CYBER SECURITY GUIDE 2016 WOLFPACK INFORMATION RISK
RESEARCH | THREAT INTELLIGENCE | ADVISORY | TRAINING AWARENESS | MONITORING | TALENT MANAGEMENT
www.wolfpackrisk.com
Contents

INTRODUCTION
    Introduction
    Approach
    Cyberwolf Cartoon - Reconnaissance

ASSESS - Health Check Phase
    Stakeholder Engagement – Setting the scene
    Cyberwolf Cartoon - Infiltration
    Health Check – Determine the Current State
    Conduct an Information Risk Assessment
    Conduct a Cyber Risk Analysis
    Define a Priority Road Map
    Cyberwolf Cartoon - Revenge

IMPROVE - Remediation Phase
    Define an Information Risk Management Framework
    Establish an Information Security Management System
    ISMS: PLAN Phase
    Cyberwolf Cartoon - Compromise
    ISMS: DO Phase
    ISMS: CHECK & ACT Phase
    Simulated Red and Blue Team Exercises
    Information Security & Privacy Incident Management
    Cyberwolf Cartoon - Spear Phished
    Information Security Programme
    Awareness
    Training Programme
    Training Courses
    Cyberwolf Cartoon - Ransomware

MONITOR – Threat Monitoring Phase
    Cyberwolf Cartoon - Command and Control

About Wolfpack Information Risk
Professional Service Offering
Introduction

Any organisation today faces a constant challenge in preserving the confidentiality, integrity and availability of its information assets against the broad range of external and internal threats. The failure to take a proactive approach to information risk management is leaving many organisations vulnerable, with potentially devastating consequences. We have on many occasions seen how organisations are battling to establish a business-aligned, risk-based cyber security programme that can adapt to a constantly changing regulatory, customer and threat environment.

Wolfpack have over the years established an approach that will:
• Provide you with the highest return on investment (ROI) for your information security spend.
• Protect your organisation from a large majority of threats, thereby reducing risk.
• Demonstrate a proactive posture to safeguard critical assets.
• Elevate security from an operational function to a strategic business enabler.

Cyberspace is where online communication happens. It is the interconnection of humans through technology, without regard to physical geography. Cyber security is the preservation of confidentiality, integrity and availability of information in cyberspace. (ISO 27032)
Approach

This document outlines our approach to:

[Diagram: the Wolfpack approach wheel with three phases, ASSESS, IMPROVE and MONITOR. Ring labels: Information Risk Assessment & Cyber Risk Analysis; Threat & Vulnerability Monitoring; Threat Intelligence; Information Risk Management; Remediation, Simulated Attacks & Incident Response; Training & Awareness; Advisory.]

ASSESS
• Identify the specific information threats facing your business environment.
• Validate acceptable information risk levels in accordance with business requirements.
• Determine the maturity of existing information risk, people, process and technology controls across the areas within scope.
• Highlight key vulnerabilities and risk areas across the organisation.

IMPROVE
• Define a suggested improvement priority road map for the establishment of an Information Risk Management Framework and an Information Security Management System (ISMS) in accordance with ISO 27001:2013 specifications.
• Perform realistic threat testing to ensure the controls are effective.
• Ensure a robust incident management programme is in place.
• Provide a training and awareness programme to transfer skills.

MONITOR
• Correlate and analyse event data.
• Determine suspicious network behaviour, conduct active network scanning and respond to threats more effectively.
[Cyberwolf Cartoon - Reconnaissance]
ASSESS - Health Check Phase

The health check phase consists of the following steps:
• Stakeholder Engagement – A workshop is conducted with senior management and operations to reinforce the importance of information risk management and ensure all stakeholders understand their roles and responsibilities in the upcoming health check.
• Information Risk Assessment – 400 vulnerabilities reviewed across 14 key domains.
• Cyber Risk Analysis – Deep technical monitoring exercise to identify cyber risks.
• Priority Roadmap – Following a rigorous analysis of the assessment results and management concerns, an improvement roadmap is agreed upon to address high priority risks.

Stakeholder Engagement – Setting the scene

An information risk workshop will be conducted with key stakeholders in the organisation to highlight major threats facing the organisation, to reinforce the importance of information risk management and to ensure all stakeholder teams understand their roles and responsibilities in the upcoming assessment. This will improve the accuracy of responses from all applicable sections within the scope of the assessment and encourage open dialogue in order to highlight all major vulnerabilities within the organisation.

Examples of vulnerabilities reviewed, by domain:

Technology / Communication / Organisation / Process
• Inadequate capacity
• Unencrypted communication
• Poor siting of equipment
• Inadequate bandwidth
• Insufficient software testing
• Diagnostic ports active
• Lack of documentation
• Weak wifi security
• Inadequate management oversight
• Weak change management
• Unstable power supply
• No procedure to report weaknesses
• Poor physical security
• Poor log management
• Lack of regular audits
• SLAs not monitored

People
• Poor screening
• Shortage of key skills
• Lack of awareness
• Insufficient monitoring
[Cyberwolf Cartoon - Infiltration]
Health Check – Determine the Current State

Cyber Risk Analysis
• Technical review covers asset discovery, vulnerability management, threat analysis and anomalous behaviour.
• Open Source Intelligence (OSINT) and community threat intelligence reviews are conducted.

Information Risk Assessment
• 400 vulnerabilities are reviewed in interviews with strategic and tactical teams.
• Our health check also factors in concerns raised by stakeholders, audit findings and past incidents.

Conduct an Information Risk Assessment

Our proposal intends to review your current capability to provide assurance to senior management that relevant Information Risk requirements are being managed effectively. We will determine the maturity of your Information Risk capability through the review of existing Information Security, IT Governance and Privacy processes. We propose performing an assessment against a consolidated set of baseline controls from a range of best practices, international standards and legal requirements.

It is recommended that the assessment includes members from Strategic (C-Level), Management and Operational levels to ensure the correct balance of IT governance, business continuity, information security, privacy and cyber security controls is in place.
Conduct a Cyber Risk Analysis

Wolfpack will help determine your current cyber risk status by running simulated threats against different aspects of your environment. Although the threat simulations are passive, they will present data using realistic potential events. This includes IP reputational data from the Open Threat Exchange (OTX) collaboration platform. These simulations identify activity from known threat actors across the globe, including advanced persistent threats.

Simulated threats include:
• Network and port scanning.
• Suspicious database activity.
• Scans against web services.
• Brute force attacks.
• Open Source Intelligence (OSINT) gathering.
• Other simulations.

[Diagram: the monitoring platform used for the analysis, covering internal and external sources, with capabilities grouped as Asset Discovery (active network scanning, passive network monitoring, asset inventory, software inventory), Vulnerabilities (network vulnerability testing, continuous vulnerability monitoring), Threats (network IDS, host IDS, file integrity monitoring (FIM), reporting and alarms), Behavioral (network analysis, service availability, full packet capture, log management, event correlation) and Priorities; labelled Track Compliance, Manage Threats, Incident Response, Deployment, Proactive, Fast and Flexible.]

Define a Priority Road Map

The information risk assessment and cyber risk analysis results will be reviewed in consultation with management, and a priority road map established to address high impact risks.

The following will be considered as part of the risk impact rating scale:
• Business operations impact (the potential negative impact on the achievement of the objectives of the Organisation).
• Financial impact (the potential financial loss that could be suffered by the Organisation as a result of the risk materialising).
• Reputational impact (the potential negative impact on the reputation / image / credibility of the Organisation).
• National impact (the potential negative impact on the critical information infrastructure of the Country).

[Chart: priority road map showing Risk 1 to Risk 6 being reduced month by month from Jan to May.]

“Cyber security is more than an IT issue – it requires a multi-disciplinary approach for preparedness, oversight and execution.”
[Cyberwolf Cartoon - Revenge]
IMPROVE - Remediation Phase

The remediation phase consists of the following steps:
• Information Risk Framework & ISMS – An information risk management framework and information security management system (ISMS) aligned to ISO 27001 specifications is implemented.
• Simulated Red & Blue Team Exercises – We run a number of information & cyber security simulations to help clients test their security against real-world threats and high-profile attacks.
• Incident Response – We establish a comprehensive information security & privacy incident management capability based on ISO 27035. Training and testing is included.

Business Benefits & Continual Improvement Phase

We provide a combination of managed services, “battle-hardened” methods as well as training and awareness to help remediate vulnerabilities and accelerate the implementation of ISMS deliverables. This will ensure that project momentum is maintained and cross-skilling occurs within all applicable sectors of the organisation.

“There’s no silver bullet solution with cyber security - a layered defence covering the full spectrum of prevention, detection, incident response and business resilience is the only viable option”
Define an Information Risk Management Framework

The information risk management framework provides an interactive dashboard to ensure that high priority risks are identified and allocated resources according to business priority.

[Diagram: the framework is organised in three layers.]

BUSINESS (Strategic)
• Governance: Executive Board Committee; Enterprise Risk Committee; Compliance Committee; IR Steering Committee; Programme / Project Office Committee.
• Areas: Governance, Risk & Compliance; Organisational Objectives; Audit & Assurance; Business Continuity; Innovation; Programme & Project Requirements.

INFORMATION RISK MANAGEMENT (Tactical)
• Domains: Governance & Risk Management; Legal & Compliance; Human Resource & Supplier Management; Asset Management; Physical & Environmental Security; Security Architecture & Design; Access Control; Telecoms & Networking; Software Development & Acquisition; Cryptography; Operations Security; Incident Management, BCM & DR; Performance Metrics & Incentives.

IT & OPERATIONS MANAGEMENT
• Governance: IT Governance Council; HR / Communications / Training; Procurement / Supplier Management; Change Management Committee.
• Processes: IT Operations; Capacity Management; IT Incident Management; Problem Management; Facilities Management; HR Processes; Physical Security; Infrastructure Security; Application Security; Release Management; IT Vulnerability Management; Performance Management; Third Party Management; Service Level Management; Change Management; IT Service Continuity Management; Configuration Management; Service Desk; Event Management; Information & Asset Management; Systems Management.

[Cyberwolf Cartoon - Compromise]
Establish an Information Security Management System

A business-aligned ISMS is an essential vehicle to implement the necessary information security controls to address risks identified in the health check phase.

ISMS: PLAN Phase

Review of ISMS and current state of documents:
• Validate scope – To ensure the ISMS scope supports business objectives, audit, compliance, risk, governance & technology requirements.
• ISMS Gap Analysis – To identify and ensure key information assets are protected.
• Policy Management – Review and updating of relevant information security policies and standards.
• Information Risk Management – Review of information risk assessment methodology.
ISMS: DO Phase

Ensure that vital building blocks are in place when implementing the ISMS:
• ISMS Scope.
• ISMS Manual.
• Risk Management.
• Business Impact Analysis.
• Statement of Applicability.
• Awareness & Training Programmes – Design a skills transfer programme to ensure sustainability.
• Incident Management – Implement an incident management programme.
• Management Review of ISMS – Ensure that adequate senior management review sessions are taking place.

ISMS: CHECK & ACT Phase

Review & improve the ISMS:
• ISMS Internal Audit – Ensure an internal audit review of the ISMS against ISO 27001:2013.
• Determine the organisation’s appetite for ISO 27001:2013 certification. If so, assist with:
• Stage 1 / 2 Audit – Finalise logistics with the external auditor for the stage 1 audit.

Simulated Red and Blue Team Exercises

Wolfpack offers a full information & cyber security threat assessment testing programme to help clients protect against evolving cyber security threats and advanced persistent threat (APT) attacks.

The full portfolio of solutions assesses cyber threats, understands defensive capabilities and actively tests an organisation’s battle readiness through various simulated attacks such as phishing, social engineering, unauthorised devices, vulnerability scanning and more. These assessment services help organisations understand risks and take immediate action to strengthen information & cyber security defences, processes and procedures.

[Diagram: threat intelligence (threat actors / internal sources / external sources) feeding into the organisation’s vulnerabilities (technology / communications / process / people); people (management, staff, IT, contractors), processes and controls sit in the centre, with partners and customers (global / local / internal) on either side.]
Information Security & Privacy Incident Management

Information security policies or controls alone will not guarantee total protection of information, information systems, services or networks. After controls have been implemented, residual vulnerabilities are likely to remain that can reduce the effectiveness of information security and facilitate the occurrence of information security incidents. This can potentially have direct and indirect adverse impacts on an organisation's business operations. Furthermore, it is inevitable that new instances of previously unidentified threats will occur. Wolfpack offers a full information security & privacy incident management approach based on ISO 27035 along with on-site training to assist organisations to mitigate the impact of incidents in their environment.

INFORMATION SECURITY INCIDENT MANAGEMENT

PLAN AND PREPARE
• Information Security Incident Management Policy
• Policy Gap Analysis
• Establishment of IRT
• Incident Management Awareness Plan
• Information Security Incident Management Plan

DETECTION AND REPORTING
• Monitor Systems and Networks
• Detecting and Alerting
• Collection of Security Event Reports
• Report Events
• Situational Awareness Information

ASSESSMENT AND DECISION
• Event Assessment
• Incident Determination
• How to Respond

RESPONSES
• How to Contain Incidents
• Recovery
• Resolution and Closure

LESSONS LEARNT
• Lessons Learnt
• Info Security Improvements
• Assessment Improvements
• Management Plan Improvements
• IRT Evaluation

“Security is a business issue, not a technical issue.” - T. Glaessner

Insufficient preparation by an organisation to deal with such incidents will make any response less effective and increase the degree of potential adverse business impact. Therefore, it is essential for any organisation desiring a strong information security programme to have a structured and planned approach to:
• Detect, report and assess information security incidents.
• Respond to information security incidents, including the activation of appropriate controls to prevent, reduce and recover from impacts.
• Report information security vulnerabilities, so they can be assessed and dealt with appropriately.
• Learn from information security incidents and vulnerabilities, institute preventive controls, and make improvements to the overall approach to information security incident management.
[Cyberwolf Cartoon - Spear Phished]
Information Security Programme

Information protection is a human capital issue. A large majority of breaches are due to human involvement, not a lack of technology protection. Culture plays a huge role in setting the standards for behaviour throughout an organisation, starting with buy-in from senior management. Wolfpack provides a full turnkey awareness solution that includes business needs analysis, content development and customisation, programme management, an intuitive learning management system, as well as various human vulnerability tests conducted using our online threat platform Camo Wolf.

[Diagram: a Tailored Awareness Programme with Professional Content, supported by Stakeholder Change Management, aimed at three audiences: Exec, Management, and Users & Third Parties.]
Awareness

Review our Awareness Premium Pack: an annual licence with access to the following content:
• 15 animated awareness videos (10 security / 5 privacy).
• 15 posters.
• 10 screen savers.
• 10 cartoons.
• 4 web simulations.
• Cybercrime survival guide.
• Awareness programme management toolkit.
• Easy policy communicator with associated induction training slides in Microsoft PowerPoint.

Note – The annual fee covers all new content or upgrades within your licence year.

Grey Wolf Learning Management System (LMS)
• A powerful LMS to run your animated videos.
• Includes a set of questions per video that can be used to track compliance.
• The LMS can be configured to include training for other departments in your organisation.
• The initial fee covers installation, configuration to client requirements and a training session for local admin staff.

Training Programme

Companies urgently need to develop in-house skills to ensure they can prevent, detect and respond to the increase in information threats. The Wolfpack Cyber Academy offers over 20 courses in Risk Management, IT Governance, Information Security, Cyber Security and a range of other complementary areas. We have furthermore developed the Information Risk Baseline Programme, which directly aligns to our Information Risk Methodology and is a cost effective way to train up teams within any organisation or industry.

1. INFORMATION RISK BASELINE PROGRAMME
1.1 Executive / Management (1 hour)
1.2 GRC / IS / IT teams (1-2 days)
1.3 User Awareness Programme (1 - 4 hours)

2. SPECIALIST PROGRAMMES
2.1 Governance, Risk & Compliance Programme
2.2 Information Security Programme
2.3 Privacy & Incident Management Programme
2.4 Vulnerability Management Programme
2.5 Security Operations Programme
2.6 Secure Development Programme

Let us not look back in anger, nor forward in fear, but around in awareness. - James Thurber
Wolfpack Cyber Academy Training Courses

Foundation
• Wolfpack Security Baseline Training (2 days) – Over 14 information and cyber security domains are covered in this comprehensive course.
• COBIT 5 Foundation (3 days) – Forms a maturity model which will provide a wealth of insight and understanding on practical issues of IT Governance.
• ISO 27001 Foundation (2 days) – Learn about the best practices for implementing and managing an Information Security Management System (ISMS).
• ISO 22301:2010 BCM Foundation (2 days) – Learn about the best practices for implementing and managing a Business Continuity Management System (BCMS).
• ISO 31000 Risk Foundation (2 days) – Learn about the best practices in Risk Management and the essential concepts and processes that are considered most effective in risk management.
• ISO 27005 IT Risk Foundation (2 days) – Learn about the best practices in risk management and understand how the different parts of a risk management programme and the implementation stages of an optimal risk assessment are synchronised.

Intermediate
• CompTIA Security+ (5 days) – A vendor neutral credential and internationally recognised validation of foundation level security skills and knowledge.
• Certified Cyber Security First Responder (5 days) – This course introduces the strategies, frameworks, methodologies and tools which are used to manage cybersecurity risks and identify various types of common threats.
• ISO 27001:2013 Lead Implementer (5 days) – Develop the necessary expertise to support an organisation in implementing and managing an Information Security Management System (ISMS).
• ISO 22301:2010 BCM Lead Implementer (5 days) – Develop the necessary expertise to support an organisation in implementing and managing a Business Continuity Management System (BCMS).
• ISO 31010 Risk Assessment Techniques (2 days) – The ISO/IEC 31010 standard is a supporting standard for ISO 31000 Risk Management. It provides guidance on the selection and application of systematic techniques for risk assessment.
• ISO 31000:2009 Risk Manager (2 days) – Develop the competence to master a model for implementing risk management processes throughout your organisation.
• ISO 27005:2011 IT Risk Manager (2 days) – Develop the competence to master the basic risk management elements related to all assets of relevance for information security.

Advanced
• CompTIA CASP (5 days) – A vendor neutral credential and an internationally targeted validation of advanced-level security skills and knowledge.
• CISM Exam Prep Course (4 days) – This uniquely management-focused certification ensures holders understand business, and know how to manage and adapt technology to their enterprise and industry.
• ISO 27001 Lead Auditor (5 days) – Develop the necessary expertise to audit an Information Security Management System (ISMS), as well as to manage a team of auditors by applying widely recognised audit principles, procedures and techniques.

[Cyberwolf Cartoon - Ransomware]

WOLFPACK CYBER ACADEMY
+27 11 794 7322
[email protected]
MONITOR – Threat Monitoring Phase

[Cyberwolf Cartoon - Command and Control]

The Wolfpack Monitoring platform provides five essential security capabilities in a single managed service. Understanding the sensitive nature of IT environments, we include active, passive and host-based technologies so that you can maintain the requirements of your particular environment.

Asset Discovery
• Active Network Scanning.
• Passive Network Monitoring.
• Asset Inventory.
• Software Inventory.

Vulnerability Assessment
• Network Vulnerability Testing.
• Continuous Vulnerability Monitoring.

Threat Detection
• Network Intrusion Detection System (IDS).
• Host IDS.
• File Integrity Monitoring (FIM).

Behavioral Monitoring
• Netflow Analysis.
• Service Availability Monitoring.
• Full Packet Capture.

Security Intelligence
• Log Management.
• Event Correlation.
• Incident Response.
• Reporting and Alarms.

“Connecting your organisation to the Internet makes it vulnerable to the full spectrum of global threats. Without constant monitoring you have no way of knowing where you have been compromised!”
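The Security Intelligence capabilities above (log management, event correlation, reporting and alarms) and the simulated threats used in the cyber risk analysis (port scanning, brute force attacks) come together in a correlation rule engine. The following is an added example, not part of this guide and not code from the Wolfpack Monitoring platform, showing the core of such an engine: parse events, keep a sliding time window per source address, and raise an alarm when a threshold is crossed. The line format, the thresholds and the sample events are constructed for illustration; the "brute_force_success" rule is the one worth paging on, since a success following a burst of failures is far more likely to be a real compromise than the failures alone.

```python
"""Minimal security event correlator: brute-force and port-scan rules.

Added example (not Wolfpack code). The line format, thresholds and
sample events below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <sensor> <event> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")

# Constructed sample events: a port sweep from 198.51.100.7, a password
# spray from 203.0.113.5 that eventually succeeds, and two benign events.
SAMPLE_LOG = """\
2016-03-01T10:00:01 fw connection src=198.51.100.7 dst=10.0.0.5 dport=21
2016-03-01T10:00:02 fw connection src=198.51.100.7 dst=10.0.0.5 dport=22
2016-03-01T10:00:03 fw connection src=198.51.100.7 dst=10.0.0.5 dport=23
2016-03-01T10:00:04 fw connection src=198.51.100.7 dst=10.0.0.5 dport=25
2016-03-01T10:00:05 fw connection src=198.51.100.7 dst=10.0.0.5 dport=53
2016-03-01T10:00:06 fw connection src=198.51.100.7 dst=10.0.0.5 dport=80
2016-03-01T10:00:07 fw connection src=198.51.100.7 dst=10.0.0.5 dport=110
2016-03-01T10:00:08 fw connection src=198.51.100.7 dst=10.0.0.5 dport=143
2016-03-01T10:00:09 fw connection src=198.51.100.7 dst=10.0.0.5 dport=443
2016-03-01T10:00:10 fw connection src=198.51.100.7 dst=10.0.0.5 dport=445
2016-03-01T10:00:11 fw connection src=198.51.100.7 dst=10.0.0.5 dport=3389
2016-03-01T10:01:00 fw connection src=10.0.0.9 dst=10.0.0.5 dport=443
2016-03-01T10:05:00 sshd auth_fail src=203.0.113.5 user=root
2016-03-01T10:05:10 sshd auth_fail src=203.0.113.5 user=root
2016-03-01T10:05:20 sshd auth_fail src=203.0.113.5 user=admin
2016-03-01T10:05:30 sshd auth_fail src=203.0.113.5 user=admin
2016-03-01T10:05:40 sshd auth_fail src=203.0.113.5 user=backup
2016-03-01T10:05:50 sshd auth_fail src=203.0.113.5 user=backup
2016-03-01T10:06:30 sshd auth_ok src=203.0.113.5 user=backup
2016-03-01T11:00:00 sshd auth_fail src=192.0.2.10 user=bob
"""


def parse_event(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": ts, "sensor": m.group("sensor"), "event": m.group("event"), **fields}


def correlate(lines, window=timedelta(minutes=5), fail_threshold=5, port_threshold=10):
    """Run sliding-window rules over the events and return the alarms raised.

    brute_force          >= fail_threshold auth failures from one source within window
    brute_force_success  an auth success from a source currently over that threshold
    port_scan            >= port_threshold distinct destination ports from one source
    brute_force and port_scan fire once per source so a long attack does not flood
    the analyst; brute_force_success fires on every such success.
    """
    events = [e for e in map(parse_event, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # the rules assume time order
    fails = defaultdict(deque)   # src -> timestamps of recent auth failures
    conns = defaultdict(deque)   # src -> (timestamp, dport) of recent connections
    fired = set()                # (rule, src) pairs already alarmed
    alarms = []

    def expire(q, now, key):
        # Drop entries older than the window, measured from the current event.
        while q and now - key(q[0]) > window:
            q.popleft()

    for ev in events:
        ts, src = ev["ts"], ev.get("src", "?")
        if ev["event"] == "auth_fail":
            q = fails[src]
            q.append(ts)
            expire(q, ts, lambda t: t)
            if len(q) >= fail_threshold and ("brute_force", src) not in fired:
                fired.add(("brute_force", src))
                alarms.append({"rule": "brute_force", "src": src, "count": len(q), "ts": ts})
        elif ev["event"] == "auth_ok":
            q = fails[src]
            expire(q, ts, lambda t: t)
            if len(q) >= fail_threshold:
                alarms.append({"rule": "brute_force_success", "src": src,
                               "user": ev.get("user"), "ts": ts})
        elif ev["event"] == "connection":
            q = conns[src]
            q.append((ts, ev.get("dport")))
            expire(q, ts, lambda item: item[0])
            distinct = {p for _, p in q}
            if len(distinct) >= port_threshold and ("port_scan", src) not in fired:
                fired.add(("port_scan", src))
                alarms.append({"rule": "port_scan", "src": src, "ports": len(distinct), "ts": ts})
    return alarms


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["rule"], a["src"])
```

Run against the constructed log this raises three alarms: a port scan from 198.51.100.7 at the tenth distinct port, a brute force from 203.0.113.5 at the fifth failure, and a brute_force_success when the same source then logs in as "backup". The single failure from 192.0.2.10 never crosses the threshold. In a real deployment the thresholds, the window and the set of rules are the tuning surface, and unparseable lines should be counted and reported rather than silently dropped as they are here.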
About Wolfpack Information Risk

We are a specialist cyber security services company. Wolfpack is a privately owned company. We are respected for our dynamic, independent thought leadership in the information and cyber security domains. We undertake a number of pro bono projects each year to improve cyber threat collaboration with a cyber community of over 9,000 stakeholders on the African continent.

Who do we work with? We partner with local and international governments, organisations, industry bodies and individuals.

What do we do? We specialise in information and cyber threat management covering the full spectrum of prevention, detection, incident response and business resilience capabilities.

[Infographic: established in 2011; core team of 22; 9000+ cyber community; Level 1 BBBEE; 5 new national projects in 2016; figures of 30+, 60+ and 90+ shown against TV / radio interviews, print / online interviews, conference / event talks, threat intel reports and national research.]

Professional Service Offering
• Research – Cyber security research into national security vulnerabilities.
• Threat Intelligence – Local insight into strategic and operational cyber threats facing Africa.
• Advisory – Business aligned security and privacy professional services.
• Training – Tailored training programmes to ensure optimal skills-transfer.
• Awareness – Establish a strong security-aware culture from the top to the bottom.
• Monitoring – Cyber Threat Intelligence Centre offering threat and vulnerability monitoring.
• Talent Management – Talent solutions to attract, assess and retain scarce skills.
WE SPECIALISE IN CYBER SECURITY
www.wolfpackrisk.com
[email protected]