3. 2011 Outlook: (ISC)²
• Cybercrime and Espionage
• Software Security
• Mobile Security
• The Business Face of Security
• Security as a Profession
• Evolution of Security Technology
• Cloud Computing
• Data Loss Prevention & Rights Management
• Social Media
• Regulatory and Political
4. TISA : Thailand Information Security Association
TISA web site : http://www.tisa.or.th
5. Information Security TRIAD
Information Security = Confidentiality, Integrity, Availability
14/10/54
6. Today’s Key Concerns
Cyber Threats
• Increasing Social Network Attacks
• Identity theft
• Privacy issue in Social Networking
• Security issue in Social Networking
• Ethical issue
Considerations
• Ethical and Strategic Issues in Organization
Issues
• Social Networking Policies
• Lifestyles
• User Awareness
Impacts
• Individuals
• Corporate
• Social
People are the “KEY”
Social Networking Security Conference 2010
8. IT Security Roles
1. Chief Information Officer
2. Digital Forensics Professional
3. Information Security Officer
4. IT Security Compliance Officer
5. IT Security Engineer
6. IT Security Professional
7. IT Systems Operations and Maintenance Professional
8. Physical Security Professional
9. Privacy Professional
10. Procurement Professional
10. The Competent Officials: knowledge and qualification
Competent Official: appointed by the ICT Minister after taking an examination
Graduations/Experiences
• Computer Forensics
• Information Technology
• Computer Science
• Information Security
• Laws
Qualifications
• Information Security Training
• Computer/Network Forensics Training
• Moral/Ethics Course
• Law Enforcement Course
11. The 2010 State of Cybersecurity from the
Federal CISO’s Perspective — An (ISC)2 Report
13. Business Motivations For Hacking
Source: Breach Security 2007, incidents by attack outcome
14. Leading IT and InfoSec Professional Certification Institutes
15. CISSPs in Asia - South Korea: Highest in Asia
As of: 30/SEPT/07
• South Korea (2,003)
• Hong Kong (1,311)
• Singapore (947)
• India (909)
• Japan (883)
• China (400)
• Taiwan (238)
• Malaysia (177)
• Philippines (112)
• Thailand (91)
• Indonesia (44)
• Sri Lanka (35)
• Macao (8)
20. BCM
Standards
• ISO 27002 Control 14.1: Information Continuity Management
• ISO 27005: Risk Assessment
• ISO 24762: ICT DR Services
Risk Mitigation
• Vendor Risk Mgmt
• DR site
• Power Supply
• Telecom
• Fire Protection
• DR plan
• Asset Mgmt
• Logical Access Control
• Physical Access Control
21. Governance, Risk & Compliance - GRC
Source: A New Strategy for Success Through Integrated Governance, Risk and Compliance Management, PwC white paper
Stakeholder Expectations
Governance: setting objectives, tone, policies, risk appetite and accountabilities; monitoring performance.
Key linkage: Objectives & Risk Appetite
Enterprise Risk Management: identifying and assessing risks that may affect the ability to achieve objectives and determining risk response strategies and control activities.
Key linkage: Risk Response & Control Activities
Compliance: operating in accordance with objectives and ensuring adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.
Laws, Policies, Procedures, Processes/system, People, Tools & Technologies
22. GRC related best practices and compliance
• SOX
• CobiT 4.1
• GLBA
• HIPAA
• ITSM
• ITAF/GTAG
• ISO/IEC 27001
• Corporate Governance
• PCI DSS
• IT Governance
• BS25999 (BCM)
• ITIL & ISO/IEC 20000
• ISO/IEC 27006
• Basel II
• COSO (ERM)
• CCA/ETA
(C) Copyright 2007-2009, ACIS Professional Center Company Limited
23. Difference among IA, IT Audit, Infosec Audit and System Security Audit
Internal Audit
• Audit scope: Enterprise
• Audit framework: COSO
• Audit objective: CG
• Professional cert.: CIA
IT Audit
• Audit scope: IT
• Audit framework: CobiT
• Audit objective: ITG, IT/Biz Alignment
• Professional cert.: CISA
InfoSec Audit
• Audit scope: IS Security
• Audit framework: ISO27001
• Audit objective: Security Governance
• Professional cert.: CISSP, IRCA:ISMS
System Security Audit
• Audit scope: System specific
• Audit framework: NIST (SP800-53A, SP800-115), NSA:IAM, OSSTMM
• Audit objective: System security, hardening
• Professional cert.: NSA:IAM, OPST, OPSA, CEH, SSCP, CSSLP etc.
24. Information Technology (IT) Security
Essential Body of Knowledge (EBK)
A Competency and Functional Framework
for IT Security Workforce Development
September 2008
United States Department of Homeland Security
27. IT Security Roles
1. Chief Information Officer
2. Digital Forensics Professional
3. Information Security Officer
4. IT Security Compliance Officer
5. IT Security Engineer
6. IT Security Professional
7. IT Systems Operations and Maintenance Professional
8. Physical Security Professional
9. Privacy Professional
10. Procurement Professional
28. Competency Areas (MDIE in each)
1. Data Security
2. Digital Forensics
3. Enterprise Continuity
4. Incident Management
5. IT Security Training and Awareness
6. IT System Operations and Maintenance
7. Network and Telecommunication Security
8. Personnel Security
9. Physical and Environmental Security
10. Procurement
11. Regulatory and Standards Compliance
12. Security Risk Management
13. Strategic Security Management
14. System and Application Security
30. TISA EBK Analysis
IT Security EBK: A Competency and Functional Framework
IT Security Roles (Executive, Functional, Corollary)
• Chief Information Officer
• Information Security Officer
• IT Security Compliance Officer
• Digital Forensics Professional
• IT Security Engineer
• IT Security Professional
• IT Systems Operations and Maintenance Professional
• Physical Security Professional
• Privacy Professional
• Procurement Professional
Functional Perspectives
• M - Manage
• D - Design
• I - Implement
• E - Evaluate
Competency units per role (one column per role)
M 11 12 0 1 2 1 0 1 3 1
D 2 7 1 3 4 6 4 2 6 1
I 0 1 2 5 8 3 4 4 4 1
E 3 10 14 3 5 7 2 3 5 1
Total Competency Units 16 30 17 12 19 17 10 10 18 4
Levels: Entry Level, Professional Level, Managerial Level
32. Enterprise Infosec Competency Profile
Enterprise Capability
• Organization assesses Infosec competency requirement against EBK
• Assess current competency within the enterprise
• Identify competency gap: training requirement, recruitment
Training Provider
• Infosec training provider maps training courses to EBK
33. TISA Roadmap
• 2009: TISA EBK Assessment Exam (Pilot Test)
• 2010 (Q4): TISET Pilot Test (preparation for taking International InfoSec Certification)
• 2011 (Q1): TISET#1 Certification, TISA Level I, II, III
• 2012: TISA Exam First Launch; Thailand InfoSec / Local InfoSec Professional Council
• Goal: increase the number of InfoSec professionals across industries in Thailand and Asia Pacific
34. TISET Certification Roadmap
FOUNDATION (Localized): TISA TISET Exam on IT & Information Security Competencies (TISA IT Security – Essential Body of Knowledge (EBK) Test)
ADVANCE: TISA TISET Certification; tracks: Internal Audit, IT/GRC Management; IT Audit, InfoSec Audit; Technical / IT Practitioner
EXPERT: International Certified IT & Information Security Professional; good step to take: CISSP, SSCP, CISA, CISM, CSSLP, SANS GIAC
36. CyberCrime, CyberTerror, CyberEspionage, and CyberWar
• What happened to Estonia was the first instance of cyber-warfare against a specific government. Russia was suspected as the instigator of the digital assault, a charge the Russian government denied, and there was no reliable evidence to prove it.
• DDoS attacks had happened before, seemingly triggered by political or other events. The latest such incident involved a DDoS attack on US servers from what appeared to be Korean computers after a South Korean contestant in the 2002 Winter Games in Salt Lake City was disqualified.
• The cyber-attack against Estonia could have been orchestrated by private individuals sympathetic to the Russian government or by ethnic Russian citizens in Estonia, although the obviously large financial resources made available for the May 9-10 DDoS attacks place this in some doubt.
39. Cyberwar History
1982: a logic bomb in computer control systems caused the explosion of a Soviet pipeline
1999: AF/91 caused Iraqi anti-aircraft guns to malfunction
1999: the USA was attacked from computers and computer networks situated in China and Russia
2006: Israel alleged that cyber-warfare was part of the conflict; the Israel Defense Force (IDF) estimated that several countries in the Middle East used Russian hackers and scientists
2007: McAfee, Inc. alleged that China was actively involved in "cyberwar"; China was accused of cyber-attacks on India, Germany, and the United States
2007, April: Estonia came under cyber attack from Russia targeting ministries, banks, and media
2007, Sept.: Israel carried out an airstrike on Syria using a computer program designed to interfere with the computers of integrated air defense systems
2007: the US suffered "an espionage Pearl Harbor" in which an "unknown foreign power...broke into all of the high tech agencies, all of the military agencies, and downloaded terabytes of information."
2007: the Kyrgyz Central Election Commission website was defaced during its election. The message left on the website read "This site has been hacked by Dream of Estonian organization". During the election campaigns and riots preceding the election, there were cases of Denial-of-service attacks against the Kyrgyz ISPs.
2008: Russian, South Ossetian, Georgian and Azerbaijani sites were attacked by hackers during the 2008 South Ossetia War
2008: U.S. military facility in the Middle East. The Pentagon released a document stating that "malicious code" on a USB flash drive spread undetected on Pentagon systems.
2009, March: a cyber spy network, GhostNet, using servers mainly based in China, tapped into classified documents from government and private organizations in 103 countries
2009, July: a series of coordinated cyber attacks against major government, news media, and financial websites in South Korea and the United States, from North Korea and the UK
2009, Dec. through January 2010: a cyber attack, dubbed Operation Aurora, was launched from China against Google and over 20 other companies
2010, May: Indian Cyber Army defaced Pakistani websites. In return, 1000+ Indian websites were defaced by PakHaxors, TeaMp0isoN, UrduHack & ZCompany Hacking Crew, among them the Indian CID website.
2010, Sept.: Iran was attacked by the Stuxnet worm. The worm is said to be the most advanced piece of malware ever discovered and significantly raised the profile of cyberwarfare.
2010, Oct.: Government Communications Headquarters (GCHQ) said Britain faces a “real and credible” threat from cyber attacks by hostile states and criminals, and that government systems are targeted 1,000 times each month
2010, Nov.: Indian Cyber Army hacked websites belonging to the Pakistan Army and ministries, in revenge for the Mumbai terrorist attack
2010, Dec.: Pakistan Cyber Army hacked the website of India's top investigating agency, the Central Bureau of Investigation (CBI)