ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
Transcript of ELITE.BCS-Cloud-and-Mobile-Risk-Assessments

Slide 1
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments

Slide 2
THANK YOU FOR INVITING ME
MANCHESTER BCS ELITE GROUP JULY 10TH 2014

Slide 3
YOUR SPEAKER – JAMES MCKINLAY
• 2014 HEAD OF INFORMATION SECURITY, DATA PROTECTION AND PCIDSS – ATOS WORLDLINE
• 2014 CISO LEVEL SECURITY, RISK & COMPLIANCE CONSULTANCY ACROSS EUROPE
• 2013 INFORMATION SECURITY MANAGER AT WALMART FOR ASDA & GEORGE (LEVEL ONE MERCHANT)
• 2011 - 2013 INFORMATION SECURITY MANAGER, MANCHESTER AIRPORTS GROUP (LEVEL THREE MERCHANT)
• 2006 - 2011 PCIDSS COMPLIANCE, HOMELOAN MANAGEMENT LIMITED (LEVEL ONE SERVICE PROVIDER)
• 2006 ECOMMERCE SECURITY – THOMAS COOK SCHEDULED BUSINESS

Slide 4
EXEC SUMMARY
• UNDERSTAND YOUR FORMAL RISK ASSESSMENT AND RISK ACCEPTANCE PROCEDURES
• KEEP UP TO DATE WITH CHANGING THREATS (INTERNAL AND EXTERNAL)
• UPDATE YOUR INCIDENT RESPONSE PROCEDURES TO INCLUDE ANY NEW POSITIONS YOU ADOPT
Hope for the best – Plan for the worst

Slide 5
BEFORE WE BEGIN

Slide 6
WHAT DO I MEAN BY . . . .
• INFOSEC RISK ASSESSMENT
• MOBILE WORKFORCE RISK
• MOBILE APP RISK
• CLOUD VPC RISK
• CLOUD PUBLIC SERVICE RISK

Slide 7
INFOSEC RISK ASSESSMENT
• IS USUALLY DIFFERENT TO THE CORPORATE RISK REGISTER
• CAN BE BESPOKE OR FOLLOW A RECOGNISED METHOD
• CAN ALREADY BE PART OF YOUR INFORMATION SECURITY MANAGEMENT STRATEGY
• MIGHT WANT TO CONSIDER USING THE SAME OUTPUT “SCALES” (5X5)

Slide 8
RMF – PROCESS DRIVEN METHODOLOGIES
• NIST / OCTAVE ALLEGRO / HMG-IS1 / FAIR / ISO27005 / STRIDE

Slide 9
THE TECHNICAL RISK ASSESSMENT
• PATTERNS FROM OPEN SECURITY ARCHITECTURE (OSA)
• TRA/RAR TEMPLATE
• HTTP://CSRC.NIST.GOV/GROUPS/SMA/FASP/DOCUMENTS/RISK_MGMT/RAR_TEMPLATE_07112007.DO
• HTTP://WWW.OPENSECURITYARCHITECTURE.ORG/CMS/LIBRARY/PATTERNLANDSCAPE/262-PDF-TEST-PATTERN

Slide 10
TRA EXAMPLE

Slide 11
IS THE CIA ENOUGH?

Slide 12
GOVERNANCE RISK & COMPLIANCE IN INFOSEC
• ARCHER
• RIVOSOFTWARE
• CURASOFTWARE
• SURECLOUD
• HITECLABS/TENRISK
• WCK (TECHARBOUR)

Slide 13
WHAT DO I MEAN BY . . . .
• INFOSEC RISK ASSESSMENT
• MOBILE WORKFORCE RISK
• MOBILE APP RISK
• CLOUD VPC RISK
• CLOUD PUBLIC SERVICE RISK

Slide 14
CASE STUDY : ASDA STORE MANAGERS
• WANT ACCESS TO SENSITIVE COMPANY DATA FROM A COMPANY OWNED MOBILE DEVICE
• ALLOW STORE MANAGERS TO TAKE THE DEVICE HOME
• PHASE 1 – USE THE MOBILE PROVIDER'S NETWORK
• PHASE 2 – USE IN-STORE WIFI

Slide 15
THINGS TO CONSIDER
• DEVICE CHOICE (IPAD –V- ANDROID TABLET)
• PROTECT FROM DAMAGE
• LOGISTICS (DELIVER DEVICE – DELIVER LOGIN DETAILS)
• SERVICE DESK / SUPPORT – NEW PROCEDURES, NEW EXPERIENCE
• MDM / SANDBOX – ESSENTIAL, NOT FOOLPROOF!!!
• MOBILE DEVICES NOT DESIGNED WITH MULTI USER SECURITY IN MIND (APPLE OWNER IS KING)

Slide 16
MORE THINGS TO CONSIDER
• HACKERS CAN BEAT MDM ENCRYPTION CONTAINERS – BLACKHAT EUROPE CONFERENCE
• HACKERS CAN BEAT VENDOR SECURITY – IOS8 JAILBREAKS ALREADY AVAILABLE
• HACKERS CAN ESCAPE FROM BROWSERS (SAFARI MOBILE)
• SECURITY AWARENESS OF USERS
• VALUE OF DATA IN THE WRONG HANDS
• NEW ATTACKS BEING THOUGHT UP ALL THE TIME – SEPTEMBER 2014 EXPECT TO SEE ATTACKS ON TELECOMS INFRASTRUCTURE
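Slide 7 suggests reusing a 5x5 output scale, and the two mobile slides above list threats that an MDM container only partly mitigates. The following is an added example, not the speaker's material: a small 5x5 likelihood-by-impact scoring pass that records inherent and residual scores and applies a risk-acceptance threshold. All band limits, scores and control values are constructed assumptions for the ASDA-style case, not figures from the talk.

```python
# Added example (not from the slides): 5x5 risk scoring with inherent/residual
# scores and a formal acceptance threshold, applied to mobile-workforce threats.
from dataclasses import dataclass, field

# Upper bound of score -> band label. Score = likelihood * impact, each 1..5.
BANDS = ((4, "Low"), (9, "Medium"), (14, "High"), (25, "Critical"))
ACCEPT_AT_OR_BELOW = 6  # assumed risk appetite; above this the risk needs treatment


@dataclass
class Risk:
    threat: str
    likelihood: int  # 1..5 inherent likelihood, before controls
    impact: int      # 1..5 impact if the threat is realised
    controls: dict = field(default_factory=dict)  # control -> likelihood reduction


def score(likelihood, impact):
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def band(s):
    return next(label for upper, label in BANDS if s <= upper)


def assess(risk, threshold=ACCEPT_AT_OR_BELOW):
    inherent = score(risk.likelihood, risk.impact)
    # Controls lower likelihood only; the value of the data in the wrong hands
    # is unchanged, which is why MDM is "essential, not foolproof".
    residual_l = max(1, risk.likelihood - sum(risk.controls.values()))
    residual = score(residual_l, risk.impact)
    return {
        "threat": risk.threat,
        "inherent": (inherent, band(inherent)),
        "residual": (residual, band(residual)),
        "decision": "accept" if residual <= threshold else "treat further",
    }


# Constructed register for a company-owned tablet that managers take home.
REGISTER = [
    Risk("Lost/stolen device, MDM container bypassed", 4, 5, {"MDM + sandbox": 2, "remote wipe": 1}),
    Risk("Jailbroken device defeats vendor controls", 3, 4, {"MDM jailbreak detection": 1}),
    Risk("Browser escape from mobile Safari", 2, 4, {}),
    Risk("User shares login details", 3, 3, {"awareness training": 1}),
]

if __name__ == "__main__":
    for row in map(assess, REGISTER):
        print(row)
```

Risks left at "treat further" are the ones that still exceed appetite after the listed controls, so they need either another control or a documented acceptance by the risk owner.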

Slide 17
WHAT DO I MEAN BY . . . .
• INFOSEC RISK ASSESSMENT
• MOBILE WORKFORCE RISK
• MOBILE APP RISK
• CLOUD VPC RISK
• CLOUD PUBLIC SERVICE RISK

Slide 18
DUTY OF CARE?
• LOOK AFTER CUSTOMER DETAILS
• NO EXCESSIVE LOGGING
• DO NOT GIVE ATTACKERS AN EASY EXPLOIT

Slide 19
WATCH FOR LEAKS
https://www.owasp.org/images/9/94/MobileTopTen.pdf

Slide 20
EXAMPLES ARE EVERYWHERE

Slide 21
CALL THE (LOCAL) PROFESSIONALS
www.pentest.co.uk
www.mdsec.co.uk

Slide 22
FOOD FOR THOUGHT . . . .
• AMONG THE MOST SIGNIFICANT SECURITY RISKS ASSOCIATED WITH CLOUD COMPUTING IS THE TENDENCY TO BYPASS INFORMATION TECHNOLOGY (IT) DEPARTMENTS AND INFORMATION OFFICERS. ALTHOUGH SHIFTING TO CLOUD TECHNOLOGIES EXCLUSIVELY IS AFFORDABLE AND FAST, DOING SO UNDERMINES IMPORTANT BUSINESS-LEVEL SECURITY POLICIES, PROCESSES, AND BEST PRACTICES. IN THE ABSENCE OF THESE STANDARDS, BUSINESSES ARE VULNERABLE TO SECURITY BREACHES THAT CAN QUICKLY ERASE ANY GAINS MADE BY THE SWITCH TO SAAS.

Slide 23
WHAT DO I MEAN BY . . . .
• INFOSEC RISK ASSESSMENT
• MOBILE WORKFORCE RISK
• MOBILE APP RISK
• CLOUD VPC RISK
• CLOUD PUBLIC SERVICE RISK

Slide 24
ARE YOU READY TO MOVE TO THE CLOUD?
Amazon
Microsoft
Rackspace
Pro-Act
Exponential-e

Slide 25
ARE YOUR SECURITY TEAM?
Jericho Forum -> CSA
Data Breaches
Data Loss
Account Hijacking
Insecure APIs
Denial of Service
Malicious Insiders
Abuse of Services
Insufficient Due Diligence
Shared Technology Vulnerabilities

Slide 26
THE VENDORS WANT TO HELP

Slide 27
BUT THAT IS NOT ENOUGH
• NEED TO UNDERSTAND HOW VPC EXTENDS YOUR ENVIRONMENT AND HOW THAT WILL WORK WITH YOUR ISMS AND IS POLICIES.
• LOGICAL ACCESS POLICY
• INFORMATION SECURITY ASSET REGISTER
• PASSWORD POLICY
• CRYPTOGRAPHY POLICY
• THIRD PARTY SUPPLIER MANAGEMENT
• BACKUP AND RESTORE POLICY & PROCEDURES
• INCIDENT RESPONSE POLICY AND PROCEDURES

Slide 28
CASE STUDY : REPLACE THE SERVER ROOM
• VPN TO PRIVATE CLOUD
• GOOD STARTERS, LEAVERS, MOVERS PROCESS
• GOOD CHANGE MANAGEMENT PROCESS
• ENCRYPTING DATA AT REST AND DATA IN TRANSIT
• CENTRALISED LOG SHIPPING AND SIEM/CORRELATION/ALERTING
• SRC/DST FIREWALL RULES ACROSS EVERY SUBNET

Slide 29
WHAT DO I MEAN BY . . . .
• INFOSEC RISK ASSESSMENT
• MOBILE WORKFORCE RISK
• MOBILE APP RISK
• CLOUD VPC RISK
• CLOUD PUBLIC SERVICE RISK

Slide 30
DATA GETS EVERYWHERE
• GOOGLE DRIVE, ONEDRIVE
• EVERNOTE
• GMAIL, HOTMAIL
• SKYPE, YOUTUBE, SOUNDCLOUD
• MOZY BACKUPS, SALESFORCE.COM, OFFICE365, APPLE ICLOUD

Slide 31
DLP IN WEB CHANNELS

Slide 32
MSSP – MANAGED SECURITY SERVICE PROVIDERS
• LOG MONITORING IN THE CLOUD
• SOC / CIRT OUTSOURCING
• THREAT INTELLIGENCE IN THE CLOUD
• VULNERABILITY MANAGEMENT IN THE CLOUD
• WHAT ABOUT VOIP IN THE CLOUD?

Slide 33
WHERE DO THEY COME FROM . . . .
• EVOLVING THREAT LANDSCAPE

Slide 34
STAY UP TO DATE
• IMPORTANT FOR YOUR INFORMATION SECURITY STAFF TO STAY UP TO DATE
• UNDERSTAND THE REAL RISKS
• THREAT INTELLIGENCE
• INDUSTRY DISCUSSIONS AND NETWORKING
• BACKGROUND READING

Slide 35
THREAT INTELLIGENCE

Slide 36
DON’T FORGET TO AUDIT

Slide 37
BACKGROUND READING: BOOKS

Slide 38
DEEPER DIVE : BOOKS

Slide 39
YOU CAN’T HOLD BACK THE TIDE
• ACCENTURE-TECNOLOGY-VISION-2014.PDF

Slide 40
• FIND ME ON LINKEDIN
• UK.LINKEDIN.COM/PUB/JAMES-MCKINLAY/16/A42/206/
TIME IS PRECIOUS – THANK YOU FOR YOURS