cyber-security threats: why we are losing the battle (and probably don't even know it)

Cyber-Security Threats: Why we are losing the battle (and probably don’t even know it!) December 12th, 2013

Upload: plus-consulting

Post on 23-Jan-2015

DESCRIPTION

Visit www.plusconsulting.com for more information. Organizations are losing the cyber-security battle and most don't know that it is happening (or choose to ignore it). The persistent threat environment means that you have had or will have a breach and may not know about it. Growth in data, application features, and collaboration makes cyber-security a greater challenge. Threats are complex, clever and continuous, and security tools in isolation of a continuous security program only delay the inevitable.

TRANSCRIPT

Page 1: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Cyber-Security Threats

Why we are losing the battle (and probably don’t even know it!)

December 12th, 2013

Page 2: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Sun Tzu, The Art of War

Page 3: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

John Hudson

15 years designing security strategies

Business Process Engineer

Why cyber-security fails – a mission

CISO University of Pittsburgh 35,000+ users

Blocked over 100,000 attacks every day

Experienced Anonymous attacks

Bomb threats/Forensics investigations

Worked in distributed and closed environments

Page 4: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Plus Consulting

Cyber-Security Practice helps organizations:

Identify risk and control failures, based on their organization

Cyber-security frameworks

Pen-testing, vulnerability scanning, social engineering

Solve security problems (for example, doing business in high-risk countries)

Compliance readiness

We help organizations plan, refine and implement cyber-security strategies

Page 5: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Premise

Organizations are losing the cyber-security battle and most don’t know that it is happening (or choose to ignore it)

The persistent threat environment means that:

You have had a breach and may or may not know it

You will have a breach and may or may not know it

Growth in data, application features, and collaboration makes cyber-security a greater challenge

Security tools in isolation of a continuous security program only delay the inevitable

Attacks are complex, clever and continuous

Page 6: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Outline

Current threat environment

Organizational challenges

Why “they” are winning

Neutralizing “them” from winning

Page 7: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Threat Environment

The more things change, the more they stay the same...

Alphonse Karr, 1849

Page 8: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Acceptance

Attacks are more targeted

Malware is more complex and multi-dimensional

Social engineering is an art

Hacktivism is here to stay

Anti-forensics is now the norm

Cyber-attacks are becoming strategic

Nearly all attacks are external (98%)

Hacking tools for sale online (with better SDLC than most developers)

Page 9: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Simple Targeted Attack

Open source intelligence – find entry points

Collect data and profile – website scraping

Build spoof sites – your brand, your people

Email campaign from a “known source”

Phone calls to “known targets”

Scan for vulnerabilities

Exploit with malware or walk through the front door

Keep the door open

Harvest under the radar

5-10% return

Page 10: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

But...

Criminals are targeting organizations with sophisticated attacks, but…

79% of attacks are still targets of opportunity

96% of attacks were not difficult

85% of breaches took weeks to months to discover

(source: Verizon 2012 Data Breach Investigation Report)

“It won’t happen to us – we are too small” is long gone!

Page 11: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

We could now talk about the latest and greatest zero day exploits, security appliances, or regulations coming down the pipeline all day long...

but organizations are not dealing with the basics...

Page 12: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Organizational Challenges

Page 13: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Big Data – Big Problem

[Figure: data-growth timeline. Labels: Year 0, 2003, 2011, 2013, “5 exabytes every 2 days”, “5 exabytes every 10 minutes”]

Page 14: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Asset Value...

Few organizations know:

The value of their data

The value of uptime

The impact of its loss

Or the value placed on it by others

If you don’t know the value and loss impact – how can you protect?

Have disaster plans, but ignore the disaster of lost data

At best, all data is treated as equal

Page 15: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

The rules have changed...

Privacy is being challenged

Generational mindsets

BYOD/BYON

The Cloud (good or bad?)

Virtualization – paradigm change in deployment

Smartphone is your computer – what next?

Security budgets have not grown in ten years even though the problem has exploded

Page 16: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Extension of Security Boundary = More Points of Entry

Page 17: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Why “they” are winning

Page 18: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Organizations Are Abdicating Responsibility

Boards and Executives do not own the problem

They are not asking the right questions

It is not part of the strategy

They do not drive down security posture

At best, it is seen as an IT problem at the tactical level

CISOs report to the wrong people (if they have one)

Potential career-ending decisions if doing job

Security is not a technical issue

Technology is the output of security, not the input

But security is now a specialist subject

Page 19: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Organizations are Abdicating Responsibility

Audits do not equal security

Checking boxes on flawed controls gives a false sense of security

Compliance is not security – it has yet to stop an attack

Compliance is confusing and not backed

The wrong people are held accountable

Breach = ex-CISO

Policy manuals just kill more trees

Page 20: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Result

No mandate to invest in the right security

Little backing = no putting the head above the parapet

Problems are hidden

We are going live tomorrow with ERP, but there's a security issue – what do you do?

Identified risk is only important if it does not stop the operation

CISOs jump from job to job

Security staff feel undervalued

Wrong money spent solving yesterday’s problems

Page 21: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

So let’s Summarize...

Threats = more complex, faster, multi-dimensional

For most organizations, simple exploits will gain results

State-run attacks and hacktivism are becoming the norm

Organizations are using data in ways unimaginable 10 years ago, and treat security in the same way

Organizations are not talking about the value of their assets

Security is seen as a low-level technical responsibility

Many Fortune 500 companies do not have a CISO

The biggest disaster an organization may ever face is a breach

Page 22: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Neutralizing “Them” from winning

Page 23: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

It’s a Journey

Until boards and executives own the problem, little will change

Appoint board oversight of security

Identify the value of your assets

Identify the loss impact of your assets

Identify what can hurt you

This forms the security problem

Page 24: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

It’s a Journey

Design a continuous security program around the problem

Create choke-points

Back them

Audit the mitigation strategies

[Diagram: “The Choke Point”. Labels: Secure Zone; Virtual Servers; Virtual Desktop; User Desktop; Tablet or Laptop; Multi-factor Authentication; No Port 80; BI with Scrambling; Encryption; IPS/IDS]

Page 25: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

It’s a Journey

Segregate Security reporting from IT

Reward based upon security metrics, not IT metrics

The board is responsible for security, people are responsible for negligence

Build the security response around what is important

Worry less about the rest (not all assets are equal)

If you can’t prevent it or flag it – don’t put it in your security policies

Acceptable use must have teeth

Page 26: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Quick takeaways

Ask this question when you get back to your organization...

If you received an email from a hacker saying we have got your critical data – how would you know if they really do?

If you don’t know, you don’t have a comprehensive security program

Page 27: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Quick takeaways

If you do nothing else, do these things:

Application whitelisting

Acceptable usage policy and mandatory awareness training

Business Impact Analysis and Risk and Control assessment – owned by the board and presented back to the board

Love your security professionals

Page 28: Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Questions?

John Hudson

Security & Strategy Practice Director

Plus Consulting

412.206.0160