ISF Threat Horizon: Cybercrime and the banking industry

Transcription

1 ISF Threat Horizon: Cybercrime and the banking industry Dr Adrian Davis, PhD, MBA, MBCS, CITP, CISMP Principal Research Analyst Information Security Forum

2 Agenda: External threats Regulatory threats Internal threats Recommendations ISF Threat Horizon Copyright 2013 Information Security Forum Limited 2

3 What is the ISF? An international association of over 300 leading global organisations, which... addresses key issues in information risk management through research and collaboration develops practical tools and guidance is fully independent, not-for-profit organisation driven by its Members promotes networking within its membership The leading, global authority on information security and information risk management ISF Threat Horizon Copyright 2013 Information Security Forum Limited 3

4 EXTERNAL THREATS ISF Threat Horizon Copyright 2013 Information Security Forum Limited 4

5 Cyber criminality increases as Malspace matures further Significant increase in maturity of the industry Crime-sourcing more common Attacking the cloud, mobile platforms ISF Threat Horizon Copyright 2013 Information Security Forum Limited 5

6 Welcome to malspace Global highly-functional industry that supports all aspects of modern crime Supports the development and sale of: - sophisticated attack tools - services to help plan and coordinate attacks - laundering of stolen assets. The tools that we use are also available to our attackers Cyber ISF Security Threat Horizon Strategies Copyright Information Security Security Forum Forum Limited Limited 6

7 The cyber arms race leads to a cyber cold war Stuxnet proved the effectiveness of cyber weapons (vis-à-vis military action) Investments into cyber resilience and intelligence sharing Scale of cyber espionage becoming apparent, starting to hurt ISF Threat Horizon Copyright 2013 Information Security Forum Limited 7

8 ISF Threat Horizon Copyright 2013 Information Security Forum Limited 8

9 New players Protesting tools fully available More causes come online; activists get more active Increasing speed, reach and impetus of online democracy ISF Threat Horizon Copyright 2013 Information Security Forum Limited 9

10 Cyberspace gets physical Real impact Utilities hacked Lives at stake ISF Threat Horizon Copyright 2013 Information Security Forum Limited 10

11 CERT Australia: 44% of attacks originate from within the organisation ISF Threat Horizon Copyright 2013 Information Security Forum Limited 11

12 REGULATORY THREATS ISF Threat Horizon Copyright 2013 Information Security Forum Limited 12

13 New requirements shine a light in dark corners, exposing weaknesses Secrecy does not equal security Transparency everywhere regulations business partners customers Whistle-blowing, fraud and cyber attacks ISF Threat Horizon Copyright 2013 Information Security Forum Limited 13

14 A focus on privacy distracts from other efforts Incoming privacy regulations New technologies, new concerns Cyber havens ISF Threat Horizon Copyright 2013 Information Security Forum Limited 14

15 The regulatory storm Governments and regulators are demanding action The results often have extraterritorial impacts: - EU Data Privacy Directive - US FATCA - US Dodd-Frank Act - PCI DSS - Proposed EU Directive on Network and Information Security ISF Threat Horizon Copyright 2013 Information Security Forum Limited 15

16 is getting stronger Monetary Authority of Singapore (MAS) June 2012 notice: [..] inform the Authority in writing within 30 minutes upon the discovery of all IT security incidents [...] - ( 20June%202012%20Notice%20On%20Technology%20Risk%20Management.pdf) ISF Threat Horizon Copyright 2013 Information Security Forum Limited 16

17 INTERNAL THREATS ISF Threat Horizon Copyright 2013 Information Security Forum Limited 17

18 Cost pressures stifle investment; an undervalued function can t keep up West in self-induced stagnation Legacy of underinvestment kicking back Deteriorating security awareness ISF Threat Horizon Copyright 2013 Information Security Forum Limited 18

19 A clouded understanding leads to an outsourced mess Strategically unsound business decisions strain security IT security increasingly outsourced Organisations in a digital divide ISF Threat Horizon Copyright 2013 Information Security Forum Limited 19

20 New technologies overwhelm Mobile is king The Internet of Things Big data runs businesses off course ISF Threat Horizon Copyright 2013 Information Security Forum Limited 20

21 The supply chain springs a leak, as the insider threat comes from outside Closer business relationships lead to unforeseen security challenges Increased risk complexity Your business information is your supplier s data ISF Threat Horizon Copyright 2013 Information Security Forum Limited 21

22 IT is a key disruptor in supply chains... Risks Triggers for disruption 64% Reliance on Oil 63% shared data 59% fragmenta tion 59% natural disasters 46% conflict 57% subcontr acting 44% shocks 53% visibility 30% Information and communications ISF Threat Horizon Copyright 2013 Information Security Forum Limited 22

23 WHAT CAN I DO? RECOMMENDATIONS ISF Threat Horizon Copyright 2013 Information Security Forum Limited 23

24 It s as much about the predictions as what you do with them. ISF Threat Horizon Copyright 2013 Information Security Forum Limited 24

25 Recommendations 1. Prepare for the strategic challenge of cyberspace 2. Build cyber resilience into your organisation 3. Create or enhance your strategy and governance 4. Develop an incident management capability 5. Secure your supply chain 6. Focus on the basics 7. Keep looking forwards ISF Threat Horizon Copyright 2013 Information Security Forum Limited 25

26 1. Prepare for the strategic challenge of cyberspace CYBERSPACE Always-on, technologically interconnected world Made up of people, organisations, information and technology CYBERSECURITY Organisation s ability to secure its people, information, systems and reputation Builds on information security the basics and principles are the same ISF Threat Horizon Copyright 2013 Information Security Forum Limited 26

27 2. Build cyber resilience into your organisation Organisation s capability to withstand impacts from threats materialising in cyberspace Covers all threats even the one we don t know about Driven by agile, broader risk management - Linking information risk to ERM Cyber ISF Security Threat Horizon Strategies Copyright Copyright Information Information Security Security Forum Forum Limited Limited 27

28 3. Create or enhance your strategy and governance A plan of action to take the information security function from mission to vision ISF Threat Horizon Copyright 2013 Information Security Forum Limited 28

29 3. Create or enhance your strategy and governance Aligned to ISO/IEC ISF Threat Horizon Copyright 2013 Information Security Forum Limited 29

30 4. Develop an incident management capability There are five key components which need to be addressed to establish an effective information security incident management capability. Post incident analysis and forensics are vital. The results from these should change risk assessments that select controls ISF Threat Horizon Copyright 2013 Information Security Forum Limited 30

31 5. Secure your supply chain: Follow the information 1. Approve - Build support 2. Prepare - Create the tools and build on existing risk management 3. Discover - Categorise, prioritise and assess existing contracts 4. Embed - Build information risk management in to the vendor lifecycle and new contracts Aligned to ISO/IEC ISF Threat Horizon Copyright 2013 Information Security Forum Limited 31

32 6. Focus on the basics: collaborate Adopt a consistent approach to security Integrate security in the business Share information on attacks Build awareness across your customers, suppliers and employees Build up a threat picture ISF Threat Horizon Copyright 2013 Information Security Forum Limited 32

33 7. Keep looking forwards The ISF has just released Threat Horizon 2015 Here is a sneak peek Reputation is the new target for cyber attacks Criminals value your information Don t misunderstand the role of government ISF Threat Horizon Copyright 2013 Information Security Forum Limited 33

34 Information Security Forum ISF Threat Horizon Copyright 2013 Information Security Forum Limited 34