Cybersecurity is a universal concern across today’s enterprise, and a strategic approach is required for appropriate mitigation.
Adopting ISO/IEC 27032 will help you to:
• Understand the nature of Cyberspace and Cybersecurity
• Explore the Cybersecurity ecosystem – roles and responsibilities
• Achieve cyber resilience by implementing defensive and detective cybersecurity controls
Presenter:
Obadare Peter Adewale is a first generation and visionary cyberpreneur. He is a PECB certified Trainer, Fellow Chartered Information Technology Professional, the First Licensed Penetration Tester in Nigeria, second COBIT 5 Assessor in Africa and PCI DSS QSA. He is also an alumnus of Harvard Business School and MIT Sloan School of Management Executive Education.
Link of the recorded session published on YouTube: https://youtu.be/NX5RMGOcyBM
1. Improve Cybersecurity posture by using ISO/IEC 27032
2. Adewale Obadare
Cybersecurity Expert
Adewale Obadare is a Fellow Chartered Information Technology Professional (UK), Fellow of the Institute of Brand Management of Nigeria, the First Licensed Penetration Tester in Nigeria, 2nd COBIT 5 Certified Assessor in Africa and a PCI DSS Qualified Security Assessor (QSA).
Contact Information
+234 802 331 6951
wale@digitalencode.net
www.digitalencode.net
ng.linkedin.com/in/obadarepeteradewale
3. Agenda
• Introduction
• Understanding the Nature of Cyberspace and Cybersecurity
• Explore the Cybersecurity Ecosystem – Roles and Responsibilities
• Achieve Cyber Resilience through implementing Defensive, Resilience and Detective Cybersecurity Controls from ISO/IEC 27032
4. Starting Thought
I would like to start with the words of the famous Chinese military strategist Sun Tzu:
“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
5. INTRODUCTION: ISO/IEC 27032 STANDARD
“Standards are generally required when excessive diversity creates inefficiencies or impedes effectiveness.”
- Edward W. Hammond and James J. Cimino
6. ISO/IEC 27032 Structure and Content
The main sections (clauses) of the standard are:
Clause 6: Overview
Clause 7: Stakeholders in the Cyberspace
Clause 8: Assets in the Cyberspace
Clause 9: Threats against the security in the Cyberspace
Clause 10: Roles of Stakeholders in Cybersecurity
Clause 11: Guidelines for Stakeholders
Clause 12: Cybersecurity Controls
Clause 13: Framework of Information Sharing and Coordination
7. ISO 27001 vs ISO 27032
ISO 27001 – Applicable to information on both non-digital and digital media/assets
- Auditable (certifiable management system standard)
ISO 27032 – Applicable to protection of information on digital media/assets
- Not auditable (guidance standard; no certification against it)
10. Anatomy of the Target Breach
Source: http://securityintelligence.com/target-breach-protect-against-similar-attacks-retailers/#.U9-17GP5dJu
11. Target Data Breach Numbers
• 40 million credit cards + 70 million customer records stolen
• $54 million: income to cyber criminals
• $400 million: cost of replacing credit cards
• $150 million: Target’s initial response cost
• $1 billion: estimated ultimate cost to Target
• 140: number of active lawsuits against Target
• 2: number of C-suite executives at Target who were fired
• 7: number of Directors targeted by Institutional Shareholder Services for ouster, claiming failed duties to shareholders
20. Business Continuity Institute – February 2016
This year’s top dozen threats to business continuity are:
1. Cyber attack
2. Data breach
3. Unplanned IT and telecom outages
4. Act of terrorism
5. Security incidents
6. Interruption to utility supply
7. Supply chain disruption
8. Adverse weather
9. Availability of talent and key skills
10. Health and safety incident
11. Fire
12. Transport network disruption
21. Definition - Cyberspace:
“The cyberspace can be described as a virtual environment, which does not exist in any physical form, but rather, a complex environment or space resulting from the emergence of the Internet, plus the people, organizations, and activities on all sorts of technology devices and networks that are connected to it” (ISO 27032)
22. Definition - Cybersecurity:
“Cyberspace security or Cybersecurity is about the security of this virtual world.” “Cybersecurity relates to actions that stakeholders should be taking to establish and maintain security in the Cyberspace” (ISO 27032)
26. Digital Asset Components
Each component has its own security requirements
♣ Software
– Applications, operating systems, utilities
– Exploitation of programming errors accounts for a substantial portion of information attacks
– Easy target for accidental or intentional attacks
♣ Hardware
– Physical components of information systems
– Physical security deals with protection of physical assets from theft, vandalism and destruction
– Issue: security for laptop and notebook computers
27. Digital Asset Components (Contd)
♣ Data
– Often the most valuable asset possessed by an organization and the main target of deliberate attacks
– Proper development and use of database management systems increases data security
♣ People
– Can be the weakest link (greatest threat) to security in an organization
– Policy, education and training, awareness and technology are all used to prevent people from accidentally or intentionally damaging or losing information
– Social engineering can be used to manipulate the actions of people to obtain access information about a system
29. Defense In-Depth Using ISO/IEC 27032
ISO/IEC 27032 Clause 12.2 – Application Level Controls
1. Display of short notices, which provide clear, concise one-page summaries (using simple language) of the company’s essential policies.
2. Secure handling of sessions for web applications.
3. Secure input validation and handling to prevent common attacks such as SQL injection.
4. Secure web page scripting to prevent common attacks such as cross-site scripting.
5. Code security review and testing by appropriately skilled entities.
6. Service authentication, by the use of subdomains by providers and possibly the use of HTTPS credentials (TLS certificates) registered to the organisation.
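Items 2 to 4 of Clause 12.2 (session handling, input validation against SQL injection, output handling against cross-site scripting) are the controls a developer actually writes code for. The block below is an added, self-contained Python illustration, not code from the presentation or from ISO/IEC 27032: it builds a constructed two-row users table in an in-memory SQLite database, shows the injectable query beside its parameterised replacement, HTML-encodes untrusted output for a body context, and mints a session cookie with the attributes that keep the identifier off script and off plain HTTP. The table, user names and cookie name are assumptions made for the example.

```python
import html
import re
import secrets
import sqlite3

# Constructed sample data for the demonstration (not from the page).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

# Allowlist for a user name: lowercase letter, then 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately insecure: the user-supplied value is spliced into the SQL
    # text, so a value such as  ' OR '1'='1  rewrites the WHERE clause and
    # the query returns every row instead of one.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: allowlist validation first (Clause 12.2 item 3), then a bound
    # parameter so the driver passes the value as data, never as SQL syntax.
    if not USERNAME_RE.match(name):
        return []
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_comment(comment: str) -> str:
    # Output encoding for an HTML body context (Clause 12.2 item 4): '<', '>',
    # '&' and quotes become entities, so a script tag is displayed, not run.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def new_session_cookie(cookie_name: str = "sid") -> tuple:
    # Session handling (Clause 12.2 item 2): 256-bit identifier from the OS
    # CSPRNG, and cookie attributes that keep it away from page scripts
    # (HttpOnly), off cleartext HTTP (Secure) and out of cross-site requests
    # (SameSite=Strict), with a 30-minute idle lifetime (assumed policy).
    sid = secrets.token_urlsafe(32)
    header = (
        f"{cookie_name}={sid}; Path=/; HttpOnly; Secure; "
        f"SameSite=Strict; Max-Age=1800"
    )
    return sid, header


if __name__ == "__main__":
    db = build_db()
    injected = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, injected))  # dumps both rows
    print("safe      :", lookup_safe(db, injected))        # []
    print(render_comment("<script>alert(1)</script>"))
    print(new_session_cookie()[1])
```

Running the block prints both constructed rows from the vulnerable query, an empty result from the parameterised one, the encoded comment, and a Set-Cookie header line. The allowlist rejects the injected string before it reaches the database; even without it, the bound parameter alone would return no row, because SQLite compares the literal text rather than parsing it.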
30. Defense In-Depth Using ISO/IEC 27032
ISO/IEC 27032 Clause 12.3 – Server Protection
1. Configure servers, including the underlying operating systems, in accordance with a baseline security configuration guide.
2. Implement a system to test and deploy security updates, and ensure the server operating system and applications are kept up to date promptly when new security updates are available.
3. Monitor the security performance of the server through regular reviews of the audit trails.
4. Review the security configuration.
5. Run licensed anti-malware controls (such as anti-spyware and anti-virus) on the server.
6. Have a good vulnerability management system in place for all online applications.
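"Regular reviews of the audit trails" in Clause 12.3 is only useful if the review looks for something specific. The following is an added Python example, not from the presentation or the standard, that parses constructed OpenSSH-style syslog lines and flags a source address that fails authentication five or more times within 60 seconds, then notes whether that same address later succeeded (the pattern of a password-guessing attack that worked). The log lines, host name, addresses, threshold and window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail in OpenSSH/syslog style (not a real log).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar  3 09:12:03 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51123 ssh2
Mar  3 09:12:05 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2
Mar  3 09:12:08 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51125 ssh2
Mar  3 09:12:09 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51126 ssh2
Mar  3 09:12:40 web01 sshd[2130]: Accepted password for root from 203.0.113.9 port 51140 ssh2
Mar  3 09:15:22 web01 sshd[2150]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 09:30:00 web01 sshd[2188]: Failed password for deploy from 198.51.100.20 port 40100 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text: str, year: int = 2016) -> list:
    """Return (timestamp, result, user, ip) tuples; syslog lacks a year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are ignored
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_brute_force(events: list, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag IPs with >= threshold failures inside window_s seconds.

    The returned dict maps ip -> {"first", "count", "users", "succeeded_after"};
    succeeded_after becomes True if an Accepted login from that IP follows.
    """
    findings = {}
    recent = defaultdict(list)  # ip -> (timestamp, user) of failures in window
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            recent[ip].append((ts, user))
            recent[ip] = [e for e in recent[ip] if (ts - e[0]).total_seconds() <= window_s]
            if len(recent[ip]) >= threshold and ip not in findings:
                findings[ip] = {
                    "first": recent[ip][0][0],
                    "count": len(recent[ip]),
                    "users": sorted({u for _, u in recent[ip]}),
                    "succeeded_after": False,
                }
        elif result == "Accepted" and ip in findings:
            findings[ip]["succeeded_after"] = True
    return findings


if __name__ == "__main__":
    for ip, f in find_brute_force(parse_events(SAMPLE_AUTH_LOG)).items():
        verdict = "LOGIN SUCCEEDED AFTERWARDS" if f["succeeded_after"] else "no success seen"
        print(f"{ip}: {f['count']} failures from {f['first']:%H:%M:%S} "
              f"against {', '.join(f['users'])}; {verdict}")
```

On the constructed lines the review reports 203.0.113.9 with five failures against root and admin in eight seconds, followed by an accepted password login from the same address; 198.51.100.20, with a single failure, stays below the threshold. The same structure applies to any audit trail with a timestamp, an outcome and a source: change the regular expression and keep the sliding-window logic.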
31. Defense In-Depth Using ISO/IEC 27032
ISO/IEC 27032 Clause 12.4 – End-user Controls
1. Use supported operating systems, with the most recent security patches installed.
2. Use the latest supported software applications, with the most recent patches installed.
3. Use anti-virus and anti-spyware tools; these can be consumed as security tools as a service from a service provider.
4. Enable script blockers, phishing filters and other available web browser security features.
5. Enable a personal firewall and HIPS (host-based intrusion prevention).
6. Enable automatic update notifications.
32. Defense In-Depth Using ISO/IEC 27032
ISO/IEC 27032 Clause 12.5 – Controls against Social Engineering
1. Put in place appropriate policies
2. Categorisation and classification of information
3. Awareness and training
4. Cybersecurity awareness testing
33. Cyber Security: Art and Science
♣ Security as Art
– No hard and fast rules or universally accepted solutions
– Requires knowledge and experience of systems and goals to build the solution that best fits the organization's needs
♣ Security as Science – Defensive, Resilience and Detection Strategies
– Technology is a major component of information security solutions
– Requires knowledge of technologies, and use of accepted standards and practices
♣ Security as Social Science
– People are a critical component in the organization and in the security of the organization
– Security must consider and address human factors
36. IT Security Training Courses
ISO/IEC 27032 Lead Cybersecurity Manager – 5-day course
ISO/IEC 27034 Application Security Foundation – 2-day course
ISO/IEC 27034 Application Security Lead Implementer – 5-day course
ISO/IEC 27034 Application Security Lead Auditor – 5-day course
Exam and certification fees are included in the training price.
https://www.pecb.com/it-security | www.pecb.com/events