The Importance of IT Security
Information security preparedness for Australian Business
WHO AM I…?
• CSIRT team member
• Information Security Specialist
• Board Game Designer
• Trainer
Overview
• Something is out there!
  • Threats and vulnerabilities in today’s online environment
• What are you protecting?
  • Threats and vulnerabilities in today’s online environment
• Cyber Defences
  • What can you put in place immediately - quick wins
• Opportunities for further action
  • Proactive steps businesses can take to ensure longer term data security
• References and more information
Question…
Do you have an information security emergency response plan?
[Chart: Australian organisations answering YES / NO]
Australian - Cyber crime security survey report 2013 – CERT Australia
Something is out there…
THREAT + VULNERABILITY = POTENTIAL SECURITY BREACH
Something is coming…
THREAT + VULNERABILITY = POTENTIAL SECURITY BREACH
Something is here!
THREAT + OPPORTUNITY = SECURITY BREACH
Data Breach Investigations report 2014 - Verizon
The Threats are many…
…and they come from different directions…
Data Breach Investigations report 2014 - Verizon
Threats resulting in a breach…
Data Breach Investigations report 2014 - Verizon
Hewlett-Packard's Cyber Risk Report - Hewlett Packard - 2014
• Many vulnerabilities exploited in 2014 took advantage of code written many years ago. “Some are even decades old,” the report noted.
“Adversaries continue to leverage these classic avenues for attack. …”
Ten-year old Vulnerabilities
“99.9% OF THE [REPORTED] EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED.”
Verizon’s Data Breach Investigation Report - 2015
More recent Vulnerabilities – but still old!
Vulnerabilities – some stats…
• 44% of known breaches in 2014 came from vulnerabilities that were between two and four years old…!
• Malware: the majority of these automated threat tools found by HP’s security team attempted to exploit older vulnerabilities.
• 11% of breaches targeted vulnerabilities in Adobe Reader and Acrobat.
• Whilst Oracle Java was blamed for 9%.
• Of the top 10 vulnerabilities identified, three were Microsoft vulnerabilities and six were tied to Oracle Java.
Hewlett-Packard's Cyber Risk Report - Hewlett Packard - 2014
Attacker success formula:
• A criminal requires:
  • Motive + Opportunity
Opportunity = Vulnerability + Capability
Attacker success formula:
• A cyber-criminal requires
  • Motive
  • Opportunity
    o Vulnerability +
    o Capability
Cyber Defences – Stopping a cyber-criminal:
• We cannot control:
  • Motive
  or
  • Capability
• We can control:
  • The Vulnerability – to an extent
What can we do?
• Reduce the opportunity for a cyber attack through vulnerability management.
• By reducing or removing access to vulnerable systems, so exploitations are less likely to take place.
• The problem is:
  • It’s a big job dealing with every vulnerability that is discovered…
What can we do?
• So, we have to choose the most important ones to reduce or eliminate…
• We need to prioritise…
Ask yourself…
• What assets are you protecting?
• Customer data (PII)
• Your organisation’s IP – knowledge and methods
• Your organisation’s reputation
• Your staff – their identity / profile
Ask yourself…
• Are you a likely target of cyber attack?
  • “Probably not – I don’t have that much corporate IP worth protecting”
• But – what about those you do work for?
  • What about your staff?
  • What about you personally – (Director/CEO)?
• Clients or Partners?
  • You could be a ‘way-in’ for a bad guy to target one of your clients or stakeholders..!
What could you do right now to improve your security posture?
• The ASD Top 4:
  • Application Whitelisting
  • Patching applications and OS’s
  • Using the latest versions of software
  • Restrict Administrative privileges
What could you do right now to improve your security posture?
• Have an emergency plan
  • Minimal = who to call list, i.e. Techs, Legal or Financial reps, PR, the CEO…
• Backups of sensitive information kept safe* for restoration of systems after a breach – continuity..
  (*Offline copies if possible to avoid infections and ‘ransomware’ … aka ‘crypto-attacks’)
Quick-wins
“40% OF CONTROLS DETERMINED TO BE MOST EFFECTIVE FALL INTO THE QUICK WIN CATEGORY.”
- Verizon DBIR 2015
Examples:
• The ASD Top 4 (85% of intrusions mitigated)
• A ‘Who To Call’ List
• Backups (hopefully you are already doing this…)
Opportunities for further action
• How to know what you have lost/was stolen (or what was damaged or corrupted)?
  • Logging and monitoring mechanisms
• How to know what happened so you can fix it for next time someone tries it
• Understand Vectors of attack (Threats/IOTs)
  • Vulnerabilities you need to fix or vulnerable systems to protect
• Fixing it long term…
  • May need to review your technical controls, process or policy procedures
• Some of these may require expert help…
References and further reading
• StaySmart Online Small Business Guide
  • (www.communications.gov.au/what-we-do/internet/stay-smart-online/smallbusinessguide)
• ScamWatch
  • (www.scamwatch.gov.au/)
• ASD Top 4 (Top 4 Strategies to Mitigate Targeted Cyber Intrusions)
  • www.asd.gov.au/publications/protect/top_4_mitigations.htm
• US-CERT Tips - Tips describe and offer advice about common security issues for non-technical computer users.
  • (https://www.us-cert.gov/ncas/tips)
• Surveys and Publications
  • “ACSC Threat Report 2015”
  • “ACSC Commonly exploited software vulnerabilities targeting critical networks”
  • “Mobile Cyber Threats” – Oct 2014 – Kaspersky and INTERPOL
  • “Data Breach Investigations Report” – 2014 – Verizon
  • “2014 Cost of Data Breach Australia” – Ponemon Institute
  • “Winning the Cyber Security Small-Medium Business Opportunity” – FireEye 2014
  • “Australian - Cyber crime security survey report 2013” – CERT Australia
Reporting a security breach or incident
• Australian government organisations should contact the ACSC on 1300 CYBER1 (1300 292 371) or [email protected]
• Australian businesses or other private sector organisations* seeking assistance should contact CERT Australia by emailing [email protected] or by calling 1300 172 499
  (*CERT Australia is primarily interested in Large or Medium enterprises operating systems of national interest [e.g. critical infrastructure] but will always speak to you)
• Australian SMEs may choose membership with AusCERT (a not-for-profit security group based at the University of Queensland)
  • “AusCERT members receive timely threat and vulnerability alerts and access to the following services”
  • Contact AusCERT by emailing [email protected] or by calling 07 3365 4417
Reporting Cyber Crime:
• ACORN (Australian Cybercrime Online Reporting Network) (www.acorn.gov.au/)
Seeking Advice:
• Australian Cyber Security Centre (www.acsc.gov.au/news.html)
  • Includes: CERT Australia (www.cert.gov.au) and other Federal Government partners
• AusCERT (www.auscert.org.au)
Video (dramatization) by Deloitte...
• https://www.youtube.com/watch?v=l_XOrcBxy-E
Mark McPherson
Information Security Specialist
Game-On ITC
InfoSec Training & Consulting
Training, CyberSec Exercises, Workshops, Advice
Phone: 0417631889