The evolving threats and the challenges of the modern CISO
Gerasimos Moschonas
Information Security Professional
2nd Forward Thinking Cyber Security Event
(ISC)² Hellenic Chapter
March 2017

Information Security Topics
- Big Data
- Internet of Things
- Cyber Crime & Attacks
- Social Engineering
- Mobility
- Regulatory Framework

World keeps changing
- From centralised legacy systems (on premises) to decentralised interconnected systems (on and off premises)
  - Outsourcing services
  - Cloud computing
  - IoT
- Enterprises become more and more digital, and a serious target for cyber criminals
- Attacks and attackers become smarter, more aggressive and more professional
- Threats are evolving and cyber security is a top priority

Incidents keep growing
- Massive DDoS attack against the major DNS service Dyn affected a huge portion of Internet users in the US, taking down access to major web services, including Twitter, Amazon, Netflix and PayPal
- SWIFT cyber heists (starting from the Bank of Bangladesh)
- Yahoo had been hacked ..... again and ... again
- Hospitals, state and local governments, law enforcement agencies, small & large businesses: these are just some of the entities impacted recently by ransomware
- Spam email operator's faulty backup leaks 1.37bn addresses
- WikiLeaks Vault 7: CIA hacking tools revealed

CISO's role keeps evolving
From the role of the IT security administrator & the IT Security Officer inside the IT Unit to the independent role of the CISO who:
- Is a decision maker, an influencer
- Has the overall responsibility for Information Security Governance, reporting to Senior Management
- Is business-oriented and technology-oriented, speaking both the business and the technology language; understands the business environment and acts as an integrator of people, business processes and technology
- "Translates" information security risks into business risks
- Is always aware of the evolving threats, the technology trends and the regulatory framework

Big Data – Employees & Partners 1/2
- The amount of data is increasing daily
- Data at rest and in transit, inside and outside the perimeter
- But, do you know:
  - Where is your data located?
  - How is your data used and exchanged?
  - Who has access, and for which reason?
  - What is the retention period, and how is the data destroyed?
  - Whether cloud services are being used?
- Use of cloud services for cost reduction raises several matters to evaluate:
  - Data privacy and compliance
  - Lack of governance
  - Appropriate security controls
  - Contractual terms (e.g. right to audit)

Big Data – Employees & Partners 2/2
- Restrict the user environment (USB media, admin rights)
- Use DLP measures for data in transit (at the endpoints and the perimeter)
- Enforce Identity & Access Management (staff, partners)
- Use encryption and segregation of duties
- Apply a retention and destruction policy for both electronic and physical data
- For cloud services:
  - Identify and evaluate the assets
  - Perform a risk-based assessment
  - Define the minimum security controls
  - Be compliant with data privacy regulations
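The "DLP measures for data in transit" bullet names a control without showing what the control actually decides on. The following is an added example, not code from the presentation or its speaker: a content inspection step that an endpoint or perimeter DLP agent would run on outbound message bodies, looking for payment card numbers. It pairs a digit-run pattern with the Luhn checksum so that ordinary 13-19 digit values such as order or tracking numbers are not blocked, and it masks any hit so the alert itself does not leak the number. The message samples, the allow/block verdict and the masking format are constructed assumptions for this example.

```python
"""
Pattern-based DLP check for data in transit.

Added example: not from the slides or the speaker. Inspects the body of
outbound messages for payment card numbers, combining a digit-run pattern
with the Luhn checksum so that arbitrary 13-19 digit strings (order or
tracking numbers) are not blocked. The message samples and the allow/block
decision are constructed assumptions for this example.
"""
import re

# A run of 13-19 digits, optionally separated by single spaces or hyphens,
# that is not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the card numbers (digits only) found in text that pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_outbound(messages: dict) -> dict:
    """
    Map message id -> (verdict, masked card numbers).
    Verdict is 'block' when at least one Luhn-valid card number is present,
    otherwise 'allow'.
    """
    verdicts = {}
    for msg_id, body in messages.items():
        pans = find_card_numbers(body)
        if pans:
            verdicts[msg_id] = ("block", [mask(p) for p in pans])
        else:
            verdicts[msg_id] = ("allow", [])
    return verdicts


# Constructed sample of outbound messages; the card number is the well-known
# Visa test number, the order number is a 16-digit value that fails Luhn.
SAMPLE_MESSAGES = {
    "msg-1": "Hi, please charge card 4111 1111 1111 1111, exp 12/20. Thanks",
    "msg-2": "Your order 1234567890123456 has shipped.",
    "msg-3": "Quarterly report attached, no customer data included.",
}

if __name__ == "__main__":
    for msg_id, (verdict, pans) in inspect_outbound(SAMPLE_MESSAGES).items():
        print(msg_id, verdict, pans)
```

Running the block blocks only msg-1; the checksum is what keeps msg-2's order number from producing a false positive, which is the difference between a DLP rule users tolerate and one they route around.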

Internet of Things
- More than 24 billion IoT devices installed on Earth by 2020
- These "things" don't "look" like traditional computers and aren't treated like computers
- Usually no adequate security measures are taken
- They could be used as a botnet or as an entry point to a home or corporate network
- The IoT botnet 'Mirai' targeted vulnerable 'smart' IoT devices, turning them into 'bots' used for DDoS

- Implement strong authentication
- Ensure the identity of each device
- Apply device-to-device secure communication
- Minimise the data exchanged, processed and stored
- Secure the data stored on the devices

Cyber Crime & Attacks 2/4
- Attacks become more aggressive and intelligent
- Crime as a Service
- Distributed Denial of Service (DDoS)
- Advanced Persistent Threats (APTs)
- 0-day attacks (malware unknown to traditional controls)
- The era of the Ransomware: ransomware attacks against businesses increased threefold in 2016. Kaspersky Lab recorded one ransomware attack every 40 seconds against companies in September.
- ATM attacks (malware, black box)
Source: AKAMAI REPORT Q4 2016

Cyber Crime & Attacks 3/4
- Bypassing the perimeter, e.g. malware spread via a USB stick or a laptop connected to a workstation or to the network
- Do you really know if someone or "something" malicious is already inside your network?
- How do you monitor the inside behaviour to get alerts for any abnormal activity?
- What constitutes normal and abnormal activity?
- Preventing known threats is not enough: detect and prepare for the unknown

Cyber Crime & Attacks 4/4
- Threat intelligence for monitoring both the incoming traffic (web & email) and the corporate network, detecting any malicious activity which points to viable threats
- Implement centralised Advanced Threat Protection technologies that simulate the behaviour of malicious/suspicious traffic (sandboxing)
- Implement multi-layered protection for the endpoints (reputation analysis, advanced machine learning, behaviour emulation, memory exploit mitigation)
- Sign a cyber insurance contract
- Educate the incident response team to react accordingly
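The 3/4 slide asks what constitutes normal versus abnormal activity inside the network and how to alert on it, and the 4/4 slide answers with monitoring of the corporate network for activity that points to viable threats. The following is an added example that serves both slides; it is not code from the presentation or its speaker. It takes one concrete answer to the question: "normal" is learned from a known-good window of internal connection logs (which destinations and service ports each host usually uses), and "abnormal" is a departure from that profile in a later window, such as a host suddenly reaching many more internal destinations than before, or a service port it never used. The log format, hostnames, ports and the fan-out threshold are constructed assumptions for this example.

```python
"""
Baseline-versus-observation detector for activity inside the network.

Added example: not from the slides or the speaker. "Normal" is learned
from a known-good window of internal connection logs; "abnormal" is a
departure from that profile in a later window (fan-out to many more
destinations, or a service port never used before). The log format,
hostnames, ports and threshold are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed log line format: "<timestamp> src=<host> dst=<host> dport=<port>"
LINE_RE = re.compile(r"^\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed known-good window: two workstations using the usual services.
BASELINE_LOG = """\
2017-03-01T09:00:01 src=ws-01 dst=fileserver dport=445
2017-03-01T09:00:05 src=ws-01 dst=mail dport=443
2017-03-01T09:01:10 src=ws-01 dst=intranet dport=443
2017-03-01T09:02:00 src=ws-02 dst=fileserver dport=445
2017-03-01T09:02:30 src=ws-02 dst=mail dport=443
2017-03-01T09:03:00 src=ws-02 dst=intranet dport=443
2017-03-01T10:00:00 src=ws-01 dst=fileserver dport=445
"""

# Constructed observation window: ws-02 starts reaching other workstations
# and the domain controller, partly over a port it never used before.
OBSERVED_LOG = """\
2017-03-02T09:00:01 src=ws-01 dst=fileserver dport=445
2017-03-02T09:00:05 src=ws-01 dst=mail dport=443
2017-03-02T09:02:00 src=ws-02 dst=fileserver dport=445
2017-03-02T09:02:01 src=ws-02 dst=ws-01 dport=445
2017-03-02T09:02:02 src=ws-02 dst=ws-03 dport=445
2017-03-02T09:02:03 src=ws-02 dst=ws-04 dport=445
2017-03-02T09:02:04 src=ws-02 dst=ws-05 dport=3389
2017-03-02T09:02:05 src=ws-02 dst=dc-01 dport=3389
"""


def parse(log_text):
    """Yield (src, dst, dport) tuples, skipping lines that don't match the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def build_profile(log_text):
    """Per source host: the set of destinations and service ports seen."""
    profile = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for src, dst, dport in parse(log_text):
        profile[src]["dsts"].add(dst)
        profile[src]["ports"].add(dport)
    return profile


def detect_anomalies(baseline_text, observed_text, fanout_factor=1.5):
    """
    Compare an observation window against the learned baseline.
    Returns {src: [reasons]} for hosts that deviate. A host absent from the
    baseline is reported as such rather than silently accepted, since the
    detector has no idea what "normal" is for it.
    """
    baseline = build_profile(baseline_text)
    observed = build_profile(observed_text)
    findings = {}
    for src, seen in observed.items():
        reasons = []
        if src not in baseline:
            reasons.append("host absent from baseline")
        else:
            base = baseline[src]
            normal_fanout = max(len(base["dsts"]), 1)
            if len(seen["dsts"]) > fanout_factor * normal_fanout:
                reasons.append(f"fan-out {len(seen['dsts'])} vs baseline {normal_fanout}")
            new_ports = sorted(seen["ports"] - base["ports"])
            if new_ports:
                reasons.append(f"new service ports {new_ports}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in detect_anomalies(BASELINE_LOG, OBSERVED_LOG).items():
        print(host, "->", "; ".join(reasons))
```

With the constructed data only ws-02 is reported, for both reasons at once; ws-01 behaves as it did in the baseline and produces nothing. The design choice worth noting is that "abnormal" is defined relative to each host's own history rather than by a global signature, which is what lets this kind of monitoring catch activity no perimeter control has a rule for.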

Social Engineering
Methods of manipulating / tricking people into disclosing confidential information, breaking the security procedures
- CEO Fraud
- Spear Phishing (targeting companies or groups of people) via email, SMS, voice
- Social media masquerade, fake apps/sites: fraudsters can masquerade as your brand, across your digital channels, and bait your customers with scams, phishing and offers for counterfeit products and services (Sony Twitter account hacked)

- Educate and train the personnel (and the clients)
- Security awareness program with metrics
- Protect your brand: Internet monitoring

Mobility 1/2
- Mobile apps
  - m-wallets, m-banking, …
  - Contactless and NFC payments
  - Privacy abuse: what does the app have access to?
- Mixing of personal and corporate data on the device
- Remote working for troubleshooting
- Remote access to corporate resources
  - Emails, intranet sites, document sharing
- Data stored in the cloud (e.g. iCloud)
- "Rooted" / "jailbroken" operating systems override the security of the mobile device

Mobility 2/2
- Privacy by design
- Application security assessment
- BYOD policy – Mobile Data Management
- Security policy (password, idle timeout), encryption
- Check for "rooted" devices / remote wipe
- Malware protection
- WiFi and Bluetooth not always on
- Secure remote access procedure
- Guest WiFi LAN not connected to the corporate network
- Control each device connected to the corporate network

Regulatory Framework
Information security becomes more and more regulated:
- General Data Protection Regulation (GDPR)
- The Directive on security of network and information systems (NIS Directive)
- The EU Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation)
- The 2nd Payment Services Directive (PSD2)

- Be ahead of the regulatory requirements – act proactively
- Inform the enterprise of the new obligations – act to be compliant in time

The challenges of the CISO 1/2
- Build an understandable and robust (cyber) security strategy
- Align the security strategy to the business strategy, supporting business success
- Engage the Board. "Translate" information security risks into business risks
- Reduce information security risks to an acceptable level. Adopt appropriate security measures and procedures

The challenges of the CISO 2/2
- Protect the business brand and keep customers' & shareholders' confidence high
- Be ahead of the regulatory requirements – act proactively
- Be prepared for an incident – assume you'll be compromised
- Educate the personnel – raise awareness

The role of the CISO
Managing information security risks while delivering value to the digital enterprise
The role of the CISO is more vital than ever

Q & A