The Executive Order – Defining the Internet Security Ecosystem



                                                   Phil Agcaoili
                                                   April 2, 2013


Cyber what? Defining Cyber
• Cyber space is the connected Internet ecosystem
• Our daily life, economic vitality, and national security depend on a stable,
  safe, and resilient cyber space
• DHS defined 18 Critical Infrastructure Sectors (CIKR):
  Food and Agriculture; Banking and Finance; Chemical; Commercial Facilities;
  Communications; Critical Manufacturing; Dams; Defense Industrial Base;
  Emergency Services; Energy; Government Facilities; Healthcare and Public Health;
  Information Technology; National Monuments and Icons; Nuclear Reactors, Materials
  and Waste; Postal and Shipping; Transportation Systems; Water

• Cyber intrusions and attacks have increased dramatically over the last
  decade, exposing sensitive personal and business information, disrupting
  critical operations, and imposing high costs on the economy
• Cyber security is protecting our cyber space (critical infrastructure) from
  attack, damage, misuse, and economic espionage

Our physical infrastructure has become intertwined with, and reliant on, our cyber infrastructure.

Source: DHS, "Securing the Nation's Critical Cyber Infrastructure"



Why the fear? Cyber Trends - Advanced
• Stuxnet
• Duqu
• Gauss
• Mahdi
• Flame
• Wiper
• Shamoon - Saudi Aramco
• SCADA Network Attacks




Advanced attacks on critical infrastructure



Cyber Trends – Not So Advanced
           • Insulin pumps
           • Pacemakers
           • Smart TVs
           • Voting and elections
           • US drone fleet
           • SYMC – RSA – VRSN – Bit9 (Symantec, RSA, VeriSign, Bit9)
           • SNE – AMZN – AAPL – YHOO – LNKD (Sony, Amazon, Apple, Yahoo, LinkedIn)
           • DoE



General Observations on Cyber Trends
• Phishing and Email
• Exploitable Links and Browsers
• Java, Flash, PDF, MS Office
• A/V Coverage
• Android, iOS, Windows, and MacOS
• Air Gaps and Removable Media


• Endpoint Security
• Security Awareness
• Security Basics




A SHIFT
It’s here…



Expectations on Critical Infrastructure
• S. 21, Cybersecurity and American Cyber
 Competitiveness Act of 2013
  Senators Rockefeller (D-W.Va.), Carper (D-DE), Feinstein (D-CA), Levin (D-MI),
  Mikulski (D-MD), Whitehouse (D-RI), and Coons (D-DE)

• H.R. 624, Cyber Intelligence Sharing and Protection Act
 (CISPA), 2013
  Representative Rogers (R-MI) and 111 co-sponsors




           It’s unlikely that these will pass in 2013…

Fact Sheet: Executive Order on Cybersecurity / Presidential Policy
Directive on Critical Infrastructure Security and Resilience
Executive Order 13636 (EO 13636)
• New information sharing programs to provide both classified and unclassified
  threat and attack information to U.S. companies
• The development of a Cybersecurity Framework
• Establishes a voluntary program to promote the adoption of the Framework
• Calls for a review of existing cybersecurity regulation
• Includes strong privacy and civil liberties protections based on the Fair
  Information Practice Principles

Presidential Policy Directive 21 (PPD-21)
• Directs the government to identify the functional relationships across the
  government
• Directs the government to develop an efficient situational awareness
  capability
• Directs the government to address other information sharing priorities
• Calls for a comprehensive research and development plan for critical
  infrastructure

   http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical



Highlights of "Down Payment"
• EO 13636 and PPD-21 Issued February 12, 2013
• Defines Roadmap
• Focus Areas for CIKR:
  • Information Sharing
  • US Cybersecurity Framework
    • Standards
    • Identifying Critical Infrastructure
  • Supply Chain
• Sector-Specific Agencies and Sector Coordinating Councils
• FBI and NCIJTF

                     "Safe and Resilient Internet"

Roadmap timeline:
  February 12, 2013: Executive Order issued
  240 Days (October 10, 2013): Draft of US Cybersecurity Framework
  1 Year (February 12, 2014): Final US Cybersecurity Framework
  3 Years: Agencies report on critical infrastructure



Highlights of “Down Payment”
• “Don’t assume you’re not in scope”
   • "Critical infrastructure" covers a lot of economic activity
   • Covers a lot of technology
• Privacy concerns need to be addressed for “information
  sharing”
• Department of Commerce, National Institute of Standards and
  Technology (NIST), and Cybersecurity Framework
  • Reduce cyber risks to critical infrastructure within one year,
  • Incorporate “voluntary consensus standards and industry best
    practices to the fullest extent possible.”
     • Federal Supply Chain
• Partnerships and mandates
• Open standards
• “Technology neutral”
• Risk-based assessments

One Size Does Not Fit All…

Keys to Cyber Security:

Information Sharing
1. Balance with Privacy
2. One step at a time

Cybersecurity Framework
1. Common definitions
2. Don't assume you're not in scope (Think Ecosystem)
3. Sector specific, Risk-based Framework
4. Using Evidence with basic guidelines
5. Crawl, Walk, Run

Supply Chain
1. Align with Cyber Framework
2. Provide Assurance

                                             Security is Everyone's Responsibility.



Don’t Assume You’re Not in Scope
• Everyone with Information Technology is in scope (CIKR)
  • Security Basics
  • Apply an Evidence-based Security Model
    • Statistics by Sector Exist
  • You should Threat Model




                                  Think Ecosystem.

Threat Model
Your Role in the Cyber Space Ecosystem



Get the Point?
What standard are you following? What Framework?

Point Security Standards / Controls
• PCI DSS
       • Protects credit cards
       • 12 Requirements (Domains)
       • ~290 controls
• HIPAA / HITECH
       • Protects health information
• NERC CIP
• CSA Cloud Controls Matrix / Open Certification Framework
• SANS 20 Critical Security Controls / CAG
       • "International" security standards
       • 20 controls (Domains)
       • Mapped to ~150 NIST 800-53 controls

Holistic Security Standard Frameworks
• ISO/IEC 27001:2005
       • International security standards
       • 11 Domains
       • 133 controls
• FISMA
       • Includes NIST 800-53
       • US government standard
       • 22 Control Families (Domains)
       • ~850 controls
• COBIT 5

Consensus Audit Guidelines (CAG)*
• Hardware asset management
• Software white listing and asset management
• Vulnerability management
• Configuration settings
• Anti-virus
*Modified SANS 20 Critical Security Controls 2012 continuous monitoring policy issued by DHS

2012 Top 20 ISO 27001 Mitigating Controls*
Ranking   Control     Number of Times Control Mapped to a Real-World Security Breach
1         A.10.9.1    447
2         A.10.9.2    447
3         A.10.9.3    447
4         A.8.2.2     184
5         A.7.2.1     94
6         A.7.2.2     94
7         A.8.1.1     90
8         A.8.1.2     90
9         A.8.1.3     90
10        A.8.2.1     90
11        A.8.3.2     90
12        A.8.3.3     90
13        A.9.2.5     87
14        A.11.7.1    87
15        A.11.7.2    87
16        A.9.1.1     50
17        A.9.1.2     50
18        A.9.2.1     50
19        A.10.8.4    16
20        A.10.8.3    15
*Based on datalossdb.org and Privacy Rights Clearinghouse


    Simplify to Basic Security Guidelines Based on Evidence and Risk
                 We have developed the myth that technology can be an effective fortress
                                  You cannot protect all your data
                                    You cannot stop every attack

Therefore,
• Don’t protect everything
     • Protect most important data and ensure services
• Increase focus on closing the detection and response gap
   • Establish access norms and monitor for anomalies
• Reduce your attack surface
   • Don’t store/transmit what you don’t need
• Collapse to cores
   • Segregate and protect your most critical data
   • Protect cores really, really well
• Treat all endpoints as hostile
• Make small, targeted investments
   • Pass the Red Face Test – Reduce Investments through integration
        • Antivirus - Forefront
        • Full Disk Encryption – BitLocker
•   Patch and harden configurations
•   Change default credentials and restrict/monitor privileged accounts
•   Secure development through application testing and code reviews
•   Increase awareness and change culture
     • Social engineering and phishing
     • Destroy and don’t save what you don’t need
• Collect your own metrics and apply security as necessary with available industry evidence



Barriers to Implement Basics
• 2012 FISMA Report
  The top reported cybersecurity
  challenges were:
  - Funding the administration’s
  priority initiatives
  - Cultural challenges
  - Upgrading legacy technology
  - The current budget structure
  - Acquiring skilled personnel




Define Accountability (Vendors and Customers)
• Customers are dependent on vendors
• Vendors rely on customers

Traditional Security is Insufficient
• Advanced Persistent Threats
• Empowered Employees
• Elastic Perimeter
Trend Micro evaluations find over 90% of enterprise networks contain active malware (Trend Micro, 2012).


Risk-Based Approach Using Evidence




           The REAL Big Data for Infosec



First, Define Risk
• Partnership for Critical Infrastructure Security (PCIS)
   • Defined: Risk = Consequence (impact only). No: that leaves likelihood out entirely.


• General Risk Equation
   Risk = Probability x Impact
• Factor Analysis of Information Risk (FAIR)
   Risk = The probable frequency and probable magnitude of future loss
• Many other definitions, let’s pick…

• Limitations of risk analysis
   • Risk analysis is never perfect
   • All risk analysis models are approximations of reality
     • Reality is far too complex to ever model exactly
  • Any analysis model will be limited


• Sometimes you have enough information to make an informed decision (~SIRA)
• Define: Risk Appetite

   "Prediction is very difficult, especially about the future." ~Niels Bohr
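The two definitions above differ in kind: Probability x Impact gives one number, while FAIR asks for a probable frequency and a probable magnitude, i.e. ranges. The following is an added example (not code from this deck) that computes both and tests the result against a stated risk appetite. The scenario figures are constructed, and sampling each range from a triangular distribution is this example's simplification, not something FAIR prescribes.

```python
"""Risk as a distribution, FAIR-style, next to the single Probability x Impact number.

Added example for the "First, Define Risk" slide; not code from the deck.
All scenario figures are constructed for illustration.
"""
import random
import statistics


def point_estimate(probability: float, impact: float) -> float:
    """The general equation on the slide, Risk = Probability x Impact, as one expected value."""
    return probability * impact


def simulate_annual_loss(freq_low, freq_likely, freq_high,
                         mag_low, mag_likely, mag_high,
                         trials=10_000, seed=1):
    """FAIR reading: risk is the probable frequency and probable magnitude of future loss.

    Frequency and magnitude are each given as (minimum, most likely, maximum) and
    sampled from a triangular distribution (this example's simplification). Each
    trial draws a number of loss events for one year, draws a magnitude for every
    event and sums them. Returns the list of simulated annual losses.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(trials):
        events = round(rng.triangular(freq_low, freq_high, freq_likely))
        year = sum(rng.triangular(mag_low, mag_high, mag_likely)
                   for _ in range(events))
        losses.append(year)
    return losses


def summarize(losses):
    """Mean plus tail figures; a risk appetite is normally tested against a tail, not the mean."""
    ordered = sorted(losses)
    p90 = ordered[int(0.9 * (len(ordered) - 1))]
    return {"mean": statistics.fmean(losses), "p90": p90, "max": ordered[-1]}


def within_appetite(summary, appetite, tail="p90"):
    """Risk appetite: the largest loss at the chosen tail the organization is willing to accept."""
    return summary[tail] <= appetite


if __name__ == "__main__":
    # Constructed scenario: phishing-led account takeover at a mid-size firm.
    single_number = point_estimate(probability=0.8, impact=250_000)
    sim = summarize(simulate_annual_loss(0.5, 2, 6, 20_000, 100_000, 500_000))
    print(f"point estimate: {single_number:,.0f}")
    print(f"simulated mean: {sim['mean']:,.0f}  p90: {sim['p90']:,.0f}  max: {sim['max']:,.0f}")
    print("within a 1M appetite at p90:", within_appetite(sim, 1_000_000))
```

The point is the gap between the mean and the p90: a decision made on the single number alone will look fine in years where the tail does not show up, which is the "impact only" trap in a different costume.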


Second, Apply Evidence-Based Security
*Abridged Version of Moneysec
• Use industry data (Evidence)
  • “You’re not a beautiful snowflake.”
• Use with [Moneysec] metrics ~JPfost

• Don’t make emotional decisions
   • Recognize your bias
• Collect the “right” data
   • Look for correlations
• Set reasonable criteria for success
   • Don’t overspend
• You can measure anything! Even intangibles. ~Douglas Hubbard
   • You don’t always need to be exact
   • Reducing uncertainty adds value
   • Having just some data can go a long way to help a decision maker
• Not all measures are equally important (80/20)
• Track and trend performance over time
• Benchmark performance vs. self (and peers)
• All metrics are worthless – unless you do something with them

Mandiant M-Trends 2013 Threat Report




   2012 Verizon Data Breach Investigations Report (DBIR)




• 5th year of public releases
   – Starting in 2008
   – 7 total reports (mid-year supplementals in 2008 and 2009)
• Dataset now contains:
   – 8 years of data

2012 Verizon Data Breach Investigations Report (DBIR)




2012 Trustwave Global Security Report
"In those cases in which an external entity was necessary for detection, analysis found that attackers had an average of 173.5 days within the victim's environment before detection occurred. Conversely, organizations that relied on self-detection were able to identify attackers within their systems an average of 43 days after initial compromise."

2012 Verizon Data Breach Investigations Report (DBIR)


Trend - 2011 Verizon Data Breach Investigations Report (DBIR)


    Who are the (external) bad guys?
    • Eastern Europe takes a commanding lead


   2012 Federal Information Security Management Act report
• Over $13 Billion Spent on Personnel
   • Of the $14.6B spent on cybersecurity in 2012, a whopping 90% went to personnel
   • An increase from 76% in 2011
• Cybersecurity Education Down
   • Training only accounted for 0.9% of the total spent on cybersecurity, almost 2% lower than 2011
• A Challenging Year
  The top reported cybersecurity challenges were:
  - Funding the administration’s priority initiatives
  - Cultural challenges
  - Upgrading legacy technology
  - The current budget structure
  - Acquiring skilled personnel
• Top Three Government Cybersecurity Spenders
  The organizations who spent the most in 2012 were:
  - Department of Defense: $12 billion
  - Department of Homeland Security: $615.5 million
  - Treasury Department: $404 million
• Security Incidents on the Rise
   • 49,000 security incidents were reported in 2012, up from 43,889 in 2011
   • Worth noting that the majority were the result of lost or stolen equipment and data, not unauthorized access
• 2012 FISMA report reflects the major concerns we’ve recently heard in the media:
   • An increase in successful cyberattacks
   • A shortage of trained cybersecurity professionals; and
   • An IT infrastructure too weak to repel sophisticated attacks
• This recent surge in cyberattacks on government systems is the new normal
• However, the amount of successful attacks can and will decrease when agencies invest in
  security automation IT, which will decrease personnel costs, freeing the resources needed to
  properly invest in a fully trained cybersecurity workforce



Connecting the Dots
Information Leakage
• Ex-employees, partners, and customers
• Over 1/3 due to negligence
• Increasing loss from external collaboration
• Ponemon Study finds: 55% of SMBs were breached in 2012

[Charts: "Percentage cause of data breach" (Cost of Data Breach report, Ponemon Institute 2010) and "Estimated sources of data breach" (2010 CSO Global State of Information Security Survey)]
Connecting the Dots
VERIS (Vocabulary for Event Recording and Incident Sharing): What, How, Who, Why, When

[Charts: 2012 Trustwave GSR, 2013 Mandiant TR, 2012 Verizon DBIR]
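The value of a shared vocabulary is that incidents become comparable, so the "who / how / what / when" can be counted per sector instead of argued from anecdote. The following is an added example, not code from this deck and not the official VERIS schema (which is much larger); the field names are a simplified reading of its top-level categories, and every incident record is constructed sample data, not a real breach.

```python
"""Incident records in a VERIS-like shape, mined by sector.

Added example; not the deck's code and not the official VERIS schema. Fields are a
simplified reading of VERIS's top-level categories: actor (who), action and vector
(how), asset and attribute (what), discovery and dwell_days (when). The records
below are constructed, not real cases.
"""
from collections import Counter, defaultdict
from statistics import median

REQUIRED = ("industry", "actor", "action", "vector", "asset",
            "attribute", "discovery", "dwell_days")

# Constructed sample incidents.
INCIDENTS = [
    {"industry": "Finance", "actor": "external", "action": "hacking",
     "vector": "web application", "asset": "server", "attribute": "confidentiality",
     "discovery": "external", "dwell_days": 200},
    {"industry": "Finance", "actor": "external", "action": "hacking",
     "vector": "stolen credentials", "asset": "user account", "attribute": "integrity",
     "discovery": "internal", "dwell_days": 30},
    {"industry": "Finance", "actor": "external", "action": "social",
     "vector": "phishing email", "asset": "user", "attribute": "confidentiality",
     "discovery": "internal", "dwell_days": 45},
    {"industry": "Hospitality", "actor": "external", "action": "hacking",
     "vector": "remote access to POS", "asset": "POS terminal", "attribute": "confidentiality",
     "discovery": "external", "dwell_days": 180},
    {"industry": "Hospitality", "actor": "external", "action": "malware",
     "vector": "POS RAM scraper", "asset": "POS terminal", "attribute": "confidentiality",
     "discovery": "external", "dwell_days": 170},
    {"industry": "Healthcare", "actor": "internal", "action": "error",
     "vector": "lost laptop", "asset": "laptop", "attribute": "confidentiality",
     "discovery": "internal", "dwell_days": 10},
    {"industry": "Healthcare", "actor": "internal", "action": "misuse",
     "vector": "privilege abuse", "asset": "database", "attribute": "confidentiality",
     "discovery": "internal", "dwell_days": 60},
    {"industry": "Government", "actor": "internal", "action": "error",
     "vector": "lost media", "asset": "removable media", "attribute": "confidentiality",
     "discovery": "internal", "dwell_days": 5},
]


def missing_fields(record):
    """A shared vocabulary only works if every record carries every field."""
    return [f for f in REQUIRED if f not in record]


def top_actions_by_sector(incidents):
    """Most common 'how' per sector: the raw material for sector-specific guidance."""
    per_sector = defaultdict(Counter)
    for rec in incidents:
        per_sector[rec["industry"]][rec["action"]] += 1
    return {sector: c.most_common() for sector, c in per_sector.items()}


def dwell_by_discovery(incidents):
    """Median days to detection split by who found the breach (internal vs external)."""
    buckets = defaultdict(list)
    for rec in incidents:
        buckets[rec["discovery"]].append(rec["dwell_days"])
    return {who: median(days) for who, days in buckets.items()}


def actor_share(incidents):
    """Fraction of incidents attributed to external actors: the 'who' question."""
    return sum(rec["actor"] == "external" for rec in incidents) / len(incidents)


if __name__ == "__main__":
    print("records missing fields:", [i for i, r in enumerate(INCIDENTS) if missing_fields(r)])
    for sector, actions in top_actions_by_sector(INCIDENTS).items():
        print(f"{sector}: {actions}")
    print("median dwell by discovery:", dwell_by_discovery(INCIDENTS))
    print(f"external actors: {actor_share(INCIDENTS):.0%}")
```

Run over a real sector dataset the same three questions (top action per sector, dwell by discovery source, external share) give the evidence the later slides ask for; the sample here merely shows the shape of the answer.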

Third, Add Threat Modeling to Support the Risk Model
Cyber Kill Chain Model
   • Intrusions must be studied from the adversary's perspective – analyzing the
     "kill chain" to inform actionable security intelligence
   • An adversary must progress successfully through each stage of the chain
     before it can achieve its desired objective

   Recon → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives

   • Just one mitigation disrupts the chain and the adversary



Threat Modeling - Countermeasures
   • Moving detection and mitigation to earlier phases of the kill chain is
     essential in defending today's networks

   Recon → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives
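The two kill-chain slides make a claim that is easy to check against a control inventory: lay the controls out as a phase-by-course-of-action grid, and the earliest phase holding a deny or disrupt control is where the chain breaks, while every earlier phase is a candidate for "moving left". The following is an added example, not code from this deck; the seven phases and the detect/deny/disrupt/degrade/deceive columns follow the Lockheed Martin model, and the control inventory is constructed.

```python
"""Course-of-action matrix over the Cyber Kill Chain.

Added example for the kill chain slides; not code from the deck. Phases and
course-of-action columns follow the Lockheed Martin paper; the control inventory
is constructed for illustration.
"""
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
ACTIONS = ["detect", "deny", "disrupt", "degrade", "deceive"]

# Constructed inventory: (phase, course of action, control name).
CONTROLS = [
    ("reconnaissance", "detect", "web server log analytics"),
    ("delivery", "detect", "mail gateway attachment sandbox"),
    ("delivery", "deny", "block executable attachments"),
    ("exploitation", "deny", "patched browser and plug-ins"),
    ("installation", "detect", "host-based IDS"),
    ("command_and_control", "deny", "egress proxy allow-list"),
    ("command_and_control", "disrupt", "DNS sinkhole"),
]


def coverage_matrix(controls):
    """Phase x course-of-action grid listing the controls that sit in each cell."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for phase, action, name in controls:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown phase/action: {phase}/{action}")
        matrix[phase][action].append(name)
    return matrix


def earliest_detection(matrix):
    """First phase at which an intrusion would be seen at all."""
    return next((p for p in PHASES if matrix[p]["detect"]), None)


def first_break(matrix, blocking=("deny", "disrupt")):
    """First phase holding a blocking control: one mitigation here cuts the chain."""
    return next((p for p in PHASES if any(matrix[p][a] for a in blocking)), None)


def gaps(matrix):
    """Phases with no control of any kind, where the adversary passes unobserved."""
    return [p for p in PHASES if not any(matrix[p].values())]


def shift_left_targets(matrix):
    """Phases before the first break: where moving mitigation earlier would pay."""
    stop = first_break(matrix)
    return list(PHASES) if stop is None else PHASES[:PHASES.index(stop)]


def walk_intrusion(matrix, reached_phases):
    """Replay an intrusion that reached the given phases; per phase, list what
    would have detected it and what would have blocked it, stopping at the block."""
    report = []
    for p in PHASES:
        if p not in reached_phases:
            continue
        detect = list(matrix[p]["detect"])
        block = [n for a in ("deny", "disrupt") for n in matrix[p][a]]
        report.append((p, detect, block))
        if block:
            break
    return report


if __name__ == "__main__":
    m = coverage_matrix(CONTROLS)
    print("earliest detection:", earliest_detection(m))
    print("chain breaks at:   ", first_break(m))
    print("uncovered phases:  ", gaps(m))
    print("shift-left targets:", shift_left_targets(m))
    for phase, detect, block in walk_intrusion(m, set(PHASES)):
        print(f"  {phase:<22} detect={detect} block={block}")
```

With this inventory the intrusion is seen at reconnaissance but only stopped at delivery, and weaponization has nothing at all; that is the picture the countermeasures slide wants you to redraw, with the break as far left as the controls allow.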


Bring it All Together - Trends in the Evidence
Fix what's broken (Motivating Event)
• Hacks and compromise
  • Fix what’s already been hacked at your company
  • Utilize Cyber Kill Chain Model to focus defense in depth strategy
• Understand security trends for your industry
  •   Small and Medium Business beware
  •   Banks – DDoS, fraud, botnets, and web authentication attacks
  •   Hospitality – Credit cards, point of sale systems, Wi-Fi, and admin accounts
  •   DIB – RSA hack - Adobe/Microsoft 0-days, remote access, and phishing
  •   News – NYT/WSJ - phishing, Oracle Java 0-days
  •   Retail – Open Wi-Fi, POS
  •   LEA – 0-days, social engineering and phishing
  •   Credit card processors – Phishing and egress traffic
  •   Websites – SNE (SQL Injection) and exclusion from core security
• Know your threat landscape to prioritize your treatment strategy
  based on risk
• In advertising, the best insights are often minor alterations in trends
  which occur over long periods of time (and take time to see due to
  their nuanced nature).~Neira Jones
Somebody needs to thoroughly analyze the important industry data by sector.
                                     KNOW THE BIAS!!! Adjust from there.



Crawl, Walk, and then Run…
• Agree on definitions at each step of this process
• Agree on roles in cyber space ecosystem
• Need to develop better understanding
  • Cyber effect on way of life, economic vitality, and national security
  • Top threats by sector
  • Attackers/Adversaries by sector
  • Evidence of risks by sector
• Agree on countermeasures / controls



Inspiration
• I’m my father’s son…


• It’s our time.


• Video: https://www.youtube.com/watch?feature=player_embedded&v=Z2PloBdHeow



Conclusion
• The time is now for cyber security
• Agree on definitions as we proceed to each step
• Security is Everyone’s Responsibility
• Think Risk
• Use the evidence we have
  • There is a lot of industry data that needs to be analyzed
• Proceed with care, methodically, and by sector
  • Agree on the basics
• Get it done. We can do it.




                                      Cyber Space Ecosystem


              Questions & Answers
Phil Agcaoili
CISO, Cox Communications, Inc.
Co-Chair, Communication Sector Coordinating Council (CSCC),
           Cybersecurity Committee – Technology Sub-Committee
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack,
           Security, Trust and Assurance Registry (STAR), and
           Open Certification Framework (OCF)



             @hacksec
             https://www.linkedin.com/in/philA

 
Himss 2011 securing health information in the cloud -- feisal nanji
Himss 2011    securing health information in the cloud -- feisal nanjiHimss 2011    securing health information in the cloud -- feisal nanji
Himss 2011 securing health information in the cloud -- feisal nanjiFeisal Nanji
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorKaspersky
 
Cyber Security in Manufacturing
Cyber Security in ManufacturingCyber Security in Manufacturing
Cyber Security in ManufacturingCentraComm
 
Gus Hunt's Work-Bench Enterprise Security Summit Keynote
Gus Hunt's Work-Bench Enterprise Security Summit KeynoteGus Hunt's Work-Bench Enterprise Security Summit Keynote
Gus Hunt's Work-Bench Enterprise Security Summit KeynoteWork-Bench
 
Cybersecurity R&D briefing
Cybersecurity R&D briefingCybersecurity R&D briefing
Cybersecurity R&D briefingNaba Barkakati
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom PresentationEric Gallant
 
Southern Risk Council - Cybersecurity Update 10-9-13
Southern Risk Council - Cybersecurity  Update 10-9-13Southern Risk Council - Cybersecurity  Update 10-9-13
Southern Risk Council - Cybersecurity Update 10-9-13Phil Agcaoili
 
Cyber threat enterprise leadership required march 2014
Cyber threat   enterprise leadership required  march 2014Cyber threat   enterprise leadership required  march 2014
Cyber threat enterprise leadership required march 2014Peter ODell
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesUlf Mattsson
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloudInterop
 
Securing Your Digital Files from Legal Threats
Securing Your Digital Files from Legal ThreatsSecuring Your Digital Files from Legal Threats
Securing Your Digital Files from Legal ThreatsAbbie Hosta
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
 

Similaire à CSO Magazine Confab 2013 Atlanta - Cyber Security (20)

Cyber Security Professionals Viewed via Supply Chain
Cyber Security Professionals Viewed via Supply ChainCyber Security Professionals Viewed via Supply Chain
Cyber Security Professionals Viewed via Supply Chain
 
Cybersecurity and continuous intelligence
Cybersecurity and continuous intelligenceCybersecurity and continuous intelligence
Cybersecurity and continuous intelligence
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012
 
Himss 2011 securing health information in the cloud -- feisal nanji
Himss 2011    securing health information in the cloud -- feisal nanjiHimss 2011    securing health information in the cloud -- feisal nanji
Himss 2011 securing health information in the cloud -- feisal nanji
 
Supply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy SectorSupply Chain Threats to the US Energy Sector
Supply Chain Threats to the US Energy Sector
 
Cyber Security in Manufacturing
Cyber Security in ManufacturingCyber Security in Manufacturing
Cyber Security in Manufacturing
 
Gus Hunt's Work-Bench Enterprise Security Summit Keynote
Gus Hunt's Work-Bench Enterprise Security Summit KeynoteGus Hunt's Work-Bench Enterprise Security Summit Keynote
Gus Hunt's Work-Bench Enterprise Security Summit Keynote
 
Cybersecurity R&D briefing
Cybersecurity R&D briefingCybersecurity R&D briefing
Cybersecurity R&D briefing
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation
 
Nreca kickoff meeting
Nreca kickoff meetingNreca kickoff meeting
Nreca kickoff meeting
 
Southern Risk Council - Cybersecurity Update 10-9-13
Southern Risk Council - Cybersecurity  Update 10-9-13Southern Risk Council - Cybersecurity  Update 10-9-13
Southern Risk Council - Cybersecurity Update 10-9-13
 
Cyber threat enterprise leadership required march 2014
Cyber threat   enterprise leadership required  march 2014Cyber threat   enterprise leadership required  march 2014
Cyber threat enterprise leadership required march 2014
 
Securing Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best PracticesSecuring Fintech: Threats, Challenges & Best Practices
Securing Fintech: Threats, Challenges & Best Practices
 
Data security in cloud
Data security in cloudData security in cloud
Data security in cloud
 
The Cybersecurity Mess
The Cybersecurity MessThe Cybersecurity Mess
The Cybersecurity Mess
 
Securing Your Digital Files from Legal Threats
Securing Your Digital Files from Legal ThreatsSecuring Your Digital Files from Legal Threats
Securing Your Digital Files from Legal Threats
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
 

Plus de Phil Agcaoili

Cybersecurity Market 2020 - Bring the Noise
Cybersecurity Market 2020 - Bring the NoiseCybersecurity Market 2020 - Bring the Noise
Cybersecurity Market 2020 - Bring the NoisePhil Agcaoili
 
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the MinePhil Agcaoili
 
2016 ISSA Conference Threat Intelligence Keynote philA
2016 ISSA Conference Threat Intelligence Keynote philA2016 ISSA Conference Threat Intelligence Keynote philA
2016 ISSA Conference Threat Intelligence Keynote philAPhil Agcaoili
 
CSA Atlanta Q1'2016 Chapter Meeting
CSA Atlanta Q1'2016 Chapter MeetingCSA Atlanta Q1'2016 Chapter Meeting
CSA Atlanta Q1'2016 Chapter MeetingPhil Agcaoili
 
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...Phil Agcaoili
 
2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber SecurityPhil Agcaoili
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingPhil Agcaoili
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Phil Agcaoili
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Phil Agcaoili
 
Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say? Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say? Phil Agcaoili
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidPhil Agcaoili
 
2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?Phil Agcaoili
 
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...Phil Agcaoili
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Phil Agcaoili
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityPhil Agcaoili
 
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsCSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsPhil Agcaoili
 
Moneysec - Moneyball for Security
Moneysec - Moneyball for SecurityMoneysec - Moneyball for Security
Moneysec - Moneyball for SecurityPhil Agcaoili
 
IAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryIAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryPhil Agcaoili
 
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312Phil Agcaoili
 
2013 Democratization Of Technology How Cloud And Consumerization Change Eve...
2013 Democratization Of Technology   How Cloud And Consumerization Change Eve...2013 Democratization Of Technology   How Cloud And Consumerization Change Eve...
2013 Democratization Of Technology How Cloud And Consumerization Change Eve...Phil Agcaoili
 

Plus de Phil Agcaoili (20)

Cybersecurity Market 2020 - Bring the Noise
Cybersecurity Market 2020 - Bring the NoiseCybersecurity Market 2020 - Bring the Noise
Cybersecurity Market 2020 - Bring the Noise
 
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
 
2016 ISSA Conference Threat Intelligence Keynote philA
2016 ISSA Conference Threat Intelligence Keynote philA2016 ISSA Conference Threat Intelligence Keynote philA
2016 ISSA Conference Threat Intelligence Keynote philA
 
CSA Atlanta Q1'2016 Chapter Meeting
CSA Atlanta Q1'2016 Chapter MeetingCSA Atlanta Q1'2016 Chapter Meeting
CSA Atlanta Q1'2016 Chapter Meeting
 
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
 
2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter Meeting
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6
 
Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say? Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say?
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
 
2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?
 
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber Security
 
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsCSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
 
Moneysec - Moneyball for Security
Moneysec - Moneyball for SecurityMoneysec - Moneyball for Security
Moneysec - Moneyball for Security
 
IAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryIAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 February
 
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
 
2013 Democratization Of Technology How Cloud And Consumerization Change Eve...
2013 Democratization Of Technology   How Cloud And Consumerization Change Eve...2013 Democratization Of Technology   How Cloud And Consumerization Change Eve...
2013 Democratization Of Technology How Cloud And Consumerization Change Eve...
 

CSO Magazine Confab 2013 Atlanta - Cyber Security

  1. The Executive Order – Defining the Internet Security Ecosystem
     Phil Agcaoili, April 2, 2013

  2. Cyber what? Defining Cyber
     • Cyber space is the connected Internet ecosystem
     • Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyber space
     • DHS defined 18 Critical Infrastructure Sectors (CIKR): Food and Agriculture; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems; Water
     • Cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy
     • Cyber security is protecting our cyber space (critical infrastructure) from attack, damage, misuse, and economic espionage

  3. Our physical infrastructure has become intertwined and reliant on our cyber infrastructure
     Source: DHS, "Securing the Nation's Critical Cyber Infrastructure"

  4. [image slide, no text]

  5. Why the fear? Cyber Trends – Advanced
     • Stuxnet
     • Duqu
     • Gauss
     • Mahdi
     • Flame
     • Wiper
     • Shamoon – Saudi Aramco
     • SCADA Network Attacks
     Advanced attacks on critical infrastructure

  6. Cyber Trends – Not So Advanced
     • Insulin pumps
     • Pacemakers
     • Smart TVs
     • Voting and elections
     • US drone fleet
     • SYMC – RSA – VRSN – Bit9
     • SNE – AMZN – AAPL – YHOO – LNKD
     • DoE

  7. General Observations on Cyber Trends
     • Phishing and Email
     • Exploitable Links and Browsers
     • Java, Flash, PDF, MS Office
     • A/V Coverage
     • Android, iOS, Windows, and MacOS
     • Air Gaps and Removable Media
     • Endpoint Security
     • Security Awareness
     • Security Basics

  9. Expectations on Critical Infrastructure
     • S. 21, Cybersecurity and American Cyber Competitiveness Act of 2013 – Senators Rockefeller (D-W.Va.), Carper (D-DE), Feinstein (D-CA), Levin (D-MI), Mikulski (D-MD), Whitehouse (D-RI), and Coons (D-DE)
     • H.R. 624, Cyber Intelligence Sharing and Protection Act (CISPA), 2013 – Representative Rogers (R-MI) and 111 co-sponsors
     It's unlikely that these will pass in 2013…

  10. Fact Sheet: Executive Order on Cybersecurity / Presidential Policy Directive on Critical Infrastructure Security and Resilience
     Presidential Executive Order 13636
     • New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies
     • The development of a Cybersecurity Framework
     • Establishes a voluntary program to promote the adoption of the Framework
     • Calls for a review of existing cybersecurity regulation
     • Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles
     Presidential Policy Directive 21 (PPD-21)
     • Directs the government to identify the functional relationships across the government
     • Directs the government to develop an efficient situational awareness capability
     • Directs the government to address other information sharing priorities
     • Calls for a comprehensive research and development plan for critical infrastructure
     http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical
  11. Highlights of "Down Payment" – February 12, 2013 Executive Order
     • EO 13636 and PPD-21 issued February 12, 2013
     • Defines roadmap
     • Focus areas for CIKR:
       • Information Sharing
       • US Cybersecurity Framework
       • Standards
       • Identifying Critical Infrastructure
       • Supply Chain
       • Sector-Specific Agencies and Sector Coordinating Councils
       • FBI and NCIJTF
     Timeline:
       • 240 days (October 10, 2013): draft of the US Cybersecurity Framework
       • 1 year (February 12, 2014): final US Cybersecurity Framework
       • 3 years: "Safe and Resilient Internet" – agencies report on critical infrastructure
  12. Highlights of "Down Payment"
     • "Don't assume you're not in scope"
     • "Critical infrastructure" covers a lot of economic activity
     • Covers a lot of technology
     • Privacy concerns need to be addressed for "information sharing"
     • Department of Commerce, National Institute of Standards and Technology (NIST), and the Cybersecurity Framework
       • Reduce cyber risks to critical infrastructure within one year
       • Incorporate "voluntary consensus standards and industry best practices to the fullest extent possible."
     • Federal Supply Chain
     • Partnerships and mandates
     • Open standards
     • "Technology neutral"
     • Risk-based assessments
  13. [image slide, no text]

  14. Keys to Cyber Security
     Information Sharing
     1. Balance with Privacy
     2. One step at a time
     Cybersecurity Framework
     1. Common definitions
     2. Don't assume you're not in scope (Think Ecosystem)
     3. Sector specific, Risk-based Framework using Evidence with basic guidelines
     5. Crawl, Walk, Run
     Supply Chain
     1. Align with Cyber Framework
     2. Provide Assurance
     One Size Does Not Fit All… Security is Everyone's Responsibility.

  15. Don't Assume You're Not in Scope
     • Everyone with Information Technology is in scope (CIKR)
     • Security Basics
     • Apply Evidence-based Security Model
     • Statistics by Sector Exist
     • Should Threat Model
     Think Ecosystem.

  16. Threat Model Your Role in the Cyber Space Ecosystem

  18. What standard are you following? What framework?
     2012 Top 20 ISO 27001 Mitigating Controls (based on datalossdb.org and Privacy Rights Clearinghouse)
     Ranking | Control   | Number of times control mapped to a real-world security breach
     1       | A.10.9.1  | 447
     2       | A.10.9.2  | 447
     3       | A.10.9.3  | 447
     4       | A.8.2.2   | 184
     5       | A.7.2.1   | 94
     6       | A.7.2.2   | 94
     7       | A.8.1.1   | 90
     8       | A.8.1.2   | 90
     9       | A.8.1.3   | 90
     10      | A.8.2.1   | 90
     11      | A.8.3.2   | 90
     12      | A.8.3.3   | 90
     13      | A.9.2.5   | 87
     14      | A.11.7.1  | 87
     15      | A.11.7.2  | 87
     16      | A.9.1.1   | 50
     17      | A.9.1.2   | 50
     18      | A.9.2.1   | 50
     19      | A.10.8.4  | 16
     20      | A.10.8.3  | 15
     Point Security Standards / Controls
     • PCI DSS – protects credit cards; 12 Requirements (Domains); ~290 controls
     • HIPAA / HITECH – protects health information
     • NERC CIP
     • CSA Cloud Controls Matrix / Open Certification Framework
     • SANS 20 Critical Security Controls / CAG – "International" security standards; 20 controls (Domains); mapped to ~150 NIST 800-53 controls
     Holistic Security Standard Frameworks
     • ISO/IEC 27001:2005 – international security standards; 11 Domains; 133 controls
     • FISMA – includes NIST 800-53; US government standard; 22 Control Families (Domains); ~850 controls
     • COBIT 5
     Consensus Audit Guidelines (CAG)* – hardware asset management; software white listing and asset management; vulnerability management; configuration settings; anti-virus
     *Modified SANS 20 Critical Security Controls 2012 continuous monitoring policy issued by DHS
  19. Simplify to Basic Security Guidelines Based on Evidence and Risk
     We have developed the myth that technology can be an effective fortress. You cannot protect all your data. You cannot stop every attack. Therefore:
     • Don't protect everything
       • Protect the most important data and ensure services
       • Increase focus on closing the detection and response gap
       • Establish access norms and monitor for anomalies
     • Reduce your attack surface
       • Don't store/transmit what you don't need
       • Collapse to cores
       • Segregate and protect your most critical data
       • Protect cores really, really well
       • Treat all endpoints as hostile
     • Make small, targeted investments
       • Pass the Red Face Test – reduce investments through integration (e.g. antivirus – Forefront; full disk encryption – BitLocker)
       • Sector-based
       • Patch and harden configurations
       • Change default credentials and restrict/monitor privileged accounts
       • Secure development through application testing and code reviews
     • Increase awareness and change culture
       • Social engineering and phishing
     • Destroy and don't save what you don't need
     • Collect your own metrics and apply security as necessary with available industry evidence
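Two of the guidelines above, "Establish access norms and monitor for anomalies" and "restrict/monitor privileged accounts", can be turned into a concrete detection. The following is an added example, not code from the presentation: it learns each account's normal source hosts, hours and privilege use from a learning window of constructed audit-log lines, then flags later events that break those norms. The log format, the account and host names, the 07:00-19:59 business-hours window and the rule set are all assumptions made for this illustration.

```python
"""Baseline-and-deviate monitoring of account access (added example).

Learns per-account access norms from a window of audit-log lines, then
reports later events that fall outside those norms. Log format, accounts,
hosts and business hours are assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <account> <source_host> <action>"
LEARNING_WINDOW = """
2013-03-04T09:12:00 alice ws-alice login
2013-03-04T10:40:00 alice ws-alice file_read
2013-03-05T08:55:00 alice ws-alice login
2013-03-05T14:02:00 alice ws-alice file_read
2013-03-04T09:30:00 bob ws-bob login
2013-03-05T09:35:00 bob ws-bob login
2013-03-04T11:00:00 dba-admin jump-01 sudo
2013-03-05T11:10:00 dba-admin jump-01 sudo
""".strip().splitlines()

# Constructed events from the week being monitored.
MONITORED_WINDOW = """
2013-03-11T09:05:00 alice ws-alice login
2013-03-11T02:14:00 alice ws-alice file_read
2013-03-11T09:40:00 bob lab-kiosk login
2013-03-11T10:00:00 bob ws-bob sudo
2013-03-11T11:05:00 dba-admin jump-01 sudo
2013-03-11T23:50:00 dba-admin ws-bob sudo
2013-03-11T12:00:00 svc-backup ws-alice login
""".strip().splitlines()

PRIVILEGED_ACTIONS = {"sudo"}
WORK_HOURS = range(7, 20)  # 07:00-19:59, an assumed business-hours window


def parse(line):
    ts, account, host, action = line.split()
    return datetime.fromisoformat(ts), account, host, action


def build_baseline(lines):
    """Per-account norms: source hosts seen, hours seen, and whether
    the account has any history of privileged actions."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "priv": False})
    for line in lines:
        ts, account, host, action = parse(line)
        norm = baseline[account]
        norm["hosts"].add(host)
        norm["hours"].add(ts.hour)
        if action in PRIVILEGED_ACTIONS:
            norm["priv"] = True
    return baseline


def find_anomalies(lines, baseline):
    """Return (line, [reasons]) for every event that deviates from the baseline."""
    findings = []
    for line in lines:
        ts, account, host, action = parse(line)
        norm = baseline.get(account)  # .get() does not create a default entry
        reasons = []
        if norm is None:
            reasons.append("unknown account")
        else:
            if host not in norm["hosts"]:
                reasons.append(f"new source host {host}")
            # Off-hours only counts if the account never worked that hour before.
            if ts.hour not in WORK_HOURS and ts.hour not in norm["hours"]:
                reasons.append(f"off-hours activity at {ts:%H:%M}")
            if action in PRIVILEGED_ACTIONS and not norm["priv"]:
                reasons.append("privilege use by account with no privileged history")
        if reasons:
            findings.append((line, reasons))
    return findings


def run():
    """Build the baseline from the learning window and check the monitored window."""
    return find_anomalies(MONITORED_WINDOW, build_baseline(LEARNING_WINDOW))


if __name__ == "__main__":
    for line, reasons in run():
        print(line, "->", "; ".join(reasons))
```

The baseline is deliberately simple (sets of hosts and hours); in practice the learning window must itself be clean, otherwise an attacker already present becomes part of "normal", which is why the slide pairs this with fixing what has already been hacked.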
  20. Barriers to Implementing the Basics
     • 2012 FISMA Report – the top reported cybersecurity challenges were:
       - Funding the administration's priority initiatives
       - Cultural challenges
       - Upgrading legacy technology
       - The current budget structure
       - Acquiring skilled personnel
     • Define accountability (vendors and customers)
       • Customers are dependent on vendors
       • Vendors rely on customers

  21. Traditional Security is Insufficient
     Advanced Persistent Threats – Empowered Employees – Elastic Perimeter
     Trend Micro evaluations find over 90% of enterprise networks contain active malicious malware! (Copyright 2012 Trend Micro Inc.)

  22. Risk-Based Approach Using Evidence – The REAL Big Data for Infosec
  23. First, Define Risk
     • Partnership for Critical Infrastructure Security (PCIS) defined: Risk = Consequence (impact ONLY!!!) – NO!!!
     • General risk equation: Risk = Probability × Impact
     • Factor Analysis of Information Risk (FAIR): Risk = the probable frequency and probable magnitude of future loss
     • Many other definitions exist; let's pick one…
     • Limitations of risk analysis
       • Risk analysis is never perfect
       • All risk analysis models are approximations of reality
       • Reality is far too complex to ever model exactly
       • Any analysis model will be limited
       • Sometimes you have enough information to make an informed decision ~SIRA
     • Define: Risk Appetite
     "Prediction is very difficult, especially about the future." ~Niels Bohr
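To make the difference between the three risk definitions on this slide concrete, here is an added example (not from the presentation) that scores three constructed scenarios three ways: impact only, Probability × Impact using the means of three-point estimates, and a FAIR-style Monte Carlo that draws a loss-event frequency and a per-event loss magnitude for each simulated year. The scenarios, their frequency and magnitude ranges, and the use of triangular distributions are assumptions for illustration. The Monte Carlo also reports a 95th-percentile annual loss, which exposes a further limitation in the spirit of the slide: a rare, high-consequence scenario can have a 95th percentile of zero while still carrying a large expected loss.

```python
"""Three ways to score risk (added example, not from the presentation).

Ranks constructed scenarios by impact only (the "Risk = Consequence"
definition the slide rejects), by Probability x Impact, and by a
FAIR-style Monte Carlo of annualised loss. All numbers are assumptions.
"""
import math
import random

# (name, loss-event frequency per year (min, likely, max),
#        loss magnitude per event in USD (min, likely, max)) - constructed.
SCENARIOS = [
    ("Phishing-led credential theft", (4.0, 12.0, 30.0), (5_000, 30_000, 100_000)),
    ("POS malware, card data loss", (0.1, 0.3, 0.8), (200_000, 900_000, 3_000_000)),
    ("SCADA outage via remote access", (0.01, 0.02, 0.06), (2_000_000, 8_000_000, 25_000_000)),
]


def tri_mean(lo, likely, hi):
    """Mean of a triangular distribution (closed form)."""
    return (lo + likely + hi) / 3.0


def impact_only(scn):
    """PCIS-style: consequence alone, ignoring how often it happens."""
    _, _, mag = scn
    return tri_mean(*mag)


def probability_x_impact(scn):
    """Risk = Probability x Impact, using the mean of each three-point range."""
    _, freq, mag = scn
    return tri_mean(*freq) * tri_mean(*mag)


def poisson(lam, rng):
    """Poisson-distributed event count (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def fair_annual_loss(scn, years=20_000, seed=1):
    """FAIR-style Monte Carlo. Per simulated year: draw a loss-event frequency,
    a Poisson number of loss events at that rate, and a magnitude per event.
    Returns (mean annual loss, 95th-percentile annual loss)."""
    _, freq, mag = scn
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # random.triangular takes (low, high, mode)
        lef = rng.triangular(freq[0], freq[2], freq[1])
        n_events = poisson(lef, rng)
        losses.append(sum(rng.triangular(mag[0], mag[2], mag[1]) for _ in range(n_events)))
    losses.sort()
    return sum(losses) / years, losses[int(0.95 * years)]


def rank(score_fn):
    """Scenario names ordered from highest to lowest score."""
    return [s[0] for s in sorted(SCENARIOS, key=score_fn, reverse=True)]


if __name__ == "__main__":
    print("impact only         :", rank(impact_only))
    print("probability x impact:", rank(probability_x_impact))
    for scn in SCENARIOS:
        mean, p95 = fair_annual_loss(scn)
        print(f"{scn[0]:32s} mean ${mean:,.0f}/yr   95th pct ${p95:,.0f}/yr")
```

With these inputs the impact-only ordering is the exact reverse of the probability-weighted one, and the SCADA scenario's 95th-percentile annual loss is zero because fewer than 5% of simulated years contain an event at all; a risk appetite stated only as a percentile would therefore never see it, which is why FAIR reports both frequency and magnitude rather than a single number.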
  24. Second, Apply Evidence-Based Security (abridged version of Moneysec)
     • Use industry data (evidence)
     • "You're not a beautiful snowflake." ~JPfost
     • Use with [Moneysec] metrics
     • Don't make emotional decisions
     • Recognize your bias
     • Collect the "right" data
     • Look for correlations
     • Set reasonable criteria for success
     • Don't overspend
     • You can measure anything! Even intangibles. ~Douglas Hubbard
       • You don't always need to be exact
       • Reducing uncertainty adds value
       • Having just some data can go a long way to help a decision maker
       • Not all measures are equally important (80/20)
     • Track and trend performance over time
     • Benchmark performance vs. self (and peers)
     • All metrics are worthless – unless you do something with them

  25. Mandiant M-Trends 2013 Threat Report

  26. Mandiant M-Trends 2013 Threat Report

  27. 2012 Verizon Data Breach Investigations Report (DBIR)
     • 5th year of public releases – starting in 2008 – 7 total reports (mid-year supplementals in 2008 and 2009)
     • Dataset now contains 8 years of data

  28. 2012 Verizon Data Breach Investigations Report (DBIR) / 2012 Trustwave Global Security Report
     "In those cases in which an external entity was necessary for detection, analysis found that attackers had an average of 173.5 days within the victim's environment before detection occurred. Conversely, organizations that relied on self-detection were able to identify attackers within their systems an average of 43 days after initial compromise."

  29. 2012 Verizon Data Breach Investigations Report (DBIR)

  30. Trend – 2011 Verizon Data Breach Investigations Report (DBIR)

  31. Trend – 2011 Verizon Data Breach Investigations Report (DBIR)
     Who are the (external) bad guys? Eastern Europe takes a commanding lead

  32. 2012 Federal Information Security Management Act report
     • Over $13 billion spent on personnel
       • Of the $14.6B spent on cybersecurity in 2012, a whopping 90% went to personnel
       • An increase from 76% in 2011
     • Cybersecurity education down
       • Training only accounted for 0.9% of the total spent on cybersecurity, almost 2% lower than 2011
     • A challenging year – the top reported cybersecurity challenges were:
       - Funding the administration's priority initiatives
       - Cultural challenges
       - Upgrading legacy technology
       - The current budget structure
       - Acquiring skilled personnel
     • Top three government cybersecurity spenders in 2012:
       - Department of Defense: $12 billion
       - Department of Homeland Security: $615.5 million
       - Treasury Department: $404 million
     • Security incidents on the rise
       • 49,000 security incidents were reported in 2012, up from 43,889 in 2011
       • Worth noting that the majority were the result of lost or stolen equipment and data, not unauthorized access
     • The 2012 FISMA report reflects the major concerns we've recently heard in the media:
       • An increase in successful cyberattacks
       • A shortage of trained cybersecurity professionals
       • An IT infrastructure too weak to repel sophisticated attacks
     • This recent surge in cyberattacks on government systems is the new normal
     • However, the number of successful attacks can and will decrease when agencies invest in security automation IT, which will decrease personnel costs, freeing the resources needed to properly invest in a fully trained cybersecurity workforce

  33. Connecting the Dots – Information Leakage
     • Ex-employees, partners, and customers
     • Over 1/3 due to negligence
     • Increasing loss from external collaboration
     • Ponemon study finds: 55% of SMBs were breached in 2012
     [charts: percentage cause of data breach; estimated sources of data breach – sources: 2010 CSO Cost of Data Breach report, Global State of Information Security Survey, Ponemon Institute 2010]

  34. Connecting the Dots – VERIS (Vocabulary for Event Recording and Incident Sharing)
     What – How – Who – Why – When
     Sources: 2012 Trustwave GSR, 2013 Mandiant TR, 2012 Verizon DBIR
  35. Third, Add Threat Modeling (Supports Risk Model) – Cyber Kill Chain Model
     • Intrusions must be studied from the adversary's perspective – analyzing the "kill chain" to inform actionable security intelligence
     • An adversary must progress successfully through each stage of the chain before it can achieve its desired objective
     Recon → Weapon → Delivery → Exploit → Install → Command and Control → Actions on Objectives
     • Just one mitigation disrupts the chain and the adversary

  36. Threat Modeling – Countermeasures
     • Moving detection and mitigation to earlier phases of the kill chain is essential in defending today's networks
     Recon → Weapon → Delivery → Exploit → Install → Command and Control → Actions on Objectives
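The following added example (not from the presentation) applies the kill-chain view of slides 35 and 36 to a constructed intrusion: each event is classified into a phase with simple pattern rules, and a set of deployed controls is evaluated to find the earliest phase at which the chain is interrupted, which is the "move detection earlier" argument expressed in code. The event lines, the classification rules, the control names and their phase mappings are all assumptions made for this illustration.

```python
"""Kill-chain phase mapping for a constructed intrusion (added example).

Classifies defender-visible events into the phases named on the slide,
then reports the earliest phase at which a set of deployed controls
would break the chain. Events, rules and control mappings are assumptions.
"""
import re

PHASES = ["Recon", "Weapon", "Delivery", "Exploit", "Install",
          "Command and Control", "Actions on Objectives"]

# (regex over the event text, phase). Weaponization happens on the
# adversary's side and leaves no defender-visible event, so no rule maps to it.
RULES = [
    (r"web scan|dirbust|linkedin enumeration", "Recon"),
    (r"attachment .*\.(doc|pdf|jar)\b", "Delivery"),
    (r"(winword|acrord32|java)\.exe spawned (cmd|powershell)\.exe", "Exploit"),
    (r"(run key|scheduled task|service) created", "Install"),
    (r"beacon|periodic POST", "Command and Control"),
    (r"archive .* staged|bulk copy|exfil", "Actions on Objectives"),
]

# Constructed events, roughly in chronological order.
EVENTS = [
    "proxy: web scan of careers portal from 203.0.113.7",
    "mail: inbound attachment Q1_Results.doc to finance-user",
    "edr: winword.exe spawned cmd.exe on FIN-WS-12",
    "edr: run key created HKCU\\...\\Run\\updater on FIN-WS-12",
    "proxy: periodic POST to cdn-update.example every 300s",
    "dlp: archive reports.7z staged on FIN-WS-12",
]

# Phase(s) each (hypothetical) control detects or blocks.
CONTROLS = {
    "mail attachment sandbox": ["Delivery"],
    "EDR Office-child-process block": ["Exploit"],
    "application whitelisting": ["Install"],
    "proxy beaconing analytics": ["Command and Control"],
    "DLP egress monitoring": ["Actions on Objectives"],
}


def classify(event):
    """Kill-chain phase for one event, or None if no rule matches."""
    for pattern, phase in RULES:
        if re.search(pattern, event, re.IGNORECASE):
            return phase
    return None


def chain(events):
    """Phases observed, in kill-chain order, for the given events."""
    seen = {classify(e) for e in events} - {None}
    return [p for p in PHASES if p in seen]


def first_break(events, deployed):
    """Earliest observed phase covered by a deployed control, or None if
    the adversary reaches Actions on Objectives unopposed."""
    covered = {p for c in deployed for p in CONTROLS[c]}
    for phase in chain(events):
        if phase in covered:
            return phase
    return None


if __name__ == "__main__":
    print("observed chain:", " -> ".join(chain(EVENTS)))
    late = ["DLP egress monitoring"]
    early = ["mail attachment sandbox", "EDR Office-child-process block"]
    print("late-only controls break the chain at:", first_break(EVENTS, late))
    print("early controls break the chain at:    ", first_break(EVENTS, early))
```

Run against the sample, the chain is observed from Recon through Actions on Objectives; a control set that only watches egress interrupts it at the last phase, after the data is already staged, while a Delivery-phase control stops the same intrusion before any host is touched. The phase rules here are illustrative; real indicators come from the intrusion analysis the slide describes, and the point of mapping them is to pick the control that fires earliest, not the one that fires most.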
  • 37. 37 Bring it All Together - Trends in the Evidence Motivating Fix what’s broken Event • Hacks and compromise • Fix what’s already been hacked at your company • Utilize Cyber Kill Chain Model to focus defense in depth strategy • Understand security trends for your industry • Small and Medium Business beware • Banks – DDOS, fraud, botnets, and web authentication attacks • Hospitality – Credit cards, point of sale systems, Wifi, and admin accounts • DIB – RSA hack - Adobe/Microsoft 0days, remote access, and phishing • News – NYT/WSJ - phishing, Oracle Java 0days • Retail – Open Wifi, POS • LEA – 0day, social engineering and phishing • Credit card processors – Phishing and egress traffic • Websites – SNE (SQL Injection) and exclusion from core security • Know your threat landscape to prioritize your treatment strategy based on risk • In advertising, the best insights are often minor alterations in trends which occur over long periods of time (and take time to see due to their nuanced nature).~Neira Jones Somebody needs to thoroughly analyze the important industry data by sector. KNOW THE BIAS!!! Adjust from there.
  • 38. Crawl, Walk, and then Run…
    • Agree on definitions at each step of this process
    • Agree on roles in the cyber space ecosystem
    • Need to develop better understanding of:
      • Cyber effect on way of life, economic vitality, and national security
      • Top threats by sector
      • Attackers/Adversaries by sector
      • Evidence of risks by sector
    • Agree on countermeasures / controls
  • 39. Inspiration
    • I'm my father's son…
    • It's our time.
    • <Video> https://www.youtube.com/watch?feature=player_embedded&v=Z2PloBdHeow
  • 40. Conclusion
    • The time is now for cyber security
    • Agree on definitions as we proceed to each step
    • Security is Everyone's Responsibility
    • Think Risk
    • Use the evidence we have
      • There is a lot of industry data that needs to be analyzed
    • Proceed with care, methodically, and by sector
    • Agree on the basics
    • Get it done. We can do it.
    (Diagram: Cyber Space Ecosystem)
  • 41. Questions & Answers
    Phil Agcaoili
    CISO, Cox Communications, Inc.
    Co-Chair, Communications Sector Coordinating Council (CSCC), Cybersecurity Committee – Technology Sub-Committee
    Co-Founder & Board Member, Southern CISO Security Council
    Distinguished Fellow and Fellows Chairman, Ponemon Institute
    Founding Member, Cloud Security Alliance (CSA)
    Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and Open Certification Framework (OCF)
    @hacksec
    https://www.linkedin.com/in/philA

Editor's Notes

  1. Why is it the shiny object? Cyber is all about definitions. It is much talked about, but little defined and very misunderstood.
  2. DHS has provided:
     - CIKR facility risk assessments
     - Data center risk assessments
     These guidelines exist to connect physical and cyber security. Even PCI DSS and ISO/IEC 27001:2005 have physical security control requirements.
  3. No companies will be harmed to deliver this presentation
  4. To understand the fear, let's break down some of the advanced attacks affecting a region of the world, in rough chronological order:
     Stuxnet
     - Discovered in June 2010; Stuxnet is believed to be the first malware targeted specifically at critical infrastructure systems
     - NYT reported this was part of a U.S.-Israeli operation, "Operation Olympic Games", begun during President George W. Bush's time in office
     - An attempt to sabotage Iran's nuclear program; designed to shut down centrifuges at Iran's Natanz uranium enrichment plant
     - A sophisticated worm spread via USB drives and with 4 previously unknown, zero-day vulnerabilities in Windows
     - Used two stolen digital certificates
     - Aimed directly at Siemens supervisory control and data acquisition (SCADA) systems used to control industrial processes
     - Malware infected programmable logic controllers
     Duqu
     - The Duqu worm emerged in September 2011; researchers say it shared a lot of code with Stuxnet
     - It hit computers in Iran but did not appear to be directed at industrial or critical infrastructures specifically
     - Exploited zero-day Windows kernel vulnerabilities; used stolen digital certificates
     - Installed a backdoor; captured keystrokes and information that could be used to attack industrial control systems
     - Designed for a different purpose than Stuxnet: stealing data for surveillance and intelligence gathering
     - Researchers believe Duqu was a cyberespionage operation to gauge the status of Iran's nuclear program
     Gauss
     - Launched around September 2011 and discovered in June 2012
     - Malware was found on computers mostly in Lebanon, Israel, and Palestine, followed by the U.S. and the United Arab Emirates
     - Capable of stealing browser passwords, online banking accounts, cookies, and system configurations
     - Researchers believe that Gauss comes from the same nation-state that produced Stuxnet, Duqu, and Flame
     Mahdi
     - Discovered in February 2012 and publicly disclosed in July 2012; used for espionage since December 2011
     - A data-stealing trojan: records keystrokes, screenshots, and audio, and steals text and image files
     - Infected computers primarily in Iran, Israel, Afghanistan, the United Arab Emirates, and Saudi Arabia
     - Aimed at systems used by critical infrastructure companies, government embassies, and financial services firms
     - Used social engineering to get people to open malicious Word or PowerPoint attachments
     - Unknown who is responsible for the malware
     Flame
     - Discovered in May 2012; has been in the wild since December 2007
     - First hit Iranian Oil Ministry computers in April 2012
     - Most of the infections were in Iran, but other countries hit were Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt
     - Spread via USB stick, local network, or a shared printer spool vulnerability
     - Used a fraudulent digital certificate; left a backdoor on computers
     - Sniffed network traffic and recorded audio, screenshots, Skype conversations, and keystrokes
     - Downloaded information from other devices via Bluetooth; stole PDF, text, and AutoCAD files
     - Designed for general espionage and intelligence gathering; not targeted at any particular industry
     - Shares characteristics with Stuxnet and Duqu; also believed to have been developed as part of the Olympic Games project along with Stuxnet
     Wiper
     - Reported in April 2012; shut down computer systems at companies in Iran, including the Oil Ministry
     - Wiped data from hard drives and deleted all traces of itself
     - Very similar IOCs to Stuxnet and Duqu
     - The discovery of Wiper led to the discovery of Flame, which led researchers to Gauss
     - Point of origin is uncertain
     Shamoon
     - Discovered August 2012; a virus that attacked Windows computers
     - Designed for espionage; initially confused with Wiper but believed to be a Wiper copycat targeting oil companies
     - The code of Shamoon points to the work of amateurs rather than a nation-state operation
     - Programmed to overwrite files with an image of a burning U.S. flag; stole data
     - Shamoon hit Saudi Aramco and shut down 30,000 workstations
     Let's call these advanced attacks. Let's call these nation-state sponsored operations or attacks.
  5. So here's why there is confusion… It's the simple attacks / compromises that are confusing.
     Adding on to the 2011 insulin pump issue, which we agree was very simple:
     In 2011, a computer virus infected the cockpits of America's Predator and Reaper drones
     - A keylogger infected several computers the pilots use to operate the Predator and Reaper drones in the fleet on missions
     - Logged pilots' every keystroke as they remotely flew missions over Afghanistan and other warzones
     - A fleet of approximately 30 CIA-directed drones have hit targets in Pakistan more than 230 times; these drones have killed more than 2,000 suspected militants and civilians, according to the Washington Post
     - There are more than 150 additional Predator and Reaper drones, under U.S. Air Force control, that watch over the fighting in Afghanistan and Iraq
     - American military drones struck 92 times in Libya between mid-April and late August
     - But despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don't encrypt the video they transmit to American troops on the ground. In the summer of 2009, U.S. forces discovered days of drone footage on the laptops of Iraqi insurgents. A $26 piece of software allowed the militants to capture the video.
     - The virus kept reinfecting systems; it is estimated that 1/3 of the drone fleet had malware
     - OMG - "After repeated attempts to remove the malware, the technicians used a tool to completely erase and rebuild the systems from scratch. We keep wiping it off, and it keeps coming back," a source told Wired.
     Also in 2012, a demonstration showed that pacemakers could be infiltrated to deliver deadly shocks
     - A series of 830-volt shocks could be sent to a remote pacemaker
     - Researchers could activate all pacemakers and implantable defibrillators within a 30-foot radius to give up their serial numbers
     - Allows a would-be assassin to breach device firmware and upload nefarious malware that could spread to other pacemakers like a virus - networked
     Also in 2012, new Smart TV technology was exploited upon launch
     - Smart TVs run Android
     - Gained access to the device's built-in camera and microphones remotely
     - Allows an intruder to watch everything you do
     In 2013, authorities have confirmed for the first time ever:
     - Well known security issues (that have existed for a decade) on online voting systems were used
     - Hackers attempted and almost succeeded at rigging a Miami primary vote last August
     - Requests for over 2,500 phantom absentee ballots flooded the Miami-Dade voter registration site
     - Detected through the audit process (People and Process)
     SYMC, RSA, VRSN, and Bit9 were all simple, not advanced, and caused collateral damage
     SNE, AMZN, AAPL, YHOO, and LNKD were all simple and exploited basic security controls known for a long time
     2012 Dept of Energy hacked
     - Report published in 2012 by the U.S.-China Economic and Security Review Commission
     - "In 2012, Chinese state-sponsored actors continued to exploit U.S. government, military, industrial, and nongovernmental computer systems"
     - It's a continuing story: http://securityaffairs.co/wordpress/12188/cyber-crime/us-department-of-energy-hit-by-a-sophisticated-cyber-attack.html
  6. Bottom line is that cyber-adversaries are getting increasingly sophisticated in their targeting and attacks. We need to ensure that basic security is done to even begin to deal with advanced offensives.
  7. - Cybersecurity was a big issue in the 112th Congress
     - But there was little progress
     - Democrats and Republicans deadlocked over whether to give lead authority to the Department of Homeland Security (DHS), a civilian agency, or the National Security Agency (NSA), a military agency. Meanwhile evidence of threats to the nation's infrastructure increased.
  8. http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical
  9. The President could have issued this executive order at any time, but chose the State of the Union to emphasize the importance of the issue. Timeline
  10. "Critical infrastructure" covers a lot of economic activity. One of the 18 critical infrastructure sectors is Information Technology.
     - Threat detection and prevention is key for effective cybersecurity. Presently no clear rules exist about how to collect and share information. Businesses are concerned about the disclosure of confidential information. Governments have classified data, and data sharing has privacy implications for Internet users. The executive order sets out a framework to collect and gather information about cybersecurity where currently none exists.
     - The Commerce Department, a civilian agency, through NIST leads the Cybersecurity Framework, not NSA.
     - [EPIC] A clear victory for open government and academic freedom.
     - Partnerships and mandates – the WH is trying to ensure private sector support for better cybersecurity standards without imposing actual requirements. To describe cybersecurity policy as "technology neutral" is important to almost all of the players in the cybersecurity debate. The concern is that government will mandate a standard that becomes outdated.
     - On Voluntary - The White House wants to leave no doubt that it is not forcing anyone to do anything.
     - Since 9/11, the US has moved toward risk-based assessments to decide how to allocate security resources. This is the reason travelers go through body scanners at airports and not at bus stations. But identifying high-priority critical infrastructure is more difficult. Systems are interconnected. There are multiple operators, some outside the US.
  11. This down payment is to begin to mobilize people, companies, and the gov't to act: to secure cyber space, and to develop how to secure cyber space.
  12. Cyber security is all about coming to agreement on MANY definitions.
     - What is cyber?
     - What does safe mean? Water quality and safety in the US vs. Mexico; correlating infrastructure security of water treatment plants. One size does not fit all.
     - Risk-based security using evidence moves information security and physical security (cyber security) from art to science.
     - We need to start with basics (crawl, walk, run methodology).
     - Security is Everyone's Responsibility. Stop. Think. Connect. (DHS)
     - Discuss keys to cyber. Fire is a great example of this:
       - Gives everyone a role
       - Fairly clear that it needs to be dealt with
       - Minimum fire safety protocols in place
       - Who to call
       - Your role and responsibility
       - Role of companies
     - Another example is seat belt safety.
  13. Everyone with Information Technology is in scope. You are CIKR.
     SKIP to NEXT SLIDE – COME BACK
     - Think Security Basics
     - Apply Evidence-based Security Model: statistics by sector exist
     - Should Threat Model
     - Start by asking: does this have a computer inside? Mobile phones count. Tablets, etc… Does it have an IP?
     - You are accountable in the cyber ecosystem – cyber space.
     - Use the Verizon VERIS model to think about What? Who? Why? How? When? Where? You can be attacked.
     - Threat Modeling: look up your industry to assess how your industry is being attacked… We'll show more in the Evidence section how to look at this.
  14. All I did was remove the words from pages 4, 5, and 6.
     - Need to think how you affect the other 17 sectors. Think insulin pump or pacemaker examples. Smart TV.
     - Must add the economic espionage concept. What IP do you have that can arm hostile nation states thinking long term ill will towards the US? Counterfeit chips in space, war ships, etc.? Next gen designs? What happened to Nortel? They no longer exist.
  15. You are either part of the solution or part of the problem
  16. 2 frameworks have emerged as the most relevant to Cyber Security:
     1- the standards often used by Federal agencies to meet the Federal Information Security Management Act (FISMA) of 2002 requirements that have been developed by NIST (11 yrs old), and
     2- the standards developed internationally that are published by ISO/IEC and adopted by many global commercial organizations in the ISO/IEC 27000 series (BS 7799, 1995, and 18 yrs old).
     Both of these standards provide a general framework for managing IT security. The ISO/IEC 27001 standard focuses on making sure that an organization has a management system that is capable of managing information security.
     Standards included in the ISO/IEC 27000 family include:
     ⚫ ISO/IEC 27000 Fundamentals and principles
     ⚫ ISO/IEC 27001 ISMS requirements
     ⚫ ISO/IEC 27002 Security controls (Code of Practice for Information Security Management)
     ⚫ ISO/IEC 27003 ISMS implementation guidance
     ⚫ ISO/IEC 27004 Information security management metrics and measurements
     ⚫ ISO/IEC 27005 ISMS risk management
     FISMA standards include a risk assessment methodology (Special Publication 199), a detailed controls list (SP 800-53), and objective assessment criteria (SP 800-53A). The focus of the framework is on the Information Technology systems and on their certification and accreditation to operate.
     Other standards such as the Payment Card Industry Data Security Standard (PCI DSS) focus on particular information assets (credit card security), so in practice they must be integrated with another general framework in order to meet the real-world requirements of an organization needing to protect ALL of their assets.
     Best put:
     - ISO/IEC 27001 and FISMA – Ensure you're secure
     - ITIL – Ensures you're operating efficiently
     - COBIT – Ensures you're aligned with your business
     COBIT 5 also recently released:
     - Evaluate, Direct, and Monitor: ISO/IEC 38500 & ISO 31000
     - Align, Plan, and Organize: TOGAF, Prince2, and CMMI
     - ISO/IEC 27000 – Straddles: Align, Plan, and Organize; Build, Acquire, and Implement; Monitor, Evaluate, and Assess
     - Build, Acquire, and Implement: ITIL v3
     We have struggled as an industry to set standards. We have standards for each vertical right now. We built one for cloud at CSA using common controls from HITRUST for multi-tenant cloud service providers.
     As mentioned earlier, Cyber for most sectors right now is about the basics. Each sector needs to figure this out and work with their Sector Specific Agency (SSA) and NIST to come up with their basics.
  17. We have developed the myth that technology can be an effective fortress – that we can have security. People, Process, and Technology, in that order… Some basics – the slide speaks for itself… A new way of defending.
  18. Same issues highlighted in 2 different reports:
     - Funding
     - Culture
     - Legacy technology/deployments
     - Budget (funding again)
     - Lack of skills
     We need to expect more from our ecosystem: 1- ourselves, 2- vendors. Glass houses? We need to understand our limitations - technology is ahead of security. We live in an Information Technology ecosystem. Security is Everyone's Responsibility.
  19. The game has changed as well: with AV, with Cloud, with Mobile – BYOD. Basics first; address evolution next. Again, tech is ahead of security. We'll deal with advanced NEXT. Crawl, Walk, and then Run.
     The next iteration of our security is to apply the evidence that we have. Industry security evidence exists, but is mostly ignored. We need to use this evidence to better:
     - invest in basics
     - focus on the most critical data and ensure resilience, by sector and by attacker
  20. Isn't it spooky that the same old information keeps cropping up everywhere? The Moneysec approach says to look at the correlations.
     - Notable bias in AV vendor reports
     - Notable bias in security service provider reports
     - Training company bias towards training or their philosophy…
     - Mandiant reports bias towards APT/nation state attackers
     - VZ DBIR and TW GSR bias towards credit card and PII
     - Privacy Rights Clearinghouse towards privacy
     - And so on…
     But these reports, stitched together à la Moneysec, tell us some things, and there's a wealth of information out there. This is our BIG DATA. I'm waiting for it to be holistically analyzed - I'm an amateur - with the bias extracted. Vendors need to fix their bias… come on. This is how we will identify trends in the future and be more nimble as defenders. We need to apply what we're learning as an overlay to basics that are WORKING.
  21. Now that we have this data, we need to prioritize what needs to be secured first. Risk Management gives this to us. There's a lot to define and come to agreement on when it comes to risk management.
     PCIS – Sector meeting defined risk as consequence (as impact only) by $$$. NO!!!
     Basic definition: Risk = Probability x Impact
     Factor Analysis of Information Risk (FAIR): Risk = The probable frequency and probable magnitude of future loss
     FAIR provides a reasoned and logical framework for answering these questions:
     ‣ A taxonomy of the factors that make up information risk. This taxonomy provides a foundational understanding of information risk, without which we couldn't reasonably do the rest. It also provides a set of standard definitions for our terms.
     ‣ A method for measuring the factors that drive information risk, including threat event frequency, vulnerability, and loss.
     ‣ A computational engine that derives risk by mathematically simulating the relationships between the measured factors.
     ‣ A simulation model that allows us to apply the taxonomy, measurement method, and computational engine to build and analyze risk scenarios of virtually any size or complexity.
     All of this is used to make informed decisions and act accordingly. All of this is subject to error, but it's informed.
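As an added illustration of the two definitions in this note (example code written for this page, not FAIR's own computational engine nor anything from the presentation), the block below takes calibrated (minimum, most likely, maximum) estimates for threat event frequency, vulnerability and loss magnitude, runs a Monte Carlo over many simulated years, and reports the resulting annual loss distribution next to the single-number Probability x Impact figure. The scenario, its ranges, the name EXAMPLE and the choice of triangular inputs with Poisson event counts are all assumptions made for the example.

```python
"""FAIR-style Monte Carlo risk estimate, stdlib only.

Constructed example: risk as the probable frequency and probable magnitude
of future loss, contrasted with the one-number 'Risk = Probability x Impact'.
The scenario ranges are hypothetical, and the sampling choices (triangular
input distributions, Poisson event counts) are one reasonable engine, not
FAIR's official computational model.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[float, float, float]   # (minimum, most likely, maximum)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Range   # threat events per year
    vulnerability: Range            # probability a threat event becomes a loss event
    loss_magnitude: Range           # dollars lost per loss event


# Hypothetical scenario used for the demonstration.
EXAMPLE = Scenario(
    "Credential phishing against finance staff",
    threat_event_frequency=(2, 4, 8),
    vulnerability=(0.2, 0.4, 0.6),
    loss_magnitude=(10_000, 50_000, 200_000),
)


def point_estimate(s: Scenario) -> float:
    """The one-number 'Risk = Probability x Impact' view, using most-likely values only."""
    return s.threat_event_frequency[1] * s.vulnerability[1] * s.loss_magnitude[1]


def _draw(rng: random.Random, r: Range) -> float:
    """Sample a calibrated (min, most likely, max) estimate from a triangular distribution."""
    lo, mode, hi = r
    if lo == hi:
        return lo
    return rng.triangular(lo, hi, mode)   # stdlib argument order is (low, high, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year for a given loss-event frequency (Knuth's method)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(s: Scenario, years: int = 20_000, seed: int = 7) -> Dict[str, float]:
    """Simulate many years of the scenario and summarise the annual loss distribution."""
    rng = random.Random(seed)
    annual: List[float] = []
    for _ in range(years):
        # loss event frequency = threat event frequency x vulnerability
        lef = _draw(rng, s.threat_event_frequency) * _draw(rng, s.vulnerability)
        events = _poisson(rng, lef)
        annual.append(sum(_draw(rng, s.loss_magnitude) for _ in range(events)))
    annual.sort()
    pct = statistics.quantiles(annual, n=100)   # pct[i - 1] is the i-th percentile
    return {
        "mean_annual_loss": statistics.fmean(annual),
        "median": statistics.median(annual),
        "p90": pct[89],
        "p95": pct[94],
        "max": annual[-1],
    }


if __name__ == "__main__":
    print(EXAMPLE.name)
    print(f"point estimate (most likely values): ${point_estimate(EXAMPLE):,.0f}")
    for key, value in simulate(EXAMPLE).items():
        print(f"{key:>17}: ${value:,.0f}")
```

For the sample scenario the point estimate is $80,000, while the simulated mean lands well above it because every input range is skewed toward its high end; the 90th and 95th percentiles are the figures a treatment decision would actually be weighed against, which is the information a single Probability x Impact number throws away.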
  22. Moneysec ideas borrowed from: Jared Pfost, Chief Executive Officer, Third Defense; Brian Keefer, Security Architect, Leading SaaS Security Company. What are your measures of success?
  23. Median time an attacker was present on a victim network is 243 days, down from 416 days in 2011
     - Worst case, it took 4 years and 10 months to detect APT. Not good.
     - Only 1/3 detected their compromise; 2/3 were told by an external entity (LEA or service provider). Not good. This is where information sharing may be beneficial: the bad guys share… why don't we?
     - Industries being targeted
     - Your network is only as secure as your outsourced service provider. Make sure your organization understands the security posture of these providers, and apply as stringent policies to their access as you would to your own employees.
     - Once a target, always a target
  24. Information about your networks, systems, and organization provides a road map for attackers to quickly find what they are searching for. Apply the appropriate data classifications to such information and secure it accordingly.
     Attackers with an objective of economic espionage have specific goals and will return until their mission is complete. Treat incident detection and response as a consistent business process — not just something you do reactively. Constant vigilance and rapid response are necessary to keep an organization secure.
     Exploiting Web servers used to be indicative of crimes of opportunity rather than targeted, pre-meditated attacks. However, in 2012, Mandiant witnessed compromised Web servers being used as an initial means of access to conduct economic espionage. 6.5 Terabytes was stolen from a single organization.
     Remember the bias is nation states, APT, and cybercrime for Mandiant reports: conducting economic espionage, stealing IP, disrupting and intercepting services.
  25. VZ DBIR bias is towards PCI / credit cards and cyber crime: corporate and SMB attacks
  26. Over $13 Billion Spent on Personnel
     The most revealing figure to come out of the report is the increase in personnel expenses. Of the $14.6 billion spent on cybersecurity in 2012, a whopping 90% went to personnel, an increase from 76% in 2011. Although IT security software and hardware is growing more sophisticated and automated, it only accounted for 5% of spending.
     Cybersecurity Education Down
     Cyber protection is a bottom-up process now.
     It's Been A Challenging Year
     The top reported cybersecurity challenges were:
     - Funding the administration's priority initiatives
     - Cultural challenges
     - Upgrading legacy technology
     - The current budget structure
     - Acquiring skilled personnel
     Top Three Government Cybersecurity Spenders in 2012 were:
     - Department of Defense: $12 billion
     - Department of Homeland Security: $615.5 million
     - Treasury Department: $404 million
     Security Incidents on the Rise
     49,000 security incidents were reported in 2012, up from 43,889 in 2011. The majority of incidents were the result of lost or stolen equipment and data, not unauthorized access.
  27. Ponemon and CSO studies show trends. We also saw these results in the Mandiant report. We've heard these words with the DoE compromise. We've seen that SMBs are being heavily targeted right now.
  28. We see trends in the Trustwave GSR, Mandiant Threat Report, and VZ DBIR.
     VZ's Vocabulary for Event Recording and Incident Sharing (VERIS) is a way to tie incident sharing and event recording together. We all need to adopt it or parts of it. We need to figure out how/if to make it lightweight to follow it.
     We need to use public sources:
     - DatalossDB.org
     - Privacy Rights Clearinghouse
     - The Security Index
     - All of these reports…
     Do we have anything else?
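As an added example for this note and for the "Connecting the Dots" and "KNOW THE BIAS" points on slides 34 and 37 (code written for this page, not VERIS's own schema or tooling), the block below records incidents in a simplified VERIS-like shape (who, how, what, why, where, how discovered) with the originating report kept on each record, then answers the questions the deck asks of the data: top actions per sector, how often the victim was told by an outsider, and which sectors' picture comes almost entirely from one report. The Incident layout is a small subset inspired by VERIS's actor/action/asset/attribute structure, and the incidents and "report A/B/C" labels are constructed sample data, not figures from any published report.

```python
"""Aggregate VERIS-style incident records by sector and by report source.

Constructed example. The record layout is a simplified subset inspired by
VERIS's actor / action / asset / attribute structure (the real VERIS schema
is a much larger JSON schema); the incidents and the 'source' labels are
invented sample data, not figures from any published report.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Incident:
    sector: str          # victim industry: where
    actor: str           # who
    action: str          # how
    asset: str           # what was affected
    attribute: str       # which security property was lost
    motive: str          # why
    discovered_by: str   # "internal" or "external": how it came to light
    source: str          # report the record came from, kept for bias checks


# Constructed sample data (hypothetical incidents, hypothetical report labels).
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("Hospitality", "external organized crime", "POS malware", "point-of-sale terminal",
             "confidentiality", "financial", "external", "report A"),
    Incident("Hospitality", "external organized crime", "POS malware", "point-of-sale terminal",
             "confidentiality", "financial", "external", "report A"),
    Incident("Hospitality", "external organized crime", "brute force of admin account",
             "remote admin service", "confidentiality", "financial", "internal", "report A"),
    Incident("Banking", "external activist", "DDoS", "web server",
             "availability", "ideology", "external", "report A"),
    Incident("Banking", "external organized crime", "web authentication attack",
             "online banking application", "confidentiality", "financial", "internal", "report B"),
    Incident("Defense Industrial Base", "external state-affiliated", "phishing", "user workstation",
             "confidentiality", "espionage", "external", "report C"),
    Incident("Defense Industrial Base", "external state-affiliated", "phishing", "user workstation",
             "confidentiality", "espionage", "external", "report C"),
    Incident("Defense Industrial Base", "external state-affiliated", "0day in document reader",
             "user workstation", "confidentiality", "espionage", "external", "report C"),
    Incident("Retail", "external organized crime", "open Wi-Fi sniffing", "store network",
             "confidentiality", "financial", "external", "report B"),
    Incident("Retail", "external organized crime", "POS malware", "point-of-sale terminal",
             "confidentiality", "financial", "internal", "report A"),
]


def top_actions_by_sector(incidents: List[Incident], n: int = 2) -> Dict[str, List[Tuple[str, int]]]:
    """Most common attack actions ('how') per victim sector."""
    per_sector: Dict[str, Counter] = defaultdict(Counter)
    for inc in incidents:
        per_sector[inc.sector][inc.action] += 1
    return {sector: counts.most_common(n) for sector, counts in sorted(per_sector.items())}


def external_discovery_share(incidents: List[Incident]) -> float:
    """Fraction of incidents the victim learned about from an outside party."""
    if not incidents:
        return 0.0
    return sum(1 for inc in incidents if inc.discovered_by == "external") / len(incidents)


def source_share_by_sector(incidents: List[Incident]) -> Dict[str, Dict[str, float]]:
    """For each sector, the fraction of its records that each report contributed."""
    per_sector: Dict[str, Counter] = defaultdict(Counter)
    for inc in incidents:
        per_sector[inc.sector][inc.source] += 1
    return {
        sector: {src: cnt / sum(counts.values()) for src, cnt in counts.items()}
        for sector, counts in per_sector.items()
    }


def single_source_sectors(incidents: List[Incident], threshold: float = 0.75) -> List[str]:
    """Sectors whose picture comes mostly from one report: read those trends with that report's bias in mind."""
    shares = source_share_by_sector(incidents)
    return sorted(sector for sector, by_src in shares.items() if max(by_src.values()) >= threshold)


if __name__ == "__main__":
    for sector, actions in top_actions_by_sector(SAMPLE_INCIDENTS).items():
        print(f"{sector}: {actions}")
    print(f"externally discovered: {external_discovery_share(SAMPLE_INCIDENTS):.0%}")
    print("single-source sectors:", single_source_sectors(SAMPLE_INCIDENTS))
```

Keeping the source on every record is the point: a sector whose records all come from one report inherits that report's bias (a payment-card forensics firm sees POS malware, an APT-focused firm sees phishing), so the per-sector trend is only as representative as the mix of sources behind it.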
  29. We also need to leverage forms of threat modeling that allow offense to inform defense on how to better secure -- the Cyber Kill Chain. Just one mitigation disrupts the chain and the adversary.
  30. Moving response and countermeasures to earlier phases of the kill chain is essential in defending today’s networks
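As an added example for slides 35-36 and these two notes (code written for this page, not from the presentation or from the Lockheed Martin kill chain paper), the block below models a defender's controls as a course-of-action matrix over the seven phases and walks an adversary through the chain: a deny or disrupt control at any one phase ends the intrusion, a detect control gives visibility without stopping it, and the functions report where the chain breaks, where the intrusion is first seen, and which phases have no coverage at all. The phase names are the slides' own; the control names, their placement and the sample control sets are assumptions, and the action vocabulary (detect, deny, disrupt, degrade, deceive) follows the paper's course-of-action matrix.

```python
"""Cyber Kill Chain coverage check: where does a given set of defensive
controls break the chain, and how early is the intrusion seen?

Constructed example. The phase names follow the slides; the control names,
their placement on the chain and the sample control sets are hypothetical.
The action vocabulary (detect / deny / disrupt / degrade / deceive) follows
the course-of-action matrix from the Lockheed Martin kill chain paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

KILL_CHAIN: List[str] = [
    "Recon", "Weaponization", "Delivery", "Exploit",
    "Install", "Command and Control", "Actions on Objectives",
]
BLOCKING_ACTIONS: Set[str] = {"deny", "disrupt"}       # stop the adversary at that phase
ALL_ACTIONS: Set[str] = BLOCKING_ACTIONS | {"detect", "degrade", "deceive"}


@dataclass(frozen=True)
class Control:
    name: str
    phase: str     # one of KILL_CHAIN
    action: str    # one of ALL_ACTIONS

    def __post_init__(self) -> None:
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {self.phase!r}")
        if self.action not in ALL_ACTIONS:
            raise ValueError(f"unknown course of action: {self.action!r}")


def coverage(controls: List[Control]) -> Dict[str, Set[str]]:
    """Course-of-action matrix: phase -> set of action types the defender has there."""
    matrix: Dict[str, Set[str]] = {phase: set() for phase in KILL_CHAIN}
    for c in controls:
        matrix[c.phase].add(c.action)
    return matrix


def walk_chain(controls: List[Control]) -> List[Tuple[str, str]]:
    """Advance an adversary phase by phase against the control set.

    Each phase is 'blocked' (a deny/disrupt control stops the chain; nothing
    after it is reached), 'detected' (the adversary gets through but the
    defender has visibility), or 'passed' (no control at all).
    """
    matrix = coverage(controls)
    trace: List[Tuple[str, str]] = []
    for phase in KILL_CHAIN:
        actions = matrix[phase]
        if actions & BLOCKING_ACTIONS:
            trace.append((phase, "blocked"))
            break                       # one mitigation is enough to end the intrusion
        trace.append((phase, "detected" if "detect" in actions else "passed"))
    return trace


def earliest_break(controls: List[Control]) -> Optional[str]:
    """First phase at which the chain is broken, or None if the adversary reaches the objective."""
    for phase, status in walk_chain(controls):
        if status == "blocked":
            return phase
    return None


def earliest_detection(controls: List[Control]) -> Optional[str]:
    """First phase at which the defender would see the intrusion (detect or block)."""
    for phase, status in walk_chain(controls):
        if status != "passed":
            return phase
    return None


def uncovered_phases(controls: List[Control]) -> List[str]:
    """Phases with no control at all: the gaps to close, earliest ones first."""
    matrix = coverage(controls)
    return [phase for phase in KILL_CHAIN if not matrix[phase]]


# Hypothetical control set for a typical enterprise (constructed sample data).
SAMPLE_CONTROLS: List[Control] = [
    Control("Mail gateway attachment sandboxing", "Delivery", "detect"),
    Control("Patched browser plugins (Java, Flash, PDF reader)", "Exploit", "deny"),
    Control("Application whitelisting on endpoints", "Install", "deny"),
    Control("DNS query logging", "Command and Control", "detect"),
    Control("Egress filtering at the proxy", "Command and Control", "deny"),
]

if __name__ == "__main__":
    for phase, status in walk_chain(SAMPLE_CONTROLS):
        print(f"{phase:<22} {status}")
    print("chain broken at:", earliest_break(SAMPLE_CONTROLS))
    print("first seen at:  ", earliest_detection(SAMPLE_CONTROLS))
    print("uncovered:      ", uncovered_phases(SAMPLE_CONTROLS))
```

With the sample set the chain breaks at Exploit and is first seen at Delivery; a control set consisting only of egress filtering still breaks the chain, but not until Command and Control, which is the "move earlier" argument of slide 36 expressed as an index into the phase list. Phases after the break still show up in uncovered_phases on purpose: they are where the next intrusion lands if the earlier control fails.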
  31. Some trends that I've seen…
     - Phishing and Email
     - Exploitable Links and Browsers
     - Java, Flash, PDF, MS Office
     - A/V Coverage
     - Android, iOS, Windows, and MacOS
     - Air Gaps and Removable Media
     - Endpoint Security
     - Security Awareness
     - Security Basics
     We're back here.
  32. Take our time. Do this right.
  33. I'm my father's son… It's our time. We need this. This is what winning looks and feels like.