TRANSCRIPT
SecOps North America 2016
Recent Developments in Cyber
James P. O'Shea III, RBC Capital Markets

DISCLAIMER: The views and opinions expressed in today's presentation are my own, and do not represent those of RBC Financial Group and its subsidiaries.
Cyber Evolves from 1990s to Present

Generic Attacks
• Random targets
• Low volume, 'nuisance' value
• Moderate/high difficulty to build and use attack tools
• Limited skill pool
• Isolated to individual computers or small workgroups
• Randomly attack what the virus decides to attack
• Return: only notoriety to attacker

Broadly Targeted Attacks
• Generalized targets
• High volume, low value
• Improving skill pool
• Commercial spam campaigns
• Denial of Service
• Generalized phishing
• Hit and run
• Attack the (hoped-for) holder of a tradeable commodity
• Return: property of the victim's which the attacker can re-sell, one-time, with short lifespan and decreasing value over time (password; credit card)

Personalized Attacks
• Specific, individual targets
• Low volume, high value (USD 1bn?)
• Mature supply chain for crimeware and associated ecosystem for ease of attack
• Spear phishing
• Customized exploit code
• Advanced Persistent Threats
• Get in and stay in
• Attack a specific business process
• Return: ability to continually observe & extract value directly from/as the victim
How does a breach occur? Most start with an email…
Breaches Occur Faster Than Detection
Attackers are getting faster at breaching, and are doing so more rapidly than defenders are getting faster at detecting.
1/3 of Recipients Will Open a Phishing (Test) Email; >50% of 'Openers' Will Click The Malicious Link Within 3 Hours
1 min 40 sec: median time for the 1st recipient of a phishing campaign to open the bad email
3 min 45 sec: median time until the malicious attachment is clicked on by any recipient, from the start of a phishing campaign
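If you run your own phishing tests, the figures on this slide are the ones to reproduce for your firm. The script below is an added example, not part of the talk or of the Verizon DBIR: it takes a constructed event log from three simulated campaigns (recipient, event type, timestamp; the data is made up) and computes open rate, click rate among openers, the share of openers clicking within the 3-hour window, and the median time to first open and first click across campaigns. Two modelling choices are assumptions, not something the slide states: the 3-hour window is measured from the campaign send time, and a click with no recorded open is treated as an open (tracking pixels are often blocked).

```python
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=3)  # the "within 3 hours" window quoted on the slide (measured from send; assumption)

# Constructed sample event log for three simulated campaigns. Not real data.
# Each event is (recipient, event kind, ISO-8601 timestamp).
CAMPAIGNS = [
    {
        "name": "invoice",
        "sent": "2016-03-01T09:00:00",
        "recipients": 6,
        "events": [
            ("alice", "open", "2016-03-01T09:01:30"),
            ("alice", "click", "2016-03-01T09:03:10"),
            ("bob", "open", "2016-03-01T09:04:00"),
            ("carol", "open", "2016-03-01T11:30:00"),
            ("carol", "click", "2016-03-01T13:15:00"),  # clicked, but after the 3 h window
            ("dave", "click", "2016-03-01T09:20:00"),   # click with no open event (pixel blocked)
        ],
    },
    {
        "name": "password-reset",
        "sent": "2016-03-08T14:00:00",
        "recipients": 5,
        "events": [
            ("erin", "open", "2016-03-08T14:02:00"),
            ("frank", "open", "2016-03-08T14:05:30"),
            ("frank", "click", "2016-03-08T14:06:00"),
            ("erin", "click", "2016-03-08T18:00:00"),   # outside the 3 h window
        ],
    },
    {
        "name": "it-survey",
        "sent": "2016-03-15T10:00:00",
        "recipients": 4,
        "events": [
            ("gina", "open", "2016-03-15T10:00:45"),     # opened, nobody clicked
        ],
    },
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def first_events(events):
    """Return ({recipient: earliest open}, {recipient: earliest click}).

    A click implies the mail was opened even if no open pixel fired, so a
    click-only recipient is counted as an opener at the click time (assumption).
    """
    opens, clicks = {}, {}
    for who, kind, when in events:
        t = _ts(when)
        table = opens if kind == "open" else clicks
        if who not in table or t < table[who]:
            table[who] = t
    for who, t in clicks.items():
        if who not in opens or t < opens[who]:
            opens[who] = t
    return opens, clicks


def campaign_metrics(campaign):
    """Per-campaign figures matching the slide's definitions."""
    sent = _ts(campaign["sent"])
    opens, clicks = first_events(campaign["events"])
    n_open, n_click = len(opens), len(clicks)
    prompt = sum(1 for t in clicks.values() if t - sent <= WINDOW)
    return {
        "name": campaign["name"],
        "openers": n_open,
        "clickers": n_click,
        "open_rate": n_open / campaign["recipients"],
        "click_rate_of_openers": n_click / n_open if n_open else 0.0,
        "openers_clicking_within_window": prompt / n_open if n_open else 0.0,
        "secs_to_first_open": (min(opens.values()) - sent).total_seconds() if opens else None,
        "secs_to_first_click": (min(clicks.values()) - sent).total_seconds() if clicks else None,
    }


def summarize_campaigns(campaigns):
    """Aggregate across campaigns: medians of time-to-first-open/click, pooled rates."""
    per = [campaign_metrics(c) for c in campaigns]
    opens = [m["secs_to_first_open"] for m in per if m["secs_to_first_open"] is not None]
    clicks = [m["secs_to_first_click"] for m in per if m["secs_to_first_click"] is not None]
    recipients = sum(c["recipients"] for c in campaigns)
    openers = sum(m["openers"] for m in per)
    clickers = sum(m["clickers"] for m in per)
    return {
        "median_secs_to_first_open": median(opens) if opens else None,
        "median_secs_to_first_click": median(clicks) if clicks else None,
        "open_rate": openers / recipients if recipients else 0.0,
        "click_rate_of_openers": clickers / openers if openers else 0.0,
        "per_campaign": per,
    }


def fmt_secs(secs):
    """Render seconds the way the slide does, e.g. 100 -> '1 min 40 sec'."""
    m, s = divmod(int(secs), 60)
    return f"{m} min {s} sec"


if __name__ == "__main__":
    s = summarize_campaigns(CAMPAIGNS)
    print("open rate %.0f%%, click rate among openers %.0f%%"
          % (100 * s["open_rate"], 100 * s["click_rate_of_openers"]))
    print("median time to first open:", fmt_secs(s["median_secs_to_first_open"]))
    print("median time to first click:", fmt_secs(s["median_secs_to_first_click"]))
```

Use the median, not the mean, for time-to-first-click: one recipient who opens the mail the next morning would otherwise swamp the figure, and the median is what the DBIR reports, so your number stays comparable to the slide's.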
Most Victims Do Not Know They're Breached
Law enforcement and other third-party notifications to the victim are the most common methods of discovering a breach.
Fraud detection and other internal controls have been rapidly declining as means of detecting a breach.
An Ounce of Prevention: 99%+ of Breaches Exploit Vulnerabilities That Are More Than 1 Year Old
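The practical consequence of that figure is a triage rule: a known vulnerability that has been public for more than a year outranks a newer one, whatever the CVSS score says, because the old one is what is actually being exploited. The script below is an added example, not from the talk or the DBIR, that encodes that rule over a constructed vulnerability-scanner export. The CSV column names, the finding identifiers (placeholders, not real advisories), the scan date and the ordering (age bucket first, then internet exposure, then CVSS, then raw age) are all assumptions for the illustration.

```python
import csv
import io
from datetime import date

ONE_YEAR_DAYS = 365
TODAY = date(2016, 6, 1)  # assumed scan date for the constructed data below

# Constructed scanner export. Finding ids are placeholders, not real CVEs.
SCAN_CSV = """\
asset,finding,published,cvss,internet_facing
web-01,finding-001,2014-04-07,7.5,yes
web-01,finding-002,2016-03-01,9.8,yes
db-02,finding-003,2015-01-20,6.5,no
db-02,finding-004,2013-06-11,4.3,no
mail-03,finding-005,2016-02-15,5.0,yes
"""


def parse_scan(text):
    """Parse the (assumed) export format into typed finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "asset": row["asset"],
            "finding": row["finding"],
            "published": date.fromisoformat(row["published"]),
            "cvss": float(row["cvss"]),
            "internet_facing": row["internet_facing"].strip().lower() == "yes",
        })
    return findings


def age_days(finding, today=TODAY):
    """Days since the vulnerability was published, as of the scan date."""
    return (today - finding["published"]).days


def prioritize(findings, today=TODAY):
    """Order findings for patching: anything older than a year comes first.

    Within each age bucket, internet-facing hosts precede internal ones, then
    higher CVSS, then older publication date. A 2014 vulnerability on a
    web server therefore outranks a fresh 9.8 on the same box.
    """
    def key(f):
        age = age_days(f, today)
        return (age < ONE_YEAR_DAYS, not f["internet_facing"], -f["cvss"], -age)
    return sorted(findings, key=key)


def patch_summary(findings, today=TODAY):
    """How much of the backlog is in the 'more than 1 year old' bucket, per asset."""
    old = [f for f in findings if age_days(f, today) >= ONE_YEAR_DAYS]
    by_asset = {}
    for f in old:
        by_asset[f["asset"]] = by_asset.get(f["asset"], 0) + 1
    return {
        "total": len(findings),
        "older_than_year": len(old),
        "fraction_old": len(old) / len(findings) if findings else 0.0,
        "old_by_asset": by_asset,
    }


if __name__ == "__main__":
    findings = parse_scan(SCAN_CSV)
    for f in prioritize(findings):
        print(f"{f['asset']:8} {f['finding']:12} age={age_days(f):5}d "
              f"cvss={f['cvss']} exposed={'yes' if f['internet_facing'] else 'no'}")
    print(patch_summary(findings))
```

The point of sorting by age bucket before CVSS is that a scanner's default "critical first" view puts the newest findings at the top, which is the opposite of where the DBIR says the exploited ones sit.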
What Can You Do?
• Inventory your data and processes. Know what is most important to your firm.
• Classify your data. Which of those important items comes first?
• Have a plan; assume breach. How will you operate after a breach occurs?
• You will 'fight like you train.' Exercise your plans regularly.
• Share information and expertise within your industry and government regularly. Participate in information sharing organizations like FS-ISAC and FBI's InfraGard. Build the relationships you will need before you need them.
Further Reading
• The 2016 Verizon DBIR data in 4-minute form for Financial Services: http://www.verizonenterprise.com/resources/reports/rp_2016-DBIR-Financial-Data-Security_en_xg.pdf
• The 2016 full Verizon Data Breach Investigations Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
• Data Breach Digest – brief case studies of who and how: http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
• 20 Critical Security Controls – Center for Internet Security: https://www.cisecurity.org/critical-controls.cfm