
"Cyber" security - all good, no need to worry?

  1. "Cyber" security - all good, no need to worry? Ian Amit Director of Services, IOActive
  2. ¡Hola
  3-8. Incidents by Business Type - All Time (pie chart, source: datalossdb.org). Legend: Biz, Gov, Med, Edu. Slice values as revealed one slide at a time: 52%, 18%, 16%, 14%.
  9-15. Incidents by Vector - All Time (pie chart, source: datalossdb.org). Legend: Outside, Inside, Inside - Accidental, Inside - Malicious, Unknown. Slice values as revealed one slide at a time: 57%, 20%, 10%, 7%, 6%.
  16. DataLossDB.org Incidents Over Time (bar chart; x-axis 2004 through 2013, y-axis 0 to 1800 in steps of 450). Bar value labels recovered from the slide, listed in descending order rather than by year: 1621, 1091, 1048, 829, 775, 728, 695, 644, 157, 43.
  17-18. Problem ✓ Solution?
  19-20. What would CISO do?
  21. WTF?
  22. RISK MANAGEMENT
  23. We need to get back to BASICS
  24. insert crowd pic here
  25. Prioritize! Based on risk, impact, potential cost, and cost of remediation.
  26. Summary 1. Stop throwing money at products. 2. Identify assets, processes, technology, threats. 3. Assess your current posture. Identify gaps. 4. Address gaps based on priority and relevance. Consider cost (of impact, of fixing). 5. Test effectiveness. 6. Back to step 2.
  27. REMEMBER! • You are not fighting off pentesters. You are fighting off actual adversaries. • You are not fighting off auditors. You keep your organization working. • You are not fighting off regulators. You are trying to keep yourself out of jail.
  28. Thank You! ¡Gracias! Ian Amit, Director of Services, IOActive. ian.amit@ioactive.com Twitter: @iiamit