
Post on 30-Sep-2020


Page 1: The Importance of IT Security · Verizon’s Data Breach Investigation Report - 2015. More recent Vulnerabilities – but still old! Vulnerabilities – some stats.. • 44% of known

The Importance of IT Security

Information security preparedness for Australian Business


WHO AM I…?

CSIRT team member

Information Security Specialist

Board Game Designer

Trainer


Overview

• Something is out there!
  o Threats and vulnerabilities in today’s online environment
• What are you protecting?
  o Threats and vulnerabilities in today’s online environment
• Cyber Defences
  o What can you put in place immediately - quick wins
• Opportunities for further action
  o Proactive steps businesses can take to ensure longer term data security
• References and more information


Question…

Do you have an information security emergency response plan?


[Chart: Australian organisations, YES / NO]

Australian - Cyber crime security survey report 2013 – CERT Australia


Something is out there…

THREAT + VULNERABILITY = POTENTIAL SECURITY BREACH


Something is coming…

THREAT + VULNERABILITY = POTENTIAL SECURITY BREACH


Something is here!

THREAT + OPPORTUNITY = SECURITY BREACH


Data Breach Investigations report 2014 - Verizon

The Threats are many…

…and they come from different directions…


Data Breach Investigations report 2014 - Verizon


Threats resulting in a breach…

Data Breach Investigations report 2014 - Verizon


Hewlett-Packard's Cyber Risk Report - Hewlett Packard - 2014

• Many vulnerabilities exploited in 2014 took advantage of code written many years ago; “some are even decades old,” the report noted.

"Adversaries continue to leverage these classic avenues for attack. …”

Ten-year old Vulnerabilities

“99.9% OF THE [REPORTED] EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.”

Verizon’s Data Breach Investigation Report - 2015

More recent Vulnerabilities – but still old!


Vulnerabilities – some stats..

• 44% of known breaches in 2014 came from vulnerabilities that were between two and four years old…!

• Malware: the majority of these automated threat tools found by HP’s security team attempted to exploit older vulnerabilities.

• 11% of breaches targeted vulnerabilities in Adobe Reader and Acrobat.

• Whilst Oracle Java was blamed for 9%

Of the top 10 vulnerabilities identified, three were Microsoft vulnerabilities and six were tied to Oracle Java.

Hewlett-Packard's Cyber Risk Report - Hewlett Packard - 2014


Attacker success formula:

• A criminal requires:
  o Motive + Opportunity

Opportunity = Vulnerability + Capability


Attacker success formula:

• A cyber-criminal requires

• Motive
• Opportunity
  o Vulnerability +
  o Capability


Cyber Defences – Stopping a cyber-criminal:

• We cannot control:
  o Motive
  or
  o Capability
• We can control:
  o The Vulnerability – to an extent


What can we do?

• Reduce the opportunity for a cyber attack through vulnerability management.
• By reducing or removing access to vulnerable systems, so exploitations are less likely to take place.
• The problem is:
  o It’s a big job dealing with every vulnerability that is discovered…


What can we do?

• So, we have to choose the most important ones to reduce or eliminate…

• We need to prioritise…


Ask yourself…

• What assets are you protecting?

• Customer data (PII)

• Your organisation’s IP – knowledge and methods

• Your organisation’s reputation

• Your staff – their identity / profile


Ask yourself…

• Are you a likely target of cyber attack?
• “Probably not – I don’t have that much corporate IP worth protecting”
• But – what about those you do work for?
• What about your staff?
• What about you personally – (Director/CEO)?
• Clients or Partners?
  o You could be a ‘way-in’ for a bad guy to target one of your clients or stakeholders..!


What could you do right now to improve your security posture?

• The ASD Top 4:
  o Application Whitelisting
  o Patching applications and OS’s
  o Using the latest versions of software
  o Restrict Administrative privileges


What could you do right now to improve your security posture?

• Have an emergency plan
  o Minimal = who to call list, i.e. Techs, Legal or Financial reps, PR, the CEO…

• Backups of sensitive information kept safe* for restoration of systems after a breach – continuity..

(*Offline copies if possible to avoid infections and ‘ransomware’ … aka ‘crypto-attacks’)


Quick-wins

“40% OF CONTROLS DETERMINED TO BE MOST EFFECTIVE FALL INTO THE QUICK WIN CATEGORY.”

- Verizon DBIR 2015

Examples:

• The ASD Top 4 (85% of intrusions mitigated)
• A ‘Who To Call’ List
• Backups (hopefully you are already doing this…)


Opportunities for further action

• How to know what you have lost/was stolen (or what was damaged or corrupted)?
  o Logging and monitoring mechanisms
• How to know what happened so you can fix it for next time someone tries it
• Understand Vectors of attack (Threats/IOTs)
  o Vulnerabilities you need to fix or vulnerable systems to protect
• Fixing it long term…
  o May need to review your technical controls, process or policy procedures
• Some of these may require expert help…


References and further reading

• StaySmart Online Small Business Guide
  o (www.communications.gov.au/what-we-do/internet/stay-smart-online/smallbusinessguide)
• ScamWatch
  o (www.scamwatch.gov.au/)
• ASD Top 4 (Top 4 Strategies to Mitigate Targeted Cyber Intrusions)
  o www.asd.gov.au/publications/protect/top_4_mitigations.htm


References and further reading

• US-CERT Tips - Tips describe and offer advice about common security issues for non-technical computer users.
  o (https://www.us-cert.gov/ncas/tips)
• Surveys and Publications
  o “ACSC Threat Report 2015”
  o “ACSC Commonly exploited software vulnerabilities targeting critical networks”
  o “Mobile Cyber Threats” – Oct 2014 – Kaspersky and INTERPOL
  o “Data Breach Investigations Report” – 2014 – Verizon
  o “2014 Cost of Data Breach Australia” – Ponemon Institute
  o “Winning the Cyber Security Small-Medium Business Opportunity” – FireEye 2014
  o “Australian - Cyber crime security survey report 2013” – CERT Australia


Reporting a security breach or incident

• Australian government organisations should contact the ACSC on 1300 CYBER1 (1300 292 371) or [email protected]
• Australian businesses or other private sector organisations* seeking assistance should contact CERT Australia by emailing [email protected] or by calling 1300 172 499
  (*CERT Australia is primarily interested in Large or Medium enterprises operating systems of national interest [e.g. critical infrastructure] but will always speak to you)
• Australian SMEs may choose membership with AusCERT (a not-for-profit security group based at the University of Queensland)
  o “AusCERT members receive timely threat and vulnerability alerts and access to the following services”
  o Contact AusCERT by emailing [email protected] or by calling 07 3365 4417


Reporting Cyber Crime:

• ACORN (Australian Cybercrime Online Reporting Network) (www.acorn.gov.au/)

Seeking Advice:

• Australian Cyber Security Centre (www.acsc.gov.au/news.html)
  o Includes: CERT Australia (www.cert.gov.au) and other Federal Government partners
• AusCERT (www.auscert.org.au)


Video (dramatization) by Deloitte...

• https://www.youtube.com/watch?v=l_XOrcBxy-E


Mark McPherson

Game-On ITC

InfoSec Training & Consulting

[email protected]

Phone: 0417631889

Information Security Specialist

Training, CyberSec Exercises, Workshops, Advice