sense of security best practice strategies to improve your enterprise security

www.senseofsecurity.com.au © Sense of Security 2013 – April 2013

Compliance, Protection & Business Confidence

Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia

Melbourne Level 10, 401 Docklands Drv Docklands VIC 3008 Australia

T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455

[email protected] www.senseofsecurity.com.au ABN: 14 098 237 908

Best practice strategies to

improve your enterprise

security

Murray Goldschmidt, Chief Operating Officer

April 2013

2nd Annual Australian Fraud Summit 2013


Agenda

1. Recent Security Breaches

2. Identifying & Understanding Security Risks

& Organisational Implications

3. Steps to mitigate risk of breaches & theft

.senseofsecurity.com.au © Sense of Security 2013 – April 2013

Increasing threat / consequence

Scope – increasing ability to exploit

Cyber Threat Actors




Cyber Threat Actors

Agenda Targets




Script Kiddies/Cyber Researchers

Experimentation, Fun, Testing

Cyber Threat Actors

Agenda Targets




Hacktivists

Disruption, Reputational Damage,Political/Social,



Cyber Threat Actors

Agenda Targets




Organised Crime

Financial gain, fraud, ID theft

Hacktivists




Cyber Threat Actors

Agenda Targets




Organised Crime


Professionals/Companies/Terrorists

Commercial advantage, Intellectual Property

Hacktivists




Cyber Threat Actors

Agenda Targets




Organised Crime


Professionals/Companies/Terrorists

Commercial advantage, Intellectual Property

Nation States

Economic, political or military advantage

Hacktivists




Cyber Threat Actors

Agenda Targets


Activity –But Not Yet Cyber War

http://www.economist.com/blogs/analects/2013/02/chinese-cyber-attacks


Hacktivist Attacks

http://www.bankinfosecurity.com/american-express-a-5645 http://www.scmagazine.com/market-for-ddos-prevention-to-hit-870-million/article/287020/


Advanced Persistent Threat


Target

org/person



Target

org/person

Malware

penetrates



Target

org/person

Malware

penetrates

Command &

Control



Target

org/person

Malware

penetrates

Command &

Control

Data harvest

& exfiltrate



RBA Falls Victim to Cyber Attack

http://www.afr.com/p/national/rba_confirms_cyber_attacks_ZsVpeJas8JX6UXCLwOVJKP

http://www.afr.com/p/national/rba_confirms_cyber_attacks_ZsVpeJas8JX6UXCLwOVJKP


Opportunistic Attack – Out of Business

http://www.zdnet.com/distribute-it-claims-evil-behind-hack-1339319324/















Identifying Security Risk

Materiality Risk

ASX Principle 7: “Recognise and Manage Risk”

• A risk profile informs the board and

management about material business risks,

relevant to company (financial and non-

financial) matters. Material business risks are

the most significant areas of uncertainty or

exposure at a whole of Company level that could

impact the achievement of organisational

objectives.

Applies also to non listed entities!


Small Business Also Affected

http://www.staysmartonline.gov.au/alert_service/advisories/ransomware_attacks_will_increase_in_2013

http://www.staysmartonline.gov.au/alert_service/advisories/ransomware_attacks_will_increase_in_2013


1 use application whitelisting to help prevent malicious software and

other unapproved programs from running

Just The Top 4 ….. At least 85% of the targeted cyber intrusions that Defence Signals Directorate (DSD) responds to

could be prevented by following the first four mitigation strategies listed in DSD’s 35 Strategies

to Mitigate Targeted Cyber Intrusions

2

3

4

patch applications such as PDF readers, Microsoft Office, Java, Flash

Player and web browsers

patch operating system vulnerabilities

minimise the number of users with administrative privileges

As of April 2013, the Top 4 Strategies to Mitigate Targeted Cyber Intrusions are mandatory for

Australian Government agencies.


Action Required

Corporations & Government are

generally becoming more aware to the

need for improved governance and

infosec capability


Protect Your Data

http://www.theaustralian.com.au/news/nation/personal-details-of-50000-people-exposed-as-abc-website-hacked/story-e6frg6nf-1226586895264


























Protect Your Data

http://www.dailyfinance.com/2012/06/08/youve-been-hacked-again-why-linkedins-breach-is-worse-tha/





















Email

Know Your Data

There is no network perimeter. Your data is everywhere.

Mobile Devices

Corporate/Home Networks

Databases/File Servers

Cloud Services


Data Centric, Not System Centric


Availability

Fundamentals Still Count

the security controls used to protect data, and the

communication channel designed to access it must be functioning

correctly

Integrity data integrity means maintaining and assuring the accuracy and

consistency of data over its entire life-cycle

Confidentiality preventing the disclosure of information to unauthorised

individuals or systems


Defence-in-Depth

A solid Information Security capability

requires resilience through defence-in-

depth, sound fundamentals,

accountability by executives and the

ability to comply with

regulations/legislation.


Regulation & Legislation

Government

Privacy Act

Australian Government - Information Security Manual (ISM),

Protective Security Policy Framework (PSPF)

State Government Standards, e.g. NSW Government Digital

Information Security Policy based on ISO 27001

Industry Australian Prudential Regulatory Authority (PPG-234)

PCI Security Standards Council (PCI Data Security Standard – PCI DSS)


Self Examination

What type of data do you have and is it classified?

Whose owns it?

Where does it reside (data sovereignty)?

How is it accessed and by whom?

What are your future technology objectives (BYOD, Cloud,

Mobility…)

Are there third parties suppliers involved?

What are your compliance obligations?

Do you a current/effective security governance capability?

How would you respond in case of an incident?


Information Security Governance

Incorporate an industry recognised system of governance

(e.g. ISO 27001 - Information Security Management System)

Domains

Information Security Management: Security Policy & Organisation

Asset Management

Human Resource Security

Physical & Environmental Security

Communications & Operations Management

Access Control

Information Systems Acquisition, Development & Maintenance

Information Security Incident Management

Business Continuity Management

Compliance


Management & Technical Standards

Management standards and technical controls need to be

defined and enforced.

Management Practice Area

Change Management Incident & Event Management

Patch Management Disaster Recovery & Business Continuity

Management

Configuration Management Security Awareness Management

Vulnerability Management Physical Security

Threat Management Application Management

Access Control Management 3rd Party Management


Technical Assurance

Vulnerability Management Program

SDLC Governance, Static Code Analysis

Configuration Management / Hardening

Enterprise Security Architecture

Testing of technology assets and social engineering

threat assessments

External/Internal penetration testing (ethical hacking)

on networks and applications


Questions?

Thank you

Head office is level 8, 66 King Street, Sydney, NSW 2000,

Australia. Owner of trademark and all copyright is Sense of

Security Pty Ltd. Neither text or images can be reproduced

without written permission.

T: 1300 922 923

[email protected]

www.senseofsecurity.com.au

sense of security best practice strategies to improve your enterprise security

Technology