Cybersecurity in Government
Executive Development Course: Digital Government
Ng Lup Houh, Principal Cybersecurity Specialist, Cybersecurity Group
03 April 2018

Agenda
- Cyber Threats & Vulnerabilities
- Cyber Security & Risk Mitigation
- Proactive & Holistic Cybersecurity: GovTech's Approach
- Disrupting the Kill Chain: Internet Surfing Separation (ISS)
- Conclusion

Copyright of GovTech. Not to be reproduced unless with explicit consent by GovTech.
Cyber Threats & Vulnerabilities
Anatomy of an Attack (Source: NEC)
Cyber Kill Chain (Source: Lockheed Martin)
Increased Attack Surface
Weak Defences
Recent Trend: Hardware Vulnerabilities
- Applications
- Operating System (OS)
- Kernel
- Mainboard (Hardware)
- CPU
- TPM
- AMT
- ME
Addressing Vulnerabilities can be Costly

| Vulnerability | Affected Component | Initial Exploit | OS Patch? | Full remediation |
|---|---|---|---|---|
| Infineon TPM vulnerability to ROCA | TPM | Local | Yes - workaround | Manual |
| Intel ME / AMT | CPU Chipset | Local | No | Manual |
| Meltdown & Spectre | Micro-processor | Local & Remote | Yes - workaround | Some Manual |
Meltdown & Spectre Vulnerabilities

A basic security function of the microprocessor is to restrict access to memory areas, e.g. normal programs cannot read system memory. To enhance performance, modern microprocessors use system memory to:
- run instructions concurrently ("Out-of-order Execution")
- guess and perform the next set of instructions beforehand ("Speculative Execution")

Security checks are not done. This allows malicious programs to read sensitive data from restricted memory areas such as system memory (Meltdown) and through other programs (Spectre).

An attacker can compromise and access sensitive data such as user and password information. For Spectre, an attacker can remotely exploit the computer through the user's browser, using a web-based attack to access sensitive data.
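An added example, not part of the original slides: on Linux, the kernel reports its own mitigation status for these flaws under /sys/devices/system/cpu/vulnerabilities, and the script below classifies the Meltdown and Spectre entries so unpatched hosts can be flagged. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Classify the kernel's self-reported Meltdown/Spectre status (added example).

# classify_status LINE -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> prints "name state" per entry; returns 1 if any entry is
# vulnerable or missing (a missing file means the kernel predates reporting).
report_dir() {
    dir=$1
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            state=$(classify_status "$(head -n 1 "$dir/$name")")
        else
            state=unknown
        fi
        echo "$name $state"
        case "$state" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# make_sample_dir -> temp dir with CONSTRUCTED sample contents, so the script
# runs on any host; on a real Linux machine pass the sysfs path instead.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
report_dir "$sample" || echo "action needed: at least one entry is not mitigated"
rm -rf "$sample"
# Real host: report_dir /sys/devices/system/cpu/vulnerabilities
```

A non-zero return from report_dir is suitable as a compliance-scan failure signal; it reflects only what the running kernel reports, not firmware or microcode state.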
Rapid rise in exploit attempts

Continued Growth of Cyber attacks

Cyber attack is a natural consequence of being connected to the global cyberspace. We have an asymmetric problem at hand, where the defender requires significantly more resources compared to an attacker.

Examples of attacks increasing in scale and sophistication:
- DDoS Attacks
- Phishing Attacks
- Ransomware

[Chart: Scale / Sophistication (Low to High) over time (Past, Present day, Future), with curves for Threat Actors and Cyber Defenders; annotation: "Threats begin to overwhelm you"]
Cyber Security & Risk Mitigation
High level of Maturity
Track technology change & continual improvement

Adaptive Security, Continuous Assessment
Continuous Adaptive Risk & Trust Assessment (CARTA), Gartner 2017
Mapping Tech to Assets & Capabilities
Proactive & Holistic Cybersecurity: GovTech's Approach

3 main functions

As a sector lead for the Government, GovTech has 3 main functions:
1. Governance - to develop ICT security policies, standards and implement oversight initiatives to assess ICT security-related implementations across government agencies
2. Consulting - to provide technical subject matter expert support for key ICT projects and to key decision-making fora such as egov Council and Committee of Permanent Secretaries
3. Cyber Security Operations - to perform operational cyber security functions that include cyber intelligence, network monitoring, intrusion detection, threat hunting, incident response and security analytics

Cyber Security Framework
- 5 phases: Prepare, Prevent, Detect, Respond, Learn
- 5 enablers cutting across, e.g. Technology

Stakeholders

IT Professionals
- Need to ensure that security concerns are addressed.
- To ensure that applications are secure by design.

Security Specialists
- To promote a security by design mindset in app development.
- To test and ensure that applications are well secured and compliant to security policies.

End Users
- Need to be adequately trained and made aware of the threats in cyberspace.
- To report on potential security breaches or suspicious events.

Security by Design
1. Requirements Gathering: Risk based security policies. Mandatory security requirements.
2. Design: To adopt industry best practices and established standards for security controls, e.g. NIST 800, ISO 27002, CIS Critical Controls. Separation of Staging and Production environments. Automated Security Testing within Continuous Integration.
3. Construction: Static Application Security Testing. Implement secure coding practices.
4. Deployment
5. Testing: Penetration Test. Security Acceptance Test. Vulnerability Assessment.
Coping with the trend
- Re-Architect
- Reduce Exposure
- Technology
- Train
- Retain

[Chart: Quantity over Time; annotation: "The tipping point where the cyber attacks start to overwhelm you."]

User Awareness
- JAGA - Our cybersecurity ambassador
- Email Signature
- A3 Size Posters

The Balance
Security, Cost, Usability
Optimising the cost-benefit tradeoff while ensuring ease of use
Disrupting the Kill Chain: Internet Surfing Separation (ISS)
Top 3 attack vectors
- Internet Surfing
- Unsecured Deployment
- Internet Emails

Measures shown: ISS, Audit, Email Filtering, Penetration Test, End point security

Overview of ISS
- Agency notebook containing classified documents: Email & Intranet
- Internet enabled notebook containing non-classified documents: Internet Surfing, Other Internet Services

Disrupting the Kill Chain

ISS was the single most effective measure: separating Internet surfing (main exfiltration channel) from the Government ICT infrastructure.

Change Management

Management-led approach
- Lead by example
- Champion the change
- Active engagement and support

Communications
- Reinforce that cyber threats are real
- Address user needs and concerns
- Communicate device allocation policies
- Re-assure users on the availability of alternative solutions

Early Planning and Pilot Testing
- Phased approach
- Getting the infrastructure, applications and devices ready early (size correctly)
- Pilot testing to minimise disruption

Supported by

IT Professionals & Project Managers
- Engage agency key stakeholders.
- Oversee and track implementation progress.
- Facilitate agencies with implementation.

Corporate Communications
- Dispel any miscommunication or myths.
- Communicate new policies and behavioral expectations.
- Communicate the availability of allocated solutions.

Security Specialists
- Advise on current threat landscape.
- Ensure that security solutions are designed and implemented correctly.

End User Experience
- End users MUST be clear on what is classified information and what is not.
- Internet enabled devices MUST be clearly labelled.
- End users MUST be well trained on cyber hygiene practices.
Conclusion
Holistic Security
1. Today's threats are growing in scale and sophistication.
2. We need to think about security holistically, e.g. across 5 phases.
3. This includes the cooperation of IT Professionals, Security Specialists and End Users to address them.

[Diagram: Prepare, Prevent, Detect, Respond, Learn; Technology]

Cybersecurity is an Enabler
Thank you