Cybersecurity and Risk Management


CYBERSECURITY AND RISK MANAGEMENT

Group 6
GROUP MEMBERS

• Asya Aulia Wulandari (2102113065)
• Firmansyah Eka Putra (2102110660)
• Salsa Mahadila Laora (2102111157)
LEARNING OBJECTIVES
Chapter 5

5.1 THE FACE AND FUTURE OF CYBERTHREATS
[Figure: Number of reported data records breached worldwide, 2009–2013.]
THE FACE AND FUTURE OF CYBERTHREATS

Consequences of lax cybersecurity:
• Damaged reputations
• Financial penalties
• Federal and state government fines
• Lost market share
• Falling share prices
• Consumer backlash

Main factor: hacking
THE FACE AND FUTURE OF CYBERTHREATS

Cybersecurity experts remind us that battling distributed denial-of-service (DDoS) and malware attacks has become part of everyday business for all organizations.
Hackers, hacktivists and other cybercriminals will always attack networks for profit, fame, revenge, or an ideology; to wage warfare, terrorism, or an antiterrorism campaign; or to disable their target.
TYPES OF CYBERTHREATS

1. Social engineering and BYOD
2. Cybercrime survey
3. Hacktivists' motivations and dangerous pranks
4. Hacktivist attacks and victims
5. Theft of trade secrets and other confidential information
6. Don't-carry rules
1. SOCIAL ENGINEERING AND BYOD

Social engineering is also known as human hacking: tricking users into revealing their credentials and then using those credentials to gain access to networks or accounts.

The BYOD trend is driven by employees using their own devices for business purposes because they are more powerful than those the company has provided.
2. CYBERCRIME SURVEY

The results of the 2014 survey show that executives are responding to the need to fund enhanced security activities and have substantially improved technology safeguards, processes, and strategies. Unfortunately, adversaries have done better.
3. HACKTIVISTS' MOTIVATIONS AND DANGEROUS PRANKS

• LulzSec & Anonymous
One of LulzSec's specialties is finding websites with poor security, and then stealing information from them and posting it online. Some of their attacks may seem more like Internet pranks than serious cyberwarfare, but they are still illegal.
4. HACKTIVIST ATTACKS AND VICTIMS

• Combined Systems, Inc., which sells tear gas and crowd-control devices to law enforcement and military organizations; the attack was made to protest war profiteers.
• CIA. Within 10 days, the group also went after Chinese electronics manufacturer Foxconn, American Nazi groups, antivirus firm Symantec, and the office of Syria's president.
5. THEFT OF TRADE SECRETS AND OTHER CONFIDENTIAL INFORMATION

6. DON'T-CARRY RULES

U.S. companies, government agencies, and organizations are now imposing do-not-carry rules.
5.2 CYBER RISK MANAGEMENT

IT SECURITY FIELD

Assets: things of value that need to be protected.
Threat: something or someone that can damage, disrupt, or destroy an asset.
Strategy —> protect the most valuable assets the company has rather than protecting all assets equally.
IT SECURITY FIELD

Vulnerability: gaps, holes, weaknesses or flaws in corporate networks that allow attacks to be successful.
Exploit: a hacker tool or software program used to break into a system, database or device; an action that takes advantage of a vulnerability.
Risk: the probability of a threat successfully exploiting a vulnerability, together with the estimated cost of the loss or damage.
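The two slides above define risk as probability of a successful exploit times the estimated cost, and recommend protecting the most valuable assets first rather than all assets equally. The following added example (not from the slides) puts both ideas into working code: it keeps a small risk register, ranks entries by expected loss, and reports what share of total expected loss is covered by protecting only the top few. All asset names, probabilities and costs are constructed sample values.

```python
"""Rank risks by expected loss and show why protecting the most valuable
assets first beats protecting every asset equally.

Added example, not from the slides: the assets, threats, probabilities and
costs below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str           # thing of value that needs to be protected
    threat: str          # something/someone that can damage the asset
    vulnerability: str   # weakness that lets the threat succeed
    probability: float   # chance the threat exploits the vulnerability in a year (0..1)
    loss: float          # estimated cost of the loss or damage if it does

    def expected_loss(self) -> float:
        """Risk as the slide defines it: probability times estimated cost."""
        return self.probability * self.loss


# Constructed risk register (sample values, not real figures).
REGISTER = [
    Risk("customer database", "external hacker", "unpatched web server", 0.30, 500_000),
    Risk("e-mail server", "phishing", "credential reuse by staff", 0.50, 80_000),
    Risk("marketing website", "DDoS", "no rate limiting", 0.60, 20_000),
    Risk("office printers", "insider", "default admin password", 0.10, 5_000),
]


def rank_risks(risks):
    """Return the register sorted from highest to lowest expected loss."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def coverage(risks, top_k):
    """Fraction of total expected loss addressed by protecting only the top_k
    ranked risks. Shows how much of the risk sits in a few valuable assets."""
    total = sum(r.expected_loss() for r in risks)
    if total == 0:
        return 0.0
    ranked = rank_risks(risks)
    return sum(r.expected_loss() for r in ranked[:top_k]) / total


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.asset:18} {r.threat:16} expected loss {r.expected_loss():>10,.0f}")
    print(f"Protecting the top 2 assets covers {coverage(REGISTER, 2):.0%} of expected loss")
```

With the sample register, the two highest-ranked entries account for roughly 94% of the total expected loss, which is the quantitative case for the slide's strategy: a limited security budget goes to the customer database and the e-mail server before the printers.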
HACKING

Contract hacker —> a hacker you can hire.
Hackers use social networks and underground forums to share exploits, usernames, and passwords. Hackers themselves become virtually untouchable by law enforcement because no one sees the crime.
Hacking can succeed because of the easy passwords that people set.
Make strong passwords by using a combination of upper- and lowercase letters, numbers, and punctuation marks, with a minimum of at least 8 characters.
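The password rules on the slide are easy to state and easy to get wrong in code, so the following added example (not from the slides) implements them as a checker that reports every rule a candidate password breaks rather than a bare yes/no. It also rejects passwords built on a few obviously easy words, since the slide's point is that easy passwords are what lets hacking happen; the deny-list COMMON_PASSWORDS is a constructed placeholder, not a real wordlist.

```python
"""Check a password against the policy on the slide: upper- and lowercase
letters, digits, punctuation, and at least 8 characters. Also rejects a few
obviously easy passwords.

Added example, not from the slides. COMMON_PASSWORDS is a constructed
sample deny-list; a real deployment would use a much larger one."""
import string

MIN_LENGTH = 8

# Constructed sample of easy passwords people set (placeholder list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def password_problems(password: str) -> list:
    """Return the list of policy rules the password violates (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation mark")
    # Strip digits and punctuation so "Password1!" is still caught as the
    # easy word it is built on, even though it satisfies every other rule.
    core = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("based on a commonly used password")
    return problems


def is_strong(password: str) -> bool:
    """True when the password meets every rule of the policy."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "Tr0ub4dor&3", "Ab1!"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'meets the policy'}")
```

Returning the list of violations rather than a boolean lets a login or enrolment form tell the user exactly what to fix; the deny-list check matters because "Password1!" satisfies all four character-class rules and the length rule yet is still an easy password.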
INTERNAL THREATS

—> A threat from employees.

Defences such as firewalls, intrusion detection systems (IDS), and locked doors mostly protect against external threats.
Internal threats are minimized with a layered defense-in-depth strategy, which consists of security procedures, acceptable use policies, and technology controls.
PHISHING AND WEB-BASED THREATS

Phishing —> a deceptive method of stealing confidential information by pretending to be a legitimate organization, such as a bank, credit card company, or any other source.

The 3 top factors that make malicious actions like this successful:
• Mistakes or human error
• Malfunctioning systems
• Misunderstanding the effects of adding incompatible software to an existing system
GOVERNMENT REGULATIONS

ERM (Enterprise Risk Management): intended to be part of routine planning processes rather than a separate initiative.

COBIT (Control Objectives for Information and Related Technology): an internationally accepted IT governance and control framework for aligning IT with business objectives, delivering value, and managing associated risks.
IT SECURITY DEFENSE-IN-DEPTH MODEL

STEPS IN THE IT SECURITY DEFENSE-IN-DEPTH MODEL

Step 3 - IT security procedures and enforcement
• Define enforcement procedures
• Designate and empower an internal incident response team
• Define notification procedures
• Define a breach response and communications plan
• Monitor information and social media sources

Step 4 - Hardware and software
Technology defense mechanisms need to be:
• Able to provide strong authentication and access control
• Industrial-grade
• Appropriate for the types of networks and operating systems
• Installed and configured correctly
• Tested rigorously
• Maintained regularly
UNINTENTIONAL & INTENTIONAL THREATS

Unintentional threats:
• Human error
• Environmental hazards
• Computer system failures

Intentional threats, for example:
• Theft
• Deliberate manipulation in handling, entering, processing, transferring, or programming data
• Labor strikes, riots, or sabotage
• Malicious damage to computer resources
• Destruction from viruses
MALWARE

A computer program or code that can infect anything attached to the Internet that is able to process the code.
Designed for long-term control of infected machines.

Malware reinfects computers because:
• Malware is captured in backups or archives
• Malware infects removable media
TARGETED ATTACK

Corporate and government secrets are currently being stolen by APTs (advanced persistent threats). This type of attack begins with some reconnaissance on the part of the attackers.

Examples:
• Operation Aurora
• Botnets: a collection of bots, which are malware-infected computers
• Spear phishing
IT DEFENCES

1. Antivirus software
2. Intrusion detection systems (IDSs)
3. Intrusion prevention systems (IPSs)
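The slide lists intrusion detection and intrusion prevention systems without saying what separates them. The following added example (not from the slides or any product) shows the distinction on a small scale: a threshold rule over login records that raises an alert when one source fails too often in a short window (the IDS part), and a block list derived from those alerts that a prevention system would enforce (the IPS part). The log lines, user names, IP addresses (from the RFC 5737 documentation ranges) and thresholds are all constructed sample values.

```python
"""Threshold-based detection of password-guessing over constructed SSH log
lines: an IDS raises an alert; an IPS additionally blocks the source.

Added example, not from the slides. The log lines, addresses (RFC 5737
documentation ranges) and thresholds are constructed sample values."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source fails six times in under 30 seconds,
# another fails twice and then succeeds (an ordinary typo).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:04 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:07 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09 sshd: Failed password for alice from 198.51.100.4
2024-05-01T10:00:12 sshd: Failed password for oracle from 203.0.113.7
2024-05-01T10:00:15 sshd: Failed password for alice from 198.51.100.4
2024-05-01T10:00:18 sshd: Accepted password for alice from 198.51.100.4
2024-05-01T10:00:21 sshd: Failed password for test from 203.0.113.7
2024-05-01T10:00:28 sshd: Failed password for guest from 203.0.113.7
""".splitlines()

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """IDS part: return {ip: total_failures} for every source that produced at
    least `threshold` failed logins inside some span of `window_seconds`."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m.group("ip")].append(datetime.fromisoformat(m.group("ts")))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures along the timeline.
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                alerts[ip] = len(times)
                break
    return alerts


def block_list(alerts):
    """IPS part: the sources a prevention system would block."""
    return set(alerts)


def is_allowed(ip, blocked):
    """IPS enforcement: drop connections from blocked sources."""
    return ip not in blocked


if __name__ == "__main__":
    alerts = detect_bruteforce(SAMPLE_LOG)
    for ip, n in alerts.items():
        print(f"ALERT: {n} failed logins from {ip}")
    print("blocked:", sorted(block_list(alerts)))
```

The detection rule is the same in both cases; what makes a system an IPS is that it acts on the alert inline (here, `is_allowed` returning False for the offending source) instead of only reporting it. Tuning `threshold` and `window_seconds` is the usual trade-off: too low and the user who mistyped twice is blocked, too high and a slow guessing campaign is missed.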
5.3 MOBILE, APP, AND CLOUD SECURITY

VULNERABILITY
Vulnerabilities found in the system must be fixed within a certain period of time, before an attacker can take advantage of them.

Personal file: privacy
Business file: secret
Threat: malicious

MINIMUM SECURITY FOR MOBILE APPS
Mobile real-time protection:
• Resident shield
• On-access scanning
• Real-time protection: active
5.4 DEFENDING AGAINST FRAUD
FRAUD

Occupational fraud refers to the deliberate misuse of the assets of one's employer for personal gain.
FRAUD TYPES
SOLUTION

The single most effective fraud prevention tactic is making employees know that fraud will be detected by IT monitoring systems and punished, with the fraudster possibly turned over to the police or FBI. The fear of being caught and prosecuted is a strong deterrent. IT must play a visible and major role in detecting fraud.
5.5 COMPLIANCE & INTERNAL CONTROL
COMPLIANCE

Compliance with regulations always requires internal controls to ensure that sensitive data are protected and accurate.
INTERNAL CONTROL FUNCTIONS

• Operational efficiency
• Reliability of financial reporting, to protect investors
• Compliance with laws, regulations, and policies
• Safeguarding of assets
DEFENSE STRATEGY

The objective of IT security management practices is to defend all of the components of an information system.

1. Prevention and deterrence. Properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and, better yet, deny access to unauthorized people.

2. Detection. Like a fire, the earlier an attack is detected, the easier it is to combat, and the less damage is done. Detection can be performed in many cases by using special diagnostic software, at a minimal cost.
DEFENSE STRATEGY

3. Contain the damage. This can be accomplished, for example, by including a fault-tolerant system that permits operation in a degraded mode until full recovery is made. If a fault-tolerant system does not exist, a quick and possibly expensive recovery must take place. Users want their systems back in operation as fast as possible.

4. Recovery. A recovery plan explains how to fix a damaged information system as quickly as possible. Replacing rather than repairing components is one route to fast recovery.
DEFENSE STRATEGY

5. Correction. Correcting the causes of damaged systems can prevent a problem from occurring again.

6. Awareness and compliance. All organization members must be educated about the hazards and must comply with the security rules and regulations.

THANK YOU
