ISYS 2394 Business Globalisation and Business IT.docx

ISYS 2394 Business Globalisation and Business IT
Security in a Global Environment
Barry Cook
*
Index
*
Introduction
Introduction
My Background
Disclaimer
Security in a Globalised Environment
Impact of Data Breaches
Largest Data Breaches of All Time
Security Threat Basics
Emerging IT Trends Security Considerations
Defences and Best Practices
Summary

*
IntroductionThe objective of today is to:
Provide you an overview of the current major security threats,
risks and impacts to individuals and businesses, in our
globalised world
Provide you some high level best practices and defences to
address security threats and risks
Get you to starting to think about security as an integral part of
your development plans
Today
Part 1: Lecture and Questions
Part 2: Practical Activity with 3 Minute Presentation Per Group
*
*
My BackgroundCurrent Role:
J6, Defence Command Support Training Centre (DCSTC)
J = Joint (Army, Navy, Air Force),
6 = Communication Information Systems (CIS)Experience
National Security Focus Department of Defence & Federal
Attorney-General’s Department
Management / IT ConsultancyCurrent Research Interests
Cyber-Security & Cyber-Warfare
*

*
Disclaimer
Everything you hear today is based on material available in the
public domain.
Nothing Specific, Unique or Classified to the Department of
Defence, Australian Government or our Allies will be discussed
or referenced.
*
*
Security in a Globalised EnvironmentTechnology has opened up
Global Opportunities and Markets
It has also lead to a significant increase in the Security Threats
to Individuals and Businesses
Mobile Devices estimated to reach 10 Billion by 20161
Accumulated Digital Data to grow to 8 Zettabytes by 20152
Distributed nature of the threats, makes it difficult for Law
Enforcement to address root causes.
Threat often occur from multiple sovereignties each with
differing laws and jurisdictional processes

You can’t just block all the traffic, as it is often mixed in with
legitimate traffic
*
Source: 1. Cisco
2. IDC Worldwide Big Data Technology and Service
2012-2015 Forecast
*
Impact of Data BreachesLoss of Customer Confidence and Loss
of CustomersLoss of Competitive AdvantageFraudFinesCost of
Data Breaches on Business1
$188 per record stolen in 2013
Cost of Identify Theft on Individuals2
Average Cost of $4,841 per person
Average Time to Repair Damage caused by Identify Theft is 330
Hours
*
Source: 1. 2013 Cost of Data Breach Study, Ponemon Institute
2. Identify Theft Resource Centre
Average Total Organisation Cost of Data Breach
for Large Business1

*
Largest Data Breaches of All Time
*
Source: 1. Nathan Yau, http://flowingdata.com
*
Index
*
Introduction
Summary
Threat Motives
Threat Actors
Threat Vectors
Technical Threats
Non-Technical Threats
*

Threats MotivesFinancial Gain
Competitive Advantage
Disruption
Political Advantage / Hacktivism
Disobedience / Protest
Showing Off / “THE CHALLENGE”
*
*
Threats ActorsOrganised Crime
Financial Gain
State Sponsored / Foreign Government
Espionage, Disruption
Terrorist Groups
Financial Gain, Disruption
Individuals
Internal – Disgruntled Employee, Curious Insider, Ignorance
Outsider – Hackers, “Script Kiddies”, Competitors
*
*

Threats VectorsWeb – Fake SitesEmail – Attachments,
LinksUnsecure Devices – Wireless Hotspots, Physical
DevicesRemovable Media (USB Thumb Drives)Social
MediaSocial Engineering
*
Source: 1. Symantec Intelligence Report for Feb 2014
1
*
Technical Threats - PhishingPhishing
Fake Website designed to look like real one to obtain privilege
information
Generic in Nature
Email / Social Networking Attack VectorSpear Phishing
Targets Individuals based on already known information about
the target
May appear to come from a trusted source
*
Source: 1. Symantec Intelligence Report for Feb 2014
In Dec 2013, it was estimated 1 in every 1,053 emails was a
Phishing attempt.1

*
Technical Threats -
MalwareTrojansVirusesSpywareAdwareWormsScarewareBotnet
sSoftware Keyloggers
*
Source: 1. PandaLabs Annual Report 2013 Summary
2. Symantec Intelligence Report for Feb 2014
In Dec 13, it was estimated 1 in every 164 emails contained
Malware2
1
*
Technical Threats - Hardware Keyloggers
*
*

Technical Threats – Zero-Day AttacksZero-Day Attacks
Attacks that exploits a security vulnerability on the day or even
before it becomes generally known
Type of Advanced Persistent Threat (APT)
Famous Examples
Attack on Google in 2009 as a result of a Internet Explorer
Zero-Day Flaw.
HEART BLEED OpenSSL Vulnerability
*
Source: 1. Symantec Elderwood Project
1
*
Technical Threats - Heartbleed Bug
*
Source: 1. LWG Consulting
1
*

Non Technical Threats – PasswordsPoor Passwords
Lack Length and Complexity
Hard to Remember so written down
Password Lengths
Any Password < 5 Characters can be cracked in 5 seconds
Any Password < 7 Characters can be cracked within 1 day
Even 8 Character Passwords with some complexity can be
cracked in a few months
*
*
Non Technical Threats – OtherPhysical Security
Lack of Protection of Sensitive and Critical ICT Assets
Includes End User Device Protection when MobileImproper
Destruction
Paper and Electronic AssetsInsufficient Backup and Recovery
Risk to Data Survivability and IntegrityInadequate Staff
Identification Processes
Susceptibility to Social Engineering Attack Vector
*
*

Index
*
Introduction
Summary
Cloud Computing
BYOD
Mobile Devices
Big Data
*
Cloud ComputingWhat about my Data
Where is My Data stored?
Who has access to My Data?Data Segregation
How well is my Data Segregated from others Cloud
Clients?Recovery
What are my Recovery Options?Compliance Requirements
Can I guarantee they are achieved if I don’t control the
infrastructure?
*

*
Bring Your Own Device (BYOD)All Devices or Only Some?
What about Patching and Updates?
How will you deploy applications to all the devices?Data
Ownership
What happens when the employee leaves?Device Loss or Theft
How do you maintain control?
What about User Rights?
*
*
Mobile DevicesMobile Devices are just as susceptible to threats
Malware
Bluesnarfing
Phone Hacking
Browser Security Issues
*
Source: 1. F-secure Mobile Threat Report Q1 2014
Mobile Device Malware Detected
Q1 20141

*
Index
*
Introduction
Security Basics
Summary
Defence in Depth CycleLayered DefenceSecurity MeasuresTop
4 Mitigation StrategiesMobile / BYOD Security Control
FrameworkCloud Computer Security
*
Defence in Depth CycleContext
Business Strategy in PlayRisk Analysis
Identify Generic and Specific Risks to Business and its
consequencesImplement Defence in Depth
Employ a Multi-Layer Defence StrategyReview and Monitor
Ensure Defence Strategy is continuous reviewed and updated
*
AS43560 Risk Rating Levels
Source: 1. Trusted Information Sharing Network
www.tisn.gov.au

*
Layered Defence
*
www.tisn.gov.au
*
Security Measures – Physical SecuritySecure Server Rooms
Restrict Access to only those that require and log/monitor
access at all times
Keep Server Rooms neat and documented, so anomalies can be
quickly detectedRestrict Entry to Work Areas to only authorised
personnelSecure Mobile Assets
In and Out of the OfficeControl Physical Assets that contain
data and information at all times
From Creation to Destruction
*
*

Security Measures – Device SecurityPatch Operating System
and Applications consistently and quickly.
Setup an Automatic Mechanism to updateInstall Suitable
Security Software
Should include Anti-virus, Firewall, Anti-Spam, Anti-Malware,
Web Site Threat Checker
Needs to check for updates multiple times per dayEncrypt Data
on Portable DevicesRestrict Application Installation/Usage to
Only Authorised ApplicationsDisable Auto Run / Auto Load of
Removal Media
*
*
Security Measures – Network/System SecurityApply Multiple
Levels of Network Defence
Firewalls / Routers / Gateways
Intrusion Detection SystemsMonitor Network Continuously and
Quickly Act to Protect
Know what devices are on your network at all times and what
they are doingApply comprehensive Access Controls to Data
Consider Multi-Factor Authentication such as Tokens, Smart
Cards or Biometrics
Remove Access immediately upon personnel change (Staff
Departure, Role Change)Implement Robust Change Management
and Application Development SDLC Processes
*

*
Security Measures – User SecuritySecurity Awareness Training
Threat and Consequence Awareness Training
Anti-Phishing and Anti-Social Engineering Training
What to do if a “Breach” occursSuitable Password
At least 10 Characters with mixture of Upper & Lower Case,
Numbers and Special Characters.
However, the longer the password length the less complex it has
to be.
Use different passwords for different types of systems. E.g.
Social Media, Banking
Change Passwords Regularly
Don’t Share Passwords
*
*
Top 4 Mitigation Strategies
*
Source: 1. DSD Top 35 Strategies to Mitigate Targeted Cyber
Intrusions

1Mitigation Strategy Effectiveness RankingMitigation
StrategyDesigned to Prevent or Detect an IntrusionUser
ResistanceUpfront CostMaintenance Cost1Patch applications
e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch
or mitigate within two days for high risk vulnerabilities. Use
the latest version of applications.PreventLowHighHigh2Patch
operating system vulnerabilities. Patch or mitigate within two
days for high risk vulnerabilities. Use the latest operating
system version.PreventLowMediumMedium3Minimise the
number of users with domain or local administrative privileges.
Such users should use a separate unprivileged account for email
and web browsing.PreventMediumMediumLow4Application
whitelisting to help prevent malicious software and other
unapproved programs from running e.g. by using Microsoft
Software Restriction Policies or
AppLocker.BothMediumHighMedium
*

Mobile / BYOD Security Control Framework
*
www.tisn.gov.au
1Security ControlsPreventiveDetectiveCorrectiveAccess
ControlEnforce strong passwords
Use two-factor authenticationExtend existing auditing and
monitoring controls around mobile device connectionsConduct
regular reviews of devices connecting to corporate networkData
ProtectionEncrypt business data
Limit the sensitive data transferred to mobile devices, or
implement least privilege access
Implement remote device management
Enable device-lockout function when the device is not in
usePerform technical security assessments on mobile devices
and supporting infrastructure with emphasis on data stored on
devices
Monitor access and usage of high-risk data to identify
potentially inappropriate usageImplement appropriate measures
to eliminate or reduce the risk impact - either by enhancements
in technology or by updating the policies/proceduresApplication
SecurityAllow only certified business applicationsRegularly
monitor installed applications to identify risks to corporate
dataRemove applications identified to be untrustworthy or
maliciousFundamental ControlsInstall anti malware software
Install and manage personal firewall to permit only authorised
trafficRegularly monitor compliance reports
Setup alerts to identify changesEradicate and/or repair any
devices identified to be non-complaint from company defined
policyGovernance and ComplianceInclude mobile security into
the organisations risk management program
Add mobile security awareness to existing employee awareness
programs
Implement mobile device policies and include them in them in

the Acceptable Use PoliciesAdd mobile devices in the
organisations audit program
Monitor and maintain logs of mobile device interactions with
corporate network Address and mitigate any non-compliance
Incorporate mobile devices into incident response plan
Regularly review mobile device acquisition and usage
*
Cloud Computing SecurityFully Understand the Cloud Providers
Environment
Service Levels
Where you Data will be stored.
Access rights to Government under local laws where that data
will be stored
Data Transfer Options should you want to move to another
provider
Data Retention PeriodsEncrypt your Data
Particularly for Sensitive Data

Should be Independent of Current Cloud Provider
*
*
Index
*
Introduction
Security Basics
Summary
Key Points
Additional Resources
*
Key PointsUnderstand the Threats and Consequences
General threats and those specific to your businessFactor
Security into your Development Plans
Engage with your Security ExpertsPatch your Operating
Systems and Applications regularlyDeploy and Maintain
Security Software on your DevicesSecure your Physical and

Information AssetsRegularly conduct Security Awareness
Training
*
*
*
*
Additional Reading / SupportAustralian Signals Directorate
http://www.asd.gov.au/publications/index.htmTrusted
Information Sharing Network
http://www.tisn.gov.au/Pages/default.aspxUS-CERT
http://www.us-cert.govSymantec Intelligence Report
http://www.symantec.com/theme.jsp?themeid=state_of_spamSA
NS Security
http://www.sans.org/reading_room/whitepapers/bestprachttp://w
ww.sans.org/tip_of_the_day.phpAnti-Phishing Working Group
http://www.antiphishing.org/
*

*
Globalization and Business IT
Week One
Dr Claire Davison
AgendaGetting to know your classmatesIn-depth discussion of
the assessment tasksgroup formation for
assignmentReferencingTurnItIn
Where do you live?NorthSouthEastWestCBD
Course Co-ordinatorDr Paul R Cerroti
[email protected]
Course guide
Assignment OneYour first assignment is a reflective writing
exercise about a specific topic pertaining to Global business and
IT.
Specifically, you are required to reflect on the sessions two,
three and four of this course:Globalisation and Business

ITSocial MediaThe Role of IT in Global Business
Assignment OneDue: Week 5Tuesday 19 August 2014 in
class ORFriday 22 August 2014 in classMarks allocated: 10% of
final mark
Reflective Journal Writing
Prepared by Lila Kemlo
Manager Student Learning Support
What is Reflective Practiceprocess of thinking about
experiences, often new, with a view to learning from them a
form of personal response to experiences, situations, events or
information by reflecting on their meaning. This process
enables you to better understand what you have learned and to
gain new insights about yourself, others, and situations. These
new insights may result in a change of behaviour, perspective or
new action. There is neither a right nor a wrong way of
reflective thinking, there are just questions to explore.
What is the purpose of reflective journal writing
To record the development of your ideas and insights, concepts,
experiencesTo reflect on these thoughts and experiences as a
means of increasing your understanding of both yourself and
what you are observing To analyse what you learn and your self
development – may lead to change

What are the benefits of reflective practice?Life skill – by
documenting experiences, thoughts, questions, ideas – develop
an approach to thinking and learning - able to be transferred to
all aspects of life observe, analyse & reflect your responses to
situations opportunity to challenge ourselves, what we do and to
explore ways to do it differently and better understand course
material & gain skills related to your disciplinerecognise the
acquired knowledge & skills developedenhance your
employability as these skills are invaluable and attractive in the
workplace and to potential employers.
Reflective writing is NOTjust conveying information,
instruction or argument pure description, though there may be
descriptive elements straightforward decision or judgement (e.g.
about whether something is right or wrong, good or bad) simple
problem-solving a summary of course notes a standard
university essay
*
The Learning Cycle
Source: Adapted from Kolb’s Learning Cycle 1984 by the Study
and Learning Centre 2002
Record (what)

.
Reflect (think)
Analyse
(explain & gain insight)
New action
Simplified Learning Cycle
Step 1 in Learning Cycle: Record whatSummaries of the main
points from the guest speakers’ presentationsImmediate
thoughts/responses to what you are hearing from the
speakersDescribe the experience you are having while listening
to the speaker
Step 2 in Learning Cycle: Reflect (think)Which speakers had
the greatest impact on me? Why?What were the areas from
their presentations that influenced my thinking? In Business?

On self?How did I relate what the speakers said compared to
what I believed/thought prior to the presentation (Relevance to
me...beliefs, values, attitudes, assumptions)Did the speakers
demonstrate any common characteristics/themes? What were
they?How did what I heard link in with what I am
studyingWhere there any surprises/challenges for me? What
were they?
Step 3 in Learning Cycle: AnalysisAnalysis in a reflective
journal may involve three things:
- Analysis of experience or content
- Integration of experience with theory
- Demonstration of improved awareness and self-
development
Step 3 in Learning Cycle: AnalysisWhat questions you have
since that experience?What can I use and apply from this
experience in my business practice/ management/life?What I
have learned about myself?What have I learned about the ways
in which I interact with others?What aspects of myself could I
change/ develop as a result of what I have learned?Conclusions
you have drawn.
Step 4 in Learning Cycle: New ActionComparisons and
connections between your prior assumptions, preconceptions
and prior knowledge your new knowledge and experience How
new ideas challenge what you already know What will I change
about.....How will I go about changing......How will I
monitor/evaluate the effectiveness of these changes?

Style of writingMostly subjective. In addition to being
reflective and logical, you can be personal, hypothetical,
critical and creative. Write in the first person.includes
description (what, when, who) and analysis (how, why, what
if)…. often resulting in more questions than answers. A
reflective task may allow you to use different modes of writing
and language: descriptive (outlining what something is or how
something was done) explanatory (explaining why or how it is
like that) expressive (I think, I feel, I believe) questioningKeep
colloquial language to a minimum (eg, ‘kid’, ‘bloke’, ‘stuff’).
*
reflective writing is mostly subjective. Therefore in addition to
being reflective and logical, you can be personal, hypothetical,
critical and creative. You can comment based on your
experience, rather than limiting yourself to academic evidence.
Reflective writing is an activity that includes description (what,
when, who) and analysis (how, why, what if). It is an
explorative tool often resulting in more questions than answers.
A reflective task may allow you to use different modes of
writing and language:
descriptive (outlining what something is or how something was
done)
explanatory (explaining why or how it is like that)
expressive (I think, I feel, I believe)
Use full sentences and complete paragraphs
You can usually use personal pronouns like 'I', 'my' or 'we'
Keep colloquial language to a minimum (eg, kid, bloke, stuff)
REFLECTIVE WRITINGDEIP handoutUsing the four steps of
reflection:Who is someone you admire and what does it mean to

you?
BRW Research Report (Individual or Group)
Students will select an organization of their choice and conduct
one or two site visits, interview the relevant person(s) and write
a magazine article regarding the organization as a whole or a
department of the organization.This article should be written
with the intention that it will be published in BUSINESS
REVIEW WEEKLY.
Assignment TwoDue date: Tuesday 23 September or Friday 26
September (submit in the class you are enrolled in)Worth:
40%Length: 4000 wordsGroup: No more than 2 people or
individual
Choosing an organisationIn choosing an organization students
should carefully consider the need to address the specific
requirements of the assessment. The choice of organization is
very important. If in doubt please contact the lecturer.In your
choice, also consider an organization, which is of manageable
size and complexity for the project.When approaching an
organization, it is essential that you make it clear that the
project is for educational purposes only, and forms part of your
assessment ISYS 2394 Globalization and Business IT
Choosing an organisationName some organisations?What
networks do you have?Who do I contact in an

organisation?Look on the websiteMedia relations or PR
departmentHuman resources department
1001 facets of business …Where to begin?Lecture topicsWhat
interests you?Read magazines and newspapers to see what the
current topics are …What are some current business
trends?Your topic can be about the business or the person (a
profile). Some good assignments have been about the personal
experiences of successful business people
Business Review Weeklyhttp://www.brw.com.au/Some articles
are focused on:3 myths about your millenial staff,
busted.Avocado smoothie, anyone? How Boost Juice and Sumo
Salad have expanded offshoreIf physical retail is dying,
someone forgot to tell Dick Smith CEO Nick Abboud
Other sources Fast CompanyWiredInc.Forbes
1001 facets of businessSome topics we have had in the
past:Cross cultural management in International hotelCareer
path of celebrity chefChinese female
entrepreneurAccommodation entrepreneursOarsome Foursome
(Olympic rowers)Lord Mayor of Melbourne John
SoEntrepreneur story - Paul RubensSystem implementation at
SAP

*
How to get started on the report?Brainstorm ideasInvestigate
networkRead, read, readTalk to peopleYou will need to
collectSecondary data (Background information)Primary data
(via interviews/surveys)
*
Some advantages of qualitative
methodsUnderstanding/explaining personal experiences of
individualsFocus on subjects' own understanding and
interpretations Researcher experiences issues from a
participant's perspectiveReports presented in a narrative rather
than a statistical form – more interesting/understandable for
non-experts Useful in examining personal changes over
timeFocus on human-interest issues that are meaningful to
managers
*
Some qualitative methodsIn-depth interviewsSmall number of
subjects Checklist rather than a formal questionnaireTape-
recording + verbatim transcript30 minutes to several hours;
repeat interviews possible.
Group interviews/focus groupsConducted with a
groupInteraction between subjects + interaction between
interviewer and subject.
Collecting your informationRead about the topic and

organisation before you go to the interview. Be prepared.You
will need to organise an interview with the relevant
person/people in the organisation you have chosen.
A well planned 30 minute interview should use about eight to
ten questions, any more and you’re not allowing the subject
enough time to elaborate. To create a 4000 word paper you’ll
probably need one hour (around 15 questions).
You may need to be flexible with time and content
*
Wording of questionsavoid jargonsimplify wherever
possibleavoid ambiguityavoid leading questionsask only one
question at a time (avoid multi-purpose questions)
*
Asking your questionsStart with easy questionsStart with
'relevant' questionsLeave sensitive questions until later Be
aware of reader/user – interviewer or respondent?Compactness
(eg. single page) = ease of handling
*
How to write an article
Create an outline for your article
Your article should include a headline, introduction, body,
conclusion and resource box

Headline - make this as catchy as possible because your reader
will read this first and decide if they will continue reading the
rest of the article. i.e. "7 Highly Effective Ways to Gain Instant
Traffic to Your Web Site".
Introduction - introduce the topic you will be discussing in your
article or write a short story of your experience with the
topic/issue.
*
Planning and Drafting – What not to doDon’t just summarize
sourcesDon’t string quotes together and hope that it tells the
story.Instead, add your analysis and thoughts surrounding that
quote.Don’t write in the form of “The first issue was … and this
was followed by …” (step-by-step narrative)Instead, focus on
the results and analysis of your research. This is the juicy
information and could be the story of your
analysis/results.Don’t plagiarize – use direct quotes or
paraphrase.
Body - discuss all the aspects of the topic that you outlined in
the introduction. Break up each point into separate paragraphs
and keep them to about 5 - 8 lines. You may want to create a
sub-heading for each point. This makes it easier to read as most
people will scan your article.
Show, not tell – this is the golden rule of all writers

Conclusion - this should include a brief summary of your article
and a call for the reader to take action. i.e. "Be sure to include
article marketing as one of the top strategies for promoting your
web site. It's a self generating marketing machine that produces
a constant flow of visitors".
Resource box - this is the place you can add extra information
about your topic that is not strictly linked to the article. Eg
background information about a topic
Write with style - write in an informal style, like you
would explain your topic to a friend but formal enough that it is
not written in the first person.
When you finish writing, put it aside for some time. Let your
mind cool off a little, and then try to take an independent look
at what you have written. If you can’t, ask your family
member/friend/anyone whose opinion you value to read your
article and give feedback.
Format of reportMust be formatted in the same way as a
magazine article The use of graphs, visuals and photographs are
essential to your piece of work.Content, layout, neatness,

originality of presentation are important to the overall final
product.
ReferencingHarvard style of referencing.Use online
resourcesEndnote
TurnItIn – http://www.turnitin.com
What are you interested in?Social MediaGlobal supply chain
and logisticsBusiness in ChinaOnline securityCross cultural
understanding in businessGlobalizationEthical issues in
business

ISYS 2394 Business Globalisation and Business IT.docx

Recommended

Recommended

More Related Content

Similar to ISYS 2394 Business Globalisation and Business IT.docx

Similar to ISYS 2394 Business Globalisation and Business IT.docx (20)

More from priestmanmable

More from priestmanmable (20)

Recently uploaded

Recently uploaded (20)

ISYS 2394 Business Globalisation and Business IT.docx