Practical tips for inclusive design in your prototypes and demos by Clare Warburton

Automatic Summary

How to Effectively Combat Cybercrimes Proactively

Hello, tech enthusiasts, organizations, and IT security experts. Today, we will be discussing a topic that affects everyone in today's increasingly tech-focused world. The focus will be on the subject of proactively combating cybercrimes. I am Chinna Suzu, managing cybersecurity consultant at Roste Cybercrime Solutions Limited and this is a quintessential guide to securing your digital landscape.

Understanding Cybercrimes in the Digital Age

With the advent of the new normal that breeds a paradigm shift in how we live and do things, comes an undeniable reality of increased cybernetic connections. Even as the digital world offers a wealth of benefits, it also attracts the unwelcome attention of cybercriminals, leading to a paradigm shift of a negative nature – cybercrimes.

Global losses to spear phishing attacks and cybercrimes have multiplied at an alarming rate. Whether it's rogue attacks, ransom attacks, or web application breaches, the new normal has evolved to include these unwelcome elements. Organizations report cybercrime incidents daily, which strengthens the need for proactive action against these threats.

Proactive Approach in Combating Cybercrimes

So, how do we combat cybercrimes in a proactive manner, rather than a reactive one? This involves a number of essential steps:

  • Identifying your information assets: Understanding your assets, categorizing data sets into groups or zones, and tracing each information asset to its authoritative source.
  • Classifying and ascertaining the value of the information assets: Each asset should be valued based on how much it impacts the organization's bottom line, factoring in business impact analysis.
  • Understanding the concept of multi-layered security: This involves the confidentiality, integrity, and availability – the CIA triad – of assets, the three control types, and the seven measures of control.
  • Maintaining good security hygiene: This implies the ability to remain persistent and resilient in the face of attacks.

To effectively and proactively secure necessary information assets and successfully combat cybercrimes, understanding these steps remains pivotal. This also includes understanding how to provide timely security control measures and remaining resilient at all times.

Remaining Resilient in the Face of Cyberattacks

Using the concept of an umbrella and a keylock, we can learn to remain resilient. Like an umbrella that doesn't droop in the rain or the snow, a resilient defense doesn't break under the assault of a cyberattack. And like a key lock, accessing our important information should require specific keys, not easily copied or stolen.

The Importance of Risk Analysis

Risk analysis plays a vital role here. Evaluating vulnerable areas and understanding potential threats can help you formulate appropriate risk treatment plans, ensuring that the cost of control isn't more than the value of the asset you're protecting.
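
The steps above can be expressed as a small asset-register check. This is an added example, not material from the talk: it classifies each asset by its business-impact value, lists the control type and measure combinations that have no control, and flags assets whose controls cost more than the asset is worth. The value thresholds, the measures required per classification level, and the sample inventory are assumptions made up for the illustration.

```python
from dataclasses import dataclass, field

# Vocabulary taken from the talk: three control types, seven control measures.
CONTROL_TYPES = ("administrative", "technical", "physical")
MEASURES = ("preventive", "detective", "deterrent", "corrective",
            "compensating", "recovery", "directive")

# Assumption (not from the talk): value thresholds and the measures each
# classification level must have in every control type.
TIERS = [(100_000, "critical", ("preventive", "detective", "recovery")),
         (10_000, "important", ("preventive", "detective")),
         (0, "minimal", ("preventive",))]

@dataclass
class Control:
    name: str
    ctype: str
    measure: str
    annual_cost: float

    def __post_init__(self):
        if self.ctype not in CONTROL_TYPES or self.measure not in MEASURES:
            raise ValueError(f"unknown control type/measure: {self.name}")

@dataclass
class Asset:
    name: str
    source: str      # authoritative source the asset is traced to
    value: float     # value from business impact analysis
    controls: list = field(default_factory=list)

def classify(asset):
    """Return (level, required measures) for the first tier the value reaches."""
    for floor, level, required in TIERS:
        if asset.value >= floor:
            return level, required
    raise ValueError("asset value must not be negative")

def review(asset):
    """Report missing (type, measure) pairs and whether controls cost too much."""
    level, required = classify(asset)
    have = {(c.ctype, c.measure) for c in asset.controls}
    gaps = [(t, m) for t in CONTROL_TYPES for m in required if (t, m) not in have]
    cost = sum(c.annual_cost for c in asset.controls)
    return {"asset": asset.name, "level": level, "gaps": gaps,
            "control_cost": cost, "cost_exceeds_value": cost > asset.value}

# Constructed sample inventory (names and figures are illustrative).
INVENTORY = [
    Asset("customer-db", "CRM system of record", 250_000, [
        Control("information security policy", "administrative", "preventive", 5_000),
        Control("encryption and access control", "technical", "preventive", 20_000),
        Control("log monitoring", "technical", "detective", 15_000),
        Control("offsite backups", "technical", "recovery", 10_000),
        Control("perimeter fencing", "physical", "preventive", 8_000),
    ]),
    Asset("canteen-menu", "facilities share", 500, [
        Control("acceptable use policy", "administrative", "preventive", 200),
        Control("access control", "technical", "preventive", 300),
        Control("locked cabinet", "physical", "preventive", 400),
    ]),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(review(a))
```

The critical asset is well covered on the technical side but has gaps in the administrative and physical layers, while the low-value asset is a candidate for accepting the risk because its controls cost more than it is worth.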

Conclusion

In conclusion, effectively combatting cybercrimes requires a proactive approach, one that focuses on identifying and classifying your information assets, a deep understanding of cybersecurity concepts, conducting potent risk analysis, leveraging multi-layered security controls, and maintaining good security hygiene. With these steps, you can rest assured that your digital landscape remains secure.

I am happy to answer any queries you may have and welcome you to connect with me on LinkedIn for further discussion and advisories. Let's stay ahead of the bad guys together!


Video Transcription

Good morning, everyone. Welcome to this session on combating cybercrimes proactively. My name is Chinna Suzu. I'm a managing cybersecurity consultant with Roste Cybercrime Solutions Limited. I am uh the founding past president of (ISC)² Nigeria Chapter. I actually um initiated the (ISC)² Nigeria Chapter in Nigeria and I'm a member of Global (ISC)² Chapter Advisory Committee. We assist all the branches, (ISC)² branches all over. I have over 20 years' worth of experience in IT and over 10 years in cybersecurity, I kicked off my cybersecurity profession in 2008. After under, understudying a, an expert, a security expert from a Os origin. I have master's degree in Information Systems Management, University of Liverpool; BSc in, in, in Mathematics and Computer Science, University of Port Harcourt, Rivers State. I am an (ISC)² authorized instructor and I'm a, I'm professionally certified in quite a lot of um information security certifications. CC. So I will advise you to please let's connect on LinkedIn so that you get to know more about me and about my publications. Ok. We're looking at combating cybercrimes proactively. How do we combat cybercrimes proactively? You know, we cannot talk about combating cybercrimes or proactive approach to it without referring to the digital age.

You know, the new normal brought about a paradigm shift, you know, a paradigm shift that is making life quite easy, a paradigm shift of the reality of internet of things, internet of devices, the reality of the cybernetics, you know, inter continent interconnectivity of, you know, um cybernetic elements.

We talk about the reality of internet service providers, too many of them. Now, you know, tech leaders are smiling to the bank, you know, it is a cyber world, a digital age, it's an electronic age, it's a technology age and the new normal has also brought about a paradigm shift for the good, you know, good paradigm shift for all, you know, you see a lot of things coming up in too many business transformations, too many handshakes, seamless retrieval of information, seamless flow of information, seamless communications.

And as we are now that we have a release of thousands of applications on daily basis, mobile applications, web applications, social media apps are overwhelming, you know, the whole world is more like a global village and it is indeed the cyber world that has brought about a good paradigm shift.

But then even though we're running on a good paradigm shift, it has also attracted quite a lot of paradigm shift of the pa you know, we we talk about the a good paradigm shift and then bad paradigm shift, you know, it looks like, you know, the, the bad guys, you know, the bad guys, you know, notorious guys, you know, carrying guns, you know, uh armed robbers.

They are now on white collar suits, you know, they are, they've now gone to train themselves, you know, to play ahead the evolvement of technology. So if you're not careful, you know, you would swim into the good paradigm shift without taking a, without having a thorough uh grab around the bad side. You know, the bad side also has introduced a lot of losses, global loss to cybercrime, global loss to spear phishing attacks, spear phishing attacks are the most targeted attacks. It's targeting the key players of organizations with cloud based attacks, you know, increase cyberattacks, you know, web application breaches all over, you know, ransom attacks are more like a normal, you know, it is like it's part of the new normal. So you find out that we're looking at a paradigm shift of the good and paradigm shift of the bad. But today we actually after the paradigm shift of the bad, how can we go about uh combating them in a proactive manner, not reactive, you know, not a talk but proactively staying ahead of the bad guys so that these guys will not be able to achieve their aim.

You know, they are really doing badly. Virtually every organization is reporting on, on cybercrimes. I was shocked when I visited a particular reporting board and very soon, particularly only to realize that these guys are reporting crimes every day. There are cases of crimes on daily basis from very soon and other reporting bodies. So it is a case that we really need to, you know, be, be serious about. Now, we're going to look at, you know, the step by step approach to combating cybercrimes, you know, step by step approach to remaining resilient when these bad guys hit at you, you remain resilient when they hit at you from the right to remain resilient, when they hit at you from any corner, at any time you are resilient, that resilience means just like the concept of an umbrella.

You know, a resilient umbrella would not drop through when it is raining, whether in snow in uh rain or what have you. So resilience promotes good security, good posture, good security hygiene, you know, in such a way that you know, even though everywhere, the the the digital world is too rowdy. You are all, you are still maintaining a good ambience, you know, a good security ambience that even your your the bad guys. The bad guys are the the traitors, the the threat actors, the the cyber criminals, you know the cyber attackers by the time they hit at you, they don't need anybody to tell them. Oh, there's no room for you here. So we're going to look at the step by step approach to achieving that we will look at identifying your information assets, classifying and ascertaining the value of the information assets or the concept of multi layered security. You know, I really need us to understand this very well at a granular level, you know, cybersecurity concepts, you know, three types of control, several measures of control. This is actually our target line.

You must be able to imbibe this knowledge, you know, grab this knowledge in order to imbibe the good security culture for your organization or even for your family or your personal information assets, then you need to understand how to proactively ascertain the actual time to provide the ideal security control.

And then we look at the various ways we can remain persistent and resilient. I would only use the concept of the umbrella and the concept of the keylock to uh uh uh conclude that and then we leave. Um I have a question for you here. Just help me to answer on the chat board. Have you or your organization experienced a cyber related crime or attack in the past? Just yes or no. Was it a successful cyberattack? Yes or no? If the answer is the two, question two is no. How did you proactively combat the cybercrimes or attacks? You know, if your organization, if the attack was not successful, how did you go about it? What were the security measures you placed in, you put in place, you know, was it at a resilience stage? Baseline stage or minimal stage, then if you had this attack was actually successful, what could you have done differently? Defense in depth, business impact analysis, risk analysis or you would have done nothing, select all that apply, just try to answer based on the number you can say number one, yes, two, no. And what have you? We will look at it later. Ok. Combating cybercrimes proactively, like I said, you need to um identify your information assets, your critical information assets, ok? You need to identify your information assets sort out with clarity and appropriate level.

You know, when we talk about identification, identification goes with a claim you're making, you know, you need to understand your portfolio, your words, identify your information as, as assets and tells your words all that you've got, you know, you're putting them in one basket, you know, as your information assets, you need to identify them.

You need to categorize each data set into groups or zones and then you need to make sure you, you should be able to trace each information asset to each authoritative source. Uh the the authenticity, where is it coming from? What are the necessary approval for it and all that, that assures you that you are working with a an authentic um identifiable information assets. So identification of your personal information assets or those of your organization would establish, establish a clear view of all you've got, you know, every bit of all you've got atomize them, create established convention for them and sort them. Now, after identifying your critical information assets, you need to classify and ascertain the value of the information assets. You know, you classify uh based on um business impact analysis. Business impact analysis is more like a concept, you know, that I A process is put in place to ascertain or determine how much impact is the assets, how, how much is the asset impacting on your organization, especially on your organization's bottom line. If the asset is not making much impact, then you, you place it, you know, at a minimal stage.

If it is an asset, that organization cannot live without, you know, if anything goes wrong with the asset assets, an organization could collapse an organization's um reputation image could go down, then it is seen as a critical asset and you must place a priority around it and then um place a classification value and then, you know, look for various ways to protect it.

Now, the reason why we do go with classification level on business impact analysis is for us to ascertain the value of the asset. Value of every asset is very, very important because it is the value you think first that will determine the security measure that should be applied on it.

So what process do you have in place to ascertain the classification level of your identified information assets? Then as you identify your information assets, classifying your information assets. It is paramount that you have a good understanding of the concept of multi-layered security, you know concept of mind.

You can also call it concept of cybersecurity. Concept of cybersecurity is centered around the CIA triad. I grouped it into three layers. If you look at the diagram I have there, the diagram I have there is in three layers. The first layer is the CIA triad. The second layer is the three control types and the third layer is the seven measures of control. Now, I will try to explain this layer and then we move to the next slide. Now, the CIA triad is actually our primary focus and objective. When you talk about cybersecurity, you know, we're looking at a level of assuring confidentiality, you know, we're we're assuring that your the organization or uh critical information assets or your critical information assets are only accessed, can only be accessed by the authorized parties and not disclosed to the bad guys at any point in time.

Then we talk about integrity, integrity is saying is uh uh a assuring that your critical information assets is not tampered with, is accurate. It is not missing, is not unduly modified and it is not coming up with errors. So at this level, we ensure that oh it, even if it's modified, it's only modified by the authorized parties and none of that not the bad guys, then we talk about availability. We want to assure that your critical information assets are always available as and when they are required, you know, and by the authorized parties. So this is our primary focus. See that at the center of the umbrella, you're looking at that diagram there looks like an umbrella. Yeah.

Is it covering? Yeah, so that's our our primary focus if you see the CIA triad is is this triangle at the center of the umbrella. And then we have the second layer. The second layer is the three control types which um comprise the administrative control of uh phase of the organization, the technical control phase of the organization and the physical control phase of the organization. The administrative control phase of the organization is looking at the procedures, the governance of the organization, the regulations tied to the organization, the legal binding, the policies, the standards, the procedures and all that and the personnel management of the organization.

You know, the just like our focus is on CIA triad, the confidentiality, integrity and availability. They can, they work hand in hand. That's why it's a triad. You know, you cannot focus on confidentiality and leave availability out of it. You can focus on integrity and leave confidentiality out of it. The same applies on the uh the control types. You as a cybersecurity professional, you cannot just concentrate on technical controls and leave the administrative path and physical path out of it. They work hand in hand, they do not work apart. So that's why you must build, establish a good teamwork with all the people in these areas so that you ensure that you have a good framework, a good cybersecurity framework that you're working with. So we we um technical control is looking at safeguarding the systems, the the networks, the databases, infrastructure, the platforms, the applications, the host, the database, the data, physical um uh physical controls are looking at safeguarding the facilities and environment where the asset reside.

Now that is the second layer. You know, you've got, you've got the objective which is your focus and then the you now group it for you to achieve that focus. You need to understand the three major areas of the organization, the administrative, the the the the the technical and the physical. Then we now talk about the security measures that you need to apply on these three areas of ar in areas of the organization. We talk about the preventative controls, we talk about the detective controls, the deterrent controls, the corrective controls, the compensative control, the recovery controls and the directive controls. Now look at it very well and do a check around them. For example, we have a policy is policies, is seen as a preventive control. You need policies to to make sure that you know, uh compliance and legal bindings apply. Now, policy is seen as um preventive administrative control, encryption, access control is seen as preventive technical control, then perimeters facilities are seen as preventive physical control. And so it applies in every other measure of control embedded under this measure of control are not the direct controls.

There are right tools, there are direct solutions that we apply. In order to assure a level of CIA triad. Now, you cannot ascertain your CIA triad without having a good understanding of um of your, your um the ideal security measure to apply. So I have the risk analysis here. You know, you must understand the vulnerabilities, the weaknesses, understand the threats, understand the points at which you are scared, that is a threat. You are scared that oh a vulnerability could be exploited and then you must walk around it, then you apply the risk treatment. You either mitigate, accept, avoid or transfer the risks to the third party. Your risk treatment is actually assumed to be your ideal measure of control.

Then you should ensure that the cost of control is not higher than the value of the asset we are protecting. So I have the direct question here. If you want to go about it, then I have how you can ascertain the cost of control and how you should make sure that the cost of control is not at any point in time higher than the value of the asset you are protecting. So you may need to go back again to review it and then you must remain persistent and resilient. Stay ahead of the cybercriminals following the ideal security hygiene. You must follow the the the the learn from the concept of the umbrella. Learn from the concept of the key lock, you know, you must practically remain resilient. If a good security hygiene is maintained, must be maintained seamlessly. In conclusion, you need to proactively combat cybercrimes. You need to identify your information assets, you need to um classify them.

You need to understand the concept of cybersecurity and then you need to uh run your risk analysis to be sure you are applying the ideal security control and then, and make sure you leverage your multi layered security control that is called defense in depth. With that, we are sure that your critical organi uh information assets will be proactively and seamlessly secured and the bad guys will hit at you and they will not be able to penetrate. Thank you very much. Um, any question here. OK. And someone is asking a question here, what is the most difficult attack type to prevent? Well, attack type to prevent? I can't tell you there's anyone that is difficult to, if you apply the rules, if you apply the rules and, and you have a good technical know how you know, and, and you play your game ahead, you know, these bad guys are always there. You need to play ahead of them by, by consistent research development. I, I can't tell you there is one that is easy or there is one that is difficult but you can, whichever way, whichever case you can proactively combat that you can remain resilient even in cases of difficult, um, attacks. Yeah. Too many attacks are out there.

But I can't tell you this is the most difficult. Sorry. Yeah, I, I, that's my job. My, my company logo is on combating cybercrimes. Yeah, there's really nothing. There is no crime that you cannot combat but you need to be proactive. You don't need to wait until there is a crime before you react proactively. Sit down be gran about it. Work with your team, your organization and then you, you will be good. You know, you will feel secured inside of you just like normal security hygiene. Ok? Thanks everyone and thanks for your kind words. I I would take your email addresses now and do the needful cheers and meanwhile you can also hook up with me. I will send my LinkedIn page now and send my slides page at the same time and you can always hook up with me. Thank you very much and cheers. Bye.