Cyber attacks cause huge losses of money in Asia and worldwide

Cyber security issues and challenges have become a critical problem for cyberspace users worldwide. According to the latest reports, a major global cyber attack is estimated to cost US$53 billion in losses.

Reuters reported that a major, global cyber attack could trigger an average of $53 billion of economic losses, a figure on par with a catastrophic natural disaster such as U.S. Superstorm Sandy in 2012, Lloyd’s of London said in a report on Monday. (Suzanne, 2017)

Economic costs in the hypothetical cloud provider attack dwarf the $8 billion global cost of the “WannaCry” ransomware attack in May, which spread to more than 100 countries, according to Cyence. Economic costs typically include business interruptions and computer repairs. (Suzanne, 2017)

The situation in Asia is worse than in the EU and the UK. According to research, attacks cost Asian companies $81bn last year, and the region is even more vulnerable to new scams. (Leo, 2016)

Cyber security is a growing concern globally but it is creating particular anxiety in Asia after a flurry of attacks affecting Bangladesh, the Philippines, Taiwan, Thailand and Vietnam. Experts say the spike is driven partly by growing political tensions, such as China’s dispute with its neighbours over islands in the South China Sea, but the other key trigger is the attraction of increasingly lucrative, but patchily defended, banks and companies. (Leo, 2016)

Reference:

Suzanne, 2017 – Reuters news – http://www.reuters.com/article/cyber-lloyds-report-idUSL1N1K32CD

Leo, 2016 – Leo Lewis, Don Weinland, Michael Peel – https://www.ft.com/content/38e49534-57bb-11e6-9f70-badea1b336d4?mhq5j=e2 – September 20, 2016

Malaysia Boleh! We scored top 3 worldwide in the UN cybersecurity index

Congratulations to all Malaysians for being recognized as the 3rd best globally in the UN ITU’s Global Cybersecurity Index 2017. Singapore topped the International Telecommunication Union’s Global Cybersecurity Index (GCI) 2017, followed by the United States and Malaysia. (CFO, 2017) Other countries in the top 10 include Oman, Estonia, Mauritius, Australia, Georgia, France, and Canada.

The GCI is a survey that measures the commitment of Member States to cybersecurity in order to raise awareness. The GCI revolves around the ITU Global Cybersecurity Agenda (GCA) and its five pillars (legal, technical, organizational, capacity building and cooperation). (CFO, 2017)

One-hundred and thirty-four Member States responded to the survey throughout 2016.

The overall picture shows improvement and strengthening of all five elements of the cybersecurity agenda in various countries in all regions, according to the report. However, there is space for further improvement in cooperation at all levels, capacity building and organizational measures. The gap in the level of cybersecurity engagement between different regions is also still present and visible. (CFO, 2017)

The level of development of the different pillars varies from country to country in the regions, and while commitment in Europe remains very high in the legal and technical fields in particular, the challenging situation in the Africa and Americas regions shows the need for continued engagement and support. (CFO, 2017)

Strongest commitment

One of the strongest commitments is to outline a cybersecurity strategy describing how the country will prepare and respond to attacks against its digital networks, according to the GCI. (CFO, 2017)

Only 38% of countries have a published cybersecurity strategy and only 11% have a dedicated standalone strategy; another 12% have a cybersecurity strategy under development. More effort is needed in this critical area, particularly since a published strategy conveys that the government considers digital risks a high priority. (CFO, 2017)

In the area of training, efforts need to be enhanced, particularly for those who are most likely to legally handle cybersecurity crimes, given that less than half of the Member States (43%) have capacity-building programmes for law enforcement and the judicial system. (CFO, 2017)

Still, the U.N. survey finds cybersecurity gaps everywhere except Singapore, which scored number 1 in the UN ITU’s Global Cybersecurity Index 2017. (Tom, 2017) So we Malaysians still need to work harder, smarter and wiser to close the gap, in order to make the Malaysian online community safer and happier doing almost everything online. Hopefully, within a few years, we will be globally recognized as the country with the strongest, best and most excellent cybersecurity defense in the world.

Reference:

CFO, 2017 – CFO Innovation Asia staff – https://www.cfoinnovation.com/story/13299/singapore-us-malaysia-top-itus-global-cybersecurity-index-2017

Tom, 2017 – Tom Miles, Geneva – https://www.reuters.com/article/us-cyber-un-idUSKBN19Q19L

Malaysian SMEs are still not ready to combat and prevent social engineering issues and challenges

Recently, some Malaysian companies were badly hit by ransomware attacks. Although officially only a few companies or organizations were reported hit, many of the seriously affected companies chose not to expose or report their problem to the government. These SMEs chose to keep the matter to themselves and suffer silently. Officially, 16 cases of WannaCry ransomware have been detected in Malaysia so far, but the number could be higher as many enterprises are reluctant to come forward and report the cyber attacks. Information technology (IT) security expert Fong Choong Fook said almost all of the WannaCry ransomware attacks came through email. “Most of these cases involved attacks through email attachments. Although it is not the only way (of attack), so far this is how the hackers are spreading the malware,” he told The Malaysian Reserve. (TMR, 2017)

This story serves as a reminder of how much of our real-world lives are tied to the digital world. While Digital News Asia (DNA) publishes its fair share of articles full of advice from experts in the security industry, having a human face to front such cautionary tales remains the best vehicle to push the message forward. (Goh, 2014)

According to a comprehensive survey conducted by Trend Micro, data protection is still the biggest weak spot for many organizations. Across the board, 26% of the respondents are not prepared for cyber-attacks involving data breaches. Meanwhile, 18% of all respondents are not ready for attacks involving online extortion, mobile malware, and other threats designed to target mobile payment systems. (TM, 2016) This shows how Malaysian companies, especially SMEs, are easy targets and are far from ready to combat or win this cyber security war.

Most SMEs in Malaysia are not willing to spend a big IT budget on protection and preventive measures related to social engineering or cyberspace security problems. SMEs are more willing to spend on things they can feel, use and see, for example expanding and improving their ICT infrastructure, business software and data center hardware, or upgrading their website and e-commerce procurement system. Little do they realize how serious the consequences would be if they were hit by a social engineering attack, which could possibly wipe out their entire system and database. This would eventually destroy their reputation, business and operations, creating a critical situation they could not handle.

Conclusion

CEOs of SME companies in Malaysia should start changing their mindset and invest more effort and money in preventive measures in order to come out ahead in combating cyberspace security attackers.

Reference:

TMR, 2017 – https://themalaysianreserve.com/2017/05/18/more-ransomware-cases-detected-in-malaysia-unreported-cases-likely/

Goh, 2014 – https://www.digitalnewsasia.com/digital-economy/scammers-in-malaysia-up-their-game-with-social-engineering

TM, 2016 – http://www.trendmicro.com.my/vinfo/my/security/news/security-predictions/how-ready-is-your-company

Ransomware: A Wake-up Call for All, Especially the UK, EU and Asia

Currently, everyone is busy talking about ransomware, in Malaysia, the UK, the USA, Japan, China and worldwide.

Recent headlines also show a new generation of worm threats going viral on a global scale. (cisco, 2017)

According to Trend Micro, if your system was in sleep mode during WannaCry’s attacks weekend around 12 May to 14 May 2017, there’s a good chance that your machine escaped WannaCry’s slew of attacks. But what happens when you wake the system up on 15 May 2017 Monday morning? The short answer: the kill switch will still prevent the ransomware’s encryption routine. This is a window of opportunity IT/system administrators and information security (InfoSec) professionals can take advantage of to patch or update vulnerable systems, preventing threats like WannaCry from affecting them in the future. (trendmicro, 2017)

Ransomware attacks are leaving many organizations unsure of what happened and how they may be impacted by future attacks. The Cisco Annual Cybersecurity Report 2017 shows that 44% of security alerts are never investigated. (cisco, 2017)

In the initial step before launching a sustained cyber attack, adversaries look for Internet vulnerabilities or network weaknesses that allow them to access users’ computers and, ultimately, to infiltrate organizations, with the impact of a breach costing organisations close to 30% of lost revenue. (cisco, 2017)

A review of 10-year data from CBL (not shown) suggests that 2016 spam volume is close to the record-high levels seen in 2010. New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years. Our threat researchers attribute the recent increase in global spam volume to the Necurs botnet. Necurs is a primary vector for Locky ransomware. It also distributes threats such as the Dridex banking Trojan. (cisco, 2017)

In the section “Web Attack Methods: ‘Long Tail’ Snapshot Reveals Threats That Users Can Easily Avoid”, the Cisco report explains that the so-called long tail of the web attack methods spectrum (Figure 20) includes a collection of lower-volume malware types that are employed at a later stage in the attack chain: installation. In this phase, the threat that has been delivered, whether a banking Trojan, a virus, a downloader, or some other exploit, installs a back door in the target system, providing adversaries with persistent access and the opportunity to exfiltrate data, launch ransomware attacks, and engage in other mischief. (cisco, 2017)

The fact that nearly half of alerts go uninvestigated should raise worldwide concern. What is in the group of alerts that is not being remediated: Are they low-level threats that might merely spread spam, or could they result in a ransomware attack or cripple a network? (cisco, 2017) To investigate and understand a greater slice of the threat landscape, organizations should not just rely on automation but need to consider properly integrated solutions.

Automation can help stretch precious resources and remove the burden of detection and investigation from the security team. The inability to view so many alerts raises questions about their impact on an organization’s overall success. What could these uninvestigated threats do to productivity, customer satisfaction, and confidence in the enterprise? As respondents told us, even small network outages or security breaches can have long-term effects on the bottom line. Even when losses were relatively minor and the affected systems were fairly easy to identify and isolate, security leaders regard breaches as significant because of the stress they put on the organization. (cisco, 2017)

According to Trend Micro, WannaCry underscores the importance of keeping systems and networks regularly patched and updated. It is extremely important to start patching your vulnerable systems and implement best practices in your company, home or office. Threats like WannaCry abuse vulnerabilities to penetrate security gaps in an organization’s perimeter. This is compounded by the window of exposure between exploitation and the release of a patch; the longer your systems and networks remain vulnerable, the more time attackers have to exploit them. Organizations must balance the need to maintain business operations with the need to secure them. (trendmicro, 2017)

Indeed, keeping attackers at bay is always a race against time for many enterprises. A defense-in-depth approach combining proactive security mechanisms, robust IT policies, and strong security posture in the workplace can help deter threats like WannaCry. 

Reference:

cisco, 2017 – http://www.cisco.com/c/dam/m/digital/en_us/Cisco_Annual_Cybersecurity_Report_2017.pdf – 2017

trendmicro, 2017 – https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/wannacry-wcry-ransomware-what-your-it-sysadmins-need-to-do – 2017

Quality In IT Project Management

Quality is an important factor in managing IT projects in today’s highly competitive market. It has become a market differentiator and a KPI that determines the success or failure of an IT project.

The main purpose of quality management in an IT project is to ensure that the quality, value and standard of the project’s final outcome are consistent and satisfactory to all the project stakeholders.

IT project quality management consists of the following main components: quality planning, quality control, quality assurance and quality improvement. It focuses mainly on the hardware, software and design quality of the IT products and services. IT project managers also emphasize quality assurance and control of processes and IT products to achieve more consistent quality.

Two points we should focus on in quality IT project management are stated below:

  1. Quality control and quality assurance – Supervision should help the IT project team, resources, machines and gadgets to do a better job.
    • Project managers use these techniques to maintain and enhance project quality, ensuring the end product and IT services meet the quality requirements and standards defined in the project scope and project papers.
    • Quality management is normally based on methods such as TQM (Total Quality Management) and on internal and external standards.
    • The standards usually define the IT project’s processes, activities and procedures and help maintain quality in every aspect of IT project management.
    • One of the key quality standards bodies is ISO (the International Organization for Standardization), one of the more prominent international bodies defining quality standards for IT project management.
    • SEI-CMMi is one of the standards followed in software development for IT project management.
    • The IT departments of most companies prefer to hire certified project managers, and if they outsource their project management, they will choose a software developer holding ISO or SEI-CMMi certificates.
    • The process of making sure that the stakeholders adhere to the defined standards and procedures is called quality control. In quality control, a verification process takes place: certain activities and products are verified against a defined set of rules or standards.
    • Every organization that practices QC needs to have a quality manual. The quality manual outlines the quality focus and the objectives of the organization. Organizations can define their own internal quality standards, processes and procedures; the organization develops these over time and the relevant stakeholders are then required to adhere to them.
    • The quality manual gives quality guidance to the different departments and functions. Therefore, everyone in the organization needs to be aware of his or her responsibilities as set out in the quality manual.
    • Quality assurance is a broad practice used for assuring the quality of products or services. There are many differences between quality control and quality assurance. In quality assurance, a constant effort is made to enhance the quality practices in the organization.
    • The quality assurance team of an organization has many responsibilities. Its first and foremost responsibility is to define a process for achieving and improving quality.
    • Some organizations come up with their own process and others adopt standard processes such as ISO or CMMi. Processes such as CMMi allow organizations to define their own internal processes and adhere to them.
    • The quality assurance function of an organization uses a number of tools for enhancing quality practices. These tools range from simple techniques to sophisticated software systems.
    • Quality assurance professionals should also go through formal industrial training and become certified. This is especially applicable to quality assurance functions in software development houses.
    • Since quality is a relative term, there is plenty of opportunity to enhance the quality of products and services.
    • The quality assurance teams of organizations constantly work to enhance the existing quality of products and services by optimizing existing production processes and introducing new ones.

Conclusion:

  • When it comes to our focus, we understand that quality control is a product-oriented process. When it comes to quality assurance, it is a process-oriented practice.
  • When quality control makes sure the end product meets the quality requirements, quality assurance makes sure that the process of manufacturing the product does adhere to standards.
  • Therefore, quality assurance can be identified as a proactive process, while quality control can be noted as a reactive process.

Project Management

Project management is the planning and organization of an organization’s resources in order to move a specific task, event or duty toward completion. Project management typically involves a one-time project rather than an ongoing activity, and the resources managed include both human and financial capital.

A project manager will help define the goals and objectives of the project, determine when the various project components are to be completed and by whom, and create quality control checks to ensure that completed components meet a certain standard e.g.: TQM and ISO standards.

TQM

TQM consists of organization-wide efforts to install and make permanent a climate in which an organization or company continuously improves its ability to deliver top quality products and services to customers. (TQMwiki) TQM received widespread attention during the late 1980s and early 1990s, before ISO 9000, Lean manufacturing and Six Sigma took over its role and popularity.

Social Engineering ~ Security Awareness Is a Vital Defense

According to research done by Cisco in 2016, “some security software is available to combat phishing and pharming, but the best defense against the full range of social-engineering attacks is a corporatewide culture of security awareness”. (Cisco, 2016)

Security awareness is important for organizations of all sizes (and sometimes required by law and/or industry standards). Different organizations face different types of threats, and proper security awareness training should be tailored to the risks your organization is likely to encounter. This series offers a basic overview of security concepts. (Scott, 2017)

With regard to employees undergoing security awareness training, Lance Spitzner, director of SANS Securing the Human Program, says: “We’ve done tremendous work to secure computers but nothing to secure the human operating system. That’s why these social engineering techniques are so prevalent. (Infosec, 2017)

To change human behaviour, you need to educate and train employees, not just once a year but continuously. Like you continually patch computers and applications, you’re continually training and patching human operating systems.” In the same spirit, Spitzner made the observation that employees who undergo periodic security training exhibit better orientation in the event of cyber-threats and are as a whole less likely to become a victim of spear phishing and similar social engineering campaigns. (Infosec, 2017)

References:

Cisco, 2016 – Protect Against Social Engineering – http://www.cisco.com/c/en/us/about/security-center/protect-against-social-engineering.html

Scott, 2017 – http://www.thesecurityadvocate.com/2017/02/16/security-awareness-basics-social-engineering/

Infosec, 2017 – http://resources.infosecinstitute.com/how-social-engineering-security-awareness-stops-3-common-scams/#gref

Social engineering issues are not that easy to resolve using technology

Social engineering, in the context of information security, is the psychological manipulation of ICT users into performing actions, giving away sensitive information or divulging confidential data or passwords. It is a type of confidence trick for the purpose of information gathering, fraud, or system access. The weakest link in ICT security is actually human psychological weakness.

The term “social engineering” as an act of psychological manipulation is also associated with the social sciences, but its usage has caught on among computer and information security professionals.

One classic example of social engineering is a serviceman who walks into a building and posts an official-looking announcement on the company bulletin board saying that the number for the help desk has changed. When staff call for help, the man asks them for their passwords and IDs, thereby gaining the ability to access the company’s private data. Another example would be a hacker who contacts the target on Facebook or WhatsApp and starts a conversation. After some time, the hacker gains the trust of the weak target and then uses it to get access to sensitive information such as IDs, passwords or bank account details. Even a simple program like TeamViewer, through which a hacker gains access to the targeted computer by winning the trust of a staff member who mistakenly takes the hacker for a service provider, can cause huge disasters to the entire company or network. The staff member can watch what the hacker does, but if he or she has no technical knowledge of what is going on, or if the hacker can successfully install spyware and dangerous hacking tools on the computer and then remotely access it when the user is not around, the social engineering disaster will happen.

We can install the best firewall, the best network switches, anti-virus, anti-spam, anti-everything in our networking system, computers and servers, but if we are not careful and do not invest in training staff to be alert to and aware of social engineering phenomena, strategies and techniques in the working environment, all the latest technological strategies will be in vain.

Reformed computer criminal and later security consultant Kevin Mitnick points out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system. This means that any advanced firewall or anti-hacker software or hardware will be in vain if people, not the IT machines themselves, are the big problem.

As demonstrated by the well-known security consultant Mike Ridpath, it is far easier to obtain a password via a simple phone call than to use the latest hacking technology to break into the system and steal the same password. Mike Ridpath is a security consultant, published author and speaker. He emphasizes techniques and tactics for social engineering cold calling. He became notable after talks in which he played recorded calls and explained his thought process on how he obtained passwords over the phone, as well as for his live demonstrations.

Cyber Security – Social Engineering

What is the concept of Cybersecurity?

“Cyberattacks – deliberate attempts by unauthorized persons to access ICT systems, usually with the goal of theft, disruption, damage or other unlawful actions” (Eric, 2016)

What is Social Engineering? (nabie, 2016)
The art of “Human OS” hacking

“Social engineering is defined as the process of deceiving people into giving away access or confidential information.” (digital, 2016)

Social Engineering Attack Framework

“The two classes of a social engineering attack are direct communication and indirect communication” (Francois, 2014); an attack is therefore either direct or indirect. “The direct communication class is further divided into two subclasses: bidirectional communication and unidirectional communication”, while indirect communication takes place through third-party mediums, normally social media, email, internet links or telephone calls. (Francois, 2014)

Human-based Social Engineering (adebowale,2016)

  • Posing as a legitimate end user
  • Giving an identity and asking for sensitive information
  • Posing as an important user
  • Posing as technical support
  • Posing as a customer, supplier or top management

Mobile-based Social Engineering

  • Cyber criminals are now taking over mobile devices by using many of the psychological tricks used to con people online.
  • “Social engineering is an attack method of choice to gain access to a person’s smartphone or tablet.” (Joan, 2011)
  • Malicious apps that look like legitimate apps (Joan, 2011)
  • Malicious mobile apps that come from ads (Joan, 2011)
  • Apps that claim to be for “security” (Joan, 2011)
  • SMS and notifications
  • Calls, recordings and IVR

Interactive voice response (IVR) is a technology that allows a computer to interact with humans through voice and DTMF tones entered via a keypad.

“From a user’s perspective it is very hard to distinguish between an app that is legitimate and an app that turns out to be malicious,” said Zeltser. (Joan, 2011)

Reference:

  • Research, 2016, 3(3): 64-66 ISSN:2394-2630 CODEN(USA): JSERBR – ResearchGate – 19 Sept 2016
  • DOJ, 2015 – Best Practices for Victim Response and Reporting of Cyber Incidents – Version 1.0 – Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice, Cybersecurity Unit – (202) 514-1026 – April 2015
  • Digital, 2016 – Digital Defense Incorporated USA – Social Engineering Prevention: Be Prepared. It Could Happen to You! – WWW.DDIFRONTLINE.COM – 2016
  • Eric, 2016 – Eric A. Fischer – Cybersecurity Issues and Challenges: In Brief – Senior Specialist in Science and Technology – Congressional Research Service 7-5700, R43831– www.crs.gov – 12 Aug 2016
  • Frank, 2014 – Frank L. Greitzer & members, PsyberAnalytix – Analysis of Unintentional Insider Threats, Deriving from Social engineering exploits – 2014 IEEE Security and Privacy workshops – 2014
  • Francois, 2014 – Francois Mouton , Mercia M. Malan and members – Social Engineering Attack framework – University of Pretoria, South Africa – IEEE 978-1-4799-3384-6/14 -2014
  • Ibrahim, 2016 – Ibrahim Ghafir, FI and members – Social Engineering Attack Strategies and defence Approaches – Metropolitan University & Masaryk University – 2016 IEEE 4TH International Conference on Future Internet of Things and Cloud , Austria- August 22, 2016
  • Joan, 2011 – Joan Goodchild, Senior Editor – Social engineering: 3 mobile malware techniques – CSO USA
  • Kathleen, 2016 – Kathleen Crowe & members – Beyond Hacking: Coverage For Social Engineering Scams and Schemes – AON Risk solutions Inc. – American Bar Association Section of Litigation, Insurance Coverage Litigation Committee, Women in Insurance Conference, Washington DC, USA – 20 Oct 2016
  • Malcolm, 2007 – Malcolm Allen – Social Engineering, A means to violate a computer system – SANS Institute 2007 – 2007
  • Michael, 2015 – Michael Alexander, Rick Wanner – Methods for Understanding and Reducing Social Engineering Attacks – GIAC (GCCC) Gold Certification – 30 April 2016
  • Mitnick, 2016 – Kevin D. Mitnick & William L. Simon – The Art of Deception, Controlling the human element of security – foreword by Steve Wozniak – 2016
  • nabie,2016 – Nabie Y. Conteh and nabie J. Schmick – Cybersecurity: risks, vulnerabilities and countermeasures to prevent social engineering attacks – Southern University USA , International Journal of Advanced Computer Research, Vol 6(23), ISSN: 2249-7277 – 10 Feb 2016
  • rob, 2015 – Rob Wainwright, Director of Europol – The Internet Organised Crime Threat Assessment (IOCTA) 2015 – The annual presentation of the cybercrime threat landscape by Europol’s European Cybercrime Centre (EC3) – ISBN: 978-92-95200-65-4, ISSN: 2363-1627 – DOI: 10.2813/03524 – 2015
  • Sectf, 2016 – The DEF CON 24 Social Engineering Capture the Flag Report – Social-Engineer, LLC USA – social-engineer.org – 11 Aug 2016

The global cyber security challenges – Literature Review

The global cyber security challenges

Writer: Andy Purdy (USA Cyber Security Officer)

Resources from: Huawei Whitepaper, Huawei Technologies

Date: June 2016

While there is still no simple answer or solution to the cyber security challenge, it is increasingly apparent that there are steps the global community, as well as individual organizations, can take to drive demonstrable progress in reducing cyber security risk, including collaborating to reach agreement on principles, laws, standards, best practices, norms of conduct and protocols, with the recognition that trust has to be earned and continuously validated.

The NIST Cybersecurity Framework is a tool that can help an organization understand its risk level and chart a path toward a more appropriate and sustainable risk environment and state of preparedness.

For an organization to move to a more appropriate, sustainable and transparent supply chain risk posture, three things are required:

  1. Understand what supply chain risk is
  2. Know how to address the risk
  3. Be motivated to act by internal or external drivers, and be held accountable if they fall short

We have made the most progress on risk awareness, that is, on what stakeholders need to worry about most.

Cyber security supply chain risk.

An important tool to help organizations address cyber security risk is the O-TTPS (Open Trusted Technology Provider Standard), which focuses on supply chain and third-party risk. O-TTPS V1.0, Mitigating Maliciously Tainted and Counterfeit Products, was recognized by ISO during the second half of 2015.

http://www2.opengroup.org/ogsys/catalog/C139

Efforts by the EastWest Institute (EWI) Global Cooperation in Cyberspace initiative drive collaboration among key cyber stakeholders to address some major, difficult cyber issues, focused on its breakthrough group co-led by Huawei, Microsoft and The Open Group. The aim is to promote the global availability and use of more secure ICT products and services by developing a framework for a risk-informed, fact-based, global level playing field for ICT products.

A critically important issue is how to motivate stakeholders who already appreciate the importance of supply chain risk, and know what they need to do about it, to take the necessary actions and be held accountable if they fail in this regard. The bottom line is that governments and major private organizations need to step up and drive more significant, better coordinated progress to address supply chain risk if we are to take full advantage of the benefits of ICT technology to make the world a better place for its citizens.

The white paper focuses on cyber security supply chain risk.

An organization should understand its overall cyber security risk and preparedness posture, which includes supply chain risk as one important component, and develop and implement a plan to address it. The NIST Cybersecurity Framework is important here: it is a tool that helps an organization understand its risk and chart a path toward a more appropriate and sustainable cyber risk environment and state of preparedness. The framework provides organizations with one piece of the puzzle with regard to addressing the risk they face. It is a standard-neutral tool for assessing their own cyber security risk and preparedness that gives them the ability to set a course toward a more appropriate security posture given their risk environment, with readily accessible references to standards and best practices, based on their unique circumstances.

There are activities taking place around the world that can contribute to the effort to address supply chain risk: SAFECode; Underwriters Laboratories; the ENISA report on European supply chain integrity; the EastWest Institute's cyber initiative; in the UK, CPNI and the Trustworthy Software Initiative; in China, cyber security and anti-terrorism legislation; in Japan, government efforts to implement a strategy on supply chain risk; and in the USA, initiatives in the energy, defense and financial sectors to address this issue.

The O-TTPS standard identifies and categorizes applicable technology industry secure engineering and supply chain integrity best practices whose systematic use can make a vendor's products worthy of being considered more secure and trustworthy by commercial or governmental enterprise customers. Accreditation is granted only after an independent third-party evaluator confirms it is warranted. O-TTPS can help meet the need of suppliers and buyers of ICT for greater clarity than they get from multiple standards about what they develop and how, and what they purchase and why.

Proactively managing cyber security in general, and global supply chain risk in particular, requires transparency and an even-handed, collaborative approach across our industry and between the public and private sectors.

In the 2014 white paper, Cyber Security Perspectives: 100 requirements when considering end-to-end cyber security with your technology vendors (December 2014), Huawei detailed its top 100 requirements list, which focuses on the security-related requirements that buyers of technology should consider asking of, or requiring from, technology vendors. In many countries, the number of legal and industry requirements relating to cyber security was increasing, and some governments and regulators were beginning to impose accountability and liability on national critical infrastructure providers and IT service providers for failures related to cyber security issues. Huawei optimistically anticipated that more companies would be required to detail both their approach to cyber security and the analysis and assessment they undertake to evaluate the risk from their technology vendors and service providers.

Success factors for an organization to address cyber security risks

Success factors are an important part of the journey to a more secure state for individual organizations. It is essential for every organization to recognize and put into place key mechanisms, informed by its own experience and that of other organizations and customized for its particular industry, organizational structure and culture, and risk environment, that can help it manage risk successfully. The key success factors for addressing organizational security risk are commitment, governance, clear security requirements, consistent processes, performance metrics for individuals, internal compliance and transparency.

Organizations should make a commitment at all levels to address cyber security and privacy risks, and systematically incorporate these risks into their risk management program as part of an over-arching strategy to inform, prioritize and address current and future risk challenges.

Clear internal governance roles and responsibilities

  • Active involvement of the leadership and senior management from across the organization
  • Top leadership continually monitoring the effectiveness of the management of the risk and the program implementation.
  • Senior leadership must own the risk management process and its results
  • The incorporation of cyber security risks into organizational risk management is vital, and includes the establishment of processes and mechanisms to create and implement mitigation plans, even for very unlikely occurrences.
  • Have performance metrics that align with the baseline requirements
  • Have consistent and replicable processes embedded into the regular business operations of the organization, continuously improved based on changing circumstances.
  • Internal compliance and verification program based on the separation-of-duties principle to enable independent assessment and continuous improvement.
  • Be open and transparent with customers and stakeholders regarding risk management progress, successes and failures. This transparency, coupled with individual and organizational accountability, makes it possible to dynamically address risk in a fluid risk environment.

The NIST Framework: a Tool for Assessing Organizational Cyber Security Risks

A prioritized, flexible, repeatable, performance-based and cost-effective approach using a voluntary, risk-based set of industry standards and best practices to help organizations manage cybersecurity risks.

  • The framework focuses on using business drivers to guide cyber security activities and considers cybersecurity risks as part of the organization's risk management processes.
  • The framework gives organizations one piece of the puzzle concerning the risk they face: a standard- and vendor-neutral tool to assess their own level of risk and preparedness that guides them toward a more appropriate security posture given their risk circumstances.
  • Helps organizations compare their risk management with that of suppliers and business partners.
  • A starting point to better understand and improve their risk posture
  • A risk analytic tool and a translation engine
  • Provides insight into what an organization needs to consider from a risk and preparedness perspective, and provides references to existing standards which organizations can use to inform risk evaluation and the path forward to meaningful risk mitigation and management.

Supply Chain Risk – Organizations need to understand it and address it

The risk that an adversary may sabotage, maliciously introduce unwanted function into, or subvert the design, integrity, manufacturing, production, distribution, installation, operation or maintenance of a covered system so as to surveil, deny, disrupt or degrade the function, use or operation of such system.

  • Threats: sabotage, tampering, counterfeiting, piracy, theft, destruction, disruption, exfiltration, infiltration, subversion, diversion, export control violations, corruption, social engineering, insider threat, pseudo-insider threat and foreign ownership
  • Examples of threats:
    • Installation of malicious logic on hardware or software
    • Installation of counterfeit hardware or software
    • Failure or disruption in the production or distribution of a critical product or service
    • Reliance upon a malicious or unqualified service-provider
    • Introduction of unintentional vulnerabilities in hardware or software

Tainted products are a main threat in the supply chain, and preventing them is a critical task.

  • Establishing and maintaining an effective traceability system for components and products is important to minimize the risk of tainted and counterfeit products entering the supply chain.

Organizations are beginning to understand the importance of supply chain risk

The supply chain for an ICT product typically consists of hundreds or even thousands of components from a similar number of companies, involving multiple processes and geographic locations.

  • At present, organizations are less likely to think about risk from suppliers and third-party providers, and more likely to think of risk from the perspective of a user or operator of a network or ICT system.
  • Huawei and Microsoft have long recognized the potential for hostile actors to insert malicious, unwanted and unauthorized functions or counterfeit elements or components into the global ICT supply chain, to be used later to disrupt or degrade technology systems or to facilitate surveillance.
  • This presents a challenge for governments and businesses; at a minimum it requires recognition that supply chain risk is a shared problem that necessitates cooperation among stakeholders to find solutions founded on standards and best practices, and to work to implement them.

Initiatives to address supply chain risks

SAFECode – The Software Assurance Forum for Excellence in Code (SAFECode) is a global, industry-led non-profit organization working to increase trust in ICT products and services by promoting the availability, awareness and use of more secure and reliable software, hardware and services.

  • SAFECode brings together subject matter experts with experience in managing complex global processes regarding software development, integrity controls and supply chain security.
  • SAFECode created a framework to help organizations select the most appropriate process-based assessment method for evaluating the development process of commercial technology providers when there is no applicable international standard.


8.2 Underwriters Laboratories

It is an independent global safety science company working to help safeguard people, products and places by providing comprehensive functional safety services.

  • It has a testing and certification scheme for products carrying the UL seal, indicating conformance with a specific set of requirements unique to that product.
  • Its Cybersecurity Assurance Program (CAP) is working on a program for testing, rating and certifying connected devices, with an initial focus on industrial control systems and medical devices.

8.3 ENISA

The report of the EU Agency for Network and Information Security (ENISA), "Supply Chain Integrity", gives an overview of ICT supply chain risks and challenges and a vision for the way forward, and recommends that supply chain participants follow good practices that provide a basis to understand and address ICT supply chain risk.

  • The report recommends that governments work with the private sector to develop international frameworks to facilitate comparative assessment of ICT supply chain risk management efforts.
  • The report recommends that the frameworks should be risk-based and grounded in good threat modelling; transparent, consistent, flexible and standards-based; and grounded in recognition of the reciprocity that characterizes international trade relations.
  • ENISA reports that although many countries, industries and agencies have concerns about supply chain risk, their efforts to address these have been fragmented and lacking in coordination, and that greater cooperation is necessary.
  • The report also identifies the need for a consistent view, practices and metrics that would result in an appropriately coordinated program, including in R&D; the need for independent evaluation and certification; a supply chain integrity framework, referenced above; and the need to consider legislative action.
  • ENISA recommends that ISO develop a framework to measure and evaluate supply chain integrity so that performance can be measured.
  • ISO recognized and released O-TTPS as a new standard shortly after the ENISA report, which indicates that supply chain integrity frameworks are a common need.

8.4 Chinese Government Initiatives

  • The first Chinese Counter-Terrorism Law (CTL) took effect on 1 January 2016. It outlines obligations for telecom and internet enterprises to cooperate with government authorities in investigating terrorist activities, and these obligations may have a significant impact on the operation of internet and tech firms in China.
  • Telecom and internet service providers are required to support and assist efforts by government and national security authorities engaged in the lawful conduct of terrorism prevention and investigation.
  • The CTL requires internet service providers to implement network security and information content monitoring systems, and to adopt technical security measures to prevent the dissemination of information containing terrorist or extremist content.
  • In July 2015, China issued a draft cyber security law covering a range of issues: cyber security certification and inspection for critical network equipment, requirements for specialized network security products, and security inspection of the procurement of network products and services by critical information infrastructure operators. It also requires the localization of personal data for critical information infrastructure operators.

8.5 UK Government approach to supply chain risk

  • In the UK, the Centre for the Protection of National Infrastructure (CPNI) has warned organizations of the national security threats that can come from the global ICT supply chain (terrorism, cyber-attacks and large-scale cyber-crime).
  • CPNI awareness efforts: organizations should incorporate supply chain risk into an existing risk management approach.
  • CPNI advises organizations to implement a risk mitigation plan that includes:
    • Comprehensive mapping of all tiers of the upstream and downstream supply chains to the level of individual contracts
    • Risk-scoring each contract to link into the organization's existing security risk assessment
    • Due diligence
    • Accreditation
    • Assurance of suppliers
    • Adoption, through contracts, of proportionate and appropriate measures to mitigate risk
    • Audit arrangements
    • Compliance monitoring
    • Contract exit arrangements
  • The UK Trustworthy Software Initiative (TSI) is supported and funded by the UK government's National Cyber Security Programme (NCSP), with a mission to help promote trustworthy software among the supply, demand and education communities through a risk-based, whole-lifecycle process.
  • TSI created a compendium of relevant standards and best practices and incorporated it into its Trustworthy Software Framework (TSF).
  • The framework has been formalized in a British Standards Institution publicly available specification, PAS 754:2014 "Software trustworthiness – Governance and management – Specification".
    • It includes technical, physical, cultural and behavioural measures alongside effective leadership and governance techniques to address five key facets of trustworthiness: safety, reliability, availability, resilience and security.