Introduction and a Look at Security Trends
0 likes477 views
The document outlines emerging trends and critical issues in information security, emphasizing the shift towards compliance, evolving threats, and changing customer expectations. It discusses the economics of security, including attacker motivations and the importance of mitigating risk, while presenting significant questions around measuring and communicating security. Key topics include the impact of cloud computing, the role of regulations, and the challenges posed by cybercrime and technology advancements.
Introduction and a Look at Security Trends
- 1. SESSION ID: #RSAC Hugh Thompson, Ph.D. Introduction and A Look at Security Trends Program Committee, RSA Conference Twitter: @DrHughThompson BAS-M01
- 2. SESSION ID:
- 4. #RSAC Agenda Intro to Information Security Security Trends Economics of Information Security
- 5. #RSAC The Shifting IT Environment (…or why security has become so important)
- 6. #RSAC Shift: Compliance and Consequences The business has to adhere to regulations, guidelines, standards,… SAS 112 and SOX (U.S.) – upped the ante on financial audits (and supporting IT systems) PCI DSS – requirements on companies that process payment cards HIPAA, GLBA, BASEL II, …, many more Audits have changed the economics of risk and create an “impending event” Hackers may attack you but auditors will show up Disclosure laws mean that the consequences of failure have increased Waves of disclosure legislation
- 7. #RSAC Shift: Technology • Many applications/transactions now operate over the web • Cloud is changing our notion of a perimeter • Worker mobility is redefining the IT landscape • Shadow IT is becoming enterprise IT • Majority of web transactions are now encrypted (SSL) • The security model has changed from good people vs. bad people to enabling partial trust – There are more “levels” of access: Extranets, partner access, customer access, identity management, …
- 8. #RSAC Shift: Attackers Cyber criminals are becoming organized and profit-driven An entire underground economy exists to support cybercrime Attackers are shifting their methods to exploit both technical and human weaknesses Attackers after much more than traditional monetizable data (PII, etc.) Hacktivism State-sponsored attacks IP attacks/breaches
- 9. #RSAC Shift: Customer expectations Customers, especially businesses, are using security as a discriminator In many ways security has become a non-negotiable expectation of businesses Security being woven into service level agreements (SLAs) The “average person” is now familiar with security
- 10. #RSAC Big Questions How do you communicate the value of security to the enterprise (and management)? How do you measure security? How do you rank risks? How do you reconcile security and compliance? How can you be proactive and not reactive? What is “security intelligence” and how would you actually consume, act on or share it? What changes are likely in privacy laws, data sovereignty, trust? What about big issues in the news like breaches of very personal data that cannot be reset or revoked? How should/can we adapt what we do based on them? How do you adapt to new paradigms like IoT?
- 11. #RSAC The Economics of Security
- 12. #RSAC Hackernomics (noun) A social science concerned chiefly with description and analysis of attacker motivations, economics, and business risk. Characterized by 5 fundamental immutable laws and 4 corollaries
- 13. #RSAC Law 1 Most attackers aren’t evil or insane; they just want something Corollary 1.a.: We don’t have the budget to protect against evil people but we can protect against people that will look for weaker targets
- 14. #RSAC Law 2 Security isn’t about security. It’s about mitigating risk at some cost. Corollary 2.a.: In the absence of metrics, we tend to over focus on risks that are either familiar or recent.
- 15. #RSAC Law 3 Most costly breaches come from simple failures, not from attacker ingenuity Corollary 3.a.: Bad guys can, however, be VERY creative if properly incentivized.
- 16. #RSAC The CAPTCHA Dilemma Completely Automated Public Turing test to tell Computers and Humans Apart
- 17. #RSAC Law 4 In the absence of security education or experience, people (employees, users, customers, …) naturally make poor security decisions with technology Corollary 4.a.: Systems needs to be easy to use securely and difficult to use insecurely
- 18. #RSAC
- 19. #RSAC Law 5 Attackers usually don’t get in by cracking some impenetrable security control, they look for weak points like trusting employees
- 20. #RSAC A Visual Journey of Security Trends
- 21. 2008
- 22. #RSAC 2015 Submission + Abstract Titles2015 Submission Titles + Quick Abstract 22
- 23. #RSAC 2016 Sbumssion Titles + Abstract016 16 Submission + Abstract Titles2016 Submission Titles + Quick Abstract 23
- 24. #RSAC Some hot areas… Hot topics: Internet of Things (IoT) security Data sovereignty and legislative volatility Cyber Insurance Privacy vs. Security Of particular intrigue Breaches – implications of the theft of persistent PII 24
- 25. #RSAC
- 26. #RSAC Enjoy the rest of the conference!!