Jason Witty, SVP & CISO at US Bank - Next generation information security meets the board of directors

Jason Witty, SVP & CISO at US Bank spoke at the CIO North America Event June 2013

  • billion, trillion, quadrillion, quintillion
    Data measured in terabytes, now exabytes | bandwidth measured in Mbps, now Gbps
    Packets per second move from hundreds of thousands to millions
    Devices connected move from millions to hundreds of millions
    Global internet users: 2,405,518,376
    Internet users per 100 people: 2003, 12.3; 2011, 32.8
    Email: 1999, 400 million email accounts; 2011, 3.1 bn email accounts
    144,834 new URLs every day – up 21%
    # of PCs in the world: 2000, 164,596,614; 2004, 757,351,444
    Secure Internet servers (per 1 million people): 2003, 36.8; 2011, 183.9
    Hosts: Jan 2000, 72,398,092; Jan 2012, 888,239,420
    Active sites: Jan 2000, 7,542,571; Jan 2012, 182,441,983
    Fixed broadband Internet subscribers (per 100 people): 2003, 1.7; 2011, 8.6
    Weighted Ave. bandwidth: 2000, 175.2 Mbps per 1 million people; 2005, 939.8 Mbps per 1 million people
    Global e-commerce: Dec 2011, $961 billion
    Data: Humankind has stored more than 295 billion gigabytes (or 295 exabytes) of data since 1986. In 2007 we broadcast 1.9 zettabytes, or 1,900 exabytes, of information through technology such as televisions and GPS devices. "That's equivalent to every person in the world reading 174 newspapers every day."
  • This slide indicates relative proportions of physical/tangible assets (cash in circulation, mandated reserves, gold reserves – indicated by red circles) compared to ‘virtual’ funds that are either tied to commerce or banking (deposits, loans), where the money is entirely electronic (indicated by blue circles).
    As electronic representations of cash are considered equivalent to the physical notes (which in turn are only representative of a perceived market value), there is nothing like enough physical monetary reserves (or gold reserves) to be able to cover the money held electronically.
    Broad Money (actually “stock of broad money”): although the stock of broad money includes short-to-medium-term liquid assets, the reality is that this money (savings, loans, deposits, money markets) is not realizable in physical terms – the nature of fractional reserve banking is that FIs are required to have only a proportion of money held or on loan in the form of actual physical reserves.
    Stock of Broad Money comprises:
    Total quantity of demand deposits (current/checking)
    Total quantity of time and savings deposits
    Credit union deposits
    Institutional money market funds
    Total quantity of currency in circulation (NOT INCLUDED IN THIS FIGURE – we have subtracted it here as we account for it separately in the Monetary Base)
    The Stock of Broad Money figures come from the CIA World Factbook: This entry covers all of "Narrow money," plus the total quantity of time and savings deposits, credit union deposits, institutional money market funds, short-term repurchase agreements between the central bank and commercial deposit banks, and other large liquid assets held by nonbank financial institutions, state and local governments, nonfinancial public enterprises, and the private sector of the economy. National currency units have been converted to US dollars at the closing exchange rate for the date of the information. Because of exchange rate movements, changes in money stocks measured in national currency units may vary significantly from those shown in US dollars, and caution is urged when making comparisons over time in US dollars. In addition to serving as a medium of exchange, broad money includes assets that are slightly less liquid than narrow money and the assets tend to function as a "store of value" - a means of holding wealth.
    Global Overview
    VIRTUAL CAPITAL
    Capital stock (bonds and stocks) - $212 trillion – McKinsey
    Stock of Broad (M2+) Money - $81.61 trillion – CIA World Factbook
    Stock of narrow (M1) money - $25.64 trillion – CIA World Factbook
    Global Monetary Base - $16.1 trillion – ballpark figure generated using data from a recent economics paper applied to Gross World Product of $69.99 trillion (CIA World Factbook). Approximately 23% of Gross World Product, estimated using data from the paper Global Excess Liquidity & Asset Prices In Emerging Countries, A PVAR Approach (University of Bordeaux & Banque du France, Jan 2012)
    LIQUID RESERVE
    1,008.22 fine troy ounces in millions pegged to September 16 $1770 po - ~1.785 trillion dollars - IMF
    Additional figures (not used in diagram above)
    Gross World Product - $69.99 trillion
    Global Debt - $69.08 trillion
    U.S. Overview
    Market value of publicly traded shares - $15.64 trillion (CIA WF)
    Bond Market size (govt, municipal, agency, corp, mortgage) - $32.3 trillion (Wikipedia, Q2 2011) – this was combined with share valuation above to get 47.6 trillion
    Stock of Broad Money - $12.99 trillion (CIA WF)
    Monetary base - $2.653 trillion (Fed Reserve)
    Fed Gold Holding (Dec 2010) - 8,133.5 tons * $1770 troy ounce - $462.85 bn (Wikipedia)
    Info from:
    CIA World Factbook – All dates are December 31, 2011 unless stated otherwise.
    McKinsey Global Institute – Mapping Global Capital Markets Report 2011
    IMF
    Additional figures (not used in diagram above)
    IMF figures for US - 141,512 billion financial assets – 46310 bn tangible assets – 12/31/2008
    U.S.D. cash in circulation as of September 2012 - $1.127 trillion (Federal Reserve) – included in Monetary base
    USA Stock of Narrow Money - $2.324 trillion (CIA WF)
  • Mobile: Pew Research Statistics, September 11, 2012 – 45% of American adults own smartphones, up 10% from May 2011. They are particularly popular with young adults and those living in relatively higher income households; 66% of those ages 18-29 own smartphones, and 68% of those living in households earning $75,000 also own them.
    Some features we offer…
    Pay A Person transfers
    DepositPoint check deposit
    Instant Credit apps
    Mobile Wallet testing
    MobileWeb
    Pay A Person – transfer cash to individuals simply and easily, from checking to the person’s email or phone.
    DepositPoint – you can photograph a check and it deposits instantly.
    Additional apps include Instant Credit Apps, now on Android and iPhone – US Bank partnered with various retailers like REI & Aces Hardware to make it a snap to apply for credit cards in partner retail stores without the inconvenience of paperwork - the credit is available instantly.
    Cashless payments are the next step, and USB has tested mobile wallet technologies that turn your smartphone into a debit card stand-in.
    Susan Crawford, Harvard professor and formerly a special assistant for technology policy for President Barack Obama, points out that, “There is nothing more imaginary than a monetary system. The idea that we solemnly hand around printed slips of paper in exchange for food and water shows just how trusting and fond of patterned behavior we human beings are. So why not take the next step? Of course we'll move to even more abstract representations of value.” Pew Research Panel on the Future of Money in a Mobile Age – April 2012.
    Social media: 62% figure from March 28, 2012, from a survey conducted by Ipsos/Reuters.
    Increased our Facebook “likes” from 12,763 in April 2012 to 30,706 in August. We use it for CRM, awareness and promotion, marketing, reputation management, customer education (Tami), etc.
    ASB Bank in New Zealand has had a Facebook-based virtual bank presence for two years where you can use an app to talk with a service specialist in real time. FB is working with various banks to enable apps that allow people to make payments to third parties, etc.
    Digital Banking
    Future is:
    Convenient & easy
    Lower cost
    Always available
    Accessible through multiple channels
    "Digital Banking to Be the Norm By 2015" - PricewaterhouseCoopers (PwC), Jan 16, who say:
    The "digital tipping point" where more customers are expected to do their banking through online/digital means is estimated to be the year 2015.
    67% of Generation Y respondents currently use or were looking to use mobile banking.
    Roughly 2/3 of respondents said that they would be willing to pay nominal fees for use of these expanded digital services.
    "To grow revenues and combat high customer inertia, banks need to focus on attracting the next generation of customers – which will be largely made up of Generation Y and the unbanked population. For these customers, a bank's digital services will be more central to their decision-making process than branch location or even brand."
    "The banks that provide a differentiated digital experience, with advice and relationship management elements tailored to the individual customer, will secure deeper engagement and more profitable relationships with their customers."
    Square: http://www.economist.com/node/21554744 - disruptive because it lowers cost of reader-ownership. Vendor actually provides the reader for free.
  • Fraudsters; Hacktivists; Nations
    Cyber-threats evolving dramatically
    Technology advancements allow sophisticated cyber-attacks
    Cyber-hacktivism now a major threat
    Nation-state support a game changer
    Need for actionable public-sector intelligence at all time high
  • Hacktivists – 58% figure from Verizon
    Typical pattern has two phases:
    Stealthy investigation/infiltration
    Swarming attacks to exploit vulnerabilities and/or bring down servers
    http://threatpost.com/en_us/blogs/average-web-app-attacked-every-three-days-080812
    Threats to computing resources and data have changed significantly in the past 12-18 months. Insiders have caused major issues for many corporations. Hacktivists have used “botnets” (millions of computers under the control of an individual or group) to cause disruption to marquee sites like Visa, Mastercard, FBI, and US Department of Justice for the purpose of furthering political agendas. Organized crime has moved from a part-time market to full-time criminal corporations employing tens of thousands of people whose full-time jobs are to write viruses, exploit bugs in commercial software, distribute point-and-click hacking tools and services to less-skilled criminals, send SPAM email campaigns, rent time on stolen computer networks, and package and distribute stolen personal records and banking information. Meanwhile, many nations have realized the asymmetric power of attacking enemies with computer-based weapons like Stuxnet, Duqu, and Flame malware, which were reportedly designed to shut down nuclear enrichment facilities in the Middle East. Putting this in perspective, over 100 countries have recently developed cyber-fighting capabilities and 36 countries now have formal military doctrines around cyber-warfare.


  • 1. Jason Witty SVP, Chief Information Security Officer U.S. Bancorp
  • 2. The Expanding Internet – Past 15 years: 2013; THE SUPERHIGHWAY, Circa 1998
    Analogy, 1998 vs. 2013:
    Cars: 1998, Billions (1,000,000,000), 60 mph; 2013, Quintillions (1,000,000,000,000,000,000), 60,000 mph
    Lanes: 1998, 4; 2013, 4,000
    On/Off Ramps: 1998, Millions (1,000,000); 2013, Hundreds of Millions (800,000,000)
  • 3. “Digital Currency” Setting the Stage: The Global Economy
    Global Overview: Broad Money $65.5 trillion; Monetary Base $16.1 trillion; Gold Reserves $1.8 trillion; Capital stock (bonds, stocks) $212 trillion
    U.S. Overview: Broad Money $10.3 trillion; Monetary Base $2.6 trillion; Gold Reserves $462.8 billion; Combined Market Value (bonds, stocks) $47.6 trillion
    Approximate percentage of digital currency in the global market: 93.6%
    Cash and gold available as a proportion of banking & commerce funds: 6.4%
    Physical reserves (printed money, gold, etc.)
    Sources: CIA World Fact-book as of YE 2011; Global Capital stock est. by McKinsey
    FS-ISAC: For Official Use Only | 3
  • 4. Innovative Trends to Watch: Mobile Computing; Social Networking; Cloud
  • 5. Developing Innovative Trends & Opportunities Cloud Social Digital banking 45% Ranking in top ten strategic technologies list, according to Gartner Mobile of U.S. adults own a smartphone 15% annual growth of U.S. Bank retail mobile channel 1 Billion Approximate number of users on Facebook 62% of adults globally use social media 1 Facebook-based virtual bank, and Facebook online banking apps New sign-ups for Square’s smartphone-based payment card-processing service 2015 the year when online banking becomes the new norm 1m phone owners used mobile banking services in last year 21% #1 $40 Billion Estimated spend by business on cloud computing this year Flexible… Collaborative… Disruptive… Enabling… 60% of the public cloud will serve software by 2016 PayPal account holders 100m
  • 6. Setting the Stage: Social Media
    Categories: Social networking; Content communities; Blogs / microblogs; Virtual / game worlds; Collaborative projects; Locational
    Facebook: Most popular, 1bn users
    LinkedIn: Professionals, 175m users
    Google+: Integrated apps, 500m users
    Myspace: Entertainment, 25m users
    Klout: Measures influence
    YouTube: Video, 1tr views
    Flickr: Image gallery, 80m visitors
    Pinterest: Scrapbooking, 25m visitors
    LiveJournal: User generated, 1.7m users
    DeviantArt: Art portfolios, 36m visitors
    Instagram: Photo editing, 100m users
    Twitter: Microblog, 500m users
    Tumblr: User generated, 77m blogs
    Huffington Post: News / political blogging content provider, 54m visitors monthly
    Steam: Service, 54m users
    Xbox Live: Microsoft, 35m users
    WoW: Gaming, 10m players
    Second Life: Virtual world, 1m users
    Habbo: Virtual chat, 10m users
    Reddit: Social news, 43m users
    Wikipedia: Crowd-sourced Encyclopedia, 1.5bn users
    Coursera: educational, 1m students
    Kickstarter: Virtual chat, 73k projects
    Foursquare: Mobile / geo, 20m users
    Reposting/Retweeting: No delete key on the Internet
    Smartphones; Geographic data; Key tenet
    *user counts approximate as of Nov 2012
  • 8. Cybersecurity Threats: Actor Groups
    Organized crime: Cybercrime is a mature industry with marketing, support, advertising, R&D, and economies of scale
    Insiders: Can be difficult to detect; usually low-tech, relying on access privileges
    Hacktivists: Responsible for 58% of all data stolen in 2011; 2011 targets included CIA, FBI, Visa, MasterCard, Sony, Amazon, others
    Nation-states: Since 2010, nation-state linked malware increased from 1 to 9; 5 in 2012. Malware for espionage, creating breach opportunities, even sabotage
  • 9. Strategies Must Be Intelligence-Driven
    Regulatory Intelligence: Expect we provide evidence of a STRONG information security program
    Employee Intelligence: Strive for excellence and are interested in how and where they WORK
    Shareholder Intelligence: Require we protect revenue to enable GROWTH
    Business Line Intelligence: Require AGILITY and fast time to market to meet business goals and customer demand
    Cyber-Threat Intelligence: Exploit vulnerabilities and require the capability of a MATURE prevention and recovery response environment
    Customer Intelligence: Place TRUST in us and demand we are careful stewards of their data
  • 10. Threat Intelligence Service Architecture: Financial Industry; FS-ISAC; BITS; FSSCC; Malware Intelligence; Vulnerability Intelligence; Microsoft Vulnerabilities; MSDN; OWASP; Common Vulnerabilities & Exposures; Cyber Threat Intelligence; Fraud & Phishing Intelligence; Government Agencies; Homeland Security; USSS; Other Agencies; FBI
  • 11. Strategies Must Be Comprehensive
    DEVICES: Are secure and patched regularly to keep secure over time
    THIRD PARTIES & VENDORS: Control parity is risk-based and protections are appropriate
    NETWORKS: Are monitored 24x7
    IDENTITY & ACCESS: Is appropriate based on job role
    INDUSTRY & PARTNERSHIPS: Provide actionable cost-effective threat and risk intelligence
    DATA & INFORMATION: Is secure at rest and in transit
    CUSTOMERS & CLIENTS: Are educated on cyber-risks and their role protecting their devices
    APPLICATIONS: Are secure in development and production
  • 12. Managing Risks Associated with Cloud Computing
  • 13. Cloud Computing: Real or Hype?
    Both!
    Next Phase of the Internet
    Early '90s – Mid '00s: Compute Connectivity (networks abound)
    Mid '00s – Mid '20s: Compute Utility
    Overhyped in the short term, underhyped in the long term
    Convert NY Times Articles (1851-1922) TIFF->PDF, Nov 1, 2007 - Derek Gottfrid – NY Times: “Thanks to the swell people at Amazon, I got access to a few more machines and churned through all 11 million articles in just under 24 hours using 100 EC2 instances, and generated another 1.5TB of data to store in S3.”
  • 14. Nightmare Scenario
    June 2009 – UK IaaS provider, VAServ has 100,000 customer websites deleted at one time
    Initial reports “attacked by zero-day exploit in version 2.0.7992 of the LXLabs-developed HyperVM.”
    50% of VAServ customers lost all data: Had opted for unmanaged service – no backups
    CEO of HyperVM Suicide
    Hypervisor Password
    “Web Host Hack Deletes 100k Sites”
    SOURCES
    http://en.wikipedia.org/wiki/HyperVM
    http://www.theregister.co.uk/2009/06/08/webhost_attack
    http://www.thewhir.com/web-hosting-news/060809_Web_Host_Hack_Deletes_100k_Sites
  • 15. Virtualized N-Tier Control Equivalence: “Old Way” / “New Way”. How do we ensure control parity? [Diagram labels: Internet Users; FW; WAF; NIDS / IPS; Presentation Layer; Data Layer; Hypervisor]
  • 16. Managing Risks in the Cloud Copyright © 2013 Cloud Security Alliance
  • 17. Managing Risks in the Cloud
    Popular best practices for securing cloud computing
    Flagship research project
    V2.1 released 12/2009
    V3 released 11/2011
    Guidance: cloudsecurityalliance.org/guidance
  • 18. Cybersecurity Trends to Watch: Nation-States a Game-Changer; Advanced Malware / Tactics; Denial-of-Service
  • 19. Questions? Contact: jason.witty@usbank.com