Keynote address, Qubic Conference, 2019/03/14
Mitigating the Financial Impact of a Cyberattack
Keynote address
John Frost, Head of Business Continuity, Marks & Spencer Group plc
Mitigating the Impact of a Cyber Attack
People
Property
Brand
Profit
Qubic Conference Thursday 14th March
BUSINESS RESILIENCE
SESSION OBJECTIVES
1. Group Business Continuity Programme Overview – How it aligns with and assists Cyber Security
• Group Incident Reporting
• Group Crisis Management
• Group Business Recovery
• KHRE Procedures
• IT Heatmapping
2. The need for Collaboration – “The Human Factor”
• My Safety Channel
• My Safety App
• Exercising, Testing & Assurance – Global Minimum Standards
3. Measuring the Success – Winning Together
• Reporting Metrics & ROI
• Campaign Metrics
And finally, Success, Learnings & Opportunities: a chance to be honest about the things that went well and not so well along the way…
THE M&S RESILIENCE CHALLENGE
• 16 UK Distribution Centres
• 8 International Hubs
• 10 Sourcing Offices
• 5 UK Offices
• 3 International Offices
• 1000+ Stores Worldwide
• 46 Operational Countries
• 75% of all invocations are Cyber/Data related
THE INDUSTRY RESILIENCE CHALLENGE
• Sept 2018: 380,000 customers affected
• May 2017: 40 hospitals affected across 24 trusts
• June 2018: 40,000 customers affected
• April 2017: 250,000 customers affected
• Jan 2017: Loss of 2.5m from 9,000 accounts
• August 2017: Up to loss of $300 in revenue
• Sept 2017: Parsons Green attempted bombing
• May 2017: Manchester Arena terrorist attack
• March 2017: Westminster Bridge terrorist attack
• June 2017: London Bridge attack
CONDUCTORS OF RESILIENCE
Group Business Continuity Programme
CRISIS MANAGEMENT VALUES
The need for Collaboration
CONDUCTOR OF RESILIENCE
Background
• Perception - Boring, Dry, Grey
• Hard/Harsh message to deliver
• The island nobody really wants to visit
Purpose
• Soften the message
• Create an identifiable brand
• Tell a story
• Provide a service
Benefit
• Significant increase in engagement
• Stakeholder belief/buy in/integrity
• Brand identity/trust
• Protect the organisation
• Speed & agility
Paperless Resilience – The need to go Digital
RESILIENCE PROGRAMME – SOCIETAL DEMANDS
WHY CHANGE – BUSINESS DEMANDS
Questions that we could/should all consider:
• Readership/Version control
  o How many people printed the plan?
  o How many people read it?
  o Do they have the right version?
  o Who is required to carry a version?
  o How do we measure that they are doing it?
  o The car boot analogy
• Which page is it on…
• Which section is it in…
• The data stick approach…
• Just tell me what to do…
• I left it on a train, plane or at the hotel
URIM APP
Measuring Programme Success
CHALLENGES/THINGS TO CONSIDER
• How do we move the industry forward together
• Do we believe in organisational resilience – Together we are stronger
• Can BC/Cyber be the conductor in your organisation
• Do you believe in the digital journey – It’s happening all around us
• How do you bring it to life – “The Human Factor”
• How does BC/Cyber add everyday value in our organisations
• Can BC/Cyber be a service proposition
• If we don’t diversify we will die…
Don’t get letter-bombed
An unprotected email inbox is an open invitation for hackers, phishers, ransom-holders, spyware and worms.
Scott Jenner, Sales Engineer, Mimecast
Clouded judgment?
Rob Hale, Amazon Web Services
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security, Identity, and Compliance: An Overview
March 2018
Rob Hale, Cyber Security Segment Leader, EMEA
Why is security traditionally so hard?
Lack of visibility
Low degree of automation
Before… Move fast OR Stay secure
Now… Move fast AND Stay secure
The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform
genomic analysis and clinical studies in a secure and compliant
environment at a scale not previously possible.”
— Richard Daly, CEO DNAnexus
“The fact that we can rely on the AWS security posture to boost our
own security is really important for our business. AWS does a much
better job at security than we could ever do running a cage in a data
center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises data
center across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
Move to AWS: Strengthen your security posture
• Automate with deeply integrated security services
• Inherit global security and compliance controls
• Highest standards for privacy and data security
• Largest network of security partners and solutions
• Scale with superior visibility and control
Inherit global security and compliance controls
Scale with visibility and control
• Control where your data is stored and who can access it
• Fine-grain identity & access control so resources have the right access
• Reduce risk via security automation and continuous monitoring
• Integrate AWS services with your solutions to support existing workflows, streamline ops, and simplify compliance reporting
Highest standards for privacy
• Encryption at scale with keys managed by our AWS Key Management Service (KMS), or manage your own encryption keys with AWS CloudHSM using FIPS 140-2 Level 3 validated HSMs
• Meet data residency requirements: choose an AWS Region and AWS will not replicate your data elsewhere unless you choose to do so
• Access services and tools that enable you to build compliant infrastructure on top of AWS
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and disposal
Automate with integrated services
Automated threat remediation (diagram: an Amazon GuardDuty finding, a CloudWatch Event from Amazon CloudWatch Events, and an AWS Lambda function)
Largest ecosystem of security partners and solutions
• Infrastructure security
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection
AWS security solutions
• Identity: AWS Identity & Access Management (IAM), AWS Single Sign-On, AWS Directory Service, Amazon Cognito, AWS Organizations, AWS Secrets Manager, AWS Resource Access Manager
• Detective control: AWS Security Hub, Amazon GuardDuty, AWS Config, AWS CloudTrail, Amazon CloudWatch, VPC Flow Logs
• Infrastructure security: AWS Systems Manager, AWS Shield, AWS WAF – Web application firewall, AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC)
• Data protection: AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager, Amazon Macie, Server-Side Encryption
• Incident response: AWS Config Rules, AWS Lambda
Identity and access management
Define, enforce, and audit user permissions across AWS services, actions and resources.
• AWS Identity and Access Management (IAM) – Securely control access to AWS services and resources
• AWS Single Sign-On (SSO) – Centrally manage SSO access to multiple AWS accounts & business apps
• AWS Directory Service – Managed Microsoft Active Directory in the AWS Cloud
• Amazon Cognito – Add user sign-up, sign-in, and access control to your web/mobile apps
• AWS Organizations – Policy-based management for multiple AWS accounts
• AWS Secrets Manager – Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
• AWS Resource Access Manager – Simple, secure service to share AWS resources
Detective control
Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment.
• AWS Security Hub – Centrally view & manage security alerts & automate compliance checks
• Amazon GuardDuty – Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• AWS Config – Record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, & security analysis
• AWS CloudTrail – Track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account
• Amazon CloudWatch – Complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes
• VPC Flow Logs – Capture info about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs
Infrastructure security
Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS.
• AWS Systems Manager – Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
• AWS Shield – Managed DDoS protection service that safeguards web applications running on AWS
• AWS WAF – Web application firewall that protects your web applications from common web exploits, ensuring availability and security
• AWS Firewall Manager – Centrally configure and manage AWS WAF rules across accounts and applications
• Amazon Inspector – Automates security assessments to help improve the security and compliance of applications deployed on AWS
• Amazon Virtual Private Cloud (VPC) – Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define
Data protection
In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage).
• AWS Key Management Service (KMS) – Easily create and control the keys used to encrypt your data
• AWS CloudHSM – Managed hardware security module (HSM) on the AWS Cloud
• AWS Certificate Manager – Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services
• Amazon Macie – Machine learning-powered security service to discover, classify, and protect sensitive data
• Server-Side Encryption – Flexible data encryption options using AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys
Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice.
• AWS Config Rules – Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known-good state
• AWS Lambda – Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents
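The GuardDuty finding to CloudWatch Event to Lambda remediation pattern the slides describe, as an added example that is not AWS's own code: a Lambda handler triages the finding and, for high-severity EC2 findings that match an agreed playbook, contains the instance by swapping its security groups for a quarantine group, recording the previous groups so the step can be reverted. The quarantine group id, finding id, instance id and the FakeEC2 stand-in are constructed placeholders, and the severity threshold and finding-type prefixes are this example's policy choices, not a GuardDuty recommendation.

```python
import json
from typing import Any, Dict, Optional

# Hypothetical quarantine security group with no inbound/outbound rules (per-account value).
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"
SEVERITY_THRESHOLD = 7.0  # GuardDuty "High" findings start at severity 7.0
# Finding-type prefixes for which isolating the instance is this example's agreed playbook.
CONTAIN_PREFIXES = ("Backdoor:EC2/", "CryptoCurrency:EC2/", "UnauthorizedAccess:EC2/")


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Map a CloudWatch Event carrying a GuardDuty finding to 'isolate', 'alert' or 'ignore'."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event.get("detail", {})
    ftype, severity = detail.get("type", ""), float(detail.get("severity", 0))
    instance_id: Optional[str] = None
    resource = detail.get("resource", {})
    if resource.get("resourceType") == "Instance":
        instance_id = resource.get("instanceDetails", {}).get("instanceId")
    decision = {"finding_id": detail.get("id"), "type": ftype,
                "severity": severity, "instance_id": instance_id}
    if severity >= SEVERITY_THRESHOLD and instance_id and ftype.startswith(CONTAIN_PREFIXES):
        decision.update(action="isolate", reason="high-severity EC2 finding with a playbook")
    elif severity >= SEVERITY_THRESHOLD:
        decision.update(action="alert", reason="high severity, no automated playbook: page a human")
    else:
        decision.update(action="ignore", reason="below severity threshold")
    return decision


def isolate_instance(ec2, instance_id: str) -> Dict[str, Any]:
    """Swap the instance's security groups for the quarantine group; keep the old ones for rollback."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return {"instance_id": instance_id, "previous_groups": previous, "now": [QUARANTINE_SG]}


def lambda_handler(event: Dict[str, Any], context: Any = None, ec2=None) -> Dict[str, Any]:
    """Lambda entry point; ec2 is injected for offline runs, otherwise boto3 creates it."""
    decision = triage(event)
    if decision["action"] == "isolate":
        if ec2 is None:
            import boto3  # only needed when running with real AWS credentials
            ec2 = boto3.client("ec2")
        decision["containment"] = isolate_instance(ec2, decision["instance_id"])
    print(json.dumps(decision))  # CloudWatch Logs keeps this as the audit record of the action
    return decision


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client so the example runs offline."""
    def __init__(self) -> None:
        self.groups = {"i-0123456789abcdef0": ["sg-web-PLACEHOLDER"]}

    def describe_instances(self, InstanceIds):
        sgs = [{"GroupId": g} for g in self.groups[InstanceIds[0]]]
        return {"Reservations": [{"Instances": [{"SecurityGroups": sgs}]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)


# Constructed sample in the CloudWatch Events envelope shape that GuardDuty findings use.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"id": "finding-PLACEHOLDER", "severity": 8,
                           "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
                           "resource": {"resourceType": "Instance",
                                        "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, ec2=FakeEC2())
```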
“I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”
— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
• Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day
• Processes approximately 6 terabytes of data and 37 billion records on an average day
• Went from 3–4 weeks for server hardening to 3–4 minutes
• DevOps teams focus on automation and tools to raise the compliance bar and simplify controls
• Achieved incredible levels of assurance for consistencies of builds and patching via rebooting with automated deployment scripts
Online medical care scheduling
“Previously all our servers were configured and updated by hand or through limited automation, we didn’t take full advantage of a configuration management … All our new services are built as stateless docker containers, allowing us to deploy and scale them easily using Amazon’s ECS.”
“AWS allowed us to scale our business to handle 6 million patients a month and elevate our security—all while maintaining HIPAA compliance—as we migrated 100% to cloud in less than 12 months”
• Migrated all-in on AWS in under 12 months, becoming a HIPAA compliant cloud-first organization
• New York based startup leveraged infrastructure as code to securely scale to 6 million patients per month
• Data liberation—use data to innovate and drive more solutions for patients, reducing patient wait times from 24 days to 24 hours
• Maintain end to end visibility of patient data using AWS
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security
Premium Insurance
Raf Sanchez, Beazley Group
Cyber Security: The Latest Challenges and Approaches
14th March 2019
Raf Sanchez
Misconceptions
Cyber Threats & Trends
2018: UK Incidents by Cause (pie chart; values as extracted: 40%, 12%, 8%, 8%, 24%, 8%)
Categories: Hack / Malware, Vendor breach, Insider, Portable Device, Unintended Disclosure, Social Engineering
BBR International: Total breaches by cause (pie chart; values as extracted: 45%, 14%, 4%, 2%, 4%, 17%, 2%, 12%)
Categories: Hack / Malware, Vendor breach, Insider, Physical/Non Electronic, Portable Device, Unintended Disclosure, Social Engineering, Other
Emotet & Ryuk
Microsoft Office 365 Account Compromise
Failure to Implement MFA
Cyber Insurance
Suffering a Data Breach is not a disaster… Mishandling it is.
Global Incidents Handled
Year | Incidents
2013 | 554
2014 | 777
2015 | 1249
2016 | 1944
2017 | 2615
2018 | 3332
What do BBR Services Do?
NO: Legal Advice, Activate Policy
YES: Advocacy, Liaison
Incident lifecycle (diagram): Detection, Prevention, Containment, Recovery, Learning
Service areas (diagram): Pre-Breach Services, Breach Management, Risk Management Services, Incident Management
How Does BBR Services Assist?
• breach hotline
• in-house team
• co-ordination
• expert vendors
• risk management
Planning for continuity
Justin Rhodes, URIM (Universal Remote Information Management)
URIM: The Road Ahead 2019
10/03/2019
1. Android Version – Q2
2. Single Sign On – Google & Microsoft Active Directory – Q2
3. PEN Testing – Already A+ Rating via “SSL Labs” – Q2
4. Forms Support – Q2
5. Change Control Audit – “who, what, when” – Q3
GDPR keeping data safe?
Shane Gohil, Qubic Group plc
GDPR
“The General Data Protection Regulation (GDPR) very
significantly increases the obligations and
responsibilities for organisations and businesses in
how they collect, use and protect personal data.”
What is the aim of the GDPR?
“The aim of the GDPR is to allow Data Subjects to
understand and manage personal data held by
businesses and organisations.”
What is personal data?
• The term ‘personal data’ means any information relating to a living person who is identified or identifiable (such a person is referred to as a ‘data subject’).
• The GDPR gives examples of identifiers, including names, identification numbers, and location data. A person may also be identifiable by reference to factors which are specific to their identity, such as physical, genetic or cultural factors.
• Therefore, if you can identify an individual based on any data held, this is personal data and falls within the scope of the GDPR. (This includes employee data.)
Processing explained
You are deemed to be processing personal data if
you do any of the following:
• Collect, store, organise or retrieve data
• Change, modify or adapt the data
• Use part or all of the data
• Transmit or transfer the data
• Destroy or erase data
Principles and Rights
Principles:
1. Lawfulness, Fairness and Transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
Rights:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
Integrity and confidentiality: the Security Principle
What does the GDPR say?
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”
This means that you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised.
Why should organisations review security?
The ICO is required to consider the technical and organisational measures you had in place when considering an administrative fine.
Case example
Cybersecurity factors
• System security – the security of your network and information systems, including those which process personal data;
• Data security – the security of the data you hold within your systems, e.g. ensuring appropriate access controls are in place and that data is held securely;
• Online security – e.g. the security of your website and any other online service or application that you use; and
• Device security – including policies on Bring-your-own-Device (BYOD) if you offer it.
Security of processing (GDPR Article 32)
What does the GDPR say?
• Encrypt personal data;
• Have the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• Have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• Have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Security of processing (GDPR Article 32)
What does this mean for organisations?
• Ensure data is secure both at rest and in transit
• Maintain a suite of cyber security services that keep you secure (a layered approach)
• Have backup and disaster recovery and a business continuity plan
• Run reports and test the systems and measures you have in place
Where are organisations falling short?
Subject Access Requests - SARs
Under the GDPR, individuals have the right to obtain:
• Confirmation that their data is being processed;
• Access to their personal data; and
• Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
Recent ICO enforcement
The court heard that an individual had submitted a subject access request on 17 April 2017. A subject access request, or SAR, allows someone to request all the personal information an organisation holds about them.
Magnacrest, based in Hazlemere, Buckinghamshire, failed to provide the information within the required timescale of 40 calendar days and the individual complained to the data protection regulator, the ICO.
Magnacrest pleaded guilty to a charge of failing to comply with an enforcement notice when it appeared before Westminster Magistrates on 6 February 2019. The company was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.
Getting SARs right
• Establish a procedure for acknowledging SARs – allowing an individual to know their request is received and being worked on
• Gain an understanding of what the individual wants to achieve – this may save you time and resource
• Ensure your privacy policy has been updated; this can inform individuals about how and why you want to process their data
• Provide staff training on SARs – unaware staff could be the reason you fail to provide under the request
Where are organisations falling short?
Working from home.
• Two-factor authentication and secure remote connections should be established
• Allowing staff to connect insecurely to your network increases information security risk
• Staff must be made aware of their responsibilities around access and ensure risk is minimised
Case example – working from home
• Former council officer fined for emailing CVs of rival job applicants to his partner
• He accessed the authority’s recruitment system and emailed the personal information of the nine rival shortlisted candidates to both his own work email address and also his partner’s Hotmail account.
• The recruitment packs he shared included the name, address, telephone number and CV of each candidate, along with contact details for each of their two referees. That was against the law.
Where are organisations falling short?
Device security.
More and more organisations are now allowing BYOD. Personal data being processed via a personal device might be stored in one, or a combination, of the following locations:
• On the device;
• On a server within the organisation’s IT network (or other private cloud); or
• In a private, community or public cloud.
Regardless of where the data is stored, you will have to take appropriate measures to protect against unauthorised or unlawful access, for example if the device is lost or stolen. This remains your responsibility as the data controller.
020 8601 7000
www.qubicgroup.com