Sense of Security Best practice strategies to improve your enterprise security

www.senseofsecurity.com.au © Sense of Security 2013 Page 1 – April 2013
Compliance, Protection & Business Confidence
Sense of Security Pty Ltd
Sydney
Level 8, 66 King Street
Sydney NSW 2000
Australia
Melbourne
Level 10, 401 Docklands Drv
Docklands VIC 3008
Australia
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
info@senseofsecurity.com.au
www.senseofsecurity.com.au
ABN: 14 098 237 908
Best practice strategies to
improve your enterprise
security
Murray Goldschmidt, Chief Operating Officer
April 2013
2nd Annual Australian Fraud Summit 2013

Agenda
1. Recent Security Breaches
2. Identifying & Understanding Security Risks
& Organisational Implications
3. Steps to mitigate risk of breaches & theft

.senseofsecurity.com.au © Sense of Security 2013 Page 3 – April 2013
Increasing threat / consequence
Scope – increasing ability to exploit
Cyber Threat Actors

Cyber Threat Actors
Agenda Targets

Script Kiddies/Cyber Researchers
Experimentation, Fun, Testing
Cyber Threat Actors
Agenda Targets

Cyber Threat Actors
Agenda Targets

Hacktivists
Disruption, Reputational Damage,Political/Social,
Cyber Threat Actors
Agenda Targets

Hacktivists
Cyber Threat Actors
Agenda Targets

Organised Crime
Financial gain, fraud, ID theft
Hacktivists
Cyber Threat Actors
Agenda Targets

Organised Crime
Hacktivists
Cyber Threat Actors
Agenda Targets

Organised Crime
Professionals/Companies/Terrorists
Commercial advantage, Intellectual Property
Hacktivists
Cyber Threat Actors
Agenda Targets

Organised Crime
Hacktivists
Cyber Threat Actors
Agenda Targets

Organised Crime
Nation States
Economic, political or military advantage
Hacktivists
Cyber Threat Actors
Agenda Targets

Activity –But Not Yet Cyber War
http://www.economist.com/blogs/analects/2013/02/chinese-cyber-attacks

Hacktivist Attacks
http://www.bankinfosecurity.com/american-express-a-5645 http://www.scmagazine.com/market-for-ddos-prevention-to-hit-870-million/article/287020/

Advanced Persistent Threat

Target
org/person

Target
org/person
Malware
penetrates

Target
org/person
Malware
penetrates
Command &
Control

Target
org/person
Malware
penetrates
Command &
Control
Data harvest
& exfiltrate

RBA Falls Victim to Cyber Attack
http://www.afr.com/p/national/rba_confirms_cyber_attacks_ZsVpeJas8JX6UXCLwOVJKP

Opportunistic Attack – Out of Business
http://www.zdnet.com/distribute-it-claims-evil-behind-hack-1339319324/

Identifying Security Risk
Materiality Risk
ASX Principle 7: “Recognise and Manage Risk”
• A risk profile informs the board and
management about material business risks,
relevant to company (financial and non-
financial) matters. Material business risks are
the most significant areas of uncertainty or
exposure at a whole of Company level that could
impact the achievement of organisational
objectives.
Applies also to non listed entities!

Small Business Also Affected
http://www.staysmartonline.gov.au/alert_service/advisories/ransomware_attacks_will_increase_in_2013

1
use application whitelisting to help prevent malicious software and
other unapproved programs from running
Just The Top 4 …..
At least 85% of the targeted cyber intrusions that Defence Signals Directorate (DSD) responds to
could be prevented by following the first four mitigation strategies listed in DSD’s 35 Strategies
to Mitigate Targeted Cyber Intrusions
2
3
4
patch applications such as PDF readers, Microsoft Office, Java, Flash
Player and web browsers
patch operating system vulnerabilities
minimise the number of users with administrative privileges
As of April 2013, the Top 4 Strategies to Mitigate Targeted Cyber Intrusions are mandatory for
Australian Government agencies.

Action Required
Corporations & Government are
generally becoming more aware to the
need for improved governance and
infosec capability

Protect Your Data
http://www.theaustralian.com.au/news/nation/personal-details-of-50000-people-exposed-as-abc-website-hacked/story-e6frg6nf-1226586895264

Protect Your Data
http://www.dailyfinance.com/2012/06/08/youve-been-hacked-again-why-linkedins-breach-is-worse-tha/

Email
Know Your Data
There is no network perimeter. Your data is everywhere.
Mobile Devices
Corporate/Home Networks
Databases/File Servers
Cloud Services

Data Centric, Not System Centric

Availability
Fundamentals Still Count
the security controls used to protect data, and the
communication channel designed to access it must be functioning
correctly
Integrity
data integrity means maintaining and assuring the accuracy and
consistency of data over its entire life-cycle
Confidentiality
preventing the disclosure of information to unauthorised
individuals or systems

Defence-in-Depth
A solid Information Security capability
requires resilience through defence-in-
depth, sound fundamentals,
accountability by executives and the
ability to comply with
regulations/legislation.

Regulation & Legislation
Government
Privacy Act
Australian Government - Information Security Manual (ISM),
Protective Security Policy Framework (PSPF)
State Government Standards, e.g. NSW Government Digital
Information Security Policy based on ISO 27001
Industry Australian Prudential Regulatory Authority (PPG-234)
PCI Security Standards Council (PCI Data Security Standard – PCI DSS)

Self Examination
What type of data do you have and is it classified?
Whose owns it?
Where does it reside (data sovereignty)?
How is it accessed and by whom?
What are your future technology objectives (BYOD, Cloud,
Mobility…)
Are there third parties suppliers involved?
What are your compliance obligations?
Do you a current/effective security governance capability?
How would you respond in case of an incident?

Information Security Governance
Incorporate an industry recognised system of governance
(e.g. ISO 27001 - Information Security Management System)
Domains
Information Security Management: Security Policy & Organisation
Asset Management
Human Resource Security
Physical & Environmental Security
Communications & Operations Management
Access Control
Information Systems Acquisition, Development & Maintenance
Information Security Incident Management
Business Continuity Management
Compliance

Management & Technical Standards
Management standards and technical controls need to be
defined and enforced.
Management Practice Area
Change Management Incident & Event Management
Patch Management
Disaster Recovery & Business Continuity
Management
Configuration Management Security Awareness Management
Vulnerability Management Physical Security
Threat Management Application Management
Access Control Management 3rd Party Management

Technical Assurance
Vulnerability Management Program
SDLC Governance, Static Code Analysis
Configuration Management / Hardening
Enterprise Security Architecture
Testing of technology assets and social engineering
threat assessments
External/Internal penetration testing (ethical hacking)
on networks and applications

Questions?
Thank you
Head office is level 8, 66 King Street, Sydney, NSW 2000,
Australia. Owner of trademark and all copyright is Sense of
Security Pty Ltd. Neither text or images can be reproduced
without written permission.
T: 1300 922 923
info@senseofsecurity.com.au
www.senseofsecurity.com.au

Sense of Security Best practice strategies to improve your enterprise security

More Related Content

Similar to Sense of Security Best practice strategies to improve your enterprise security (20)

More from Jason Edelstein (10)

Recently uploaded (20)

Sense of Security Best practice strategies to improve your enterprise security