Top 12 Threats to Enterprise
Transcript of Top 12 Threats to Enterprise
2015 CHIEF INFORMATION OFFICER LEADERSHIP FORUM
WEDNESDAY, MARCH 11, 2015, DALLAS, TX
Gene Scriven
Top 12 Threats to the Enterprise
The Land of Information Security
Threats to the Enterprise
Also Known As…
Gene’s Dirty Dozen
What Will We Talk About?
• Nothing that’s Rocket Science
• Concepts may very well be the same for everyone
  – Details will be different
• Enterprise or small business or personal
• A combination of “Soft Stuff” and Technology
• Vendor Agnostic (and even Technology Agnostic)
• Not a “How To Fix It” presentation
• You’ll notice some overlap – it’s intentional
• My personal/professional opinion
  – Your mileage may vary
Who Is This Guy??
Chief Information Security Officer at Sabre
• Prior to Sabre, CISO at The Home Depot
• 35+ years in Information Security
• Commercial, military, federal government, government contract, and the Intelligence Community
• Big-Six (and similar) background
Government and US Intelligence Community
• Programmer, PM, Security Director, Development Director, Missile Targeting, Electronic Wargames, Electronic Countermeasures, Federal Agent, Computer Crime Investigator
Commercial
• Security Systems Development Director, QA Director, Process Engineer, Consultant to the C Suite, Chief Information Security Officer
Not Particularly Related (but far more FUN)
• College Professor, Paramedic, Lifeguard, Comedian
Why The “Dirty Dozen?”
• Everybody has a list…I wanted one too
  – Mitre has (used to have) the Top 20
  – SANS Institute Top 10 Cyber Threats
  – FBI Survey
  – Open Web Application Security Project (OWASP) has the Top 10
  – “Cyber Security Veterans” Top 10 Security Menaces
  – Top 10 Security Risks to University Communities
• “Top 10” seemed like a great starting point
  – Quickly morphed to a “Dozen”
• Any list….is never enough!
• Original list (in 1998) was a work assignment
• Contrast Gene’s 1998 Dirty Dozen with today’s
#12 The Next Employee You Lay Off
• Job market is improving, but lay-offs and cuts are still happening
• HR errs on the side of “being nice” to employees during downsizing
• Statistics still indicate that internal threats are on the rise
FBI reports, “Nearly 90 percent of such crimes (data theft) are committed by employees of the victims.”
Most employees/companies have…
• Excessive accesses
• Insufficient access reviews
• “Overlapping trust”
• Too much emphasis on the perimeter
• False sense of security
• Not enough prosecution
• Confusion between Disgruntled vs. “Under-Educated”
(Chart: Ponemon Institute’s 2013 Cost of Cyber Crime Study – Average Days to Resolve an Attack)
The Next Employees You Lay Off…should not be allowed to become Malicious Insiders
#11 Desensitized by Media Saturation
(Collage of headlines:)
Company X Loses 100,000 Customer Identities
Government Laptop with SSNs Stolen from Airport
Hackers Steal Personal Info From Company Y’s Database
Yet another retailer is hacked and millions of CC numbers are stolen
Job Bank Website Hacked
Keylogger Compromises 250,000 Identities
#10 Your Information is now VALUABLE to Criminals
Hacking for FUN and Website Defacement are still common, but motivations now focus on the value of INFORMATION
• Credit Card Data
• PII Data – Identity Theft & Social Engineering
• Company Info – IP AND seemingly innocent info
(Chart: Ponemon Institute’s 2013 Cost of Cyber Crime Study – Percentage of Cost for External Consequences)
Information Loss/Theft is Leading The Pack
#9 Believing that ENCRYPTION = NIRVANA
“But Geeeene…we don’t need to spend any more money on security because our data is encrypted! Don’t you remember???”
• Realize that Encryption is just part of the total solution set
• Data can be decrypted – Key Management (and Protection) is Critical
• Encrypted Data remains in-scope for PCI
• Are you encrypting passwords? It may not be good enough.
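The password point above, as an added example that is not from Gene’s deck: a reversible “encrypted password” store, where whoever holds the key recovers every password at once, beside a salted, iterated hash (PBKDF2 from the standard library) that cannot be reversed. The toy keystream cipher, the user names and the iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the demo


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy reversible cipher (HMAC-SHA256 counter keystream) standing in for
    whatever symmetric encryption a product uses on stored passwords.
    The only property that matters here is that it is reversible."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_password(key: bytes, password: str) -> bytes:
    return keystream_xor(key, password.encode())


def recover_all(key: bytes, store: dict) -> dict:
    """Key management is the weak point: a stolen key (backup, rogue admin,
    leaked config) gives back every password in the store."""
    return {user: keystream_xor(key, ct).decode() for user, ct in store.items()}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated one-way hash: no key to steal, nothing to decrypt."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```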
#8 Not Prepared for THE CLOUD
• Everybody’s rushing to put their data into “The Cloud”
• Some of the economic data is compelling
• Jumping onto the Bandwagon may be dangerous – have a strategy
• Address critical factors
  – Only put certain classifications of data into the Cloud
  – Who will own the data?
  – Who’s liable for data breaches?
  – Destroying data when finished
  – What data protection controls are YOU responsible to provide?
• Ask Why…if the answer is “because everybody’s doing it,” maybe it’s not for you
• The Cloud MAY BE the right answer – But be sure you’re asking the right questions
#7 Information Security “Old Fogies”
“Younger Workers” who have grown up in the digital age have very different attitudes about security and privacy than older generations.
People who have grown up with digital devices constantly at their fingertips, collaborating on social media or sharing documents, don’t react well to being told they can no longer function that same way from their workplaces.
They will find ways to do what they want!
A more competent workforce is changing how employees view workplace technology.
#6 Application/Middleware Vulnerabilities
• Most vendors will do the right thing with vulnerabilities and patches
• Many enterprises still focus primarily on OS vulnerabilities
• Attackers are taking advantage of the proliferation of applications across the typical enterprise
• Internally developed applications need attention as well
  – Are you frequently scanning your web apps?
  – Do you require your app teams to do code reviews?
• Establish an EFFECTIVE Application Security Program
(Diagram: Internal Applications – Application Security)
Breaching “The Perimeter” is no longer the Preferred Attack Vector
#5 Failed Understanding of InfoSec and (Cyber) Risk
“How many incidents did you prevent last year?”
“Why aren’t you making the company any money?”
Unable to Articulate Risk
(Figure: risk heat map by Department / Business Unit – IMPACT (Insignificant, Minor, Moderate, Major, Catastrophic) against LIKELIHOOD (Rare, Unlikely, Possible, Likely, ~Certain) gives RISK)
Risk has to be seen through the eyes of the Risk-Taker!
#4 Service Providers become a Vulnerability
• Third parties have become a large part of many infrastructures
  – Costs
  – Expertise
  – Companies now rely heavily on them
• Many are trusted with sensitive info
• Are they properly evaluated for the right data protections?
• Do your contracts hold them equally liable?
• Are your SLAs adequate – especially on Incident Response?
• What about “The Cloud?”
“Third party organizations accounted for 42% of all data breaches.”
– Ponemon Institute
#3 Mobile & BYOD
• Everyone’s stats agree – Mobile Devices are on the rise in our enterprises
• Have you seen your CEO’s iPad on the network? (Not yet??)
• Sticking your head in the sand is not an option here
• Be aware of the threats of unmanaged mobile devices
  – Non-compliant devices
  – Jail-broken devices
  – Zero-day exploits
  – User savvy at getting around your controls
• BYOD – See the train storming down the tracks!
• Partner with your users – and admit they may know more about this than you
• Define what Mobile/BYOD means to you – and be prepared with a comprehensive Mobile Device Management strategy
#2 Poor Patching (or…Perpetual Patching)
• “OK…But we’ll have to slip our development schedule.”
• “What do you mean by ‘Have the systems patched in 10 days?’”
• “But we have so many different platforms…”
• “It’s gonna take at least two months to test that patch.”
• “This is a lot of work….Why can’t you just block the exploits?”
• “It’s not my job, I just load the base images.”
• “We should be OK…it’s not like we’re the NSA or something.”
• Need an Iterative process, with Governance, and Required Compliance
• Comprehensive Patching – Applications, OS, Databases, Network Components
#1 Sophisticated (and Zero-Day) Malware
Interesting Malware Activities
1. Changing network settings
2. Disabling anti-virus and anti-spyware tools
3. Turning off Microsoft Security Center and/or other updates
4. Installing rogue certificates
5. Cascading file droppers
6. Keystroke Logging
7. URL monitoring, form scraping, and screen scraping
8. Turning on the microphone and/or camera
9. Pretending to be an antispyware or antivirus tool
10. Editing search results
11. Acting as a spam relay
12. Planting a rootkit – altering the system to prevent removal
13. Installing a bot for attacker remote control
14. Intercepting sensitive documents … or encrypting them for ransom
15. Planting a sniffer
“Don’t worry about that spyware thing….it’s just someone trying to see where you’re going on the Internet – you know, for Marketing purposes.”
Verizon Business Data Breach report from just a few years ago indicated that 38% of compromises were due to Malware. Ask yourself how many of the recent breaches involved MALWARE?
ATTACK METHODS
THE HOME DEPOT (2014) – Malware (Believed to be)
SALLY BEAUTY (2014) – Malware installed by hackers
P.F. CHANG’S (June 2014) – Compromised POS terminals
TARGET (2013) – Malware installed by hackers
NEIMAN MARCUS (2013) – Malware installed by hackers
EPSILON (2011) – Spear phishing
NASDAQ (2010) – Zero-day Malware (Digital Bomb) installed on several servers
TJ MAX (2007) – Wireless network hacked
HEARTLAND (2008) – Access via malicious software
source: informationisbeautiful.net
How Your CISO Can Help Him/Herself (CISO = Chief Information Security Officer)
• Know what you don’t know
• Focus on the Message
  – Content is critical
  – Delivery is just as important
• Be a Business Person first
  – …and a Technician second
  – …and a Politician third (build relationships)
• Organize your program based on RISK
• Defense-In-Depth
• Don’t be afraid to ask for help
Dirty Dozen – Then vs. Now
1998
#12 - No Security Awareness Program
#11 - Blind Trust of Insiders
#10 - Reliance on Firewalls
#9 - No Business Continuity Plan
#8 - Chiefs Not Listening To “Indians”
#7 - Not Enough Attention To Physical Security
#6 - Insufficient Security Policies
#5 - Uncontrolled Modems
#4 - Insecure Web Sites \ Pages
#3 - No Verification Of Security
#2 - No Security Monitoring
#1 - Poor Password Practices
2015
#12 – The Next Employee you Lay Off
#11 – Desensitized by Media Saturation
#10 – Your Info is Valuable to Criminals
#9 – Believing Encryption=Nirvana
#8 – Unprepared for the Cloud
#7 – Information Security Fogies
#6 – App/Middleware Vulnerabilities
#5 – Not Understanding InfoSec or Risk
#4 – Service Provider Problems
#3 – Mobile & BYOD
#2 – Poor Patching
#1 – Sophisticated (& Zero-Day) Malware
Truer Words Were Never Spoken…
“They only have to get lucky one time, but we have to be good all the time.”
- Mark Weatherford, Deputy Undersecretary for Cybersecurity, Department of Homeland Security
Discussing the advantages the bad guys have over those responsible for defending networks, systems, and data in today’s Cyber environment
You Know You’re Spending Too Much Time With Your Information Security Team if…
• You’ve ever written a nasty letter to Barnes & Noble because they didn’t carry this year’s Verizon Data Breach Report
• The only vacations your Significant Other will consider are cruises and cave-exploring because “the office” can’t reach you on your cell phone
• There are at least three “Two-Factor Tokens” on your keychain
• You secretly hope you won’t miss the next big virus outbreak while you’re out on vacation
• You’ve got a new car with a built-in GPS and computer and remote start, but you constantly worry about how easy it would be to hack
• Your Grandmother has ever called you about the latest phishing message she just received
• Your teenagers go to friends’ houses to surf the Internet because they know what you do for a living
• You’re so tired of answering people’s security questions that you tell the lady sitting next to you on the plane that you’re “just an IT guy.”
• Attending a SecureWorld, Argyle, or RSA Conference is like going to your high-school reunion
Questions?