Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

Visit www.plusconsulting.com for more information. Organizations are losing the cyber-security battle and most don't know that it is happening (or choose to ignore it). The persistent threat environment means that you have had or will have a breach and may not know about it. Growth in data, applications features, and collaboration makes cyber-security a greater challenge. Complex, clever and continuous threats and security tools in isolation of a continuous security program only delay the inevitable.

Published in: Technology
  1. Cyber-Security Threats: Why we are losing the battle (and probably don’t even know it!) December 12th, 2013
  2. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu, The Art of War
  3. John Hudson
     - 15 years designing security strategies
     - Business Process Engineer
     - Why cyber-security fails: a mission
     - CISO, University of Pittsburgh (35,000+ users); blocked over 100,000 attacks every day; experienced Anonymous attacks; bomb threats and forensics investigations
     - Worked in distributed and closed environments
  4. Plus Consulting Cyber-Security Practice helps organizations:
     - Identify risk and control failures, based on their organization
     - Cyber-security frameworks
     - Pen-testing, vulnerability scanning, social engineering
     - Solve security problems (for example, doing business in high-risk countries)
     - Compliance readiness
     - We help organizations plan, refine and implement cyber-security strategies
  5. Premise
     - Organizations are losing the cyber-security battle and most don’t know that it is happening (or choose to ignore it)
     - The persistent threat environment means that:
       - You have had a breach and may or may not know it
       - You will have a breach and may or may not know it
     - Growth in data, application features, and collaboration makes cyber-security a greater challenge
     - Security tools in isolation of a continuous security program only delay the inevitable
     - Attacks are complex, clever and continuous
  6. Outline
     - Current threat environment
     - Organizational challenges
     - Why “they” are winning
     - Neutralizing “them” from winning
  7. Threat Environment: “The more things change, the more they stay the same...” Alphonse Karr, 1849
  8. Acceptance
     - Attacks are more targeted
     - Malware is more complex and multi-dimensional
     - Social engineering is an art
     - Hacktivism is here to stay
     - Anti-forensics is now the norm
     - Cyber-attacks are becoming strategic
     - Nearly all attacks are external (98%)
     - Hacking tools for sale online (with better SDLC than most developers)
  9. Simple Targeted Attack
     - Open source intelligence – find entry points
     - Collect data and profile – website scraping
     - Build spoof sites – your brand, your people
     - Email campaign from a “known source”
     - Phone calls to “known targets”
     - Scan for vulnerabilities
     - Exploit with malware or walk through the front door
     - Keep the door open
     - Harvest under the radar
     - 5-10% return
  10. But...
     - Criminals are targeting organizations with sophisticated attacks, but...
     - 79% of attacks are still targets of opportunity
     - 96% of attacks were not difficult
     - 85% of breaches took weeks to months to discover (source: Verizon 2012 Data Breach Investigations Report)
     - “It won’t happen to us – we are too small” is long gone!
  11. We could now talk about the latest and greatest zero-day exploits, security appliances, or regulations coming down the pipeline all day long... but organizations are not dealing with the basics.
  12. Organizational Challenges
  13. Big Data – Big Problem (chart: 5 exabytes of data; 2003: year 0; 2011: every 2 days; 2013: every 10 minutes)
  14. Asset Value...
     - Few organizations know:
       - The value of their data
       - The value of uptime
       - The impact of its loss
       - Or the value placed on it by others
     - If you don’t know the value and loss impact, how can you protect it?
     - Have disaster plans, but ignore the disaster of lost data
     - At best, all data is treated as equal
  15. The rules have changed...
     - Privacy is being challenged
     - Generational mindsets
     - BYOD/BYON
     - The Cloud (good or bad?)
     - Virtualization – paradigm change in deployment
     - Smartphone is your computer – what next?
     - Security budgets have not grown in ten years even though the problem has exploded
  16. Extension of Security Boundary = More Points of Entry
  17. Why “they” are winning
  18. Organizations Are Abdicating Responsibility
     - Boards and executives do not own the problem
       - They are not asking the right questions
       - It is not part of the strategy
       - They do not drive down security posture
       - At best, it is seen as an IT problem at the tactical level
     - CISOs report to the wrong people (if they have one)
     - Potential career-ending decisions if doing the job
     - Security is not a technical issue
       - Technology is the output of security, not the input
       - But security is now a specialist subject
  19. Organizations Are Abdicating Responsibility
     - Audits do not equal security
       - Checking boxes on flawed controls gives a false sense of security
       - Compliance is not security – it has yet to stop an attack
       - Compliance is confusing and not backed
     - The wrong people are held accountable
       - Breach = ex-CISO
     - Policy manuals just kill more trees
  20. Result
     - No mandate to invest in the right security
     - Little backing = no putting the head above the parapet
     - Problems are hidden
       - We are going live tomorrow with ERP, but there’s a security issue – what do you do?
       - Identified risk is only important if it does not stop the operation
     - CISOs jump from job to job
     - Security staff feel undervalued
     - Wrong money spent solving yesterday’s problems
  21. So let’s Summarize...
     - Threats = more complex, faster, multi-dimensional
     - For most organizations, simple exploits will gain results
     - State-run attacks and hacktivism are becoming the norm
     - Organizations are using data in ways unimaginable 10 years ago, and treat security in the same way
     - Organizations are not talking about the value of their assets
     - Security is seen as a low-level technical responsibility
     - Many Fortune 500 companies do not have a CISO
     - The biggest disaster an organization may ever face is a breach
  22. Neutralizing “Them” from winning
  23. It’s a Journey
     - Until boards and executives own the problem, little will change
       - Appoint board oversight of security
     - Identify the value of your assets
     - Identify the loss impact of your assets
     - Identify what can hurt you
     - This forms the security problem
  24. It’s a Journey
     - Design a continuous security program around the problem
       - Create choke-points
       - Back them
       - Audit the mitigation strategies
     - (diagram) User (desktop, tablet or laptop) -> The Choke Point (multi-factor authentication; no port 80; BI with scrambling; encryption; IPS/IDS) -> Secure Zone (virtual servers; virtual desktop)
  25. It’s a Journey
     - Segregate security reporting from IT
     - Reward based upon security metrics, not IT metrics
     - The board is responsible for security; people are responsible for negligence
     - Build the security response around what is important
     - Worry less about the rest (not all assets are equal)
     - If you can’t prevent it or flag it, don’t put it in your security policies
     - Acceptable use must have teeth
  26. Quick takeaways. Ask this question when you get back to your organization: if you received an email from a hacker saying “we have got your critical data”, how would you know if they really do? If you don’t know, you don’t have a comprehensive security program.
  27. Quick takeaways. If you do nothing else, do these things:
     - Application whitelisting
     - Acceptable usage policy and mandatory awareness training
     - Business Impact Analysis and Risk and Control assessment – owned by the board and presented back to the board
     - Love your security professionals
  28. Questions? John Hudson, Security & Strategy Practice Director, Plus Consulting, John.Hudson@plusconsulting.com, 412.206.0160
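The first of the "do these things" items, application whitelisting, is the only control in the deck that is purely mechanical, so here is an added illustration of how such a control decides (it is example code written for this page, not anything from Plus Consulting or the presentation). It keys the allowlist on the SHA-256 of each binary's contents rather than its path or name, so that a renamed copy of an approved program is still allowed while a tampered file at the approved path is refused. All file names, contents and the `appctl` audit-line format are constructed for the demonstration.

```python
"""Added example: content-hash application allowlist (default deny).

Not from the slide deck. File names, contents and log format below are
constructed for illustration only.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    path: str
    sha256: str
    allowed: bool
    reason: str


def sha256_of_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths) -> dict:
    """Hash each approved binary once (at install/approval time): hash -> approved path.

    Keying on content rather than on the file name means that renaming a binary
    does not grant approval and that replacing an approved file revokes it."""
    return {sha256_of_file(p): p for p in approved_paths}


def check_execution(path: str, allowlist: dict) -> Decision:
    """Default deny: only a content hash present in the allowlist may run."""
    digest = sha256_of_file(path)
    if digest in allowlist:
        return Decision(path, digest, True, "content matches approved " + allowlist[digest])
    return Decision(path, digest, False, "content hash not in allowlist")


def audit_line(d: Decision) -> str:
    """One line per decision; the DENY lines are what a SOC would alert on."""
    verdict = "ALLOW" if d.allowed else "DENY"
    return f"appctl {verdict} path={d.path} sha256={d.sha256[:16]} reason={d.reason}"


def demo() -> list:
    """Constructed scenario: two approved tools, then three execution attempts:
    a renamed copy of an approved tool (allowed, same content), the approved
    path overwritten with modified content (denied), an unknown binary (denied)."""
    with tempfile.TemporaryDirectory() as d:
        def write(name: str, data: bytes) -> str:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p

        approved = [
            write("reporting.exe", b"REPORTING v1"),   # constructed sample binary
            write("erp-client.exe", b"ERP CLIENT v3"),  # constructed sample binary
        ]
        allowlist = build_allowlist(approved)

        attempts = [
            write("reporting-renamed.exe", b"REPORTING v1"),        # same content, new name
            write("reporting.exe", b"REPORTING v1 + tampered"),     # approved path, changed content
            write("unknown-tool.exe", b"never approved"),           # unknown program
        ]
        decisions = [check_execution(p, allowlist) for p in attempts]
        for dec in decisions:
            print(audit_line(dec))
        return decisions


if __name__ == "__main__":
    demo()
```

The point the demo makes for the "audit the mitigation strategies" slide is that the evidence of the control working is the stream of DENY lines: if nobody collects and reviews them, the allowlist is another box ticked rather than a choke point.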