Prevention Is Better Than Prosecution: Deepening the defence against cyber crime

2. Contents
  - Introduction and Approach
  - Information Assurance
  - Defence in Depth Strategy
  - Conclusion
  - Questions

3. Introduction and Approach
  - The President, in the State of the Nation Address, specifically referred to an increased effort to combat cyber crime and identity theft
  - Increase in cyber crime in both the private and public sector
  - Criminals want information
  - Law enforcement is hampered in its efforts to catch criminals
  - Shift in paradigm:
    - Reactive vs proactive
    - Prevention is better than prosecution
    - Devoting time and resources to implementing strategies that prevent cyber crime
  - Information Assurance and a Defence in Depth strategy

4. Information Assurance
  - Definition
  - Objective of Information Assurance
  - Five pillars of Information Assurance

5. Information Assurance: Definition
  - The practice of managing information-related risks (Wikipedia).
  - Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection and reaction capabilities (US DoD).
  - An umbrella concept bringing together the issues of information security and dependability.
  - Includes other corporate governance issues such as privacy, audits, business continuity and disaster recovery.

6. Information Assurance: Objective
  - The objective of Information Assurance is to minimise the risk that information systems, and the information stored, transmitted and processed on them, are vulnerable to threats. If an attack does take place, the damage it causes is minimised. It also provides a method to recover from an attack as efficiently and effectively as possible.
  - Information Assurance focuses on:
    - Access controls
    - Individual accountability
    - Audit trails

7. Five pillars of Information Assurance
  - Information security is based on the CIA triad (confidentiality, integrity, availability)
  - Information Assurance: the CIA triad plus authenticity and non-repudiation
  - NSA: application of the five pillars should be based on the protect, detect and react paradigm
  - Electronic Communications and Transactions Act, No. 25 of 2002
    - Incorporates the principles of the five pillars
    - Criminalises attacks

8. Five pillars of Information Assurance
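The pillars above (integrity, authentication, non-repudiation) and the "audit trails" and "individual accountability" focus of slide 6 meet in a tamper-evident audit log. The Python below is an added example and is not part of the original presentation or of any source it cites: each record's HMAC covers the previous record's HMAC, so editing, reordering or removing a record breaks the chain, and keeping the latest MAC (the "head") in a separate store makes silent truncation detectable as well. The key, field names and log records are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Hypothetical key held only by the log collector, never by the users whose
# actions are recorded. Constructed for this example; load it from a secret
# store in practice.
LOG_KEY = b"example-collector-key-not-for-production"

GENESIS = "0" * 64  # stand-in "previous MAC" for the first record
ENTRY_FIELDS = ("seq", "ts", "actor", "action", "target")


def _entry_mac(key: bytes, prev_mac: str, entry: Dict[str, object]) -> str:
    """HMAC-SHA256 over the previous record's MAC and a canonical encoding of this entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append_entry(log: List[Dict[str, object]], key: bytes,
                 actor: str, action: str, target: str, ts: str) -> Dict[str, object]:
    """Append one accountable event; its MAC chains it to everything recorded before it."""
    prev = str(log[-1]["mac"]) if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "actor": actor, "action": action, "target": target}
    record = dict(entry, prev=prev, mac=_entry_mac(key, prev, entry))
    log.append(record)
    return record


def verify_chain(log: List[Dict[str, object]], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of the first bad record).

    If expected_head (the last MAC recorded out of band) is given, a log whose
    tail has been cut off is reported with index == len(log).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        entry = {k: rec[k] for k in ENTRY_FIELDS}
        if not hmac.compare_digest(_entry_mac(key, prev, entry), str(rec["mac"])):
            return False, i
        prev = str(rec["mac"])
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed scenario: three records, then an edit attempt and a truncation attempt."""
    log: List[Dict[str, object]] = []
    append_entry(log, LOG_KEY, "alice", "read", "customer/1042", "2024-01-01T09:00:00Z")
    append_entry(log, LOG_KEY, "bob", "export", "customer/*", "2024-01-01T09:05:00Z")
    append_entry(log, LOG_KEY, "bob", "delete", "customer/1042", "2024-01-01T09:06:00Z")
    head = str(log[-1]["mac"])  # would be written to a separate, append-only store

    edited = [dict(r) for r in log]
    edited[1]["actor"] = "alice"  # attempt to shift accountability for the export

    return {
        "intact": verify_chain(log, LOG_KEY, head),
        "edited": verify_chain(edited, LOG_KEY, head),
        "truncated": verify_chain(log[:2], LOG_KEY, head),
    }


if __name__ == "__main__":
    print(demo())
```

The caveat is the fifth pillar. An HMAC under a shared key gives integrity and authentication to anyone who trusts the key holder, but not non-repudiation: the collector itself could rewrite the whole chain and recompute every MAC. Where non-repudiation is required, the head (or each record) has to be signed with a private key the log writer does not hold, or anchored with an independent party.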
9. Defence in Depth Strategy
  - Introduction
  - Focus areas
  - Core principles
  - Implementing the strategy
  - Layered defence approach
  - Maintaining the strategy

10. Definition
  - A strategy that can be implemented to achieve Information Assurance in today's highly networked environments (NSA). Also defined as the systematic security management of people, processes and technologies in a holistic risk-management approach (TISN):
    - A "best practices" strategy, in that it relies on the intelligent application of techniques and technologies.
    - Based on balancing protection capability against cost, performance and operational considerations.
    - Delivers:
      - Effective risk-based decisions;
      - Enhanced operational effectiveness;
      - Reduced overall cost and risk; and
      - Improved information security.

11. Threats
  - To protect an organisation's information and information systems against cyber attacks, it is necessary to determine who the enemy is, why they would want to launch an attack and how they would attack the organisation. Threats can be internal or external and can result from intentional or unintentional actions.
  - Technological innovation:
    - Faster networks
    - More storage in smaller devices
    - Technological convergence
    - Increasingly mobile workforce
  - External threats:
    - Hackers
    - Organised crime
    - Changes in the regulatory framework
  - Trading partners:
    - Business partners with poor data security
    - Physical access to shared systems
    - Misunderstanding of allowed access
    - Competitive environment
  - People:
    - Disgruntled employees
    - Financially troubled employees
    - Corporate espionage
    - Uneducated/uninformed users

12. Focus areas
  - Achieving Information Assurance requires a balanced focus on:
    - People
    - Processes
    - Technology
    - Governance

13. Focus areas (continued)
  - Technology
    - Refers to the solutions that organisations employ to achieve and sustain their business objectives. Key focus areas for implementing a Defence in Depth strategy:
      - Management of network architecture
      - Infrastructure management
      - Application security
      - Communications management
    - It is important that the procurement policy is aligned to the overall Defence in Depth strategy: the right technology is procured in accordance with overall business objectives.

14. Core principles
  - TISN defines the core principles as follows:
    - Implementing measures according to business risks.
    - Using a layered approach.
    - Implementing controls that increase the effort needed to attack and breach the system.
    - Implementing personnel, procedural and technical controls.

15. Focus areas (continued)
  - People
    - Refers to the security roles and responsibilities of internal and external persons.
    - It is important to define, maintain and enforce security roles and responsibilities for employees, contractors and business partners.
    - User awareness (both internal and external people).

16. Focus areas (continued)
  - Processes (or Operations)
    - Refer to the standardised actions used to ensure that the organisation's position on security is sustained.
    - Organisations must define, maintain and enforce the standardised actions/processes used to develop and sustain their position on security.
    - Key focus areas would typically include:
      - Identity and user-access management
      - Incident response management
      - Disaster recovery management
      - Audit management

17. Focus areas (continued)
  - Governance
    - Refers to the oversight and coordination of technology, people and processes provided in terms of a management framework, and begins with commitment at senior management level. This is followed by:
      - Integration and alignment with the overall strategy;
      - alignment with, and incorporation into, business objectives and goals;
      - drafting and implementing appropriate policies; and
      - deriving procedures from them.
    - Key focus areas for implementation include:
      - Risk management.
      - Information security and policy.
      - Compliance management.

18. Implementing the strategy
  - Requires a shift in paradigm: IT security/Information Assurance cannot be viewed as a stand-alone issue, but must become part of business planning, overall strategy, governance and operations.
  - Reasons for implementing the strategy:
    - Expanding organisational boundaries.
    - Mobile workforce.
    - Decentralisation of services.
    - Increasing value of information.

19. Implementing the strategy (continued)
  - Steps
    - Analysis of the internal and external environment.
    - Determining the risks.
    - Implementation of the strategy.
    - Maintenance, monitoring and review.

20. Layered Defence Approach as part of the Defence in Depth Strategy
  - The most effective way to secure information within modern-day parameters is to implement different layers of control as part of a Defence in Depth strategy (Murali 2007). Controls include both technical and process control mechanisms.

21. Layered Defence Approach (continued)
  - An organisation must deploy multiple defence mechanisms between the attacker and the target. These must increase the difficulty of successfully penetrating the network, thereby reducing risk, but also increase the chances of detecting the intruder:
    - Must identify the users of a system, e.g. through usernames and passwords.
    - Must provide mechanisms to recover effectively and efficiently from damage after an attack.
    - Must provide intelligence and correlate information between the various departments of a business, with the aim of preventing future attacks.
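Slide 21's point that layered defence should both slow the attacker and raise the chance of detection, and that intelligence has to be correlated across departments, can be made concrete with a small detection rule. The Python below is an added example and not part of the presentation: it parses constructed authentication lines from three hypothetical systems into one normalised form, shows that a per-host failed-login threshold never fires because no single system saw enough failures, and that the same events correlated per account across hosts raise an alert when a burst of failures is followed by a success. The log format, hostnames, addresses and thresholds are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample lines (not real logs) from three hypothetical systems, already
# normalised to: "<utc-ts> <host> <service> user=<u> ip=<ip> result=<ok|fail>"
SAMPLE_LINES = """\
2024-03-04T08:00:01Z vpn-gw1 vpn user=jsmith ip=203.0.113.7 result=fail
2024-03-04T08:00:05Z vpn-gw1 vpn user=jsmith ip=203.0.113.7 result=fail
2024-03-04T08:00:09Z mail1 owa user=jsmith ip=203.0.113.7 result=fail
2024-03-04T08:00:14Z mail1 owa user=jsmith ip=203.0.113.7 result=fail
2024-03-04T08:00:20Z fs1 smb user=jsmith ip=203.0.113.7 result=fail
2024-03-04T08:00:31Z vpn-gw1 vpn user=jsmith ip=203.0.113.7 result=ok
2024-03-04T08:02:00Z vpn-gw1 vpn user=alee ip=198.51.100.20 result=fail
2024-03-04T08:02:30Z vpn-gw1 vpn user=alee ip=198.51.100.20 result=ok
2024-03-04T08:03:00Z fs1 smb user=mchen ip=10.0.0.5 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<service>\S+) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines: str) -> List[Dict]:
    """Parse normalised lines into events sorted by time; unparseable lines are skipped."""
    events = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # in production, count these: a parser gap is itself a blind spot
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda ev: ev["ts"])


def per_host_alerts(events: List[Dict], threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> Set[Tuple[str, str]]:
    """Siloed view: each host counts only the failures it saw itself."""
    alerts = set()
    recent = defaultdict(list)  # (host, user) -> timestamps of recent failures
    for e in events:
        if e["result"] != "fail":
            continue
        key = (e["host"], e["user"])
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[key]) >= threshold:
            alerts.add(key)
    return alerts


def correlated_alerts(events: List[Dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5),
                      min_hosts: int = 2) -> List[Dict]:
    """Correlated view: failures for one account across every host, followed by a success."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, host)] of recent failures
    for e in events:
        user = e["user"]
        recent[user] = [(t, h) for t, h in recent[user] if e["ts"] - t <= window]
        if e["result"] == "fail":
            recent[user].append((e["ts"], e["host"]))
            continue
        hosts = sorted({h for _, h in recent[user]})
        if len(recent[user]) >= threshold and len(hosts) >= min_hosts:
            alerts.append({
                "user": user,
                "ip": e["ip"],
                "failures": len(recent[user]),
                "hosts": hosts,
                "success_at": e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
            })
            recent[user] = []  # reset so one burst raises one alert
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LINES)
    print("per-host alerts:", per_host_alerts(evs))
    print("correlated alerts:", correlated_alerts(evs))
```

The single-host rule sees at most two failures for jsmith on any one system and stays silent; the correlated rule sees five failures across three systems in twenty seconds and then a success from the same address, which is the pattern worth a response. The normalisation step is what makes the correlation possible, and it is also where the "share information" point of the conclusion applies: each department's logs only become intelligence once they are brought into one view.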
22. Maintaining the strategy
  - Maintaining the strategy includes continuous monitoring and evaluation of the effectiveness of the implemented programme. This includes re-evaluating the strategy to confirm alignment whenever there are changes to:
    - Business objectives and/or the overall enterprise strategy.
    - The security profile, e.g. specific breaches of security or an increase in a particular type of security breach.
    - Weaknesses or gaps identified in the current strategy.

23. Practical guidelines for maintaining the strategy
  - Know and understand your organisation.
  - Define security roles and responsibilities.
  - Adopt appropriate policies and procedures.
  - Continuous auditing and assessment of the process.
  - Stay up to date.
  - Effective public-private partnerships.

24. Conclusion
  - Value of information: to organisations and to criminals
  - Critical to preserve the integrity of information and to ensure that it is stored, transmitted and accessed securely.
  - Systems designed to manage and secure information must be reliable, aligned to business objectives and in line with the organisation's risk management approach.
  - Achieve Information Assurance through implementation of a Defence in Depth strategy.
  - Shift in paradigm: proactive vs reactive.
  - SHARE INFORMATION!

25. Questions? Thank you!