
Using international standards to improve Asia-Pacific cyber security

Tuesday, 24 March, 2015

Alan Calder
IT Governance Ltd
www.itgovernance.asia

PLEASE NOTE THAT ALL DELEGATES IN THE TELECONFERENCE ARE MUTED ON JOINING AND WILL AUTOMATICALLY BE UNMUTED FOR THE START OF THE Q&A SESSION

Introduction

About Alan Calder…

• Acknowledged international cyber security expert
• Leading author on information security and IT governance issues
• Led the world’s first successful implementation of ISO 27001 (then called BS 7799)
• Consultant on cyber security and IT governance strategies globally, including across the Asia-Pacific region

© IT Governance Ltd 2015

Agenda

• The cyber threat – Breaking down recent high-profile data breaches
• Current legislation – Learn about the current data protection laws in Hong Kong, Australia, Singapore and the Philippines
• International standard – Discover how the cyber security standard, ISO 27001, will help get your business cyber secure

Current cyber threat

The current cyber threat

• 1 billion data records compromised globally in 2014
• 1,500 data breaches globally in 2014
• $2.8 million is the average cost of a data breach in Australia
• 70% believe cyber attacks are among the three biggest threats facing organisations

The current cyber threat

• 61% of APAC organisations expect a cyber attack to strike their organisation in 2015, but only 43% are prepared
• 76% of APAC organisations have detected security incidents in the past 12 months
• 63% of APAC organisations will increase their security budget over the next 12 months

The changing threat landscape

• 87% of iPhone and 97% of Android top 100 apps have been hacked
• 100% of companies experience virus attacks, and 97% have suffered malware attacks
• 156 million phishing emails are sent every day
• 15 million make it through spam filters
• The average cost for each stolen record in Australia is $145

Why did they fail to avoid a breach?

[Chart: Root cause of data breaches – The changing threat landscape]

Source: Ponemon Institute – Year of the Mega Breach 2014

Case study – Philippine government

• Government websites compromised multiple times by hacktivists
– Nov 2013 – Philippine hacker group linked to Anonymous hacked numerous government websites, calling on the public to support a protest
– Nov 2014 – Philippine branch of Anonymous hacked 11+ government websites to express dissatisfaction: “Your governments have failed you, they sit atop their thrones and abuse their power”
– Feb 2015 – Website compromised by anti-ISIS hacker, posting expletive-ridden message

Case study – Philippine government

• No formal statement from the government about the hacks, how they happened or what they are doing about it, but it is clear that:
– Government is unprepared for a cyber attack and failing to put effective measures in place
– Little or no contingency plans
– Websites restored but government’s lack of security exposed
– Effective way for hacktivists to voice opinions

Case study – Lizard Squad and their infamous DNS attacks

Hacking group Lizard Squad appears to have attacked a number of websites:

Lizard Squad attacks Malaysia Airlines website, January 2015
• Visitors to www.malaysiaairlines.com on Monday 26 January found the message “404 – Plane Not Found”
• Appeared to be a DNS attack, overriding settings and redirecting site visitors to a Lizard Squad-controlled page
• Fully recovered within 22 hours

Google Vietnam hacked by Lizard Squad, February 2015
• Google.com.vn, the search giant’s Vietnamese site, appeared to have suffered a DNS attack by Lizard Squad
• Site visitors found a photo of a man taking a selfie with an iPhone instead of the normal search engine

Lenovo attacked after Superfish controversy, February 2015
• Lizard Squad attacked Lenovo’s website with a DNS attack, redirecting users to a free CloudFlare account

Last year, the hacking group claimed responsibility for attacks on Sony’s PlayStation Network and Microsoft’s Xbox Live network, among others.

Case study – Lizard Squad DNS attacks

What are DNS attacks?

• Domain Name System (DNS)
• DNS hijacking works by overriding TCP/IP settings and redirecting site visitors rather than by assuming control of the actual target site
• DNS hijacking rarely affects customer information, instead causing disruption to affected sites by gaining control over their domain names
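As an added example (not code from the slides or from IT Governance), the kind of check a defender would run to catch the hijacks described above: compare the NS and A records seen through several independent resolvers against a known-good baseline, and classify whether the delegation itself was repointed (as in a registrar-level hijack) or only some resolvers are answering wrongly. Resolver names, NS names and IP addresses below are constructed sample values.

```python
"""Added example: spot DNS hijacking by comparing records from several
resolvers against a known-good baseline. Not code from the original slides.
Resolver answers are constructed sample data (RFC 5737 test addresses,
hypothetical NS names); a real monitor would gather them with live queries."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    resolver: str
    ns: frozenset  # NS names returned for the zone
    a: frozenset   # A records returned for the web host


# Known-good records captured when the zone was last verified (constructed).
BASELINE_NS = frozenset({"ns1.example.net.", "ns2.example.net."})
BASELINE_A = frozenset({"203.0.113.10"})


def assess(observations, baseline_ns=BASELINE_NS, baseline_a=BASELINE_A):
    """Return (verdict, offending_resolvers).

    ns-changed          every resolver reports NS outside the baseline: the
                        delegation itself was altered (registrar-level hijack)
    partial-ns-mismatch only some resolvers report foreign NS (change propagating)
    a-changed           delegation intact but every resolver returns foreign A
    partial-a-mismatch  only some resolvers return foreign A (resolver-level poisoning)
    ok                  everything matches the baseline
    """
    ns_bad = sorted(o.resolver for o in observations if not o.ns <= baseline_ns)
    a_bad = sorted(o.resolver for o in observations if not o.a <= baseline_a)
    total = len(observations)
    if ns_bad:
        return ("ns-changed" if len(ns_bad) == total else "partial-ns-mismatch"), ns_bad
    if a_bad:
        return ("a-changed" if len(a_bad) == total else "partial-a-mismatch"), a_bad
    return "ok", []


def obs(resolver, ns, a):
    return Observation(resolver, frozenset(ns), frozenset(a))


# Constructed scenarios: the same zone seen from three independent resolvers.
RESOLVERS = ("res-1", "res-2", "res-3")
CLEAN = [obs(r, BASELINE_NS, BASELINE_A) for r in RESOLVERS]
HIJACKED = [obs(r, {"ns-a.unexpected.example."}, {"198.51.100.7"}) for r in RESOLVERS]
POISONED = CLEAN[:2] + [obs("res-3", BASELINE_NS, {"198.51.100.7"})]  # one resolver lies

if __name__ == "__main__":
    for name, scenario in (("clean", CLEAN), ("hijacked", HIJACKED), ("poisoned", POISONED)):
        print(name, assess(scenario))
```

Running the check from several networks matters: a single resolver cannot distinguish a poisoned cache from a genuine change at the registrar.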

Effects

• Websites restored but lack of security/vulnerability exploited
• Effective way for hackers to voice opinions

International case study – Sony Pictures

Data breach

• November 2014
• Hackers infiltrated Sony’s corporate computer network
• Torrents of unreleased Sony Pictures films appeared online
• Personal information about employees (families, emails, salaries, etc.) was leaked
• Plaintext passwords leaked online, along with other credential data
• Huge amount of marketing slide decks were leaked
• Kept Sony staff from using computers for days
• Sony postponed release of upcoming film The Interview

International case study – Sony Pictures

Repercussions

• North Korea blamed, increasing tension with the US
• Ex-employees sought to combine class action lawsuits against Sony
• Costs reach $100 million

How did the breach get so bad?

• Executives ignored ransom emails, treated as spam
• Failed to acknowledge breach until one week later
• Generally lax approach to online security
– April 2011 – Sony’s PlayStation network hacked and 76 million gamers’ accounts compromised
– Inappropriate spending? $250 million budget still couldn’t keep them cyber secure

Small companies are at risk too

• Cyber criminals target indiscriminately
• 60% of breached small organisations close down within six months
• Often lack effective internal security practices
• No dedicated IT security and support
• Passwords, system access easily compromised
• Out-of-date server hardware and software
• Websites are built on common, open-source frameworks – weaknesses easily exploited

What is the board told?

• 32.5% of boards do not receive any information about their cyber security posture and activities
• 38% of the remainder receive reports only annually
• 29% of IT teams don’t report breaches for fear of retribution

Source: IT Governance ‘Boardroom Cyber Watch Survey 2014’

Cyber security skills shortage

Shortage
• Global shortage of two million cyber security professionals by 2017

ISACA report
• 85% believe there is a shortage
• 53% consider it difficult to identify adequate cyber security skills
• 50% plan to increase staff training

Companies should be looking for
• Industry-recognised qualifications (IBITGQ)

Current cyber security legislation

Australia

Cyber Security Strategy 2009

• Framework to address the increasing risk of online threats to the country
• Aims to have businesses operate secure and resilient information and communications technologies, thereby protecting the integrity of their own operations and the identity and privacy of their customers
• Criticism – significantly out of date. Prime Minister Tony Abbott is currently pushing for a cyber security review

Hong Kong

Personal Data (Privacy) Ordinance (PDPO)

• Governs data subjects’ personal data
• Six principles for data processors to abide by
– DPP4 – practicable steps shall be taken to ensure that personal data are protected against unauthorised or accidental access, processing or erasure
• Max. penalty of five years’ imprisonment and up to HKD$1,000,000
• Data users are liable for any breach by third parties

The Philippines

Cybercrime Prevention Act of 2012

• Enacted to address numerous forms of cyber crime
• Applicable to organisations outside the Philippines
• Met with controversy – many saw the legislation as a heavy-handed undermining of free expression and privacy, therefore the Supreme Court put a temporary restraining order in place
• Feb 2014 – Supreme Court ruled a number of provisions to be constitutional, including:
– Cyber crime offences
– Cyber crime against critical infrastructure
– Misuse of devices

Singapore

Personal Data Protection Act (PDPA) 2012
• Governs the collection, use and disclosure of personal data by organisations
• Only concerns individuals’ data and not corporate data

National Cyber Security Masterplan 2018
• Five-year plan aims to develop Singapore as a “trusted and robust infocomm hub by 2018”

Computer Misuse and Cybersecurity Act 1993 (Amended 2013)
• Provision for securing computer material against unauthorised access or modification, and requires organisations to take appropriate cyber security measures
– Punishable offences could be up to ten years’ imprisonment and/or SGD$50,000 fine

Meeting cyber security legislation

• A strong security posture
• An effective incident response plan
• A CISO appointment
• Implementing industry standards*

Source: 2014 Global Report on the Cost of Cyber Crime – Ponemon and HP

International standards

ISO 27001 – the cyber security standard

• ISO 27001 – a globally recognised standard that provides a best-practice framework for addressing the entire range of cyber risks
– Encompasses people, processes and technology
– Systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to achieve business objectives

Key elements of implementing ISO 27001

• Determine the scope of the ISMS
• Consider the context of the organisation and interested parties
• Appoint a senior individual responsible for information security
• Conduct a risk assessment – identify risks, threats and vulnerabilities
• Appoint risk owners for each of the identified risks
• Implement appropriate policies and procedures
• Conduct staff training
• Conduct an internal audit
• Perform continual improvement of the ISMS

How will ISO 27001 benefit your business?

• Increased/appropriate level of information security
– Systematic approach to risks
– Informed decisions on security investments: cost-effective security
• Better work practices that support business goals
• Good marketing opportunities
• Credibility with staff, customers and partner organisations
• Due diligence
• Compliance with corporate governance requirements
– Appropriate action to comply with law
– Manage business risks
– Industry best-practice security
– Internationally recognised good security practice

Benefits of ISO 27001 certification

• Assurance to customers, employees, investors – their data is safe
• Credibility and confidence
• Internationally recognised
• Shows that you have considered all of the information security-associated risks
• Notably fulfilling fiduciary responsibilities
• Supports your adherence to multiple compliance requirements

ISO 27001 in APAC

Why some of the world’s most valuable brands pursue ISO 27001 certification

Google: “This certification validates what I already knew… that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps.”

Amazon: “The certification confirms our longstanding commitment to the security of our services to our customers.”

Microsoft: “…provides external validation that our approach to managing security risk in a global organization is comprehensive and effective, which is important for our business and consumer customers.”

IT Governance

• Helped over 150 organisations achieve ISO 27001 certification worldwide
• 15+ years’ experience
• Highly regarded within the industry
• Unique offering of tools, training and consultancy, which is unavailable elsewhere

Fixed-price, packaged solutions

• You deliver the project independently
• You resource the project, calling on specialist tools and courses to aid efficiency and accelerate implementation
• IT Governance removes all the pain, delivering a certification-ready ISMS, aligned with ISO 27001
• You resource the project, use tools and courses and benefit from the expert’s know-how
• You own and are in control of the project, receiving hands-on guidance from us
• You provide input

Supporting products: standards and books; software and documentation templates; training; mentor and coach

Find out more: www.itgovernance.asia/t-iso27001-solutions.aspx