# TODO
This blog features all my notes regarding Governance Risk and Compliance while studying Cyber Security at KEA.
Homework note: this is what one could do, and this is how it would support the measure.
Information technology is more than just a computer. Everything that carries information is within the scope of the ISMS/ISO27001.
We have an ISMS - we have this threat: sharpen, do not dilute.
Sources: ISO27001:2023 + ISO27002:2022 document, NIST CSF 2.0, lectures by James H. Brink
Besides your job as IT manager, you are now also IT security responsible, since the company wants to implement:
IT security ISO27001, so perhaps you ought to read it some day…
- You just got that title and haven't yet met with anyone, or done anything. No one bothers, since we are busy keeping the business going…
- Your company has around 500 employees and all activities involve email and databases; even the phones depend on the call center servers. In other words: all business goes down if IT goes down.
- On your way to lunch an employee calls you and explains that the files on the common network drive are changing names and cannot be opened…
- The employee shows you the file manager and you freeze… You know exactly what this is: a successful penetration, and a ransomware has launched: WannaCry. And in every folder there is a text file claiming that you only get your files back if you pay a ransom in bitcoins…
- Thankfully the backup procedures run every night; hopefully they work? And you hope the backup is air-gapped in its design.
Author: JHB James Hindsgavl Brink, Lecturer (Lektor) in IT Security, James.Brink@gmx.com
Glossary:
<-> = dependency
ISO27001 4.1 (Mandatory) <-> ISO38001:2018 5.4.1 & 6.3.3 External and Internal Context
| Internal Stakeholders | External Stakeholders | Cyber Security Expectations |
|---|---|---|
| Call Center | - | Expect systems and servers for call handling to be available 99% of the time |
| 500 employees | - | Changes to IT processes are easy to adopt; 99% availability of emails and documents/files |
| C-Suite | - | Expect their departments to deliver on base KPIs; expect that growth of business IT-related processes is possible; transparency in change management of IT processes that complies with standards familiar to them and builds on current company standards, policies and procedures; satisfied employees |
| Board | - | |
| Managers | - | |
| HR | - | Store PII and be aware of regulatory compliance when conducting proactive recruitment |
| Procurement | - | Easily understand and align the process for acquiring systems with the organisation's ISMS |
| Marketing | - | Need timely available information for sharing opportunities that can attract employees, business partners and customers |
| - | Business Partners | |
| - | Legal/Regulatory | |
Available information:
If ISO27001 had been implemented in time, we should have a documented incident response procedure according to control ISO27002:2022 Clause 5.26.
Clause 5.26 ISO27002:2022 :
We will ask a competent designated team to respond according to Clause 5.24, Incident Management Procedures:
The Incident Management Team must:
Prior to WannaCry, management has created an incident management plan according to Clause 5.24, Incident Management Procedures, which the designated team follows:
Situations for reporting IS events:
- Avoid testing and proving vulnerabilities.
Brief WannaCry:
We examine the list above and find that the case applies to:
We include this in the report:
Type of incident: suspected malware, functions as ransomware
Date and time: lunch-time
Location: every folder of the common network drive
Severity: HIGH
Discovery method: visual inspection of file names in the file manager, every folder on the common network drive.
Evidence:
Impact & Affected Assets:
Data involved: data on the common network drive NAS server (default) redundant storage containers or RAID partition (not ransomware-protected). Protocols used: NFS, SMB, AFP.
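The discovery method in the report above, spotting mass-renamed files and a ransom note in every folder, written out as detection logic over a file listing of the share. This is an added example, not part of the lecture notes or of any ISO text: the two listings, the `.locked` suffix and the note file name are constructed sample data, and the approach assumed is comparing the current listing against a baseline such as last night's backup index, then filling the fields of the incident report template.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed baseline listing of the common network drive, e.g. last night's backup index.
BASELINE = [
    "/share/finance/budget2024.xlsx",
    "/share/finance/invoices.docx",
    "/share/finance/q3.pdf",
    "/share/hr/contracts.docx",
    "/share/hr/payroll.xlsx",
    "/share/marketing/logo.png",
    "/share/marketing/campaign.pptx",
]

# Constructed current listing, as the employee sees it in the file manager at lunch-time.
# The ".locked" suffix and the note file name are made-up stand-ins, not a real family's.
CURRENT = [
    "/share/finance/budget2024.xlsx.locked",
    "/share/finance/invoices.docx.locked",
    "/share/finance/q3.pdf.locked",
    "/share/finance/HOW_TO_RESTORE_FILES.txt",
    "/share/hr/contracts.docx.locked",
    "/share/hr/payroll.xlsx.locked",
    "/share/hr/HOW_TO_RESTORE_FILES.txt",
    "/share/marketing/logo.png",
    "/share/marketing/campaign.pptx",
    "/share/marketing/newsletter.docx",  # ordinary new file, must not trigger
]

# Words that commonly appear in ransom-note file names; a new text file matching them is suspicious.
NOTE_WORDS = ("restore", "decrypt", "recover", "readme", "read_me", "how_to")


def by_folder(paths):
    """Group file names by their parent folder."""
    folders = defaultdict(set)
    for p in paths:
        pp = PurePosixPath(p)
        folders[str(pp.parent)].add(pp.name)
    return folders


def looks_like_ransom_note(name):
    n = name.lower()
    return n.endswith(".txt") and any(w in n for w in NOTE_WORDS)


def assess_folders(baseline, current, rename_threshold=0.8):
    """Per folder: share of baseline files that now exist only with an extra extension,
    plus any ransom-note-like files. HIGH needs both indicators, MEDIUM one of them."""
    base, cur = by_folder(baseline), by_folder(current)
    findings = {}
    for folder in sorted(set(base) | set(cur)):
        old, new = base.get(folder, set()), cur.get(folder, set())
        added = new - old
        # A baseline file counts as renamed when it is gone and a file "<name>.<something>" appeared.
        renamed = {m for m in old - new if any(a.startswith(m + ".") for a in added)}
        ratio = len(renamed) / len(old) if old else 0.0
        notes = sorted(a for a in added if looks_like_ransom_note(a))
        mass_rename = ratio >= rename_threshold
        if mass_rename and notes:
            severity = "HIGH"
        elif mass_rename or notes:
            severity = "MEDIUM"
        else:
            severity = "NONE"
        findings[folder] = {"renamed_ratio": round(ratio, 2), "ransom_notes": notes, "severity": severity}
    return findings


def incident_record(findings, location="Common Network Drive", when="Lunch-time"):
    """Fill the fields of the incident report template from the findings."""
    affected = [f for f, r in findings.items() if r["severity"] != "NONE"]
    levels = [r["severity"] for r in findings.values()]
    severity = "HIGH" if "HIGH" in levels else "MEDIUM" if "MEDIUM" in levels else "NONE"
    return {
        "Type of incident": "suspected malware, functions as ransomware" if affected else "no indicators",
        "Date and time": when,
        "Location": location,
        "Severity": severity,
        "Discovery method": "automated comparison of share listing against backup index",
        "Affected assets": affected,
    }


if __name__ == "__main__":
    findings = assess_folders(BASELINE, CURRENT)
    for folder, result in findings.items():
        print(f"{folder}: {result}")
    print(incident_record(findings))
```

The threshold of 80% renamed files per folder keeps a single user renaming a few documents from raising an alert; the ransom-note check alone only yields MEDIUM, so an innocent `readme.txt` is flagged for a look but not reported as HIGH.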
Implement -> 3-2-1 Backup strategy
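The 3-2-1 rule (three copies of the data, on two different media, one of them off-site) written as a control check, added here and not part of the notes. It runs over a constructed inventory of where copies of the common network drive live and also checks the two things the case scenario hopes for: that the nightly job actually succeeded recently and that at least one copy is air-gapped. The inventory entries and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed inventory of where copies of the common network drive live.
INVENTORY = [
    {"name": "NAS primary", "role": "primary", "media": "disk", "offsite": False,
     "air_gapped": False, "last_success": datetime(2024, 5, 14, 2, 0)},
    {"name": "NAS replica", "role": "backup", "media": "disk", "offsite": False,
     "air_gapped": False, "last_success": datetime(2024, 5, 14, 2, 30)},
    {"name": "Tape vault", "role": "backup", "media": "tape", "offsite": True,
     "air_gapped": True, "last_success": datetime(2024, 5, 13, 23, 0)},
]


def evaluate_321(inventory, now, max_age=timedelta(hours=26)):
    """Return the individual 3-2-1 checks plus freshness and air-gap, and the stale copies.
    max_age of 26 hours tolerates a nightly job that finishes a little late."""
    backups = [c for c in inventory if c["role"] == "backup"]
    stale = [c["name"] for c in backups if now - c["last_success"] > max_age]
    checks = {
        "three_copies": len(inventory) >= 3,                       # primary + at least two backups
        "two_media": len({c["media"] for c in inventory}) >= 2,    # e.g. disk and tape
        "one_offsite": any(c["offsite"] for c in backups),
        "one_air_gapped": any(c["air_gapped"] for c in backups),   # ransomware cannot reach it
        "backups_fresh": not stale,
    }
    return checks, stale


def compliant(inventory, now):
    checks, _ = evaluate_321(inventory, now)
    return all(checks.values())


def failing_checks(inventory, now):
    checks, _ = evaluate_321(inventory, now)
    return sorted(name for name, ok in checks.items() if not ok)


if __name__ == "__main__":
    lunch = datetime(2024, 5, 14, 12, 0)
    print(evaluate_321(INVENTORY, lunch))
    # Same site without the tape copy: fails copies, media, off-site and air-gap at once.
    print(failing_checks(INVENTORY[:2], lunch))
```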
From the National Cyber Security Centre:
Steps to take if your organisation is already infected
If your organisation has already been infected with malware, these steps may help limit the impact:
1. Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
2. In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
3. Reset credentials including passwords (especially for administrator and other system accounts) - but verify that you are not locking yourself out of systems that are needed for recovery.
4. Safely wipe the infected devices and reinstall the OS.
5. Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean.
6. Connect devices to a clean network in order to download, install and update the OS and all other software.
7. Install, update, and run antivirus software.
8. Reconnect to your network.
9. Monitor network traffic and run antivirus scans to identify if any infection remains.
Hardware is expected to be maintained for 5 years; we need one-to-one replacement equipment as bought, and service level agreements are made for a 5-year duration.
Governments
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Exploits the cache in which HDD read/write operations are stored in RAM (for speed-up purposes); on a Linux system the control of that cache is handled in the HDD itself. The SYSTEM was compromised and can compromise the HDD even though the OS has been wiped, and it cannot be inspected without physical access to the HDD firmware. Kaspersky discovered this because they wiped the systems in their lab and the machines were still communicating with the internet.
One of the most serious and advanced persistent threats in modern history.
Embedded picture with malware.
When hired for IT security we will find change management and implementing the more secure practices the hardest part of the job, which is often the standard job for a junior cyber security governance employee hired straight from college.
C-Suite leaders are "busy" and often hard to get to listen.
We cannot implement the technologies alone; we have to orchestrate cross-disciplinary (HR, IT, Operations, leaders at all levels).
Assets
Vulnerabilities
How exposed am I?
How likely am I to be attacked?
Internal organization
Central Documents
Risks
IDS was not active and not logging.
An organisation is an organism. The size of the organisation is growing, complexity is rising, and maturity in IT leadership is often too low.
Firstly, as IT professionals, we must throw the ball to the CEO (in a well-communicated manner towards our own boss).
We need buy-in from the CEO to get the authority to communicate with the other employees.
Key stakeholders in the company must be assembled to point out and describe the most effective policies.
Annex A of ISO27001 [Strategic] -> more specific in ISO27002 [Tactical]
ISO27001 [CERTIFIED] includes ISO27002; they are tightly coupled.
Remember to describe all incident plans: how to go from incident back to normal operation. (Remember!) We need a guide to act reasonably.
As security advisors, we can order the manager to fire people, since they get salary compensation for firing.
Newly revised to match the growing need for Cyber Security & Cloud in ISMS controls.
Mapping 27002:2013
IMPORTANT MONITORING: SIEM
Further controls that could add on to the 93 ISO27002 controls:
Explain 4 Areas of controls
- The idea of the area (Strategic)
- Example for scoping the policy
- Pick a random control in the area; explain what it is about (Tactical)
- How would you implement that control? Rules and procedures (Operational)?
- How would you make a revision?
IMPORTANT: the C-Suite needs to understand, in its own language, the actions taken to mitigate the WannaCry attack.