Insights for the CFO and the finance function about cybersecurity and their role in preventing, detecting and enabling the security team

1. Modern infosec for the CFO
FEI Brisbane Lunch Event
00110010001100000011000100110110001011010011000000110010001011010011001000110011

2. Is it really that bad?
384
375
155

3. Reported
vulnerabilities
Unreported
vulnerabilities

4. Is it really that bad?
It’s pretty bad.
384
375
155

5. Why?
Money (mainly) but each player has their
own agenda

6. The main players
Hacktivists
Contract/lonewolf hackers
Hacker groups
Organised crime syndicates
Government/intelligence agencies

7. Breakdown
Partner
Internal
Collusion
External
100%
80%
60%
40%
20%
0%
2010 2011 2012 2013 2014
Courtesy Verizon 2016 Data Breach Investigations Report
http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_Insiders_en_xg.pdf
2015

8. Common attack methods
Phishing and social engineering
Weak web-based services
Physical
Deep web information gathering
Poor authentication and system controls

9. Common attack tools
Metasploit
Hardware plants
Wireless interceptors
Powershell
Veil-evasion

10. Common attack tools
Metasploit
Hardware plants
Wireless interceptors
Powershell
Veil-evasion

11. Cracking the perimeter
Very determined attacker developed a
customised exploit to compromise a perimeter
system, allowing access to the internal network
Unconfirmed, but likely a web-based
vulnerability, allowing full access to the
corporate network
While complete details aren’t available,
reports of physical intrusions into a
company facility support the timeline and
analysis of the breach at Sony

12. Cracking the perimeter
State-sponsored attackers gained a foothold
within the OPMM network via a carefully
targeted phishing email containing an infected
Office document
Not sure how exactly the breach occurred, but
sources indicate that it was state-sponsored
attack by China

13. Defence
Enterprise-level protections have limitations
Interconnected requirements of the digital
economy
Attackers regularly use native tools
New vulnerabilities found daily
Patching large organisations takes time
We’re just not good enough.

14. The CFO
Key player when it comes to the protection of the business
Knows how money is made, where the core assets lie and
what the business simply cannot proceed without
Has knowledge of longer term initiatives and emerging
business opportunities
Can influence culture

15. Security challenges
Identifying value for money when it comes to security
spend can be difficult
Many modern security solutions require multiple FTE to
operate, and only address part of the security problem
Knowing what data to protect as a priority can be difficult
to identify for security teams

16. Security challenges
Too many organisations still pursue tightly scoped security
testing engagements
Effectively planning future security spends requires
foresight of upcoming business changes
Major business changes can attract significant attention
from criminal elements

17. How you can help
Highlight core business processes/services/systems
directly to the CIO/CISO to ensure they attract the lions
share of focus
‘Encouraging’ the CIO/CISO to regularly review IT security
spend against effectiveness will help identify infective or
deprecated systems and services
Helping to ensure spend is even distributed across prevent
and detect puts the business in the best possible position

18. How you can help
Insist on being a key stakeholder for any penetration test
or security assessment
Support the concept of an unscoped testing approach with
appropriate protections
Share plans on critical projects and initiatives as early as
possible
Build a strong relationship with your lead security contact

19. Your business is valuable , and you have things that
attackers want
Spending on cyber security can be justified and should be
measurable – you can help
Supporting a ‘no-rules’ approach to penetration testing
delivers the most value
The focus should be on fast response to an attack, not an
attempt to prevent all possible breaches
Summary