POSTCARDS FROM THE EDGE CYBER-SECURITY RISK MANAGEMENT IN AN ESCALATING THREAT ENVIRONMENT

Upload: jack-hopkins

Posted on 29-Dec-2015

TRANSCRIPT

POSTCARDS FROM THE EDGE

CYBER-SECURITY RISK MANAGEMENT IN AN ESCALATING THREAT ENVIRONMENT

• Pharming
• > 50% of all PCs compromised
• Application Attacks
• BotArmies/DDOS
• Organized Cyber-crime Ecosystem
• Hacktivism
• Cyber Terrorism
• Phishing
• Identity Theft
• OS Hacking
• BotNets/DDOS
• Cyber Criminals
• Script Kiddies

• Nothing short of game-change innovation can stem this rising tide

• Seems everything changes, everyday

THREATS ARE ESCALATING AT A NEAR EXPONENTIAL RATE

THE US REACTION HAS BEEN WEAK WITHOUT A CIVILIAN “CYBER-CZAR” NAMED AT PRESENT

THE NEW CYBER COMMAND IS STILL VERY YOUNG AND DOES NOT YET HAVE A BASE OF OPERATIONS

Needs a good home

PUBLIC AWARENESS IS LARGELY ABSENT, DRIVEN BY UNCONNECTED AND ONE-OFF DRAMATIC EVENTS.

MANY IN THE MEDIA LACK A THOROUGH UNDERSTANDING OF THE ISSUES

“Estonia Sending Cyber Defense Experts to Georgia” – Network World

MOST SECURITY TECHNOLOGY PROVIDERS HAVE A NARROW PERSPECTIVE OF THE CYBER-SECURITY LANDSCAPE

UNFORTUNATELY THE REALITY OF THE CYBER SECURITY LANDSCAPE IS SOMEWHAT LARGER

SUMMARIZING THE CONTEXT

• Threats are escalating at an alarming rate
• Public policy has generally failed us
• Government action has been inadequate
• Media/public is at best confused about cyber threats
• Technology has provided little more than a band-aid
• Many believe cyber-criminals have almost mystical powers

MOST CYBER-SECURITY CONVENTIONAL WISDOM ATTEMPTS TO MODEL OUR CYBER DEFENSES BASED ON TRADITIONAL DEFENSE IN DEPTH IMPLEMENTATIONS

Carlsten Fortress c. 1600’s, Marstrand, Sweden

CHANGING THE GAME

The digital warrior

A FUNDAMENTAL CHANGE IN TACTICS

PRINCIPLES OF A RESILIENT CYBER DEFENSE

1. IT’S TOO EASY TO BE HARD!

Where:

• 80%+ of all successful cyber-attacks exploit vulnerabilities in four categories; none require rocket science to fix: input validation; poor coding technique – business logic; authentication and access control; device hardening – patching, secure baselines
• Building in security is 60 times less expensive than bolting it on later
• Up-level security in the SDLC

We must develop:

• A strong vulnerability management program
• Assessment and remediation of legacy code used in operating systems and applications
• Assessment and remediation of web site vulnerabilities – these will continue to be the most sought-after attack vector for criminals to host links to phishing and identity theft code
• Assessment and remediation of third party code and widgets – an attractive attack vector, demonstrated by the “Secret Crush” malware that posed as a Facebook widget to install itself on about 1 million PCs in late 2007 and early 2008

2. BE A REALLY GOOD FIRST RESPONDER

Where:

• Complex systems fail complexly; it is not possible to anticipate all the failure modes
• Complexity provides both opportunity and hiding places for attackers
• Damping out complexity is impossible when coupled with change, growth and innovation
• Security failures are inevitable

We must develop:

• Robust incident management integrating all aspects of the business (e.g. communications, development, legal)
• Security SMEs throughout the SDLC
• Analytical tools, deployed to continually assess the security of development and the infrastructure
• Security training for development and infrastructure teams

3. GRACEFULLY DEGRADE

If: A successful attack is inevitable

Then we must develop:

• A thorough understanding of the business, key business assets and critical functionality
• Defined, defensible perimeters
• An expanded firewall and IPS footprint
• An understanding of network choke-points
• Bandwidth allocation
• Dynamic re-configuration

3A. DIVERSITY…DIVERSITY…DIVERSITY

Where: You can’t live without it!

“Run from monoculture in the name of survivability” – Dan Geer

We must develop:

• Multiple tools for detection and analysis
• Multiple mitigation methods
• Segmentation for everything
• New thinking – situational awareness, attack simulation…

4. TREAT THE INSIDE LIKE THE OUTSIDE

Where:

• Every cyber criminal is our next door neighbor
• We can never retreat to a safe neighborhood

We must develop:

• The ability to defend knowing the current threat profile, generally and specifically to us
• Encryption for everything moving in our networks
• Defensive application coding – more important than ever with 3rd party software

5. IT’S THE DATA AND THE TRANSACTIONS

Where:

• Cyber criminals are attacking transaction streams
• Transaction attacks are extremely difficult to detect

We must develop:

• Data protection
• Transaction protection
• Employee exfiltration blocking

6. DEFENSE IS GUARANTEED TO BE A LOSING STRATEGY, PLAY OFFENSE WHENEVER POSSIBLE

Defense alone may avert a crisis, but it does not get in front of the problem

7. INNOVATE…INNOVATE…INNOVATE

Innovating for impact:

• Incremental – sustaining core and context
• Radical

8. KNOW WHAT IS HAPPENING, KNOW WHAT HAPPENED

Where:

• Attacks are becoming much more subtle
• Attacks are using multiple channels

9. CONTINUOUSLY ADAPT THE STRATEGY – BE AGILE

• If you are not moving forward you are falling behind… status quo is unacceptable
• Nothing is stable
• Surprise is constant
• We work at a permanent, structural disadvantage compared to our attackers

SUCCESS NOW AND IN THE FUTURE: WE ARE VIGILANT AND MINDFUL OF THE POTENTIAL PERILS

REMEMBER – “90% OF THE PUTTS THAT ARE SHORT DON’T GO IN.” – Yogi Berra