How to assess your Cybersecurity Vulnerability_.pptx
HackersAttackersCriminals_2014
1. Company Confidential | www.SalientCommercial.com | 1
Hackers, Attackers and Criminals
The never-ending, dynamic and evolving threat
“The further backward you look, the further forward you can see.”
Sir Winston S. Churchill
2/25/2015
Carlos Fernandes, CISSP
• Leads Salient’s Cyber Security Center of Excellence
• Responsible for developing and implementing Salient’s
Cyber Security Strategy of expanding market distinctions
and innovation
• Certified Information Systems Security Professional with
over 20 years of industry experience
• Founder and Managing Principal/CEO of Agile
Cybersecurity Solutions LLC (ACS)
• United States Air Force veteran, Intelligence Analysis and
Applications Officer
• BS Electrical Engineering from Virginia Military Institute
(VMI)
Hackers, Attackers and Criminals
• Objectives
–Highlight the evolving threat.
–Why should we care?
–What we can’t do.
–What can we all do?
• Disclaimer: Warning - The content of this
presentation might scare the Hell out of you.
The Evolving Threat
“The threat is much worse than any of us can
imagine.”
- Admiral “Mike” McConnell, Vice Chairman, Director of
the National Security Agency from 1992 to 1996.
Typical Threats To Security
Advanced Persistent Threat (APT)
An adversary that —
• Possesses significant levels of expertise / resources.
• Creates opportunities to achieve its objectives by using
multiple attack vectors (e.g., cyber, physical, deception).
• Establishes footholds within IT infrastructure of targeted
organizations:
–To exfiltrate information.
–Undermine / impede critical aspects of a mission, program, or organization.
–Position itself to carry out these objectives in the future.
Why should we care?
“The stakes are enormous. If a cyber incident
disrupted our financial and accounting transactions,
our equities and bond markets or our retail commerce
… or created confusion about the legitimacy of those
transactions … chaos would result.”
“Our power grids, air and ground transportation,
telecommunications and water filtration systems are
in jeopardy as well.”
- Admiral “Mike” McConnell, Director of the National Security
Agency from 1992 to 1996.
What we can’t do
• Authority limitations – Legally, we cannot respond
to an international cyber incident.
• Attribution – There are technical limitations with
regard to knowing for certain where the cyber
incident originated.
• It is not possible to be 100% secure in
cyberspace.
What can we all do?
• More cross-industry collaboration
• Sharing of threat information & mitigation
strategies
• Agree to a voluntary set of standards/best
practices that address liability, privacy and
security with rewards for compliance
• Identify, retain and train cyber security
professionals
Where to begin
• Develop a security and risk assessment strategy
• Implement the strategy
• Establish a security baseline, based on best
practices
• Identify security gaps
• Prioritize findings
• Develop and implement a mitigation strategy
• Continuously monitor
• Constantly remind yourself and others that cyber
security is a journey not a destination
“A leader never walks by a mistake”
General Norman Schwarzkopf
Commander of Operations for Desert Shield & Desert Storm
The attached video clip provides some insight into the idea behind our “Precognitive Capabilities”
http://www.imdb.com/video/imdb/vi355440921/
Hackers, cyber crime, and a new kind of war (3:53) – “Salient” point of our discussion
http://www.youtube.com/watch?v=PrP0WZFrTYg
Cybercrime continues to increase, with 92% of Forbes Global 2000 companies reporting data breaches within the last 12 months. The US, by policy, does not engage in economic espionage. By contrast, most other nations do. It is estimated that over 200 nations have an intelligence capability. Cyber tools used for exploitation can also be used for cyber attacks. These capabilities are being built by the 1,000s. The result is that most US corporations have been penetrated.
The Magnitude of Cyber Threats – Mike McConnell (4:24)
http://www.youtube.com/watch?v=K04SMZAkh34&list=PL5nWsySehsd2i4Yoy2cKfIzOg4f1V3JAU
Description of the Cyber Attack – Mike McConnell (1:50 - 8:45)
http://www.youtube.com/watch?v=8UARznPdjaM
Can Cyber Attacks Prompt the Next Financial Crisis? – Howard Schmidt, Fmr. White House Cybersecurity Coordinator (4:14)
http://www.youtube.com/watch?v=vi2M1sSVtPY
Critical infrastructure is at risk (power, water, nuclear, communications, etc.). Like the nuclear threat, mutually assured destruction is a deterrent for nation states. Terrorists are not deterred. Economic espionage is common practice by most nations. New technologies, e.g. wearable devices such as Google Glass, add to the complexity of the problem.
Exfiltrate definition – In cyberspace, exfiltrate is defined as the removal of information (digital data) by stealth, deception, surprise, or clandestine means. Other terms used for these types of operations: Computer Network Operations (CNO), Computer Network Exploitation (CNE). The advanced persistent threat has matured from disruption (DDoS) to destruction, where either a malicious insider or outsider will launch a cyber attack with the intent to destroy data and/or hardware assets.
APT – a dedicated and motivated adversary.
Show the following YouTube clip to bring home the point:
Cyber Warfare – from disruption to destruction (3:53)
http://www.youtube.com/watch?v=DSMOs7CF1Eo&feature=related
Threats have grown from disruption to destruction, as exemplified by the recent cyber incident at Saudi Aramco (Saudi Arabian Oil Co.), the world’s largest state-owned crude oil exporter. The cyber incident destroyed 55,000 computers.
Organizations do not have a legal framework to effectively address and deal with international cyber incidents. Special interests hinder progress. 100% secure is not possible. The fact is that we, as a nation, are becoming increasingly dependent on cyberspace. In order to stay ahead of the growing problem, we must engage in strategic dialogue. It will take collaboration and the forming of partnerships between public, private and international communities.
Apply industry best practices
Incentivize compliance
Market based incentives vs. government mandates
Robert Bigman, former Chief of Information Assurance at the CIA, has publicly stated that industry best practices are not being followed. We know what to do but we are not doing it.
Federal Information Processing Standards (FIPS) – Publicly announced standards developed by the Federal Government
National Institute of Standards and Technology (NIST) – Agency of the US Department of Commerce
Precognitive Capabilities, focused on using artificial intelligence and human capital to predict and prevent attacks before they happen.
As leaders, I encourage all of you to stay alert and do all you can to promote cyber security awareness.