Tag Archives: CTO

CTO Cybersecurity Forum, Yaoundé Edition, Write Up Part 2: Critical Information Infrastructure Protection Workshop

Following the first part of our write-up on the 3rd CTO Cybersecurity Forum (which is reachable here), this part covers the afternoon of Thursday, April 25. There were two tracks to choose from, and we chose to take part in the workshop on Critical Information Infrastructure Protection (CIIP) led by David POLLINGTON from Microsoft Security, in partnership with FIRST (Forum for Incident Response and Security Teams).

From the outset, the session leader stressed that, although he works for Microsoft, the workshop would not be used to sell any of the firm's products, but rather to share the state of the art and best practices for CIIP, and what is being done at Microsoft to get there.

The workshop was divided into two parts:

  • Critical Infrastructure Protection: Concept and Continuum: on the definition and contours of the Critical Infrastructure (CI) concept.
  • A Framework for Critical Information Infrastructure Risk Management, which offered us a set of processes dedicated to the identification and management of risks in our CIIs (Critical Information Infrastructures).

For this purpose, two books were given to us, each focusing on a part of the workshop.

When speaking about CIIP, we should first be able to differentiate what is critical from what isn't. The notion of criticality varies from one state to another; there is no fixed pattern for it. However, some sectors appear in several Critical Infrastructure models/catalogs, for example Energy, Finance, Water, Transport, Food, Public Safety, … The following figure shows an overview of the sectors considered critical in some countries.

[Figure: CII sectors by country]

Nowadays, with almost all systems automated and interconnected, our infrastructures, critical or not, depend more and more on IT. However, CIIP is not only about protection against threats for which IT is the vector, such as cyber attacks, but against all types of factors that undermine our infrastructures, whatever their origin, for example terrorist attacks, natural disasters, wars, and many other kinds of chaotic situations.

Critical Infrastructure Protection is intimately linked to four key points to be implemented:

  • Trustworthy Policies and Plans

To be trustworthy, these policies and plans need to meet the following three criteria: build and reinforce strong cooperative partnerships among stakeholders; be adaptable and scalable, responding to ongoing changes in threat profiles; and contain milestones and metrics that track the progress of a Critical Infrastructure Protection program.

  • Resilient Operations

Resilience in this case is the ability to anticipate or protect against significant risks and attacks, and to minimize the duration and impact of any incident suffered. Critical Infrastructure Resilience makes it possible not only to protect against potential risks, but also, and especially, to manage the return to normal as quickly as possible. This cannot be done without regular exercises to test incident response capabilities, and it involves governments, vendors and enterprises working together to appropriately assess, mitigate and recover from attacks.

  • Investment in Innovation

CIP must be constantly aware of the latest sophisticated threats. Because of that, people, processes and technology must all be considered when defining CIP practices, programs, education/training, and Research and Development.

  • Trusted Collaboration and Information Sharing

The first three points mentioned above are put together thanks to good collaboration and information sharing among the different stakeholders and partners.

The figure below shows the breakdown of the four key points listed above and their subsets:

[Figure: CIP Continuum]

Following these strategic axes for Critical Infrastructure Protection (CIP), Microsoft has established a framework for comprehensive management of the risk associated with these assets. This framework is divided into five consecutive steps, defined as follows:

1.  Determine Risk Management scope

This phase will determine the appropriate well as the objectives and activities for the risk management scope. It is carried out in three consecutive steps:
– Reach stakeholder consensus on a statement of mission and vision, i.e. determine what should be protected and why.
– State the specific security and resiliency goals, objectives and assurances
– Identify essential services

2.  Identify Critical Information Infrastructures functions

[Figure: Relation between CII and cybersecurity]

Determining the Critical Information Infrastructure functions is the second stage of the CII Risk Management plan. It requires the stakeholders to have an open debate on the criticality of assets and to define together which information infrastructure elements, critical functions and key resources are necessary to deliver vital government services, to support the economy, and to ensure public safety.

3.  Analyze Critical Function Value Chain and Interdependencies

Services, processes and core functions are not partitioned entities, but are rather composed of several closely related sub-components that jointly enable an end objective. Understanding the complexity and interdependencies of the value chain is not only useful for analyzing threats, vulnerabilities and consequences; more importantly, it identifies the stakeholders and strategic suppliers involved in the value chains. As an example, the figure below shows an overview of what this step can bring:

[Figure: CII value chain]

4.  Assess Critical Function Risk

This step focuses specifically on the threats to and vulnerabilities of critical functions. In terms of CII, risk is a function of threat, vulnerability and consequence. This results in the equation:

Risk = ƒ(Threat, Vulnerability, Consequence)

In this equation:
– Threat refers to any natural or human factor.
– Vulnerability means a weakness or failure which can be exploited by a threat.
– Consequence, also called « Impact », refers to the costs, losses or results from the successful exploitation of a vulnerability by a threat.

5.  Prioritize and Treat Critical Function risk

Prioritizing and dealing with the continual, ongoing risks to the critical functions of our infrastructures leads to four possibilities:
– Risk Mitigation: mitigating the impact/effect of the risk
– Risk Prevention
– Risk Transfer (in the case of insurance, for example)
– Risk Acceptance/Retention, which means accepting the probability and impact of a particular risk.

At the end, the trainer noted that CII Risk Management is not a static state, but a continuous process led by a culture of ongoing risk management activity throughout each phase of the CIP Continuum. It is on this note that this very informative workshop on Critical Information Infrastructure Protection ended.

After this, we would like to know: how many African countries have already set up this type of Critical Information Infrastructure Risk Management process? Moreover, how many of them have completed even the first step of this framework? What about Cameroon, are we aware of this? Much work needs to be done, but it's not too late!

Sources:

1- Microsoft Trustworthy Computing: Critical Infrastructure Protection: Concepts and Continuum, Global Security Strategy and Diplomacy

2- Microsoft Trustworthy Computing: A Framework for Critical Information Infrastructure Risk Management, Global Security Strategy and Diplomacy

 



CTO Cybersecurity Forum, Yaoundé Edition, Write Up Part 1

Over the last few days, the 3rd Cybersecurity Forum organized by the Commonwealth Telecommunications Organisation (CTO) was held at the Palais des Congrès in Yaoundé. We had the opportunity to take part in this event thanks to the organizing committee of the CTO event, which kindly granted a free entry pass to « Cameroon Cyber Security (2CS) », a non-governmental organization working in the areas of cybersecurity and public awareness in Cameroon. For information, note that access to the various workshops was paid, on the order of 130,000 FCFA and more per person, depending on the member's affiliation. We hereby wish to thank the organizing committee of the CTO Cybersecurity Forum for their encouragement of our local initiative.

[Image: CTO Cybersecurity Forum 2013]

The venue did not have an Internet connection, which is quite curious, especially since the Internet was in the spotlight as the subject; it was therefore impossible to live-tweet the event in its entirety. However, you can find some of the tweets made during the various workshops via the hashtag #CTOSecure on Twitter.

As a prelude to the main conference, a workshop on the protection of children online was held from Monday 22 to Wednesday, April 24. Having arrived at the conference site on Wednesday 24, we did not have the opportunity to take part in this workshop. However, the presentations made during that session are available online on the CTO website [1]; they cover the measures taken by Commonwealth countries for the protection of children in online services, and experience sharing on the implementation of these programs, with practical cases for the Gambia, Nigeria, Mauritius, Ghana, Sierra Leone and Cameroon.

Thursday 25 marked the beginning of the Forum itself, with opening and welcome messages from senior representatives of the various organisations involved in the event (ITU, Government of Cameroon, ART, …). This opening sequence was followed by various keynotes led by several high-profile experts in their fields, each in a 15-minute « Fastrack » mode.

During these keynotes, we first heard a speech by Professor Tim UNWIN, Secretary General of the CTO, under the theme: « Cybersecurity in the Commonwealth: Setting the stage ». Its aim was to draw the attention of the public, and in turn of the Commonwealth member states, to the need for and importance of implementing an operational and efficient cybersecurity program, by reminding everyone that cybersecurity is not just about our computers, but extends to all ICT devices (smartphones, tablets, mobile devices, home automation, …).

Following this very rewarding keynote, it was the turn of Jamie Sanders to talk on the theme: « Cybergovernance and Growth », where it was clear that the mastery of cyberspace is closely linked to the growth of a nation.

David POLLINGTON, in his presentation « Critical Information Infrastructure Protection: Implications for developing countries », talked about the problems and opportunities relating to Critical Information Infrastructure Protection (CIIP) at the state level for developing countries. Indeed, most of these countries have become expansion platforms and pivots for cybercriminals, putting at risk the integrity of their CIIs (Critical Information Infrastructures). This presentation was taken further at the workshop on CIIP, also led by David Pollington in partnership with FIRST (Forum for Incident Response and Security Teams).

The presentations of Alex SERGER on « Cybercrime: The Cost of Crime-The Benefits of Cooperation » and Mario MANIEWICZ on « Internet governance: Towards a Global Approach on Cybersecurity » brought to the fore a major aspect of the fight against cybercrime: information sharing. It is therefore crucial for the various stakeholders, national, international and non-governmental alike, to set up processes for sharing intelligence on the threats and attacks present on each of their networks, in order to generate a climate of cyber overall prevalence. Indeed, cybersecurity is a process involving several links in a chain; without a global vision and comprehensive measures, cybercriminals can always slip between the cracks, exploiting these differences in processes and laws to their advantage. These talks also discussed the Budapest Convention and its ratification by many countries. The main idea here was « Cooperation and Sharing ».

We cannot go on without mentioning the presentation of Pierre DANDJINOU from AfricaCERT under the theme: « Promoting Cyber security in Africa », in which he presented the evolution of this joint initiative from its genesis to its past, current and future accomplishments. This is a very promising program through which the cybersecurity ecosystem in Africa has been lifted on several fronts (creation of national CERTs/CIRTs, workshops and training on incident detection and security management held annually, sessions for sharing good practices between our local CERTs and international organizations such as Team Cymru, JCERT, FIRST …, a cybersecurity bill submitted to the African Union, …).

The first part of the day ended with these keynotes. The second part will be the subject of our next publication and will focus on the workshop entitled « A Practical Approach to Critical Information Infrastructure Protection ».

 

Sources:

[1] CTO Cybersecurity Forum Presentations Repository:

[2] AfricaCERT Website