TRANSCRIPT: Lex-Informatica Cybercrime
Manuel Corregedor
Source: lex-informatica.org/wp-content/uploads/2014/10/lex...
WHY THE NAME WOLFPACK?
AGENDA
1. Cyber Threat Landscape
2. Cyber Security Guidance for local organisations
3. Opportunities for Collaboration
THE EVOLVING CYBER THREAT LANDSCAPE
1990's: Hackers
• Website Defacements
• Hacker Groups seeking notoriety
= Irritation
2000 - 2010: Criminals
• Spam, Phishing, Scams & Heists
• Organised Crime – Financial Motive
= High Concern
Today: Activist / State
• Damaging Breaches
• Infiltrate, Disclose, Control or Destroy Motive
= Major Risk
CYBER RISK IS NOW A MAJOR PRIORITY!
• Cybercrime is a global problem costing the economy billions of Dollars annually
• Large scale cyber espionage programmes, IP theft & privacy concerns
• Governments in Africa have underestimated the challenge of implementing national cyber security initiatives
THE EUROPEAN COMMISSION
Security: a societal challenge
It concerns the protection of citizens, society and economy as well as Europe's assets, infrastructures and services, its prosperity, political stability and well-being.
Any malfunction or disruption, intentional or accidental, can have a detrimental impact with high associated economic or societal costs.
Eurobarometer: 50% of the EU citizens are worried (percentage increasing)
Cyber security has become part of "Securing Societies"
Challenges:
- How to assess the threats in cyber-space and their possible scope?
- How to best tackle cyber-threats and protect citizens in the digital domain?
Cyber Security is an issue that can only be tackled effectively if all stakeholders cooperate: companies and authorities must work together across borders.
Many infrastructures and services operated in Europe are privately owned, yet protection of the public (safety and security) is seen as the responsibility of public authorities.
WHAT IS CYBERSECURITY?
The state of being protected against the criminal or unauthorised use of electronic data, or the measures taken to achieve this. (Oxford Dictionary)
Cybersecurity is the practice of making the networks that constitute cyberspace secure against intrusions, maintaining confidentiality, availability and integrity of information, detecting intrusions and incidents that do occur, and responding to and recovering from them. (SA NCPF)
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. (ITU)
The process of protecting information by preventing, detecting, and responding to attacks. (NIST Cybersecurity Framework)
The preservation of confidentiality, integrity and availability of information in Cyberspace (ISO 27032 - Guidelines for Cybersecurity)
Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries. (Gartner)
WHAT IS CYBERSPACE?
Cyberspace means a physical and non-physical terrain created by and/or composed of some or all of the following: computers, computer systems, networks, and their computer programs, computer data, content data, traffic data, and users (SA NCPF)
The complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form (ISO 27032 - Guidelines for Cybersecurity)
Cyberspace belongs to no one but has key stakeholders including:
• End Users
• Private and Public organisations
• Internet Service Providers (ISP)
• Government – Regulators and enforcement
(Kenya Cyber Security Report 2014)
INFORMATION & CYBER SECURITY DEFINED
MOTIVATIONS BEHIND ATTACKS
Source: http://hackmageddon.com/
STATISTICS IN SOUTH AFRICA
• In 2013, South Africans lost over R2.2 billion according to the South African Banking Risk Information Centre (SABRIC)
• Cybercrime is costing South Africa over R5.8 billion each year (McAfee)
• According to Norton cybercrime is costing South Africa R3,42 billion
THE INTERNET ECONOMY
Studies estimate that the Internet economy generates between $2 trillion and $3 trillion per annum, a share of the global economy that is expected to grow rapidly.
HOW MUCH IS A TRILLION DOLLARS?
The gross domestic product (GDP) is one of the primary indicators used to gauge the health of a country's economy. It represents the total dollar value of all goods and services produced over a specific time period.
SUB-SAHARAN AFRICA
What is the Combined GDP of Africa + Middle East? US$3,082 Trillion
What is the Combined GDP of all SSA countries? US$1,592 Trillion
THE UNDERGROUND INTERNET ECONOMY
A June 2014 report from the Center for Strategic and International Studies (CSIS) calculates the cost of cybercrime at between 15% and 20% per annum of the value created by the Internet – around US$400 billion.
Enterprise Risk Management
Lloyds 2013 Risk Index
CRITICAL INFORMATION INFRASTRUCTURE PROTECTION
Critical infrastructure consists of interconnected & interdependent systems (many ICT based). Any disruption of these systems may cause a massive impact upon society / populations at a national or regional level.
Development of an integrated decision support system for large crisis events involving Critical Infrastructures (KRITIS)
THREAT SOURCES
WHO ARE THE ATTACKERS? MOTIVATIONS & TACTICS
VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT
A FEW INTERESTING TOOLS OF THE TRADE
PENETRATION VS DETECTION
MINIMAL TIME TO COMPROMISE, BUT A LONG TIME TO DISCOVERY
• IN 66% OF CASES, THE BREACH WASN'T DISCOVERED FOR MONTHS OR EVEN YEARS.
WHO DISCOVERED THE BREACH?
• (percentage shown in figure) OF BREACHES WERE SPOTTED BY AN EXTERNAL PARTY.
• (percentage shown in figure) OF BREACHES WERE DISCOVERED BY CUSTOMERS.
NOTIFICATION
SA CYBER SECURITY GAP ANALYSIS – ARE WE MOVING or ?
COUNTRY THREAT INTELLIGENCE REVIEW
SOUTH AFRICA – COUNTRY STATISTICS
POPULATION: 52 Million
GDP: US$350 Billion
INTERNET USERS: 14 Million
CORRUPTION SCORE: 42/100 (scores range from 0 (highly corrupt) to 100 (very clean))
ISO 27001 CERTIFICATIONS: <20
COUNTRY THREAT INTELLIGENCE RATING
South Africa, rated on: Overall Risk Rating | National Cyber Security Policy | Cyber Criminal Legislation | National CSIRT / CERT | Privacy or Breach Notification Law (ratings shown by colour in figure)
SCALE RATING
High Risk - None
Medium Risk - Partial
Low Risk - Implemented
HOST EXPLOIT SCORE SOUTH AFRICA
HostExploit Rating – 43.1 out of 1000 (lower score = fewer vulnerabilities)
Global HE Rank – 80 of 219 countries
Spam – 44.5: Unsolicited junk mail. Typically sent out indiscriminately on a mass scale, but increasingly targeted towards a specific audience.
Malware – 21.8: Software with malicious intent. Usually designed to steal sensitive information for financial gain, but also can be primarily destructive. Including viruses, trojans, rootkits, worms and spyware.
Badware – 31.3: Software that fundamentally disregards a user's choice regarding how their computer will be used. Including spyware and adware.
Botnets – 0.3: Collections of computers running a (typically) unwanted program as a zombie, controlled by a "command & control" server, used to attack other computers or to harvest sensitive information. Generally used for financial gain, although increasingly used for political purposes.
Phishing – 105.2: Fraudulent emails that appear to be from a trusted source and trick users into entering personal information.
Data Breaches – No data
Cybercrime Hubs – 1.7: Servers or networks that support or control the spreading of malicious software or exploits.
Current Events – 48.4: A blend of the most up-to-date attack variants and zero-day exploits. Currently includes attack vectors such as MALfi (XSS/RCE/RFI/LFI), click jacking, rogue pharmas, Koobface and others.
* The HE Index represents how vulnerable a country is to cyber threats, on a scale from 0 (no vulnerabilities detected) to 1000 (maximum vulnerabilities). It is a quantitative metric, representing the concentration of malicious activity served from an Autonomous System.
419 Scams
• AKA Nigerian Advance Fee Fraud
• Confidence Trick
• Email, Fax, SMS, phishing sites (fake sites)
• Invitations to countries
Example 419 Scam
Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-ice-419.pdf
Increased Support Structures
What’s happening in South Africa?
• Massive influx of Cameroonian scams
• Sitting locally, targeting the Far and Middle East businesses in export scams
• Advertising R300k vehicles
• Spoof legitimate businesses in ZA, using their tax and company numbers
• OLX, JunkMail and WozaOnline
Example 419 Site
Why is it out of control?
• Automated toolkits
• Easy to register domains using fake information
• Take down procedures
• Resources/skills
GAP ANALYSIS - SUMMARY OF NATIONAL ISSUES
• Critical Information Infrastructure Protection
• Technical skills shortage & capacity issues
• No national awareness programme
• Weak fraud detection mechanisms
• No National CSIRT
• Minimal cross-industry collaboration
• Improved / streamlined reporting processes needed
• Smaller cases neglected – easy victims
• Lack of quantitative cybercrime figures
• Cyber laws need updating / implementing
• Dilution of cybercrime cases with common law
(Figure labels: PROSECUTE | PREVENT | DETECT | INVESTIGATE; CYBER SECURITY (SSA / DOC); CYBERCRIME (SAPS / NPA))
2 CYBER SECURITY GUIDANCE FOR LOCAL COMPANIES
WHERE DID THE MISSING SQUARE GO?
THREAT RADAR
SELECT RELEVANT GRC STANDARDS, FRAMEWORKS AND BEST PRACTICE – ADAPT TO YOUR ENVIRONMENT
• KING III
• COBIT 5.0
• ISO 27001/2
• SANS 20 Critical Controls | OWASP
• Protection of Personal Information (POPI) Act
• Other IT related laws
(Figure labels: Privacy; Information & Cyber Security; Information & IT Governance; Information Risk)
INFORMATION RISK MANAGEMENT FRAMEWORK
BUSINESS (Strategic – What): Business Objectives; Corporate Governance; Enterprise Risk Management; Enterprise Architecture; Legal / Compliance; Assurance Functions (HR / Audit / Security / BCM / Fraud)
GOVERNANCE: Executive Board Committee; IS Steering Committee; Programme / Project Office Committee; Change Management Committee; Procurement / Supplier Management; HR / Communications / Training; IT Governance Council; Performance Metrics & Incentives; Enterprise Risk Committee; Compliance Committee
INFORMATION RISK MANAGEMENT (Tactical – How): IS / IT Governance; Policy & Reporting; Information Risk Management; Threat & Vulnerability Management; Information Compliance Management; Human Resource Management; Programme Management; IS Performance Measurement; IT Risk Monitoring; Identity & Access Management; IS Incident Management; Training & Awareness
IT & OPERATIONS MANAGEMENT (Monitor interdependencies): IT Operations; Infrastructure Security; Capacity Management; Change Management; Application Security; IT Service Continuity Management; Release Management; Configuration Management; IT Vulnerability Management; Service Desk; HR Processes; Information & Asset Management; Third Party Management; IT Incident Management; Performance Management; Facilities Management; Problem Management; Event Management; Physical Security; Systems Management; Service Level Management
HOW TO GET THERE?
#1 PREDICT - INTEGRATE CYBER THREAT INTELLIGENCE
• AUS Top 35 Strategies
• Cyber Essentials Scheme
• Wolfpack Cyber Threat Reports
• Kaspersky FCI 2013
• Symantec – State of Financial Trojans
• Verizon Data Breach Report 2014
#1 PREDICT - IDENTIFY THREAT PATTERNS RELEVANT TO YOUR SECTOR
THREAT INTELLIGENCE
• Prevent / Deter
• Detect
RESILIENCE
• Respond
• Recover
#1 PREDICT - ADOPT A MORE INTEGRATED APPROACH
Governance / Risk / Compliance / IT / Infosec / Audit
PS - TRADITIONAL RISK + AUDIT AREAS WILL NEED TO ADAPT. INFORMATION & CYBER SECURITY DOMAINS WILL EXPAND.
# 2 ASSESS: INDUSTRY CYBER SECURITY FRAMEWORK
STRATEGIC / EXECUTIVE | SPECIALIST / OPERATIONAL | TACTICAL / MANAGEMENT
# 2 ASSESS: GLOBAL SURVEY / GROUP REPORT
# 3 IMPROVE: PLAN TO DEVELOP IN-HOUSE CAPABILITY
Vulnerability assessments / source code reviews etc. are now required more often… develop in-house capability & outsource the hard stuff
# 3 IMPROVE: DEVELOP A ROBUST INCIDENT MANAGEMENT CAPABILITY
Entrenched practices within the organisation
• ISO 27035:2011
• ISO 27002:2013
• Cobit 5.0 / ITIL 3.0
• FIRST.org
# 3 IMPROVE: SKILLS - NATIONAL RESOURCE CHALLENGES
MIND THE (SKILLS) GAP:
• Rapid advances in technology & cyber threats driving global demand for skills
• Increased compliance universe
• High pressure work environment = less time for talent management
• Limited local training providers = fragmented training options
• Difficult to find correct balance of technical & business skills
• Shortage of capable graduates entering the field
• The industry is still largely untransformed
DESIRED SITUATION – ESTABLISHMENT OF NATIONAL / INDUSTRY SKILLS DEVELOPMENT CAPABILITIES
(Figure labels: Intermediate; Assess)
NATIONAL / INDUSTRY ACADEMY APPROACH
LESSONS LEARNT - WOLFPACK ACADEMY
Levels: Attract → Baseline → Technical → Management → Elite
Requirements: Programme Entry → Minimum skills → Specialist skills → Expert skills
Skills assessment
Step 1: Understand Requirements | Step 2: Assess Skills - Gap Analysis | Step 3: Design Curriculum | Step 4: Implement Training
STEP 1: UNDERSTAND REQUIREMENTS / CLASSIFY EMPLOYEES
National Initiative for Cybersecurity Education (NICE):
• Organises cybersecurity into seven high-level categories, each comprising several specialty areas.
• Based on extensive job analysis and groups together work and workers that share common major functions, regardless of actual job titles or other occupational terms.
STEP 2: PERFORM SKILLS GAP ANALYSIS
Competency Assessment | Technical Assessment | Skills Gaps Analysis
STEP 3: DESIGN CURRICULA
Learning Management System | Integrated Secure Assessment & Learning Platform
Curriculum areas: TECHNICAL SKILLS | COMMUNICATION SKILLS | BUSINESS ACUMEN | CONSULTING SKILLS | BEHAVIOUR & ATTITUDE
• Presentation Skills
• Report Writing
• Content Delivery
• Personal Effectiveness
• Negotiation Skills
• Teamwork
• Decision Making
• Interpersonal Skills
• Time Management
• Trusted Advisor
• Research
• Programme & Project Management
• Drive to succeed
• Ethics & Integrity
• Accountability
• Self-development
• Adaptability
• Information Risk, Governance & Compliance
• Information & Cyber Security
• Security Operations
• Incident Management
• Awareness
• Forensics
STEP 4: CONDUCT TRAINING
CASE STUDY: INFORMATION RISK FOUNDATION PROGRAMME
Step 1: Classify Employees | Step 2: Perform Skills Gap Analysis | Step 3: Design Curriculum | Step 4: Conduct Training
• Classification: Graduates or passionate individuals <29 years
• Skills Gap: The Shortage of Information Risk Professionals
3 OPPORTUNITIES FOR COLLABORATION
COMMUNITY INITIATIVES
AWARENESS
STRATEGY CONTENT
• GRC RATIONALISATION AND ALIGNMENT
• POLICY ALIGNMENT
• HUMAN VULNERABILITY ASSESSMENTS
• EXECUTIVE CYBER VULNERABILITY ASSESSMENTS
• GREY WOLF ASSESSMENT AND LEARNING PLATFORM
• STRATEGIC AWARENESS PROGRAMME (SAP)
• ANIMATED VIDEO SERIES: 5 PRIVACY / 7 INFORMATION SECURITY / CUSTOM
• POSTERS / CARTOONS
• EASY POLICY COMMUNICATOR
• CYBERCRIME SURVIVAL GUIDE & COURSE
• INTERACTIVE AWARENESS SESSIONS
• TRAINING & SIMULATIONS
WHAT ARE YOU DOING FOR OCTOBER SECURITY AWARENESS MONTH?
CYBERSHIELD COMMUNITY MAGAZINE
Cybershield is a quarterly digital magazine for the African information security community. It is packed with high quality articles across 10 sections sourced from both local & international subject matter experts. This is provided as a free resource to help improve awareness of threats facing the continent. With permission from our clients we also include relevant articles from our research work in the magazine.
http://www.wolfpackrisk.com/magazine/
CYBERCON AFRICA 2014
http://www.cyberconafrica.org
CYBER PACK - COMMUNITY TASK TEAMS
DESIRED OUTCOME – A SAFER (SOUTH) AFRICA
REACTIVE (Preserving stakeholder value): Data Breaches | Damage to Reputation | Increased Attacks
PROACTIVE (Creating stakeholder value): World Class Skills | Reduced Crime & Corruption | Safer Society
Wolfpack Information Risk (Pty) Ltd
+27 11 794 [email protected]
Research | Training | Awareness | Advisory | Talent