Pat Larkin
Business Development Manager
+353 (0) 87 2446093 pat.larkin@wardinfosec.co.uk
Pat.Larkin@ward.ie
CONFIDENTIAL
• How many people think Information Security adds real value to your business?
What we see…
In Number
• Continued malware growth & scale
• Shift to Mobile
– mainly Android
In Severity
• Motive and intent has moved from notoriety to financial gain
• Cyber security is critical
“Broad New Hacking Attack Detected”
“Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft ..”.
“Google Hack Attack Was Ultra Sophisticated, New Details Show”
“Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details..”
In Complexity
• Coordinated and blended attacks are now a common practice
• Increased processing power required
• APTs
© 2000-2010 Ward Solutions, Ltd. All rights reserved. Confidential and Proprietary .
• Ransomware – highly targeted via social engineering & phishing to nominated Director level - IP & compliance users
What we see… (2004/5 versus 2013)
Web
2004/5:
• “Read only”
• Corporate brochures
• Simple browsing patterns
• Emerging business use
• Primarily text
• Minimal spam threat
2013:
• Rich, two-way interaction
• Web applications
• Web 2.0
• Ubiquitous business use
• Blended rich media
• Pervasive and escalating spam threats
Applications
2004/5: • “Security by Obscurity”
2013: • Interconnected and vulnerable
Hacker Motivation
2004/5: • Bragging rights
2013: • Profit and disruption (DDoS, cyber crime and terror)
Data and Privacy Regulation
2004/5: • Minimal
2013: • PCI-DSS, Data Protection, ISO compliance
Trust
2004/5: • Implied
2013: • Needs to be earned and verified • Back 2 back contract/indemnity
Security Maturity
2004/5: • Point solutions approach
2013: • Security maturity • Consolidated approach
Threats
2004/5: • Increasing • Users are threat vectors
2013: • Increasing • Multiple vectors • Web applications increasingly under pressure • Easier for hackers • Accelerated adoption • More parties
Where the threats sit, by layer:
• Insider Threat – Unknown%
• Application Layer – > 80%
• Services Layer – < 10%
• Host/OS Layer – < 1%
• Network Layer – < 5%
• Despite everything, of the 87 security incidents we were involved in YTD (2013):
– 61 (~70%) were of internal origin
– 42 of these (~68%) were classified as non-malicious/inadvertent
– Of those of external origin (~26), 90% (23) were classified as suspicious/malicious
– Impact ranged from almost nil to potentially criminal; final costs from €10K to €?,???,???
SECURITY OPTIMIZATION – share of IT budget spent on security at each posture:
• REACTIVE (~3% of IT Budget on Security)
• COMPLIANT/PROACTIVE (~8% of IT Budget on Security)
• OPTIMIZED (~4% of IT Budget on Security)
[Chart: TCO (CapEx + OpEx) plotted against Security Posture]
Maturity Model Defines Reaction
Threat Defense
• Security a necessary evil
• Event driven
• Reactive / decentralised
• Ad-hoc testing
• Point Products
Compliance DiD
• Compliance – ‘checkbox’ mentality
• Collect data for compliance purposes
• Vulnerability Testing
• Tactical Threat Defences with layered security controls
Risk Based Security
• Proactive and assessment based
• Threat based risk assessments
• Integrated Security tools
• Closed Loop
Business Oriented
• Security embedded in business processes
• Business based assessments
• Real time governance
Maturity Model Applied to Security Risk Management
[Chart: Risk and Cost (High to Low) plotted against Security Posture across the stages Threat Defense, Compliance, Risk Based and Business Oriented]
October 18, 2013
• How do you make your business case for new Information Security projects?
• Majority – Return on Investment based on
– Risk mitigation – Prevention
– Redress / Reinstatement
– Compliance
• Security a business enabler
– Strategic partner in business innovation
– Business enablement with “appropriate” controls and risk management
– Security initiates the conversation from the get-go
• Conversing with the Business about
– Vulnerability scans
– Encryption policy
– Next Gen Firewalls
– MDM
– EndPoint Security Suites
– Latest Malware threats
• Security team perceived as blockers
• Consulted at end of process/project to tick box & bolt on controls
• Limited value-add approach
– “Insurance” only
– Prevention/Detection/Re-Instatement
Maturity Strategy
Governance
– From: Security within IT
– To: Security part of every business process
Security Risk Management
– From: High level view of risk
– To: Manage business specific risks
Operations Management
– From: Basics tools
– To: Risk based controls
Incident Management
– From: Product based monitoring
– To: Advanced Analytics
Security Management: ISO 27001. Risk Management: ISO 31000.
Maturity Strategy (business view)
Governance
– Define business Objective
– Defined business level risk
– Identify critical assets
Security Risk Management
– Understand the external and internal threat landscape
– Identify vulnerabilities in critical assets
– Prioritise remediation
Operations Management
– Add Controls as required
– Maximise monitoring and visibility
Incident Management
– Identify events
– Prioritise based on business impact
– Report to business
Security Management: ISO 27001. Risk Management: ISO 31000.
“If a tree falls in a forest and no one is around to hear it, does it make a sound?” (George Berkeley)
Threat Based Risk Assessments
– Risk prioritisation reduces costs
– Vulnerabilities ‘less important’
– Know threats
– How automatic can countermeasures be
Risk = (Threat × Vulnerability × Asset) / Countermeasure
Approach
IT Governance Frameworks
• COBIT
• ISO/IEC 27001
• ITIL
• IT Baseline Protection Catalogs (IT-Grundschutz)
• Information Security Maturity Model (ISM3)
• ISO/IEC 38500:2008 Corporate Governance of Information Technology
IT Auditing and Security Assurance Frameworks
• ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management
• ISO/IEC 27001:2005 Information technology -- Security techniques -- Information security management systems -- Requirements
• ISO 31000:2009 Risk Management -- Principles and Guidelines
• ISO/IEC 31010:2009 Risk management -- Risk assessment techniques
Methodical Testing Approach
• The Open Source Security Testing Methodology Manual (OSSTMM)
• The Penetration Testing Execution Standard (PTES)
• The OISSG Penetration Testing framework
Key Takeaway Points
• There is an ever evolving threat landscape.
• Securing information gets harder and harder.
• Security Maturity is key to defining your security approach.
• Adopt a business driven, needs based security solution mindset.
• Security assessments and remediation activities should follow a threat based risk assessment approach.
– Know threats
– Understand where vulnerabilities fit in
• Incident management and response is critical.
Security through the lifecycle
• Requirements – Functional Specification & Security Specification
• Design – Systems & Software Design & Security Design
• Implementation – Systems & Software Build & Security Build
• Verification – Object, Module, Integration and Systems Testing; Code Review, Vulnerability & Pen Testing, DR testing
• Maintenance – Helpdesk/Call Centre - ITIL V3; Authentication & Anti Social Engineering
• Sometimes the right answer is to take the risk……provided that it is an educated & informed decision.
Risk matrix – Likelihood of Occurrence (rows) against Business Impact (columns); each cell gives the rating and its score:

Likelihood \ Impact              Insignificant  Minor        Moderate     Major         Critical
Remote (less than 10%)           Note (0)       Low (1)      Low (2)      Medium (3)    Medium (4)
Unlikely (10%-40%)               Low (1)        Low (2)      Medium (3)   Medium (4)    High (5)
Possible (40%-60%)               Low (2)        Medium (3)   Medium (4)   High (5)      High (6)
Likely (60%-90%)                 Medium (3)     Medium (4)   High (5)     High (6)      Critical (7)
Almost Certain (greater than 90%) Medium (4)    High (5)     High (6)     Critical (7)  Critical (8)
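The matrix above is additive: every cell's score is the 0-based likelihood index plus the 0-based impact index, and the label (Note/Low/Medium/High/Critical) depends only on that score. The following Python is an added worked example, not Ward Solutions' code, that encodes the slide's matrix, verifies the additive rule reproduces every printed cell, maps an estimated probability onto the slide's bands (boundary handling is my assumption: each band's upper bound is inclusive, so 40% is Unlikely and 90% is Likely), and ranks a constructed sample risk register so the "educated & informed" decision can be taken on the highest-scoring items first.

```python
"""Likelihood x impact risk matrix scorer, written as an added example for this deck.

Band labels, impact labels and cell ratings come from the slide's matrix; the
percentage-boundary handling and the sample register are assumptions made here.
"""
from dataclasses import dataclass

LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Critical"]

# Cell values exactly as printed on the slide: rows = likelihood, columns = impact.
SLIDE_MATRIX = [
    ["Note (0)", "Low (1)", "Low (2)", "Medium (3)", "Medium (4)"],
    ["Low (1)", "Low (2)", "Medium (3)", "Medium (4)", "High (5)"],
    ["Low (2)", "Medium (3)", "Medium (4)", "High (5)", "High (6)"],
    ["Medium (3)", "Medium (4)", "High (5)", "High (6)", "Critical (7)"],
    ["Medium (4)", "High (5)", "High (6)", "Critical (7)", "Critical (8)"],
]


def rating(score: int) -> str:
    """Label for a numeric score; the bands are read off the slide's cells."""
    if score == 0:
        return "Note"
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    if score <= 6:
        return "High"
    return "Critical"


def score_risk(likelihood: str, impact: str) -> tuple[int, str]:
    """The slide's matrix is additive: score = likelihood index + impact index (0-based)."""
    score = LIKELIHOOD.index(likelihood) + IMPACT.index(impact)
    return score, rating(score)


def matrix_matches_slide() -> bool:
    """Self-check: the additive rule reproduces every cell printed on the slide."""
    for i, likelihood in enumerate(LIKELIHOOD):
        for j, impact in enumerate(IMPACT):
            score, label = score_risk(likelihood, impact)
            if f"{label} ({score})" != SLIDE_MATRIX[i][j]:
                return False
    return True


def likelihood_band(probability_pct: float) -> str:
    """Map an estimated probability (percent) to one of the slide's bands.

    Assumption (the slide only says 'less than 10%', '10%-40%', ...): each band's
    upper bound is inclusive, so exactly 40% is Unlikely and exactly 90% is Likely.
    """
    if not 0 <= probability_pct <= 100:
        raise ValueError(f"probability must be between 0 and 100, got {probability_pct}")
    if probability_pct < 10:
        return "Remote"
    if probability_pct <= 40:
        return "Unlikely"
    if probability_pct <= 60:
        return "Possible"
    if probability_pct <= 90:
        return "Likely"
    return "Almost Certain"


@dataclass(frozen=True)
class Risk:
    name: str
    probability_pct: float
    impact: str  # one of IMPACT


def rank_register(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Score each entry and return (name, score, rating), highest risk first."""
    scored = []
    for risk in register:
        score, label = score_risk(likelihood_band(risk.probability_pct), risk.impact)
        scored.append((risk.name, score, label))
    # Highest score first; ties broken alphabetically so the order is stable.
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample register (not real client data), using risks the deck names.
SAMPLE_REGISTER = [
    Risk("Ransomware delivered by phishing to directors", 65, "Critical"),
    Risk("Vulnerable internet-facing web application", 45, "Major"),
    Risk("Inadvertent data mishandling by staff", 75, "Moderate"),
    Risk("Loss of an encrypted laptop", 30, "Minor"),
]

if __name__ == "__main__":
    print("matrix reproduces slide:", matrix_matches_slide())
    for name, score, label in rank_register(SAMPLE_REGISTER):
        print(f"{label:8} ({score})  {name}")
```

Running the script prints the sample register ranked Critical (7) for the ransomware entry, High (5) for the inadvertent-mishandling and web-application entries, and Low (2) for the laptop entry; the ranking, not the individual labels, is what drives the remediation priority the deck's "Prioritise based on business impact" step calls for.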