Risks in the Cloud
and Business Continuity
BCP/DRP Summit
jorge.sebastiao@its.ws
What is the Cloud?
Evolution of Cloud
IaaS
Infrastructure as a Service
PaaS
Platform as a Service
SaaS
Software as a Service
Complexity of the Cloud
Spread of Code Red Worm in the Cloud
July 19 01:05:00 2001
Spread of Worm in the Cloud
July 19 20:15:00 2001
Financial cost of the Code Red worm: $2.6 billion
SQL Slammer Worm: 30 min
- Infections doubled every 8.5 seconds
- Spread 100X faster than Code Red
- At peak, scanned 55 million hosts per second
- Cost: $1.2 billion
Cloud Challenges
- Dynamic threats
- Limited IT resources
- Pressure to demonstrate risk reduction and compliance
- Process complexity
- Reduce operating costs
- Must show value
- Proactive versus reactive
Cloud Focus Challenges
Cloud Reliability
Enterprises are setting their SLA uptime targets at 99.99% or higher; cloud providers are not fully ready.
Amazon’s cloud outages receive a lot of exposure …
July 20, 2008: failure due to stranded zombies, lasts 5 hours
Feb 15, 2008: authentication overload leads to a two-hour service outage
October 2007: service failure lasts two days
October 2006: security breach where users could see other users’ data
… and their current SLAs don’t match those of enterprises*
Amazon EC2: 99.95%; Amazon S3: 99.9%
* SLAs expressed in monthly uptime percentages; source: McKinsey & Company
• Not clear that all applications require such high service levels
• IT shops do not always deliver on their SLAs, but their failures are less public and customers can’t switch easily
Source: Copyright © 2007 Boeing. All rights reserved.
Cloud Service Layers
Layers, from the most application-focused to the most infrastructure-focused: Services, Application, Development, Platform, Storage, Hosting.
- Services – complete business services such as PayPal, OpenID, OAuth, Google Maps, Alexa
- Application – cloud-based software that eliminates the need for local installation, such as Google Apps, Microsoft Online
- Development – software development platforms used to build custom cloud-based applications (PaaS & SaaS), such as SalesForce
- Platform – cloud-based platforms, typically provided using virtualization, such as Amazon EC2, Sun Grid
- Storage – data storage or cloud-based NAS such as CTERA, iDisk, CloudNAS
- Hosting – physical data centers such as those run by IBM, HP, NaviSite, etc.
Cloud and Risk
[Diagram, not reproduced: the service layers, from Services downwards, plotted against information risk and interoperability risk, with the relative effectiveness of technical controls, the difficulty of enterprise integration and the capability maturity varying across the layers]
Source: Copyright © 2007 Boeing. All rights reserved.
Network policy, applications and targets, past versus present and beyond:
- Policy: past – inside and outside groups, default deny; present+ – hundreds of groups, default allow
- Applications: past – tens of applications (web, mail, domain name server (DNS)); present+ – hundreds of applications (custom protocols, payroll, trading)
- Targets and traffic: past – tens of targets, megabits of traffic; present+ – thousands of targets, gigabits of traffic
Cloud: more challenges
Reorganizing the roles in the cloud
Cloud Impact on your Business
Threat sources
- Environmental
- Natural disasters
- Unexpected (“OOPS” factor)
- Cyber terrorism
- Viruses
- Industrial espionage
Business Impacts and Risks
- Employee & customer privacy
- Legislative violations
- Financial loss
- Intellectual capital
- Litigation
- Public image/trust
Importance of Critical Infrastructures
Critical Infrastructure - cable cuts
Users affected by the recent Middle East cable cuts, by country:
  India          60m
  Pakistan       12m
  Egypt           6m
  Saudi Arabia  4.7m
  UAE           1.7m
  Kuwait        0.8m
  Qatar         0.3m
  Bahrain       0.2m
Recent Middle East
• Dragging anchor cut two critical cables
• 85+ million users impacted across eight countries
• Incident highlights potential terrorist opportunities
Resiliency is ABSOLUTELY CRITICAL
Complexity: Increased Risk
“The Future of digital systems is complexity, and complexity is the worst enemy of security.”
Bruce Schneier, Crypto-Gram Newsletter, March 2000
More complexity, more security flaws
Complexity & Reliability Risk
  1 – 10   Simple procedure, little risk
  11 – 20  More complex, moderate risk
  21 – 50  Complex, high risk
  > 50     Untestable, VERY HIGH RISK
Complexity & Bad Fix Probability
Essential Complexity (un-structuredness) & Maintainability (future Reliability) Risk
  1 – 4    Structured, little risk
  > 4      Unstructured, high risk
Structural Analysis … Providing Actionable Metrics
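An added example, not from the deck, that applies the complexity risk bands above to Python functions; it assumes the bands refer to McCabe cyclomatic complexity, and the module it scores is a constructed sample (essential complexity is not computed here).

```python
import ast

# Risk bands from the slide ("Complexity & Reliability Risk"), applied here to
# McCabe cyclomatic complexity, which is assumed to be the measure the slide means.
RISK_BANDS = [
    (10, "Simple procedure, little risk"),
    (20, "More complex, moderate risk"),
    (50, "Complex, high risk"),
]
UNTESTABLE = "Untestable, very high risk"


def risk_band(complexity):
    """Map a cyclomatic complexity value onto the slide's risk bands."""
    for upper, label in RISK_BANDS:
        if complexity <= upper:
            return label
    return UNTESTABLE


def _own_nodes(func):
    """Yield the nodes of a function body without descending into nested
    functions, classes or lambdas, which are scored separately."""
    stack = list(ast.iter_child_nodes(func))
    while stack:
        node = stack.pop()
        yield node
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)):
            stack.extend(ast.iter_child_nodes(node))


def cyclomatic_complexity(func):
    """Decision points + 1: each if/elif, loop, except clause and conditional
    expression counts one, each extra operand of and/or counts one, and each
    comprehension clause counts one plus one per filter."""
    decisions = 0
    for node in _own_nodes(func):
        if isinstance(node, (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler)):
            decisions += 1
        elif isinstance(node, ast.BoolOp):
            decisions += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            decisions += 1 + len(node.ifs)
    return decisions + 1


def assess_source(source):
    """Return {function_name: (complexity, risk_band)} for every function in source."""
    tree = ast.parse(source)
    result = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            cc = cyclomatic_complexity(node)
            result[node.name] = (cc, risk_band(cc))
    return result


# Constructed sample module: one small function and one with the kind of nested
# branching that pushes a routine out of the "little risk" band.
SAMPLE_SOURCE = '''
def classify_packet(p):
    if p.get("proto") == "tcp" and p.get("dport") in (80, 443):
        return "web"
    return "other"

def triage(events):
    score = 0
    for e in events:
        if e["severity"] == "high":
            score += 10
        elif e["severity"] == "medium":
            score += 5
        elif e["source"] == "ids" or e["source"] == "hotline":
            score += 2
        try:
            if e["count"] > 100 and e["unique_hosts"] > 10:
                score += 20
        except KeyError:
            score += 1
        while score > 1000:
            score //= 2
    flagged = [e for e in events if e.get("flag") if e.get("score", 0) > 0]
    return score if score < 50 else 50
'''

if __name__ == "__main__":
    for name, (cc, band) in assess_source(SAMPLE_SOURCE).items():
        print(f"{name:16s} complexity {cc:3d}  {band}")
```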
Complexity and Risk
Framework must address Risk
[Diagram, not reproduced: the relationships among Threats, Vulnerabilities, Assets, Risks, Controls, Security Requirements and Business Impact, with edges labelled exploit, expose, increase, have, protect against, met by, indicate and reduce]
Risk Analysis provides focus
[Diagram, not reproduced: a risk matrix with Low, Medium and High on both axes; the High/High corner is marked “Area of Major Concern”]
Managing risk?
End User Phishing
http://www.antiphishing.org/
• Target customers of banks and online payment services
• Obtain sensitive data from U.S. taxpayers via e-mails pretending to come from the IRS
• Identity theft on social network sites, e.g. myspace.com
• Recently more non-financial brands were attacked, including social networking, VOIP, and numerous large web-based email providers.
Phishing only started in 2004, but in 2006 it cost the UK £35m and the USA perhaps $200m
End User is the biggest problem
Farce of the Facebook spy: MI6 chief faces probe after wife exposes their life on Net
“MI6 faced calls for an inquiry last night after an extraordinary lapse of judgment led to the new head of MI6's personal details being plastered over Facebook.
Millions of people could have gained access to compromising photographs of Sir John Sawers and his family on the social networking website.
...”
http://www.dailymail.co.uk/news/article-1197757/New-MI6-chief-faces-probe-wife-exposes-life-Facebook.html
When all fails… are you ready?
“Everybody’s got a plan until they get hit!” -- Mike Tyson
Business Continuity Management
- Business Impact Analysis
- Risk Analysis
- Recovery Strategy
- Group Plans and Procedures
Business Continuity Planning Initiation
[Diagram, not reproduced: the BCM project (policy, scope, resources, organization; create planning organization; risk reduction; implement standby facilities; testing) feeding an ongoing BCM process of change management, education, testing and review]
Business Continuity timeline
[Diagram, not reproduced: timeline from an active business through an incident to a successful recovery]
Processes - Workflow
Risk Transfer
- Elimination
- Reduction/Controls
- Transfer/Outsource
- Insurance
- Residual: not all risk can be eliminated via controls
Strategy Optimization
Recovery strategy must be optimized to business requirements
[Chart, not reproduced: cost of the mitigation strategy and lost revenue plotted against time, with the optimum mitigation strategy marked]
Response and Risk approach
Risk Management and Business Controls (ordered by increasing impact)
- Events: assess impact of events & implement appropriate controls
- Incidents: monitor & resolve at the appropriate level using processes (Incident Management Process)
- Crises: monitor & resolve the “critical few” with the crisis management team (Crisis Management Process)
Standardisation bodies
- ISO/IEC – wide scope of standardization: 27xxx and 13335
- IETF – focuses on Internet-related technical security requirements
- NIST-CSRC (http://www.nist.gov/) – wide scope of coverage for both government and enterprise needs
- OASIS (http://www.oasis-open.org/) – Application Vulnerability Description Language
- OGSF (Open Group Security Forum, http://www.opengroup.org/security/) – started the Intrusion Attack and Response Workshop
Best practices and recommendations
- CERT/CC (http://www.cert.org/)
- SANS (System Administration, Networking, and Security) Institute – http://www.sans.org/
- ISACA (http://www.isaca.org/) – most noted for the CobiT framework for IT governance
- ISSA (http://www.issa.org/) – GAISP (Generally Accepted Information Security Principles)
Standards, Guidelines
ISMS family of standards (ISO/IEC 27xxx)
- ISO/IEC 27001 – ISMS (BS 7799-2)
- ISO/IEC 27002 – ISO/IEC 17799 (BS 7799-1)
- ISO/IEC 27005 – Infosec risk management
- ISO/IEC 27006 – guide to the ISMS certification process
- ISO/IEC 27003 – ISMS implementation guide
- ISO/IEC 27004 – Infosec metrics
- ISO/IEC 27007 – guideline for ISMS auditing
- ISO/IEC 27011 – ISMS implementation guideline for the telecommunications industry
- ISO/IEC 27034 – guideline for application security
Standards provide controls
So how do you implement security controls?
Technical controls: the site implements a firewall to stop external attackers but allow academic collaboration.
Education: explain to users why there is a firewall (to stop attackers) and how to ask for exceptions (to allow collaboration).
Administrative controls: the Security Policy states that Internet services must be used safely.
ISO 27004: Metrics & Measurement
ISO/IEC has a new project to develop an ISMS Metrics and Measurements Standard. This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls):
- Performance targets
- What to measure
- How to measure
- When to measure
Security Metrics
Infrastructure-Centric Metrics
Infrastructure-centric metric – measure of efficiency, speed, and/or capacity of technology
- Throughput – amount of information that can pass through a system in a given amount of time
- Transaction speed – speed at which a system can process a transaction
- System availability – measured inversely as downtime, or the average amount of time a system is down or unavailable
- Response time – average time to respond to a user-generated event like a mouse click
- Scalability – conceptual metric related to how well a system can be adapted to increased demands
IT Metrics and SLAs
- Service level agreement (SLA) – formal, contractually obligated agreement
- SLAs must include IT success metrics
- SLAs are between you and the outsourcer
- SLAs define how you will measure KPIs
- Measures are in service level specifications (SLS) or service level objectives (SLO)
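As an added illustration, not from the deck, the monthly uptime percentage in which the Amazon SLAs quoted earlier are expressed can be computed from an outage log and checked against each target; the 5-hour outage of July 20, 2008 comes from the slide, but its start time and the duplicate overlapping report are constructed sample data.

```python
from datetime import datetime, timedelta

# Monthly uptime targets quoted on the slides: the 99.99% enterprises ask for
# versus the published Amazon EC2 (99.95%) and S3 (99.9%) figures.
SLA_TARGETS = {"enterprise target": 99.99, "Amazon EC2": 99.95, "Amazon S3": 99.9}


def allowed_downtime_minutes(target_pct, period_hours):
    """Downtime budget (minutes) a monthly-uptime SLA of target_pct leaves in a period of period_hours."""
    return period_hours * 60.0 * (100.0 - target_pct) / 100.0


def merge_windows(windows):
    """Merge overlapping or touching (start, end) windows so an outage reported
    twice (e.g. by monitoring and by the hotline) is not counted twice."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_in_period(outages, period_start, period_end):
    """Total downtime inside [period_start, period_end), clipping outages that straddle the edges."""
    total = timedelta()
    for start, end in merge_windows(outages):
        clipped_start, clipped_end = max(start, period_start), min(end, period_end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total


def monthly_uptime_pct(outages, period_start, period_end):
    """Uptime percentage over the period, the unit in which the slide's SLAs are expressed."""
    down = downtime_in_period(outages, period_start, period_end)
    return 100.0 * (1.0 - down / (period_end - period_start))


def sla_report(outages, period_start, period_end, targets=SLA_TARGETS):
    """Return (uptime_pct, {sla_name: met}) for the period."""
    uptime = monthly_uptime_pct(outages, period_start, period_end)
    return uptime, {name: uptime >= target for name, target in targets.items()}


# Constructed sample: the slide's 5-hour outage of July 20, 2008 (start time assumed),
# plus a second, partly overlapping report of the same outage from another monitor.
JULY_2008 = (datetime(2008, 7, 1), datetime(2008, 8, 1))
SAMPLE_OUTAGES = [
    (datetime(2008, 7, 20, 9, 0), datetime(2008, 7, 20, 14, 0)),    # 5 hours
    (datetime(2008, 7, 20, 12, 30), datetime(2008, 7, 20, 14, 0)),  # duplicate report
]


def demo():
    """Uptime for July 2008 and whether each SLA target was met."""
    return sla_report(SAMPLE_OUTAGES, *JULY_2008)


if __name__ == "__main__":
    uptime, met = demo()
    hours = (JULY_2008[1] - JULY_2008[0]).total_seconds() / 3600
    print(f"July 2008 uptime: {uptime:.4f}%")
    for name, target in SLA_TARGETS.items():
        budget = allowed_downtime_minutes(target, hours)
        print(f"{name:17s} {target}% (budget {budget:.1f} min/month): {'met' if met[name] else 'MISSED'}")
```

A single 5-hour outage in a 31-day month already consumes more than ten times the 99.95% budget of about 22 minutes, which is why the slide's enterprise target of 99.99% leaves under five minutes a month.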
Incident Handling Life Cycle
[Diagram, not reproduced: reports arrive by email, hotline/phone, IDS or other channels as incident reports, vulnerability reports or information requests; they are triaged, then analyzed; the analysis stage obtains contact information, provides technical assistance and coordinates information and response]
Incident Response Components (from RFC 2350)
CSIRTs
Organisational form depends on the type of organisation and the required level of support to the community
- Security Policy: define what is required/allowed/acceptable
- Incident Response Policy: what is provided, who receives it and who provides support
- Incident Response Plan: which incidents will be responded to and how
EU CERTs
Action Plan 1
- Build resilience / harden the infrastructure
  - Server and link redundancy
  - Security of routing protocol / traffic exchange
  - Security of DNS service
- Profiling attackers and understanding their objectives (know your enemies)
- Response preparedness
  - National contingency plan for the Internet
  - Cyber exercises on national/international level are crucial
  - Strengthen multinational cooperation for rapid response (formal rather than informal)
  - Importance of CERTs/CSIRTs and their role for national and international cooperation
- Measurement – monitoring of traffic to understand what is going on
Action Plan 2
- Technology will not be sufficient
- Study the economics of security and cyber crime
- Set up Public Private Partnership (PPP); example: www.antiphishing.org
- Develop cross-sector and cross-organisational cooperation on national, EU and international levels
- Agree on the allocation of responsibilities
- Information and best-practice sharing → importance of trust
- Raising awareness and education of individuals, public bodies, corporate users and service providers
Questions
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...Brian Solis
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Lviv Startup Club
 
Scrum Events & How to run them effectively
Scrum Events & How to run them effectivelyScrum Events & How to run them effectively
Scrum Events & How to run them effectivelyMarianna Nakou
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessAPCO
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...Khaled Al Awadi
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhangmcgroupjeya
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentationbaron83
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Onlinelng ths
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003believeminhh
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...AustraliaChapterIIBA
 
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKELtd
 
Personal Brand Exploration Presentation Eric Bonilla
Personal Brand Exploration Presentation Eric BonillaPersonal Brand Exploration Presentation Eric Bonilla
Personal Brand Exploration Presentation Eric BonillaEricBonilla13
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023Steve Rader
 
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfPDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfHajeJanKamps
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024Stephan Koning
 

Último (20)

Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptx
Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptxChapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptx
Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptx
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
 
Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
Scrum Events & How to run them effectively
Scrum Events & How to run them effectivelyScrum Events & How to run them effectively
Scrum Events & How to run them effectively
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
 
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...NewBase  25 March  2024  Energy News issue - 1710 by Khaled Al Awadi_compress...
NewBase 25 March 2024 Energy News issue - 1710 by Khaled Al Awadi_compress...
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhang
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentation
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Online
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
 
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
 
WAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdfWAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdf
 
Investment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV IndustriesInvestment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV Industries
 
Personal Brand Exploration Presentation Eric Bonilla
Personal Brand Exploration Presentation Eric BonillaPersonal Brand Exploration Presentation Eric Bonilla
Personal Brand Exploration Presentation Eric Bonilla
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023
 
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfPDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 

Cloud risk and business continuity v21

  • 1. Risks in the Cloud and Business Continuity BCP/DRP Summit jorge.sebastiao@its.ws
  • 2. What is the Cloud?
  • 3. Evolution of Cloud IaaS Infrastructure as a Service PaaS Platform as a Service SaaS Software as a Service
  • 5. 5 Spread of Code Red Worm in the Cloud July 19 01:05:00 2001
  • 6. 6 Spread of Worm in the Cloud July 19 20:15:00 2001 Financial Cost: CodeRED Worm: $2.6 billion
  • 7. SQL Slammer Worm: 30min - Infections doubled every 8.5 seconds - Spread 100X faster than Code Red -At peak, scanned 55 million hosts per second. -COST: $1.2 billion
  • 8. Cloud Challenges 8 Dynamic threats Limited IT resources Pressure to demonstrate risk reduction and compliance Process complexity Reduce operating costs Must show value Proactive versus reactive
  • 10. Cloud Reliability
    Enterprises are setting their SLA uptimes at 99.99% or higher; cloud providers are not fully ready.
    Amazon's cloud outages receive a lot of exposure ...
    - July 20, 2008: failure due to stranded zombies, lasts 5 hours
    - Feb 15, 2008: authentication overload leads to two-hour service outage
    - October 2007: service failure lasts two days
    - October 2006: security breach where users could see other users' data
    ... and their current SLAs don't match those of enterprises*: Amazon EC2 99.95%, Amazon S3 99.9%
    * SLAs expressed in Monthly Uptime Percentages; Source: McKinsey & Company
    - Not clear that all applications require such high service levels
    - IT shops do not always deliver on their SLAs, but their failures are less public and customers can't switch easily
  • 11. Cloud Service Layers (Source: Copyright © 2007 Boeing. All rights reserved.)
    Layers, from application focused to infrastructure focused: Services, Application, Development, Platform, Storage, Hosting
    - Services – Complete business services such as PayPal, OpenID, OAuth, Google Maps, Alexa Services
    - Application – Cloud based software that eliminates the need for local installation, such as Google Apps, Microsoft Online
    - Storage – Data storage or cloud based NAS such as CTERA, iDisk, CloudNAS
    - Development – Software development platforms used to build custom cloud based applications (PaaS & SaaS) such as SalesForce
    - Platform – Cloud based platforms, typically provided using virtualization, such as Amazon ECC, Sun Grid
    - Hosting – Physical data centers such as those run by IBM, HP, NaviSite, etc.
  • 12. Cloud and Risk (Source: Copyright © 2007 Boeing. All rights reserved.)
    Layers: Services, Application, Development, Platform, Storage, Hosting
    - Information Risk: relative effectiveness of technical controls
    - Interoperability Risk: difficulty of enterprise integration
    - Capability Maturity
  • 13. Cloud: more challenges (Past versus Present + Cloud)
    - Network policy: Past – inside and outside groups, default deny; Present + Cloud – hundreds of groups, default allow
    - Applications: Past – tens of applications (web, mail, domain name server (DNS)); Present + Cloud – hundreds of applications (custom protocols, payroll, trading)
    - Targets and traffic: Past – tens of targets, megabits of traffic; Present + Cloud – thousands of targets, gigabits of traffic
  • 14. Reorganizing the roles in the cloud
  • 15. Cloud Impact on your Business
  • 17. Business Impacts and Risks Employee & customer privacy Legislative violations Financial loss Intellectual capital Litigation Public Image/Trust Business Risks
  • 18. Importance of Critical Infrastructures
  • 19. Critical Infrastructure – cable cuts
    Users impacted: India 60m, Pakistan 12m, Egypt 6m, Saudi Arabia 4.7m, UAE 1.7m, Kuwait 0.8m, Qatar 0.3m, Bahrain 0.2m
    Recent Middle East incident:
    - Dragging anchor cut two critical cables
    - 85+ million users impacted across eight countries
    - Incident highlights potential terrorist opportunities
    Resiliency is ABSOLUTELY CRITICAL
  • 20. Complexity: Increased Risk. "The future of digital systems is complexity, and complexity is the worst enemy of security." Bruce Schneier, Crypto-Gram Newsletter, March 2000
  • 21. Complexity and Risk: more complexity, more security flaws
    Complexity & Reliability Risk:
    - 1–10: simple procedure, little risk
    - 11–20: more complex, moderate risk
    - 21–50: complex, high risk
    - >50: untestable, VERY HIGH RISK
    Complexity & Bad Fix Probability
    Essential Complexity (unstructuredness) & Maintainability (future reliability) Risk:
    - 1–4: structured, little risk
    - >4: unstructured, high risk
    Structural analysis ... providing actionable metrics
  • 22. Framework must address Risk. Elements: Threats, Vulnerabilities, Controls, Risks, Assets, Security Requirements, Business Impact. Relationships shown in the diagram: exploit, expose, increase, have, protect against, met by, indicate, reduce.
  • 23. Risk Analysis provides focus High Medium Low Low Medium High Area of Major Concern
  • 25. End User Phishing (http://www.antiphishing.org/)
    - Target customers of banks and online payment services
    - Obtain sensitive data from U.S. taxpayers through emails pretending to be from the IRS
    - Identity theft for social network sites, e.g. myspace.com
    - Recently more non-financial brands were attacked, including social networking, VOIP, and numerous large web-based email providers
    Phishing only started in 2004, but in 2006 it cost the UK £35m and the USA perhaps $200m.
  • 26. End User is the biggest problem
    Farce of the Facebook spy: MI6 chief faces probe after wife exposes their life on Net
    "MI6 faced calls for an inquiry last night after an extraordinary lapse of judgment led to the new head of MI6's personal details being plastered over Facebook. Millions of people could have gained access to compromising photographs of Sir John Sawers and his family on the social networking website. ..."
    http://www.dailymail.co.uk/news/article-1197757/New-MI6-chief-faces-probe-wife-exposes-life-Facebook.html
  • 27. When all fails….are you ready? Everybody’s got a plan until they get hit! -- Mike Tyson
  • 28. Business Continuity Management
    BCM Project: Business Continuity Planning Initiation; Business Impact Analysis; Risk Analysis; Recovery Strategy; Risk Reduction; Implement Standby Facilities; Create Planning Organization; Group Plans and Procedures; Testing
    BCM Ongoing Process: Change Management; Education; Testing; Review
    Policy: Scope, Resources, Organization
  • 32. Strategy Optimization: the recovery strategy must be optimized to business requirements. Chart: Cost of Strategy versus Time, showing the Mitigation cost curve, the Lost Revenue curve and the Optimum Mitigation Strategy point.
  • 33. Response and Risk approach: Risk Management and Business Controls (ordered by increasing Impact)
    - Events: assess impact of events & implement appropriate controls
    - Incidents: monitor & resolve at the appropriate level using processes (Incident Management Process)
    - Crises: monitor & resolve the "critical few" with the crisis management team (Crisis Management Process)
  • 34. Standardisation bodies
    - ISO/IEC – wide scope of standardization: 27xxx and 13335
    - IETF – focuses on Internet related technical security requirements
    - NIST-CSRC (http://www.nist.gov/) – wide scope of coverage for both government and enterprise needs
    - OASIS (http://www.oasis-open.org/) – Application Vulnerability Description Language
    - OGSF (Open Group Security Forum, http://www.opengroup.org/security/) – started Intrusion Attack and Response Workshop
    Best practices and recommendations:
    - CERT/CC (http://www.cert.org/)
    - SANS (System Administration, Networking, and Security) Institute – http://www.sans.org/
    - ISACA (http://www.isaca.org/) – most noted for the CoBIT framework for IT Governance
    - ISSA (http://www.issa.org/) – GAISP (Generally Accepted Information Security Principles)
  • 35. Standards, Guidelines: ISMS family of standards (ISO/IEC 27xxx)
    - ISO/IEC 27001 – ISMS (BS 7799-2)
    - ISO/IEC 27002 – ISO/IEC 17799 (BS 7799-1)
    - ISO/IEC 27003 – ISMS implementation guide
    - ISO/IEC 27004 – Infosec metrics
    - ISO/IEC 27005 – Infosec risk management
    - ISO/IEC 27006 – guide to ISMS certification process
    - ISO/IEC 27007 – guideline for ISMS auditing
    - ISO/IEC 27011 – ISMS implementation guideline for the telecommunications industry
    - ISO/IEC 27034 – a guideline for application security
  • 36. Standards provide controls. So how do you implement security controls?
    - Technical controls: the site implements a firewall to stop external attackers but allow academic collaboration.
    - Education: explain to users why there is a firewall (to stop attackers) and how to ask for exceptions (to allow collaboration).
    - Administrative controls: the Security Policy states that Internet services must be used safely.
  • 37. ISO 27004: Metrics & Measurement. ISO/IEC has a new project to develop an ISMS Metrics and Measurements Standard. This development is aimed at addressing how to measure the effectiveness of ISMS implementations (processes and controls): performance targets; what to measure; how to measure; when to measure.
  • 39. Infrastructure-Centric Metrics
    Infrastructure-centric metric – measure of efficiency, speed, and/or capacity of technology
    - Throughput – amount of information that can pass through a system in a given amount of time
    - Transaction speed – speed at which a system can process a transaction
    - System availability – measured inversely as downtime, or the average amount of time a system is down or unavailable
    - Response time – average time to respond to a user-generated event like a mouse click
    - Scalability – conceptual metric related to how well a system can be adapted to increased demands
  • 40. IT Metrics and SLAs
    - Service level agreement (SLA) – formal, contractually obligated agreement
    - SLAs must include IT success metrics
    - SLAs are between you and the outsourcer
    - SLAs define how you will measure KPIs
    - Measures are in service level specifications (SLS) or service level objectives (SLO)
  • 41. Incident Handling Life Cycle: reports arrive by Email, Hotline/Phone, IDS or Other as an Incident Report, Vulnerability Report or Information Request; then Triage; Analyze; Coordinate Information and Response; Obtain Contact Information; Provide Technical Assistance.
  • 42. Incident Response Components (from RFC 2350)
    - The CSIRT's organisational form depends on the type of organisation and the required level of support to the community
    - Security Policy: define what is required/allowed/acceptable
    - Incident Response Policy: what is provided, who receives it and who provides support
    - Incident Response Plan: which incidents will be responded to and how
  • 44. Action Plan 1
    Build resilience / harden the infrastructure:
    - Servers and links redundancy
    - Security of routing protocol / traffic exchange
    - Security of DNS service
    - Profiling attackers and understanding their objectives (know your enemies)
    Response preparedness:
    - National contingency plan for the Internet
    - Cyber exercises on national/international level are crucial
    - Strengthen multinational cooperation for rapid response (formal rather than informal)
    - Importance of CERTs/CSIRTs and their role for national and international cooperation
    - Measurement – monitoring of traffic to understand what is going on
  • 45. Action Plan 2
    - Technology will not be sufficient
    - Study the economics of security and cyber crime
    - Set up a Public Private Partnership (PPP); example: www.antiphishing.org
    - Develop cross-sector and cross-organisational cooperation on national, EU and international levels
    - Agree on the allocation of responsibilities
    - Information and best practices sharing: importance of trust
    - Raising awareness and education of individuals, public bodies, corporate users and service providers
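Slide 10 contrasts enterprise SLA targets (99.99%) with provider SLAs expressed as monthly uptime percentages (EC2 99.95%, S3 99.9%), and slides 39 and 40 say availability is measured inversely as downtime and that an SLA must define how the KPI is measured. The following Python is an added example, not part of the deck, that turns those statements into the checks a BCP owner actually runs: the downtime budget a monthly percentage allows, the uptime a month achieved given its outages, and the composite availability of an application that depends on several services at once (an application that needs both EC2 and S3 up cannot promise more than their product). Outage start times are constructed; only the durations and target figures come from the slides.

```python
"""Monthly uptime, downtime budgets and composite SLA checks (added example)."""
from datetime import datetime, timedelta


def allowed_downtime(monthly_uptime_pct, days_in_month=30):
    """Downtime budget implied by a monthly uptime percentage.

    Slide 39: availability is measured inversely as downtime, so the SLA
    figure is easiest to reason about as minutes of outage per month.
    """
    month = timedelta(days=days_in_month)
    return month * (1 - monthly_uptime_pct / 100)


def monthly_uptime(outages, month_start, month_end):
    """Uptime percentage for one month from (start, end) outage intervals.

    Outages straddling the month boundary are clipped to the month, so the
    same outage list can be evaluated month by month.
    """
    total = month_end - month_start
    down = timedelta()
    for start, end in outages:
        clipped_start = max(start, month_start)
        clipped_end = min(end, month_end)
        if clipped_end > clipped_start:
            down += clipped_end - clipped_start
    return 100 * (1 - down / total)


def composite_availability(component_uptimes_pct):
    """Availability of a service that needs every listed component up.

    Serial dependencies multiply: 99.95% (EC2) on top of 99.9% (S3) leaves
    less than either figure, before the enterprise's own software is counted.
    """
    availability = 1.0
    for pct in component_uptimes_pct:
        availability *= pct / 100
    return 100 * availability


def sla_met(achieved_pct, target_pct):
    """The KPI comparison an SLA (slide 40) has to define explicitly."""
    return achieved_pct >= target_pct


# Constructed outage records modelled on slide 10. The durations (5 hours on
# July 20, 2008; two hours on Feb 15, 2008) come from the slide; the start
# times are assumptions made so the intervals can be computed.
OUTAGES = [
    (datetime(2008, 7, 20, 10, 0), datetime(2008, 7, 20, 15, 0)),
    (datetime(2008, 2, 15, 9, 0), datetime(2008, 2, 15, 11, 0)),
]


def july_2008_uptime():
    return monthly_uptime(OUTAGES, datetime(2008, 7, 1), datetime(2008, 8, 1))


def february_2008_uptime():
    return monthly_uptime(OUTAGES, datetime(2008, 2, 1), datetime(2008, 3, 1))


if __name__ == "__main__":
    for target in (99.9, 99.95, 99.99):
        minutes = allowed_downtime(target).total_seconds() / 60
        print(f"{target}% monthly uptime allows {minutes:.1f} min of downtime")
    print(f"July 2008 uptime: {july_2008_uptime():.3f}%")
    print(f"EC2 + S3 composite: {composite_availability([99.95, 99.9]):.4f}%")
    print("EC2 SLA met in July 2008:", sla_met(july_2008_uptime(), 99.95))
```

A single five-hour outage in a 31-day month already pulls uptime to about 99.33%, well under both the 99.95% provider figure and the 99.99% enterprise target, which is the slide's point that the two SLAs are not comparable. The composite function is the part the deck does not spell out: stacking two provider SLAs gives roughly 99.85%, so an enterprise target of 99.99% has to be met by redundancy, not by the provider's contract.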

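Slide 21 gives risk bands for a complexity metric (1–10 little risk, 11–20 moderate, 21–50 high, >50 untestable) and argues that more complexity means more security flaws. The block below is an added example, not from the deck, that applies those bands to real functions: it counts decision points in Python source with the standard library `ast` module and maps the resulting cyclomatic complexity onto the slide's labels. Treating the slide's bands as McCabe cyclomatic complexity bands is an assumption (the slide does not name the metric), and the essential-complexity figure from the same slide is not computed here. The sample source being analysed is constructed for the example.

```python
"""Cyclomatic-complexity screening using the risk bands from slide 21 (added example)."""
import ast

# Upper bound of each band and the slide's label; anything above 50 is untestable.
# Assumption: these are McCabe cyclomatic complexity bands.
RISK_BANDS = [
    (10, "simple procedure, little risk"),
    (20, "more complex, moderate risk"),
    (50, "complex, high risk"),
]


def risk_band(complexity):
    """Map a complexity value onto the slide's risk label."""
    for upper, label in RISK_BANDS:
        if complexity <= upper:
            return label
    return "untestable, VERY HIGH RISK"


class _DecisionCounter(ast.NodeVisitor):
    """Counts decision points; each one adds an independent path through the code."""

    def __init__(self):
        self.count = 0

    def _branch(self, node):
        self.count += 1
        self.generic_visit(node)

    # Branches and loops each add one path; `elif` is a nested If and is counted too.
    visit_If = visit_IfExp = visit_For = visit_AsyncFor = visit_While = _branch
    visit_ExceptHandler = _branch

    def visit_BoolOp(self, node):
        # `a and b or c` short-circuits, so each extra operand is a decision.
        self.count += len(node.values) - 1
        self.generic_visit(node)

    def visit_comprehension(self, node):
        # Each `for` clause plus each `if` filter in a comprehension is a decision.
        self.count += 1 + len(node.ifs)
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        # Nested functions are measured on their own; do not descend into them.
        return

    visit_AsyncFunctionDef = visit_FunctionDef


def function_complexity(func_node):
    """Cyclomatic complexity of one function: 1 plus its decision points."""
    counter = _DecisionCounter()
    for statement in func_node.body:
        counter.visit(statement)
    return 1 + counter.count


def complexity_report(source):
    """Return {function name: (complexity, risk label)} for every def in source."""
    tree = ast.parse(source)
    report = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            cc = function_complexity(node)
            report[node.name] = (cc, risk_band(cc))
    return report


# Constructed sample: a trivial helper, a small access-control check, and an
# incident triage routine that has grown enough branches to reach the second band.
SAMPLE_SOURCE = '''
def parse_flag(value):
    return value == "yes"

def classify(req, allow, deny):
    if req.user in deny:
        return "reject"
    for rule in allow:
        if rule.matches(req) and not rule.expired():
            return "accept"
    if req.port > 1024 or req.proto == "udp":
        return "review"
    return "reject"

def triage(kind, severity, source):
    if kind == "incident" and severity >= 8:
        return "crisis"
    elif kind == "incident" and severity >= 4:
        return "incident"
    elif kind == "incident":
        return "event"
    elif kind == "vulnerability" and source == "ids":
        return "triage-now"
    elif kind == "vulnerability":
        return "triage"
    elif kind == "info-request" or source == "hotline":
        return "respond"
    else:
        return "unknown"
'''

if __name__ == "__main__":
    for name, (cc, label) in complexity_report(SAMPLE_SOURCE).items():
        print(f"{name}: complexity {cc} -> {label}")
```

Running this over a code base gives the "actionable metric" the slide mentions: functions landing in the 21–50 band are candidates for splitting before they are exposed as cloud services, and anything above 50 cannot be tested exhaustively and should be treated as a security review finding in its own right.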
Editor's notes

  1. The NIST diagram provides a good visualization of what it is, what types of services are delivered and how it is deployed.
  2. The security approach and role vary depending on the delivery model.