utsw elearning ahmad akbar 41208010021
TRANSCRIPT
-
7/25/2019 Utsw Elearning Ahmad Akbar 41208010021
1/12
UTS APLIKOM GENAP 2014/2015 (Midterm Exam, Computer Applications, Even Semester 2014/2015)
Trust is the glue that holds our societies and economies together. To gain trust in business, you have to ensure the integrity of your products, services, and operations as well as the protection of confidential information.
Do your customers trust you? How about your employees and business partners? These questions are more important than ever in a world brimming over with sensitive data and where even relatively simple data security breaches can have huge direct and indirect impacts.
Indeed, trust is a critical ingredient for success in a fast-changing business world. Customers buy products and services at least in part because they trust you: that your products will work as promised, that your services will be available whenever needed, and, most importantly, that you will protect their personal data. Your business partners (suppliers, development partners, and distributors) work with you because they trust you will protect both their contributions to success and the secrets about your relationship. Last but not least, your employees trust that their medical information and other personal data is safe, and that working procedures protect their legal rights.
At its core, information security is about more than merely protecting confidentiality or making sure your systems are safe; it's about maintaining the integrity of your systems, and thus your business and production processes.
Losing Trust
Every week seems to bring headlines about security incidents; 2014 included the steady stream of leaks about National Security Agency surveillance as well as news of breaches that have hammered JPMorgan Chase and Sony. In many cases, it seems that hackers remain a step ahead of the existing countermeasures. (For more information see the appendix, "From Attack-as-a-Service to Cyberespionage: The Latest Trends in Hacking.")
It's tempting to relax if your firm hasn't been (or doesn't know it has been) targeted yet. Too often, we hear statements such as, "We are secure; nothing has happened to us before," or "Our firm is not important enough to be a target," or "Security costs are greater than the potential damages." Unfortunately, many studies have demonstrated (and many executives have learned the hard way) that these statements simply aren't true. While there is no commonly agreed-upon number for the costs of worldwide security breaches, estimates range from ;** billion (about the
No single industry has the ability to defend all attacks; even the best-prepared, most technologically advanced industries, such as telecom and banking, have faced embarrassing incidents and the exposure of reams of public data. Other, potentially far more damaging incidents have been successfully hidden with high financial expenses. In manufacturing, where safety (avoiding accidents) has long been a focus, information security has not been a priority. The same is true for infrastructure industries such as traffic and utilities (other than nuclear plants, where the information security focus derives from the industry's larger safety and security mindset). Despite the imminent threats, senior management awareness seems quite low across industries. This is changing, but only slowly.
With digitization increasing, breaches are inevitable, and the magnitude and frequency of successful attacks will only increase. Only a significant, society-wide change in awareness may be able to slow down (and later reverse) this development.
Trust Requires Transparency and Strategic Commitment
Silence is perhaps the largest hurdle in tackling information security. Many executives choose to say nothing, certainly when the damage is hidden, and often even when it becomes visible. However, true information security requires attacking tough issues head on. For the leading companies, information security is a cross-functional, multi-dimensional task that starts at the top, with corporate leaders bringing together various parties and specialists to address strategic alignment, organizational and process setup, technical measures, communication, and culture.
For management teams at these firms, the first step is understanding that information security risks are business risks. Board members are the ultimate owners of information security risk and are best positioned to instill an information security mindset across the organization.
The best information security departments seek to support the business side in achieving business objectives securely, building trust both internally and externally and setting mutual goals to create a stronger relationship (see sidebar: Using Communications to Build Trust). For these leading firms, both business and
information security leaders share responsibility in evaluating protection levels and identifying threats and vulnerabilities. With the business side supported by the information security function in analyzing the business impact of information security, they mutually define the value at risk. It is paramount that the information security function perform the final risk evaluation with an eye toward keeping overall business costs down. For these companies, there is transparency and trust about the true risk landscape and about defining potential measures to mitigate those risks. Creating informed decision processes for implementing measures or accepting risks ensures that risks are only accepted when there is proper reasoning and documentation.
The Five Dimensions of Addressing Information Security
How do these leading firms achieve cutting-edge information security? By addressing five dimensions, each crucial to success: strategy, organization, processes, technology, and culture (see figure 1). Rarely are security incidents linked to just one of these five dimensions. Conversely, an integrated combination of measures across all five can ensure your company is prepared to address information security issues. The following section looks at the five dimensions and some of the leading practices in addressing them (see figure 2).
Strategy. Solid strategy is the foundation for all information security. It focuses resources on what is most important to protect and sets clear guidelines to help define what level of protection is needed in different areas.
Information security leaders do three things particularly well when it comes to strategy:
- The information security strategy is clearly linked to the corporate strategy. It defines what is important for the company and its stakeholders, and, hence, what must be protected.
- Leading companies put the greatest emphasis on defining and then protecting their most critical assets, making it harder for attackers to increase
the damage after an initial breach. Information security policies clearly define the requirements for security areas from data centers, devices, applications, and production systems to processes and governance, such as risk management, incident management, and the classification of information. And guidelines for specific stakeholder groups (executives, administrators, and external users, among others) serve as "best practices" specific to the audience. This knowledge helps balance the desired level of protection against the cost and effort to achieve appropriate security, in other words, the acceptable risk that can be tolerated.
- A well-defined road map defines short- and mid-term goals for information security. Long-term goals would fail in a rapidly changing environment, or they would come too late to address foreseeable issues.
Organization. Information security requires an organizational setup that can manage through tough decisions. Often there is initial resistance to security measures or a conflict of interest that slows progress. Only if the information security function can act at "eye level" with the business can a company implement all important security measures. This is even truer across divisional or regional organizations, where attackers can use the weakest link to enter the corporate network and then easily move across the entire corporation. Similarly, with external partners along the value chain, every connection can become a potential entry point for the bad guys. Properly addressing the internal organization and the entire ecosystem of partners is critical.
Following are two best practices:
- Leading companies have a dedicated chief information security officer (CISO) who reports to another board member rather than the CIO, in order to avoid potential conflicts of interest.
- Divisions and regions also have their own information security officers, with dotted-line reporting to the CISO; other roles responsible for information security are consistently defined throughout the organization and sufficiently staffed.
Processes. Security is a process, not a state. Well-defined processes ensure that a strategy is implemented, that protection measures are regularly reviewed, and that adjustments are made for changing requirements. Information security must be integrated into all business and operational processes; otherwise protection will slip or costs will rise.
Leaders follow five best practices:
- Leading companies implement solid information security management systems (ISMS) that conform to ISO 2700x, including information security risk management and incident management. Consistent ISMSs across the organization ensure cross-divisional, interregional consolidation and coordination.
- Information security leaders make sure they understand the risks to all business-critical processes. Business continuity management secures business even in case of incidents for all critical processes. All required parties regularly conduct training regarding business continuity plans, ensuring that operability and continuous improvement stay up-to-date with changing requirements.
- All supporting processes are also aligned with information security requirements. For example, the project management process involves early security reviews, as including security from the beginning (rather than waiting until everything is designed) lowers costs and increases effectiveness.
- Identity and access management, which is often the eye of the storm of an attack, is focused on the principle of least privilege. Leaders have the checks and controls in place to limit potential damage through insider attackers or compromised accounts.
- IT operations processes are designed with security in mind to reduce risk for IT infrastructure and applications. Regular penetration tests verify the effectiveness of security measures.
Technology. IT security is not the same thing as information security. The critical difference is that information security accounts for the human factor, which is central
to nearly all successful attacks, as well as technology. For example, some regrettable breaches have come from information stolen because of simple errors such as disposing of sensitive information in a trash bin below the desk or behind the building. Having said that, technology is obviously important. Almost all publicly known major security breaches involve technology; in many cases the cause is an avoidable mistake, such as an insufficiently patched IT system.
How do leading companies stand out in terms of technology?
- Leading companies care most about the one attack they might miss, not the millions of malware attacks they know they can defend. These leading security organizations are efficient in their technology use so that they are able to spend more time working with the business side to secure core processes.
- Servers and applications are protected according to security classification, and administration occurs only through specifically secured channels with tight control mechanisms.
- Clients (desktops, laptops, and mobile devices) are equipped with the latest malware protection and protect data in case they are stolen or lost. Access requires multifactor authentication wherever possible. At the same time, these companies seek to ensure that the user experience is improved.
- Best-practice networks are properly segmented with strict traffic control between segments. Detection technologies are deployed at all critical places linked to a central SIEM (security incident and event management) system as the central monitoring instance. Security monitoring is managed by a SOC (security operation center), which evaluates incidents and drives remediation activities together with the CERT (computer emergency response team).
Culture. Culture is about the people aspect of security. Almost all major incidents involve the human element, typically some employees who are tricked into malicious behavior. But expecting everyone to understand the risk isn't fair; education is required. Then, companies can mitigate the risk by making all employees true stakeholders of information security.
Culture is a key cog in maintaining solid information security for leading firms. Best practices include the following:
- The commitment of top managers to information security and understanding it as a cross-functional task can bring strong results. For firms with strong information security, the culture ensures that everybody feels responsible for their business's security, and that information security is a business enabler.
- Leading firms understand that employees across functions are a great source for identifying security gaps. They enable this by creating cultures that are open to the idea that employees can freely report security problems without fear of punishment for being the "bearers of bad news."
Typically, companies vary in their performance across categories, yet often there is a clear overall trend. Using A.T. Kearney's health check to assess performance, companies can outline their objectives in each category and create a program of short- and mid-term measures that lead to the desired state. A comprehensive program can require three years to complete (see figure 3).
Information Security: Setup and Budget
There are many schools of thought on how much a company should spend on information security. Five percent of the IT budget (with year-over-year growth of to 10 percent) is often cited as a good rule, but in truth it depends on the individual company and its industry. Not only should information security be independent from IT, but where you are today and the gaps you need to reach the desired protection level can mean more costs at the outset. That may be hard for some to swallow, but following a generic benchmark would be a recipe for failure.
Building the budget bottom-up, based on identified risks and measures needed now, is the best first step. This forces the organization to work on operational excellence. In other words, the objective is not how to achieve the best theoretical solution, but how to find a solution that is strong, feasible, and cost-effective in delivering adequate protection to meet business objectives. The solution has to work in practice and at a reasonable cost.
Lastly, cost creep often occurs after a project is approved. Rigorous project management independent of the (mostly technical) implementation provider that keeps operational excellence and business objectives in focus will help avoid this.
Trust Is the Glue
The business world is seeing disruptive technologies and business models at an unprecedented rate. Industries are changing, with startups leading the change and becoming partners to established corporations. Collaboration is a major cross-industry trend. With digitization, everything gets more interconnected. But one thing does not change: Trust is the glue that holds our societies and economies together.
This shiny new world has dark clouds quickly approaching from the horizon, or a sudden tsunami appearing out of nowhere. To keep the trust up with all internal and external stakeholders, you have to be prepared not only to defend, but also to deal with a crisis. A systematic approach covering the five aforementioned dimensions helps companies to establish the structures to be prepared, helping the employees to trust in their own capabilities and carrying the trust outside the company.
Appendix
From Attack-as-a-Service to Cyberespionage: The Latest Trends in Hacking
The next waves of attacks are as hard to predict as natural disasters, but some trends are already evident, and others can be predicted. Here are a few to watch out for:
Total global surveillance. Data enables activities beyond the wildest Orwellian dreams, shaking the foundations of trust among different governments and between governments and their citizens. Many corporate leaders are afraid of what it means for their firms. Known security measures may fall short when coming up against industrial espionage by intelligence agencies. One telecommunication company providing services to a parliament found its network heavily compromised by a foreign intelligence agency seeking to get its government into a better position for major multinational negotiations.
Intentional weakening of IT defenses. The intended weakening of IT and security products is a real nightmare. While you want to trust that the products you use help you stay as secure as possible, many major companies have intentionally (and not necessarily voluntarily) introduced weaknesses and backdoors into their products (notably security products and in particular, but not limited to, commercial cryptography) at the behest of governments seeking information. In other cases, governments have intervened in the shipping process to alter products in their favor. Recently, The Intercept revealed documents detailing the NSA's Sentry Eagle and claims that the program infiltrated commercial entities (often even physically) in South Korea,
Network equipment producer Huawei provides an interesting example here, as the company has been suspected by some countries of introducing backdoors for Chinese agencies; later it was revealed they had been attacked by the NSA in an attempt to implement backdoors. To combat the claims and win the trust of customers, Huawei has offered to open its code to national intelligence agencies.
The rise of AaaS. Attack-as-a-service (AaaS) could be an important (albeit clandestine) business model in coming years. The most dangerous attacks for corporations are highly professional and customized to their targets, often referred to as advanced persistent threats (APTs) or targeted attacks. APTs require time, money, and knowledge to execute, the kind that no single organization can create alone, and thus lead to a very international cybercrime industry. Interestingly enough, this industry is built largely on trust; as in other industries, it is evolving and creating new business models. Presumably, customers can execute attacks without the deep knowledge originally required. The first example we have seen involves the banking industry, with Trojans Zeus and SpyEye evolving toward this new service model while the users of the respective services made incredible amounts of money.
Massive attacks on infrastructure. The cyber espionage campaign known as Energetic Bear (of origins still unconfirmed) has successfully compromised more than 1,000 utility companies in F countries. The attack has not only stolen significant data but also opened the door to sabotage by enabling the crippling of physical systems such as wind turbines, gas pipelines, and power plants at will. Huge attacks such as these could be preludes to strikes in something of a "lukewarm cyberwar." These kinds of threats not only endanger utilities, but also other critical infrastructure such as information and communication technology, healthcare, traffic and transport, and banking. Users generally trust that the services of these sectors are safe; an important question in these industries is "What happens when users lose trust?" And we certainly don't want to find ourselves in a situation where public life suddenly comes to a halt when the lifelines of our society are interrupted.
Automation systems as prime targets.