Designing a Cyber Risk Strategy for the Human Operating System · 2018-09-26

Designing a Cyber Risk Strategy for the Human Operating System

Session: 4232

Universal Studios Orlando parking lot example • What does this have to do with cybersecurity?

Let’s begin with a familiar story…

Start w/ story…wire transfer

• Humans are weakest link…3 elements….FBI…wire transfer…

Source: Centrify

Why did the VP of Finance fall for it?

• Trust – 90% of attacks use some form of display name spoofing

• Authority – 48% of email fraud scams include “payment,” “request,” and/or “urgent” in the subject line

• Oversharing – 30% increase in phishing links via social media platforms

Source: Proofpoint Protecting People (Summer 2018)
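An added example (not from the presentation or its authors) that turns the trust and authority indicators above into a mail-triage check: display-name spoofing of a known executive, plus "payment", "request" or "urgent" wording in the subject line. The internal domain, the executive roster and the sample headers are constructed assumptions.

```python
# Added example: score inbound mail on the two lures the deck cites,
# display-name spoofing (trust) and urgent payment wording (authority).
from email.utils import parseaddr

# Assumed: the organisation's own domain and the executives most likely
# to be impersonated in a wire-transfer request (constructed values).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"alex chen": "alex.chen@example.com"}  # display name -> real address

URGENCY_WORDS = ("payment", "request", "urgent")

def display_name_spoofed(from_header: str) -> bool:
    """True when the display name matches an executive but the address does not."""
    name, addr = parseaddr(from_header)
    expected = EXECUTIVES.get(name.strip().lower())
    if expected is None:
        return False
    return addr.lower() != expected

def urgency_terms(subject: str) -> list[str]:
    """Return the authority/urgency keywords present in the subject."""
    s = subject.lower()
    return [w for w in URGENCY_WORDS if w in s]

def score_message(headers: dict) -> dict:
    """Combine both signals into a simple triage verdict."""
    spoofed = display_name_spoofed(headers.get("From", ""))
    terms = urgency_terms(headers.get("Subject", ""))
    _, addr = parseaddr(headers.get("From", ""))
    external = not addr.lower().endswith("@" + INTERNAL_DOMAIN)
    if spoofed and terms:
        verdict = "block"    # impersonated exec plus urgent money wording
    elif spoofed or (external and terms):
        verdict = "review"   # one signal alone goes to a human reviewer
    else:
        verdict = "allow"
    return {"spoofed": spoofed, "urgency": terms, "external": external, "verdict": verdict}

# Constructed sample headers: a lookalike "CEO" asking for a wire transfer.
SAMPLES = [
    {"From": "Alex Chen <alex.chen@example.com>", "Subject": "Q3 board deck"},
    {"From": "Alex Chen <ceo.alexchen@mail-example.net>", "Subject": "URGENT: wire payment request"},
    {"From": "Vendor Billing <ar@vendor-example.org>", "Subject": "Invoice payment reminder"},
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h["From"], "->", score_message(h)["verdict"])
```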

“Humans are the weakest link”

Human Operating System (HumanOS)

• Operating System – software that controls and manages a computer’s hardware resources
• Human Operating System – the composition of how a human senses, processes, and transfers information, telling us how to work and driving our actions and behavior

Why does the HumanOS need to be considered in cybersecurity?

Our current approach to cybersecurity…

• Operational Perspective – focus on building cyber defenses

• Attack Perspective – understanding the attack target (computer system) and vector/method (e.g., RAT, ransomware, DDoS)

How effective has this approach been?

Prykarpattia

In each of these breaches, there existed at least one human touchpoint that was used to penetrate and exploit networks and systems. 93% of all breaches are attacks targeting people (Verizon 2018 DBIR).

Why is there such a disconnect?

How we look at our architecture

Source: VMware vSphere

IT Security Investments (Source: Gartner, 2017)

• Network: 62%

• Endpoint: 18%

• Web: 12%

• Email: 8%

Our current Defense-in-Depth strategy

• Network

• System

• Application

• Data

How they look at our architecture

Sophie Hart, Action Officer for Global EVP, Equinox

“I’m a supply chain exec connecting customers with innovative products to enhance their fitness lifestyle”

• Twitter: @F1tnessD1va

• Instagram: @F1tnessD1va

• Pet Name: Chloe (Siberian husky)

• Hobbies: Cooking south Asian food; SoulCycle; Horoscope geek

• Volunteer: Youth mentor at La Jolla YMCA

• Favorite Hangout: Grass Skirt

• Personality Traits: Extrovert; Fashionista

• High School: San Marcos Knights

Sophie Hart: A Divulger of Too Much Info …And a Victim of TMI

• Email Inbox Traffic: ~423 emails

• Always on: Phone is first and last look

• LinkedIn Connections: 1,753 (LION)

• Conferences Attended: 20 in 2018

• Speaking Engagements: 8 in 2018

• Project Teams: leads 1, participates in 5

• Mailing Lists: fitness/fashion - 5; motivational - 2; learning - 3

How should we reframe our approach?

A modified (human-centric) Defense-in-Depth strategy: HumanOS

What does Defense-in-Depth look like for the HumanOS?

• Incorporate the HumanOS into cyber risk management initiatives

ꟷ Critical assets and most vulnerable assets

• Curate technical and operational controls for the HumanOS

ꟷ Human Defense

ꟷ Machine Defense

ꟷ Behavior Monitoring

• Change behavior and culture

ꟷ Education and continued learning

ꟷ Communications plan

• Trust

• Authority

• Oversharing (TMI)

Source: Proofpoint Protecting People (Summer 2018)

You have more influence over the HumanOS than you think

Future IT Security Investments* (illustrative chart; sources: VMware vSphere, Gartner 2017)

• HumanOS

• Network

• Endpoint

• Web

• Email

*: Percentage is for illustrative purpose only

Let’s continue the conversation…

Masseh Tahiry | Risk Strategist

Caitlin Durkovich | Director

https://www.tofflerassociates.com/contact/
