cybersecurity isaca

of 56 /56
Cybersecurité à l’ISACA Yves LE ROUX CISM, CISSP [email protected] 2 avril 2015 Jeudi de l’AFAI

Upload: antoine-vigneron

Post on 15-Jul-2015

425 views

Category:

Technology


3 download

TRANSCRIPT

Cybersecurité à l’ISACA

Yves LE ROUX CISM, CISSP [email protected]

2 avril 2015 Jeudi de l’AFAI

Tendances et nouveaux aspects de la sécurité informatique

3 © 2014 CA. ALL RIGHTS RESERVED.

4 © 2014 CA. ALL RIGHTS RESERVED.

Factors Impacting the Need for Improved Cyber Security

Source: ISACA, 2014

5 © 2014 CA. ALL RIGHTS RESERVED.

Consumerization

•Mobile devices •Social media •Cloud services •Nonstandard •Security as a

Service

Continual Regulatory and Compliance Pressures • SOX, PCI, EU

Privacy • ISO 27001 • Other regulations

Emerging Trends

•Decrease in time to

exploit •Targeted attacks •Advanced persistent

threats (APTs)

Source: ISACA, 2014

Key Trends and Drivers of Security

6 © 2014 CA. ALL RIGHTS RESERVED.

he WOrld is Changing

Source: ISACA, 2012

7 © 2014 CA. ALL RIGHTS RESERVED.

The APT Life cycle

History shows that most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle and are extremely effective at attacking their targets.

7

8 © 2014 CA. ALL RIGHTS RESERVED.

APT sont différents ils sont ciblés

VS

Attaques ciblées • Adversary’s persistence

– They know what they want and they pursue their goal – They will repeatedly try to get in – Once they’re in they try to stay – When you throw them out they will try to come back

• Initial infection very difficult to avoid – Spear-phishing e-mails – Social engineering to trick the user into running malware installers – Watering hole attacks using known exploits – Watering hole attacks that rely on social engineering

• Take control over the infrastructure: 10’-> 48hours • Detection: average 229 days (or never)

• Remediation: 1-6 months

Stratégie Européenne de Cybersécurité

12 © 2014 CA. ALL RIGHTS RESERVED.

Strategie Européenne de Cybersecurité

The Five strategic objectives of the strategy are as follows:

– Achieving cyber resilience

– Drastically reducing cybercrime

– Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP)

– Developing the industrial and technological resources for cybersecurity

– Establishing a coherent international cyberspace policy for the European Union and promote core EU values.

13 © 2014 CA. ALL RIGHTS RESERVED.

Network and Information Security (NIS) Directive Key Elements Capabilities: Common NIS requirements at national level

– NIS strategy and cooperation plan – NIS competent authority – Computer Emergency Response Team (CERT)

Cooperation: NIS competent authorities to cooperate within a network at EU level – Early warnings and coordinated response – Capacity building – NIS exercises at EU level – ENISA to assist

Risk management and incident reporting for: – Energy – electricity, gas and oil – Credit institutions and stock exchanges – Transport – air, maritime, rail – Healthcare – Internet enablers – Public administrations

14 © 2014 CA. ALL RIGHTS RESERVED.

NIS Directive legal actions

7 February 2013 The European Commission published the draft Network and Information Security (NIS) Directive, which set out proposals to enhance the EU’s resilience to cyber security threats and ensure a common level of network and information security across the EU. 13 March 2014 The European Parliament successfully voted through the proposed NIS Directive with a number of amendments to the proposed text. 19 November 2014 EU Member States remain divided whether Internet companies should comply with the proposed NIS Directive. The Council presidency said that it is "confident" that the Council and Parliament would be able to "reach a deal before the end of the year" on the final wording of the legislation.

15 © 2014 CA. ALL RIGHTS RESERVED.

NIS Public-Private Platform

NIS Platform is complementing and underpinning the NIS Directive. It will help implement the measures set out in the Directive, e.g. by simplifying incident reporting, and ensure its convergent and harmonised application across the EU.

First meeting of the NIS Platform on 17 June 2013, it was decided to set up 3 working groups which should be cross-cutting, with all relevant sectors represented: – WG1 on risk management, including information assurance, risks metrics

and awareness raising; – WG2 on information exchange and incident coordination, including

incident reporting and risks metrics for the purpose of information exchange; – WG3 on secure ICT research and innovation.

The NIS Platform on 25 November 2014, decided that the aim is to have NISP finalised guidance of all Chapters in October 2015 and Commission recommendations on good cyber security practices due to be adopted in late 2015.

16 © 2014 CA. ALL RIGHTS RESERVED.

Breakdown and tentative timing of Chapters per W.G.

Source: NIS Public-Private Platform 25 november 2014 Meeting Report

17 © 2014 CA. ALL RIGHTS RESERVED.

France

La loi de programmation militaire du 18 décembre 2013

Décret no 2015-349 du 27 mars 2015 relatif à l’habilitation et à l’assermentation des agents de l’autorité nationale de sécurité des systèmes d’information

Décret no 2015- 350 du 27 mars 2015 relatif à la qualification des produits de sécurité 

Décret no 2015-351 du 27 mars 2015 relatif à la sécurité des systèmes d’information des opérateurs d’importance vitale.

18 © 2014 CA. ALL RIGHTS RESERVED.

France

218 organisations stratégiques pour la nation, ont l'obligation de se protéger contre les intrusions informatiques.

Secteurs étatiques : activités civiles de l’Etat, activités militaires de l’Etat, activités judiciaires.

Secteurs de la protection des citoyens : santé, gestion de l'eau, alimentation.

Secteurs de la vie économique et sociale de la nation : énergie, communication, électronique, audiovisuel et information (les quatre représentent un secteur), transports, finances, industrie.

Audits externes réguliers contrôlant la sécurité de leur système d'information

Installation de logiciels ou matériels qui détectent en permanence les intrusions informatiques venues de l'extérieur.

ISACA European Cybersecurity Implementation Series

20 © 2014 CA. ALL RIGHTS RESERVED.

ISACA has released the European Cyber security Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice.

Source: ISACA, 2014

21 © 2014 CA. ALL RIGHTS RESERVED.

Source: ISACA, 2014

22 © 2014 CA. ALL RIGHTS RESERVED.

23 © 2014 CA. ALL RIGHTS RESERVED.

SIX QUESTIONS THE BOARD SHOULD ASK

Does the organization use a security framework?

What are the top five risks the organization has related to cybersecurity?

How are employees made aware of their role related to cybersecurity?

Are external and internal threats considered when planning cybersecurity program activities?

How is security governance managed within the organization?

In the event of a serious breach, has management developed a robust response protocol?

24 © 2014 CA. ALL RIGHTS RESERVED.

Overview

When implementing cybersecurity steps and measures enterprises should perform :

1. Analyse impact (with a view to business impacts and other, nonfinancial impacts).

2. Identify and analyse risk

3. Determine risk treatment.

4. Determine cybersecurity strategy options based on risk profile.

25 © 2014 CA. ALL RIGHTS RESERVED.

Source: ENISA, 2014

Mapping ERMP to COBIT 5

Source: ISACA, 2014

Some exemples of Cybersecurity Risk

Risk Scenario in COBIT 5 Risk Management

Cobit 5 Risk Management Framework

Trois lignes de défense

European restriction on Audit

Legal and contractual relationships

Data logging & retention

Le dernier paru

Questions?

[email protected]