Discussion with NAU students

1. We are all InfoSec
Michael Swinarski
Director Information Security

2. TOP 5 CYBERSECURITY FACTS FOR 2018
-CSO ONLINE JAN 2018
1. CYBER CRIME DAMAGE COSTS TO HIT $6 TRILLION ANNUALLY BY 2021.
2. CYBERSECURITY SPENDING TO EXCEED $1 TRILLION FROM 2017 TO 2021.
3. CYBER CRIME WILL MORE THAN TRIPLE THE NUMBER OF UNFILLED CYBERSECURITY JOBS,
WHICH IS PREDICTED TO REACH 3.5 MILLION BY 2021.
4. HUMAN ATTACK SURFACE TO REACH 6 BILLION PEOPLE BY 2022.
5. GLOBAL RANSOMWARE DAMAGE COSTS EXCEEDED $5 BILLION IN 2017.

3. CURRENT EVENTS - MALWARE
THE AV-TEST INSTITUTE REGISTERS OVER
250,000 NEW MALICIOUS PROGRAMS
EVERY DAY.

4. 2017, THE YEAR OF RANSOMWARE
1. 250% RISE IN ATTACKS
2. TO NAME A FEW…
1. WANNA CRY
2. PETYA
3. NOTPETYA

5. 2018, THE YEAR OF HARDWARE

6. RECENT EVENTS – 2017 DATA BREACHES
E-Sports Entertainment Association (ESEA)
Xbox 360 ISO and PSP ISO
InterContinental Hotels Group (IHG)
Arby’s
River City Media
Verifone
Dun & Bradstreet
Saks Fifth Avenue
UNC Health Care
America’s JobLink
FAFSA: IRS Data Retrieval Tool
Chipotle
Sabre Hospitality Solutions
Gmail
Bronx Lebanon Hospital Center
Brooks Brothers
DocuSign
One Login
Kmart
University of Oklahoma
Washington State University
Deep Root Analytics
Blue Cross Blue Shield / Anthem
California Association of Realtors
Verizon
Online Spam bot
TalentPen and TigerSwan
Equifax
U.S. Securities and Exchange Commission (SEC)
SVR Tracking
Deloitte
Sonic
Whole Foods Market

7. MICHAEL’S INSOMNIA
• SECURITY AWARENESS
• PHISHING
• TECHNOLOGY DEBT
• TECHNOLOGY IMPLEMENTATION
• TODAYS PROBLEMS, WHERE YESTERDAYS SOLUTIONS
• CLOUD ADOPTION
• TECHNOLOGY CONTROLS, T & C’S
• THIRD PARTY VENDOR RISK MANAGEMENT
This Photo by Unknown Author is licensed under CC BY-NC-ND

8. WE ARE ALL SECURITY PROFESSIONALS
“THE RISE OF CYBER THREATS MEANS THAT THE PEOPLE
ONCE ASSIGNED TO SETTING UP COMPUTERS AND EMAIL
SERVERS MUST NOW TREAT SECURITY AS TOP PRIORITY”
-CHRISTOPHER MIMS, WALL STREET JOURNAL

9. FOR DEVELOPERS AND TESTERS
• OWASP TOP 10
• MOST CRITICAL WEB APPLICATION
SECURITY RISKS
• HTTPS://WWW.OWASP.ORG

10. OWASP TOP 10 (2017 RC2)
• A1 INJECTION
• A2 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
• A3 CROSS-SITE SCRIPTING (XSS)
• A4 BROKEN ACCESS CONTROL
• A5 SECURITY MISCONFIGURATION
• A6 SENSITIVE DATA EXPOSURE
• A7 INSUFFICIENT ATTACK PROTECTION
• A8 CROSS-SITE REQUEST FORGERY (CSRF)
• A9 USING COMPONENTS WITH KNOWN VULNERABILITIES
• A10 UNDER PROTECTED APIS
Source

11. A1 INJECTION (Since 1998)
INJECTION FLAWS, SUCH AS SQL, OS, AND
LDAP INJECTION OCCUR WHEN UNTRUSTED
DATA IS SENT TO AN INTERPRETER AS PART OF
A COMMAND OR QUERY. THE ATTACKER’S
HOSTILE DATA CAN TRICK THE INTERPRETER
INTO EXECUTING UNINTENDED COMMANDS
OR ACCESSING DATA WITHOUT PROPER
AUTHORIZATION.
Source

12. Little Bobby Tables

13. PREVENT INJECTION
How Do I Prevent Injection? Preventing injection requires keeping data separate from commands and queries.
• The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface,
or migrate to use ORMs or Entity Framework. NB: When parameterized, stored procedures can still introduce SQL injection if
PL/SQL or T-SQL concatenates queries and data, or executes hostile data with EXECUTE IMMEDIATE or exec().
• Positive or "white list" input validation, but this is not a complete defense as many applications require special characters, such
as text areas or APIs for mobile applications
• For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter. OWASP's
Java Encoder and similar libraries provide such escaping routines. NB: SQL structure such as table names, column names,
and so on cannot be escaped, and thus user-supplied structure names are dangerous. This is a common issue in report writing
software.
• Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
Source

14. FOR SYSTEM ENGINEERS/ADMIN/IMPLEMENTERS
• CENTER FOR INTERNET SECURITY (CIS) TOP 20
• SECURE YOUR ENTIRE ORGANIZATION AGAINST TODAY'S MOST PERVASIVE THREATS
• HTTPS://WWW.CISECURITY.ORG

15. CIS TOP 20
1. INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
2. INVENTORY OF AUTHORIZED AND UNAUTHORIZED SOFTWARE
3. SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE
4. CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION
5. CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES
6. MAINTENANCE, MONITORING, AND ANALYSIS OF AUDIT LOGS
7. EMAIL AND WEB BROWSER PROTECTIONS
8. MALWARE DEFENSES
9. LIMITATION AND CONTROL OF NETWORK PORTS
10. DATA RECOVERY CAPABILITY
11. SECURE CONFIGURATIONS FOR NETWORK DEVICES
12. BOUNDARY DEFENSE
13. DATA PROTECTION
14. CONTROLLED ACCESS BASED ON THE NEED TO KNOW
15. WIRELESS ACCESS CONTROL
16. ACCOUNT MONITORING AND CONTROL
17. SECURITY SKILLS ASSESSMENT AND APPROPRIATE TRAINING TO FILL
GAPS
18. APPLICATION SOFTWARE SECURITY
19. INCIDENT RESPONSE AND MANAGEMENT
20. PENETRATION TESTS AND RED TEAM EXERCISES
Source

16. REFERENCES FOR ALL
• NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
• CYBER SECURITY FRAMEWORK
• HTTPS://WWW.NIST.GOV/CYBERFRAMEWORK
• EXAMPLES
• NIST 800-50: Building an Information Technology Security Awareness and Training Program
• NIST 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
• NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• NIST 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
• NIST 800-57: Recommendation provides cryptographic key management guidance
• NIST 800-61: Guidelines for Computer Security Incident Handling
• NIST 800-63: Digital Identity Guidelines. Authentication and Lifecycle Management

17. INFORMATION SECURITY CAREERS
• “'NEGATIVE JOBLESSNESS' IN INFOSEC"
• BANKINFOSECURITY.COM (JULY 2014)
• "ZERO-PERCENT CYBERSECURITY
UNEMPLOYMENT, 1 MILLION JOBS UNFILLED"
• CSOONLINE.COM (SEPT 2016)
• “THE AVERAGE TIME TO FILL AN OPEN POSITION
IN INFORMATION SECURITY IS 130 DAYS”
• CEB ANALYSIS
Salaries according to Dice.com (April 2016)
Application Security Manager $165,000
Cybersecurity Engineer $170,000
Lead Security Engineer $174,375
Cybersecurity Lead $175,000
Director of Security $178,333
Chief Information Security Officer $192,500
IT Security Consultant $198,909
Global Information Security Director $200,000
Chief Security Officer $225,000
Lead Software Security Engineer $233,333

18. Q&A - DISCUSSION

19. THANK YOU
MICHAEL SWINARSKI
LINKED IN: linkedin.com/in/mswinarski
TWITTER: @RogueITLeader
SLIDE SHARE: https://www.slideshare.net/MichaelSwinarski/presentations