The document is a presentation given by James McKinlay to the Manchester BCS Elite Group on July 10th 2014. McKinlay has extensive experience in information security management, including roles at ATOS Worldline, Walmart, and Manchester Airports Group. The presentation covers topics such as performing information security risk assessments, managing risks associated with mobile workforces, mobile apps, cloud computing environments, and public cloud services. It emphasizes the importance of understanding emerging threats, updating security policies and procedures, and staying up to date with the evolving threat landscape through activities like threat intelligence, industry discussions, and background reading.

2. THANK YOU FOR INVITING ME
MANCHESTER BCS ELITE GROUP
JULY 10TH 2014

3. YOUR SPEAKER – JAMES MCKINLAY
• 2014 HEAD OF INFORMATION SECURITY, DATA PROTECTION AND PCIDSS – ATOS WORLDLINE
• 2014 CISO LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE
• 2013 INFORMATION SECURITY MANAGER AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT)
• 2011 - 2013 INFORMATION SECURITY MANAGER MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT)
• 2006-2011 PCIDSS COMPLIANCE HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER)
• 2006 ECOMMERCE SECURITY– THOMAS COOK SCHEDULED BUSINESS

4. EXEC SUMMARY –
•UNDERSTAND YOUR FORMAL RISK ASSESSMENT
AND RISK ACCEPTANCE PROCEDURES
•KEEP UP TO DATE WITH CHANGING THREATS
(INTERNAL AND EXTERNAL)
•UPDATE YOUR INCIDENT RESPONSE PROCEDURES
TO INCLUDE ANY NEW POSITIONS YOU ADOPT Hope for the best – Plan for the worst

5. BEFORE WE BEGIN

6. WHAT DO I MEAN BY . . . .
•INFOSEC RISK ASSESSMENT
•MOBILE WORKFORCE RISK
•MOBILE APP RISK
•CLOUD VPC RISK
•CLOUD PUBLIC SERVICE RISK

7. INFOSEC RISK ASSESSMENT
• IS USUALLY DIFFERENT TO CORPORATE RISK
REGISTER
• CAN BE BESPOKE OR FOLLOW A RECOGNISED
METHOD
• CAN ALREADY BE PART OF YOUR INFORMATION
SECURITY MANAGEMENT STRATEGY
• MIGHT WANT TO CONSIDER USING THE SAME
OUTPUT “SCALES” (5X5)

8. RMF – PROCESS DRIVEN METHODOLOGIES
• NIST / OCTAVE ALLEGRO / HMG-IS1 / FAIR / ISO27005 / STRIDE

9. THE TECHNICAL RISK ASSESSMENT
• PATTERNS FROM OPEN SECURITY ARCHITECTURE (OSA)
• TRA/RAR TEMPLATE
• HTTP://CSRC.NIST.GOV/GROUPS/SMA/FASP/DOCUMENTS/RISK_MGMT/RAR_TEMPLATE_07112007.DO
• HTTP://WWW.OPENSECURITYARCHITECTURE.ORG/CMS/LIBRARY/PATTERNLANDSCAPE/262-PDF-TEST-PATTERN

10. TRA EXAMPLE

11. IS THE CIA ENOUGH

12. GOVERNANCE RISK & COMPLIANCE IN INFOSEC
• ARCHER
• RIVOSOFTWARE
• CURASOFTWARE
• SURECLOUD
• HITECLABS/TENRISK
• WCK (TECHARBOUR)

13. WHAT DO I MEAN BY . . . .
•INFOSEC RISK ASSESSMENT
•MOBILE WORKFORCE RISK
•MOBILE APP RISK
•CLOUD VPC RISK
•CLOUD PUBLIC SERVICE RISK

14. CASE STUDY : ASDA STORE MANAGERS
• WANT ACCESS TO SENSITIVE COMPANY DATA FROM A COMPANY
OWNED MOBILE DEVICE
• ALLOW STORE MANAGERS TO TAKE DEVICE HOME
• PHASE 1 – USE MOBILE PROVIDERS NETWORKING
• PHASE 2 – USE INSTORE WIFI

15. THINGS TO CONSIDER
• DEVICE CHOICE (IPAD –V- ANDROID TABLET)
• PROTECT FROM DAMAGE
• LOGISTICS (DELIVER DEVICE – DELIVER LOGIN DETAILS)
• SERVICE DESK / SUPPORT – NEW PROCEDURES, NEW EXPERIENCE
• MDM / SANDBOX – ESSENTIAL , NOT FOOLPROOF !!!
• MOBILE DEVICES NOT DESIGNED WITH MULTI USER SECURITY IN MIND (APPLE OWNER IS KING)

16. MORE THINGS TO CONSIDER
• HACKERS CAN BEAT MDM ENCRYPTION CONTAINERS – BLACKHAT EUROPE CONFERENCE
• HACKERS CAN BEAT VENDOR SECURITY – IOS8 JAIL BEAKS ALREADY AVAILABLE
• HACKERS CAN ESCAPE FROM BROWSERS (SAFARI MOBILE)
• SECURITY AWARENESS OF USERS
• VALUE OF DATA IN WRONG HANDS
• NEW ATTACKS BEING THOUGHT UP ALL THE TIME – SEPTEMBER 2014 EXPECT TO SEE ATTACKS ON
TELECOMS INFRASTRUCTURE

17. WHAT DO I MEAN BY . . . .
•INFOSEC RISK ASSESSMENT
•MOBILE WORKFORCE RISK
•MOBILE APP RISK
•CLOUD VPC RISK
•CLOUD PUBLIC SERVICE RISK

18. DUTY OF CARE ?
• LOOK AFTER CUSTOMER DETAILS
• NO EXCESSIVE LOGGING
• DO NOT GIVE ATTACKERS AN EASY EXPLOIT

19. WATCH FOR LEAKS
https://www.owasp.org/images/9/94/MobileTopTen.pdf

20. EXAMPLES ARE EVERYWHERE

21. CALL THE (LOCAL) PROFESSIONALS
www.pentest.co.uk www.mdsec.co.uk

22. FOOD FOR THOUGHT . . . .
• AMONG THE MOST SIGNIFICANT SECURITY RISKS ASSOCIATED
WITH CLOUD COMPUTING IS THE TENDENCY TO BYPASS
INFORMATION TECHNOLOGY (IT) DEPARTMENTS AND INFORMATION
OFFICERS. ALTHOUGH SHIFTING TO CLOUD TECHNOLOGIES
EXCLUSIVELY IS AFFORDABLE AND FAST, DOING SO UNDERMINES
IMPORTANT BUSINESS-LEVEL SECURITY POLICIES, PROCESSES, AND
BEST PRACTICES. IN THE ABSENCE OF THESE STANDARDS,
BUSINESSES ARE VULNERABLE TO SECURITY BREACHES THAT CAN
QUICKLY ERASE ANY GAINS MADE BY THE SWITCH TO SAAS.

23. WHAT DO I MEAN BY . . . .
•INFOSEC RISK ASSESSMENT
•MOBILE WORKFORCE RISK
•MOBILE APP RISK
•CLOUD VPC RISK
•CLOUD PUBLIC SERVICE RISK

24. ARE YOU READY TO MOVE TO THE CLOUD
Amazon
Microsoft
Rackspace
Pro-Act
Exponential-e

25. ARE YOUR SECURITY TEAM ?
Jericho Forum -> CSA
Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of services
Insufficient Due Diligence
Shared Technology Vulnerabilities

26. THE VENDORS WANT TO HELP

27. BUT THAT IS NOT ENOUGH -
• NEED TO UNDERSTAND HOW VPC EXTENDS YOUR ENVIRONMENT
AND HOW THAT WILL WORK WITH YOUR ISMS AND IS POLICIES.
• LOGICAL ACCESS POLICY
• INFORMATION SECURITY ASSET REGISTER
• PASSWORD POLICY
• CRYPTOGRAPHY POLICY
• THIRD PARTY SUPPLIER MANAGEMENT
• BACKUP AND RESTORE POLICY & PROCEDURES
• INCIDENT RESPONSE POLICY AND PROCEDURES

28. CASE STUDY : REPLACE THE SERVER ROOM
• VPN TO PRIVATE CLOUD
• GOOD STARTERS LEAVERS MOVERS PROCESS
• GOOD CHANGE MANAGEMENT PROCESS
• ENCRYPTING DATA AT REST AND DATA IN TRANSIT
• CENTRALISED LOG SHIPPING AND SIEM/CORRELATION/ALERTING
• SRC DST FIREWALL RULES IN ACROSS EVERY SUBNET

29. WHAT DO I MEAN BY . . . .
•INFOSEC RISK ASSESSMENT
•MOBILE WORKFORCE RISK
•MOBILE APP RISK
•CLOUD VPC RISK
•CLOUD PUBLIC SERVICE RISK

30. DATA GETS EVERY WHERE
• GOOGLE DRIVE , ONEDRIVE
• EVERNOTE
• GMAIL, HOTMAIL,
• SKYPE, YOUTUBE, SOUNDCLOUD
• MOZY BACKUPS , SALESFORCE.COM, OFFICE365, APPLE ICLOUD

31. DLP IN WEB CHANNELS

32. MSSP MANAGED SECURITY SERVICE PROVIDERS
• LOG MONITORING IN THE CLOUD
• SOC / CIRT OUTSOURCING
• THREAT INTELLIGENCE IN THE CLOUD
• VULNERABILITY MANAGEMENT IN THE CLOUD
• WHAT ABOUT VOIP IN THE CLOUD ?

33. WHERE DO THEY COME FROM . . . .
•EVOLVING THREAT LANDSCAPE

34. STAY UP TO DATE
• IMPORTANT FOR YOUR INFORMATION SECURITY STAFF TO STAY UP TO DATE
• UNDERSTAND THE REAL RISKS
• THREAT INTELLIGENCE
• INDUSTRY DISCUSSIONS AND NETWORKING
• BACKGROUND READING

35. THREAT INTELLIGENCE

36. DON’T FORGET TO AUDIT

37. BACKGROUND READING: BOOKS

38. DEEPER DIVE : BOOKS

39. YOU CAN’T HOLD BACK THE TIDE
• ACCENTURE-TECNOLOGY-VISION-2014.PDF”

40. • FIND ME ON LINKEDIN
• UK.LINKEDIN.COM/PUB/JAMES-MCKINLAY/16/A42/206/
TIME IS PRECIOUS
– THANK YOU FOR YOURS