2. Agenda
What is Cyber Security?
Cyber Security Cases
Cyber Security Strategy
A Risk Based Approach
Managing Cyber Attacks.. CHECK and ACT
The Bigger Picture!!
3. What is Cyber Security??
Protection of ICT systems, networks and data in Cyber Space (i.e. any communications
environment, particularly the Internet).
Protection through prevention, detection and response to attacks from a wide range of Cyber
Threats such as Cyber Crime, Cyber Terror, Cyber Espionage, Cyber War etc..
Impacts Governments, Financial Organisations, Critical National Infrastructures,
Individuals etc.. at significantly different levels of technical sophistication.
Exploits varied Cyber Space offerings (e.g. Cloud, Mobile, Social Networking, Shopping,
Online Games etc..) not previously dealt with in the traditional Information Security world.
4. Cyber Security Cases
Student, After Delay, Is Charged In Crippling of Computer Network "After more than
eight months, the Justice Department said yesterday that a Federal grand jury in Syracuse
had indicted the 24-year-old Cornell University graduate student who has been blamed for
crippling a nationwide computer network with a rogue software program... The student,
Robert Tappan Morris, was charged with a single felony count under a 1986 computer
crimes law, the Computer Fraud and Abuse Act ..." The New York Times (27 July 1989)
Youth Sentenced in Government Hacking Case "A 16-year-old from Miami who
repeatedly penetrated computer systems of the Defense Department and the space agency
has been sentenced to six months in juvenile detention. The Justice Department said he is
the first juvenile hacker to be sentenced to serve time..." The New York Times (23 Sept
2000)
5. Cyber Security Cases (cont’d..)
Downloaded music by Jay-Z ... all I got was snooped, dog "Fans of rapper Jay-Z
who thought they'd grabbed hold of an app granting them access to an early release of his
new album Magna Carta Holy Grail have found themselves on the receiving end of an
anti-PRISM Android Trojan designed to slurp all their data..." The Register (05 July 2013)
6. Cyber Security Strategy
United Kingdom - Cyber Security Strategy
Improving knowledge, capabilities and decision-making
Reducing risk from the UK’s use of cyber space
Exploiting opportunities in cyber space
United States - Comprehensive National Cyber Security Initiative
Establish a front line of defence against today’s immediate threats
Defend against the full spectrum of threats
Strengthen the future cyber space environment
Similar goals - Understand Cyber Space offerings to exploit the opportunities it delivers
and address its risks.
However Governments are breaking their own privacy laws on wire snooping to understand
and combat Cyber Threats!!!
7. A Risk Based Approach
A risk based approach needs to be applied, with emphasis on the likelihood of the most
dangerous attacks on the assets with the most impact to the organisation.
Objective feedback from existing controls is needed to assess exposure to, and deal
instantly with, Cyber Threats.
Interrelated international standards already exist to support this approach:
ISO27001 (Design and develop Information Security Controls, Processes and Awareness)
ISO27005 (Manage Information Security Risks)
ISO27035 (Manage Information Security Incidents)
ISO27001 and ISO27005 use the Deming Cycle for the development, maintenance and
improvement of Information Security:
Plan->Do->Check->Act->Plan->Do->Check->Act->Plan->....
For Cyber Security the Deming Cycle becomes more linear, concentrating on the maintenance
and improvement exercises so as to deal with growing Cyber Threats at a faster pace:
Plan->Do->Check->Act->Check->Act->Check->Act->Check->....
8. A Risk Based Approach.. (continue)
The ISO standards cover the following processes and activities to aid Cyber Security:
Understanding of the actual business context information and security related context
information (PLAN)
Risk Assessments conducted to understand the likelihood of threats and vulnerabilities
and the impact to the organisation (PLAN and CHECK)
Awareness of the need, and responsibility, for security by all parties (DO)
Security design and implementation of controls commensurate with the assessed risk (PLAN and
DO)
Prevent, detect and respond to security incidents, including review of the existing state of
security (CHECK and ACT)
Measurement of control effectiveness and maturity of overall security to establish when,
where and how to improve the overall security posture (CHECK and ACT)
9. A Risk Based Approach.. (continue)
Risk Related Information: Likelihood (Threats x Vulnerabilities) against Impact (Assets)

Likelihood \ Impact   LOW                MEDIUM             HIGH
HIGH                  Acceptable Risk    Significant Risk   Critical Risk
MEDIUM                Acceptable Risk    Significant Risk   Significant Risk
LOW                   Negligible Risk    Acceptable Risk    Acceptable Risk

Negligible Risk = No Action Required
Acceptable Risk = Monitor To Ensure stability
Significant Risk = Appropriate Actions Required
Critical Risk = Immediate Actions Required
10. Managing Cyber Attacks.. CHECK and ACT
Identify Cyber Space assets, threats, vulnerabilities and appropriate controls (i.e. risk
related information) to address:
IF we are to be attacked what should we have in place to PREVENT an attack?
WHEN we are attacked what should we have in place, and how, to DETECT the attack? And
can we RESPOND to it and PREVENT it from happening again?
To address the WHEN situation, Preventative and Detective controls need to be
implemented to discover attacks and to protect important assets from them. These controls are
the prime sources of risk related information, delivered as events in real time.
Event monitoring provides recording of risk related information such as:
Malicious traffic to specific systems
Suspicious activity across domain boundaries
User session activity.. and more...
11. Managing Cyber Attacks.. (..continue)
Diagram (recovered from the slide figure): how risk related information is built up from controls.

Threat -- mounts attack on --> Asset
Vulnerability (e.g. Un-patched OS/Application) -- can be exploited on --> Asset
Preventative and Detective Controls -- mitigate or stop attacks against / discover attacks against --> Asset
Preventative and Detective Controls -- discover and protect against --> Threat, Vulnerability

Preventative and Detective Controls: Firewall; Identity and Access Manager; DLP; IDS/IPS; AV Gateway; Vulnerability Scanner
Asset information: Asset Inventory and compliance Information; Application, DB and OS etc.. information
Events raised by the controls: Suspicious Login or Access Event; Suspicious Network Access Event; Malicious Port Scanning Event; Malware Event; Data Theft Event; Denial of Service Event

Processing chain:
Threat Correlation/Aggregation + Vulnerability Correlation/Aggregation + Asset Correlation/Aggregation
-> Event Logging and Reporting -> Risk Information -> SIEM & Logger -> ALARM: Security Incidents
12. Managing Cyber Attacks.. (..continue)
SIEM (Security Information and Event Management) requires an understanding of
business and security related context information to enable:
Correlation and aggregation of event data (i.e. risk related information) for risk
assessment
Capability to generate alarms against security incidents
Not all tools can help in instantaneously managing, preventing or detecting all threats
and attacks. Computer Forensics provides a methodology to address:
Unknown threats and attacks not picked up as part of security monitoring
How, where and when such threats were realised
Real time assessment of threats and vulnerabilities provides an understanding of the
effectiveness of controls and of the risks to assets.
Measurement of control effectiveness can be obtained through a combination of the
outputs of incidents, events and information acquired through forensic investigation.
13. Managing Cyber Attacks.. (..continue)
Correlated/Aggregated Events: Likelihood (Threats x Vulnerabilities) against Impact (Assets)

Likelihood \ Impact   LOW                 MEDIUM              HIGH
HIGH                  Acceptable Event    Significant Event   Critical Event
MEDIUM                Acceptable Event    Significant Event   Significant Event
LOW                   Negligible Event    Acceptable Event    Acceptable Event

Negligible Event = No Action Required (e.g. Legitimate user carries out a wrong search on Catalogue server.)
Acceptable Event = Monitor To Ensure stability (e.g. Admin is logged on to Catalogue Server for > 8 hours)
Significant Event = Appropriate Actions Required (e.g. Malicious script on company’s Intranet portal)
Critical Event = Immediate Actions Required (e.g. Worm discovered on air traffic control system)
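The correlation step described on slides 12 and 13, worked through as an added example (not from the slides): events from the controls are aggregated per asset, likelihood is derived from threats x vulnerabilities, impact from the asset inventory, and the 3x3 matrix of slides 9 and 13 yields the rating and required action. Asset names, the likelihood rule, and the sample events are constructed for illustration.

```python
# Added example, not from the slides: one SIEM-style correlation step that applies
# the 3x3 Likelihood x Impact matrix of slides 9 and 13 to events aggregated per
# asset. Asset names, fields and sample events are constructed for illustration.
from collections import Counter
from dataclasses import dataclass

IMPACTS = ("LOW", "MEDIUM", "HIGH")
# Rows: likelihood (Threats x Vulnerabilities); columns: impact (Assets) LOW, MEDIUM, HIGH
MATRIX = {"HIGH":   ("Acceptable", "Significant", "Critical"),
          "MEDIUM": ("Acceptable", "Significant", "Significant"),
          "LOW":    ("Negligible", "Acceptable", "Acceptable")}
ACTIONS = {"Negligible": "No Action Required",
           "Acceptable": "Monitor To Ensure stability",
           "Significant": "Appropriate Actions Required",
           "Critical": "Immediate Actions Required"}
def rate(likelihood, impact):
    """Look up the matrix cell for a (likelihood, impact) pair."""
    return MATRIX[likelihood][IMPACTS.index(impact)]

@dataclass
class Asset:
    impact: str       # business impact if compromised (from the asset inventory)
    unpatched: bool   # known un-patched OS/application (from the vulnerability scanner)
# Constructed asset inventory joined with vulnerability scan results
ASSETS = {"catalogue-srv": Asset("LOW", False),
          "intranet-portal": Asset("MEDIUM", True),
          "atc-gateway": Asset("HIGH", True)}
# Constructed events as the logger records them: (source control, event type, target asset)
EVENTS = [("IDS/IPS", "Malicious Port Scanning Event", "atc-gateway"),
          ("AV Gateway", "Malware Event", "atc-gateway"),
          ("IDS/IPS", "Malicious Port Scanning Event", "intranet-portal"),
          ("Identity and Access Manager", "Suspicious Login or Access Event", "catalogue-srv")]

def likelihood(hostile_events, unpatched):
    """Threats x Vulnerabilities: repeated hostile events plus a known weakness raise likelihood."""
    if hostile_events >= 2 and unpatched:
        return "HIGH"
    return "MEDIUM" if (hostile_events >= 2 or unpatched) else "LOW"

def correlate(events, assets):
    """Aggregate events per asset; return {asset: (likelihood, impact, rating, action)}."""
    result = {}
    for name, n in Counter(target for _, _, target in events).items():
        lk = likelihood(n, assets[name].unpatched)
        rating = rate(lk, assets[name].impact)
        result[name] = (lk, assets[name].impact, rating, ACTIONS[rating])
    return result

def alarms(results):
    """Only Significant and Critical ratings are raised as security incident alarms."""
    return sorted(n for n, (_, _, r, _) in results.items() if r in ("Significant", "Critical"))
```

With the constructed input, the air-traffic gateway (two hostile events, un-patched, HIGH impact) rates Critical, the intranet portal Significant, and the single suspicious login on the low-impact catalogue server Negligible, so only the first two raise alarms.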
14. The Bigger Picture!!
Addressing Cyber Security is not so fundamentally different from Information Security.
The main difference is keeping up with the growing opportunities and challenges (i.e. risks) in
Cyber Space. These differences are created by:
The expanding technology and new, but converging, service offerings (e.g. cloud, social
networking and mobile) landscape of the past twenty or so years.
The business and user interaction with new services like social networking and its impact on
personal data privacy, politics, etc..
A risk based approach is required to fully understand the scale and impact of Cyber Threats.
Indicators for risk exposure and control effectiveness identify the key risks over time.
Data and system centric processes and key controls already exist for dealing with Cyber
Threats.
Help might be required from other disciplines such as criminologists, sociologists, psychologists,
lawyers etc.., leading to people and behaviour centric controls.
Additional control types are required, but continuous maintenance and improvement activities
to deal with risk in real time are what matters.
15. The Bigger Picture!!.. (continue)
The approach covers risks identified across people and process activities, not just technical ones.
Existing Information Security related standards, regulations and guidelines are important to a
risk based approach for addressing Cyber Security.
Changes to old legislation, and new legislation, on computer misuse, fraud and abuse
aim to further tighten the noose on individuals involved in Cyber Security breaches.
Thank You!!