Security challenges within an Information System Directorate

SLIDE 1

Security challenges within an Information System Directorate

DGD/DSID/Pôle Sécurité 25/04/2019 1

Works of the RWG’s 5th meeting on Computer Development

SLIDE 2

Security challenges within an Information System Directorate

DGD/DSID/Pôle Sécurité 29/04/2019 2

SLIDE 3

Table of contents

  • Context
  • IS vulnerabilities
  • Threat vectors
  • Hacker profiles
  • Cyberattack examples
  • Cybersecurity governance

SLIDE 4

Context (1/2)

  • Strong IT dependency
  • Partnership
  • Outreach
  • Digitalization
  • Protection of the economy
  • Contribution to the State budget
  • Trade security
  • Business facilitation

SLIDE 5

Context (2/2)

COMPLIANCE

  • Respect of international agreements and treaties
  • Legislation (Customs Code, cybercrime, personal data protection, Telecoms Code, e-transactions, etc.)
  • Standards (ISO 270XX, 900X, PCI-DSS, SANS, OWASP, NIST, CC, Basel II-III)

SLIDE 6

IS VULNERABILITIES

Technical Vulnerabilities

  • Countermeasures not suited to the threats
  • Obsolescence of the technologies in use
  • Missing or incorrect configuration
  • Design flaw
  • Etc.; cf. the Mehari, Ebios and 27005 vulnerability databases

Organizational Vulnerabilities

  • Lack of procedures (PSSI, GIS, audit, etc.)
  • Lack of task separation
  • Lack of definition of roles and responsibilities
  • No security organization
  • cf. the Mehari vulnerabilities database, Ebios, 27005

Human Resources Vulnerabilities

  • Lack of human resources or unqualified human resources
  • Lack of staff awareness on cybersecurity
  • Misunderstanding of procedures
  • Etc.; cf. the Mehari vulnerabilities database, Ebios, 27005

SLIDE 7

25/04/2019 DGD/DSID/Pôle Sécurité/Team Pentest 7

Threat vectors (1/2)

SOCIAL ENGINEERING

  • The art of persuading someone to give away confidential information

Social Networks

  • Social networks can contribute to and facilitate the loss of control over strategic information

PHISHING

  • Mail
  • Links
  • Attachments

WEB APPLICATION

  • Injection: remote code execution
  • Cross-Site Scripting: attacks on the client's side
  • Broken Authentication and Session Management: authorization and authentication

REMOVABLE DRIVES

  • USB,
  • keyboard,
  • CD, etc.

Shadow IT

  • Technology implementation (applications, services, storage function and information sharing) among collaborators without involving the CIO

Physical intrusion

  • The hacker gains access to the victim's premises and connects directly.

SLIDE 8

29/04/2019 Verizon‐DBIR_2018‐Main_report.pdf 8

Threat vectors (2/2)

SLIDE 9

HACKER PROFILES 1/2

PROFILES MOTIVATIONS

Expert commissioned Financial Sabotage Hacktivists Ideology Cyber-soldiers State interests Malicious user Financial Malicious staff None (nuisance by mistake) Sabotage Financial Furniture Provider Financial Service provider Financial partners Espionage Cybercriminals Fame Financial

SLIDE 10

29/04/2019 Verizon‐DBIR_2018‐Main_report.pdf 10

HACKER PROFILES 2/2

SLIDE 11

EXAMPLES OF CYBER-ATTACKS

Examples of cyber-attacks in the international transit sector

Military Sealift Command

  • The attack targeted a sailing shuttle of the Military Sealift Command: many systems were reportedly compromised by the Chinese army, according to a report from the American Senate.

Port of Antwerp

  • The attack was detected in June 2011 and was commissioned by a drug-trafficking gang trying to hijack containers and to move drugs coming from Latin America by stealing agents' passcodes.

IRISL (Islamic Republic of Iran Shipping Lines)

  • The attack occurred in August 2011 and all the data the company held on its cargoes was deleted. Who commissioned it remains unknown.

MAERSK

  • The attack was detected at the end of June 2017 and was carried out by a group of hackers. MAERSK lost nearly 300 million dollars because of this attack.

SLIDE 12

Cybersecurity Governance (1/2)

  • Commitment from top management
  • Organization (roles and responsibilities, institutions)
  • Resources
  • Tools

SLIDE 13

Cybersecurity Governance (2/2)

25/04/2019 cisecurity.org/controls 13

SLIDE 14

Thank you ‐ Jerejef

Human resources Process