Cybersecurity at ISACA
Yves LE ROUX, CISM, CISSP, [email protected]
2 April 2015, Jeudi de l’AFAI


Trends and new aspects of IT security

3 © 2014 CA. ALL RIGHTS RESERVED.


Factors Impacting the Need for Improved Cyber Security

Source: ISACA, 2014


Consumerization
• Mobile devices
• Social media
• Cloud services
• Nonstandard
• Security as a Service

Continual Regulatory and Compliance Pressures
• SOX, PCI, EU Privacy
• ISO 27001
• Other regulations

Emerging Trends
• Decrease in time to exploit
• Targeted attacks
• Advanced persistent threats (APTs)

Source: ISACA, 2014

Key Trends and Drivers of Security


The World is Changing

Source: ISACA, 2012


The APT Life cycle

History shows that the most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle and are extremely effective at attacking their targets.


APTs are different: they are targeted

Targeted attacks

• Adversary’s persistence
– They know what they want and they pursue their goal
– They will repeatedly try to get in
– Once they are in, they try to stay
– When you throw them out, they will try to come back

• Initial infection very difficult to avoid
– Spear-phishing e-mails
– Social engineering to trick the user into running malware installers
– Watering hole attacks using known exploits
– Watering hole attacks that rely on social engineering

• Take control over the infrastructure: 10 minutes to 48 hours
• Detection: average 229 days (or never)
• Remediation: 1 to 6 months

European Cybersecurity Strategy

The Five strategic objectives of the strategy are as follows:

– Achieving cyber resilience

– Drastically reducing cybercrime

– Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP)

– Developing the industrial and technological resources for cybersecurity

– Establishing a coherent international cyberspace policy for the European Union and promoting core EU values.


Network and Information Security (NIS) Directive: Key Elements

Capabilities: common NIS requirements at national level
– NIS strategy and cooperation plan
– NIS competent authority
– Computer Emergency Response Team (CERT)

Cooperation: NIS competent authorities to cooperate within a network at EU level
– Early warnings and coordinated response
– Capacity building
– NIS exercises at EU level
– ENISA to assist

Risk management and incident reporting for:
– Energy: electricity, gas and oil
– Credit institutions and stock exchanges
– Transport: air, maritime, rail
– Healthcare
– Internet enablers
– Public administrations


NIS Directive: legal actions

7 February 2013: The European Commission published the draft Network and Information Security (NIS) Directive, which set out proposals to enhance the EU’s resilience to cybersecurity threats and ensure a common level of network and information security across the EU.

13 March 2014: The European Parliament voted through the proposed NIS Directive with a number of amendments to the proposed text.

19 November 2014: EU Member States remained divided on whether Internet companies should have to comply with the proposed NIS Directive. The Council presidency said that it was "confident" that the Council and Parliament would be able to "reach a deal before the end of the year" on the final wording of the legislation.


NIS Public-Private Platform

The NIS Platform complements and underpins the NIS Directive. It will help implement the measures set out in the Directive, e.g. by simplifying incident reporting, and ensure their convergent and harmonised application across the EU.

At the first meeting of the NIS Platform on 17 June 2013, it was decided to set up three working groups, which should be cross-cutting, with all relevant sectors represented:
– WG1 on risk management, including information assurance, risk metrics and awareness raising;
– WG2 on information exchange and incident coordination, including incident reporting and risk metrics for the purpose of information exchange;
– WG3 on secure ICT research and innovation.

At its meeting on 25 November 2014, the NIS Platform decided that the aim is to have NISP finalised guidance on all Chapters by October 2015, with Commission recommendations on good cybersecurity practices due to be adopted in late 2015.


Breakdown and tentative timing of Chapters per Working Group

Source: NIS Public-Private Platform, 25 November 2014 Meeting Report


France

The Military Programming Act (loi de programmation militaire) of 18 December 2013

Decree No. 2015-349 of 27 March 2015 on the authorisation and swearing-in of the agents of the national information systems security authority

Decree No. 2015-350 of 27 March 2015 on the qualification of security products

Decree No. 2015-351 of 27 March 2015 on the security of the information systems of operators of vital importance


France

218 organisations that are strategic for the nation are required to protect themselves against computer intrusions.

State sectors: civil activities of the State, military activities of the State, judicial activities.

Citizen-protection sectors: health, water management, food.

Sectors of the nation’s economic and social life: energy, communications, electronics, audiovisual and information (these four count as one sector), transport, finance, industry.

Regular external audits checking the security of their information systems.

Installation of software or hardware that continuously detects computer intrusions coming from outside.

ISACA European Cybersecurity Implementation Series


ISACA has released the European Cybersecurity Implementation Series primarily to provide practical implementation guidance that is aligned with European requirements and good practice.

Source: ISACA, 2014


SIX QUESTIONS THE BOARD SHOULD ASK

Does the organization use a security framework?

What are the top five risks the organization has related to cybersecurity?

How are employees made aware of their role related to cybersecurity?

Are external and internal threats considered when planning cybersecurity program activities?

How is security governance managed within the organization?

In the event of a serious breach, has management developed a robust response protocol?


Overview

When implementing cybersecurity steps and measures, enterprises should:

1. Analyse impact (with a view to business impacts and other, non-financial impacts).

2. Identify and analyse risk.

3. Determine risk treatment.

4. Determine cybersecurity strategy options based on the risk profile.


Source: ENISA, 2014

Mapping ERMP to COBIT 5

Source: ISACA, 2014

Some examples of Cybersecurity Risk

Risk Scenario in COBIT 5 Risk Management

COBIT 5 Risk Management Framework

Three lines of defence

European restriction on Audit

Legal and contractual relationships

Data logging & retention

The latest publication

Questions?

[email protected]