NTXISSACSC1 Conference - Security is Doomed by Jesse Lee

Security is Doomed by Jesse Lee - Session #662 from the First Semi-Annual Cyber Security Conference in Plano, Texas held September 26-27, 2014.


  1. Security is Doomed: Why the current Defense in Depth Model is Unsustainable
     Sep 26-27, 2014, Collin College – Fall 2014 Cyber Security Symposium
  2. Agenda
     • Here’s where we are
     • Here’s how we got here
     • Here’s what’s going on
     • Here’s why it’s unsustainable
     • Here’s where it’s going
     • Summary
     • Q&A
  3. Here’s where we are
  4. Cyber Defense-in-Depth Best Practices to date
     • Some sort of governance
       - Namely for Enterprises
         § Slowly rolling out to small businesses
       - PCI / HIPAA / SOX / ICD-503 / etc.
     • Defense-in-Depth
       - Hardened Border
       - Hardened Middle
       - Hardened Core
       - Web & Email – Advanced Threat Detection
       - Limited Admin Access
       - Auditing Everywhere
         § Security Operations Center
       - Massive Patch & Vulnerability Management
       - Data Loss Prevention
     • Pen Testing
     • Forensics
     • Open Source Intelligence
     • Training
  5. Here’s how we got here
  6. History of Hacking – per Wikipedia: 1903
     § Magician and inventor Nevil Maskelyne disrupts John Ambrose Fleming's public demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium's projector.
  7. History of Hacking – per Wikipedia: 1930’s
     § Hacking the Enigma Machine & Nazi Tech
  8. History of Hacking – per Wikipedia: 1940’s - 70’s
     § Fairly Quiet
  9. History of Hacking – per Wikipedia: 1980’s
     § Hackers, Phreakers, Coders, and Black hat-style underground computer geeks
  10. History of Hacking – per Wikipedia: 1986
     § US Computer Fraud and Abuse Act
  11. History of Hacking – per Wikipedia: 1988
     § Four men, including an employee of the First National Bank of Chicago, charged in an ill-fated attempt to embezzle $70 million by transferring the funds to banks in Austria.
     http://articles.chicagotribune.com/1988-05-19/news/8803180387_1_chase-manhattan-bank-wire-transfers-sources
  12. History of Hacking – per Wikipedia: 1990’s
     § Movies (Sneakers, The Net, Hackers)
     § Underground
     § Politically Motivated Hacking
     § Conferences
     § Legislation
     § Raids
     § Public Fear
  13. History of Hacking – per Wikipedia: 1999
     § U.S. President Bill Clinton announces a $1.46 billion initiative to improve government computer security. The plan would establish a network of intrusion detection monitors for certain federal agencies and encourage the private sector to do the same.
  14. History of Hacking – per Wikipedia: 1994
     § Summer: Russian crackers siphon $10 million from Citibank and transfer the money to bank accounts around the world.
  15. History of Hacking – per Wikipedia: 2000’s
     § Massive Worms / Viruses / Infections
     § Dawn of Microsoft Security Program
     § Legislation
     § Arrests
     § Botnets grow
     § Web Defacements
     § Governments get hacked
  16. History of Hacking – per Wikipedia: 2010’s
     • Targeted Attacks go Mainstream
     • First recognized sophisticated cyber weapon – Stuxnet, allegedly produced by the US and Israel
     • US Banks hacked by Russia
     • US Government & Contractors hacked by China
     • Massive Hacktivism by Anonymous & LulzSec across the globe
     • Massive compromise of PII
     • World Record Defacements in 1 shot
  17. History of Hacking: 2013
     • Target
  18. History of Hacking: 2014
     • Apple
     • Home Depot
  19. Here’s how we got here
     • Hacking has led to financial & privacy loss
       - Individually
       - Government & Corporate Industry
  20. Here’s what’s going on
  21. Here’s what’s going on
     • Large and Small Businesses are starting to be regulated
       - Regulation is built for large business
       - Small Businesses cannot afford it
     • Massive Influx of devices being connected to the Internet
     • Entities are dealing with “BYOD”
     • Large corporations are moving into lockdown
     • Small businesses can’t afford security
     • Rise of SOC as a service
     • Rise of emulation testing
  22. Here’s what’s going on
     • Testing the pain tolerance
       - Constant training
       - Security patches
       - Massive access control and red tape
  23. Here’s why it’s unsustainable
  24. Here’s why it’s unsustainable: Cost, Risk, ROI
     • Attacker – very cheap to hack, low risk, high gain
     • Defender – very expensive, high risk, hard to show gain
  25. Here’s also why it’s unsustainable
     • IoT
       - How are we going to secure the corporate network with respect to:
         § Cars
         § Appliances
         § Wearables
         § The End User
  26. Bottom Line
     Defender has to be right 100% of the time.
     Attacker only has to be right once.
  27. Here’s where it’s going
  28. We have to raise the risk and cost to an attacker
     • How?
       - Short Term: Authentication via analytics
         § Security Informatics
         § Consolidation & analysis of outputs from all security and non-security tools
           - Meta Data collection & analysis
         § Must be able to prove beyond a shadow of a doubt
           - Requires collaboration between
             · Corporate entities
             · World governments
           - Requires new world cyber law
  29. Short Term: Authentication via Analytics
     But what happens when a piece of data goes missing in the critical authentication chain?
     OR
     The integrity of the critical authentication chain is compromised due to a hack?
  30. We have to raise the risk and cost to an attacker
     • Long Term: Extreme Authentication
       - Every interaction with any digital interface must be authenticated and logged
         § Every key touched
         § Every button pushed
         § Every voice command given
         § Every wearable worn
  31. Long Term: Extreme Authentication
     • #HereComesTheChip
     • #OrTheTattoo
     • #MaybeThePill
     • #SoldAsAService
     • #NoRealPrivacy
  32. Media
     • FBI director: Forget firewalls, Sabu proves attribution wins domestic cyber war
       - http://www.cso.com.au/article/455234/fbi_director_forget_firewalls_sabu_proves_attribution_wins_domestic_cyber_war_/
     • Passwords In Tattoos And Pills? Motorola Announces Plans For Wearable Tech
       - "Essentially, your entire body becomes your authentication token."
       - http://www.huffingtonpost.com/2013/06/03/passwords-tattoos-pills-motorola_n_3378767.html
       - http://allthingsd.com/20130603/passwords-on-your-skin-and-in-your-stomach-inside-googles-wild-motorola-research-projects-video/ (3 min in)
  33. Summary
     Here’s where we are:
     • Attacker – very cheap to hack, low risk, high gain
     • Defender – very expensive, high risk, hard to show gain
     • Defender has to be right 100% of the time
     • Attacker only has to be right once
     Here’s where we are going:
     • Authentication through Analytics
     • Extreme Authentication
  34. Questions?
  35. Presenter Bio
     Jesse Lee
     Sr. Cyber Security Engineer @ Raytheon
     E-mail: jesse@raytheon.com
     13+ years in cyber security
     7+ years in penetration testing
     3+ years in advanced threat detection
     MS Network Security
     CISSP-ISSEP
