1
PREVENTION IS BETTER THAN PROSECUTION
DEEPENING THE DEFENCE AGAINST CYBER CRIME
LEX INFORMATICA CONFERENCE JULY 2009
Adv Jacqueline Fick Risk and Compliance
Management PwC Advisory Southern Africa
PwC
2
Contents
  • Introduction and Approach
  • Information Assurance
  • Defence in Depth Strategy
  • Conclusion
  • Questions

3
Introduction and Approach
  • The President, in the State of the Nation Address,
    specifically referred to an increased effort to
    combat cyber crime and identity theft
  • Increase in cyber crime in both private and
    public sector
  • Criminals want information
  • Law enforcement hampered in efforts to catch
    criminals
  • Shift in paradigm
  • Re-active v pro-active
  • Prevention is better than Prosecution
  • Devoting time and resources to implement
    strategies that prevent cyber crime
  • Information Assurance and Defence in Depth
    strategy

4
Information Assurance
  • Definition
  • Objective of Information Assurance
  • Five pillars of Information Assurance

5
Information Assurance
  • Definition
  • The practice of managing information-related
    risks (Wikipedia).
  • Information operations that protect and defend
    information and information systems by ensuring
    their availability, integrity, authentication,
    confidentiality, and non-repudiation. This
    includes providing for restoration of information
    systems by incorporating protection, detection
    and reaction capabilities (US DoD).
  • Umbrella concept bringing together issues of
    Information Security and Dependability.
  • Includes other corporate governance issues such
    as privacy, audits, business continuity and
    disaster recovery.

6
Objective
Information Assurance
  • The objective of Information Assurance is to
    minimise the risk that information systems, and
    the information stored, transmitted and processed
    thereon, are vulnerable to threats. If an attack
    does take place, the damage it might cause will
    be minimised. It also provides for methods to
    recover from an attack as efficiently and
    effectively as possible.
  • Information Assurance focuses on
    • Access controls
    • Individual accountability
    • Audit trails

7
Five pillars of Information Assurance
Information Assurance
  • Information Security is based on the CIA triad
  • Information Assurance: the CIA triad plus
    authenticity and non-repudiation
  • NSA: application of the five pillars should be
    based on the protect, detect and react paradigm
  • Electronic Communications and Transactions Act,
    No. 25 of 2002
    • Incorporates principles of the five pillars
    • Criminalises attacks

8
Five pillars of Information Assurance
Information Assurance
9
Defence in Depth Strategy
  • Introduction
  • Focus areas
  • Core principles
  • Implementing strategy
  • Layered defence approach
  • Maintaining strategy

10
Definition
Defence in Depth Strategy
  • Strategy that can be implemented to achieve
    Information Assurance in today's highly networked
    environments (NSA). Also defined as the systematic
    security management of people, processes and
    technologies in a holistic risk-management
    approach (TISN).
  • Best-practice strategy in that it relies on
    the intelligent application of techniques and
    technologies.
  • Based on balancing protection capability against
    cost, performance and operational considerations.
  • Delivers
    • Effective risk-based decisions
    • Enhanced operational effectiveness
    • Reduced overall cost and risk, and
    • Improved information security.

11
Threats
Defence in Depth Strategy
  • To protect an organisation's information and
    information systems against cyber attacks, it is
    necessary to determine who the enemy is, why they
    would want to launch an attack and how they would
    attack the organisation. Threats can be internal
    and external and can be as a result of
    intentional and unintentional actions.

12
Focus areas
Defence in Depth Strategy
  • Achieving Information Assurance requires a
    balanced focus on
    • People
    • Processes
    • Technology
    • Governance

13
Focus areas (continued)
Defence in Depth Strategy
  • Technology
    • Refers to solutions that organisations employ
      that enable them to achieve and sustain their
      business objectives. Key focus areas for
      implementing a Defence in Depth strategy:
      • Management of network architecture
      • Infrastructure management
      • Application security
      • Communications management
    • Important to ensure that the procurement policy is
      aligned to the overall Defence in Depth strategy,
      so that the right technology is procured in
      accordance with overall business objectives.

14
Core principles
Defence in Depth Strategy
  • TISN defines the core principles as follows
    • Implementing measures according to business
      risks.
    • Using a layered approach.
    • Implementing controls to increase the effort
      needed to attack and breach the system.
    • Implementing personnel, procedural and technical
      controls.

15
Focus areas (continued)
Defence in Depth Strategy
  • People
    • Refers to the security roles and responsibilities
      for internal and external persons.
    • Important to define, maintain and enforce
      security roles and responsibilities for
      employees, contractors or business partners.
    • User awareness (both internal and external
      people).

16
Focus areas (continued)
Defence in Depth Strategy
  • Processes (or Operations)
    • Refer to standardised actions which are used to
      ensure that the organisation's position on
      security is sustained.
    • Organisations must define, maintain and enforce
      standardised actions/processes which are used to
      develop and sustain their position on security.
    • Key focus areas would typically include
      • Identity and user-access management
      • Incident response management
      • Disaster recovery management
      • Audit management

17
Focus areas (continued)
Defence in Depth Strategy
  • Governance
    • Refers to the oversight and coordination of
      technology, people and processes provided in
      terms of a management framework, and begins with
      commitment at senior management level. This is
      followed by
      • integration and alignment with the overall
        strategy,
      • alignment with and incorporation into business
        objectives and goals,
      • drafting and implementing appropriate policies,
        and
      • deriving procedures from them.
    • Key focus areas for implementation include
      • Risk management.
      • Information security and policy.
      • Compliance management.

18
Implementing the strategy
Defence in Depth Strategy
  • Requires a shift in paradigm: IT
    security/Information Assurance cannot be viewed
    as stand-alone issues, but must become part of
    business planning, overall strategy, governance
    and operations.
  • Reasons for implementing the strategy
    • Expanding organisational boundaries.
    • Mobile workforce.
    • Decentralisation of services.
    • Increasing value of information.

19
Implementing the strategy (continued)
Defence in Depth Strategy
  • Steps
    • Analysis of internal and external environment.
    • Determining the risks.
    • Implementation of strategy.
    • Maintenance, monitoring and review.

20
Layered Defence Approach as part of Defence in
Depth Strategy
Defence in Depth Strategy
  • The most effective way to secure information
    within modern-day parameters would be through
    implementing different layers of control as part
    of a Defence in Depth strategy (Murali 2007).
    Controls include both technical and process
    control mechanisms.

21
Layered Defence Approach (continued)
Defence in Depth Strategy
  • An organisation must deploy multiple defence
    mechanisms between the attacker and the target.
    This must increase the difficulty of successfully
    penetrating the network, thereby reducing
    risk, but also increase the chances of detecting
    the intruder.
  • Must identify users of a system, e.g. through
    usernames and passwords.
  • Must be able to provide mechanisms to effectively
    and efficiently recover from damage after an attack.
  • Must provide intelligence and correlate
    information between various departments in a
    business with the aim of preventing future attacks.

22
Maintaining the strategy
Defence in Depth Strategy
  • Maintaining the strategy includes continuous
    monitoring and evaluation of the effectiveness of
    the implemented programme. This would include
    evaluating the strategy to determine alignment
    where there are changes to
    • Business objectives and/or overall enterprise
      strategy.
    • The security profile, or where specific security
      breaches or increases in a particular type of
      security breach occur.
    • Weaknesses or gaps identified in the current
      strategy.

23
Practical guidelines for maintaining strategy
Defence in Depth strategy
  • Know and understand your organisation.
  • Define security roles and responsibilities.
  • Adopt appropriate policies and procedures.
  • Continuous auditing and assessment of process.
  • Stay up to date.
  • Effective public private partnerships.

24
Conclusion
  • Value of information: to organisations and to
    criminals.
  • Critical to preserve the integrity of
    information, and to ensure that it is stored,
    transmitted and accessed securely.
  • Systems designed to manage and secure information
    must be reliable, aligned to business objectives
    and in line with the risk management approach of
    the organisation.
  • Achieve Information Assurance through
    implementation of a Defence in Depth strategy.
  • Shift in paradigm: pro-active vs re-active.
  • SHARE INFORMATION!

25
Questions?
Thank you!