1. FRAUD and Cybersecurity - How are they related?
Hoo Chuan Wei CISSP, CISA, CFE, BCCE
Chief Cybersecurity Technology Officer
ST Engineering Electronics
2. Human asset or risk
Over 70% of companies say humans are their greatest vulnerability
- security analyst submit
http://www.humanresourcesonline.net/developing-leaders-weakest-link-emerging-asia/
5. Catch-22
• We are getting ourselves equipped with cybersecurity knowledge to protect and defend
• With the new found knowledge, we are also able to do “bad” things; bypass the controls, etc.
http://blogs.iac.gatech.edu/unreliable/2013/10/07/hellers-catch-22/
6. The CIA AAA SAM pyramids
• IT: Confidentiality, Integrity, Availability
• Confidentiality - keeping your information asset safe and secret and sharing it with people you trust.
• Integrity - it provides assurance that the information asset is trustworthy and accurate.
• Availability - it is a guarantee that reliable access to the information asset is available for authorized usage.
• Authentication, Authorisation, Auditing
• Authentication - determining whether someone or something is, in fact, who or what it is declared to be.
• Authorisation - to determine user/client privileges or access levels related to system resources.
• Auditing - to ascertain the sequence of events to present a true and fair view of the concern.
• IoT/OT: Safety, Maintainability
• Safety - the condition of being protected from or unlikely to cause danger, risk, or threat of harm and injury.
• Maintainability - the probability of performing a successful repair action within a given time.
• Domains expertise, deep engineering mindset, system assurance
• Protect, Detect, Respond
8. Security is as strong as the weakest link
• Defense in-depth
• No perfect security
• Risk management
• What is planned may not be what is exercised
• Security circular problem: conduct frequency? Frequency of risk assessment?
• Cyber-physical complexities
• Integration
• Enterprise architecture
9. Technology (UBA vs UEBA)
• User Behaviour Analytics (UBA)
  • Monitoring human behaviour patterns
  • Using algorithms to detect behaviour anomalies
• User and Entity Behaviour Analytics (UEBA)
  • UBA + environmental variables (devices, applications, IT computing)
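The UBA versus UEBA distinction on this slide is easiest to see in code. The following is an added example, not material from the presentation or from ST Engineering: it builds a per-user baseline from constructed authentication events and then scores new events. In "UBA" mode only the user's own behaviour pattern (hour of day) is checked; in "UEBA" mode the environmental variables the slide names (device, application) are checked as well. Event fields, user names and the one-hour tolerance are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample history (user, hour of day, device, application).
# These are made-up events for the example, not real log data.
HISTORY = [
    ("alice", 9, "laptop-01", "crm"),
    ("alice", 10, "laptop-01", "crm"),
    ("alice", 14, "laptop-01", "mail"),
    ("alice", 16, "laptop-01", "crm"),
    ("bob", 8, "desktop-07", "erp"),
    ("bob", 9, "desktop-07", "erp"),
    ("bob", 17, "desktop-07", "mail"),
]


def build_baselines(events):
    """Per-user profile: the hours, devices and applications seen in history."""
    profiles = defaultdict(lambda: {"hours": set(), "devices": set(), "apps": set()})
    for user, hour, device, app in events:
        profile = profiles[user]
        profile["hours"].add(hour)
        profile["devices"].add(device)
        profile["apps"].add(app)
    return profiles


def hour_is_anomalous(hour, seen_hours, tolerance=1):
    """True when the hour is more than `tolerance` hours (wrapping at midnight)
    from every hour in the user's baseline. Tolerance is an assumed parameter."""
    for seen in seen_hours:
        distance = abs(hour - seen)
        distance = min(distance, 24 - distance)
        if distance <= tolerance:
            return False
    return True


def score_event(event, profiles, mode="UEBA"):
    """Return the reasons an event deviates from baseline (empty list = normal).

    UBA  : behaviour only (time of day the user is normally active).
    UEBA : UBA plus entity context (device and application the user normally uses).
    """
    user, hour, device, app = event
    profile = profiles.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if hour_is_anomalous(hour, profile["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if mode == "UEBA":
        if device not in profile["devices"]:
            reasons.append(f"unseen device {device}")
        if app not in profile["apps"]:
            reasons.append(f"unseen application {app}")
    return reasons


def detect(events, profiles, mode):
    """Return (event, reasons) for every event that scores at least one reason."""
    flagged = []
    for event in events:
        reasons = score_event(event, profiles, mode)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # Constructed new events to score against the baseline.
    new_events = [
        ("alice", 3, "laptop-01", "crm"),   # normal device, 03:00 is outside her pattern
        ("alice", 10, "kiosk-99", "crm"),   # normal hour, never-seen device
        ("bob", 9, "desktop-07", "erp"),    # entirely normal
        ("carol", 9, "laptop-02", "crm"),   # no baseline at all
    ]
    for mode in ("UBA", "UEBA"):
        print(mode)
        for event, reasons in detect(new_events, baselines, mode):
            print("  ", event, "->", ", ".join(reasons))
```

Running the block shows the difference the slide is making: the UBA pass flags only the 03:00 logon and the unknown user, while the UEBA pass additionally flags the logon from the never-seen kiosk, because the device is an entity attribute that pure behaviour analytics does not consider. A real deployment would replace the set-membership baseline with statistical or learned models, but the two-layer structure is the same.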