cybersecurity: connectivity, collaboration and security controls

CYBERSECURITY: Connectivity, Collaboration & Critical Security Controls June 23, 2016

Upload: kristian-a-pura

Post on 15-Apr-2017


TRANSCRIPT

Page 1: Cybersecurity: Connectivity, Collaboration and Security Controls

CYBERSECURITY: Connectivity, Collaboration & Critical Security Controls

June 23, 2016

Page 2: Cybersecurity: Connectivity, Collaboration and Security Controls

➔  Introduction: 3 minutes

➔  Connectivity: 5 minutes

➔  Collaboration: 3 minutes

➔  Critical Security Controls: 6 minutes

➔  Cold War with China on Cyberspace: 3 minutes

Coverage

Page 3: Cybersecurity: Connectivity, Collaboration and Security Controls

MEL V. VELARDE

CEO, NOW Corporation and NOW Telecom Co.

Chairman, Asian Institute of Journalism and Communication

UNESCO Commissioner and Chairman of Science and Technology Committee, UNESCO Philippines, 2003-2010

Page 4: Cybersecurity: Connectivity, Collaboration and Security Controls

About NOW Corporation

➔  A technology, media and telecom company that owns NOW Telecom Co., a duly enfranchised telecom and mobile cellular company.

➔  Listed on the Philippine Stock Exchange (Ticker: NOW). Market cap: Php4 Billion+.

➔  Apart from government, our customers are blue-chip companies such as banks and other financial institutions, conglomerates, and SMEs in the Philippines.

➔  Our products and services are IT services, including software and maintenance, IT consultancy and professional services, and recently broadband connectivity and multimedia services.

Page 5: Cybersecurity: Connectivity, Collaboration and Security Controls

Client References

Page 6: Cybersecurity: Connectivity, Collaboration and Security Controls

Client References

Page 7: Cybersecurity: Connectivity, Collaboration and Security Controls

Mr. Abdul Kalam Shamsuddin, Director (Joint Secretary), The Prime Minister’s Office

Mr. S.M. Yarikul Islam, Director, The Prime Minister’s Office

Ms. Maliha Nargis, Additional Director (Joint Secretary), Department of Information and Communication Technology

Dr. Md. Maynul Hoque Anshary, Deputy Secretary, Finance Division

Mr. Md. Rafiqul Islam Khan, Deputy Secretary, Finance Division

Mohammad Borhanul Haque, Deputy Chief, Socio Economic Infrastructure Division, Ministry of Planning

Mr. Golam Md. Baten, Assistant Chief, Socio Economic Infrastructure Division, Ministry of Planning

Mst. Maksuda Begum, Chief Accounts Officer, Ministry of Science and Information & Communication Technology (ICT)

Ms. Poly Kar, Assistant Director, Implementation Monitoring and Evaluation Division

Mir Abdul Awwal Al Mehedi, Senior Assistant Secretary, Implementation Monitoring and Evaluation Division

Mr. Md. Bashir Ahamed, Assistant Secretary, Information and Communication Technology Division

Mr. Anwar Hossen, Personal Assistant to Honorable State Minister, Information and Communication Technology Division

Cyber Security Lecture Bangladesh Delegation by NOW Corporation

Page 8: Cybersecurity: Connectivity, Collaboration and Security Controls

➔  Republic Act No. 10175 of 2012, Cybercrime Prevention Act:

Cybercrimes:

A. Offenses against the confidentiality, integrity and availability of computer data and systems

- Illegal Access, Illegal Interception, Data Interference, System Interference, Misuse of Devices

B. Computer-related Offenses

- Computer-related Forgery, Computer-related Fraud, Computer-related Identity Theft

C. Content-related Offenses

D. Other Cybercrimes

➔  Republic Act No. 10173 of 2012:

The Data Privacy Act and creation of the National Privacy Commission.

➔  Executive Order 189 of 2015:

Creating the National Cybersecurity Inter-Agency Committee.

➔  Republic Act No. 10844 of 2016:

Creating the Department of Information Communication and Technology.

Philippine Enabling Laws

Page 9: Cybersecurity: Connectivity, Collaboration and Security Controls

by California Breach Report, February 2016 https://oag.ca.gov/breachreport2016

To protect privacy:

●  businesses must have privacy policies that are easy to read and access,

●  inform consumers about material changes to their data handling practices, and

●  carefully select their default settings, which often determine how data is collected, used, and shared.

“An organization cannot protect people’s privacy without being able to secure their data from unauthorized access.” - Kamala D. Harris, Attorney General, California Department of Justice


State of California: Obligation on Handling Consumer Data

Page 10: Cybersecurity: Connectivity, Collaboration and Security Controls

by California Breach Report, February 2016 https://oag.ca.gov/breachreport2016


●  Retailers: 25% of breaches, 42% of records

●  Banks: 18% of breaches, 26% of records

●  Health Care: 16% of breaches

●  General Businesses: 15% of breaches

State of California: Top Breaches per Industry

2012-2015 49 million records of Californians breached

3 out of 5 Californians were victims of a data breach for 2015 alone

Page 11: Cybersecurity: Connectivity, Collaboration and Security Controls

●  Malware & Hacking (54%): Retail sector with the highest breach

●  Physical Breaches (27%): Health care sector with the highest breach

●  Breaches caused by errors (17%): Government sector with the highest breach

by California Breach Report, February 2016 https://oag.ca.gov/breachreport2016

State of California: Type of Breaches

Businesses and government agencies have been required to notify the Attorney General of breaches affecting more than 500 Californians and, most importantly, are also required to apply “reasonable security.”

Page 12: Cybersecurity: Connectivity, Collaboration and Security Controls

Security defenses include identifying attacker presence and reducing “living space”

Security defenses include decreasing attack surface area and hardening security

Security defenses include controlling superuser privileges (admin and root)

Security defenses include disrupting command and control of attacker-implanted malware

http://image.slidesharecdn.com/securityonabudget060712-120607135645-phpapp01/95/security-on-a-budget-17-728.jpg?cb=1339077525

Computer Attacker Activities and Associated Defenses

Page 13: Cybersecurity: Connectivity, Collaboration and Security Controls

Armed Forces of the United States

http://www.longwaitforisabella.com/2015/05/military-care-package-list.html

Page 14: Cybersecurity: Connectivity, Collaboration and Security Controls

The 6th Military Branch: Cyberdefense

http://foter.com/f/photo/6300378608/41329897ea/ http://www.longwaitforisabella.com/2015/05/military-care-package-list.html

Page 15: Cybersecurity: Connectivity, Collaboration and Security Controls

Air, land, sea, cyber: NATO adds cyber to operation areas

http://www.usnews.com/news/politics/articles/2016-06-14/air-land-sea-cyber-nato-adds-cyber-to-operation-areas

Page 16: Cybersecurity: Connectivity, Collaboration and Security Controls

CONNECTIVITY

Page 17: Cybersecurity: Connectivity, Collaboration and Security Controls

www.shodan.io

Page 18: Cybersecurity: Connectivity, Collaboration and Security Controls

Cloak Critical Infrastructure

Page 19: Cybersecurity: Connectivity, Collaboration and Security Controls

➔  Cloak Critical Infrastructure: Secures and hides communications between trusted devices with cryptographic identities

➔  Segment Networks: Centrally managed, micro-segmented networks based on device whitelisting increase overall security posture

➔  Extend Networks: Securely extend your network to any location regardless of topology

➔  Preserve Legacy Investments: Seamlessly integrates with existing devices and infrastructure with no impact on the underlying network

➔  Increase Operational Integrity and Availability: Visibility into network traffic enables diagnostics, debugging and performance optimization

Benefits

Page 20: Cybersecurity: Connectivity, Collaboration and Security Controls

*as of the end of 2015

http://www.cedmagazine.com/news/2016/06/research-estimates-more-8-billion-connected-devices-worldwide

Number of Connected Audio-Visual Devices Globally (in millions)

Page 21: Cybersecurity: Connectivity, Collaboration and Security Controls

Show NBEX

Guaranteed connections of up to 700 Mbps. For public broadband or private networks. Optional: bundling of Cable TV and high-value IT services.

NOW Broadband and Private Networks

Page 22: Cybersecurity: Connectivity, Collaboration and Security Controls

Fiber in the Air Technology via Radio Antenna

(Defense Contractor)

50 to 700 Mbps Guaranteed Service

Page 23: Cybersecurity: Connectivity, Collaboration and Security Controls

Fiber Optic Network: Phase One

Page 24: Cybersecurity: Connectivity, Collaboration and Security Controls

Fiber Optic Network: Phase Two

Page 25: Cybersecurity: Connectivity, Collaboration and Security Controls

Fiber Optic Network: Northern Luzon

Page 26: Cybersecurity: Connectivity, Collaboration and Security Controls

Fiber Optic Network: Southern Luzon

Page 27: Cybersecurity: Connectivity, Collaboration and Security Controls

Fiber Optic Network: Mindanao

Page 28: Cybersecurity: Connectivity, Collaboration and Security Controls

COLLABORATION

Page 29: Cybersecurity: Connectivity, Collaboration and Security Controls

Initial Targets

Documents Emails Files Content

IT Configuration Hashes Passwords Payment Card Data Customer Data

Medical Records

Social Security Numbers

Product Inventory Financial Reports Email Database

Online Meetings

Chats Social Networking

Page 30: Cybersecurity: Connectivity, Collaboration and Security Controls

http://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html

In its Form 8-K filings to the SEC the company stated it became aware on June 5th 2015 that it was the victim of a “criminal fraud”. It appears a member of staff in one of its subsidiary companies based in Hong Kong fell victim to what is known as a “CEO scam” or a “Business Email Compromise (BEC)” attack.

Page 31: Cybersecurity: Connectivity, Collaboration and Security Controls

Collaboration Software & Services

INNOVATION: stay ahead of the competition

ACCESSIBILITY & SECURITY: keeping information safe

CONFIDENCE: mitigate risk

ROI: optimizes entire work force

IBM Smart Cloud & NOW Corporation

Page 32: Cybersecurity: Connectivity, Collaboration and Security Controls

Collaboration Software & Services

IBM Smart Cloud & NOW Corporation

Page 33: Cybersecurity: Connectivity, Collaboration and Security Controls

Secure Collaboration on Mobile

IBM Smart Cloud & NOW Corporation

Page 34: Cybersecurity: Connectivity, Collaboration and Security Controls

The Value of Secure Collaboration

EMPOWER PEOPLE: social collaboration

ENGAGE PEOPLE: social analytics

TRUST PEOPLE: collaboration beyond boundaries

EXTEND TECHNOLOGY: integration with other platforms

IBM Smart Cloud & NOW Corporation

Page 35: Cybersecurity: Connectivity, Collaboration and Security Controls

CRITICAL SECURITY CONTROLS

Page 36: Cybersecurity: Connectivity, Collaboration and Security Controls

California’s information security statute requires businesses to use “reasonable security procedures and practices…to protect personal information from unauthorized access, destruction, use, modification, or disclosure.”

Recommendation #1

The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

by California Breach Report, February 2016 https://oag.ca.gov/breachreport2016

State of California: Reasonable Security

Page 37: Cybersecurity: Connectivity, Collaboration and Security Controls

SYSTEM

CSC 1: Inventory of Authorized and Unauthorized Devices

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 5: Controlled Use of Administrative Privileges

CSC 6: Maintenance, Monitoring and Analysis of Audit Logs

CSC 7: E-mail and Web Browser Protections

CSC 8: Malware Defenses

CSC 9: Limitation and Control of Network Ports

CSC 10: Data Recovery Capability

NETWORK

CSC 11: Secure Configurations for Network Devices

CSC 12: Boundary Defense

CSC 13: Data Protection

CSC 15: Wireless Access Control

APPLICATION

CSC 14: Controlled Access Based on the Need to Know

CSC 16: Account Monitoring and Control

CSC 17: Security Skills Assessment and Appropriate Training to fill Gaps

CSC 18: Application Software Security

CSC 19: Incident Response and Management

CSC 20: Penetration Tests and Red Team Exercises

The 20 Critical Security Controls

The CIS Critical Security Controls, Enclave Security 2016

Page 38: Cybersecurity: Connectivity, Collaboration and Security Controls

But earlier today, Bit9 told a source for KrebsOnSecurity that their corporate networks had been breached by a cyberattack. According to the source, Bit9 said they’d received reports that some customers had discovered malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9’s own encryption keys.

http://www.krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

Page 39: Cybersecurity: Connectivity, Collaboration and Security Controls

An hour after being contacted by KrebsOnSecurity, Bit9 published a blog post acknowledging a break-in. The company said attackers managed to compromise some of Bit9’s systems that were not protected by the company’s own software. Once inside, the firm said, attackers were able to steal Bit9’s secret code-signing certificates

http://www.krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

Page 40: Cybersecurity: Connectivity, Collaboration and Security Controls

“Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,” Bit9’s Patrick Morley wrote. “As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.”

http://www.krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

Page 41: Cybersecurity: Connectivity, Collaboration and Security Controls

➔  Security whitelisting vendor, Bit9, was breached (2/2013)

➔  The breach occurred because they did not install controls on machines that were not in their inventories

➔  Attackers breached their network, compromising machines where they had not installed their whitelisting product

➔  As a result of the breach, a code-signing certificate was abused and malicious code was signed with their certificate

http://www.krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

Breach Case Study: Bit9

Page 42: Cybersecurity: Connectivity, Collaboration and Security Controls

1.  Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

2.  If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

3.  Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

4.  Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the:

- Network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, department associated with each device.

5.  The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.

6.  Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.

7.  Use client certificates to validate and authenticate systems prior to connecting to the private network.

The CIS Critical Security Controls, Enclave Security 2016

Solutions
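Items 2 and 4 above can be combined into one reconciliation pass: read the DHCP server log, then compare each leased device with the asset inventory. The sketch below is an added example, not part of the slides or of the CIS text; it assumes ISC dhcpd style `DHCPACK` log lines and an inventory keyed by MAC address, and the inventory records and log lines are constructed sample data.

```python
import re

# Fields item 4 says every inventory record must carry.
REQUIRED_FIELDS = ("ip", "machine_name", "purpose", "owner", "department")

# ISC dhcpd style lease acknowledgement; the "(hostname)" part is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Constructed inventory (assumption: keyed by lower-case MAC address).
INVENTORY = {
    "00:16:3e:aa:01:10": {"ip": "10.20.0.10", "machine_name": "fin-ws-01",
                          "purpose": "finance workstation", "owner": "j.cruz",
                          "department": "Finance"},
    "00:16:3e:aa:01:11": {"ip": "10.20.0.11", "machine_name": "lobby-printer",
                          "purpose": "printer", "owner": "",
                          "department": "Admin"},
}

# Constructed DHCP server log lines.
SAMPLE_LOG = """\
Jun 23 09:00:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.10 to 00:16:3e:aa:01:10 (fin-ws-01) via eth0
Jun 23 09:00:07 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:16:3e:ff:77:02 via eth0
Jun 23 09:00:08 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.57 to 00:16:3E:FF:77:02 (android-5c1) via eth0
Jun 23 09:02:30 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.99 to 00:16:3e:aa:01:10 (fin-ws-01) via eth0
Jun 23 09:03:12 dhcp1 dhcpd[812]: DHCPACK on 10.20.0.11 to 00:16:3e:aa:01:11 via eth0
"""

def last_leases(log_text):
    """Return {mac: (ip, hostname)} holding the most recent DHCPACK per MAC."""
    leases = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return leases

def reconcile(log_text, inventory):
    """Compare leased devices with the inventory and return three finding sets."""
    findings = {"unknown": {}, "stale_address": {}, "incomplete": {}}
    for mac, (ip, host) in last_leases(log_text).items():
        record = inventory.get(mac)
        if record is None:
            # On the network but not in the inventory: item 2's "unknown systems".
            findings["unknown"][mac] = {"ip": ip, "hostname": host}
            continue
        if record.get("ip") != ip:
            # Recorded address is out of date; the lease can refresh it.
            findings["stale_address"][mac] = {"inventory": record.get("ip"),
                                              "leased": ip}
        missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
        if missing:
            # Record lacks one of the fields item 4 requires.
            findings["incomplete"][mac] = missing
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_LOG, INVENTORY).items():
        print(kind, items)
```
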

Page 43: Cybersecurity: Connectivity, Collaboration and Security Controls

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.

https://www.facebook.com/note.php?note_id=10151249208250766

Page 44: Cybersecurity: Connectivity, Collaboration and Security Controls

We have found no evidence that Facebook user data was compromised. As part of our ongoing investigation, we are working continuously and closely with our own internal engineering teams, with security teams at other companies, and with law enforcement authorities to learn everything we can about the attack, and how to prevent similar incidents in the future.

https://www.facebook.com/note.php?note_id=10151249208250766

Page 45: Cybersecurity: Connectivity, Collaboration and Security Controls

➔  Internal Facebook workstations compromised (1/2013)

➔  Breach was caused by an insecure version of Oracle Java running on internal workstations

➔  Developers visited a mobile developer website hosting an Oracle Java exploit

➔  Machines were patched and running up-to-date anti-malware, but were still exploited

➔  No data was reported as compromised in the breach. Believed to be the same exploit that affected Apple and Microsoft in the same time frame

https://www.facebook.com/note.php?note_id=10151249208250766

Breach Case Study: Facebook

Page 46: Cybersecurity: Connectivity, Collaboration and Security Controls

1.  Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.

2.  Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.

3.  Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

4.  Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment.

The CIS Critical Security Controls, Enclave Security 2016

Solutions
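Items 1 and 2 above describe a default-deny decision keyed on the authorized software list, plus an integrity check on that list. The sketch below is an added example, not part of the slides or of any whitelisting product; it assumes the list is keyed by SHA-256 hash, and the file names, versions and file contents are constructed stand-ins for real binaries.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(entries):
    """entries: (file_name, version, path) tuples -> {sha256: (file_name, version)}."""
    return {sha256_file(path): (name, version) for name, version, path in entries}

def allowlist_digest(allowlist):
    """Digest of the list itself, stored separately and re-checked (item 1)."""
    h = hashlib.sha256()
    for digest, (name, version) in sorted(allowlist.items()):
        h.update(f"{digest}|{name}|{version}\n".encode())
    return h.hexdigest()

def decide(path, allowlist):
    """Default deny: only a file whose hash is on the list may run (item 2)."""
    if sha256_file(path) in allowlist:
        return "allow"
    authorized_names = {name for name, _ in allowlist.values()}
    if os.path.basename(path) in authorized_names:
        # Right name, wrong bytes: a modified file or a version not on the list.
        return "deny-modified"
    return "deny-unlisted"

def demo():
    """Run the checks over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            return path

        good = write("approved/reportgen", b"reportgen build 1.4")
        agent = write("approved/backup-agent", b"backup-agent build 2.0")
        allowlist = build_allowlist([("reportgen", "1.4", good),
                                     ("backup-agent", "2.0", agent)])
        baseline = allowlist_digest(allowlist)

        changed = write("downloads/reportgen", b"reportgen build 1.4, altered")
        unknown = write("downloads/freetool", b"some other program")
        result = {
            "approved": decide(good, allowlist),
            "changed": decide(changed, allowlist),
            "unknown": decide(unknown, allowlist),
        }
        # An entry added outside change control shows up as a digest mismatch.
        allowlist[sha256_file(unknown)] = ("freetool", "0.1")
        result["list_intact"] = allowlist_digest(allowlist) == baseline
        return result

if __name__ == "__main__":
    print(demo())
```
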

Page 47: Cybersecurity: Connectivity, Collaboration and Security Controls

COLD WAR ON CYBERSPACE

Page 48: Cybersecurity: Connectivity, Collaboration and Security Controls

The Most Powerful GEO Spy Satellite is Chinese

http://www.popsci.com/gaofen-4-worlds-most-powerful-geo-spy-satellite-continues-chinas-great-leap-forward-into-space

Page 49: Cybersecurity: Connectivity, Collaboration and Security Controls

Concentrated Footprint over the Philippines

Korea Satellite.

Page 50: Cybersecurity: Connectivity, Collaboration and Security Controls

CYBERSECURITY: Connectivity, Collaboration & Critical Security Controls

THANK YOU!

Contact details: [email protected] https://ph.linkedin.com/in/mel-velarde-050b156 www.nownetwork.ph www.now-corp.com