PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032

The webinar covers:
• An overview of cybersecurity
• The relationship between cybersecurity and other types of security
• Guidance for addressing common cybersecurity issues
• Convincing stakeholders to collaborate on resolving cybersecurity issues

Presenter:
This webinar was presented by PECB Partner and Trainer Mr. Fabrice DePaepe, who is Managing Director at Nitroxis Sprl and has more than 15 years of experience in IT and Information Security.

Link of the recorded session published on YouTube: https://youtu.be/fQUSQEoLsYc


PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032

  1. PECB Webinar, 2nd December 2015. Speaker: Fabrice De Paepe, Senior Information Security Consultant / PECB Partner & Trainer. Introduction to ISO/IEC 27032
  2. What's the n°1 worldwide security threat?
  3. Hacking Will Replace Terrorism. FBI Director Robert Mueller reiterated his testimony that cyber-threats would surpass terrorism as the country's top concern (2012).
  4. Schedule for the day: an overview of cybersecurity; cybersecurity relationships with other types of security; guidance for addressing common cybersecurity issues; convincing stakeholders to collaborate on resolving cybersecurity issues.
  5. 1 – An overview of Cybersecurity. What is Cyberspace? "The cyberspace can be described as a virtual environment, which does not exist in any physical form, but rather, a complex environment or space resulting from the emergence of the Internet, plus the people, organizations, and activities on all sorts of technology devices and networks that are connected to it" (ISO 27032)
  6. 1 – An overview of Cybersecurity. What is Cybersecurity? "Cyberspace security or Cybersecurity is about the security of this virtual world." "Cybersecurity relates to actions that stakeholders should be taking to establish and maintain security in the Cyberspace" (ISO 27032)
  7. 1 – An overview of Cybersecurity. ISO 27032 provides guidance for improving the state of cybersecurity with a focus on: attacks by malicious and potentially unwanted software; social engineering attacks; information sharing and coordination.
  8. 1 – An overview of Cybersecurity (figure only)
  9. 2 – Cybersecurity relationships with other types of security (figure: ISO 27001 / ISO 27032)
  10. 2 – Cybersecurity relationships with other types of security (figure only)
  11. 3 – Guidance for addressing common cybersecurity issues. Assets in the Cyberspace: information; software; physical; services; people; reputation, image.
  12. 3 – Guidance for addressing common cybersecurity issues. Assets in the Cyberspace by class: Personal – physical (personal digital device: endpoint, smartphone), virtual (online credit information, Bitcoins); Organizational – physical (infrastructure), virtual (online brand).
  13. 3 – Guidance for addressing common cybersecurity issues. Threats to personal or organizational assets in the Cyberspace: Personal – physical: identity issues (leakage, theft of personal information); virtual: virtual theft and mugging. Organizational: disclosure of personal information of employees, clients, partners, suppliers; financial filing regulations breached. Government agencies: gray area in which terrorism thrives.
  14. 3 – Guidance for addressing common cybersecurity issues. Attack mechanisms: social engineering attacks; hacking; malicious software (malware); spyware; unwanted software.
  15. 3 – Guidance for addressing common cybersecurity issues. Controls: application level controls; server protection; end-user controls; controls against social engineering attacks.
  16. 3 – Guidance for addressing common cybersecurity issues – Technical controls. Application level controls: display a short notice of the company's essential online services; secure handling of sessions for web applications (cookies, session fixation, ...); input validation and handling to prevent attacks (SQL injection); web page scripting to prevent XSS (see OWASP, ISO 27034, CWE, SANS); code security review; HTTPS / SSL.
  17. 3 – Guidance for addressing common cybersecurity issues – Technical controls. Server protection (against unauthorized access and malicious content on servers): hardening; implement a system to test and deploy security patches; monitor the security performance; review the security configuration; run anti-malicious software controls (anti-virus, anti-malware); scan all hosted and uploaded content regularly; perform regular vulnerability assessments; regularly scan for compromises.
  18. 3 – Guidance for addressing common cybersecurity issues – Technical controls. End-user controls: use of a supported OS; use of the latest supported software applications; use of anti-virus and anti-spyware; enable script blockers; use phishing filters; use other available web browser security features; enable a personal firewall and HIDS; enable automated updates.
  19. 3 – Guidance for addressing common cybersecurity issues – Technical controls. Social engineering attacks: policies; methods and processes; categorization and classification of information; awareness and training; testing; people & organization; technical.
  20. 3 – Guidance for addressing common cybersecurity issues – Framework of information sharing and coordination: IPO (Information Providing Organisation); IRO (Information Receiving Organisation).
  21. 3 – Guidance for addressing common cybersecurity issues – Framework of information sharing and coordination. Policies: policies should be defined to address the lifecycle of cybersecurity incident information from creation to transfer and destruction, to ensure C.I.A. are maintained; classification and categorization of information; information minimization; limited audience; coordination protocol.
  22. 3 – Guidance for addressing common cybersecurity issues – Framework of information sharing and coordination. Methods and processes: classification and categorization of information; NDA; code of practice; testing and drills; timing and scheduling of information sharing.
  23. 3 – Guidance for addressing common cybersecurity issues – Framework of information sharing and coordination. People and organizations: contacts; alliances; awareness and training.
  24. 3 – Guidance for addressing common cybersecurity issues – Framework of information sharing and coordination. Technical: data standardization for automated systems; data visualization; cryptographic key exchange and software/hardware backups; secure file sharing, instant messaging, web portal and discussion forum; testing systems.
  25. 4 – Convincing stakeholders to collaborate on resolving security issues. Roles of consumers (individuals, organizations); roles of providers.
  26. 4 – Convincing stakeholders to collaborate on resolving security issues. Roles of consumers (individuals): general Cyberspace application user (online gamer, instant messaging, web surfer, ...); buyer (e-commerce); seller (eBay); blogger (blog, wiki, Twitter, YouTube, ...); IAP (Independent Application Provider); you as an employee of an organization; ... When a user visits a site which requires authorization and unintentionally gains access, the user may be labelled as an intruder.
  27. 4 – Convincing stakeholders to collaborate on resolving security issues. Roles of consumers (organizations): they should extend their corporate responsibilities to the Cyberspace by proactively ensuring that their practices and actions do not introduce further security risks (into the Cyberspace). Some proactive measures: implementing an ISMS; proper security monitoring and response; incorporating security as part of the SDLC (ISO 27034); regular security education of users; understanding and using proper channels.
  28. 4 – Convincing stakeholders to collaborate on resolving security issues. Roles of consumers (organizations). The government, law enforcement agencies and regulators may have the following roles to play: advise organizations of their roles and responsibilities (R&R) in the Cyberspace; share information with other stakeholders on the latest trends and developments in technology and on the current prevalent risks; be a conduit for receiving any information with regard to security risks; be the primary coordinator for information dissemination and orchestration. Ex: national CERTs (cert.be, cert.lu).
  29. 4 – Convincing stakeholders to collaborate on resolving security issues. Roles of providers: same roles and responsibilities as consumer organizations; they have additional responsibilities in maintaining cybersecurity by providing safe and secure products and services, safety and security guidance for end users, and security input to other providers and to consumers.
  30. 4 – Convincing stakeholders to collaborate on resolving security issues. Stakeholders: consumers (individuals; organizations: private, public), providers (Internet service providers, application service providers). Assets: personal (physical assets, virtual assets), organizational (physical assets, virtual assets). Measures: best practices (preventive, detective, reactive); coordination & information sharing.
  31. 4 – Convincing stakeholders to collaborate on resolving security issues. Guidelines for stakeholders. Risk assessment and treatment: the ISO 31000 and ISO 27005 guidelines are sufficient for addressing cybersecurity risks. Guidelines for consumers: learn and understand the security and privacy policy of the site and application concerned, as published by the site provider; manage online identity; ...
  32. 4 – Convincing stakeholders to collaborate on resolving security issues. Guidelines for organizations and service providers: manage information security risks in the business (ISMS); provide secure products; network monitoring and response; support and escalation; keep up to date with the latest developments; address security requirements for hosting web and other cyber-application services; comply with practice standards, policies, terms of agreement, data protection, privacy, ... protected against unauthorized access; provide security guidance to consumers on how to stay secure online (security newsletter, direct broadcast, security seminar, ...).
  33. Conclusion. Cybersecurity is everyone's business; impacts could be catastrophic. Cybersecurity risks call for a combination of multiple strategies, taking into account the various stakeholders (consumer, employee, partner, third party, ...). Risks need to be identified and addressed. Awareness and communication are needed on how to report and detect potential risks and security incidents. Keep an eye on new emerging technologies (e.g. IoT).
  34. Conclusion: prevention, detection, recovery.
  35. Facts. "The average number of days that attackers were present on a victim's network before they were discovered is 229." Mandiant M-Trends Report 2014. http://www.infosecurityeurope.com
  36. Q&A
  37. What's next? Get your passport to Cybersecurity and join us in #Nice for the PECB Partner Event on CyberSecurity.
  38. What's next? I am a #nice #BlueOwl passionate about #traveling and #cybersecurity. Tweeting in #EN #ES #FR
  39. What's next? #FollowBlueOwl on Twitter @BlueOwlJourney

Notes

  • According to the FBI's Director (Robert Mueller, 2012)

    Above all, this means that hacking was already one of the FBI's concerns three years ago.
    Hacking can also be a weapon for terrorists to enrich themselves.

    Remember the tweet claiming that Barack Obama had been injured: it was in fact a hacked Twitter account.
    The computer systems of the New York stock exchange reacted immediately, which disturbed the value of trades.

    Whoever knows about this in advance can sell just before the drop and buy back at a low price afterwards.

  • First, a few basic things. What is cyberspace?

    Well, we use it every day: to exchange emails, we use the cloud to handle our bills and invoices, we speak with our partners through Skype, Viber, IMO or any other mobile app, we use a VPN to connect to our corporate network from abroad and read it on our tablets from anywhere in the world. We follow distance-learning courses (MOOCs) or e-learning, follow a WebEx or a webinar on ISO 27032 for instance, and it is finally where I decide to purchase my Christmas gifts (meaning online, in some e-shopping sessions).

  • While there is no lack of cybersecurity threats, and as many, albeit not standardized, ways to counter them, the focus of this International Standard is on the following key issues:

    - Attacks by malicious and potentially unwanted software
    - Social engineering attacks
    - Information sharing and coordination
  • Security is concerned with the protection of assets from threats, where threats are categorised as the potential for abuse of protected assets.
    All categories of threats should be considered, but in the domain of security greater attention is given to those threats that are related to malicious or other human activities.

    Safeguarding assets of interest is the responsibility of the stakeholders who place value on those assets.

    Threat agents may also place value on your assets and seek to abuse them.

    Risks are expressed in terms of C.I.A. (confidentiality, integrity and availability of the information).

    Stakeholders assess risks taking into account the threats that apply to their assets. This analysis helps
    in the selection of controls to counter the risks and reduce them to an acceptable level.

    Controls are imposed to reduce the vulnerabilities or the impact to a level acceptable to the stakeholders.

    Stakeholders can also have the controls assessed by external organizations (pentesters, auditors, code reviewers, social engineers, ...).
  • ISO 27001 vs ISO 27032

    There are many standards in the ISO 27000 series, all related to security. You probably don't know much about ISO 27032:2012 because it is not as well known as ISO 27001, ISO 27002 or ISO 22301, but it is close to you, because it has to do with a place that you habitually visit: cyberspace.

    ISO 27032 has not been released as an auditable international standard.

    The proposed guidelines regarding governance of cybersecurity are a direct adaptation of the ISO 27001 (ISMS) requirements, with the suggestion of extending the scope of the existing ISMS to include the transfer and sharing of information via the Cyberspace.

    Organisations implementing an ISMS in accordance with ISO 27001 will be aligned with the governance guidelines of ISO 27032 once the scope of the ISMS is extended to include cybersecurity.

    The biggest and, for many, the most welcome adaptation of the ISO 27001 standard in ISO 27032 is the dependency on the risk assessment process organisations implement to comply with ISO 27001.

    As an organization in the Cyberspace you are still required to identify your critical assets, identify your threats and vulnerabilities and prioritise the risks to your critical assets, which will in turn give you a framework for cybersecurity investment.

    The word "security" is a complex term that involves various disciplines, and it is composed of various domains, like application security, network security ... and cybersecurity. So cybersecurity is not synonymous with information security, application security, network security, etc. The main objective of cybersecurity is to require stakeholders to play an active role in the maintenance of cyberspace (i.e., it requires actions that stakeholders should be taking to establish and maintain security in cyberspace) and in the improvement of its reliability and utility.
  • This figure summarizes the relationship between cybersecurity and other security domains.

    The relationship between these security domains and cybersecurity is complex.

    Cybersecurity is different from information security, from network security and from Internet security.

    e.g. Some of the critical infrastructure services, for example water distribution and transportation, need not impact the state of cybersecurity directly or significantly. However, the lack of cybersecurity can have a negative impact on the availability of the critical information infrastructure systems provided by the critical infrastructure providers.

    On the other hand, the availability and reliability of the Cyberspace in many ways rely on the availability and reliability of related critical infrastructures and services (e.g. telecoms).

    The security of the Cyberspace is also closely related to the security of the Internet, of enterprise/home networks and to information security in general.

    Each security domain identified in the picture may have its own scope, objective or focus.

    A basic framework for information sharing and issue or incident coordination is necessary to bridge the gaps and provide adequate assurance to the stakeholders in the Cyberspace.

    Well, I hope you now clearly see that cybersecurity is a subset of information security, and the different possible relationships between them.

  • An asset is anything that has value to an individual or an organization.

    There are many types of assets, including but not limited to:

    Information
    Software
    Physical (hardware, computers, servers)
    Services
    People
    Reputation, image

  • For the purpose of this Standard, assets in the Cyberspace are classified into the following classes:

    Personal and organizational.

    For both classes, an asset can be further classified as
    a physical asset (whose form exists in the real world)
    or a virtual asset (which exists only in the Cyberspace and cannot be seen or touched in the real world).
  • Threats to personal assets revolve mainly around identity issues, posed by leakage or theft of personal information.
    Ex: Credit information can be sold on the black market, which can facilitate online identity theft.

    As rules and regulations for the protection of real physical assets in connection with the Cyberspace are still being written,
    those pertaining to virtual assets are almost non-existent. Extra care and caution must be taken by participants.

    In the event of a successful attack, personal information of employees, clients, partners or suppliers could be disclosed
    and result in sanctions against the organization.

    Financial filing regulations could also be breached if organizational results are disclosed in an unauthorized manner.

    Well, recent events around the world remind us that terrorism is still a threat and is present.
    Government agencies also need to protect their data if they want to fight these organizations.

    Cyberspace is a gray area in which terrorism thrives, thanks to the ease of communication the Cyberspace provides.
    It is really difficult to regulate and control the way it can be used (borders, scope, boundaries, ...).

  • Attack mechanisms

    This standard highlights five types of attacks.

    Attacks can come from inside the private network or from outside the private network (meaning from the Internet).

    Inside:
    normally launched inside an organization's private network, typically the local area network, and can be initiated by employees
    or by someone who gets access to a computer or network within an organization's or individual's premises.

    Outside:
    DoS, XML bomb, buffer overflow, IP spoofing, ...

    Many of the attacks are carried out using malicious software, such as spyware, worms and viruses.
    Information is often gathered through phishing techniques.

    These attacks can be propagated via suspicious websites, unverified downloads, spam emails, remote exploitation and infected removable media.

    Other mechanisms growing in use are those based on social networking (clickjacking: you click on a video on Facebook and nothing happens;
    well, indeed, there is no video, rather a remote script runs, or a trojan is installed silently on your computer ...).

    Individuals tend to implicitly trust messages and content received from contacts previously accepted in their
    profiles on their social networking websites. Once an attacker can disguise him/herself
    as a legitimate contact, the attacker can engage others, and a new avenue is open for launching the various
    types of attacks previously discussed.

    I'm pretty sure that if I send you an email as the CEO of a major company (from the inside), and you work for this company,
    you will click on the link I provided.

    Legitimate websites can also be hacked into and have some of their files corrupted and used as a means for
    perpetrating attacks. Individuals tend to implicitly trust commonly visited websites, often bookmarked in their
    Internet browsers for a long time, and even more those which use security mechanisms such as SSL (Secure
    Sockets Layer).

    We will see later some precautions against this.

  • Once the risks are identified and appropriate guidelines are drafted, cybersecurity controls that support the security requirements can be selected and implemented. This is an overview of the key cybersecurity controls that can be implemented to support the guidelines laid out in this Standard.

    The technical controls include:

    Application level controls
    Implement controls to protect against unauthorized data edits, carry out transaction logging and error handling.
    Secure coding must be implemented to secure information collected by products in the Cyberspace.

    Server protection
    Controls must be implemented to ensure servers are securely accessible from the Cyberspace and protected against unauthorised access
    and malicious content.

    End-user controls
    Controls must be implemented to protect the end-user infrastructure across organisations against known exploits and attacks.

    Controls against social engineering attacks
    Organisations should train and educate users on the use of suitable technical controls to protect against known exploits and attacks.
    As a general guide, the technical controls defined in this section of ISO 27032 should be implemented.
  • Application level controls include the following

    1 Display a short notice of the company's essential online services so users are able to make more informed choices about sharing their information online.
    Have a look also at local charters, e.g. an e-commerce compliance charter or an ethical charter, in your respective countries.

    2 Secure handling of sessions for web applications (cookies, cookie flags)
    Secure input validation and handling to prevent attacks such as SQL injection
    Secure web page scripting to prevent common attacks such as XSS

    See OWASP and ISO 27034, CWE, SANS

    3 Code security review and testing by appropriately skilled entities

    4 HTTPS / SSL: the organization's service should be provided in a fashion that lets the consumer authenticate the service.
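    The application-level controls of items 2 and 4 (cookie flags on the session, input handling against SQL injection, output handling against XSS, Secure only once the service is on HTTPS) shown in one script, as an added example that is not part of the webinar or of PECB's material. The users table, its two rows, the crafted input and the session identifier are constructed; the string-built query is kept next to the parameterized one so the difference can be observed on the same input.

```python
"""Application-level controls: session cookie flags, input handling
against SQL injection and output handling against XSS.  Added example,
not code from the webinar or from PECB.  The users table, its rows and
the session identifier are constructed for the demonstration."""
import html
import sqlite3
from http.cookies import SimpleCookie


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table that both lookup variants query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Weak form: the name is pasted into the statement text, so a quote
    in the input ends the literal and the remainder is parsed as SQL."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value travels as a bound parameter, separate
    from the statement, so it is only ever compared, never parsed."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(user_input: str) -> str:
    """Output handling for an HTML text context: <, >, &, " and ' become
    entities, so reflected input cannot open a tag or an attribute."""
    return f"<p>Hello, {html.escape(user_input, quote=True)}</p>"


def session_cookie(session_id: str, over_https: bool = True) -> str:
    """Set-Cookie value for a session identifier.  HttpOnly keeps page
    scripts from reading it, SameSite=Strict keeps cross-site requests
    from carrying it, Secure keeps it off plaintext HTTP (meaningful
    only once the service itself is served over HTTPS)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    if over_https:
        morsel["secure"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("string-built :", lookup_vulnerable(db, crafted))    # every row
    print("parameterized:", lookup_parameterized(db, crafted))  # []
    print(render_greeting("<script>alert(1)</script>"))
    print("Set-Cookie:", session_cookie("abc123"))
```

    Run it and compare the two lookups on the same crafted name: the string-built query returns every row, the bound query returns none. The Set-Cookie attributes are what the slide calls cookie flags; HttpOnly and SameSite apply whatever the transport, while Secure only does its job after item 4 is in place, which is why the function takes the HTTPS state as a parameter instead of hard-coding the flag.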



  • Well, there is nothing new here and it looks really obvious to me.

    Server protection

    1) Hardening, in accordance with a baseline security configuration guide

    2) Implement a system to test and deploy security updates, and ensure the server OS and applications are kept up to date promptly when
    new security updates are available

    3) Monitor the security performance of the server through regular reviews of audit trails

    4) Review the security configuration

    5) Run anti-malicious software controls (anti-virus, anti-malware) on the server

    6) Scan all hosted and uploaded content regularly

    7) Perform regular vulnerability assessments and security testing of the online sites and applications to ensure that their security is adequately maintained

    8) Regularly scan for compromises;
    and I'd say that it is not only there that we need to focus on trade-offs but everywhere in business; it is also part of negotiation and risk analysis.





  • Cybercriminals are increasingly resorting to psychological or social engineering tactics in order to succeed.

    As we are e-connected (mobile, tablet, social networks), such attacks are also transcending technology beyond PC systems and traditional network
    connectivity (including Bluetooth, VoIP).

    Raise awareness on this: communicate the rules described in the security policy to end users and have them followed.

  • The ISO 27032 standard introduces the concepts of IPO and IRO, which ISO advises should feature heavily in the framework developed for
    information sharing and incident handling.

    IPO – Information Providing Organisation (the sender of the cybersecurity-related information)
    IRO – Information Receiving Organisation (the recipient of the cybersecurity information)

    An IPO can become an IRO and vice versa (much like client/server, in the end).

    This section of the standard provides guidelines for the implementation of a secure, reliable, effective and efficient information sharing and cyber
    incident response framework. The framework includes the following areas.


  • This standard defines a framework of information sharing and coordination.

    Why? Well, when you have a security incident across different organizations, countries, geographical locations and different stakeholders,
    you need to establish a system for information sharing and coordination to help prepare for and respond to cybersecurity events and incidents.

    This is a basic framework; in my view you can also rely on ISO 27035 (Information Security Incident Management),
    or if you already have ISO 22301 (for BCP) you could also rely on its crisis management, and then define your own "framework to communicate" based on the existing processes at your company.

    Policies
    Classification and categorization of information
    The IPO should determine the different categories of information it collects:
    security events, security threats, security vulnerabilities, suspected/confirmed perpetrator profiles and so forth.
    Each category should be further broken down into two or more classifications based on the contents of the information involved (e.g. sensitive and unrestricted); if the information contains personal data, privacy requirements may also apply.
    You can also have a look at ISO 29100, which defines a privacy framework.

    Information minimization
    For each category and classification the IPO should exercise caution to minimize the information to be distributed.

    Limited audience
    In line with the minimization principle, a policy to limit the audience for distribution, which may be a specific contact person, group or organization, is necessary when sharing information containing private or confidential data.

    Coordination protocol
    A high-level policy for coordinating requests and distribution (whether IPO- or IRO-initiated) should be established.

  • To implement the policies defined in the framework and ensure consistency in the practices of information sharing and incident handling, the appropriate methods and processes should be in place, which all parties involved in the information sharing follow.

    Methods and processes
    Classification and categorization of information
    Information to be shared will come from both open sources (e.g. Internet, newspapers) and closed sources (not publicly available).

    NDA (Non-Disclosure Agreement)
    Bear in mind that we are in a context of information sharing; that said,
    we need an NDA to ensure the adequate handling and protection of sensitive, personal and confidential information
    shared between IPO and IRO.

    While responding to cybersecurity events, a pre-established NDA enables swift sharing and distribution of information amongst authorized parties.

    Code of practice
    Establishing one is good practice to ensure adequate sharing and handling of sensitive information.

    Testing and drills
    To ensure effectiveness and reliability and to achieve the desired level of efficiency, methods and processes should be developed for conducting regular testing and drill scenarios.

    Timing and scheduling of information sharing
    Also define the requirements for the interval at which information is shared.
    Some organizations will need real-time information; others will accept some delay, as it also gives them time for further analysis.
  • People & organizations are the key determinants to the success of cybersecurity.

    People refers to individuals involved in executing the methods and processes for information sharing and coordinating to make a positive
    Difference to the outcomes of Cyberseucrity events.

    While Organizations refer to groups of people within a company up to entire company involved in such activities.

    Contacts

    a list of contacts should be copiled by the IPO and IRO and mutually exchanged.
    (it’s the same in business continuity with ISO 22301 and if you need to operate an BCMS, it’s the same in crisis management and incident management, look obious isn’t ?

    Alliances
    To facilitate information sharing and establish common and consistent practices governed by an agreed code of practice and/or NDA,
    organizations and groups of individuals may form alliances based on their areas of interest.

    (e.g.: Interpol, Anti-Spyware Coalition, saferinternet.be)

    Awareness and training

    People in organizations should be made aware of emerging and new Cybersecurity risks and trained so that they develop the required skills and expertise to respond effectively to any situation related to cybersecurity

  • These controls may be used to improve efficiency, reduce human error, and enhance the security of the information sharing and coordination processes


    Data standardization for automated systems

    These systems may be developed and deployed amongst coordination organizations to collect data on evolving Cybersecurity events
    for real-time and offline analysis and assessments

    Data visualization

    It's a way of representing data so that it can be understood without the help of technicians

    Secure file sharing, instant messaging, web portal, and discussion forum

    IPO and IRO should consider using suitable file sharing tools that can meet the security effectiveness, efficiency and reliability needs.

    Testing Systems

    Of course, you need to test your tools, methods, processes and scenarios (this should be considered)
    You can run simulations from the perspective of each organization
  • Introduction

    To improve the state of Cybersecurity, stakeholders in the cyberspace need to play an active role in their respective use and development of the Internet.

    Roles can overlap across individual and organizational networks (intranets, extranets, websites, networks exposed to the Internet, …)

    Pitfall – because of this overlap, roles can be seen as insignificant by the concerned stakeholders, but they are significant to enhancing Cybersecurity
  • Roles of stakeholders in Cybersecurity

    Roles of consumers

    Individuals
    They may assume different roles in different contexts and applications
    These may include:
    - general cyberspace application user (e.g. a user of online auction and marketplace sites as an interested buyer, and vice versa)
    - buyer/seller
    - blogger and other content contributor (Twitter, Wikipedia, YouTube, …)
    - member of an organization, ...

    e.g.: an individual acting as a buyer or seller can unknowingly participate in criminal transactions such as the sale of
    stolen goods or money laundering activities

    And you can switch from task to task during the day, and so from role to role as well ....
  • Roles of stakeholders in Cybersecurity

    Roles of Organizations

    Organizations should extend their corporate responsibilities to the Cyberspace.
    How? By proactively ensuring that their practices and actions do not introduce further security risks into the Cyberspace.

    Some proactive measures include:

    - implementing an ISMS;
    - proper security monitoring and response;
    - incorporating security as part of the Software Development Life-cycle (SDLC);
    - regular security education of users in the organization through continuous technology updates and keeping track of the latest technology developments;
    - understanding and using proper channels in communicating with vendors and service providers on security issues discovered during usage.



  • Roles of stakeholders in Cybersecurity

    The government, primarily law enforcement agencies and regulators, may have the following important roles to play:

    — advise organizations of their roles and responsibilities in the Cyberspace;
    — share information with other stakeholders on the latest trends and developments in technology;
    — share information with other stakeholders on the current prevalent security risks;
    — be a conduit for receiving any information, whether closed or open, with regard to security risks to the Cyberspace; and
    — be the primary coordinator for information dissemination and for orchestrating any required resources, at both national and corporate level, in times of crisis arising from a massive cyber-attack.




  • Service providers are also consumer organizations. They are thus expected to observe the same roles and responsibilities as consumer organizations.
    As service providers, they have additional responsibilities in maintaining or even enhancing cybersecurity:

    - providing safe and secure products and services
    - providing safety and security guidance for end-users
    - providing security inputs to other providers and to consumers about trends and observations of traffic in their networks and services

  • This picture provides an overview of the salient points of the approach taken in this standard.


    Consumers refer to individual users as well as private and public organizations

    Private organizations include small and medium enterprises (SMEs), as well as large enterprises.
    Government and other public agencies are collectively referred to as public organizations.

    An individual or an organization becomes a consumer when they access the Cyberspace or any services available in the Cyberspace.

    And you see,
    a consumer can also be a provider if it provides a service in the Cyberspace (an ISP, for instance) or enables another consumer to access the Cyberspace.
    A consumer of a virtual world service may become a provider by making virtual products and services available to other consumers.

    Providers refer to providers of services in the Cyberspace, as well as ISPs that enable consumers to access the Cyberspace and the various services available in the Cyberspace.

    Providers might also be understood as carriers or wholesalers, versus distributors and retailers of access services.

    Application service providers make services available to consumers through their software. These services take many forms and include combinations of the following non-exhaustive list:
    — document editing, storage, distribution;
    — online virtual environments for entertainment, communications and interaction with other users;
    — online digital media repositories with aggregation, indexing, search, store-front, catalogue, shopping cart and payment services; and
    — enterprise resource management functions such as human resources, finance and payroll, supply chain management, customer relationship, invoicing.
  • Guidelines for Stakeholders


    ISO 31000, Risk management – Principles and guidelines, provides principles and generic guidelines on risk management.

    ISO 27005, Information technology – Security techniques – Information security risk management, provides guidelines and processes for information security risk management in an organization,
    supporting in particular the requirements of an ISMS according to ISO/IEC 27001.


    Guidelines for consumers (non-exhaustive list)
    My dears, it means that when you want to install a new mobile app, a new version of a patch (Adobe) or a new OS version (Mac),
    you will need to read dozens of policy pages before saying “Yes, I've read it”

    Manage online identity
    Use different identifiers for different web applications and minimize the sharing of personal information with each website or application requesting such information



  • - Manage IS risks in the business
    - Address security requirements for hosting websites and other cyber-application services
    - Provide security guidance to consumers

    ISMS
    Provide secure products
    These could be independently validated against the Common Criteria scheme
    (Personally, I would validate them against the SDLC and ISO 27034, OWASP and so forth)
    Network monitoring and response
    to ensure the reliability and quality of the network services
    Support and escalation

  • Prevention


    Understand the business processes, assets & evolving technology
    Professionals need to know their environment's internal and external factors:
    business plan, processes, regulation
    Risk analysis (prioritize)
    Communicate with stakeholders and agree on findings and recommendations

    2 Incident Response
    Detection
    CERT – CSIRT – a specialized security incident team
    Fast incident response
    Incident response and management
    Responsible vulnerability disclosure

    Recovery
    Forensics



  • Cybersec attacks are increasing
    People are always the most vulnerable (Social Engineering, Awareness, Policies, Cybersec culture, … )
    It takes time to discover intruders (and what if you don't have a Detection Team, Monitoring, or a Response Team?)

  • PECB will launch a brand new training in #Nice (France) in January.
  • With the consent of PECB, we started a campaign with the training's mascot, called BlueOwl

    The beast tweets about Cybersecurity, meets security professionals across Europe, and also joins Cybersecurity events

    Feel free to #FollowBlueOwl on Twitter

  • The campaign started 2 weeks ago, and we still have some surprises for you until January.
