LEX INFORMATICA CONFERENCE JULY 2009
PREVENTION IS BETTER THAN PROSECUTION:
DEEPENING THE DEFENCE AGAINST CYBER CRIME
Adv Jacqueline Fick
Risk and Compliance Management
PwC Advisory Southern Africa
Contents
• Introduction and Approach
• Information Assurance
• Defence in Depth Strategy
• Conclusion
• Questions
Slide 3, PricewaterhouseCoopers, July 2009
Introduction and Approach
• President in State of the Nation Address specifically referred to an increased effort to combat cyber crime and identity theft
• Increase in cyber crime in both private and public sector
• Criminals want information
• Law enforcement hampered in efforts to catch criminals
• Shift in paradigm:
- Re-active v pro-active
- Prevention is better than Prosecution
- Devoting time and resources to implement strategies that prevent cyber crime
• Information Assurance and Defence in Depth strategy
Information Assurance
• Definition
• Objective of Information Assurance
• Five pillars of Information Assurance
Information Assurance
Definition
• The practice of managing information-related risks (Wikipedia).
• Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities (US DoD).
• Umbrella concept bringing together issues of Information Security and Dependability.
• Includes other corporate governance issues such as privacy, audits, business continuity and disaster recovery.
Information Assurance
Objective
The objective of Information Assurance is to minimise the risk that information systems, and the information stored, transmitted and processed on them, are vulnerable to threats. If an attack does take place, the damage it might cause will be minimised. It also provides a method to recover from an attack as efficiently and effectively as possible.
Information Assurance focuses on:
• Access controls
• Individual Accountability
• Audit trails
Information Assurance
Five pillars of Information Assurance
• Information Security based on CIA triad
• Information Assurance: CIA triad, authenticity and non-repudiation
• NSA: application of five pillars should be based on protect, detect and react paradigm
• Electronic Communications and Transactions Act, No. 25 of 2002
- Incorporates principles of five pillars
- Criminalises attacks
Information Assurance
Five pillars of Information Assurance
Diagram: Information Assurance resting on five pillars: Authenticity, Non-repudiation, Confidentiality, Availability, Integrity.
Information Assurance
Defence in Depth Strategy
• Introduction
• Focus areas
• Core principles
• Implementing strategy
• Layered defence approach
• Maintaining strategy
Definition
Strategy that can be implemented to achieve Information Assurance in today’s highly networked environments (NSA). Also defined as systematic security management of people, processes and technologies in a holistic risk-management approach (TISN):
• “Best practices” strategy in that it relies on the intelligent application of techniques and technologies.
• Based on balancing protection capability and cost, performance and operational considerations.
• Delivers:
- Effective risk-based decisions;
- Enhanced operational effectiveness;
- Reduced overall cost and risk; and
- Improved information security.
Defence in Depth Strategy
Threats
To protect an organisation’s information and information systems against cyber attacks, it is necessary to determine who the enemy is, why they would want to launch an attack and how they would attack the organisation. Threats can be internal and external and can be the result of intentional and unintentional actions.
PEOPLE
- Disgruntled employees
- Financially troubled employees
- Corporate espionage
- Uneducated/uninformed users
TRADING PARTNERS
- Business partners with poor data security
- Physical access to shared systems
- Misunderstanding of allowed access
- Competitive environment
EXTERNAL THREATS
- Hackers
- Organised crime
- Changes in regulatory framework
TECHNOLOGICAL INNOVATION
- Faster networks
- More storage in smaller devices
- Technological convergence
- Increasingly mobile workforce
Defence in Depth Strategy
Focus areas
Achieving Information Assurance requires a balanced focus on:
• People
• Processes
• Technology
• Governance
Diagram: Defence in Depth Strategy, with Information Assurance at the centre of People, Processes/Operations, Technology and Governance.
Defence in Depth Strategy
Focus areas (continued)
Technology
• Refers to solutions that organisations employ that enable them to achieve and sustain their business objectives. Key focus areas for implementing a Defence in Depth strategy:
- Management of network architecture
- Infrastructure management
- Application security
- Communications management
• Important to ensure that the procurement policy is aligned to the overall Defence in Depth strategy: the right technology is procured in accordance with overall business objectives.
Defence in Depth Strategy
Core principles
TISN defines the core principles as follows:
• Implementing measures according to business risks.
• Using a layered approach.
• Implementing controls to increase the effort needed to attack and breach the system.
• Implementing personnel, procedural and technical controls.
Defence in Depth Strategy
Focus areas (continued)
People
• Refers to the security roles and responsibilities for internal and external persons.
• Important to define, maintain and enforce security roles and responsibilities for employees, contractors or business partners.
• User awareness (both internal and external people).
Defence in Depth Strategy
Focus areas (continued)
Processes (or Operations)
• Refer to standardised actions which are used to ensure that the organisation’s position on security is sustained.
• Organisations must define, maintain and enforce standardised actions/processes which are used to develop and sustain their position on security.
• Key focus areas would typically include:
- Identity and user-access management
- Incident response management
- Disaster recovery management
- Audit management
Defence in Depth Strategy
Focus areas (continued)
Governance
• Refers to the oversight and coordination of technology, people and processes provided in terms of a management framework and begins with commitment from senior management level. This is followed by:
- Integration and alignment to overall strategy;
- alignment and incorporation into business objectives and goals;
- drafting and implementing appropriate policies; and
- deriving procedures from it.
• Key focus areas for implementation include:
- Risk management.
- Information security and policy.
- Compliance Management.
Defence in Depth Strategy
Implementing the strategy
• Requires a shift in paradigm: IT security/Information Assurance cannot be viewed as stand-alone issues, but must become part of business planning, overall strategy, governance and operations.
• Reasons for implementing strategy:
- Expanding organisational boundaries.
- Mobile workforce.
- Decentralisation of services.
- Increasing value of information.
Defence in Depth Strategy
Implementing the strategy (continued)
Steps
• Analysis of internal and external environment.
• Determining the risks.
• Implementation of strategy.
• Maintenance, monitoring and review.
Defence in Depth Strategy
Layered Defence Approach as part of Defence in Depth Strategy
The most effective way to secure information within modern day parameters would be through implementing different layers of control as part of Defence in Depth strategy (Murali 2007). Controls include both technical and process control mechanisms.
Diagram: concentric layers of control around INFORMATION: Physical Security, OS Security, Network Security, Database Security, Application Security, User Security.
Defence in Depth Strategy
Layered Defence Approach (continued)
An organisation must deploy multiple defence mechanisms between the attacker and the target. This must increase the difficulty of successfully penetrating the network, thereby reducing risk, but also increase the chances of detecting the intruder:
• Must identify users of a system, e.g. through passwords and usernames.
• Must be able to provide mechanisms to effectively and efficiently recover from damage after an attack.
• Must provide intelligence and correlate information between various departments in a business with the aim of preventing future attacks.
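To make the correlation point concrete, here is an added example (not from the presentation) that replays constructed events from three of the layers on the slides, physical security, OS security and network security, and raises findings that none of those departments' logs would show on its own; the event format, user names and addresses are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the presentation) from three slide layers:
# physical security (badge readers), OS security (auth log), network security (IDS).
# Tuple layout: (timestamp, layer, subject, detail); subject is a user for the
# physical and OS layers and a host address for the network layer.
EVENTS = [
    ("2009-07-01 08:02:00", "physical", "alice", "badge-in"),
    ("2009-07-01 08:10:00", "os", "alice", "login ok from 10.0.0.12"),
    ("2009-07-01 17:30:00", "physical", "alice", "badge-out"),
    ("2009-07-01 22:15:00", "os", "alice", "login ok from 10.0.0.12"),
    ("2009-07-01 22:16:00", "network", "10.0.0.12", "port scan alert"),
    ("2009-07-01 08:55:00", "physical", "bob", "badge-in"),
    ("2009-07-01 09:00:00", "os", "bob", "login ok from 10.0.0.20"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def on_site(user, when, events):
    """Replay the badge records for `user` up to `when`; True if the last
    physical-layer record before that moment was a badge-in."""
    present = False
    for ts, layer, subject, detail in sorted(events, key=lambda e: e[0]):
        if layer != "physical" or subject != user:
            continue
        if parse(ts) > when:
            break
        present = detail == "badge-in"
    return present

def correlate(events, window=timedelta(minutes=5)):
    """Cross-layer checks that no single department's log would reveal: an OS
    login while the badge system says the user is off site, and an OS login
    whose source host raises an IDS alert within `window` afterwards."""
    findings = []
    for ts, layer, subject, detail in events:
        if layer != "os" or "login ok" not in detail:
            continue
        when, host = parse(ts), detail.split("from ")[1]
        if not on_site(subject, when, events):
            findings.append(("login-without-badge", subject, ts))
        for ts2, layer2, subject2, _ in events:
            if (layer2 == "network" and subject2 == host
                    and when <= parse(ts2) <= when + window):
                findings.append(("login-then-ids-alert", subject, ts2))
    return sorted(findings)
```

Running `correlate(EVENTS)` flags only alice's late-evening login: the badge system says she had left the building, and her workstation raised an IDS alert a minute later, while bob's ordinary morning login produces nothing.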
Defence in Depth Strategy
Maintaining the strategy
Maintaining the strategy includes continuous monitoring and evaluation of the effectiveness of the implemented program. This would include evaluating the strategy to determine alignment where there are changes to:
• Business objectives and/or overall enterprise strategy.
• The security profile, or where specific breaches in security or an increase in a particular type of security breach occur.
• Weaknesses or gaps identified in the current strategy.
Diagram: Information Assets surrounded by four groups of controls:
Control & Monitoring
- Basic admin systems
- Monitoring systems (e.g. IDS)
- Logging and physical protection
Prevention
- IPS
- Anti-malware
- Staff vigilance
Mitigation
- Policies and procedures
- Staff awareness training
- Access controls and strict configurations
Response
- Incident response planning
- Business continuity/disaster recovery planning
- Third party coordination processes
Defence in Depth Strategy
Practical guidelines for maintaining strategy
• Know and understand your organisation.
• Define security roles and responsibilities.
• Adopt appropriate policies and procedures.
• Continuous auditing and assessment of process.
• Stay up to date.
• Effective public private partnerships.
Defence in Depth Strategy
Conclusion
• Value of information: organisations and the criminals
• Critical to preserve the integrity of information, to ensure that it is stored, transmitted and accessed securely.
• Systems designed to manage and secure information must be reliable, aligned to business objectives and in line with the risk management approach of the organisation.
• Achieve Information Assurance through implementation of Defence in Depth strategy.
• Shift in paradigm: pro-active vs re-active.
• SHARE INFORMATION!
Questions?
Thank you!