Cyber Security Cloud Computing Attacks and Defences


Post on 17-Jul-2020


Table of Contents

Trust

The Growing Threat

Current Risks and Threats

A Typical Current IT Network

Many and varied ways to gain entry to the network

Anatomy of a modern attack

Growing complexity of threats and solutions

Compliance

Can you trust the Cloud?

Can you trust your Service Provider?

Recovering from a Breach

Things you can do to help avoid a breach

The Litcom Approach


Trust

“There should be an assumption by all users, perhaps, that nothing in the cyber world can or should be trusted. And security professionals may do their organizations a service by not trusting any network traffic—or by not having full faith in the security practices of vendors or the supply chains that provide technology to the enterprise.” (from Cisco 2014 Annual Security Report)

This is the sad truth today.

What has caused this?

• Decrease in customer confidence that we can keep their information safe;

• Numerous recent breaches of supposedly safe and secure networks; and

• A recent rash of leaks showing that even the government can and will use a variety of techniques to get hold of our information.


The Growing Threat

From FoxBusiness.com article “As Cyber Threats Mount, Business is Booming in the Security World”


The Growing Threat (cont.)

From 2013 Cyber Attack Statistics – Hackmageddon.com


Current Risks and Threats

Gone are the simple days when a good antivirus and a few policies would protect you from the world. Today’s risks and threats mirror the complexity of our IT environments and the disseminated nature of the internet:

• Greater attack surface area;
• Rapid growth and sophistication of attacks; and
• Complexity of threats and the solutions to counteract them.


A Typical Current IT Network


Many and varied ways to gain entry to the network

Today’s networks are very complex and diversified environments with multiple points of entry that a malicious attacker can use to gain access to the network and ultimately the data residing there.

• Internet
• Email
• Remote access
• File transfer systems
• Wireless
• DMZ systems
• Web servers
• Guest access
• SharePoint
• Management and monitoring systems
• Mobile devices
• Social media
• 3rd Parties
• Vendors
• Employees
• And on…


Anatomy of a modern attack


Growing complexity of threats and solutions

Threats have become very complex, utilizing multiple weaknesses in environment, policy and procedures, IT service management gaps, people, etc.

Cyber security has, for the most part, been an “after the fact” process: malicious activity is perpetrated, IT/Security discovers the aftermath, and only then do they begin the process of containment and recovery.

The growing complexity, maturity and, most importantly, speed of the attacks have made this method almost useless, because by the time the attack has been identified and contained the damage is already done.

The Target breach took less than 3 weeks from beginning to end (as far as we know).

Analysis, threat detection, containment and recovery have to take place in real time in order to keep up with the threats.


Compliance

Many organizations and industry segments have to comply with a variety of regulatory requirements, many of which contain IT, security and data components. These requirements invariably carry penalties and/or fines for non-compliance, not to mention loss of credibility in the industry or with the customer base should compliance not be achieved or maintained.

In an M&A, these compliance obligations may not be part of the parent organization’s current responsibilities (for example, if you branch out into a new business line). You will be responsible for the newly acquired organization, and depending on how you merge the IT, business systems, security and data elements, the merger may also bring other entities of the organization under the same compliance regime.

There are a few simple things that you can do to protect and prepare for this:

• Know the regulatory compliance landscape of the M&A target;
• Acquire the necessary due diligence on the status of the target’s regulatory compliance;
• Understand the ramifications of the M&A target on the rest of your organization;
• Acquire the necessary skills (in house or 3rd party) to deal with the compliance; and
• Depending on the information available, you may want to keep the IT, security, business solutions and data of the newly acquired organization separate to simplify compliance.


Can you trust the Cloud?

The concept of the cloud is actually not new and has been in existence almost as long as there have been computer networks. It is simply the delivery of on-demand computing resources on a pay-per-use basis and includes the following models:

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

The internet has paved the way for these services to be provided in a cost-effective manner using public, private or hybrid cloud models.

For the cloud, the one real issue that differs from any normal diversified network environment run by an organization is: WHERE DOES MY DATA RESIDE? As long as the cloud provider can deliver your business systems and data according to the SLAs, they can put the information wherever they want to, mostly to reduce the costs of facilities and the people to run them.

Current Intellectual Property laws in most countries identify the location of the data as the deciding factor in which country’s IP laws are applicable. A number of these countries, mostly in the 3rd world, are not the best at protecting you and your information, and that is exactly where most cloud providers put their data centres.


Can you trust the Cloud? (cont.)

As the latest GIPC analysis shows, there is wide variation in the maturity and adoption of better and more comprehensive IP laws.

Things you can do to protect your organization:

• Understand where your data will be residing and the IP laws that it will be subject to;

• Do a risk analysis to fully understand the situation;

• If the organization feels the risk is too high, find out if the cloud provider can house your data in a country where IP laws work for you; and

• If not, change providers; there are many to choose from.


Can you trust your Service Provider?

Cloud service providers are plentiful these days. You will find everything from mom and pop type start-ups to the biggest names in computers, networks and data providing cloud services.

A cloud provider is no different than any other long term relationship that the organization might enter into. It is a marriage of sorts and needs to be approached in this manner.

For the M&A target there are 2 critical factors to look at regarding a cloud provider:

• Do they provide the level of service, support, security and customer service that is required by the organization?

• Do you want multiple cloud providers and relationships or just one?


Can you trust your Service Provider? (cont.)

Due diligence is the key to the first question. Make sure you fully understand the cloud provider and what they do for the organization. Their security and IT service management components will be critical. Get a professional (internal or external) to look at these aspects; do not count on your IT organization to do this unless you are very comfortable with their track record and capabilities.

• Does the provider’s way of doing things match with your own (or can you adapt)?
• Is it at least as mature in its processes as the parent organization?
• Talk to other customers of the provider to get a more complete view.
• You cannot have enough information to review with regard to the provider.

The second is a matter of the parent organization’s adaptability and appetite for risk.

• Can you manage multiple provider relationships (if the parent or one of the divisions is already in a relationship with an outsource or cloud provider)?

• Can the parent organization keep the environment separate? (more costly and more complex to manage but could be easier for compliance)

• Are you willing to undergo the trials of moving or merging the providers? (this can break some organizations)


Recovering from a Breach

So it has happened and you have been breached (and you will be; the majority of security providers say that it is not a question of if you will be breached but when). What can you do about it?

• Be prepared for this eventuality. Have a Security Response Plan developed and in place.
• Test the plan just as you would any other critical response plan, such as disaster recovery or business continuity;
• Keep the plan up to date and current;
• Never stop working on improving your current security and policies/procedures;
• Keep your customers, vendors and partners (in other words, everyone) up to date and informed on what is being done to contain and mitigate the situation (big lesson from this year’s breaches); and
• Breach insurance is available, but it is complex and you need to make sure you understand what it covers. Take the time to review and understand your options.


Things you can do to help avoid a breach

What we all want is to avoid the breach in the first place. Here are things you can do to decrease the likelihood of a breach:

• Practice defense in depth. It sounds obvious but it is rarely done well.
• The entire company needs to know and understand why security is important. People will be your most critical flaw in any security plan (another big lesson from this year’s breaches).
• Hire full-time security people, pay them well and give them the tools they need to do their job.
• Do not forget that the simple things in a secure environment may be the most important (remember the FTP incident!).
• Document, document, document.
• Have a comprehensive IT security plan and policies developed and in place. More importantly, FOLLOW THEM.
• There is a tremendous amount of information out there on security from a variety of vendors and agencies. Make use of this information to keep up to date on what is going on. It helps!
• The most important thing you can do is understand that a breach will happen and make your environment as unappealing as possible to the attacker. Make it so that once they get in, there is either nothing readily available for them to access or it is just too difficult and time consuming to get it.


The Litcom Approach

Today’s business leaders wonder how secure their organizations and IT systems are, and often struggle to find the right strategy to balance implementing effective information security controls and achieving business objectives of cost reduction and agility. Litcom provides information security expertise and skilled resources to assist our clients in a variety of information security capacities including:

Health Check

The security health check provides a comprehensive yet attainable tool that will evaluate critical elements of your information security, including:

• Information Security Strategy: Understand how information security should enable your business, and determine whether or not an effective security strategy is in place.
• Security Management and Governance: Evaluate if you have the right organizational and policy structures to support your information security function(s).
• Security Operations: Verify the adequacy of incident response, identity and access, and vulnerability and risk management processes.
• Privacy and Compliance: Evaluate your privacy and data protection processes and mechanisms in order to strengthen your regulatory compliance.
• Technical Architecture: Assess the resilience of technical and logical controls (e.g. network, application and security tools) against cyber and internal threats. Optionally, this may also include technical vulnerability assessments and penetration testing.


The Litcom Approach (cont.)

Program Management

Litcom will help your organization develop an information security program that is effective, adequate to your organization’s culture, and cost-effective. Key elements of program development include:

• Define an Information Security Strategy and prioritized roadmap for achieving information security and business goals; and

• Establish a Security Management and Governance structure. Create the right organizational and policy structures required to support your information security function(s).

Enterprise Security Planning

Litcom offers professional consulting services for organizations to select, plan, and implement information security products and solutions in areas such as:

• Security Information and Event Management (SIEM) technologies
• Intrusion Detection and Intrusion Prevention Systems (IDPS)
• Identity and Access Management Solutions (IAM)
• Security Architecture and Design

Litcom helps its clients progress through the various selection stages, from requirement definition, to development of Requests for Proposals (RFP), to vendor evaluation and contract negotiation, and to project management and implementation. For more information contact us at: [email protected].