Valuendo cyberwar and security (okt 2011) handout
Presentation on cyberattacks given by Marc Vael at EPSC forum in Brussels on 25th of October 2011

Published in: Technology, Business

  1. The vulnerability of high hazards plant to cyber attack (Marc Vael, Director)
  2. Cybersecurity threats
     • Cyber-criminals
     • Malware
     • Phishers
     • Spammers
     • Negligent staff
     • Hackers
     • Unethical employees misusing/misconfiguring security functions
     • Unauthorized access, modification, disclosure of information
     • Nations attacking critical information infrastructures
     • Technical advances that can render encryption algorithms obsolete
  3. Lessons learned so far: Cyberattacks are DIFFICULT to execute.
  4. Lessons learned so far: Governments do have the resources/skills to conduct cyberattacks.
  5. Lessons learned so far: Cyberattacks are war.
  6. Cyberwarfare is "the fifth domain of warfare".
  7. "Cyberspace is a new domain in warfare which has become just as critical to military operations as land, sea, air and space."
  8. "Actions to penetrate computers or networks for the purposes of causing damage or disruption."
  9. Information warfare is "using & managing IT in the pursuit of a competitive advantage over an opponent".
  10. Lessons learned so far: Cyberattacks are a real, clear and present danger to organisations & government agencies.
  11. "It's possible that hackers have gotten into administrative computer systems of utility companies, but says those aren't linked to the equipment controlling the grid, at least not in developed countries. I have never heard that the grid itself has been hacked." Howard Schmidt, Cyber-Security Coordinator of the US
  12. Lessons learned so far: Targeted organizations are unprepared.
  13. Lessons learned so far: Security professionals are at risk.
  14. Risk always exists! (whether or not it is detected / recognised by the organisation).
  15. Impact of an attack on the business
  16. Cyberattack mitigating strategies
  17. Cyberattack mitigating strategies: Corporate governance: ERM = COSO. Support from Board of Directors & Executive Management.
  18. Cyberattack mitigating strategies: Managing risks appropriately
  19. Cyberattack mitigating strategies: Policies & Standards
  20. Cyberattack mitigating strategies: Project Management
  21. Cyberattack mitigating strategies: Supply Chain Management
  22. Cyberattack mitigating strategies: EDUCATION!
  23. Cyberattack mitigating strategies: Providing proper funding
  24. Cyberattack mitigating strategies: Providing proper resources
  25. Cyberattack mitigating strategies: Measuring performance
  26. Cyberattack mitigating strategies: Review / Audit
  27. Cyberattack mitigating strategies: Incident/Crisis Management
  28. COBIT framework diagram. Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT Resources: Applications, Information, Infrastructure, People. The four process domains and their processes:
     • PLAN & ORGANISE: PO1 Define a strategic IT plan; PO2 Define the information architecture; PO3 Determine technological direction; PO4 Define the IT processes, organisation and relationships; PO5 Manage the IT investment; PO6 Communicate mgt aims & direction; PO7 Manage IT human resources; PO8 Manage quality; PO9 Assess and manage IT risks; PO10 Manage projects
     • ACQUIRE & IMPLEMENT: AI1 Identify automated solutions; AI2 Acquire & maintain application software; AI3 Acquire & maintain IT infrastructure; AI4 Enable operation and use; AI5 Procure IT resources; AI6 Manage changes; AI7 Install & accredit solutions and changes
     • DELIVER & SUPPORT: DS1 Define & manage service levels; DS2 Manage third-party services; DS3 Manage performance & capacity; DS4 Ensure continuous service; DS5 Ensure systems security; DS6 Identify & allocate costs; DS7 Educate & train users; DS8 Manage service desk and incidents; DS9 Manage the configuration; DS10 Manage problems; DS11 Manage data; DS12 Manage the physical environment; DS13 Manage operations
     • MONITOR & EVALUATE: ME1 Monitor & evaluate IT performance; ME2 Monitor & evaluate internal control; ME3 Ensure compliance with external requirements; ME4 Provide IT governance
  29. (Repeat of the COBIT framework diagram shown on slide 28.)
  30. Information Security Management
  31. Your security solution is as strong … as its weakest link.
  32. "I don't care how many millions of dollars you spend on security technology. If you don't have people trained properly, I'm going to get in if I want to get in." Susie Thunder, Cyberpunk
  33. Contact information: Marc Vael, CISA, CISM, CISSP, CGEIT, ITIL Service Manager, Prince2. Director Knowledge Board, ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows IL 60008, USA. http://www.isaca.org/security, marc@vael.net, http://www.linkedin.com/in/marcvael, http://twitter.com/marcvael
