Final report Detecting an

Responding to Cyber
security incidents Web-
version
Class:
Group:
◄ Member 1
◄ Member 2
◄ Member 3
◄ Member 4
◄ Member 5
Lecturer: Đoàn Thị Ngọc Trai
BACKGROUND
Deliver services
The NSW Government Organize and store information
relies on digital
Manage business processes
technology
Control critical infrastructure

The theft of information

Global The risk of cyber Denial of access to critical

interconnectivity security incidents technology
The hijacking of systems for
profit or malicious intent.
BACKGROUND
Importance of systems
The attack on the NSW Government
Australian Census Processes for detecting
agencies
highlight
Manage business processes

DEFINITION
a past or ongoing intrusion, disruption, or other event that impairs
A cyber security the confidentiality, integrity, or availability of electronic information,
incident information systems, services, or networks.
NIST Cyber Security Framework

Focus auditing two functions

of Detection and Response.
CONCLUSION

There is no whole-of-government capability to detect and respond

effectively to cyber security incidents

There is limited sharing of information on incidents amongst

agencies, and some of the agencies we reviewed have poor
detection and response

There is a risk that incidents will go undetected longer than they

should, and opportunities to contain and restrict the damage may
be lost.
CONCLUSION

The NSW public sector’s ability to detect and respond to incidents needs
to improve significantly and quickly.

DFSI has started to address this by appointing a Government Chief

Information Security Officer (GCISO) to improve cyber security capability
across the public sector.
AUDIT
OBJECTIVE
AUDIT QUESTIONS
 AUDIT QUESTIONS
Are cyber incidents in these agencies
1 detected effectively?

Did these agencies have processes to monitor

1.1 cyber incidents?

Are appropriate mechanisms in place for agencies

1.2 to report cyber incidents, including clear guidance
on whom to report for?
 AUDIT QUESTIONS
Did these agencies respond to
2 cyber incidents effectively?

Did agencies have comprehensive procedures

2.1 in place for responding to cyber incidents
and test their own procedures appropriately?

2.2 Did their staff receive training in incident?

2.3 Are the requirements and responsibilities clear?

 AUDIT QUESTIONS
Did DFSI provide timely and quality advice
3 on cyber incidents and remedial action?

Did DFSI have a clear mandate for reporting

3.1 detected cyber incidents to support agencies?

Were these agencies provided with

3.2 advice on remedial action?
 AUDIT
APPROACH
BASED ON CONTROL SYSTEM

This is because the result of this audit cannot be

measured directly. It just can be assessed
through agencies’ control systems
 AUDIT
SCOPE
- Monitoring and detection of cyber incidents.
WHAT - Reporting and responding to cyber incidents.
- The communication of advice on remedial action.

Ten case study agencies that should have a strong

WHO detection and response capability & DFSI

WHEN 2015 - 2017

WHERE NEW SOUTH WALES

 AUDIT
criteria
ISO 27001
It contains a range of requirements including the need
to ensure that detection, prevention and recovery
controls be implemented to contain a security incident
.
 AUDIT PROCEDURES
Interviewing relevant staff involved in detecting, reporting and sharing
1 information about cyber security incidents in the agencies

2 Examining:

Procedures and processes for detecting and responding to cyber security

incidents

Information on cyber incidents reported since July 2016

Procedures for gathering and sharing counter-intelligence information

including communications with other government agencies, NGOs and the
private sector
 Two case study agencies have good detection and response processes.
Four have a low capability and four have a medium capability to dete
ction and response

Agency cyber security incident detection

Most use an automated tool for detecting and alerting IT

administrators
FINDING 1:
Agency incident Some agencies do not use such a tool and only monitor
logs periodically or on an ad hoc basis
detection and response
approaches range from
Agency cyber security incident response
good to poor
Most have incident response procedures, but lack guidance
on who to notify and when and evaluation of their procedures

Some agencies do not have response procedures at all

 Most agencies indicated that key staff had been trained in
incident procedures

Only one agency was able to provide any training records to

support these claims.
FINDING 2:
Training is limited and
Few agencies undertake regular training or keep their staff up
role requirements and
-to-date on awareness of avoiding fraudulent website or email
responsibilities in
agencies are unclear

Agencies could provide little documentation on the role requi

rements and responsibilities of their staff to support an effecti
ve detection and response capability
 RECOMMENDATIONS
DFSI should assist agencies by providing:

◄ Better practice guidelines for incident detection, response and reporting

to help agencies develop their own practices and procedures.

◄ Training and awareness programs, including tailored programs for a range

of audiences such as cyber professionals, finance staff, and audit and risk
committees.
◄ Role requirements and responsibilities for cyber security across government
, relevant to size and complexity of each agency.

◄ A support model for agencies that have limited detection and response
capabilities
 DFSI does not give agencies a clear mandate to enforce
the policy which sets out requirements for public service
agencies regarding detection and response

DFSI has not allocated resources to gather or process

incoming threat intelligence and communicate it across
government
FINDING 3:
DFSI does not have a It cannot ensure agencies report incidents to it to share
clear mandate or Information effectively across the public sector and inform
capability to ensure whole-of-government responses
effective detection and
response across the
NSW public sector There are currently no requirements for DFSI to respond
to incidents impacting multiple agencies and no guidance
on what it is meant to do if such an incident is reported
 RECOMMENDATIONS
DFSI should:

◄ Develop whole-of-government procedure, protocol and supporting systems

to effectively share reported threats and respond to cyber security incidents
impacting multiple agencies, including follow-up and communicating lessons
learnt.
◄ Develop a means by which agencies can report incidents in a more effective
manner, such as a secure online template, that allows for early warnings and
standardized details of incidents and remedial advice.

◄ Enhance NSW public sector threat intelligence gathering and sharing

including formal links with Australian Government security agencies, other states
and the private Sector.
VIETNAMESE AIRPORTS
HACKINGS
Cyber security scandal in Vietnam
VIETNAMESE AIRPORTS HACKINGS

TAN SON NHAT

International Airport
13h46m
Date
29/07/2016

NOI BAI
International Airport
16h7m
Incidents
Flight information screens were
made attack
For these airports
Speaker system was took control.

For Vietnam Airlines

The page of the Vietnam Airlines’s official website was replaced

by the same picture that appeared on the airport’s screens.

The airlines’s customer database was stolen and made public on

the internet, affect over 400.000 passengers.
THANK YOU FOR
YOUR WATCHING