Why it is the shiny object?Cyber is all about definitionsIt is much talked about, but little defined and very misunderstood
DHS has provided:CIKR facility risk assessmentsData center risk assessmentsThese guidelines exist to connect physical and cyber securityEven PCI DSS and ISO/IEC 27001:2005 have physical security control requirements
No companies will be harmed to deliver this presentation
To understand the fear, let’s breakdown of some of the advanced attacks affecting a region of the worldIn rough chronological order:Stuxnet- Discovered in June 2010, Stuxnet is believed to be the first malware targeted specifically at critical infrastructure systems. - NYT reported this was part of a U.S.-Israeli operation "Operation Olympic Games" - Began during President George W. Bush’s time in office- An attempt to sabotage Iran's nuclear program- Designed to shut down centrifuges at Iran's Natanz uranium enrichment plantA sophisticated worm spread via USB drives And with 4 previously unknown, zero-day vulnerabilities in Windows- Used two stolen digital certificatesAimed directly at Siemens supervisory control and data acquisition (SCADA) systems Used to control industrial processes- Malware infected programmable logic controllers Duqu- The Duqu worm emerged in September 2011Researchers say it shared a lot of code with Stuxnet It hit computers in Iran but did not appear to be directed at industrial or critical infrastructures specificallyExploited zero-day Windows kernel vulnerabilitiesUsed stolen digital certificatesInstalled a backdoorCaptured keystrokes and information that could be used to attack industrial control systemsDesigned for a different purpose than Stuxnet--Stealing data for surveillance and intelligence gatheringResearchers believe Duqu was a cyberespionage operation to gauge the status of Iran's nuclear programGauss- Launched around September 2011 and discovered in June 2012Malware was found on computers mostly in Lebanon, Israel, and Palestine, followed by the U.S. and the United Arab EmiratesCapable of stealing browser passwords, online banking accounts, cookies, and system configurationsResearchers believe that Gauss comes from the same nation-state that produced Stuxnet, Duqu, and Flame Mahdi- Discovered in February 2012 and publicly disclosed in July 2012 Used for espionage since December 2011It’s a data stealing trojan Records keystrokes, screenshots, and audio and steals text and image filesInfected computers primarily in Iran, Israel, Afghanistan, the United Arab Emirates, and Saudi Arabia, Aimed at systems used by critical infrastructure companies, government embassies, and financial services firmsUsed social engineering to get people to click on attachments that have malicious Word or PowerPoint attachmentsUnknown who's responsible for the malware Flame- Discovered in May 2012 - Has been in the wild since December 2007 First hit Iranian Oil Ministry computers in April 2012Most of the infections were in Iran, but other countries hit were Israel, Sudan, Syria, Lebanon, Saudi Arabia, and EgyptSpread via USB stick, local network, or shared printer spool vulnerabilityUsed a fraudulent digital certificate Left a backdoor on computersSniffed network traffic and recorded audio, screenshots, Skype conversations, and keystrokesDownloaded information from other devices via BluetoothStole PDF, text, and AutoCAD filesDesigned for general espionage and intelligence gatheringNot targeted at any particular industryShares characteristics with Stuxnet and DuquAlso believed to have been developed as part of the Olympic Games project along with StuxnetWiper- Reported in April 2012 Shut down computer systems at companies in Iran, including the Oil MinistryWiped data from hard drivesDeleted all traces of itselfVery similar IOCs as Stuxnet and DuquThe discovery of Wiper led to the discovery of Flame, which led researchers to GaussPoint of origin is uncertainShamoon- Discovered August 2012Virus attacked Windows computers Designed for espionageInitially confused with Wiper but is believed to be a Wiper copycat targeting oil companiesCode of Shamoon points to the work of amateurs rather than a nation-state operationProgrammed to overwrite files with an image of a burning U.S. flag,Stole dataShamoon hit Saudi Aramco and shut down 30,000 workstationsLet’s call these advanced attacksLet’s call these nation-state sponsored operations or attacks
So here’s why there is confusion…It’s the simple attacks / compromise that’s confusing.Adding on to the 2011 Insulin pump issue, which we agree was very simpleIn 2011, a computer virus infected the cockpits of America’s Predator and Reaper drones- A keylogger infected several computers the pilots use to operate the Predator and Raptor drones in the fleet in missions- Logged pilots’ every keystroke as they remotely flew missions over Afghanistan and other warzonesA fleet of approximately 30 CIA-directed drones have hit targets in Pakistan more than 230 times; These drones have killed more than 2,000 suspected militants and civilians according to the Washington PostThere are more than 150 additional Predator and Reaper drones, under U.S. Air Force control, that watch over the fighting in Afghanistan and IraqAmerican military drones struck 92 times in Libya between mid-April and late AugustBut despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don’t encrypt the video they transmit to American troops on the ground. In the summer of 2009, U.S. forces discovered days of the drone footage on the laptops of Iraqi insurgents.A $26 piece of software allowed the militants to capture the videoVirus kept reinfecting systemsEstimated that 1/3 of the drone fleet had malwareOMG - “After repeated attempts to remove the malware, the technicians used a tool to completely erase and rebuild the systems from scratch. We keep wiping it off, and it keeps coming back," a source told Wired.Also in 2012, demonstration showed that pacemakers could be infiltrated to deliver deadly shocksA series of 830-volt shocks could be sent to a remote pacemakerResearchers could activate all pacemakers and implantable defibrillators within a 30-foot radius to give up their serial numbersAllows a would-be assassin to breach device firmware and upload nefarious malware that could spread to other pacemakers like a virus - NetworkedAlso in 2012, new Smart TV technology was exploited upon launchSmart TVs run AndroidGained access to the device’s built-in camera and microphones remotelyAllows an intruder to watch everything you doIn 2013, authorities have confirmed tor the first time everUsed well known security issues (that have existed for a decade) on online voting systems Hackers attempted and almost succeeded at rigging a Miami primary vote last AugustRequests for over 2,500 phantom absentee ballots flooded the Miami Dade voter registration siteDetected through audit process (People and Process)Symc, rsa, vrsn, and Bit9 were all simple, not advanced and caused collateral damageSne, amzn, appl, yhoo, and lnkd were all simple and exploited basic security controls known for a long time2012 Dept of Energy Hacked- Report published in 2012 by the U.S. China Economic and Security Review Commission- “In 2012, Chinese state-sponsored actors continued to exploit U.S. government, military, industrial, and nongovernmental computer systems,” It’s a continuing storyhttp://securityaffairs.co/wordpress/12188/cyber-crime/us-department-of-energy-hit-by-a-sophisticated-cyber-attack.html
Bottom line is that cyber-adversaries are getting increasingly more sophisticated at their targets and attacks. We need to ensure that basic security is done to even begin to deal with advanced offensives.
- Cybersecurity was a big issue in the 112th Congress- But there was little progressDemocrats and Republicans deadlocked over whether to give lead authority to the Department of Homeland Security (DHS), a civilian agency, or the National Security Agency (NSA), a military agency. Meanwhile evidence of threats to the nation's infrastructure increased.
The President could have issued this executive order at any time, but chose the State of the Union to emphasize the importance of the issue. Timeline
"Critical infrastructure" covers a lot of economic activity One of the 18 critical infrastructure sectors is Information Technology- Threat detection and prevention is key for effective cybersecurity, Presently no clear rules exist about how to collect and share informationBusinesses are concerned about the disclosure of confidential informationGovernments have classified data, and data sharing has privacy implications for Internet usersThe executive order sets out a framework to collect and gather information about cybersecurity where currently none existsThe Commerce Department, a civilian agency, thru NIST leads the Cybersecurity Framework, not NSA- [EPIC] A clear victory for open government and academic freedomPartnerships and mandates – WH is trying to ensure private sector support for better cybersecurity standards without imposing actual requirements To describe cybersecurity policy as "technology neutral" is important to almost all of the players in the cybersecurity debate. The concern is that government will mandate a standard that becomes outdated. On Voluntary - The White House wants to leave no doubt that it is not forcing anyone to do anything. Since 9/11, the US has moved toward risk-based assessments to decide how to allocate security resourcesThis is the reason travelers go through body scanners at airports and not at bus stations. But identifying high-priority critical infrastructure is more difficult. Systems are interconnected. There are multiple operators, some outside the US.
This down payment is to begin to mobile people, companies, and the gov’t to actTo secure cyber spaceTo develop how to secure cyber space
Cyber security is all about coming to agreement on MANY definitionsWhat is cyber?What does safe mean?Water quality and safety in the US vsMexcioCorrelating infrastructure security of water treatment plantsOne size does not fit allRisk-based security using evidence moves information security and physical security (cyber security) from art to scienceWe need to start with basics (crawl, walk, run methodology)Security is Everyone’s Responsibility. Stop. Think. Connect. (DHS)Discuss Keys to cyberFire is a great example of thisGives everyone a roleFairly clear that it needs to be dealt withMinimum fire safety protocols in placeWho to callYour role and responsibilityRole of companiesAnother example is seat belt safety
Everyone with Information Technology is in scope You are CIKRSKIP to NEXT SLIDE – COME BACKThink Security BasicsApply Evidence-based Security ModelStatistics by Sector ExistShould Threat ModelStart by asking does this have a computer inside? Mobile phones countTablets, etc…Does it have an IP?You are accountable in the cyber ecosystem – cyber space.Use Verizon VERIS model to think about What? Who? Why? How? When? Where? You can be attacked.Threat ModelingLook up your industry to assess how your industry is being attacked…We’ll show more in the Evidence section how to look at this
All I did was remove the words from page 4, 5, and 6Need to think how you affect the other 17 sectorsThink insulin pump or pace maker examplesSmart TVMust add economic espionage conceptWhat IP do you have that can arm hostile nation states thinking long term ill will towards the US?Counterfeit chips in space, war ships, etc. ?Next gen designs?What happened to Nortel? They no longer exist.
You are either part of the solution or part of the problem
2 frameworks have emerged as the most relevant to Cyber Security:1- the standards often used by Federal agencies to meet the Federal Information Security Management Act (FISMA) of 2002 requirements that havebeen developed by NIST (11 yrs old) and2- the standards developed internationally that are published by ISO/IEC and adopted by many global commercial organizations in the ISO/IEC 27000 series (BS 7799 1995 and 18 yrs old).Both of these standards provide a general framework for managing IT securityISO/IEC 27001 standard focuses on making sure that an organization has a management system that is capable of managing informationSecurityStandards included in the ISO/IEC 27000 family include:⚫ ISO/IEC 27000 Fundamentals and principles⚫ ISO/IEC 27001 ISMS requirements⚫ ISO/IEC 27002 Security controls (Code of Practice for Information Security Management)⚫ ISO/IEC 27003 ISMS implementation guidance⚫ ISO/IEC 27004 Information security management metrics and measurements⚫ ISO/IEC 27005 ISMS risk managementFISMA standards include a risk assessment methodology (Special Publication 199) a detailed controls list (SP 800-53), and has Objective assessment criteria (SP 800-53A)The focus of the framework is on the Information Technology systems, and On their certification and accreditation to operate.Other standards such as the Payment Card Industry Data Security Standard (PCI DSS) focus on particular information assets (credit card security) So in practice must be integrated with another general frameworks in order to meet the real-world requirements of an organization needing to protect ALL of their assetsBest put:ISO 270001 and FISM – Ensures you’re secureITIL – Ensures you’re operating efficientlyCOBIT – Ensures you’re aligned with your businessCOBIT 5 also recently releasedEvaluate, Direct, and Monitor: ISO/IEC 38500 & ISO 31000Align, Plan, and Organize: TOGAF, Prince2, and CMMIISO/IEC 2700 – Straddles:Align, Plan, and Organize Build, Acquire, and ImplementMonitor, Evaluate, and AssessBuild, Acquire, and Implement: ITIL v3We have struggled as an industry to set standardsWe have standards for each vertical right nowWe built one for cloud at CSA using common controls from HITRUST for multi-tenant cloud service providersAs mentioned earlier, Cyber for most sectors right now is about the basicsEach sector needs to figure this out and work with their Sector Specific Agency (SSA) and NIST to come up with their basics
We have developed the myth that technology can be an effective fortress – we can have securityPeople, Process, and TechnologyIn that order…Some basics – Slide speaks for itself…A new of defending
Same issues highlighted in 2 different reports.FundingCultureLegacy technology/deploymentsBudget (funding again)Lack of SkillsWe need to expect more from our ecosystem1- Ourselves2- VendorsGlasshouses?We need to understand our limitations-Technology is ahead of SecurityWe live in a Information Technology ecosystemSecurity is Everyone’s Responsibility.
The game has changed as well with AVWith CloudWith Mobile – BYODBasics firstAddress evolution next Again, Tech is ahead of SecurityWe’ll deal with advanced NEXTCrawl, Walk, and then RunThe next iteration of our security is to apply evidence that we have.Industry security evidence exists, but mostly ignored.We need to use this evidence to better:invest in basicsFocus on the most critical data and ensure resilience By sectorBy attacker
Isn’t it spooky that the same old information keeps cropping up everywhere?The Moneysec approach says to look at the correlations.Notable bias in AV vendor reportsNotable bias in security service provider reportsTraining company bias towards training or their philosophy…Mandiant reports bias towards APT/Nation State attackersVZ DBIR and TW GSR bias towards credit card and PIIPrivacy Rights Clearing House towards privacyAnd so on…But these reports, stitched together alaMoneysec tell us some thingsAnd there’s a wealth of information out thereThis is our BIG DATA I’m waiting for it to be holistically analyzed- I’m an amatuer- Bias extractedVendors need to fix their bias…come onThis is how we will identify trends in the futureBe more nimble as defendersWe need to apply what we’re learning as an overlay to basics that are WORKING
Now that we have this data.Need to prioritize what needs to be secured firstRisk Management gives this to us.There’s a lot of define and come to agreement on when it comes to risk managementPCIS – Sector meetingDefined risk as consequence (as impact only) by $$$NO!!!Basic definitionRisk = Probability x ImpactFactor Analysis of Information Risk (FAIR)Risk = The probable frequency and probable magnitude of future lossFAIR provides a reasoned and logical framework for answering these questions:‣ A taxonomy of the factors that make up information risk. This taxonomy provides a foundational understanding of information risk, without which we couldn’t reasonably do the rest. It also provides a set of standard definitions for our terms.‣ A method for measuring the factors that drive information risk, including threat event frequency, vulnerability, and loss.‣ A computational engine that derives risk by mathematically simulating the relationships between the measured factors.‣ A simulation model that allows us to apply the taxonomy, measurement method, and computational engine to build and analyze risk scenarios of virtually any size or complexity.All of this is used to make informed decisions and act accordinglyAll of this is subject to error, but it’s informed.
Moneysec ideas borrowed from:Jared Pfost, Chief Executive Officer, Third DefenseBrian Keefer, Security Architect, Leading SaaS Security CompanyWhat are your measures of success?
Median time an attacker was present on a victim network is 243 days Down from 416 days in 2011- Worse case, it took 4 years and 10 months to detect APTNot goodOnly 1/3 detected their compromise2/3 were told by an external entity (LEA or service provider)Not goodWhere Information Sharing may be beneficialThe bad guys share… Why don’t we?Industries being TargetedYour network is only as secure as your outsourced service provider.Make sure your organization understands the security posture of these providers, and apply as stringent policies to their access as you would to your own employees. Once a target always a target
Information about your networks, systems, and organization provide a road map for attackers to quickly find what they are searching for. Apply the appropriate data classifications to such information and secure it accordingly. Attackers with an objective of economic espionage have specific goalsand will return until their mission is complete. Treat incident detection and response as a consistent business process — not just something you do reactively. Constant vigilance and rapid response is necessary to keep an organization secure. Exploiting Web servers used to be indicative of crimes of opportunity rather than targeted, pre-meditated attacks. However, in 2012, Mandiant witnessed compromised Web servers being used as an initial means of access to conduct economic espionage6.5 Terabytes was stolen from a single organizationRemember the bias is nation states, APT, and cybercrime for Mandiant reportsConducting economic espionageStealing IPDisrupting and intercepting services
VZ DBIR bias is towards PCI / credit cards and Cyber crimecorporate and SMB attacks
Over $13 Billion Spent on PersonnelThe most revealing figure to come out of the report is the increase in personnel expenses. Of the $14.6 billion spent on cybersecurity in 2012 a whopping 90% went to personnel, an increase from 76% in 2011. Although IT security software and hardware is growing more sophisticated and automated, it only accounted for 5% of spending. Cybersecurity Education DownCyber protection is a bottom up process now. It’s been A Challenging YearThe top reported cybersecurity challenges were:- Funding the administration’s priority initiatives- Cultural challenges- Upgrading legacy technology- The current budget structure- Acquiring skilled personnel Top Three Government Cybersecurity Spenders in 2012 were:- Department of Defense: $12 billion- Department of Homeland Security: $615.5 million- Treasury Department: $404 million Security Incidents on the Rise49,000 security incidents were reported in 2012, Up from 43,889 in 2011. Majority of incidents were the result of lost or stolen equipment and data, not unauthorized access
Ponemon and CSO Studies show trends.We also saw these results in the Mandiant reportWe’ve heard these words with the DoE compromiseWe’ve seen that SMBs are being heavily targeted right now
We see trends in the Trustwave GSR, Mandiant Threat Report, and VZ DBIRVZ’s Vocabulary for Event Recording and Incident Sharing (VERIS) is a way to tie incident sharing and event recording togetherWe all need to adopt it or parts of itWe need to figure out how/if to make it light weight to follow itWe need to use public sources:DatalossDB.orgPrivacy Rights ClearinghouseThe Security IndexAll of these reports…Do we have anything else?
We also need to leverage forms of threat modeling that allowsOffense to Inform Defense how to better secure -- The Cyber Kill ChainJust one mitigation disrupts the chain and the adversary
Moving response and countermeasures to earlier phases of the kill chain is essential in defending today’s networks
Some trends that I’ve seen…Phishing and EmailExploitable Links and BrowsersJava, Flash, PDF, MS OfficeA/V CoverageAndroid, iOS, Windows, and MacOSAir Gaps and Removable MediaEndpoint SecuritySecurity AwarenessSecurity BasicsWe’re back here
Take our timeDo this right
I’m my father’s son…It’s our time.We need thisThis is what winning looks and feels like
CSO Magazine Confab 2013 Atlanta - Cyber Security
The Executive Order – Defining the Internet Security Ecosystem Phil Agcaoili April 2, 2013
2Cyber what? Defining Cyber• Cyber space is the connected Internet ecosystem• Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyber space• DHS defined 18 Critical Infrastructure Sectors (CIKR) Food and Agriculture Banking and Finance Chemical Commercial Facilities Communications Critical Manufacturing Dams Defense Industrial Base Emergency Services Energy Government Facilities Healthcare and Public Health Information Technology National Monuments Nuclear Reactors, Materials and Icons and Waste Postal and Transportation Water Shipping Systems• Cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy• Cyber security is protecting our cyber space (critical infrastructure) from attack, damage, misuse, and economic espionage
3Our physical infrastructure has become intertwined and reliant onour cyber infrastructure Source: DHS, "Securing the Nation’s Critical Cyber Infrastructure
9Expectations on Critical Infrastructure• S. 21, Cybersecurity and American Cyber Competitiveness Act of 2013 Senators Rockefeller (D-W.Va.), Carper (D-DE), Feinstein (D-CA), Levin (D-MI), Mikulski (D-MD), Whitehouse (D-RI), and Coons (D-DE)• H.R. 624, Cyber Intelligence Sharing and Protection Act (CISPA), 2013 Representative Rogers (R-MI) and 111 co-sponsors It’s unlikely that these will pass in 2013…
10Fact Sheet: Executive Order on Cybersecurity / Presidential PolicyDirective on Critical Infrastructure Security and ResiliencePresidential Executive Order 13,636• New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies• The development of a Cybersecurity Framework• Establishes a voluntary program to promote the adoption of the Framework• Calls for a review of existing cybersecurity regulation• Includes strong privacy and civil liberties protections based on the Fair Information Practice PrinciplesPresidential Policy Directive 21 (PPD-21)• Directs the government to identify the functional relationships across the government• Directs the government to develop an efficient situational awareness capability• Directs the government to address other information sharing priorities• Calls for a comprehensive research and development plan for critical infrastructure http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical
11Highlights of “Down Payment” February 12, 2013 Executive Order• EO 13636 and PPD-21 Issued February 12, 2013• Defines Roadmap 240 Days• Focus Areas for CIKR: October 10 Draft of • Information Sharing US Cybersecurity • US Cybersecurity Framework Framework • Standards • Identifying Critical Infrastructure 1 Year • Supply Chain February 12,• Sector-Specific Agencies and Sector Coordinating Councils 2014 Final US• FBI and NCIJTF Cybersecurity Framework 3 Year “Safe and Resilient Internet” Agencies report on critical infrastructure
12Highlights of “Down Payment”• “Don’t assume you’re not in scope” • "Critical infrastructure" covers a lot of economic activity • Covers a lot of technology• Privacy concerns need to be addressed for “information sharing”• Department of Commerce, National Institutes of Standards and Technology (NIST), and Cybersecurity Framework • Reduce cyber risks to critical infrastructure within one year, • Incorporate “voluntary consensus standards and industry best practices to the fullest extent possible.” • Federal Supply Chain• Partnerships and mandates• Open standards• “Technology neutral”• Risk-based assessments
14 Keys to Cyber Security: Information Sharing 1. Balance with PrivacyOne Size Does Not Fit All… 2. One step at a time Cybersecurity Framework 1. Common definitions 2. Don’t assume you’re not in scope (Think Ecosystem) 3. Sector specific, Risk-based Framework using Evidence with basic guidelines 5. Crawl, Walk, Run Supply Chain 1. Align with Cyber Framework 2. Provide Assurance Security is Everyone’s Responsibility.
15Don’t Assume You’re Not in Scope• Everyone with Information Technology is in scope (CIKR) • Security Basics • Apply Evidence-based Security Model • Statistics by Sector Exist • Should Threat Model Think Ecosystem.
16Threat ModelYour Role in the Cyber Space Ecosystem
18 2012 Top 20 ISO 27001 Mitigating ControlsWhat standard are Number of Times Control Mapped Ranking 1 Control A.10.9.1 to a Real-World Security Breach 447 What Framework?you following? 2 3 A.10.9.2 A.10.9.3 447 447Point Security Standards / Controls 4 A.8.2.2 184 5 A.7.2.1 94• PCI DSS 6 A.7.2.2 94 • Protects credit cards 7 A.8.1.1 90 • 12 Requirements (Domains) 8 A.8.1.2 90 • ~290 controls 9 A.8.1.3 90• HIPAA / HITECH 10 A.8.2.1 90 • Protects health information 11 A.8.3.2 90• NERC CIP 12 A.8.3.3 90• CSA Cloud Controls Matrix / Open 13 A.9.2.5 87 14 A.11.7.1 87 Certification Framework 15 A.11.7.2 87• SANS 20 Critical Security Controls / 16 A.9.1.1 50 CAG 17 A.9.1.2 50 • “International” security standards 18 A.9.2.1 50 • 20 controls (Domains) 19 A.10.8.4 16 • Mapped to ~150 20 A.10.8.3 15 NIST 800-53 controls *Based on datalossdb.org and Privacy Rights ClearinghouseHolistic Security StandardFrameworks• ISO/IEC 27001:2005 • International security standards • 11 Domains Consensus Audit Guidelines (CAG) • 133 controls Hardware asset management• FISMA • Software white listing and asset • Includes NIST 800-53 management • Vulnerability management • US government standard • Configuration settings • 22 Control Families (Domains) • Anti-virus • ~ 850 controls *Modified SANS 20 Critical Security Controls 2012• COBIT 5 continuous monitoring policy issued by DHS
19 Simplify to Basic Security Guidelines Based on Evidence and Risk We have developed the myth that technology can be an effective fortress You cannot protect all your data You cannot stop every attackTherefore,• Don’t protect everything • Protect most important data and ensure services• Increase focus on closing the detection and response gap • Establish access norms and monitor for anomalies• Reduce your attack surface • Don’t store/transmit what you don’t need• Collapse to cores • Segregrate and protect your most critical data • Protect cores really, really well• Treat all endpoints as hostile• Make small, targeted investments • Pass the Red Face Test – Reduce Investments through integration • Antivirus - Forefront • Full Disk Encryption – Bitlocker Sector-based• Patch and harden configurations• Change default credentials and restrict/monitor privileged accounts• Secure development through application testing and code reviews• Increase awareness and change culture • Social engineering and phishing • Destroy and don’t save what you don’t need• Collect your own metrics and apply security as necessary with available industry evidence
20Barriers to Implement Basics• 2012 FISMA Report The top reported cybersecurity challenges were: - Funding the administration’s priority initiatives - Cultural challenges - Upgrading legacy technology - The current budget structure - Acquiring skilled personnel • Define – Accountability (Vendors and Customers) • Customers are dependent on vendors • Vendors rely on customers
Traditional Security is Insufficient Advanced Empowered Elastic Persistent Threats Employees PerimeterTrend Micro evaluations find over 90%of enterprise networks contain activemalicious malware! Copyright 2012 Trend Micro Inc.
22Risk-Based Approach Using Evidence The REAL Big Data for Infosec
23First, Define Risk• Partnership for Critical Infrastructure Security (PCIS) • Defined: Risk = Consequence (Impact ONLY!!!) NO!!!• General Risk Equation Risk = Probability x Impact• Factor Analysis of Information Risk (FAIR) Risk = The probable frequency and probable magnitude of future loss• Many other definitions, let’s pick…• Limitations of risk analysis • Risk analysis is never perfect • All risk analysis models are approximations of reality • Reality is far too complex to ever model exactly • Any analysis model will be limited• Sometimes you have enough information to make an informed decision ~SIRA Prediction is very difficult,• Define: Risk Appetite especially about the future. ~Niels Bohr
24Second, Apply Evidence-Based Security*Abridged Version of Moneysec• Use industry data (Evidence) • “You’re not a beautiful snowflake.”• Use with [Moneysec] metrics ~JPfost• Don’t make emotional decisions • Recognize your bias• Collect the “right” data • Look for correlations• Set reasonable criteria for success • Don’t overspend• You can measure anything! Even intangibles. ~Douglas Hubbard • You don’t always need to be exact • Reducing uncertainty adds value • Having just some data can go a long way to help a decision maker• Not all measures are equally important (80/20)• Track and trend performance over time• Benchmark performance vs. self (and peers)• All metrics are worthless – unless you do something with them
27 2012 Verizon Data Breach Investigations Report (DBIR)• 5th year of public releases – Starting in 2008 – 7 total reports (mid-year supplementals in 2008 and 2009)• Dataset now contains: – 8 years of data
282012 Verizon Data Breach Investigations Report (DBIR) 2012 Trustwave Global Security Report In those cases in which an external entity was necessary for detection, analysis found that attackers had an average of 173.5 days within the victim’s environment before detection occurred. Conversely, organizations that relied on self-detection were able to identify attackers within their systems an average of 43 days after initial compromise.
292012 Verizon Data Breach Investigations Report (DBIR)
30Trend - 2011 Verizon Data Breach Investigations Report (DBIR)
31Trend - 2011 Verizon Data Breach Investigations Report (DBIR) • Eastern Europe takes a commanding lead Who are the (external) bad guys?
32 2012 Federal Information Security Management Act report• Over $13 Billion Spent on Personnel • Of the $14.6B spent on cybersecurity in 2012, a whopping 90% went to personnel • An increase from 76% in 2011• Cybersecurity Education Down • Training only accounted for 0.9% of the total spent on cybersecurity, almost 2% lower than 2011• A Challenging Year The top reported cybersecurity challenges were: - Funding the administration’s priority initiatives - Cultural challenges - Upgrading legacy technology - The current budget structure - Acquiring skilled personnel• Top Three Government Cybersecurity Spenders The organizations who spent the most in 2012 were: - Department of Defense: $12 billion - Department of Homeland Security: $615.5 million - Treasury Department: $404 million• Security Incidents on the Rise • 49,000 security incidents were reported in 2012, up from 43,889 in 2011 • Worth noting that the majority were the result of lost or stolen equipment and data, not unauthorized access• 2012 FISMA report reflects the major concerns we’ve recently heard in the media: • An increase in successful cyberattacks • A shortage of trained cybersecurity professionals; and • An IT infrastructure too weak to repel sophisticated attacks• This recent surge in cyberattacks on government systems is the new normal• However, the amount of successful attacks can and will decrease when agencies invest in security automation IT, which will decrease personnel costs, freeing the resources needed to properly invest in a fully trained cybersecurity workforce
33 Connecting the Dots Information Leakage • Ex-employees, partners, and customers • Over 1/3 due to negligence • Increasing loss from external collaboration Ponemon Study finds: 55% of SMBs were breached in 2012Percentage cause of data breach Estimated sources of data breach 2010 CSO Cost of Data Breach report Global State of Information Security Survey Ponemon Institute 2010
Connecting the Dots VERIS: (Vocabulary for Event Recording and Incident Sharing) What How Who Why When2012 Trustwave GSR 2013 Mandiant TR 2012 Verizon DBIR
35Third, Add Threat Modeling Supports Risk ModelCyber Kill Chain Model • Intrusions must be studied from the adversary’s perspective – analyzing the “kill chain” to inform actionable security intelligence • An adversary must progress successfully through each stage of the chain before it can achieve its desired objective Command Actions onRecon Weapon Delivery Exploit Install and Objectives Control • Just one mitigation disrupts the chain and the adversary
36Threat Modeling - Countermeasures • Moving detection and mitigation to earlier phases of the kill chain is essential in defending today’s networks Command Actions onRecon Weapon Delivery Exploit Install and Objectives Control
37Bring it All Together - Trends in the Evidence MotivatingFix what’s broken Event• Hacks and compromise • Fix what’s already been hacked at your company • Utilize Cyber Kill Chain Model to focus defense in depth strategy• Understand security trends for your industry • Small and Medium Business beware • Banks – DDOS, fraud, botnets, and web authentication attacks • Hospitality – Credit cards, point of sale systems, Wifi, and admin accounts • DIB – RSA hack - Adobe/Microsoft 0days, remote access, and phishing • News – NYT/WSJ - phishing, Oracle Java 0days • Retail – Open Wifi, POS • LEA – 0day, social engineering and phishing • Credit card processors – Phishing and egress traffic • Websites – SNE (SQL Injection) and exclusion from core security• Know your threat landscape to prioritize your treatment strategy based on risk• In advertising, the best insights are often minor alterations in trends which occur over long periods of time (and take time to see due to their nuanced nature).~Neira JonesSomebody needs to thoroughly analyze the important industry data by sector. KNOW THE BIAS!!! Adjust from there.
38Crawl, Walk, and then Run…• Agree on definitions at each step of this process• Agree on roles in cyber space ecosystem• Need to develop better understanding • Cyber effect on way of life, economic vitality, and national security • Top threats by sector • Attackers/Adversaries by sector • Evidence of risks by sector• Agree on countermeasures / controls
40Conclusion• The time is now for cyber security• Agree on definitions as we proceed to each step• Security is Everyone’s Responsibility• Think Risk• Use the evidence we have • There is a lot industry data that needs to be analyzed• Proceed with care, methodically, and by sector • Agree on the basics• Get it done. We can do it. Cyber Space Ecosystem
41 Questions & AnswersPhil AgcaoiliCISO, Cox Communications, Inc.Co-Chair, Communication Sector Coordinating Council (CSCC), Cybersecurity Committee – Technology Sub-CommitteeCo-Founder & Board Member, Southern CISO Security CouncilDistinguished Fellow and Fellows Chairman, Ponemon InstituteFounding Member, Cloud Security Alliance (CSA)Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and Open Certification Framework (OCF) @hacksec https://www.linkedin.com/in/philA