11-19-2015 - ISACA Membership Conference - The State of Security
presCyberNISC2015
1. Jersey Financial Services Commission
The Impact of an Evolving Cyber Landscape in an e-Enabled Commission
2. The Impact of an Evolving Cyber Landscape in an e-Enabled Commission
Denis Philippe
Deputy Director - ICT
Introduction Presentation
Agenda
Introduction
What is the landscape?
Who are we protecting against?
What is changing?
What can we control?
What are we doing?
What about the local aspect?
Summary
Questions
4. What is the landscape? - Increasing Complexity
A general increase in the volume and complexity of risks across threat actors.
You can beat the bad things if you train for it.
Protection is going to cost and someone has to pay.
Standards and collaboration are going to be key.
Escalation is starting to occur with a move from theft to destruction.
Most organisations have little response capability.
Most have NOTHING in the way of recovery capability.
We operate on technology that was built in the age of trust, for scientific purposes. There is no embedded security risk mitigation.
5. What is the landscape? - What Happens To The Commission
Subjected to approximately 3,800 network security attack attempts DAILY.
Processes over 5,000 emails per day, with up to 34% of inbound traffic being rejected due to identified threats.
Website screening prevents access to high-risk content (< 0.1% of traffic).
6. Who are we protecting against?
7. Who are we protecting against? - The Actors
“Al Qaeda have called for terror attacks on the financial services sector.”
“They are not very good at it but they are getting better.”
John P Carlin, Assistant Attorney General for National Security, US DoJ
State Actors
Political tool – low cost, low impact (at present)
Corporate Actors
Intellectual property theft and market manipulation
The FBI have put IP theft at $100B per year
Criminal Actors
Fraud / Terrorism / Hacktivists
8. Who are we protecting against? - Attribution
Sony Attack 2014: Sony were initially seen as the bad guys. After attribution the sentiment was deflected to the suspected attacker.
Who attacked you?
Knowing who attacked you is important.
It is becoming easier to identify the source.
Understanding what they wanted or did.
9. What is changing?
10. What is changing? - Everything…
25 years ago, what we valued was 98% physical. Today, what we value is 99% digital. We went forward without thinking of the consequences.
Historically most targets have been Intellectual Property or Financial Theft.
Significant shift to physical threats.
The risk to air travel isn’t liquids, it’s now devices.
Privacy vs Security.
Personal data held by private entities far outstrips that of government.
11. What is changing? - Technology
80 – 90% of attacks can be prevented by patching.
Breaches take time to detect; 60% of data loss occurs within the first few hours of a breach.
A change in mindset is required.
Stop using fear as a lever to get funding.
Stop spending 90% on front-facing security measures.
Security as a business benefit.
Security resilience – can you detect an intrusion and contain and stop it before they achieve their objective?
Collaboration and sharing on incidents and approaches will improve the success when defending systems and digital assets.
13. What can we control? - Our Own Environment - Technology
Using the internal network as a sensor, to assist with detecting internal threats.
Building a network environment where technologies work together, not in isolation.
Perimeter
Network
Environments
Systems
14. What can we control? - Our Own Environment - Processes
Information Management based on ISO 27001.
Lord Chancellor's Code of Practice on the management of records issued under section 476 of the Freedom of Information Act 2000.
Best practices built into a new EDRMS.
Preparing for FOI.
Opportunity to understand our data assets.
Dispose of information that we no longer need.
Records lifecycle: Create, Use, Archive, Dispose.
15. What can we control? - Our Own Environment - People
Dispelling the myth that the IT department sorts it all out with technology.
There are multiple threat vectors; all need defending.
Threat Awareness – understanding what can happen and how.
Data Leakage – awareness of the responsibility.
Social Engineering – how they may be targeted.
Testing – are they effective security assets?
17. What are we doing? - Building
Building with security as a base requirement.
Designing new portals with interoperable user authentication and authorisation tools.
Revising security model to align with ISO 27032.
18. What are we doing? - Building
Developing a new platform environment with security baked in from the start.
Delivering joined-up services.
Delivering new Registers from a common platform (SIR, JAR).
Move to more services online.
Increased surface area requires a different approach to security.
19. What are we doing? - Maintaining
Complacency is a major threat. Continual evolution and horizon scanning is necessary to keep up, let alone get ahead!
Upgrading infrastructure.
Patching networks and systems (the no. 1 threat is unpatched systems).
Monitoring activity and alerts.
Trend analysis.
20. What are we doing? - Educating & Supporting
Complexity is frightening people to the point of disempowerment. We need to support and promote understanding and simplification.
Training technical team members.
Training end users on information management risk.
Testing the training – reinforcing the learning with testing.
Providing advice.
21. What about the local aspect?
22. What about the local aspect? - Island Opportunity
With an eye on the digital future of Jersey, is there a need to ensure that cyber security is embedded as a pre-requisite to doing business?
Is there a place for cyber in the regulatory framework?
Who should set and monitor any local standards?
Should the standards be scalable?
Key discussion points:
An agreed cyber standard for the financial services sector.
Apply existing international standards.
Guidelines for consumers and industry.
The need for a minimum standard.
Build a collaborative environment to discuss real-time cyber incidents and issues.
23. Questions