How to effectively mitigate risks and ensure effective deployment of IOT using COBIT 5 best practices?
CA. Abdul Rafeq, FCA, CISA, CIA, CGEIT
Managing Director, Wincer Infotech Limited
Past Member, COBIT 5.0 Task Force, ISACA, USA
21st Jan. 2018, Dubai
Some queries?
- Have you downloaded COBIT 5?
- Are you a current user of COBIT 5?
- Have you deployed IOT in your enterprise? If yes, in what way?
- What is your primary objective for attending this presentation?
Learning Objectives
- Impact of the all-pervasive deployment of the Internet of Things (IoT) on the existing paradigm of risk, security, controls, assurance and governance.
- What are the solutions from IT professionals to ensure effective deployment of IOT from a strategic and holistic perspective?
- How can IT professionals (Risk, Security, Control, Compliance and Assurance) update their skills to provide effective IOT-enabled solutions that meet enterprise objectives?
- How to use the time-tested approach of global best practices and guides such as COBIT?
Agenda
1. COBIT 5: Eternal philosophy, Timeless Principles, Holistic Approach and Best Practices
2. Risk Management: Perennial need for enterprises of the digital era and integrated approach
3. Cybersecurity: Threats, Counter-measures, best practices and frameworks
4. IOT: Components, Risks and Benefits for enterprises of a fully connected digital world
5. Security Challenges of IoT-enabled Solutions for enterprises and professionals
6. How to integrate COBIT 5 best practices for effective deployment of IOT?
1. COBIT 5: Eternal philosophy, Timeless Principles, Holistic Approach and Best Practices
Some Tips for learning COBIT
Concepts & Practice; Practical Usage; Select & Customise; Actionable Insights
- Tools, not just text
- Application, not just certification
- Micro, not just macro
- Skills, not just knowledge
- Techniques, not just content
- Templates, not just principles
- Specifics, not just philosophy
- Action, not just decisions
COBIT Sutras of Success
- Understand the vocabulary
- Understand processes, key flows and systems
- Simple standard structure
- Underlying logic and flow
- Chunk it down to components
- Get perspectives right to get insights right
COBIT 5 Principles
COBIT Enablers 2012 ISACA. All Rights Reserved.
COBIT 5 Process Reference Model 2012 ISACA. All Rights Reserved.
2. Risk Management: Perennial need for enterprises of the digital era and integrated approach
Risk Management in COBIT 5 Source: COBIT 5, figure 16. 2012 ISACA All rights reserved.
Risk Management in COBIT 5 (cont.)
All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
- EDM03 Ensure risk optimisation ensures that the enterprise stakeholders' approach to risk is articulated, to direct how risks facing the enterprise will be treated.
- APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure the stakeholder direction is followed by the enterprise.
- All other processes include practices and activities designed to treat related risk (avoid; reduce/mitigate/control; share/transfer; accept).
3. Cybersecurity: Threats, Counter-measures, best practices and frameworks
COBIT 5 for Information Security
COBIT 5 for Information Security is an extended view of COBIT 5 that explains each component of COBIT 5 from an information security perspective. Additional value for information security constituents is created through additional explanations, activities, processes and recommendations.
The COBIT 5 for Information Security deliverable provides a view of information security governance and management that gives security professionals detailed guidance for using COBIT 5 as they establish, implement and maintain information security in the business policies, processes and structures of an enterprise.
Understanding the Business Domain: Business Processes; Regulatory Requirements; Business Objectives; Organization Structure; Technology Deployed
Understanding the Risk Cycle (diagram): Risk; Security; Business Objectives; Assurance; Control
COBIT, Risks, Security and IoT (diagram): COBIT Governance and Management Best Practices; Information Security and Cyber Security; Business Objectives of deploying IOT; Assurance; IOT Security
NIST Cybersecurity Framework
Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, the National Institute of Standards and Technology (NIST), February 12, 2014.
- A response to the President's Executive Order 13636, Improving Critical Infrastructure Cybersecurity, of February 12, 2013.
- Critical infrastructure: systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
- A voluntary, risk-based Cybersecurity Framework: a set of industry standards and best practices to help organizations manage cybersecurity risks.
- The Framework is technology neutral.
Core: Cybersecurity Framework Component
Identify: What processes and assets need protection?
  Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM)
Protect: What safeguards are available?
  Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes & Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT)
Detect: What techniques can identify incidents?
  Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP)
Respond: What techniques can contain impacts of incidents?
  Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM)
Recover: What techniques can restore capabilities?
  Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO)
Core Cybersecurity Framework Component (cont.): the five Functions and their Categories as on the previous slide, with the Business Environment (ID.BE) Category expanded into its Subcategories and Informative References.
ID.BE-1: The organization's role in the supply chain is identified and communicated.
  COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated.
  COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
  COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
  ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established.
  COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Cyber Security Framework: 7-Step Process
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implementation Action Plan
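Steps 3, 5 and 6 of the process above can be worked through in code: score each CSF Category in a Current Profile and a Target Profile, then rank the gaps for the Step 7 action plan. This is an added example, not material from the presentation or from NIST; the 0-4 implementation score per Category, the 1-3 criticality weights taken from Step 1, and the two profiles are constructed assumptions.

```python
"""NIST CSF steps 3, 5 and 6: compare a Current Profile with a Target Profile
and prioritise the gaps. Added example, not from the presentation; the 0-4
implementation score per category and the 1-3 criticality weights from
step 1 (Prioritize and Scope) are constructed assumptions."""
from dataclasses import dataclass

SCALE_MAX = 4  # assumption: 0 = not performed ... 4 = optimised and measured


@dataclass(frozen=True)
class Gap:
    category: str  # CSF category ID, e.g. "PR.AC"
    current: int
    target: int
    weight: int    # business criticality of the category (1-3)

    @property
    def delta(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # A larger shortfall on a more critical category ranks higher.
        return self.delta * self.weight


def find_gaps(current: dict, target: dict, weights: dict) -> list:
    """Step 6: determine, analyse and prioritise the gaps between profiles."""
    gaps = []
    for cat, tgt in target.items():
        cur = current.get(cat, 0)  # missing from the current profile scores 0
        if not (0 <= cur <= SCALE_MAX and 0 <= tgt <= SCALE_MAX):
            raise ValueError(f"{cat}: scores must lie within 0..{SCALE_MAX}")
        if tgt > cur:  # already at or above target: not a gap
            gaps.append(Gap(cat, cur, tgt, weights.get(cat, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.category))


def action_plan(gaps: list) -> list:
    """Step 7: one action line per gap, highest priority first."""
    return [f"{g.category}: raise from {g.current} to {g.target} (priority {g.priority})"
            for g in gaps]


# Constructed profiles for an IoT deployment (assumption, not real data).
CURRENT_PROFILE = {"ID.AM": 1, "PR.AC": 1, "PR.DS": 2, "DE.CM": 0, "RS.MI": 2, "RC.RP": 3}
TARGET_PROFILE = {"ID.AM": 3, "PR.AC": 3, "PR.DS": 3, "DE.CM": 3, "RS.MI": 2, "RC.RP": 3}
WEIGHTS = {"ID.AM": 3, "PR.AC": 3, "PR.DS": 2, "DE.CM": 2, "RS.MI": 1, "RC.RP": 1}

if __name__ == "__main__":
    for line in action_plan(find_gaps(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS)):
        print(line)
```

Categories already at target (RS.MI, RC.RP in the constructed data) produce no action line; an out-of-range score is rejected rather than silently ranked.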
4. IOT: Components, Risks and Benefits for enterprises of a fully connected digital world
What is IoT?
The Internet of Things (IoT) is the network of physical objects (devices, vehicles, buildings and other items) embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.
Definition of IOT
The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.
The essence of IoT resides in the source of the data, which is the sensors. Those smart devices generate data about activities, events, and influencing factors that provide visibility into performance and support decision processes across a variety of industries and consumer channels.
What is included in IOT
IoT includes anyone or anything carrying embedded software that enables interaction with other animate or inanimate objects across networks, including the Internet. Interaction entails sharing and processing information to influence decision-making and/or actions, with or without human intervention.
Where is IoT? It's everywhere! Smart Appliances; Wearable Tech; Healthcare
Driving Forces of IoT
1. Sensor Technology: tiny, cheap, variety
2. Cheap Miniature Computers
3. Low Power Connectivity
4. Capable Mobile Devices
5. Power of the Cloud
1. Sensor Technology: Accelerometer (4 mm diameter); Force Sensor (0.1 N to 10 N); Pulse Sensor ($25). Sources: https://www.sparkfun.com/ https://www.adafruit.com/
2. Cheap Mini Computers
Key parameters of the Lily Tiny (guess the price?): Flash: 8 Kbytes; Pin count: 8; Max. operating freq.: 20 MHz; CPU: 8-bit AVR; Max. I/O pins: 6; Ext. interrupts: 6; SPI: 1; I2C: 1
http://www.atmel.com/devices/attiny85.aspx?tab=parameters
3. Low Power Connectivity: Bluetooth Smart (4.0), up to 2 years on a single coin-cell battery
4. Capable Mobile Devices: Quad-core 1.5 GHz; 128 GB internal memory; 3 GB RAM; 16 MP camera; 2160p@30fps video; WiFi, GPS, BLE
5. Power of the Cloud
IoT: a network of converging networks: Internet (IPv6); GPS; Mobility; Data matrix; ONS; Sensors; RFID tags & readers; ad hoc networks
Connectivity of IoT
ABCDs of IoT: Applications; Big Data Analytics; Connectivity and Communication; Devices that are smart! (Photos: Libelium, Google Image Search)
IoT Application Segments
IoT Evolution
[Source: http://postscapes.com/what-exactly-isthe-internet-of-things-infographic ]
Business Opportunities (capability and the benefit it brings)
Monitor: Improved Performance
Control: Reduced Costs
Optimize: Create Innovative Products
Autonomous: New Revenue Streams
IoT Challenges
- Fragmented industry
- Security and privacy of data
- Managing vast amounts of data
- Finding the right business model
Copyright RIOT 2015 All Rights Reserved
Key Challenges of deploying IoT
- Integrating data from multiple sources
- Automating the collection of data
- Analyzing data to effectively identify actionable insights
Only by addressing all three can organizations turn raw data into information and actionable insights.
5. Security Challenges of IoT-enabled Solutions for enterprises and professionals
Does IoT add additional risks?
- Are highly portable devices captured during vulnerability scans?
- Where is your network perimeter?
- Are consumer devices being used in areas like health care where reliability is critical?
- Do users install device management software on other computers? Is that another attack vector?
Attacking IoT
- Default, weak, and hardcoded credentials
- Difficult to update firmware and OS
- Lack of vendor support for repairing vulnerabilities
- Vulnerable web interfaces (SQL injection, XSS)
- Coding errors (buffer overflow)
- Clear-text protocols and unnecessary open ports
- DoS / DDoS
- Physical theft and tampering
Threat vs. Opportunity
- If misunderstood and misconfigured, IoT poses risk to our data, privacy, and safety.
- If understood and secured, IoT will enhance communications, lifestyle, and delivery of services.
Security Best Practices for IOT
- Trust: Allow only designated people/services device or data access
- Identity: Validate the identity of people, services, and things
- Privacy: Ensure device, personal & sensitive data is kept private
- Protection: Protect devices and users from harm
- Safety: Provide safety for devices, infrastructure and people
- Security: Maintain security of data, devices, people, etc.
6. How to integrate COBIT 5 best practices for effective deployment of IOT?
Technology Stack of IOT by IOT World Forum: reference model
IOT Jobs: what role can we play?
Role of IT professionals in IOT
- Be clear about what IoT is and where it manifests itself.
- Consider the shift of control from people to code.
- Understand the fusion of roles for engineers and IT professionals: the interdependency of those who create mechanical devices and those who program them to become smart devices.
- Adapt to changing roles in response to IoT.
- Manage the well-known cyber security skill deficit.
- Balance the potential of innovation with safety.
- Promote and enhance professional capability to advise, design, implement and support IoT.
- Identify risk, apply proper security and provide assurance to realize positive outcomes and address the risk of unintended effects.
Tenets of Good IoT Governance
1. Build security and control by design from the start.
2. Test controls and look for vulnerabilities by creating and testing use cases and misuse cases.
3. Educate everyone that building security alongside functionality by design is essential for IoT.
4. Engage experienced IT security and assurance personnel who understand cyber and IoT potential, risk and benefits.
5. Replace the isolation of specialists working in silos with collaboration across specialties, so that security professionals work alongside IT engineers, architects, data managers, developers and business experts.
Key issues of IoT
1. Understand that IoT relies on data and the use of data.
2. Understand the business environment (i.e., strategic and business objectives).
3. Confirm that key decision makers understand the business environment and supply-chain behavior.
4. Identify the client/customer at the end of the supply chain.
5. Require the enterprise to define IoT based on take-aways 1 to 4.
Understand how IoT works
1. Understand that each IoT device is a computer in its own right.
2. Understand that IoT tends to function as the automated equivalent of an end user.
3. Understand that IoT relies on and uses data.
4. Understand the purpose of sensors.
5. Recognize that data and sensors combine to make IoT a powerful and valuable resource.
6. Understand the relationship of hardware, firmware and software to IoT.
Understand how IoT works (cont.)
7. Understand how IoT interacts with big data, artificial intelligence, machine learning and the cloud.
8. Learn from relevant experts how IoT devices operate.
9. Understand how IoT devices work when they are connected to LANs/WANs/the Internet and how they work when not connected.
10. Recognize that IoT reflects a fusion of engineering and IT and that both disciplines must work together.
Understand how IoT is deployed
1. Determine whether the enterprise is a creator or consumer of IoT devices.
2. Clarify the strategic thinking behind the production and use of IoT. Does its production reflect market demand or technological push?
3. Determine if there is an inventory of IoT devices.
4. Identify where IoT devices exist.
5. Determine whether IoT interacts with clients/customers, and if so, how the interaction occurs.
6. Determine whether the enterprise understands the similarities and differences among health, safety and security.
IoT Security issues
- Insufficient holistic knowledge and experience to judge risk
- Lack of IoT technical experts
- Insufficient understanding of interrelated technologies
- Lack of IoT security specialists
- Lack of optimal project-management skills
Issues and challenges of IoT for business and IT professionals
- Lack of understanding of the basic attributes of IoT devices.
- Management of basic IoT attributes is magnified in complexity by the vast number of components that each device can use.
- Managing IoT devices alongside more conventional IT systems will be a challenge.
- Lack of transparency into IoT devices' functionality, data and responses can make it difficult to determine correct management actions.
- Any protection that controls offer at the time of the device's installation may become obsolete as the device receives, stores and transmits more data over time.
- There is a gap not only between IoT development and security, but also between IoT engineering and security.
Risk in IoT
1. Understand that good, basic security is lacking in most off-the-shelf IoT devices.
2. Start with the risk assessments and methodology already in use and apply them to IoT devices, considering the following take-aways in this list.
3. Apply the ISACA nine questions that cover device use, access to data and risk management.
4. Avoid using IoT devices that have hardcoded, non-changeable passwords.
5. Change default passwords in IoT devices.
6. Maintain an asset inventory of all IoT devices.
7. Understand that devices featuring always-on network connectivity increase the likelihood of attack.
8. Monitor IoT behavior to distinguish normal from abnormal behaviors.
9. Be aware of and check for stealth IoT because it potentially undermines controls.
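Take-aways 6, 8 and 9 above can be operated together: learn what each inventoried device normally talks to, then flag new destinations, abnormal volumes, and devices on the network that are not in the inventory (stealth IoT). This is an added example, not code from the presentation or from ISACA; the flow-record format, the inventory, both log windows and the 10x volume threshold are constructed assumptions.

```python
"""Behaviour monitoring for IoT devices (take-aways 6, 8 and 9 above).
Added example, not from the presentation. Flow records are constructed
(assumption), one per line: "<device> <dst_host>:<port> <bytes>"."""
from collections import defaultdict

# Constructed asset inventory (take-away 6); a device seen on the network
# but absent here is "stealth IoT" (take-away 9).
INVENTORY = {"cam-01", "thermostat-07", "badge-reader-02"}

# Constructed baseline window: what each device normally talks to.
BASELINE_LOG = """\
cam-01 nvr.corp.example:554 81200
cam-01 ntp.corp.example:123 76
thermostat-07 hvac-cloud.example:443 2048
badge-reader-02 acs.corp.example:8443 512
cam-01 nvr.corp.example:554 79950
thermostat-07 ntp.corp.example:123 76
"""

# Constructed observation window with three events worth flagging.
OBSERVED_LOG = """\
cam-01 nvr.corp.example:554 80100
cam-01 203.0.113.9:8080 310
thermostat-07 hvac-cloud.example:443 9000000
smart-tv-lobby update.vendor.example:443 4096
"""

VOLUME_FACTOR = 10  # assumption: over 10x the baseline maximum is abnormal

def parse(log: str):
    """Yield (device, destination, bytes) from the constructed record format."""
    for line in log.splitlines():
        device, dest, size = line.split()
        yield device, dest, int(size)

def learn_baseline(log: str) -> dict:
    """Per device: the set of known destinations and the largest flow seen."""
    base = defaultdict(lambda: {"dests": set(), "max_bytes": 0})
    for device, dest, size in parse(log):
        base[device]["dests"].add(dest)
        base[device]["max_bytes"] = max(base[device]["max_bytes"], size)
    return dict(base)

def detect(observed: str, baseline: dict, inventory: set) -> list:
    """Return (device, reason) pairs for behaviour outside the baseline."""
    findings = []
    for device, dest, size in parse(observed):
        if device not in inventory:
            findings.append((device, "stealth IoT: not in asset inventory"))
            continue
        known = baseline.get(device)
        if known is None or dest not in known["dests"]:
            findings.append((device, f"new destination {dest}"))
        elif size > VOLUME_FACTOR * known["max_bytes"]:
            findings.append((device, f"flow of {size} bytes exceeds baseline"))
    return findings
```

Running `detect(OBSERVED_LOG, learn_baseline(BASELINE_LOG), INVENTORY)` yields one finding per flagged event; replaying the baseline window against itself yields none, which is the check that the baseline was learned correctly.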
9 Questions: Practitioners should ask
How to perform IoT risk assessment
- Think worst-case scenario: Everything in and connected to IoT is, by default, available to all; everything needs protection from harm and every hacker who attempts to breach controls is a criminal.
- Focus on impacts, not likelihoods: Cyberbreaches are a matter of when, not if. Emphasizing impact over likelihood will help spur development of all necessary proactive and reactive responses to threats.
- Assess the impact of each malfunctioning device: Include its physical and virtual environments, the data it uses and produces and the expected range of actions taken by IoT in response to the data.
- Categorize severity of impacts: Categories should include disastrous, disruptive and damaging.
- Identify scenarios for each category: Scenarios help clarify risk and identify relevant controls and responses to reduce potential damage.
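The Assess, Categorize and Identify steps above, combined with the credential take-aways 4, 5 and 7 from the "Risk in IoT" slide, can be turned into a small impact-first assessment that ranks devices by the severity of a malfunction and lists the controls each one fails. This is an added example, not the presentation's or ISACA's method; the three impact attributes used to decide disastrous/disruptive/damaging, the device records and their scenarios are constructed assumptions.

```python
"""Impact-first IoT risk assessment: the Focus, Assess, Categorize and
Identify steps above, plus credential take-aways 4, 5 and 7 of "Risk in IoT".
Added example, not from the presentation; the device records and the three
impact attributes used to categorize severity are constructed assumptions."""
from dataclasses import dataclass, field

DISASTROUS, DISRUPTIVE, DAMAGING = "disastrous", "disruptive", "damaging"
RANK = {DISASTROUS: 0, DISRUPTIVE: 1, DAMAGING: 2}


@dataclass
class Device:
    name: str
    credentials: str        # "hardcoded", "default" or "changed"
    always_on: bool         # permanently connected to the network
    harms_people: bool      # a malfunction could injure people
    halts_operations: bool  # a malfunction stops a business process
    exposes_data: bool      # a malfunction leaks or corrupts data
    scenarios: list = field(default_factory=list)  # scenarios for its category


def categorize(d: Device) -> str:
    """Severity of a malfunction's impact; likelihood is deliberately ignored."""
    if d.harms_people:
        return DISASTROUS
    if d.halts_operations:
        return DISRUPTIVE
    if d.exposes_data:
        return DAMAGING
    raise ValueError(f"{d.name}: no impact assessed, every device needs one")


def control_findings(d: Device) -> list:
    """Take-aways 4, 5 and 7 applied to one device."""
    out = []
    if d.credentials == "hardcoded":
        out.append("hardcoded, non-changeable password: avoid this device")
    elif d.credentials == "default":
        out.append("default password still set: change it")
    if d.always_on:
        out.append("always-on connectivity: higher likelihood of attack")
    return out


def assess(devices: list) -> list:
    """(category, name, findings, scenarios) per device, worst impact first."""
    rows = [(categorize(d), d.name, control_findings(d), d.scenarios) for d in devices]
    return sorted(rows, key=lambda r: (RANK[r[0]], r[1]))


# Constructed fleet (assumption, not real devices).
FLEET = [
    Device("infusion-pump-ward3", "default", True, True, False, True,
           ["dose setting changed by an unauthorised user"]),
    Device("lobby-thermostat", "changed", True, False, False, True),
    Device("line-plc-04", "hardcoded", False, False, True, False,
           ["controller fault halts the assembly line"]),
]

if __name__ == "__main__":
    for row in assess(FLEET):
        print(*row)
```

A device with no impact attribute set is rejected, matching the instruction to assess the impact of each malfunctioning device rather than leave any unassessed.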
Good Governance Responses for IoT
1. Governance foundations are dedicated to enhancing good behavior and relationships among people. IoT creates a parallel universe of autonomous devices whose behavior and relationships need to be governed in a complementary way.
2. IoT requires more focus on ethics for ethical outcomes, which means more ethical policies, projects and processes.
3. Profits are the main outcome that markets seek, so good governance is necessary to rein in excesses that can harm the enterprise and society.
4. In the absence of legislation and common standards, an organizational IoT governance framework needs to be promoted.
5. COBIT 5 provides a useful framework to improve overall governance.
Applying COBIT 5 to Governance of IoT
1. Carry out and review IT risk assessments at a technical level and evaluate the impact on the business.
2. Apply and/or modify controls, the bulk of which will be privacy, security and safety controls.
3. Obtain assurance on an ongoing basis from executives and from external third parties.
4. Obtain and act on independent assurance from internal and external audit.
COBIT 5 offers tools that cover the governance of enterprise IT (GEIT), risk management, information security, audit and assurance, and regulatory compliance.
Dos and Don'ts of IOT
Tips for effective IoT deployment
- Risk must be evaluated holistically to ensure that business value is maximised while risk is minimised.
- Risk assessment has to be a collaborative effort among all stakeholders, including business teams, compliance, operations, information security, privacy and all other pertinent areas.
- Identify the new, complex risks and problems.
- Plan in advance and implement from a holistic and strategic perspective.
ISACA Whitepapers on IoT
Thank you. Any questions? rafeq@wincaat.com