www.senseofsecurity.com.au © Sense of Security 2013 Page 1 – April 2013
Compliance, Protection & Business Confidence
Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia
Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia
T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455
[email protected] www.senseofsecurity.com.au ABN: 14 098 237 908
Best practice strategies to improve your enterprise security
Murray Goldschmidt, Chief Operating Officer
April 2013
2nd Annual Australian Fraud Summit 2013
Agenda
1. Recent Security Breaches
2. Identifying & Understanding Security Risks & Organisational Implications
3. Steps to mitigate risk of breaches & theft
Cyber Threat Actors
Diagram labels: Increasing threat / consequence; Scope – increasing ability to exploit; Agenda; Targets
• Script Kiddies/Cyber Researchers: Experimentation, Fun, Testing
• Hacktivists: Disruption, Reputational Damage, Political/Social
• Organised Crime: Financial gain, fraud, ID theft
• Professionals/Companies/Terrorists: Commercial advantage, Intellectual Property
• Nation States: Economic, political or military advantage
Activity – But Not Yet Cyber War
http://www.economist.com/blogs/analects/2013/02/chinese-cyber-attacks
Hacktivist Attacks
http://www.bankinfosecurity.com/american-express-a-5645
http://www.scmagazine.com/market-for-ddos-prevention-to-hit-870-million/article/287020/
Advanced Persistent Threat
1. Target org/person
2. Malware penetrates
3. Command & Control
4. Data harvest & exfiltrate
RBA Falls Victim to Cyber Attack
http://www.afr.com/p/national/rba_confirms_cyber_attacks_ZsVpeJas8JX6UXCLwOVJKP
Opportunistic Attack – Out of Business
http://www.zdnet.com/distribute-it-claims-evil-behind-hack-1339319324/
Identifying Security Risk
Materiality Risk
ASX Principle 7: “Recognise and Manage Risk”
• A risk profile informs the board and management about material business risks, relevant to company (financial and non-financial) matters. Material business risks are the most significant areas of uncertainty or exposure at a whole of Company level that could impact the achievement of organisational objectives.
Applies also to non-listed entities!
Small Business Also Affected
http://www.staysmartonline.gov.au/alert_service/advisories/ransomware_attacks_will_increase_in_2013
Just The Top 4 …
At least 85% of the targeted cyber intrusions that Defence Signals Directorate (DSD) responds to could be prevented by following the first four mitigation strategies listed in DSD’s 35 Strategies to Mitigate Targeted Cyber Intrusions
1. use application whitelisting to help prevent malicious software and other unapproved programs from running
2. patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
3. patch operating system vulnerabilities
4. minimise the number of users with administrative privileges
As of April 2013, the Top 4 Strategies to Mitigate Targeted Cyber Intrusions are mandatory for Australian Government agencies.
Action Required
Corporations & Government are generally becoming more aware of the need for improved governance and infosec capability
Protect Your Data
http://www.theaustralian.com.au/news/nation/personal-details-of-50000-people-exposed-as-abc-website-hacked/story-e6frg6nf-1226586895264
Protect Your Data
http://www.dailyfinance.com/2012/06/08/youve-been-hacked-again-why-linkedins-breach-is-worse-tha/
Know Your Data
There is no network perimeter. Your data is everywhere.
Mobile Devices
Corporate/Home Networks
Databases/File Servers
Cloud Services
Data Centric, Not System Centric
Fundamentals Still Count
• Availability: the security controls used to protect data, and the communication channel designed to access it must be functioning correctly
• Integrity: data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle
• Confidentiality: preventing the disclosure of information to unauthorised individuals or systems
Defence-in-Depth
A solid Information Security capability requires resilience through defence-in-depth, sound fundamentals, accountability by executives and the ability to comply with regulations/legislation.
Regulation & Legislation
Government
• Privacy Act
• Australian Government - Information Security Manual (ISM), Protective Security Policy Framework (PSPF)
• State Government Standards, e.g. NSW Government Digital Information Security Policy based on ISO 27001
Industry
• Australian Prudential Regulatory Authority (PPG-234)
• PCI Security Standards Council (PCI Data Security Standard – PCI DSS)
Self Examination
• What type of data do you have and is it classified?
• Who owns it?
• Where does it reside (data sovereignty)?
• How is it accessed and by whom?
• What are your future technology objectives (BYOD, Cloud, Mobility…)?
• Are there third-party suppliers involved?
• What are your compliance obligations?
• Do you have a current/effective security governance capability?
• How would you respond in case of an incident?
Information Security Governance
Incorporate an industry recognised system of governance
(e.g. ISO 27001 - Information Security Management System)
Domains
Information Security Management: Security Policy & Organisation
Asset Management
Human Resource Security
Physical & Environmental Security
Communications & Operations Management
Access Control
Information Systems Acquisition, Development & Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Management & Technical Standards
Management standards and technical controls need to be defined and enforced.
Management Practice Area
• Change Management
• Incident & Event Management
• Patch Management
• Disaster Recovery & Business Continuity Management
• Configuration Management
• Security Awareness Management
• Vulnerability Management
• Physical Security
• Threat Management
• Application Management
• Access Control Management
• 3rd Party Management
Technical Assurance
Vulnerability Management Program
SDLC Governance, Static Code Analysis
Configuration Management / Hardening
Enterprise Security Architecture
Testing of technology assets and social engineering threat assessments
External/Internal penetration testing (ethical hacking) on networks and applications
Questions?
Thank you
Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
T: 1300 922 923
www.senseofsecurity.com.au