Using COBIT 5 to implement Cyber Security of Web Applications

CA A.Rafeq, FCA, CISA, CGEIT, CIA
Managing Director, Wincer Infotech Limited
www.wincaat.com

Presentation at Special CPE Session
Saturday, 17th Oct. 2015 (9.30 AM to 11.00 AM)
Hotel Pride, Bangalore

Agenda/Session Plan

1. COBIT 5 in a Capsule
2. Essence of Cyber Security
3. Cyber Security using Frameworks
4. Cyber Security of Web Apps


Ten Hot Tech Skills Gaining Speed


Cloud


Cyber security


Macro to Micro: Top Down Approach

COBIT 5 → Cyber Security → Web Applications: Applying COBIT 5 to Cyber Security of Web Applications

1. COBIT in a Capsule

How to use COBIT 5?
• Principles and Enablers
• Products
• Implementation
• Processes and Practices

Why use COBIT 5?


What is COBIT 5?

The only Business Framework for the Governance and Management of Enterprise IT.

COBIT 5 Principles


Principle 1: Meeting Stakeholder Needs

Enterprises exist to create value for their stakeholders.

Value creation: realizing benefits at an optimal resource cost while optimizing risk.


Principle 1: Meeting Stakeholder Needs

Stakeholder needs have to be transformed into an enterprise's actionable strategy.

The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customized goals.


Principle 2: Covering the Enterprise End–to–End


Principle 3: Applying a Single Integrated Framework

Enablers provide structure to the COBIT 5 knowledge base.

Principle 4: Enabling a Holistic Approach


Principle 4: Enablers of COBIT 5


Principle 5: Separating Governance from Management

COBIT 5 Governance and Management Key Areas


COBIT 5 Processes

Governance of Enterprise IT:
• Evaluate, Direct and Monitor

Management of Enterprise IT:
• Align, Plan and Organize
• Build, Acquire and Implement
• Deliver, Service and Support
• Monitor, Evaluate and Assure

COBIT 5 Process Reference Model

COBIT 5 Product Family


COBIT 5 Implementation


Implementing COBIT 5 best practices

1. COBIT 5 has a knowledge repository of best practices which is complete, consistent, and easily navigable.

2. COBIT 5 guidance can be used and adapted for meeting any applicable legal, regulatory and contractual requirements.

3. Learn how to navigate the knowledge repository and select the relevant guidance.


2. Essence of Cyber Security


Increasing dependence on the internet

Directly:
◦ Communication (Email, IM, VoIP)
◦ Commerce (business, banking, e-commerce, etc.)
◦ Control systems (public utilities, etc.)
◦ Information and entertainment
◦ Sensitive data stored on the Internet

Indirectly:
◦ Business, Education, Government have permanently replaced physical/manual processes with Internet-based processes


What is Cyber Security?

‘Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.’
http://whatis.techtarget.com/definition/cybersecurity


Cybersecurity

Refers to preventative methods used to protect information from being stolen, compromised or attacked.

Requires an understanding of potential information threats, such as viruses and other malicious code.

Cybersecurity strategies include identity management, risk management and incident management.


Why is Cyber Security required?


Cybersecurity Attacks: Vulnerabilities


Cyber Security Objectives

• Integrity (authenticity)
• Availability (access)
• Confidentiality (disclosure)

Cyber Security Objectives in real world

• Integrity (authenticity)
• Availability (access)
• Confidentiality (disclosure)
• Usage (purpose)

Cybersecurity Roadblocks

No metrics to measure (in)security

Internet is inherently international

Private sector owns most of the infrastructure

“Cybersecurity Gap”: a cost/incentive disconnect?

◦ Businesses will pay to meet business imperatives

◦ Who’s going to pay to meet national security imperatives?


Key considerations in implementing Cyber Security


ISACA’s Certification in Cyber Security


3. Cyber Security using Frameworks

Implementing Cyber Security Framework


Cybersecurity framework?

“The security professional needs to adhere to a framework.… once the security professional begins to bring order to the organization’s security program, they are implementing a framework.” -- http://www.securitycurrent.com/en/writers/david-sheidlower/security-where-myths-should-go-to-die

Benefits:

◦ From chaos to order and organization

◦ Manageable practice

◦ From tools / mechanisms → architecture / policy → strategy / governance


NIST Cybersecurity Framework

• Three parts:
  ◦ The Framework Core
  ◦ The Framework Profile
  ◦ The Framework Implementation Tiers

• Framework Core
  ◦ A set of activities, outcomes, and informative references
  ◦ Providing the detailed guidance for developing individual organizational Profiles

Using the Framework

Building from standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:

1) Describe their current cybersecurity posture;

2) Describe their target state for cybersecurity;

3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;

4) Assess progress toward the target state;

5) Communicate among internal and external stakeholders about cybersecurity risk.


Framework Core

• Five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover

• Altogether, the functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

• Functions organize basic cybersecurity activities at their highest level.

• Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
  ◦ Example Categories: “Asset Management,” “Access Control,” “Detection Processes.”

Framework Profile

• Represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories

• Aligning standards, guidelines, and practices to the Framework Core in a particular implementation scenario

• “Current” profile vs. “Target” profile

• Comparison of Profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives.


Framework Profile


• The Framework document does not prescribe Profile templates, allowing for flexibility in implementation.

• Example profiles can be found: http://www.nist.gov/itl/upload/discussion-draft_illustrative-examples-082813.pdf

Example Profiles for Threat Mitigation:
1. Mitigating intrusions
2. Mitigating malware
3. Mitigating insider threats


Gartner Recommendations


Enterprises:
• Use the CSF as a legal framework to map your IT/OT risks.
• Avoid making long-term procurement- or compliance-based decisions from the CSF's guidance in its current state as it is missing key components.
• Continue to apply standards that are well-accepted by your respective industries.

Critical infrastructure companies with existing cybersecurity risk programs:
• Use the CSF to validate program completeness.

Enterprises with nascent cybersecurity risk management programs:
• Use the CSF as a starting point for cybersecurity risk planning, as a self-assessment tool and as a reference to weigh consulting offerings.

Companies with considerable IT/OT assets:
• Use the CSF as an aid to align and integrate cybersecurity risk management across corporate and industrial control/automation requirements.

4. Implementing Cyber Security for Web Apps

Web application or Web Apps

An application program that is stored on a remote server and delivered over the Internet through a browser interface.

Refers to any program that is accessed over a network connection using HTTP, rather than existing within a device’s memory.

Often run inside a Web browser. May be client-based, where a small part of the program is downloaded to a user’s desktop, but processing is done over the Internet on an external server.

Any website component that performs some function for the user qualifies as a Web app.


Web application security

Branch of Information Security that deals specifically with security of websites, web applications and web services.

At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems.


Cyber Security in Context: Cyber wars

Corporate Cybersecurity = availability, integrity and secrecy of information systems and networks in the face of attacks, accidents and failures, with the goal of protecting a corporation’s operations and assets

National Cybersecurity = availability, integrity and secrecy of the information systems and networks in the face of attacks, accidents and failures, with the goal of protecting a nation’s operations and assets


Types of Controls


Assurance of Web Apps

• Business Processes on the web
• Applicable Regulatory requirements
• Organization Structure and Access policy
• Technology Deployed and Security
• Assurance Process: Frameworks

Integrating COBIT 5 with Cyber Security of Web Applications

Tailored as per Enterprise Requirements:
• COBIT 5
• COBIT 5 for Cyber Security
• Cyber Security of Web Applications
• Security of Web Applications

COBIT 5 → Cyber Security → Web Apps

Four strategic best practices for protecting Web applications

To address security-related issues as they pertain to Web applications, organizations can employ four broad, strategic best practices.

1. Increase security awareness

2. Categorize application risk and liability

3. Set a zero-tolerance enforcement policy

4. Integrate security testing throughout the development and delivery process


Crystal Ball: In the Year 2025

PAST, PRESENT
• Cyber security is a young and immature field
• The attackers are more innovative than defenders
• Defenders are mired in FUD (fear, uncertainty and doubt) and fairy tales
• Attack back is illegal or classified

FUTURE
• Cyber security will become a scientific discipline
• Cyber security will be application and technology centric
• Cyber security will never be “solved” but will be “managed”
• Attack back will be an integral part of cyber security

Seven Tips for Cyber Safety


1. Install OS/Software Updates
2. Run Anti-virus Software
3. Prevent Identity Theft
4. Turn on Personal Firewalls
5. Avoid Spyware/Adware
6. Protect Passwords
7. Back up Important Files

Summary

Thank You

[email protected]