Patch, Upgrade, New Version, Firewall Rulebase, IPS Signatures, Virus, Regulation, Worm, Subversive Multi-Vector Threats, Government Sponsorship, Advanced Persistent Threats
9/14/2010 Copyright 2010. All Rights Reserved.
"Malicious computer code, placed there by a foreign intelligence agency"
"Digital Beachhead" that allowed the foreign agency to suck data from the Pentagon's classified and unclassified networks
"Network administrator's worst fear"
Cyber criminals have stolen at least $100 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud…
— Brian Krebs, Washington Post, 26 October 2009
The City of Norfolk, Virginia is reeling from a massive computer meltdown… an unidentified family of malicious code destroyed data on nearly 800 computers citywide.
— krebsonsecurity.com, February, 2010
Hillary Machinery lost $801,495 in fraudulent transfers to cyberthieves from their account at Plains Capital Bank. The bank is now suing Hillary Machinery!
— forbes.com, February, 2010
Assuming the data is in the data center
IDC research shows that desktops & laptops represent the most serious concern for Data Loss Prevention (DLP).
Forgetting the value of data on mobile devices
Believing that company data never finds its way to home systems
Treating mobile devices as desktops
People are working — accessing the most up-to-date information, responding immediately to client contacts, and taking care of many more daily tasks — around the clock. … this environment has created a new corporate vulnerability that is likely to be targeted by emerging threats.
– IDC
The days of the Traditional Legacy Perimeter Defense are behind us.
Your approach to security needs to keep up.
The corporate perimeter is porous and permeable.
"Endpoint . . . solutions are now a PRIMARY line of defense . . ."
— Charles Kolodgy, Research Director, IDC Security Products Program
The Data On The Endpoint Is The Goal
Internet Video
Personal Websites
Business Websites
Social Media
Adopting Social Media Without Protection
However, aside from being a potential drain on corporate resources, they also jeopardize the integrity of your data, encourage employees to post potentially sensitive data without thinking, and empower a new wave of identity theft based on abuse of trust.
Focusing too much on Prevention
• 95% of respondents listed the 12 items below
• 95% thought that Prevention was key
• IT Security spending follows the same mindset
Focusing on Prevention vs. Detection and Response
• Alarm
• Motion detector
• Monitoring
• Crime watch
• Doors
• Locks
• Windows
• Fence
• Dog
• Gun
• Police
• Insurance
Source: "Data @ Risk" by David H. Stelzl
How They Break In: (chart; the percentage labels did not survive the transcript)
Failing to foster a culture of awareness
Unintentional Data Breaches
Hidden Columns on Excel Spreadsheets with
• Credit Card numbers
• Social Security Numbers
• PII data
Intellectual Property
Marketing Plans
Embargoed Announcements
Corporate betting pools
Education is usually the first line item cut when there are budgetary pressures.
If you only have ONE DOLLAR to spend in security, make sure you spend it in security awareness.
Underreporting of security breaches
"According to the FBI, cybercrime officially cost Americans almost $560 million last year, more than double the 2008 tally, although experts say the true number is undoubtedly much higher, since many cyberattacks go unreported."
— Dallas Morning News, May 2, 2010
"The European Commission claims that the cost of cybercrime in the EU, at €750 billion annually, vastly exceeds drug trafficking and is equivalent to 1% of global GDP"
— EurActiv Network, April 28, 2010
Unable to create proper actuarial tables for cybercrime due to lack of data
Main causes for under-reporting
• Fear of embarrassment
• Loss of public or customer confidence
• Legal Liabilities
• Jurisdictional Limitations
Albert "Segvec" Gonzalez has been indicted by a federal grand jury, along with two unnamed Russian conspirators, on charges of hacking into Heartland Payment Systems… as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers… [Gonzalez] and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters… and other companies
— wired.com, August 17, 2009
Laying the Foundation to Combat Privateers on the High Seas of the Internet
http://cassandrasecurity.com/?p=1301
Settling for Compliance
Compliance… just one step north of negligence.
— Josh Corman, The 451 Group
A perfect example of aiming for compliance is the number of lifeboats on the Titanic.
The British Board of Trade, the regulatory agency that mandated Titanic, required the ship to have lifeboat capacity for 1,060 people. Unfortunately, she had a maximum capacity of 3,547, between passengers and crew.
AFTER the Titanic sank, the regulations were changed. That seems to be the way it always happens...
After ENRON and WorldCom, we get Sarbanes Oxley… After TJX, we get PCI.
How many times have you heard your IT team say: "We're covered… We are compliant" only to have your expensive external audit firm come in and deliver a scathing report that enumerates thousands of missed items, erroneous configurations, and process violations?
Assuming Everything is OK
Stephan Thought He Was Secure
Companies think they are secure. But who is accessing your data?
(chart: number of infections found per hour)
• Assuming the data is in the data center
• Forgetting the value of data on mobile devices
• Believing that company data never finds its way to home systems
• Treating mobile devices as desktops
• Adopting social media without protection
• Focusing on Protection versus Detection and Response
• Failing to foster a culture of awareness
• Under-reporting of security breaches
• Settling for compliance
• Assuming Everything is OK
"We've got it covered."
What Is The Likelihood Of An Attack?
BTW… Likelihood decreases with Detection and Response
"We had no idea this malware was getting through."
(risk matrix: Probability of Occurrence, Low to High, against Impact of Risk, Low to High)
"Everyone Has a Plan… Until They Get Hit"
— Michael Tyson, Philosopher and Pugilist
When it comes to security,
1. If you didn’t go looking for it, remove it.
2. If you did go looking for it, make sure you patch it.
3. If you don’t need it, get rid of it.
Brian Krebs, April 2010
The Growing Malware Threat
(bar chart of malware growth, 1998 to 2008, 0 to 1,600,000)
New threats per day: 30,000
New signatures per day: 3,500+
Mobile Malware Signatures as of December 2009: 1,115
Total as of December 2009: 3,312,682
IT Spend Is Not What It Should Be
Minimal Increase In IT Security Software Spending with Little Thought to Likelihood
Exponential Growth in Malware and Attacks at the Endpoint
(chart: malware growth versus IT spend)
• A Pioneer in Fighting IT Threats for 25 Years
• Security Technology of Choice
Small Updates for the Best Protection and User Experience
(bar chart: Updates per Month, 0 to 700, for Microsoft, Symantec, Trend Micro, CA and McAfee)
(bar chart: Hours, 0 to 8, for Eset, Sophos, AVG, Symantec and McAfee; bars range from < 2 hours to 4 to 8 hours)
• Short Hold Times: < 5 minute average answer time
• 85% of calls closed by Tier 1
• Dedicated Engineers
• Free Standard Support: English, French, Spanish, Portuguese
Kaspersky Concierge Program
• Dedicated Kaspersky Support Engineer
• Set up evaluation
• Perform a Proof of Concept
• Test production machines
Testing Detection and Response Capability
TAKE THE