Integrating the Information Security Awareness in Critical Infrastructure Firms
Source: …css.escwa.org.lb/ictd/3518/s4-2-elharras.pdf
TRANSCRIPT
EGYPT - National Telecom Regulatory Authority
Mohamed ElHarras, CIIP Strategies and Policies Executive Director
Agenda
The Connectivity Dissemination.
Current / Proposed Defense Models.
The Critical Infrastructure Information (CII).
The Importance of Awareness.
Case Study: Mobile Operators.
Q&A
National Telecom Regulatory Authority - EGYPT
The Dissolve of Political Borders
The Internet has made it possible to connect to (hence access, or attempt to access) any computing device, on or off the net.
The Consequences
The threat of pervasive and ubiquitous computing, while attack tools become more available, packaged for non-technical people.
The Current Defense Model
With that large number of connections, it will not be feasible (or possible) to extend effective defense down to the individual citizen level.
Government responsibility: cyber warfare, cyber terrorism.
Private sector responsibility: industrial espionage, cyber crime.
As Per this Model
The cyber security staff is the focal point to handle:
Detection.
Reaction.
Correction.
Prevention.
The current model requires:
An on-going increase in the number of specialized staff.
The associated increasing costs.
And it still does not cover all possible weak points.
Balancing the Model
Push the line of defense out to non-specialized individuals.
Rely more on the human element to help detect basic threats / anomalies at an early stage.
The Individual is the First Line of Defense.
We need to build their capacity for self-defense.
Selecting the Points of Defense
Massive impact.
Quick win.
Fast deployment.
Minimum cost.
On-going.
The Critical Infrastructure Sectors
Affects large sectors of the society, or the ability of the government to perform its function.
Usually owned or operated by the private sector.
Each CI sector affects other sectors in a domino-effect model.
The list of CI sectors includes: Government services, Financial services, Telecommunication, Energy, Transportation, Health services, etc.
Case Study: Mobile Telecoms
The Telecom Critical Information Infrastructure
Pervasive and ubiquitous information on:
Call details: social patterns and relations, etc.
Location details: movement patterns, spontaneous location check, etc.
Live call (on air).
Network architecture layout (BTS, BSC, MSC, etc.).
Network coverage plans.
Network security measures (on-air, core network, etc.).
Affects the majority of the society, and the sectors that depend on telecom: Finance, Media, Emergency Service, Health, Energy / Transportation, etc.
The Telecom in the Arab Countries
[Chart: Mobile penetration in the Middle East, per-country bars for Connections (m.), Population (m.) and Unique subscribers (m.). Source: GSMA Report, 2014]
How to Measure Awareness
Checklist auditing approach.
The questionnaire approach.
Interviews: sample staff.
Observation: staff / processes.
Focus group: representing business areas.
Case study (usually after incidents).
Common Corporate Perception of Security
Top management: "security is necessary, but to the minimum required by law".
Employees: computer security is an obstacle to productivity. A common feeling is that "we are paid to produce, not to protect" or "security is not on my objectives list".
Security Knowledge Matrix

              Awareness                              Training                                  Education
Level         Information                            Knowledge                                 Insight
Objective     Recognition                            Skill                                     Understanding
Channel       Media                                  Practical instruction                     Theoretical instruction
Example       Video, newsletter, poster, giveaways   Lectures, case study, hands-on practice   Seminars, essays
Test method   True/False, MCQ                        Problem solving                           Essay
Attribute     "What"                                 "How"                                     "Why"

Source: NIST 800
Security Awareness Program Life Cycle
Measure: snapshot of the current status.
Planning: timeframe, objectives, audience, depth, channels, cost, team / materials, KPIs.
Get commitment: top management, HR, CS, Sales, etc.
Execute: through different channels; embed in objectives.
Measure: change in behavior; consider feedback; improve the program.
Change in staff behavior is the best result we can get.
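The two Measure steps of the life cycle (a snapshot of the current status, then the change in behavior after execution) need a concrete way to score awareness quizzes per audience and check the results against KPIs. The script below is an added example written for this page, not code from the original slides or from the NTRA; the quiz questions, audiences, respondents, report counts and the thresholds (target score 0.9, minimum gain 0.1) are all constructed for illustration. It scores True/False and MCQ items, the test methods the Security Knowledge Matrix assigns to the awareness level, compares a baseline snapshot with a post-campaign snapshot, and reports a behavior KPI (reports of suspicious contacts per 100 staff) beside the quiz scores.

```python
"""Awareness-program measurement helper (added example, not from the slides).

Scores True/False and MCQ quiz answers per audience, compares a baseline
snapshot with a post-campaign snapshot, flags audiences that miss a KPI,
and computes a behaviour KPI. All names, thresholds and responses below
are constructed for illustration.
"""
from collections import defaultdict

# Constructed answer key: question id -> correct answer (MCQ letter or bool).
ANSWER_KEY = {"q1": "B", "q2": True, "q3": "A", "q4": False}

# Constructed quiz responses: (audience, respondent id, {question: answer}).
BASELINE_RESPONSES = [
    ("customer_care", "cc01", {"q1": "B", "q2": True, "q3": "A", "q4": False}),
    ("customer_care", "cc02", {"q1": "A", "q2": True, "q3": "C", "q4": False}),
    ("sales", "s01", {"q1": "B", "q2": False, "q3": "A", "q4": True}),
    ("sales", "s02", {"q1": "C", "q2": False, "q3": "B", "q4": False}),
    ("technical_support", "ts01", {"q1": "B", "q2": True, "q3": "A", "q4": False}),
    ("technical_support", "ts02", {"q1": "B", "q2": False, "q3": "B", "q4": False}),
]
POST_RESPONSES = [
    ("customer_care", "cc01", {"q1": "B", "q2": True, "q3": "A", "q4": False}),
    ("customer_care", "cc02", {"q1": "B", "q2": True, "q3": "A", "q4": True}),
    ("sales", "s01", {"q1": "B", "q2": True, "q3": "A", "q4": False}),
    ("sales", "s02", {"q1": "B", "q2": False, "q3": "A", "q4": False}),
    ("technical_support", "ts01", {"q1": "B", "q2": True, "q3": "C", "q4": False}),
    ("technical_support", "ts02", {"q1": "B", "q2": True, "q3": "C", "q4": False}),
    # Marketing was added to the program after the baseline snapshot.
    ("marketing", "m01", {"q1": "A", "q2": True, "q3": "A", "q4": False}),
]


def score_response(answers, key=ANSWER_KEY):
    """Fraction of questions answered correctly (0.0 .. 1.0); unanswered counts as wrong."""
    correct = sum(1 for q, expected in key.items() if answers.get(q) == expected)
    return correct / len(key)


def audience_scores(responses, key=ANSWER_KEY):
    """Mean quiz score per audience."""
    by_audience = defaultdict(list)
    for audience, _respondent, answers in responses:
        by_audience[audience].append(score_response(answers, key))
    return {a: sum(s) / len(s) for a, s in by_audience.items()}


def kpi_report(baseline, post, target=0.9, min_gain=0.1):
    """Compare two snapshots per audience.

    An audience 'meets' the KPI if its post-campaign score reaches `target`
    or it improved by at least `min_gain`; otherwise it is 'below'.
    Audiences missing from one snapshot are reported as 'no baseline' or
    'no post data' instead of being silently dropped.
    """
    report = {}
    for audience in sorted(set(baseline) | set(post)):
        b, p = baseline.get(audience), post.get(audience)
        if b is None:
            report[audience] = {"status": "no baseline", "post": p}
        elif p is None:
            report[audience] = {"status": "no post data", "baseline": b}
        else:
            gain = p - b
            status = "meets" if (p >= target or gain >= min_gain) else "below"
            report[audience] = {"baseline": b, "post": p, "gain": gain, "status": status}
    return report


def behavior_change(baseline_reports, post_reports, headcount):
    """Behaviour KPI: suspicious-contact reports per 100 staff, before and after."""
    rate_b = baseline_reports * 100 / headcount
    rate_p = post_reports * 100 / headcount
    return {"baseline_per_100": rate_b, "post_per_100": rate_p, "delta": rate_p - rate_b}


if __name__ == "__main__":
    base = audience_scores(BASELINE_RESPONSES)
    after = audience_scores(POST_RESPONSES)
    for audience, row in kpi_report(base, after).items():
        print(audience, row)
    # Constructed counts: 3 reports before and 12 after, for 240 staff.
    print(behavior_change(3, 12, 240))
```

Running the script prints one row per audience. The 'no baseline' status matters in practice: an audience added after the baseline snapshot (Marketing here) cannot yet show a change in behavior and should be re-measured in the next cycle rather than counted as improved. Technical support scores the same before and after, so it is flagged 'below' even though customer care, with a lower post score, passes on its gain.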
Message Delivery
Gathering points: firm restaurants; banners by access points (doors / elevator); stickers by electronic gates.
Internal communications: newsletter; company briefing meetings; monthly message from the CEO.
Interaction with company systems: screen savers; screen wallpapers; logon message; daily tips; quick quiz; computer-based training.
Background Work
Human Resources: incorporate security awareness into job responsibilities where applicable.
Proportionately add security awareness to the employee appraisal system.
Prepare the rewarding system for program heroes.
Review materials for message correctness and balance.
Legal / Regulatory: add relevant laws / regulations to the awareness program.
Highlight law penalties in case of violations.
Add other related issues (e.g. fraud, corruption, etc.).
Give examples from the legal arena.
Common Pitfalls
Not fitting the environment.
Inadequate planning.
Not addressing applicable legal / regulatory requirements.
No motivation for staff.
Budget mismanagement or inadequate budget.
No leadership support.
Information overload.
Not sharing experience.
Not evaluating the effectiveness of training.
The Impact of Social Engineering
Psychological manipulation of people into taking an action or divulging confidential information.
Most common in people-facing functions (e.g. customer care agents, technical support, marketing).
Best techniques:
The familiar customer: normal to be there, so the CC agent lowers their self-defense.
The angry customer: angry at someone else rather than the target CC agent.
The knowledgeable customer: a customer equipped with the necessary information about the company.
How to fight? Training: listen to customer calls, give examples. Prepare scripts to handle social engineering situations. Stick to the process. Train for non-verbal communications.
Data Leak - Crafted Attacks
Exploits zero-day / undocumented vulnerabilities.
Involves highly skilled preparation and know-how.
Aims at obtaining the information that gives the company its "commercial advantage".
Targets individual functions, typically the C level, the R&D and the Marketing departments.
How to fight? Awareness program for the company executives. Proportionate technical measures (e.g. encrypt data, secure email, stringent email rules, etc.). Internal / external stakeholder involvement.
Channels of Communications
[Image: collage of communication channels. Source: multiple internet sites]
Model Benefits (strategic, organizational and individual)
Massive capacity builder.
Awareness is a take-home skill.
Lower cost per individual compared to building a large specialized technical force.
Filters false positives.
Off-loads specialized staff to more serious threats.
Early detection of some threats.
Key References
2013 US State of Cybercrime Survey.
PwC, "The Global State of Information Security Survey 2014".
Homeland Security Cyber Security Publications: http://www.dhs.gov/cybersecurity-publications
Homeland Security Critical Infrastructure Security: http://www.dhs.gov/topic/critical-infrastructure-security
ENISA (The European Union Agency for Network and Information Security), publications.
GSMA, "The Mobile Economy 2014 Report, The Arab States", https://gsmaintelligence.com/research/
The International Society of Security Awareness Professionals, http://www.iasapgroup.org/
Rebecca Herold, "Managing an Information Security and Privacy Awareness and Training Program", CRC, 2011.