www.senseofsecurity.com.au © Sense of Security 2013 Page 1 – April 2013
Compliance, Protection & Business Confidence
Sense of Security Pty Ltd
Sydney
Level 8, 66 King Street
Sydney NSW 2000
Australia
Melbourne
Level 10, 401 Docklands Drv
Docklands VIC 3008
Australia
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
info@senseofsecurity.com.au
www.senseofsecurity.com.au
ABN: 14 098 237 908
Best practice strategies to improve your enterprise security
Murray Goldschmidt, Chief Operating Officer
April 2013
2nd Annual Australian Fraud Summit 2013
Agenda
1. Recent Security Breaches
2. Identifying & Understanding Security Risks & Organisational Implications
3. Steps to mitigate risk of breaches & theft
Cyber Threat Actors
(Chart: vertical axis "Increasing threat / consequence", horizontal axis "Scope – increasing ability to exploit"; each actor is plotted with its Agenda and Targets.)
Script Kiddies/Cyber Researchers: Experimentation, Fun, Testing
Hacktivists: Disruption, Reputational Damage, Political/Social
Organised Crime: Financial gain, fraud, ID theft
Professionals/Companies/Terrorists: Commercial advantage, Intellectual Property
Nation States: Economic, political or military advantage
Activity – But Not Yet Cyber War
http://www.economist.com/blogs/analects/2013/02/chinese-cyber-attacks
Hacktivist Attacks
http://www.bankinfosecurity.com/american-express-a-5645
http://www.scmagazine.com/market-for-ddos-prevention-to-hit-870-million/article/287020/
Advanced Persistent Threat
(Diagram, built up over several slides, of the intrusion chain:)
Target org/person → Malware penetrates → Command & Control → Data harvest & exfiltrate
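Detection at the Command & Control stage of the chain above, as an added example that is not part of the original deck: an implant polling its C2 server connects at a near-fixed period, so the coefficient of variation of a host's connection intervals to one destination separates beaconing from human browsing. The proxy log lines, hostnames and thresholds below are constructed for illustration.

```python
"""Beaconing check for the Command & Control stage of an intrusion.

Constructed example: the log lines, hostnames and thresholds below are made
up for illustration and are not taken from the original deck.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <bytes out>"
# ws-017 polls cdn-static.example.test every ~5 minutes; ws-042 browses news irregularly.
SAMPLE_LOG = """\
2013-04-02T09:00:00 ws-017 cdn-static.example.test 512
2013-04-02T09:00:09 ws-017 news.example.test 2048
2013-04-02T09:00:30 ws-042 news.example.test 1800
2013-04-02T09:01:05 ws-042 news.example.test 2200
2013-04-02T09:05:00 ws-017 cdn-static.example.test 530
2013-04-02T09:07:44 ws-042 news.example.test 1500
2013-04-02T09:10:01 ws-017 cdn-static.example.test 498
2013-04-02T09:11:40 ws-017 mail.example.test 9000
2013-04-02T09:15:00 ws-017 cdn-static.example.test 520
2013-04-02T09:19:59 ws-017 cdn-static.example.test 515
2013-04-02T09:25:00 ws-017 cdn-static.example.test 505
2013-04-02T09:31:12 ws-042 news.example.test 1900
2013-04-02T09:33:00 ws-042 news.example.test 2100
2013-04-02T10:02:15 ws-042 news.example.test 1700
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_hits=5, max_cv=0.1):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    The coefficient of variation (CV) of the inter-connection intervals,
    stdev / mean, is near 0 for machine-regular timing and large for human
    browsing. Pairs with fewer than min_hits connections are not judged, since
    a handful of samples cannot establish a period.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings[pair] = {
                "hits": len(hits),
                "mean_interval_s": avg,
                "cv": cv,
                # Total bytes sent to the suspected C2 host: a rising figure here
                # is the "Data harvest & exfiltrate" stage of the same chain.
                "bytes_out": sum(n for _, n in hits),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['hits']} hits every ~{info['mean_interval_s']:.0f}s "
              f"(cv={info['cv']:.3f}), {info['bytes_out']} bytes out")
```

Real implants often add jitter to the polling period, so in practice the CV threshold is tuned per environment and combined with destination reputation rather than used alone.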
RBA Falls Victim to Cyber Attack
http://www.afr.com/p/national/rba_confirms_cyber_attacks_ZsVpeJas8JX6UXCLwOVJKP
Opportunistic Attack – Out of Business
http://www.zdnet.com/distribute-it-claims-evil-behind-hack-1339319324/
Identifying Security Risk
Materiality Risk
ASX Principle 7: “Recognise and Manage Risk”
• A risk profile informs the board and management about material business risks, relevant to company (financial and non-financial) matters. Material business risks are the most significant areas of uncertainty or exposure at a whole-of-Company level that could impact the achievement of organisational objectives.
Applies also to non-listed entities!
Small Business Also Affected
http://www.staysmartonline.gov.au/alert_service/advisories/ransomware_attacks_will_increase_in_2013
Just The Top 4 …
At least 85% of the targeted cyber intrusions that Defence Signals Directorate (DSD) responds to could be prevented by following the first four mitigation strategies listed in DSD’s 35 Strategies to Mitigate Targeted Cyber Intrusions:
1. use application whitelisting to help prevent malicious software and other unapproved programs from running
2. patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
3. patch operating system vulnerabilities
4. minimise the number of users with administrative privileges
As of April 2013, the Top 4 Strategies to Mitigate Targeted Cyber Intrusions are mandatory for Australian Government agencies.
Action Required
Corporations & Government are generally becoming more aware of the need for improved governance and infosec capability.
Protect Your Data
http://www.theaustralian.com.au/news/nation/personal-details-of-50000-people-exposed-as-abc-website-hacked/story-e6frg6nf-1226586895264
Protect Your Data
http://www.dailyfinance.com/2012/06/08/youve-been-hacked-again-why-linkedins-breach-is-worse-tha/
Know Your Data
There is no network perimeter. Your data is everywhere:
Email
Mobile Devices
Corporate/Home Networks
Databases/File Servers
Cloud Services
Data Centric, Not System Centric
Fundamentals Still Count
Confidentiality: preventing the disclosure of information to unauthorised individuals or systems
Integrity: data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle
Availability: the security controls used to protect data, and the communication channel designed to access it, must be functioning correctly
Defence-in-Depth
A solid Information Security capability requires resilience through defence-in-depth, sound fundamentals, accountability by executives and the ability to comply with regulations/legislation.
Regulation & Legislation
Government
Privacy Act
Australian Government - Information Security Manual (ISM), Protective Security Policy Framework (PSPF)
State Government Standards, e.g. NSW Government Digital Information Security Policy based on ISO 27001
Industry
Australian Prudential Regulatory Authority (PPG-234)
PCI Security Standards Council (PCI Data Security Standard – PCI DSS)
Self Examination
What type of data do you have and is it classified?
Who owns it?
Where does it reside (data sovereignty)?
How is it accessed and by whom?
What are your future technology objectives (BYOD, Cloud, Mobility…)?
Are there third-party suppliers involved?
What are your compliance obligations?
Do you have a current/effective security governance capability?
How would you respond in case of an incident?
Information Security Governance
Incorporate an industry recognised system of governance (e.g. ISO 27001 - Information Security Management System)
Domains
Information Security Management: Security Policy & Organisation
Asset Management
Human Resource Security
Physical & Environmental Security
Communications & Operations Management
Access Control
Information Systems Acquisition, Development & Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Management & Technical Standards
Management standards and technical controls need to be defined and enforced.
Management Practice Areas
Change Management
Incident & Event Management
Patch Management
Disaster Recovery & Business Continuity Management
Configuration Management
Security Awareness Management
Vulnerability Management
Physical Security
Threat Management
Application Management
Access Control Management
3rd Party Management
Technical Assurance
Vulnerability Management Program
SDLC Governance, Static Code Analysis
Configuration Management / Hardening
Enterprise Security Architecture
Testing of technology assets and social engineering threat assessments
External/Internal penetration testing (ethical hacking) on networks and applications
Questions?
Thank you
Head office is Level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.
T: 1300 922 923
info@senseofsecurity.com.au
www.senseofsecurity.com.au

Gen AI in Business - Global Trends Report 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 

Sense of Security Best practice strategies to improve your enterprise security

  • 1. www.senseofsecurity.com.au © Sense of Security 2013 Page 1 – April 2013. Best practice strategies to improve your enterprise security. Murray Goldschmidt, Chief Operating Officer, April 2013, 2nd Annual Australian Fraud Summit 2013. Compliance, Protection & Business Confidence. Sense of Security Pty Ltd. Sydney: Level 8, 66 King Street, Sydney NSW 2000, Australia. Melbourne: Level 10, 401 Docklands Drv, Docklands VIC 3008, Australia. T: 1300 922 923, T: +61 (0) 2 9290 4444, F: +61 (0) 2 9290 4455, info@senseofsecurity.com.au, www.senseofsecurity.com.au, ABN: 14 098 237 908.
  • 2. Agenda: 1. Recent Security Breaches; 2. Identifying & Understanding Security Risks & Organisational Implications; 3. Steps to mitigate risk of breaches & theft.
  • 3–14. Cyber Threat Actors (chart built up over slides 3–14; vertical axis: increasing threat / consequence; horizontal axis: scope – increasing ability to exploit; columns: Actors, Agenda, Targets). Script Kiddies/Cyber Researchers: experimentation, fun, testing. Hacktivists: disruption, reputational damage, political/social. Organised Crime: financial gain, fraud, ID theft. Professionals/Companies/Terrorists: commercial advantage, intellectual property. Nation States: economic, political or military advantage.
  • 15. Activity – But Not Yet Cyber War. http://www.economist.com/blogs/analects/2013/02/chinese-cyber-attacks
  • 16. Hacktivist Attacks. http://www.bankinfosecurity.com/american-express-a-5645 http://www.scmagazine.com/market-for-ddos-prevention-to-hit-870-million/article/287020/
  • 17–36. Advanced Persistent Threat (diagram built up over slides 17–36): Target org/person → Malware penetrates → Command & Control → Data harvest & exfiltrate.
  • 37. RBA Falls Victim to Cyber Attack. http://www.afr.com/p/national/rba_confirms_cyber_attacks_ZsVpeJas8JX6UXCLwOVJKP
  • 38. Opportunistic Attack – Out of Business. http://www.zdnet.com/distribute-it-claims-evil-behind-hack-1339319324/
  • 39. Identifying Security Risk: Materiality Risk. ASX Principle 7: “Recognise and Manage Risk”. A risk profile informs the board and management about material business risks, relevant to company (financial and non-financial) matters. Material business risks are the most significant areas of uncertainty or exposure at a whole of Company level that could impact the achievement of organisational objectives. Applies also to non-listed entities!
  • 40. Small Business Also Affected. http://www.staysmartonline.gov.au/alert_service/advisories/ransomware_attacks_will_increase_in_2013
  • 41. Just The Top 4 ….. At least 85% of the targeted cyber intrusions that Defence Signals Directorate (DSD) responds to could be prevented by following the first four mitigation strategies listed in DSD’s 35 Strategies to Mitigate Targeted Cyber Intrusions: (1) use application whitelisting to help prevent malicious software and other unapproved programs from running; (2) patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers; (3) patch operating system vulnerabilities; (4) minimise the number of users with administrative privileges. As of April 2013, the Top 4 Strategies to Mitigate Targeted Cyber Intrusions are mandatory for Australian Government agencies.
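As an added example (not part of the deck or of DSD's own material), a read-only PowerShell audit that reports where one Windows host stands against the four strategies listed above, so a defender can put evidence rather than assertions in front of the board discussed later in the deck. It assumes a Windows 10 / Server 2016 or later host with the AppLocker and Microsoft.PowerShell.LocalAccounts modules; the 30-day patch window, the 3-member admin ceiling and the product-name pattern are this example's own assumptions, not DSD thresholds.

```powershell
# Added example, not from the Sense of Security deck: read-only audit of the DSD Top 4
# on a single Windows host. Thresholds (30 days, 3 admins) and the product regex are
# assumptions made for this example, not DSD requirements.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($control, $status, $detail) {
    $findings.Add([pscustomobject]@{ Control = $control; Status = $status; Detail = $detail })
}

# 1. Application whitelisting: an effective AppLocker policy must exist and enforce Exe rules.
try {
    $policy    = [xml](Get-AppLockerPolicy -Effective -Xml)
    $exe       = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
    $ruleCount = ($exe.ChildNodes | Measure-Object).Count
    if ($exe.EnforcementMode -eq 'Enabled' -and $ruleCount -gt 0) {
        Add-Finding 'Application whitelisting' 'PASS' "AppLocker Exe collection enforced, $ruleCount rules"
    } else {
        # AuditOnly or NotConfigured does not block anything; treat it as a gap.
        Add-Finding 'Application whitelisting' 'FAIL' "Exe mode '$($exe.EnforcementMode)', $ruleCount rules"
    }
} catch { Add-Finding 'Application whitelisting' 'FAIL' "AppLocker unavailable: $($_.Exception.Message)" }

# 2. Patch applications: inventory the product families the slide names so their versions
#    can be compared with current vendor releases (this script does no online lookup).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Adobe (Reader|Acrobat|Flash)|Microsoft Office|Chrome|Firefox' } |
        ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } | Sort-Object -Unique
if ($apps) { Add-Finding 'Patch applications' 'REVIEW' ($apps -join '; ') }
else       { Add-Finding 'Patch applications' 'REVIEW' 'none of the named products found' }

# 3. Patch operating system: days since the most recent recorded hotfix.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and ((Get-Date) - $latest.InstalledOn).Days -le 30) {
    Add-Finding 'Patch operating system' 'PASS' "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
} else {
    Add-Finding 'Patch operating system' 'FAIL' 'no OS update recorded in the last 30 days'
}

# 4. Minimise administrative privileges: members of the local Administrators group.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
if ($admins.Count -eq 0) {
    Add-Finding 'Minimise admin privileges' 'FAIL' 'could not enumerate Administrators group'
} else {
    $names  = ($admins | ForEach-Object Name) -join ', '
    $status = if ($admins.Count -le 3) { 'PASS' } else { 'FAIL' }
    Add-Finding 'Minimise admin privileges' $status "$($admins.Count) members: $names"
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt on the host being assessed; REVIEW rows need a human to compare the listed versions with the vendors' current releases.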
  • 42. Action Required. Corporations & Government are generally becoming more aware of the need for improved governance and infosec capability.
  • 43. Protect Your Data. http://www.theaustralian.com.au/news/nation/personal-details-of-50000-people-exposed-as-abc-website-hacked/story-e6frg6nf-1226586895264
  • 44. Protect Your Data. http://www.dailyfinance.com/2012/06/08/youve-been-hacked-again-why-linkedins-breach-is-worse-tha/
  • 45. Know Your Data. There is no network perimeter. Your data is everywhere: Email, Mobile Devices, Corporate/Home Networks, Databases/File Servers, Cloud Services.
  • 46. Data Centric, Not System Centric.
  • 47. Fundamentals Still Count. Confidentiality: preventing the disclosure of information to unauthorised individuals or systems. Integrity: data integrity means maintaining and assuring the accuracy and consistency of data over its entire life-cycle. Availability: the security controls used to protect data, and the communication channel designed to access it, must be functioning correctly.
  • 48. Defence-in-Depth. A solid Information Security capability requires resilience through defence-in-depth, sound fundamentals, accountability by executives and the ability to comply with regulations/legislation.
  • 49. Regulation & Legislation. Government: Privacy Act; Australian Government – Information Security Manual (ISM), Protective Security Policy Framework (PSPF); State Government standards, e.g. NSW Government Digital Information Security Policy based on ISO 27001. Industry: Australian Prudential Regulatory Authority (PPG-234); PCI Security Standards Council (PCI Data Security Standard – PCI DSS).
  • 50. Self Examination. What type of data do you have and is it classified? Who owns it? Where does it reside (data sovereignty)? How is it accessed and by whom? What are your future technology objectives (BYOD, Cloud, Mobility…)? Are there third-party suppliers involved? What are your compliance obligations? Do you have a current/effective security governance capability? How would you respond in case of an incident?
  • 51. Information Security Governance. Incorporate an industry recognised system of governance (e.g. ISO 27001 – Information Security Management System). Information Security Management domains: Security Policy & Organisation; Asset Management; Human Resource Security; Physical & Environmental Security; Communications & Operations Management; Access Control; Information Systems Acquisition, Development & Maintenance; Information Security Incident Management; Business Continuity Management; Compliance.
  • 52. Management & Technical Standards. Management standards and technical controls need to be defined and enforced. Management practice areas: Change Management; Incident & Event Management; Patch Management; Disaster Recovery & Business Continuity Management; Configuration Management; Security Awareness Management; Vulnerability Management; Physical Security; Threat Management; Application Management; Access Control Management; 3rd Party Management.
  • 53. Technical Assurance. Vulnerability Management Program; SDLC Governance, Static Code Analysis; Configuration Management / Hardening; Enterprise Security Architecture; Testing of technology assets and social engineering threat assessments; External/Internal penetration testing (ethical hacking) on networks and applications.
  • 54. Questions? Thank you. Head office is level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission. T: 1300 922 923 info@senseofsecurity.com.au www.senseofsecurity.com.au