Cyber Crime: Evolving Risks for Supply Chain Data Security Iain McNab Supply Chain Symposium July 28, Shangri La Hotel
Agenda • Information Systems Security • Cyber crime and its categories • Exploring supply chain vulnerabilities • Actors in the supply chain • Day in the life dataflow • Warnings and vulnerabilities • Common prevention practices
Information Systems Security • Market demand and supply • Sheridan, FAST and ISS • Programs • ISS • Capstone • Applied Research • Co-op
Market Demand and Supply • The explosion of Internet traffic has created enormous demand for information systems security professionals • Sheridan's Bachelor of Applied Information Sciences (BAISc) program is a one-of-a-kind Information Systems Security degree program with a stellar reputation among employers: • It has very restricted enrollment • We have a 100% placement rate • Grads usually have offers 12-18 months before they graduate • They have, by far, the highest starting salary range of any program in the school BACHELOR OF APPLIED INFORMATION SCIENCES (INFORMATION SYSTEMS SECURITY)
Applied Research at Sheridan As innovation becomes an increasingly important driver of our economy, the Office of Undergraduate Research at Sheridan is focused on creating unique opportunities for our students to work directly with our partners to address real-world challenges that strengthen our society and develop the leaders of tomorrow. Our mission: to help grow fruitful, mutually rewarding connections between our students, faculty, and industry/community partners by providing experiential learning opportunities through solutions-based research projects. As we transition to a distinct undergraduate teaching university, research will play an increasingly important role for our professors, administrators, and students. Our vision: Sheridan's undergraduate research and creative activities will be fully integrated within curriculum, strengthening the undergraduate professional education our students receive
Cyber Crime and its Categories • Cyber Terrorism • Simple-unstructured, advanced-structured, complex-coordinated • Particularly worrying is "electronic jihad" targeting SCADA (Supervisory Control and Data Acquisition) industrial control systems such as the power grid, water treatment, oil refineries, electrical power transmission, dams, gas pipelines etc. • Advanced Persistent Threat • Closely resembles espionage; the goal is to steal IP • State-funded actors: Russia, China, Israel, Iran, India etc. • Actors are successful in harvesting enormous amounts of critical information including proprietary data, source code, negotiation tactics, strategic and operational plans • USA now loses $400B of IP annually – labelled the greatest transfer of wealth in history by the FBI • Organized Cyber Crime • Cybercriminals operating in this form are providing increasingly professional services and are monetizing stolen data and access to compromised networks • Locate business partners and plan criminal conspiracies • including theft, drug and human trafficking, extortion etc. • Hacktivism: unauthorized access to a computer system to pursue political & social goals • Advance a political purpose, e.g. WikiLeaks • Bypass censorship, geo-bombing, anonymous blogging
Is only retail vulnerable? • The headlines are shifting: • From: Retail-specific hacking • To: General Cyber Security awareness • Quote from Wal Mart Exec at recent retail conference: "Our SKU level data is extremely valuable. We would never want to share this with anyone"
Our position • The supply chain is vulnerable to Cyber Crime • Supply chain and logistics involve a broad range of diverse actors who are geographically dispersed and are entrusted with handling of large volumes of sensitive client data • Heightened awareness and sensible precautions are in order
Communication methods in SCM • AS2 • AS2 (Applicability Statement 2) is a specification for transporting data securely and reliably over the Internet. Security is achieved by using digital certificates and encryption. • FTP • The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files from one host to another over a TCP-based network, such as the Internet. It is UNENCRYPTED. SFTP is used for secure transmission • Web • HTTP The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. It is UNENCRYPTED. HTTPS is used for encrypted web traffic • Email • Email is unsecured. After 180 days in the U.S., email messages stored on a server lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. After this time has passed, a government agency needs only a subpoena, instead of a warrant, in order to access email from a provider.[1] Other countries may even lack this basic protection, and Google's databases are distributed all over the world.[3]
Typical Canadian Supply Chain Actors and Data
DATA • Purchase Order • BOM • Insurance • ASN • Export Declaration • RNS release notification • CFS • Booking • Steamship • Rail • Container • Dispatch • Status reports • Commercial Documentation • Goods receipt
ACTORS • Agent • Vendor • Buyer • Customs Official • Exporter • Bank • Forwarder • Customs Broker • Government Agencies • Rail • Port Authority • Trucker • Warehouse • Consular Services
Insert K+N Data flow in SC • Need this in source form and need to narrate and animate it
Considerations • Long-term storage of data? • Back-up and recovery processes? • Paper copies? • Online brokering?
Prevention • Predict (proactive exposure analysis, predict attacks, baseline the system) • Prevent (harden + isolate the system, divert attackers, prevent incidents) • Detect Incidents (confirm, prioritize, contain) • Respond • Authenticate users • Encrypt data in use or in transit • Tokenize data at rest
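The last bullet, tokenizing data at rest, is the control that most directly limits what a breached warehouse, trucker or status-report system can leak. As an added example (not from the presentation), here is a minimal tokenization vault in Python that replaces sensitive fields of a supply-chain record with random surrogate tokens before storage and returns originals only to roles on an allow-list; the field names and the role list are assumptions for illustration.

```python
import secrets
from typing import Dict

# Assumed: which fields of a supply-chain record are sensitive at rest and
# which actor roles may see the originals (constructed, not from the deck).
SENSITIVE_FIELDS = ("buyer_account", "sku_pricing", "consignee_address")
AUTHORIZED_ROLES = {"buyer", "customs_broker"}


class TokenVault:
    """Holds the only copy of originals; downstream stores keep just tokens."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so records can still be joined on the
        # token. Caveat: that consistency also reveals when two records share
        # a value; issue one-off tokens if that is a concern.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._token_to_value:  # vanishingly rare collision
            token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Access to originals is the authorization boundary, not the store.
        if role not in AUTHORIZED_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_value[token]


def tokenize_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Return a copy of the record that is safe to store at rest."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def detokenize_record(record: Dict[str, str], vault: TokenVault,
                      role: str) -> Dict[str, str]:
    """Restore originals for an authorized role; PermissionError otherwise."""
    return {k: vault.detokenize(v, role) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}
```

Non-sensitive fields such as the PO number and carrier pass through unchanged, so status reports and joins keep working without the originals ever leaving the vault.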