Introduction
Infosec Professional
Presented at
King Mongkut’s University of Technology Thonburi (KMUTT)
by Chaiyakorn Apiwathanokul
CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd.
A Company of PTT Group
Sep. 2010
• Advisor of Department of Special Investigation (DSI)
Guest lecturer at:
• Royal Thai Armed Forces Headquarters (กองบัญชาการกองทัพไทย)
• Office of the Permanent Secretary for Defence (สำนักงานปลัดกระทรวงกลาโหม)
• Regular Course of the Army Command and General Staff College, Institute of Advanced Army Studies (โรงเรียนเสนาธิการทหารบก สถาบันวิชาการทหารบกชั้นสูง)
• Bank of Thailand (ธนาคารแห่งประเทศไทย)
• Office of the Permanent Secretary, Ministry of Commerce (สำนักงานปลัดกระทรวงพาณิชย์)
• State Enterprise Information Technology Club of Thailand (ชมรมเทคโนโลยีสารสนเทศรัฐวิสาหกิจแห่งประเทศไทย)
• Thai Medical Informatics Association (สมาคมเวชสารสนเทศไทย)
• Strategic IT Governance course, Software Park 2007-2009
• Mini-MBA Program, Thammasat University
• Micro-MBA Program, Thammasat University
• MIS Program, Thammasat University
• King Mongkut’s University of Technology Thonburi (มหาวิทยาลัยเทคโนโลยีพระจอมเกล้าธนบุรี)
• ITU ASP COE : Training Workshop on Information Management Framework for CIOs
• CIO Conference 2007
• Information Security Asia 2007
• 2nd Annual ASIA IT Congress 2007
• Cyber Defence Initiative Conference (CDIC) 2008, 2009 and 2010
• SCADA Asia Summit 2009 and 2010
1st Visit at KMUTT, 21/9/2007
CIA Admits Cyber attacks Blacked Out Cities
In the real world
• The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers.
• The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.
By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM
Maroochy Waste Water
Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds
Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs
Specifics: SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water
• Used OPC ActiveX controls, DNP3, and ModBus protocols
• Used packet radio communications to RTUs
• Used commercially available radios and stolen SCADA software to make laptop appear as a pumping station
• Caused as many as 46 different incidents over a 3-month period (Feb 9 to April 23)
Lessons learned:
• Suspend all access after terminations
• Investigate anomalous system behavior
• Secure radio and wireless transmissions
Browns Ferry Power Plant
Event: Aug, 2006 Two circulation pumps at Unit 3 of the nuclear power plant failed
Impact: The unit had to be shut down manually
Specifics: The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device
Recovery time:
• SPDS – 4 hours 50 minutes
• PPC – 6 hours 9 minutes
Lessons learned:
• Provide adequate network segmentation
• Place controls on multiple segments to limit congestion and cascading effects
• Provide active network monitoring tools
Hatch Nuclear Power Plant
Event: A software update caused control system to initiate plant shutdown.
Impact: The Plant was shutdown for 48 hours
Specifics: An engineer installed a software update on a computer operating on the plant's business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in coolant water reservoirs
…there was full two-way communication between certain computers on the plant's corporate and control networks.
Recovery time: 48 Hours
Lessons learned:
• Patch management policy must address testing requirements before integration in production environment
• IT and ICS must be aware of connectivity
Davis Besse Nuclear Power Plant
Event: Aug 20, 2003 Slammer worm infects plant
Impact: Complete shutdown of digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC)
Specifics: Worm started at contractor's site
• Worm jumped from corporate to plant network and found an unpatched server
• Patch had been available for 6 months
Recovery time:
• SPDS – 4 hours 50 minutes
• PPC – 6 hours 9 minutes
Lessons learned:
• Secure remote (trusted) access channels
• Ensure Defense-in-depth strategies with appropriate procurement requirements
• Critical patches need to be applied
Olympic Pipeline Explosion
Event: 16-inch gasoline pipeline explosion and fire, exacerbated by inability of SCADA system to perform control and monitoring functions.
Impact: 3 fatalities, property damage >$45M, matching fines of $7.86M against two companies.
Specifics: Erroneous changes to live historical database caused critical slowdown in system responsiveness (evidenced by sensor scan rate changing from 3 second poll to over 6 minutes!)
• Communication link between main computer, field sensors, and controllers was a combination of leased phone lines and frame relay.
(photo by David Willoughby, copyright Bellingham Herald)
Lessons learned:
• Identify controls to Critical Assets
• Do not use administrative controls to solve system anomalies
• Do not perform database updates on live systems
• Apply appropriate security to remote access
Big Bang Experiment is Hacked
Event: Sept, 2008 - Computer hackers broke into the Large Hadron Collider and defaced one of the project websites.
Impact: “There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable," said James Gillies, spokesman for European Organization for Nuclear Research (also known as CERN)
Specifics: Hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang. CERN expressed concern over what the hackers could do, as they were “one step away” from the computer control system
Lessons learned:
• Provide adequate network segmentation
• Place controls on another segment with no direct outside access
• Provide active network monitoring tools
• Ensure defense-in-depth strategies, firewalls & Intrusion Detection Systems
Space Station – Air Gap Bridged
Event: Aug. 2008, Viruses intended to steal passwords and send them to a remote server infected laptops in the International Space Station (again).
Impact: Created a “nuisance” to non-critical space station laptops
Specifics: The virus did make it onto more than one laptop -- suggesting that it spread via some sort of intranet on the space station or via a thumb drive.
Lessons learned:
• Due to the human factor – there is no true airgap, for example, thumb drives, laptop connection, modems, VPN, CD/DVD, etc.
Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009
In the real world
• "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.
• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."
TISA in Bangkok Post : When Hacking risks health
In the real world
TISA web site : http://www.tisa.or.th
Cyber Threats in A Plant
[Diagram: Malicious code/Virus/Worm, Terrorist/Hacker and Adversary/Disgruntled employee; Vulnerabilities/Weaknesses; National Critical Infrastructure has Control Systems; Manufacture Plant Operation; Government; Law/Compliance/Standard/Guideline; Industry-specific Regulator]
Qualified professional undersupply
[Diagram: overlapping circles of IT Professional, Infosec Prof. and Control System Prof.; their intersection is the Control System Cybersecurity Prof.]
The Implication
• Only a small number of professionals with the right competency are available to help you out
• Collaboration and support from the professional community is highly needed
3.2 Update on the latest electronic transactions law issues and their relationship with ISO 27001
[Diagram: relationship between the legislation and ISO 27001 (ISMS)]
[Published in the Royal Gazette on 3 Sep. 2010 (B.E. 2553)]
[Sections 5, 7 and 8]
Notification of the Electronic Transactions Commission Re: Policy and Practice Guidelines on Information Security of Government Agencies, B.E. 2553 (2010)
[Effective 31 May 2010 (B.E. 2553)]
Laws relating to information technology management, on the subject of security management
[Awaiting publication in the Royal Gazette]
ISO 27001 (ISMS)
Laws relating to information technology management, on the subject of security management
Laws relating to information technology management, on the subject of security management
[Ref. Sections 5, 7 and 8 of the Royal Decree under Section 35]
[Effective 31 May 2010 (B.E. 2553)]
“Security Awareness/Training”
Laws relating to information technology management, on the subject of security management
“IT Security assessment”
3.3 Case study: “e-Banking hacked, 700,000 baht lost; damage throughout 2010 exceeds 100 million baht”
Source: www.mcot.net/cfcustom/cache_page/88092.html
3.3 Case study: “e-Banking hacked, 700,000 baht lost; damage throughout 2010 exceeds 100 million baht”
Trojan Horse
The danger that comes hidden in something that looks like nothing
3.3 Case study: “e-Banking hacked, 700,000 baht lost; damage throughout 2010 exceeds 100 million baht”
Cybersecurity Professional vs. Cyber Punk
Key Differentiation
• Ethic
• Methodology
Development strategies – ICT Master Plan II
[Diagram: SMART Thailand]
• 4: Use ICT to support good governance in public administration and services
• 6: Use ICT to enhance sustainable competitiveness (Strategic Sectors, SMEs)
• 3: Develop ICT infrastructure (Hardware, Software, Communication)
• 5: Develop the capability of the ICT industry
• 2: Manage the nation's ICT with good governance (Institutional arrangement, Rules and Regulation, Financing, …)
• 1: Develop human resources – the foundation of everything (ICT Professionals and “Information-Literate” People)
Strategy 1: Develop human resources
Goal: Information Literacy
Accelerate the production of information systems security personnel whose quality meets international standards
3 Pillars of ICT: People, Process, Technology (Tool)
3 Pillars of Security: Confidentiality (threat: Disclosure), Integrity (threat: Alteration), Availability (threat: Destruction)
Areas of Expertise
• Access Control Systems and Methodology (how people enter and leave the system)
• Administration (planning, implementing and evaluating information security programs)
• Application and Systems Development Security (creating new computer programs to protect an organization)
• Auditing and Monitoring (collecting information for identification and response to security breaches)
• Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) (uninterrupted access to critical data systems)
• Cryptography (the coding and decoding of data and messages)
• Law, Investigation and Ethics (computer crime laws and regulations and ethics)
• Malicious Code (countermeasures and prevention techniques for dealing with viruses, worms and other forms of deviant code)
• Operations Security (setting identity controls; auditing and monitoring the mechanisms and tools)
• Physical Security (giving physical systems access solely to those who need it)
• Risk, Response and Recovery (processes to identify, measure and control loss)
• Security Architecture and Models (building the security infrastructure for a complex organization)
• Security Management Practices (identification of information assets and development of policies and procedures)
• Telecommunications and Network Security (ensuring security through remote access management, network availability, firewall architectures, VPNs, data networking, LAN devices, etc.)
Common Job Titles
• Security auditor – CISA, IRCA:ISMS, OPSA, OPST
• Security specialist – GIAC, SSCP, CISSP
• Security consultant – GIAC, CISSP
• Security administrator – GIAC, SSCP
• Security analyst/engineer – GIAC, CISSP
• Web security manager – OWASP
• Director/Manager of security – CISSP, CISM
• Chief privacy officer – CISSP, CISM
• Chief risk officer (CRO) – CISSP, CISM
• Chief Security Officer (CSO) – CISSP, CISM
• Chief Information Security Officer (CISO) – CISSP, CISM
CISSP® 10 CBK® Domains

• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security
Career Path – (ISC)2
11 ISMS Control Areas in ISO27001:2005 Annex A
Information Technology (IT) Security Essential Body of Knowledge (EBK)
A Competency and Functional Framework for IT Security Workforce Development
United States Department of Homeland Security, September 2008
Key Dimensions
• 4 functional perspectives
• 14 competency areas
• 10 roles
Functional Perspectives (MDIE)
• Manage
• Design
• Implement
• Evaluate
[Diagram: 2x2 grid of M, D, I, E]
Competency Areas (MDIE in each)
1. Data Security
2. Digital Forensics
3. Enterprise Continuity
4. Incident Management
5. IT Security Training and Awareness
6. IT System Operations and Maintenance
7. Network and Telecommunication Security
8. Personnel Security
9. Physical and Environmental Security
10. Procurement
11. Regulatory and Standards Compliance
12. Security Risk Management
13. Strategic Security Management
14. System and Application Security
Roles of Information Security
1. Chief Information Officer
2. Digital Forensics Professional
3. Information Security Officer
4. IT Security Compliance Officer
5. IT Security Engineer
6. IT Security Professional
7. IT Systems Operations and Maintenance Professional
8. Physical Security Professional
9. Privacy Professional
10. Procurement Professional
TISA TISET Examination
TISET = TISA IT Security EBK Test
The Example of TISA TISET Exam
Information Security Competency Score Card
Enterprise Infosec Competency Profile
[Diagram: Enterprise/Personnel Capability and Training Provider both mapped onto the EBK]
Enterprise/Personnel Capability:
• Organization assesses Infosec competency requirement against EBK
• Assess current competency within the enterprise
• Identify competency gap → training requirement, recruitment
Training Provider:
• Infosec training provider maps training courses to EBK
TISA Pilot Exam Summary: TISA ITS-EBK Model
Competency Profile
[Chart: Max Score, Min Score and Avg Score across the 14 competency areas (1. Data Security through 14. System and Application Security)]
Functional Perspective
[Chart: Max Score, Min Score and Avg Score per functional perspective; legend: M – Manage, D – Design, I – Implement, E – Evaluate]
IT Security Role Match
[Chart: Max Score, Min Score and Avg Score per role]
Example of TISA TISET Report
TISET Certificate – Pass criteria
Summary Score by Competency Areas
Average Role Matching
Summary by Functional Perspective
TISA Pilot Exam Summary: Certification Roadmap
[Diagram: three tracks (Audit, Management, Technical) across three levels]
• EXPERT
• ADVANCE: International Certified IT & Information Security Professional – Step to CISSP, SSCP, CISA, CISM
• FOUNDATION (Localized) on IT / Information Security Competencies Test: TISA TISET Certification – TISA TISET Exam

More Related Content

Viewers also liked (9)

IT Security EBK2008 Summary
IT Security EBK2008 SummaryIT Security EBK2008 Summary
IT Security EBK2008 Summary
 
Chaiyakorn
ChaiyakornChaiyakorn
Chaiyakorn
 
Vp Leadership And Organizational Development
Vp Leadership And Organizational DevelopmentVp Leadership And Organizational Development
Vp Leadership And Organizational Development
 
SecurityExchange2009-Key Note
SecurityExchange2009-Key NoteSecurityExchange2009-Key Note
SecurityExchange2009-Key Note
 
Wireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring ApplicationsWireless Security Best Practices for Remote Monitoring Applications
Wireless Security Best Practices for Remote Monitoring Applications
 
IMC: risk base security
IMC: risk base securityIMC: risk base security
IMC: risk base security
 
Cloud Security by CK
Cloud Security by CKCloud Security by CK
Cloud Security by CK
 
Tt 06-ck
Tt 06-ckTt 06-ck
Tt 06-ck
 
U S Embassy Event - Today’S Cyber Threats
U S  Embassy  Event - Today’S  Cyber  ThreatsU S  Embassy  Event - Today’S  Cyber  Threats
U S Embassy Event - Today’S Cyber Threats
 

Similar to Introduction to INFOSEC Professional

DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentationguest85a34f
 
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)Byres Security Inc.
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Dawn Yankeelov
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar Nnull The Open Security Community
 
Null Feb 13
Null Feb 13Null Feb 13
Null Feb 13Sundar N
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Networks
 
Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)shanshicn
 
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxCPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxMahendraShukla27
 
Cybersecurity for Control Systems: Current State and Future Vision pt.1
Cybersecurity for Control Systems: Current State and Future Vision pt.1Cybersecurity for Control Systems: Current State and Future Vision pt.1
Cybersecurity for Control Systems: Current State and Future Vision pt.1EnergySec
 
Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Mission Critical Security in a Post-Stuxnet World Part 1
Mission Critical Security in a Post-Stuxnet World Part 1Byres Security Inc.
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)Ivan Carmona
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADAcsandit
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scadabhavuksharma10
 
Tech trendnotes
Tech trendnotesTech trendnotes
Tech trendnotesStudying
 
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...Jorge Cardoso
 

Similar to Introduction to INFOSEC Professional (20)

DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentation
 
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
 
S C A D A Security Keynote C K
S C A D A  Security  Keynote  C KS C A D A  Security  Keynote  C K
S C A D A Security Keynote C K
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
 

Introduction to INFOSEC Professional

  • 6. Maroochy Waste Water
    Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds.
    Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs.
    Specifics:
      - SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water.
      - Used OPC ActiveX controls, DNP3 and ModBus protocols.
      - Used packet radio communications to RTUs.
      - Used commercially available radios and stolen SCADA software to make a laptop appear as a pumping station.
      - Caused as many as 46 different incidents over a 3-month period (Feb 9 to April 23).
    Lessons learned:
      - Suspend all access after terminations.
      - Investigate anomalous system behavior.
      - Secure radio and wireless transmissions.
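The Maroochy specifics above come down to two things a monitoring point on the radio network could have caught: a station address being claimed by a radio that does not own it, and an identity that should have been revoked still transmitting. The following is an added example, not part of the original presentation or of any Maroochy investigation material. It runs those two checks, plus a check that state-changing DNP3 functions only ever arrive from the master's radio, over a constructed link-layer log. The log format, radio identifiers, address inventory and revoked list are all assumptions made for the example.

```python
from datetime import datetime

# Assumed inventory for this example (not Maroochy's real configuration):
# which radio each DNP3 address legitimately transmits from. Address 1 is
# the master station; 10-12 are pumping-station outstations.
KNOWN_RADIOS = {1: "R-MASTER", 10: "R-PS010", 11: "R-PS011", 12: "R-PS012"}
MASTER_ADDR = 1

# Identities whose access should have been suspended (for example after a
# contractor's termination). Constructed for the example.
REVOKED_RADIOS = {"R-CONTR3"}

# DNP3 function codes that change plant state; only the master may send them.
CONTROL_FUNCTIONS = {"OPERATE", "DIRECT_OPERATE", "WRITE", "COLD_RESTART"}

# Constructed link-layer log: timestamp, receiving radio id, DNP3 src/dst
# addresses and function. Field names are an assumption, not a vendor format.
SAMPLE_LOG = """\
2000-03-01T02:10:05 radio=R-MASTER src=1 dst=10 fn=READ
2000-03-01T02:10:06 radio=R-PS010 src=10 dst=1 fn=RESPONSE
2000-03-01T02:11:40 radio=R-UNK7 src=10 dst=1 fn=RESPONSE
2000-03-01T02:12:02 radio=R-UNK7 src=1 dst=12 fn=DIRECT_OPERATE
2000-03-01T02:12:03 radio=R-PS012 src=12 dst=1 fn=RESPONSE
2000-03-01T02:14:30 radio=R-CONTR3 src=1 dst=11 fn=OPERATE
2000-03-01T02:15:00 radio=R-PS011 src=11 dst=1 fn=UNSOLICITED
"""


def parse_line(line):
    """Parse one 'key=value' log line into a dict; src/dst become ints."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key in ("src", "dst") else value
    return rec


def detect_rogue_nodes(log_text, known=KNOWN_RADIOS, revoked=REVOKED_RADIOS):
    """Return (alert_kind, line_number) pairs for suspicious frames."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        radio, src, fn = rec["radio"], rec["src"], rec["fn"]

        if radio in revoked:
            # "Suspend all access after terminations": a revoked identity
            # must not produce traffic at all, whatever it claims to be.
            alerts.append(("revoked-identity", lineno))

        owner = known.get(src)
        if owner is None:
            alerts.append(("unknown-address", lineno))
        elif radio != owner:
            # A radio claiming an address it does not own: the Maroochy
            # pattern of a laptop posing as a pumping station (or the master).
            alerts.append(("address-spoof", lineno))

        if fn in CONTROL_FUNCTIONS and radio != known[MASTER_ADDR]:
            # Control commands arriving from anything but the master's radio.
            alerts.append(("control-from-non-master", lineno))
    return alerts


if __name__ == "__main__":
    for kind, lineno in detect_rogue_nodes(SAMPLE_LOG):
        print(f"line {lineno}: {kind}")
```

Run as a script it reports six alerts for the constructed log. In practice the address-to-radio inventory comes from the RTU and radio asset register, and the revoked set is fed by the leaver process, which is what "suspend all access after terminations" means operationally; the check only works if the radio layer actually exposes a sender identity, which is the point of the "secure radio and wireless transmissions" lesson.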
  • 7. Browns Ferry Power Plant
    Event: Aug 2006, two reactor recirculation pumps at Unit 3 of the nuclear power plant failed.
    Impact: The unit had to be shut down manually.
    Specifics: The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device.
    Lessons learned:
      - Provide adequate network segmentation.
      - Place controls on multiple segments to limit congestion and cascading effects.
      - Provide active network monitoring tools.
  • 8. Hatch Nuclear Power Plant
    Event: A software update caused the control system to initiate a plant shutdown.
    Impact: The plant was shut down for 48 hours.
    Recovery time: 48 hours.
    Specifics: An engineer installed a software update on a computer operating on the plant's business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in coolant water reservoirs. There was full two-way communication between certain computers on the plant's corporate and control networks.
    Lessons learned:
      - Patch management policy must address testing requirements before integration in the production environment.
      - IT and ICS must be aware of connectivity.
  • 9. Davis-Besse Nuclear Power Plant
    Event: Jan 25, 2003, the Slammer worm infects the plant.
    Impact: Complete shutdown of the digital portion of the Safety Parameter Display System (SPDS) and Plant Process Computer (PPC).
    Recovery time:
      - SPDS – 4 hours 50 minutes
      - PPC – 6 hours 9 minutes
    Specifics:
      - The worm started at a contractor's site.
      - The worm jumped from the corporate to the plant network and found an unpatched server.
      - The patch had been available for 6 months.
    Lessons learned:
      - Secure remote (trusted) access channels.
      - Ensure defense-in-depth strategies with appropriate procurement requirements.
      - Critical patches need to be applied.
  • 10. Olympic Pipeline Explosion
    Event: 16-inch gasoline pipeline explosion and fire, exacerbated by the inability of the SCADA system to perform control and monitoring functions.
    Impact: 3 fatalities, property damage >$45M, matching fines of $7.86M against two companies.
    Specifics:
      - Erroneous changes to the live historical database caused a critical slowdown in system responsiveness (evidenced by the sensor scan rate changing from a 3-second poll to over 6 minutes!).
      - The communication link between the main computer, field sensors, and controllers was a combination of leased phone lines and frame relay.
    Lessons learned:
      - Identify controls to critical assets.
      - Do not use administrative controls to solve system anomalies.
      - Do not perform database updates on live systems.
      - Apply appropriate security to remote access.
    [Photo by David Willoughby, copyright Bellingham Herald]
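The Olympic Pipeline slowdown above, and the "provide active network monitoring tools" lesson from the Browns Ferry slide, both come down to noticing when the control system stops keeping up with the field. The following is an added example, not code from the original presentation: it takes constructed historian-style readings (tag, timestamp, value), flags any poll gap far beyond the nominal 3-second scan the slide cites, and separately reports tags that have gone silent, which a gap check between consecutive readings cannot see. The tag names, the readings and the 5x degradation threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

NOMINAL_POLL_S = 3.0      # normal scan interval cited on the slide
DEGRADATION_FACTOR = 5    # alert when a gap exceeds 5x nominal (assumed threshold)

# Constructed historian-style readings "tag,timestamp,value"; not real
# pipeline data. PT-101 goes quiet for over six minutes, mirroring the
# 3 s -> 6 min slowdown described on the slide; FT-202 stops reporting.
SAMPLE_READINGS = """\
PT-101,2010-01-01T15:20:00,1405.2
PT-101,2010-01-01T15:20:03,1404.9
PT-101,2010-01-01T15:20:06,1406.1
PT-101,2010-01-01T15:26:30,1711.4
PT-101,2010-01-01T15:26:33,1712.0
FT-202,2010-01-01T15:20:00,812.3
FT-202,2010-01-01T15:20:03,811.9
FT-202,2010-01-01T15:20:06,812.5
"""


def parse_readings(text):
    """Group readings by tag as time-sorted (timestamp, value) lists."""
    by_tag = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        tag, ts, value = line.split(",")
        by_tag[tag].append((datetime.fromisoformat(ts), float(value)))
    for readings in by_tag.values():
        readings.sort()
    return dict(by_tag)


def scan_rate_alerts(by_tag, nominal_s=NOMINAL_POLL_S, factor=DEGRADATION_FACTOR):
    """Return (tag, timestamp, gap_seconds) for every poll gap beyond the limit."""
    limit = nominal_s * factor
    alerts = []
    for tag, readings in by_tag.items():
        for (t0, _), (t1, _) in zip(readings, readings[1:]):
            gap = (t1 - t0).total_seconds()
            if gap > limit:
                alerts.append((tag, t1, gap))
    return alerts


def stale_tags(by_tag, now=None, max_age_s=NOMINAL_POLL_S * DEGRADATION_FACTOR):
    """Tags whose latest reading is older than max_age_s at time `now`.

    With now=None the newest timestamp in the data set is used, which is
    what an offline run over an exported historian file wants.
    """
    if now is None:
        now = max(readings[-1][0] for readings in by_tag.values())
    stale = {}
    for tag, readings in by_tag.items():
        age = (now - readings[-1][0]).total_seconds()
        if age > max_age_s:
            stale[tag] = age
    return stale


if __name__ == "__main__":
    data = parse_readings(SAMPLE_READINGS)
    for tag, ts, gap in scan_rate_alerts(data):
        print(f"{tag}: {gap:.0f} s between polls ending {ts.isoformat()}")
    for tag, age in stale_tags(data).items():
        print(f"{tag}: no data for {age:.0f} s")
```

The threshold is deliberately generous: a scan that slips from 3 seconds to 15 is already a sign that something on the host or the link is saturated, and the slide's 6-minute figure is two orders of magnitude beyond that. Feeding such a check from a monitoring host that is not the SCADA server itself is what keeps the alert alive when the server is the thing that is wedged.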
  • 11. Big Bang Experiment is Hacked
    Event: Sept 2008, computer hackers broke into the Large Hadron Collider and defaced one of the project websites.
    Impact: "There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable," said James Gillies, spokesman for the European Organization for Nuclear Research (also known as CERN).
    Specifics: Hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang. CERN expressed concern over what the hackers could do, as they were "one step away" from the computer control system.
    Lessons learned:
      - Provide adequate network segmentation.
      - Place controls on another segment with no direct outside access.
      - Provide active network monitoring tools.
      - Ensure defense-in-depth strategies, firewalls and Intrusion Detection Systems.
  • 12. Space Station – Air Gap Bridged
    Event: Aug 2008, viruses intended to steal passwords and send them to a remote server infected laptops on the International Space Station (again).
    Impact: Created a "nuisance" to non-critical space station laptops.
    Specifics: The virus did make it onto more than one laptop, suggesting that it spread via some sort of intranet on the space station or via a thumb drive.
    Lessons learned: Due to the human factor there is no true air gap; for example thumb drives, laptop connections, modems, VPN, CD/DVD, etc.
  • 13. Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009 (In the real world)
    "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.
    Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."
  • 14. TISA in Bangkok Post: When Hacking risks health (In the real world). TISA web site: http://www.tisa.or.th
  • 15. [Diagram] Threat agents (malicious code/virus/worm; adversary/terrorist/hacker; disgruntled employee) exploit the vulnerabilities/weaknesses that a plant's control systems have (manufacturing and national critical infrastructure operation); the plant is in turn subject to law/government regulator and compliance/standard/guideline requirements, including industry-specific ones.
  • 16. Cyber Threats in A Plant
  • 17. Qualified professional undersupply. [Venn diagram] IT Professional, Control System Professional and Infosec Professional; the intersection is the Control System Cybersecurity Professional.
  • 18. The Implication
    - Only a small number of professionals have the right competency to help you out.
    - Collaboration and support from the professional community are highly needed.
  • 19. 3.2 Update: the latest electronic transactions law issues and their relationship to ISO 27001
    Notification of the Electronic Transactions Commission on Policy and Practice Guidelines for Information Security of Government Agencies B.E. 2553 (2010) [published in the Royal Gazette on 3 Sep. 2010] [Sections 5, 7 and 8] [in force 31 May 2010]
  • 20. Laws on the management of information technology: information security management [awaiting publication in the Royal Gazette]. ISO 27001 (ISMS)
  • 21. Laws on the management of information technology: information security management
  • 22. Laws on the management of information technology: information security management [referencing Sections 5, 7 and 8 of the Royal Decree under Section 35] [in force 31 May 2010]. "Security Awareness/Training"
  • 23. Laws on the management of information technology: information security management. "IT Security assessment"
  • 24. 3.3 Case study: "e-Banking hack: 700,000 baht lost; losses for the whole of 2010 exceed 100 million baht". Source: www.mcot.net/cfcustom/cache_page/88092.html
  • 25. 3.3 Case study (continued): Trojan Horse, the danger that slips in with something that looks harmless.
  • 26. 3.3 Case study (continued).
  • 27. Cybersecurity Professional vs. Cyber Punk. Key differentiation: Ethics; Methodology.
  • 28. ICT Master Plan II development strategy: SMART Thailand
    1. Develop human resources, the foundation of everything (ICT Professionals and "Information-Literate" People).
    2. Manage the nation's ICT with good governance (institutional arrangement, rules and regulation, financing, ...).
    3. Develop ICT infrastructure.
    4. Use ICT to support good governance in government administration and services.
    5. Develop the capability of the ICT industry (Hardware, Software, Communication).
    6. Use ICT to enhance sustainable competitiveness (Strategic Sectors, SMEs).
  • 29. Strategy 1: Develop human resources. Target: Information Literacy. Accelerate the production of information-systems-security personnel whose quality meets international standards.
  • 30. 3 Pillars of ICT: People, Process, Technology (Tool). 3 Pillars of Security: Confidentiality, Integrity, Availability, against Disclosure, Alteration and Destruction respectively.
  • 31. Areas of Expertise
    - Access Control Systems and Methodology (how people enter and leave the system)
    - Administration (planning, implementing and evaluating information security programs)
    - Application and Systems Development Security (creating new computer programs to protect an organization)
    - Auditing and Monitoring (collecting information for identification of and response to security breaches)
    - Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) (uninterrupted access to critical data systems)
    - Cryptography (the coding and decoding of data and messages)
    - Law, Investigation and Ethics (computer crime laws and regulations, and ethics)
    - Malicious Code (countermeasures and prevention techniques for dealing with viruses, worms and other forms of deviant code)
    - Operations Security (setting identity controls; auditing and monitoring the mechanisms and tools)
    - Physical Security (giving physical systems access solely to those who need it)
    - Risk, Response and Recovery (processes to identify, measure and control loss)
    - Security Architecture and Models (building the security infrastructure for a complex organization)
    - Security Management Practices (identification of information assets and development of policies and procedures)
    - Telecommunications and Network Security (ensuring security through remote access management, network availability, firewall architectures, VPNs, data networking, LAN devices, etc.)
  • 32. Common Job Titles (with typical certifications)
    - Security auditor: CISA, IRCA:ISMS, OPSA, OPST
    - Security specialist: GIAC, SSCP, CISSP
    - Security consultant: GIAC, CISSP
    - Security administrator: GIAC, SSCP
    - Security analyst/engineer: GIAC, CISSP
    - Web security manager: OWASP
    - Director/Manager of security: CISSP, CISM
    - Chief privacy officer: CISSP, CISM
    - Chief risk officer (CRO): CISSP, CISM
    - Chief Security Officer (CSO): CISSP, CISM
    - Chief Information Security Officer (CISO): CISSP, CISM
  • 33. CISSP® 10 CBK® Domains
    - Access Control
    - Application Security
    - Business Continuity and Disaster Recovery Planning
    - Cryptography
    - Information Security and Risk Management
    - Legal, Regulations, Compliance and Investigations
    - Operations Security
    - Physical (Environmental) Security
    - Security Architecture and Design
    - Telecommunications and Network Security
  • 34. Career Path – (ISC)2
  • 35. 11 ISMS Control Areas in ISO27001:2005 Annex A
  • 36. Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development. United States Department of Homeland Security, September 2008
  • 37. Key Dimensions: 4 functional perspectives; 14 competency areas; 10 roles
  • 38. Functional Perspectives (MDIE): Manage, Design, Implement, Evaluate
  • 39. Competency Areas (MDIE in each)
    1. Data Security
    2. Digital Forensics
    3. Enterprise Continuity
    4. Incident Management
    5. IT Security Training and Awareness
    6. IT System Operations and Maintenance
    7. Network and Telecommunication Security
    8. Personnel Security
    9. Physical and Environmental Security
    10. Procurement
    11. Regulatory and Standards Compliance
    12. Security Risk Management
    13. Strategic Security Management
    14. System and Application Security
  • 40. Roles of Information Security
    1. Chief Information Officer
    2. Digital Forensics Professional
    3. Information Security Officer
    4. IT Security Compliance Officer
    5. IT Security Engineer
    6. IT Security Professional
    7. IT Systems Operations and Maintenance Professional
    8. Physical Security Professional
    9. Privacy Professional
    10. Procurement Professional
  • 42. TISA TISET Examination (TISET = TISA IT Security EBK Test)
  • 43. The Example of TISA TISET Exam Information Security Competency Score Card
  • 44. Enterprise Infosec Competency Profile
    Enterprise / Personnel Capability:
      - The organization assesses its Infosec competency requirements against the EBK.
      - Assess current competency within the enterprise.
      - Identify the competency gap, which yields training requirements and recruitment needs.
    Training Provider: the Infosec training provider maps its training courses to the EBK.
  • 45. TISA Pilot Exam Summary: TISA ITS-EBK Model
  • 46. [Chart] Competency Profile (Max Score / Min Score / Avg Score) across the 14 competency areas: 1. Data Security; 2. Digital Forensics; 3. Enterprise Continuity; 4. Incident Management; 5. IT Security Training and Awareness; 6. IT System Operations and Maintenance; 7. Network and Telecommunication Security; 8. Personnel Security; 9. Physical and Environmental Security; 10. Procurement; 11. Regulatory and Standards Compliance; 12. Security Risk Management; 13. Strategic Security Management; 14. System and Application Security
  • 47. [Chart] Functional Perspective (Max Score / Min Score / Avg Score): M – Manage, D – Design, I – Implement, E – Evaluate
  • 48. [Chart] IT Security Role Match (Max Score / Min Score / Avg Score)
  • 49. Example of TISA TISET Report
  • 50. TISET Certificate – Pass criteria
  • 51. Summary Score by Competency Areas
  • 53. Summary by Functional Perspective
  • 54. TISA Pilot Exam Summary: Certification Roadmap
    Tracks: Audit, Management, Technical
    EXPERT
    ADVANCE: International Certified IT & Information Security Professional (step to CISSP, SSCP, CISA, CISM)
    FOUNDATION (Localized): TISA TISET Certification on IT / Information Security Competencies Test (TISA TISET Exam)