hackers vs suits
My half of a tag team presentation for the Edmonton, Alberta, Canada ISACA chapter with renderman (http://www.renderlab.net), dealing with what is wrong with information security today. I, of course, was the suit. It looks like SlideShare bungled some of my slides. Click the download link to get the PowerPoint version.

Published in: Technology, Education
  • Rivner is correct, we do need a new doctrine. However, an anti-APT doctrine is not the answer.
  • It is good news that we can see that we have a mismatch
  • hackers vs suits

    1. hackers vs suits: what's wrong with security today?
    2. agenda: the suit; the hacker; questions?
    3. the suit http://www.flickr.com/photos/23912576@N05/
    4. experiment: "playing card data loss"
    5. Threats (T) and countermeasures (C) for the playing card experiment:
       T1: Sleight of hand. C1: Don't let the attacker handle the cards.
       T2: Marked cards. C2: Keep the attacker at a distance where he cannot see small marks.
       T3: The approximate location of the pair is known. C3: Cut the deck while the attacker is not looking.
       T4: The pair is together. C4: Deal into two piles.
       T5: If the location of one card is known in one pack, the other card will be in a similar location in the other pack. C5: Mix both packs.
    6. The same threat/countermeasure model, shown in full. Model source: taosecurity.blogspot.com
    7. an experiment (unfortunately)
    8. 3 March 2011: A brief phishing attack began which targeted RSA staff with no unusual privileges.
       6 April 2011: US defense contractors Lockheed Martin and L-3 had been attacked via cloned RSA SecurIDs.
       6 June 2011: RSA partially admitted that something bad had happened in March and offered to replace current customers' SecurIDs at no cost.
       Sources:
       • http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
       • http://blogs.rsa.com/rivner/anatomy-of-an-attack/
       • http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/
       • http://www.wired.com/threatlevel/2011/05/l-3/
       • http://www.rsa.com/node.aspx?id=3891
    9. Threats (T) and countermeasures (C) as RSA would have modelled them:
       T1: Direct attacks from the Internet. C1: State of the art perimeter defenses.
       T2: User authentication attacks against Internet-exposed services. C2: State of the art authentication controls.
       T3: Malware. C3: State of the art end-point controls.
       T4: Malicious activity may go unnoticed. C4: State of the art monitoring.
       T5: Sensitive data could exit the network. C5: State of the art data loss prevention (DLP) technology.
       T6: Social engineering. C6: State of the art security awareness program.
    10. The same threat/countermeasure model, shown in full. Model source: taosecurity.blogspot.com
    11. http://blogs.rsa.com/rivner/anatomy-of-an- "Recently the UK payment council announced that in 2010 online banking fraud declined 22%, despite phishing levels increasing 21%. This is turning the tide. It took the financial sector 7 years to build a new defense doctrine against social engineering attacks like Phishing and Trojans. I was part of this gargantuan effort, and I think we've learned a thing or two that can help us build a new defense doctrine against APTs much faster. Already we're learning fast, and every organization hit by an APT is much more prepared against the next one; I'm confident it will take us far less than 7 years to say we've turned the tide on APTs."
    12. good idea but...
    13. new threats: our current approach
        • Identifying and cataloging new threats
        • Standardizing countermeasures
        • Adding these to vendor product lines (When will we see the first APT-no-more product from a major vendor?)
        • Entrenching into the standards canon
    14. we are too slow to adapt. All too often we only change our defensive doctrine when:
        • We get hit badly
        • Compliance standards change
        • New products become available
        • The new fiscal cycle starts
        The attackers we face change their offensive doctrine much more frequently.
    15. John Boyd (1927-1997), a.k.a. Forty Second Boyd, Genghis John, The Mad Major, The Ghetto Colonel. Photo credit: Wikipedia
    16. Boyd on novelty. The adversaries that we are defending against are continually producing novelty (there will be something else after APT). "Now, in order to thrive and grow in such a world we must match our thinking and doing, hence our orientation, with that emerging novelty." Winning in inherently dynamic environments involves running through flexible decision making cycles faster than your
    17. our challenge. All major advances in science and engineering were born of the realization that current models - or orientations, in Boyd's terms - were mismatched with reality (you are here). How can we gain the ability to traverse the observe, orient, decide, act cycle as rapidly or more rapidly than our opponents? A possible answer: we need to change our information security doctrine from compliance- and product-centred to innovation- and human-centred.
    18. Chris Hammond-Thrasher, CISSP
        Associate Director, Consulting, Security, Privacy and Compliance
        Founder, Fujitsu Edmonton Security Lab
        FUJITSU CANADA
        chris.hammond-thrasher@ca.fujitsu.com
        7809178426