
UTS APLIKOM GENAP 2014/2015

Trust is the glue that holds our societies and economies together. To gain trust in business, you have to ensure the integrity of your products, services, and operations as well as the protection of confidential information.


Do your customers trust you? How about your employees and business partners? These questions are more important than ever in a world brimming over with sensitive data, and where even relatively simple data security breaches can have huge direct and indirect impacts.

Indeed, trust is a critical ingredient for success in a fast-changing business world. Customers buy products and services at least in part because they trust you: that your products will work as promised, that your services will be available whenever needed, and, most importantly, that you will protect their personal data. Your business partners (suppliers, development partners, and distributors) work with you because they trust you will protect both their contributions to success and the secrets about your relationship. Last but not least, your employees trust that their medical information and other personal data is safe, and that working procedures protect their legal rights.

Ahmad Akbar 41208010021

At its core, information security is about more than merely protecting confidentiality or making sure your systems are safe: it's about maintaining the integrity of your systems, and thus your business and production processes.

Losing Trust
Every week seems to bring headlines about security incidents; 2014 included the steady stream of leaks about National Security Agency surveillance as well as news of breaches that have hammered JPMorgan Chase and Sony. In many cases, it seems that hackers remain a step ahead of the existing countermeasures. (For more information, see the appendix, "From Attack-as-a-Service to Cyberespionage: The Latest Trends in Hacking.")
It's tempting to relax if your firm hasn't been targeted yet, or doesn't know it has been. Too often, we hear statements such as, "We are secure; nothing has happened to us before," or "Our firm is not important enough to be a target," or "Security costs are greater than the potential damages." Unfortunately, many studies have demonstrated, and many executives have learned the hard way, that these statements simply aren't true. While there is no commonly agreed-upon number for the cost of worldwide security breaches, estimates range from $400 billion (about the GDP of Austria) to as high as $2.2 trillion (roughly the GDP of Brazil), that is, between 0.5 percent and 2.9 percent of the world's GDP. And that doesn't take into account the damage from lost trust: your own trust, your partners' trust, your customers' trust, and your employees' trust.
Breaches also can have unexpectedly long-term consequences. According to security intelligence company Mandiant, the median attack goes 243 days undetected, plenty of time for a hacker to plumb your company of its information. The Sony hack of late 2014 highlights a most extreme case of stolen data: the release of five Sony movies, the leak of thousands of executive emails to the press, and the public display of employee information such as social security numbers, passwords, and salary data. Once the "bad guys" infect a company, it can take months to win back territory, all while facing the fear that important systems will be sabotaged in revenge and that there is more damage that has not been uncovered yet.

No single industry has the ability to defend against all attacks; even the best-prepared, most technologically advanced industries, such as telecom and banking, have faced embarrassing incidents and the public exposure of reams of data. Other, potentially far more damaging incidents have been successfully hidden, at high financial cost. In manufacturing, where safety (avoiding accidents) has long been a focus, information security has not been a priority. The same is true for infrastructure industries such as traffic and utilities (other than nuclear plants, where the information security focus derives from the industry's larger safety and security mindset). Despite the imminent threats, senior management awareness seems quite low across industries. This is changing, but only slowly.
With digitization increasing, breaches are inevitable, and the magnitude and frequency of successful attacks will only increase. Only a significant, society-wide change in awareness may be able to slow down, and later reverse, this development.

Trust Requires Transparency and Strategic Commitment
Silence is perhaps the largest hurdle in tackling information security. Many executives choose to say nothing, certainly when the damage is hidden, and often even when it becomes visible. However, true information security requires attacking tough issues head on. For the leading companies, information security is a cross-functional, multidimensional task that starts at the top, with corporate leaders bringing together various parties and specialists to address strategic alignment, organizational and process setup, technical measures, communication, and culture.
For management teams at these firms, the first step is understanding that information
security risks are business risks. Board members are the ultimate owners of
information security risk and are best positioned to instill an information security
mindset across the organization.
The best information security departments seek to support the business side in achieving business objectives securely, building trust both internally and externally and setting mutual goals to create a stronger relationship (see sidebar: Using Communications to Build Trust). For these leading firms, both business and information security leaders share responsibility in evaluating protection levels and identifying threats and vulnerabilities. With the business side supported by the information security function in analyzing the business impact of information security, they mutually define the value at risk. It is paramount that the information security function perform the final risk evaluation with an eye toward keeping overall business costs down. For these companies, there is transparency and trust about the true risk landscape and about defining potential measures to mitigate those risks. Creating informed decision processes for implementing measures or accepting risks ensures that risks are only accepted when there is proper reasoning and documentation.

The Five Dimensions of Addressing Information Security
How do these leading firms achieve cutting-edge information security? By addressing
five dimensions, each crucial to success: strategy, organization, processes,
technology, and culture (see figure 1). Rarely are security incidents linked to just one
of these five dimensions. Conversely, an integrated combination of measures across
all five can ensure your company is prepared to address information security issues.
The following section looks at the five dimensions and some of the leading practices
in addressing them (see figure 2).
Strategy. Solid strategy is the foundation for all information security. It focuses
resources on what is most important to protect and sets clear guidelines to help
define what level of protection is needed in different areas.
Information security leaders do three things particularly well when it comes to
strategy:

The information security strategy is clearly linked to the corporate strategy. It defines what is important for the company and its stakeholders, and, hence, what must be protected.

Leading companies put the greatest emphasis on defining and then protecting their most critical assets, making it harder for attackers to increase the damage after an initial breach. Information security policies clearly define the requirements for security areas from data centers, devices, applications, and production systems to processes and governance, such as risk management, incident management, and the classification of information. And guidelines for specific stakeholder groups (executives, administrators, and external users, among others) serve as "best practices" specific to the audience. This knowledge helps balance the desired level of protection against the cost and effort to achieve appropriate security, in other words, the acceptable risk that can be tolerated.

A well-defined road map defines short- and mid-term goals for information security. Long-term goals would fail in a rapidly changing environment, or they would come too late to address foreseeable issues.

Organization. Information security requires an organizational setup that can manage through tough decisions. Often there is initial resistance to security measures or a conflict of interest that slows progress. Only if the information security function can act at "eye level" with the business can a company implement all important security measures. This is even truer across divisional or regional organizations, where attackers can use the weakest link to enter the corporate network and then easily move across the entire corporation. Similarly, with external partners along the value chain, every connection can become a potential entry point for the bad guys. Properly addressing the internal organization and the entire ecosystem of partners is critical.
Following are two best practices:

Leading companies have a dedicated chief information security officer (CISO) who reports to another board member rather than the CIO, in order to avoid potential conflicts of interest.

Divisions and regions also have their own information security officers, with dotted-line reporting to the CISO; other roles responsible for information security are consistently defined throughout the organization and sufficiently staffed.

Processes. Security is a process, not a state. Well-defined processes ensure that a strategy is implemented, that protection measures are regularly reviewed, and that adjustments are made for changing requirements. Information security must be integrated into all business and operational processes; otherwise protection will slip or costs will rise.
Leaders follow five best practices:

Leading companies implement solid information security management systems (ISMS) that conform to ISO 2700x, including information security risk management and incident management. Consistent ISMSs across the organization ensure cross-divisional, interregional consolidation and coordination.

Information security leaders make sure they understand the risks to all
business-critical processes. Business continuity management secures business
even in case of incidents for all critical processes. All required parties regularly
conduct training regarding business continuity plans, ensuring that operability
and continuous improvement stay up-to-date with changing requirements.

All supporting processes are also aligned with information security requirements. For example, the project management process involves early security reviews, as including security from the beginning (rather than waiting until everything is designed) lowers costs and increases effectiveness.

Identity and access management, which is often the eye of the storm of an
attack, is focused on the principle of least privilege. 1 Leaders have the checks
and controls in place to limit potential damage through insider attackers or
compromised accounts.

IT operations processes are designed with security in mind to reduce risk for
IT infrastructure and applications. Regular penetration tests verify the
effectiveness of security measures.

Technology. IT security is not the same thing as information security. The critical difference is that information security accounts for the human factor, which is central to nearly all successful attacks, as well as technology. For example, some regrettable breaches have come from information stolen because of simple errors such as disposing of sensitive information in a trash bin below the desk or behind the building. Having said that, technology is obviously important. Almost all publicly known major security breaches involve technology; in many cases the cause is an avoidable mistake, such as an insufficiently patched IT system.
How do leading companies stand out in terms of technology?

Leading companies care most about the one attack they might miss, not the millions of malware attacks they know they can defend against. These leading security organizations are efficient in their technology use so that they are able to spend more time working with the business side to secure core processes.

Servers and applications are protected according to security classification, and administration occurs only through specifically secured channels with tight control mechanisms.

Clients (desktops, laptops, and mobile devices) are equipped with the latest malware protection and protect data in case they are stolen or lost. Access requires multifactor authentication wherever possible. At the same time, these companies seek to ensure that the user experience is not degraded but improved.

Best-practice networks are properly segmented with strict traffic control between segments. Detection technologies are deployed at all critical places and linked to a central SIEM (security information and event management) system as the central monitoring instance. Security monitoring is managed by a 24-7 SOC (security operations center), which evaluates incidents and drives remediation activities together with the CERT (computer emergency response team).

Culture. Culture is about the people aspect of security. Almost all major incidents involve the human element, typically some employees who are tricked into malicious behavior. But expecting everyone to understand the risk isn't fair; education is required. Then, companies can mitigate the risk by making all employees true stakeholders of information security.

Culture is a key cog in maintaining solid information security for leading firms. Best practices include the following:

The commitment of top managers to information security, and understanding it as a cross-functional task, can bring strong results. For firms with strong information security, the culture ensures that everybody feels responsible for their business's security, and that information security is seen as a business enabler.

Leading firms understand that employees across functions are a great source for identifying security gaps. They enable this by creating cultures that are open to the idea that employees can freely report security problems without fear of punishment for being the "bearers of bad news."

Typically, companies vary in their performance across categories, yet often there is a clear overall trend. Using A.T. Kearney's health check to assess performance, companies can outline their objectives in each category and create a program of short- and mid-term measures that lead to the desired state. A comprehensive program can require three years to complete (see figure 3).

Information Security: Setup and Budget
There are many schools of thought on how much a company should spend on information security. Five percent of the IT budget (with year-over-year growth of 5 to 10 percent) is often cited as a good rule, but in truth it depends on the individual company and its industry. Not only should the information security budget be independent from the IT budget, but where you are today, and the gaps you need to close to reach the desired protection level, can mean more costs at the outset. That may be hard for some to swallow, but following a generic benchmark would be a recipe for failure.
Building the budget bottom-up, based on identified risks and measures needed now,
is the best first step. This forces the organization to work on operational excellence.
In other words, the objective is not how to achieve the best theoretical solution, but
how to find a solution that is strong, feasible, and cost-effective in delivering
adequate protection to meet business objectives. The solution has to work in practice
and at a reasonable cost.

Lastly, cost creep often occurs after a project is approved. Rigorous project
management independent of the (mostly technical) implementation provider that
keeps operational excellence and business objectives in focus will help avoid this.

Trust Is the Glue
The business world is seeing disruptive technologies and business models at an unprecedented rate. Industries are changing, with start-ups leading the change and becoming partners to established corporations. Collaboration is a major cross-industry trend. With digitization, everything gets more interconnected. But one thing does not change: Trust is the glue that holds our societies and economies together.
This shiny new world has dark clouds quickly approaching from the horizon, or a sudden tsunami appearing out of nowhere. To keep the trust of all internal and external stakeholders, you have to be prepared not only to defend, but also to deal with a crisis. A systematic approach covering the five aforementioned dimensions helps companies establish the structures to be prepared, helping employees trust in their own capabilities and carrying that trust outside the company.
Appendix
From Attack-as-a-Service to Cyberespionage: The Latest Trends in Hacking
The next waves of attacks are as hard to predict as natural disasters, but some
trends are already evident, and others can be predicted. Here are a few to watch out
for:
Total global surveillance. Data enables activities beyond the wildest Orwellian
dreams, shaking the foundations of trust among different governments and between
governments and their citizens. Many corporate leaders are afraid of what it means
for their firms. Known security measures may fall short when coming up against
industrial espionage by intelligence agencies. One telecommunication company
providing services to a parliament found its network heavily compromised by a
foreign intelligence agency seeking to get its government into a better position for
major multinational negotiations.

Intentional weakening of IT defenses. The intentional weakening of IT and security products is a real nightmare. While you want to trust that the products you use help you stay as secure as possible, many major companies have intentionally (and not necessarily voluntarily) introduced weaknesses and backdoors into their products (notably security products and in particular, but not limited to, commercial cryptography) at the behest of governments seeking information. In other cases, governments have intervened in the shipping process to alter products in their favor. Recently, The Intercept revealed documents detailing the NSA's Sentry Eagle program and claims that the program infiltrated commercial entities, often even physically, in South Korea, Germany, China, and possibly even in the United States, to undermine the physical infrastructure of the Internet and to make devices and products exploitable.2 Russian security firm Kaspersky in February 2015 published evidence that a group closely linked to the creators of Stuxnet found ways to permanently embed surveillance so deep into hardware (firmware) that anti-malware solutions cannot detect it. Kaspersky estimated the activities reach back as much as 15 to 20 years.
It's doubtful the United States is alone in these types of activitiessimilar
accusations have been lodged against China, and in recent years there have been
cyberespionage accusations against security agencies in many other countries as
well.
Backdoors such as these destroy trust in companies and their products and have a devastating effect on security. As security guru Bruce Schneier puts it: "You can't build a backdoor that only the good guys can walk through."3 To name a couple of cases that have gone public, Gmail accounts in China were cracked using so-called "lawful interception backdoors," and in Greece more than 100 cell phones belonging to the Greek government (including the prime minister) were tapped in the mid-2000s, according to Schneier. One online gaming company revealed at a recent security conference how it installed two new servers before a weekend only to discover the following Monday that there was already network activity even though it hadn't started using them. It eventually discovered a backdoor in the servers' main processors, and that its new systems had come from the same batch of servers delivered to a military unit.

Network equipment producer Huawei provides an interesting example here, as the company has been suspected by some countries of introducing backdoors for Chinese agencies; later it was revealed they had been attacked by the NSA in an attempt to implement backdoors. To combat the claims and win the trust of customers, Huawei has offered to open its code to national intelligence agencies.
The rise of AaaS. Attack-as-a-service (AaaS) could be an important (albeit
clandestine) business model in coming years. The most dangerous attacks for
corporations are highly professional and customized to their targetsoften referred
to as advanced persistent threats (APTs) or targeted attacks. APTs require time,
money, and knowledge to execute, the kind that no single organization can create
alone, and thus lead to a very international cybercrime industry. Interestingly enough,
this industry is built largely on trust; as in other industries, it is evolving and creating
new business models. Presumably, customers can execute attacks without the deep
knowledge originally required. The first example we have seen involves the banking
industry, with Trojans ZeuS and SpyEye evolving toward this new service model
while the users of the respective services made incredible amounts of money.
Massive attacks on infrastructure. The cyber espionage campaign known as Energetic Bear, of origins still unconfirmed, has successfully compromised more than 1,000 utility companies in 84 countries. The attack has not only stolen significant data but also opened the door to sabotage by enabling the crippling of physical systems such as wind turbines, gas pipelines, and power plants at will. Huge attacks such as these could be preludes to strikes in something of a "lukewarm cyberwar."
These kinds of threats not only endanger utilities, but also other critical infrastructure
such as information and communication technology, healthcare, traffic and transport,
and banking. Users generally trust that the services of these sectors are safe; an
important question in these industries is "What happens when users lose trust?" And
we certainly don't want to find ourselves in a situation where public life suddenly
comes to a halt when the lifelines of our society are interrupted.
Automation systems as prime targets. Generally, automation systems are prime targets. Damages can range from manipulated production processes, which render products useless or even dangerous to use, to the destruction of facilities, even more so with Industry 4.0 on the doorstep. One automaker had a scary moment when its robots began behaving abnormally; think about the ill effects of manipulated cars. A German steelmaker was even harder hit when attackers tricked employees and found their way from the business network into the production network. Control systems and entire production units reported outages, and then a blast furnace reached an "undefined state," so that it could not be shut down in an orderly fashion. The damage was massive.
Ransom. Extortion can be directed at any critical resource of a corporation or even the entire business. The fall of Code Spaces, which offered a cloud-based software as a service (SaaS) solution for software developers, is an example of the risks. An attacker mounted a distributed denial of service (DDoS) attack and left a message demanding a ransom for it to stop, while demonstrating that he had access to the configuration of the complete cloud services upon which the company was built. When the company tried to regain control, the attacker used backdoors he had prepared to delete essentially all servers and customer data, including all backups, exploiting the fact that cloud services are as easily decommissioned as they are created. Within 12 hours the company declared its business was finished. It is worth mentioning that the company had prided itself on saying "Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced." It proved to be a false sense of security: it is not enough to apply security measures, you need to consider absolutely all the ways they can fail, and prepare for them.
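The least-privilege point made under Processes (identity and access management as "the eye of the storm") and the Code Spaces collapse above come down to one checkable question: can a single compromised credential reach both production and the backups that are supposed to survive production's loss? The following Python script is an added example and is not part of the A.T. Kearney article or Code Spaces' own setup. It uses a constructed, deliberately simplified Allow/Deny policy model (the principal names, the `res:<account>:<path>` resource naming, and the action strings are invented for illustration, not any cloud provider's real policy language) and flags principals whose permissions span administration of production and destruction of backups, or backups that live in the same account as production.

```python
# Added example: a simplified separation-of-duties check for backup access.
# The policy model (Allow/Deny statements with wildcard patterns) and all
# names below are constructed for illustration; this is not a real cloud
# provider's policy evaluator.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Tuple


@dataclass(frozen=True)
class Statement:
    effect: str                 # "Allow" or "Deny"
    actions: Tuple[str, ...]    # action patterns, e.g. "backup:Delete*"
    resources: Tuple[str, ...]  # resource patterns, e.g. "res:prod:*"


@dataclass
class Principal:
    name: str
    account: str                # account/tenant the credential belongs to
    statements: List[Statement]


def is_allowed(p: Principal, action: str, resource: str) -> bool:
    """Default deny; an explicit Deny beats any Allow (common policy semantics)."""
    allowed = False
    for st in p.statements:
        if (any(fnmatch(action, a) for a in st.actions)
                and any(fnmatch(resource, r) for r in st.resources)):
            if st.effect == "Deny":
                return False
            allowed = True
    return allowed


# Actions an attacker holding a compromised admin credential would reach for.
PROD_ADMIN = ("compute:TerminateInstance", "compute:ModifyConfiguration")
BACKUP_DESTROY = ("backup:DeleteSnapshot", "backup:DeleteVault")


def account_of(resource: str) -> str:
    """Resources are named 'res:<account>:<path>' in this constructed model."""
    return resource.split(":")[1]


def audit(principals, prod_res="res:prod:web/*", backup_res="res:vault:snapshots/*"):
    """Return human-readable findings; an empty list means the checks pass."""
    findings = []
    prod_account = account_of(prod_res)
    if account_of(backup_res) == prod_account:
        findings.append("backups live in the production account: one compromise reaches both")
    for p in principals:
        can_admin = any(is_allowed(p, a, prod_res) for a in PROD_ADMIN)
        can_destroy = any(is_allowed(p, a, backup_res) for a in BACKUP_DESTROY)
        if can_admin and can_destroy:
            findings.append(f"{p.name}: administers production AND can destroy backups")
        elif can_destroy and p.account == prod_account:
            findings.append(f"{p.name}: production-account credential can delete backups")
    return findings


# Constructed "before" setup in the spirit of the Code Spaces case: one
# all-powerful credential in the production account, backups stored alongside.
BEFORE = [Principal("ops-admin", "prod", [Statement("Allow", ("*",), ("*",))])]

# Constructed "after": production admins are explicitly denied backup deletion,
# and the only principal that may delete backups lives in a separate vault
# account and holds no production rights.
AFTER = [
    Principal("ops-admin", "prod", [
        Statement("Allow", ("compute:*", "backup:CreateSnapshot", "backup:Describe*"), ("*",)),
        Statement("Deny", ("backup:Delete*",), ("*",)),
    ]),
    Principal("backup-custodian", "vault", [
        Statement("Allow", ("backup:Delete*",), ("res:vault:*",)),
    ]),
]

if __name__ == "__main__":
    print("before:", audit(BEFORE, backup_res="res:prod:snapshots/*"))
    print("after: ", audit(AFTER))
```

The "before" configuration produces two findings (backups co-located with production, and one credential that can both run production and destroy its backups); the "after" configuration produces none. The explicit Deny matters: without it, a broad `compute:*`-style grant tends to creep toward `*` over time, which is exactly the single blast radius that finished Code Spaces.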
Source: http://www.atkearney.com/strategic-it/ideasinsights/article/-/asset_publisher/LCcgOeS4t85g/content/information-security-its-allabout-trust/10192?_101_INSTANCE_LCcgOeS4t85g_redirect=%2Fstrategic-it%2Fideas-insights%2Farticle
