NTU-Mastercard FlexiMasters in Cybersecurity & Digital Trust - CET940 Corporate Security Structure PDF

NTU-Mastercard FlexiMasters in Cybersecurity & Digital Trust CET940 Corporate Security Structure Lesson 1 - 7th - 9:30am - 11:30am SGT / GMT+8 ©2023 Mastercard. Proprietary and Confidential Dr. Alissa Abdullah, “Dr. Jay” Danny Chan Sep 2024 Class Content 1 Introduction of teaching staff 2 Introduction to Mastercard 3 Our Operating Environment 4 Introduction to Corporate Security 5 Group Discussion 6 Report out 7 Security Operations Center 8 Fusion Center 9 Vulnerability Management 10 Q&A Mastercard and NTU Singapore to Establish MOU to Drive Cybersecurity and Digital Trust Introduction of teaching staff Dr. Alissa Abdullah -“Dr. Jay” Danny Chan Objective This course aims to equip learners with essential knowledge of security management. Learners will be systematically and rigorously introduced to the functions and organizations of the various cybersecurity operations which are performed by different professional teams reporting to the Chief Information Security Officer. Learners will study the organizational structure that will enable them to be effective in their role as cyber threat intelligence professionals. At the end of the course, learners will be able to: Identify the different teams in an organization that exist to prevent and detect against cyber-attacks. Describe the functions of different teams in an organization and explain how they work together to prevent and detect against cyber-attacks AN ECOSYSTE M OF ACCELERATION Technology adoption is moving at an unrivalled pace, transforming the way we live and work. 1992 2022 Smartphone GPT 1873 3 years 2 months 1876 1983 Electricity Telephone Mobile Phone 46 years 35 years 13 years 1897 1975 1991 Radio PC Internet 31 years 16 years 7 years 1926 2004 Television 26 years Facebook ©2023 Mastercard. Proprietary and Confidential 2 years 50 40 30 20 10 1 Source: Singularity.com YEARS TAKEN UNTIL ADOPTED BY 25% U.S POPULATION ©2022 Mastercard. Proprietary and Confidential ©2022 Mastercard. Proprietary and Confidential 9 ©2022 Mastercard. Proprietary and Confidential 10 ©2022 Mastercard. Proprietary and Confidential Introduction to Mastercard Mastercard is a technology company in the global payments industry. We connect consumers, financial institutions, merchants, governments, digital partners, businesses and other organizations worldwide by enabling electronic payments and making those payment transactions safe, simple, smart and accessible. Understanding the Payments Ecosystem – The 4 Party Model Acquirer Service Providers Examples Issuer Payment Facilitator Processor Program Manager Processor ©2022 Mastercard. Proprietary and Confidential ISO/VAR Staged Digital Wallet Distributor Independent Sales Org. Operator Value Added Reseller Merchant Consumer 13 Why Mastercard? Our unique view Mastercard unique monitoring Mastercard unique intelligence 3,420+ 2x Banks and financial The number of organizations institutions monitored risk managing over 250 third-party 13m+ $18m 90 relationships doubled in 2023 from 2020.1 days ©2024 Mastercard. Proprietary and Confidential Merchants monitored 40+ Average financial exposure due to cyber Average no of days critical risk for organizations in the SEA vulnerabilities were left unpatched in Banks in SEA in Q4 2023 Source1: The State of Third-Party Risk Management: 2024 Outlook. Industries Mastercard Propriety Data. 2024 16 Our security ecosystem 270+ 5,500+ ©2024 Mastercard. Proprietary and Confidential Channel and alliance partners Global customers 200+ 94% 49% ©2024 Mastercard. Proprietary and Confidential Countries Customer renewal rate Non-financial customers 17 Mastercard Propriety Data. 2024 We have been working with Government, Policymakers and Regulators to advance Cybersecurity, mitigate threats and foster cyber resilience Belgium/EU MC EU Cyber Resilience Centre drives collaboration between public & private sectors, regulatory bodies and law enforcement agencies MC has a leadership role in the European Central Bank’s group on Cyber threat & Intelligence sharing United States UK MC co-leads the Cyber Defense Exercise –MC led and Financial Services organized the 2nd Tri-sector Cyber Cyber Collaboration Defense Exercise in 2024 bringing together Center (FSCCC) Indonesia organizations from energy, finance, and Digisec Lab to MC Academy seeking to telecommunications for a live-fire exercise pro-actively test KSA reach and train 100,000 designed to assess cyber-defense threats India people as certified capabilities. Cybersec analysts MC participates in the annual Cyber Storm ©2024 Mastercard. Proprietary and Confidential Cyber Defense Exercise with CISA and the Middle US Department of Treasury East Centre of Excellence in 2024 MA MC works with the National Institute of to run Cyber War is Standards and Technology (NIST) to Gaming Exercise strengthen workforce development, working UAE- Cyber threat casting exercise with with entities in education and training. KSA, which include with the Indian the UAE Banks to understand the possible Government to sector wide as well MC has strong relationships with leading cyber threats impacting UAE as cross sector strengthen Small colleges and universities across the USA to exercise. Business Cybersecurity help increase educational access to using our free toolkit cybersecurity resources for students. through the Global Cyber Alliance Our Operating Environment Globally, cybercrime cost is ~40 times higher than the cybersecurity industry market size Cyberattacks: Top 10 Global Risks Widespread cybercrime and vulnerabilities in cyber security are among the most severe risks facing businesses, governments and the public over the next decade# $8 Tr $220 Bn Globally in in 2023* ©2023 Mastercard. Proprietary and Confidential Set to cost governments Global market size of and organisations Cybersecurity industry 20 Source: *Cyber Security Ventures Report 2023; # World Economic Forum Global Risk Report 2023 Singapore is the most targeted country in the SEA region by cyber events, impacted by 21% of regional events KEY INSIGHTS 2.500 1 2 Singapore had the highest number of 3 1 cyber incidents across SEA, with Total # of occurrences in Southeast Asia 2.000 technology and public sectors being the primary targets due to the country's high technological growth. 1.500 2 In Cambodia and Laos, government agencies and software are the main targets. The increase in cyberattacks on 1.000 Cambodian government agencies could be linked to recent unrest regarding hindrances to democratic transition. 500 56% of the attacks on Vietnam in 3 Nov’23 can be attributed to black hat Confidential Confidential andConfidential and state-sponsored hackers. Chinese cyber warriors are the primary attackers and Proprietaryand 0 which could be attributed to the long- Proprietary Mastercard. Proprietary Jan-23 Feb-23 Mar-23 Apr-23 May-23 Jun-23 Jul-23 Aug-23 Sep-23 Oct-23 Nov-23 Dec-23 held tension between the two countries. Mastercard. ©2023 Mastercard. Malaysia & Brunei Singapore Philippines Vietnam Cambodia & Laos Indonesia Thailand ©2022 ©2023 Source: Mastercard Cyber Insights Data. Based on data for the time period between Jan 2023 – Dec 2023 21 Within Singapore, Technology and Public sectors have the greatest number of cyber occurrences Top targeted industries in Singapore KEY INSIGHTS 550 500 1 Singapore's digital sector is a cornerstone of its economy, malicious 450 actors, including government-backed cyber groups like APT41, are drawn to 400 exploit vulnerabilities Total # of occurrences 350 2 These malicious attackers commonly 300 utilize malware and remote access trojans to target the equipment and 250 source code of SG’s technology firms 200 3 Public sector is also highly targeted 150 (2,100 occurrences), primarily attributed to Black Hat and State Sponsored Confidential and Confidential 100 groups. Proprietary and 50 One noteworthy incident occurred in Mastercard. Proprietary November, involving a DDoS attack that 0 caused hours-long disruptions to the ©2023 Mastercard. Jan-23 Feb-23 Mar-23 Apr-23 May-23 Jun-23 Jul-23 Aug-23 Sep-23 Oct-23 Nov-23 Dec-23 websites of all public healthcare Technology Research Services clusters in Singapore ©2022 ©2023 Public Financial Source: Mastercard Cyber Insights Data. Based on data for the time period between Jan 2023 – Dec 2023 22 18.7% YoY increase in cyber attacks in SEA mainly targeted at public, technology, and financial sectors contributed by 3 major factors Cyber occurrences in SEA by industry (2022 vs 2023) +18.7% 61,217 12,227 53,894 10,351 11,781 9,490 8,552 7,692 6,684 5,849 4,917 6,224 15,595 15,749 2022 Technology Public Financial Media Services Others 2023 Public Technology Financial Media Services Others Total Total Confidential and Confidential This rise can be attributed to 3 major factors: Proprietary and Mastercard. Proprietary 1 2 3 Weak Digital Infrastructure Increased State-Sponsored Prevalence of DDoS as a ©2023 Mastercard. driven by prioritization of Attacks due to rising geopolitical service with the increased functionality over security tensions, particularly due to adoption of 5G technology ©2022 ©2023 China's influence Source: Mastercard Cyber Insights Data. Based on data for the time period between Jan 2023 – Dec 2023 23 SEA Top Targeted Assets, Threat Actors and Methods  Black Hat hackers (~33%) and organized crime groups (22%) contributed to most of the cyber attacks in SEA Attackers  Notable examples of Black Hat include Ransomware groups and Data Hackers  Malware (~30%) is the most employed TTP by attackers, in gaining access to IT systems of targeted sectors  Ransomware (e.g., Infostealer, Backdoor Trojan, etc) as well as Email Phishing Key SEA Methods (e.g, Spear Phishing, Malspam, etc) were also commonly employed by threat Cybersecurity actors Statistics Confidential and Confidential  Among the top 10 most targeted assets, more than half (~51%) were targeted at Customer Personal Information (e.g., Identity Information), Physical Assets Proprietary and Mastercard. Proprietary (e.g., IoT Devices and Equipment), and Intellectual Property (e.g., Patented Assets Technologies). ©2022 Mastercard. ©2023 Source: Mastercard Cyber Insights Data. Based on data for the time period between Jan 2023 – Dec 2023 24 Black Hat and Organized Crime groups were the primary attackers of cyber events in Singapore KEY INSIGHTS 2023 Top Attackers in Financial Industry Black Hat hackers and Organized of events in Singapore Crime groups were the main attackers were attributed to Black of cyber events in both Singapore and Black Hat 49.7% the region in 2023. Hat & Organized Crime 71% Groups Scammer gangs are more prevalent in Organized Crime 21.5% REGION average: 69% Singapore, constituting 30% of attackers compared to average of 11% in other SEA countries. Unskilled 12.7% State-sponsored attackers, particularly North Korea (12%), Vietnam (4%), and China (3%), were Examples of top attackers: highly active in conducting cyber Confidential and Confidential State Sponsored 10.4% espionage to infiltrate networks of financial institutions to obtain valuable - Malware and Ransomware Affiliate Proprietary and information. Mastercard. Proprietary - Multipurpose Malware Group Malicious Insider 5.6% - Scammer Gang ©2023 Mastercard. - North Korea State Sponsored ©2022 ©2023 Source: Mastercard Cyber Insights Data. Based on data for the time period between Jan 2023 – Dec 2023 25 * Highlighted above are noteworthy cyber events. This should not be taken as an exhaustive list. Malware emerged as the some of the most prevalent cyberattack methods in Singapore KEY INSIGHTS 2023 Top Cyber Attack Methods in Financial Industry Both SEA region and Singapore shows comparable cybercrime attack of attacks were methods using Malware, Email Malware 34.0% performed through Phishing and Ransomware. Malware, Email Phishing 82% & Ransomware In 2022, there was a notable surge in Email Phishing 27.8% the evolution and prevalence of REGION average: 82% ransomware, likely attributed to the rise of Ransomware-as-a-Service (RaaS) in Singapore, a trend that persisted into 2023. Ransomware 21.1% Banking Trojan designed to steal customer financial information are Confidential and Confidential Web Phishing 8.6% Examples of top attack methods: gaining sophistication with new capabilities to initiate authorized Proprietary and - Banking Trojan financial transaction, are on the rise. Mastercard. Proprietary - Infostealer Malware Credential Access 8.6% - Crypto Ransomware ©2023 Mastercard. - Credential Theft ©2022 ©2023 Source: Mastercard Cyber Insights Data. Based on data for the time period between Jan 2022 – Dec 2023 26 * Highlighted above are noteworthy cyber events. This should not be taken as an exhaustive list. Business systems and customer personal information were the leading target of cyber attacks in financial industry KEY INSIGHTS 2023 Top Targeted Assets in Financial Industry Business Systems (22%) are crucial assets vulnerable to cyber attacks in of events targeting the finance sector, especially Business Systems 22.1% Business System & considering the heavy reliance on Customer Personal interconnected technologies by banks, 44% Information many of which are digitally-driven in Customer Singapore. Personal 21.8% Information REGION average: 49% Customer Personal Information Customer (22%) and Financial Information (20%) also emerged as top targeted Financial 20.3% assets. Cybercriminals utilize Malware Information like infostealers and keyloggers to target banking information, such as Confidential account numbers and login credentials, and Confidential Examples of top targeted assets: Physical Assets 18.4% to perpetrate fraudulent transactions, unauthorized withdrawals, and Proprietary and - Business Operations account takeovers. Mastercard. Proprietary - Identity Information Intellectual - Payment Cards 17.4% ©2023 Mastercard. Property - Customer Credentials ©2022 ©2023 Source: Mastercard Cyber Insights Data. Based on data for the time period between Jan 2023 – Dec 2023 27 * Highlighted above are noteworthy cyber events. This should not be taken as an exhaustive list. Overall downtrend in cyber occurrences observed due to enforced regulation; however, periodic spikes highlight persistent evolution of attackers and methods In ‘23, Singapore's financial sector experienced 1,759 Cyber Occurrences, 29% less compared to ‘22, with 26% concentrated in May & Jun Period of analysis 350 295 May & Jun ‘23 accounted for 300 more than 26% of all attacks Total # of occurrences 250 200 150 100 50 0 Jan-22 Mar-22 May-22 Jul-22 Sep-22 Nov-22 Jan-23 Mar-23 May-23 Jul-23 Sep-23 Nov-23 Jan-24 Confidential and Confidential KEY INSIGHTS Proprietary and Mastercard. Proprietary  Despite the overall downwards trends in 2023, there is still periodic spike across 2023 mainly contributed by Multipurpose Malware Groups (+113% YoY compared to ’22) ©2023 Mastercard.  Notably, the peak in May & June ’23 can be attribute to banking-related malware scams involving unauthorized transactions with android devices; these scams involved users downloading malicious apps containing information-stealing malware ©2022 Source: Mastercard Cyber Insights Data. Based on data for the time period between Jan 2022 – Dec 2023 28 Introduction to Corporate Security Group Discussion Who should the CISO report to? - Chief Executive Officer, CEO - Chief Information Officer, CIO - or Chief Financial Officer, CFO Report out Security Operations Center (SOC) Security Operations Center (SOC) A SOC—usually pronounced "sock" and sometimes called an information security operations center, or ISOC—is an in-house or outsourced team of IT security professionals dedicated to monitoring an organization’s entire IT infrastructure 24x7. Its mission is to detect, analyze and respond to security incidents in real-time. This orchestration of cybersecurity functions allows the SOC team to maintain vigilance over the organization’s networks, systems and applications and ensures a proactive defense posture against cyber threats. The SOC also selects, operates and maintains the organization's cybersecurity technologies and continually analyzes threat data to find ways to improve the organization's security posture. SOC activities and responsibilities fall into three general categories. Preparation, planning and prevention Asset inventory: A SOC needs to maintain an exhaustive inventory of everything that needs to be protected, inside or outside the data center (for example applications, databases, servers, cloud services, endpoints, etc.) and all the tools used to protect them (firewalls, antivirus/anti-malware/anti-ransomware tools, monitoring software, etc.). Many SOCs will use an asset discovery solution for this task. Routine maintenance and preparation: To maximize the effectiveness of security tools and measures in place, the SOC performs preventive maintenance such as applying software patches and upgrades, and continually updating firewalls, allowlist and blocklists, and security policies and procedures. The SOC can also create system backups—or assist in creating backup policies or procedures—to ensure business continuity in the event of a data breach, ransomware attack or other cybersecurity incident. Incident response planning: The SOC is responsible for developing the organization's incident response plan, which defines activities, roles and responsibilities in the event of a threat or incident, and the metrics by which the success of any incident response will be measured. Regular testing: The SOC team performs vulnerability assessments—comprehensive assessments that identify each resource's vulnerability to potential or emerging threats and the associate costs. It also conducts penetration tests that simulate specific attacks on one or more systems. The team remediates or fine-tunes applications, security policies, best practices and incident response plans based on the results of these tests. Staying current: The SOC stays up to date on the latest security solutions and technologies, and on the latest threat intelligence—news and information about cyberattacks and the hackers who perpetrate them, gathered from social media, industry sources and the dark web. Monitoring, detection and response Continuous, around-the-clock security monitoring: The SOC monitors the entire extended IT infrastructure—applications, servers, system software, computing devices, cloud workloads, the network—24/7/365 for signs of known exploits and for any suspicious activity. For many SOCs, the core monitoring, detection and response technology has been security information and event management, or SIEM. Log management: Log management—the collection and analysis of log data generated by every network event—is an important subset of monitoring. While most IT departments collect log data, it's the analysis that establishes normal or baseline activity and reveals anomalies that indicate suspicious activity. Threat detection: The SOC team sorts the signals from the noise—the indications of actual cyberthreats and hacker uses from the false positives—and then triages the threats by severity. Modern SIEM solutions include artificial intelligence (AI) that automates these processes and which 'learns' from the data to get better at spotting suspicious activity over time. Incident response: In response to a threat or actual incident, the SOC moves to limit the damage. Actions can include: -Root cause investigation -Shutting down compromised endpoints or disconnecting them from the network. -Isolating compromised areas of the network or rerouting network traffic. -Pausing or stopping compromised applications or processes. -Deleting damaged or infected files. -Running antivirus or anti-malware software. -Decommissioning passwords for internal and external users. Recovery, refinement and compliance Recovery and remediation: Once an incident is contained, the SOC eradicates the threat, then works to recover the impacted assets to their state before the incident (for example wiping, restoring and reconnecting disks, user devices and other endpoints; restoring network traffic; restarting applications and processes). In the event of a data breach or ransomware attack, recovery might also involve cutting over to backup systems, and resetting passwords and authentication credentials. Post-mortem and refinement: To prevent a recurrence, the SOC uses any new intelligence gained from the incident to better address vulnerabilities, update processes and policies, choose new cybersecurity tools or revise the incident response plan. At a higher level, SOC team might also try to determine whether the incident reveals a new or changing cybersecurity trend for which the team needs to prepare. Compliance management: It's the SOC's job to ensure all applications, systems and security tools and processes comply with data privacy regulations such as GDPR (Global Data Protection Regulation) and PCI DSS (Payment Card Industry Data Security Standard. Following an incident, the SOC makes sure that users, regulators, law enforcement and other parties are notified in accordance with regulations and that the required incident data is retained for evidence and auditing. Security operations center (SOC) benefits Asset protection: The proactive monitoring and rapid response capabilities of SOCs help prevent unauthorized access and minimize the risk of data breaches. This will safeguard critical systems, sensitive data and intellectual property from security breaches and theft. Business continuity: By reducing security incidents and minimizing their impact, SOCs ensure uninterrupted business operations. This helps maintain productivity, revenue streams and customer satisfaction. Regulatory compliance: SOCs help organizations meet regulatory requirements and industry standards for cybersecurity by implementing effective security measures and maintaining detailed records of incidents and responses. Cost savings: Investing in proactive security measures through a SOC can result in significant savings by preventing costly data breaches and cyberattacks. The upfront investment is often far less than the financial damages and risks to reputation caused by a security incident, and, if outsourced, replaces the need for staffing security professionals in-house. Customer trust: Demonstrating a commitment to cybersecurity through the operation of a SOC enhances trust and confidence among customers and stakeholders. Enhanced incident response: The rapid response capabilities of SOCs reduce downtime and financial losses by containing threats and quickly restoring normal operations to minimize disruptions. Improved risk management: By analyzing security events and trends, SOC teams can identify an organization’s potential vulnerabilities. They can then take proactive measures to mitigate them before they are exploited. Proactive threat detection: By continuously monitoring networks and systems, SOCs can more quickly identify and mitigate security threats. This minimizes potential damage and data breaches and helps organizations stay ahead of an evolving threat landscape. Fusion Center Fusion Center Fusion Center “In today’s hyperconnected world, cybercrime is evolving and so are we,” said Michael Miebach, CEO of Mastercard. “This center will bring together the brightest minds from business, government and other sectors to stay ahead of threats and make the digital world as secure as possible. After all, the work to ensure people can trust that they are safe online doesn’t stop at our four walls — or our firewalls.” To push back against these threats, the Fusion Center will work with partners from across the public and private sectors, including national cyber intelligence centers, law enforcement agencies and industry bodies. “the heart of Mastercard’s organizational incident response,” as well as a digital forensics lab and representatives from more than 20 teams. Fusion Center Responsibilities of a Cyber Fusion Center Cyber fusion centers integrate multiple activities into one functional area. Key components of a cyber fusion center include: Threat Intelligence — Tactical, operational, and strategic intelligence, including indicators of compromise (IoC), endpoint and user data, vulnerabilities, threat intelligence platforms (TIPs), etc. Analytics — Analyzing operational and threat data, including user and entity behavior analytics. Threat Detection — Identifying threats through alerts and security tools, such as SIEM, firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS), endpoint detection and response (EDR), etc. Incident Response — Responding as quickly as possible to identified threats, breaches, and attacks. Governance & Compliance — Ensuring all IT and security activities align with regulations and compliance concerns. Fusion Center What is the Difference Between a Cyber Fusion Center and a SOC? Cyber fusion centers provide a more unified and proactive approach to threat management by integrating different but related teams through collaboration and knowledge sharing. While a SOC’s role is typically focused on detecting, identifying, investigating, and responding to security incidents, a cyber fusion center takes this one step further by enhancing an organization’s overall security profile and capabilities. Vulnerability Management Vulnerability management is a continuous, proactive, and often automated process that keeps your computer systems, networks, and enterprise applications safe from cyberattacks and data breaches. The goal of vulnerability management is to reduce the organization's overall risk exposure by mitigating as many vulnerabilities as possible. This can be a challenging task, given the number of potential vulnerabilities and the limited resources available for remediation. Vulnerability management should be a continuous process to keep up with new and emerging threats and changing environments. Vulnerability Management How vulnerability management works Threat and vulnerability management uses a variety of tools and solutions to prevent and address cyberthreats. An effective vulnerability management program typically includes the following components: Asset discovery and inventory IT is responsible for tracking and maintaining records of all devices, software, servers, and more across the company’s digital environment, but this can be extremely complex since many organizations have thousands of assets across multiple locations. That’s why IT professionals turn to asset inventory management systems, which help provide visibility into what assets a company has, where they’re located, and how they’re being used. Vulnerability scanners Vulnerability scanners usually work by conducting a series of tests against systems and networks, looking for common weaknesses or flaws. These tests can include attempting to exploit known vulnerabilities, guessing default passwords or user accounts, or simply trying to gain access to restricted areas. Patch management Patch management software is a tool that helps organizations keep their computer systems up to date with the latest security patches. Most patch management solutions will automatically check for updates and prompt the user when new ones are available. Some patch management systems also allow for deployment of patches across multiple computers in an organization, making it easier to keep large fleets of machines secure. Configuration Management Security Configuration Management (SCM) software helps to ensure that devices are configured in a secure manner, that changes to device security settings are tracked and approved, and that systems are compliant with security policies. Many SCM tools include features that allow organizations to scan devices and networks for vulnerabilities, track remediation actions, and generate reports on security policy compliance. Vulnerability Management Security incident and event management(SIEM) SIEM software consolidates an organization's security information and events in real time. SIEM solutions are designed to give organizations visibility into everything that's happening across their entire digital estate, including IT infrastructure. This includes monitoring network traffic, identifying devices that are trying to connect to internal systems, keeping track of user activity, and more. Penetration testing Penetration testing software is designed to help IT professionals find and exploit vulnerabilities in computer systems. Typically, penetration testing software provides a graphical user interface (GUI) that makes it easy to launch attacks and see the results. Some products also offer automation features to help speed up the testing process. By simulating attacks, testers can identify weak spots in systems that could be exploited by real-world attackers. Threat intelligence Threat protection software provides organizations with the ability to track, monitor, analyze, and prioritize potential threats to better protect themselves. By collecting data from a variety of sources—such as exploit databases and security advisories—these solutions help companies identify trends and patterns that could indicate a future security breach or attack. Remediation vulnerabilities Remediation involves prioritizing vulnerabilities, identifying appropriate next steps, and generating remediation tickets so that IT teams can execute on them. Finally, remediation tracking is an important tool for ensuring that the vulnerability or misconfiguration is properly addressed. Vulnerability management lifecycle The vulnerability management lifecycle has six key phases. Organizations looking to implement or improve their vulnerability management program can follow these steps. IN THE BUSINESS OF BUILDING TRUST 48 ©2022 Mastercard. Proprietary and Confidential Let’s Stay Connected…. [email protected] [email protected] Thank you SSG TRAQOM Quality Survey Course Run ID 983479 NTU-Mastercard FlexiMasters in Cybersecurity & Digital Trust CET940 Corporate Security Structure Lesson 2 - 14th - 9:30am - 11:30am SGT / GMT+8 ©2023 Mastercard. Proprietary and Confidential Dr. Alissa Abdullah, “Dr. Jay” Danny Chan Sep 2024 Class Content 1 Recap of Lesson 1 and around the grounds 2 Security awareness and culture 3 Security architecture 4 Penetration Tester 5 Threat Intelligence 6 Digital Forensics 7 Cryptography 8 External Engagement & Partnership 9 Final Thoughts 10 Q&A Recap of Lesson 1 and around the grounds Class Content 1 Introduction of teaching staff 2 Introduction to Mastercard 3 Introduction to Corporate Security 4 Group Discussion 5 Report out 6 Security Operations Center 7 Fusion Center 8 Emerging Security Solutions 9 Vulnerability Management 10 Q&A Course Grading 1. Group Assignment (30%) Task: Define the ideal organizational structure for corporate security in: a. A Bank b. Retail c. A University 2. Quiz (70%) Questions will be based on the course material covered. Security awareness and culture Security awareness and culture Creating a culture of security is necessary to safeguard your company from both internal and external threats. It is crucial to develop policies and practices that lower these risks since data breaches and cyberattacks can cause a company to suffer significant financial and reputational harm. All staff must be motivated to understand security issues and use the most up-to-date security technology in order to create a culture of security. By promoting a security-focused culture, employees will be more likely to take care to safeguard their work and refrain from risky behavior, such as using weak passwords or accessing sensitive information from unprotected devices. This can assist customers and stakeholders who are becoming increasingly concerned about data privacy and security by developing trust. At the end of the day, fostering a culture of security within your firm will help to safeguard your operations and your data against expensive and devastating security incidents while also encouraging employee accountability and responsibility. Why is security culture important? There are many reasons why security culture is crucial, including: A robust security culture makes identifying and addressing security threats before they are exploited easier. Motivating your employees to own their security and defend their company and themselves against external and sometimes internal threats. Protecting company data and assets. Loss of confidential information or intellectual property due to a security breach can have a detrimental financial and reputational impact. By fostering best practices like strong passwords and access controls, a security culture aids in protecting data and assets. Complying with international security regulations. Various regulations with obligatory and advisory compliance requirements govern data privacy and security. What are the necessary components in building a good security culture? The following six security culture best practices can help your organization create and sustain a robust security culture: 1. Make security your top priority: Everyone in your organization, from senior management to front-line staff, must place the highest importance on security. 2. Employee education and training programs: These will certainly assist staff members in understanding the value of security and the best practices to adhere to. 3. Establish solid rules and procedures: It is important to adopt well-defined policies and procedures so that everyone in the organization is aware of their obligations regarding security. 4. Use technology to improve security: Using multi-factor authentication, encryption, and intrusion detection systems are just a few examples of how technology may be utilized to improve security. 5. Frequent risk assessment and management: This is necessary to detect potential security threats and vulnerabilities as well as to create and put into place mitigation solutions. 6. Continuous adoption: It is critical to encourage a culture of continuous improvement since security cultures are dynamic and there is a requirement for constant improvement. Security architecture Security architecture Security architecture is the strategic design of systems, policies and technologies to protect IT and business assets from cyberthreats. A well-designed security architecture aligns cybersecurity with the unique business goals and risk management profile of the organization. A robust security architecture ensures that organizations have the IT infrastructure to properly prevent, detect and respond to attacks. It also helps determine when and which technologies to implement, giving security decision-makers the ability to add new capabilities as the threat landscape evolves. Key Objectives of Security Architecture The main objective of cybersecurity architecture is to reduce the risk of security breaches and protect organizations from threat actors. Embedding security into business operations is a core element of that goal. -Attack surfaces are growing exponentially alongside these major shifts, and adversaries find new ways to exploit weaknesses: -Organizations are under constant threat of attack, including denial of service, data theft, ransomware and extortion. -Attackers are more sophisticated through the use of automation, machine learning and artificial intelligence (AI). -Attackers have access to larger sources of funding, sometimes through government sponsors or organized crime. -They also have access to tools such as ransomware as a service (RaaS). -A distributed workforce increases the risk of internal breaches caused by malicious insiders and/or negligence or ignorance by employees. Benefits of Security Architecture 1. Reduce Security Breaches Organizations with a robust cybersecurity architecture don’t simply react to breaches when they occur—they drastically reduce the volume and severity of threats, if not prevent them altogether. At the same time, security embedded into an organization’s DNA (such as Zero Trust) ensures that security is a vital part of every development cycle. This eliminates gaps and enables a risk-free environment for DevOps to build and innovate. 2. Speed Up Response Times Skilled hackers can easily identify and exploit disconnects in infrastructure. That’s why many of today’s breaches are the result of breakdowns in security processes. 3. Improve Operational Efficiency Enterprises employ 31.5 cybersecurity tools on average, bolting on more products as needed. But the increasing complexity of IT infrastructure can often cause gaps in risk posture — on top of costing time, money and talent to manage the architecture. 4. Comply with Industry Regulations Organizations everywhere around the world adhere to the regulations set by their region and industry. For example, healthcare providers in the US must comply with HIPAA regulations, while businesses in the EU must meet GDPR requirements. Frameworks and Standards for Cybersecurity Architecture The three standard frameworks used by many security architects are: 1. TOGAF The Open Group Architecture Framework helps determine which problems need to be solved within the security infrastructure in an enterprise. Its primary focus is on the organization’s goal and scope, as well as the preliminary phases of security architecture. TOGAF does not give specific guidance on ways to address security issues. 2. SABSA The Sherwood Applied Business Security Architecture is a policy-driven framework. It helps define the critical questions that security architecture can only answer: what, why, when and who. The goal of SABSA is to ensure that after the design of security services, they are then delivered and supported as an integral part of the enterprise’s IT management. However, while often described as a “security architecture method,” SABSA doesn’t go into specifics for technical implementation. 3. OSA The Open Security Architecture (OSA) is a framework related to technical and functional security controls. OSA offers a comprehensive overview of crucial security components, principles, issues and concepts that underlie architectural decisions involved in designing effective security architectures. Frameworks and Standards for Cybersecurity Architecture The National Institute of Standards and Technology (NIST) also provides guidance. The NIST Framework for Improving Cybersecurity Infrastructure provides a common framework for organizations to: -Describe their current infrastructure -Describe their target state for cybersecurity -Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process -Assess progress toward the target state -Communicate among internal and external stakeholders about cybersecurity risk NIST provides a framework core that describes a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. The core activities are: Identify, protect, detect, respond and recover. Best Practices for Security Architecture 1. Develop a Strategy Map the current environment, establish objectives, determine the approach and develop the framework. Solicit input from key stakeholders, including the executive suite, lines of business, DevOps, IT and more. Have the CISO and cyber team spearhead the effort. 2. Establish Key Objectives and Milestones Assess the plan for meeting key objectives. This may include cybersecurity consolidation; increased use of automation, AI and machine learning; Zero Trust; compliance; endpoint protection; and preventing known and unknown zero-day threats in real time. 3. Train the Organization Communicate the plan across the organization, establish education and training programs and use the architecture as a tool for building a cybersecurity culture within the enterprise. Continue collaboration and information sharing on an ongoing basis. 4. Run Tests and Audits Conduct regular security assessments and audits and combine them with regular incident response planning and testing, 5. Stay on Top of the Latest Threats Keep up with evolving cyberthreats and technologies and be particularly reactive to new types of threats in real time as your threat intelligence platform detects them. Penetration Tester Penetration Tester A penetration test (pen test) is an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in a system. Penetration tests usually simulate a variety of attacks that could threaten a business. They can examine whether a system is robust enough to withstand attacks from authenticated and unauthenticated positions, as well as a range of system roles. With the right scope, a pen test can dive into any aspect of a system. What are the benefits of penetration testing? Ideally, software and systems were designed from the start with the aim of eliminating dangerous security flaws. A pen test provides insight into how well that aim was achieved. Pen testing can help an organization -Find weaknesses in systems -Determine the robustness of controls -Support compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR) -Provide qualitative and quantitative examples of current security posture and budget priorities for management What are the phases of pen testing? Pen testers simulate attacks by motivated adversaries. To do this, they typically follow a plan that includes the following steps: Reconnaissance. Gather as much information about the target as possible from public and private sources to inform the attack strategy. Sources include internet searches, domain registration information retrieval, social engineering, nonintrusive network scanning, and sometimes even dumpster diving. This information helps pen testers map out the target’s attack surface and possible vulnerabilities. Reconnaissance can vary with the scope and objectives of the pen test; it can be as simple as making a phone call to walk through the functionality of a system. Scanning. Pen testers use tools to examine the target website or system for weaknesses, including open services, application security issues, and open source vulnerabilities. Pen testers use a variety of tools based on what they find during reconnaissance and during the test. Gaining access. Attacker motivations can include stealing, changing, or deleting data; moving funds; or simply damaging a company’s reputation. To perform each test case, pen testers determine the best tools and techniques to gain access to the system, whether through a weakness such as SQL injection or through malware, social engineering, or something else. Maintaining access. Once pen testers gain access to the target, their simulated attack must stay connected long enough to accomplish their goals of exfiltrating data, modifying it, or abusing functionality. It’s about demonstrating the potential impact. How much access is given to pen testers? Depending on the goals of a pen test, testers are given varying degrees of information about, or access to, the target system. In some cases, the pen testing team takes one approach at the start and sticks with it. Other times, the testing team evolves its strategy as its awareness of the system increases during the pen test. There are three levels of pen test access. Opaque box. The team doesn’t know anything about the internal structure of the target system. It acts as hackers would, probing for any externally exploitable weaknesses. Semi-opaque box. The team has some knowledge of one or more sets of credentials. It also knows about the target’s internal data structures, code, and algorithms. Pen testers might construct test cases based on detailed design documents, such as architectural diagrams of the target system. Transparent box. Pen testers have access to systems and system artifacts including source code, binaries, containers, and sometimes even the servers running the system. This approach provides the highest level of assurance in the smallest amount of time. Threat Intelligence What Is Cyber Threat Intelligence? Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors. Why is Threat Intelligence Important? In the world of cybersecurity, advanced persistent threats (APTs) and defenders are constantly trying to outmaneuver each other. Data on a threat actor’s next move is crucial to proactively tailoring your defenses and preempt future attacks. Threat intelligence is important for the following reasons: Sheds light on the unknown, enabling security teams to make better decisions Empowers cyber security stakeholders by revealing adversarial motives and their tactics, techniques, and procedures (TTPs) Helps security professionals better understand the threat actor’s decision-making process Empowers business stakeholders, such as executive boards, CISOs, CIOs and CTOs; to invest wisely, mitigate risk, become more efficient and make faster decisions Why is Threat Intelligence Important? In the world of cybersecurity, advanced persistent threats (APTs) and defenders are constantly trying to outmaneuver each other. Data on a threat actor’s next move is crucial to proactively tailoring your defenses and preempt future attacks. Threat intelligence is important for the following reasons: Sheds light on the unknown, enabling security teams to make better decisions Empowers cyber security stakeholders by revealing adversarial motives and their tactics, techniques, and procedures (TTPs) Helps security professionals better understand the threat actor’s decision-making process Empowers business stakeholders, such as executive boards, CISOs, CIOs and CTOs; to invest wisely, mitigate risk, become more efficient and make faster decisions 3 Types of Threat Intelligence 27 ©2023 Mastercard. Proprietary and Confidential What Is Digital Forensics? Digital forensics is the practice of identifying, acquiring, and analyzing electronic evidence. Today almost all criminal activity has a digital forensics element, and digital forensics experts provide critical assistance to police investigations. An important part of digital forensics is the analysis of suspected cyberattacks, with the objective of identifying, mitigating, and eradicating cyber threats. This makes digital forensics a critical part of the incident response process. Electronic evidence can be gathered from a variety of sources, including computers, mobile devices, remote storage devices, internet of things (IoT) devices, and virtually any other computerized system. Why Is Digital Forensics Important? Digital evidence can be used as evidence in investigation and legal proceedings for: Data theft and network breaches—digital forensics is used to understand how a breach happened and who were the attackers. Online fraud and identity theft—digital forensics is used to understand the impact of a breach on organizations and their customers. Violent crimes like burglary, assault, and murder—digital forensics is used to capture digital evidence from mobile phones, cars, or other devices in the vicinity of the crime. White collar crimes—digital forensics is used to collect evidence that can help identify and prosecute crimes like corporate fraud, embezzlement, and extortion. What Are the Different Branches of Digital Forensics? Here is a brief overview of the main types of digital forensics: Computer Forensics Computer forensic science (computer forensics) investigates computers and digital storage evidence. It involves examining digital data to identify, preserve, recover, analyze and present facts and opinions on inspected information. Mobile Device Forensics Mobile device forensics focuses primarily on recovering digital evidence from mobile devices. It involves investigating any device with internal memory and communication functionality, such as mobile phones, PDA devices, tablets, and GPS devices. Network Forensics The network forensics field monitors, registers, and analyzes network activities. Network data is highly dynamic, even volatile, and once transmitted, it is gone. It means that network forensics is usually a proactive investigation process. Forensic Data Analysis Forensic data analysis (FDA) focuses on examining structured data, found in application systems and databases, in the context of financial crime. FDA aims to detect and analyze patterns of fraudulent activity. Database Forensics Database forensics involves investigating access to databases and reporting changes made to the data. You can apply database forensics to various purposes. For example, you can use database forensics to identify database transactions that indicate fraud. The Digital Forensics Process The digital forensics process may change from one scenario to another, but it typically consists of four core steps—collection, examination, analysis, and reporting. Collection The collection phase involves acquiring digital evidence, usually by seizing physical assets, such as computers, hard drives, or phones. It is critical to ensure that data is not lost or damaged during the collection process. Examination The examination phase involves identifying and extracting data. You can split this phase into several steps—prepare, extract, and identify. When preparing to extract data, you can decide whether to work on a live or dead system. For example, you can power up a laptop to work on it live or connect a hard drive to a lab computer. During the identification step, you need to determine which pieces of data are relevant to the investigation. For example, warrants may restrict an investigation to specific pieces of data. Analysis The analysis phase involves using collected data to prove or disprove a case built by the examiners. Here are key questions examiners need to answer for all relevant data items: -Who created the data -Who edited the data -How the data was created -When these activities occur Reporting The reporting phase involves synthesizing the data and analysis into a format that makes sense to laypeople. These reports are essential because they help convey the information so that all stakeholders can understand. Digital Forensic Techniques Here are common techniques: Reverse Steganography Cybercriminals use steganography to hide data inside digital files, messages, or data streams. Reverse steganography involves analyzing the data hashing found in a specific file. When inspected in a digital file or image, hidden information may not look suspicious. Stochastic Forensics Stochastic forensics helps analyze and reconstruct digital activity that does not generate digital artifacts. A digital artifact is an unintended alteration of data that occurs due to digital processes. Stochastic forensics helps investigate data breaches resulting from insider threats, which may not leave behind digital artifacts. Cross-drive Analysis Cross-drive analysis, also known as anomaly detection, helps find similarities to provide context for the investigation. These similarities serve as baselines to detect suspicious events. Live Analysis Live analysis occurs in the operating system while the device or computer is running. It involves using system tools that find, analyze, and extract volatile data, typically stored in RAM or cache. Live analysis typically requires keeping the inspected computer in a forensic lab to maintain the chain of evidence properly. Deleted File Recovery Deleted file recovery, also known as data carving or file carving, is a technique that helps recover deleted files. It involves searching a computer system and memory for fragments of files that were partially deleted in one location while leaving traces elsewhere on the inspected machine. Cryptography What is cryptography? Modern cryptography is a process used to keep digital communications secure, ensuring that only the intended senders and receivers of data can view the information. This is achieved by using cryptographic algorithms and keys, and includes a few key steps: -The user’s original information – known as plaintext – is encrypted into something called ciphertext, which will be indecipherable to anyone except the message’s intended recipients. -The encrypted message is then sent to the receiver. Even in the event of interception by an unintended recipient, the cryptographic algorithms will safeguard and protect data. -Once received, a key is used for decryption, enabling the receiver to access the original message. Why cryptography is important? It’s clear that cryptography provides vital data security, and this has become increasingly important in today’s interconnected world where data flows non- stop across devices and networks, and the confidentiality, integrity, and authenticity of information has become paramount. “Cryptography is one of the most important tools businesses use to secure the systems that hold their most important data assets,” writes Forbes in a 2021 article about cryptography. “Vulnerabilities resulting from an absence of cryptography or having noncompliant crypto and unmanaged public key infrastructure (PKI) lead to business disruptions, data breaches and brand erosion. The average cost of a breach in the U.S. is $8.6 million, according to IBM and the Ponemon Institute, and mega-breaches can surpass a whopping $1 billion.” Types of cryptography Symmetric cryptography. In symmetric cryptography, the same secret key – shared by the sender and the recipient – is used to encrypt and decrypt. The single key method is efficient for securing data, but securely exchanging the secret key between parties can present a security challenge. Asymmetric cryptography. Asymmetric cryptography, or public key cryptography, uses two different keys. The first is a public key, which is accessible to anyone, and the second is a private key, which is kept secret by its owner. Asymmetric cryptography and public key encryption eliminate the need to exchange secret keys, but are more computationally intensive than symmetric cryptography. Hash functions. Hashing algorithms that don’t require a key. For example, they’re used for verifying passwords. How is cryptography used in digital security? Cryptosystems have several key applications, including: Safeguarding sensitive information. Cryptography is used to encrypt sensitive data, such as credit card details and digital currencies and cryptocurrency, during transmission and storage. Enabling authentication systems. Cryptographic techniques ensure the authenticity of messages and the identity of the sender. This helps in verifying the legitimacy of the sender and detecting any tampering with the message. Cryptography also prevents non-repudiation, ensuring that the sender of a message cannot deny their involvement in sending it, because digital signatures provide evidence that the message was indeed sent by the claimed sender. Protecting data integrity. Cryptography ensures that data remains unchanged during transit by generating what’s known as a hash value, which is a fixed-size string derived from the original data. Any alteration to the data will result in a different hash value, alerting the recipient to potential tampering. Securing communications. Cryptography provides secure communications, particularly on websites. For example, SSL (secure sockets layer) and TLS (transport layer security) ensure that data exchanged between a user and a server remains confidential. Impact of quantum computing on cryptography What is quantum computing? It is similar to traditional computing, but operates at the far cooler temperature of nearly absolute zero, the temperature at which a thermodynamic system has the lowest energy – corresponding to minus 273.15 deg C. Traditional computers store information as either 0s or 1s. Quantum computers, on the other hand, use quantum bits (or qubits) to represent and store information in a complex mix of 0s and 1s simultaneously. As the number of qubits grows, a quantum computer becomes exponentially more powerful. By harnessing quantum physics, quantum computing has the potential to comb vast numbers of possibilities in hours and pinpoint a probable solution. It would take a traditional computer hundreds of thousands of years to perform a similar task. Each quantum computer costs upwards of US$100 million (S$135 million) to set up now. Today, the world’s fastest quantum computer is based on a 1,121-qubit quantum processor by IBM rolled out in December 2023. Impact of quantum computing on cryptography Quantum computers hold the key to breaking asymmetric cryptography used in digital signatures, digital currencies, and everyday internet communications based on HTTPs. A quantum computer with 20 million qubits would need as little as 8 hours to break a 1048-bit public-key cryptosystem such as RSA. Since 2016, IBM has offered online access to a quantum computer. Anyone can log in and execute commands on a 5-qubit or 14-qubit machine located in Yorktown Heights, New York, from the comfort of their own home. Google, for example, has a 72-qubit quantum computer that it plans to make available to outside researchers. Today, the world’s fastest quantum computer is based on a 1,121-qubit quantum processor by IBM rolled out in December 2023. Impact of quantum computing on cryptography Shor's algorithm poses threats to asymmetric cryptography Rivest-Shamir-Adleman (RSA) encryption and most public key cryptographies -- also known as asymmetric cryptographies -- are built on the ability to use mathematical algorithms to encrypt data. For example, RSA uses integer factoring with two prime numbers. A public and private key are generated that are mathematically related in public key algorithms. Even with a brute-force attack, it could take years for a classical computer to break encryption methods like RSA. Grover's algorithm goes after symmetric cryptography Organizations may also use symmetric cryptography, or secret key cryptography, to encrypt stored data. Examples of symmetric encryption algorithms are Advanced Encryption Standard (AES), Rivest Cipher 4 and Triple Data Encryption Algorithm. Impact of quantum computing on cryptography Impact of quantum computing on cryptography For example, AES-256 requires a 256-bit key to encrypt and decrypt data. A brute-force attacker would have to guess the key from about 1.1579209 x 1077 possible keys, or 2256 keys. This makes AES-256 and other similar symmetric encryption algorithms secure. However, someone sophisticated enough to run Grover's algorithm with quantum computing power could use it to find encryption keys. Grover's algorithm enables someone to conduct searches of large databases much faster than a classical computer. If an algorithm has N, a number of items, Grover's algorithm can search through the list of items and find a specific one in √N steps. This decreases the time it takes to find the key. Bad actors could also use Grover's algorithm to break hash functions, such as Secure Hash Algorithm 2 and 3, with a quantum computer. Candidates for post-quantum cryptography and quantum-resistant encryption There are various options being researched to help hedge against the threat of quantum computing-based attacks on data center infrastructure and data. Many are based on cryptographies that some researchers and experts believe could be quantum-resistant. Lattice-based cryptography Lattice cryptography is based on the mathematical concept of lattices and vectors. Most current cryptography follows algebraic problems, but lattice-based cryptography is based on geometrics. Lattice-based computational problems are based on the shortest vector problem, where an attacker must find a point closest to the origin. Quantum key distribution Quantum key distribution (QKD) uses quantum mechanics to distribute keys. It relies on the fact that, if you measure a quantum system, it will be disturbed. Therefore, if a malicious actor tries to intercept the key, the parties will know of eavesdropping. Code-based cryptography Code cryptography is based on error-correcting codes. It is based on how difficult it is to decode messages that contain random errors where the attacker must recover the code structure. One of the most well-known is the classic McEliece algorithm. Multivariate-based cryptography Multivariate cryptography is based on the difficulty of solving systems of equations. It uses a random system of polynomial equations where the recipient must use a private key to perform inverse operations on the generated ciphertext. Even with the encrypted data, attackers would have to solve the equations to read it, which is a difficult computational task. Isogeny-based cryptography Isogeny-based cryptography is similar to ECC in that it uses elliptic curves to encrypt data. Instead of relying on the logarithmic problems an ECC method would, isogeny-based cryptography relies on isogenies, or maps between the elliptic curves. Other areas organizations are researching for quantum-resistant encryption include zero-knowledge proofs and hash-based cryptographic systems. External Engagement & Partnership E-COMMERCE ALLIANCE FOR A RESPONSIBLE ECOSYSTEM © 2024 Pharmaceutical Security Institute | PSI Confidential 2021 2022 2023 TOTAL 2021 - 2023 Reported 9,816 12,250 takedowns 90% 81.4% 89.9% 80.1 2,765 3,083 3,968 % takedowns takedowns takedowns SOCIAL MEDIA PLATFORMS

NTU-Mastercard FlexiMasters in Cybersecurity & Digital Trust - CET940 Corporate Security Structure PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue