Top 12 Threats to the Enterprise

2015 CHIEF INFORMATION OFFICER LEADERSHIP FORUM WEDNESDAY, MARCH 11, 2015 DALLAS, TX Gene Scriven Top 12 Threats to the Enterprise

Upload: argyle-executive-forum, posted 27-Jul-2015

TRANSCRIPT

Page 1: Top 12 Threats to Enterprise

2015 CHIEF INFORMATION OFFICER LEADERSHIP FORUM

WEDNESDAY, MARCH 11, 2015, DALLAS, TX

Gene Scriven

Top 12 Threats to the Enterprise

Page 2

The Land of Information Security

Threats to the Enterprise

Also Known As…

Gene’s Dirty Dozen

Page 3

What Will We Talk About?

• Nothing that’s Rocket Science
• Concepts may very well be the same for everyone
  – Details will be different
• Enterprise or small business or personal
• A combination of “Soft Stuff” and Technology
• Vendor Agnostic (and even Technology Agnostic)
• Not a “How To Fix It” presentation
• You’ll notice some overlap – it’s intentional
• My personal/professional opinion
  – Your mileage may vary

Page 4: Top 12 Threats to Enterprise

Who Is This Guy??Chief Information Security Officer at Sabre• Prior to Sabre, CISO at The Home Depot

35+ years in Information Security• Commercial, military, federal government, government contract, and

the Intelligence Community

• Big-Six (and similar) background

Government and US Intelligence Community• Programmer, PM, Security Director, Development Director, Missile

Targeting, Electronic Wargames, Electronic Countermeasures, Federal Agent, Computer Crime Investigator

Commercial• Security Systems Development Director, QA Director, Process

Engineer, Consultant to the C Suite, Chief Information Security Officer

Not Particularly Related (but far more FUN)• College Professor, Paramedic, Lifeguard, Comedian

4

Page 5

Why The “Dirty Dozen?”

• Everybody has a list…I wanted one too
  – Mitre has (used to have) the Top 20
  – SANS Institute Top 10 Cyber Threats
  – FBI Survey
  – Open Web Application Security Project (OWASP) has the Top 10
  – “Cyber Security Veterans” Top 10 Security Menaces
  – Top 10 Security Risks to University Communities
• “Top 10” seemed like a great starting point
  – Quickly morphed to a “Dozen”
• Any list….is never enough!
• Original list (in 1998) was a work assignment
• Contrast Gene’s 1998 Dirty Dozen with today’s

Page 6

#12 The Next Employee You Lay Off

• Job market is improving, but lay-offs and cuts are still happening
• HR errs on the side of “being nice” to employees during downsizing
• Statistics still indicate that internal threats are on the rise

FBI reports, “Nearly 90 percent of such crimes (data theft) are committed by employees of the victims.”

Most employees/companies have…
• Excessive accesses
• Insufficient access reviews
• “Overlapping trust”
• Too much emphasis on the perimeter
• False sense of security
• Not enough prosecution
• Confusion between Disgruntled vs. “Under-Educated”

Page 7

Ponemon Institute’s 2013 Cost of Cyber Crime Study (chart: Average Days to Resolve an Attack)

The Next Employees You Lay Off…should not be allowed to become Malicious Insiders
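The insider-threat points on the two slides above (excessive access, insufficient access reviews, departed staff who keep working credentials) can be turned into a routine control. The Python below is an added example and not material from the talk: it joins an HR roster against an account export and reports enabled accounts of terminated people, entitlements beyond a role baseline, and access nobody has re-attested within a review window. The users, systems, role baseline, 90-day window and the 11 March 2015 "as of" date are all constructed, hypothetical values.

```python
"""Offboarding and access-review check (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    status: str                      # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    enabled: bool
    entitlements: FrozenSet[str]
    last_reviewed: date              # last time an owner attested that this access is still needed


# Constructed HR roster (hypothetical people and roles, not from the talk).
HR: List[Employee] = [
    Employee("alice", "developer", "active"),
    Employee("bob", "developer", "terminated", date(2015, 2, 20)),
    Employee("carol", "dba", "active"),
    Employee("dave", "help_desk", "terminated", date(2015, 3, 2)),
]

# Constructed account/entitlement export from a few systems.
ACCOUNTS: List[Account] = [
    Account("alice", "git", True, frozenset({"repo:read", "repo:write"}), date(2015, 1, 15)),
    Account("alice", "prod-db", True, frozenset({"db:read", "db:admin"}), date(2014, 6, 1)),
    Account("bob", "git", True, frozenset({"repo:read", "repo:write"}), date(2015, 1, 15)),
    Account("bob", "vpn", False, frozenset({"vpn:connect"}), date(2015, 2, 21)),
    Account("carol", "prod-db", True, frozenset({"db:read", "db:admin"}), date(2015, 2, 1)),
    Account("dave", "vpn", True, frozenset({"vpn:connect"}), date(2014, 11, 3)),
]

# Role baseline: what each role legitimately needs on each system (constructed policy).
ROLE_BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "developer": {"git": {"repo:read", "repo:write"}},
    "dba": {"prod-db": {"db:read", "db:admin"}},
    "help_desk": {"vpn": {"vpn:connect"}},
}

AS_OF = date(2015, 3, 11)            # hypothetical run date for the review


def orphaned_accounts(hr: List[Employee], accounts: List[Account]) -> List[Tuple[str, str]]:
    """Accounts still enabled for people HR lists as terminated."""
    gone = {e.user for e in hr if e.status == "terminated"}
    return sorted((a.user, a.system) for a in accounts if a.enabled and a.user in gone)


def excessive_access(hr: List[Employee], accounts: List[Account]) -> List[Tuple[str, str, List[str]]]:
    """Entitlements beyond the role baseline: the 'overlapping trust' the slide warns about."""
    role_of = {e.user: e.role for e in hr}
    findings = []
    for a in accounts:
        allowed = ROLE_BASELINE.get(role_of.get(a.user, ""), {}).get(a.system, set())
        extra = a.entitlements - allowed
        if extra:
            findings.append((a.user, a.system, sorted(extra)))
    return sorted(findings)


def stale_reviews(accounts: List[Account], today: date, max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Enabled accounts whose last attestation is older than the review window."""
    return sorted((a.user, a.system) for a in accounts
                  if a.enabled and (today - a.last_reviewed).days > max_age_days)


if __name__ == "__main__":
    print("Enabled accounts of terminated staff:", orphaned_accounts(HR, ACCOUNTS))
    print("Access beyond role baseline:", excessive_access(HR, ACCOUNTS))
    print("Access not reviewed in 90 days:", stale_reviews(ACCOUNTS, AS_OF))
```

The three checks map onto the slide's list: orphaned accounts are the laid-off employee who still logs in, excessive access is the accumulated "overlapping trust", and stale attestations are the insufficient access reviews. Running the same join daily against the real HR feed is what turns the slide's warning into a detection.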

Page 8

#11 Desensitized by Media Saturation

• Company X Loses 100,000 Customer Identities
• Government Laptop with SSNs Stolen from Airport
• Hackers Steal Personal Info From Company Y’s Database
• Yet another retailer is hacked and millions of CC numbers are stolen
• Job Bank Website Hacked
• Keylogger Compromises 250,000 Identities

Page 9

#10 Your Information is now VALUABLE to Criminals

Hacking for FUN and Website Defacement are still common, but motivations now focus on the value of INFORMATION

• Credit Card Data
• PII Data – Identity Theft & Social Engineering
• Company Info – IP AND seemingly innocent info

Page 10

Ponemon Institute’s 2013 Cost of Cyber Crime Study (chart: Percentage of Cost for External Consequences)

Information Loss/Theft is Leading The Pack

Page 11

#9 Believing that ENCRYPTION = NIRVANA

But Geeeene…we don’t need to spend any more money on security because our data is encrypted! Don’t you remember???

Realize that Encryption is just part of the total solution set

Data can be decrypted – Key Management (and Protection) is Critical

Encrypted Data remains in-scope for PCI

Are you encrypting passwords? It may not be good enough.
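The last two points on this slide are easiest to see side by side in code. The Python below is an added example, not from the talk: it stores passwords with a salted, iterated one-way function (PBKDF2-HMAC-SHA256 from the standard library) and verifies them in constant time, and contrasts that with a deliberately toy reversible cipher standing in for "we encrypt the passwords". The work factor, the record format and the toy cipher are this example's own choices; the toy cipher is illustration only and is not a real cipher.

```python
"""Password storage: one-way KDF hashes vs. reversible encryption (added example)."""
import hashlib
import hmac
import os
from typing import List, Optional

ITERATIONS = 200_000          # PBKDF2 work factor; raise it over time as hardware gets faster
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Store a salted, iterated one-way hash. No key exists that turns it back into the password."""
    if salt is None:
        salt = os.urandom(16)                      # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False                               # malformed record never verifies
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy (rehash at next login)."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


def toy_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """TOY reversible transform (HMAC-SHA256 keystream XOR) used only to show reversibility.

    It is not a real cipher and exists here only so the contrast with hashing is concrete.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt     # XOR with the same keystream undoes it


def recoverable_with_key(stored_ciphertexts: List[bytes], key: bytes, nonce: bytes) -> List[str]:
    """What the holder of both the 'encrypted' table and its key gets: every password, at once."""
    return [toy_decrypt(c, key, nonce).decode("utf-8") for c in stored_ciphertexts]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
    key, nonce = os.urandom(32), os.urandom(12)
    table = [toy_encrypt(p.encode(), key, nonce) for p in ("hunter2", "letmein")]
    print("with the key, the whole table falls:", recoverable_with_key(table, key, nonce))
```

The contrast is the slide's point: a leaked hash table costs an attacker one PBKDF2 computation per guess per user, while a leaked "encrypted" table plus its key (the key-management failure the slide names) yields every password in one pass. Hashing passwords does not remove the need to protect keys for the data that genuinely must be decrypted later; it removes passwords from that category entirely.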

Page 12

#8 Not Prepared for THE CLOUD

• Everybody’s rushing to put their data into “The Cloud”
• Some of the economic data is compelling
• Jumping onto the Bandwagon may be dangerous – have a strategy
• Address critical factors
  • Only put certain classifications of data into the Cloud
  • Who will own the data?
  • Who’s liable for data breaches?
  • Destroying data when finished
  • What data protection controls are YOU responsible to provide?
• Ask Why…if the answer is “because everybody’s doing it,” maybe it’s not for you
• The Cloud MAY BE the right answer – But be sure you’re asking the right questions

Page 13

#7 Information Security “Old Fogies”

“Younger Workers” who have grown up in the digital age have very different attitudes about security and privacy than older generations

People who have grown up with digital devices constantly at their fingertips, collaborating on social media or sharing documents, don’t react well to being told they can no longer function that same way from their workplaces.

They will find ways to do what they want!

A more competent workforce is changing how employees view workplace technology

Page 14

#6 Application/Middleware Vulnerabilities

• Most vendors will do the right thing with vulnerabilities and patches
• Many enterprises still focus primarily on OS vulnerabilities
• Attackers taking advantage of the proliferation of applications across the typical enterprise
• Internally developed applications need attention as well
  • Are you frequently scanning your web apps?
  • Do you require your app teams to do code reviews?
• Establish an EFFECTIVE Application Security Program

(diagram: Internal Applications / Application Security)

Breaching “The Perimeter” is no longer the Preferred Attack Vector

Page 15

#5 Failed Understanding of InfoSec and (Cyber) Risk

“How many incidents did you prevent last year?”

“Why aren’t you making the company any money?”

Unable to Articulate Risk

(chart: risk heat map by Department / Business Unit; IMPACT axis: Insignificant, Minor, Moderate, Major, Catastrophic; LIKELIHOOD axis: Rare, Unlikely, Possible, Likely, ~Certain; cells labelled RISK)

Risk has to be seen through the eyes of the Risk-Taker!
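The heat map on this slide is a likelihood-by-impact matrix, and "seen through the eyes of the risk-taker" means the same cell can be acceptable to one business unit and an escalation for another. The Python below is an added example, not the talk's material: it uses the slide's own axis labels, scores a cell as likelihood rank times impact rank, bands the score, renders the matrix, and applies a per-unit risk appetite. The 1..5 ranks, the Low/Medium/High/Extreme bands, the business units and their appetites are this example's assumptions.

```python
"""Likelihood x impact risk scoring with the slide's axis labels (added example)."""
from typing import Dict, List, Tuple

# Axis labels as on the slide's heat map, lowest to highest. The numeric ranks
# and the bands below are this example's assumptions, not figures from the talk.
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "~Certain"]

BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Extreme")]   # inclusive upper bounds
ORDER = [name for _, name in BANDS]                                   # band names, lowest first


def risk_score(likelihood: str, impact: str) -> int:
    """Score = likelihood rank x impact rank, each 1..5; an unknown label raises ValueError."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def risk_level(score: int) -> str:
    """Map a 1..25 score onto a band name."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError("score out of range: %d" % score)


def render_matrix() -> str:
    """Text heat map: rows are likelihood (highest first), columns are impact."""
    col = max(len(i) for i in IMPACT) + 2
    lines = [" " * 12 + "".join(i.ljust(col) for i in IMPACT)]
    for lk in reversed(LIKELIHOOD):
        cells = [risk_level(risk_score(lk, im)).ljust(col) for im in IMPACT]
        lines.append(lk.ljust(12) + "".join(cells))
    return "\n".join(lines)


# Each risk-taker's appetite: the highest band a unit accepts without escalation (constructed).
APPETITE: Dict[str, str] = {"Payments": "Low", "Marketing": "Medium", "R&D": "High"}


def needs_escalation(unit: str, likelihood: str, impact: str) -> bool:
    """Same cell, different answer depending on whose risk it is."""
    level = risk_level(risk_score(likelihood, impact))
    return ORDER.index(level) > ORDER.index(APPETITE[unit])


def rank_register(register: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, int, str]]:
    """Sort (unit, risk, likelihood, impact) entries by score, highest first, for a board pack."""
    rows = []
    for unit, name, lk, im in register:
        score = risk_score(lk, im)
        rows.append((unit, name, score, risk_level(score)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print(render_matrix())
    # Constructed register entries, purely illustrative.
    register = [("Payments", "card data theft", "Possible", "Major"),
                ("R&D", "lab laptop loss", "Likely", "Minor")]
    for unit, name, score, level in rank_register(register):
        print("%-9s %-16s %2d %-7s escalate=%s" % (
            unit, name, score, level, needs_escalation(unit, *register[[r[1] for r in register].index(name)][2:])))
```

The value of putting this in code rather than a slide is that the appetite table makes the risk-taker explicit: the CISO reports the cell, the business unit owns the threshold, and "how many incidents did you prevent" becomes "which risks sit above the appetite your unit signed off on".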

Page 16

#4 Service Providers become a Vulnerability

• Third parties have become a large part of many infrastructures
  • Costs
  • Expertise
  • Companies now rely heavily on them
• Many are trusted with sensitive info
  • Are they properly evaluated for the right data protections?
  • Do your contracts hold them equally liable?
  • Are your SLAs adequate – especially on Incident Response?
  • What about “The Cloud?”

“Third party organizations accounted for 42% of all data breaches.”
– Ponemon Institute

Page 17

#3 Mobile & BYOD

• Everyone’s stats agree – Mobile Devices are on the rise in our enterprises
• Have you seen your CEO’s iPad on the network? (Not yet??)
• Sticking your head in the sand is not an option here
• Be aware of the threats of unmanaged mobile devices
  • Non-compliant devices
  • Jail-broken devices
  • Zero-day exploits
  • User savvy at getting around your controls
• BYOD – See the train storming down the tracks!
• Partner with your users – and admit they may know more about this than you
• Define what Mobile/BYOD means to you – and be prepared with a comprehensive Mobile Device Management strategy

Page 18

#2 Poor Patching (or…Perpetual Patching)

• “OK…But we’ll have to slip our development schedule.”

• “What do you mean by ‘Have the systems patched in 10 days?’”

• “But we have so many different platforms…”

• “It’s gonna take at least two months to test that patch.”

• “This is a lot of work….Why can’t you just block the exploits?”

• “It’s not my job, I just load the base images.”

• “We should be OK…it’s not like we’re the NSA or something.”

• Need an Iterative process, with Governance, and Required Compliance

• Comprehensive Patching – Applications, OS, Databases, Network Components


Page 19

#1 Sophisticated (and Zero-Day) Malware

Interesting Malware Activities
1. Changing network settings
2. Disabling anti-virus and anti-spyware tools
3. Turning off Microsoft Security Center and/or other updates
4. Installing rogue certificates
5. Cascading file droppers
6. Keystroke Logging
7. URL monitoring, form scraping, and screen scraping
8. Turning on the microphone and/or camera
9. Pretending to be an antispyware or antivirus tool
10. Editing search results
11. Acting as a spam relay
12. Planting a rootkit - altering the system to prevent removal
13. Installing a bot for attacker remote control
14. Intercepting sensitive documents … or encrypting them for ransom
15. Planting a sniffer

“Don’t worry about that spyware thing….it’s just someone trying to see where you’re going on the Internet – you know, for Marketing purposes.”

Verizon Business Data Breach report from just a few years ago indicated that 38% of compromises were due to Malware. Ask yourself how many of the recent breaches involved MALWARE?

Page 20

ATTACK METHODS

THE HOME DEPOT (2014) – Malware (believed to be)
SALLY BEAUTY (2014) – Malware installed by hackers
P.F. CHANG’S (June 2014) – Compromised POS terminals
TARGET (2013) – Malware installed by hackers
NEIMAN MARCUS (2013) – Malware installed by hackers
EPSILON (2011) – Spear phishing
NASDAQ (2010) – Zero-day Malware (Digital Bomb) installed on several servers
TJ MAXX (2007) – Wireless network hacked
HEARTLAND (2008) – Access via malicious software

source: informationisbeautiful.net

Page 21

How Your CISO Can Help Him/Herself (CISO = Chief Information Security Officer)

• Know what you don’t know
• Focus on the Message
  – Content is critical
  – Delivery is just as important
• Be a Business Person first
  – …and a Technician second
  – …and a Politician third (build relationships)
• Organize your program based on RISK
• Defense-In-Depth
• Don’t be afraid to ask for help

Page 22

Dirty Dozen – Then vs. Now

1998
#12 - No Security Awareness Program
#11 - Blind Trust of Insiders
#10 - Reliance on Firewalls
#9 - No Business Continuity Plan
#8 - Chiefs Not Listening To “Indians”
#7 - Not Enough Attention To Physical Security
#6 - Insufficient Security Policies
#5 - Uncontrolled Modems
#4 - Insecure Web Sites \ Pages
#3 - No Verification Of Security
#2 - No Security Monitoring
#1 - Poor Password Practices

2015
#12 – The Next Employee you Lay Off
#11 – Desensitized by Media Saturation
#10 – Your Info is Valuable to Criminals
#9 – Believing Encryption=Nirvana
#8 – Unprepared for the Cloud
#7 – Information Security Fogies
#6 – App/Middleware Vulnerabilities
#5 – Not Understanding InfoSec or Risk
#4 – Service Provider Problems
#3 – Mobile & BYOD
#2 – Poor Patching
#1 – Sophisticated (& Zero-Day) Malware

Page 23

Truer Words Were Never Spoken…

“They only have to get lucky one time, but we have to be good all the time.”

- Mark Weatherford, Deputy Undersecretary for Cybersecurity, Department of Homeland Security

Discussing the advantages the bad guys have over those responsible for defending networks, systems, and data in today’s Cyber environment

Page 24

Page 25

You Know You’re Spending Too Much Time With Your Information Security Team if…

Page 26

You Know You’re Spending Too Much Time With Your Information Security Team if…

• You’ve ever written a nasty letter to Barnes & Noble because they didn’t carry this year’s Verizon Data Breach Report
• The only vacations your Significant Other will consider are cruises and cave-exploring because “the office” can’t reach you on your cell phone
• There are at least three “Two-Factor Tokens” on your keychain
• You secretly hope you won’t miss the next big virus outbreak while you’re out on vacation
• You’ve got a new car with a built-in GPS and computer and remote start, but you constantly worry about how easy it would be to hack
• Your Grandmother has ever called you about the latest phishing message she just received
• Your teenagers go to friends’ houses to surf the Internet because they know what you do for a living
• You’re so tired of answering people’s security questions that you tell the lady sitting next to you on the plane that you’re “just an IT guy.”
• Attending a SecureWorld, Argyle, or RSA Conference is like going to your high-school reunion

Page 27

Questions?