TRANSCRIPT
Information Security in Today’s Age:
…and What We Can Learn from Them
…from an Accounting Perspective
Presented by: Dr. Chuck Wood, Ph.D., CISSP, Duquesne University
Presented to the Western PA American Payroll Association
• Expenses and Revenue
• Cost Benefit
• Audit and Control
• Some Compliance
• Career Viewpoints
Many security problems come from incorrect accounting or management practices!
About Me…
• Chuck Wood
• Prof at Duquesne: Data Analytics (Data Science / Big Data), InfoSec, IT Infrastructure, Development
• Consultant / Analyst: Data Scientist / Predictive Analytics, Security, Infrastructure, Database and Development
• Some credentials: Ph.D. (Information and Decision Science), CISSP (top security certification), developer/DB certifications too, MBA, undergrad in Finance and Computer Science
So what is the problem?
• Businesses generate terabytes of information
• Increasing analysis
• Increasing demands by regulators
• Increasing compliance
• Increasing security controls verification
• Increasing notifications from the SIEM / IDS / IPS systems
• Increasing staff size? Guess again!
• SIEM (Security Information and Event Management) systems overloaded
Yahoo
• 2010 – Yahoo and Google hit by Chinese military hackers. Google disclosed; Yahoo didn’t (!)
• 2013 – Yahoo an easy target, per the Snowden wiki dump. Yahoo does nothing
• Users affected by breaches:
• 2014 (announced 2016) – 500 million
• 2013 (announced 2016) – 1 - 3 billion
• 2015-2016-2017 (announced a couple of weeks ago) – cookie hack (number of users not released (!!!))
• It’s an accounting issue! Security not worth it! Now lawsuits, government, etc.
• Verizon’s $4.8 bil buyout cut by $250 mil, plus legal costs, so far
You’re probably wondering what a slum has to do with Yahoo’s accounting and InfoSec, right?
What Yahoo Has Taught Us
• Accounting measures might need to be adjusted for security infrastructure investment
• Potential loss
• Probabilistic loss
• The amount saved will not come out of the existing expenses
• You, hopefully, will never find out how much you saved
• Never any justification
• InfoSec management needs to be top-down (!!!)
• How many times do we have to learn this!
• InfoSec is a managerial issue, not a technical issue.
• If you don’t support your security, your breaches will be worse
• Is that OK? Ethically, probably not. From a cost/benefit perspective, maybe!
The cost-benefit analysis is hugely problematic, and security cuts across areas. Where do your numbers come from?
Target
• Russian mafia: 25 major criminal orgs
• Nation-state hacking
• Installed RAM scraper on registers
• Stole credit card info
• Accessed through the HVAC vendor, Fazio Mechanical Services
• Didn’t need a password (!!!) – the IP address gets you in!
• Detected by FireEye and Symantec, but ignored (?)
• Rumors say overworked employees; rumors say limited funding
• Employees forced to triage?
• Limited resources cause the perimeter to shrink!
• Narrow perimeter issues
• Breach costs $148 million
• Over 90 lawsuits
• Share of US households shopping there dropped from 43% to 33% for Christmas
• $90 mil in class action
• Stock dropped $1.40 in one day, ultimately down 4.4%
• EPS from $.85 to $.78
• Lost jobs: CEO, CIO, 475 employees
• Preventative investment would have been worth it: increase in InfoSec ($61 mil), implement chip-and-PIN cards ($100 mil), increased staffing
– Sad Times
Sure, we can figure out how much they should have invested. Now, anyway. But hindsight is 20/20
What Target Has Taught Us
• Accounting
• It’s difficult to value InfoSec staff appropriately. So what staffing is appropriate?
• How much do you spend?
• You simply can’t respond to every incident without unlimited funds
• Management
• Cutting staff also cuts what they can do
• Misclassifying a perimeter can lead to crazy things
• Pay attention to escalating warnings
• You can’t replace people with tech
“If you think InfoSec problems can be solved with technology, then you don’t understand the technology and you don’t understand the
problems” – Unknown, but maybe Bruce Schneier
DNC – Does Not Compute (Does Not Compute Well, at any rate. Maybe I should have titled it “DNC – Gone Phishing”)
• Emails stolen by the Russian government
• Forensics: spy vs. spy info
• WikiLeaked
• Phishing: John Podesta clicked on an email – after being told not to!!!
• Victims: DNC director – fired; Podesta / Clinton relationship – compromised; strangely, no emails to or from Clinton in the WikiLeaks dump
• What did the DNC teach us? That we need training!!!
• How do you control for who is not trained, and audit it?
• What’s the recurring cost?
• The “Do you give up Wyoming?” accounting question.
• What’s the policy / reward / punishment for not training?
Rumor has it that the RNC was hacked as well, but not released.
OPM Hack, Cylance, and AI
• Office of Personnel Management hack
• China? Probably.
• 18 million individuals affected
• All applicants for Top Secret clearance
• All medical / psychological visits
• SSNs
• Fingerprints (!)
• Director and CIO “retired” (!)
• Detected by Cylance
• Uses AI and machine learning
• Detects based upon patterns
• Always evolving
• Maybe stops zero days?
PWC says 23% are starting to use AI/ML in their security systems in 2016
We are all OPM (maybe)!
Many of you…of us…RIGHT NOW…are being hacked. (COMMUNICATE THAT!) Can Big Data / AI / Machine Learning / Predictive Analytics solve our problem? MAYBE!
AI / Machine Learning
• Old way – react with no AI/ML
• Track the way bad guys work
• Constantly adapt to new techniques
• Monitor: signatures / bad site lists; traffic / IP addresses; storage / file size / file date / checksum
• New way – react better with AI/ML!
• Still do the old way stuff!
• Track the way good guys work
• Figure out deviations from the good guys
• Unknown (and unknowable) patterns
• Stats / AI / expert systems / neural networks
• Old and new way – plan, protect, and assume that the disaster will happen … because it will happen!
We try to anticipate, but make no mistake – security is reactive
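As an added example (not from the talk), here are the old way and the new way side by side in Python over a constructed event log: a blocklist match first, then a per-user baseline of normal daily volume and source addresses, with deviations flagged by z-score or by a never-before-seen address. The users, addresses, byte counts and the blocklist entry are all made up for the illustration.

```python
# Added example, not from the talk: "old way" (indicator match) next to
# "new way" (baseline the good guys, flag deviations). All data is constructed.
from collections import defaultdict
from statistics import mean, pstdev

BAD_IPS = {"203.0.113.9"}  # constructed blocklist, the "old way" signature

# Constructed event records: (day, user, source_ip, bytes_out)
EVENTS = []
for d in range(1, 15):  # 14 baseline days of routine activity
    EVENTS.append((d, "alice", "10.0.0.5", 1000 + 10 * d))
    EVENTS.append((d, "bob", "10.0.0.7", 500 + 5 * d))
EVENTS += [  # day 15: alice's account used from a new address to move ~50x her usual volume
    (15, "alice", "198.51.100.4", 50000),
    (15, "bob", "10.0.0.7", 575),          # bob looks like his usual self
    (15, "carol", "203.0.113.9", 300),     # carol talks to a blocklisted address
]


def signature_hits(events, day):
    """Old way: exact match against known-bad indicators. Misses anything new."""
    return [(u, ip) for d, u, ip, _ in events if d == day and ip in BAD_IPS]


def build_baseline(events, train_days):
    """Per user: mean and population stddev of daily bytes_out, plus the set of
    source addresses seen during the training period."""
    per_day = defaultdict(lambda: defaultdict(int))
    seen_ips = defaultdict(set)
    for d, u, ip, n in events:
        if d in train_days:
            per_day[u][d] += n
            seen_ips[u].add(ip)
    baseline = {}
    for u, days in per_day.items():
        vals = [days.get(d, 0) for d in train_days]  # quiet days count as 0
        baseline[u] = {"mean": mean(vals), "std": pstdev(vals), "ips": seen_ips[u]}
    return baseline


def behavioural_hits(events, day, baseline, z_threshold=3.0):
    """New way: flag users whose day deviates from their own baseline.
    Returns (user, reason, z) tuples; z is None for non-volume reasons."""
    totals, ips = defaultdict(int), defaultdict(set)
    for d, u, ip, n in events:
        if d == day:
            totals[u] += n
            ips[u].add(ip)
    findings = []
    for u, x in totals.items():
        b = baseline.get(u)
        if b is None:
            findings.append((u, "no baseline for user", None))
            continue
        if b["std"] > 0:
            z = (x - b["mean"]) / b["std"]
        else:  # constant history: any change at all is a deviation
            z = 0.0 if x == b["mean"] else float("inf")
        if z > z_threshold:
            findings.append((u, "volume", round(z, 1)))
        new_ips = ips[u] - b["ips"]
        if new_ips:
            findings.append((u, "new source ip " + ",".join(sorted(new_ips)), None))
    return findings


if __name__ == "__main__":
    base = build_baseline(EVENTS, range(1, 15))
    print("signature:", signature_hits(EVENTS, 15))
    print("behaviour:", behavioural_hits(EVENTS, 15, base))
```

The blocklist catches only carol, whose address is already known bad; the baseline catches alice, whose address and volume are new to her history but match no signature anywhere. The "no baseline" case is left as its own finding on purpose: a user with no history is exactly the kind of gap an attacker with a fresh account exploits.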
BUT… Here’s an Accounting Valuation Issue
• Shortage of security people, BUT…
• Security is tied to expenses, so salaries are depressed
• Analytics is tied to revenue, so you pay more for analytics (but it’s often worth it!)
• So using analytics to augment security…
• Will be more expensive
• May catch new threats sooner / immediately
• It might be cost effective
[Chart: Information Security Jobs vs. Data Science Jobs by salary band – 20k-55k, 55k-80k, 80k-100k, 100k+. Collected from Indeed.com for Pittsburgh]
RansomWare
Hacker’s process:
1. International hackers gain access
2. Hacker encrypts hard drive
3. Hacker demands bitcoin for passcode
4. Company pays! (Oh yes they do!) Haggling reduces the fee on average by 29%
5. Hackers give passcode to companies
Do you pay? FBI says no, don’t do it! Survey says yes, do it! (Sorry, FBI)
RansomWare
• Hollywood Presbyterian Medical Center -- $17k
• University of Calgary -- $16k
• MedStar -- $17k
• CryLocker had over 8000 victims in 2 weeks in September!
• Targeting is going from individuals to big business
• Businesses keep very quiet about it
From 2005-2016, IC3 reports over 7,700 ransomware complaints and over $57 mil. Personal ransom is $200 to $10,000
Ransomware spiked 6000% in 2016!
CEO Spoofs!
• The FBI reports CEO spoofs: $2.3 billion from 2013-2016; 270% increase since 2015
Spoofing a CEO email is very simple!
• You definitely need some policies for responding to emails!
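Policy is the control, but the mailbox can help enforce it. As an added example (not from the talk), here is a Python check of the headers a spoofed "CEO" email usually gets wrong: a known executive's display name on the wrong address, a lookalike sender domain, a Reply-To that diverts the thread, no passing SPF/DKIM result, and pressure language in the subject. The company domain, the executive list, the word list and both messages are constructed for the illustration.

```python
# Added example, not from the talk: header checks for a spoofed "CEO" email.
# The domain, executive list and messages below are constructed for illustration.
import email
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumed: the company's own domain
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}    # assumed: display name -> real address
URGENT_WORDS = ("urgent", "wire", "transfer", "confidential", "gift card")


def edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, real=CORP_DOMAIN):
    """A domain that is not ours but is one or two edits away, or embeds our name."""
    if domain == real:
        return False
    label = real.split(".")[0]
    return edit_distance(domain, real) <= 2 or label in domain


def spoof_indicators(raw):
    """Return the list of reasons this message looks like a CEO spoof (empty = none)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    subject = msg.get("Subject", "").lower()
    reasons = []
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        reasons.append(f"display name impersonates {real} but address is {addr}")
    if domain and is_lookalike(domain):
        reasons.append(f"lookalike sender domain {domain}")
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    auth = msg.get("Authentication-Results", "").lower()
    if auth and "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append("no passing SPF/DKIM result")
    if any(w in subject for w in URGENT_WORDS):
        reasons.append(f"pressure language in subject: {subject!r}")
    return reasons


# Constructed messages: one spoof, one genuine note from the same executive.
SPOOFED = (
    "From: Pat CEO <pat.ceo@examp1e.com>\n"
    "Reply-To: pat.ceo.private@mail.example.net\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com\n"
    "Subject: URGENT wire transfer before close of business\n\n"
    "Pay the attached invoice today and keep it confidential.\n"
)
LEGIT = (
    "From: Pat CEO <pat.ceo@example.com>\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass\n"
    "Subject: Lunch on Thursday?\n\n"
    "Are you free?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoof_indicators(raw))
```

None of these checks is proof on its own (executives do mail from phones and personal accounts), which is why the function returns reasons rather than a verdict: the point is to route anything with a hit into the "call the CEO back on a known number" policy instead of the payroll queue.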
RansomWare Prevention
• Separate storage
• Secure, offline backups
• Careful of continuous or cloud-based backups
• Physically separate business units
• Training: quit clicking on emails!
• Patching
• IDS / IPS
• Watch out for IoT!
• Least privilege
• Don’t run weird software
• No macros
• Software Restriction Policies (SRPs): restrict the AppData/LocalAppData folder; restrict temporary storage
• Whitelisting
• Use a virtualized environment
Dyn and DDoS
• DDoS is a Distributed Denial of Service attack: lots of computers request info from your server
• Your server can’t keep up
• Your server can’t process other clients
• Gaming sector most often hit
• Often a ransom demand is involved
Dyn and DDoS
• Dyn provides DNS for much of the Web: when you type in “www…”, Dyn tells your computer where the server is.
• On October 21, 2016, Dyn was taken down.
• IoT attack (security cameras, baby monitors, and routers, mainly)
• Mirai malware was used
• Investigated by Brian Krebs
• …who implicated Paras Jha as the author
• …who worked under the direction of Christopher “CJ” Sculti
• …and who, allegedly, released the Mirai code on the Dark Web to ensure plausible deniability
• Broke the Internet on the East Coast
• Who did it?
• First we said the Russians
• Then, on Politico, hacktivists took credit: SpainSquad, Anonymous, New World Hackers
• Cited Ecuador turning off Assange’s Internet
• But it turned out that it was probably the work of script kiddies using the Mirai code
[Photos: Brian Krebs, Paras Jha, Christopher “CJ” Sculti]
Steps to DDoS Mitigation
1. Identify the attack early: increased network traffic; strange IP addresses
2. Overprovision bandwidth
3. Defend at the network perimeter: rate-limit your router; filter your router; aggressively time out connections; drop spoofed packets; set lower SYN, ICMP, and UDP thresholds
4. Call your hosting provider
5. Call a specialist
6. Make a plan first (!!!)
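Steps 1 and 3 above are the ones you can script. As an added example (not from the talk), here is a Python pass over sampled packet records that identifies a SYN flood early by counting SYNs per source per window, calls out sources that leave connections half-open (SYNs with almost no ACKs), and separately flags sources in address space that can never legitimately reach an Internet-facing interface, which is what "drop spoofed packets" means in practice. The bogon list, thresholds, window size and all packets are constructed assumptions; the iptables lines are printed for a human to apply, not executed.

```python
# Added example, not from the talk: early identification of a SYN flood from
# sampled packet records, with spoofed (bogon) sources and half-open sources
# called out so they can be dropped at the perimeter. All packets are constructed.
import ipaddress
from collections import defaultdict

# Address space that must never appear as a source on the Internet-facing side
# (assumed list: RFC 1918, loopback, link-local, multicast, reserved).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_NETS)


def analyse(packets, window=10, syn_threshold=100, min_syn=10, ack_ratio=0.1):
    """packets: iterable of (timestamp_seconds, source_ip, tcp_flag) with flag
    'S' (SYN) or 'A' (ACK). Returns {source_ip: [reasons]} for sources that
    exceed the per-window SYN threshold, leave connections half-open, or come
    from address space that cannot legitimately reach this interface."""
    counts = defaultdict(lambda: defaultdict(lambda: {"S": 0, "A": 0}))
    for ts, src, flag in packets:
        counts[ts // window][src][flag] += 1
    flagged = defaultdict(list)
    for w, sources in sorted(counts.items()):
        for src, c in sources.items():
            reasons = []
            if is_bogon(src):
                reasons.append("spoofed source (bogon) in window %d" % w)
            if c["S"] >= syn_threshold:
                reasons.append("%d SYN in %ds window" % (c["S"], window))
            if c["S"] >= min_syn and c["A"] < ack_ratio * c["S"]:
                reasons.append("half-open: %d SYN, %d ACK" % (c["S"], c["A"]))
            if reasons:
                flagged[src].extend(reasons)
    return dict(flagged)


def drop_rules(flagged):
    """Perimeter filter lines (iptables syntax) for the flagged sources."""
    return ["iptables -I INPUT -s %s -j DROP" % src for src in sorted(flagged)]


# Constructed sample: four normal clients, one busy but normal client,
# one flooding source, and one flood from a spoofed private address.
PACKETS = []
for i in range(5):
    for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"):
        PACKETS += [(i, src, "S"), (i, src, "A")]
for i in range(30):
    PACKETS += [(i % 10, "198.51.100.9", "S"), (i % 10, "198.51.100.9", "A")]
PACKETS += [(i % 10, "203.0.113.50", "S") for i in range(200)]
PACKETS += [(i % 10, "10.1.2.3", "S") for i in range(150)]

if __name__ == "__main__":
    hits = analyse(PACKETS)
    for src, reasons in sorted(hits.items()):
        print(src, reasons)
    print("\n".join(drop_rules(hits)))
```

The busy client with 30 SYNs and 30 ACKs is deliberately in the sample: a rate threshold alone would tempt you to block it, and the half-open check is what keeps a legitimate heavy user off the drop list. Per-source rules also only help against a small number of attacking addresses; a real Mirai-sized botnet is why step 2 (bandwidth) and step 4 (your provider) come before you touch the router.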
Abusing Ukraine’s Power Grid
• Spear phishing to gain access
• Hackers spent months in the system
• Rewrote firmware
• Used KillDisk malware to erase hard drive files, then break the drive
• Did a TDoS (Telephone Denial of Service) attack
• Disabled UPS to keep workers in the dark, just for fun
• Hijacked VPN, took over computers, turned everything off, reset admin password
• Ukraine actually had a good firewall subsystem infrastructure: gave some protection, and let us track exactly what happened
• Probably Russia did the attack
Other Nation State Attacks
• Aurora Generator Test: U.S. test in 2007; causes a diesel generator to explode; requires 21 lines of code!
• Stuxnet: breaks centrifuges; took down Iran’s nuclear capabilities for about a decade
• Resulted in new standards: NERC-CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
Continuous NERC-CIP compliance for all utilities is still a problem!
CIA – We need Q to come up with more tools!
• Leak on March 3
• All the methods for electronic surveillance leaked.
• Who leaked? WikiLeaks says insider; rumors – some insiders say otherwise; Russia? White House/FBI/NSA vs. CIA?
• CIA always could hack: phones, smart TVs, vehicles
• If the CIA can hack you, so can EVERYBODY!
BYOD – It’s a huge risk
• BYOD risk: easily lost or stolen phones; remote attacks
• 40% of the Fortune 500 do nothing
• 50% of the Fortune 500 have no budget (!)
• 33% don’t test their security apps!
• Often undetectable! Corporate apps are unmanaged; personal apps are allowed
• You can detect intrusions into your DMZ, but you probably cannot detect phone hacks!!!
Imagine the press release … “We have no idea how the Russian Mafia got that data!” From a recent IBM / Ponemon study
CIA and BYOD Lessons Learned
• It depends, right?
• If insider: least privilege; audit procedures; no removable data / no BYOD; treat tools as companies treat intellectual capital (I thought they were doing all of this already.)
• If Russia: updated IDS/IPS/SIEM; close monitoring of traffic; close auditing of individuals
• If competing governmental organization: accountability; log access; chain of evidence rules
What About the Cloud?
• A lot more cloud IT services: scalable, flexible, cost effective
• …with a lot more security: responsive to threats at scale
• On-premises infrastructure usually can’t compete: storage limits, processor limits, scalability limits
• The more anyone’s attack is mitigated, the stronger everyone becomes
• Threat management tools, used by 62% of the companies: authentication, identity and access management; real-time monitoring; analytics; threat intelligence
So, seriously, what happened to the other 50ish percent?
Thanks!
• Questions?
• Comments?
• Experiences?