SIG ISM WORKSHOP LONDON 2015, Alf Moens
SIG ISM
The aims of the SIG-ISM are:
- Establish a community of NREN security management professionals
- develop, maintain and promote trust framework between NRENs based on international standards
- promote the use of international security standards and share best practices for security management within NRENs
- discuss and promote issues of information security management of particular interest to NRENs

In the direction of these fundamental points, the 1st SIG-ISM, which will be held at Imperial College in London, wishes to bring together CISOs and all people interested in ISM to develop and strengthen the ISM Community around the globe.
Agenda Tuesday
- 12:30-13:30 Arrival and registration
- 13:30-13:45 Welcome and introduction, Alf Moens (SURF)
- 13:45-14:15 How to gain and maintain ISO 27001 certification, Urpo Kaila (CSC)
- 14:15-14:45 Jisc and the ISO27001, James Davis (Jisc)
- 14:15-14:45 Coffee break
- 14:45-16:45 Round-table discussions: What do NRENs need to implement as a standard? The aim of this discussion is to generate a document to highlight the basic steps NRENs should follow to implement security management.
- 16:45-17:00 Summary of the day
- 17:00-19:00 Checking in...
- 19:00-21:00 Joint dinner
Introduction SIG ISM
- Steering committee: started autumn 2014, at workshop in Utrecht, monthly VC meetings: James, Rolf, Wayne, Alf
- Charter: approved!
- Participation: free for anyone but aimed at security officers of NRENs
- It's not about incidents, it's about security management.
- Reach out to other Task forces and SIGs
- Maintain 'register' of security officers
- Should we work on a trust framework?
Agenda Wednesday
- 09:00-9:30 Risk Registers, the good and the bad – Making Real Change, Wayne Routly (GEANT)
- 9:30-10:30 Round-table discussions: Risk analysis. The aim of this discussion is to generate a short paper around the current risks and the new threats coming up.
- 10:30-11:00 Coffee break
- 11:00-11:30 Finalising the discussion on Risks
- 11:30-12:20 REFEDS and SIG-ISM, Nicole Harris (GEANT)
- 12:20-12:30 Discussion about future meetings and Wrap-up
Participants
- Alf Moens - SURFnet bv
- Wayne Routly - DANTE
- Alessandra Scicchitano - GEANT Association
- Dominique Launay - GIP RENATER
- Maciej Milostan - PSNC / PIONIER
- John Chapman - Jisc
- Antonio Fuentes Bermejo - RedIRIS
- Fernand De Decker - BELNET
- Rolf Sture Normann - UNINETT AS
- Cynthia Wagner - Fondation RESTENA
- Thomas Tam - Canada's Advanced Research and Innovation Network
- Jacob Asbæk Wolf - NORDUnet A/S
- Øivind Høiem - UNINETT AS
- James Davis - Jisc
- Urpo Kaila - CSC - IT Center for Science Ltd.
- Nicole Harris - GÉANT Association

Apologized [4]
- Aidan Carty - HEAnet
- David Simonsen - WAYF - Where are you from
- Vlado Pribolsan - AAI@EduHr - Croatian Research and Education Federation
- Ralf Groeper - DFN
Standards and certifications
Inventory
- Do you have a security officer? An approved security policy?
- Which standard for information security are you using?
- Are you implementing any certifications?
- Which?
- Who is asking for this?
- How much effort is it?
Discussion
- What standard should a NREN use for information security?
Risk Identification and Management
- Do you perform any risk analysis? Company wide, for a project or for an information system?
- What do you need to protect?
- What are the core assets of a NREN?
- What are the main threats for a NREN?
- What are the main threats for a university?
Type of threat, examples of threat, and relevance (chance * impact) for Education, Research and Operations

| # | Type of threat | Event | Actor | Example incidents | Education | Research | Operations |
|---|---|---|---|---|---|---|---|
| 1 | Accessing or (unauthorised) publishing data | Theft of research data; privacy-sensitive information is leaked and published; design of a research lab falls into wrong hands; fraud in gaining access to information about exams and test questions | Cybercriminals, Activists, States, Employees | Exam fraud through disclosure of exam questions; privacy-sensitive data about students and pupils leaked; parliamentary questions about intranet leak at Hogeschool | MIDDLE | HIGH | MIDDLE |
| 2 | Identity fraud | Student has someone else do his exam; student poses as other student or employee to gain access to exams; activist poses as a researcher; student poses as an employee and changes exam results | Students, Cybercriminals, Activists | Parliamentary questions about identity fraud at Hogeschool Windesheim; fraud in admission exams | HIGH | MIDDLE | LOW |
| 3 | Manipulation of data | Study results are falsified; manipulation of research data; alteration of business operations data | Students, Employees | Student gets four years in prison for changing his grades; large-scale fraud by economics students; student hacks website and submission system of Computer Science | HIGH | LOW | LOW |
| 4 | Espionage | Research data is intercepted; intellectual property is stolen via a third party | States, Companies & commercial partners, Cybercriminals | MI5 warned British universities about cyberattacks; NSA hacks Belgian cyber professor; Chinese spy on think tanks with expertise in Iraq | LOW | HIGH | LOW |
| 5 | Disruption of ICT | DDoS attack brings down IT infrastructure; critical research data or exam data is destroyed; setup of research institutions is sabotaged; educational resources become unusable due to malware (e.g. eLearning or the network) | Cyberresearchers, Activists, Students, Employees | Distributed Denial of Service attack hits SETI project; Dorifel virus also hits universities; server brought down Utrecht University network | MIDDLE | MIDDLE | MIDDLE |
| 6 | Take over or abuse of ICT | Setup of research institutions taken over; systems or accounts are abused for other purposes (botnet, mining, spam) | Cybercriminals, Students, Employees | Yahoo blocks Maastricht University because of spam; student uses university computers to mine dogecoin | LOW | MIDDLE | MIDDLE |
| 7 | Create negative image on purpose | Defacement of website; social media account hacked and abused | Activists, Students, Cyberresearchers, Cybervandals | Homepage of Faculty of Arts (Faculteit Letteren) defaced; hackers deface website of MIT | LOW | LOW | LOW |
Sources for threat information
SURF Cyberdreigingsbeeld 2014
https://www.surf.nl/nieuws/2014/11/handvatten-om-cybersecurity-instellingen-te-verbeteren.html
Cyber Security Beeld Nederland 4 (NCSC)
https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/trendrapporten/cybersecuritybeeld-nederland-4.html
Dutch Cyber Security Council (CSR)
(cyber security guide for the board room)
http://www.cybersecurityraad.nl/assets/1502517_VENJ_Cybersecurity_UK_vdef.pdf
Enisa Threat Landscape
http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-mid-year-2013/at_download/fullReport
World Economic Forum
http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-mid-year-2013/at_download/fullReport
Source: Enisa Threat Landscape and Good Practice Guide for Internet Infrastructure, jan. 2015
Threat Landscape and Good Practice Guide for Internet Infrastructure
| Threat types | Threats | Asset types |
|---|---|---|
| Physical attacks | Sabotage | Hardware, Infrastructure |
| Physical attacks | Unauthorised physical access/unauthorised entries to premises | Hardware, Infrastructure |
| Disasters | Natural disasters | Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources |
| Disasters | Environmental disasters | Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources |
| Failures/Malfunctions | Failures of parts of devices | Protocols, Hardware, Software, Information, Services |
| Failures/Malfunctions | Configuration errors | Protocols, Hardware, Software, Information, Services |
| Outages | Lack of resources | Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources |
| Outages | Network outages | Hardware, Software, Information, Services |
| Unintentional damages (accidental) | Information leakage/sharing | Hardware, Software, Information, Services, Interconnection |
| Unintentional damages (accidental) | Unintentional change of data in an information systems | Protocols, Hardware, Software, Information, Services |
| Damage/Loss (IT assets) | Damage caused by a third parties | Hardware, Software, Information, Services, Interconnection, Infrastructure, Human resources |
| Damage/Loss (IT assets) | Loss of reputation | Interconnection, Human resources |
| Nefarious activity/Abuse | Manipulation of hardware and software | Protocols, Hardware, Software, Information, Services |
| Nefarious activity/Abuse | Denial of service attacks (DoS/DDoS) | Hardware, Software, Information, Services |
| Eavesdropping/Interception/Hijacking | Interception compromising emissions | Protocols, Software, Information, Services |
| Eavesdropping/Interception/Hijacking | Man in the middle/session hijacking | Software, Information, Services |
| Legal | Violations of law or regulation/breaches of legislation | Software, Information, Interconnection, Human resources |
| Legal | Failure to meet contractual requirements | Software, Information, Interconnection, Human resources |