The Threat You Are Not Expecting
Larry Slobodzian – AOS
Agenda
• The Challenges
• Why Worry
• Inside Info on Insiders
• Social Engineering Woes
• Costs
• One Approach to Consider
• What Specifically You Can Do
• More Resources
• Q&A
Disclaimer
 All thoughts and opinions expressed in this presentation, or by Larry Slobodzian directly, are his own and should not be interpreted as those of Alexander Open Systems (AOS), or any other organization that might be mentioned. The mention of any organizations should not be interpreted as endorsement.
 Some material contained herein was obtained and is used with the express written permission of AOS and other organizations, and may not be used or reproduced in any way without each of these parties’ express written consent in advance.
Larry Slobodzian
AOS Consulting Sales Lead | Security, GRC, IAM, and SRM
Why Partner with AOS
• In business since 1992
• 9 states, a dozen offices, 400 employees
• Award-winning vendor partner relationships with providers like Cisco, EMC, HP, VMware, RSA, and ServiceNow
• Not just a VAR, but a “best of breed” business problem solution provider
• Hundreds of references from satisfied customers in all technologies
A SECURITY MANAGEMENT MATURITY MODEL
(Figure: four maturity levels plotted against time; the percentage beside each level is the share of organizations found there, based on a Gartner survey, “Where organizations fall short” (2012).)
Level 1: Defending Borders (30%)
• Security is a “necessary evil”
• Reactive and de-centralized monitoring
• Tactical point products
Level 2: Awareness Phase (50%)
• Check-box mentality
• Collect data needed primarily for compliance
• Tactical threat defenses enhanced with layered security controls
• Established Security Team
Level 3: Corrective Phase (15%)
• Proactive and assessment based
• Collect data needed to assess risk and detect advanced threats
• Some security tools integrated with common data and management platform
• Strategic Security Program
• Design Architecture
Level 4: Optimal (5%)
• Continuous Process Improvement
• Security fully embedded in enterprise processes
• Data fully integrated with business content drives decision-making
• Security tools integrated with business tools
ARE YOU HERE?
The Business Challenges
• Exponential Growth of Threats
– D&D (disgruntled and disenfranchised) Insiders
– Outside Hackers (Commercial, Organized Crime, State Sponsored)
– Competitor Espionage
• Continuously Growing Regulations & Requirements
– Increases are a mandatory cost of doing business
– DIACAP, SOx, HIPAA, PCI, GLBA, Dodd-Frank, NERC, OCC, etc.
– Volume reduction, fines, and jail time for failure to comply
• Ever increasing expectations for “adequate” safeguards by consumers, management, shareholders, employees, press, courts…
C-Suite’s Top 5 Concerns
 Reputational Harm/Brand Equity
 Loss of Company IP
 Regulatory Actions/Compliance Costs
 Customer Lawsuits
 Shareholder/Investor Confidence
Current IT Challenges
• Increasing pace at which new and varied technologies must be supported
• More empowered end users
• Consumerization
• Cloud / SaaS / PaaS / IaaS
• Managed Services
• Maintain Legacy Systems
• Mobile Workforce
• BYOD
• And on, and on, and on
Budget Limitations, Staff Challenges (Skill, Availability, Cost, Retention)
Information Security, Privacy & IP Protection
(Diagram of two overlapping exposure areas, IP & Privacy Exposure and Information Security Exposure, covering: Wrongful Use; Wrongful Collection; Physical Theft of Sensitive Information; Non-Electronic Accidental Disclosure; Electronic Accidental Disclosure; “Cyber” Attacks.)
Why?
• There are at least 5 reasons, probably more
Why would strangers want your info?
1. Identity theft for resale or immediate profit
2. Damage reputation of competitor
3. Steal intellectual property
4. Blackmail
5. Cyber Crime/Terrorism – It’s an epidemic; the nation’s top cop says so
What’s Your Biggest Exposure?
# 1 Employee Negligence
# 2 Hacking
# 3 Paper
Why would insiders want to compromise you?
1. Greed / Financial Need
2. Anger / Revenge
3. Blackmail
4. Ego / Thrill
5. Divided Loyalties
What behaviors can you look for?
• Takes work home without need or authorization
• Unusual interests outside their scope
• Unusual remote access times/odd hours
• Disregards corporate acceptable use
• Short trips to foreign countries
• Life crises
• Paranoia
What to do about it
1. Educate and regularly train employees on security or other protocols.
2. Know your sensitive information and ensure it is protected.
3. Use appropriate screening processes to select new employees.
4. Segregation of duties.
5. Provide non-threatening, convenient ways for employees to report suspicions.
6. Routinely monitor computer networks for suspicious activity.
7. Ensure security (to include computer network security) personnel have the tools they need.
Know Your Vendors
Vendor Questionnaire (diagram) – areas to cover:
• Outsourcing?
• References
• Business History
• Privacy & Security Policies
• Security Certifications or Audits (ISO 27001 or SSAE 16)
• Types of Data that will be generated, processed, stored
• Level of Network Access
Vendor Management: Across Your Supply Chain
• Vendors = very large % of all breaches
• No vendor too small; take a broad view of vendors/data
• Confidentiality and data security requirements
• Audit rights
• Hiring practices
• Applies to vendor use of subcontractors & employees
• Termination obligations
• Data breach notice protocol
Employee Training
• Weakest link in the majority of data security programs (e.g. lost devices, unapproved software, weak passwords)
• Highest ROI (“Quick Win”)
• Continuously train all employees
• Training calibrated on access/roles/responsibilities
• Policy of least privilege
Social Engineering . . . reminders of why technology alone isn't enough to keep you secure.
1. Phishing, Whaling, Doxing
2. Trojan horses
3. RSA attack in 2011 – first attack against the guard of the guards
4. Watering holes
5. Nice person with confidence
6. Social media
7. Charity/Cause Celeb scams
8. Weak third parties/suppliers/partners
COSTS of Doing . . .
• Nothing
• Or just enough, but
• What is that, just enough, anyway?
How Exposed Are We?
Costs of Not Addressing Technology Risk
• Breach Stats – 2016
– 89% of breaches led to a data compromise in less than a day
– 79% of breaches took weeks or more to discover
• Annualized cost of cyber crime:
– $158 per affected record (average)
– $355 per healthcare record
– $80 per record in the public sector
• Bad Headlines
– Per Forrester, if it’s even possible, rebuilding trust can be up to 10x the cost of acquiring it in the first place
– Target Corp. breach total cost = $252 million
An Approach to Consider
WHAT IS THE FIX?
• Incident response program
• Ongoing vendor assessments
• Ongoing end-user awareness raising program
• Continuous monitoring
• Robust and ongoing Risk, Vulnerability, & Threat (RVT) assessments
• Strategically plan ahead and expect the worst
AOS HOLISTIC CONSULTING APPROACH
(Diagram following the ADDIE cycle – Analysis, Design, Develop, Implement, Evaluate – with Analysis as the starting point.)
• Analysis: always start here.
• Survey Administrative Controls: Policies, Procedures, Governance
• Survey Technical Controls: Core AOS
• Risk Assessment: those things that cause a significant business impact.
• Testing / Define Metrics: ROI on risk mitigation.
• Service Improvement: ongoing program support, AOS relationship, Cloud
The ADDIE Model: Instructional Design and Performance Improvement
What’s TRM?
• TRM (Technology Risk Management) includes:
– IT Security
– BC/DR
– Governance & Compliance
• Companies are ever more dependent upon IT to deliver
• TRM is a significant element of operational RM, which is one of the most critical aspects of Enterprise RM
• Either we manage risk, or it WILL manage us!
Why you need TRM
• The nature of the attacks
– Organized crime
– Zero Day
– APTs
• Forensics
– For operational interruptions
– In case it is more serious
Here are 8 steps to take right away
1. Insurance
2. Info
3. Culture
4. Risk Register
5. Self-Assessment
6. Incident Response Plan
7. Defense In Depth
8. Get Help
Create a Risk Register & Matrix
1. List all the realistic bad things that could happen
2. Rank them by likelihood (1-least to 5-most) and
3. Impact (1-least to 5-most, $)
4. Plot them in a matrix
5. Concentrate on the 5/5s
DREAD
• Damage - how bad would an attack be?
• Reproducibility - how easy is it to reproduce the attack?
• Exploitability - how much work is it to launch the attack?
• Affected users - how many people will be impacted?
• Discoverability - how easy is it to discover the threat?
• Use predefined answers
D – Damage Potential
• If a threat exploit occurs, how much damage will be caused?
– 0 = Nothing
– 5 = Individual user data is compromised or affected.
– 10 = Complete system or data destruction
R – Reproducibility
• How easy is it to reproduce the threat exploit?
– 0 = Very hard or impossible, even for administrators of the application.
– 5 = One or two steps required, may need to be an authorized user.
– 10 = Just a web browser and the address bar is sufficient, without authentication.
E – Exploitability
• What is needed to exploit this threat?
– 0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
– 5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
– 10 = Just a web browser
A – Affected Users
• How many users will be affected?
– 0 = None
– 5 = Some users, but not all
– 10 = All users
D₂ – Discoverability
• How easy is it to discover this threat?
– 0 = Very hard to impossible; requires source code or administrative access.
– 5 = Can figure it out by guessing or by monitoring network traces.
– 9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
– 10 = The information is visible in the web browser address bar or in a form.
DREAD Impact & Probability
• Damage Potential + Affected Users = Impact
• Reproducibility + Exploitability + Discoverability = Probability
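As an added worked example (not part of the original deck), the DREAD scheme above in Python: the predefined answers are the only scores accepted, Impact and Probability are computed exactly as the slides define them, and a small register of threats is ranked by the result. The threat names and their ratings are constructed for a hypothetical customer portal.

```python
"""DREAD rating with the deck's predefined answers (added example, not from the deck).

Impact      = Damage Potential + Affected Users                  (0..20)
Probability = Reproducibility + Exploitability + Discoverability (0..30)
"""
from dataclasses import dataclass

# Predefined answers, as the slides give them. Only these scores are accepted,
# which keeps ratings comparable between different assessors.
PREDEFINED = {
    "damage": {
        0: "Nothing",
        5: "Individual user data is compromised or affected",
        10: "Complete system or data destruction",
    },
    "reproducibility": {
        0: "Very hard or impossible, even for administrators of the application",
        5: "One or two steps required, may need to be an authorized user",
        10: "Just a web browser and the address bar is sufficient, without authentication",
    },
    "exploitability": {
        0: "Advanced programming and networking knowledge, with custom or advanced attack tools",
        5: "Malware exists on the Internet, or an exploit is easily performed using available tools",
        10: "Just a web browser",
    },
    "affected_users": {0: "None", 5: "Some users, but not all", 10: "All users"},
    "discoverability": {
        0: "Very hard to impossible; requires source code or administrative access",
        5: "Can figure it out by guessing or by monitoring network traces",
        9: "Details of faults like this are already public and easy to find with a search engine",
        10: "The information is visible in the web browser address bar or in a form",
    },
}


@dataclass(frozen=True)
class DreadRating:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject anything that is not one of the predefined answers.
        for name, scale in PREDEFINED.items():
            value = getattr(self, name)
            if value not in scale:
                raise ValueError(f"{name}={value} is not a predefined answer {sorted(scale)}")

    @property
    def impact(self) -> int:
        return self.damage + self.affected_users

    @property
    def probability(self) -> int:
        return self.reproducibility + self.exploitability + self.discoverability

    def explain(self) -> list[str]:
        """Human-readable justification: one line per DREAD category."""
        return [f"{name}: {getattr(self, name)} ({scale[getattr(self, name)]})"
                for name, scale in PREDEFINED.items()]


def rank_threats(threats: dict[str, DreadRating]) -> list[tuple[str, int, int]]:
    """Return (name, impact, probability) ordered from most to least urgent.

    Ties on the total are broken by impact, so of two threats with equal totals
    the one that hurts more users or systems comes first.
    """
    return sorted(((name, r.impact, r.probability) for name, r in threats.items()),
                  key=lambda t: (t[1] + t[2], t[1]), reverse=True)


# Constructed sample threats for a hypothetical customer portal (not from the deck).
SAMPLE_THREATS = {
    "Customer record exposed by guessable id in portal URL":
        DreadRating(damage=5, reproducibility=10, exploitability=10, affected_users=5, discoverability=10),
    "Publicly known flaw in outdated library on the web tier":
        DreadRating(damage=5, reproducibility=5, exploitability=5, affected_users=10, discoverability=9),
    "Config tampering by someone already holding admin rights":
        DreadRating(damage=10, reproducibility=5, exploitability=0, affected_users=10, discoverability=0),
    "Unencrypted backup media lost in transit":
        DreadRating(damage=10, reproducibility=0, exploitability=0, affected_users=10, discoverability=0),
}


def score_sample_threats() -> list[tuple[str, int, int]]:
    return rank_threats(SAMPLE_THREATS)


if __name__ == "__main__":
    for name, impact, probability in score_sample_threats():
        print(f"{impact + probability:>3}  impact={impact:>2} probability={probability:>2}  {name}")
```

Note how the lost backup media scores the maximum Impact but a Probability of zero: DREAD separates how bad an event is from how likely it is, which is why the deck plots the two on different axes of the risk matrix.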
STRIDE
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data
leak)
• Denial of service (D.o.S)
• Elevation of privilege
CIA Triad
• Confidentiality
• Integrity
• Availability
Risk matrix: treatment by Impact (rows) and Probability (columns)
Impact \ Probability | Low/Remote | Moderate | High/Certain
Significant | Considerable management required | Must manage and monitor risks | Extensive management essential
Moderate | Risks may be worth accepting with monitoring | Management effort worthwhile | Management effort required
Minor | Accept risks | Accept, but monitor risks | Manage and monitor risks
Sample Frequency (Probability) Scale
1. Remote - 1 in 100 year event
2. Unlikely - 1 in 50-100 year event
3. Possible - 1 in 15-25 year event
4. Likely - 1 in 5-15 year event
5. Certain - 1 in 1-5 year event
Sample Impact (Losses) Scale
1. Low - Less than $250,000
2. Moderate - $250,000 - $1,000,000
3. Significant - $1,000,000 - $5,000,000
4. Serious - $5,000,000 - $25,000,000
5. Severe - Greater than $25,000,000
AS/NZS – ISO 31000 Risk Mapping: Impact & Probability Relationship
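The register procedure (score likelihood and impact 1 to 5, plot in a matrix, concentrate on the 5/5s) and the treatment matrix above, carried through in Python as an added example that is not part of the deck. The sample register entries and their scores are constructed for a hypothetical mid-sized company; the scale text and the 3x3 treatments are taken from the slides.

```python
"""Risk register and matrix (added example, not from the deck).

Scores each risk 1..5 for likelihood and 1..5 for impact, plots the register in a
5x5 matrix, pulls out the 5/5s to concentrate on, and looks up the treatment the
AS/NZS-style 3x3 matrix prescribes for a qualitative impact/probability pair.
"""
from dataclasses import dataclass

# Sample scales from the deck, keyed by score.
FREQUENCY_SCALE = {
    1: "Remote - 1 in 100 year event",
    2: "Unlikely - 1 in 50-100 year event",
    3: "Possible - 1 in 15-25 year event",
    4: "Likely - 1 in 5-15 year event",
    5: "Certain - 1 in 1-5 year event",
}
IMPACT_SCALE = {
    1: "Low - less than $250,000",
    2: "Moderate - $250,000 - $1,000,000",
    3: "Significant - $1,000,000 - $5,000,000",
    4: "Serious - $5,000,000 - $25,000,000",
    5: "Severe - greater than $25,000,000",
}

# The 3x3 treatment matrix from the deck: TREATMENT[impact][probability].
TREATMENT = {
    "Significant": {"Low/Remote": "Considerable management required",
                    "Moderate": "Must manage and monitor risks",
                    "High/Certain": "Extensive management essential"},
    "Moderate": {"Low/Remote": "Risks may be worth accepting with monitoring",
                 "Moderate": "Management effort worthwhile",
                 "High/Certain": "Management effort required"},
    "Minor": {"Low/Remote": "Accept risks",
              "Moderate": "Accept, but monitor risks",
              "High/Certain": "Manage and monitor risks"},
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (least) .. 5 (most), per FREQUENCY_SCALE
    impact: int      # 1 (least) .. 5 (most, $), per IMPACT_SCALE

    def __post_init__(self) -> None:
        if self.likelihood not in FREQUENCY_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.name}: scores must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rank(register: list[Risk]) -> list[Risk]:
    """Highest likelihood x impact first; ties go to the larger impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def five_fives(register: list[Risk]) -> list[str]:
    """The risks the deck says to concentrate on first."""
    return [r.name for r in register if r.likelihood == 5 and r.impact == 5]


def matrix(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Plot the register: cell (likelihood, impact) -> names of the risks in that cell."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    return cells


def render_matrix(register: list[Risk]) -> str:
    """Text grid, impact 5 at the top, likelihood 1..5 across; each cell holds a count."""
    cells = matrix(register)
    lines = ["impact\\likelihood  " + "  ".join(str(l) for l in range(1, 6))]
    for impact in range(5, 0, -1):
        row = "  ".join(str(len(cells.get((l, impact), []))) for l in range(1, 6))
        lines.append(f"{impact:>17}  {row}")
    return "\n".join(lines)


def treatment(impact: str, probability: str) -> str:
    """Look up the deck's 3x3 matrix, e.g. treatment('Significant', 'High/Certain')."""
    return TREATMENT[impact][probability]


# Constructed register for a hypothetical mid-sized company (not from the deck).
SAMPLE_REGISTER = [
    Risk("Unencrypted laptop lost or stolen", likelihood=5, impact=5),
    Risk("Vendor with network access is breached", likelihood=4, impact=5),
    Risk("Phishing leads to credential theft", likelihood=5, impact=4),
    Risk("Shared admin password on legacy system", likelihood=5, impact=5),
    Risk("Disgruntled insider exfiltrates customer data", likelihood=3, impact=5),
    Risk("Data center flood", likelihood=1, impact=5),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.score:>2}  L={r.likelihood} I={r.impact}  {r.name}")
    print("Concentrate on:", five_fives(SAMPLE_REGISTER))
    print(render_matrix(SAMPLE_REGISTER))
```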
Risk Decisions
• Accept
• Transfer
• Avoid
• Mitigate
Create an incident response plan (AICPA)
1. Use the risk register list
2. Either create an overarching plan as a guide to everything on the list, or a plan for each
3. The plan should contain:
   1. Who can invoke the plan
   2. When to invoke the plan
   3. Who does what
   4. Alternate roles & responsibilities
   5. How to do what
   6. What is BAU
4. Don’t forget the post mortem for lessons learned
You can’t run . . . or do this!
Takeaways
1. Biggest threat is inside—that includes vendors
2. Costs of doing nothing > Costs of security
3. Employee training is low-hanging fruit
4. Vendor Risk Management (3PA) is CRITICAL
5. Know your risks and how you will address them
6. Continuous monitoring
Additional Resources
 Ponemon Institute http://www.ponemon.org/
 Shared Assessments™ http://sharedassessments.org/about/
 OWASP Threat Risk Modeling https://www.owasp.org/index.php/Threat_Risk_Modeling
 AOS Security Consulting http://www.aos5.com/security/
Secure Iowa Oct 2016
Questions?
Please Contact:
Your local AOS Account Manager
or
Larry Slobodzian, Consulting Sales Lead
Larry.Slobodzian@aos5.com 913-669-9285
Linkedin.com/in/larryslobodzian
For more information on AOS Security Consulting
• https://www.linkedin.com/in/larryslobodzian
Editor's Notes

  • #2: On behalf of AOS and myself, I want to thank Northrop Grumman for the opportunity to speak with you today. Collaborative dialogue. Not going to read slides.
  • #4: This is the “You can Quote me, But . . . “ slide
  • #7: Compliance Checkbox Complacency Most organizations are at step 2, can hop to step 3 with just a nudge or two 80% of your clients will be somewhere between Level 1 and Level 2. See how once we place the client on the model we can see their needs for moving forward. During the assessment phase, remember our 4 step approach, remember that your client can have elements that exist in Level 3 but have missed elements that are vital at Level 1.
  • #8: D&D – disgruntled and disenfranchised insiders – one of the biggest hidden threats companies can face Most companies cannot afford to find and keep the expertise level to meet these needs
  • #9: This was from a 2014 Forrester study and has been echoed as recently as January in the WSJ
  • #10: Even though cyber security is not just IT’s problem anymore, we are still looked at to help solve/prevent the lion’s share
  • #11: This area of overlap where policy/process shortcomings meet technology shortcomings is why cyber sec is no longer only an IT issue
  • #13: Click on Picture for Norse Map. Let’s not forget your compute power.
  • #14: Someone give me an idea of what is the biggest source of cyber incidents… Let me tell you where the real damage is. Everyone concentrates on hacking…
  • #15: The FBI has concluded that as much as 75% of the reported cyber incidents in 2015 had an inside threat actor component. Who are insiders: employees, trusted partners, vendors and contractors. Motivations: problems at home; failure to be recognized, passed over, no raise; Ashley Madison/Adult FriendFinder; “Can I get away with it?” – a culture of getting over on the man; helping the underdog, allegiance to others – company, country, culture.
  • #16: Not all of these are bad – any one may be the sign of a go-getter – but perhaps all taken together . . . Risk factors: ineffective management of privileged users; inappropriate role and entitlement assignment; poor overall identity governance; poor information classification and policy enforcement; inadequate auditing and analytics; audit log complexity; reactive response; no comprehensive written acceptable use policies.
  • #17: Combating insider threats is immensely bigger and far more complex than merely an IT challenge. Background checks; access controls and logging reviews; leadership gets smarter; encrypt what matters, MFA too; end user awareness raising.
  • #18: Fazio Mechanical. Rubbing salt in this wound, according to the 2014 Ponemon study on the Cost of Data Breaches, is the emerging trend that recovery costs for the breached entity are notably higher when the breach is perpetrated through a supplier/third party. When facilitated by a malevolent insider, the costs can ramp up even higher and faster.
  • #19: Every headline-making breach you have heard about recently is likely to have some component of inadequate vendor management as a contributing or primary factor.
  • #20: Employees are the best and the worst. Tell the Children’s of AL story.
  • #21: Phishing: faked emails that attempt to get you to directly or indirectly divulge information or allow access. Trojan: a program or file that appears harmless but is, in fact, malicious. If the Trojan Horse weren't such a genius example of a social engineering attack, we'd never have named an entire class of malware after it. RSA in 2011: what is known is that RSA's parent company, EMC, spent $66 million recovering from the attack, which began with a recruitment Excel file sent to two lists of non-high-profile folks. Watering holes are more subtle than phishing attacks: malware is injected into a legitimate website that organizations in the target industry are already likely to visit. UPS Gal story. Too much info being shared by current and former employees. Nigerian Prince / Prince / Honduran & Japan Earthquakes. Target: 40M credit cards compromised.
  • #22: Often because it has yet to happen to a company, or at least not that they know of, some companies feel like doing nothing is a viable option. That is a risk unto itself.
  • #23: Well, how many servers do you have, how many web sites, how many mobile devices/laptops, how many employees?
  • #24: Source is the Ponemon Institute Cost of Cyber Crime Study 2014. Some organizations’ databases contain hundreds of thousands of records – imagine the costs of a breach then. The state in which the resident of the affected record(s) lives gets to define whether a breach occurred! Need to free up Run and Maintain dollars to fund additional new development; proactive risk management does that.
  • #25: We all know nothing ventured, nothing gained. We must take calculated risks. This approach attempts to make sure there are some contingencies and precautions in place . . .
  • #27: This 5 step model defines a process. Analysis: We always start by assessing the organization. What is the client’s strategy? Jumping directly into what hardware they need without understanding the development strategy does not serve the client’s long term needs. What are the vulnerabilities? What are their administrative security controls? Collect as much information as you can on the level of security/preparedness of the organization. Design: Designing is where we tie in our other offerings to complete a sound strategy. What kinds of mitigation controls do they have: BCP, DR, scheduled testing, scheduled exercises? Develop: Develop or build organizational resiliency. Hardware purchases, cloud support, what are the consulting needs to move forward? Implement: Are you listening? The consulting elements will expose and sometimes redirect the corporate strategy; this directly ties the hardware support to the strategy. Example: Penetration testing and consulting can result in the need for new firewalls, IPS/IDS, Identity Access Management, and encryption, to name a few. Evaluation: Review the strategy, constantly monitor and make changes as needed. Annually, address strategy changes or redirection.
  • #28: TRM defined – though still too often excluded from the boardroom level, the process seeks to identify technology related risks to a business, assess those risks by determining their potential impact and their likelihood of occurrence, and then take steps to mitigate the risks to an acceptable level. Confidentiality – only those who need to know can or do. Integrity – info is all there and unaltered without authorization. Availability – readily accessible, from wherever and whenever needed. Agility – done right, a best way to help the business get to “ Y E S ”. Should be “baked-in” from start to finish on everything IT does, as well as what the organization does with IT.
  • #29: Zero-day threat detection: New attack vectors and vulnerabilities are discovered every day. Firewalls, IDS/IPS and AV solutions all look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks. A SIEM can detect activity associated with an attack rather than the attack itself. For instance, a well-crafted spear-phishing attack using a zero-day exploit has a high likelihood of making it through spam filters, firewalls and antivirus software, and of being opened by a target user. A SIEM can be configured to detect the activity surrounding such an attack. For example, a PDF exploit generally causes the Adobe Reader process to crash. Shortly thereafter, a new process launches that either listens for an incoming network connection or initiates an outbound connection to the attacker. Many SIEMs offer enhanced endpoint monitoring capabilities that keep track of processes starting and stopping and network connections opening and closing. By correlating process activity and network connections from host machines, a SIEM can detect attacks without ever having to inspect packets or payloads. While IDS/IPS and AV do what they do well, a SIEM provides a safety net that can catch malicious activities that slip through traditional controls. Forensics: A forensics investigation can be a long, drawn-out process. Not only must a forensics analyst interpret log data to determine what actually happened, the analyst must also preserve the data in a way that makes it admissible in a court of law. By storing and protecting historical logs, and providing tools to quickly navigate and correlate the data, SIEM technologies allow for rapid, thorough and court-admissible forensics investigations.
Since log data represents the digital fingerprints of all activity that occurs across IT infrastructures, it can be mined to detect security, operations and regulatory compliance problems. Consequently, SIEM technology, with its ability to automate log monitoring, correlation, pattern recognition, alerting and forensic investigations, is emerging as a central nervous system for gathering and generating IT intelligence.
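The reader-crash-then-new-process-then-network correlation described in the #29 note, written out as a small added example (not code from the deck or from any SIEM product). The event records and field names are constructed assumptions standing in for endpoint telemetry a SIEM would collect; the rule also ignores the user simply relaunching the reader, which would otherwise be a routine false positive.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not from a real SIEM; field names are
# assumptions). Host ws-17 shows the pattern from the notes: the PDF reader
# crashes, a new process starts seconds later and calls out. Host ws-22 is a
# benign crash: the next process there starts ten minutes later.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "type": "process_crash",
     "pid": 4120, "image": "AcroRd32.exe"},
    {"ts": "2024-05-01T09:00:04", "host": "ws-17", "type": "process_start",
     "pid": 4388, "image": "svchost_update.exe"},
    {"ts": "2024-05-01T09:00:06", "host": "ws-17", "type": "net_connect",
     "pid": 4388, "remote": "203.0.113.7:443"},
    {"ts": "2024-05-01T09:10:00", "host": "ws-22", "type": "process_crash",
     "pid": 5012, "image": "AcroRd32.exe"},
    {"ts": "2024-05-01T09:20:00", "host": "ws-22", "type": "process_start",
     "pid": 5100, "image": "notepad.exe"},
    {"ts": "2024-05-01T09:20:02", "host": "ws-22", "type": "net_connect",
     "pid": 5100, "remote": "198.51.100.9:80"},
]

READER_IMAGES = {"AcroRd32.exe", "Acrobat.exe"}  # a crash of these starts the clock
WINDOW = timedelta(seconds=60)                   # how long after the crash we watch


def correlate(events, window=WINDOW):
    """Return one alert per reader crash that is followed, within `window` and
    on the same host, by a new process that listens or connects outbound.
    Each alert is (host, new process image, event type, remote endpoint)."""
    crashes = {}    # host -> time of the most recent reader crash
    suspects = {}   # (host, pid) -> (start time, image) for post-crash processes
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["pid"])
        if e["type"] == "process_crash" and e["image"] in READER_IMAGES:
            crashes[e["host"]] = t
        elif e["type"] == "process_start":
            crash_t = crashes.get(e["host"])
            # A user relaunching the reader after a crash is not the pattern.
            if crash_t and t - crash_t <= window and e["image"] not in READER_IMAGES:
                suspects[key] = (t, e["image"])
        elif e["type"] in ("net_connect", "net_listen") and key in suspects:
            start_t, image = suspects[key]
            if t - start_t <= window:
                alerts.append((e["host"], image, e["type"], e.get("remote", "-")))
    return alerts
```

Running `correlate(EVENTS)` yields a single alert for ws-17; ws-22 stays quiet because its next process start falls outside the 60-second window.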
  • #41: Do an RVA and map the residual risks onto some kind of matrix to make a prioritized action plan.
  • #44: It is not getting easier. The stakes are very high for getting it wrong. Doing nothing won’t work. Prioritize and plan ahead of need. Get some help.