Digital Jewels · 2018-11-28 · Transcript
Battling eFraud: The Place of Standards
A presentation by Adedoyin Odunfa. (CEO, Digital Jewels)
On the occasion of the Special Information Value Chain Breakfast Forum, hosted by Digital Jewels Ltd., July 2016, Accra, Ghana
Outline
• Setting the Context: Global & Regional Trends
• Cybercrime: a very present danger
• The Cyber Economic Challenge
• Unbundling the standards universe
• Adoption Snapshot: Nigeria as a case study
• Next Steps
GHANA
Cyber Threat Landscape
• 87% of iPhone & 97% of Android top 100 apps have been hacked
• 100% of companies experience virus attacks & 97% have experienced malware attacks
• 156 million phishing emails are sent every day
• 15 million make it through spam filters
• The average global cost for each stolen record is Euro 128
Cyber Attacks on Governments
• Over 11 Ghanaian Government Websites attacked in Feb 2015
• INEC website on election day
• Spate of Nigerian Government website attacks in recent times…
The Cyber Economics Challenge
(Diagram) Platform convergence: Web, Cloud, Social, Mobile, IoT, … + Security, Sharing + Global data expanding exponentially in Volume, Velocity, Variety and Complexity
= 2 sides of the same coin: Economics and Technology
• Technology is about HOW attacks occur
• Economics is about WHY attacks occur
Cyber Economics: the Why?
Attack parameters: Ease of Attack, Impact of Attack, Incentive to Attack; Increased Difficulty in Defense
Cybercriminals
• ‘If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.’ Sun Tzu
• Professional, organised, determined, innovative, meticulous in evolving techniques to remain steps ahead of targets.
1,542% estimated ROI for exploit kit & ransomware schemes
Attack: Ease, Impact & Incentive
• 574 data compromises investigated across 15 countries
• Weak passwords (28%) & weak remote access security (28%) were the two top causes of breaches, accounting for 94% of POS breaches
• Weak or non-existent input validation or unpatched vulnerabilities led to 75% of e-commerce breaches
• 49% of investigations involved the theft of PII & CHD
• 81% of victims did not detect the breach themselves but through regulators, card brands & law enforcement
• Average: 86 days to detect & 111 days from intrusion to containment
• 1,542% estimated ROI for exploit kit & ransomware schemes
• 98% of applications tested were vulnerable
• 95% of mobile applications were vulnerable
• “Password1” is still the most common password. 8-character passwords took 1 day to crack; 10-character passwords took 591 days to crack
Difficulties in Defending against Attacks
Difficulty of detection:
• Perpetrators of cyber crime facing jail time is still the exception.
• Victims of cyber theft may not be aware of the loss (IP, confidential information, etc.) for years—or ever.
• No one is immune!
• 81% of victims did not detect the breach themselves but through regulators, card brands & law enforcement
• Average: 86 days to detect & 111 days from intrusion to containment
Cyber Economic Equation: Incentives Favour Attackers (Offence vs. Defence)
The Target: Your Digital Crown Jewels?
• The most valuable asset of the 21st century company – Data
• Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
What are your Digital Crown Jewels?
• Intellectual property, Card Holder Data and confidential business information?
• One of the most serious, and hardest to quantify, components of cybercrime.
• The threat to IP has grown in the transition from tangible to intangible assets in a post-industrial, knowledge-worker society.
• More to gain by stealing intellectual property than several physical assets.
• Less effort, more reward
How do we tip the Economics Equation in our favour?
• Enhance your Cyber Security Posture to:
• Increase the effort of the attacker
• Reduce the reward
Tip the Cyber Security Economics Equation in your favour by building a culture of Information Security
Levels: National; Institutional/Corporate; Individual/Professional
Dimensions: People; Process/Controls; Technology
The challenge
• The need to build an enabling culture.
• Culture dictates behavior.
(People, Process/Controls, Technology)
Defence in Depth: A layered approach to Information Security (People, Process/Controls, Technology)
The challenge is to build an enabling culture
• Standards, policies, procedures, rules, regulations (a framework of acceptable behavior)
• Training & awareness of the above by employees (knowledge of acceptable behavior)
• Total commitment of ALL employees to the above (desire towards acceptable behavior)
= Secure Culture
Best Practice: What does it offer?
• Can help address performance targets & conformance requirements in a single vehicle
• A continuous improvement approach: PDCA
• Periodic updates for currency
Myth… A well of collective wisdom
The Framework Forest
Unbundling the Standards & Framework Forest
Standards with Certification: PCIDSS v3; ISO27001:2013; ISO20000:2011; ISO22301:2011; BS OHSAS 18000 / ISO 45001; Data Centre Tier 3/4; ISO 15504:2013
Standards yet to be Certifiable: ISO8583; ISO20022; ISO38500:2015; ISO31000
Frameworks/Methodologies: COBIT 5; PRINCE2; PMBoK; TOGAF; CMMi; SFIA; XBRL
Associated Standards/Frameworks
Information Security: PCIDSS; ISO27001; ISO22301; ISO31000
Business Continuity: ISO22301; BS OHSAS 18000; ISO27001; Data Centre Tiers
ITSM: ITIL; COBIT; ISO20000; CMMI
IT Governance: COBIT; CMMI; ISO15504; ISO38500; TOGAF
Project/Change/People Management: PRINCE2; PMP; ISO 21500; COBIT; SFIA
ISO2700x family
ISO27001
Mapping ISO27001 with PCIDSS
PCIDSS requirements 1–12 mapped against ISO 27001 Annex A control objectives A.5–A.18 (each ● in the original matrix marks a mapping; column alignment was lost in extraction, so the count of mapped objectives per requirement is shown):
PCIDSS Requirement | Mapped Annex A control objectives (A.5–A.18)
1  | 6
2  | 2
3  | 5
4  | 2
5  | 4
6  | 6
7  | 1
8  | 1
9  | 6
10 | 4
11 | 6
12 | 11
Most PCIDSS controls are focused around four (4) ISO27001:2013 controls and control objectives highlighted, i.e. Access Control, Cryptography, Operations Security and Communication Security.
Mapping/Overlap of ISO27001 to ISO22301
ISO 27001, A.17 Business Continuity Management, mapped to ISO 22301:2012
A.17.1 Information security aspects of business continuity management. Objective: Information security shall be embedded in the organization’s business continuity management system.
A.17.1.1 Planning information security continuity. Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | ISO 22301: 6.1 Actions to address risks and opportunities
A.17.1.2 Implementing information security continuity. Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | ISO 22301: 8.1 Operational Planning and Control
A.17.1.3 Verify, review and evaluate information security continuity. Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | ISO 22301: 9.1 Monitoring, measurement, analysis and evaluation
Attaining & Sustaining Certification
ISO Standards: Year 0: Initial Certification; Year 1: Surveillance Audit; Year 2: Surveillance Audit; Year 3: Recertification Audit
PCIDSS: Annual Recertification
On-going Vigilance
Compliance: Challenges & Concerns
The Benefits of Best Practices
• Avoid re-inventing the wheel
• Reduce dependency on experts
• Increase potential to utilise trained rookies
• Make it easier to leverage external assistance
• Overcome vertical silos & non-conforming behavior
• Reduce risks & errors
• Improve quality
• Improve ability to manage & monitor
• Increase standardisation leading to cost reduction
• Improve trust & confidence from management & partners
• Create respect from regulators & other external reviewers
• Safeguard & prove value
Creating the Human Firewall: Training, Education & Awareness
‘The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, AT&T, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.’ Kevin Mitnick
Information Security Governance (People, Process/Controls, Technology)
The need for Training, Education & Awareness
Education
• Imparting knowledge e.g. certification training
• Technical staff
Training
• How to e.g. new software application/ methodology
• IT staff, users
Awareness
• “Top of mind”/ Real & relevant
• All: Board, Management, Third parties, users, etc.
The Nigerian Dimension…
CBN Standards Roadmap (June 2013)
Priority 1 Standards:
• Service Management
• Interfaces
• IT Security
• Application Reporting
Priority 2 Standards:
• IT Governance
• Strategic Alignment
• Project Management
• Work and Resource Management
Priority 3 Standards:
• Data Centre
• Business Continuity Management
• Enterprise Architecture
• HSE Management
Industry IT Standards Roadmap (June 2013)
Categories: Service Management & Operations; Solutions Delivery; Information & Technology Security; Architecture & Information Management; Strategic IT Alignment & Governance
Standards: PCI-DSS *; ISO 27001 / 27002; XBRL; ISO 8583; TOGAF; COBIT; PMBOK / PRINCE2; CMMI; ITIL; SFIA; DC Tier Standards (Target Maturity: Tier 3); BCI GPGs / BS25999 / ISO 22301; OHSAS 18001
Timeline: 2012 to 2018 (Priority 1 Standards)
CBN IT Standards Roadmap (April 2015)
Chart: Global Best Practice Standard Certification Status (Nigeria), April 2016. Standards: PCIDSS (Payment Card Industry Data Security Standard); ISO27001 (Information Security Mgt System); ISO22301 (Business Continuity Mgt System); ISO20000 (IT Service Management). Series: Certified, In progress.
Chart: Global Best Practice Standard Certification Status (Banks Only), April 2016. Standards: PCIDSS (Payment Card Industry Data Security Standard); ISO27001 (Information Security Mgt System); ISO22301 (Business Continuity Mgt System); ISO20000 (IT Service Mgt System). Series: Certified, In progress.
Data Centre Tiers
Best Practice: Making it work for you: 6 essential steps
1. Do your homework: select the right standard/framework/methodology
2. Secure & sustain top management buy-in
3. Measure to Manage
4. Tailor & Customise
5. Train to Minimize Culture Shock & Resistance
6. Manage the Change: Communicate, take a participative approach
Nigeria Cyber Crime Bill 2015
Objectives
• Provide an effective & unified legal framework to combat cybercrime in Nigeria
• Promote cyber security & protect computer systems, electronic communications, data, intellectual property & privacy rights
• Ensure protection of Critical National Information Infrastructure
GHANA
In Conclusion: build a secure culture
• Standards, policies, procedures, rules, regulations (a framework of acceptable behavior)
• Training & awareness of the above by employees (knowledge of acceptable behavior)
• Total commitment of ALL employees to the above (desire towards acceptable behavior)
= Secure Culture
Take a Holistic View: What works?
Remember: You are only as strong as your weakest link!
References
• 2015 Trustwave Global Security Report
• 2016 Trustwave Global Security Report
• PWC Global State of Information Security Survey 2016
• Norton CyberSecurity Insights Report
• Internet Security Threat Report VOLUME 21, April 2016
• Wearesocial (2016 data)
• CBN Standards Roadmap (2013, 2015)
• Bank of Ghana Publications
Adedoyin Odunfa.
CEO, Digital Jewels
IVC Breakfast Forum: an eclectic platform for knowledge sharing, information exchange & business networking
Free Knowledge Sharing, Information Exchange, Business Networking Sessions
65 sessions of industry-shaping knowledge sharing sessions… still counting
Celebrates Engagement & Publications…
SECURE :: ASSURE :: ENABLE :: EMPOWER :: MANAGE
An innovative approach to Information Security awareness…
Independent; Focused & Specialized; Painstaking & Rigorous; Experienced Professional
• Specialised Independent Information Value Chain Consulting & Capacity Building Firm
• Focused on Governance, Risk & Compliance & Capacity Building along the Information Value Chain.
• Team of professional, experienced and certified consultants
• Strong Local Information Security & Assurance Track record
• Strong international partnerships
• Optimal blend of local expertise and experience
Digital Jewels Ltd
About Digital Jewels: Secure. Assure. Enable. Empower. Manage
Secure: Information Security
Assure: Information Assurance
Enable: E-business
Empower: Capacity Building
Manage: Project Management
1st & only ISO27001, ISO9001 & PCIDSS QSA Professional Services Firm in Africa
Strengthening IT Governance, Risk & Compliance across Africa…