Cloud computing. Mobile computing and Bring your own device (BYOD). Global collaboration and communication. Big data. Governance, risk management and compliance. Rapidly escalating regulatory requirements. The world is changing faster than we can keep pace. Attackers evolve methods more rapidly than we can develop defenses, amplifying the asymmetric threat. These are, indeed, interesting times. The question is not how to win, but how to survive in the ever-changing risk landscape.
4. HYPOTHESES
1. A traditional approach is insufficient and not commercially reasonable
2. A tech-heavy approach is not commercially reasonable
3. A legally defensible position requires changing the game
5. “Those who cannot remember the past are condemned to repeat it.” (George Santayana)
HISTORICAL PERSPECTIVE
6. 1969 – First packet transmitted
1979 – Online transaction processing invented
1981 – First online home banking services (US)
… (lots of standards dev work) …
1990 – First Successful HTTP communication
1994 – First pizza ordered online
1994 – Amazon founded
1996 – NIST FIPS 161-2 EDI released; HTTP v1.0
1997 – First mobile commerce (SMS Coke)
1998 – PayPal launches, Google incorporated
2007 – iPhone released
2010 – Square releases first card reader product
HISTORICAL PERSPECTIVE
The Good…
7. HISTORICAL PERSPECTIVE
1962 – Malware invented
…
1981 – First widespread virus (Elk Cloner)
… (lots of activity over this period) …
1996 – CERT SYN Flood advisory
1998 – Forerunners of botnets emerge
2000 – DDoS attacks take down major sites
2001 – DoCoMo mobile malware outbreak
2003 – SQL Slammer wreaks havoc
2005 – First mobile worm (Commwarrior-A)
2008 – Cold Boot attack published
2012 – NFC exploits demonstrated
The Bad…
8. HISTORICAL PERSPECTIVE
1980 – IDS concept emerges
1983 – Orange Book published
1988 – First paper on the firewall; X.509 issued
1989 – IBM releases Viruscan; COPS released
1991 – PGP created
1992 – ISS; first commercial disk encryption
1994 – First commercial NIDS, Netscape SSL
1995 – IPsec published (RFCs 1825, 1829)
2001 – Vontu (DLP) founded; ASLR defined
2002 – Mobile AV emerges (Symantec)
2005 – SIEM coined by Gartner
>2005 – ??? (evolution, but not innovation?)
The Ugly…
9. HISTORICAL PERSPECTIVE
The Uglier…
1934 – Communications Act
1973 – HEW Fair Information Practices
1974 – Privacy Act
1980 – OECD Privacy Principles
1986 – ECPA; CFAA
1994 – CFAA (networked abuses added)
1995 – EU Data Protection Directive
1996 – Telecom Act; HIPAA
1998 – PIPEDA (Canada); DMCA; COPPA
1999 – GLBA
2000 – ESIGN Act
2001 – USA PATRIOT Act; FERC Standard Market Design (Appendix G)
2002 – Homeland Security Act; FISMA; Sarbanes-Oxley
2003 – California SB 1386; FACTA
2004 – PCI DSS v1.0
2005 – FFIEC Guidance
2006 – Budapest Convention on Cybercrime
2009 – HITECH Act; EU Cookie Directive
2010 – Dodd-Frank; MA 201 CMR 17.00
2011 – SEC “cyber risk” disclosure guidance
13. “A long habit of not thinking a thing wrong gives it a superficial appearance of being right.” (Thomas Paine)
OUR APPROACH IS FLAWED
14. OUR APPROACH IS FLAWED
What’s of value? What control can we exert? Where’s the accountability?
http://www.flickr.com/photos/digitalcurrency/2438118655/sizes/m/in/photostream/
http://www.flickr.com/photos/global-jet/2124785243/sizes/m/in/photostream/
http://www.flickr.com/photos/ensh/6204837462/sizes/m/in/photostream/
15. HOW DID WE GET HERE?
“Never complain of that of which it is at all times in your power to rid yourself.” (Adam Smith)
16. A LITTLE BIT OF EVOLUTION
Undefined → Emerging → Organized → Optimized → Managed
18. BLIND LEADING THE BLIND?
http://www.flickr.com/photos/cmogle/2907198746/sizes/m/in/photostream/
http://www.flickr.com/photos/nakrnsm/3898384586/sizes/m/in/photostream/
CSA Guide 3.0. “NIST Visual Model of Cloud Computing Definition”
http://www.flickr.com/photos/25692668@N06/3428784441/sizes/m/in/photostream/
It takes a generation… Big data… Rapidly changing environment
19. WHAT NOW?
“We have it in our power to begin the world over again.” (Thomas Paine)
20. WHAT NOW?
Objective 1: Jump to the next curve – a mature GRC program
Objective 2: Jump to the next curve – better “security” awareness
Objective 3: Establish a culture of accountability
21. 3 STEPS FORWARD
“Common sense is seeing things as they are; and doing things as they ought to be.” (Harriet Beecher Stowe)
22. 1. GRC PROGRAM BUILD-OUT
Undefined → Emerging → Organized → Optimized → Managed
1. Elevate it
2. True, legally defensible enterprise risk management
3. Return security operations to IT, governing accordingly
23. 2. AGGRESSIVE AWARENESS
For Business Leaders / For Legal / For Everyone
http://cache.marriott.com/propertyimages/l/laxcv/phototour/laxcv_phototour20.jpg?Log=1
http://www.flickr.com/photos/crobj/4312159033/sizes/m/in/photostream/
http://www.flickr.com/photos/jurvetson/2487910168/sizes/m/in/photostream/
24. 3. ACCOUNTABILITY FOR ALL
Monitor / Detect / Correct
http://www.flickr.com/photos/highwaysagency/6281302040/sizes/m/in/photostream/
http://www.flickr.com/photos/reneeviehmann/4320360120/sizes/m/in/photostream/
http://www.flickr.com/photos/cefeida/4714238826/sizes/m/in/photostream/
http://www.flickr.com/photos/oregondot/3853990076/sizes/m/in/photostream/
26. THE THREE WAYS
The First Way: Systems Thinking – Holistic, No Silos, Understand Value Streams
The Second Way: Amplifying Feedback Loops – Communication, Rapid Response, Embed Knowledge
The Third Way: Culture of Continual Experimentation & Learning – Innovate, Fail Fast / Learn Fast, “Freedom & Responsibility”
Image: http://itrevolution.com/the-three-ways-principles-underpinning-devops/
28. IN SUMMARY
The status quo is undermining business survivability.
It’s (past) time to jump the curve – we cannot wait any longer.
3 Steps Forward:
1. “GRC” Program Build-Out
2. Aggressive Awareness
3. Accountability
http://www.flickr.com/photos/extranoise/350901033/sizes/z/in/photostream/
Disclaimer: It will seem at times like I’m wandering off track, but I assure you that everything ties back together in the end!
Framing the discussion is important… we’ll come back and add some narrative around this in a little bit…
http://en.wikiquote.org/wiki/George_Santayana
On EDI, note that UNCITRAL did considerable work in the late 80s that led to NIST 161-2, which itself was preceded by 161-1 (1995)… and EFT preceded this in the early ‘80s…
About Square… note that they’re now advertising on TV and give the swipe device away for free!
http://speckycdn.sdm.netdna-cdn.com/wp-content/uploads/2011/11/shopping_infograhic_large2.jpg << (this graphic incorrectly states eBay and Dell founding years)
In fairness… there have been some evolutionary advances… sandboxing, micro-virtualization and virtual machines, improved ASLR, improved PRNG (Futura), intrusion deception, endpoint protection, signature-less next gen AV, UTMs, etc.
http://csrc.nist.gov/publications/history/ande80.pdf – James P. Anderson, “Computer Security Threat Monitoring and Surveillance”
http://www.baselinemag.com/c/a/Security/A-Brief-History-of-Malware-291930/
http://www.symantec.com/connect/articles/evolution-intrusion-detection-systems
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
http://www.securelist.com/en/analysis?pubid=170773606
http://en.wikipedia.org/wiki/Address_space_layout_randomization
IRB – 3rd chapter of report is on eDiscovery and Commercially Reasonable Security
Also mention EU “Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century” and U.S. Cybersecurity Act of 2012
Wikipedia (e.g., http://en.wikipedia.org/wiki/Cyber-security_regulation)
On recent COPPA enforcement: http://www.infolawgroup.com/2012/10/articles/childrens-privacy/bieber-fever-gets-a-dose-of-the-ftc-operator-of-bieber-fan-site-among-others-agrees-to-one-million-dollar-settlement-for-coppa-violations/
http://cwec.ucdavis.edu/rpsintegration/library/FERC%20RM01-12-000-SMD.pdf
SEC CF Disclosure Guidance on cyber risk – http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Let’s not forget the impact of ESPIONAGE and SUPPLY CHAIN RISK as highlighted by the recent House Intel Committee report on Huawei!
http://datalossdb.org/statistics
http://www.privacyrights.org/data-breach
US Report: “In this year’s study, the average per capita cost of data breach has declined from $214 to $194.”
On 10/9/12 per PrivacyRights.org: 19,353,797 records have been reported compromised.
That amounts to an estimated $3,754,636,618
Data exfiltration – particularly via mobile devices and cloud services – is not only inevitable, it’s already happening.
http://images.allmoviephoto.com/2003_The_Matrix_Revolutions/M3_Hugo_Weaving_008.jpg
A transitional period in time
Accelerated expansion of risk environment, threat vectors
Rapidly decreasing ability to directly manage risk factors
Today: lots of focus on vulns and threats, but to what end?
Business Survival: How does your business function?
Assets: The people, processes, and technologies that support business functions
It takes a generation (evolution is a slow process)
Big data (lots of silos, but how do we aggregate, let alone monitor/detect/correct?)
Rapidly changing environment
“jump the curve” comes from Guy Kawasaki’s “The Art of Innovation”
http://blog.guykawasaki.com/2006/01/the_art_of_inno.html#axzz29Z6XHLpz
GRC program build-out
1. Elevate it (peers with CFO, GC, COO, etc.)
2. True enterprise risk management (understand business functions, understand assets picture, manage to business tolerances, legally defensible)
3. Return sec ops to IT, governing accordingly
Aggressively train and educate *all* personnel (including execs and legal)
Training for business leaders (RM, contract concerns, etc.)
Training for legal (understanding tech concerns)
Training for everyone (basic security, spearphishing, RM processes, etc.)
Hold *all* personnel accountable
Practical Application – DevOps, RM, & The 3 Ways
* The First Way: Systems Thinking
* The Second Way: Amplify Feedback Loops
* The Third Way: Culture of Continual Experimentation and Learning
The Three Ways
- The First Way: Systems Thinking – The performance of the entire system is paramount. Silos must be eliminated in favor of managing the business as a whole, including looking at all business value streams and how they are enabled (or, conversely, hindered) by ICT. Defects cannot be allowed to flow downstream, and optimization must be considered globally instead of locally, in order to achieve a Deming-esque understanding of the system.
- The Second Way: Amplify Feedback Loops – Communication is vitally important, with a premium placed on ensuring that feedback is provided and incorporated quickly and at all levels. An interesting benefit of the second way is that it also embeds knowledge, which helps improve overall performance and quality while diminishing bottlenecks (as anticipated by the “theory of constraints”).
- The Third Way: Culture of Continual Experimentation and Learning – One of the largest challenges facing enterprises today is the notion of “technology debt.” How many ICT projects have languished, deprioritized by competing new work, only to crop up as a legacy failure point that introduces defects and continuously undermines performance and, ultimately, business value? At the same time, experimentation and growth are of equal importance. As an example, consider the core values of Netflix corporate culture, which thrives on the “Freedom & Responsibility” mantra and which encourages experimentation provided that problems are fixed quickly. Put another way, failing fast means learning fast, which not only enables creativity and innovation, but also results in more resilient code and operations.