Cybersecurity Health Checks: Safeguarding Your Organisation

1

Cybersecurity Health Checks:Safeguarding Your Organisation

Dr. Malcolm Shore

2

Quick Facts about Lynda.com

Government• Major government agencies• Branches of military

Corporations• More than half of the Fortune 50

across all key industry sectors

Education• 60% of all US colleges and

universities 40% of Australian universities

4M+Members

…with 350k paying out of pocket

20Years

Lynda.com was founded in 1995

1 2 ,000

+Enterprise Clients

…located across 52 countries

6,000+

Courses…available in

5 languages (German, Spanish, French, Japanese)

The Global Leader in Online Skills Instruction

INTRODUCTION

3

Dr. Malcolm Shore

Lynda.com authorTechnical Director, BAE Systems Applied Intelligence, Australia

INTRODUCTION

4

•1983 - US DoD rainbow series•1993 – UK PD0003•1998 – BS 7799……ISO 27000•2005 – NIST Special Publication 800-53•… but too difficult and costly

Information Security Standards

BACKGROUND

Cybersecurity Health Checks

5

•From Bulletin Boards to the Web•Ubiquitous connectivity across the globe•Clouds aren’t just in the sky…•From email to social media…•From telephone to smartphone•Cyber kill chain … the world has changed

Information Security Standards

BACKGROUND


6

•Evolution of information security standards lagging•Information security policies ineffective*

New Approach

BACKGROUND


*Doherty, NF and Fulford H. Do Information Security Policies Reduce the Incidence of Security Breaches? 2005

7

•UK Cybersecurity Strategy•Cyber Governance Health Check• top 350 listed companies• only15% of Boards manage cyber risk• only 30% use threat intelligence

•Majority of attacks exploit basic weaknesses

Information Security Policies

BACKGROUND


8

•Term used in audit community•Now used in cybersecurity consulting•Various interpretations

… is simply cyber fitness

Cybersecurity Health Check

DEFINITION


9

•Check-up – unauthorised users, malware•Health test - check network traffic for infections•Full examination - rules, patches, access and privileges - operational defences•Fitness test - external penetration exercise•Cyber insurance

Cybersecurity Health Check

DEFINITION


10

•Baseline security•Operational focus•Affordable, manageable

Cyber Essentials

CYBER ESSENTIALS


11

CYBER ESSENTIALS


12

•Prevents low grade technical attacks on• desktop PCs, laptops

• tablets, smartphones

• email

• web applications

Cyber Essentials

CYBER ESSENTIALS


13

• Boundary devices• Secure configuration• User access control• Malware protection• Patch management

Cyber Essentials

CYBER ESSENTIALS


14

Boundary Firewalls and Internet Gateways

CYBER ESSENTIALS

Cybersecurity health Checks

15

•administrative password must be changed•documented and authorised rules•obsolete rules removed•unnecessary services blocked•administrative interface accessible only internally

Boundary Firewalls and Internet Gateways

CYBER ESSENTIALS


16

Secure Configuration

CYBER ESSENTIALS


17

•Issues:• easy to install• no security configured• default administrator accounts and

passwords


CYBER ESSENTIALS


18


CYBER ESSENTIALS


• remove unnecessary default accounts• change default passwords• remove or disable unnecessary applications and

services• install personal firewalls on all PCs

19 Cybersecurity Health Checks

20 Cybersecurity Health Checks

21

• Issues:• legacy access• excess privileges

User Access Control

CYBER ESSENTIALS


22

User Access Control

CYBER ESSENTIALS


• minimum privileges• userid and strong passwords• ensure privileged accounts are not used for internet activity• disable or remove accounts when no longer required

23

User Access Control

CYBER ESSENTIALS


24

•Install anti-virus software• up to date signatures

•Use real-time protection•Scan the filebase•Blacklisting known malicious sites

Malware Protection

CYBER ESSENTIALS


25

•Flaws found by developers, researchers, hackers

•Often exploited within 24 hours

•Timely patching

•Licenced software

Patching

CYBER ESSENTIALS


26

•Good routine check-up and examination

•Does not propose a full cyber fitness test

Cyber Essentials – Health Check?

CYBER ESSENTIALS


27

•Published March 2015

•Improve cyber resilience

•Cyber defence posture

•Incident management

ASIC Report 429

ASIC REPORT 429


28

•Adopted in ASIC Report 429

•26 prompts• 2 governance

• 24 across the five Framework areas

US Cybersecurity Framework

ASIC REPORT 429


29

•Board and Executive awareness of cyber risk

•Assessment against the Cybersecurity Framework

Governance

ASIC REPORT 429


30

•What are the essential information and assets?

•What are the cyber risks?

•Are third party risks considered?

•Does enterprise risk management include cyber risks?

•Are staff aware of cyber risks?

Identify

ASIC REPORT 429


31

•Are security policies and standards up to date?

•Have IT systems and processes been tested?

•Are there sufficient resources in place?

Protect

ASIC REPORT 429


32

•Monitoring for cyber attacks

•External engagement

Detect

ASIC REPORT 429


33

•Is response planning adequate?

•Notifying law enforcement of an attack

•Notifying customers of a breach

Respond

ASIC REPORT 429


34

•Does the organisation have a recovery plan?Recover

ASIC REPORT 429


35

•Full set of controls

•Cyber health checks lost in the noise

•A through life fitness programme

ASIC Report 429 – Cyber Health Check?

ASIC REPORT 429


36

•Security standards are evolving

•Traditional approach is having limited success

•Cyber health checks are a more manageable approach

•Cyber Essentials provides a health check

Conclusion

CONCLUSION


37

ResourcesCONCLUSION


38

Q&A

CONCLUSION


Technology

Cybersecurity Health Checks: Safeguarding Your Organisation