
MANAGING CYBERSECURITY RISK IN THE DIGITAL ERA FOR NON-IT PROFESSIONALS

11 August 2017 / Tan Lay Ngan & Ng Kok Leong

#ISSlearn

#ISSlearn © 2017 National University of Singapore. All Rights Reserved


What is Cybersecurity

Cybersecurity refers to the body of technologies, processes and practices designed to protect networks, devices, computers, programs and data from attack, damage or unauthorized access. Cybersecurity may also be referred to as information technology security.
Smart Nation

• A Smart City must be secure by design.
• Smart Cities by their nature introduce connections between multiple systems at multiple touch points and create an intersection between many other systems, including vehicles, energy grids, media streaming and the cloud.
• An exploitable vulnerability in the city could lead to more serious breaches in any system it touches, which complicates the security landscape.
Cybersecurity Threat – Examples (1 of 3)

(August 2012)
Cyber attack on Saudi Aramco. The computer network of Saudi Aramco was struck by a self-replicating virus that infected as many as 30,000 of its Windows-based machines. Despite its vast resources as Saudi Arabia's national oil and gas firm, Aramco took almost two weeks to recover from the damage.
https://www.iiss.org/en/publications/survival/sections/2013-94b0/survival--global-politics-and-strategy-april-may-2013-b2cc/55-2-08-bronk-and-tikk-ringas-e272

(2 June 2014)
SingPass is a single-factor authentication system allowing users to log in to various government e-services. It was reported that more than 1,500 users may have had their IDs and passwords accessed without permission.
http://www.channelnewsasia.com/news/singapore/1-500-singpass-accounts/1136316.html

(14 Oct 2014)
SMRT's webpage hacked, redirecting users to another page. A media advertising webpage under SMRT was apparently hacked, with users redirected to another page in a foreign language stating "Hacked by: Bortecine Tim".
http://www.straitstimes.com/singapore/smrts-webpage-hacked-users-redirected-to-another-page/

(10 March 2015)
Curtin Singapore's website defaced by hackers claiming to represent ISIS. Hackers claiming to be from the Islamic State (ISIS) have defaced Curtin Singapore's website. Why Curtin Singapore was chosen is not clear; the militant group's flag was displayed on the defaced website.
https://www.sgcybersecurity.com/securityarticle/securityarticle/curtin-singapore-s-website-defaced-by-hackers-claiming-to-represent-isis

(December 2015)
Iranian hackers claim cyber attack on New York dam. An Iranian hacktivist group has claimed responsibility for a cyberattack that gave it access to the control system for a dam in the suburbs of New York, an intrusion that one official said may be "just the tip of the iceberg."
http://www.nbcnews.com/news/us-news/iranian-hackers-claim-cyber-attack-new-york-dam-n484611
Cybersecurity Threat Examples (2 of 3)

(July 2016)
Taiwan's First Bank loses US$2 million. Law enforcement in Taiwan is investigating attacks against the ATMs of a major national bank, Taiwan's First Bank. Crooks used malware to withdraw more than $2 million from dozens of ATMs in the country; it is the first time that cyber criminals have used this technique in Taiwan.
http://securityaffairs.co/wordpress/49429/cyber-crime/taiwan-atm-hacking.html

(November 2016)
San Francisco transit cyber attack. The November hack targeted the computer systems of the San Francisco Municipal Transportation Agency. The transit agency waived fares that weekend, according to the San Francisco Chronicle, as hackers requested $73,000 in exchange for unlocking the agency's computers, a ransom the transit agency refused to pay.
https://www.washingtonpost.com/news/dr-gridlock/wp/2017/01/09/cyberattack-on-san-francisco-transit-agency-prompts-senate-questions-for-metro/?utm_term=.aa6f9ffa2a4b

(January 2017)
Czech cyber-attack: hacking diplomats' emails. The Czech Republic has suffered a damaging security breach after hackers infiltrated the emails of dozens of its most senior diplomats in a massive cyber-attack thought to have been carried out by Russia.
https://www.theguardian.com/world/2017/jan/31/czech-cyber-attack-russia-suspected-of-hacking-diplomats-emails
Cybersecurity Threat Examples (3 of 3)

(Feb 2017)
SINGAPORE - The personal details of 850 national servicemen and staff at the Ministry of Defence (Mindef) were stolen in what Mindef has described as a "targeted and carefully planned" cyber attack. The breach of Mindef's I-net system was discovered in early February. The I-net system provides Internet access to national servicemen and employees for their personal communications and Internet surfing via thousands of dedicated computer terminals in Mindef, as well as in Singapore Armed Forces (SAF) camps and premises. No classified military information is stored on I-net. Mindef said this was the first time that the I-net system was breached, resulting in the loss of the 850 personnel's NRIC numbers, telephone numbers and birth dates. The attack was executed remotely over the Internet.

(April 2017)
SINGAPORE - NUS, NTU networks hit by 'sophisticated' cyber attacks. The objective of the attacks "may be to steal information related to Government or research", said authorities, adding that "there is no evidence that information or data related to students was being targeted". The cyber-attacks, which appeared aimed at stealing government information and research documents, were what is known as APT (advanced persistent threat) attacks - carefully planned cyber intrusions executed over a considerable period of time, and which are not the work of casual hackers.

(May 2017)
For months, the ransom money from the massive WannaCry cyberattack sat untouched in online accounts. Now, someone moved it. More than $140,000 worth of the digital currency bitcoin has been drained from three accounts linked to the ransomware virus that hit hundreds of thousands of computers around the world in May.

(August 2017)
New York - HBO has fallen victim to a cyber attack, the Time Warner-owned cable network said on Monday, after hackers claimed to have stolen material including plot points from an upcoming episode of its hit series Game of Thrones. "There has been a cyber incident directed at the company which has resulted in some stolen proprietary information, including some of our programming," Richard Plepler, HBO chairman, wrote in a message to employees.
Types of Cyber Attacks (non-exhaustive)

Social Engineering
WannaCry Ransomware 2017

• Computers become infected by WannaCry when unsuspecting users click on a bogus link or e-mail attachment - a method known as "phishing".
• Once in, the malware spreads to multiple machines over the corporate intranet.
• Infected systems were locked down with a note demanding a ransom.

DDoS attacks – Denial of Service

The Internet of Things

Are you prepared?
• Do you feel your organisation is doing enough to protect itself against cyber threats?
• Cybersecurity is an issue for the IT department?
• Software is the key to solving this issue?
• When we invest in best-of-class technical tools, we are safe?
• Small and medium businesses are not going to be attacked?
• My business is not going to be attacked?
• I don't have anything worth stealing?
• Cybersecurity compliance is all about effective monitoring?

What type of threats are you most concerned about?

http://info.vectranetworks.com/insider-threat-survey-report-registration
What is Risk?

The probability (likelihood) that a given threat source will exercise a particular vulnerability, and the resulting impact should that occur.

Risk = f(likelihood, impact)

Are you able to identify the threats and risks that are relevant to your organisation and system?
Assess the business impact of identified threats

Example (each cell's score is likelihood weight x impact weight, then banded into Low, Medium or High Risk)

                          Impact
Likelihood        Low (1)           Medium (3)         High (15)
High (5)          Medium Risk (5)   High Risk (15)     High Risk (75)
Medium (3)        Low Risk (3)      Medium Risk (9)    High Risk (45)
Low (1)           Low Risk (1)      Low Risk (3)       High Risk (15)
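As an added example (not from the ISS slides), the risk matrix above can be reproduced in Python so that a threat register can be scored and prioritised consistently. The likelihood weights (1, 3, 5) and impact weights (1, 3, 15) are taken from the slide; the product rule and the Low/Medium/High bands are inferred from the nine cells, and the threat register is constructed for illustration.

```python
# Added example, not from the ISS slides. The likelihood weights (1, 3, 5) and
# impact weights (1, 3, 15) come from the slide; the product rule and the
# Low/Medium/High bands are inferred from the nine cells of the matrix.
LIKELIHOOD = {"Low": 1, "Medium": 3, "High": 5}
IMPACT = {"Low": 1, "Medium": 3, "High": 15}


def risk_score(likelihood, impact):
    """Risk = f(likelihood, impact); here f is the product of the two weights."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(score):
    """Band a score as the slide does: 1-3 Low, 5-9 Medium, 15 and above High."""
    if score >= 15:
        return "High Risk"
    if score >= 5:
        return "Medium Risk"
    return "Low Risk"


def risk_matrix():
    """Rebuild the full 3x3 matrix so it can be checked against the slide."""
    return {(lk, im): (risk_score(lk, im), risk_rating(risk_score(lk, im)))
            for lk in LIKELIHOOD for im in IMPACT}


def prioritise(register):
    """Order a threat register from highest to lowest score (ties keep input order)."""
    scored = [(name, risk_score(lk, im), risk_rating(risk_score(lk, im)))
              for name, lk, im in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed threat register using threat types the deck mentions.
SAMPLE_REGISTER = [
    ("Phishing e-mail delivering ransomware", "High", "High"),
    ("DDoS against the public website", "Medium", "Medium"),
    ("Unpatched CCTV camera on the office network", "High", "Low"),
    ("Insider copies the customer list", "Low", "High"),
]

if __name__ == "__main__":
    # Note the slide's asymmetry: a High-impact threat is High Risk even at
    # Low likelihood (score 15), while High likelihood with Low impact is only Medium.
    for name, score, rating in prioritise(SAMPLE_REGISTER):
        print(f"{score:>3}  {rating:<12} {name}")
```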
Legal and Compliance

• Are we complying with relevant regulatory and international certification standards?
  - Issue circulars on cybersecurity regulations to the financial institutions
  - Circulate Early Detection of Cyber Intrusion
  - Circulate Risk and Cyber Security Training for Board

• Personal Data Protection Act
  - Administer and enforce the Personal Data Protection Act 2012 (PDPA)
  - Undertake public education and engagement programmes to help organisations understand and comply with the PDPA
  - Promote greater awareness of the importance of personal data protection in Singapore

• Provide government ICT policies and principles for Government agencies


Legal and Compliance

SINGAPORE - Critical information infrastructure (CII) owners in Singapore must report security breaches, and cyber-security vendors providing highly sensitive services here will need to be licensed if a proposed Cybersecurity Bill gets the green light.

• The draft Bill was released on Monday (July 10) for public consultation.
• The Bill aims to harmonise the requirements to protect CII across the public and private sectors.
• It also aims to clarify organisations' obligations to share information to facilitate investigations of cyber-security threats or incidents.

CII owners must:

• Conduct regular system audits by a commissioner-approved third party;
• Conduct regular risk assessments of the CII;
• Comply with directions issued by the commissioner, including providing access to premises, computers or information during investigations.

• Depending on the offence, the maximum penalty is a fine of $100,000 or a jail term of up to 10 years.


Preparing for and Handling Cyber Threats


Creating Strategies, Policies and Procedures

• Start with strategies and policies
• Encoded in procedure
• Audit the practices
• Security is not the same as compliance
• You can be compliant and yet not secure

[Slide diagram: My Cybersecurity Strategies]


Data Governance

• Master data management
• Know your data assets
• Identify your sensitive and high-value data
• Classify data according to its value to the organisation
• Minimize your classified data
• Mobile is a risk management issue, not a technical issue
• Employ security control and protection measures

[Slide diagram: Data Classifications, Control & Encryption]


Training and Capacity Building

• Capacity must be developed internally
• Another form of insurance
• Outsource services, not competency
• Be prepared
• Set the bar
• Set the basics right
• Personal protection
• Awareness program

[Slide diagram: Stakeholders - Internal: Leaders/Business Leaders, Digital Leaders, Senior Professionals, ICT Professionals, Cyber Security Professionals; External stakeholders]

(ISS has a series of Cybersecurity training)
Response to Cyber Attacks

Roles and responsibility

Operation

• Identity and Access Management
• Security Assessment and Testing

Disaster Recovery Plan


Plan for enabling cyber resiliency in the organisation

• You will be attacked
• You will likely be breached
• You may not know it
• What will you do?


Every day the gazelle wakes up knowing that if it can't run faster than the lion, it's going to be somebody's breakfast.

Every day the lion wakes up knowing that if it can't overrun the slowest gazelle, it will starve to death.

Old African Proverb
Understanding Cybersecurity Vulnerabilities

An exercise to experience cybersecurity vulnerabilities...

Gamification: Learning through Serious Gaming

Understanding Cybersecurity Vulnerabilities: 3 illustrations
Vulnerability 1

Human – one of the weakest links in the security chain

Vulnerability 2

Hacking does not need deep technical skills

Example – hacking a CCTV camera is a matter of downloading ready-made hacking software from the Internet

Vulnerability 3

Anything can be hacked: CCTV cameras... even vehicles...

THANK YOU
issngln@nus.edu.sg
and
kokleong@nus.edu.sg