Cybersecurity in Government

Transcription

1 Cybersecurity in Government Executive Development Course: Digital Government Ng Lup Houh, Principal Cybersecurity Specialist Cybersecurity Group 03 April 2018

2 Agenda Cyber Threats & Vulnerabilities Cyber Security & Risk Mitigation Proactive & Holistic Cybersecurity: GovTech s Approach Disrupting the Kill Chain: Internet Surfing Separation (ISS) Conclusion Copyright of GovTech Not to be reproduced unless with explicit consent by GovTech.

3 Cyber Threats & Vulnerabilities

4 4 Copyright of GovTech Not to be reproduced unless with explicit consent by GovTech.

5 Anatomy of an Attack 5 Copyright of GovTech Not to be reproduced unless with explicit consent by GovTech. Source: NEC

6 Cyber Kill Chain Source: Lockheed Martin 6 Copyright of GovTech Not to be reproduced unless with explicit consent by GovTech.

7 7 Increased Attack Surface Weak Defences

8 8 Copyright of GovTech Not to be reproduced unless with explicit consent by GovTech.

9 9

10 Recent Trend Hardware Vulnerabilities Applications Operating System (OS) Kernel Mainboard (Hardware) CPU TPM AMT ME 10

11 Addressing Vulnerabilities can be Costly Vulnerability Infineon TPM vulnerability to ROCA Affected Component Initial Exploit OS Patch? TPM Local Yes - workaround Manual Intel ME / AMT CPU Chipset Local No Manual Meltdown & Spectre Micro-processor Local & Remote Yes - workaround Full remediation Some Manual 11

12 Meltdown & Spectre Vulnerabilities : Basic security function of microprocessor is to restrict access to memory areas e.g. normal programs cannot read system memory. To enhance performance, modern microprocessors use system memory to: run instructions concurrently ( Out-of-order Execution ) guess and perform next set of instructions beforehand ( Speculative Execution ) : Security checks are not done. This allows malicious programs to read sensitive data from restricted memory areas such as system memory (Meltdown) and through other programs (Spectre) : Attacker can compromise and access sensitive data such as user and password information. For Spectre, attacker can remotely exploit the computer through user s browser using web-based attack to access sensitive data. 12

13 Rapid rise in exploit attempts 13 Copyright of GovTech FOR INTERNAL USE ONLY

14 Scale / Sophistication Continued Growth of Cyber attacks High Threat Actors Present day Cyber attack is a natural consequence of being connected to the global cyberspace. We have a asymmetric problem at hand, where the defender require significantly more resources compared to an attacker. Cyber Defenders Examples of attacks increasing in scale and sophistication: DDoS Attacks Low Threats begin to overwhelm you Phishing Attacks Ransomware Past Future 14

15 Cyber Security & Risk Mitigation

16 High level of Maturity Track technology change & continual improvement

17 Adaptive Security, Continuous Assessment Continuous Adaptive Risk & Trust Assessment (CARTA) Gartner 2017

18

19 Mapping Tech to Assets & Capabilities

20 Proactive & Holistic Cybersecurity: GovTech s Approach

21 3 main functions As a sector lead for the Government, GovTech has 3 main functions: 1. Governance - to develop ICT security policies, standards and implement oversight initiatives to assess ICT security-related implementations across government agencies 2. Consulting - to provide technical subject matter expert support for key ICT projects and to key decision-making fora such as egov Council and Committee of Permanent Secretaries 3. Cyber Security Operations - to perform operational cyber security functions that include cyber intelligence, network monitoring, intrusion detection, threat hunting, incident response and security analytics 21 Copyright of GovTech Not to be reproduced unless with explicit consent by GovTech.

22 Cyber Security Framework Prepare 5 enablers cutting across Learn Prevent 5 phases Respond Detect Technology

23 Stakeholders IT Professionals Needs to ensure that security concerns are addressed. To ensure that applications are secure by design. Security Specialists To promote a security by design mindset in app development. To test and ensure that applications are well secured and compliant to security policies. End Users Needs to be adequately trained and made aware of the threats in cyberspace. To report on potential security breaches or suspicious events.

24 Security by Design 5. Testing Penetration Test. Security Acceptance Test. Vulnerability Assessment. 4. Deployment 4 5 Requirements Gathering 1 Security 2 1. Requirements Gathering Risk based security policies, Mandatory security requirements. 2. Design To adopt industry best practices and established standards for security controls. e.g. NIST 800, ISO 27002, CIS Critical Controls. Separation of Staging and Production environments. Automated Security Testing within Continuous Integration Construction Static Application Security Testing. Implement secure coding practices.

25 Coping with the trend Quantity The tipping point where the cyber attacks start to overwhelm you. Re-Architect Reduce Exposure Technology Train Retain Time

26 Signature User Awareness JAGA - Our cybersecurity ambassador A3 Size Posters

27 The Balance Security Optimising the cost-benefit tradeoff while ensuring ease of use Cost Usability Copyright of GovTech 27 Not to be reproduced unless with explicit consent by GovTech.

28 Disrupting the Kill Chain: Internet Surfing Separation (ISS)

29 Top 3 attack vectors Internet Surfing Unsecured Deployment Internet s ISS Audit Filtering Penetration Test End point security

30 Overview of ISS & Intranet Internet Surfing Other Internet Services Agency notebook containing classified documents Internet enabled notebook containing non-classified documents

31 Disrupting the Kill Chain ISS was the single most effective measure is to separate Internet surfing (main exfiltration channel) from the Government ICT infrastructure.

32 Change Management Management-led approach Communications Early Planning and Pilot Testing Lead by example Champion the change Active engagement and support Reinforce that cyber threats are real Address user needs and concerns Communicate device allocation policies Re-assure users on the availability of alternative solutions Supported by Phased approach Getting ready early the infrastructure, applications and devices (size correctly) Pilot testing to minimise disruption IT Professionals & Project Managers Corporate Communications Security Specialists Engage agency key stakeholders. Oversee and track implementation progress. Facilitate agencies with implementation. Dispel any miscommunication or myths. Communicate new policies and behavioral expectations. Communicate the availability of allocated solutions. Advise on current threat landscape. Ensure that security solutions are designed and implemented correctly.

33 End User Experience End users MUST be clear on what is classified information and what is not. Internet enabled devices MUST be clearly labelled. End users MUST be well trained on cyber hygiene practices.

34 Conclusion

35 Holistic Security 1. Today s threats are growing in scale and sophistication. Prepare 2. We need to think about security holistically. e.g. across 5 phases. Learn Prevent 3. This includes the cooperation of IT Professionals, Security Specialists and End Users to address them. Respond Detect Technology 35

36 Cybersecurity is an Enabler 36 Copyright of Copyright GovTech of GovTech Not to be Not reproduced to be reproduced unless with unless explicit with explicit consent consent by GovTech. by GovTech.

37 Thank you