
Posted on 30-Aug-2018


RTN CTRL

Closing the Gap: Protecting Business Capabilities Against Security Threats

Dr Ryan Ko, Head, Cyber Security Researchers of Waikato (CROW), University of Waikato
Editor, ISO 21878

2016 NZ Cloud Computing and Hybrid IT Forum

www.crow.org.nz | www.stratus.org.nz


CROW – 1st Uni Cyber Security Lab in NZ

•  First Cyber Security Lab in NZ, building on traditions of NZ Internet, Data Mining (Weka), networking group
•  20+ research students (Honours, PGDip, Master of Cyber Security, PhD)
•  30+ Alumni (now at Gallagher, Deloitte, INTERPOL, Cloud Security Alliance, LayerX, etc)
•  14 staff (6 academics, 8 staff)
•  Dr Ryan Ko is Science Leader of NZ$12.2 million, 6-year, MBIE-funded STRATUS project, NZ’s largest IT research grant
•  Also funded by Fulbright Commission, InternetNZ, Education NZ, and Office of the Privacy Commissioner
•  Creators of the New Zealand Cyber Security Challenge (now 3rd year; 267 participants)


Who we work with:


NZ Cyber Security Challenge (since 2014)


Craig Scoon and Ryan Ko presenting to the Governor-General of New Zealand, April 2016

Hosting the Governor-General, and Director, NSA Research Directorate


Cybercrime Research with INTERPOL


Co-developed the (ISC)2 Certified Cloud Security Professional (CCSP)


INDUSTRY TRENDS: A look at the recent


An Important Trend

•  Global trend of linking liability of cyber security incidents to directors
  –  Think Health and Safety
•  The rise of awareness of the need for cyber security and cyber insurance
  –  Better utilising existing capabilities
  –  Future capabilities (in training and research)


Institute of Directors in NZ: Cyber-Risk Practice Guide

https://www.iod.org.nz/Portals/0/Governance%20resources/Cyber-Risk%20Practice%20Guide.pdf


10 August 2016: First NZ-Specific Social Engineering TorrentLocker

Immediately reported to IT Dept., Government: NCPO (ConnectSmart), NCSC


The Mind of the Attacker: 4 Stages of Penetration Testing (ref: The Basics of Hacking and Penetration Testing – Patrick Engebretson)

•  Reconnaissance – Aim: Gathering information about target.
•  Scanning – Aim: Searching for holes and vulnerabilities in network ports and system software.
•  Exploitation – Aim: Gain admin access over target machine(s).
•  Maintaining Access – Maintain permanent backdoors to the system, resistant to program closures and even reboots.

One more step: Hiding/Covering your tracks (for Black Hats).


Src: http://www.youtube.com/watch?v=F_5CMjgHRKQ


Preventing and mitigating Social Engineering

1.  Learning to identify social engineering attacks
2.  Creating a personal security awareness program
3.  Creating awareness of the value of the information that is being sought by social engineers
4.  Keeping software updated
5.  Developing scripts
6.  Learning from social engineering audits
7.  Continuously learning from: http://www.social-engineer.org/


Developing Scripts

•  If someone calls and claims to be from the management office and demands compliance of either handing over information or internal data, follow these steps:
  1.  Ask for the person’s employee ID number and name. Do not answer any questions until you have this information.
  2.  After getting the identifying information, ask for the project ID number related to the project he or she is managing that requires this information.
  3.  If the information in steps 1 and 2 is successfully obtained, comply.
  4.  If it’s not, ask the person to have his or her manager send an email to your manager requesting authorization and terminate the call.
•  A simple script like this can help employees know what to say and do in circumstances that can try their security consciousness.
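The four-step call-handling script above, written out as a decision procedure. This is an added example, not material from the talk: the employee directory and project register are constructed sample records, and the final check of the caller's identifiers against those records is an assumption that goes one step beyond the slide, which only requires that the identifiers be obtained. Everything before that check follows the slide's order: nothing is answered until step 1 and step 2 are complete, and any missing identifier drops to step 4.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    COMPLY = "comply"        # step 3: identifiers obtained (and, here, verified)
    ESCALATE = "escalate"    # step 4: manager-to-manager email, terminate the call


@dataclass
class CallerClaims:
    """What the caller has told the employee so far (None = not provided)."""
    name: Optional[str] = None
    employee_id: Optional[str] = None
    project_id: Optional[str] = None


# Constructed sample records standing in for an HR directory and a project
# register; a real deployment would look these up in the systems of record.
EMPLOYEE_DIRECTORY: Dict[str, str] = {"E1042": "Alice Example"}
PROJECT_REGISTER: Dict[str, Dict[str, str]] = {"P-77": {"manager": "E1042"}}

STEP4 = "step 4: ask for manager-to-manager email authorisation; terminate call"


def handle_request(
    claims: CallerClaims,
    directory: Dict[str, str] = EMPLOYEE_DIRECTORY,
    projects: Dict[str, Dict[str, str]] = PROJECT_REGISTER,
) -> Tuple[Outcome, List[str]]:
    """Walk the script in order and return the outcome plus the steps taken."""
    log: List[str] = []

    # Step 1: employee ID number and name, before answering anything.
    if not claims.employee_id or not claims.name:
        log.append("step 1: employee ID and name not obtained; answer no questions")
        log.append(STEP4)
        return Outcome.ESCALATE, log
    log.append("step 1: employee ID and name obtained")

    # Step 2: the project ID that requires the information.
    if not claims.project_id:
        log.append("step 2: project ID not obtained")
        log.append(STEP4)
        return Outcome.ESCALATE, log
    log.append("step 2: project ID obtained")

    # Assumption beyond the slide: the identifiers are checked against internal
    # records, because a caller can recite plausible-looking numbers.
    name_on_record = directory.get(claims.employee_id)
    project = projects.get(claims.project_id)
    if (name_on_record != claims.name
            or project is None
            or project.get("manager") != claims.employee_id):
        log.append("verification: identifiers do not match internal records")
        log.append(STEP4)
        return Outcome.ESCALATE, log

    log.append("step 3: identifiers obtained and verified; comply")
    return Outcome.COMPLY, log


if __name__ == "__main__":
    for claims in (
        CallerClaims("Alice Example", "E1042", "P-77"),   # matches the records
        CallerClaims("Alice Example", "E1042"),           # no project ID given
        CallerClaims("Bob Mallory", "E9999", "P-77"),     # identifiers do not verify
    ):
        outcome, steps = handle_request(claims)
        print(outcome.value, "<-", "; ".join(steps))
```

The returned step log is the part worth keeping in practice: it gives the employee a record of what was asked and why the call ended, which is what a later social engineering audit (item 6 on the previous slide) needs.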


AN ORGANISATION’S PERSPECTIVE: Script development is just a part of the Big Picture!


Planning your organisation if you are an IT Manager/ CISO/ Director

•  Prevention
  –  Vulnerability Detection
  –  Vulnerability Remediation
  –  Vulnerability Patching
•  Security
  –  Policies (Designing and Implementing an ISMS)
  –  Alignment to standards, e.g. ISO/IEC 27001
  –  Controls (Scripts, Assets, BYOD, Users, Physical Environment, etc)
•  Forensics
  –  How can you find out what went wrong?
•  Collaboration across the sector and link to the national level
  –  Does your sector have a trusted network? CSIRT?

Related Question: Do it yourselves, or outsource?


Doing it yourself: Manpower and Resources

•  Do you have a person/ group of people who will be able to adequately respond to an incident or emergency?
  –  Technical Response
  –  Communications Response
•  Do you have a group of people who are preventing, monitoring and giving you updates on the weekly trends?
  –  Vulnerability discovery and patching?
  –  CISO
  –  Virtual CISO
  –  Collaboration/ sharing between trusted parties
•  Do you have a group which looks into the future for trends and problems – 1 year, 2 years, 5 years? (Covered later in talk)
  –  If not, you may wish to work with Callaghan Innovation, or groups such as MBIE STRATUS


Outsourcing: 5 Key Questions to Ask a Vendor

•  Do you use the tool to protect yourself? Give specific use cases.
•  What can’t your tool protect?
•  What happens when I get attacked? How will you help me?
•  How well do you know about the International Legislations and Controls? E.g. ISO 27000 series, NZ data privacy laws and NZISM (which version)?
  –  How does your tool align our organisation to them?
•  If I have a malicious staff who leaks my data, how can your tool contain the situation?


5 Simple Questions to ask the Educator/ Trainer

•  Tell me specifically what skills you train, and why you focus on them.
•  How many alumni have you trained, and where are they working now?
•  How many of your staff/trainers are involved in international standards; are they globally or regionally-recognised experts?
•  Do they produce technology or publications which are really usable by users?
•  Is this demo you showed me your own, or did you use another organisation’s tool and ‘white-label’ it?


ISO 27001 @ ISO Online Browsing Platform (OBP)


UPCOMING KEY EVENTS Mark Your Calendars


STRATUS Forum 2015 (Last Year)


STRATUS Forum 2016 (Open to Public)

•  Research Team:
  –  Universities: University of Waikato (lead), University of Auckland
  –  Polytechnic: Unitec
  –  Global Consortium: Cloud Security Alliance
  –  Industry Partners: Gallagher, LayerX, Virscient, Aura (Kordia)
•  Date: 5 December 2016
•  Location: MBIE Building, Wellington
•  More Info: https://stratus.org.nz


Hosting the ISO/IEC JTC 1/SC 27 Plenary and Workshop Meetings

•  Hosted by University of Waikato & Cloud Security Alliance next year.
•  Supported by Standards New Zealand
•  First time in New Zealand
•  400+ national delegates from 60+ countries and 20+ liaison bodies
•  April 18-25, 2017


THANKS

Ryan Ko, PhD, CCSP
•  Head, Cyber Security Lab/ Senior Lecturer, University of Waikato | https://crow.org.nz
•  Science Leader, STRATUS | https://stratus.org.nz
•  International Faculty Member, NIATEC, Idaho State University, USA
•  Asia Pacific Research Advisor, Cloud Security Alliance
•  Editor, ISO/IEC 21878 – Security Guidelines for Design and Implementation of Virtualized Servers
•  Consultant and Technical Advisor to NZ and International Companies

ryan@waikato.ac.nz

Announcements:
•  3 x STRATUS project PhD study awards (fees+stipend) available
•  1 x STRATUS Masters study award (fees+stipend) available

soli deo gloria
