Your Vendor Security Programs are

not a Secret

Hacking Skills Not Required:

Bloomberg

Chris BergerGlobal Head of Vendor Risk

RiskRecon

Michael FowkesVP, Engineering & Analytics

sig.org/eval

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

In our New WorldData is the Silver Bullet

(…it might be the only bullet…)

Control your third party risk reality

Confidential

Confidential

Confidential

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

SaaS growthvs on-premise

SaaS – 17.3% CAGR vs On-prem – 3.1% CAGR

% of enterprise apps SaaS-based by 2018

5x

27.8%“10x increase in number of cloud based solutions by 2018” – IDC Chief Analyst (2015)

$216 BillionCloud market site by 2020

17.3% CAGRCloud market thru 2020

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

Confidential

Confidential

Confidential

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

When companies do things on the internet….

Confidential

…they reveal a lot of stuff

Confidential

Confidential

Confidential

Confidential

Confidential

Confidential

Confidential

Confidential

Confidential

Confidential

Confidential

Confidential

Confidential

Data Processing

CompanyWhat you can learn starting with just the company

name

- No inside information

- No hacking

- JUST LOOKING

Confidential

265 Web

Servers

Confidential

28 Hosting

Providers

Confidential

7 Hosting

Countries

Confidential

6 Email

Providers

Software

Confidential

Software Patching

Confidential

8% of Web Servers EOL

• IIS 4.0 – 1

• Netscape Enterprise 4.1 – 2

• IIS 6 – 13

• Apache 1.3 – 4

• NGINX 1.6 - 1

Software Patching

Confidential

8% of Web Servers EOL

• IIS 4.0 – 1

• Netscape Enterprise 4.1 – 2

• IIS 6 – 13

• Apache 1.3 – 4

• NGINX 1.6 - 1

12% of App Servers EOL

• PHP 4.1 -1

• PHP 5.2 – 2

• PHP 5.3 – 5

• Phusion Passenger 4.0 – 2

• Jetty 4.0 - 1

Software Patching

Confidential

8% of Web Servers EOL

• IIS 4.0 – 1

• Netscape Enterprise 4.1 – 2

• IIS 6 – 13

• Apache 1.3 – 4

• NGINX 1.6 - 1

12% of App Servers EOL

• PHP 4.1 -1

• PHP 5.2 – 2

• PHP 5.3 – 5

• Phusion Passenger 4.0 – 2

• Jetty 4.0 - 1

60% of CMS software EOL

• vBulletin 3.0 – 1

• WordPress 3.0 – 2

• WordPress 4.3 – 2

• Drupal 6.x - 2

Software Patching

Confidential

8% of Web Servers EOL

• IIS 4.0 – 1

• Netscape Enterprise 4.1 – 2

• IIS 6 – 13

• Apache 1.3 – 4

• NGINX 1.6 - 1

12% of App Servers EOL

• PHP 4.1 -1

• PHP 5.2 – 2

• PHP 5.3 – 5

• Phusion Passenger 4.0 – 2

• Jetty 4.0 - 1

60% of CMS software EOL

• vBulletin 3.0 – 1

• WordPress 3.0 – 2

• WordPress 4.3 – 2

• Drupal 6.x - 2

Web Encryption

Confidential

36% running SSLv2 or SSLv3

32% with invalid certificate subjects

12% with expired certificates

DNS Security

Confidential

45% missing basic domain hijacking

protection

11 different DNS hosting providers

Email Security

Confidential

44% missing email

encryption

6 email hosting providers

97% missing email domain

authentication (SPF / DKIM)

Confidential

Insurance CompanyWhat you can learn starting with just the company

name

- No inside information

- No hacking

- JUST LOOKING

Confidential

347 Web

Servers

Hosting Providers

Confidential

42 Hosting

Providers

Hosting Countries

Confidential

18 Hosting

Countries

Email Providers

Confidential

33 Email

Providers

Software

Confidential

Software Patching

Confidential

12% of Web Servers EOL

• IIS 6.0 – 55

• NGINX 1.4 – 2

• NGINX 1.2 -1

Software Patching

Confidential

12% of Web Servers EOL

• IIS 6.0 - 55

• NGINX 1.4 – 2

• NGINX 1.2 - 1

10% of App Servers EOL

• PHP 5.3 – 5

• PHP 5.4 -1

• Phusion Passenger 4.0 - 2

Software Patching

Confidential

8% of Web Servers EOL

• IIS 4.0 – 1

• Netscape Enterprise 4.1 – 2

• IIS 6 – 13

• Apache 1.3 – 4

• NGINX 1.6 - 1

12% of App Servers EOL

• PHP 4.1 -1

• PHP 5.2 – 2

• PHP 5.3 – 5

• Phusion Passenger 4.0 – 2

• Jetty 4.0 - 1

9% of CMS software EOL

• Adobe GoLive – 1

• Drupal 6.22 – 1

• Drupal 7.3 - 1

Software Patching

Confidential

8% of Web Servers EOL

• IIS 4.0 – 1

• Netscape Enterprise 4.1 – 2

• IIS 6 – 13

• Apache 1.3 – 4

• NGINX 1.6 - 1

12% of App Servers EOL

• PHP 4.1 -1

• PHP 5.2 – 2

• PHP 5.3 – 5

• Phusion Passenger 4.0 – 2

• Jetty 4.0 - 1

9% of CMS software EOL

• Adobe GoLive – 1

• Drupal 6.22 – 1

• Drupal 7.3 - 1

Web Encryption

Confidential

37% running SSLv2 or SSLv3

38% with invalid certificate subjects

7% with expired certificates

DNS Security

Confidential

70% missing basic domain hijacking

protection

90 different DNS hosting providers

Email Security

Confidential

17% missing email

encryption

33 email hosting providers

98% missing email domain

authentication (SPF / DKIM)

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

Confidential

Confidential

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

ConfidentialMay not be distributed outside of Medtronic – subject to non-disclosure and confidentiality agreements

Michael Fowkesmike@riskrecon.net

Control your third party risk reality

Evaluation How-to:

Your feedback drives

SIG Event content

By signing and

submitting your

evaluation, you are

automatically entered

into a prize drawing

Why?

Option 1: App

1. Select Schedule2. Select Schedule by Day3. Select Day4. Select Session5. Scroll to Description

6. Click on the Evaluation link

Option 2: Browser

1. Go to www.sig.org/eval2. Select Session (#28)

How?

COMPLETE &SUBMIT EVAL

Tweet: #SIGfall16

Session #28

Hacking Skills Not Required: Your Vendor Security Programs are not a Secret

Speakers:

www.sig.org/eval

Download the App: bit.ly/SIGfall16

RiskRecon Michael Fowkes 801-558-6150 mike@riskrecon.net

Bloomberg Chris Berger 631-374-1185 CBerger17@Bloomberg.net