The evolving threats and the challenges of the modern CISO
Gerasimos Moschonas, Information Security Professional
2nd Forward Thinking Cyber Security Event
(ISC)² Hellenic Chapter, March 2017
Information Security Topics
Big Data
Internet of Things
Cyber Crime & Attacks
Social Engineering
Mobility
Regulatory Framework
World keeps changing
From centralised legacy systems (on premises) to decentralised, interconnected systems (on and off premises):
Outsourcing of services
Cloud computing
IoT
Enterprises become more and more digital, and a serious target for cyber criminals
Attacks and attackers become smarter, more aggressive and more professional
Threats are evolving and cyber security is a top priority
Incidents keep growing
Massive DDoS attack against the major DNS provider Dyn affected a huge portion of Internet users in the US, taking down access to major web services, including Twitter, Amazon, Netflix and PayPal
SWIFT cyber heists (starting with the Bangladesh Bank heist)
Yahoo had been hacked ... again and ... again
Hospitals, state and local governments, law enforcement agencies, small and large businesses: these are just some of the entities recently hit by ransomware
A spam email operator's faulty backup leaked 1.37bn addresses
WikiLeaks Vault 7: CIA hacking tools revealed
CISO’s role keeps evolving
From the role of the IT security administrator and the IT Security Officer inside the IT unit to the independent role of the CISO, who:
Is a decision maker and an influencer
Has overall responsibility for Information Security Governance, reporting to Senior Management
Is both business-oriented and technology-oriented, speaking the language of the business as well as that of technology. Understands the business environment and acts as an integrator of people, business processes and technology
"Translates" information security risks into business risks
Is always aware of the evolving threats, the technology trends and the regulatory framework
Big Data
The amount of data is increasing daily
Data at rest and in transit, inside and outside the perimeter
But do you know:
Where your data is located?
How your data is used and exchanged?
Who has access, and for what reason?
The retention period, and how the data is destroyed?
Whether cloud services are being used?
Use of cloud services for cost reduction raises several matters to evaluate:
Data privacy and compliance
Lack of governance
Appropriate security controls
Contractual terms (e.g. Right to Audit)
Employees & Partners 1/2
Big Data
Restrict the user environment (USB media, admin rights)
Use DLP measures for data in transit (at the endpoints and at the perimeter)
Enforce Identity & Access Management (staff, partners)
Use encryption and segregation of duties
Apply a retention and destruction policy for both electronic and physical data
For cloud services:
Identify and evaluate the assets
Perform a risk-based assessment
Define the minimum security controls
Be compliant with data privacy regulations
Employees & Partners 2/2
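The DLP measure for data in transit mentioned above is the kind of control a practitioner would want to see in working form. The following is an added example, not code from the presentation or its author: a minimal outbound-mail inspector that looks for payment card numbers, filters false positives with the Luhn checksum, and decides to allow, log or block depending on whether the recipient is outside the corporate domain. The corporate domain `corp.example`, the helper names and all four sample messages are constructed for the example.

```python
import re

CORP_DOMAIN = "corp.example"  # assumed corporate mail domain (example value)

# Constructed outbound messages (sender, recipient, body); not real traffic.
SAMPLE_MESSAGES = [
    ("alice@corp.example", "partner@vendor.example",
     "Hi, the card used for the booking was 4111 1111 1111 1111, please refund it."),
    ("bob@corp.example", "bob.personal@webmail.example",
     "Ticket ref 1234567812345678 - call me about it tomorrow."),
    ("carol@corp.example", "dave@corp.example",
     "Card 4111-1111-1111-1111 charged back, see ticket 42."),
    ("erin@corp.example", "friend@webmail.example",
     "Lunch at 12:30?"),
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: drops most random digit runs (ticket numbers, IDs) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only BIN and last four digits so the alert itself does not leak the card number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != CORP_DOMAIN


def inspect_message(sender: str, recipient: str, body: str):
    """Policy: card data may move internally (logged), never to an external recipient (blocked)."""
    pans = find_pans(body)
    if not pans:
        return "ALLOW", []
    if is_external(recipient):
        return "BLOCK", pans
    return "LOG", pans


def run_sample():
    """Return (recipient, verdict, masked PANs) for every constructed message."""
    return [(r,) + inspect_message(s, r, b) for s, r, b in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for recipient, verdict, pans in run_sample():
        print(verdict, recipient, pans)
```

The Luhn step is what keeps the control usable: the second message carries a sixteen-digit ticket reference that a bare regex would block, and the same check is the first thing a real DLP engine applies before a PAN rule fires.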
Internet of Things
More than 24 billion IoT devices were forecast to be installed worldwide by 2020
These "things" don't "look" like traditional computers and aren't treated like computers
Usually no adequate security measures are taken
They could be used as part of a botnet or as an entry point into a home or corporate network
The IoT botnet 'Mirai' targeted vulnerable 'smart' IoT devices, turning them into bots used for DDoS
Implement strong authentication
Ensure the identity of each device
Apply device-to-device secure communication
Minimise the data exchanged, processed and stored
Secure the data stored on the devices
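"Ensure the identity of each device" is the point Mirai exploited: devices that share one factory credential cannot be told apart, and a credential captured from one of them works on all of them. As an added illustration (not code from the presentation), the block below gives every device its own secret at enrolment and authenticates it to a gateway with a nonce-based HMAC challenge-response, so a replayed response, a cloned device carrying another device's key, and an unenrolled device are all rejected. The `Gateway`/`Device` classes, the device ids and the use of a symmetric key are assumptions of this example; in production the same property is usually obtained with a per-device X.509 certificate and mutual TLS, with the private key held in a secure element.

```python
import hashlib
import hmac
import os


class Gateway:
    """Verifier side: one secret per enrolled device and one-time challenge nonces."""

    def __init__(self):
        self._keys = {}      # device_id -> 32-byte secret, unique per device
        self._pending = {}   # nonce -> device_id it was issued to; consumed on first use

    def enroll(self, device_id: str) -> bytes:
        key = os.urandom(32)          # generated per device, never a shared factory default
        self._keys[device_id] = key
        return key                    # handed over once, at provisioning time

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[nonce] = device_id
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        key = self._keys.get(device_id)
        issued_to = self._pending.pop(nonce, None)   # a nonce is usable exactly once
        if key is None or issued_to != device_id:
            return False              # unknown device, or nonce never issued / already used
        expected = hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Device:
    """Prover side: answers a challenge with HMAC(key, id || nonce)."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, self.device_id.encode() + nonce, hashlib.sha256).digest()


def authenticate(gw: Gateway, device: Device) -> bool:
    """One full exchange: gateway issues a nonce, device answers, gateway checks."""
    nonce = gw.challenge(device.device_id)
    return gw.verify(device.device_id, nonce, device.respond(nonce))


def demo() -> dict:
    """Run the genuine, replay, cloned-key and unknown-device scenarios and report each outcome."""
    gw = Gateway()
    cam = Device("cam-001", gw.enroll("cam-001"))
    lock = Device("lock-002", gw.enroll("lock-002"))
    results = {}

    results["genuine"] = authenticate(gw, cam)

    # Replay: an attacker who sniffed a valid (nonce, response) pair tries to reuse it.
    nonce = gw.challenge(cam.device_id)
    response = cam.respond(nonce)
    results["first_use"] = gw.verify(cam.device_id, nonce, response)
    results["replay"] = gw.verify(cam.device_id, nonce, response)

    # Clone: a device claiming cam-001's identity but carrying lock-002's key
    # (this is exactly what a shared default credential would have allowed).
    results["cloned_key"] = authenticate(gw, Device("cam-001", lock._key))

    # A device that was never enrolled.
    results["unknown"] = authenticate(gw, Device("cam-999", os.urandom(32)))
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:12s} -> {'accepted' if ok else 'rejected'}")
```

The nonce bookkeeping is what defeats replay, and binding the device id into the MAC is what stops a valid response for one id being presented under another; both checks run before the MAC comparison so a forged response never reaches the slow path.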
Cyber Crime & Attacks 1/4
Cyber Crime & Attacks 2/4
Attacks become more aggressive and intelligent:
Crime as a Service
Distributed Denial of Service (DDoS)
Advanced Persistent Threats (APTs)
0-day attacks (malware unknown to traditional controls)
The era of ransomware: ransomware attacks against businesses increased threefold in 2016; Kaspersky Lab recorded one ransomware attack every 40 seconds against companies in September 2016
ATM attacks (malware, black box)
Source: Akamai report, Q4 2016
Cyber Crime & Attacks 3/4
Bypassing the perimeter, e.g. malware spread via a USB stick or a laptop connected to a workstation or to the network
Do you really know if someone or "something" malicious is already inside your network?
How do you monitor internal behaviour so that you get alerts for any abnormal activity?
What constitutes normal and abnormal activity?
Preventing known threats is not enough: detect and prepare for the unknown
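The two questions above (how do you alert on abnormal internal activity, and what is "normal" in the first place) have a concrete answer: learn a per-user baseline from a quiet window of logs and alert when a new event departs from it in several dimensions at once. The block below is an added example, not the presenter's material. It builds profiles (source hosts, destination hosts, hours of the day) from constructed key=value authentication events, then scores new events; an account with no baseline at all is alerted regardless, since a dormant or freshly created account being used is itself worth a look. The log format, host names and the threshold of two deviations are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication events in a syslog-like key=value form; not from any real system.
BASELINE = [
    "2017-03-01T08:12:03 user=alice src=10.1.4.20 dst=fileserver action=login",
    "2017-03-01T09:40:11 user=alice src=10.1.4.20 dst=mail action=login",
    "2017-03-02T10:02:45 user=alice src=10.1.4.20 dst=fileserver action=login",
    "2017-03-02T14:30:09 user=alice src=10.1.4.20 dst=intranet action=login",
    "2017-03-03T17:05:50 user=alice src=10.1.4.20 dst=mail action=login",
    "2017-03-01T09:01:00 user=bob src=10.1.4.31 dst=crm action=login",
    "2017-03-02T13:15:27 user=bob src=10.1.4.31 dst=crm action=login",
    "2017-03-03T09:20:19 user=bob src=10.1.4.31 dst=mail action=login",
]

NEW_EVENTS = [
    "2017-03-10T09:15:00 user=alice src=10.1.4.20 dst=fileserver action=login",  # normal
    "2017-03-11T02:40:00 user=alice src=10.1.9.77 dst=dc01 action=login",        # new src, new dst, 02:00
    "2017-03-11T13:05:00 user=bob src=10.1.4.31 dst=fileserver action=login",    # one new destination
    "2017-03-11T13:06:00 user=svc_backup src=10.1.4.31 dst=dc01 action=login",   # account with no baseline
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)"
)


def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable event: " + line)
    event = m.groupdict()
    event["hour"] = datetime.fromisoformat(event["ts"]).hour
    return event


def build_profiles(lines):
    """'Normal' for a user = the sources, destinations and hours seen in the baseline window."""
    profiles = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for line in lines:
        e = parse(line)
        p = profiles[e["user"]]
        p["src"].add(e["src"])
        p["dst"].add(e["dst"])
        p["hours"].add(e["hour"])
    return profiles


def deviations(profiles, event: dict) -> list:
    """List every way this event departs from the user's baseline."""
    p = profiles.get(event["user"])
    if p is None:
        return ["no baseline for user (new or dormant account)"]
    reasons = []
    if event["src"] not in p["src"]:
        reasons.append("new source " + event["src"])
    if event["dst"] not in p["dst"]:
        reasons.append("new destination " + event["dst"])
    if event["hour"] not in p["hours"]:
        reasons.append("unusual hour %02d:00" % event["hour"])
    return reasons


def detect(baseline, events, threshold: int = 2) -> list:
    """Alert on unknown accounts, or on events with at least `threshold` deviations."""
    profiles = build_profiles(baseline)
    alerts = []
    for line in events:
        e = parse(line)
        reasons = deviations(profiles, e)
        if e["user"] not in profiles or len(reasons) >= threshold:
            alerts.append((e["ts"], e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in detect(BASELINE, NEW_EVENTS):
        print(f"ALERT {ts} {user}: {'; '.join(reasons)}")
```

Requiring two independent deviations keeps a single new file share from paging anyone, while a login from a new host to a domain controller at 02:40 still surfaces; the baseline window should be one you trust to be clean, otherwise an attacker already inside becomes part of "normal".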
Cyber Crime & Attacks 4/4
Threat intelligence for monitoring both incoming traffic (web & email) and the corporate network, detecting any malicious activity that points to viable threats
Implement centralised Advanced Threat Protection technologies that simulate the behaviour of malicious/suspicious traffic (sandboxing)
Implement multi-layered protection for the endpoints (reputation analysis, advanced machine learning, behaviour emulation, memory exploit mitigation)
Sign a cyber insurance contract
Train the incident response team to react accordingly
Social Engineering
Methods of manipulating or tricking people into disclosing confidential information, breaking the security procedures:
CEO fraud
Spear phishing (targeting companies or groups of people) via email, SMS or voice
Social media masquerade, fake apps/sites: fraudsters can masquerade as your brand across your digital channels and bait your customers with scams, phishing and offers for counterfeit products and services (e.g. the Sony Twitter account was hacked)
Educate and train the personnel (and the clients)
Security awareness program - Metrics
Protect your Brand – Internet monitoring
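Awareness training is the people-side control for CEO fraud and spear phishing; the mail gateway can catch the same patterns before the message reaches anyone. As an added example (not part of the presentation), the block below triages a raw message on the three signals a CEO-fraud message usually carries: an executive's display name on an address outside the corporate domain, a sender or Reply-To domain that looks like the corporate one but is not, and payment or urgency language in the body. The corporate domain `acme-bank.example`, the executive name `Jane Doe`, the keyword list and the three sample messages are constructed for the example; the lookalike test is a plain edit-distance check, which is a simplification of what brand-monitoring tooling does.

```python
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "acme-bank.example"               # assumed corporate domain (example value)
CORP_LABEL = CORP_DOMAIN.split(".")[0]          # "acme-bank", the part fraudsters reuse
EXECUTIVES = {"jane doe"}                       # hypothetical display names worth protecting
PAYMENT_WORDS = ("urgent", "wire transfer", "invoice", "gift card", "confidential")

# Constructed messages; none of these addresses or people are real.
LEGIT = """From: Jane Doe <j.doe@acme-bank.example>
To: finance@acme-bank.example
Subject: Board pack

Attached is the agenda for Thursday.
"""

CEO_FRAUD = """From: Jane Doe <jane.doe.ceo@webmail.example>
To: finance@acme-bank.example
Subject: Quick favour

I am in a meeting, need an urgent wire transfer to a new supplier today. Keep it confidential.
"""

LOOKALIKE = """From: Jane Doe <j.doe@acrne-bank.example>
Reply-To: payments@acrne-bank-secure.example
To: finance@acme-bank.example
Subject: Invoice

Please process the attached invoice before end of day.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; two or fewer edits from the corporate domain is treated as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str) -> bool:
    """Near-miss spelling (acrne-bank) or the corporate label embedded in a longer name (acme-bank-secure)."""
    if domain == CORP_DOMAIN:
        return False
    return levenshtein(domain, CORP_DOMAIN) <= 2 or CORP_LABEL in domain


def triage(raw: str):
    """Return (verdict, reasons) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    from_domain = domain_of(addr)
    reasons = []

    if from_domain != CORP_DOMAIN:
        if name.strip().lower() in EXECUTIVES:
            reasons.append("executive display name on external address " + addr)
        if is_lookalike(from_domain):
            reasons.append("lookalike sender domain " + from_domain)

    if msg["Reply-To"]:
        reply_domain = domain_of(parseaddr(str(msg["Reply-To"]))[1])
        if reply_domain != from_domain:
            reasons.append("Reply-To domain %s differs from From domain" % reply_domain)

    body = msg.get_content().lower()
    hits = [w for w in PAYMENT_WORDS if w in body]
    if hits:
        reasons.append("payment/urgency language: " + ", ".join(hits))

    verdict = "quarantine" if len(reasons) >= 2 else ("flag" if reasons else "deliver")
    return verdict, reasons


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("ceo fraud", CEO_FRAUD), ("lookalike", LOOKALIKE)):
        verdict, reasons = triage(raw)
        print(f"{label:10s} -> {verdict}: {reasons}")
```

Display-name matching is deliberately limited to messages from outside the corporate domain, because internal mail from the real executive must keep flowing; the same executive list also tells you which names to watch for on social media when monitoring the brand.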
Mobility 1/2
Mobile apps
m-wallets, m-banking, …
Contactless and NFC payments
Abuse of privacy: what does the app have access to?
Mixing of personal and corporate data on the device
Remote working for troubleshooting
Remote access to corporate resources
Emails, intranet sites, document sharing
Data stored in the cloud (e.g. iCloud)
"Rooted" / "jailbroken" operating systems override the security controls of the mobile device
Mobility 2/2
Privacy by design
Application security assessment
BYOD policy – Mobile Device Management
Security policy (password, idle timeout), encryption
Check for "rooted" devices / remote wipe
Malware protection
WiFi and Bluetooth not always on
Secure remote access procedure
Guest WiFi LAN not connected to the corporate network
Control each device connected to the corporate network
Regulatory Framework
Information security becomes more and more regulated:
General Data Protection Regulation (GDPR)
The Directive on security of network and information systems (NIS Directive)
The EU Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation)
The 2nd Payment Services Directive (PSD2)
Be ahead of the regulatory requirements – act proactively
Inform the enterprise of the new obligations – act to be compliant in time
The challenges of the CISO 1/2
Build an understandable and robust (cyber) security strategy
Align security strategy to business strategy, supporting the business success
Engage the Board. “Translate” information security risks to business risks
Reduce information security risks to an acceptable level. Adopt appropriate security measures and procedures
The challenges of the CISO 2/2
Protect the business brand and keep customers' & shareholders' confidence high
Be ahead of the Regulatory Requirements – Act proactively
Be prepared for an incident – Assume you’ll be compromised
Educate the personnel – Raise awareness
The role of the CISO
Managing information security risks while delivering value to the digital enterprise
The role of the CISO is more vital than ever