IOActive, Inc. Copyright ©2018. All Rights Reserved.
Leveraging Compliance to “Help”
Prevent a Future Breach
Kevin J. Murphy, CISSP, CISM, CGEIT
Vice President Cyber Governance
Kevin.murphy@ioactive.com
February 20, 2018, ISACA Monthly Meeting
Agenda
A very interactive discussion – We learn from each other!
• Who is in the room?
• The role of Compliance?
• Lessons from 2017
• Responsive GRC in 2018
• Corporate Risk Score Card
Who is in the room?
• Healthcare
• Energy
• Telecom
• Financial
• Manufacturing
• Government & Utilities
• Retail
• Technology
• Transportation
• Services
• Law Enforcement
Job Roles in the room?
• Audit
• Risk Mgmt
• Governance
• Compliance
• Attorney
• Consulting
• Security
• Executive Leadership
• IT Engineering
• New to the Industry
• New to the ISACA
What is the Purpose of Compliance Management?
• Confirm adherence to a standard or regulatory
requirement: e.g. ISO, NIST, PCI-DSS, GDPR
• Verification: Audit
• Transfer Risk
So how are we doing?
2017 Compliance Management
• The problem with standards and regulations is that it
takes ~3 years for a standard to be implemented
• That is not responsive enough to protect you
from “new” attacks
• It “may” protect you from the known attacks of the
past
So what do we do?
Why would I attack your industry?
• What am I after?
– Your IP (Intellectual Property)
– Client PII (Personally identifiable information)
– “Your Employee” PII
– I can sell this info for credit fraud
– To extort money from you (Ransomware)
– To punish your government in a geopolitical
disagreement
– Cyberwar – Economic Disruption
Let’s look at the big attacks of 2017
• Ransomware: WannaCry, etc.
• Equifax: Breach
• How many of you have incorporated lessons learned from these attacks?
• What did you change in your governance program as a result?
Ransomware?
• Ransomware is malicious software that threatens to
publish the victim’s data, or to perpetually block access
to it, unless a ransom is paid.
• Recovering your files without the decryption key is
unlikely.
• Ransoms are demanded in digital currencies such as
Bitcoin, which makes tracing and prosecution difficult.
Who is attacking?
On October 24th, 2017, Bad Rabbit targeted
Windows machines, posing as an Adobe Flash
update. The attack took computers down in
Russia, Ukraine, Germany and Turkey.
Ransomware?
• The WannaCry worm traveled between unpatched
computers without user interaction.
• March 14, 2017 - Microsoft issued critical security
bulletin MS17-010, fixing the SMBv1 vulnerability the
worm later exploited
• May 12, 2017 - WannaCry launched, 59 days after the
patch was available
“The answer is to patch your systems earlier!”
What is your patching policy for a critical
patch?
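The patching-policy question above can be turned into a measurable control. What follows is an added example, not code from the presentation or from IOActive: a small Python scorecard that takes the MS17-010 release date and the WannaCry launch date from the slide, applies an assumed 30-day SLA for critical patches, and reports, for a constructed sample inventory (hypothetical hostnames), which assets met the SLA, which were late, which ran under an approved exception, and which were still exposed on the day the worm appeared.

```python
"""Patch-SLA compliance check for one critical patch.

Added example (not from the presentation). The patch and attack dates come
from the slide (MS17-010 on 2017-03-14, WannaCry on 2017-05-12); the 30-day
SLA and the inventory records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MS17_010_RELEASED = date(2017, 3, 14)   # bulletin published (from the slide)
WANNACRY_LAUNCHED = date(2017, 5, 12)   # worm appeared (from the slide)
CRITICAL_SLA_DAYS = 30                  # assumed policy: critical patches within 30 days

STATUSES = ("compliant", "late", "unpatched", "exception", "exception_overdue")


@dataclass
class Asset:
    name: str
    patched_on: Optional[date]               # None = patch never applied
    exception_until: Optional[date] = None   # approved remediation deadline, if any


# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY: List[Asset] = [
    Asset("web01", date(2017, 3, 20)),                     # patched within SLA
    Asset("db02", date(2017, 4, 28)),                      # late, but before the worm
    Asset("hr-fileserver", date(2017, 6, 2)),              # patched only after WannaCry
    Asset("legacy-scada", None, exception_until=date(2017, 6, 30)),  # approved exception
    Asset("kiosk07", None),                                # forgotten: the one the attacker finds
]


def days_of_warning(released: date, attack: date) -> int:
    """Days between the patch being available and the attack that used the hole."""
    return (attack - released).days


def sla_deadline(released: date, sla_days: int) -> date:
    """Date by which policy required the patch to be applied."""
    return released + timedelta(days=sla_days)


def classify(asset: Asset, released: date, sla_days: int, as_of: date) -> str:
    """Final status of the patch campaign for one asset, one of STATUSES.

    A patched asset is 'compliant' or 'late' depending on the SLA deadline.
    An unpatched asset is 'exception' while its approved remediation date has
    not passed on `as_of`, 'exception_overdue' after that, else 'unpatched'.
    """
    deadline = sla_deadline(released, sla_days)
    if asset.patched_on is not None:
        return "compliant" if asset.patched_on <= deadline else "late"
    if asset.exception_until is not None:
        return "exception" if as_of <= asset.exception_until else "exception_overdue"
    return "unpatched"


def scorecard(assets: List[Asset], released: date, sla_days: int, as_of: date) -> Dict:
    """Counts per status plus the assets still exposed on `as_of` (e.g. the day the worm hit)."""
    counts = {s: 0 for s in STATUSES}
    exposed = []
    for a in assets:
        counts[classify(a, released, sla_days, as_of)] += 1
        if a.patched_on is None or a.patched_on > as_of:
            exposed.append(a.name)   # exception or not, it was attackable that day
    return {
        "sla_deadline": sla_deadline(released, sla_days).isoformat(),
        "counts": counts,
        "exposed_on_date": exposed,
        "exposed_pct": round(100 * len(exposed) / len(assets), 1) if assets else 0.0,
    }


if __name__ == "__main__":
    print("warning window:", days_of_warning(MS17_010_RELEASED, WANNACRY_LAUNCHED), "days")
    print(scorecard(SAMPLE_INVENTORY, MS17_010_RELEASED, CRITICAL_SLA_DAYS, WANNACRY_LAUNCHED))
```

With the assumed 30-day SLA the deadline falls on 2017-04-13, a month before WannaCry; every asset that met policy was safe. Note that an approved exception keeps an asset out of the “unpatched” count but not out of the exposed list: a scorecard that reports only SLA compliance hides exactly the machine the worm will find, which is why the exception register needs its own remediation dates and its own line on the board report.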
The real threat from Ransomware
• The bad guys are on your network!
• Your IP or data is at risk of compromise,
publication or deletion
• They can make your network unusable
which puts your business viability at risk
Anything new here?
Game Changing Attack Inflection Points
• APT – nation-state espionage
• Stuxnet – nation-state targeted attack on embedded
and SCADA systems
• Heartbleed – vulnerabilities in 3rd party software and
network appliances
• Ransomware – WannaCry, Petya, NotPetya,
Bad Rabbit, etc. Nation-state cyber attacks
“Can GRC help?”
Cyber breach at Equifax affected 143M U.S.
consumers
• Occurred from mid-May through July 2017 and exposed
primarily names, social security numbers, birth dates,
addresses and some driver’s license numbers
• Credit card numbers for roughly 209,000 consumers
• Equifax Canada said 100,000 Canadians were affected.
– Names, addresses, social insurance numbers (SIN) and,
in limited cases, credit card numbers.
– Equifax Canada has been unable to provide clarity on
who was impacted
Summary
• Both breaches could have been prevented by existing
compliance controls.
– Patch Mgmt: Ask detailed questions about the IT inventory
and about applying patches within the policy timelines. Note
exceptions and track their remediation plans.
– Monitoring: Equifax was not monitoring its outbound traffic.
Comprehensive governance of the monitoring plans might
have detected this massive breach.
Responsive GRC for 2018
1. Traditional regulatory and standards compliance
2. NIST Cybersecurity Framework
3. Proactive Threat Management
4. GRC Reporting as part of the overall Corporate
Risk Scorecard to the Board of Directors
Cybersecurity Framework: Identify
• Identify your Critical Business Information: IP,
Strategic Plans, Financial Data, Customer Data,
Employee Data, etc. Protect it with a defense in
depth strategy
• IT Inventory Mgmt: Know your IT inventory better
than your attacker. They will find the one server or
appliance you didn’t patch.
• Don’t store your Risk Assessments in clear view of
your attacker. Secure those SharePoints!
Proactive Threat Management
• When a new attack occurs in the news, activate your
incident response team. Ask:
– “Can this happen here?”
– “How are we protected and where are we vulnerable?”
– “How can you help your IT Engineering teams?”
Proactive Threat Management
• Threat Models: Use them – from IoT devices to applications
and your supply chain.
• Update your threat models and your KPIs after a reported
threat. Learn from the attacks on other companies.
• Incorporate best practices
Do you have a mobile app policy?
(Diagram: Biometrics, App Store, Cloud, Architecture, System on chip, OS, Device, Network)
Cyber Security Framework Scorecard KPIs
Top 5 Risks
Your Board of Directors
• Cyber protection is no longer a technical issue; it is a business
issue requiring board attention.
• Does the board get direct feedback from the CISO who can
explain in “business and strategic terms” the cyber risk and
controls approach?
Your Board of Directors
• Is sufficient attention given to the ability to defend against
intrusions as well as the ability to recover and restore essential
functions and services?
• Is the board routinely informed about the potential material
operational risk and risk mitigation strategies as well as
incidents that could impact the brand?
• To what extent have essential services and functions been
identified and programs implemented to provide for their
resilience in the event of a disruption or cyber incident?
Good Reading
Call to Action
• Evaluate your GRC program effectiveness
– Does it allow you to meet your regulatory
requirements?
– Does it truly measure your enterprise risk profile?
– Is it agile and adaptable to new threats?
– Are you using a scorecard to track your progress?
– Is it more than a “checkbox” exercise?
Call to Action
• Learn from other industries as they might get hit before
yours.
• Use the NIST Cybersecurity framework
• Evaluate your threat models with the latest attack vectors.
Ask, “Can that happen here?”
• Know your IT Inventory and patch status
• Cybersecurity Risks need to be reported to your BoD
• Test your BCM plans with a cyber attack scenario
Thank You
GDPR (General Data Protection Regulation) – EU
• The US and Canada will have something similar in the
future, so plan for it now.
• Heads up: GDPR includes penalties
• https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Sanctions

More Related Content

What's hot

How to secure your business on the cloud? practical approach from strategy to...
How to secure your business on the cloud? practical approach from strategy to...How to secure your business on the cloud? practical approach from strategy to...
How to secure your business on the cloud? practical approach from strategy to...
Aladdin Dandis
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.
Chinatu Uzuegbu
 
Guardians of the future what should we do to secure future cyberspace
Guardians of the future  what should we do to secure future cyberspace Guardians of the future  what should we do to secure future cyberspace
Guardians of the future what should we do to secure future cyberspace
Aladdin Dandis
 
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraCyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Knowledge Group
 
Protecting Essential Information
Protecting Essential InformationProtecting Essential Information
Protecting Essential Information
Kim Jensen
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimes
Chinatu Uzuegbu
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
PECB
 
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
PECB
 
What is still missed for security real life facts
What is still missed for security  real life factsWhat is still missed for security  real life facts
What is still missed for security real life facts
Aladdin Dandis
 
True Cost of Data Breaches
True Cost of Data BreachesTrue Cost of Data Breaches
True Cost of Data Breaches
Matthew Rosenquist
 
Data security 2016 trends and questions
Data security 2016 trends and questionsData security 2016 trends and questions
Data security 2016 trends and questions
Bill McCabe
 
Security - A Digital Transformation Enabler
Security - A Digital Transformation EnablerSecurity - A Digital Transformation Enabler
Security - A Digital Transformation Enabler
Alexander Akinjayeju. MSc, CISM, Prince2
 
Cyber Six: Managing Security in Internet
Cyber Six: Managing Security in InternetCyber Six: Managing Security in Internet
Cyber Six: Managing Security in Internet
Richardus Indrajit
 
Policies and Law in IT
Policies and Law in ITPolicies and Law in IT
Policies and Law in IT
Anushka Perera
 
Case Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityCase Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information Security
PECB
 
Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019
PECB
 
Information Security It's All About Compliance
Information Security   It's All About ComplianceInformation Security   It's All About Compliance
Information Security It's All About Compliance
Dinesh O Bareja
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
Michael Noel
 
Combating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial IntelligenceCombating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial Intelligence
Inderjeet Singh
 
Top 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondTop 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and Beyond
Nandita Nityanandam
 

What's hot (20)

How to secure your business on the cloud? practical approach from strategy to...
How to secure your business on the cloud? practical approach from strategy to...How to secure your business on the cloud? practical approach from strategy to...
How to secure your business on the cloud? practical approach from strategy to...
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.
 
Guardians of the future what should we do to secure future cyberspace
Guardians of the future  what should we do to secure future cyberspace Guardians of the future  what should we do to secure future cyberspace
Guardians of the future what should we do to secure future cyberspace
 
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl PereiraCyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
Cyber Security Transformation - A New Approach for 2015 & Beyond - Daryl Pereira
 
Protecting Essential Information
Protecting Essential InformationProtecting Essential Information
Protecting Essential Information
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimes
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
 
What is still missed for security real life facts
What is still missed for security  real life factsWhat is still missed for security  real life facts
What is still missed for security real life facts
 
True Cost of Data Breaches
True Cost of Data BreachesTrue Cost of Data Breaches
True Cost of Data Breaches
 
Data security 2016 trends and questions
Data security 2016 trends and questionsData security 2016 trends and questions
Data security 2016 trends and questions
 
Security - A Digital Transformation Enabler
Security - A Digital Transformation EnablerSecurity - A Digital Transformation Enabler
Security - A Digital Transformation Enabler
 
Cyber Six: Managing Security in Internet
Cyber Six: Managing Security in InternetCyber Six: Managing Security in Internet
Cyber Six: Managing Security in Internet
 
Policies and Law in IT
Policies and Law in ITPolicies and Law in IT
Policies and Law in IT
 
Case Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information SecurityCase Study: The Role of Human Error in Information Security
Case Study: The Role of Human Error in Information Security
 
Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019Top Cyber Threat Predictions for 2019
Top Cyber Threat Predictions for 2019
 
Information Security It's All About Compliance
Information Security   It's All About ComplianceInformation Security   It's All About Compliance
Information Security It's All About Compliance
 
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
 
Combating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial IntelligenceCombating Cyber Security Using Artificial Intelligence
Combating Cyber Security Using Artificial Intelligence
 
Top 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and BeyondTop 5 Cybersecurity Trends in 2021 and Beyond
Top 5 Cybersecurity Trends in 2021 and Beyond
 

Similar to Leveraging Compliance to “Help” Prevent a Future Breach

How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
OSIsoft, LLC
 
Cyber Resilency VANCOUVER, BC Nov 2017
Cyber Resilency VANCOUVER, BC  Nov 2017  Cyber Resilency VANCOUVER, BC  Nov 2017
Cyber Resilency VANCOUVER, BC Nov 2017
Kevin Murphy
 
CompTIA powered Cybersecurity Apprenticeships
CompTIA powered Cybersecurity ApprenticeshipsCompTIA powered Cybersecurity Apprenticeships
CompTIA powered Cybersecurity Apprenticeships
Zeshan Sattar
 
Law seminars intl cybersecurity in the power industry
Law seminars intl cybersecurity in the power industryLaw seminars intl cybersecurity in the power industry
Law seminars intl cybersecurity in the power industry
Kevin Murphy
 
Proactive Risk Management and Compliance in a World of Digital Disruption
Proactive Risk Management and Compliance in a World of Digital DisruptionProactive Risk Management and Compliance in a World of Digital Disruption
Proactive Risk Management and Compliance in a World of Digital Disruption
Mike Wons
 
Isaca csx2018-continuous assurance
Isaca csx2018-continuous assuranceIsaca csx2018-continuous assurance
Isaca csx2018-continuous assurance
François Samarcq
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
Vicky Fernandes
 
The Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance AuditThe Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance Audit
SBWebinars
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
Joel Cardella
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
Cameron Forbes Over
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
Cameron Forbes Over
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
apidays
 
The Importance of Cybersecurity in 2017
The Importance of Cybersecurity in 2017The Importance of Cybersecurity in 2017
The Importance of Cybersecurity in 2017
R-Style Lab
 
Ivanti Webinar - How to Win Budget and Influence Non-InfoSec Stakeholders
Ivanti Webinar - How to Win Budget and Influence Non-InfoSec StakeholdersIvanti Webinar - How to Win Budget and Influence Non-InfoSec Stakeholders
Ivanti Webinar - How to Win Budget and Influence Non-InfoSec Stakeholders
Ivanti
 
Cyber security series advanced persistent threats
Cyber security series   advanced persistent threats Cyber security series   advanced persistent threats
Cyber security series advanced persistent threats
Jim Kaplan CIA CFE
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
Denim Group
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptx
RambilashTudu
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
Imad Nom de famille
 
info-sys-security3.pptx
info-sys-security3.pptxinfo-sys-security3.pptx
info-sys-security3.pptx
MhndHTaani
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18
japijapi
 

Similar to Leveraging Compliance to “Help” Prevent a Future Breach (20)

How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
Cyber Resilency VANCOUVER, BC Nov 2017
Cyber Resilency VANCOUVER, BC  Nov 2017  Cyber Resilency VANCOUVER, BC  Nov 2017
Cyber Resilency VANCOUVER, BC Nov 2017
 
CompTIA powered Cybersecurity Apprenticeships
CompTIA powered Cybersecurity ApprenticeshipsCompTIA powered Cybersecurity Apprenticeships
CompTIA powered Cybersecurity Apprenticeships
 
Law seminars intl cybersecurity in the power industry
Law seminars intl cybersecurity in the power industryLaw seminars intl cybersecurity in the power industry
Law seminars intl cybersecurity in the power industry
 
Proactive Risk Management and Compliance in a World of Digital Disruption
Proactive Risk Management and Compliance in a World of Digital DisruptionProactive Risk Management and Compliance in a World of Digital Disruption
Proactive Risk Management and Compliance in a World of Digital Disruption
 
Isaca csx2018-continuous assurance
Isaca csx2018-continuous assuranceIsaca csx2018-continuous assurance
Isaca csx2018-continuous assurance
 
Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security tools
 
The Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance AuditThe Trick to Passing Your Next Compliance Audit
The Trick to Passing Your Next Compliance Audit
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
APIdays London 2019 - Why the Financial Industry Needs Intelligent API Securi...
 
The Importance of Cybersecurity in 2017
The Importance of Cybersecurity in 2017The Importance of Cybersecurity in 2017
The Importance of Cybersecurity in 2017
 
Ivanti Webinar - How to Win Budget and Influence Non-InfoSec Stakeholders
Ivanti Webinar - How to Win Budget and Influence Non-InfoSec StakeholdersIvanti Webinar - How to Win Budget and Influence Non-InfoSec Stakeholders
Ivanti Webinar - How to Win Budget and Influence Non-InfoSec Stakeholders
 
Cyber security series advanced persistent threats
Cyber security series   advanced persistent threats Cyber security series   advanced persistent threats
Cyber security series advanced persistent threats
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 
Cyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptxCyber Security – Challenges [Autosaved].pptx
Cyber Security – Challenges [Autosaved].pptx
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
 
info-sys-security3.pptx
info-sys-security3.pptxinfo-sys-security3.pptx
info-sys-security3.pptx
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18
 

Recently uploaded

成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
ukwwuq
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
bseovas
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 

Recently uploaded (20)

成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理

Leveraging Compliance to “Help” Prevent a Future Breach

  • 8. Let's look at the big attacks from 2017
    • Ransomware: WannaCry, etc.
    • Equifax: breach
    • How many of you have incorporated lessons learned from these attacks?
    • What did you change in your governance program as a result?
  • 9. Ransomware?
    • Ransomware is a type of malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
    • Recovering your files without the decryption key is unlikely.
    • Digital currencies such as Bitcoin are used for the ransoms, making tracing and prosecuting difficult.
  • 10. Who is attacking?
    On October 24th, Bad Rabbit targeted Windows machines, impersonating an Adobe Flash update. The attack saw computers go down in Russia, Ukraine, Germany and Turkey.
  • 11. [image slide, no text]
  • 12. Ransomware?
    • The WannaCry worm traveled between unpatched computers without user interaction.
    • March 14, 2017 - Microsoft issued critical security bulletin MS17-010
    • May 12, 2017 - WannaCry launched
    "The answer is to patch your systems earlier!" What is your patching policy for a critical patch?
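The patch-timing point on slide 12 (MS17-010 shipped before WannaCry launched) is what a critical-patch SLA KPI on a scorecard is meant to surface. As an added example, not IOActive's code or anything from the deck: a small check that classifies each inventory asset against an assumed 14-day critical-patch SLA, keeps approved exceptions with a remediation date separate from untracked gaps, and reports the hosts that are actually exposed; the inventory and exception records are constructed.

```python
"""Patch-SLA check feeding a scorecard KPI. Added example, not IOActive's code.
Dates from the deck: MS17-010 released 2017-03-14, WannaCry launched 2017-05-12.
The 14-day SLA, the inventory and the exception records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CRITICAL_SLA_DAYS = 14  # assumed policy: critical patches applied within 14 days
MS17_010_RELEASED = date(2017, 3, 14)
WANNACRY_LAUNCHED = date(2017, 5, 12)


@dataclass
class Asset:
    hostname: str
    patched_on: Optional[date]              # None: patch not applied
    exception_until: Optional[date] = None  # approved remediation deadline, if any


def classify(asset: Asset, released: date, as_of: date) -> str:
    """Bucket one asset: compliant, late, excepted, expired_exception, overdue, pending."""
    deadline = released + timedelta(days=CRITICAL_SLA_DAYS)
    if asset.patched_on is not None:
        return "compliant" if asset.patched_on <= deadline else "late"
    if asset.exception_until is not None:
        return "excepted" if as_of <= asset.exception_until else "expired_exception"
    return "overdue" if as_of > deadline else "pending"


def scorecard(assets: list, released: date, as_of: date) -> dict:
    """Roll the buckets up into the numbers a GRC scorecard would carry."""
    buckets: dict = {}
    for a in assets:
        buckets.setdefault(classify(a, released, as_of), []).append(a.hostname)
    patched = len(buckets.get("compliant", [])) + len(buckets.get("late", []))
    # Exposed: unpatched with no valid, tracked exception (what a worm actually hits)
    exposed = buckets.get("overdue", []) + buckets.get("expired_exception", [])
    return {
        "sla_pct": round(100.0 * len(buckets.get("compliant", [])) / len(assets), 1),
        "patched_pct": round(100.0 * patched / len(assets), 1),
        "exposed": sorted(exposed),
        "excepted": sorted(buckets.get("excepted", [])),
    }


# Constructed inventory snapshot, evaluated on the WannaCry launch date
INVENTORY = [
    Asset("fileserver-01", date(2017, 3, 20)),                        # within SLA
    Asset("hr-app-02", date(2017, 4, 30)),                            # patched late
    Asset("legacy-mri-03", None, exception_until=date(2017, 6, 30)),  # tracked exception
    Asset("lab-pc-04", None, exception_until=date(2017, 4, 15)),      # exception expired
    Asset("kiosk-05", None),                                          # untracked, unpatched
]
```

The "exposed" list is the answer to the slide's question: on launch day, two of five hosts would have been hit despite a patch being 59 days old, and one of them had an exception that nobody followed up on.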
  • 13. The real threat from Ransomware
    • The bad guys are on your network!
    • Your IP or data is at risk of compromise, publication or deletion.
    • They can make your network unusable, which puts your business viability at risk.
    Anything new here?
  • 14. Game-Changing Attack Inflection Points
    • APT – Nation State espionage
    • Stuxnet – Embedded and SCADA systems attack (Nation State targeted attacks)
    • Heartbleed – 3rd party software and network appliances
    • Ransomware – WannaCry, Petya, NotPetya, Bad Rabbit, etc. (Nation State cyber attacks)
    "Can GRC help?"
  • 15. Cyber breach at Equifax affects 143M U.S. consumers
    • Occurred from mid-May through July 2017; the data exposed was primarily names, social security numbers, birth dates, addresses and some driver's license numbers
    • Credit card numbers for roughly 209,000 consumers
    • Equifax Canada said 100,000 Canadians were affected.
      – Names, addresses, social insurance numbers (SIN) and, in limited cases, credit card numbers.
      – Equifax Canada has been unable to provide clarity on who was impacted.
  • 16. Summary
    • Both breaches could have been prevented by existing compliance controls.
      – Patch Mgmt: Ask detailed questions about IT inventory and applying patches within guidelines. Note exceptions and track remediation plans.
      – Monitoring: Equifax was not monitoring outbound traffic. Comprehensive governance of their monitoring plans would perhaps have detected this massive breach.
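Slide 16 attributes the Equifax breach in part to unmonitored outbound traffic. As an added example, not from the deck or IOActive: a minimal egress check over constructed daily flow summaries that flags a host whose outbound volume jumps well above its own baseline, or that sends data to a destination outside an assumed allowlist; the flow records, the allowlist and the 5x spike multiplier are all assumptions.

```python
"""Egress-volume check over constructed flow records. Added example, not
IOActive's code. The records, allowlist and spike multiplier are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed daily flow summaries: (ISO day, source host, destination, bytes out)
FLOWS = [
    ("2017-05-01", "web-01", "cdn.example", 1_200_000),
    ("2017-05-02", "web-01", "cdn.example", 1_100_000),
    ("2017-05-03", "web-01", "cdn.example", 1_300_000),
    ("2017-05-04", "web-01", "cdn.example", 1_250_000),
    ("2017-05-05", "web-01", "cdn.example", 1_150_000),
    ("2017-05-06", "web-01", "cdn.example", 1_200_000),
    ("2017-05-06", "web-01", "203.0.113.7", 48_000_000),  # TEST-NET-3 address, constructed
    ("2017-05-06", "db-01", "backup.example", 9_000_000),
]
KNOWN_DESTINATIONS = {"cdn.example", "backup.example"}  # assumed egress allowlist
SPIKE_MULTIPLIER = 5  # assumed: flag a day above 5x the host's median daily egress


def daily_egress(flows):
    """Sum bytes out per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def find_egress_anomalies(flows, review_day):
    """Findings for review_day: volume spikes against the host's own baseline
    (ISO dates compare correctly as strings) and traffic to unknown destinations."""
    totals = daily_egress(flows)
    findings = []
    for host in sorted({f[1] for f in flows}):
        history = [b for (h, d), b in totals.items() if h == host and d < review_day]
        today = totals.get((host, review_day), 0)
        if history and today > SPIKE_MULTIPLIER * median(history):
            findings.append((host, "volume_spike", today))
    for day, host, dst, _nbytes in flows:
        if day == review_day and dst not in KNOWN_DESTINATIONS:
            findings.append((host, "unknown_destination", dst))
    return findings
```

A host with no history (db-01 here) gets no spike verdict, which is the inventory problem from slide 19 seen from the monitoring side: you cannot baseline what you do not know you have.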
  • 17. Responsive GRC for 2018
    1. Traditional regulatory and standards compliance
    2. NIST Cybersecurity Framework
    3. Proactive Threat Management
    4. GRC reporting as part of the overall Corporate Risk Scorecard to the Board of Directors
  • 18. [image slide, no text]
  • 19. Cybersecurity Framework: Identify
    • Identify your critical business information: IP, strategic plans, financial data, customer data, employee data, etc. Protect it with a defense-in-depth strategy.
    • IT Inventory Mgmt: Know your IT inventory better than your attacker. They will find the one server or appliance you didn't patch.
    • Don't store your risk assessments in clear view of your attacker. Secure those SharePoints!
  • 20. Proactive Threat Management
    • When a new attack occurs in the news, activate your incident response team. Ask:
      – "Can this happen here?"
      – "How are we protected and where are we vulnerable?"
      – "How can you help your IT Engineering teams?"
  • 21. Proactive Threat Management
    • Threat models: use them – from IoT devices to applications and your supply chain.
    • Update threat models and your KPIs after a reported threat. Learn from the attacks on other companies.
    • Incorporate best practices.
  • 22. Do you have a mobile app policy?
    [diagram labels: Biometrics, App Store, Cloud Architecture, System on chip, OS, Device, Network]
  • 23. [scorecard figure: Cyber Security Framework Scorecard, KPIs, Top 5 Risks]
  • 24. Your Board of Directors
  • 25. Your Board of Directors
    • Cyber protection is no longer a technical issue; it is a business issue requiring board attention.
    • Does the board get direct feedback from the CISO, who can explain the cyber risk and controls approach in "business and strategic terms"?
  • 26. Your Board of Directors
    • Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?
    • Is the board routinely informed about potential material operational risk and risk mitigation strategies, as well as incidents that could impact the brand?
    • To what extent have essential services and functions been identified, and programs implemented to provide for their resilience in the event of a disruption or cyber incident?
  • 27. Good Reading
  • 28. Call to Action
    • Evaluate your GRC program effectiveness
      – Does it allow you to meet your regulatory requirements?
      – Does it truly measure your enterprise risk profile?
      – Is it agile and adaptable to new threats?
      – Are you using a scorecard to track your progress?
      – Is it more than a "checkbox"?
  • 29. Call to Action
    • Learn from other industries, as they might get hit before yours.
    • Use the NIST Cybersecurity Framework.
    • Evaluate your threat models against the latest attack vectors. Ask, "Can that happen here?"
    • Know your IT inventory and patch status.
    • Cybersecurity risks need to be reported to your BoD.
    • Test your BCM plans with a cyber attack scenario.
  • 30. Thank You
  • 31. GDPR (General Data Protection Regulation) EU
    • The US and Canada will have something similar in the future, so plan for it now.
    • Heads up: GDPR includes penalties.
    • https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Sanctions

Editor's Notes

  1. Often when security firms say they “do mobile security”, they typically mean just the mobile apps. In our case, we handle everything from chip to code – everything from the processors, to embedded systems, the device itself, the apps, the network, the storage – and everything in between.