Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security measures deployed by e-communication providers

Published byOscar Merritt Modified over 6 years ago

Similar presentations

Presentation on theme: "Security measures deployed by e-communication providers"— Presentation transcript:

1 Security measures deployed by e-communication providers
21st Article13a EG meeting | Lisbon | 8 March 2017

2 Objectives Identify the implemented security measures and approaches of e-communication providers to mitigate the main types of incidents; Align the findings with earlier ENISA work in this area; Issue recommendations and good practices.

3 Methodology Online survey Interviews concise in form
48 providers (mostly EU Member States) participated Interviews several interviews to elaborate on the survey results Presentation Title | Speaker Name ( To edit click Insert/ Header & footer)

4 Structure of the report
Aligned with earlier ENISA work in this area Technical Guideline on Security Measures Security domain Security objectives (measures) Governance and risk management Information security policy Governance and risk management Security roles and responsibilities Security of third party access Security of systems and facilities Physical and environmental security Security of supplies Access control to network and information systems Integrity of network and information systems Operation management Operational procedures Change management Asset management Incident management Incident management procedures Incident detection capability Incident reporting and communication Business continuity management Service continuity strategy and plans Disaster recovery capabilities Monitoring, auditing and testing Monitoring and logging policies Exercise contingency plans Network and information systems testing Security assessments Compliance monitoring Security domain Human resources security was left out of the survey. Measures against DDoS attacks, for SS7 protocol were included as well as security standards used.

5 Main findings and conclusions
60% of providers report a very good level of compliance with ENISA security recommendations. Almost all providers have deployed a good level of basic security controls. Security of systems and facilities is an example of a security domain with a relatively high maturity of measures adopted. For other domains there is an ample room for improvement, in particular operational documentation is lower than desired. The achievement of higher maturity level is impeded by lack of sustainability mechanisms, i.e. repeatable processes and the regularly maintained documentation.

6 Governance and risk management
Satisfactory maturity level High level information security policy in 63% of cases

7 Governance and risk management
Only 56% providers employ risk management methodology. 60% have security requirements included in contracts with third parties. Also 60% differentiate between incidents caused internally and by third parties.

8 Security of systems and facilities
High level of implementation of soft- and hardware based tokens for multi-factor authentication

9 Security of systems and facilities
Offset by only a basic set of integrity controls (firewall level)

10 Security of systems and facilities
81% providers have measures (door locks, alarms, fire extinguishers etc.) in place to prevent unauthorized access. A solid 63% carry out a regular review of the physical security policies. The basic level of access control is implemented by vast majority of providers (in 92% cases users have unique IDs). Cross checks on access control mechanisms is performed by 48% providers.

11 Operations management
81% of providers follow predefined procedures for change management and 90% have the responsibilities assigned. Much lower number of providers have documented policies for these areas.

12 Incident management Well developed detection capabilities followed by incidents being assigned to appropriate personnel for resolution. Review and update of procedures lag behind.

13 Incident management On the positive side 27% use automated response based on detected deviation from normal behavior and 35% have user behavior monitoring. 52 % run in-house SOC, only 56% having SIEM systems deployed. Process-based incident detection is reported by only 23% of providers.

14 Business continuity management
High maturity domain with 40% providers having state-of-art disaster recovery capabilities. A significant number (85%) indicate availability of remote backups and geographically dispersed fail over sites.

15 Monitoring, auditing and testing
Another high maturity domain with a majority (90%) monitoring and testing critical system and networks. 60% have policies in place for both monitoring and testing. Main room for improvement is security scan that lags behind pre-deployment tests while it should be an integral part of testing procedure.

16 Security standards, frameworks and guidelines

17 Measures against DDoS attacks
Almost 50% of providers use configurations as well as close monitoring. 38% use specialized hardware (e.g. Arbor Networks) and 4% rely on upstream providers for DDoS mitigation. ENISA Annual Incident Report for 2015: The incidents caused by malicious actions (e.g. DDoS), although there were not many of them, had most impact in terms of duration, which lasted on average almost two days per incident.

18 Measures for SS7 protocol
High diversity of security measures implemented. About 35% deployed SS7 firewalls, less than 8 % rely on access controls to prevent unauthorized access to SS7 network. The other approaches range from monitoring, SS7 intrusion and fraud detection systems to administrative/procedural controls.

19 Domain evaluation SECURITY DOMAIN MATURITY LEVEL
Governance and risk management Satisfactory Security of systems and facilities High Operation management Incident management Business continuity management

20 Recommendations (I) Security domain Specific recommendations Governance and risk management Improve governance by utilizing policy templates provided as references to develop necessary company-wide topics for all aspects of security. The starting point for proper risk management could be ISO standard to turn risk management from ad-hoc human- driven activity into the properly managed business process. Select and adopt ISO or any other risk management framework that allows to build the processes to regularly and systematically address risks registered in the lists of risks. Security of systems and facilities Improve integrity controls by a wider adoption of file and file system-level integrity controls. Pay a particular attention to automated restore of desired configuration for critical systems and to integrity control of binary and configuration files deployed on them.

21 Recommendations (II) Security domain Specific recommendations Operations management Adopt Service Management framework (e.g. ITIL) in particular where it describes change management. Keep in mind that change management process is tightly connected to both problem and incident management. Document de-facto processes, nominate process owners with assigned responsibility for periodic review and update of operation management documentation. Incident management Adopt Service Management framework (e.g. ITIL) in particular where incident response procedure is connected to root-cause analysis activities and subsequent incident management process. Analyze de-facto as well as documented processes for the possibility of introducing high-level incident detection controls, define incident response trigger points at process level. Assign process-based incident detection controls review to the process owner.

22 Recommendations (III)
Security domain Specific recommendations Business continuity management Introduce regular testing and update of policies and procedures as part of semi-annual business continuity testing. Monitoring, auditing and testing Make security testing part of a pre-deployment testing procedure. Connect pre-deployment security testing with integrity controls, introduce integrity monitoring of the systems and networks. Reduce manual log analysis efforts by employing automated log review capabilities and integrate this capability with SIEM systems. Pay a particular attention to the effectiveness of automated capabilities (scanning and log review) to ensure the capability is aligned with current business requirements as it is capable to address the ever changing threat landscape.

23 Thank you

Download ppt "Security measures deployed by e-communication providers"

Similar presentations

Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.

© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google