Using international standards to improve Asia-Pacific cyber security

Understand the cyber threat facing APAC organisations, current legislation and how to utilise international standards to get your business cyber secure in this informative webinar, hosted by Alan Calder.

Slide 1. Using international standards to improve Asia-Pacific cyber security
Tuesday, 24 March 2015
Alan Calder, IT Governance Ltd, www.itgovernance.asia
Please note that all delegates in the teleconference are muted on joining and will automatically be unmuted for the start of the Q&A session.

Slide 2. Introduction – About Alan Calder
• Acknowledged international cyber security expert
• Leading author on information security and IT governance issues
• Led the world's first successful implementation of ISO 27001 (then called BS 7799)
• Consultant on cyber security and IT governance strategies globally, including across the Asia-Pacific region
© IT Governance Ltd 2015

Slide 3. Agenda
• The cyber threat – breaking down recent high-profile data breaches
• Current legislation – the current data protection laws in Hong Kong, Australia, Singapore and the Philippines
• International standard – how the cyber security standard ISO 27001 will help get your business cyber secure

Slide 4. Current cyber threat (section title)

Slide 5. The current cyber threat
• 1 billion data records compromised globally in 2014
• 1,500 data breaches globally in 2014
• $2.8 million is the average cost of a data breach in Australia
• 70% believe cyber attacks are among the three biggest threats facing organisations

Slide 6. The current cyber threat
• 61% of APAC organisations expect a cyber attack to strike their organisation in 2015, but only 43% are prepared
• 76% of APAC organisations have detected security incidents in the past 12 months
• 63% of APAC organisations will increase their security budget over the next 12 months

Slide 7. The changing threat landscape
• 87% of iPhone and 97% of Android top-100 apps have been hacked
• 100% of companies experience virus attacks, and 97% have suffered malware attacks
• 156 million phishing emails are sent every day
• 15 million make it through spam filters
• The average cost for each stolen record in Australia is $145

Slide 8. The changing threat landscape – Why did they fail to avoid a breach?
[Chart: root causes of data breaches. Source: Ponemon Institute – Year of the Mega Breach 2014]

Slide 9. Case study – Philippine government
• Government websites compromised multiple times by hacktivists
– Nov 2013 – Philippine hacker group linked to Anonymous hacked numerous government websites, calling on the public to support a protest
– Nov 2014 – Philippine branch of Anonymous hacked 11+ government websites to express dissatisfaction: "Your governments have failed you, they sit atop their thrones and abuse their power"
– Feb 2015 – website compromised by an anti-ISIS hacker, posting an expletive-ridden message

Slide 10. Case study – Philippine government
• No formal statement from the government about the hacks, how they happened or what they are doing about it, but it is clear that:
– Government is unprepared for a cyber attack and failing to put effective measures in place
– Little or no contingency plans
– Websites restored, but the government's lack of security exposed
– Effective way for hacktivists to voice opinions

Slide 11. Case study – Lizard Squad and their infamous DNS attacks
Hacking group Lizard Squad appears to have attacked a number of websites:
Lizard Squad attacks Malaysia Airlines website, January 2015
• Visitors to www.malaysiaairlines.com on Monday 26 January found the message "404 – Plane Not Found"
• Appeared to be a DNS attack, overriding the domain's settings and redirecting site visitors to a Lizard Squad-controlled page
• Fully recovered within 22 hours
Google Vietnam hacked by Lizard Squad, February 2015
• Google.com.vn, the search giant's Vietnamese site, appeared to have suffered a DNS attack by Lizard Squad
• Site visitors found a photo of a man taking a selfie with an iPhone instead of the normal search engine
Lenovo attacked after Superfish controversy, February 2015
• Lizard Squad attacked Lenovo's website with a DNS attack, redirecting users to a free CloudFlare account
Last year, the hacking group claimed responsibility for attacks on Sony's PlayStation Network and Microsoft's Xbox Live network, among others.
Slide 12. Case study – Lizard Squad DNS attacks
What are DNS attacks?
• The Domain Name System (DNS) translates a domain name into the address of the server that visitors actually connect to
• DNS hijacking works by altering a domain's DNS records (typically the name-server delegation held at the registrar, or the records on the authoritative name server) so that lookups resolve to attacker-controlled hosts; the target's own web servers are not compromised at all
• DNS hijacking rarely exposes customer information held by the target, instead causing disruption by taking control of where the domain points; the caveat is that anything a visitor submits to the attacker's page, and mail for the domain if its MX records are changed as well, ends up in the attacker's hands
Effects
• Websites restored, but the lack of security around the domain itself was exposed
• Effective way for hackers to voice opinions
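A registrar- or name-server-level hijack of the kind described on the two slides above leaves the victim's web servers untouched, so the only place it shows up is in DNS itself. The check below is an added example for this page (not code from IT Governance or from any of the incidents named): it diffs a zone's delegation (NS) and apex address records against a known-good baseline and classifies the drift. It assumes you periodically record those records from a resolver of your choice; the zone name, name servers, addresses and netblocks are constructed (the addresses come from the RFC 5737 documentation ranges).

```python
"""Detect a registrar- or name-server-level DNS hijack by diffing a zone's
delegation (NS) and apex address records against a known-good baseline.

Added example, not code from the deck or from the incidents it describes.
All names, addresses and netblocks are constructed; in practice the
`observed` snapshot would be filled from whatever resolver you poll.
"""
from dataclasses import dataclass
import ipaddress


def _norm_name(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


@dataclass(frozen=True)
class DnsSnapshot:
    """NS delegation and apex addresses seen for a zone at one point in time."""
    zone: str
    ns: frozenset
    addresses: frozenset

    @classmethod
    def from_records(cls, zone, ns, addresses):
        return cls(
            _norm_name(zone),
            frozenset(_norm_name(n) for n in ns),
            frozenset(str(ipaddress.ip_address(a)) for a in addresses),
        )


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high" or "info"
    kind: str
    detail: str


def compare_snapshots(baseline, observed, allowed_nets=()):
    """Return the drift between two snapshots of the same zone as Findings.

    allowed_nets lists CIDR blocks the zone may legitimately resolve into
    (your own hosting provider's ranges). A new address outside them is the
    redirect pattern described on the slides above.
    """
    if baseline.zone != observed.zone:
        raise ValueError("snapshots are for different zones")
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []

    # A changed delegation means the registrar/registry view of the domain
    # was altered: the attacker then controls every record, not just the web site.
    added_ns = observed.ns - baseline.ns
    removed_ns = baseline.ns - observed.ns
    if added_ns or removed_ns:
        findings.append(Finding(
            "critical", "delegation-changed",
            f"NS added={sorted(added_ns)} removed={sorted(removed_ns)}"))

    added_addr = observed.addresses - baseline.addresses
    removed_addr = baseline.addresses - observed.addresses
    for addr in sorted(added_addr):
        ip = ipaddress.ip_address(addr)
        if nets and not any(ip in net for net in nets):
            findings.append(Finding(
                "high", "address-outside-allowlist",
                f"{observed.zone} now resolves to {addr}"))
        else:
            # Re-hosting inside your own ranges is routine: log it only.
            findings.append(Finding(
                "info", "address-changed",
                f"{observed.zone} now resolves to {addr}"))
    if removed_addr and not added_addr:
        findings.append(Finding(
            "high", "address-removed",
            f"apex records gone: {sorted(removed_addr)}"))
    return findings


def is_hijacked(findings):
    return any(f.severity in ("critical", "high") for f in findings)


# Constructed data (hypothetical zone, providers and ranges) ----------------
ALLOWED_NETS = ("192.0.2.0/24",)  # the range your hosting provider uses
BASELINE = DnsSnapshot.from_records(
    "example.com",
    ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
    ["192.0.2.10"])
# Delegation moved to another provider and the apex now points elsewhere.
HIJACKED = DnsSnapshot.from_records(
    "EXAMPLE.com",
    ["ns1.other-host.example", "ns2.other-host.example"],
    ["203.0.113.7"])
# A routine move to another server inside the same hosting range.
BENIGN = DnsSnapshot.from_records(
    "example.com",
    ["ns1.dns-provider.example", "ns2.dns-provider.example"],
    ["192.0.2.11"])


if __name__ == "__main__":
    for label, snap in (("hijacked", HIJACKED), ("benign", BENIGN)):
        result = compare_snapshots(BASELINE, snap, ALLOWED_NETS)
        print(label, "HIJACK" if is_hijacked(result) else "ok")
        for f in result:
            print(f"  [{f.severity}] {f.kind}: {f.detail}")
```

Run it from a scheduled job against a snapshot taken from a resolver outside your own network as well as from inside it: a hijack at the registrar is visible to the whole internet, while a poisoned internal resolver would only show up from inside. Treat a delegation change as an incident even when the new addresses look harmless, since whoever controls the delegation can change every record at will.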
Slide 13. International case study – Sony Pictures
Data breach
• November 2014
• Hackers infiltrated Sony's corporate computer network
• Torrents of unreleased Sony Pictures films appeared online
• Personal information about employees (families, emails, salaries, etc.) was leaked
• Plaintext passwords leaked online, along with other credential data
• A huge number of marketing slide decks were leaked
• Kept Sony staff from using computers for days
• Sony postponed the release of the upcoming film The Interview

Slide 14. International case study – Sony Pictures
Repercussions
• North Korea blamed, increasing tension with the US
• Ex-employees sought to combine class action lawsuits against Sony
• Costs reach $100 million
How did the breach get so bad?
• Executives ignored ransom emails, treated as spam
• Failed to acknowledge the breach until one week later
• Generally lax approach to online security
– April 2011 – Sony's PlayStation Network hacked and 76 million gamers' accounts compromised
– Inappropriate spending? A $250 million budget still couldn't keep them cyber secure

Slide 15. Small companies are at risk too
• Cyber criminals target indiscriminately
• 60% of breached small organisations close down within six months
• Often lack effective internal security practices
• No dedicated IT security and support
• Passwords and system access easily compromised
• Out-of-date server hardware and software
• Websites are built on common, open-source frameworks – weaknesses easily exploited

Slide 16. What is the board told?
• 32.5% of boards do not receive any information about their cyber security posture and activities
• 38% of the remainder receive reports only annually
• 29% of IT teams don't report breaches for fear of retribution
Source: IT Governance 'Boardroom Cyber Watch Survey 2014'

Slide 17. Cyber security skills shortage
Shortage
• Global shortage of two million cyber security professionals by 2017
ISACA report
• 85% believe there is a shortage
• 53% consider it difficult to identify adequate cyber security skills
• 50% plan to increase staff training
Companies should be looking for
• Industry-recognised qualifications (IBITGQ)

Slide 18. Current cyber security legislation (section title)

Slide 19. Australia
Cyber Security Strategy 2009
• Framework to address the increasing risk of online threats to the country
• Aims to have businesses operate secure and resilient information and communications technologies, thereby protecting the integrity of their own operations and the identity and privacy of their customers
• Criticism – significantly out of date. Prime Minister Tony Abbott is currently pushing for a cyber security review
Slide 20. Hong Kong
Personal Data (Privacy) Ordinance (PDPO)
• Governs the handling of data subjects' personal data
• Six data protection principles that data users must abide by
– DPP4 – all practicable steps shall be taken to ensure that personal data are protected against unauthorised or accidental access, processing, erasure, loss or use
• Maximum penalty of five years' imprisonment and a fine of up to HKD 1,000,000
• Data users remain liable for any breach by third parties (such as data processors) acting on their behalf
Slide 21. The Philippines
Cybercrime Prevention Act of 2012
• Enacted to address numerous forms of cyber crime
• Applicable to organisations outside the Philippines
• Met with controversy – many saw the legislation as a heavy-handed undermining of free expression and privacy, so the Supreme Court put a temporary restraining order in place
• Feb 2014 – Supreme Court ruled a number of provisions to be constitutional, including:
– Cyber crime offences
– Cyber crime against critical infrastructure
– Misuse of devices

Slide 22. Singapore
Personal Data Protection Act (PDPA) 2012
• Governs the collection, use and disclosure of personal data by organisations
• Only concerns individuals' data and not corporate data
National Cyber Security Masterplan 2018
• Five-year plan that aims to develop Singapore as a "trusted and robust infocomm hub by 2018"
Computer Misuse and Cybersecurity Act 1993 (amended 2013)
• Provides for securing computer material against unauthorised access or modification, and requires organisations to take appropriate cyber security measures
– Punishable offences carry up to ten years' imprisonment and/or an SGD 50,000 fine

Slide 23. Meeting cyber security legislation
• A strong security posture
• An effective incident response plan
• A CISO appointment
• Implementing industry standards*
Source: 2014 Global Report on the Cost of Cyber Crime – Ponemon and HP

Slide 24. International standards (section title)

Slide 25. ISO 27001 – the cyber security standard
• ISO 27001 – a globally recognised standard that provides a best-practice framework for addressing the entire range of cyber risks
– Encompasses people, processes and technology
– Systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation's information security to achieve business objectives

Slide 26. Key elements of implementing ISO 27001
• Determine the scope of the ISMS
• Consider the context of the organisation and interested parties
• Appoint a senior individual responsible for information security
• Conduct a risk assessment – identify risks, threats and vulnerabilities
• Appoint risk owners for each of the identified risks
• Implement appropriate policies and procedures
• Conduct staff training
• Conduct an internal audit
• Perform continual improvement of the ISMS

Slide 27. How will ISO 27001 benefit your business?
• Increased/appropriate level of information security
– Systematic approach to risks
– Informed decisions on security investments: cost-effective security
• Better work practices that support business goals
• Good marketing opportunities
• Credibility with staff, customers and partner organisations
• Due diligence
• Compliance with corporate governance requirements
– Appropriate action to comply with the law
– Manage business risks
– Industry best-practice security
– Internationally recognised good security practice

Slide 28. Benefits of ISO 27001 certification
• Assurance to customers, employees and investors that their data is safe
• Credibility and confidence
• Internationally recognised
• Shows that you have considered all of the information security-associated risks
• Notably, fulfilling fiduciary responsibilities
• Supports your adherence to multiple compliance requirements

Slide 29. ISO 27001 in APAC
[Chart only]

Slide 30. Why some of the world's most valuable brands pursue ISO 27001 certification
Google: "This certification validates what I already knew… that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps."
Amazon: "The certification confirms our longstanding commitment to the security of our services to our customers."
Microsoft: "…provides external validation that our approach to managing security risk in a global organization is comprehensive and effective, which is important for our business and consumer customers."

Slide 31. IT Governance
• Helped over 150 organisations achieve ISO 27001 certification worldwide
• 15+ years' experience
• Highly regarded within the industry
• Unique offering of tools, training and consultancy, which is unavailable elsewhere

Slide 32. Fixed-price, packaged solutions
• You deliver the project independently
• You resource the project, calling on specialist tools and courses to aid efficiency and accelerate implementation
• Standards and books
• Software and documentation templates
• Training
• Mentor and coach
• IT Governance removes all the pain, delivering a certification-ready ISMS aligned with ISO 27001
• You resource the project, use tools and courses and benefit from the expert's know-how
• You own and are in control of the project, receiving hands-on guidance from us
• You provide input
Find out more: www.itgovernance.asia/t-iso27001-solutions.aspx