Cybersecurity in Government
Executive Development Course: Digital Government
Ng Lup Houh, Principal Cybersecurity Specialist
Cybersecurity Group
03 April 2018
Copyright of GovTech © Not to be reproduced unless with explicit consent by GovTech.
Agenda
• Cyber Threats & Vulnerabilities
• Cyber Security & Risk Mitigation
• Proactive & Holistic Cybersecurity: GovTech’s Approach
• Disrupting the Kill Chain: Internet Surfing Separation (ISS)
• Conclusion
Cyber Threats & Vulnerabilities
Anatomy of an Attack
Source: NEC
Cyber Kill Chain
Source: Lockheed Martin
Increased Attack Surface
Weak Defences
Recent Trend – Hardware Vulnerabilities
[Diagram: system stack with labels Applications, Operating System (OS), Kernel, Mainboard (Hardware), CPU, TPM, ME, AMT]
Addressing Vulnerabilities can be Costly
Vulnerability | Affected Component | Initial Exploit | OS Patch? | Full remediation
Infineon TPM vulnerability to ROCA | TPM | Local | Yes - workaround | Manual
Intel ME / AMT | CPU Chipset | Local | No | Manual
Meltdown & Spectre | Micro-processor | Local & Remote | Yes - workaround | Some Manual
Meltdown & Spectre Vulnerabilities
• Basic security function of the microprocessor is to restrict access to memory areas, e.g. normal programs cannot read system memory. To enhance performance, modern microprocessors use system memory to:
  - run instructions concurrently (“Out-of-order Execution”)
  - guess and perform next set of instructions beforehand (“Speculative Execution”)
• Security checks are not done. This allows malicious programs to read sensitive data from restricted memory areas such as system memory (Meltdown) and through other programs (Spectre).
• An attacker can compromise and access sensitive data such as user and password information. For Spectre, an attacker can remotely exploit the computer through the user’s browser using a web-based attack to access sensitive data.
Copyright of GovTech © FOR INTERNAL USE ONLY
Rapid rise in exploit attempts
Continued Growth of Cyber attacks
Cyber attack is a natural consequence of being connected to the global cyberspace.
We have an asymmetric problem at hand, where the defender requires significantly more resources compared to an attacker.
[Chart: Scale / Sophistication (Low to High) over time (Past, Present day, Future) for Threat Actors and Cyber Defenders; annotation: "Threats begin to overwhelm you"]
Examples of attacks increasing in scale and sophistication:
• DDoS Attacks
• Phishing Attacks
• Ransomware
Cyber Security & Risk Mitigation
High level of Maturity – Track technology change & continual improvement
Adaptive Security, Continuous Assessment
Continuous Adaptive Risk & Trust Assessment (CARTA) – Gartner 2017
Mapping Tech to Assets & Capabilities
Proactive & Holistic Cybersecurity: GovTech’s Approach
3 main functions
As a sector lead for the Government, GovTech has 3 main functions:
1. Governance - to develop ICT security policies, standards and implement oversight initiatives to assess ICT security-related implementations across government agencies
2. Consulting - to provide technical subject matter expert support for key ICT projects and to key decision-making fora such as eGov Council and Committee of Permanent Secretaries
3. Cyber Security Operations - to perform operational cyber security functions that include cyber intelligence, network monitoring, intrusion detection, threat hunting, incident response and security analytics
Cyber Security Framework
5 enablers cutting across 5 phases
Phases: Prepare, Prevent, Detect, Respond, Learn
Technology
Stakeholders
End Users
• Need to be adequately trained and made aware of the threats in cyberspace.
• To report on potential security breaches or suspicious events.
IT Professionals
• Need to ensure that security concerns are addressed.
• To ensure that applications are secure by design.
Security Specialists
• To promote a security by design mindset in app development.
• To test and ensure that applications are well secured and compliant to security policies.
Security by Design
1. Requirements Gathering: Risk based security policies, Mandatory security requirements.
2. Design: To adopt industry best practices and established standards for security controls, e.g. NIST 800, ISO 27002, CIS Critical Controls.
3. Construction: Static Application Security Testing.
4. Deployment: Separation of Staging and Production environments.
5. Testing: Penetration Test.
Automated Security Testing within Continuous Integration.
Security Acceptance Test.
Vulnerability Assessment.
Implement secure coding practices.
Coping with the trend
[Chart: Quantity over Time] The tipping point where the cyber attacks start to overwhelm you.
Re-Architect, Reduce Exposure, Technology, Train, Retain
User Awareness
Email Signature
A3 Size Posters
JAGA - Our cybersecurity ambassador
The Balance
Security, Usability, Cost
Optimising the cost-benefit tradeoff while ensuring ease of use
Disrupting the Kill Chain: Internet Surfing Separation (ISS)
Top 3 attack vectors
• Internet Surfing
• Internet Emails
• Unsecured Deployment
ISS, Filtering, End point security, Penetration Test, Audit
Overview of ISS
[Diagram labels: Internet Surfing; Email & Intranet; Other Internet Services]
Agency notebook containing classified documents
Internet enabled notebook containing non-classified documents
ISS, the single most effective measure, is to separate Internet surfing (main exfiltration channel) from the Government ICT infrastructure.
Disrupting the Kill Chain
Change Management
Management-led approach, Early Planning and Pilot Testing, Communications
• Lead by example
• Champion the change
• Active engagement and support
• Reinforce that cyber threats are real
• Address user needs and concerns
• Communicate device allocation policies
• Re-assure users on the availability of alternative solutions
• Phased approach
• Getting the infrastructure, applications and devices ready early (size correctly)
• Pilot testing to minimise disruption
Supported by
IT Professionals & Project Managers, Security Specialists, Corporate Communications
• Engage agency key stakeholders.
• Oversee and track implementation progress.
• Facilitate agencies with implementation.
• Advise on current threat landscape.
• Ensure that security solutions are designed and implemented correctly.
• Dispel any miscommunication or myths.
• Communicate new policies and behavioral expectations.
• Communicate the availability of allocated solutions.
End User Experience
End users MUST be clear on what is classified information and what is not.
Internet enabled devices MUST be clearly labelled.
End users MUST be well trained on cyber hygiene practices.
Conclusion
Holistic Security
Prepare, Prevent, Detect, Respond, Learn
Technology
1. Today’s threats are growing in scale and sophistication.
2. We need to think about security holistically, e.g. across 5 phases.
3. This includes the cooperation of IT Professionals, Security Specialists and End Users to address them.
Cybersecurity is an Enabler
Thank you