Slide 1: Cyberspace and Cybersecurity Policy, Risks & Strategies
Introduction to organizational cybersecurity: vulnerabilities and risk mitigation strategies
Thomas P. Braun, Global Security & Architecture Section, DM/OICT
Core Diplomatic Training 2018, a collaboration between OICT, UN-OHRLLS, and UNITAR
Slide 2: <insert today’s headline>
Slide 3: Critical role of ICT
• Enabler to accomplish SDGs and deliver public services
  – E-governance
  – Education
  – Healthcare
  – Communications
  – Commerce
• Reliable infrastructure and trusted digital ecosystem
• Vulnerabilities, threats, threat actors, and risk mitigation
Slide 4
![Page 5: Cyberspace and Cybersecurity Policy, Risks & Strategies · Don’t fallfor phishing (and other) scams Keep systems updated Change passwords on home systems Organizational Risk based](https://reader030.vdocuments.us/reader030/viewer/2022040411/5ed9d7fc7e7c217e602e6465/html5/thumbnails/5.jpg)
Infected more than 230,000 computer systems in 150 countries
Caused approximately 225,000 customers in Ukraine to lose electrical power across various areas for a period from 1 to 6 hours.
• In the UK, up to 70,000 devices belonging to the National Health Service, including computers, MRI scanners, blood-storage refrigerators & theatre equipment, were affected.
5
Attacks on critical infrastructure (‘Wannacry’ / ‘NotPetya’)
Slide 6: Internet of Things
• “Mirai” botnet used to bring down sites like Twitter, the Guardian, Netflix, Reddit, CNN and many others
• 500,000 compromised devices involved in the attack
Slide 7: Web site defacements
Slide 8: Targeted attacks – “spear phishing”
• Highly personalized email messages: “from” members of the panel or Secretariat staff to other panel members, members of the committee, and external partners
• Highly relevant context, e.g. based on previous messages
• “Multi-stage attack”, i.e. attachments or links are not themselves malicious (secondary compromise)
Slide 9: Identity theft (because “that’s where the money is”)
Slide 10: Attack taxonomy (simplified)

| type | examples | goal | victim | target | method | stealthy |
|---|---|---|---|---|---|---|
| “Internet background noise” | “virus”, adware, malware, scareware | “fun” | user | desktops | email, drive-by download | no |
| cyber crime | malware, Trojan, keylogger, bot, RAT | profit | user, organization | desktops | email, drive-by download | yes |
| intelligence / espionage | malware, Trojan, keylogger, RAT | political | organization | desktops => internal systems | email, drive-by download | yes |
| “hacktivism” | DoS, defacement, data theft, sabotage | political (profit) | organization | applications / hosts | SQL injection, XSS, DDoS | no |
Slide 11
Organizations on average receive malware every three minutes
Slide 12: Spectre and Meltdown (2018)
Slide 13
Slide 14: Global challenge: Time to detect (and respond)
• 69% informed by third party
• “median of 205 days”
Slide 15: Evolution of Risks, Threats, and Responses
(Chart: Risk Level, Low to High, against Time, 2000 / 2005 / 2015)
Threats, in chronological order:
• Worms and Viruses
• Spyware, Phishing, and Organized, Embedded Attacks
• Advanced Persistent Threats; Application attacks and old attacks in new forms
Responses, in chronological order:
• Patches, Antivirus, Firewalls
• Increased layered defense, system and identity assurance
• Risk-based mitigation and adaptive response
• Intelligence driven detection and response
Slide 16: Types of actors, and their motivations
Source: Deloitte Cyber Threat Intelligence 2011
Slide 17
unite.un.org
Slide 18: Budapest Convention on Cybercrime (ETS No. 185)
Slide 19
Slide 20
Slide 21: Mitigation approaches
Individual
• Protect digital identities
• Don’t fall for phishing (and other) scams
• Keep systems updated
• Change passwords on home systems
Organizational
• Risk based approach
• Int’l best practices
• Baseline of technical controls
• Prevention + detection & response
• Focus on user awareness
Slide 22
… or don’t