1
GuidePoint Security
Infosec Observations From the Life of a
Security Consultant
guidepointsecurity.com | GuidePoint Security © 2020
2
Introductions
Gary Brickhouse
CISO | VP, GRC Services
• 20 years in Information Security
• 10+ years in security practitioner roles
• The Walt Disney Co.
• Publix Super Markets, Inc
• GuidePoint since 2012
3
What this talk is NOT about
How to maximize your frequent traveler points
Clear up consulting lifestyle misconceptions
4
What are we here to talk about?
Three Key Observations
• Getting Back to the Basics
• InfoSec Pressures
• Changing Landscape
5
Getting Back to the Basics
6
Just the Basics
Good News:
• Per the Verizon Data Breach Investigations Report (DBIR), vulnerability exploits continue to decrease
Warning:
• Not the time to relax
• Must continue with comprehensive patch management
Vulnerability Management
7
Just the Basics
Zero Day Exploits aren’t necessarily your biggest issue
VS.
Vulnerability Management
8
Just the Basics
Top 10 Most Exploited
Vulnerabilities 2016–2019
Vulnerability Management
CVE Date Published
CVE-2012-0158 04/10/2012
CVE-2015-1641 04/14/2015
CVE-2017-5638 03/10/2017
CVE-2017-0143 03/16/2017
CVE-2017-0199 04/12/2017
CVE-2017-8759 09/12/2017
CVE-2017-11882 11/14/2017
CVE-2018-4878 02/06/2018
CVE-2018-7600 03/29/2018
CVE-2019-0604 03/05/2019
Source: https://us-cert.cisa.gov/ncas/alerts/aa20-133a
9
Just the Basics
Vulnerability Management
Source: 2020 Verizon DBIR
10
Just the Basics
Application Security
Reactive
vs.
Proactive
11
Just the Basics
Lacking Proactive Activities:
• Security integration into SDLC
• Secure code standards and practices for Developers
- OWASP Top 10
o Four of the top 10 have been there since 2004!
o Six of the top 10 have been there since 2013!
Application Security
12
Just the Basics
OWASP Top 10                                    2017  2013  2010  2007  2004
A1-Injection                                     X     X     X     X     X
A2-Broken Authentication                         X     X     X     X     X
A3-Sensitive Data Exposure                       X     X
A4-XML External Entities (XXE)                   X
A5-Broken Access Control                         X
A6-Security Misconfiguration                     X     X     X           X
A7-Cross-Site Scripting (XSS)                    X     X     X     X     X
A8-Insecure Deserialization                      X
A9-Using Components with Known Vulnerabilities   X     X
A10-Insufficient Logging & Monitoring            X
Application Security
13
Just the Basics
Application Security
43% of breaches involved web app attacks
Source: 2020 Verizon DBIR
2x increase over 2019 findings
Source: 2020 Verizon DBIR
14
Just the Basics
Credential Management
• Reuse of credentials / passwords
• Simple, commonly used passwords
• Lack of MFA
• No password management tools
80% of breaches within Hacking involve brute force or the use of lost or stolen credentials
Source: 2020 Verizon DBIR
15
Just the Basics
Patching the Human Firewall
• Preventative controls are helping
- Not a replacement for good security awareness and training
• Users seem blissfully unaware of the value of data or their impact on data security
16
Just the Basics
Network Segmentation
Attacker
Flat Network
17
InfoSec Pressures
18
Under Pressure
Keeping up with attackers
20 years ago the hardened perimeter was your best defense
Today it’s defense-in-depth and zero trust
19
Under Pressure
Keeping up with attackers
80% of malware-related incidents in EDU involved ransomware
Source: 2020 Verizon DBIR
Ransomware is on the rise
• Up from 48% in 2019
• Primary EDU distribution means through websites
- Unmonitored web-based mail from BYOD
20
Under Pressure
Getting them…
Staffing
Source: ISACA State of Cybersecurity 2020
21
Under Pressure
Keeping them…
Staffing
Source: ISACA State of Cybersecurity 2020
22
Under Pressure
• Seen most often with technology solutions
• Often lacks accounting for the necessary supporting people and processes
Chasing the Silver Bullet
23
Changing Landscape
24
Changing Landscape
Data Privacy
Here Today:
Proposed:
State Legislation
New York
Maryland
Massachusetts
Hawaii
North Dakota
Washington
25
Changing Landscape
Data Privacy
Does this even apply to you?
• Not-for-profit vs. For-profit
• Vendors / Services Providers
- Obligation to protect covered data
Good reference article on this topic:
https://iapp.org/news/a/what-does-the-ccpa-mean-for-colleges-and-universities/
26
Changing Landscape
Data Privacy
Privacy Implications
• Right of Access
• Right of Erasure
• Right to Data Portability
• Right to Object / Opt-Out
• Breach Notification
Security Implications
• Appropriate measures based on risk, which may include:
- pseudonymization and encryption of personal data
- restoring the availability of and access to personal data
- regularly testing, assessing and evaluating the effectiveness of controls
Considerations for both Privacy and InfoSec
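As an added example (not from the slides and not GuidePoint's code), the pseudonymization measure listed above carried through in Python with only the standard library: direct identifiers are replaced by keyed HMAC-SHA256 tokens so records stay linkable for processing, the token-to-identifier map is held apart as the re-identification secret (which also lets a right-of-access request be answered), and deleting a subject's mapping serves the right-of-erasure bullet without touching the processing copy. The field names (email, ssn), the sample records and the key handling are constructed assumptions; encrypting the map and the key at rest is left to the storage layer and is not shown here.

```python
"""Pseudonymization of personal data with a keyed hash (added example, not from the deck)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Fields treated as direct identifiers. Assumption for this example; the slide
# does not enumerate which fields count as personal data.
DIRECT_IDENTIFIERS = ("email", "ssn")


def normalize(value: str) -> str:
    """Canonicalize an identifier so trivially different spellings link to one token."""
    return value.strip().lower()


def pseudonym(key: bytes, value: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.

    A keyed hash rather than a plain SHA-256 means someone holding only the
    processing dataset cannot rebuild tokens from guessed inputs without the key.
    """
    digest = hmac.new(key, normalize(value).encode("utf-8"), hashlib.sha256).digest()
    return digest.hex()[:32]


def pseudonymize_dataset(
    key: bytes, records: List[Dict[str, str]]
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace direct identifiers with tokens.

    Returns (processing copy, token -> original identifier map). The map is the
    re-identification secret and is meant to live apart from both the processing
    copy and the key.
    """
    processing: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if copy.get(field):
                token = pseudonym(key, copy[field])
                lookup[token] = normalize(copy[field])
                copy[field] = token
        processing.append(copy)
    return processing, lookup


def reidentify(lookup: Dict[str, str], token: str) -> Optional[str]:
    """Resolve a token back to the identifier, e.g. to answer a right-of-access request."""
    return lookup.get(token)


def erase_subject(key: bytes, lookup: Dict[str, str], *identifiers: str) -> int:
    """Right of erasure: drop every mapping for one data subject.

    The processing records stay intact but can no longer be attributed to the
    person because their tokens no longer resolve. Returns the count removed.
    """
    removed = 0
    for ident in identifiers:
        if lookup.pop(pseudonym(key, ident), None) is not None:
            removed += 1
    return removed


def contains_raw_identifiers(records: List[Dict[str, str]], originals: List[Dict[str, str]]) -> bool:
    """Check whether any raw identifier value survived in the processing copy."""
    raw = {normalize(r[f]) for r in originals for f in DIRECT_IDENTIFIERS if r.get(f)}
    return any(normalize(v) in raw for r in records for v in r.values())


# Constructed sample records (fictional people, fictional SSNs).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "ssn": "123-45-6789", "course": "CS101", "grade": "A"},
    {"email": "alice@example.com ", "ssn": "123-45-6789", "course": "CS202", "grade": "B"},
    {"email": "bob@example.edu", "ssn": "987-65-4321", "course": "CS101", "grade": "C"},
]


def demo() -> Tuple[bool, bool, int, bool]:
    """Run the full flow; returns (linkable, no raw identifiers, mappings erased, unresolvable)."""
    key = secrets.token_bytes(32)  # in practice: from a KMS/HSM, never stored beside the data
    processing, lookup = pseudonymize_dataset(key, SAMPLE_RECORDS)
    # Both Alice rows carry the same token, so per-student analysis still works.
    linkable = processing[0]["email"] == processing[1]["email"]
    no_raw = not contains_raw_identifiers(processing, SAMPLE_RECORDS)
    removed = erase_subject(key, lookup, "alice@example.com", "123-45-6789")
    gone = reidentify(lookup, processing[0]["email"]) is None
    return linkable, no_raw, removed, gone


if __name__ == "__main__":
    print(demo())
```

The design point is separation of duties: the processing copy, the token map and the key are three artifacts with three different custodians, so a leak of the processing copy alone exposes grades and courses but no identities, and a single map deletion retires a subject across every dataset that shares the key.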
27
Changing Landscape
Third Party Risk Management
Breaches are regularly occurring
• Breach through Canon Business Process Services
- Data leak through unauthorized access to an employee email account
- Employee personal data
• Ransomware
- Exposed data from Tesla, SpaceX, Boeing, Lockheed Martin
• Breach through third-party email vendor
- Malicious attack to access email accounts
- >1MM customers and employees impacted
• Breach through third-party cloud hosting service
- Misconfigured cloud services
- Exposed SSNs, driver’s license numbers
28
Changing Landscape
Third Party Risk Management
60% of organizations believe they are only somewhat or not effective at vetting third parties
8% of assessments result in organizational action
Source: The Cost of Third-Party Cybersecurity Risk Management, Ponemon Institute LLC, March 2019
Key Considerations
• Vendor Identification
- Critical / High Risk
• Assessment Strategy
• Contractual Requirements
• Resources
29
Changing Landscape
Key Challenges
• Decentralization
• Reliance on home networks
• Remote connectivity
• End point protection
• Data leakage
Remote Workforce
30
Lessons learned…
31
32
Gary Brickhouse
gary.brickhouse@guidepointsecurity.com
Thank You
