valuendo cyberwar and security (okt 2011) handout

Marc Vael Director

The vulnerability

of high hazards plant

to cyber attack

Cybersecurity threats

• Cyber-criminals

• Malware

• Phishers

• Spammers

• Negligent staff

• Hackers

• Unethical employees misusing/misconfiguring security functions

• Unauthorized access, modification, disclosure of information

• Nations attacking critical information infrastructures

• Technical advances that can render encryption algorithms obsolete

Cyberattacks are

DIFFICULT to execute.

Lessons learned so far

Governments do have

the resources/skills to conduct

cyberattacks.

Lessons learned so far

Cyberattacks are war. Lessons learned so far

Cyberwarfare is

"the fifth domain

of warfare“

“Cyberspace is a new domain in warfare which

has become just as critical to military operations

as land, sea, air and space.”

“Actions to penetrate computers or networks for the

purposes of causing damage or disruption.”

Information warfare is

“using & managing IT

in the pursuit of a

competitive advantage

over an opponent“

Cyberattacks are a real, clear and present danger to organisations & government

agencies.

Lessons learned so far

“It’s possible that hackers have gotten into administrative computer systems of utility companies, but says those aren’t linked to the equipment controlling the grid, at least not in developed countries. I have never heard that the grid itself has been hacked..”

Howardt Schmidt, Cyber-Security Coordinator of the US

Targeted organizations are unprepared.

Lessons learned so far

Security professionals are at risk.

Lessons learned so far

Risk always exists! (whether or not it is

detected / recognised by the organisation).

Impact of an attack on the business

Cyberattack mitigating strategies

Corporate governance : ERM = COSO

Support from Board of Directors & Executive Management

Cyberattack mitigating strategies

Managing risks appropriately

Cyberattack mitigating strategies

Policies & Standards

Cyberattack mitigating strategies

Cyberattack mitigating strategies

Project Management

Cyberattack mitigating strategies

Supply Chain Management

Cyberattack mitigating strategies

EDUCATION!

Providing proper funding

Cyberattack mitigating strategies

Providing proper resources

Cyberattack mitigating strategies

Measuring performance

Cyberattack mitigating strategies

Review / Audit

Cyberattack mitigating strategies

Incident/Crisis Management

Cyberattack mitigating strategies

Information Criteria • Effectiveness • Efficiency • Confidentiality • Integrity • Availability • Compliance • Reliability

IT RESOURCES • Applications • Information • Infrastructure • People

MONITOR & EVALUATE

PO1 Define a strategic IT plan

PO2 Define the information architecture

PO3 Determine technological direction

PO4 Define the IT processes, organisation and

relationships

PO5 Manage the IT investment

PO6 Communicate mgt aims & direction

PO7 Manage IT human resources

PO8 Manage quality

PO9 Assess and manage IT risks

PO10 Manage projects

AI1 Identify automated solutions

AI2 Acquire & maintain application software

AI3 Acquire & maintain IT infrastructure

AI4 Enable operation and use

AI5 Procure IT resources

AI6 Manage changes

AI7 Install & accredit solutions and changes

ME1 Monitor & evaluate IT performance

ME2 Monitor & evaluate internal control

ME3 Ensure compliance with external requirements

ME4 Provide IT governance

DS1 Define & manage service levels

DS2 Manage third-party services

DS3 Manage performance & capacity

DS4 Ensure continuous service

DS5 Ensure systems security

DS6 Identify & allocate costs

DS7 Educate & train users

DS8 Manage service desk and incidents

DS9 Manage the configuration

DS10 Manage problems

DS11 Manage data

DS12 Manage the physical environment

DS13 Manage operations

PLAN & ORGANISE

ACQUIRE & IMPLEMENT

DELIVER & SUPPORT

Information Criteria • Effectiveness • Efficiency • Confidentiality • Integrity • Availability • Compliance • Reliability

IT RESOURCES • Applications • Information • Infrastructure • People

MONITOR & EVALUATE

PO1 Define a strategic IT plan

PO2 Define the information architecture

PO3 Determine technological direction

PO4 Define the IT processes, organisation and

relationships

PO5 Manage the IT investment

PO6 Communicate mgt aims & direction

PO7 Manage IT human resources

PO8 Manage quality PO9 Assess and manage IT risks

PO10 Manage projects

AI1 Identify automated solutions

AI2 Acquire & maintain application software

AI3 Acquire & maintain IT infrastructure AI4 Enable operation and use

AI5 Procure IT resources

AI6 Manage changes

AI7 Install & accredit solutions and changes

ME1 Monitor & evaluate IT performance

ME2 Monitor & evaluate internal control

ME3 Ensure compliance with external requirements ME4 Provide IT governance

DS1 Define & manage service levels

DS2 Manage third-party services DS3 Manage performance & capacity

DS4 Ensure continuous service

DS5 Ensure systems security DS6 Identify & allocate costs

DS7 Educate & train users DS8 Manage service desk and incidents

DS9 Manage the configuration

DS10 Manage problems

DS11 Manage data

DS12 Manage the physical environment

DS13 Manage operations

PLAN & ORGANISE

ACQUIRE & IMPLEMENT

DELIVER & SUPPORT

Information Security Management

Your security solution is as strong …

… as its weakest link

“I don’t care how many millions of dollars you spend on security technology. If you don’t have people trained properly, I’m going to get in if I want to get in.”

Susie Thunder, Cyberpunk

Marc Vael CISA, CISM, CISSP, CGEIT, ITIL Service Manager, Prince2

Director Knowledge Board

ISACA

3701 Algonquin Road, Suite 1010

Rolling Meadows

IL 60008 USA

http://www.isaca.org/security

marc@vael.net

http://www.linkedin.com/in/marcvael

http://twitter.com/marcvael

Contact information