It’s not ITs problem
Shiva Bissessar, BSc (Hons), MBA, MSc Managing & Technical Director Pinaka Technology Solutions +868 678 5078 [email protected]
21st Jan 2015
Assisting Organizations With Their Strategic ICT & Information Security Needs
• Continue work on examining opportunity and risks of Digital Currency in Caribbean
• Partnering with vendors to provide: Software Development / Code QA
(efficiency, security) Appliances for Network Forensics
What’s Pinaka doing in 2015?
Agenda
• Case Study • Incident • Analysis • Solution
• InfoSec Workshops (i) Governance (ii) Awareness
“The Most Devastating Corporate Cyber Attack Ever!”
INCIDENT
http://www.wired.com/2014/12/sony-hack-what-we-know/
Breach: Confidentiality & Availability Compromised
• Guardian of Peace screens • Data erased (entire servers + computing services) • Data taken (10s - 100s TB over 1 year* ) including:
o Employee’s Personal Data SSN, ID, Passport, credit card & bank info, usernames, passwords, health info
o Intellectual Property o Screeners, forthcoming films, scripts
o Corporate data including E-mails (100,000s docs) • Data released to public • Threats of worse things to come (ransom)
*Purported GOP member
As The Story Develops…
• Scrambling to continue daily operations o Phones, e-mail, computer services down o Improvise with cellphones, Gmail and notepads o Cut paychecks manually o Resort to old BB phones
• Shutdown everything; re –architect; secure • Reputation loss
o Employees felt vulnerable which leads to lawsuits • Significant changes to film release strategy • Threats of lawsuits to media outlets redistributing
data • Attribution
ANALYSIS
http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html?_r=2 http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/
New York Times, 18th Jan’15
• NSA saw “spear phishing” attacks on Sony in early September.
• In retrospect investigators determined that the North had stolen the “credentials” of a Sony systems administrator
• This allowed the hackers to roam freely inside Sony’s systems.
“Why Sony Didn't Learn From Its 2011 Hack”, 24th Dec’14
• The company has long had a reputation for operating in silos. SPE was most isolated
• “…their CIO should have implemented corporate-wide protection measures and beefed up info-sec training for employees that would be standardized across the organization,”
SOLUTION
Information Security Workshops
Strategic Information Security Governance
End User Information Security Awareness
ORGANIZATION
Understanding importance of Organizational Info Sec Governance Strategy in the context of proposed cybercrime bill and global threat outlook
Sensitization of end users of Information Security threats with emphasis on Social Engineering
PAST
CLI
ENTS
PART I – Information Security Governance • Importance of Information Security • Local & Regional Threats • Types of Attackers & Motivations • Consequences of Attacks • Why Info Sec Governance Required
• “Due Diligence” • Securing People & Process • Risk Management • Info Sec Policies • Audit & Info Sec Mgmt. • Org Structure & Behaviours • “Illegal Devices” &“Remote Forensic Tools”
PART II – Global, Regional & Local Picture • Threats & Vulnerabilities • Phishing, Spoofing, Vishing, Water Holing,
Ransomware, Skimming • Reports & Stats • Local & Regional National Cyber Security Efforts • TARGET 2013 Breach Analysis • Controls
Strategic Information Security Governance
Target Audience
• IT Executive/Senior Management
• IT Management & Professionals
• Risk Management • Internal Audit • HR Professionals • Legal Officers
PART I – Information Security 101
• Importance of Information Security
• Local & Regional Context
• Why Are There Growing Threats
• Types of Attackers & Motivations
• Consequences of Attacks
• Web Security Essentials
• Threat & Vulnerabilities
PART II - Social Engineering
• Users’ Security Appetite
• Attack Scenario Analysis
• Phishing, Spoofing, Vishing, Water Holing, Ransomware, Skimming
• Resources
End User Information Security Awareness
Target Audience • Executives • Executive Secretaries • Finance & Legal staff • Asset Management group • Any personnel who handle:
• Sensitive information • Large financial transactions • Customer account
verification
• Location: Clients’ facilities
• Duration: 3-4 hours (per workshop)
• Participant: 10-12 persons (per workshop)
• Cost: Please get in contact for details
• ‘Train the Trainer’ certified deliveries with use of appropriate training aides and method to reinforce learning during these sessions.
• Flip chart/whiteboard, handouts, videos and questions are used in both workshops
• Customizable options available upon request e.g based on client industry, number of participants etc.
Workshop Details
Don’t wait for an incident to occur, get in contact now…
Shiva Bissessar, BSc (Hons), MBA, MSc
Managing & Technical Director
Shiva Bissessar, BSc (Hons), MBA, MSc Managing & Technical Director Pinaka Technology Solutions +868 678 5078 [email protected]