SlideShare une entreprise Scribd logo

Staying Ahead of Hackers

Mighty Guides, Inc.
Mighty Guides, Inc.

Mini Book 3 Full Ebook- http://www.fortinet.com/resource_center/whitepapers/securing-network-application-infrastructure.html

TechnologieLogiciels
1  sur  13
Télécharger pour lire hors ligne
SPONSORED BY: Part 3: Staying Ahead of Hackers 3 Experts Share Their Secrets Securing Your Network and Application Infrastructure
foreword Advanced Cybersecurity from the Inside Out Fortinet is a global leader and innovator, providing an integrated platform of high-performance, cybersecurity solutions that span from the datacenter to the cloud — serving small, medium and enterprise organizations around the globe. Strengthened by the industry’s highest level of real-time threat intelligence and recognized with unparalleled third party certifications, Fortinet solves the most important security challenges of more than 210,000 organizations. Trust Fortinet to take care of security so you can take care of business. Learn more at fortinet.com Sponsored by: 2 Network security challenges are evolving faster than ever as a result of new technologies and application complexity. In addition, many old issues continue to plague organizations, from simple password security to keeping software up-to-date. This collection of 24 essays covers a broad array of topics grouped into five major areas, ranging from the necessity of planning your network security up front to the new challenges that social engineering and other advanced, persistent threats bring. A major theme throughout many of them is the loss of the perimeter and the effectiveness of traditional defenses. Bring Your Own Device (BYOD) and cloud-based services open many holes in an organization’s network that require a rethinking of security to protect the data, not just the methods of access. Fortinet’s Cyber Security platform can address most of the problems outlined in the essays in this e-book. Our ASIC-powered FortiGate firewalls deliver the industry’s fastest Next Generation Firewall (NGFW) performance and are the foundation of an end-to-end security solution that spans your users, network, data centers, and the cloud. For the problems we can’t solve directly, we offer tools such as enforcing business policies on password changes and vulnerability scanners for your applications to help you catch weaknesses. We hope you find these essays as interesting and thought provoking as we do and that they can help you improve your network and application security defenses.
introduction For all the attention data security has received in recent years and all the technical advances in risk detection now available to protect network infrastructures, you might imagine that data are safer than ever before. Unfortunately, the number of recent, frighteningly large data breaches contradicts that notion. In the past 18 months alone, we have seen breaches at Adobe, eBay, JPMorgan Chase, Target, Home Depot, Community Health Services, and the US Government that together compromised more than 500 million records. Will the world ever be a safe place for the data so vital to businesses and individuals? With the generous support of Fortinet, we have created this e-book to help you better understand the security challenges that business—and midsized businesses in particular—face today. This e-book is a compilation of responses to the following question: A range of industry analysts, consultants, and hands-on security experts provided responses to this question. They offered fascinating insights into the security challenges we face today— security issues made even more challenging because of the changing character of infrastructure and its loss of network perimeter, rapidly evolving application environment, lack of security awareness among users, and the increasing complexity of security solutions. Attacks and data theft have also become a big business underwritten by sophisticated, well-funded entities. Security and vigilance are a never-ending battle, but I trust you will find the many perspectives provided by those who are on the front lines useful as you work to secure your own business infrastructures. What are the greatest challenges you face in securing your network and application infrastructure? Sponsored by: 3 All the best, David Rogelberg Publisher © 2015 Mighty Guides, Inc. I 62 Nassau Drive I Great Neck, NY 11021 I 516-360-2622 I www.mightyguides.com Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.
Staying Ahead of Hackers 4 Tom Eston Veracode................................................6 Steven Weiskircher ThinkGeek, Inc..................................8 Will Lefevers Constant Contact............................12 Sponsored by:
Becoming Proactive Once I was part of a no-holds-barred red team assessment of a famous actor. He had put a lot of digital safeguards in place and was confident his digital life was hack-proof. It wasn’t. As a first step, I had one of my team members place a phone call to Amazon tech support. He told the worker that he wanted to add a credit card to the actor’s Amazon account. The staffer asked a security question: What is one of your most recent purchases? My staff member knew that our guy was a Game of Thrones nut, so our caller winged it. “Game of Thrones, DVD Box, Season 1,” he said. “Right,” the support worker replied. “We’ll reset your password.” That single move gave my team access to a lot of the actor’s personal details. It allowed us to hack into his Twitter account, then his email. We reset passwords to practically every account he had. Within days, we had infiltrated his entire digital life. Needless to say, the actor was shocked. There is a lesson here for organizations: many respond to their vulnerabilities only after a breach. That’s not good enough. My take is that the defensive corporate mindset needs to become proactive. Tom Eston Tom Eston is the manager of Penetration Testing at Veracode. His work over the years has focused on security research, leading projects in the security community, improving testing methodologies, and team management. He is also a security blogger; co-host of the Shared Security Podcast; and a frequent speaker at security user groups and international conferences, including Black Hat, DEFCON, DerbyCon, Notacon, SANS, InfoSec World, OWASP AppSec, and ShmooCon. Manager, Penetration Testing, Veracode 6 Thatsinglemovegavemyteamaccesstoalotof theactor’spersonaldetails. Most corporate breaches start with social engineering tactics. Applications vulnerabilities and system misconfigurations are too often overlooked. Key Lessons 1 2 Twitter I Website I Blog b Sponsored by: Download the full eBook: Securing Your Network and Application Infrastructure
Here are three of the biggest electronic security challenges I see for companies that operate in the digital realm: • Social engineering. Most corporate breaches start with phishing emails or phone calls or with an attacker physically walking into a building and claiming to work there. It’s called social engineering because attackers take advantage of the natural human desire to trust. From a computer security perspective, this is a dangerous attack vector—the same one my team used to hack our actor friend. It shocks me how easy the human factor is to exploit. • Application vulnerability. Web applications are the front end of most organizations and the way most of them make money. In recent years, immense new layers of complexity have been introduced behind the scenes to allow apps to work in the cloud. With complexity comes human error. I often find that companies don’t take the time to build security into their application infrastructure or to perform proper security testing from the beginning. This remains true even today, when security is top of mind with most executives. • System misconfigurations. These, too, are often overlooked. Web management consoles, even production systems, often remain in their default configurations, accessible through default passwords. When hardening application coding and infrastructure that applications live on, spend some time focused on this piece. As an attacker, if I can access your web management console by using a default password, I no longer care about the application. I can access everything on your server. The moral is simple: be vigilant. Continually educate your employees. Have third-party consultants conduct penetration tests, and be prepared to hear things you wish you hadn’t— like you’ve already been hacked. Stage your own social engineering tests so that employees know what these attacks look like and what to do when they happen. A lot of what we call network security is really just a question of human awareness. Becoming Proactive 7 Stageyourown socialengineering testssothat employeesknow whattheseattacks looklikeandwhat todowhenthey happen. Sponsored by:
What Keeps Me up at Night Once, I tried to sell an executive management team on investing in an intrusion-prevention system (IPS) and web application firewall (WAF). They were not impressed. Who would attack us, they asked? To answer that question, I set up a dummy server—with up-to- date patches—just outside the corporate firewall. Within three minutes, it was being robotically mapped and scanned. Within 12 minutes, it was under direct assault. That convinced them. That was long ago, but people still see security investment as an insurance policy they will never collect on. That’s partly why these three challenges keep me up at night: • External predators. These are the attackers and nefarious bots that beat on the door, day and night, pounding away at my perimeter defenses trying to break in. As an e-commerce retailer, we deal with these a lot. I also see the tertiary effects of other breaches—somebody’s account or credit card is compromised during another retailer’s breach. Steven Weiskircher Steve Weiskircher has more than 19 years of direct leadership experience in the e-commerce industry, having served as the chief information officer of multiple top “e-tailers,” including Crutchfield, Fanatics, and most recently ThinkGeek, where he is responsible for the technology and user experience teams. Steve holds a B.S. degree in mechanical engineering from Virginia Tech and an M.S. degree in management information systems from the University of Virginia. Chief Information Officer, ThinkGeek, Inc. 8 Withinthreeminutes,itwasbeingrobotically mappedandscanned.Within12minutes,itwas underdirectassault. External predators, internal threats, and crumbling network boundaries are big worries. Thorough risk analysis should be part of any new technology implementation, particularly when you work with external parties. Key Lessons 1 2 Twitter I Website Sponsored by: Download the full eBook: Securing Your Network and Application Infrastructure
The nefarious individuals then use that account data on another site. More recently, I have seen a shift in this fraud where account data that was compromised during one of the mass breaches is sold or traded to another individual. That person attempts to buy product and return it for cash. They do not even have to go through the effort of hacking someone’s account, as there is ample supply of previously compromised accounts in the wild. • Crumbling boundaries. Familiar network and application boundaries are falling at an incredible rate. Cloud services, coupled with a next-generation Bring Your Own Device workforce, are blowing away the borders. We used to have nice, hardened perimeters, and extensive device management. That era has ended. We now have to protect our data in an always on, always connected world where there are no longer clear perimeter boundaries. Quite simply, we don’t have the same measure of control anymore. • Internal threats. These threats can come from disgruntled employees or contractors looking to profit off of your critical data. It is difficult to protect against every possible threat vector involving an internal employee that has access to sensitive data and the Internet. It has become too easy to shift large volumes of data relatively undetected. While this does occur, the more probable scenario is the unintentional hole that an employee or contractor creates. Outsourced third- party contractors can be a particular risk; they often have direct and/or privileged access into the interior of your network. The challenge is you do not manage their devices or the networks they connect into. Such unintentional exposures can create holes through all your defenses. There are mitigation steps you can take, of course. Providers like Fortinet and others offer advanced IPS, WAF, and centralized login tools. These technologies are requirements for any public-facing web servers or exposed application programming interfaces. Regular threat assessments are also key. Internal and external vulnerability scans should be regular events. The days of simply instituting IP restrictions or even stateful firewalls are over. For cloud-based risks, in conjunction with the threat-assessment piece, I recommend thorough risk analysis. That should also be part of any new technology implementation, particularly when you work with external parties. A full-on penetration test or vulnerability assessment starts with automated scanning, but you should also have your people performing careful risk-management assessments. What data does that server hold? What networks or systems can access it? Should you restrict access, or cordon it off all together? What Keeps Me up at Night 9Sponsored by: Thedaysofsimply institutingIP restrictionsoreven statefulfirewalls areover.
It would be great if there were such a thing as a straight, universal security checklist. Unfortunately information security is not a recipe that we can follow. We live in a world of gray, not black and white. Therefore, security will always be a combination of advanced technology and smart people. It is only by carefully sorting through the risk factors that you can come up with the right strategies to mitigate the danger. What Keeps Me up at Night 10Sponsored by: Securitywillalways beacombination ofadvanced technologyand smartpeople.
Hunting the Hunters My greatest challenge is finding talent. The market is awash with people who claim they can do InfoSec. Bolstered by a master’s degree in IT management, a freshly minted Certified Information Systems Security Professional certification, or a few years of managing firewalls, plenty of folks are willing to sign up to try network security. Most of them fall far short of the mark. I need hunters. The industry sells all manner of fascinating tools to find the bad guys on your network. Intrusion-prevention systems, next-generation firewalls, big data security analytics—they all offer you the grail. They’re each going to save you. Each claims to have built something that knows your network well enough to pinpoint aberrant behaviors in the vast oceans of noise. They all purport to find the needle in the haystack. I have yet to find one that does. To be clear, I’m hunting hunters—people who think like the bad guys. People who study offense and keep up to speed on the latest developments in hacker subculture. People who can write exploits and malware and know exactly why that new vulnerability is going to spread like wildfire in the Russian underground. Will Lefevers Will Lefevers is an information security architect who has 15 years of experience, including military tours in satellite operations, counterintelligence, cyber operations, and vulnerability research. Prior to joining Constant Contact, he was the application security engineer for a multimillion-dollar next-generation cloud platform. His foci include insider threat detection, behavioral analysis, malware reverse-engineering, and hunting threat actors in live networks. He’s also an avid homebrewer and writes exceptionally mediocre code. Lead Information Security Architect, Constant Contact 12 Mygreatestchallengeisfindingtalent....Ineed hunters. Nothing but experience can teach you how to respond in the moment when you have been breached. You need people who will run toward the fire. Finding talented people who study offense and keep up to speed on the latest developments in hacker subculture is key. Key Lessons 1 2 Twitter Sponsored by: Download the full eBook: Securing Your Network and Application Infrastructure
People who can quote off the top of their head the black market price of someone’s full medical file. People who blend in with both the suits and the punks. People who make it their lifestyle to stay on the cutting edge of security. People who live it instead of just working it. The reality is that each of us will be breached. We’ll all get to experience that dazzling rush of panic and excitement. We’ll all live under the pressure of unsteady upper management, certain that intense scrutiny will meet our every decision for the next few weeks. Maximum pressure will be applied with near-zero tolerance for common mistakes. Nothing but experience can teach you how to respond in that moment. In situations like that, I’ve seen two kinds of personalities: those who run from the fire and those who run toward it. I revel in those moments. I need people who run toward the fire. I need people who look forward to the next chance to prove their skills. The hacker world evolves in response to every new defense. The cat-and-mouse game between attacker and defender plays out continuously. At the end of the day, shiny toys and fancy degrees won’t save you. I need the hackers who hunt hackers. Hunting the Hunters 13 Therealityisthat eachofuswillbe breached.We’llall gettoexperience thatdazzling rushofpanicand excitement. Sponsored by:

Recommandé

A-Z Web Development Concept
A-Z Web Development ConceptA-Z Web Development Concept
A-Z Web Development ConceptBukhori Aqid
 
[Infographic] How will Internet of Things (IoT) change the world as we know it?
[Infographic] How will Internet of Things (IoT) change the world as we know it?[Infographic] How will Internet of Things (IoT) change the world as we know it?
[Infographic] How will Internet of Things (IoT) change the world as we know it?InterQuest Group
 
Mobile Is Eating the World (2016)
Mobile Is Eating the World (2016)Mobile Is Eating the World (2016)
Mobile Is Eating the World (2016)a16z
 
GAFAnomics: Using APIs to gain unfair competitive advantage in the network ec...
GAFAnomics: Using APIs to gain unfair competitive advantage in the network ec...GAFAnomics: Using APIs to gain unfair competitive advantage in the network ec...
GAFAnomics: Using APIs to gain unfair competitive advantage in the network ec...Fabernovel
 
Cyber Tech Israel 2016: Get Your Head in the Cloud
Cyber Tech Israel 2016: Get Your Head in the CloudCyber Tech Israel 2016: Get Your Head in the Cloud
Cyber Tech Israel 2016: Get Your Head in the CloudSymantec
 
CISA's Privacy Facts
CISA's Privacy FactsCISA's Privacy Facts
CISA's Privacy FactsU.S. Chamber of Commerce
 
Life on the Endpoint Edge: Winning the Battle Against Cyber Attacks
Life on the Endpoint Edge: Winning the Battle Against Cyber AttacksLife on the Endpoint Edge: Winning the Battle Against Cyber Attacks
Life on the Endpoint Edge: Winning the Battle Against Cyber AttacksIBM Security
 
16 Trends for 2016
16 Trends for 201616 Trends for 2016
16 Trends for 2016Steve Williamson
 

Contenu connexe

En vedette

2015 Future of Cloud Computing Study
2015 Future of Cloud Computing Study2015 Future of Cloud Computing Study
2015 Future of Cloud Computing StudyNorth Bridge
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the CloudGGV Capital
 
Infographic: A Anatomy of A DDoS Attack
Infographic: A Anatomy of A DDoS AttackInfographic: A Anatomy of A DDoS Attack
Infographic: A Anatomy of A DDoS AttackCheapSSLsecurity
 
10 Event Technology Trends to Watch in 2016
10 Event Technology Trends to Watch in 201610 Event Technology Trends to Watch in 2016
10 Event Technology Trends to Watch in 2016Eventbrite UK
 
Montreal Girl Geeks: Building the Modern Web
Montreal Girl Geeks: Building the Modern WebMontreal Girl Geeks: Building the Modern Web
Montreal Girl Geeks: Building the Modern WebRachel Andrew
 
What is Deep Learning?
What is Deep Learning?What is Deep Learning?
What is Deep Learning?NVIDIA
 
Top Rumors About Apple March 21 Big Event
Top Rumors About Apple March 21 Big EventTop Rumors About Apple March 21 Big Event
Top Rumors About Apple March 21 Big EventChromeInfo Technologies
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

En vedette (13)

2015 Future of Cloud Computing Study
2015 Future of Cloud Computing Study2015 Future of Cloud Computing Study
2015 Future of Cloud Computing Study
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
Infographic: A Anatomy of A DDoS Attack
Infographic: A Anatomy of A DDoS AttackInfographic: A Anatomy of A DDoS Attack
Infographic: A Anatomy of A DDoS Attack
 
10 Event Technology Trends to Watch in 2016
10 Event Technology Trends to Watch in 201610 Event Technology Trends to Watch in 2016
10 Event Technology Trends to Watch in 2016
 
Cloud History 101
Cloud History 101Cloud History 101
Cloud History 101
 
Montreal Girl Geeks: Building the Modern Web
Montreal Girl Geeks: Building the Modern WebMontreal Girl Geeks: Building the Modern Web
Montreal Girl Geeks: Building the Modern Web
 
Digital Portfolios
Digital Portfolios Digital Portfolios
Digital Portfolios
 
What is Deep Learning?
What is Deep Learning?What is Deep Learning?
What is Deep Learning?
 
Top Rumors About Apple March 21 Big Event
Top Rumors About Apple March 21 Big EventTop Rumors About Apple March 21 Big Event
Top Rumors About Apple March 21 Big Event
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 
Build Features, Not Apps
Build Features, Not AppsBuild Features, Not Apps
Build Features, Not Apps
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Plus de Mighty Guides, Inc.

7 Experts on Implementing Microsoft 365 Defender
7 Experts on Implementing Microsoft 365 Defender7 Experts on Implementing Microsoft 365 Defender
7 Experts on Implementing Microsoft 365 DefenderMighty Guides, Inc.
 
7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure SentinelMighty Guides, Inc.
 
7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for Endpoint7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for EndpointMighty Guides, Inc.
 
8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery8 Experts on Flawless App Delivery
8 Experts on Flawless App DeliveryMighty Guides, Inc.
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience 7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience Mighty Guides, Inc.
 
Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?Mighty Guides, Inc.
 
Workfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign ExecutionWorkfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign ExecutionMighty Guides, Inc.
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyWorkfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyMighty Guides, Inc.
 
Citrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceCitrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceMighty Guides, Inc.
 
7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)Mighty Guides, Inc.
 
15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field MarketingMighty Guides, Inc.
 
Kyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityKyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityMighty Guides, Inc.
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersBlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersMighty Guides, Inc.
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI 11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI Mighty Guides, Inc.
 
Defining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowDefining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowMighty Guides, Inc.
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROIMighty Guides, Inc.
 
Iron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationIron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationMighty Guides, Inc.
 
Avoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityAvoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityMighty Guides, Inc.
 
Avoiding Container Vulnerabilities
Avoiding Container VulnerabilitiesAvoiding Container Vulnerabilities
Avoiding Container VulnerabilitiesMighty Guides, Inc.
 

Plus de Mighty Guides, Inc. (20)

7 Experts on Implementing Microsoft 365 Defender
7 Experts on Implementing Microsoft 365 Defender7 Experts on Implementing Microsoft 365 Defender
7 Experts on Implementing Microsoft 365 Defender
 
7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel7 Experts on Implementing Azure Sentinel
7 Experts on Implementing Azure Sentinel
 
7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for Endpoint7 Experts on Implementing Microsoft Defender for Endpoint
7 Experts on Implementing Microsoft Defender for Endpoint
 
8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery
 
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience 7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
7 Experts on How to Deliver a Secure, Productive Remote Employee Experience
 
Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?Sharktower: Will AI change the way you manage change?
Sharktower: Will AI change the way you manage change?
 
Workfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign ExecutionWorkfront: 7 Experts on Flawless Campaign Execution
Workfront: 7 Experts on Flawless Campaign Execution
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
 
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company StrategyWorkfront - 9 Experts on How to Align IT's Work to Company Strategy
Workfront - 9 Experts on How to Align IT's Work to Company Strategy
 
Citrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee ExperienceCitrix: 7 Experts on Transforming Employee Experience
Citrix: 7 Experts on Transforming Employee Experience
 
7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)7 Experts on Transforming Customer Experience with Data Insights (1)
7 Experts on Transforming Customer Experience with Data Insights (1)
 
15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing15 Experts on Reimagining Field Marketing
15 Experts on Reimagining Field Marketing
 
Kyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating LiquidityKyriba: 7 Experts on Activating Liquidity
Kyriba: 7 Experts on Activating Liquidity
 
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating ProvidersBlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
BlueVoyant: 7 Experts Share Key Questions To Ask When Evaluating Providers
 
11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI 11 Experts on Using the Content Lifecycle to Maximize Content ROI
11 Experts on Using the Content Lifecycle to Maximize Content ROI
 
Defining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You HowDefining Marketing Success- 28 Experts Tell You How
Defining Marketing Success- 28 Experts Tell You How
 
7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI7 Experts on Using the Content Lifecycle to Maximize Content ROI
7 Experts on Using the Content Lifecycle to Maximize Content ROI
 
Iron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace TransformationIron Mountain: 8 Experts on Workplace Transformation
Iron Mountain: 8 Experts on Workplace Transformation
 
Avoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to SecurityAvoiding Limitations of Traditional Approaches to Security
Avoiding Limitations of Traditional Approaches to Security
 
Avoiding Container Vulnerabilities
Avoiding Container VulnerabilitiesAvoiding Container Vulnerabilities
Avoiding Container Vulnerabilities
 

Dernier

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 

Dernier (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 

Staying Ahead of Hackers

  • 1. SPONSORED BY: Part 3: Staying Ahead of Hackers 3 Experts Share Their Secrets Securing Your Network and Application Infrastructure
  • 2. foreword Advanced Cybersecurity from the Inside Out Fortinet is a global leader and innovator, providing an integrated platform of high-performance, cybersecurity solutions that span from the datacenter to the cloud — serving small, medium and enterprise organizations around the globe. Strengthened by the industry’s highest level of real-time threat intelligence and recognized with unparalleled third party certifications, Fortinet solves the most important security challenges of more than 210,000 organizations. Trust Fortinet to take care of security so you can take care of business. Learn more at fortinet.com Sponsored by: 2 Network security challenges are evolving faster than ever as a result of new technologies and application complexity. In addition, many old issues continue to plague organizations, from simple password security to keeping software up-to-date. This collection of 24 essays covers a broad array of topics grouped into five major areas, ranging from the necessity of planning your network security up front to the new challenges that social engineering and other advanced, persistent threats bring. A major theme throughout many of them is the loss of the perimeter and the effectiveness of traditional defenses. Bring Your Own Device (BYOD) and cloud-based services open many holes in an organization’s network that require a rethinking of security to protect the data, not just the methods of access. Fortinet’s Cyber Security platform can address most of the problems outlined in the essays in this e-book. Our ASIC-powered FortiGate firewalls deliver the industry’s fastest Next Generation Firewall (NGFW) performance and are the foundation of an end-to-end security solution that spans your users, network, data centers, and the cloud. For the problems we can’t solve directly, we offer tools such as enforcing business policies on password changes and vulnerability scanners for your applications to help you catch weaknesses. We hope you find these essays as interesting and thought provoking as we do and that they can help you improve your network and application security defenses.
  • 3. introduction For all the attention data security has received in recent years and all the technical advances in risk detection now available to protect network infrastructures, you might imagine that data are safer than ever before. Unfortunately, the number of recent, frighteningly large data breaches contradicts that notion. In the past 18 months alone, we have seen breaches at Adobe, eBay, JPMorgan Chase, Target, Home Depot, Community Health Services, and the US Government that together compromised more than 500 million records. Will the world ever be a safe place for the data so vital to businesses and individuals? With the generous support of Fortinet, we have created this e-book to help you better understand the security challenges that business—and midsized businesses in particular—face today. This e-book is a compilation of responses to the following question: A range of industry analysts, consultants, and hands-on security experts provided responses to this question. They offered fascinating insights into the security challenges we face today— security issues made even more challenging because of the changing character of infrastructure and its loss of network perimeter, rapidly evolving application environment, lack of security awareness among users, and the increasing complexity of security solutions. Attacks and data theft have also become a big business underwritten by sophisticated, well-funded entities. Security and vigilance are a never-ending battle, but I trust you will find the many perspectives provided by those who are on the front lines useful as you work to secure your own business infrastructures. What are the greatest challenges you face in securing your network and application infrastructure? Sponsored by: 3 All the best, David Rogelberg Publisher © 2015 Mighty Guides, Inc. I 62 Nassau Drive I Great Neck, NY 11021 I 516-360-2622 I www.mightyguides.com Mighty Guides make you stronger. These authoritative and diverse guides provide a full view of a topic. They help you explore, compare, and contrast a variety of viewpoints so that you can determine what will work best for you. Reading a Mighty Guide is kind of like having your own team of experts. Each heartfelt and sincere piece of advice in this guide sits right next to the contributor’s name, biography, and links so that you can learn more about their work. This background information gives you the proper context for each expert’s independent perspective. Credible advice from top experts helps you make strong decisions. Strong decisions make you mighty.
  • 4. Staying Ahead of Hackers 4 Tom Eston Veracode................................................6 Steven Weiskircher ThinkGeek, Inc..................................8 Will Lefevers Constant Contact............................12 Sponsored by:
  • 5.
  • 6. Becoming Proactive Once I was part of a no-holds-barred red team assessment of a famous actor. He had put a lot of digital safeguards in place and was confident his digital life was hack-proof. It wasn’t. As a first step, I had one of my team members place a phone call to Amazon tech support. He told the worker that he wanted to add a credit card to the actor’s Amazon account. The staffer asked a security question: What is one of your most recent purchases? My staff member knew that our guy was a Game of Thrones nut, so our caller winged it. “Game of Thrones, DVD Box, Season 1,” he said. “Right,” the support worker replied. “We’ll reset your password.” That single move gave my team access to a lot of the actor’s personal details. It allowed us to hack into his Twitter account, then his email. We reset passwords to practically every account he had. Within days, we had infiltrated his entire digital life. Needless to say, the actor was shocked. There is a lesson here for organizations: many respond to their vulnerabilities only after a breach. That’s not good enough. My take is that the defensive corporate mindset needs to become proactive. Tom Eston Tom Eston is the manager of Penetration Testing at Veracode. His work over the years has focused on security research, leading projects in the security community, improving testing methodologies, and team management. He is also a security blogger; co-host of the Shared Security Podcast; and a frequent speaker at security user groups and international conferences, including Black Hat, DEFCON, DerbyCon, Notacon, SANS, InfoSec World, OWASP AppSec, and ShmooCon. Manager, Penetration Testing, Veracode 6 Thatsinglemovegavemyteamaccesstoalotof theactor’spersonaldetails. Most corporate breaches start with social engineering tactics. Applications vulnerabilities and system misconfigurations are too often overlooked. Key Lessons 1 2 Twitter I Website I Blog b Sponsored by: Download the full eBook: Securing Your Network and Application Infrastructure
  • 7. Here are three of the biggest electronic security challenges I see for companies that operate in the digital realm: • Social engineering. Most corporate breaches start with phishing emails or phone calls or with an attacker physically walking into a building and claiming to work there. It’s called social engineering because attackers take advantage of the natural human desire to trust. From a computer security perspective, this is a dangerous attack vector—the same one my team used to hack our actor friend. It shocks me how easy the human factor is to exploit. • Application vulnerability. Web applications are the front end of most organizations and the way most of them make money. In recent years, immense new layers of complexity have been introduced behind the scenes to allow apps to work in the cloud. With complexity comes human error. I often find that companies don’t take the time to build security into their application infrastructure or to perform proper security testing from the beginning. This remains true even today, when security is top of mind with most executives. • System misconfigurations. These, too, are often overlooked. Web management consoles, even production systems, often remain in their default configurations, accessible through default passwords. When hardening application coding and infrastructure that applications live on, spend some time focused on this piece. As an attacker, if I can access your web management console by using a default password, I no longer care about the application. I can access everything on your server. The moral is simple: be vigilant. Continually educate your employees. Have third-party consultants conduct penetration tests, and be prepared to hear things you wish you hadn’t— like you’ve already been hacked. Stage your own social engineering tests so that employees know what these attacks look like and what to do when they happen. A lot of what we call network security is really just a question of human awareness. Becoming Proactive 7 Stageyourown socialengineering testssothat employeesknow whattheseattacks looklikeandwhat todowhenthey happen. Sponsored by:
  • 8. What Keeps Me up at Night Once, I tried to sell an executive management team on investing in an intrusion-prevention system (IPS) and web application firewall (WAF). They were not impressed. Who would attack us, they asked? To answer that question, I set up a dummy server—with up-to- date patches—just outside the corporate firewall. Within three minutes, it was being robotically mapped and scanned. Within 12 minutes, it was under direct assault. That convinced them. That was long ago, but people still see security investment as an insurance policy they will never collect on. That’s partly why these three challenges keep me up at night: • External predators. These are the attackers and nefarious bots that beat on the door, day and night, pounding away at my perimeter defenses trying to break in. As an e-commerce retailer, we deal with these a lot. I also see the tertiary effects of other breaches—somebody’s account or credit card is compromised during another retailer’s breach. Steven Weiskircher Steve Weiskircher has more than 19 years of direct leadership experience in the e-commerce industry, having served as the chief information officer of multiple top “e-tailers,” including Crutchfield, Fanatics, and most recently ThinkGeek, where he is responsible for the technology and user experience teams. Steve holds a B.S. degree in mechanical engineering from Virginia Tech and an M.S. degree in management information systems from the University of Virginia. Chief Information Officer, ThinkGeek, Inc. 8 Withinthreeminutes,itwasbeingrobotically mappedandscanned.Within12minutes,itwas underdirectassault. External predators, internal threats, and crumbling network boundaries are big worries. Thorough risk analysis should be part of any new technology implementation, particularly when you work with external parties. Key Lessons 1 2 Twitter I Website Sponsored by: Download the full eBook: Securing Your Network and Application Infrastructure
  • 9. The nefarious individuals then use that account data on another site. More recently, I have seen a shift in this fraud where account data that was compromised during one of the mass breaches is sold or traded to another individual. That person attempts to buy product and return it for cash. They do not even have to go through the effort of hacking someone’s account, as there is ample supply of previously compromised accounts in the wild. • Crumbling boundaries. Familiar network and application boundaries are falling at an incredible rate. Cloud services, coupled with a next-generation Bring Your Own Device workforce, are blowing away the borders. We used to have nice, hardened perimeters, and extensive device management. That era has ended. We now have to protect our data in an always on, always connected world where there are no longer clear perimeter boundaries. Quite simply, we don’t have the same measure of control anymore. • Internal threats. These threats can come from disgruntled employees or contractors looking to profit off of your critical data. It is difficult to protect against every possible threat vector involving an internal employee that has access to sensitive data and the Internet. It has become too easy to shift large volumes of data relatively undetected. While this does occur, the more probable scenario is the unintentional hole that an employee or contractor creates. Outsourced third- party contractors can be a particular risk; they often have direct and/or privileged access into the interior of your network. The challenge is you do not manage their devices or the networks they connect into. Such unintentional exposures can create holes through all your defenses. There are mitigation steps you can take, of course. Providers like Fortinet and others offer advanced IPS, WAF, and centralized login tools. These technologies are requirements for any public-facing web servers or exposed application programming interfaces. Regular threat assessments are also key. Internal and external vulnerability scans should be regular events. The days of simply instituting IP restrictions or even stateful firewalls are over. For cloud-based risks, in conjunction with the threat-assessment piece, I recommend thorough risk analysis. That should also be part of any new technology implementation, particularly when you work with external parties. A full-on penetration test or vulnerability assessment starts with automated scanning, but you should also have your people performing careful risk-management assessments. What data does that server hold? What networks or systems can access it? Should you restrict access, or cordon it off all together? What Keeps Me up at Night 9Sponsored by: Thedaysofsimply institutingIP restrictionsoreven statefulfirewalls areover.
  • 10. It would be great if there were such a thing as a straight, universal security checklist. Unfortunately information security is not a recipe that we can follow. We live in a world of gray, not black and white. Therefore, security will always be a combination of advanced technology and smart people. It is only by carefully sorting through the risk factors that you can come up with the right strategies to mitigate the danger. What Keeps Me up at Night 10Sponsored by: Securitywillalways beacombination ofadvanced technologyand smartpeople.
  • 11.
  • 12. Hunting the Hunters My greatest challenge is finding talent. The market is awash with people who claim they can do InfoSec. Bolstered by a master’s degree in IT management, a freshly minted Certified Information Systems Security Professional certification, or a few years of managing firewalls, plenty of folks are willing to sign up to try network security. Most of them fall far short of the mark. I need hunters. The industry sells all manner of fascinating tools to find the bad guys on your network. Intrusion-prevention systems, next-generation firewalls, big data security analytics—they all offer you the grail. They’re each going to save you. Each claims to have built something that knows your network well enough to pinpoint aberrant behaviors in the vast oceans of noise. They all purport to find the needle in the haystack. I have yet to find one that does. To be clear, I’m hunting hunters—people who think like the bad guys. People who study offense and keep up to speed on the latest developments in hacker subculture. People who can write exploits and malware and know exactly why that new vulnerability is going to spread like wildfire in the Russian underground. Will Lefevers Will Lefevers is an information security architect who has 15 years of experience, including military tours in satellite operations, counterintelligence, cyber operations, and vulnerability research. Prior to joining Constant Contact, he was the application security engineer for a multimillion-dollar next-generation cloud platform. His foci include insider threat detection, behavioral analysis, malware reverse-engineering, and hunting threat actors in live networks. He’s also an avid homebrewer and writes exceptionally mediocre code. Lead Information Security Architect, Constant Contact 12 Mygreatestchallengeisfindingtalent....Ineed hunters. Nothing but experience can teach you how to respond in the moment when you have been breached. You need people who will run toward the fire. Finding talented people who study offense and keep up to speed on the latest developments in hacker subculture is key. Key Lessons 1 2 Twitter Sponsored by: Download the full eBook: Securing Your Network and Application Infrastructure
  • 13. People who can quote off the top of their head the black market price of someone’s full medical file. People who blend in with both the suits and the punks. People who make it their lifestyle to stay on the cutting edge of security. People who live it instead of just working it. The reality is that each of us will be breached. We’ll all get to experience that dazzling rush of panic and excitement. We’ll all live under the pressure of unsteady upper management, certain that intense scrutiny will meet our every decision for the next few weeks. Maximum pressure will be applied with near-zero tolerance for common mistakes. Nothing but experience can teach you how to respond in that moment. In situations like that, I’ve seen two kinds of personalities: those who run from the fire and those who run toward it. I revel in those moments. I need people who run toward the fire. I need people who look forward to the next chance to prove their skills. The hacker world evolves in response to every new defense. The cat-and-mouse game between attacker and defender plays out continuously. At the end of the day, shiny toys and fancy degrees won’t save you. I need the hackers who hunt hackers. Hunting the Hunters 13 Therealityisthat eachofuswillbe breached.We’llall gettoexperience thatdazzling rushofpanicand excitement. Sponsored by: