Posted on 10-Jun-2020

Page 1: Adedoyin Odunfa - isaca.or.ke/resources2017/ISACA Kenya Hackers... · Adedoyin Odunfa’s Profile, Education & Certifications • CISA, CISSP, CGEIT, PMP, ITBMC, ISO27001

Understanding the Hacker’s Mindset. Adedoyin Odunfa

Page 2:

www.digitaljewels.net

Adedoyin Odunfa’s Profile

Education & Certifications

• CISA, CISSP, CGEIT, PMP, ITBMC, ISO27001 Lead Auditor, COBIT 5.0 Certified Assessor, SFIA Accredited Consultant

• MBA (IT & Management)

City University Business School (Now CASS Business School), Barbican Centre, London.

• B.Sc. Computer Science & Economics.

Obafemi Awolowo University, Ile-Ife

• Queen’s College, Yaba. Lagos

Work Experience

• Current: MD/CEO, Digital Jewels Ltd

• ED, Information Systems & E-business, Phillips Consulting Ltd

• GM, DSC.

• MIS Research Analyst, Lagos Business School

IT & Business Strategist, GRC & Project Mgt Practitioner

Strengthening IT Governance, Risk & Compliance across Africa…

Page 3:

#iSecureKenya

Outline

Setting the Context

The attacker’s perspective

Understanding the attacker’s mindset

How do we win?

Building a culture of Information Security

Next Steps/Conclusion

Page 4:

www.secureyourenvironment.com

Page 5:

Page 6:

https://appbugs-wp-static.s3.amazonaws.com/uploads/2017/01/top_cybersecurity_threats-2.png

Page 7:

Page 8:

Know the Attacker…. (Sun Tzu)

“Understanding the motivations and resources of professional cybercriminals is key to defending against them.” (2016 Trustwave Global Security Report)

Professional, organised, determined, innovative, meticulous in evolving techniques to remain steps ahead of targets.

Page 9:

Know the Attacker….

• Hackers: Build
• Crackers: Break

Spectrum of activity: Authorised check | Authorised exploitation | Unauthorised break

Page 10:

Categorising Hackers by Stereotype

Black Hat Actor | Example | Motive | Actions
Script Kiddie | Tinkerers | Curiosity | Very loud, no specific targets and lots of attempts
Malicious Insider | Workforce or ex-staff | Revenge | Stealing info / wreaking havoc with internal systems
Activist | Snowden / Niger hacktivist | Revelation | Revealing trade secrets / bringing light to a cause
Spy | Nation states | Espionage | Better understand your enemy or ally
Terrorist | Sony hack | Destruction | Infiltrate, discredit or destroy data/systems
Organised Crime | Russian mob | Making money | Making money

Page 11:

For example…..

Page 12:

Factors that come to play…

Persistence

Skill

Greed

Stealth

Motivation

Page 13:

Know the Attacker: Motivation

• Money e.g. Ransomware, PII theft

• Reputation “Bragging Rights”, Respect & Acknowledgement

Means/ Factors of Victimisation

• User illiteracy

• Deficient criminal cues

• Limited attention

• Inflated Trust

• Addiction potential

Fundamental Approaches

• Social Engineering

• Brute force

• Technical intrusion

Attack sources

• Internet security defects

• Misuse of legitimate tools

• Improper maintenance

• Ineffective security

• Inadequate detection systems
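The slide names brute force as one of the three fundamental approaches and "inadequate detection systems" as an attack source. The following is an added example, not material from the presentation: a sliding-window detector over sshd-style authentication log lines that raises one alert when a source reaches five failed logins inside a minute and escalates if that same source then authenticates successfully. The log lines, the year assumed for the syslog timestamps, the threshold and the window are all constructed assumptions.

```python
"""Sliding-window brute-force detector over sshd-style auth log lines.

Added example; the sample log, threshold and window are constructed
assumptions and not data from the presentation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in OpenSSH auth.log format. 203.0.113.7 fails five
# times in eight seconds and then succeeds (a brute force that worked);
# 198.51.100.4 is a user mistyping a password twice, ten minutes apart,
# and must not be flagged.
SAMPLE_LOG = """\
Mar  1 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:03 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:05 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:07 bastion sshd[2204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  1 10:00:09 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  1 10:00:12 bastion sshd[2206]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Mar  1 10:30:00 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  1 10:40:00 bastion sshd[2301]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  1 10:41:00 bastion sshd[2302]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2017):
    """Return (timestamp, source_ip, user, success) tuples.

    Syslog lines carry no year, so one is assumed (2017 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["outcome"] == "Accepted"))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source when `threshold` failures fall inside `window`,
    and again if a flagged source later authenticates successfully."""
    recent_failures = defaultdict(deque)   # src -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for ts, src, user, success in sorted(events):
        if success:
            if src in flagged:
                alerts.append(("probable_compromise", src, user, ts))
            continue
        q = recent_failures[src]
        q.append(ts)
        while ts - q[0] > window:          # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append(("brute_force", src, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect_brute_force(parse_auth_log(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {kind:20s} src={src} user={user}")
```

The second alert type is the one worth paging on: a success from a source that was already brute-forcing is the moment the "168 days to detect" figure quoted later in the deck starts counting, and it is cheap to catch at the log source.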

Page 14:

The Cyber Economics Challenge

[Diagram] Platform Convergence (Web, Cloud, Social, Mobile, IoT) + Global data (expanding exponentially in volume, velocity, variety and complexity) = the Cyber Economics Challenge. Diagram labels: Security, Sharing.

Page 15:

2 sides of the same coin: Technology | Economics

• Technology is about HOW attacks occur

• Economics is about WHY attacks occur

Page 16:

Cyber Economics: the Why? Attack Parameters

Ease of Attack

Impact of Attack

Incentive to Attack

Increased Difficulty in Defense

1,542% estimated ROI for exploit kit & ransomware schemes (2015 Trustwave Global Security Report)

Page 17:

2016 Trustwave Global Security Report

• Investigation across 17 countries

• Weak application security: 97% of applications tested had at least one vulnerability; 10% of the vulnerabilities found were rated critical or high risk; median number of vulnerabilities per application: 14

• 60% of breaches targeted cardholder data (CHD)

• 59% of victims did not detect the breach themselves but through regulators, card brands & law enforcement

• Average time between intrusion and detection: 15 days for internally detected breaches, 168 days for externally detected/reported breaches

• Median time between detection and containment: 1 day for internally detected breaches, compared to 28 days for externally detected breaches

• Growth of Malware-as-a-Service

Page 18:

Difficulties in Defending against Attacks

• Attack: Ease, Impact, Incentive

Page 19:

Difficulty of detection

• Perpetrators of cyber crime facing jail time is still the exception.

• Victims of cyber theft may not be aware of the loss (IP, confidential information, etc.) for years, or ever.

• No one is immune!

59% of victims did not detect the breach themselves but through regulators, card brands & law enforcement

Externally detected breaches: an average of 168 days from intrusion to detection, and a median of 28 days from detection to containment

Page 20:

Cyber Economic Equation: Incentives Favour Attackers (Offence vs Defence)

Page 21:

The Target: Your Digital Crown Jewels?

• The most valuable asset of the 21st century company – Data

• Information is an asset which like other important business

assets, has value to an organization and consequently needs

to be suitably protected.

Page 22:

What are your Digital Crown Jewels?

• Intellectual property, cardholder data and confidential business information?

• One of the most serious, and hardest to quantify, components of cybercrime.

• The threat to IP has grown in the transition from tangible to intangible assets in a post-industrial, knowledge-worker society.

• More to gain by stealing intellectual property than several physical assets.

• Less effort, more reward

Page 23:

How do we tip the Economics Equation in our favour?

• Enhance your cybersecurity posture to
  • Increase the effort of the attacker
  • Reduce the reward

How do you win?

Page 24:

Tip the Cyber Security Economics Equation in your favour by building a culture of Information Security

Levels: National | Institutional/Corporate | Individual/Professional

Dimensions: People | Process/Controls | Technology

• Respondents are satisfied, but not overjoyed with security technology. Use of almost all security technologies increased… (CSI Annual Report 2009: Financial Fraud, Malware On The Increase)

Page 25:

Page 26:

What is at risk?

Reputation, Finances, Continuity ….

Page 27:

Page 28:

People Competence: Look beneath the surface

Knowledge, Skills, Behaviour, Values, Potential, Motives

Select for… / Train/Develop for…

Functional Quotient / Competencies / Personal qualities that form the foundation

Source: Thomas Int’l

People

Page 29:

Page 30:

Page 31:

Source: Apollo Education Group

Page 32:

Page 33:

Page 34:

Behavior... Why is it important?

• Your leadership style, communication style, and parenting style are heavily influenced by your personality style.

• How you communicate, build relationships, raise your kids, network at business meetings, and build teams all hinge on the interaction between your style and the style of people with whom you interact.

• It’s about understanding
  • who you are & what strengths you possess, and
  • placing yourself in situations that support you and your strengths.

• Understanding others: team & other stakeholders

• Well known personality profile tools
  • DISC
  • Myers-Briggs Type Indicator (MBTI®)
  • ….

Page 35:

Page 36:

Page 37:

But: You are only as strong as your weakest link!

Page 38:

The proverbial challenge

• How to inform, convince, influence, “sell” the need for improving IS security practices

• Information Security can only work when senior management support it.

• They will support only if they are convinced of its importance.

Setting the Tone at the TOP

Page 39:

Meeting the challenge: Motive, Opportunity & Means (MOM):

Motivation:

• What motivates our executives in decision making?

• What key concepts & terms do they use?

• What message do I need to be sending & how? FUD/ Bus. Benefits/ Competitive adv

Opportunity:

• What opportunities are there to meet with, be heard by, or gain access to senior executives? E.g.

• Summaries of recent cybercrimes

• Induction programmes,

• management presentations

• Audits/auditors to reinforce the message

• Regulatory guidelines

• Relevant standards

Means

• What creative ways to get the message heard by management?

• Compile links of current cyber crime cases

• Be innovative: videos, simulations, etc.

Page 40:

Page 41:

Creating the Human Firewall: Training, Education & Awareness

“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, AT&T, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.” Kevin Mitnick

Page 42:

The need for Training, Education & Awareness

Education

• Imparting knowledge e.g. certification training

• Technical staff

Training

• How to e.g. new software application/ methodology

• IT staff, users

Awareness

• “Top of mind”/ Real & relevant

• All: Management, Third parties, users, etc

Page 43:

Benefits of the Human Firewall

• Avoidance of the direct and indirect costs associated with inappropriate employee behaviour

• Compliance with specific regulatory and/or legal issues associated with information security: due care and due diligence

• Benefiting from the intrinsic value of having a more security-savvy workforce

• Minimising security breaches arising from ignorance or malicious intent, which often hamper operations and affect operational efficiency

• Reducing the risk of costly information security incidents.

Page 44:

The challenge is to build an enabling culture

Legal & Regulatory Framework (standards, policies, procedures, rules, regulations)
• a framework of acceptable behavior

Training & Awareness of the above by Management & Staff
• knowledge of acceptable behavior

Total commitment of Management & Staff
• tone at the top & a desire towards acceptable behavior

→ Secure Culture

Process/Controls

Page 45:

Best Practice: What does it offer?

• Can help address performance targets & conformance requirements in a single vehicle

• A continuous improvement approach: PDCA

• Periodic updates for currency

Myth… A well of collective wisdom

Page 46:

The Framework Forest

Page 47:

Categorising Frameworks/Standards

Governance: the umbrella
• ISO38500
• COBIT

Vision, Mission, Objectives, Strategy
• Business strategy frameworks
• Balanced Scorecard

Risk & Compliance
• ISO38500
• COSO
• COBIT
• ISO27001
• PCIDSS

IT Strategy/Architecture
• (IT) Balanced Scorecard
• TOGAF

Project/Change Mgt
• PRINCE2/PMBOK
• M_O_R, MSP
• COBIT
• CMMI

Balance Sheet
• ISO38500

Operations/Service Delivery & Mgt
• ISO27001/20000
• BS25999
• ITIL
• 6Sigma

Page 48:

Associated Standards/Frameworks

Information Security
• PCIDSS
• ISO27001
• ISO22301
• ISO31000

Business Continuity
• ISO22301
• BS OHSAS 18001
• ISO27001
• Data Centre Tiers

ITSM
• ITIL
• COBIT
• ISO20000
• CMMI

GRC
• COBIT
• COSO
• CMMI
• ISO15504
• ISO38500
• TOGAF

Project/Change/People Mgt
• PRINCE2
• PMP
• ISO 21500
• COBIT
• SFIA

Page 49:

Unbundling the Standards & Framework Forest

Standards with certification
• PCIDSS v3
• ISO27001:2013
• ISO20000:2011
• ISO22301:2011
• BS OHSAS 18001 (being replaced by ISO 45001)
• Data Centre Tier 3/4
• ISO 15504:2013

Standards not yet certifiable
• ISO8583
• ISO20022
• ISO38500:2015
• ISO31000

Frameworks/Methodologies
• COBIT 5
• COSO
• PRINCE2
• PMBoK
• TOGAF
• CMMI
• SFIA
• XBRL

Page 50:

The Role of Standards…

Standards help to develop a framework of acceptable behavior, a common language, process predictability & maturity

• Make the protection of corporate information assets “the law”. Make adherence to policy and standards a condition of employment. Policy, standards, and procedures must become part of a corporation’s living structure, not just a policy development effort.

Page 51:

Best Practice: Making it work for you

1. Do your homework: Select the right standard/framework/methodology

2. Secure & sustain top management buy in

3. Measure to Manage

4. Tailor & Customise

5. Train to Minimize Culture Shock & Resistance

6. Manage the Change: Communicate, take a participative approach

Page 52:

As a case study

Page 53:

Page 54:

Page 55:

The Nigerian Dimension….

Page 56:

CBN Standards Roadmap (June 2013)

Page 57:

Priority 1 Standards:
• Service Management
• Interfaces
• IT Security
• Application Reporting

Priority 2 Standards:
• IT Governance
• Strategic Alignment
• Project Management
• Work and Resource Management

Priority 3 Standards:
• Data Centre
• Business Continuity Management
• Enterprise Architecture
• OHSAS Management

Page 58:

CBN IT Standards Roadmap (April 2015)

Page 59:

[Bar chart] Global Best Practice Standard Certification Status (Nigeria), May 2017. Categories: PCIDSS (Payment Card Industry Data Security Standard), ISO27001 (Information Security Mgt System), ISO22301 (Business Continuity Mgt System), ISO20000 (IT Service Management). Series: Certified, In progress. Y-axis 0 to 30.

Page 60:

[Bar chart] Global Best Practice Standard Certification Status (Banks Only), May 2017. Categories: PCIDSS (Payment Card Industry Data Security Standard), ISO27001 (Information Security Mgt System), ISO22301 (Business Continuity Mgt System), ISO20000 (IT Service Mgt System). Series: Certified, In progress. Y-axis 0 to 25.

Page 61:

Page 62:

Data Centre Tiers

Page 63:

Impact

• Critical mass of certified organisations permeating the entire e-payments value chain

• High numbers of certified specialists in global best practice standards

• Significant deployment of world-class technology

• High levels of awareness

• Development of shared service models

• Private sector more impacted

Page 64:

Nigeria Cyber Crime Bill 2015

Objectives

• Provide an effective & unified legal framework to combat cybercrime in Nigeria

• Promote cyber security & protect systems, electronic communication, data, IP & privacy rights

• Ensure protection of Critical National Information Infrastructure

Page 65:

As a case study: GHANA

Pages 66-71: GHANA case study (image slides)

Page 72:

Defence in Depth: A layered approach to Information Security

People | Process | Tech

Page 73:

How do we tip the Economics Equation in our favour?

• Understand the attacker: mindset, tools, techniques, resources

• Enhance your cybersecurity posture to
  • Increase the effort of the attacker
  • Reduce the reward

How do you win? A holistic approach

Levels: National | Institutional/Corporate | Individual/Professional

Dimensions: People | Process/Controls | Tech

Page 74:

Key References

• 2015 & 2016 Trustwave Global Security Reports

• Building the High Performance Information Security Team. CEB Information Risk Leadership Council

• Competency Models for Enterprise & Cyber Security. Apollo Education Group

• Understanding the Hacker’s Mind: a psychological insight into the hacking of identities. Danube University

• Psychology and the Hacker: Psychological Incident Handling. SANS Institute InfoSec Reading Room

• Security Industry Survey of Risks & Professional Competencies. UOPX-ASIS Security Report

• The Global State of Information Security Survey 2016

[email protected]