The document discusses cybersecurity risks and controls. It begins by defining cybersecurity and noting that 46% of the world's population is connected to the internet. It then discusses common threat vectors and the industries most targeted by espionage. The document emphasizes the importance of cybersecurity management and outlines standard guidance documents. It describes the key elements of effective cybersecurity as including policies, governance, personnel security, and controls related to assets, access, operations, networks, software and more. Finally, it discusses integrating security across an organization's infrastructure.
Summary: The Complete Guide to Cybersecurity Risks and Controls
1. Summary: The Complete Guide to Cybersecurity Risks and Controls
Rd. R. Agung T.
EL5261 – Manajemen Resiko Keamanan Informasi (Information Security Risk Management)
Anne Kohnke, Dan Shoemaker, Ken Sigler, The Complete Guide to Cybersecurity Risks and Controls, CRC Press / Taylor & Francis Group, 2016
2. "The increasing prevalence and severity of malicious cyber-enabled activities… constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States. I hereby declare a national emergency to deal with this threat."
Barack Obama, President of the United States, 2015
4/14/2018
3. What is Cybersecurity?
• The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this (Oxford English Dictionary)
• 46% of the world's population is connected to the internet [1]
Figure: THREAT VECTORS BY INDUSTRY. The vectors by which industries are compromised. Source: Verizon 2015 Data Breach Investigations Report
[1] Cybersecurity: Threats, Challenges, and Opportunities, ACS (Australian Computer Society)
4. Top 10 Espionage-Targeted Industries
Figure: the most targeted industries in 2015. Source: Verizon 2015 Data Breach Investigations Report
Figure: EASY HACKS, EASY BREACHES. Source: Verizon 2016 Data Breach Investigations Report
5. Top Sources of Mitigated DDoS Attacks
Top sources of mitigated DDoS attacks on Akamai's network, share of attacks (%). Source: Akamai State of the Internet Report, Q2 2015
China 37.01%
US 17.88%
UK 10.21%
India 7.43%
Spain 6.03%
Korea 4.53%
Russian Federation 4.45%
Germany 4.29%
Australia 4.18%
Taiwan 4.00%
6. Why Is Cybersecurity Management Important?
• The World Wide Web became popular in the mid-1990s
• The "Six Blind Men and an Elephant" syndrome
7. Cybersecurity Controls
• Accurately identify and authenticate all entities seeking access to a system
• Authorize access to only those objects that the entity's level of trust permits
• Monitor and control activities during the time that the entity is granted access
• Ensure against unauthorized access to, or manipulation of, data
• Ensure against unauthorized manipulation of system objects
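The five goals above, as an added worked example (not code from the book or the deck): a small in-memory reference monitor in Python that authenticates entities, authorizes by trust level, logs every access, and refuses to serve objects altered behind its back. The entity names, trust levels, PBKDF2 password scheme, audit record layout and the tampering scenario in demo() are assumptions chosen for illustration.

```python
"""Reference monitor sketch for the five control goals on slide 7.
Added example, not code from the book or the deck; entity names, trust levels,
the PBKDF2 password scheme, the audit record layout and the tampering scenario
in demo() are assumptions made for illustration."""
import hashlib, hmac, secrets

LEVELS = {"public": 0, "internal": 1, "confidential": 2}  # higher = more trusted
ROUNDS = 200_000  # PBKDF2 iterations; assumption, slows offline guessing


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


class ReferenceMonitor:
    # Every access is mediated here; a direct edit of an object's bytes is
    # caught by the digest check on the next mediated read.
    def __init__(self):
        self.entities = {}   # name -> {level, salt, hash, can_write}
        self.objects = {}    # name -> {level, data, digest}
        self.sessions = {}   # token -> entity name
        self.audit = []      # (who, op, object, result)

    # 1. identify and authenticate every entity seeking access
    def register(self, name, password, level, can_write=False):
        salt = secrets.token_bytes(16)
        self.entities[name] = dict(level=level, salt=salt, hash=_kdf(password, salt), can_write=can_write)

    def authenticate(self, name, password):
        """Return a session token or None. An unknown name costs the same KDF
        work as a wrong password, so response time does not reveal names."""
        ent = self.entities.get(name)
        salt, expect = (ent["salt"], ent["hash"]) if ent else (bytes(16), bytes(32))
        ok = hmac.compare_digest(_kdf(password, salt), expect) and ent is not None
        self.audit.append((name, "login", "-", "ALLOW" if ok else "DENY"))
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def _subject(self, token):
        if token not in self.sessions:
            raise PermissionError("no valid session")
        name = self.sessions[token]
        return name, self.entities[name]

    def add_object(self, name, level, data):
        self.objects[name] = dict(level=level, data=data, digest=hashlib.sha256(data).hexdigest())

    def verify_integrity(self, obj_name):
        obj = self.objects[obj_name]
        return hmac.compare_digest(hashlib.sha256(obj["data"]).hexdigest(), obj["digest"])

    # 2. authorize only what the trust level permits; 3./4. log every access
    # and refuse to serve data that was altered behind the monitor's back
    def read(self, token, obj_name):
        who, ent = self._subject(token)
        obj = self.objects[obj_name]
        if ent["level"] < obj["level"]:
            self.audit.append((who, "read", obj_name, "DENY"))
            raise PermissionError(f"{who} lacks the trust level for {obj_name}")
        if not self.verify_integrity(obj_name):
            self.audit.append((who, "read", obj_name, "TAMPERED"))
            raise RuntimeError(f"{obj_name} failed its integrity check")
        self.audit.append((who, "read", obj_name, "ALLOW"))
        return obj["data"]

    # 5. only the monitor may change a system object, and it re-seals it
    def write(self, token, obj_name, data):
        who, ent = self._subject(token)
        if ent["level"] < self.objects[obj_name]["level"] or not ent["can_write"]:
            self.audit.append((who, "write", obj_name, "DENY"))
            raise PermissionError(f"{who} may not modify {obj_name}")
        self.add_object(obj_name, self.objects[obj_name]["level"], data)
        self.audit.append((who, "write", obj_name, "ALLOW"))

    def revoke(self, token):
        who = self.sessions.pop(token, None)
        if who:
            self.audit.append((who, "logout", "-", "ALLOW"))


def demo():
    """Constructed scenario; returns (read_denied, tamper_detected, audit_log)."""
    rm = ReferenceMonitor()
    rm.register("alice", "correct horse", LEVELS["confidential"], can_write=True)
    rm.register("bob", "hunter2", LEVELS["internal"])
    rm.add_object("payroll.csv", LEVELS["confidential"], b"id,salary\n1,100\n")
    rm.add_object("handbook.txt", LEVELS["internal"], b"welcome\n")
    rm.authenticate("bob", "wrong")                     # logged as DENY
    bob = rm.authenticate("bob", "hunter2")
    alice = rm.authenticate("alice", "correct horse")
    denied = tampered = False
    try:
        rm.read(bob, "payroll.csv")                     # internal < confidential
    except PermissionError:
        denied = True
    rm.write(alice, "handbook.txt", b"welcome, updated\n")
    rm.read(bob, "handbook.txt")                        # allowed; write() re-sealed it
    rm.objects["payroll.csv"]["data"] = b"id,salary\n1,999999\n"  # bypasses the monitor
    try:
        rm.read(alice, "payroll.csv")
    except RuntimeError:
        tampered = True
    rm.revoke(bob)
    return denied, tampered, rm.audit
```

Calling demo() walks the scenario: a bad password and a read above the caller's trust level are denied and logged, a permitted write re-seals the object, and a byte-level change made behind the monitor's back is refused on the next read. A bare SHA-256 digest stops accidental and unprivileged changes but not an attacker who can also rewrite the digest; in a real system the seal would be an HMAC or signature under a key that only the monitor holds.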
8. The Disciplines of Cybersecurity
• The confusion about what constitutes the proper elements of the field originates in the fact that the profession of cybersecurity could potentially comprise concepts from a number of disciplines. Some content from all of these disciplines might reasonably fall within legitimate boundaries. That includes such diverse areas as shown in the figure.
9. Standard Guidance
• The first is the International Organization for Standardization (ISO) 27000 series of information security standards.
• The second is the National Institute of Standards and Technology (NIST) and its Federal Information Processing Standards (FIPS) 200 framework, as implemented by NIST SP 800-53.
• The third, and perhaps the most influential, is the Information Systems Audit and Control Association (ISACA) and its Control Objectives for Information and Related Technologies (COBIT) model.
10. Standard Guidance
• COBIT and ISO 27000 are primarily oriented toward conventional business IT in their practical use. NIST SP 800-53 satisfies the requirements of the Federal Information Security Management Act (FISMA), and is used in all healthcare organizations to substantiate meaningful use with their electronic health records systems.
11. Control or Countermeasure
1. Policy
2. Governance control
3. Personnel security
4. Physical and environmental security
5. Asset management
6. Access control
7. Security of operations
8. Network security
9. Computer security
10. Software development and maintenance security
11. Acquisition
12. Incident management
13. Compliance
14. Continuity
15. Elements of human factors such as training and education
12. IT Governance
• "Top-down" effectively describes the strategic approach and purposes of information governance
13. Security and Control
• Every organization has a basic need to understand the status of its own IT systems and to decide the level of security and control they should provide. Neither aspect of this issue—understanding or deciding on the required level of control—is straightforward. Furthermore, it is hard to get an objective view of what should be measured and how.
15. Important Resources
• Most important is the need for them to be measurable. They need to focus on the resources most important to the process and be driven by generic business needs, including:
– Cost efficiency
– Productivity
– Defects
– Cycle time
– Quality and innovation
– Computing performance
– Stakeholder satisfaction
– Staff competency
– Benchmark comparisons
16. Control Framework Assumptions
• In order to effectively and efficiently achieve those outcomes—for example, the desired information—the process has to be rationally and optimally managed. And to satisfy business objectives, the information must directly support the business need. Thus, the following dozen generic requirements tend to appear in most frameworks:
1. Security requirements
2. Quality requirements
3. Confidentiality
4. Integrity
5. Availability
6. Cost
7. Service delivery
8. Fiduciary responsibility
9. Effectiveness and efficiency of operations
10. Reliability of information
11. Compliance with laws and regulations
12. Definition of concepts
18. • Effective information security governance should result in six outcomes (Information Systems Audit and Control Association [ISACA], 2012):
– Strategic alignment
– Risk management
– Business process management/value delivery
– Resource management
– Performance management
– Integration
19. Information Security Governance
• The organization's executive management team is then responsible for ensuring that the needed infrastructure, resources, and organizational functions are made available to carry out the directives of the board and of any governmental regulatory agency whose requirements apply.
• The CISO (Chief Information Security Officer) has responsibility and authority over the full scope and breadth of information security activity.
• The CISO develops, oversees, and manages the information security program and its initiatives, including strategy, personnel, infrastructure, policy enforcement, emergency planning, and security training and awareness.
20. What is Control?
• Controls are security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve security within an organization. The main focus of control formulation and development should be on the security of hardware, telecommunications, and software. Moreover, the level of control implementation chosen should protect sensitive information in any of the following three states: data at rest, data in transit, and data in process.
22. Information Security Integrated
• Integrating information security into organizational infrastructure requires a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed and that risk to the organization from information systems is managed efficiently and cost-effectively.
Whether we realize it or not, this activity has been going on since the mid-1990s, and the challenge of producing a comprehensive solution stems from the “Six Blind Men and an Elephant” syndrome: each blind man knows only the part of the elephant he touches, just as we know individual parts that need protecting, but a solution only emerges once the whole shape of the elephant is known. Effective solutions can only be based on whole-system approaches. Or, in simple terms, “You are not secure if you are not completely secure.” Security controls must therefore be designed and assembled properly.
The confusion about what constitutes the proper elements of the field originates in the fact that the cybersecurity profession could potentially comprise concepts from a number of disciplines, and some content from all of these disciplines might reasonably fall within its legitimate boundaries. In short, it is hard to pin down what the cybersecurity profession is and who belongs to it; it can draw on several disciplines, which is why the field is charted as in the figure.
The responsibilities and functions of IT governance are shown in the figure.
Beyond the need to measure where the organization stands, there is a requirement to ensure continuous improvement in IT security and control. This implies the need for an array of reporting lines that allow busy executives to monitor the process by which the general security of their information assets is implemented and maintained. The monitoring process must address management issues such as the following:
1. Strategic alignment—security activities must be aligned with the business strategy to support the organization's objectives. Security solutions take into account the governance style, organizational culture, technology deployed, and the structure of the organization.
2. Risk management—risk mitigation should be based on the organization’s risk profile, acceptable levels of risk, understanding of risk exposure, and the potential impact/consequences of residual risk.
3. Business process management/value delivery—this includes the integration of all relevant information assurance processes and practices to maximize the effectiveness and efficiency of security activities.
4. Resource management—efficient and effective use of information security knowledge and infrastructure to ensure knowledge is captured and available to develop and document security processes and practices.
5. Performance management—develops a measurement process, aligned with strategic objectives, to aid in effective decision making. This includes continuous monitoring and reporting of information security processes and independent external assessments and audits.
6. Integration—ensures that processes function as intended from end to end
The first of these is “effective.” Effectiveness pertains to the relevance and value of the information to the business process. To be effective, the information must also be delivered in a timely, correct, consistent, and usable manner.
The second factor is “efficiency.” Efficiency underwrites the provision of information through the optimal, that is, the most productive and economical, use of resources.
The third factor is “confidentiality.” Confidentiality describes the protection of sensitive information from unauthorized disclosure.
The fourth factor is “integrity.” Integrity designates the accuracy and completeness of information as well as its validity in accordance with business values and expectations.
The fifth factor is “availability.” Availability relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
The sixth factor is “compliance.” Compliance ensures that the organization complies with the laws, regulations, and contractual arrangements to which the business process is subject, that is, externally imposed business criteria.
The final factor is “reliability.” Reliability designates that the appropriate information is trustworthy and dependable enough for management to operate the organization and to exercise its financial and compliance reporting responsibilities.