Cultivating a Security Culture into business dimensions(key_3.Mr.AnthonyLimISC2).pdf


Slide 1/28 (8/10/2019)

Copyright 1989-2014, (ISC)2 All Rights Reserved

Cultivating a SECURITY Culture into Business Dimensions

Anthony Lim
MBA FCITIL CSSLP
Member, Application Security Advisory Board, (ISC)2

ISC2.org

Slide 2/28

THE INTERNET IS USEFUL AND FUN
- BUT IS ALSO A DANGEROUS PLACE WITH NO LAWS

We need to be CAREFUL, VIGILANT, SUSPICIOUS.
We CANNOT TRUST EASILY!
We need PROCESS, PROCEDURE, PROTOCOL - enforcement, training, reminders
We need to CHECK and AUDIT PERIODICALLY.
We need to keep LEARNING and IMPROVING - education, implementation of standards e.g. ISO 27000
We cannot always think it's another person's job!

Slide 3/28

The Myth: Our Site Is Safe

Over the past 20 years, we have invested many resources and much effort in network and infrastructure security.

- We Have Firewalls and IPS in Place
  Port 80 & 443 are open for the right reasons
- We Use Network Vulnerability Scanners
  Neglect the security of the software on the network/web server
- We Audit It Once a Quarter with Pen Testers
  Applications are constantly changing
- We Use SSL Encryption
  Only protects data between site and user, not the web application itself
- We Outsource

Slide 4/28

SOMETHING IS STILL OUT THERE

Slide 5/28

Slide 6/28

CyberSecurity In the Workplace - per McGraw Hill

- Be informed of your responsibilities and liability
- Choose and maintain safe passwords
- Maintain email and Internet security
- Limit access to your workspace
- Protect sensitive company information
- Ensure secure remote access
- Be aware of new Social Engineering tactics

Slide 7/28

Top 10 Security Tips for Gen-Y

1. GET BACK TO BASICS
2. DON'T CLICK TOO EASILY
3. PAY ATTENTION TO LATEST SOCIAL CHANGES
4. PASSWORDS! PASSWORDS! PASSWORDS!
5. GAMERS: KEEP SECURITY SOFTWARE ON!
6. BE CAREFUL OF P2P (PEER-TO-PEER) & PIRATED SOFTWARE
7. BEWARE OF SOCIAL ENGINEERING ATTACKS
8. CHOOSE YOUR FRIENDS CAREFULLY
9. BE CAREFUL WHEN DOWNLOADING
10. BE CAREFUL WHEN USING WI-FI HOT-SPOTS

Courtesy Skyler King, Zone, Mashable 08/12

Slide 8/28

Slide 9/28

Wireless LAN Icons

Slide 10/28

BE SURE THE SITE IS THE CORRECT ONE

Slide 11/28

BE CAREFUL WHAT YOU SHARE

Slide 12/28

DON'T BE GREEDY
- FREE THINGS ARE DANGEROUS
- YOU DON'T KNOW WHO IT'S FROM

Slide 13/28

STRANGE INCOMING EMAILS - Phishing

Do not click on links or open attachments in emails which seem suspicious or unfamiliar. Be like a detective.

- EVEN IF FROM FRIENDS OR RELATIVES
- BE SUSPICIOUS ABOUT THE WRITING STYLE, LANGUAGE, THEME
- SEE WHO ELSE IS COPIED ON THE EMAIL
- Never reply to the email
- Never open the attachment
- Never click on the link
- USE A DIFFERENT WAY TO CHECK WITH THE SENDER.
- IF YOU ARE BUSY OR THE SENDER IS NOT FAMILIAR THEN JUST DELETE THE EMAIL, DON'T WORRY ABOUT IT

SAME FOR STRANGE SMS OR WHATSAPP

Slide 14/28

DON'T JUST AGREE TO ANY EMAIL INSTRUCTION

Slide 15/28

Are You Sure it's OK (Safe) to Click?

WHEN NOT SURE, PLEASE ASK FOR HELP

Slide 16/28

DO NOT READILY TRUST ONLINE-BASED MATERIAL

When researching on the Internet, make sure 2 or 3 sites say the same thing first!

Slide 17/28

Real Example: WEB APPLICATION ATTACK - Reading another user's transaction

Another customer's transaction slip is revealed, including the email address.
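The slide's real example is a broken access control: the transaction id in the request is trusted as the lookup key and the requester is never compared with the record's owner. Below is an added illustration, not code from the slides or from (ISC)2, showing a Python lookup written the flawed way beside a hardened version, plus the review check that tells them apart and the audit log of denied lookups the deck's "check and audit periodically" slide asks for. The function names, the Transaction type, the sample customers and the audit log are all assumptions constructed for this example.

```python
# Added example, not from the slides or from (ISC)2: the access-control flaw
# behind "reading another user's transaction", shown as a lookup that trusts
# the id in the request beside one that checks ownership. Every name and the
# sample data are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: int
    owner_id: int   # the customer this slip belongs to
    amount: float
    email: str      # the field the slide shows being exposed


class AccessDenied(Exception):
    """Raised when the requester may not see the requested record."""


# Constructed sample store: two customers (7 and 9), three transaction slips.
TRANSACTIONS = {
    1001: Transaction(1001, owner_id=7, amount=42.50, email="alice@example.com"),
    1002: Transaction(1002, owner_id=7, amount=13.00, email="alice@example.com"),
    1003: Transaction(1003, owner_id=9, amount=99.99, email="bob@example.com"),
}

# Constructed audit trail: one (requester_id, txn_id) entry per denied lookup.
AUDIT_LOG: List[Tuple[int, int]] = []


def get_slip_insecure(txn_id: int, requester_id: int) -> Optional[Transaction]:
    """The flaw: the id from the request is used directly as the lookup key
    and requester_id is never compared with the owner, so any logged-in
    customer can read any other customer's slip by changing the id."""
    return TRANSACTIONS.get(txn_id)


def get_slip(txn_id: int, requester_id: int) -> Transaction:
    """Hardened lookup: the record must exist AND belong to the requester.
    Both failures raise the same error, so the response does not reveal
    whether a foreign id exists, and each denial is written to the audit log."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn.owner_id != requester_id:
        AUDIT_LOG.append((requester_id, txn_id))
        raise AccessDenied(f"user {requester_id} may not view transaction {txn_id}")
    return txn


def foreign_slips_visible(handler: Callable[[int, int], Optional[Transaction]],
                          requester_id: int) -> int:
    """Review check: count how many OTHER customers' slips a requester can read
    through `handler`. Run it over every handler that takes a record id; the
    hardened one must return 0."""
    count = 0
    for txn_id in TRANSACTIONS:
        try:
            txn = handler(txn_id, requester_id)
        except AccessDenied:
            continue
        if txn is not None and txn.owner_id != requester_id:
            count += 1
    return count


if __name__ == "__main__":
    print("insecure handler exposes", foreign_slips_visible(get_slip_insecure, 7), "foreign slip(s)")
    print("hardened handler exposes", foreign_slips_visible(get_slip, 7), "foreign slip(s)")
    print("denied lookups recorded:", AUDIT_LOG)
```

The design choice worth noting is that the ownership test lives inside the data-access function rather than in a separate wrapper: a handler that forgets to call the wrapper fails open, whereas a lookup that cannot be called without a requester id fails closed. The audit entries give the periodic review a concrete signal, since a customer accumulating many denials across ids that are not theirs is exactly the pattern the slide describes.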

Slide 18/28

Why do hackers attack Apps?

- Because they know you have firewalls
  So they need to find a new weak spot to hack through and steal or compromise your data
- Because firewalls do not protect against app attacks
- Very few people are actively aware of application security issues
  Most IT security professionals, from the network & sys-admin side, have little experience or interest in software development. Programmers have little experience or interest in security or infrastructure.
  IT security staff are also often overworked and are focusing on other issues
- Because web sites have a large footprint; cloud makes it even bigger.
- Because they can
  Many organizations today still lack a software development security policy
  Many applications, especially legacy ones still in use, were not built defensively
  Applications today are hundreds of thousands of lines long
  It is a nightmare to QA the application, and requires discipline
  So many people, even if aware, will skip or procrastinate this tedious process
  Additional loss of control when outsourcing development work

Slide 19/28

Why Software Development has flaws

No developer goes to work with the intention of writing bad code.

Cheap / Fast / Good -> Choose 2!

Developers are often not trained or experienced in secure coding techniques, and have never needed to worry about this before.

Developers face pressures of demands for quality and functionality, and are often short on timeline, resources, information, budget, quality assurance tools investment.

Plus heavy demands on outsourcing parties

Slide 20/28

Unplanned Proliferation of Data

Slide 21/28

(ISC)2 Survey & Global Information Security Workforce Study - Stats 2012/3

- 59% not following a rigorous Security process
- 26% have no hint of Security within their software development lifecycle
- 48% claim to audit procedures regularly
- 69% blame Culture as reason for current practices
- 57% blame lack of Education
- 70% claim to have insufficient guidance for key technology models

AUDIT

The worst reason to have security is Governance Regulation
- You must know why you want security, not because someone said so
- We end up trying all sorts of ways to get by or get past the feared (or hated) auditor

59% of staff will try to bypass a security process

Slide 22/28

Conclusion: 2 Components to I.T. Security

Technical Component
- Access Control
- Authenticated Access
- Encryption & Privacy
- Policy-based traffic filtering
- Enterprise Management etc

Human & Policy Component
- Education
- Enforcement
- Reinforcement
- Diligence & Vigilance
- CLEAR OWNERSHIP

Technologies today can provide the technical component.
Only with commitment at the highest levels can the human factor be successful.

AS LONG AS HUMANS BEHAVE LIKE HUMANS WE WILL STILL HAVE A JOB IN I.T. SECURITY

I.T. SECURITY TODAY IS NO LONGER A TECHNOLOGY THING; IT IS A HUMAN AND SOCIAL MATTER

Slide 23/28

EMPOWERING THE HUMAN FACTOR

Security CERTIFICATION for Application Development Team

www.isc2.org

CISSP

'COS DEVELOPERS NEVER HAD TO WORRY ABOUT THIS BEFORE - UNTIL NOW

BUT EVEN SO - IN ORDER TO USE THE PROFESSIONAL QA TOOLS WELL

Slide 24/28

About (ISC)2 CISSP

- Established in 1989. Non-profit consortium of information security industry leaders -- celebrating 25th Anniversary this year
- Global leaders in certifying and educating information security professionals throughout their careers
- Global standard for information security: (ISC)2 CBK, a compendium of information security topics
- Nearly 100,000 certified professionals in more than 135 countries

Isc2.org

Slide 25/28

(ISC)2 Credential Offerings

Slide 26/28

White Papers on Computer Security

Slide 27/28

Upcoming Events/Activities

Call for Nomination for Asia-Pacific ISLA - early April 2014

Held annually by (ISC)2 in cooperation with the (ISC)2 Asian Advisory Board.

Recognizes outstanding leadership and achievements of information security and management professionals in the Asia-Pacific region.

Email blast will be sent to members and (ISC)2 chapter.

Slide 28/28

Cultivating a SECURITY Culture into Business Dimensions

Anthony Lim

Thank you