SENG 460 / ECE 574 Practice of Information Security and Privacyweb.uvic.ca/~garyperkins/SENG 460 -...

Page 1: SENG 460 / ECE 574 Practice of Information Security and Privacyweb.uvic.ca/~garyperkins/SENG 460 - ECE 574 - Lecture 05... · 2020-01-24 · 3 targeted areas of democratic process:

SENG 460 / ECE 574

Practice of Information Security and Privacy

Gary Perkins, MBA, CISSP

[email protected]

Review: Reading & Lecture

▪ disaster response

▪ shouldn’t exchange business cards during an emergency

▪ meaning you need to be proactive, make introductions before there is a problem

▪ severe lack of understanding about real risks behind headlines

▪ 80% say security is discussed in most or every boardroom meeting

Chapter 13

▪ boards are increasingly looking at the CEO and executive members to step up

▪ as the CEO your job is to balance risk and reward in your company

▪ what is the current level of cyber risk? what is our plan to address?

▪ how is executive informed of cyber risk?

▪ how do we apply industry standards, best practices?

Chapter 13

▪ how many/types of cyber incidents do we detect? what is the threshold for notifying executive?

▪ how comprehensive is cyber incident response plan? how often is the plan tested?

▪ critical for CEOs to lead involvement of cyber risks in risk management

▪ involve CIO, CSO, CISO in conversation from the beginning

Chapter 13

▪ make sure cyberthreats not seen as ‘someone else’s problem’

▪ cyberthreats are very real

▪ tools are regularly sold on the online black market

▪ no solution is 100%

▪ develop an incident response plan and regularly test it

▪ understand the impacts of cyber incidents

▪ identify your crown jewels – critical assets and data

Chapter 13

▪ must balance risks and rewards of your decisions and investments

▪ cyberthreats seem to be an issue of fear for boardrooms

▪ need to get to a point where cybersecurity is a normal part of business operational plan

Chapter 13

▪ cybersecurity programs address risk that includes sophisticated attacks

▪ boards and C-suites don’t have cybersecurity skills

▪ threat landscape is evolving

▪ platforms holding sensitive data are changing

▪ cybersecurity should not consist of an annual review

▪ primary risk to cyber assets is a cyber attack

▪ “We must know ourselves and our enemies and select a strategy to positively influence the outcome of the battle. There is no reason to fear the attack but there is reason to be concerned about our readiness to defend ourselves from the attack and respond appropriately.”

Chapter 14

▪ when will the cybersecurity program be completed? never

▪ it is a process and not an endpoint

▪ it is a journey, not a destination

▪ 5 step process: plan, protect, detect, respond, adjust

▪ asset inventory, risk assessment, governance

▪ are your most important systems and data deployed in protected zones?

Chapter 14

▪ what are your top 3 most important business processes?

▪ what systems support those functions?

▪ does the way your CIO answers match your understanding of critical systems?

▪ Tier 1: executive leadership

▪ Tier 2: business management

▪ Tier 3: systems management

Chapter 14

▪ risk management is to drive selection of adequate and rational controls and assign responsibilities to manage them

▪ comprehensive program addresses administrative, physical, and technical controls

▪ cyberinsurance is becoming increasingly popular way to transfer risk

▪ outcome for program is expectation that organization can defend its assets from cyber attack

Chapter 14

▪ executive roles

▪ business unit roles

▪ systems management roles

▪ cybersecurity programs are often a work in process for several years

▪ best program is one the staff and partners will execute

▪ magic is in the ability of organization to manage solutions to mitigate risks

▪ shortage of talent

Chapter 14

▪ maintenance of systems and security controls often go underfunded

▪ cybersecurity programs moved from static defenses to active defenses

▪ no program is perfect

▪ continuous monitoring and reporting are important

▪ plan, protect, detect, respond, adjust

Chapter 14

▪ All material and notes are attributed to:

▪ Cyber Threats to Canada’s Democratic Process

▪ produced by the Communications Security Establishment

Threats to Canada’s Democratic Process

▪ Cyber threat activity against the democratic process is increasing around the world

▪ Canada is not immune

▪ small number of nation-states have undertaken majority of cyber activity against democratic process

▪ multiple groups will likely deploy cyber capabilities against future elections ranging in sophistication

▪ elections are largely paper-based and have controls in place

Threats to Canada’s Democratic Process

▪ threat to Canada’s democratic process remains at ‘low’ level

▪ 3 targeted areas of democratic process:

1) elections

2) political parties and politicians

3) traditional and social media

▪ highly probable threat activity will increase

▪ cyber capabilities are publicly available and cheap and easy to use

Threats to Canada’s Democratic Process

▪ rapid growth of social media and other factors without sufficient checks and balances means spreading ‘fake news’ is easier than ever

▪ elections are increasingly using technology

▪ deterring cyber threat activity is challenging because it is difficult to detect, attribute, and respond to in a timely manner

Threats to Canada’s Democratic Process

▪ different types of threats: strategic threats and incidental threats

▪ motivation for organized crime or “cybercriminals” is profit

▪ cyber threats can be a show of force to deter other nation-states

▪ adversaries may seek to change Canadian election outcomes, policy choices, government relationships

Threats to Canada’s Democratic Process

▪ one goal is to reduce trust in a free and fair democratic process

▪ another goal may be to shift policy in a preferred direction or promote core interests

▪ elections are targeted to prevent citizens registering, prevent voters from voting, tamper with election results, steal voter database

▪ three essential phases: registering voters, voting, disseminating results

Threats to Canada’s Democratic Process

▪ if voter registration happens online, adversaries could use cyber capabilities to pollute the database with fake accounts

▪ could take the site off line or erase or encrypt the data

▪ it is more likely that adversaries could disrupt the voting process and cause doubt about the fairness than actually change the results

Threats to Canada’s Democratic Process

▪ two types of threats

▪ known (those that you can anticipate)

▪ unknown (those that you are unable to anticipate)

▪ two types of attacks:

▪ direct (attacks directly against voting assets)

▪ indirect (attacks intended to shift perception of the voting process)

▪ goal is to prepare for the known so that, when the time comes, you can focus on the unknowns that arise

Threats to Canada’s Democratic Process

▪ threats to political parties and politicians include: cyberespionage, blackmail, embarrass/discredit, steal/manipulate voter or party database

▪ cyber capabilities to disable a website are simple to buy or rent

▪ adversaries may steal a voter database in order to sell it on the Darkweb

Threats to Canada’s Democratic Process

▪ covert manipulation of traditional and social media to influence political discussion

▪ troll farms: groups of people paid to spread propaganda on social media

▪ social botnets: series of computers commanded by a single person

▪ DDoS: distributed denial of service attack – could be against a political or media website

Threats to Canada’s Democratic Process

▪ deface a website: attackers could modify the content to embarrass, discredit, or spread false content

▪ spearphishing: targeted phishing against a political target or other

▪ ransomware: restricts access and compels victims to pay to have access returned

▪ the most effective defenses against ransomware are user awareness and offline or disconnected backups

Threats to Canada’s Democratic Process

▪ redirect/man-in-the-middle attack: when the attacker logically inserts themselves between the source and recipient of the traffic

▪ low sophistication: single capability, single target, little or no planning, no lasting effect

▪ medium sophistication: a few capabilities, more than one target, planning, multiple affected

▪ high: several capabilities used expertly, numerous targets, extensive planning, long impacts

Threats to Canada’s Democratic Process

▪ possible attack - gain access, move laterally, monitor, analyze, contact rival

▪ “Many effective cyber capabilities are readily available, cheap, and easy to use.

▪ Deterring cyber threat activity is challenging. We are unable to attribute about 20 percent of incidents to a particular adversary. Of those incidents that are attributed, most appear to have gone unpunished.”

Threats to Canada’s Democratic Process

▪ “The rapid growth of social media coupled with the decline in longstanding authoritative sources of information make it easier for adversaries to use cyber capabilities and other methods to inject disinformation and propaganda into the media to influence voters.

▪ Elections and election agencies are adopting more online processes, making them more vulnerable to cyber threats.”

Threats to Canada’s Democratic Process

▪ “There is a dynamic of success emboldening adversaries to repeat their activity, and to inspire copycat behaviour.”

▪ during the 2015 federal election, Canada was targeted by low sophistication cyber activity

▪ next federal election is set for 2019

▪ nation-states have demonstrated the highest sophistication

Threats to Canada’s Democratic Process
