Cybersecurity in Government Executive Development Course: Digital Government Ng Lup Houh, Principal Cybersecurity Specialist Cybersecurity Group 03 April 2018


Page 1: Cybersecurity in Government - workspace.unpan.orgworkspace.unpan.org/sites/Internet/Documents/UNPAN98139.pdf · Agenda. Cyber Threats & ... Email & Intranet Internet Surfing Other

Cybersecurity in Government

Executive Development Course: Digital Government

Ng Lup Houh, Principal Cybersecurity Specialist

Cybersecurity Group

03 April 2018


Copyright of GovTech © Not to be reproduced unless with explicit consent by GovTech.

Agenda

• Cyber Threats & Vulnerabilities

• Cyber Security & Risk Mitigation

• Proactive & Holistic Cybersecurity: GovTech’s Approach

• Disrupting the Kill Chain: Internet Surfing Separation (ISS)

• Conclusion


Cyber Threats & Vulnerabilities


Anatomy of an Attack


Source: NEC


Cyber Kill Chain


Source: Lockheed Martin


Increased Attack Surface

Weak Defences


Recent Trend – Hardware Vulnerabilities

[Figure: system stack showing Applications, Operating System (OS), Kernel and Mainboard (Hardware), with hardware components CPU, TPM, ME and AMT]


Addressing Vulnerabilities can be Costly

| Vulnerability | Affected Component | Initial Exploit | OS Patch? | Full remediation |
|---|---|---|---|---|
| Infineon TPM vulnerability to ROCA | TPM | Local | Yes - workaround | Manual |
| Intel ME / AMT | CPU Chipset | Local | No | Manual |
| Meltdown & Spectre | Micro-processor | Local & Remote | Yes - workaround | Some Manual |


Meltdown & Spectre Vulnerabilities

• A basic security function of a microprocessor is to restrict access to memory areas, e.g. normal programs cannot read system memory. To enhance performance, modern microprocessors use system memory to:

    • run instructions concurrently (“Out-of-order Execution”)

    • guess and perform the next set of instructions beforehand (“Speculative Execution”)

• Security checks are not done. This allows malicious programs to read sensitive data from restricted memory areas such as system memory (Meltdown) and through other programs (Spectre).

• An attacker can compromise and access sensitive data such as user and password information. For Spectre, an attacker can remotely exploit the computer through the user’s browser using a web-based attack to access sensitive data.


Copyright of GovTech © FOR INTERNAL USE ONLY

Rapid rise in exploit attempts


Continued Growth of Cyber attacks

Cyber attack is a natural consequence of being connected to the global cyberspace.

We have an asymmetric problem at hand, where the defender requires significantly more resources than an attacker.

Examples of attacks increasing in scale and sophistication:

• DDoS Attacks

• Phishing Attacks

• Ransomware

[Figure: Scale / Sophistication (Low to High) plotted from Past through Present day to Future for Threat Actors and Cyber Defenders, marking the point where "Threats begin to overwhelm you"]


Cyber Security & Risk Mitigation


High level of Maturity – Track technology change & continual improvement


Adaptive Security, Continuous Assessment

Continuous Adaptive Risk & Trust Assessment (CARTA) – Gartner 2017


Mapping Tech to Assets & Capabilities


Proactive & Holistic Cybersecurity: GovTech’s Approach


3 main functions

As a sector lead for the Government, GovTech has 3 main functions:

1. Governance - to develop ICT security policies, standards and implement oversight initiatives to assess ICT security-related implementations across government agencies

2. Consulting - to provide technical subject matter expert support for key ICT projects and to key decision-making fora such as eGov Council and Committee of Permanent Secretaries

3. Cyber Security Operations - to perform operational cyber security functions that include cyber intelligence, network monitoring, intrusion detection, threat hunting, incident response and security analytics


Cyber Security Framework

5 enablers cutting across 5 phases

[Figure: phases Prepare, Prevent, Detect, Respond, Learn; label "Technology"]


Stakeholders

End Users

• Need to be adequately trained and made aware of the threats in cyberspace.

• To report on potential security breaches or suspicious events.

IT Professionals

• Need to ensure that security concerns are addressed.

• To ensure that applications are secure by design.

Security Specialists

• To promote a security by design mindset in app development.

• To test and ensure that applications are well secured and compliant with security policies.


Security by Design

1. Requirements Gathering: Risk based security policies, Mandatory security requirements.

2. Design: To adopt industry best practices and established standards for security controls, e.g. NIST 800, ISO 27002, CIS Critical Controls.

3. Construction: Static Application Security Testing.

4. Deployment: Separation of Staging and Production environments.

5. Testing: Penetration Test.

• Automated Security Testing within Continuous Integration.

• Security Acceptance Test.

• Vulnerability Assessment.

• Implement secure coding practices.


Coping with the trend

[Figure: Quantity plotted against Time, marking the tipping point where the cyber attacks start to overwhelm you.]

• Re-Architect

• Reduce Exposure

• Technology

• Train

• Retain


User Awareness

Email Signature

A3 Size Posters

JAGA - Our cybersecurity ambassador


The Balance

[Figure: balance between Security, Usability and Cost]

Optimising the cost-benefit tradeoff while ensuring ease of use


Disrupting the Kill Chain: Internet Surfing Separation (ISS)


Top 3 attack vectors

• Internet Surfing

• Internet Emails

• Unsecured Deployment

Measures:

• ISS

• Email Filtering

• End point security

• Penetration Test

• Audit


Overview of ISS

[Figure labels: Internet Surfing; Email & Intranet; Other Internet Services]

• Agency notebook containing classified documents

• Internet enabled notebook containing non-classified documents


Disrupting the Kill Chain

The single most effective measure was ISS: separating Internet surfing (the main exfiltration channel) from the Government ICT infrastructure.


Change Management

Management-led approach

• Lead by example

• Champion the change

• Active engagement and support

Early Planning and Pilot Testing

• Phased approach

• Getting the infrastructure, applications and devices ready early (size correctly)

• Pilot testing to minimise disruption

Communications

• Reinforce that cyber threats are real

• Address user needs and concerns

• Communicate device allocation policies

• Re-assure users on the availability of alternative solutions

Supported by

IT Professionals & Project Managers

• Engage agency key stakeholders.

• Oversee and track implementation progress.

• Facilitate agencies with implementation.

Security Specialists

• Advise on current threat landscape.

• Ensure that security solutions are designed and implemented correctly.

Corporate Communications

• Dispel any miscommunication or myths.

• Communicate new policies and behavioral expectations.

• Communicate the availability of allocated solutions.


End User Experience

End users MUST be clear on what is classified information and what is not.

Internet enabled devices MUST be clearly labelled.

End users MUST be well trained on cyber hygiene practices.


Conclusion


Holistic Security

[Figure: phases Prepare, Prevent, Detect, Respond, Learn; label "Technology"]

1. Today’s threats are growing in scale and sophistication.

2. We need to think about security holistically, e.g. across 5 phases.

3. This includes the cooperation of IT Professionals, Security Specialists and End Users to address them.


Cybersecurity is an Enabler


Thank you