5. COMPLEX PROBLEMS, REAL COSTS
The global economy loses up to $1 trillion per year due to malicious cyber activity.
In 2013 alone, 552 million records were exposed due to data breaches.
The annual cost to an individual business due to cyber crime can range from $1M to $52M, on average.
6. 2014 Cisco Midyear Security Report: Threat Intelligence & Industry Trends
• Malicious traffic was visible on 100% of networks sampled
• Nearly 70% of respondents have been identified as issuing DNS queries for DDNS
• There is a need for visibility-driven, threat-focused, and platform-based security solutions
• Before
• During
• After
7. THREAT INTELLIGENCE
Method | Threat Description | Findings
DDNS | DDNS is used by adversaries since it allows botnets and other attack infrastructure to be resilient against detection. | Nearly 70% of respondents issue DNS queries for DDNS.
MiTB | Palevo, SpyEye, and Zeus are malware families that incorporate MiTB functionality. DNS lookups for hosts compromised by them are considered a high threat. | More than 90% of customer networks observed have traffic going to websites that host malware.
Java | Java’s extensive attack surface and high ROI make it a primary target for exploitation. | Java exploits represented 93% of IOCs as of May 2014.
Source(s): Cisco 2014 Midyear Security Report
9. THE CURRENT THREAT LANDSCAPE IS LIMITING BUSINESS GROWTH
• The business community is increasingly reliant on the use of data.
• The need to secure critical data is paramount to day-to-day operations.
• Regulations and penalties for security violations are increasing.
10. THE VIEW FROM THE TOP
• Security is becoming a bigger concern in the boardroom
• Identifying the personal and professional liability in failing to secure networks
• As cyber threats become part of the business landscape, more will put an emphasis on sound security practices
• Organizations must align cyber security and business performance
• Shift IT from facilitator to driver of business outcomes
Source(s): EY, Beating Cybercrime (2013)
11. SOLUTIONS TO THE PROBLEM
BEFORE (What measures are in place?): Hardware, Software, People, Process
DURING (How are security events detected?): Hardware, Software, People, Process
AFTER (What is the cleanup process?): Hardware, Software, People, Process
12. HELP WANTED: SECURITY ANALYSTS
• Nearly 1M unfilled jobs in the field
• Critical in the SOC
  • Analyze network alerts and detect APTs
  • Characterize and analyze network traffic to identify anomalies and potential network resource threats
  • Perform event correlation analysis to determine the effectiveness of observed attacks
• Key areas of competency
  • Ability to identify a security incident as it happens
  • Experience in implementing an appropriate plan of action quickly to minimize cost/damage
13. HOW TRAINING IS FALLING SHORT
• Focused on building static defenses
• No detection or response plan in place
• Few paths to train IT personnel to recognize security risks and respond
• Not enough hands-on practice to implement the theory being taught
• No ability to practice responding to actual, real-life attacks on real-life equipment
16. 4 Major Competencies
1. Monitor security events
2. Configure and tune security event detection and alarming
3. Analyze traffic for security threats
4. Respond appropriately to security incidents
17. 5 Key Differentiators
1. System Agnostic
2. Lab-Heavy
3. Inside-Out vs. Outside-In
4. Ease of Entry
5. Understand the “Why?”
18. SYSTEM AGNOSTIC
• Though training is provided by Cisco, the course does not focus solely on Cisco products
• Prepares students to operate a variety of systems
• Can train security professionals to “guard the castle,” with no additional infrastructure investment
19. 60% of course time spent in a lab environment
Monitor, analyze, and respond to actual cyber attacks
21. Ease of Entry for Security Professionals
• Train your SOC staff
• Cross-train your IT staff on how to recognize security incidents and how to work with the SOC team
• Great starting point for IT staff looking to migrate to security
22. Moving Beyond the “How”
• Develops the skills necessary to effectively operate within an SOC
  • Process
  • Hardware
  • Software
• Identify threats, but also understand why something is a threat
23. CERTIFICATION COMPARISON
Criterion | SCYBER | CCNA Sec. | CCNP Sec. | CCIE Sec. | Security+ | CEH
Pre-Req. | N/A | IINS/CCENT | CCNA Sec./CCIE | N/A | N/A | N/A
Experience | 0-2 Years | 0-2 Years | 4-6 Years | 7+ Years | 2-3 Years | 2+ Years
Sample Job | Security Analyst | System Admin. | Network Security Eng. | Network Security Eng. | System Admin. | Ethical Hacker
Focus | Event Detection | System Administration | Building Infrastructure | Management | System Administration | Penetration Testing
Instruction | 1 Week | 2 Weeks | 4 Weeks | Varied | 1 Week | 1 Week
Exam(s) | 1 Exam | 2 Exams | 4 Exams | 2 Exams | 1 Exam | 1 Exam
DoD 8570 | Pending | Yes | No | No | Yes | Yes
24. TECHNICAL DETAILS
SCYBER: No Prerequisites
Understanding of TCP/IP and a working knowledge of CCNA is highly recommended
Prepares students to take the Cyber Security Specialist Certification Exam 600-199 SCYBER
ILT course covers 12 modules over 5 days
25. Course Schedule
Day 1 AM: Course Introduction; Module 1: Attacker Methodology
Day 1 PM: Module 2: Defender Methodology
Day 2 AM: Module 3: Defender Tools
Day 2 PM: Module 4: Packet Analysis
Day 3 AM: Module 5: Network Log Analysis
Day 3 PM: Module 6: Baseline Network Operations
Day 4 AM: Module 7: Incident Response & Preparation; Module 8: Security Incident Detection
Day 4 PM: Module 7: Incident Response Preparation; Module 8: Security Incident Detection; Module 9: Investigations
Day 5 AM: Module 10: Mitigations & Best Practices
Day 5 PM: Module 11: Communication; Module 12: Post-Event Activity
26. Cyber Attack Model
OSI Model | TCP/IP Model | Attacks at this layer
7 Application, 6 Presentation, 5 Session | Application | Malware, OS, and Application level; Remote and Privilege Escalation exploits, Bots, Phishing
4 Transport, 3 Network | Transport, Internet | Session Hijacking and Spoofing (Intercept, Modify, Bypass Network Security), DoS
2 Data Link, 1 Physical | Network Interface (RF, Fiber, Copper) | MITM (Intercept, Modify), DoS, RF (Jam, Replay)
27. IP Transport Cyber Attack Vectors
Network and System Architecture
- Centralized, Distributed, Redundant
- Physical and Logical
Transport Network
- RF, Fiber, Copper
Network Protocols
- Routing, Switching, Redundancy
- Apps, Client/Server
Client/Server Architecture: HW, SW, Apps, RDBMS
- Open Source
- Commercial
Trust Relationships
- Network Management and Network Devices
- Billing, Middleware, Provisioning
Common HW/SW configuration settings

Transport Network Infrastructure Cyber Attack Tree (diagram; node labels as extracted, each branch ending in "Own Network Infrastructure")
Network Infrastructure Attack Vectors
- SNMP Community String Dictionary Attack with Spoofing to Download Router/Switch Configuration
- Build New Router Configuration File to enable further privilege escalation
- Upload New Configuration File Using Compromised SNMP RW String
- UNIX NetMgt Server Running NIS v1
- ypcat -d <domain> <server IP> passwd
- Grab shadow file hashes
- Crack Passwords
- Access Server Directly
- Exploit ACL Trust Relationship
- Attack SNMP/Telnet/SSH
- Find NetMgt passwords and SNMP config files
- Discover Backup HW Configs
- Crack Passwords
- HP OpenView Server
- Enumerate Oracle TNS Listener to Identify Default SIDs
- Further Enumerate Oracle SIDs to Identify Default DBA System Level Accts/Passwords
- Login to Oracle DB with Discovered DBA Privilege Account
- Run Oracle SQL CMDs
- Execute OS CMDs
- Add New Privileged OS Account
- Crack Passwords
- Further Enumerate Oracle SIDs to Identify User Accts.
- Perform Dictionary Attack
- Execute OS CMDs from Oracle PL/SQL
- Attack Network from DB
- Run Oracle SQL CMDs
- Execute OS CMDs
- Find NetMgt Passwords, SNMP info, OS password files
- Network Mgt Application
- Attempt to Login Using Default Login/Password
- Reconfigure Router or Switch
- MITM
- ARP Poisoning
- Sniffing
- Capture SNMP Community Strings and Unencrypted Login/Passwords, Protocol Passwords
- Configure Device for Further Privilege Escalation
- Telnet/SSH Dictionary Attack
- Router/Switches
- NetMgt Server
- Inject New Routes Or Bogus Protocol Packets
- Use New Privileged OS account to Escalate Privileged Access to Network
- Own Network Infrastructure
Attack Vectors - Deny, Disrupt, Delay, Intercept, Exploit
- Man in the Middle Attacks (MITM)
- Network Protocols
- IP Spoofing
- Apps/RDBMS/NetMgt
- Traffic Analysis
28. In-Band Network Management
Network Management Protocols
• SNMP
• Telnet
• HTTP/s - XML
• TFTP
• TL1
• SSH
Network Management Security
• Access List
• Firewalls
• VPN
• IDS/IPS
• AAA
• Trust levels
Business and Network Management Traffic Uses Common Infrastructure (diagram: Users, NOC, Data Center Resources, User VLANs, VLAN Trunks, Management VLAN)
Trust Model – Defines Security Posture
- Network management features are vulnerabilities (they provide configuration and access information)
- Security policies define the trust model
- Users access
- Customer access
- Vendor/Mfg local/remote tech support access
- NOC/Tech support staff
- Secure visualization and instrumentation
- Internal, Customer, Management operations in separate IP subnets/VLANs/PVCs, etc., over shared network infrastructure.
- Log everything
- 2-Factor authentication
Utilize MPLS VPNs and VRFs for Management Network
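As an added illustration of the trust-model bullets on this slide (this is not configuration from the Cisco deck or the SCYBER course), the Cisco IOS fragment below puts management traffic in its own VRF, limits SNMP and SSH to the NOC subnet with an access list, replaces community strings and Telnet with SNMPv3 and SSH, authenticates through AAA (where the second factor is enforced), and ships logs to a collector. The interface name, the NOC subnet, the collector and TACACS+ addresses, and the credential placeholders are all assumed.

```text
! --- Weak (default-style) management plane, shown for contrast ---
! snmp-server community public RO      ! cleartext, guessable, reachable from any subnet
! line vty 0 4
!  transport input telnet ssh          ! Telnet exposes login passwords to sniffing

! --- Hardened management plane (assumed: NOC 10.10.0.0/24, log host 10.10.0.50,
! --- TACACS+ 10.10.0.51, management link GigabitEthernet0/0) ---
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description Management link, isolated in the MGMT VRF
 vrf forwarding MGMT
 ip address 10.10.1.2 255.255.255.0
!
! Only the NOC subnet may reach management services; everything else is logged and dropped
ip access-list standard NOC-MGMT
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
! SNMPv3 with authentication and privacy, bound to the NOC access list; no community strings
snmp-server group NOC-GROUP v3 priv access NOC-MGMT
snmp-server user nocpoller NOC-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
!
! AAA: central login/exec authorization via TACACS+ (2-factor enforced on the AAA server),
! local fallback if the server is unreachable, and accounting of every privileged command
aaa new-model
tacacs server NOC-TACACS
 address ipv4 10.10.0.51
 key <TACACS-KEY>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
! SSH only on the VTY lines; sessions must originate from the NOC subnet (also via the VRF)
ip ssh version 2
line vty 0 4
 access-class NOC-MGMT in vrf-also
 transport input ssh
 exec-timeout 10 0
!
! "Log everything": forward syslog to the NOC collector over the management VRF
logging host 10.10.0.50 vrf MGMT
logging trap informational
```

The `deny any log` entry and the TACACS+ command accounting are what give the SOC analyst the events the earlier slides describe; without them a blocked or successful management login leaves no trace to detect.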
Though this problem has been present, in one form or another, since the early 1900s, modern hacking methods have exploited holes in our IT infrastructure over the last 20 years or so
Since the dawn of the computer age, cyber criminals have sought to disrupt business
Early on this was a singular problem
Connectivity between systems was limited, and data was not shared between systems the way we see today
With the introduction of the WWW, a shift in the strategies utilized by cyber criminals began to take hold
Singular issues had the potential to become systemic, and government programs, businesses and individuals were increasingly exposed to the threat of cyber crime
This issue has only gotten worse since the dawn of mobile technology and cloud computing
Today, no matter who you are or where you reside, there is a high chance of being affected by cyber crime
These activities have a real cost to the institutions we rely on on a daily basis, and pose one of the most serious threats to national security and the economy we see today
HSBC: On 11/1/2013 an employee with authorization to access account information stole an undisclosed number of records with the intent of misusing the data
Facebook: Facebook has been the victim of numerous attacks. Most recently 2 million usernames and passwords from a number of sites (the most affected being FB) were stolen as a result of malware.
Japan Airlines: Up to 750,000 records were stolen as a result of a computer security breach.
European Central Bank: The ECB fell victim to a blackmail scheme in which around 20,000 email addresses were stolen. The ECB refused to comply with the hacker’s demands.
Verizon: Verizon has been the victim of a number of security breaches, both from individual actors and government entities. The most shocking of these was the revelation involving the use of a $250 femtocell, a device that allows third parties to track the voicemails and text messages of users within 40 feet of a unit. Verizon has since patched the vulnerability.
Adobe: 150 million records were accessed as a result of a breach of Adobe’s customer database. The data included usernames, passwords, emails and financial info (of both active and inactive accounts).
Sony: Sony has fallen victim to a number of breaches. The largest, the 2011 PlayStation Network breach, exposed over 100 million user accounts. There have been a number since then. Sony has been seen as a target by hacking groups since they pressed charges against George Hotz, a 20-year-old hacker who reverse-engineered Sony’s PS3 so it could run third-party apps.
Fuji: The arrest of an alleged hacker led to the discovery that a breach had occurred at Fuji-Xerox Singapore. The incident exposed the bank statements of 647 of Standard Chartered’s richest clients.
DLR: A foreign intelligence service was able to access the computers of scientists and system administrators at the German Aerospace Center via an APT (advanced persistent threat) attack.
These crimes have serious consequences to both businesses and individuals
In 2013 alone, 552 million individual records were exposed due to data breaches
That is nearly a quarter of all internet users
The global economy is adversely affected by malicious cyber activity to the tune of $1 Trillion per year
The median cyber security incident costs individual businesses anywhere from $1 Million to $52 Million
Imagine what a business could do with those resources
There is projected to be approximately 1,000,000 unfilled cyber security jobs worldwide
This skills gap poses a serious risk to businesses
Something the business community recognizes, as nearly 70% of US business execs fear cyber crime will hamper the growth of their business
Cyber crime has a real effect on businesses
The average cyber attack costs an organization over $17,000 per day
On average, an attack persists for 42 days before it is identified
Cyber crime is a severe problem in EMEA
Advanced Persistent Threats (APTs) are one of the more prevalent methods used by hackers to access information
Allows access to a network over a long period of time
Intention to steal data (vs. cause damage)
Often target “high value” industries (government, banking, etc.)
The UK, Germany and Saudi Arabia tend to be the most heavily affected by these costly breaches
Security has traditionally not been a focus of corporate executives
Much more concerned with driving sales and revenues, and creating efficiencies within the IT system
This is shifting, though security still lags behind emerging technologies in terms of the investment consideration at the CIO level
These separate initiatives need to go hand-in-hand
Emerging technologies (IoT, cloud computing, etc.) should reinforce the need for further investment in cyber security spending
The business community is becoming increasingly reliant on the use of data analytics
IT shifting to a driver of business outcomes
The need to secure critical data is paramount to day-to-day operations
Potential vulnerabilities increasing as a result of new technology (i.e. IoT)
BYOD device increases complexity of securing networks
Regulations and penalties for security violations are increasing
Rapidly evolving privacy regulations, banking/finance regulations, etc.
Cost of stolen services and intellectual property
Cost of sabotage
APT attacks increased 50% in EMEA for the first half of 2014
Primary industries targeted:
Government
Finance
Telecom
Energy
Firms in the UK tend to lag behind the rest of EMEA, and the world, in their ability to identify cyber attacks quickly
There are no “easy fixes” to secure your network
It’s a combination of HW/SW, people and process
Organizations must have a strong plan in place
What measures are in place?
How are security events detected?
What is the cleanup process after an attack?
Training can play an important role in securing networks
Target attack, where human error led to significant data/financial loss
No matter how much you invest in HW/SW, no matter how good your process is, under-skilled security teams are a liability
There is projected to be approximately 1,000,000 unfilled cyber security jobs worldwide
This problem is multifaceted, but has been accelerated by the movement of IT jobs overseas throughout the 1990s and early 2000s
Many countries do not have the knowledge base to deal with this issue
Cyber security analysts are critical to the operation of the SOC
“Guarding the Castle” to protect against outside threats
Analyze network traffic to identify anomalies
There is a disconnect between the way we approach training IT professionals and the way they’ll be required to effectively function in the field
Traditional cyber security courseware has focused on the theory of how systems function and communicate, and focuses on how hackers infiltrate systems
Brand name training programs have typically been tied to specific systems and IT platforms
The need for specialized, brand name training across a variety of systems
As was mentioned earlier, cyber security professionals are generally equipped with a skill set bent towards preventing attacks
One of the most critical components of an effective cyber security strategy is detection, so this is a general blind spot in the industry
The Target breach, for example, could have been prevented had analysts recognized the threat alerts generated by the malware detection system put in place
IT security SYSTEMS tend to work well, it’s individual analysts that often drop the ball
Speak to the reasoning behind SCYBER’s development
Tie back to “current state” slides from earlier
Speak to the competencies SCYBER looks to validate
Tie into the job role of a cyber security analyst
One of the key differentiators of the SCYBER program is that it is system agnostic
SCYBER delivers the benefits of a system agnostic course paired with the Cisco brand name
Easily recognizable by CIOs and end users
Students are exposed to a variety of threats across platforms and focus on general practices as opposed to those only pertaining to Cisco systems
Allows students more flexibility in their career path, something that will drive demand for training versus other products
Whether Juniper, HP, IBM or any number of any Cisco competitors, this course will equip students with the skills necessary to effectively manage cyber attacks in real time
Where many courses are primarily based in theory, SCYBER immerses students in the world of a Cyber Security Analyst
The course itself is 60% lab based, with instructors launching actual cyber attacks, in real time
Students who complete the training will have developed the skills necessary to monitor, analyze, and respond to actual cyber attacks in the private and public sectors
In particular, labs focus on event monitoring, security event and alarm tuning, traffic analysis, and incidence response
When an IT system is infiltrated, time is of the essence
Looking from the “Outside-In” doesn’t prepare professionals to act quickly to identify attacks
Rather focus on preventing them in the first place
We’ve discussed that it is no longer a question of if, but when malicious cyber activity will occur
This increases the emphasis on the timely identification of a system breach
Under such a scenario, each day that goes by could cost a business millions in losses, not to mention the corruption of valuable data, and lost customers
SCYBER puts the focus on “Guarding the Castle” to ensure that when a system is breached, the damage, both to the business itself and consumers, is minimized
Many cyber security training courses require years of experience in order to sit for an exam
SCYBER has recommended that students possess a minimum of two years IT experience in order to take the course
This breaks a barrier to entry often seen in the cyber security field, where qualified individuals are left out due to barriers to entry in the marketplace
This goes back to the job shortage we discussed earlier, and provides a solution for both businesses seeking qualified cyber security professionals
Now on to some technical details regarding SCYBER
As was mentioned, there are no set prerequisites for the course, though it is recommended that potential students have at minimum two years’ experience in the field
Students need to possess a basic understanding of Transmission Control and Internet Protocol
Additionally, it’s recommended students have a working knowledge of CCNA Security
SCYBER is a classroom based course, with 11 modules covered in the span of 5 days
Module 1: Course Introduction: Overview of Network Security and Operations
Module 2: Network and Security Operations Data Analysis
Module 3: Packet Analysis
Module 4: Network Log Analysis
Module 5: Baseline Network Operations
Module 6: Preparing for Security Incidents
Module 7: Detecting Security Incidents
Module 8: Investigating Security Incidents
Module 9: Reacting to an Incident
Module 10: Communicating Incidents Effectively
Module 11: Postevent Activity
This course prepares students to take the Cyber Security Specialist Certification Exam
There are semi-annual recertification requirements, the details of which can be made available