Prevention Is Better Than Prosecution: Deepening the defence against cyber crime
Transcript

  • 1. LEX INFORMATICA CONFERENCE, JULY 2009. PREVENTION IS BETTER THAN PROSECUTION: DEEPENING THE DEFENCE AGAINST CYBER CRIME. Adv Jacqueline Fick, Risk and Compliance Management, PwC Advisory Southern Africa
  • 2. Contents
    - Introduction and Approach
    - Information Assurance
    - Defence in Depth Strategy
    - Conclusion
    - Questions
  • 3. Introduction and Approach
    - The President, in the State of the Nation Address, specifically referred to an increased effort to combat cyber crime and identity theft
    - Increase in cyber crime in both the private and public sector
    - Criminals want information
    - Law enforcement is hampered in its efforts to catch criminals
    - Shift in paradigm:
      - Reactive vs proactive
      - Prevention is better than prosecution
      - Devoting time and resources to implementing strategies that prevent cyber crime
    - Information Assurance and Defence in Depth strategy
  • 4. Information Assurance
    - Definition
    - Objective of Information Assurance
    - Five pillars of Information Assurance
  • 5. Information Assurance: Definition
    - The practice of managing information-related risks (Wikipedia).
    - Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection and reaction capabilities (US DoD).
    - An umbrella concept bringing together the issues of Information Security and Dependability.
    - Includes other corporate governance issues such as privacy, audits, business continuity and disaster recovery.
  • 6. Information Assurance: Objective
    - The objective of Information Assurance is to minimise the risk that information systems, and the information stored, transmitted and processed on them, are vulnerable to threats. If an attack does take place, the damage it might cause is minimised. It also provides methods to recover from an attack as efficiently and effectively as possible.
    - Information Assurance focuses on:
      - Access controls
      - Individual accountability
      - Audit trails
  • 7. Five pillars of Information Assurance
    - Information Security is based on the CIA triad (confidentiality, integrity, availability)
    - Information Assurance: the CIA triad plus authenticity and non-repudiation
    - NSA: application of the five pillars should be based on the protect, detect and react paradigm
    - Electronic Communications and Transactions Act, No. 25 of 2002
      - Incorporates the principles of the five pillars
      - Criminalises attacks
  • 8. Five pillars of Information Assurance (diagram)
  • 9. Defence in Depth Strategy
    - Introduction
    - Focus areas
    - Core principles
    - Implementing the strategy
    - Layered defence approach
    - Maintaining the strategy
  • 10. Definition
    - A strategy that can be implemented to achieve Information Assurance in today's highly networked environments (NSA). Also defined as the systematic security management of people, processes and technologies in a holistic risk-management approach (TISN):
      - A "best practices" strategy, in that it relies on the intelligent application of techniques and technologies.
      - Based on balancing protection capability against cost, performance and operational considerations.
      - Delivers:
        - Effective risk-based decisions;
        - Enhanced operational effectiveness;
        - Reduced overall cost and risk; and
        - Improved information security.
  • 11. Threats
    - To protect an organisation's information and information systems against cyber attacks, it is necessary to determine who the enemy is, why they would want to launch an attack and how they would attack the organisation. Threats can be internal or external and can result from intentional or unintentional actions.
    - Technological innovation:
      - Faster networks
      - More storage in smaller devices
      - Technological convergence
      - Increasingly mobile workforce
    - External threats:
      - Hackers
      - Organised crime
      - Changes in the regulatory framework
    - Trading partners:
      - Business partners with poor data security
      - Physical access to shared systems
      - Misunderstanding of allowed access
    - People:
      - Competitive environment
      - Disgruntled employees
      - Financially troubled employees
      - Corporate espionage
      - Uneducated/uninformed users
  • 12. Focus areas
    - Achieving Information Assurance requires a balanced focus on:
      - People
      - Processes
      - Technology
      - Governance
  • 13. Focus areas (continued): Technology
    - Refers to the solutions that organisations employ to achieve and sustain their business objectives. Key focus areas for implementing a Defence in Depth strategy:
      - Management of network architecture
      - Infrastructure management
      - Application security
      - Communications management
    - It is important to ensure that the procurement policy is aligned to the overall Defence in Depth strategy: the right technology is procured in accordance with overall business objectives.
  • 14. Core principles
    - TISN defines the core principles as follows:
      - Implementing measures according to business risks.
      - Using a layered approach.
      - Implementing controls to increase the effort needed to attack and breach the system.
      - Implementing personnel, procedural and technical controls.
  • 15. Focus areas (continued): People
    - Refers to the security roles and responsibilities of internal and external persons.
    - It is important to define, maintain and enforce security roles and responsibilities for employees, contractors and business partners.
    - User awareness (for both internal and external people).
  • 16. Focus areas (continued): Processes (or Operations)
    - Refer to the standardised actions used to ensure that the organisation's position on security is sustained.
    - Organisations must define, maintain and enforce the standardised actions/processes used to develop and sustain their position on security.
    - Key focus areas would typically include:
      - Identity and user-access management
      - Incident response management
      - Disaster recovery management
      - Audit management
  • 17. Focus areas (continued): Governance
    - Refers to the oversight and coordination of technology, people and processes provided in terms of a management framework. It begins with commitment at senior management level, followed by:
      - Integration and alignment with the overall strategy;
      - alignment with and incorporation into business objectives and goals;
      - drafting and implementing appropriate policies; and
      - deriving procedures from them.
    - Key focus areas for implementation include:
      - Risk management.
      - Information security and policy.
      - Compliance management.
  • 18. Implementing the strategy
    - Requires a shift in paradigm: IT security and Information Assurance cannot be viewed as stand-alone issues, but must become part of business planning, overall strategy, governance and operations.
    - Reasons for implementing the strategy:
      - Expanding organisational boundaries.
      - Mobile workforce.
      - Decentralisation of services.
      - Increasing value of information.
  • 19. Implementing the strategy (continued): Steps
    - Analysis of the internal and external environment.
    - Determining the risks.
    - Implementation of the strategy.
    - Maintenance, monitoring and review.
  • 20. Layered Defence Approach as part of the Defence in Depth Strategy
    - The most effective way to secure information within modern-day parameters is to implement different layers of control as part of a Defence in Depth strategy (Murali 2007). Controls include both technical and process control mechanisms.
  • 21. Layered Defence Approach (continued)
    - An organisation must deploy multiple defence mechanisms between the attacker and the target. These must increase the difficulty of successfully penetrating the network, thereby reducing risk, but also increase the chances of detecting the intruder:
      - Must identify the users of a system, e.g. through usernames and passwords.
      - Must provide mechanisms to recover effectively and efficiently from damage after an attack.
      - Must provide intelligence and correlate information between the various departments of a business, with the aim of preventing future attacks.
  • 22. Maintaining the strategy
    - Maintaining the strategy includes continuous monitoring and evaluation of the effectiveness of the implemented programme. This includes re-evaluating the strategy to determine alignment where there are changes to:
      - Business objectives and/or the overall enterprise strategy.
      - The security profile, or where specific breaches in security or an increase in a particular type of security breach occur.
      - Weaknesses or gaps identified in the current strategy.
  • 23. Practical guidelines for maintaining the strategy
    - Know and understand your organisation.
    - Define security roles and responsibilities.
    - Adopt appropriate policies and procedures.
    - Continuously audit and assess the process.
    - Stay up to date.
    - Effective public-private partnerships.
  • 24. Conclusion
    - Value of information: to organisations and to criminals
    - It is critical to preserve the integrity of information and to ensure that it is stored, transmitted and accessed securely.
    - Systems designed to manage and secure information must be reliable, aligned to business objectives and in line with the organisation's risk management approach.
    - Achieve Information Assurance through the implementation of a Defence in Depth strategy.
    - Shift in paradigm: proactive vs reactive.
    - SHARE INFORMATION!
  • 25. Questions? Thank you!
