources
Failures/Malfunctions
- Failures of parts of devices: Protocols, Hardware, Software, Information, Services
- Configuration errors: Protocols, Hardware, Software, Information, Services
Outages
- Lack of resources: Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources
- Network outages: Hardware, Software, Information, Services
Unintentional damages (accidental)
- Information leakage/sharing: Hardware, Software, Information, Services, Interconnection
- Unintentional change of data in an information system: Protocols, Hardware, Software, Information, Services
Damage/Loss (IT assets)
- Damage caused by a third party: Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources
- Loss of reputation: Interconnection, Human resources
Nefarious activity/abuse
- Manipulation of hardware and software: Protocols, Hardware, Software, Information, Services
- Denial of service attacks (DoS/DDoS): Hardware, Software, Information, Services
Eavesdropping/Interception/Hijacking
- Interception of compromising emissions: Protocols, Software, Information, Services
- Man in the middle / session hijacking: Software, Information, Services
Legal
- Violations of law or regulation / breaches of legislation: Software, Information, Interconnection, Human resources
- Failure to meet contractual requirements: Software, Information, Interconnection, Human resources
Source: ENISA Threat Landscape and Good Practice Guide for Internet Infrastructure, Jan. 2015