SlideShare a Scribd company logo
Cyber-Security
Threats
Why we are losing the battle (and
probably don’t even know it!)

December 12th, 2013
“If you know the enemy and know yourself,
you need not fear the result of a hundred
battles. If you know yourself but not the
enemy, for every victory gained you will
also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in
every battle”
Sun Tzu, The Art of War
John Hudson









15 years designing security strategies
Business Process Engineer
Why cyber-security fails – a mission
CISO University of Pittsburgh 35,000+ users
Blocked over 100,000 attacks every day
Experienced Anonymous attacks
Bomb threats/Forensics investigations
Worked in distributed and closed environments
Plus Consulting
Cyber-Security Practice helps organizations:








Identify risk and control failures, based on their organization
Cyber-security frameworks
Pen-testing, vulnerability scanning, social engineering
Solve security problems (for example, doing business in highrisk countries)
Compliance readiness
We help organizations plan refine and Implement cybersecurity strategies
Premise
 Organizations are losing the cyber-security battle and
most don’t know that it is happening (or choose to
ignore it)
 The persistent threat environment means that:



You have had a breach and may or may not know it
You will have a breach and may or may not know it

 Growth in data, application features, and collaboration
makes cyber-security a greater challenge
 Security tools in isolation of a continuous security
program only delay the inevitable
 Attacks are complex, clever and continuous
Outline
 Current threat environment
 Organizational challenges
 Why “they” are winning

 Neutralizing “them” from winning
Threat Environment

The more things change,
the more they stay the same...
Alphonse Karr, 1849
Acceptance









Attacks are more targeted
Malware is more complex and multi-dimensional
Social engineering is an art
Hactivism is here to stay
Anti-forensics is now the norm
Cyber-attacks are becoming strategic
Nearly all attacks are external (98%)
Hacking tools for sale online (with better SDLC than
most developers)
Simple Targeted Attack










Open source intelligence – find entry points
Collect data and profile – website scraping
Build spoof sites – your brand, your people
Email campaign from a ‘known-source”
Phone calls to “known targets”
Scan for vulnerabilities
Exploit with malware or walk through the front door
Keep the door open
Harvest under the radar
5-10% return
But...
 Criminals are targeting organizations with sophisticated
attacks, but….
 79% of attacks are still targets of opportunity
 96% of attacks were not difficult
 85% of breaches took weeks to months to discover
(source: Verizon 2012 Data Breach Investigation Report)
 “it won’t happen to us – we are too small” is long gone!
We could now talk about the latest and
greatest zero day exploits, security
appliances, or regulations coming down the
pipeline all day long.................
but organizations are not dealing with the
basics...
Organizational Challenges
Big Data – Big Problem
5 Exabyte's
2013
every 10
minutes
5 Exabyte's
every 2 days

2003
Year 0

2011
Asset Value...
 Few organizations know:
 The value of their data
 The value of uptime
 The impact of its loss
 Or the value placed on it by others
 If you don’t know the value and loss impact – how
can you protect?
 Have disaster plans, but ignore the disaster of lost data
 At best, all data is treated as equal
The rules have changed...








Privacy is being challenged
Generational mindsets
BYOD/BYON
The Cloud (good or bad?)
Virtualization – paradigm change in deployment
Smartphone is your computer – what next?
Security budgets have not grown in ten years even
though the problem has exploded
Extension of Security Boundary =
More Points of Entry
Why “they” are winning
Organizations Are Abdicating Responsibility
 Boards and Executives do not own the problem





They are not asking the right questions
It is not part of the strategy
They do not drive down security posture
At best, it is seen as an IT problem at the tactical level

 CISO’s report to the wrong people (if they have one)


Potential career-ending decisions if doing job

 Security is not a technical issue



Technology is the output of security, not the input
But security is now a specialist subject
Organizations are Abdicating Responsibility
 Audits do not equal security




Checking boxes on flawed controls gives a false sense of
security
Compliance is not security – it has yet to stop an attack
Compliance is confusing and not backed

 The wrong people are held accountable


Breach = ex-CISO

 Policy manuals just kill more trees
Result
 No mandate to invest in the right security
 Little backing = no putting the head above the parapet
 Problems are hidden


We are going live tomorrow with ERP, but there's a security
issue – what do you do?

 Identified risk is only important if it does not stop the
operation
 CISOs jump from job to job
 Security staff feel undervalued
 Wrong money spent solving yesterday’s problems
So let’s Summarize...









Threats = more complex, faster, multi-dimensional
For most organizations, simple exploits will gain results
State-run attacks and Hactivism is becoming the norm
Organizations are using data in ways unimaginable 10 years
ago, and treat security in the same way
Organizations are not talking about the value of their assets
Security is seen as a low-level technical responsibility
Many Fortune 500 companies do not have a CISO
The biggest disaster an organization may ever face is a
breach
Neutralizing “Them”
from winning
It’s a Journey
 Until boards and executives own the problem, little will
change
 Appoint board oversight of security
 Identify the value of your assets
 Identify the loss impact of your assets
 Identify what can hurt you
 This forms the security problem
It’s a Journey
 Design a continuous security program around the
problem




Create choke-points
Back them
Audit the mitigation strategies

User Desktop
Tablet or Laptop
The Choke
Point

Multi factor Authentication
No Port 80
BI with Scrambling
Encryption
IPS/IDS

Secure Zone

Virtual Servers

Virtual Desktop
It’s a Journey
 Segregate Security reporting from IT
 Reward based upon security metrics, not IT metrics
 The board is responsible for security, people are
responsible for negligence
 Build the security response around what is important
 Worry less about the rest (not all assets are equal)
 If you can’t prevent it or flag it – don’t put it in your
security policies
 Acceptable use must have teeth
Quick takeaways
Ask this question when you get back to your organization...

If you received an email from a hacker saying we have got
your critical data – how would you know if they really do?
If you don’t know, you don’t have a
comprehensive security program
Quick takeaways
If you do nothing else, do these things:
 Application whitelisting
 Acceptable usage policy and mandatory awareness
training
 Business Impact Analysis and Risk and Control
assessment – owned by the board and presented
back to the board
 Love your security professionals 
Questions?

John Hudson
Security & Strategy Practice Director
Plus Consulting
John.Hudson@plusconsulting.com
412.206.0160

More Related Content

What's hot

Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber Security
Nikunj Thakkar
 
Cyber Security India & Cyber Crime
Cyber Security India & Cyber CrimeCyber Security India & Cyber Crime
Cyber Security India & Cyber Crime
Deepak Kumar (D3)
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
Vicky Fernandes
 
Cyber Security in the Interconnected World
Cyber Security in the Interconnected WorldCyber Security in the Interconnected World
Cyber Security in the Interconnected World
Russell_Kennedy
 
Cyber security-report-2017
Cyber security-report-2017Cyber security-report-2017
Cyber security-report-2017
NRC
 
The Importance of Cybersecurity in 2017
The Importance of Cybersecurity in 2017The Importance of Cybersecurity in 2017
The Importance of Cybersecurity in 2017
R-Style Lab
 
cyber security
cyber securitycyber security
cyber security
abithajayavel
 
What is Cyber Security - Avantika University
What is Cyber Security - Avantika UniversityWhat is Cyber Security - Avantika University
What is Cyber Security - Avantika University
Avantika University
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
Mukesh Chinta
 
Cyber security
Cyber securityCyber security
Cyber security
vishakha bhagwat
 
Cyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measuresCyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measures
CBIZ, Inc.
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
rahulbhardwaj312501
 
Cyber security & Data Protection
Cyber security & Data ProtectionCyber security & Data Protection
Cyber security & Data Protection
Dr. Hemant Kumar Singh
 
2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security
Stephen Cobb
 
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Avantika University
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
The role of big data, artificial intelligence and machine learning in cyber i...
The role of big data, artificial intelligence and machine learning in cyber i...The role of big data, artificial intelligence and machine learning in cyber i...
The role of big data, artificial intelligence and machine learning in cyber i...
Aladdin Dandis
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
GGV Capital
 
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
Netpluz Asia Pte Ltd
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
Kyle Lai
 

What's hot (20)

Basics of Cyber Security
Basics of Cyber SecurityBasics of Cyber Security
Basics of Cyber Security
 
Cyber Security India & Cyber Crime
Cyber Security India & Cyber CrimeCyber Security India & Cyber Crime
Cyber Security India & Cyber Crime
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
Cyber Security in the Interconnected World
Cyber Security in the Interconnected WorldCyber Security in the Interconnected World
Cyber Security in the Interconnected World
 
Cyber security-report-2017
Cyber security-report-2017Cyber security-report-2017
Cyber security-report-2017
 
The Importance of Cybersecurity in 2017
The Importance of Cybersecurity in 2017The Importance of Cybersecurity in 2017
The Importance of Cybersecurity in 2017
 
cyber security
cyber securitycyber security
cyber security
 
What is Cyber Security - Avantika University
What is Cyber Security - Avantika UniversityWhat is Cyber Security - Avantika University
What is Cyber Security - Avantika University
 
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measuresCyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measures
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber security & Data Protection
Cyber security & Data ProtectionCyber security & Data Protection
Cyber security & Data Protection
 
2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security2015: The year-ahead-in-cyber-security
2015: The year-ahead-in-cyber-security
 
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
Why is Cyber Security Important - Importance of Cyber Security - Avantika Uni...
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
The role of big data, artificial intelligence and machine learning in cyber i...
The role of big data, artificial intelligence and machine learning in cyber i...The role of big data, artificial intelligence and machine learning in cyber i...
The role of big data, artificial intelligence and machine learning in cyber i...
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
eSentinel webinar with Netpluz & Straits Interactive on Cyber Security & PDPA...
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
 

Similar to Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

DeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItDeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without It
Emerson Exchange
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Berezha Security Group
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptx
lochanrajdahal
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
- Mark - Fullbright
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
Matthew Pascucci
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
TheWalkerGroup1
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
John Bambenek
 
Yours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceYours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem Space
Jack Whitsitt
 
Enterprise security management II
Enterprise security management   IIEnterprise security management   II
Enterprise security management II
zapp0
 
Security Transformation
Security TransformationSecurity Transformation
Security Transformation
Faisal Yahya
 
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Capgemini
 
Security Analytics for Certified Fraud Examiners
Security Analytics for Certified Fraud ExaminersSecurity Analytics for Certified Fraud Examiners
Security Analytics for Certified Fraud Examiners
The Lorenzi Group
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
Ivanti
 
Enterprise incident response 2017
Enterprise incident response   2017Enterprise incident response   2017
Enterprise incident response 2017
zapp0
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Rishi Singh
 
Threat Intelligence in Cybersecurity.pdf
Threat Intelligence in Cybersecurity.pdfThreat Intelligence in Cybersecurity.pdf
Threat Intelligence in Cybersecurity.pdf
Ciente
 
Five Reasons to Look Beyond Math-based Next-Gen Antivirus
Five Reasons to Look Beyond Math-based Next-Gen AntivirusFive Reasons to Look Beyond Math-based Next-Gen Antivirus
Five Reasons to Look Beyond Math-based Next-Gen Antivirus
Sarah Vanier
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
Anton Chuvakin
 
The SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guideThe SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guide
roongrus
 
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
dianadvo
 

Similar to Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It) (20)

DeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItDeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without It
 
Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...Slides to the online event "Creating an effective cybersecurity strategy" by ...
Slides to the online event "Creating an effective cybersecurity strategy" by ...
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptx
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
 
Yours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceYours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem Space
 
Enterprise security management II
Enterprise security management   IIEnterprise security management   II
Enterprise security management II
 
Security Transformation
Security TransformationSecurity Transformation
Security Transformation
 
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
Failing and Failing Fast in AppDev – How Do We Keep up in AppSec?
 
Security Analytics for Certified Fraud Examiners
Security Analytics for Certified Fraud ExaminersSecurity Analytics for Certified Fraud Examiners
Security Analytics for Certified Fraud Examiners
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
Enterprise incident response 2017
Enterprise incident response   2017Enterprise incident response   2017
Enterprise incident response 2017
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
 
Threat Intelligence in Cybersecurity.pdf
Threat Intelligence in Cybersecurity.pdfThreat Intelligence in Cybersecurity.pdf
Threat Intelligence in Cybersecurity.pdf
 
Five Reasons to Look Beyond Math-based Next-Gen Antivirus
Five Reasons to Look Beyond Math-based Next-Gen AntivirusFive Reasons to Look Beyond Math-based Next-Gen Antivirus
Five Reasons to Look Beyond Math-based Next-Gen Antivirus
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
 
The SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guideThe SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guide
 
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
Insider Threat - How Do You Find a Wolf in Sheep's Clothing?
 

Recently uploaded

Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
siddu769252
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
AmandaCheung15
 

Recently uploaded (20)

Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Zaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdfZaitechno Handheld Raman Spectrometer.pdf
Zaitechno Handheld Raman Spectrometer.pdf
 

Cyber-Security Threats: Why We are Losing the Battle (and Probably Don't Even Know It)

  • 1. Cyber-Security Threats Why we are losing the battle (and probably don’t even know it!) December 12th, 2013
  • 2. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” Sun Tzu, The Art of War
  • 3. John Hudson         15 years designing security strategies Business Process Engineer Why cyber-security fails – a mission CISO University of Pittsburgh 35,000+ users Blocked over 100,000 attacks every day Experienced Anonymous attacks Bomb threats/Forensics investigations Worked in distributed and closed environments
  • 4. Plus Consulting Cyber-Security Practice helps organizations:       Identify risk and control failures, based on their organization Cyber-security frameworks Pen-testing, vulnerability scanning, social engineering Solve security problems (for example, doing business in highrisk countries) Compliance readiness We help organizations plan refine and Implement cybersecurity strategies
  • 5. Premise  Organizations are losing the cyber-security battle and most don’t know that it is happening (or choose to ignore it)  The persistent threat environment means that:   You have had a breach and may or may not know it You will have a breach and may or may not know it  Growth in data, application features, and collaboration makes cyber-security a greater challenge  Security tools in isolation of a continuous security program only delay the inevitable  Attacks are complex, clever and continuous
  • 6. Outline  Current threat environment  Organizational challenges  Why “they” are winning  Neutralizing “them” from winning
  • 7. Threat Environment The more things change, the more they stay the same... Alphonse Karr, 1849
  • 8. Acceptance         Attacks are more targeted Malware is more complex and multi-dimensional Social engineering is an art Hactivism is here to stay Anti-forensics is now the norm Cyber-attacks are becoming strategic Nearly all attacks are external (98%) Hacking tools for sale online (with better SDLC than most developers)
  • 9. Simple Targeted Attack          Open source intelligence – find entry points Collect data and profile – website scraping Build spoof sites – your brand, your people Email campaign from a ‘known-source” Phone calls to “known targets” Scan for vulnerabilities Exploit with malware or walk through the front door Keep the door open Harvest under the radar 5-10% return
  • 10. But...  Criminals are targeting organizations with sophisticated attacks, but….  79% of attacks are still targets of opportunity  96% of attacks were not difficult  85% of breaches took weeks to months to discover (source: Verizon 2012 Data Breach Investigation Report)  “it won’t happen to us – we are too small” is long gone!
  • 11. We could now talk about the latest and greatest zero day exploits, security appliances, or regulations coming down the pipeline all day long................. but organizations are not dealing with the basics...
  • 13. Big Data – Big Problem 5 Exabyte's 2013 every 10 minutes 5 Exabyte's every 2 days 2003 Year 0 2011
  • 14. Asset Value...  Few organizations know:  The value of their data  The value of uptime  The impact of its loss  Or the value placed on it by others  If you don’t know the value and loss impact – how can you protect?  Have disaster plans, but ignore the disaster of lost data  At best, all data is treated as equal
  • 15. The rules have changed...        Privacy is being challenged Generational mindsets BYOD/BYON The Cloud (good or bad?) Virtualization – paradigm change in deployment Smartphone is your computer – what next? Security budgets have not grown in ten years even though the problem has exploded
  • 16. Extension of Security Boundary = More Points of Entry
  • 18. Organizations Are Abdicating Responsibility  Boards and Executives do not own the problem     They are not asking the right questions It is not part of the strategy They do not drive down security posture At best, it is seen as an IT problem at the tactical level  CISO’s report to the wrong people (if they have one)  Potential career-ending decisions if doing job  Security is not a technical issue   Technology is the output of security, not the input But security is now a specialist subject
  • 19. Organizations are Abdicating Responsibility  Audits do not equal security    Checking boxes on flawed controls gives a false sense of security Compliance is not security – it has yet to stop an attack Compliance is confusing and not backed  The wrong people are held accountable  Breach = ex-CISO  Policy manuals just kill more trees
  • 20. Result  No mandate to invest in the right security  Little backing = no putting the head above the parapet  Problems are hidden  We are going live tomorrow with ERP, but there's a security issue – what do you do?  Identified risk is only important if it does not stop the operation  CISOs jump from job to job  Security staff feel undervalued  Wrong money spent solving yesterday’s problems
  • 21. So let’s Summarize...         Threats = more complex, faster, multi-dimensional For most organizations, simple exploits will gain results State-run attacks and Hactivism is becoming the norm Organizations are using data in ways unimaginable 10 years ago, and treat security in the same way Organizations are not talking about the value of their assets Security is seen as a low-level technical responsibility Many Fortune 500 companies do not have a CISO The biggest disaster an organization may ever face is a breach
  • 23. It’s a Journey  Until boards and executives own the problem, little will change  Appoint board oversight of security  Identify the value of your assets  Identify the loss impact of your assets  Identify what can hurt you  This forms the security problem
  • 24. It’s a Journey  Design a continuous security program around the problem    Create choke-points Back them Audit the mitigation strategies User Desktop Tablet or Laptop The Choke Point Multi factor Authentication No Port 80 BI with Scrambling Encryption IPS/IDS Secure Zone Virtual Servers Virtual Desktop
  • 25. It’s a Journey  Segregate Security reporting from IT  Reward based upon security metrics, not IT metrics  The board is responsible for security, people are responsible for negligence  Build the security response around what is important  Worry less about the rest (not all assets are equal)  If you can’t prevent it or flag it – don’t put it in your security policies  Acceptable use must have teeth
  • 26. Quick takeaways Ask this question when you get back to your organization... If you received an email from a hacker saying we have got your critical data – how would you know if they really do? If you don’t know, you don’t have a comprehensive security program
  • 27. Quick takeaways If you do nothing else, do these things:  Application whitelisting  Acceptable usage policy and mandatory awareness training  Business Impact Analysis and Risk and Control assessment – owned by the board and presented back to the board  Love your security professionals 
  • 28. Questions? John Hudson Security & Strategy Practice Director Plus Consulting John.Hudson@plusconsulting.com 412.206.0160