ELITE.BCS-Cloud-and-Mobile-Risk-Assessments

Description: Slide deck for BCS Elite Manchester, July 2014

Transcript of ELITE.BCS-Cloud-and-Mobile-Risk-Assessments

Page 1: ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
Page 2

THANK YOU FOR INVITING ME

MANCHESTER BCS ELITE GROUP JULY 10TH 2014

Page 3

YOUR SPEAKER – JAMES MCKINLAY

• 2014 HEAD OF INFORMATION SECURITY, DATA PROTECTION AND PCI DSS – ATOS WORLDLINE

• 2014 CISO LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE

• 2013 INFORMATION SECURITY MANAGER AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT)

• 2011 - 2013 INFORMATION SECURITY MANAGER MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT)

• 2006-2011 PCI DSS COMPLIANCE HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER)

• 2006 ECOMMERCE SECURITY– THOMAS COOK SCHEDULED BUSINESS

Page 4

EXEC SUMMARY

• UNDERSTAND YOUR FORMAL RISK ASSESSMENT AND RISK ACCEPTANCE PROCEDURES

• KEEP UP TO DATE WITH CHANGING THREATS (INTERNAL AND EXTERNAL)

• UPDATE YOUR INCIDENT RESPONSE PROCEDURES TO INCLUDE ANY NEW POSITIONS YOU ADOPT

Hope for the best – Plan for the worst

Page 5

BEFORE WE BEGIN

Page 6

WHAT DO I MEAN BY . . . .

•INFOSEC RISK ASSESSMENT

•MOBILE WORKFORCE RISK

•MOBILE APP RISK

•CLOUD VPC RISK

•CLOUD PUBLIC SERVICE RISK

Page 7

INFOSEC RISK ASSESSMENT

• IS USUALLY DIFFERENT TO THE CORPORATE RISK REGISTER

• CAN BE BESPOKE OR FOLLOW A RECOGNISED METHOD

• CAN ALREADY BE PART OF YOUR INFORMATION SECURITY MANAGEMENT STRATEGY

• MIGHT WANT TO CONSIDER USING THE SAME OUTPUT “SCALES” (5X5 LIKELIHOOD X IMPACT) AS THE CORPORATE REGISTER, SO THE TWO CAN BE COMPARED

Page 8

RMF – PROCESS DRIVEN METHODOLOGIES

• NIST / OCTAVE ALLEGRO / HMG-IS1 / FAIR / ISO27005 / STRIDE

Page 9

THE TECHNICAL RISK ASSESSMENT

• PATTERNS FROM OPEN SECURITY ARCHITECTURE (OSA)

• TRA / RAR (RISK ASSESSMENT REPORT) TEMPLATE FROM THE NIST FASP LIBRARY

• HTTP://CSRC.NIST.GOV/GROUPS/SMA/FASP/DOCUMENTS/RISK_MGMT/RAR_TEMPLATE_07112007.DO

• HTTP://WWW.OPENSECURITYARCHITECTURE.ORG/CMS/LIBRARY/PATTERNLANDSCAPE/262-PDF-TEST-PATTERN

Page 10

TRA EXAMPLE

Page 11

IS THE CIA TRIAD (CONFIDENTIALITY, INTEGRITY, AVAILABILITY) ENOUGH?

Page 12

GOVERNANCE RISK & COMPLIANCE IN INFOSEC

• ARCHER

• RIVO SOFTWARE

• CURA SOFTWARE

• SURECLOUD

• HITECLABS/TENRISK

• WCK (TECHARBOUR)

Page 13

WHAT DO I MEAN BY . . . .

•MOBILE WORKFORCE RISK

Page 14

CASE STUDY : ASDA STORE MANAGERS

• WANT ACCESS TO SENSITIVE COMPANY DATA FROM A COMPANY-OWNED MOBILE DEVICE

• ALLOW STORE MANAGERS TO TAKE THE DEVICE HOME

• PHASE 1 – USE THE MOBILE PROVIDER’S NETWORK

• PHASE 2 – USE IN-STORE WIFI

Page 15

THINGS TO CONSIDER

• DEVICE CHOICE (IPAD –V- ANDROID TABLET)

• PROTECT FROM DAMAGE

• LOGISTICS (DELIVERING THE DEVICE – DELIVERING THE LOGIN DETAILS)

• SERVICE DESK / SUPPORT – NEW PROCEDURES, NEW EXPERIENCE

• MDM / SANDBOX – ESSENTIAL, NOT FOOLPROOF!

• MOBILE DEVICES ARE NOT DESIGNED WITH MULTI-USER SECURITY IN MIND (ON APPLE DEVICES THE OWNER IS KING)

Page 16

MORE THINGS TO CONSIDER

• HACKERS CAN BEAT MDM ENCRYPTION CONTAINERS – BLACK HAT EUROPE CONFERENCE

• HACKERS CAN BEAT VENDOR SECURITY – IOS 8 JAILBREAKS ALREADY AVAILABLE

• HACKERS CAN ESCAPE FROM BROWSERS (MOBILE SAFARI)

• SECURITY AWARENESS OF USERS

• VALUE OF THE DATA IN THE WRONG HANDS

• NEW ATTACKS ARE BEING THOUGHT UP ALL THE TIME – SEPTEMBER 2014: EXPECT TO SEE ATTACKS ON TELECOMS INFRASTRUCTURE

Page 17

WHAT DO I MEAN BY . . . .

•MOBILE APP RISK

Page 18

DUTY OF CARE?

• LOOK AFTER CUSTOMER DETAILS

• NO EXCESSIVE LOGGING

• DO NOT GIVE ATTACKERS AN EASY EXPLOIT

Page 19

WATCH FOR LEAKS

https://www.owasp.org/images/9/94/MobileTopTen.pdf
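The "no excessive logging" and "watch for leaks" points above, as an added example that is not part of the original deck: a small Python log sanitiser that runs over each line before it is written or shipped. It masks any Luhn-valid card number to the first six and last four digits (the PCI DSS truncation rule), leaves long digit runs that fail the Luhn check alone (order references, for instance), and redacts CVV and token-style fields. The sample log lines are constructed for this example, and the field names (pan, cvv, token) are assumptions; adjust the patterns to your own log schema.

```python
import re

# Constructed sample lines (not from the original deck) of the kind an app or
# its backend writes when logging is not curtailed: a full PAN, a CVV, an
# order number that merely looks like a card number, and a session token.
SAMPLE_LOG_LINES = [
    "2014-07-10 09:14:02 INFO checkout user=jsmith pan=4111111111111111 exp=12/16 cvv=123",
    '2014-07-10 09:14:03 DEBUG request body: {"card":"4111-1111-1111-1111","amount":"19.99"}',
    "2014-07-10 09:14:05 INFO order 1234567890123 confirmed for jsmith@example.com",
    "2014-07-10 09:14:06 INFO session token=eyJhbGciOiJIUzI1NiJ9.e30.abc123",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# adjacent to other digits. Timestamps and short IDs never reach 13 digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names below are assumptions for the example; adjust to your log schema.
CVV_FIELD = re.compile(r"(?i)\b(cvv2|cvv|cvc)\s*[=:]\s*\d{3,4}")
SECRET_FIELD = re.compile(r"(?i)\b(token|password|passwd|authorization)\s*[=:]\s*\S+")


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match: "re.Match[str]") -> str:
    """Keep first six and last four digits (PCI DSS truncation), mask the rest."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_valid(digits):
        return raw  # not a card number (e.g. an order reference): leave untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitise(line: str) -> str:
    """Apply every redaction to one log line before it is written or shipped."""
    line = PAN_CANDIDATE.sub(mask_pan, line)
    line = CVV_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    line = SECRET_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return line


def sanitise_all(lines):
    """Sanitise a batch of lines, preserving order."""
    return [sanitise(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG_LINES, sanitise_all(SAMPLE_LOG_LINES)):
        print("RAW :", before)
        print("SAFE:", after)
```

The Luhn check is what stops the sanitiser from mangling every 13-to-19-digit reference in the log; the regex alone would match the order number on the third line. Note that a hyphenated card number is written back without its separators, since only the digits are kept.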

Page 20

EXAMPLES ARE EVERYWHERE

Page 21

CALL THE (LOCAL) PROFESSIONALS

www.pentest.co.uk www.mdsec.co.uk

Page 22

FOOD FOR THOUGHT . . . .

• AMONG THE MOST SIGNIFICANT SECURITY RISKS ASSOCIATED WITH CLOUD COMPUTING IS THE TENDENCY TO BYPASS INFORMATION TECHNOLOGY (IT) DEPARTMENTS AND INFORMATION OFFICERS. ALTHOUGH SHIFTING TO CLOUD TECHNOLOGIES EXCLUSIVELY IS AFFORDABLE AND FAST, DOING SO UNDERMINES IMPORTANT BUSINESS-LEVEL SECURITY POLICIES, PROCESSES, AND BEST PRACTICES. IN THE ABSENCE OF THESE STANDARDS, BUSINESSES ARE VULNERABLE TO SECURITY BREACHES THAT CAN QUICKLY ERASE ANY GAINS MADE BY THE SWITCH TO SAAS.

Page 23

WHAT DO I MEAN BY . . . .

•CLOUD VPC RISK

Page 24

ARE YOU READY TO MOVE TO THE CLOUD?

Amazon

Microsoft

Rackspace

Pro-Act

Exponential-e

Page 25

ARE YOUR SECURITY TEAM?

Jericho Forum -> CSA (Cloud Security Alliance) – the “Notorious Nine” cloud threats:

Data Breaches

Data Loss

Account Hijacking

Insecure APIs

Denial of Service

Malicious Insiders

Abuse of services

Insufficient Due Diligence

Shared Technology Vulnerabilities

Page 26

THE VENDORS WANT TO HELP

Page 27

BUT THAT IS NOT ENOUGH –

• NEED TO UNDERSTAND HOW THE VPC EXTENDS YOUR ENVIRONMENT AND HOW THAT WILL WORK WITH YOUR ISMS AND IS POLICIES:

• LOGICAL ACCESS POLICY

• INFORMATION SECURITY ASSET REGISTER

• PASSWORD POLICY

• CRYPTOGRAPHY POLICY

• THIRD PARTY SUPPLIER MANAGEMENT

• BACKUP AND RESTORE POLICY & PROCEDURES

• INCIDENT RESPONSE POLICY AND PROCEDURES

Page 28

CASE STUDY : REPLACE THE SERVER ROOM

• VPN TO PRIVATE CLOUD

• GOOD STARTERS / LEAVERS / MOVERS (JML) PROCESS

• GOOD CHANGE MANAGEMENT PROCESS

• ENCRYPTING DATA AT REST AND DATA IN TRANSIT

• CENTRALISED LOG SHIPPING AND SIEM/CORRELATION/ALERTING

• SRC/DST FIREWALL RULES ACROSS EVERY SUBNET
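The case study's log shipping, SIEM correlation and starters/leavers controls, as an added example that is not from the deck: a small Python correlation pass over constructed VPN and jump-host authentication events, of the kind a central collector would receive. The event format, the leavers list and the admin source range are all assumptions made for this example. It raises three kinds of alert: a successful login by an account on the leavers list (the JML process has not caught up with revocation), a success preceded by a burst of failures from the same source, and admin access to the jump host from outside the expected range (traffic the per-subnet firewall rules should have blocked).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style authentication events (not from the deck) as shipped
# from a VPN concentrator (vpn01) and a jump host (jump01) to a central collector.
SAMPLE_EVENTS = [
    "2014-07-10T08:01:10Z vpn01 auth user=alice src=203.0.113.10 result=success",
    "2014-07-10T08:02:05Z vpn01 auth user=bob src=198.51.100.7 result=failure",
    "2014-07-10T08:02:09Z vpn01 auth user=bob src=198.51.100.7 result=failure",
    "2014-07-10T08:02:14Z vpn01 auth user=bob src=198.51.100.7 result=failure",
    "2014-07-10T08:02:20Z vpn01 auth user=bob src=198.51.100.7 result=failure",
    "2014-07-10T08:02:26Z vpn01 auth user=bob src=198.51.100.7 result=failure",
    "2014-07-10T08:02:40Z vpn01 auth user=bob src=198.51.100.7 result=success",
    "2014-07-10T08:15:00Z vpn01 auth user=carol src=203.0.113.44 result=success",
    "2014-07-10T09:00:00Z jump01 auth user=dave src=10.20.30.40 result=success",
    "2014-07-10T09:05:00Z jump01 auth user=erin src=203.0.113.99 result=success",
]

# Assumed feed from the starters/leavers/movers process: accounts HR has marked
# as left. A successful login by one of these means revocation has lagged.
LEAVERS = {"carol"}

# Assumed policy: the jump host may only be reached from the VPN-assigned range.
ADMIN_HOSTS = {"jump01"}
ADMIN_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_event(line):
    """Parse one shipped line into a dict, or None if it is not an auth event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def from_allowed_source(src, allowed=ADMIN_SOURCES):
    """True if the source address falls inside one of the permitted ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def correlate(lines, leavers=LEAVERS, fail_threshold=5, window=timedelta(minutes=2)):
    """Return (rule, user, src, timestamp) alerts in event order."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> failure timestamps in the window
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            # keep only failures inside the sliding window, then record this one
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
            failures[key].append(ev["ts"])
            continue
        # successful authentication: evaluate each rule
        if ev["user"] in leavers:
            alerts.append(("LEAVER_LOGIN", ev["user"], ev["src"], ev["ts"]))
        recent = [t for t in failures.pop(key, []) if ev["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append(("BRUTE_FORCE_SUCCESS", ev["user"], ev["src"], ev["ts"]))
        if ev["host"] in ADMIN_HOSTS and not from_allowed_source(ev["src"]):
            alerts.append(("ADMIN_UNTRUSTED_SOURCE", ev["user"], ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, src, ts in correlate(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {rule:24} user={user} src={src}")
```

On the sample events this yields three alerts: bob's success after five failures inside the two-minute window, carol logging in while on the leavers list, and erin reaching the jump host from an address outside 10.20.0.0/16. The leavers feed is the piece that ties the SIEM back to the JML process; without it the carol login looks like any other success.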

Page 29

WHAT DO I MEAN BY . . . .

•CLOUD PUBLIC SERVICE RISK

Page 30

DATA GETS EVERYWHERE

• GOOGLE DRIVE , ONEDRIVE

• EVERNOTE

• GMAIL, HOTMAIL

• SKYPE, YOUTUBE, SOUNDCLOUD

• MOZY BACKUPS, SALESFORCE.COM, OFFICE 365, APPLE ICLOUD

Page 31

DLP IN WEB CHANNELS

Page 32

MSSP MANAGED SECURITY SERVICE PROVIDERS

• LOG MONITORING IN THE CLOUD

• SOC / CIRT OUTSOURCING

• THREAT INTELLIGENCE IN THE CLOUD

• VULNERABILITY MANAGEMENT IN THE CLOUD

• WHAT ABOUT VOIP IN THE CLOUD?

Page 33

WHERE DO THEY COME FROM . . . .

•EVOLVING THREAT LANDSCAPE

Page 34

STAY UP TO DATE

• IMPORTANT FOR YOUR INFORMATION SECURITY STAFF TO STAY UP TO DATE

• UNDERSTAND THE REAL RISKS

• THREAT INTELLIGENCE

• INDUSTRY DISCUSSIONS AND NETWORKING

• BACKGROUND READING

Page 35

THREAT INTELLIGENCE

Page 36

DON’T FORGET TO AUDIT

Page 37

BACKGROUND READING: BOOKS

Page 38

DEEPER DIVE : BOOKS

Page 39

YOU CAN’T HOLD BACK THE TIDE

• ACCENTURE-TECHNOLOGY-VISION-2014.PDF