4. DAY #1
1. Cyber Crimes: In-lining Our Perceptions.
2. Why Are We Here Anyway?
3. Situation and Condition in Indonesia and Globally.
4. Problems, Causes and Impacts from Business Perspectives.
5. Identifying Various Threats and Vulnerabilities.
August 2015 4
5. DAY #2
5. Current State of Information (Technology) Security Across Organizations.
6. Designing Effective Strategies and Solutions.
7. What Does the Future State Look Like?
7. What is Crime?
“An event, which subjects the doer to legal punishment or any offence against morality, social order or any unjust or shameful act” ~ Oxford Dictionary
8. What is Crime? (cont’d)
Is doing crime illegal? Is being a criminal the same as being a bad person?
Crime = Illegal against Law + Bad Motive(s) + On Purpose
Crime != Illegal against Law + Unintentional + Good Motive(s)
Crime != Illegal against Law + Unintentional + Bad Motive(s)
Crime != Illegal against Law + On Purpose + Good Motive(s)
9. What is Crime? (cont’d)
And so CRIMES are NOT to be MEASURED by the ISSUE of EVENTS, but by the BAD INTENTION of a PERSON or ENTITY.
10. Defining Cyber Crime
• It’s an unlawful act wherein the computer is either a tool or a target or both.
• Acts that are punishable by the Information Technology Act.
• Happened in and/or through cyber space – a virtual space that has become as important as real space for the economy, business, education, politics, and communities.
11. Defining Cyber Crime (cont’d)
• Former descriptions were "computer crime", "computer-related crime" or "crime by computer".
• With the pervasion of digital technology, some new terms like "high-technology" or "information-age" crime were added to the definition. Also, the Internet brought other new terms, like "cybercrime" and "net crime".
• Other forms include "digital", "electronic", "virtual", "IT", "high-tech" and "technology-enabled" crime.
14. Source: IBM
[2] FBI: Crime in the United States 2013
[3] United California Bank Robbery
[4] Center for Strategic and International Studies
17. Cyber Crime Categories
• Computing Devices as a Target: using those devices to attack other devices, e.g. hacking, virus/worm attacks, DoS attacks, etc.
• Computing Devices as a Weapon: using those devices to commit real-world crimes, e.g. cyber terrorism, credit card fraud and pornography, etc.
Image courtesy of chakreview.com
18. Cyber Crime Categories (cont’d)
From the victim’s point of view:
1. Cyber crime on Persons, e.g. harassment that occurs in cyberspace or through the use of cyberspace (sexual, racial, religious, or other) and cyber bullying.
2. Cyber crime on Groups/Organizations: targeting particular organizations or groups, whether profit or non-profit; often those that are financial industry players.
19. Cyber Crime Categories (cont’d)
3. Cyber crime on Property, e.g. computer vandalism (destruction of others' property), transmission of harmful programs, unauthorized intrusion through cyber space, unauthorized possession of computer information.
4. Cyber crime on Government, e.g. cyber terrorism is one distinct kind of crime in this category.
20. Notable Cyber Attacks
In 2014 the Federal Bureau of Investigation (FBI) listed these, starting from the most frequent one:
• Viruses
• Employee abuse of internet privileges
• Unauthorized access by insiders
• Denial of Service
• System penetration from the outside
• Theft of proprietary information
• Sabotage of data/networks
• Probing/scanning systems
• Financial fraud
21. Notable Cyber Attacks (cont’d)
• Manipulate data integrity
• Installed a sniffer
• Stole password files
• Trojan logons
• IP spoofing
Image courtesy of @TrojanLax
22. Common Cyber Attacks
• Unauthorized access
• Theft of information
• Email bombing
• Data diddling
• Salami attacks
• Denial of Service
Image courtesy of accidentalcreative.com
23. Common Cyber Attacks (cont’d)
• Virus and worm attacks
• Logic bombs
• Trojan attacks
• Internet time thefts
• Web jacking
• Theft of computer system
• Physically damaging a computer system
Image courtesy of indiatimes.com
24. Cyber Criminals: Who Are They?
• Kids (age group below 17)
• Disgruntled employees
• Organized hacktivists
• Professional hackers (corporate espionage), either white or black hats
• Cyber terrorists (political motive)
Image courtesy of Travaux
26. Cyber Crime-as-a-Service Marketplace
• Has continued to mature over the past two years.
• Enables more fraudsters to cash in without needing to understand the chain of fraud, how to phish or spam, or IT infrastructure requirements.
• Has become fiercely competitive.
• Cybercrime 'service providers' must work harder than ever before to win and keep 'customers'.
• Generalized increase in the quality of malware produced.
• Enables a much larger pool of bad actors with no technical knowledge to profit.
27. Cyber Crime-as-a-Service Marketplace (cont’d)
• Many types of attack are simple and low cost.
• Phishing attacks: 500,000 email addresses cost $30.
• Hosting a phishing site can be more or less free.
• Thousands of credit cards can be stolen in return for around $100.
29. Mobile Encounters Larger Attack Surface
• In 2015 1.5 billion units are shipped.[1]
• The vast majority of mobile malware is still focused on the Android platform, due to its open platform and popularity, with 79%; iOS has 15% and the rest 5%. [2]
• Banking Trojans, used with SMS sniffers, are increasing.
Scenario
A user is persuaded through social engineering to download mobile malware from their PC. During an online banking session, a screen pops up inviting the user to download a mobile app (masquerading as a security feature), which is actually an SMS sniffer. When the user's bank detects unusual activity, such as a high-value wire transfer, and sends an out-of-band one-time password to the user's mobile that must be entered to authorize the transaction, the criminal can intercept it and complete the transfer to their own account.
[1] IDC Worldwide Smart Phone 2015-2019 Forecast and Analysis
[2] IDC Worldwide Quarterly Mobile Phone Tracker
30. Mobile-Only Attack Vectors
• Premium rate scams
Scenario: scammers persuade the user to send SMSs or make calls to premium-rate numbers from their mobile, with the scammers collecting the cash that results.
• Data stealers and spying apps
Scenario: these apps switch on a phone's camera or audio, so that a criminal can watch the user's face to see whether he or she is being convinced by a social engineering attempt, or record what the user says during calls to their bank. They can also steal address book data, lift photos from the phone and get the device’s geolocation.
31. Mobile-Only Attack Vectors (cont’d)
• Initiated by rogue mobile apps rather than malware.
• Misuse trust to steal information and money by persuading users to grant them permissions during the installation process.
• Many users simply click 'Next' without reading each screen, and fail to notice.
• The app may thereby gain super-user privileges, which provide full access to the phone's features.
• May even make the app impossible to uninstall.
33. Ransomware Continues
• On mobile devices, such as Police Locker, capitalizing on typical user behavior during installation.
• Gains the privileges needed to lock the device.
• Instructs the victim to pay a ransom to unlock their files (or to 'pay a fine' because the phone supposedly contains 'illegal content').
• Ransoms generally have to be paid via an online payment system, such as Bitcoin, or prepaid cash cards (untraceable and non-reversible).
34. Larger Retail and Financial Attacks
• Shift from attacks on individuals to mass attacks on retailers and financial institutions.
• Banking botnets are becoming more resilient and harder to take down.
• They utilize the deep web and untraceable peer-to-peer networks (TOR and I2P) to increase resilience and anonymity, and hide their infrastructure from law enforcement agencies.
• Private botnets – written specifically for an individual gang (harder to trace and analyze).
• Point of Sale (POS) malware and RAM scrapers are used.
36. Larger Retail and Financial Attacks (cont’d)
• Transferring cash from a bank's system to criminals' own accounts.
• ATM attacks: directly cashing out an ATM.
• Ransom requests: extorting money based on locking private information about a bank's customers.
37. More Targeted and Advanced Threats
Past Scenario
Advanced Persistent Threats (APTs) and other similar advanced attacks centered mainly on spear phishing. Individuals in an organization are targeted with documents containing malicious Trojans. Once downloaded by an unsuspecting employee, the Trojans allow the attacker to establish a foothold in the network.
38. More Targeted and Advanced Threats (cont’d)
Present Scenario
Now, watering-hole attacks. The attacker compromises an organization that is of business interest (partner, subcontractor, vendor, supplier) to the primary target organization. Individual phishing attempts become more convincing, and the likelihood of introducing malware into the target organization's systems is also increasing.
39. More Targeted and Advanced Threats (cont’d)
Example
An attacker could steal personal information from a healthcare organization and use it to send the target organization's employees more personalized emails and links. The level of personalization (health condition or medical practitioner's name) will make it more likely an employee will click on a link and unwittingly download the Trojan.
42. Purpose and Methodology
SURVEY SAMPLE
TOTAL RESPONDENTS: 509 executives at U.S. businesses, law enforcement services and government agencies
MARGIN OF ERROR: +/- 4.3%
SURVEY METHOD
AUDIENCE BASE: CSOonline.com
COLLECTION: Online Questionnaire
TOTAL QUESTIONS: 62
SURVEY GOAL
The U.S. State of Cybercrime Survey is conducted annually to gain insight into and evaluate trends in the frequency and impact of cybercrime incidents, cybersecurity threats, and information security spending. Additionally, the study examines the risks of third-party business partners in private and public organizations.
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
43. Concerns About Cybersecurity
Q: Are you more concerned or less concerned about cybersecurity threats posed to your organization this year (2015) than those you encountered the previous year (2014)?
Q: Please estimate the total monetary value of losses your organization sustained due to cybercrime and advanced persistent threats during the past 12 months, including those costs associated with resolving all issues associated with the incident.
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
44. Security Investments See Increase as Attacks Soar
Q: Compared to the previous year's security budget, how did this past year's security budget change?
Q: What was your organization’s approximate annual IT Security budget for security products, systems, services, and/or staff for each of the following areas during the last 12 months (January 2014-2015)?
SMB (<1,000): Remained the same 60%, Increased 35%, Decreased 5%
Enterprise (1,000+): Remained the same 35%, Increased 55%, Decreased 9%
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
45. Increased Budgets Allow for Spending on Newer Technologies
Q: To address cyber-risks, are your investments and spending focused on:
[Chart: share of respondents, Enterprise (1,000+) versus SMB (<1,000), focusing spending on new technologies, audits & assessments, new skills & capabilities, redesigning cybersecurity strategy, redesigning processes, and participating in knowledge sharing.]
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
46. Supply Chains at Risk; Need C-Suite Attention
Q: Please identify all areas where you consider supply chain/business ecosystem risks?
Q: On average, how often do you evaluate the security of supply chain/business ecosystem partners with which you share data or network access?
[Chart: assessment of business ecosystem risks across third-party vendors, contractors, software, suppliers and procurements.]
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
47. Confidence in Security Solutions Varies
Q: How effective do you consider each of the following technologies in place in your organization in detecting and/or countering security events?
[Chart: responses ranging from "Very effective" and "Somewhat effective" to "Not very effective" and "Not at all effective". 5 most effective solutions: firewalls, SPAM filtering, electronic access control systems, network-based anti-virus, access controls. 5 least effective solutions: manual patch management, change control/configuration management systems, wireless monitoring, automated patch management, video surveillance.]
Source: The 2015 U.S. State of Cybercrime Survey, in partnership with PwC, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon University
49. Here We Go…
• Jan 2015
During the State of the Union address in January 2015, Obama spoke about the critical role of intelligence in combating cyber threats and the need for legislation in this area, by saying:
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.”
“So we're making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism…”
“I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information."
50. Here We Go… (cont’d)
• Feb 2015
Obama signed an Executive Order relating to cyber security.
• Mar 2015
Leaders of the House of Representatives Intelligence Committee introduced legislation to make it easier for companies to share information about cyber security threats with the government, without fear of being sued.
52. Check These Facts Out
Security Threat and Symantec say:
• 36.6 million cyber attacks (35% from outside, the rest from inside the country) from 2012 to 2014.
• 497 cyber crime cases from 2012 to April 2015, of which 389 involved foreigners and 108 local citizens.
• Fake bank accounts, money laundering, artificial LC documents, camouflage posting.
• Accounted for 4.1% of the world's cyber crimes.
• The highest percentage of PCs infected by malware across the globe.
Government CSIRT says:
• 60% of government domains encountered web defacements and 36% were infected by malware.
53. Check These Facts Out (cont’d)
• According to Norton's latest Cyber Crime report, global consumer cyber crime costs over USD 150bn annually.
• Yet the figures for Indonesia are unknown.
• Dakaadvisory predicts around USD 2.3bn in 2013 by multiplying the number of victims by the cost per victim.
• From the Ministry of Communication and IT’s total budget of USD 500m, 1% is allocated for Cyber Security.
54. Estimated Costs of Cyber Crimes in Indonesia
• DAKAAdvisory reveals from 2011 to 2013
55. Putting Them into Global Context
• DAKAAdvisory reveals in 2013
56. How the Indonesian Government Responds
• Telecommunication Act No. 36/1999 focused briefly on Telecommunications Infrastructure; not the internet in particular.
• Information and Transaction Electronic Act No. 11/2008 for legal enforcement against cyber crime.
• Copyright Act No. 19/2002.
• Pornography Act No. 44/2008.
• Electronic System Provider and Electronic Transaction Regulation No. 82/2012.
57. Driving Factors
• Positive economic outlook (>4%)
• Stable inflation and interest rate
• Ranked in the world's top ten in number of internet users (75+ million)
• IT spending is still rising (US$19+B)
• 80% of budget goes to corporates and enterprises
59. Let’s Dig in Deeper…
• Market
• 5+% economic growth
• Stable inflation and interest rate
• 260 million population
• 250 million mobile subscribers
• 70 million netizens
• 55 million mobile netizens
• 40+ million feature phone net users
60. Let’s Dig in Deeper… (cont’d)
• 20% saving account owners
• 7% credit card subscribers
• 50 million Facebookers (Top 5)
• 40 million Twitterers (Top 5)
• 4 million Kaskusers
• Jakarta is the world’s chattiest city
• 85 million middle class
• 245 million domestic trips, 7 million outbound a year
61. Let’s Dig in Deeper… (cont’d)
• 5 million middle class per year
• 3% internet users per year
• Feature & smart phones still promising
• Twitterers to surpass FBers soon
• Heated up by social networks
• Trust gained from the hospitality industry
• Huge potential in e-commerce, online travel space (98% offline) and games
63. Why India?
• 131 million Internet users.
• 68 million Active Internet users.
• 60 million users shop online on e-commerce and online shopping sites.
• 56+ million Social Network users.
• 357 million mobile users had subscribed to Data Packages.
64. Their Cybercrime Situation in 2014
• Third-most targeted country for phishing after the US and UK.
• India is the number 1 country in the world for generating spam.
• The majority are centered on forgery, fraud and phishing.
• Social networks as well as ecommerce sites are major targets.
• 7.9 million bot-infected systems
• 18,348 website defacements
• 7,850 .in and 5,150 .com domains were defaced
• 18,000+ sites hacked
65. IT Act is Their Answer
• Released in 2000 and amended in 2008.
• Sample clauses
(1) Whoever with the Intent to cause or knowing that he is likely to cause Wrongful Loss or Damage to the public or any person Destroys or Deletes or Alters any Information Residing in a Computer Resource or diminishes its value or utility or affects it injuriously by any means, commits hack.
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
66. IT Amendment Act
Released in 2008 – one of the clauses:
• Destroys, Deletes or Alters any Information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
• Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;
• “If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.”
68. Growing Attacking Power of Cyber Criminals
Cybercrime is big business. Today’s attackers:
• Are more organized – they are not just opportunists
• Have significant funding
• Are patient and sophisticated – they will often gain access and wait until the right moment to pounce
Cybercrime is an organization-wide issue
• Attackers take advantage of vulnerabilities in the whole operating environment – including people and process.
• Due to the relative ease of access via IP addresses, operational technology systems are often targets for cyber criminals.
70. What Takes Priority with IT Teams?
Courtesy of DataCenterJournal
71. Most Likely Source of an Attack
• Lone wolf hacker: 41%
• Hacktivists: 46%
• State sponsored attacker: 27%
• Criminal syndicates: 53%
• Other business partner: 14%
• Supplier: 12%
• Customer: 10%
• External contractor working on our site: 35%
• Employee: 57%
Respondents were asked to choose all that apply.
Source: EY Global Information Security Survey 2014
72. Impact on Information Privacy
The relationship between collection and dissemination of:
• Information
• Technology
• Personal and public expectations
• Laws and regulations surrounding them
73. Primary Concerns
• The act of data collection: Legal versus Illegal
• Improper access (Authentication)
• Unauthorized use (Authorization)
Image courtesy of City Caucus and ngshire
74. What Does Privacy Mean Now?
• In the past: Privacy is about secrecy.
• These days: Privacy is all about control.
People's relationship with privacy is socially complicated. Agree or Disagree?
75. Further Impacts
Government
• Edward Snowden, Hero or Traitor (?)
Company
• Data and information collection
• Revenue lost and recovery costs
• Security awareness
• Protect users’ data and information (from hacking, cracking and phreaking activities)
• Safeguard the service – remote storage service “Cloud”
• Image/Credibility
• Legal charge/fine
Image courtesy of Wikipedia
76. Further Impacts (cont’d)
Consumer
• Time to learn (learning curve)
• Credibility/Reputation
• Opportunity/revenue loss
• Recovery costs
Image courtesy of smh.com.au
77. Privacy Challenges
• What is “private” information by now?
• Make information more accessible
• Evolve systems to prevent breaches
Image courtesy of theinspirationroom.com
79. What Kind of Attacks?
Key findings from the 2014 US State of Cybercrime Survey and PwC:
• 80% of attacks rely on exploits that we can readily defend against
– Focus on security awareness
– Properly maintained IT infrastructure
– Effective monitoring
• 15% of the attacks can be mitigated with a solid security strategy
• 5% are Sophisticated/Nation State
80. Attacks in Detail
Hacking, Cracking and Phreaking
Unauthorized attempts to bypass the security mechanisms of an information system or network; unauthorized access to a computer system, programs, data and network resources.
Data Theft
If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network, downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network, including information or data held or stored in any removable storage medium, then it is data theft.
Spreading Viruses or Worms
81. Attacks in Detail (cont’d)
Identity Theft
A form of fraud or cheating using another person’s identity, typically in order to access resources or obtain credit and other benefits in that person’s name.
E-Mail Spoofing
Sending an e-mail to another person in such a way that it appears the e-mail was sent by someone else: it appears to originate from one source but has actually been sent from another source. You can no longer take for granted that the e-mail you are receiving is truly from the person identified as the sender.
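An added example (not from the slides) of the kind of header check a mail gateway or analyst can run to surface the mismatch described above: the visible From domain is compared with the envelope sender, the Reply-To address and the SPF/DKIM verdicts an inbound gateway records in Authentication-Results. All domains and both sample messages are constructed.

```python
# Added example: heuristic spoofed-sender check over raw message headers.
# Not part of the original slides. The Authentication-Results header is
# assumed to have been added by a trusted inbound gateway (RFC 8601 format);
# every domain and message below is constructed for illustration.
import email
from email.utils import parseaddr


def header_domain(value):
    """Return the lower-cased domain of a single address header, or ''."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map each method in Authentication-Results to its result, e.g. {'spf': 'fail'}."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        # The first ';'-separated element is the authserv-id; the rest are
        # "method=result [properties]" clauses.
        for clause in value.split(";")[1:]:
            method, sep, rest = clause.strip().partition("=")
            if sep and rest:
                results[method.strip().lower()] = rest.split()[0].lower()
    return results


def spoofing_indicators(raw_message):
    """List the mismatches suggesting the visible sender is not the real one."""
    msg = email.message_from_string(raw_message)
    from_dom = header_domain(msg["From"])
    envelope_dom = header_domain(msg["Return-Path"])
    reply_dom = header_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    verdicts = auth_results(msg)

    flags = []
    if envelope_dom and envelope_dom != from_dom:
        flags.append("envelope sender domain differs from From domain")
    if reply_dom != from_dom:
        flags.append("Reply-To domain differs from From domain")
    if verdicts.get("spf") != "pass":
        flags.append("spf=" + verdicts.get("spf", "none"))
    if verdicts.get("dkim") != "pass":
        flags.append("dkim=" + verdicts.get("dkim", "none"))
    return flags


# Constructed sample: the visible From claims to be the bank, but the message
# was handed in by an unrelated bulk host and asks for replies elsewhere.
SPOOFED = """\
Return-Path: <bounce@bulk.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.example.net; dkim=none
From: "Acme Bank Security" <security@acmebank.example>
Reply-To: <acmebank-verify@webmail.example.com>
To: <customer@example.org>
Subject: Urgent: verify your account

Please verify your account at the link below.
"""

# Constructed sample: envelope sender, From and gateway verdicts all agree.
LEGIT = """\
Return-Path: <security@acmebank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=acmebank.example; dkim=pass header.d=acmebank.example
From: "Acme Bank Security" <security@acmebank.example>
To: <customer@example.org>
Subject: Your monthly statement

Your statement is ready.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, spoofing_indicators(raw) or ["no indicators"])
```

A passing SPF/DKIM result only vouches for the envelope and signing domains, so the From/Reply-To comparisons are what catch a look-alike sender that authenticates correctly for its own domain.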
82. Attacks in Detail (cont’d)
• Denial of Service
Floods the bandwidth of the victim's network, depriving him/her of a service he/she is entitled to access or provide, such as the ping of death and teardrop attacks.
• Virus, Worm and Trojan
• Cyber Vandalism
Damaging or destroying data rather than stealing or misusing it.
• Software Piracy
Illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original.
83. Attacks in Detail (cont’d)
• Vishing
Utilizes social engineering and VoIP to gain access to private personal and financial information from the public for financial reward. Exploits the public's trust in landline telephone services. Typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
• Cyber Terrorism
Terrorist attacks on the Internet take the form of DDoS, hate websites and hate e-mails, etc.
• Child Pornography
Reaching and abusing children sexually, worldwide.
84. These Threats Have Their Numbers
• Source code leaks will accelerate malware release cycles
• SMS-forwarding malware is widely used
• Old school malware techniques continue
• Account takeover moves to the victim’s device
• Malware research evasion becomes more popular
85. GameOver Zeus – Alive, Dead & Resurrected
• Cutwail spam botnet distribution (Blackhole, Pony)
• Ransomware
• DDoS
• P2P infrastructure
• This became a HUGE BOTNET
• Operation Tovar
• etc…
Source: IBM
86. Growth in Device Takeover
• From simple RATs to advanced malware, and so device takeover was everywhere.
• PoS attacks targeted built-in remote session solutions.
• Citadel’s persistent RDP and new targets.
Source: IBM
87. Major Breaches
• There were so many… Does anyone even remember
P.F.Chang by now?
• If we want the red pill go to http://hackmageddon.com/
• Several (not very surprising) reoccurring themes:
• Zero day exploits in common software
• 3rd party hack
• Use of RATs
Source: hackmageddon.com
89. Mobile Threats: New Vectors
• Having seen classic threats migrate to mobile:
• Phishing
• Ransomware
• Overlay
• Bound to see mobile specific exploit kits
• Bundling frameworks and services (perhaps automated)
• Device takeover malware for mobile
• Mobile malware targeting more than SMS
91. Rely on Anonymity Networks
• Accessing TOR and other networks is becoming easier
• Safer cybercrime eCommerce platform
• Safer for malware infrastructure (i2Ninja, Chewbacca…)
• Also presents challenges
Broader adaptation of anonymity networks and encryption
Source: IBM
92. EMV for POS and ATM Means CNP Fraud
• Chip and PIN cards introduced in the US
• Push for more Card Not Present fraud
• Look for bad implementations of EMV that allow replay attacks
93. Not Just About Bank Accounts and Card Data
Cybercriminals are always looking for other ways to
monetize
• Example: Healthcare
• Seller:
• Easier to steal
• More profitable than a credit card
• Buyer:
• Harder to detect
• Many opportunities
94. The Answers…
• Cyber Security focus and mindset.
• Information Security Risk Management Plan to include
Cyber Crime and Cyber Security.
• Security Incident Prevention Plan, not only its Response
Plan and accommodate Cyber Crime as well.
96. What Does It Look Like Now?
• Dedicated I(T) Security Personnel
• IT Security Risk Management
• Security Incidents Plan (Policies and Procedures)
• Security Incidents Logs or Documentation
• Security Incidents Review Activity
• User Access Rights Policies and Procedures
• User Access Rights Documentation
• User Access Rights Review Activity
• Anti Virus and Firewall
97. What Does It Look Like Now? (cont’d)
• Intrusion Prevention Systems
• Intrusion Detection Systems
• Physical Security
• Data Security
• Information Security
• Software/Application Security
• Database Security
• Vulnerability Assessment
• Penetration Testing
98. That’s Why Cyber Security Takes Place
• Refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals.
• Cyber security standards are security standards which enable organizations to practice safe security techniques to minimize the number of successful cyber security attacks.
99. Roadblocks Facing Today’s Organizations
• Roadblock 1 — Lack of agility
Organizations admit there are still known vulnerabilities in their cyber defences and they are not moving fast enough to mitigate these. They are therefore lagging behind in establishing foundational cybersecurity. 65% tell us that they lack real-time insight on cyber risks.
• Roadblock 2 — Lack of budget
For the first time, we see more organizations reporting that their information security budgets will not increase. There is a need for more money and resources to face the growing threats effectively.
• Roadblock 3 — Lack of cybersecurity skills
The lack of specialists is a constant and growing issue. Organizations also need to build skills in non-technical disciplines (like analytics) to integrate cybersecurity into the core business.
Source: EY’s Global Information Security Survey 2014
100. Roadblocks in Numbers
• 43% of respondents say that their organization’s total information security budget will stay approximately the same in the coming 12 months, and a further 5% said that their budget will actually decrease.
• 53% of organizations say that lack of skilled resources is one of the main obstacles that challenge their information security.
Source: EY’s Global Information Security Survey 2014
101. Improvement Needed: Big Time
• Across almost every cybersecurity process, between 35% and 45% of respondents rated themselves “still a lot to improve.”
• Nearly two thirds of organizations do not have well-defined and automated Identity and Access Management programs.
Source: EY’s Global Information Security Survey 2014
102. Lack of Real Time Insight on Cyber Risk
• 37% say that real time insight on cyber risk is not available.
• 42% of organizations do not have a SOC.
Source: EY’s Global Information Security Survey 2014
103. Duration to Initiate an Investigation on Incidents
• Unknown: 33%
• Longer than 1 day: 4%
• Within 1 day: 13%
• Within 4 hours: 13%
• Within 1 hour: 25%
• Within 10 minutes: 12%
Respondents were asked to choose one.
104. Cybersecurity Not Aligned to the Business
In order to get ahead of cybercrime, it is essential to keep your cybersecurity measures 100% aligned with your business.
Credit: EY’s Global Information Security Survey 2014
Organizations are continuing to improve their cybersecurity, but the changes in the threat are travelling at an even faster rate, meaning they are effectively going backwards.
2013 vs 2014: Instead of an expected increase in the number of organizations reporting that their Information Security function fully meets the needs of their organization, our survey found a decrease.
2013 vs 2014: Instead of an increase in the number of organizations reporting that their Information Security function partially meets their needs and that improvements are under way, there has been a decrease of 5%.
105. Cybersecurity Not Meeting Organization Needs
Respondents were asked to choose one.
• 9%: We have a formal and advanced detection function that brings together each category of modern technology (host-based malware detection, antivirus, network-based malware detection, DLP, IDS, next-gen firewalls, log aggregation) and uses sophisticated data analytics to identify anomalies, trends and correlations. We have formal processes for threat collection, dissemination, integration, response, escalation and prediction of attacks.
• 20%: We have a formal detection program that leverages modern technologies (host-based and network-based malware detection, behavioral anomaly detection, etc.) to monitor both internal and external traffic. We use ad hoc processes for threat collection, integration, response and escalation.
• 24%: We utilize a security information and event management (SIEM) solution to actively monitor network, IDS/IPS and system logs. We have informal response and escalation processes in place.
• 31%: We have perimeter network security devices (i.e., IDS). We do not have formal processes in place for response and escalation.
• 16%: We do not have a detection program.
106. External Parties Protecting Our Organization’s Information?
• 13%: No reviews or assessments performed
• 8%: Fourth parties (also known as sub-service organizations) are identified and assessments performed (e.g., questionnaires issued, reliance placed on your vendor's assessment processes)
• 24%: Only critical or high-risk third parties are assessed
• 34%: Self-assessments or other certifications performed by partners, vendors or contractors
• 27%: Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402)
• 27%: Accurate inventory of all third-party providers, network connections and data transfers is maintained and regularly updated
• 27%: All third parties are risk-rated and appropriate diligence is applied
• 56%: Assessments performed by your organization’s information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing)
Respondents were asked to choose all that apply.
107. Organization Planning for the Future?
• 58% of organizations do not have a role or department focused on emerging technologies and their impact on information security.
• 36% of respondents do not have a threat intelligence program.
108. Learn From the Past: SONY Case
• Is our organization ready for such threats?
• The threat may move out of the cyber world
• What are our organization’s crown jewels?
Source: IBM
109. Please Be Mindful
• Traditional “tactical view” is not enough
• Different changes in multiple fields affect cyber security
• Close ripples:
• Attacks against other vectors
• New precedents
• New technologies
• Distant ripples:
• Geopolitical
• The squeeze effect
110. Geopolitical & Economical Changes
• Changes may affect:
• Targets
• Methodology
• Threat actors
• Consider:
• The situation in Russia
• The Snowden leaks
111. Where is InfoSec Role?
Quoting Security Expert Elliott Franklin in the US (2012):
• 53% of CISOs now report to C-level execs
• 74% of CISOs struggled to balance strategy and
operations in 2012
• 32% of CISOs cover both Information and Physical Security
“If I need to do strategic planning, I need to come in during the weekends because ops takes 100% of my time”
In 2014, EMC reported that across the globe 60% of IT function working time is allocated to operations.
112. Incident Response Plan is Very Basic
• Objectives
  – Respond to events and customers' concerns
  – Rapidly and effectively address disclosures
• Types of incidents
  – Intentional
  – Unintentional
• References
  – NIST SP 800-61r2
  – SANS Incident Handler's Handbook
113. Simplest Ways of Prevention
• Disable and log off a specific user account to prevent access.
• Disable and log off a group of user accounts which access a particular service that is being attacked.
• Disable and dismount specific (network) devices, for instance disk devices that are being swamped.
• Disable specific applications, for example, an e-mail system subjected to a SPAM attack.
• Close down an entire system, and divert processing to an alternative or backup service on a secondary network.
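The first two prevention steps above (disable and log off one account, or every account using a service under attack) are easy to get wrong under pressure: locking only the password leaves key-based SSH logins working, and an automated lockout can catch the responders' own accounts. The following is an added example, not code from the slides, that plans those steps for a Linux host; the session table is constructed sample data, its (user, service) layout is an assumption, and the commands are only executed when `dry_run=False`.

```python
"""Account containment helper for the first two prevention steps above.

Added example, not from the slides. It picks the accounts currently using a
service under attack, skips protected responder accounts so containment
cannot lock out the responders themselves, and builds the host commands to
disable each account and log it off. Commands run only with dry_run=False;
the session table is constructed sample data, and the field layout
(user, service) is an assumption.
"""
import json
import subprocess
from datetime import datetime, timezone

# Constructed snapshot of live sessions: (user, service).
SESSIONS = [
    ("alice", "webmail"),
    ("bob", "webmail"),
    ("carol", "vpn"),
    ("bob", "vpn"),
    ("ops-admin", "webmail"),
]

# Break-glass and responder accounts that automation must never disable.
PROTECTED = {"root", "ops-admin"}


def users_of_service(sessions, service):
    """Distinct accounts with at least one session on `service`."""
    return sorted({user for user, svc in sessions if svc == service})


def containment_commands(user):
    """Disable first (no new logins), then terminate live sessions.

    `usermod -L` locks the password; `-e 1970-01-02` expires the account so
    that key-based SSH logins are stopped as well (a locked password alone
    does not block them).
    """
    return [
        ["usermod", "-L", "-e", "1970-01-02", user],
        ["pkill", "-KILL", "-u", user],
    ]


def contain_service(service, sessions=SESSIONS, protected=PROTECTED, dry_run=True):
    """Plan (and optionally execute) containment for every user of `service`.

    Returns (commands, record): the ordered command list and an audit record
    for the incident log.
    """
    targets, skipped = [], []
    for user in users_of_service(sessions, service):
        (skipped if user in protected else targets).append(user)
    commands = [cmd for user in targets for cmd in containment_commands(user)]
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": "contain_service",
        "service": service,
        "disabled": targets,
        "skipped_protected": skipped,
        "dry_run": dry_run,
    }
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=False)  # needs root on the host
    return commands, record


if __name__ == "__main__":
    cmds, rec = contain_service("webmail")  # dry run: plan only
    for c in cmds:
        print(" ".join(c))
    print(json.dumps(rec))
```

The audit record is what the incident handler files later; a dry run first lets the handler review which accounts will be cut off before anything irreversible happens.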
114. Simplest Tips of Controls
• Use antivirus software.
• Install firewalls.
• Uninstall unnecessary software.
• Maintain backup.
• Check security settings.
• Stay anonymous - choose a genderless screen
name.
• Never give your full name or address to
strangers.
• Learn more about Internet privacy.
118. InfoSec Leadership Is Inevitable
• Information Security Strategic Plan (including Cyber
Security domain).
• Information Security Policies, Procedures, Guidelines,
Framework and Standards.
• IT/Information Security personnel (the higher the better) who report directly to organizational leadership.
• Regular monitoring and controlling activities through measurement and review processes.
• Understanding past security and planning for future security events.
• Governance, Risk, Legal and Compliance (no longer Ops-focused).
119. Cyber Security AAA Processes
To get ahead of cybercrime, organizations shall adopt a 3-stage improvement process:
• Activate (a foundational approach)
• Organizations need to establish and improve the solid foundations of
their cybersecurity
• Adapt (a dynamic approach)
• Because organizations are constantly changing and cyber threats are
evolving, cybersecurity needs to be able to adapt to changing
requirements
• Anticipate (a proactive approach)
• Organizations need to make efforts to predict what is coming so they
can be better prepared for the inevitable cyber attacks
120. Activities in Activate Stage
1. Conduct a cyber threat assessment and design an
implementation roadmap
2. Get Board-level support for a security transformation
3. Review and update security policies, procedures and
supporting standards
• Implement an information security management system
4. Establish a Security Operations Center (SOC)
• Develop monitoring and incident response procedures
5. Design and implement cybersecurity controls
• Assess the effectiveness of data loss prevention and
identity and access management processes.
• Harden the security of IT assets.
6. Test business continuity plans and incident response
procedures
121. Activities in Adapt Stage
1. Design and implement a transformation program
• Get external help in designing the program, and
providing program management.
2. Decide what to keep in-house and what to
outsource
3. Define a RACI matrix for cybersecurity
4. Define the organization’s ecosystem
• Make moves to eliminate or lessen potential
security gaps in your interaction with third parties
5. Introduce cybersecurity awareness training for
employees
122. Activities in Anticipate Stage
1. Design and implement a cyber threat intelligence strategy
• Use threat intelligence to support strategic business decisions
2. Define and encompass the organization’s extended cybersecurity
ecosystem
• Define RACI and trust models and enact cooperation, sharing
capabilities where advantageous
3. Take a cyber economic approach
• Understand the value of your most vital cyber assets
4. Use forensics and analytics
• Use the latest technical tools to analyse where the likely
threats are coming from and when
5. Ensure everyone understands what’s happening
• Strong governance, user controls and regular communications
123. InfoSec Strategic Plan Key Factors
• Determine the direction of the business
  – Vision: a descriptive picture of a desired future state (“Where do we want to be?”)
  – Objectives: high-level achievements (“Improve customer loyalty”, “Grow market share”)
  – Goals: anything that is measured to help fulfill an objective
• Understand security's current position
  – What do we do?
  – For whom do we do it?
  – How do we excel?
Source: Forrester’s Building A Strategic Security Program And Organization (2013)
124. InfoSec Strategic Plan Key Factors
(cont’d)
• Strategies
– Those actions we implement on a day-to-day
basis to achieve our objectives
• Projects
– The concrete actions a business takes to
execute its strategic plan
• Capabilities
– An organization’s ability, by virtue of its IT
assets, to create business value
126. Take a Look at This Example
Credit: ESET – Cyber Security road map for businesses (2013).
127. Identify the Metrics
Citing Forrester’s Information Security Metrics – Present
Information that Matters to the Business (2013):
• Security metrics need to demonstrate business alignment
• Are we more secure today than yesterday?
– Number of machines reimaged
– Number of phishing attempts blocked
• How do we compare to our competitors?
• Not limited to what your tools provide
• Ask the business
128. Designing Effective Metrics
• Consistently measured
– Benchmarks and opportunities for continuous
improvement
• Cheap to gather
– If metrics are expensive to gather, they will not be
gathered
• Use numbers that show relationships
– Are these numbers relevant to decision makers?
• Show trends
• Awesome diagrams and graphs
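Slides 127 and 128 ask for metrics that are consistently measured, cheap to gather, show relationships and show trends. The following is an added example, not code from the slides or from Forrester, that computes the two metrics slide 127 names (machines reimaged, phishing attempts blocked) from raw event records, the same way every week, and adds a block rate and a week-over-week delta. The records are constructed sample data and the (timestamp, kind, outcome) layout is an assumption, not any vendor's export format.

```python
"""Weekly security metrics from raw event records.

Added example, not from the slides or Forrester. It turns per-event records
from an endpoint tool and a mail gateway into the two metrics named on the
slide (machines reimaged, phishing attempts blocked), measured the same way
every week, with a ratio that shows a relationship and a week-over-week
trend. The records below are constructed sample data and the (ts, kind,
outcome) layout is an assumption, not any vendor's export format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, kind, outcome).
SAMPLE_EVENTS = [
    ("2015-06-01T09:12:00", "reimage", "done"),
    ("2015-06-03T14:40:00", "reimage", "done"),
    ("2015-06-02T08:00:00", "phish", "blocked"),
    ("2015-06-02T08:05:00", "phish", "blocked"),
    ("2015-06-04T11:30:00", "phish", "delivered"),
    ("2015-06-09T10:00:00", "reimage", "done"),
    ("2015-06-08T09:00:00", "phish", "blocked"),
    ("2015-06-10T16:20:00", "phish", "blocked"),
    ("2015-06-11T16:25:00", "phish", "blocked"),
    ("2015-06-12T07:45:00", "phish", "delivered"),
    ("2015-06-12T07:50:00", "phish", "delivered"),
]


def iso_week(ts):
    """Bucket key: ISO year and week, so every week is measured the same way."""
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date()
    year, week, _ = day.isocalendar()
    return f"{year}-W{week:02d}"


def weekly_metrics(events):
    """Per-week counts plus the blocked/attempted ratio (None when no attempts)."""
    weeks = defaultdict(lambda: {"reimaged": 0, "phish_total": 0, "phish_blocked": 0})
    for ts, kind, outcome in events:
        bucket = weeks[iso_week(ts)]
        if kind == "reimage":
            bucket["reimaged"] += 1
        elif kind == "phish":
            bucket["phish_total"] += 1
            if outcome == "blocked":
                bucket["phish_blocked"] += 1
    result = {}
    for week in sorted(weeks):
        m = dict(weeks[week])
        m["phish_block_rate"] = (m["phish_blocked"] / m["phish_total"]) if m["phish_total"] else None
        result[week] = m
    return result


def trend(metrics, key):
    """Week-over-week change of one metric: [(week, value, delta_vs_previous_week)]."""
    rows, prev = [], None
    for week, m in metrics.items():
        value = m[key]
        delta = None if prev is None or value is None else value - prev
        rows.append((week, value, delta))
        prev = value
    return rows


def report(metrics):
    """Plain-text table for the weekly review."""
    lines = [f"{'week':9} {'reimaged':>8} {'phish':>6} {'blocked':>8} {'rate':>6}"]
    for week, m in metrics.items():
        rate = "n/a" if m["phish_block_rate"] is None else f"{m['phish_block_rate']:.0%}"
        lines.append(f"{week:9} {m['reimaged']:>8} {m['phish_total']:>6} {m['phish_blocked']:>8} {rate:>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(weekly_metrics(SAMPLE_EVENTS)))
```

On the sample data the number of blocked phishing mails rises from week 23 to week 24 while the block rate falls, which is the kind of relationship a raw count alone hides and the reason the slide asks for numbers that show relationships rather than tool output as-is.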
129. Operations Focused is All About
• Limited business interaction
• Deploying, managing and monitoring security
tools
• Vulnerability and Threat Management
• Anti-malware
• Encryption
• Firewalls
• Blocking and tackling
130. While GRLC Focused is…
• Supports business objectives
• Relationship management
• Manages security priorities
• Forward looking
• Anticipates threats and business needs
131. How to Do It?
A flexible organization with a centralized core:
• Security Oversight
• Information Risk
• (Cyber) Security Risk
• Security Architecture and Engineering
• Security Operations
132. Organization Culture
• What do your executives expect from
security?
• If not GRLC, then focus on operations
• Build trust and demonstrate value
• Reporting Inside or Outside IT?
• Centralized or Decentralized?
133. Controls to Enforce Policies
• Log access to data, information and transactions by unique identifier; this requires log management or a SIEM.
• Limit access to specific data to specific individuals; this requires unique system usernames and passwords.
• Sensitive data shall not be emailed outside the organization; enforce this with DLP or an email encryption system.
134. Deploy and Test Controls
• A phased approach
– DLP
– Email Encryption
• Test not only if the solution works
technically but also that it does not impose
too great a burden on employees or
processes.
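Slide 133 turns three policy statements into technical controls (access logged by unique identifier, access limited to named individuals, sensitive data not e-mailed out) and slide 134 deploys the DLP piece first. The following is an added example, not code from the slides, showing what those controls look like at application level: every access decision is emitted as one JSON line keyed by the user's identifier (the record a log management tool or SIEM ingests), and an outbound e-mail check blocks sensitive-looking content that would leave the organization. The ACL, mail domain and detection patterns are constructed assumptions; the e-mail encryption phase is not shown.

```python
"""Per-user access control with audit logging, plus an outbound e-mail DLP check.

Added example, not from the slides. Each access decision is written as one
JSON line carrying the user's unique identifier, which is the record a log
management or SIEM tool ingests; the DLP rule blocks messages that leave the
organization with sensitive-looking content. The ACL, domain and patterns
are constructed assumptions.
"""
import json
import logging
import re
from datetime import datetime, timezone

logging.basicConfig(level=logging.INFO, format="%(message)s")
LOG = logging.getLogger("audit")

# Constructed policy: dataset -> individuals allowed to read it.
ACL = {
    "payroll_2015": {"alice", "bob"},
    "customer_pii": {"carol"},
}
ORG_DOMAIN = "example.com"  # assumed organization mail domain

# Constructed detection patterns for the DLP rule.
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"\b\d{16}\b"),
    "classification_label": re.compile(r"\bCONFIDENTIAL\b"),
}

AUDIT_EVENTS = []  # in-memory copy; the real sink is the log pipeline


def audit(user, action, resource, result, **extra):
    """Emit one structured audit record keyed by the user's unique identifier."""
    event = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "action": action,
        "resource": resource,
        "result": result,
        **extra,
    }
    AUDIT_EVENTS.append(event)
    LOG.info(json.dumps(event))
    return event


def read_dataset(user, dataset):
    """Return dataset contents only if `user` is on the dataset's ACL; log either way."""
    allowed = user in ACL.get(dataset, set())
    audit(user, "read", dataset, "allow" if allowed else "deny")
    if not allowed:
        raise PermissionError(f"{user} may not read {dataset}")
    return f"<contents of {dataset}>"  # placeholder for the real data


def outbound_email_allowed(sender, recipient, body):
    """DLP rule: sensitive content may not leave the organization by e-mail.

    Returns True when the message may be sent. Internal recipients are never
    blocked; external ones are blocked when any pattern matches.
    """
    recipient_domain = recipient.rsplit("@", 1)[-1].lower()
    external = recipient_domain != ORG_DOMAIN
    findings = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]
    blocked = external and bool(findings)
    audit(sender, "send_email", recipient, "block" if blocked else "allow",
          external=external, findings=findings)
    return not blocked


if __name__ == "__main__":
    read_dataset("alice", "payroll_2015")
    outbound_email_allowed("alice", "partner@partner.example.org",
                           "Card 4111111111111111 on file")
```

Denied reads and blocked sends are logged with the same fields as allowed ones, so the SIEM can count both; the ratio of blocked to total sends per sender is also the number slide 134 asks for when judging whether the control burdens employees too much.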
135. Educate, Educate, Educate
• Our security stakeholders: employees, executives, partners, suppliers, vendors
• What are our policies?
• How to comply?
• Consequences of failure to comply
136. Monitoring and Controlling
• Assessment
• Review
• Audit
• Monitor change control
• New vendor relationships
• Marketing initiatives
• Employee terminations
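Of the change-control events slide 136 lists, employee terminations are the one that is easiest to audit mechanically: the HR leaver list and the directory export either agree or they do not. The following is an added example, not code from the slides, that reconciles the two and rates any account still enabled after its owner's termination date, treating an account used after that date as the more serious finding. Both exports are constructed sample data and their field layouts are assumptions.

```python
"""Leaver check: accounts still enabled after an employee's termination date.

Added example, not from the slides. It reconciles a constructed HR leaver
list against a constructed directory export and flags accounts that should
have been removed at termination, rating those used after the leaver left
as high severity. Field layouts are assumptions.
"""
from datetime import date

# Constructed HR export: (person, termination_date).
HR_LEAVERS = [
    ("dave", "2015-07-31"),
    ("erin", "2015-08-10"),
    ("frank", "2015-08-12"),
]

# Constructed directory export: (account, enabled, last_login or None).
DIRECTORY = [
    ("alice", True, "2015-08-14"),
    ("dave", True, "2015-08-13"),    # still enabled and used after leaving
    ("erin", True, None),            # still enabled, no login on record
    ("frank", False, "2015-08-11"),  # correctly disabled
    ("svc-backup", True, "2015-08-14"),
]


def orphaned_accounts(leavers, directory):
    """Findings for leavers whose account is still enabled, sorted by account."""
    enabled = {acct: last for acct, on, last in directory if on}
    findings = []
    for person, term in leavers:
        if person not in enabled:
            continue  # already disabled or removed: nothing to report
        last = enabled[person]
        used_after = last is not None and date.fromisoformat(last) > date.fromisoformat(term)
        findings.append({
            "account": person,
            "terminated": term,
            "last_login": last,
            "used_after_termination": used_after,
            "severity": "high" if used_after else "medium",
        })
    return sorted(findings, key=lambda f: f["account"])


if __name__ == "__main__":
    for f in orphaned_accounts(HR_LEAVERS, DIRECTORY):
        print(f"{f['severity']:6} {f['account']:10} terminated {f['terminated']} "
              f"last login {f['last_login']}")
```

Run after each HR export, the check becomes one of the regular review activities the slide calls for, and its output is a metric that is cheap to gather.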
139. InfoSec Frameworks (cont’d)
According to Information Systems Security
Certification Consortium (ISC2) CBK, the
principles are:
A. Support the business
• Focus on the business functions and
processes
• Deliver quality and value to stakeholders
• Comply with law and regulation requirements
• Provide timely and accurate information
• Evaluate existing and future information
threats
• Improve information security continuously
140. InfoSec Frameworks (cont’d)
B. Secure the organization
• Adopt a risk-based approach
• Protect classified information
• Focus on critical business processes
• Develop systems securely
C. Promote information security
• Attain responsible behavior
• Act in a professional and ethical manner
• Foster a positive information security culture
141. ISACA Framework on Information Security
ISMS: Information Security Management Systems
R: Responsible; A: Accountable; C: Coordinate; I: Informed Credit: ISACA
142. NIST Cybersecurity Framework
• Critical Infrastructure
- Vital infrastructure - private and public operators
- Lack of availability would have “debilitating impact”
on the nation’s security, economy, public health,
safety…
• Executive Order 13636; February 12, 2013
• Threat information sharing
• NIST: Baseline Framework to reduce cyber risk
• “Standards, methodologies, procedures and processes that align
policy, business, and technological approaches…”
145. Framework Profile
• Describe current or desired state of
cybersecurity activities
• Align controls with business requirements,
risk tolerance, and resources
• No templates or format provided
146. Framework Tiers
• Tiers indicate maturity of:
– Risk management process
– Integrated Risk Management Program
– External Participation
• Number of Tiers:
  – 1: Partial
  – 2: Risk Informed
  – 3: Repeatable
  – 4: Adaptive
147. CSF and ISO 27001: Commonalities
148. CSF and ISO 27001: Differences
149. InfoSec Standards
‘ISO/IEC 27001’
Best practice recommendations for initiating,
developing, implementing, and maintaining Information
Security Management Systems (ISMS) with:
• Risk Assessment
• Security Policy
• Asset Management
• Physical/Environmental Security
• Access Control
• And many others
150. InfoSec Standards (cont’d)
• Payment Card Industry – Data Security Standard (PCI-DSS) version 3
153. By Utilizing Such Framework and Standard
• Reduce complexity of activities and processes
• Deliver better understanding of information security
• Attain cost-effectiveness in managing privacy and security
• Enhance user satisfaction with the arrangements and outcomes
• Improve integration of information security
154. By Utilizing Such Framework and Standard (cont’d)
• Inform risk decisions and risk awareness
• Enhance prevention, detection and recovery
• Reduce probability and impact of security incidents
• Leverage support for organization innovation and competitiveness
156. New Tech Brings New Challenges
• New technology challenges:
• Wearable tech
• IoT (Internet of Things)
• Apple Pay, NFC, BitCoin (?)
• Will ransomware be applied to IoT?
• A car lockdown?
• A house blackout?
• A pacemaker threat?
Credit: IBM
157. Other Stories…
• Criminal groups will also continue to adopt
nation-state tactics.
• Large enterprises and other organizations
will still be vulnerable through using
commodity equipment, which attackers
quickly learn how to bypass.
• Therefore defending against these attacks
will still be challenging.
158. Incident Prevention Is Underway
Technologies and services focused on
incident response – rather than just
incident prevention – will be high on the
agenda for security professionals in the
near future.
159. Managed Security Services Under the
Spotlight
• For most businesses, identifying IT security
incidents in a timely manner requires 24/7
coverage of the network environment.
• This can be costly: IT security professionals are scarce and require regular training to keep abreast of continually evolving technologies.
160. I(T) Security Gets Cloudy
• A continued increase in the adoption of cloud
services for security is predicted.
• This holds true for Software-as-a-Service
solutions, such as secure Web proxy, and secure
email in the cloud.
• These solutions are particularly attractive as the implementation effort is negligible.
• Traffic is simply redirected to the service, which is then paid for through a consumption-based model.
161. I(T) Security Gets Cloudy (cont’d)
• This is where the professional organization Cloud Security Alliance and its certification, Certified Cloud Security Knowledge, come into play.
162. From Securing Technologies into Platforms
• The notion of security as a secure platform, rather than a series of point products or devices on the network, is gaining traction.
• Security professionals will be expected to deliver a secure platform that allows the business to confidently run multiple applications in a secure environment.
163. InfoSec and Information Privacy Roles
are Expanding
• They face a new test of leadership as planning and communication are becoming more and more essential.
• Manage crucial links between
• Information Security
• Operational performance
• Organization credibility
• Brand protection
• Shareholder value
164. CCSO on the Rise?
Image courtesy of Mark E. S. Bernard
166. Reach Me Out at
• LinkedIn: www.linkedin.com/in/goutama
• E-mail: goutama@consultoriagroup.co
• Twitter: @goudotmobi
• SlideShare: www.slideshare.net/goudotmobi
• Google+: www.gplus.to/goudotmobi