hackers vs suits
DESCRIPTION
My half of a tag team presentation for the Edmonton, Alberta, Canada ISACA chapter with renderman (http://www.renderlab.net), dealing with what is wrong with information security today. I, of course, was the suit. It looks like SlideShare bungled some of my slides. Click the download link to get the PowerPoint version.

TRANSCRIPT
hackers vs suits
what's wrong with security today?
agenda
the suit
the hacker
questions?
the suit
http://www.flickr.com/photos/23912576@N05/
experiment
“playing card data loss”
threats and countermeasures

T1: Sleight of hand
C1: Don't let the attacker handle the cards

T2: Marked cards
C2: Keep the attacker at a distance where he cannot see small marks

T3: The approximate location of the pair is known
C3: Cut the deck while the attacker is not looking

T4: The pair is together
C4: Deal into two piles

T5: If the location of one card is known in one pack, the other card will be in a similar location in the other pack
C5: Mix both packs
Model Source: taosecurity.blogspot.com
not an experiment (unfortunately)
Sources
• http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
• http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/
• http://www.wired.com/threatlevel/2011/05/l-3/
• http://www.rsa.com/node.aspx?id=3891
3 March 2011: A brief phishing attack began which targeted RSA staff with no unusual privileges
6 April 2011: US defense contractors Lockheed Martin and L-3 had been attacked via cloned RSA SecurIDs
6 June 2011: RSA partially admitted that something bad had happened in March and offered to replace current customers' SecurIDs at no cost
threats and countermeasures

T1: Direct attacks from the Internet
C1: State of the art perimeter defenses

T2: User authentication attacks against Internet-exposed services
C2: State of the art authentication controls

T3: Malware
C3: State of the art end-point controls

T4: Malicious activity may go unnoticed
C4: State of the art monitoring

T5: Sensitive data could exit the network
C5: State of the art data loss prevention (DLP) technology

T6: Social engineering
C6: State of the art security awareness program
Model Source: taosecurity.blogspot.com
“Recently the UK payment council announced that in 2010 online banking fraud declined 22%, despite phishing levels increasing 21%. This is turning the tide. It took the financial sector 7 years to build a new defense doctrine against social engineering attacks like Phishing and Trojans. I was part of this gargantuan effort, and I think we’ve learned a thing or two that can help us build a new defense doctrine against APTs much faster. Already we’re learning fast, and every organization hit by an APT is much more prepared against the next one; I’m confident it will take us far less than 7 years to say we’ve turned the tide on APTs.”
- Uri Rivner, RSA
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
good idea but...
Identifying and cataloging new threats
Standardizing countermeasures
Adding these to vendor product lines
Entrenching into the standards canon
When will we see the first APT-no-more product from a major vendor?
our current approach to new threats
All too often we only change our defensive doctrine when:
• We get hit badly
• Compliance standards change
• New products become available
• The new fiscal cycle starts
The attackers we face change their offensive doctrine much more frequently
we are too slow to adapt
John Boyd (1927-1997)
Photo credit: Wikipedia
a.k.a.:
Forty Second Boyd
Genghis John
The Mad Major
The Ghetto Colonel
Boyd on novelty
The adversaries that we are defending against are continually producing novelty (there will be something else after APT)
“Now, in order to thrive and grow in such a world we must match our thinking and doing, hence our orientation, with that emerging novelty”
Winning in inherently dynamic environments involves running through flexible decision-making cycles faster than your opponent
How can we gain the ability to traverse the observe, orient, decide, act cycle as rapidly or more rapidly than our opponents?
our challenge
you are here
All major advances in science and engineering were born of the realization that current models - or orientations, in Boyd's terms - were mismatched with reality
We need to change our information security doctrine from compliance and product-centred to innovation and human-centred
a possible answer?
Chris Hammond-Thrasher, CISSP
Associate Director, Consulting
Security, Privacy and Compliance
Founder, Fujitsu Edmonton Security Lab
FUJITSU
[email protected]
* All John Boyd quotations are taken from his Discourse On Winning and Losing http://dnipogo.org/john-r-boyd/