Integrating The Information Security Awareness in Critical Infrastructure Firms (css.escwa.org.lb/ICTD/3518/S4-2-ElHarras.pdf)

Date posted: 24-May-2018

EGYPT National Telecom Regulatory Authority

Integrating The Information Security Awareness in Critical Infrastructure Firms

Mohamed ElHarras, CIIP Strategies and Policies Executive Director

Agenda

The Connectivity Dissemination.

Current / Proposed Defense Models.

The Critical Infrastructure Information (CII).

The Importance of Awareness.

Case Study: Mobile Operators.

Q&A

National Telecom Regulatory Authority - EGYPT

The Dissolve of Political Borders

The Internet has made it possible to connect to (hence access, or attempt to access) any computing device on or off the net.

The Consequences

The threat of pervasive and ubiquitous computing, while tools of attack become more available, wrapped up for non-technical people.

The Current Defense Model

With that large number of connections, it will not be feasible (or possible) for effective defense to reach the individual citizen level.

Government responsibility: cyber warfare, cyber terrorism.

Private sector responsibility: industrial espionage, cyber crime.

As Per this Model

The cyber security staff is the focal point to handle:

Detection.

Reaction.

Correction.

Prevention.

The current model requires:

On-going increase in the number of specialized staff.

Associated increasing costs.

Does not cover all possible weak points.

Balancing the Model

Push the line of defense to non-specialized individuals.

Rely more on the human element to help detect basic threats / anomalies at an early stage.

The Individual is the First Line of Defense.

We need to build his capacity of self-defense.

Selecting the Points of Defense

Massive impact.

Quick win.

Fast deployment.

Minimum cost.

On-going.

The Critical Infrastructure Sectors

Affects large sectors of the society or the ability of the government to do its function.

Usually owned or operated by the private sector.

Each CI sector affects other sectors in a domino effect model.

The list of CI sectors includes: Government services, Financial services, Telecommunication, Energy, Transportation, Health services, etc.

Case Study: Mobile Telecoms

The Telecom Critical Information Infrastructure

Pervasive and ubiquitous information on:

Call details: social patterns and relations, etc.

Location details: movement patterns, spontaneous location check, etc.

Live call (on air).

Network architecture layout (BTS, BSC, MSC, etc.)

Network coverage plans.

Network security measures (on-air, core network, etc.)

Affects the majority of the society.

[Diagram: sectors depending on telecom: Telecom, Finance, Media, Emergency Service, Health, Energy / Transportation, etc.]

The Telecom in the Arab Countries

[Chart: Mobile penetration in the Middle East; series: Connections (m.), Population (m.), Unique subscribers (m.); y-axis 0 to 120. Source: GSMA Report, 2014]

How to Measure Awareness

Checklist auditing approach.

The questionnaire approach.

Interviews: sample staff.

Observation: staff / processes.

Focus group: representing business areas.

Case study (usually after incidents).

Common Corporate Perception of Security

Top management: "security is necessary but to the minimum required by law".

Employees: computer security is an obstacle to productivity. A common feeling is that "we are paid to produce, not to protect" or "Security is not on my objectives list".

Security Knowledge Matrix (Source: NIST 800)

              Awareness                              Training                                  Education
Level         Information                            Knowledge                                 Insight
Objective     Recognition                            Skill                                     Understanding
Channel       Media                                  Practical instruction                     Theoretical instruction
Example       Video, newsletter, poster, giveaways   Lectures, case study, hands-on practice   Seminars, essays
Test method   True/False, MCQ                        Problem solving                           Essay
Attribute     "What"                                 "How"                                     "Why"

Security Awareness Program Life Cycle

Measure: snapshot of current status.

Planning: timeframe, objectives, audience, depth, channels, cost, team / materials, KPIs.

Get commitment: top management, HR, CS, Sales, etc.

Execute: different channels; embed in objectives.

Measure: change in behavior; consider feedback; improve program.

Change in staff behavior is the best result we can get.

Message Delivery

Gathering points: firm restaurants; banners by access points (doors / elevator); stickers by electronic gates.

Internal communications: newsletter; company briefing meetings; monthly message from the CEO.

Interaction with company systems: screen savers; screen wallpapers; logon message; daily tips; quick quiz; computer-based training.

Background Work

Human Resources: Incorporate security awareness in job responsibilities when applicable. Proportionately add security awareness to the employee appraisal system. Prepare the rewarding system for program heroes. Review materials for message correctness and balance.

Legal / Regulatory: Add relevant laws / regulations to the awareness program. Highlight law penalties in case of violations. Add other related issues (e.g. fraud, corruption, etc.). Give examples from the legal arena.

Common Pitfalls

Not fitting the environment.

Inadequate planning.

Not addressing applicable legal / regulatory requirements.

No motivation for staff.

Budget mismanagement or inadequate budget.

No leadership support.

Information overload.

Not sharing experience.

Not evaluating the effectiveness of training.

The Impact of Social Engineering

Psychological manipulation of people into taking an action / divulging confidential information.

Most common in people-facing functions (e.g. customer care agents, technical support, marketing).

Best techniques: The familiar customer (normal to be there, so the CC agent lowers self-defense). The angry customer (angry at someone else rather than the target CC agent). The knowledgeable customer (a customer equipped with the necessary information about the company).

How to fight? Training: listen to customer calls, give examples. Prepare scripts to handle social engineering situations. Stick to the process. Train for non-verbal communications.

Data Leak - Crafted Attacks

Exploits zero-day / undocumented vulnerabilities.

Involves highly-skilled preparation and know-how.

Aims at getting the information giving "commercial advantage" to the company.

Targets individual functions, typically the 'C' level, the R&D and the Marketing departments.

How to fight? Awareness program for the company executives. Proportionate technical measures (e.g. encrypt data, secure email, stringent email rules, etc.). Internal / external stakeholder involvement.

Channels of Communications

[Image slide. Source: multiple internet sites]

Model Benefits

Strategic: Massive capacity builder. Awareness is a take-home skill.

Organizational: Lower cost per individual compared to building a large specialized technical force. Filters false positives. Off-loads specialized staff to more serious threats.

Individual: Early detection of some threats.

Key References

2013 US State of Cybercrime Survey.

PwC, "The Global State of Information Security Survey 2014".

Homeland Security, Cyber Security Publications: http://www.dhs.gov/cybersecurity-publications

Homeland Security, Critical Infrastructure Security: http://www.dhs.gov/topic/critical-infrastructure-security

ENISA (The European Union Agency for Network and Information Security), publications.

GSMA, "The Mobile Economy 2014 Report, The Arab States", https://gsmaintelligence.com/research/

The International Society of Security Awareness Professionals: http://www.iasapgroup.org/

Rebecca Herold, "Managing an Information Security and Privacy Awareness and Training Program", CRC, 2011.

Q & A