The growing threat to information security: a focus on ISM

The Growing Threat to Information Security: A focus on ISM Prisons 2015, Melbourne Travis Chehab [email protected] www.ndy.com

The Threat... Australian networks face an unprecedented threat of malicious activity and loss of information.

Malicious Actors: 1.  State-Sponsored

Attackers 2.  Cyber Criminals 3.  Issue-Motivated Groups

CSOC  Update,  Cyber  Security  Picture  2013  ,  June  2014  

The Threat...

CSOC  Update,  Cyber  Security  Picture  2013  ,  June  2014  

The Threat... A new piece of malware is created every 1.5 seconds!

Source:    ISM  -­‐  Trend  Micro,  Trend  Micro  Annual  Report:  The  Future  of  Threats  and  Threat  Technologies,  2009.                                    ISM  -­‐    RSA,  Cybercrime  Trends  Report  –  The  Current  State  of  Cybercrime  and  What  to  Expect  in  2011  

Prison Technology Drivers... •  Reduced rates of recidivism

•  PILS

•  Energy & Sustainability •  Co/Tr-Gen

•  Water Treatment & Recycling Plants •  Lighting control

•  System Resilience & Uptime •  Back-up generation and UPS

•  N +1 systems / system redundancy

•  Streamlining Process & Flexibility •  Centralised control, management, monitoring

and response

Technology  Convergence  The  Integrated  Communica7ons  Network  (ICN)  

Important Questions

What would a serious cyber security incident cost our organisation?

Who would benefit from having access to our information?

What makes us secure against threats?

Is the behaviour of our staff enabling a strong security culture?

Are we ready to respond to a cyber security incident?

The Information Security Manual (ISM)

h>p://www.asd.gov.au/infosec/ism/index.htm  

ISM Principles Volume Policy and procedure: !  Information security policy !  Security risk management plan !  System security plan !  Standard operating procedures !  Incident response plan !  Emergency procedures !  Business continuity and disaster recovery plans

ISM Controls Volume

‘Applicability’  of  a  control,  i.e.  Classifica7ons  TOP  SECRET  

SECRET  

CONFIDENTIAL  

PROTECTED  

GOVERNMENT/UNCLASS  

‘Compliance’  language  –  Should  vs.  Must  

‘Authority’  and  approval  of  non-­‐compliances:  •     DSD  –  Director  DSD  (ASD)  •     AH  –  Agency  Head  •     AA  –  Accredita@on  Authority  

Precinct/Facility  Classifica7on...who’s  on  the  other  side  of  the  wall?  •       Non-­‐Shared  Government  Facility  •       Shared  Government  Facility  •       Shared  Non-­‐Government  Facility  

ISM Controls Volume

1. Information Security Governance

2. Physical Security

3. Personnel Security

4. Communications Security *

5. Information Technology Security

Control:  1117;  Revision:  0;  Updated:  Nov-­‐10;  Applicability:  G,  P,  C,  S,  TS;  Compliance:  should;  Authority:  AA    

Agencies  should  use  fibre  op@c  cabling.    

What  does  a  ‘control’  look  like?  

How  do  we  use  controls  and  for  what  project  aspects?  

Statement  of  Applicability  

(SoA)  

ISM in Construction Identification, Inspectability and the ‘By-Association Factor’

My  PROTECTED  network  is  the  blue  one!?  

ISM in Construction

SoA   Design  &  Construc7on  

IRAP  verifica7on   Risk  Plan   System  Plan  

Thanks any questions?

The NDY communications group is a dedicated team looking after the specific ICT needs of our clients