Adedoyin Odunfa - isaca.or.ke/resources2017/ISACA Kenya Hackers...
Understanding the Hackers Mindset. Adedoyin Odunfa
www.digitaljewels.net
Adedoyin Odunfa’s Profile
Education & Certifications
• CISA, CISSP, CGEIT, PMP, ITBMC, ISO27001 Lead Auditor, COBIT 5.0 Certified Assessor, SFIA Accredited Consultant
• MBA (IT & Management)
City University Business School (Now CASS Business School), Barbican Centre, London.
• B.Sc. Computer Science & Economics.
Obafemi Awolowo University, Ile-Ife
• Queen’s College, Yaba. Lagos
Work Experience
• Current: MD/CEO, Digital Jewels Ltd
• ED, Information Systems & E-business, Phillips Consulting Ltd
• GM, DSC.
• MIS Research Analyst. Lagos Business School
IT & Business Strategist, GRC & Project Mgt Practitioner
Strengthening IT Governance, Risk & Compliance across Africa…
#iSecureKenya
Outline
Setting the Context
The attackers perspective
Understanding the attackers mindset
How do we win?
Building a culture of Information Security
Next Steps/Conclusion
www.secureyourenvironment.com
https://appbugs-wp-static.s3.amazonaws.com/uploads/2017/01/top_cybersecurity_threats-2.png
Know the Attacker… (Sun Tzu)
2016 Trustwave Global Security Report: “Understanding the motivations and resources of professional cybercriminals is key to defending against them.”
Professional, organised, determined, innovative, meticulous in evolving techniques to remain steps ahead of targets.
Know the Attacker…
• Hackers: Build (authorised: check; authorised: exploitation)
• Crackers: Break (unauthorised: break)
Categorising Hackers by Stereotype (Black Hat Actor: Example; Motive; Actions)
• Script Kiddie: e.g. Tinkerers. Motive: Curiosity. Actions: very loud, no specific targets and lots of attempts.
• Malicious Insider: e.g. Work force or ex-staff. Motive: Revenge. Actions: stealing information / wreaking havoc with internal systems.
• Activist: e.g. Snowden / Niger Hacktivist. Motive: Revelation. Actions: revealing trade secrets / bringing light to a cause.
• Spy: e.g. Nation States. Motive: Espionage. Actions: better understand your enemy or ally.
• Terrorist: e.g. Sony Hack. Motive: Destruction. Actions: infiltrate, discredit or destroy data/systems.
• Organised Crime: e.g. Russian Mob. Motive: Making Money. Actions: making money.
For example…
Factors that come to play…
• Persistence
• Skill
• Greed
• Stealth
• Motivation
Know the Attacker: Motivation
• Money e.g. Ransomware, PII theft
• Reputation “Bragging Rights”, Respect & Acknowledgement
Means/ Factors of Victimisation
• User illiteracy
• Deficient criminal cues
• Limited attention
• Inflated Trust
• Addiction potential
Fundamental Approaches
• Social Engineering
• Brute force
• Technical intrusion
Attack sources
• Internet security defects
• Misuse of legitimate tools
• Improper maintenance
• Ineffective security
• Inadequate detection systems
The Cyber Economics Challenge
Platform Convergence: Web, Cloud, Social, Mobile, IoT, …
+
Global data: expanding exponentially in
• Volume,
• Velocity,
• Variety and
• Complexity.
=
Security; Sharing
2 sides of the same coin: Technology and Economics
• Technology is about HOW attacks occur,
• Economics is about WHY attacks occur
Cyber Economics: the Why?
Attack Parameters
• Ease of Attack
• Impact of Attack
• Incentive to Attack
• Increased Difficulty in Defense
1,542% estimated ROI for exploit kit & ransomware schemes (2015 Trustwave Global Security Report)
2016 Trustwave Global Security Report
• Investigation across 17 countries
• Weak application security: 97% of applications tested had >=1 vulnerability; 10% of these were critical or high risk. Median number of vulnerabilities per application: 14.
• 60% of breaches targeted CHD (cardholder data)
• 59% of victims did not detect the breach themselves but through regulators, card brands & law enforcement
• Average time between intrusion & detection: 15 days for internally detected breaches, 168 days for externally detected/reported breaches
• Median time between detection & containment was 1 day for internally detected breaches, compared to 28 days for externally detected breaches
• Growth of Malware-as-a-service
Difficulties in Defending against Attacks
• Attack: Ease, Impact, Incentive
• Difficulty of detection.
• Perpetrators of cyber crime facing jail time is still the exception.
• Victims of cyber theft may not be aware of the loss (IP, confidential information, etc.) for years, or ever.
• No one is immune!
59% of victims did not detect the breach themselves but through regulators, card brands & law enforcement.
Average: 168 days to detect & 28 from intrusion to containment (external detection).
Cyber Economic Equation: Incentives Favour Attackers
Offence vs. Defence
The Target: Your Digital Crown Jewels?
• The most valuable asset of the 21st century company – Data
• Information is an asset which like other important business
assets, has value to an organization and consequently needs
to be suitably protected.
What are your Digital Crown Jewels?
• Intellectual property, Card Holder Data and confidential business information?
• One of the most serious, and hardest to quantify, components of cybercrime.
• Threat to IP has grown in the transition from tangible to intangible assets in a post-industrial, knowledge-worker society.
• More to gain by stealing intellectual property than several physical assets.
• Less effort, more reward.
How do we tip the Economics Equation in our favour?
• Enhance your CyberSecurity Posture to
• Increase the effort of the attacker
• Reduce the reward
How do you win?
Tip the Cyber Security Economics Equation in your favor by building a culture of Information Security
Levels: National; Institutional/Corporate; Individual/Professional
Dimensions: People; Process/Controls; Technology
• “Respondents are satisfied, but not overjoyed with security technology. Use of almost all security technologies increased…” CSI Annual Report 2009: Financial Fraud, Malware On The Increase
What is at risk?
• Reputation
• Finances
• Continuity
• …
People Competence: Look beneath the surface
• Knowledge, Skills, Behaviour
• Values, Potential, Motives
• Select for… / Train/Develop for…
• Functional Quotient / Competencies
• Personal qualities that form the foundation
Source: Thomas Int’l
People
Source: Apollo Education Group
Behavior... Why is it important?
• Your leadership style, communication style, and parenting style are heavily influenced by your personality style.
• How you communicate, build relationships, raise your kids, network at business meetings, and build teams all hinge on the interaction between your style and the style of the people with whom you interact.
• It’s about understanding
• who you are & what strengths you possess and
• placing yourself in situations that support you and your strengths.
• Understanding others: team & other stakeholders
• Well known personality profile tools
• DISC
• Myers-Briggs Type Indicator (MBTI©)
• …
But: You are only as strong as your weakest link!
The proverbial challenge
• How to inform, convince, influence (“sell”)
• the need for improving IS security practices
• Information Security can only work when senior management support it.
• They will support it only if they are convinced of its importance.
Setting the Tone at the TOP
Meeting the challenge: Motive, Opportunity & Means (MOM):
Motivation:
• What motivates our executives in decision making?
• What key concepts & terms do they use?
• What message do I need to be sending & how? FUD / Business Benefits / Competitive advantage
Opportunity:
• What opportunities are there to meet with, be heard by, or gain access to senior execs? E.g.
• Summaries of recent cybercrimes
• Induction programmes
• Management presentations
• Audits/auditors to reinforce the message
• Regulatory guidelines
• Relevant standards
Means:
• What creative ways are there to get the message heard by management?
• Compile links to current cyber crime cases
• Be innovative: videos, simulations, etc.
Creating the Human Firewall: Training, Education & Awareness
“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.” Kevin Mitnick
The need for Training, Education & Awareness
Education
• Imparting knowledge e.g. certification training
• Technical staff
Training
• How to e.g. new software application/ methodology
• IT staff, users
Awareness
• “Top of mind”/ Real & relevant
• All: Management, Third parties, users, etc
Benefits of the Human Firewall
• Avoidance of the direct and indirect costs associated with inappropriate employee behaviour
• Compliance with specific regulatory and/or legal issues associated with information security: due care and due diligence
• Benefiting from the intrinsic value of having a more security-savvy workforce
• Minimising security breaches arising from ignorance or malicious intent, which often hamper operations and affect operational efficiency
• Reducing the risk of costly information security incidents
The challenge is to build an enabling culture
• Legal & Regulatory Framework (standards, policies, procedures, rules, regulations): a framework of acceptable behavior
• Training & Awareness of the above by Mgt & Staff: knowledge of acceptable behavior
• Total commitment of Mgt & Staff: tone at the top & a desire towards acceptable behavior
= Secure Culture
Process/Controls
Best Practice: What does it offer?
• Can help address performance targets & conformance requirements in a single vehicle
• A continuous improvement approach: PDCA
• Periodic updates for currency
Myth… A well of collective wisdom
The Framework Forest
Categorising Frameworks/Standards
Governance: the umbrella
• ISO38500
• COBIT
Vision, Mission, Objectives, Strategy
• Business Strategy Frameworks
• Balanced Scorecard
Risk & Compliance
• ISO38500
• COSO
• COBIT
• ISO27001
• PCIDSS
IT Strategy/Architecture
• (IT) Balanced Scorecard
• TOGAF
Project/Change Mgt
• PRINCE2/PMBOK
• M_O_R, MSP
• COBIT
• CMMI
Balance Sheet
• ISO38500
Operations/Service Delivery & Mgt
• ISO27001/20000
• BS25999
• ITIL
• 6Sigma
Associated Standards/Frameworks
Information Security
• PCIDSS
• ISO27001
• ISO22301
• ISO31000
Business Continuity
• ISO22301
• BS OHSAS 18000
• ISO27001
• Data Centre Tiers
ITSM
• ITIL
• COBIT
• ISO20000
• CMMI
GRC
• COBIT
• COSO
• CMMI
• ISO15504
• ISO38500
• TOGAF
Project/Change/People Mgt
• PRINCE2
• PMP
• ISO 21500
• COBIT
• SFIA
Unbundling the Standards & Framework Forest
Standards with Certification
• PCIDSS v3
• ISO27001: 2013
• ISO20000: 2011
• ISO22301: 2011
• BS OHSAS (18000) - ISO 45001
• Data Centre Tier 3/4
• ISO 15504: 2013
Standards yet to be Certifiable
• ISO8583
• ISO20022
• ISO38500: 2015
• ISO31000
Frameworks/Methodologies
• COBIT 5
• COSO
• PRINCE2
• PMBoK
• TOGAF
• CMMi
• SFIA
• XBRL
The Role of Standards…
Standards help to develop a framework of acceptable behavior, a common language, process predictability & maturity
• Make the protection of corporate information assets “the law”. Make adherence to policy and standards a condition of employment. Policy, standards, and procedures must become part of a corporations living structure, not just a policy development effort.
Best Practice: Making it work for you
1. Do your homework: Select the right standard/framework/methodology
2. Secure & sustain top management buy in
3. Measure to Manage
4. Tailor & Customise
5. Train to Minimize Culture Shock & Resistance
6. Manage the Change: Communicate, take a participative approach
As a case study
The Nigerian Dimension…
CBN Standards Roadmap (June 2013)
Priority 1 Standards:
• Service Management
• Interfaces
• IT Security
• Application Reporting
Priority 2 Standards:
• IT Governance
• Strategic Alignment
• Project Management
• Work and Resource
Management
Priority 3 Standards:
• Data Centre
• Business Continuity
Management
• Enterprise Architecture
• OHAS Management
CBN IT Standards Roadmap (April 2015)
[Chart: Global Best Practice Standard Certification Status (Nigeria), May 2017. Vertical axis 0 to 30; bars for PCIDSS (Payment Card Industry Data Security Standard), ISO27001 (Information Security Mgt System), ISO22301 (Business Continuity Mgt System) and ISO20000 (IT Service Management); series: Certified, In progress.]
[Chart: Global Best Practice Standard Certification Status (Banks Only), May 2017. Vertical axis 0 to 25; bars for PCIDSS (Payment Card Industry Data Security Standard), ISO27001 (Information Security Mgt System), ISO22301 (Business Continuity Mgt System) and ISO20000 (IT Service Mgt System); series: Certified, In progress.]
Data Centre Tiers
Impact
• Critical mass of certified organisations permeating the entire e-payments value chain
• High numbers of certified specialists in global best practice standards
• Significant deployment of world class technology
• High levels of awareness
• Development of shared service models
• Private sector more impacted
Nigeria Cyber Crime Bill 2015
Objectives
• Provide an effective & unified legal framework to combat cybercrime in Nigeria
• Promote cyber security & protect systems, electronic communication, data, IP & privacy rights
• Ensure protection of Critical National Information Infrastructure
As a case study: GHANA
Defence in Depth: A layered approach to Information Security
• People
• Process
• Tech
How do we tip the Economics Equation in our favour?
• Understand the attacker: mindset, tools, techniques, resources
• Enhance your CyberSecurity Posture to
• Increase the effort of the attacker
• Reduce the reward
How do you win? A holistic approach
Levels: National; Institutional/Corporate; Individual/Professional
Dimensions: People; Process/Controls; Tech
Key References
• 2015 & 2016 Trustwave Global Security Reports
• Building the High Performance Information Security Team. CEB Information Risk Leadership Council
• Competency Models for Enterprise & Cyber Security. Apollo Education Group
• Understanding the Hackers Mind: a psychological insight into the hacking of identities. Danube University
• Psychology and the Hacker: Psychological Incident Handling. SANS Institute InfoSec Reading Room
• Security Industry Survey of Risks & Professional Competencies. UOPX-ASIS Security Report
• The Global State of Information Security Survey 2016