SENG 460 / ECE 574
Practice of Information Security and Privacy
Gary Perkins, MBA, CISSP
Review: Reading & Lecture
▪ disaster response
▪ shouldn’t exchange business cards during an
emergency
▪ meaning you need to be proactive, make
introductions before there is a problem
▪ severe lack of understanding about real risks behind
headlines
▪ 80% say security is discussed in most or every
boardroom meeting
Chapter 13
▪ boards are increasingly looking at the CEO and
executive members to step up
▪ as the CEO your job is to balance risk and reward in
your company
▪ what is the current level of cyber risk? what is our
plan to address?
▪ how is executive informed of cyber risk?
▪ how do we apply industry standards, best practices?
Chapter 13
▪ how many/types of cyber incidents do we detect?
what is the threshold for notifying executive?
▪ how comprehensive is cyber incident response plan?
how often is the plan tested?
▪ critical for CEOs to lead involvement of cyber risks
in risk management
▪ involve CIO, CSO, CISO in conversation from the
beginning
Chapter 13
▪ make sure cyberthreats not seen as ‘someone else’s
problem’
▪ cyberthreats are very real
▪ tools are regularly sold on the online black market
▪ no solution is 100%
▪ develop an incident response plan and regularly test it
▪ understand the impacts of cyber incidents
▪ identify your crown jewels – critical assets and data
Chapter 13
▪ must balance risks and rewards of your decisions and
investments
▪ cyberthreats seem to be an issue of fear for
boardrooms
▪ need to get to a point where cybersecurity is a normal
part of business operational plan
Chapter 13
▪ cybersecurity programs address risk that includes
sophisticated attacks
▪ boards and C-suites don’t have cybersecurity skills
▪ threat landscape is evolving
▪ platforms holding sensitive data are changing
▪ cybersecurity should not consist of an annual review
▪ primary risk to cyber assets is a cyber attack
▪ “We must know ourselves and our enemies and select a strategy to positively influence the outcome of the battle. There is no
reason to fear the attack but there is reason to be concerned about our readiness to defend ourselves from the attack and
respond appropriately.”
Chapter 14
▪ when will the cybersecurity program be completed?
never
▪ it is a process and not an endpoint
▪ it is a journey, not a destination
▪ 5 step process: plan, protect, detect, respond, adjust
▪ asset inventory, risk assessment, governance
▪ are your most important systems and data deployed in
protected zones?
Chapter 14
▪ what are your top 3 most important business
processes?
▪ what systems support those functions?
▪ does the way your CIO answers match your
understanding of critical systems?
▪ Tier 1: executive leadership
▪ Tier 2: business management
▪ Tier 3: systems management
Chapter 14
▪ risk management is to drive selection of adequate and
rational controls and assign responsibilities to manage
them
▪ comprehensive program addresses administrative,
physical, and technical controls
▪ cyberinsurance is becoming an increasingly popular way
to transfer risk
▪ outcome for program is expectation that organization
can defend its assets from cyber attack
Chapter 14
▪ executive roles
▪ business unit roles
▪ systems management roles
▪ cybersecurity programs are often a work in process for
several years
▪ best program is one the staff and partners will execute
▪ magic is in the ability of organization to manage
solutions to mitigate risks
▪ shortage of talent
Chapter 14
▪ maintenance of systems and security controls often goes
underfunded
▪ cybersecurity programs moved from static defenses to
active defenses
▪ no program is perfect
▪ continuous monitoring and reporting are important
▪ plan, protect, detect, respond, adjust
Chapter 14
▪ All material and notes are
attributed to:
▪ Cyber Threats to Canada’s
Democratic Process
▪ produced by the
Communications Security
Establishment
Threats to Canada’s Democratic Process
▪ Cyber threat activity against the democratic process is
increasing around the world
▪ Canada is not immune
▪ small number of nation-states have undertaken
majority of cyber activity against democratic process
▪ multiple groups will likely deploy cyber capabilities
against future elections ranging in sophistication
▪ elections are largely paper-based and have
controls in place
Threats to Canada’s Democratic Process
▪ threat to Canada’s democratic process remains at
‘low’ level
▪ 3 targeted areas of democratic process:
1) elections
2) political parties and politicians
3) traditional and social media
▪ highly probable threat activity will increase
▪ cyber capabilities are publicly available and cheap and
easy to use
Threats to Canada’s Democratic Process
▪ rapid growth of social media and other factors without
sufficient checks and balances means spreading ‘fake
news’ is easier than ever
▪ elections are increasingly using technology
▪ deterring cyber threat activity is challenging
because it is difficult to detect, attribute, and
respond to in a timely manner
Threats to Canada’s Democratic Process
▪ different types of threats: strategic threats and
incidental threats
▪ motivation for organized crime or “cybercriminals” is
profit
▪ cyber threats can be a show of force to deter other
nation-states
▪ adversaries may seek to change Canadian election
outcomes, policy choices, government relationships
Threats to Canada’s Democratic Process
▪ one goal is to reduce trust in a free and fair
democratic process
▪ another goal may be to shift policy in a preferred
direction or promote core interests
▪ elections are targeted to prevent citizens registering,
prevent voters from voting, tamper with election
results, steal voter database
▪ three essential phases: registering voters,
voting, disseminating results
Threats to Canada’s Democratic Process
▪ if voter registration happens online, adversaries could
use cyber capabilities to pollute the database with
fake accounts
▪ could take the site offline or erase or encrypt the data
▪ it is more likely that adversaries could disrupt the
voting process and cause doubt about the fairness
than actually change the results
Threats to Canada’s Democratic Process
▪ two types of threats
▪ known (those that you can anticipate)
▪ unknown (those that you are unable to anticipate)
▪ two types of attacks:
▪ direct (attacks directly against voting assets)
▪ indirect (attacks intended to shift perception of the voting process)
▪ goal is to prepare for the known so that when the time
comes you can focus on the unknowns that arise
Threats to Canada’s Democratic Process
▪ threats to political parties and politicians include:
cyberespionage, blackmail, embarrass/discredit,
steal/manipulate voter or party database
▪ cyber capabilities to disable a website are simple to
buy or rent
▪ adversaries may steal a voter database in order to sell
it on the Darkweb
Threats to Canada’s Democratic Process
▪ covert manipulation of traditional and social media to
influence political discussion
▪ troll farms: groups of people paid to spread
propaganda on social media
▪ social botnets: series of computers commanded by a
single person
▪ DDoS: distributed denial of service attack – could be
against a political or media website
Threats to Canada’s Democratic Process
▪ deface a website: attackers could modify the content
to embarrass, discredit, or spread false content
▪ spearphishing: targeted phishing against a political
target or other
▪ ransomware: restricts access and compels victims to
pay to have access returned
▪ the most effective defenses against ransomware
are user awareness and offline or disconnected
backups
Threats to Canada’s Democratic Process
▪ redirect/man-in-the-middle attack: when the attacker
logically inserts themselves between the source and
recipient of the traffic
▪ low sophistication: single capability, single target, little
or no planning, no lasting effect
▪ medium sophistication: a few capabilities, more than
one target, planning, multiple affected
▪ high: several capabilities used expertly, numerous
targets, extensive planning, long impacts
Threats to Canada’s Democratic Process
▪ possible attack - gain access, move laterally, monitor,
analyze, contact rival
▪ “Many effective cyber capabilities are readily available,
cheap, and easy to use.
▪ Deterring cyber threat activity is challenging. We are
unable to attribute about 20 percent of incidents to a
particular adversary. Of those incidents that are
attributed, most appear to have gone unpunished.”
Threats to Canada’s Democratic Process
▪ “The rapid growth of social media coupled with the
decline in longstanding authoritative sources of
information make it easier for adversaries to use cyber
capabilities and other methods to inject disinformation
and propaganda into the media to influence voters.
▪ Elections and election agencies are adopting more
online processes, making them more vulnerable to
cyber threats.”
Threats to Canada’s Democratic Process
▪ “There is a dynamic of success emboldening
adversaries to repeat their activity, and to inspire
copycat behaviour.”
▪ during the 2015 federal election, Canada was targeted
by low sophistication cyber activity
▪ next federal election is set for 2019
▪ nation-states have demonstrated the highest
sophistication
Threats to Canada’s Democratic Process