RTN CTRL
Closing the Gap: Protecting Business Capabilities Against Security Threats
Dr Ryan Ko, Head, Cyber Security Researchers of Waikato, University of Waikato; Editor, ISO 21878
2016 NZ Cloud Computing and Hybrid IT Forum
www.crow.org.nz | www.stratus.org.nz
CROW – 1st Uni Cyber Security Lab in NZ
• First Cyber Security Lab in NZ, building on traditions of NZ Internet, Data Mining (Weka), networking group
• 20+ research students (Honours, PGDip, Master of Cyber Security, PhD)
• 30+ Alumni (now at Gallagher, Deloitte, INTERPOL, Cloud Security Alliance, LayerX, etc)
• 14 staff (6 academics, 8 staff)
• Dr Ryan Ko is Science Leader of the NZ$12.2 million, 6-year, MBIE-funded STRATUS project, NZ's largest IT research grant
• Also funded by Fulbright Commission, InternetNZ, Education NZ, and Office of the Privacy Commissioner
• Creators of the New Zealand Cyber Security Challenge (now 3rd year; 267 participants)
Who we work with:
NZ Cyber Security Challenge (since 2014)
Craig Scoon and Ryan Ko presenting to the Governor-General of New Zealand, April 2016
Hosting the Governor-General, and Director, NSA Research Directorate
Cybercrime Research with INTERPOL
Co-developed the (ISC)2 Certified Cloud Security Professional (CCSP)
INDUSTRY TRENDS A look at the recent
An Important Trend
• Global trend of linking liability for cyber security incidents to directors
– Think Health and Safety
• The rise of awareness of the need for cyber security and cyber insurance
– Better utilising existing capabilities
– Future capabilities (in training and research)
Institute of Directors in NZ: Cyber-Risk Practice Guide
https://www.iod.org.nz/Portals/0/Governance%20resources/Cyber-Risk%20Practice%20Guide.pdf
10 August 2016: First NZ-Specific Social Engineering TorrentLocker
Immediately reported to IT Dept. and Government: NCPO (Connect Smart), NCSC
The Mind of the Attacker: 4 Stages of Penetration Testing (ref: The Basics of Hacking and Penetration Testing, Patrick Engebretson)
• Reconnaissance – Aim: Gathering information about the target.
• Scanning – Aim: Searching for holes and vulnerabilities in network ports and system software.
• Exploitation – Aim: Gain admin access over the target machine(s).
• Maintaining Access – Aim: Maintain permanent backdoors to the system, resistant to program closures and even reboots.
One more step: Hiding/Covering your tracks (for Black Hats).
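As an added example (not from the talk or from Engebretson's book) of what the scanning stage looks like in code: a small TCP connect scanner that probes a list of ports with a timeout and grabs the banner a service sends first, which is how a tester turns "port 22 is open" into "OpenSSH x.y is listening". The host, port window, fake SSH banner and all function names are assumptions for illustration; the target is a constructed local listener so the script runs offline. Against real hosts, run this only with written authorisation.

```python
# Added example, not code from the talk: a minimal "scanning stage" tool.
# TCP connect() scan over a port list with per-port timeout and banner grab.
# All names, ports and the fake banner are assumptions for illustration.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class PortResult:
    port: int
    open: bool
    banner: Optional[str] = None


def probe_port(host: str, port: int, timeout: float = 0.5, banner_bytes: int = 128) -> PortResult:
    """Full TCP handshake probe: the port is open if connect() succeeds.
    Services such as SSH, SMTP and FTP speak first, so wait briefly for a banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(banner_bytes)
            except (socket.timeout, ConnectionResetError):
                data = b""  # open but silent (HTTP-style services wait for the client)
            banner = data.decode("utf-8", errors="replace").strip() or None
            return PortResult(port, True, banner)
    except (ConnectionRefusedError, socket.timeout, OSError):
        return PortResult(port, False)


def scan(host: str, ports: Iterable[int], workers: int = 50, timeout: float = 0.5) -> List[PortResult]:
    """Probe ports concurrently; invalid port numbers are skipped."""
    valid = [p for p in ports if 1 <= p <= 65535]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout), valid))
    return sorted(results, key=lambda r: r.port)


def open_ports(results: List[PortResult]) -> List[PortResult]:
    return [r for r in results if r.open]


class FakeService:
    """Constructed test target: a local listener that sends an SSH-like banner,
    so the scanner can be exercised without touching any real host."""

    def __init__(self, banner: bytes = b"SSH-2.0-ExampleServer_1.0\r\n"):
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice the stop flag
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(self.banner)
                except OSError:
                    pass

    def close(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()


def demo() -> dict:
    """Start the fake service, scan a small window of ports around it,
    and return the open ports with their banners."""
    svc = FakeService()
    try:
        results = scan("127.0.0.1", range(svc.port - 2, svc.port + 3))
        return {"target_port": svc.port,
                "open": [(r.port, r.banner) for r in open_ports(results)]}
    finally:
        svc.close()


if __name__ == "__main__":
    print(demo())
```

The connect scan completes the handshake, so it shows up in the target's logs; that is the trade-off against SYN scans, which need raw sockets and privileges. The banner is what feeds the next step of the scanning stage, matching the service version against known vulnerabilities.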
Src: http://www.youtube.com/watch?v=F_5CMjgHRKQ
Preventing and mitigating Social Engineering
1. Learning to identify social engineering attacks
2. Creating a personal security awareness program
3. Creating awareness of the value of the information that is being sought by social engineers
4. Keeping software updated
5. Developing scripts
6. Learning from social engineering audits
7. Continuously learning from: http://www.social-engineer.org/
Developing Scripts
• If someone calls and claims to be from the management office and demands that you hand over information or internal data, follow these steps:
1. Ask for the person's employee ID number and name. Do not answer any questions until you have this information.
2. After getting the identifying information, ask for the project ID number related to the project he or she is managing that requires this information.
3. If the information in steps 1 and 2 is successfully obtained, comply.
4. If it's not, ask the person to have his or her manager send an email to your manager requesting authorization, and terminate the call.
• A simple script like this can help employees know what to say and do in circumstances that test their security consciousness.
• A caller who has done reconnaissance may be able to supply plausible-sounding ID numbers, so steps 1 and 2 only protect you if the numbers are checked against the staff directory or project list, or the caller is rung back on a number you already hold, rather than simply written down.
AN ORGANISATION’S PERSPECTIVE Script development is just a part of the Big Picture!
Planning your organisation if you are an IT Manager/ CISO/ Director
• Prevention
– Vulnerability Detection
– Vulnerability Remediation
– Vulnerability Patching
• Security
– Policies (Designing and Implementing an ISMS)
– Alignment to standards, e.g. ISO/IEC 27001
– Controls (Scripts, Assets, BYOD, Users, Physical Environment, etc)
• Forensics
– How can you find out what went wrong?
• Collaboration across the sector and link to the national level
– Does your sector have a trusted network? CSIRT?
Related Question: Do it yourselves, or outsource?
Doing it yourself: Manpower and Resources
• Do you have a person/ group of people who will be able to adequately respond to an incident or emergency?
– Technical Response
– Communications Response
• Do you have a group of people who are preventing, monitoring and giving you updates on the weekly trends?
– Vulnerability discovery and patching?
– CISO
– Virtual CISO
– Collaboration/ sharing between trusted parties
• Do you have a group which looks into the future for trends and problems – 1 year, 2 years, 5 years? (Covered later in talk)
– If not, you may wish to work with Callaghan Innovation, or groups such as MBIE STRATUS
Outsourcing: 5 Key Questions to Ask a Vendor
• Do you use the tool to protect yourself? Give specific use cases.
• What can't your tool protect?
• What happens when I get attacked? How will you help me?
• How well do you know the international and national legislation and control frameworks, e.g. the ISO 27000 series, NZ data privacy laws and the NZISM (which version)?
– How does your tool align our organisation to them?
• If I have a malicious staff member who leaks my data, how can your tool contain the situation?
5 Simple Questions to Ask the Educator/ Trainer
• Tell me specifically what skills you train, and why you focus on them.
• How many alumni have you trained, and where are they working now?
• How many of your staff/trainers are involved in international standards; are they globally or regionally recognised experts?
• Do they produce technology or publications that are really usable by users?
• Is this demo you showed me your own, or did you use another organisation's tool and 'white-label' it?
ISO 27001 @ ISO Online Browsing Platform (OBP)
UPCOMING KEY EVENTS Mark Your Calendars
STRATUS Forum 2015 (Last Year)
STRATUS Forum 2016 (Open to Public)
• Research Team:
– Universities: University of Waikato (lead), University of Auckland
– Polytechnic: Unitec
– Global Consortium: Cloud Security Alliance
– Industry Partners: Gallagher, LayerX, Virscient, Aura (Kordia)
• Date: 5 December 2016
• Location: MBIE Building, Wellington
• More Info: https://stratus.org.nz
Hosting the ISO/IEC JTC 1/SC 27 Plenary and Workshop Meetings
• Hosted by University of Waikato & Cloud Security Alliance next year.
• Supported by Standards New Zealand
• First time in New Zealand
• 400+ national delegates from 60+ countries and 20+ liaison bodies
• April 18-25, 2017
THANKS
Ryan Ko, PhD, CCSP
• Head, Cyber Security Lab/ Senior Lecturer, University of Waikato | https://crow.org.nz
• Science Leader, STRATUS | https://stratus.org.nz
• International Faculty Member, NIATEC, Idaho State University, USA
• Asia Pacific Research Advisor, Cloud Security Alliance
• Editor, ISO/IEC 21878 – Security Guidelines for Design and Implementation of Virtualized Servers
• Consultant and Technical Advisor to NZ and International Companies
Announcements:
• 3 x STRATUS project PhD study awards (fees + stipend) available
• 1 x STRATUS Masters study award (fees + stipend) available
soli deo gloria