
Cybersecurity

Management
Webinar 1
Effective and Efficient Cybersecurity
Jeremy Koster

1
Mentor Introduction

• Jeremy Koster
• 20 years in IT
• Over 10 Years in Information Security
• Qualifications
• Experience
• Lecturing for IT Masters and CSU for 4 years
2
Housekeeping

• Webinars
– GoToWebinar
– Wednesday 8:30pm AEST
• The Forum
– Lively discussions are encouraged
– Weekly homework
– Weekly discussion questions
• The Exam
– 40 multiple choice questions
• Enquiries and questions
– Course topics – Mentor
– Everything else – Student Administration

3
Related Certifications

• ISACA Certified Information Security Manager – CISM
– De-facto standard for Cybersecurity Management
– Security Governance, Risk Management and Security Program
– Exam focuses on decision makers and business goals
• ISC2 Information Systems Security Management Professional – ISSMP
– Builds on the CISSP
– 5 domains
– Similar to the CISM
• GIAC Security Leadership – GSLC
– Broad overview of technology and weaknesses
– Addresses a good range of standard management topics as well

4
The Cybersecurity Manager

• Good technical understanding
– IT and/or networking background
– Staying abreast of technology and industry developments
• Disciplined and creative
– Persists with mundane and routine tasks
– Accurately identifies future threats
– Follows up
• Provides advice
– Where guidance is sought
– Where a gap is identified
• A communicator
– Excellent verbal and written communication skills
– Understands how to talk to the business

5
The Enterprise Landscape

• A corporate environment that is increasingly connected
• Executives who don’t have time for technical explanations
• Board members who demand results
• Staff who are susceptible to malicious attacks
• Technology that is increasing in depth and diversity
• Software that is constantly vulnerable

6
What is at Stake?

• Brand and reputation
• Loss of revenue and customers
• Increased scrutiny
• Fines and penalties
• Personal cost for the team
• Professional cost for the Cybersecurity Manager

7
The Threat Landscape
• International exposure
• Anonymity
• Automation and weaponisation
• Commoditisation of cybercrime actors
– Developers
– Hackers
– Mules
– Botnets and zombies
– Organisers

8
The Attackers

• Internal
– Disgruntled employees, drugs, gambling and fraud
– Accidental and inadvertent
• External
– Funded criminals
– State sponsored agents
– Activists
– Bored teens

9
Breaches in the News

• February 2013 – KRTV – Great Falls, Montana
– Emergency alert system hacked
– “Dead bodies are rising from their graves”
• August 2013 – Adobe
– 3 million (38 million really!) customer records
– Malware analysis, breadcrumbs
– Password resets
• December 2013 – Target Corp
– 110 million customer records
– Malware on POS terminals
– Phishing through a partner’s environment?
• May 2014 – eBay
– 145 million customer details
– Small number of employee log-in credentials
– Password resets
• October 2015 – David Jones and Kmart

10
Information Security Terms

• Threat – actions or events that have the potential to negatively impact assets
• Vulnerability – a weakness in a system or asset of value
• Exploit – a method of making use of a weakness to gain access to an asset
• Risk assessment, determination and management
• Residual risk – the risk that remains after the chosen controls have been applied

11
Information Security Risk

• Risk = Likelihood x Impact
• Likelihood – the probability of an event occurring
• Impact – the amount of damage an event would incur

12
The CIA Objectives

• Confidentiality – prevent unauthorised disclosure
• Integrity – prevent unauthorised or improper changes
• Availability – prevent disruption to service quality

13
Communication is Key

• Communicating with the executive team
– Concise and accurate summaries
– Writing quality
– Enterprise needs
• Organisational awareness
• Education
• Managing sideways and down
14
Trust is Paramount

• The most valuable currency
• Be customer focussed
• Staff don’t need to consult security
• No, no… I told you so
• Don’t just follow best practice
• Identify a plausible risk
• Trust, vision, relationship
• No FUD
15
Threat Scenarios

1. Actor
– Bad guy, good guy
– External, internal
– Incidental, malicious
2. Negative impact
– Expose
– Unauthorised access
– Loss of service
– Loss of data
3. Asset
– Confidential information
– Privileged function or business functionality
16
Threat Scenarios - Examples

• Vulnerability – For convenience, staff are storing corporate credit cards on pastebin.
• Threat Scenario – An external attacker may gain unauthorised access to the list of corporate credit card numbers.

• Vulnerability – Big “delete all” button right next to the “update record” button in the customer relationship manager application.
• Threat Scenario – A staff member may accidentally delete the full customer database.
17
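The following is an added worked example, not part of the webinar deck. It puts the slides on Risk = Likelihood x Impact, residual risk and the three threat scenario components (actor, negative impact, asset) into one small risk register, scored with the deck's two scenarios. The 1–5 ordinal scales, the rating bands, and the likelihood, impact and control values attached to each scenario are assumptions made for this illustration; the deck itself gives only the formula and the scenario wording.

```python
"""Added example (not from the webinar deck): scoring threat scenarios.

Implements Risk = Likelihood x Impact on ordinal scales, records the three
components of a threat scenario (actor, negative impact, asset) and shows how
controls reduce inherent risk to residual risk. The scales, the rating bands
and the control effects are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# Assumed 1-5 ordinal scales; the deck gives only the formula.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class ThreatScenario:
    actor: str              # who: external/internal, incidental/malicious
    negative_impact: str    # what: expose, unauthorised access, loss of service/data
    asset: str              # to what: confidential information or privileged function
    likelihood: str
    impact: str
    vulnerability: str = ""
    # Controls as (name, likelihood_reduction, impact_reduction) on the ordinal scales.
    controls: list = field(default_factory=list)

    def statement(self) -> str:
        """Render the scenario in the deck's 'actor may impact asset' form."""
        return f"{self.actor} may {self.negative_impact} {self.asset}."


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = Likelihood x Impact on the ordinal scales above."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(score: int) -> str:
    """Band a 1-25 score; the thresholds are an assumption of this example."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def inherent_risk(s: ThreatScenario) -> int:
    return risk_score(s.likelihood, s.impact)


def residual_risk(s: ThreatScenario) -> int:
    """Risk remaining after controls; each ordinal is floored at 1, so it never reaches 0."""
    lik, imp = LIKELIHOOD[s.likelihood], IMPACT[s.impact]
    for _name, d_lik, d_imp in s.controls:
        lik = max(1, lik - d_lik)
        imp = max(1, imp - d_imp)
    return lik * imp


def risk_register(scenarios) -> list:
    """Score every scenario and sort so the highest residual risk is handled first."""
    rows = []
    for s in scenarios:
        inh, res = inherent_risk(s), residual_risk(s)
        rows.append({
            "scenario": s.statement(),
            "asset": s.asset,
            "inherent": inh, "inherent_rating": rating(inh),
            "residual": res, "residual_rating": rating(res),
        })
    rows.sort(key=lambda r: (-r["residual"], -r["inherent"]))
    return rows


def example_scenarios() -> list:
    """The deck's two scenarios; likelihood, impact and controls are assumed here."""
    return [
        ThreatScenario(
            actor="An external attacker",
            negative_impact="gain unauthorised access to",
            asset="the list of corporate credit card numbers",
            likelihood="likely", impact="major",
            vulnerability="Staff store corporate credit cards on pastebin for convenience",
            controls=[("Remove the pastes; hold card data only in an approved vault", 3, 0)],
        ),
        ThreatScenario(
            actor="A staff member",
            negative_impact="accidentally delete",
            asset="the full customer database",
            likelihood="possible", impact="severe",
            vulnerability='"Delete all" button next to "update record" in the CRM',
            controls=[("Confirmation step and role restriction on bulk delete", 1, 0),
                      ("Tested, restorable backups", 0, 2)],
        ),
    ]


if __name__ == "__main__":
    for row in risk_register(example_scenarios()):
        print(f"{row['inherent']:>2} {row['inherent_rating']:<8} -> "
              f"{row['residual']:>2} {row['residual_rating']:<8} {row['scenario']}")
```

Both scenarios score Critical before controls (16 and 15). The pastebin scenario drops to Low once the data is removed, because the control removes the exposure itself; the CRM scenario only reaches Medium, because neither a confirmation step nor backups can make an accidental deletion impossible. That gap between inherent and residual risk is what a manager reports to the business, and the residual figure, not the inherent one, is what the business is asked to accept.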
Policies and Standards

• Policies are for People
– Policy derives from the Greek politeia – the affairs of the citizens
– High level statements describing acceptable behaviour
– Examples
• Information Security Policy
• Information Classification Policy
• Acceptable Use Policy

• Standards are for Systems
– Subject specific
– Specific statements describing how systems are to be configured
– Non-vendor specific
– Examples
• Network Security Standard
• Encryption Standard
18
Baselines and Plans

• Baseline
– Technology and vendor specific
– Technical configuration to maintain security
– Examples
• RHEL build standard
• Windows 10 secure build configuration

• Plans
– What to do when a specific issue occurs
– Contains responsibilities and contacts
– Examples:
• Incident response plan
• Business continuity plan
19
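The following is an added example, not part of the webinar deck, showing how a vendor-neutral standard statement becomes a technology-specific baseline and how that baseline is then checked. The standard statement (remote administration must not use the root account and must use key-based authentication), the OpenSSH sshd_config excerpts, and the required values are all constructed for this illustration; real baselines are set by the organisation and usually cover far more than four settings.

```python
"""Added example (not from the webinar deck): a baseline as a machine-checkable
configuration.

A standard states, vendor-neutrally, what must be true (assumed here: remote
administration must not use the root account and must use key-based
authentication). A baseline translates that into concrete settings for one
technology; this example uses OpenSSH's sshd_config on a Linux host and checks
a constructed configuration against it. The config text and required values are
assumptions made for this illustration.
"""

# Constructed sshd_config excerpt for a hypothetical host (the weak state).
WEAK_SSHD_CONFIG = """\
# constructed example, not a real host
Port 22
# the next two lines violate the baseline
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

# The same hypothetical host after the baseline has been applied.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 4
X11Forwarding no
"""

# Baseline: keyword -> required value (assumed here; organisations set their own).
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}


def parse_sshd_config(text: str) -> dict:
    """Return keyword -> value for an sshd_config without Match blocks.

    sshd treats keywords case-insensitively and uses the first occurrence of a
    keyword, so keys are lower-cased and later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comment lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                             # malformed line; ignore
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def check_baseline(settings: dict, baseline: dict) -> list:
    """Return (keyword, required, actual) for every deviation from the baseline.

    An unset keyword is reported as a deviation because OpenSSH's default for it
    may differ between versions; a baseline should pin the value explicitly.
    """
    findings = []
    for key, required in baseline.items():
        actual = settings.get(key.lower())
        if actual is None:
            findings.append((key, required, "<unset>"))
        elif actual.lower() != required.lower():
            findings.append((key, required, actual))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = check_baseline(parse_sshd_config(cfg), SSHD_BASELINE)
        print(f"{label}: {len(findings)} deviation(s)")
        for key, required, actual in findings:
            print(f"  {key}: required {required}, found {actual}")
```

The weak configuration produces three findings: two explicit violations and one unset keyword. Reporting the unset value is deliberate; a baseline that relies on vendor defaults stops being a baseline the moment the vendor changes them, which is why the deck separates the vendor-neutral standard from the vendor-specific baseline that has to track each product version.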
Discussion Questions
1. Are threats to modern organisations increasing or
decreasing?

2. What are the three components in a threat scenario?

3. When is it OK to use FUD?

4. Which of the CIA is most important?


20
