Cybersecurity Legos
We’re all part of something bigger
Ben Boyd | vCISO | Integration Partners
Advisory
Architecture
Education
Programs
Processes
What I do in Cybersecurity…
How I got here…
Games
• PC Builds
Internship
• Reports
• 1st "App"
Comp. Sci
• C++
• Java
• Apps
• OS's
• Networks
ISP
• Access
• Core
• Design
Consulting
• Networks
• Firewalls
• Security
Tools
Security
Product
Sales
• DDoS
• Firewalls
• CASB
Security
Advisory
People
Processes
Technology
The Key Assets of Cybersecurity
no matter what you do in business or IT!
Data at Rest
Data in Use
Data in Motion
Information Security is securing data
A Secure Delivery is
Security Isn’t The Goal
Least Privilege
Multi-Factor Authentication
Micro-Segmentation
Encryption
Patching
Stay clean San Diego…
Cyber Hygiene
Public Data Flow
Internet
Internet
Routers
Perimeter
Firewalls
Load
Balancers
Web/App
Servers
Logic/Processing
Servers
Database
Servers
Storage
Servers
Securing Public Facing Data
Presentation
Tier
Application
Tier
Data
Tier
Data in Motion Data in Use Data at Rest
Unsecure!
(Cloud and/or Datacenter)
Interior
Firewalls
(virtual)
DNS
DDoS
IDP
Encryption
PAM
Encryption
PAM
Secure Domain Routing
Threat Detection Tools
Certificate Mgmt
Virtualization
Containerization
Sec Dev
Virtualization
Containerization
Sec Dev
WAF
Encryption
People = Public
Processes = Data in & Out
(Banks, FB, & Google)
Segmentation
App-FW
App-FW
Anti-Malware
Threat Prevention
Internal Data Flow
WiFi
Access
Switch
Load
Balancers
Web/App
Servers
Logic/Processing
Servers
Database
Servers
Storage
Servers
Securing Internal Data
Presentation
Tier
Application
Tier
Data
Tier
Data in Motion Data in Use Data at Rest
Interior
Firewalls
(virtual)
Encryption
PAM
Encryption
PAM
IAM
Secure Domain Routing
Threat Detection Tools
Virtualization
Containerization
Sec Dev
Virtualization
Containerization
Sec Dev
WAF
Encryption
People = Employees / Contractors
Processes = Business Needs
Corporate
Firewalls
Corporate
Routers
Data at Rest
IDP
User-FW
App-FW
Anti-Malware
Threat Prevention
DLP
E-mail Security
Anti-Malware
Cloud Data Flow
WiFi
Access
Switch
Securing Cloud-Based Data
Data in Motion Data at Rest
Secure Domain Routing
Threat Detection Tools
Encryption
People = Employees / Contractors
Processes = Business Needs
Corporate
Firewalls
Internet
Routers
Data at Rest
IDP
User-FW
App-FW
Anti-Malware
Threat Prevention
Internet
The “Cloud”
SaaS: Salesforce, Office 365, Gsuite, Concur, Salary.com, Workday, Webex
PaaS: Google App Engine, AWS Beanstalk, SQL in Azure, Heroku
IaaS: Digital Ocean, AWS, Azure
DNS
CASB
IAM
Virtual FW
E-mail Security
Caching
DLP
DLP
E-mail Security
Anti-Malware
The end of the CISO
Cybersecurity is Everyone’s Job
• Make Risk-Based Decisions!
• If I leave X insecure, what is the impact to the organization?
• Application Developers
• Patched Libraries
• No backdoors
• No hardcoded credentials
• System Admins
• No “root” users
• Patched Systems and Apps
• Business Users
• No “workarounds” and shadow IT
Continuous Diagnostics & Mitigation
What the Feds are doing…
Executive Order on Cybersecurity
Accountability, Vulnerabilities, Modernization, Transparency
Story Time
• The Traffic Also Rises
• Chinese and Russian traffic on bank teller machine.
• To kill a high power bill
• Cryptocurrency mining by internal resource
• Lord of the 10gig link
• Compromised machines torrenting
• For Whom the SQL Tolls
• SQL Injection on major website
• One Flew Over the VPN
• TOR traffic
• Hola VPN traffic
Just a few failures I’ve come across
Compromised on Inside
Insider Attack
Insiders, Shadow IT, Compromised
External Hackers
Insiders, Shadow IT, Compromised
Questions
Thank You!

Cybersecurity Legos - We're all part of something bigger

  • 1. Cybersecurity Legos We’re all part of something bigger Ben Boyd | vCISO | Integration Partners
  • 3. How I got here… Games • PC Builds Internship • Reports • 1st "App" Comp. Sci • C++ • Java • Apps • OS's • Networks ISP • Access • Core • Design Consulting • Networks • Firewalls • Security Tools Security Product Sales • DDoS • Firewalls • CASB Security Advisory
  • 4. People Processes Technology The Key Assets of Cybersecurity no matter what you do in business or IT!
  • 5. Data at Rest Data in Use Data in Motion Information Security is securing data
  • 6. A Secure Delivery is Security Isn’t The Goal
  • 8. Public Data Flow Internet Internet Routers Perimeter Firewalls Load Balancers Web/App Servers Logic/Processing Servers Database Servers Storage Servers Securing Public Facing Data Presentation Tier Application Tier Data Tier Data in Motion Data in Use Data at Rest Unsecure! (Cloud and/or Datacenter) Interior Firewalls (virtual) DNS DDoS IDP Encryption PAM Encryption PAM Secure Domain Routing Threat Detection Tools Certificate Mgmt Virtualization Containerization Sec Dev Virtualization Containerization Sec Dev WAF Encryption People = Public Processes = Data in & Out (Banks, FB, & Google) Segmentation App-FW App-FW Anti-Malware Threat Prevention
  • 9. Internal Data Flow WiFi Access Switch Load Balancers Web/App Servers Logic/Processing Servers Database Servers Storage Servers Securing Internal Data Presentation Tier Application Tier Data Tier Data in Motion Data in Use Data at Rest Interior Firewalls (virtual) Encryption PAM Encryption PAM IAM Secure Domain Routing Threat Detection Tools Virtualization Containerization Sec Dev Virtualization Containerization Sec Dev WAF Encryption People = Employees / Contractors Processes = Business Needs Corporate Firewalls Corporate Routers Data at Rest IDP User-FW App-FW Anti-Malware Threat Prevention DLP E-mail Security Anti-Malware
  • 10. Cloud Data Flow WiFi Access Switch Securing Cloud-Based Data Data in Motion Data at Rest Secure Domain Routing Threat Detection Tools Encryption People = Employees / Contractors Processes = Business Needs Corporate Firewalls Internet Routers Data at Rest IDP User-FW App-FW Anti-Malware Threat Prevention Internet The “Cloud” SaaS PaaS IaaS Salesforce Google App Engine Digital Ocean Office 365. AWS Beanstalk AWS Gsuite SQL in Azure Azure Concur Heroku Salary.com Workday Webex DNS CASB IAM Virtual FW E-mail Security Caching DLP DLP E-mail Security Anti-Malware
  • 11. The end of the CISO: Cybersecurity is Everyone’s Job
      • Make Risk-Based Decisions!
          • If I leave X insecure, what is the impact to the organization?
      • Application Developers
          • Patched Libraries
          • No backdoors
          • No hardcoded credentials
      • System Admins
          • No “root” users
          • Patched Systems and Apps
      • Business Users
          • No “workarounds” and shadow IT
  • 12. What the Feds are doing…
      • Continuous Diagnostics & Mitigation
      • Executive Order on Cybersecurity
      • Accountability, Vulnerabilities, Modernization, Transparency
  • 13. Story Time: Just a few failures I’ve come across
      • The Traffic Also Rises
          • Chinese and Russian traffic on bank teller machine.
      • To kill a high power bill
          • Cryptocurrency mining by internal resource
      • Lord of the 10gig link
          • Compromised machines torrenting
      • For Whom the SQL Tolls
          • SQL Injection on major website
      • One Flew Over the VPN
          • TOR traffic
          • Hola VPN traffic
      • Callout labels (in slide order): Compromised on Inside; Insider Attack; Insiders, Shadow IT, Compromised; External Hackers; Insiders, Shadow IT, Compromised

Editor's Notes

  1. Cyber Security is the use of various technologies and processes to protect networks, computers, programs and data from attack, damage or unauthorized access.
     PEOPLE (Everyone)
       • Make security a cultural focus of the organization!!
       • Ensure Senior Management buy-in and commitment. Without this you will fail.
       • Employ the right people with the right attitude, experience and qualifications.
       • Train your people and test them periodically.
       • Use rewards and recognition to reinforce behavior.
     PROCESS (Bake Security in!)
       • Build these first and then select the Technology.
       • Clearly communicate the established processes within the organization.
       • Train the People on the Processes and get their buy-in to see “what’s in it for them”.
       • The processes should be aligned to the organization’s risk tolerance and business objectives.
     TECHNOLOGY (Anything digital)
       • Understand how the technology works and the exposure it creates.
       • Monitor changes in technology and deploy effective tools.
       • Ensure software patches and updates are done in a timely fashion.
       • Continuously monitor the log files against an established baseline.
  2. Information Security is protecting information from unauthorized access, use, disruption, modification or destruction regardless of how the information is stored, electronic or physical.

     Data at Rest
     Data is at rest when it is stored on a hard drive. In this relatively secure state, information is primarily protected by conventional perimeter-based defenses such as firewalls and anti-virus programs. However, these barriers are not impenetrable. Organizations need additional layers of defense to protect sensitive data from intruders in the event that the network is compromised. Encrypting hard drives is one of the best ways to ensure the security of data at rest. Other steps can also help, such as storing individual data elements in separate locations to decrease the likelihood of attackers gaining enough information to commit fraud or other crimes.

     Data in Use
     Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users aren’t hiding behind stolen identities. Organizations also need to be able to track and report relevant information so they can detect suspicious activity, diagnose potential threats, and proactively improve security. For example, an account being disabled due to a certain number of failed login attempts could be a warning sign that a system is under attack.

     Data in Motion
     Data is at its most vulnerable when it is in motion, and protecting information in this state requires specialized capabilities. Our expectation of immediacy dictates that a growing volume of sensitive data be transmitted digitally, forcing many organizations to replace couriers, faxes, and conventional mail service with faster options such as email. Today, more than 100 million business emails are sent every day [1]. When you send an email, it typically takes a long and winding journey through the electronic infrastructure at universities, government facilities, and other network locations. Anyone with the right tools can intercept your email as it moves along this path.

     However, there are effective ways to make email more secure. The best way to ensure that your messages and attachments remain confidential is to transmit them through an encryption platform that integrates with your existing systems and workflows. Optimally, users should be able to send and receive encrypted messages directly from their standard email service. More than 90% of organizations that currently use email encryption report that they have this capability [2]. Looking ahead, it will also become increasingly important for the encryption service your organization uses to cover mobile email applications. The Radicati Group [1] predicts that 80% of email users will access their accounts via mobile devices by 2018, but more than 35% of organizations currently using email encryption say their users currently lack the ability to send secure messages from their mobile email client [2].
  3. Following from an introduction of the C.I.A. Triangle, another triangle is used to help explain the relationship between the concepts of security, functionality and ease of use. A triangle is used because an increase or decrease in any one of the factors will have an impact on the presence of the other two. As an example, increasing the amount of functionality in an application will also increase the surface area that a malicious user can attack when attempting to find an exploitable weakness. The trade-off between security and ease of use is commonly encountered in the real world, and often causes friction between users and those responsible for maintaining security.

     The numerous incidents of defeating security measures prompt my cynical slogan: The more secure you make something, the less secure it becomes. Why? Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds that defeat the security. Hence the prevalence of doors propped open by bricks and wastebaskets, of passwords pasted on the fronts of monitors or hidden under the keyboard or in the drawer, of home keys hidden under the mat or above the doorframe or under fake rocks that can be purchased for this purpose.
  4. 1. Least Privilege: Users should be allowed only the minimum necessary access needed to perform their job and nothing more. And system components should be allowed only the minimum necessary function needed to perform their purpose and nothing more. If a least privilege environment has not been effectively implemented and users are provided with higher levels of access than they need, attackers can steal these credentials (user name and password) and gain broad access to systems. For example, in the Target and Sony breaches, attackers were able to gain administrative-level privileges.

     2. Micro-segmentation: The whole IT environment should be divided into small parts to make it more manageable to protect and to contain the damage if one part gets compromised (see sidebar). If micro-segmentation has not been effectively implemented, attackers can break into one part of the network and then easily move around to other parts. For example, in the Target breach, after an initial intrusion into the HVAC system, the attackers were able to move around to the payment network system. In the Sony breach, the attackers were also able to move around from one part of the network to another. In the case of the OPM breach, the attackers obtained access to OPM’s local area network and then pivoted to the Interior Department’s data center.

     3. Encryption: For critical business processes, all data should be encrypted, while stored or transmitted. In the event of a data breach, stealing critical files should only result in obtaining unreadable data. If encryption has not been effectively implemented, attackers can exfiltrate data in readable form. For example, after a data breach at Royal & Sun Alliance Insurance PLC, government investigators determined that the company had not adequately encrypted the data.

     4. Multi-factor Authentication: The identity of users and system components should be verified using multiple factors (not just simple passwords) and be commensurate with the risk of the requested access or function. If multi-factor authentication (MFA) is not effectively implemented, attackers can obtain passwords and use them to access systems. For example, in the OPM breach, if the contractor logons had been enforced with a risk-appropriate level of MFA, it would have limited the ability of the attackers to use the stolen credentials of the government contractor. In the case of the breach at LinkedIn, the hack exposed inadequately protected passwords of 100 million users. Since consumers often use passwords on multiple sites, MFA would have reduced the risk.

     5. Patching: Systems should be kept up to date and consistently maintained. Any critical system that is out of date is a meaningful security risk. If patching is not effectively implemented, attackers can exploit open holes in systems. For example, the WannaCry ransomware exploited a known software vulnerability for which a patch was available. Organizations that fell victim had failed to effectively patch.
  5. Why internal data? Because we need jobs! We work tickets, write emails, have meetings, plan things, deploy things, do slide presentations, do spreadsheets, input numbers. This is all data that needs to be secured.
  6. Why cloud data? Because most of the work we do today is done on “web apps”. This data needs to be secured as well!
  7. The term layer 8 is often used pejoratively by IT professionals to refer to employees’ lack of awareness and a weak overall cybersecurity culture. While organizations continue to purchase and deploy technical controls, not much has been done to focus on the human side of cybersecurity. Today, it is just as important to secure human assets (layer 8) as it is to secure layers 1 through 7. Don’t fall into a false sense of comfort thinking that your technical controls alone can keep you safe. According to Gartner, “Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms.”

     So how do we bring humans back into the security loop? How should a culture of cybersecurity be developed and fostered? According to The Wall Street Journal, IT teams should undertake four key efforts with support from the very top levels of the organization:
       • Embed cybersecurity throughout business processes instead of restricting it to one function.
       • Encourage collaboration between different departments and areas of the business.
       • Promote shared responsibility.
       • Empower employees to learn and develop.

     Antivirus company Avast outlined some advice to help organizations improve their cybersecurity culture. One recommendation is to ensure adequate focus on individual responsibility and spread awareness about the vital role everyone plays in cybersecurity. To create a culture of security, companies must address the need to:
       • Educate employees on how the cybersecurity dots are connected to the organization’s ability to achieve its business objectives and avoid fines, loss of business, loss of brand reputation and possibly layoffs.
       • Form security awareness allies, including supporters from across the organization, not just the security team.
       • Empower employees to own their efforts in protecting data within the organization.