Cybersecurity

"Toward a Strategic Approach to Cyber Risk"

Summary:
What is the current cyber risk?
Learn lessons from experience.
What approach should we take?
What capabilities do we need?
Risk management – for organizations and countries

Presentation Transcript

  • Cybersecurity – Toward a Strategic Approach to Cyber Risk
    Andy Purdy, Chief Cybersecurity Strategist
    May 18, 2010
    CSC Webinar – Cybersecurity – Towards a Strategic Approach on Cyber Risk, Page 1
  • Summary
    1. What is the current cyber risk?
    2. Learn lessons from experience.
    3. What approach should we take?
    4. What capabilities do we need?
    5. Risk management – for organizations and countries
  • What is the current cyber risk?
  • What is Cyber?
    • Cyber is the ability to operate in cyberspace to achieve the results that you intend and not those intended by your adversaries, competitors or cyber criminals.
  • In this brave new world we tread…
    • November 2002 (Geopolitics): The rise of the botnets – a DDoS carried out by an army of citizen-zombie computers.
    • April 2004 (Sasser): Widespread outages around the world – Agence France-Presse (AFP) had its satellite communications blocked, Delta Airlines cancelled several transatlantic flights, If and Sampo Bank closed 130 offices; also impacted were Goldman Sachs, Deutsche Post, the European Commission and Lund University Hospital.
    • January 2010 (Google discloses): The NYT, April 2010 – "…losses included one of Google's crown jewels, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including e-mail and business applications…"
    • Looking into the future: APT / botnets / integrity attacks / convergence of threats to converged infrastructures.
  • …cheerfully, into the unknown
    • 4G wireless broadband networks: LTE and WiMAX – 100 Mbit/s on the move and 1 Gbit/s stationary; the world goes wireless
      – Tens of billions of devices (smart phones, metering)…
    • Convergence in technology and infrastructure: sharing the same threats
      – Voice, video and data using a common protocol (IP), sharing a common infrastructure, and sharing the risks
      – All national infrastructures (energy, transportation) using the same ICT infrastructure
      – Threats that transfer between data, video and telephony
      – Cloud computing: a shared ICT infrastructure – shared risks
  • Premises
    • Experience is only valuable if we learn from it and act on it
    • Information sharing is not enough
    • A strategic approach to the cyber challenge is essential
    • Stakeholder collaboration is critical at each level
    • Threat information is important, but risk should be the driver
    • Risk management is critical for organizations, nations, and the global information infrastructure
  • Summary of Cyber Risk
    • The use of innovative technology and interconnected networks in operations improves productivity and efficiency, but also increases the vulnerability to cyber threats if cybersecurity is not addressed and integrated appropriately.
    • A spectrum of malicious actors routinely conducts attacks against the cyber infrastructure using cyber attack tools.
    • Because of the interconnected nature of the ICT infrastructure, these attacks could spread quickly and have a debilitating effect.
  • Learn lessons from experience.
  • Industry concerns?
    • Data vulnerability due to the sizable increase in data volumes, flows, and interfaces
    • System security resulting from converged, automated, and integrated environments
    • New devices that may be immature and have security limitations
    • Consumer privacy from increased connectivity, devices, and intelligence
    • Potential fraud from insufficient tamper protection
    • Overall increase in the complexity of a utility's compliance profile
    Adapted from EPRI source image
  • Introduction: Cybersecurity – a National Security Imperative and Global Business Issue
    • Nations and critical infrastructure owners and operators are dependent on Cyber for national security, economic well-being, public safety and law enforcement, and privacy.
    • Major companies must ensure the resiliency of their operations, protect their reputations and the privacy of their customers, differentiate their brand, and meet compliance obligations.
    • Innovative technologies and information assurance strategies must be implemented by government and private companies through fully integrated, end-to-end cyber solutions.
  • Secure ICT also Represents …
    • Technological advantage
    • Opportunity to gain competitive advantage
    • Opportunity to help shape the global cyber environment in support of US interests
    • An exciting field for our emerging technology
    • An additional foundation for academic excellence
  • What approach should we take?
  • A Strategic View of ICT Security
    • There is no real separation in cyberspace; we share a common environment with allies, partners, adversaries, and competitors.
    • It is important to understand computer network defense, and to be informed by exploitation and attack.
    • Security is more about architecture and integration than about deployment of more products to build perimeter defenses.
  • Public Policy Challenge
    • Nations are dependent on cyber for national security, economic well-being, public safety, and law enforcement
    • Risk is real but not visible and obvious
    • Authority/control is spread among multiple entities in the public and private sectors
    • ICT is international
    • Individuals and organizations are reactive and tactical, not proactive and strategic
    • We do not learn lessons from the past
  • Learn Lessons from Experience
    • Recognize the value of lessons learned to enhance preparedness
    • Systematize after-action processes for exercises AND real-world events
    • Take a pro-active, strategic approach to risk
    • A robust risk management program can facilitate and prioritize planning, decision-making, and resource allocation
    • A strategic approach to ICT risk management should be grounded in architectural, design, and process principles
    • Stakeholders should be engaged in the assessment and mitigation of ICT risk, spending on research & development, and cyber incident response and recovery preparedness
  • Regulatory Environment – Upcoming Challenges for the Private Sector and Critical Infrastructure?
    • Legislative perspective: has the private sector done enough to secure its own facilities?
    • Executive perspective: concern about government and critical infrastructure relative to cyber threats.
    • Power/utility, transportation, and other critical infrastructure sectors are of significant cyber concern.
    • The private sector favors voluntary, private-sector-developed standards, incentives, and safe harbor provisions rather than regulations.
  • The "New Reality"
    • Global recognition that "national health and security…" is permanently intertwined with the internet.
    • National governments across the globe intend to actively address cyber security risks to specified private-sector infrastructures of interest supporting national programs and critical infrastructure segments.
    • Examples of the "national health and security…" requirement in evidence:
      – Transglobal Secure Collaboration Program (TSCP) – a voluntary collaborative program (funded by membership contributions)
        • Governments – US, UK, Netherlands
        • Companies – BAE, Boeing, EADS, Lockheed Martin, Northrop Grumman, Rolls Royce, Raytheon
      – U.S. Defense Industrial Base (DIB) – a threshold of capabilities defined by U.S. DoD to protect Controlled Unclassified Information (CUI) used in Defense contracts
        • Established and monitored by US DoD (as expressed in the DIB Cyber Security Benchmark and DIB CONOPS)
        • One-to-one framework agreements, funded by individual companies
      – U.S. Comprehensive National Cybersecurity Initiative (CNCI)
      – Activities of the European Network and Information Security Agency (ENISA)
  • What capabilities do we need?
  • What is missing nationally and internationally?
    • What do we need to worry about and what do we need to do about it?
    • We need to
      – know our risk posture,
      – identify requirements for addressing that risk that are generated by a public-private collaboration, and
      – make it easy to hold stakeholders accountable.
  • What is needed nationally and internationally?
    A strategic approach to facilitate public/private collaboration and information sharing to set requirements, and to resource, execute, and track progress on:
    • ICT risk;
    • ICT preparedness;
    • Malicious activity and cyber crime; and
    • Research and development.
  • How should the challenge of ICT risk and preparedness be addressed?
    • Stakeholders at the organizational, national, and international levels must work together
      – to identify critical functions,
      – assess and mitigate risk, and
      – plan, and build capacity for, response and recovery
    • Use standards to drive risk reduction
    • Exercise to identify gaps and improve
    • Pursue innovation
    • Use this process to identify requirements to drive resource allocation for risk mitigation, response preparedness, and research and development
  • Risk management – for organizations and countries
  • Protecting your Organization, Clients, and Customers
    • Use lessons learned from Advanced Persistent Threats (APTs) and other sophisticated attackers to strengthen active defense
    • Work in public-private partnerships to strategically collaborate and share information about threat and risk
  • Strategic Approach to Malicious Cyber Activity
    • An initiative to promote a strategic approach – by government (not just law enforcement) and the private sector – against malicious cyber activity
    • Need to build national and international information sharing capabilities to collect, preserve, analyze, and share information on malicious actors AND enablers, using a federated data-sharing model.
    • Need good national and international data on cyber crime.
  • Government Cyber Security Involvement
    • Government needs to help define domestic, EU, and allied ICT interests
    • Using those interests, Government needs to create a stronger interagency and inter-governmental policy process and policy (guiding principles)
    • Collective interests need to be represented consistently in all international fora concerned with global cyber security and cyber governance; if not, global policy and governance may not conform to national and international interests
    • Your country, the EU, and its allies need a consistent approach to the ICT risk in critical infrastructure
      – Focus on security standards, rather than prescribed processes (i.e., define how secure to be, not how to be secure)
      – Recognize that the threat is advanced and dynamic; a "cookbook" approach will not adapt sufficiently well to such a threat
    • Sensitize the private sector and the public to the threat; recognize that adversaries do not reserve their most advanced technologies for use only against our Government
  • Private Sector Role
    • Request government to facilitate information exchange and enhanced collaboration.
    • What actions are advisable?
    • What incentives would help bring those actions about?
  • The Model-Portfolio – A Different Way to View the Problem
    An integrated set of capabilities consistent with a model – new to the industry – fit for purpose – for the demands of a complex global problem
    • The "security stack" defines the problem complexity and the sophistication needed in the solution
    • Demonstrated ability to scale to the full dimensions of the problem
    • Demonstrated ability to leverage our government knowledge, applied to our commercial delivery
    • Allows us to see the gaps and determine how we close them
  • Making a better case … for why CSC
    • Cyber security is a core competency of CSC in both commercial and public sectors
    • Comprehensive capability – the full range of the "security stack"
    • Cross-leverage what we know between commercial and public sectors
    (Figure labels: SOCs to Fortune 500s; Defense Industrial Base; Nation-State Threats; Commercial Sector; Worldwide presence; Groundbreaker; ISO 27001 preparations; Forensics training; Biometric Access; System Certification; Public Sector; Physical-Logical Access; Personnel Quals)
  • A New Idea: The Security Stack as a Model … for how we present, organize, determine gaps, and integrate. Only CSC and IBM can make this case.

    The Security Stack – Functional Technologies by layer

    Layer 4 – The Exercise of National Sovereignty
      – Ethical hacking – integrating government capabilities

    Layer 3 – Situational Awareness (External to the Perimeter: Determine Source – Adjust Defenses)
      – Worldwide monitoring
      – Attestation – adjusting the defenses

    Layer 2 – Integrated Security Overlay (Prevent-Detect-Response)
      – Security Incident/Event Manager
      – OOB managed devices
      – Perimeter defenses (firewalls)
      – Intrusion detection/prevention
      – Data Loss Prevention
      – Honeypots

    Layer 1 – Assured Systems
      – CMDB and content
      – White listing
      – PIV-based biometric access
      – Single Sign On
      – Data encryption and key management
      – Vulnerability assessment

    Cyber Security Services
      – Security consulting – understand and manage risk
      – Security integration led by solution architects
      – Managed Security Services
      – Forensics analysis assessments
      – Certification and accreditation
      – Security training – cyber experts
      – Product and system evaluation – Common Criteria
      – Penetration testing – ethical hacking
      – Compliance
      – Disaster Recovery / Business Continuity
  • CSC Cyber Security Overview (1 of 3)
    • More than 1,400 full-time security professionals globally
    • Security and compliance services to
      – More than 150 commercial clients globally in more than 40 countries
      – Many Fortune 500 companies, including many with PCI compliance
      – U.S. federal agencies and many state and local government clients
      – Non-U.S. government clients (UK Royal Mail, UK National Health Service)
    • Wide range of security offerings
      – Managed Security/SOC services
      – Endpoint Protection
      – Messaging Security
      – Data loss prevention
      – Compliance Monitoring/Enforcement
      – Vulnerability, Risk and regulatory assessments
      – Forensic and Investigative Response
      – Identity and Access management and biometrics
      – Security engineering, integration, and testing
      – Disaster recovery and business continuity
  • CSC Cyber Security Overview (2 of 3)
    • SSE-CMM Level 4 information security practices, assessed by an independent third party
    • Defense Security Service (DSS) Cogswell Award for 5 of the past 10 years
    • Achieved ISO 27001 certification for the CSC-managed EPA security program
    • Many CSC data centers and service delivery centers achieved third-party ISO 27001 certification
    • Major provider of vulnerability assessments, risk assessments and security accreditation services to Federal agencies
    • Active SAS 70 audit program
    • Operates the DoD Cyber Investigative Training Academy
    • Biometric engineering services to DoD
    • Operates certified Common Criteria Test Laboratories in the U.S., Australia and Germany under ISO 15408
    • Operates a FIPS 140-2 NVLAP-certified Cryptographic Module Test Laboratory
  • CSC Security Operations Centers (SOCs) (3 of 3)
    Managed Security Services delivery around the globe in all regions
    • Commercial SOC operations
      – North America (Newark, DE) – 33 customers
      – UK (Chesterfield) – 15 customers
      – Australia (Sydney) – 9 customers
      – India (Hyderabad) – 17 customers
      – Malaysia and Hong Kong – 2 customers
    • U.S. Federal SOC/CERT/CSIRT support
      – Defense Information Systems Agency (DISA)
      – U.S. Air Force
      – U.S. Army
      – Dept of Homeland Security
      – EPA
      – NOAA
    • Monitor and manage thousands of security devices worldwide
      – Network/Host IDS/IPS
      – Audit Log Storage/Monitoring
      – Security Event Management
      – Security Incident Response Services
      – Technical Compliance Monitoring
      – Vulnerability Scanning and Alerting
      – End Point Security Management
      – Managed Encryption Services
      – Data Loss Prevention
      – Forensic Response
    (Map locations: Chesterfield, UK; Marlton, NJ; Newark, DE; Annapolis Junction, MD; Hong Kong; Hyderabad, India; Kuala Lumpur; Sydney, Australia)
    Consistent and effective 7x24 security monitoring, detection, response and recovery
  • Representative Cyber Security Clients
    • Public Sector: Internal Revenue Service, FAA, USDA, Dept. of Education, Environmental Protection Agency, Dept of Energy, Department of Homeland Security, Australian Department of Immigration and Citizenship, Prime Minister and Cabinet, Department of the Attorney General and Transport Accident Commission; Canadian Treasury Board Secretariat, Communication Security Establishment Canada, Public Safety Canada, Canada Revenue Agency, Transport Canada, DISA, DCITA, U.S. Army, U.S. Navy, U.S. Marine Corps, U.S. STRATCOM, Office of Secretary of Defense, Biometric Fusion Center, U.K. Ministry of Defense, Danish Ministry of Defense
    • Aerospace & Defense: Textron, Raytheon, Boeing, Hawker Beechcraft, UTC, General Dynamics, Spirit Aerospace
    • Financial and Insurance Services: Allianz, AMP, Dunn and Bradstreet, Maybank, Toyota Financial Services, Zurich, PartnerRe, Alliancez, AMP, IMB, GE Capital, Toyota Financial Services
    • Retail & Distribution: Coles, Myer, David Jones, Estee Lauder, Cargill, Astro
    • Travel & Transportation: Railcorp, Bombardier
    • Health Services: National E-Health Transition Authority, University of Pennsylvania Health Systems, UK National Health Service, Nobel Biocare, Ascension Health, Consolidated Medicaid/Medicare (CMS), Virginia and North Carolina, Medicare/Medicaid Information Systems, eMed of New York, Stellaris Health
    • Manufacturing: BlueSteel, OneSteel, Delphi, Chrysler, Freescale, Westinghouse, Motorola, Nissan, Xerox, Bombardier, Nissan
    • Chemical, Energy & Natural Resources: Powercor, BHPB, Rio Tinto, Alcoa, Woodside Petroleum, Newmont Mining, Shell, DuPont, BHP Billiton Petroleum, Watercorp, Western Power, Exelon, Basell, Invista, Anglian Water, National Grid, Urenco, BNFL
  • CSC Strategic Security Partners
    CSC's formal partnership with leading security vendors
    – Special discounts on industry-leading security tools
    – Responsive procurement
    – Insight into emerging security technology
    – Increased depth of managed security services
  • Thank you for your attention!
    Contact: Andy Purdy, Chief Cybersecurity Strategist
    dpurdy@csc.com
    apurdy1@gmu.edu
  • Further webinars: 15.06.10 / 15:30–16:30 / Societal Change: "Doing Social Media – Tips & Tricks for Planning and Execution". Source: www.de.csc.com