cybersecurity: connectivity, collaboration and security controls
TRANSCRIPT
CYBERSECURITY: Connectivity, Collaboration & Critical Security Controls
June 23, 2016
➔ Introduction: 3 minutes
➔ Connectivity: 5 minutes
➔ Collaboration: 3 minutes
➔ Critical Security Controls: 6 minutes
➔ Cold War with China on Cyberspace: 3 minutes
Coverage
MEL V. VELARDE CEO, NOW Corporation and NOW Telecom Co.
Chairman, Asian Institute of Journalism and Communication UNESCO Commissioner and Chairman of Science and Technology
Committee, UNESCO Philippines, 2003-2010
About NOW Corporation
➔ A technology, media and telecom company, owns NOW Telecom Co., a duly enfranchised telecom and mobile cellular company.
➔ Listed in the Philippine Stock Exchange (Ticker: NOW). Market cap: Php4 Billion+.
➔ Apart from government, our customers are blue chips companies like banks and other financial institutions, conglomerates, and SMEs in the Philippines.
➔ Our products and services are: IT services including software and maintenance, IT consultancy and professional services and recently broadband connectivity and multimedia services.
Client References
Mr. Abdul Kalam Shamsuddin Director (Joint Secretary), The Prime Minister’s Office
Mr. S.M. Yarikul Islam Director, The Prime Minister’s Office
Ms. Maliha Nargis
Additional Director (Joint Secretary), Department of Information and Communication Technology
Dr. Md. Maynul Hoque Anshary
Deputy Secretary, Finance Division
Mr. Md. Rafiqul Islam Khan Deputy Secretary, Finance Division
Mohammad Borhanul Haque Deputy Chief, Socio Economic Infrastructure Division
Ministry of Planning
Mr. Golam Md. Baten Assistant Chief, Socio Economic Infrastructure Division
Ministry of Planning
Mst. Maksuda Begum Chief Accounts Officer, Ministry of Science and Information &
Communication Technology (ICT)
Ms. Poly Kar Assistant Director, Implementation Monitoring and
Evaluation Division
Mir Abdul Awwal Al Mehedi Senior Assistant Secretary
Implementation Monitoring and Evaluation Division
Mr. Md. Bashir Ahamed Assistant Secretary
Information and Communication Technology Division
Mr. Anwar Hossen Personal Assistant to Honorable State Minister
Information and Communication Technology Division
Cyber Security Lecture Bangladesh Delegation by NOW Corporation
➔ Republic Act No. 10175 of 2012 Cybercrime Prevention Act:
Cybercrimes:
A. Offenses against the confidentiality, integrity and availability of computer data and systems.
- Illegal Access, Illegal Interception, Data Interference, System Interference, Misuse of Devices
B. Computer-related Offenses
- Computer-related Forgery, Computer-related Fraud, Computer-related Identity Theft
C. Content-related Offenses
D. Other Cybercrimes
➔ Republic Act No. 10173 of 2012:
The Data Privacy Act and creation of the National Privacy Commission.
➔ Executive Order 189 of 2015:
Creating the National Cybersecurity Inter-Agency Committee.
➔ Republic Act No. 10844 of 2016:
Creating the Department of Information and Communications Technology.
Philippine Enabling Laws
by California Breach Report, February 2016 https://oag.ca.gov/breachreport2016
To protect privacy, businesses must:
● have privacy policies that are easy to read and access,
● inform consumers about material changes to their data handling practices, and
● carefully select their default settings, which often determine how data is collected, used, and shared.
“An organization cannot protect people’s privacy without being able to secure their data from unauthorized access.” - Kamala D. Harris, Attorney General, California Department of Justice
State of California: Obligation on Handling Consumer Data
by California Breach Report, February 2016 https://oag.ca.gov/breachreport2016
● Retailers: 25% of breaches, 42% of records
● Banks: 18% of breaches, 26% of records
● Health Care: 16% of breaches
● General Businesses: 15% of breaches
State of California: Top Breaches per Industry
2012-2015: 49 million records of Californians breached
3 out of 5 Californians were victims of a data breach in 2015 alone
● Malware & Hacking (54%): retail sector with the highest share of breaches
● Physical Breaches (27%): health care sector with the highest share of breaches
● Breaches caused by errors (17%): government sector with the highest share of breaches
by California Breach Report, February 2016 https://oag.ca.gov/breachreport2016
State of California: Type of Breaches
Businesses and government agencies have been required to notify the Attorney General of breaches affecting more than 500 Californians; most importantly, they are also required to apply “reasonable security.”
Security defenses include:
● identifying attacker presence and reducing the attacker’s “living space”
● decreasing the attack surface area and hardening security
● controlling superuser privileges (admin and root)
● disrupting command and control of attacker-implanted malware
http://image.slidesharecdn.com/securityonabudget060712-120607135645-phpapp01/95/security-on-a-budget-17-728.jpg?cb=1339077525
Computer Attacker Activities and Associated Defenses
Armed Forces of the United States
http://www.longwaitforisabella.com/2015/05/military-care-package-list.html
The 6th Military Branch: Cyberdefense
http://foter.com/f/photo/6300378608/41329897ea/ http://www.longwaitforisabella.com/2015/05/military-care-package-list.html
Air, land, sea, cyber: NATO adds cyber to operation areas
http://www.usnews.com/news/politics/articles/2016-06-14/air-land-sea-cyber-nato-adds-cyber-to-operation-areas
CONNECTIVITY
www.shodan.io
Cloak Critical Infrastructure
➔ Cloak Critical Infrastructure: secures and hides communications between trusted devices with cryptographic identities
➔ Segment Networks: centrally managed, micro-segmented networks based on device whitelisting increase the overall security posture
➔ Extend Networks: securely extend your network to any location regardless of topology
➔ Preserve Legacy Investments: seamlessly integrates with existing devices and infrastructure with no impact on the underlying network
➔ Increase Operational Integrity and Availability: visibility into network traffic enables diagnostics, debugging and performance optimization
Benefits
*as of the end of 2015
http://www.cedmagazine.com/news/2016/06/research-estimates-more-8-billion-connected-devices-worldwide
Number of Connected Audio-Visual Devices Globally (in millions)
Show NBEX
Guaranteed connections of up to 700 Mbps. For public broadband or private networks. Optional: bundling of Cable TV and high-value IT services.
NOW Broadband and Private Networks
Fiber in the Air Technology via Radio Antenna
(Defense Contractor)
50 to 700 Mbps Guaranteed Service
Fiber Optic Network: Phase One
Fiber Optic Network: Phase Two
Fiber Optic Network: Northern Luzon
Fiber Optic Network: Southern Luzon
Fiber Optic Network: Mindanao
COLLABORATION
Initial Targets
● Documents, Emails, Files, Content
● IT Configuration, Hashes, Passwords, Payment Card Data, Customer Data
● Medical Records
● Social Security Numbers
● Product Inventory, Financial Reports, Email Database
● Online Meetings
● Chats, Social Networking
http://www.csoonline.com/article/2961066/supply-chain-security/ubiquiti-networks-victim-of-39-million-social-engineering-attack.html
In its Form 8-K filings to the SEC the company stated it became aware on June 5th 2015 that it was the victim of a “criminal fraud”. It appears a member of staff in one of its subsidiary companies based in Hong Kong fell victim to what is known as a “CEO scam” or a “Business Email Compromise (BEC) attack”.
Collaboration Software & Services
INNOVATION stay ahead of the competition
ACCESSIBILITY & SECURITY keeping information safe
CONFIDENCE mitigate risk
ROI optimizes entire work force
IBM Smart Cloud & NOW Corporation
Collaboration Software & Services
IBM Smart Cloud & NOW Corporation
Secure Collaboration on Mobile
IBM Smart Cloud & NOW Corporation
The Value of Secure Collaboration
EMPOWER PEOPLE social collaboration
ENGAGE PEOPLE social analytics
TRUST PEOPLE collaboration beyond boundaries
EXTEND TECHNOLOGY integration with other platforms
IBM Smart Cloud & NOW Corporation
CRITICAL SECURITY CONTROLS
California’s information security statute requires businesses to use “reasonable security procedures and practices…to protect personal information from unauthorized access, destruction, use, modification, or disclosure.”
Recommendation #1
The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
by California Breach Report, February 2016 https://oag.ca.gov/breachreport2016
State of California: Reasonable Security
SYSTEM
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring and Analysis of Audit Logs
CSC 7: E-mail and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports
CSC 10: Data Recovery Capability
NETWORK
CSC 11: Secure Configurations for Network Devices
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 15: Wireless Access Control
APPLICATION
CSC 14: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
The 20 Critical Security Controls
The CIS Critical Security Controls, Enclave Security 2016
But earlier today, Bit9 told a source for KrebsOnSecurity that their corporate networks had been breached by a cyberattack. According to the source, Bit9 said they’d received reports that some customers had discovered malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9’s own encryption keys.
http://www.krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
An hour after being contacted by KrebsOnSecurity, Bit9 published a blog post acknowledging a break-in. The company said attackers managed to compromise some of Bit9’s systems that were not protected by the company’s own software. Once inside, the firm said, attackers were able to steal Bit9’s secret code-signing certificates
http://www.krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
“Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,” Bit9’s Patrick Morley wrote. “As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.”
http://www.krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
➔ Security whitelisting vendor, Bit9, was breached (2/2013)
➔ Breach due to the fact that they did not install controls on machines that were not in their inventories
➔ Attackers breached their network, compromising machines where they had not installed their whitelisting product
➔ As a result of the breach a code signing certificate was abused, and malicious code was signed with their certificate
http://www.krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/
Breach Case Study: Bit9
1. Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
2. If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.
3. Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.
4. Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the:
- Network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device.
5. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.
6. Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x deployment must be tied into the inventory data to determine authorized versus unauthorized systems.
7. Use client certificates to validate and authenticate systems prior to connecting to the private network.
The CIS Critical Security Controls, Enclave Security 2016
Solutions
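The reconciliation that steps 1, 2 and 6 above describe (active and passive discovery, DHCP server logging, and a comparison against the inventory so that 802.1x can tell authorized from unauthorized systems) can be seen end to end in a small script. The following is an added example written for this transcript; it is not code from the lecture, from NOW Corporation or from the CIS document. The DHCP log format (ISC dhcpd-style DHCPACK lines), the inventory CSV layout, and all addresses and names are constructed for the demonstration.

```python
"""Reconcile observed hosts against an authorized asset inventory (CSC 1).

Added example for the transcript above; not part of the lecture or the CIS
Controls. Inputs are constructed here so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed authorized inventory with the fields CSC 1 asks for:
# ip, machine name, purpose, owner, department, and the device MAC.
AUTHORIZED_INVENTORY = """\
10.0.1.10,fileserver01,file sharing,j.cruz,IT,aa:bb:cc:00:00:01
10.0.1.11,printer-2f,printing,m.reyes,Finance,aa:bb:cc:00:00:02
10.0.1.20,ws-dev-03,developer workstation,a.santos,Engineering,aa:bb:cc:00:00:03
10.0.1.30,hr-db01,HR database,l.garcia,HR,aa:bb:cc:00:00:04
"""

# Constructed DHCP server log lines (assumed ISC dhcpd-like syslog format).
DHCP_LOG = """\
Jun 23 09:01:02 dhcp dhcpd: DHCPACK on 10.0.1.20 to aa:bb:cc:00:00:03 (ws-dev-03) via eth0
Jun 23 09:02:15 dhcp dhcpd: DHCPACK on 10.0.1.57 to de:ad:be:ef:00:01 (android-7f2c) via eth0
Jun 23 09:03:44 dhcp dhcpd: DHCPACK on 10.0.1.11 to aa:bb:cc:00:00:02 via eth0
Jun 23 09:05:10 dhcp dhcpd: DHCPACK on 10.0.1.58 to de:ad:be:ef:00:02 (rogue-ap) via eth0
"""

# Constructed passive observations from a traffic sensor: (ip, mac).
# Hosts with static addresses never appear in DHCP logs, which is why
# CSC 1 asks for passive discovery as well.
PASSIVE_OBSERVATIONS = [
    ("10.0.1.12", "aa:bb:cc:00:00:01"),  # known device, unexpected address
    ("10.0.1.99", "de:ad:be:ef:00:03"),  # static address, never in DHCP
]

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    hostname: str
    purpose: str
    owner: str
    department: str


def load_inventory(text):
    """Parse the authorized inventory, keyed by lower-cased MAC address."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, host, purpose, owner, dept, mac = [f.strip() for f in line.split(",")]
        inventory[mac.lower()] = Asset(ip, mac.lower(), host, purpose, owner, dept)
    return inventory


def parse_dhcp_acks(log_text):
    """Return (ip, mac, hostname-or-empty) for every DHCPACK line."""
    acks = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            acks.append((m["ip"], m["mac"].lower(), m["host"] or ""))
    return acks


def reconcile(inventory, dhcp_acks, passive):
    """Classify observed devices against the inventory.

    'unknown'          observed MACs absent from the inventory: candidates for
                       an 802.1x deny or quarantine VLAN and an inventory review
    'address_mismatch' known MACs seen on an IP other than the recorded one
    'unseen'           inventory entries not observed at all (stale or offline)
    """
    observed = {}
    for ip, mac, _host in dhcp_acks:
        observed[mac] = ip
    for ip, mac in passive:
        observed.setdefault(mac, ip)

    unknown = sorted(mac for mac in observed if mac not in inventory)
    mismatch = sorted(mac for mac, ip in observed.items()
                      if mac in inventory and inventory[mac].ip != ip)
    unseen = sorted(mac for mac in inventory if mac not in observed)
    return {"unknown": unknown, "address_mismatch": mismatch, "unseen": unseen}


def run():
    """Build the report from the constructed inputs."""
    inventory = load_inventory(AUTHORIZED_INVENTORY)
    return reconcile(inventory, parse_dhcp_acks(DHCP_LOG), PASSIVE_OBSERVATIONS)


if __name__ == "__main__":
    for category, macs in run().items():
        print(f"{category}: {macs}")
```

The MAC address is used as the join key because DHCP leases change while the hardware address normally does not; in a real deployment the same reconciliation output would feed the 802.1x policy server so that the `unknown` list is denied or quarantined rather than merely reported.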
Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.
https://www.facebook.com/note.php?note_id=10151249208250766
We have found no evidence that Facebook user data was compromised. As part of our ongoing investigation, we are working continuously and closely with our own internal engineering teams, with security teams at other companies, and with law enforcement authorities to learn everything we can about the attack, and how to prevent similar incidents in the future.
https://www.facebook.com/note.php?note_id=10151249208250766
➔ Internal Facebook workstations compromised (1/2013)
➔ Breach was caused by an insecure version of Oracle Java running on internal workstations
➔ Developers visited a mobile developer website hosting an Oracle Java exploit
➔ Machines were patched & running up to date anti-malware, but were still exploited
➔ No data was reported as compromised in the breach. Believed to be the same exploit that affected Apple and Microsoft in the same time frame
https://www.facebook.com/note.php?note_id=10151249208250766
Breach Case Study: Facebook
1. Devise a list of authorized software and versions that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
2. Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
3. Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
4. Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment.
The CIS Critical Security Controls, Enclave Security 2016
Solutions
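Steps 1 and 2 above combine an authorized software list with file integrity checking and application whitelisting: a program may run only if it is on the list and its contents still match what was recorded. The script below is an added example for this transcript, not code from the lecture, from NOW Corporation, from IBM or from the CIS document. The file paths, the sample binary contents and the in-memory "filesystem" are constructed, and the decision labels (`allow`, `deny-unlisted`, `deny-modified`, `deny-missing`) are this example's own; a `deny-missing` result for a listed control agent is the kind of gap the Bit9 case study above turned on.

```python
"""Application whitelist check with file-integrity validation (CSC 2).

Added example for the transcript above; not part of the lecture or the CIS
Controls. The filesystem is a constructed in-memory dict so it runs offline.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents (the integrity value the list records)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executables.
GOOD_EDITOR = b"\x7fELF editor v2.1"
GOOD_SHELL = b"\x7fELF shell v5.0"
GOOD_AGENT = b"\x7fELF whitelisting agent v1.0"

# Authorized software list: path -> (version, expected sha256).
# Built here from the sample bytes; in practice it comes from the software
# inventory and must itself be protected from tampering.
WHITELIST = {
    "/usr/bin/editor": ("2.1", sha256_hex(GOOD_EDITOR)),
    "/bin/sh": ("5.0", sha256_hex(GOOD_SHELL)),
    "/opt/agent/bin/agent": ("1.0", sha256_hex(GOOD_AGENT)),
}

# Constructed view of one host's filesystem at check time.
FILESYSTEM = {
    "/usr/bin/editor": GOOD_EDITOR,                                  # intact
    "/bin/sh": b"\x7fELF shell v5.0 + injected payload",             # modified
    "/tmp/update.exe": b"MZ dropped by a drive-by download",          # unlisted
    # "/opt/agent/bin/agent" is listed but was never installed here.
}


def classify(path, filesystem=FILESYSTEM, whitelist=WHITELIST):
    """Decide whether `path` may execute on this host.

    Returns 'allow', 'deny-unlisted', 'deny-modified' or 'deny-missing'.
    Unlisted software is denied by default, which is what makes this a
    whitelist rather than a blacklist.
    """
    if path not in whitelist:
        return "deny-unlisted"
    data = filesystem.get(path)
    if data is None:
        return "deny-missing"
    _version, expected = whitelist[path]
    if sha256_hex(data) != expected:
        return "deny-modified"
    return "allow"


def integrity_report(filesystem=FILESYSTEM, whitelist=WHITELIST):
    """Run the check over every path that is listed or present on the host."""
    paths = sorted(set(filesystem) | set(whitelist))
    return {p: classify(p, filesystem, whitelist) for p in paths}


if __name__ == "__main__":
    for path, verdict in integrity_report().items():
        print(f"{verdict:14} {path}")
```

Reporting over the union of listed and present paths is deliberate: checking only what exists on disk would miss a control that is on the list but was never installed, while checking only the list would miss unlisted files that have appeared.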
COLD WAR ON CYBERSPACE
The Most Powerful GEO Spy Satellite is Chinese
http://www.popsci.com/gaofen-4-worlds-most-powerful-geo-spy-satellite-continues-chinas-great-leap-forward-into-space
Concentrated Footprint over the Philippines
Korea Satellite.
CYBERSECURITY: Connectivity, Collaboration & Critical Security Controls
THANK YOU!
Contact details: [email protected] https://ph.linkedin.com/in/mel-velarde-050b156 www.nownetwork.ph www.now-corp.com