COBIT and Cybersecurity. Rolf von Roessing CISA, CGEIT, CISM

Transcription

1 COBIT and Cybersecurity Rolf von Roessing CISA, CGEIT, CISM

2 Overview Practical Challenges in Cybersecurity The COBIT5 Approach An Update on Sources and Materials Strategy, Tactics, Ops Using COBIT5 Outlook Q&A

3 Practical Challenges

4 Practical Challenges Breaches and Incidents The frequency and severity of cyberattacks is growing day by day see any newspaper The intelligent attacker is still excluded from thought in many security scenarios Incidents are often hushed up, as organisations fear reputational damage People Tech and social skills are often undeveloped, or not even asked for IT is seen as something strange that other people will have to sort out Wolves and Sheep Most of what is out there by way of compliance, risk management and security still addresses the management of sheep Wolves, in sharp contrast, have no intention whatsoever to abide by the rules

5 Practical Challenges Cyberattacks are multi-vector, multi-dimensional Technology component (target applications, systems, infrastructures) Social component (target people, organisations, soft spots) Monetary component (make attacks an appetising business proposition) Managerial component (infiltrate, embed and activate internal attackers) State and military component (create and maintain cyberwar capabilities) etc. The underlying problem is less technical and much more managerial than we may like to think. Remember: it s not about the way in which they got in, it s about the purpose.

6 Standard Software: Timeline Pre-DOS: simple opsys and limited apps MS-DOS (1982) Commodore C64 Windows 3.0 MS Office ERP Systems for Wintel Microsoft goes Web Popular web development ebanking Popular Linux Mobile opsys Mobile banking and payments Broader use of smartphones Flatrate WLAN, Popular web shopping Mobile Linux etc. Apple, Google Early connectivity From stationary to mobile computing, then smart mobile devices From representative to interactive, then commercial internet use WWW From Digital Ignorants to Natives, then Sheep E- commerce beginning Homeland Security Cyber Crime Ubiqitous Broadband

7 Cybercrime and Cyberwarfare: Timeline First conceptual virus (Scientific American) First IBM PC (1982) Wall Street Crash (1987) First virii in the wild Value Added Providers Back (CompuServe, AOL etc.) Orifice No. of virii > 1000 Number of virii > Virus Builder Toolsets 419 scamming Sub Seven et. al. Rootkits Spamming and Phishing ID theft Commercial / criminal hacking Full-blown organised cyber crime Cyber Warfare Stuxnet, Duqu et. al. Early connectivity From stationary to mobile computing, then smart mobile devices From representative to interactive, then commercial internet use WWW From Digital Ignorants to Natives, then Sheep E- commerce beginning Homeland Security Cyber Crime Ubiqitous Broadband

8 Challenges Prevalence and ubiquity of «smart» devices (the IoT) Blurring of the boundary between business and private use Continuing shift of sensitive data and transactions towards personal rather than business devices Industrialisation of cybercrime, developing highly organised structures with decentralised infrastructures Lack of political response, lagging law enforcement

9 The COBIT Approach Body Copy

10 The COBIT Approach Cybersecurity is a systemic problem: there are many actors, techniques, influences and outcomes Cybersecurity is primarily managerial: we know about technology, but we need to manage it properly Cybersecurity is business: we need to achieve a reasonable level of assurance and security within the limits of sensible budgets Cybersecurity is strategic: we need to think long and hard about where and to what purpose we deploy our strategic assets

11 The COBIT Approach (2) This is not a technology session well, almost «Nerds will be nerds»? No, actually. Pockets of technical proficiency may still exist, but the Nerd is an endangered species. Cybersecurity needs to acknowledge the «unsuspecting user» and the fact that people favour convenience over security The phone may be smart, but the person using it may not be just as smart Cybersecurity will not function when applying the old paradigm of rules control - punishment

12 Update on Sources and Materials OK, I guess I had to use that pink transition slide somewhere in the presentation

13 Sources and Materials: COBIT5 Product Family Securing Mobile Devices Transforming Cybersecurity Cloud Security BMIS APT Attack Survey Responding to Targeted Cyberattacks Managing APT Risk BMIS Culture European Cybersec Series Cybersecurity SME Standard Cybersec White Papers

14 A LITTLE COMPLEX, SO... some sense-making is needed to find a way through the growing number of cybersecurity publications Historically, the COBIT5 framework combined all extant documents and frameworks to put an end to the 4.1 separation, e.g. ValIT, RiskIT The idea behind COBIT5 is to project the principles, enablers and other fundamentals using a lens: from wide angle to telephoto The same applies in cybersecurity, see next slide

15 SAMPLE CYBERSECURITY DRILLDOWN COBIT5 Framework Apply principles Apply enablers COBIT5 for Infosec Principles for information security only Enablers narrowed down to information security ISO mappings and other useful materials Cybersecurity Top Level Transforming Cybersecurity Using COBIT5 Cybersecurity Standard for SME (& implementation guide) European Cybersecurity Implementation Series Cybersecurity Detailed Level Responding to Targeted Attacks Cloud-based works Securing Mobile Devices Using COBIT5 etc.

16 Strategy, Tactics and Operations Using COBIT5 Body Copy

17 COBIT5 Strategic Layer: TCS Establish current state of cybersecurity and preparedness, using the usual methods and tools Define target state, and avoid the known pitfalls often seen in practice

18 COBIT Strategic Layer (2) Start with the Principles Apply the EDM domain as described in TCS Then apply the APO domain The end result will provide you with a business case and a solid strategy

19 COBIT Tactical Layer Apply the Enablers using TCS Define tactical management initiatives based on Enablers Set the scene for operational management and setting controls

20 COBIT Operational Layer Transform managerial processes into detailed procedures, using TCS Establish existing control set, gaps and measures Define, implement and measure additional cybersecurity controls needed Establish continuous improvement, maturity levels and integration with the three lines of defence

21 COBIT Operational Layer: Examples

22 COBIT Operational Layer: Examples

23 Outlook Body Copy

24 Outlook on COBIT and Cybersecurity CSX and the COBIT5 series are still expanding Specific cybersecurity topics, e.g. industrial control systems, are being developed ISACA will publish more white papers and emergency technology pieces to highlight the future direction Empirical control through surveys and studies will continue COBIT5 is quite likely to become the most comprehensive and versatile framework for cybersecurity, as seen from a managerial (not necessarily technical) perspective

25 Contact Details We provide independent advice on GRC, all aspects of security, and business resilience (including BCM and ITSCM). Forfa AG Holding Andhauser Str Berg TG, Switzerland Phone: mobile: skype: rvrscm