Presentation on cyberattacks given by Marc Vael at EPSC forum in Brussels on 25th of October 2011
The vulnerability of high hazards plant to cyber attack
Marc Vael, Director
Cybersecurity threats
• Cyber-criminals
• Malware
• Phishers
• Spammers
• Negligent staff
• Hackers
• Unethical employees misusing/misconfiguring security functions
• Unauthorized access, modification, disclosure of information
• Nations attacking critical information infrastructures
• Technical advances that can render encryption algorithms obsolete
Cyberattacks are DIFFICULT to execute.
Lessons learned so far
Governments do have the resources/skills to conduct cyberattacks.
Lessons learned so far
Cyberattacks are war.
Lessons learned so far
Cyberwarfare is “the fifth domain of warfare”
“Cyberspace is a new domain in warfare which has become just as critical to military operations as land, sea, air and space.”
“Actions to penetrate computers or networks for the purposes of causing damage or disruption.”
Information warfare is “using & managing IT in the pursuit of a competitive advantage over an opponent”
Cyberattacks are a real, clear and present danger to organisations & government agencies.
Lessons learned so far
“It’s possible that hackers have gotten into administrative computer systems of utility companies, but says those aren’t linked to the equipment controlling the grid, at least not in developed countries. I have never heard that the grid itself has been hacked.”
Howard Schmidt, Cyber-Security Coordinator of the US
Targeted organizations are unprepared.
Lessons learned so far
Security professionals are at risk.
Lessons learned so far
Risk always exists! (whether or not it is detected / recognised by the organisation)
Impact of an attack on the business
Cyberattack mitigating strategies
Corporate governance: ERM = COSO
Support from Board of Directors & Executive Management
Cyberattack mitigating strategies
Managing risks appropriately
Cyberattack mitigating strategies
Policies & Standards
Cyberattack mitigating strategies
Cyberattack mitigating strategies
Project Management
Cyberattack mitigating strategies
Supply Chain Management
Cyberattack mitigating strategies
EDUCATION!
Providing proper funding
Cyberattack mitigating strategies
Providing proper resources
Cyberattack mitigating strategies
Measuring performance
Cyberattack mitigating strategies
Review / Audit
Cyberattack mitigating strategies
Incident/Crisis Management
Cyberattack mitigating strategies
Information Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT RESOURCES
• Applications
• Information
• Infrastructure
• People
PLAN & ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate mgt aims & direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects
ACQUIRE & IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire & maintain application software
AI3 Acquire & maintain IT infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install & accredit solutions and changes
DELIVER & SUPPORT
DS1 Define & manage service levels
DS2 Manage third-party services
DS3 Manage performance & capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify & allocate costs
DS7 Educate & train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
MONITOR & EVALUATE
ME1 Monitor & evaluate IT performance
ME2 Monitor & evaluate internal control
ME3 Ensure compliance with external requirements
ME4 Provide IT governance
Information Security Management
Your security solution is as strong … as its weakest link
“I don’t care how many millions of dollars you spend on security technology. If you don’t have people trained properly, I’m going to get in if I want to get in.”
Susie Thunder, Cyberpunk
Contact information
Marc Vael CISA, CISM, CISSP, CGEIT, ITIL Service Manager, Prince2
Director Knowledge Board
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows
IL 60008 USA
http://www.isaca.org/security
http://www.linkedin.com/in/marcvael
http://twitter.com/marcvael