The Importance of Cyber Resilience and RESILIA™ Best Practice (slides). Maggie Kneller FBCS CITP MBA, BCS Bristol Branch: 26th January 2016. RESILIA™ is a registered trademark of AXELOS Limited.

Page 1: The Importance of Cyber Resilience - BCS Bristol

Maggie Kneller FBCS CITP MBA

BCS Bristol Branch: 26th January 2016

The Importance of Cyber Resilience

And RESILIA™ Best Practice

RESILIA™ is a registered trademark of AXELOS Limited

Page 2: Topics

Why does Cyber Resilience Matter?

Common Threats and Methods of Attack

Security Risks and Effective Controls

Managing Cyber Resilience and the CR Lifecycle

RESILIA™ Best Practice

Page 3: “Cyber Resilience”

[Diagram relating the terms Computer Security, Information Security, Cyber Security and Cyber Resilience]

Page 4: Why does Cyber Resilience matter?

Security breaches are reported in the press daily

The number and scale of breaches continues to increase year on year

Large and small organizations, in every industry, are affected

Security breaches impact many millions of end customers

Losses typically run into millions of $£€¥

CEOs and CIOs have been forced to resign

A 2015 UK government survey found that 90% of large organisations had suffered a security breach during the past year.

This suggests such incidents are a near certainty.

Research shows that organisations are extremely likely to suffer at least one information security breach in any 24 month period.

If you think you’ve never been breached then you probably aren’t monitoring well enough to know!

Source: Information Security Breaches Survey: HM Government 2015

Page 5: Causes and Costs

Malicious attacks are the most frequent cause:

Causes of Data Breaches
  Malicious Attacks    49%
  Human Error          28%
  System Glitches      23%

Malicious attacks are the most costly:

Cost per Record Lost or Compromised
  Malicious Attacks    £123
  Employee Error       £92
  System Glitches      £90

Source: IBM / Ponemon Institute Cost of Data Breach Study UK 2015

Page 6: Common Threat Sources & Methods

Malicious / Intentional Acts:

Cyber Crime
Serious & organised crime
Motivated by financial reward, directly or indirectly
Can be internal or external to the organisation

Cyber Hacktivism
Hackers and activists, usually motivated by a cause or belief
To achieve a range of outcomes - publicity, revenge, etc.

Cyber Espionage
Nation states, usually motivated to gain strategic or economic advantage in trade, diplomacy or through warfare

Based on AXELOS (RESILIA™) material.

Page 7: Examples - External Attacks

Sony Pictures (Nov 2014) - suffered a major attack from the hacker group ‘Guardians of Peace’ - staff personal data and corporate correspondence were leaked, plus unreleased films. Evidence suggests the hack had been occurring for over a year, and the hackers claimed to have taken over 100 terabytes of data from Sony.

eBay (2014) - Hackers stole personal records of 233 million users, including usernames, passwords, phone numbers and addresses. The Syrian Electronic Army claimed responsibility, as a hacktivist operation.

P.F. Chang’s restaurant chain (2014) - POS machines were hacked, compromising customer payment information, and thousands of stolen credit and debit cards that had been used at Chang’s locations went up for sale online. The stolen records were sold for between $18 and $140 each.

Feedly (2014) - Two DDoS attack waves brought down their service for 2 days, with the attacker attempting to extort money from Feedly in exchange for ending the attacks.

Domino’s Pizza (2014) - Hacking group Rex Mundi held them to ransom over 600,000 Belgian and French customer records. They demanded $40,000 from Domino’s in exchange for personal data including names, addresses, emails and phone numbers. It is not clear whether Domino’s complied with the ransom demands.

JP Morgan Chase & Co (2014) - suffered an attack compromising information of 76 million households and 7 million small businesses. The breach included customer names, addresses, phone numbers and email information.

Home Depot (2015) - cyberthieves stole 60 million credit card numbers, and the attacks went on for 5 months before being discovered.

Page 8: Examples - Internal Attacks

Certegy Check Services (2007) - An employee stole the account information of 8.5 million people, including credit card, bank and other account information.

Morrison’s (2014) - An employee published details of the entire workforce (100,000 employees) online; some of them took legal action against Morrison’s. The employee was prosecuted.

T-Mobile (2009) - Sales staff were caught selling customer records to brokers.

Page 9: Common Threat Sources & Methods

Unintended Acts:

Human Errors
Accidental consequences of human action - usually internal to the organisation

System glitches
Security consequences from IT system breakdown and other incidents

Natural Disasters
Security consequences of acts of nature - fire, flood, earthquake, etc.

Page 10: Examples - Unintended Acts

Bank of New York Mellon (2005) - Lost storage tapes contained personal information of 12.5 million people. The breach led to an undisclosed amount of stolen funds.

Student Finance England (2012) - due to an ‘administrative error’, sent an email to 8,000 customers which included other recipients’ email addresses.

O2 (2012) - a ‘technical glitch’ during routine maintenance led to users’ mobile phone numbers being disclosed online.

Nationwide (2006) - an unencrypted laptop was stolen from an employee, putting at risk the personal data of 11 million savers. Nationwide were fined £980,000.

HM Revenue & Customs (2008) - two CDs containing records of 25 million child benefit claimants, including every child in the UK, went missing in the post.

Brighton & Sussex University Hospitals NHS Trust (2010) - Hundreds of decommissioned drives that should have been deep cleaned and destroyed by a contractor were sold second hand. Sensitive information on thousands of patients was discovered on the hard drives being sold on eBay. The trust was fined £325,000 by the Information Commissioner.

Midlothian Council repeatedly disclosed personal data about children and their carers to the wrong recipients, resulting in a £140,000 penalty charge. According to Computing (2015), more than 4000 data breaches occurred in UK local councils in just 3 years - almost 4 breaches a day!

Page 11: Attacks from Outside the Organisation

According to the UK Government Survey 2015:

69% of large organisations (500+ employees) and 38% of small businesses were attacked by unauthorised access from outside the organisation during the last year.

Malicious software breaches impacted 75% of large organisations and 60% of smaller businesses.

The character of these attacks is changing, with greater targeting by outsiders.

Source: Information Security Breaches Survey: HM Government 2015

Page 12: Employee-related Security Breaches

According to the UK Government Survey 2015:

75% of large organisations and 31% of small organisations suffered staff-related security breaches over the last year (around 50% higher than the previous year).

Around 70% of all organisations provide some sort of staff awareness training, and this is increasing.

Despite the training, people are as likely to be the unwitting cause of a security breach as are malicious causes such as viruses.

Source: Information Security Breaches Survey: HM Government 2015

Page 13: Costs of Breaches

A 2015 IBM study found that the average cost of a data breach in the UK was £2.37 million; the worst breach suffered by each large organisation ranged from £1.46 million to £3.14 million. For small businesses, security breach costs range from £75,000 to £310,000 for each breach.

The average organisational cost of a data breach in the UK is $104 per lost or stolen record, and this increases year on year; $54 of this pertains to indirect costs, including abnormal turnover or customer churn, and $50 to direct costs.

Factors found to impact the average cost of a breach:

Factors increasing cost:
Involvement of 3rd parties
Use of consultants
Rush to notify

Factors reducing cost:
Employee training
Continuity planning
Incident response team
CISO appointed
Extensive encryption
Insurance protection
Board level involvement

Source: IBM / Ponemon Institute Cost of Data Breach Study 2015

Page 14: Impacts can be extremely serious

11% of organisations surveyed said that the nature of their business had changed as a result of their worst breach during 2014.

Impacts include business disruption, lost sales, recovery of assets, loss of reputation costs, diminished goodwill and compensation costs.

According to US government sources, 60% of small businesses fail within 6 months of a data breach!

Source: Information Security Breaches Survey: HM Government 2015

Page 15: The bottom line?

Breaches will continue to occur with increased frequency and huge financial and reputational impacts

There will always be new threats

Taking steps to prevent breaches is no longer enough...

Page 16: The need for Balance

Prevention & Avoidance

Rapid Detection and Effective Recovery

Prevention is no longer enough!

Page 17: Cyber Resilience involves a balanced approach

Prevent - Do everything practical to prevent security breaches

Detect - Make sure you detect breaches that you failed to prevent. Detection needs to be quick and ideally automated

Correct - Recover quickly and effectively from detected breaches. Learn from the experience

Based on AXELOS (RESILIA™) material.

Page 18: RESILIA™ Best Practice Guidance

RESILIA is documented in a single publication

Covering the entire lifecycle of cyber resilience

RESILIA describes a similar lifecycle to ITIL: strategy, design, transition, operation, continual improvement

The RESILIA lifecycle is about cyber resilience, not ITSM

RESILIA integrates well with ITSM and other management system approaches

Copyright © AXELOS Limited 2015. All rights reserved.

Page 19: The Case Studies

Three case studies about fictional companies are threaded through all the chapters

SellUGoods
Retail organization
International
Large internet presence
Many physical stores
Worry about payment card data breaches
PCI-DSS compliant

MedUServ
Private medical lab
Single location
Carries out tests for doctors and hospitals
Worry about confidentiality of patient records
ISO 9001 certified

MakeUGoods
Manufacturing
One country
Secret production methods
Customers in the defence industry
SCADA systems
Worry about leaked secrets and lost production

Based on AXELOS (RESILIA™) material.

Page 20: RESILIA Qualification Scheme

RESILIA Foundation Exam
Similar to other AXELOS foundation certifications
Three day training course (online or face-to-face)
50 question multiple choice exam
Covers all chapters of the publication:
  General understanding of cyber resilience
  Purpose of risk management and how to do it
  Purpose of each lifecycle stage
  Key features of each control
  Interactions between cyber resilience and ITSM
Tests basic knowledge and understanding

RESILIA Practitioner Exam
Similar to other AXELOS practitioner certifications
Foundation is a pre-requisite
Two day training course (online or face-to-face)
50 question multiple choice exam
With a case study and scenarios
More complex questions, but still only one correct answer
Same content knowledge as foundation
Demonstrates that you can apply the knowledge

Page 21: RESILIA™ Best Practice Overview

Publication Structure (Topics Covered):

1. Introduction
2. Risk management
3. Managing cyber resilience
4. Cyber resilience strategy
5. Cyber resilience design
6. Cyber resilience transition
7. Cyber resilience operation
8. Cyber resilience continual improvement
9. Roles and responsibilities

Based on AXELOS (RESILIA™) material.

Page 22: Managing Cyber Resilience

A Single Management System for Cyber Resilience

Effective Governance (Evaluate, direct, monitor)
Setting the vision and direction for security
Establishing appropriate Cyber Resilience Policy
Directing management to carry out the required activities
Monitoring to ensure that expectations are met.

Effective Management (Plan, Build, Run, Improve)
Allocating resources, and making tactical and operational decisions
Overseeing activities to ensure they are carried out efficiently and effectively
Ensuring appropriate segregation of duties.

Policies, processes, organisational design, roles and responsibilities, metrics, CSFs and KPIs

Based on AXELOS (RESILIA™) material.

Page 23: Managing Cyber Resilience - IT’s Role

IT is responsible for managing INFORMATION technology services

Cyber Resilience is about managing INFORMATION security

They are both dealing with: the same information, the same IT services, the same need to manage

It makes sense to COLLABORATE

IT has an important role to play in Cyber Resilience

Image credit Quinn Dombrowski

Page 24: The Cyber Resilience lifecycle

[Diagram: the Cyber Resilience lifecycle - Strategy, Design, Transition, Operation, Continual Improvement]

For an IT service to be Cyber Resilient, it needs to be:
planned,
designed,
implemented,
delivered, and
used
with Cyber Resilience in mind.

Cyber resilience processes also need to undergo these stages.

This is what the Cyber Resilience Lifecycle is about.

Page 25: Cyber Resilience Strategy

Cyber resilience needs to be planned in accordance with business priorities and needs

Governance roles and responsibilities for Cyber Resilience
Board level oversight, e.g. CISO or cyber resilience steering group

Understanding stakeholders’ needs and expectations for cyber resilience

Creating, communicating and managing effective Cyber Resilience Policies

Ensuring regular Audit and compliance review

Page 26: Cyber Resilience Design

Ensuring that IT systems and services are designed with cyber resilience in mind

System acquisition, development, architecture and design

HR security design

Supplier and 3rd party security

Technical considerations - e.g. endpoint security, cryptography, network design

Business Continuity Management

Ensuring that Cyber Resilience processes and practices are well designed

Page 27: Cyber Resilience Transition

Ensuring that systems and services are transitioned into operation taking account of cyber resilience requirements

Cyber resilience should be a key feature of change evaluation and change management

Cyber resilience should be considered as a key part of any change project

Testing - including specific security testing - e.g. authentication, access control, input and output validation, testing against common software vulnerabilities (e.g. the latest OWASP Top 10 risks), etc.

Training - users and IT support need to be trained taking cyber resilience into account. Trained staff are less likely to make mistakes.

Page 28: Cyber Resilience Operation

Ensuring that IT systems and services are operated securely, with cyber resilience as a prime consideration by all staff at all times

Being aware of the likely threats, monitoring routinely, and acting promptly on all potential incidents

Managing and escalating security incidents effectively

Taking steps to avoid unauthorised access to systems and networks

Managing physical security of assets

Based on AXELOS (RESILIA™) material.

Page 29: Continual Improvement

Control assessment

Remediation and improvement planning

Don’t aim for perfection: cyber resilience is an ongoing effort, it’s never complete

Continual improvement is a state of mind: everyone always looking for ways to work better

Audit and review - your friend, not something to avoid:
External audits
Internal audits
Vulnerability scans
Assurance testing

Page 30: The Cyber Resilience lifecycle

Strategy: How effective is governance of cyber resilience in your organization? Are the right people involved? What could be improved?

Design: To what extent does your organization risk assess its supply chain? Do you design services and systems with cyber resilience in mind?

Transition: How effective is risk management during service transition? Is cyber resilience integrated with ITSM change management and SACM?

Operation: Are there cyber attacks that your monitoring processes might not detect? Is the access management process integrated with HR procedures?

Continual improvement: How do you measure the effectiveness of your controls?

Based on AXELOS (RESILIA™) material.

Page 31: Risk Management

Cyber resilience is largely about managing risks

A risk is created by a threat exploiting a vulnerability to impact an asset

[Diagram: Threat, Vulnerability, Asset]

Copyright © AXELOS Limited 2015. All rights reserved.

Page 32: The Risk Management Process

Copyright © AXELOS Limited 2015. All rights reserved.

Page 33: Risk Treatment - 4 approaches

Four methods of treating a risk:

1. Risk Avoidance - Taking steps not to undertake the action that could lead to the risk

2. Risk Modification - Using controls to reduce the likelihood of a risk (cybersecurity controls) and/or reduce the impact of the risk (cyber resilience measures). Defence-in-depth measures help when a threat requires more than one vulnerability to succeed.

3. Risk Sharing - Sharing the risk with another party such as a supplier, partner or an insurance company

4. Risk Retention - Retention is the conscious decision to accept a risk (or any remaining risk, after other measures), while continuing to monitor and review this decision from time to time

Based on AXELOS (RESILIA™) material.

Page 34: Types of Controls

Preventative controls - intended to prevent threats from succeeding, e.g. requirement to log in before access

Detective controls - intended to identify a threat that has succeeded so the organisation can respond, e.g. network logs being reviewed daily to detect unusual activity, doors fitted with alarms

Corrective controls - intended to correct the situation after a successful attack has been detected, e.g. restoring data from backups, invoking a business continuity plan, running anti-virus tools to remove the virus

Based on AXELOS (RESILIA™) material.
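The detective control above (daily review of logs for unusual activity) can be automated, as slide 17 asks. The following is an added example, not code from the slides or from the RESILIA publication: the log format, the sample log lines, the baseline of known source addresses and the thresholds are all constructed assumptions.

```python
"""Automated daily log review as a detective control.

Added example, not part of the original slides or of the RESILIA
publication. The log format, the sample log lines and the baseline of
known source addresses are constructed; the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of one day's authentication log (not real data).
SAMPLE_LOG = """\
2016-01-25T08:02:11 auth user=alice src=10.1.4.22 result=success
2016-01-25T09:15:40 auth user=bob src=10.1.4.31 result=success
2016-01-25T13:10:02 auth user=alice src=198.51.100.77 result=success
2016-01-25T22:41:03 auth user=carol src=203.0.113.9 result=failure
2016-01-25T22:41:09 auth user=carol src=203.0.113.9 result=failure
2016-01-25T22:41:15 auth user=carol src=203.0.113.9 result=failure
2016-01-25T22:41:20 auth user=carol src=203.0.113.9 result=failure
2016-01-25T22:41:26 auth user=carol src=203.0.113.9 result=failure
2016-01-25T22:41:31 auth user=carol src=203.0.113.9 result=success
2016-01-25T23:05:00 dhcp lease 10.1.4.90 renewed
"""

# Constructed baseline: source addresses each user has logged in from before.
KNOWN_SOURCES = {
    "alice": {"10.1.4.22"},
    "bob": {"10.1.4.31"},
    "carol": {"10.1.4.40"},
}

# Assumed thresholds; tune them to the organisation's own traffic.
FAILURE_THRESHOLD = 5                 # failures before a success that warrant review
FAILURE_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)         # 07:00 to 19:59 is treated as normal


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    success: bool


def parse_log(text):
    """Parse 'auth' records; other record types (e.g. dhcp) are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "auth":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(Event(datetime.fromisoformat(parts[0]), fields["user"],
                            fields["src"], fields["result"] == "success"))
    return sorted(events, key=lambda e: e.ts)


def review(events, known_sources):
    """Apply three review rules and return (rule, user, src, detail) findings.

    The rules only flag activity for a person to investigate; the response
    (disabling an account, restoring data) is a separate corrective control.
    """
    findings = []
    failures = defaultdict(list)          # (user, src) -> failure timestamps
    for e in events:
        key = (e.user, e.src)
        if not e.success:
            failures[key].append(e.ts)
            continue
        # Rule 1: a burst of failures followed by a success from the same source
        recent = [t for t in failures[key] if e.ts - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            findings.append(("failures-then-success", e.user, e.src,
                             f"{len(recent)} failures within {FAILURE_WINDOW}"))
        failures[key] = []
        # Rule 2: successful login outside business hours
        if e.ts.hour not in BUSINESS_HOURS:
            findings.append(("out-of-hours-login", e.user, e.src, e.ts.isoformat()))
        # Rule 3: successful login from a source not in the user's baseline
        if e.src not in known_sources.get(e.user, set()):
            findings.append(("new-source", e.user, e.src, "not in baseline"))
    return findings


def daily_review(log_text=SAMPLE_LOG, known_sources=KNOWN_SOURCES):
    """Run the review over one day's log and return the findings."""
    return review(parse_log(log_text), known_sources)


if __name__ == "__main__":
    for rule, user, src, detail in daily_review():
        print(f"{rule:24} user={user:8} src={src:16} {detail}")
```

On the constructed sample the review flags alice's login from an unknown address and carol's out-of-hours success preceded by five failures; each finding names the rule so the reviewer can see which control fired.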

Page 35: Types of Controls (sub-categories)

Deterrent controls - discouraging people from launching attacks, e.g. ‘beware of the dog’ sign, or routine audits

Reductive controls - steps taken before an attack to improve the effectiveness of recovery or reduce potential damage, e.g. creating a backup or a recovery plan

Repressive controls - preventing a successful attack from progressing further, e.g. an intrusion prevention system

Compensatory controls - additional controls that provide protection when another control is not effective, helping to provide defence-in-depth, e.g. a backup generator for use when the primary electricity supply fails

Based on AXELOS (RESILIA™) material.

Page 36: Risks and Controls - HR Security

People - the organisation’s greatest asset and weakest link

The risk of employees and contractors during hiring, in employment and when they leave the organisation

Privileged access to sensitive information

Intended Threats:
People can be the hackers - e.g. dishonest insiders
Insider threats from disgruntled and disaffected employees

Unintended Threats:
Targets of malicious influence & coercion
Poorly trained and unaware employees can inadvertently disclose information, lose assets or cause system failures

Page 37: Risks and Controls - HR Security

People - HR Security Controls

Cyber Resilience integral to a well-designed JML (Joiners, Movers and Leavers) process:
Pre-employment checks, contract of employment covering CR obligations
Staff induction, good line management discipline
Exit and termination of employment process

Training and Awareness and Communication:
Induction training and regular cyber resilience-specific training and communication
Leadership by example, behavioural and cultural change nurtured
Continual professional development
Cyber resilience built into charters, vision statements, missions, job descriptions and briefings

Page 38: Risks and Controls - 3rd Party Security

Supplier and 3rd-Party Security Management

Your supply chain is as strong as the weakest link in the chain

The supply chain presents significant unknown risks

The customers of your suppliers may be your competitors

With cloud-based services, it is not always easy to know exactly where an asset is and where the risk lies

With multiple suppliers, the demarcation of responsibilities is unclear

Rapid response to attacks is more difficult

Where partners are integrated into your business processes and IT systems, this brings additional risks

Based on AXELOS (RESILIA™) material.

Page 39: Risks and Controls - 3rd Party Security

Supplier and 3rd-Party Security Controls

Risk management should include the supply chain, to have a good understanding of the risks involved

A good supplier management process, taking cyber resilience needs into account

Include cyber resilience and security in the contracts

Carry out supplier due diligence and risk assessment

Have a contingency plan for the supply chain and test this with the supply chain, at least annually

A policy for sharing information with external parties such as suppliers

Build a separate network for visitors and suppliers to connect out. Do not let 3rd parties connect to the internal network.

Based on AXELOS (RESILIA™) material.

Page 40: Risks and Controls - Asset Management

Asset and configuration management: critical assets identified, classified, tracked, protected

Classification:
e.g. public, internal, private, commercial, confidential, highly confidential

Depending on classification, decide how it can be transmitted, stored, discussed, whether it should be encrypted, how it may be disposed of, etc.

Document management. Treat documents as assets.

Based on AXELOS (RESILIA™) material.

Page 41: Risks and Controls - Retention & Disposal

Information Retention and Disposal

Information should be disposed of securely

This will depend on the classification of the information and the type of media the information is stored on

Paper documents classified as public may go in the bin, but confidential paper documents may need to be cross-shredded

Digital information may need special software for deletion; specialised software may be needed to overwrite drives for re-use

CDs and DVDs may need to be crushed beyond reconstitution

Disposal records should be kept; disposal certificates when using a supplier

Based on AXELOS (RESILIA™) material.

Page 42: The Importance of Cyber Resilience - BCS Bristol · Cyber resilience needs to be planned in accordance with business priorities and needs Governance roles and responsibilities for

Access control:

Asset owners should authorise access rights - role-based ‘Least Privilege’ and ‘Need to Know’

Use information classification to determine access rights

Identity verification

Security obligations - keeping passwords and PINs secret

Two-factor or multi-factor authentication

Joiners, Movers and Leavers process - to include access monitoring and review

At least annual review and re-certification for super-users with privileged access (these accounts are often the target of hackers)
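As an added example (not from the presentation or from RESILIA), the Joiners, Movers and Leavers check and the annual re-certification of privileged accounts described above can be run as one review over an access inventory; the roster, roles, rights and dates below are constructed, and the 365-day limit follows the slide's "at least annual" review.

```python
from datetime import date, timedelta

# Constructed sample data, not from the presentation: an HR roster, the rights each
# role needs (least privilege / need to know) and the current access inventory.
ROSTER = {
    "alice": {"status": "active", "role": "finance-analyst"},
    "bob":   {"status": "active", "role": "helpdesk"},   # mover: was a sysadmin
    "carol": {"status": "left",   "role": "sysadmin"},   # leaver
    "dave":  {"status": "active", "role": "sysadmin"},   # privileged user
}
ROLE_RIGHTS = {
    "finance-analyst": {"ledger-read"},
    "helpdesk":        {"ticketing"},
    "sysadmin":        {"ticketing", "domain-admin"},
}
PRIVILEGED = {"domain-admin"}   # super-user rights that need annual re-certification
# account -> {right: date it was last certified by the asset owner}
ACCESS = {
    "alice": {"ledger-read": date(2015, 6, 1)},
    "bob":   {"ticketing": date(2015, 6, 1), "domain-admin": date(2015, 6, 1)},
    "carol": {"ticketing": date(2015, 6, 1), "domain-admin": date(2015, 6, 1)},
    "dave":  {"ticketing": date(2015, 6, 1), "domain-admin": date(2014, 9, 1)},
}
REVIEW_DATE = date(2016, 1, 26)   # the date the review is run (assumed)

def review_access(roster, role_rights, access, privileged, today, max_age_days=365):
    """Return (revoke, recertify): rights to remove under the JML process, and
    privileged rights whose last certification is older than max_age_days."""
    revoke, recertify = [], []
    for user, rights in access.items():
        person = roster.get(user)
        if person is None or person["status"] != "active":
            # Leaver, or an account with no owner on the roster: remove everything.
            revoke.extend((user, right) for right in rights)
            continue
        allowed = role_rights.get(person["role"], set())
        for right, certified in rights.items():
            if right not in allowed:
                # Mover still holding a right from the old role: least privilege broken.
                revoke.append((user, right))
            elif right in privileged and today - certified > timedelta(days=max_age_days):
                recertify.append((user, right))
    return sorted(revoke), sorted(recertify)

if __name__ == "__main__":
    revoke, recertify = review_access(ROSTER, ROLE_RIGHTS, ACCESS, PRIVILEGED, REVIEW_DATE)
    print("revoke:", revoke)
    print("re-certify:", recertify)
```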

Risks and Controls - Access Control

(Diagram: lifecycle stages Strategy, Design, Transition, Operation, Continual Improvement)

Based on AXELOS (RESILIATM) material.

Page 43

Network Security Design:

Design networks in a hierarchical segmented model, with security domains or zones - to contain breaches

Segment networks with firewalls - to protect internal network addresses and potentially filter against some web-borne attacks

Terminate external connections outside the network in a DMZ

Segregate internal traffic such as data, VOIP and management. Management traffic should preferably be out of band so it is not a single point of failure

Encrypted traffic into the internal network should only be from a secured endpoint. Otherwise terminate in a DMZ, so traffic can be screened before forwarding.

Ensure endpoints are secured.

Risks and Controls - Network Design

(Diagram: lifecycle stages Strategy, Design, Transition, Operation, Continual Improvement)

Based on AXELOS (RESILIATM) material.

Page 44

Network Security Management:

Harden all network devices - disable all services that are not essential

Protect Internal networks from unauthorised access

Protect networks from DDoS attacks - for example with anti-DDoS services

Only allow encrypted traffic into the internal network from secured endpoints.

Monitor the network for suspicious activities, e.g. using IDS/IPS or SIEMs, and review firewall policies regularly

Authenticate devices before they connect to the network (wireless and physical connections)

Any remote maintenance should use strong authentication

WiFi connections should be secured with strong passwords and encryption

Ensure all endpoints are secure, for example adopt a BYOD policy and process.
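An added example, not part of the presentation or of RESILIA, of the regular firewall policy review called for above, checking a constructed rule set against the segmentation principles from the Network Security Design slide (external traffic terminates in the DMZ, no any-to-any allows, management traffic kept off cleartext protocols); the zone names, rule ids, services and the cleartext-protocol list are assumptions.

```python
# Constructed sample rule set, not from the presentation. Zones follow the
# hierarchical segmented model: external -> dmz -> internal, plus an
# out-of-band management zone. Rule ids and services are assumptions.
RULES = [
    {"id": 1, "src": "external", "dst": "dmz",        "service": "tcp/443",  "action": "allow"},
    {"id": 2, "src": "dmz",      "dst": "internal",   "service": "tcp/5432", "action": "allow"},
    {"id": 3, "src": "external", "dst": "internal",   "service": "tcp/3389", "action": "allow"},
    {"id": 4, "src": "internal", "dst": "management", "service": "any",      "action": "allow"},
    {"id": 5, "src": "internal", "dst": "management", "service": "tcp/23",   "action": "allow"},
    {"id": 6, "src": "any",      "dst": "any",        "service": "any",      "action": "allow"},
    {"id": 7, "src": "external", "dst": "dmz",        "service": "tcp/443",  "action": "allow"},
    {"id": 8, "src": "any",      "dst": "any",        "service": "any",      "action": "deny"},
]
# Protocols that carry management credentials in clear text (assumed list).
CLEARTEXT_MGMT = {"tcp/21", "tcp/23", "tcp/80", "udp/161"}

def check_rule(rule):
    """Findings for one allow rule against the segmentation principles."""
    src, dst, svc = rule["src"], rule["dst"], rule["service"]
    if src == "any" and dst == "any":
        return ["any-to-any allow defeats segmentation"]
    findings = []
    if src in ("external", "any") and dst != "dmz":
        findings.append("external traffic must terminate in the DMZ, not reach " + dst)
    if svc == "any":
        findings.append("service 'any' is wider than the need")
    if dst == "management" and svc in CLEARTEXT_MGMT:
        findings.append("cleartext protocol into the management zone")
    return findings

def review_firewall_policy(rules):
    """Review the whole rule set in order; returns {rule id: [findings]} for rules
    needing attention, including later duplicates shadowed by an earlier rule."""
    seen, report = set(), {}
    for rule in rules:
        if rule["action"] != "allow":
            continue   # deny rules do not widen access; only allows are reviewed
        findings = check_rule(rule)
        key = (rule["src"], rule["dst"], rule["service"])
        if key in seen:
            findings.append("duplicate of an earlier rule (shadowed)")
        seen.add(key)
        if findings:
            report[rule["id"]] = findings
    return report

if __name__ == "__main__":
    for rule_id, findings in review_firewall_policy(RULES).items():
        print(rule_id, findings)
```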

Risks and Controls - Network Security

(Diagram: lifecycle stages Strategy, Design, Transition, Operation, Continual Improvement)

Based on AXELOS (RESILIATM) material.

Page 45

Endpoint Security

Endpoint devices (PCs, laptops, smartphones, tablets, etc) are particularly at risk - they can be used to infiltrate the network

They need to be built and configured to be secure

Encrypt data and the connection to the network

Implement host firewall, host IDS/IPS and anti-malware protection, with automatic update before connection

Use MDM technology to manage tablets and smartphones

BYOD policy including management of the devices and ownership of the data

Authenticate all endpoints

Risks and Controls - Endpoint Security

(Diagram: lifecycle stages Strategy, Design, Transition, Operation, Continual Improvement)

Based on AXELOS (RESILIATM) material.

Page 46

Physical security:

Perimeter security

Visitor management

Equipment siting, labelling, cabling

Protect supporting utilities (power, water, etc)

Security of unattended equipment

Security incident management: to respond effectively to cyber resilience incidents

Incident planning

Incident response team

Escalation

Contain, eradicate, recover

Learn lessons and improve

Risks and Controls - Operational Controls

(Diagram: lifecycle stages Strategy, Design, Transition, Operation, Continual Improvement)

Page 47

Business continuity management:

Business Impact Analysis - understand the impact of loss of services / data / assets

Develop business continuity strategy and plan, identifying all the critical assets the business relies on, and planning to recover in the event of a major incident: IT services, key people, suppliers, information, ...

Test and review the plan regularly

Cyber Resilience should be integral to business continuity management

Risks and Controls - Business Continuity

(Diagram: lifecycle stages Strategy, Design, Transition, Operation, Continual Improvement)

Page 48

A complete, collaborative approach

Driven by the board - with clear board-level ownership and responsibility for CR

Enterprise-wide strategy

Providing relevant learning, development and regular communication

Involving everyone in the organisation

Extending to the supply chain, partners and customers

Important Features:

Clear understanding of the critical assets, including information assets

Clear view of the main threats and areas of vulnerability, including those of customers, partners and the supply chain

Adoption of a common language by all stakeholders

Design of appropriate plans using best-practice guidance

Adoption of a balanced set of controls to prevent, detect and correct

Characteristics of Good Cyber Resilience

Based on AXELOS (RESILIATM) material.

Page 49

Cyber attacks and data breaches are going to happen... with increasing frequency and impacts

Focusing on prevention is no longer enough...

...we need to focus also on timely detection and effective correction

RESILIA provides a set of best practices that can help you manage cyber resilience

In Summary

Page 50

ANY QUESTIONS?
