cyber-security threats: why we are losing the battle (and probably don't even know it)
Post on 23-Jan-2015
Cyber-Security Threats: Why we are losing the battle (and probably don’t even know it!)
December 12th, 2013
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu, The Art of War
John Hudson
15 years designing security strategies
Business Process Engineer
Why cyber-security fails – a mission
CISO, University of Pittsburgh (35,000+ users)
Blocked over 100,000 attacks every day
Experienced Anonymous attacks
Bomb threats/Forensics investigations
Worked in distributed and closed environments
Plus Consulting
Cyber-Security Practice helps organizations:
Identify risk and control failures, based on their organization
Cyber-security frameworks
Pen-testing, vulnerability scanning, social engineering
Solve security problems (for example, doing business in high-risk countries)
Compliance readiness
We help organizations plan, refine and implement cyber-security strategies
Premise
Organizations are losing the cyber-security battle and most don’t know that it is happening (or choose to ignore it)
The persistent threat environment means that:
You have had a breach and may or may not know it
You will have a breach and may or may not know it
Growth in data, application features, and collaboration makes cyber-security a greater challenge
Security tools in isolation of a continuous security program only delay the inevitable
Attacks are complex, clever and continuous
Outline
Current threat environment
Organizational challenges
Why “they” are winning
Neutralizing “them” from winning
Threat Environment
“The more things change, the more they stay the same...” Alphonse Karr, 1849
Acceptance
Attacks are more targeted
Malware is more complex and multi-dimensional
Social engineering is an art
Hacktivism is here to stay
Anti-forensics is now the norm
Cyber-attacks are becoming strategic
Nearly all attacks are external (98%)
Hacking tools for sale online (with better SDLC than most developers)
Simple Targeted Attack
Open source intelligence – find entry points
Collect data and profile – website scraping
Build spoof sites – your brand, your people
Email campaign from a “known source”
Phone calls to “known targets”
Scan for vulnerabilities
Exploit with malware or walk through the front door
Keep the door open
Harvest under the radar
5-10% return
But...
Criminals are targeting organizations with sophisticated attacks, but...
79% of attacks are still targets of opportunity
96% of attacks were not difficult
85% of breaches took weeks to months to discover
(source: Verizon 2012 Data Breach Investigation Report)
“It won’t happen to us – we are too small” is long gone!
We could now talk about the latest and greatest zero-day exploits, security appliances, or regulations coming down the pipeline all day long... but organizations are not dealing with the basics.
Organizational Challenges
Big Data – Big Problem
(Chart: data volume growth, with 2003 as year 0. 2011: 5 exabytes every 2 days. 2013: 5 exabytes every 10 minutes.)
Asset Value...
Few organizations know:
The value of their data
The value of uptime
The impact of its loss
Or the value placed on it by others
If you don’t know the value and loss impact – how can you protect it?
Have disaster plans, but ignore the disaster of lost data
At best, all data is treated as equal
The rules have changed...
Privacy is being challenged
Generational mindsets
BYOD/BYON
The Cloud (good or bad?)
Virtualization – paradigm change in deployment
Smartphone is your computer – what next?
Security budgets have not grown in ten years even though the problem has exploded
Extension of Security Boundary = More Points of Entry
Why “they” are winning
Organizations Are Abdicating Responsibility
Boards and Executives do not own the problem
They are not asking the right questions
It is not part of the strategy
They do not drive down security posture
At best, it is seen as an IT problem at the tactical level
CISOs report to the wrong people (if the organization has one at all)
Doing the job properly can mean potentially career-ending decisions
Security is not a technical issue
Technology is the output of security, not the input
But security is now a specialist subject
Organizations are Abdicating Responsibility
Audits do not equal security
Checking boxes on flawed controls gives a false sense of security
Compliance is not security – it has yet to stop an attack
Compliance is confusing and not backed
The wrong people are held accountable
Breach = ex-CISO
Policy manuals just kill more trees
Result
No mandate to invest in the right security
Little backing = no putting the head above the parapet
Problems are hidden
We are going live tomorrow with ERP, but there’s a security issue – what do you do?
Identified risk is only important if it does not stop the operation
CISOs jump from job to job
Security staff feel undervalued
Wrong money spent solving yesterday’s problems
So let’s Summarize...
Threats = more complex, faster, multi-dimensional
For most organizations, simple exploits will gain results
State-run attacks and hacktivism are becoming the norm
Organizations are using data in ways unimaginable 10 years ago, but treat security the same way they always have
Organizations are not talking about the value of their assets
Security is seen as a low-level technical responsibility
Many Fortune 500 companies do not have a CISO
The biggest disaster an organization may ever face is a breach
Neutralizing “Them” from winning
It’s a Journey
Until boards and executives own the problem, little will change
Appoint board oversight of security
Identify the value of your assets
Identify the loss impact of your assets
Identify what can hurt you
This forms the security problem
It’s a Journey
Design a continuous security program around the problem
Create choke-points
Back them
Audit the mitigation strategies
(Diagram: “The Choke Point”. A Secure Zone containing Virtual Servers and a Virtual Desktop; outside it, the User Desktop and Tablet or Laptop. Controls at the choke point between them: Multi-factor Authentication, No Port 80, BI with Scrambling, Encryption, IPS/IDS.)
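The choke-point diagram above can be turned into an auditable rule set. The following is an added example, not the speaker’s design: it assumes outside endpoints may reach only the virtual desktop, with MFA and an encrypted transport, that port 80 is blocked into the zone, and that the flows being checked come from IPS/IDS logs (the sample flows are constructed).

```python
from dataclasses import dataclass

# Zone model reconstructed from the slide (assumption, not the speaker's design).
SECURE_ZONE = {"virtual-server", "virtual-desktop"}
ENDPOINTS = {"user-desktop", "tablet", "laptop"}
CHOKE_POINT_ENTRY = "virtual-desktop"   # the only host outside endpoints may reach
BLOCKED_PORTS = {80}                     # "No Port 80": no plaintext web into the zone


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    mfa: bool        # session was authenticated with a second factor
    encrypted: bool  # transport is encrypted


def evaluate(flow):
    """Return the policy violations for one flow; an empty list means permitted."""
    reasons = []
    if flow.dst not in SECURE_ZONE:
        return reasons                   # the choke point only guards the secure zone
    if flow.port in BLOCKED_PORTS:
        reasons.append("port-blocked")
    if flow.src in ENDPOINTS:
        if flow.dst != CHOKE_POINT_ENTRY:
            reasons.append("bypasses-choke-point")
        if not flow.mfa:
            reasons.append("no-mfa")
        if not flow.encrypted:
            reasons.append("no-encryption")
    elif flow.src not in SECURE_ZONE:
        reasons.append("unknown-source")  # neither a known endpoint nor inside the zone
    return reasons


def audit(flows):
    """Audit a batch of flows (e.g. from IPS/IDS logs); map each denied flow to its reasons."""
    return {f: r for f in flows if (r := evaluate(f))}


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("laptop", "virtual-desktop", 443, mfa=True, encrypted=True),          # allowed
    Flow("laptop", "virtual-server", 443, mfa=True, encrypted=True),           # skips the choke point
    Flow("user-desktop", "virtual-desktop", 80, mfa=True, encrypted=False),    # port 80, plaintext
    Flow("tablet", "virtual-desktop", 443, mfa=False, encrypted=True),         # no MFA
    Flow("virtual-desktop", "virtual-server", 1433, mfa=False, encrypted=True),  # inside the zone
    Flow("printer", "virtual-server", 9100, mfa=False, encrypted=False),       # unknown source
]

if __name__ == "__main__":
    for flow, reasons in audit(SAMPLE_FLOWS).items():
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port}: {', '.join(reasons)}")
```

Running the same check over real flow logs is one way to “audit the mitigation strategies” rather than assuming the choke point still holds.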
It’s a Journey
Segregate Security reporting from IT
Reward based upon security metrics, not IT metrics
The board is responsible for security, people are responsible for negligence
Build the security response around what is important
Worry less about the rest (not all assets are equal)
If you can’t prevent it or flag it – don’t put it in your security policies
Acceptable use must have teeth
Quick takeaways
Ask this question when you get back to your organization...
If you received an email from a hacker saying “we have got your critical data” – how would you know if they really do?
If you don’t know, you don’t have a comprehensive security program
Quick takeaways
If you do nothing else, do these things:
Application whitelisting
Acceptable usage policy and mandatory awareness training
Business Impact Analysis and Risk and Control assessment – owned by the board and presented back to the board
Love your security professionals
Questions?
John Hudson
Security & Strategy Practice Director
Plus Consulting
John.Hudson@plusconsulting.com
412.206.0160