LEX INFORMATICA CONFERENCE JULY 2009 PREVENTION IS BETTER THAN PROSECUTION: DEEPENING THE DEFENCE AGAINST CYBER CRIME Adv Jacqueline Fick Risk and Compliance Management PwC Advisory Southern Africa

Page 1: Prevention Is Better Than Prosecution:  Deepening the defence against cyber crime

LEX INFORMATICA CONFERENCE JULY 2009

PREVENTION IS BETTER THAN PROSECUTION:

DEEPENING THE DEFENCE AGAINST CYBER CRIME

Adv Jacqueline Fick

Risk and Compliance Management

PwC Advisory Southern Africa

Page 2

Contents

• Introduction and Approach
• Information Assurance
• Defence in Depth Strategy
• Conclusion
• Questions

Page 3

Slide 3 PricewaterhouseCoopers July 2009

Introduction and Approach

• President in State of the Nation Address specifically referred to an increased effort to combat cyber crime and identity theft
• Increase in cyber crime in both private and public sector
• Criminals want information
• Law enforcement hampered in efforts to catch criminals
• Shift in paradigm:
  - Re-active v pro-active
  - Prevention is better than Prosecution
  - Devoting time and resources to implement strategies that prevent cyber crime
• Information Assurance and Defence in Depth strategy

Page 4

Information Assurance

• Definition
• Objective of Information Assurance
• Five pillars of Information Assurance

Page 5

Information Assurance

Definition

• The practice of managing information-related risks (Wikipedia).

• Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities (US DoD).

• Umbrella concept bringing together issues of Information Security and Dependability.

• Includes other corporate governance issues such as privacy, audits, business continuity and disaster recovery.


Page 6

Objective

The objective of Information Assurance is to minimise the risk that information systems, and the information stored, transmitted and processed on them, are vulnerable to threats. If an attack does take place, the damage it might cause will be minimised. It also provides methods to recover from an attack as efficiently and effectively as possible.

Information Assurance focuses on:
• Access controls
• Individual accountability
• Audit trails

Page 7

Five pillars of Information Assurance

• Information Security based on CIA triad
• Information Assurance: CIA triad, authenticity and non-repudiation
• NSA: application of five pillars should be based on protect, detect and react paradigm
• Electronic Communications and Transactions Act, No. 25 of 2002
  - Incorporates principles of five pillars
  - Criminalises attacks

Page 8

Five pillars of Information Assurance

[Diagram: Information Assurance resting on five pillars: Confidentiality, Integrity, Availability, Authenticity and Non-repudiation.]

Page 9

Defence in Depth Strategy

• Introduction
• Focus areas
• Core principles
• Implementing strategy
• Layered defence approach
• Maintaining strategy

Page 10

Definition

Strategy that can be implemented to achieve Information Assurance in today’s highly networked environments (NSA). Also defined as systematic security management of people, processes and technologies in a holistic risk-management approach (TISN):
• “Best practices” strategy in that it relies on the intelligent application of techniques and technologies.
• Based on balancing protection capability and cost, performance and operational considerations.
• Delivers:
  - Effective risk-based decisions;
  - Enhanced operational effectiveness;
  - Reduced overall cost and risk; and
  - Improved information security.

Page 11

Threats

To protect an organisation’s information and information systems against cyber attacks, it is necessary to determine who the enemy is, why they would want to launch an attack and how they would attack the organisation. Threats can be internal and external and can be the result of intentional and unintentional actions.

PEOPLE
• Disgruntled employees
• Financially troubled employees
• Corporate espionage
• Uneducated/uninformed users

TRADING PARTNERS
• Business partners with poor data security
• Physical access to shared systems
• Misunderstanding of allowed access
• Competitive environment

EXTERNAL THREATS
• Hackers
• Organised crime
• Changes in regulatory framework

TECHNOLOGICAL INNOVATION
• Faster networks
• More storage in smaller devices
• Technological convergence
• Increasingly mobile workforce

Page 12

Focus areas

Achieving Information Assurance requires a balanced focus on:
• People
• Processes
• Technology
• Governance

[Diagram: Information Assurance achieved through a Defence in Depth Strategy spanning People, Processes/Operations, Technology and Governance.]

Page 13

Focus areas (continued)

Technology

• Refers to the solutions that organisations employ to achieve and sustain their business objectives. Key focus areas for implementing a Defence in Depth strategy:
  - Management of network architecture
  - Infrastructure management
  - Application security
  - Communications management

• Important to ensure that the procurement policy is aligned to the overall Defence in Depth strategy: the right technology is procured in accordance with overall business objectives.

Page 14

Core principles

TISN defines the core principles as follows:

• Implementing measures according to business risks.
• Using a layered approach.
• Implementing controls to increase the effort needed to attack and breach the system.
• Implementing personnel, procedural and technical controls.

Page 15

Focus areas (continued)

People

• Refers to the security roles and responsibilities for internal and external persons.

• Important to define, maintain and enforce security roles and responsibilities for employees, contractors or business partners.

• User awareness (both internal and external people).


Page 16

Focus areas (continued)

Processes (or Operations)

• Refer to standardised actions which are used to ensure that the organisation’s position on security is sustained.

• Organisations must define, maintain and enforce standardised actions/processes which are used to develop and sustain their position on security.

• Key focus areas would typically include:
  - Identity and user-access management
  - Incident response management
  - Disaster recovery management
  - Audit management

Page 17

Focus areas (continued)

Governance

• Refers to the oversight and coordination of technology, people and processes provided in terms of a management framework, and begins with commitment from senior management level. This is followed by:
  - Integration and alignment to overall strategy;
  - alignment and incorporation into business objectives and goals;
  - drafting and implementing appropriate policies; and
  - deriving procedures from them.

• Key focus areas for implementation include:
  - Risk management.
  - Information security and policy.
  - Compliance management.

Page 18

Implementing the strategy

• Requires a shift in paradigm: IT security/Information Assurance cannot be viewed as stand-alone issues, but must become part of business planning, overall strategy, governance and operations.

• Reasons for implementing strategy:
  - Expanding organisational boundaries.
  - Mobile workforce.
  - Decentralisation of services.
  - Increasing value of information.

Page 19

Implementing the strategy (continued)

Steps

• Analysis of internal and external environment.
• Determining the risks.
• Implementation of strategy.
• Maintenance, monitoring and review.

Page 20

Layered Defence Approach as part of Defence in Depth Strategy

The most effective way to secure information within modern day parameters would be through implementing different layers of control as part of Defence in Depth strategy (Murali 2007). Controls include both technical and process control mechanisms.

[Diagram: concentric layers of control around INFORMATION, from outermost to innermost: Physical Security, OS Security, Network Security, Database Security, Application Security, User Security.]

Page 21

Layered Defence Approach (continued)

An organisation must deploy multiple defence mechanisms between the attacker and the target. These must increase the difficulty of successfully penetrating the network, thereby reducing risk, but must also increase the chances of detecting the intruder:
• Must identify users of a system, e.g. through passwords and usernames.
• Must be able to provide mechanisms to effectively and efficiently recover from damage after an attack.
• Must provide intelligence and correlate information between the various departments in a business with the aim of preventing future attacks.
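The last two bullets, detection and correlation across departments, are easier to see with a concrete case. The following is an added example written for this page, not material from the presentation or the sources it cites. It assumes two constructed log feeds owned by different teams (a VPN gateway log from the network team and an HR application log from the application team), a simple one-line-per-login format, and made-up account names and addresses. Each feed on its own shows nothing that a single system would block; correlated, they show repeated failures for one account on one layer followed by a success on another.

```python
"""Cross-source login correlation (added example, not from the slides)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample feeds (not real data).
# Line format assumed here: "<ISO time> <user> <OK|FAIL> <source IP>"
VPN_LOG = """\
2009-07-01T08:00:01 jsmith FAIL 203.0.113.7
2009-07-01T08:00:09 jsmith FAIL 203.0.113.7
2009-07-01T08:00:15 jsmith FAIL 203.0.113.7
2009-07-01T08:00:22 jsmith FAIL 203.0.113.7
2009-07-01T08:01:30 amolefe OK 198.51.100.4
"""

HR_APP_LOG = """\
2009-07-01T08:02:40 jsmith OK 203.0.113.7
2009-07-01T09:15:00 amolefe OK 198.51.100.4
2009-07-01T09:20:11 tndlovu FAIL 192.0.2.9
2009-07-01T09:21:00 tndlovu OK 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")


def parse_log(text, source):
    """Parse one feed into event dicts tagged with the department/source that owns it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, user, result, ip = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "result": result,
            "ip": ip,
            "source": source,
        })
    return events


def correlate(events, fail_threshold=3, window=timedelta(minutes=10)):
    """Flag a successful login that follows >= fail_threshold failures for the
    same account, across all feeds, within `window`. The alert records which
    feeds the failures came from so the right departments can be involved."""
    events = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)  # user -> [(time, source), ...]
    alerts = []
    for e in events:
        if e["result"] == "FAIL":
            failures[e["user"]].append((e["time"], e["source"]))
            continue
        recent = [(t, s) for t, s in failures[e["user"]] if e["time"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append({
                "user": e["user"],
                "fail_count": len(recent),
                "failed_on": sorted({s for _, s in recent}),
                "succeeded_on": e["source"],
                "time": e["time"].isoformat(),
                "ip": e["ip"],
            })
    return alerts


def run():
    """Correlate both constructed feeds and return the resulting alerts."""
    events = parse_log(VPN_LOG, "vpn") + parse_log(HR_APP_LOG, "hr_app")
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run on the constructed feeds, only `jsmith` is flagged: four failures on the VPN layer followed within three minutes by a success on the HR application. The single failure for `tndlovu` stays under the threshold, and `amolefe` has no failures at all. The threshold and window are the knobs a monitoring team tunes against its own baseline; the design point is that the HR application log alone never sees the failures, so the detection only exists once the two departments' logs are brought together.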

Page 22

Maintaining the strategy

Maintaining the strategy includes continuous monitoring and evaluation of the effectiveness of the implemented programme. This would include evaluating the strategy to determine alignment where there are changes to:
• Business objectives and/or overall enterprise strategy.
• Security profile, or where specific breaches in security or increases in a particular type of security breach occur.
• Weaknesses or gaps identified in current strategy.

[Diagram: Information Assets at the centre, surrounded by four groups of controls]

Control & Monitoring
• Basic admin systems
• Monitoring systems (e.g. IDS)
• Logging and physical protection

Prevention
• IPS
• Anti-malware
• Staff vigilance

Mitigation
• Policies and procedures
• Staff awareness training
• Access controls and strict configurations

Response
• Incident response planning
• Business continuity/disaster recovery planning
• Third party coordination processes

Page 23

Practical guidelines for maintaining strategy

• Know and understand your organisation.
• Define security roles and responsibilities.
• Adopt appropriate policies and procedures.
• Continuous auditing and assessment of process.
• Stay up to date.
• Effective public private partnerships.

Page 24

Conclusion

• Value of information: to organisations and to criminals.
• Critical to preserve the integrity of information, to ensure that it is stored, transmitted and accessed securely.
• Systems designed to manage and secure information must be reliable, aligned to business objectives and in line with the risk management approach of the organisation.
• Achieve Information Assurance through implementation of a Defence in Depth strategy.
• Shift in paradigm: pro-active vs re-active.
• SHARE INFORMATION!

Page 25

Questions?

Thank you!