Everything is not awesome: The rising threat of Cyber-attack and what to do about it
1. Everything Is Not Awesome
The rising threat of Cyber-attack and what to do about it
Robi Sen, CSO, Department 13, LLC
robi.sen@department13.com
2. Agenda
• It's all just getting worse
• Data breaches more common and larger
• Number of attacks in total rapidly increasing
• Threats are more sophisticated and hard to stop
• Technology is failing us
• Why is it getting worse
• High value low risk
• Low barrier to entry - it's so easy
• As technology gets more complex, it's harder to secure
• Vendors don’t really care
• What can we do
• Be realistic and plan for compromise
• Focus on security early, not after an event
• Realize that the best defense is people
• What you can do right now
3. Realize security is core to your business
If you can answer no to all of these questions, then you can ignore security.
• Does your brand matter to you?
• Do you care about your customers and customer trust?
• Do you have important Intellectual Property?
• Do you have company secrets?
• Do your products, services, or systems affect people's lives?
6. Technology is failing us; fighting yesterday's battles
Antivirus "is dead," said Brian Dye, SVP of Information Security at Symantec (1)(2). "We don't think of antivirus as a moneymaker in any way."
82 percent of all malware detected stays active for a mere hour, and 70 percent of all threats surface only once, because malware authors rapidly change their software to skirt detection by traditional, signature-based antivirus (3).
8. Why? It's just too easy
• Tools such as Kali are widely available
• Point-and-click hacking tools
• Hacking and malware as a service are now widespread
• Most companies don't even know if they are being hacked
• Most companies don't know how to respond
9. Why? Complexity is the bane of security
• Organically grown systems – Bash and Shellshock are a great example (1)
• Systems layered and so complex they are hard to understand (2)
• Overly specialized – non-system thinking (3)
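Shellshock is the slide's example of an organically grown system biting back: for years bash imported any environment variable whose value began with "() {" as a function definition, and unpatched versions also executed whatever followed the closing brace. The following is an added example, not material from this talk; it wraps the public probe string for CVE-2014-6271 in a POSIX-shell function so you can check a bash binary on your own hosts. It assumes a bash binary on PATH; the variable name HTTP_USER_AGENT is chosen only to mirror how CGI web servers copy request headers into the environment, which is what made the bug remotely reachable.

```shell
#!/bin/sh
# Added example (not from the talk): probe a bash binary for the original
# Shellshock bug, CVE-2014-6271.
#
# Unpatched bash imported any environment variable whose value started with
# "() {" as a shell function and kept parsing past the closing brace, so a
# trailing command ran at bash startup. CGI servers copy HTTP headers into
# environment variables (User-Agent -> HTTP_USER_AGENT), so a crafted header
# reached bash on any CGI script that was itself a bash script or spawned one.

# shellshock_probe [bash_binary] [env_var_name]
# Prints exactly one verdict: vulnerable, patched, or no-bash.
# Always returns 0 so it can be called under "set -e"; act on the verdict.
shellshock_probe() {
  bash_bin="${1:-bash}"
  # Default to the CGI-style name purely to mirror the real attack path.
  var_name="${2:-HTTP_USER_AGENT}"

  if ! command -v "$bash_bin" >/dev/null 2>&1; then
    echo "no-bash"
    return 0
  fi

  # The canonical public test string: a no-op function body followed by a
  # trailing command. The child bash is only asked to run "echo probe"; if
  # the marker text shows up as well, the trailing command was executed
  # while bash was importing the environment, i.e. the binary is vulnerable.
  out=$(env "$var_name"='() { :;}; echo SHELLSHOCK_MARKER' \
            "$bash_bin" -c 'echo probe' 2>/dev/null)

  case "$out" in
    *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
    *)                   echo "patched" ;;
  esac
  return 0
}

# Stand-alone usage: report the verdict for the bash found on PATH.
echo "CVE-2014-6271 probe: $(shellshock_probe)"
```

A "patched" verdict covers only the first Shellshock CVE; the initial fix was incomplete and several follow-up CVEs were issued, so the real remediation is to run a current bash package rather than to pass this one probe.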
10. Why? Vendors really don't care
• Vendors focus on the features of their products and services first
• Vendors' product cycles are relentless, allowing little time for security testing and analysis
• Vendors think security is something that can be added later
• Vendors are rarely sued or held responsible for the low quality of security in their products
12. Realize you're going to get compromised
• It's not if. It's when!
• Ask yourself... What do you do when you're compromised?
• How well do you know how you will react? Timing, escalation, and
appropriateness.
• Have you made connections with law enforcement, legal, PR, and
your vendors?
• Who owns security in your company?
• Who are the people who are most likely to attack you?
13. Focus on security early
• Include security in your business plan
• Add security to your business model
• At the start of a new service, product, or business
• Add security as part of your culture of excellence
• Plan for the inevitable and make a response plan
14. Your people are your best security resource
• Humans are better at identifying modern threats
• People are flexible
• Humans assisted by technology are better than either
• Your people and employees can respond to your needs while vendors
may not
15. What you can do right now
1. Prioritize your assets based on YOUR BUSINESS NEEDS
2. Identify your major risks
3. Do a security assessment but make sure it focuses on YOUR BUSINESS NEEDS
4. Work internally to understand your current policies and process to see if they
align with one and two
5. Clarify and simplify
6. Make a response plan
7. Create the ONION – Add your technical, physical, and human security systems
8. Game and test
9. Lather, Rinse, Repeat!
16. What you can do right now
• Hire a CSO or senior security professional
• Invest in training
• Empower your security staff
• Invest in tools that empower people, not replace them
• Join security groups
• Connect with the FBI and local law enforcement
• Make a relationship with a security partner
• Remember security is a state not a goal
The problem is that we think of security all wrong. We think it's an end goal. It's not; it's a changing state. That end-goal mindset drives the myth that tools and techniques can stop attacks. They cannot. At some point the attacker will be successful, especially when they can attack and attack and attack again. We need to change how we think of security.
Furthermore, we have security backwards. We tend to treat security as a static goal, a set of boxes on a checklist. It's not. Threats constantly change. The attack surface, the techniques, and even the goals of attackers always change.
More importantly, you, the target, have different needs, goals, and risks that cannot be accounted for by a simple checklist. Only you and your organization can decide what's important to you, not a government agency or third party. All your security goals, policies, and procedures must cascade from those business criteria and needs.
This is not just FUD. Attacks are more common and more sophisticated. They are also more likely to succeed. You need to accept this. You will be compromised, and it's worth repeating.
Even your email is worth something. Spammers and hackers will pay between a fraction of a cent and 5 to 10 cents for fully vetted, valid email addresses.
Also, knowledge is power. If you know who is talking to whom, who is investing in what, how someone will vote, what new laws are being made, and the like, then you have real power.
Your people are worth a lot. CEOs, CFOs, your lawyers, and traveling representatives are now common targets of organized crime and state security apparatus. Everyone wants to know what your CEO is thinking!
1 – http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html#.VE2fPvnF_xU and also read http://blog.erratasec.com/2014/09/many-eyes-theory-conclusively-disproven.html
2 – http://www.wired.com/2013/01/uncovering-the-dangers-of-network-security-complexity/ 50+% of respondents said complexity created security issues.
3 – Engineers focus too much on one specific area of a system they touch, such as the user interface, instead of the system as a whole.
You need to think about who is likely to attack you. If you don't have a security background this might be hard. For example, if you're an NGO helping poor farmers in Africa, you might think you have no security risk. Yet one of the NGOs who is a customer was compromised by a major state security group that has interests in African governments and business. Remember, not everyone is after just money.
Your biggest threat is also your own people. Choose wisely!
Security has to be thought of as part of your business and your business model. As such, only you can determine what level of investment you need to make to balance risk against investment. That being said, you cannot make this assessment until you have really assessed your security, your threats, and your risks.
Humans are better at identifying modern threats than computers.
People are flexible.
Humans assisted by technology are better than either technology or people alone.
Your people and employees can respond to your needs, while vendors will not always.
That being said, finding the right people is very hard.
Talk about what the right people look like and how one good person can build a great team from just decent IT folks, whereas a bunch of developers, IT folks, networking guys, and programmers on their own rarely understand security.
2 – By risks we mean what would happen if you lost data, someone got access, and the like, not specific technology threats or issues.
3 – You can do this yourself, but it's best practice to work with a third party.
4 – Don't just follow a checklist. Think this through.
5 – As we mentioned, policy complexity leads to confusion and even security failures. Also, simple policies and plans allow your team to use common sense and "on the ground" knowledge.
6 – You need to have a detailed plan, but it does not need to be complex. Also, your staff need to know when to deviate and when to follow the script. This often requires hiring good people.
7 – Put your tools in place, but make sure they are backed up by people who know how to use those tools, know when to get new tools, and know how to respond.
8 – You have to test your system, and not just with penetration tests. You have to game the whole process. This may seem complex and expensive, but it can often be done in half a day with key stakeholders and staff, and is far cheaper than a breach.