Cultivating a Security Culture into business dimensions(key_3.Mr.AnthonyLimISC2).pdf
Transcript of Cultivating a Security Culture into business dimensions(key_3.Mr.AnthonyLimISC2).pdf
8/10/2019 Cultivating a Security Culture into business dimensions(key_3.Mr.AnthonyLimISC2).pdf
1/28
Copyright 1989-2014, (ISC)2 All Rights Reserved
Cultivating a SECURITY Culture into Business Dimensions
Anthony Lim, MBA FCITIL CSSLP
Member, Application Security Advisory Board, (ISC)2
ISC2.org
THE INTERNET IS USEFUL AND FUN - BUT IS ALSO A DANGEROUS PLACE WITH NO LAWS
We need to be CAREFUL, VIGILANT, SUSPICIOUS. We CANNOT TRUST EASILY!
We need PROCESS, PROCEDURE, PROTOCOL - enforcement, training, reminders
We need to CHECK and AUDIT PERIODICALLY.
We need to keep LEARNING and IMPROVING - education, implementation of standards e.g. ISC-27000
We cannot always think it's another person's job!
The Myth: Our Site Is Safe
Over the past 20 years, we have invested much resources and effort in network and infrastructure security.
We Have Firewalls and IPS in Place -> Port 80 & 443 are open for the right reasons
We Use Network Vulnerability Scanners -> Neglect the security of the software on the network/web server
We Audit It Once a Quarter with Pen Testers -> Applications are constantly changing
We Use SSL Encryption -> Only protects data between site and user, not the web application itself
We Outsource
SOMETHING IS STILL OUT THERE
CyberSecurity In the Workplace - per McGraw Hill
Be informed of your responsibilities and liability
Choose and maintain safe passwords
Maintain email and Internet security
Limit access to your workspace
Protect sensitive company information
Ensure secure remote access
Be aware of new Social Engineering tactics
Top 10 Security Tips for Gen-Y
1. GET BACK TO BASICS
2. DON'T CLICK TOO EASILY
3. PAY ATTENTION TO LATEST SOCIAL CHANGES
4. PASSWORDS! PASSWORDS! PASSWORDS!
5. GAMERS - KEEP SECURITY SOFTWARE ON!
6. BE CAREFUL OF P2P (PEER-TO-PEER) & PIRATED SOFTWARE
7. BEWARE OF SOCIAL ENGINEERING ATTACKS
8. CHOOSE YOUR FRIENDS CAREFULLY
9. BE CAREFUL WHEN DOWNLOADING
10. BE CAREFUL WHEN USING WI-FI HOT-SPOTS
Courtesy Skyler King, Zone, Mashable 08/12
Wireless LAN Icons
BE SURE THE SITE IS THE CORRECT ONE
BE CAREFUL WHAT YOU SHARE
DON'T BE GREEDY - FREE THINGS ARE DANGEROUS - YOU DON'T KNOW WHO IT'S FROM
STRANGE INCOMING EMAILS - Phishing
Do not click on links or open attachments in emails which seem suspicious or unfamiliar. Be like a detective - EVEN IF FROM FRIENDS OR RELATIVES.
BE SUSPICIOUS ABOUT THE WRITING STYLE, LANGUAGE, THEME
SEE WHO ELSE IS COPIED ON THE EMAIL
Never reply to the email
Never open the attachment
Never click on the link
USE A DIFFERENT WAY TO CHECK WITH THE SENDER.
IF YOU ARE BUSY OR THE SENDER IS NOT FAMILIAR THEN JUST DELETE THE EMAIL - DON'T WORRY ABOUT IT
SAME FOR STRANGE SMS OR WHATSAPP
DON'T JUST AGREE TO ANY EMAIL INSTRUCTION
Are You Sure it's OK (Safe) to Click?
WHEN NOT SURE, PLEASE ASK FOR HELP
DO NOT READILY TRUST ONLINE-BASED MATERIAL
When researching on the Internet, make sure 2 or 3 sites say the same thing first!
Real Example: WEB APPLICATION ATTACK - Reading another user's transaction
Another customer's transaction slip is revealed, including the email address
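The slide's "reading another user's transaction" is a missing authorization check on a record looked up by id (an insecure direct object reference). The following is an added illustration, not code from the presentation or from the affected site: the vulnerable lookup beside a hardened one that ties the record to the session user, plus a small review routine that enumerates which foreign slips each user can read. All names, ids and the in-memory store are constructed.

```python
# Added illustration (not from the slides). Data and names are constructed.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class TransactionSlip:
    txn_id: int
    owner: str      # account that made the transaction
    email: str      # personal data that leaked in the real example
    amount: float


# Constructed sample store standing in for the application's database.
SLIPS = {
    1001: TransactionSlip(1001, "alice", "alice@example.com", 120.00),
    1002: TransactionSlip(1002, "bob", "bob@example.com", 75.50),
}


class Forbidden(Exception):
    """Raised when a user asks for a slip that is not theirs."""


def get_slip_vulnerable(session_user: str, txn_id: int) -> Optional[TransactionSlip]:
    # Trusts the id from the request and never compares it with the session
    # user, so changing the id in the URL returns someone else's slip.
    return SLIPS.get(txn_id)


def get_slip_hardened(session_user: str, txn_id: int) -> Optional[TransactionSlip]:
    # Same lookup, but the record is released only if the authenticated
    # session user owns it. Unknown and foreign ids get the same response,
    # so the endpoint does not reveal which ids exist.
    slip = SLIPS.get(txn_id)
    if slip is None or slip.owner != session_user:
        raise Forbidden(f"{session_user} may not view transaction {txn_id}")
    return slip


def audit_endpoint(lookup: Callable[[str, int], Optional[TransactionSlip]]) -> list[str]:
    # Authorization review: every user requests every id that is not theirs;
    # each slip that comes back is a cross-user disclosure.
    leaks = []
    for user in {s.owner for s in SLIPS.values()}:
        for txn_id, slip in SLIPS.items():
            if slip.owner == user:
                continue
            try:
                if lookup(user, txn_id) is not None:
                    leaks.append(f"{user} read {txn_id} ({slip.email})")
            except Forbidden:
                pass
    return sorted(leaks)
```

Running `audit_endpoint` against the two lookups gives two leaked slips for the vulnerable version and none for the hardened one.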
Why do hackers attack Apps?
Because they know you have firewalls
So they need to find a new weak spot to hack through and steal or compromise your data
Because firewalls do not protect against app attacks
Very few people are actively aware of application security issues
Most IT security professionals, from the network & sys-admin side, have little experience or interest in software development. Programmers have little experience or interest in security or infrastructure.
IT security staff are also often overworked and are focusing on other issues
Because web sites have a large footprint; cloud makes it even bigger.
Because they can
Many organizations today still lack a software development security policy
Many applications, especially legacy ones still in use, were not built defensively
Applications today are hundreds of thousands of lines long
It is a nightmare to QA the application, and requires discipline
So many people, even if aware, will skip or procrastinate this tedious process
Additional loss of control when outsourcing development work
Why Software Development has flaws
No developer goes to work with the intention of writing bad code.
Cheap / Fast / Good -> Choose 2!
Developers are often not trained or experienced in secure coding techniques, and have never needed to worry about this before
Developers face pressures of demands for quality and functionality, and are often short on timeline, resources, information, budget, and quality assurance tools investment.
Plus heavy demands on outsourcing parties
Unplanned Proliferation of Data
59% not following a rigorous Security process
26% have no hint of Security within their software development lifecycle
48% claim to audit procedures regularly
69% blame Culture as reason for current practices
57% blame lack of Education
70% claim to have insufficient guidance for key technology models
(ISC)2 Survey & Global Information Security Workforce Study - Stats 2012/3
AUDIT
The worst reason to have security is Governance Regulation
- You must know why you want security, not because someone said so
- We end up trying all sorts of ways to get by or get past the feared (or hated) auditor
59% of staff will try to bypass a security process
Conclusion: 2 Components to I.T. Security
Technical Component
- Access Control
- Authenticated Access
- Encryption & Privacy
- Policy-based traffic filtering
- Enterprise Management etc
Human & Policy Component
- Education
- Enforcement
- Reinforcement
- Diligence & Vigilance
- CLEAR OWNERSHIP
Technologies today can provide the technical component.
Only with commitment at the highest levels can the human factor be successful.
AS LONG AS HUMANS BEHAVE LIKE HUMANS WE WILL STILL HAVE A JOB IN I.T. SECURITY
I.T. SECURITY TODAY IS NO LONGER A TECHNOLOGY THING - IT IS A HUMAN AND SOCIAL MATTER
EMPOWERING THE HUMAN FACTOR - Security CERTIFICATION for Application Development Team
www.isc2.org
CISSP
'COS DEVELOPERS NEVER HAD TO WORRY ABOUT THIS BEFORE - UNTIL NOW
BUT EVEN SO - IN ORDER TO USE THE PROFESSIONAL QA TOOLS WELL
About (ISC)2 CISSP
Established in 1989 - Non-profit consortium of information security industry leaders - Celebrating 25th Anniversary this year
Global leaders in certifying and educating information security professionals throughout their careers
Global standard for information security: the (ISC)2 CBK, a compendium of information security topics
Nearly 100,000 certified professionals in more than 135 countries
Isc2.org
(ISC)2 Credential Offerings
White Papers on Computer Security
Upcoming Events/Activities
Call for Nomination for Asia-Pacific ISLA - early April 2014
Held annually by (ISC)2 in cooperation with the (ISC)2 Asian Advisory Board
Recognizes outstanding leadership and achievements of information security and management professionals in the Asia-Pacific region.
Email blast will be sent to members and (ISC)2 chapters
Cultivating a SECURITY Culture into Business Dimensions
Anthony Lim
Thank you