FEI Systems Inc. Copyright 2015-2017 - All Rights Reserved
Cyber Intelligence Briefing
Prepared by:
CISO-In-Residence℠
Ask-A-CISO℠
CISO-As-A-Service℠
The Virtual CISO℠
CISO Advisory Services
Jason Taule
Chief Security Officer / Chief Privacy Officer
C|CISO, CDPS, CGEIT, CHSIII, CISM, CRISC, CMC, CPCM, HCISPP, NSA-IAM
Version 2.2, September 17, 2016
WELCOME!
Safeguarding Your Business: How to Reduce IT Security Risks in the Real World
Introductions
“Coming together is a beginning; keeping together is progress; working together is success.”
Henry Ford
What will we be discussing?
Agenda
Introductions
Context
Briefing Topics:
– Understand the case for cyber
– Appreciate new & emerging threats from popular disruptive technologies
– Differentiate between the deep web and the dark web
– Be better able to protect yourself and your company
Summary & Conclusion
Q&A
10/19/2017 5
FEi Systems
Help us tailor the content to your needs…
Briefing Customization
Participant Profile
– C-Suite (i.e., Senior Business and IT Leadership)
– Public/Private Mix
– Industries Represented
– Company Size
Business Drivers:
– Regulation
– Customer Demand
– Internal Compass
– Strategy
Objectives:
– What has to happen to say this was time well spent?
Context
“The truth does not change according to our ability to stomach it.”
Flannery O’Connor
But first, the legal mumbo jumbo…
Disclaimer / Warning
• This presentation is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.
• These opinions are not meant to defame, purge, humiliate, or injure anyone should you decide to act upon or reuse any information provided.
• All trademarks, service marks, collective marks, design rights, personality rights, copyrights, registered names, mottos, logos, avatars, insignias and marks used are the property of their respective owners.
• I the author of the content found herein assure you that any of the opinions expressed are my own and are the result of the way in which a mind uniquely wired as my own singularly interprets things.
• Do not listen to anything said if you are young, elderly, have a history of heart attack, stroke, or blood clot, are feeling dizzy, lightheaded or nauseated.
• Objects in the mirror may be closer than they appear
• Those of you with the home version, please feel free to follow along
• As Dennis Miller used to say, this is just my opinion, I could be mistaken
• As always, no wagering
• Stay alert as this performance may feature loud noises, pyrotechnics, strobe lights, or indiscriminately thrown air-borne projectiles.
[Figure: threat wheel. At the centre, INFOASSETS; around it, what can happen to them: MODIFICATION or REPLACEMENT, DESTRUCTION, INTERFERENCE, MISREPRESENTATION or REPUDIATION, ACCESS, FAILURE to USE or MISUSE, THEFT or DUPLICATION, OBSERVATION or DISCLOSURE; example causes: Malware & Spam, Software Failure; the control cycle on the outer ring: PREVENT, DETECT, CORRECT, REFLECT.]
What is this all about?
Context
How did we get here?
Security Exposure
[Figure: Security Posture (y-axis) against Time (x-axis) across the Mainframe Era, PC, LAN, C/S, Internet and Virtual eras, with a Due Care line.]
Discussion Topic 1: The Case for Cyber
“The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails.”
William Arthur Ward
Who is responsible for things?
Data Custodianship
Why do hackers hack?
Value of a Pwned Computer
Source: Brian Krebs
This really matters…
Consequences
Cyber-risks are a top priority for key stakeholders including your customers, the media, investors, regulators, and legislators – all of whom are increasingly asking, “Where was the board?”
Participation Time
Candid Conversation
Who believes that they…
– Would know if their computers were being attacked?
– Have allocated sufficient resources to protect their operations?
– Have reduced business risk to an acceptable level?
– Have considered the full breadth of their exposure?
Who is sure?
What questions should I be asking?
Management Oversight
1. What was our most significant cybersecurity incident of the past year and what was our response?
2. What was our most significant near miss and how was it discovered?
3. What is our security posture relative to where we’re supposed to be?
4. Do we have relationships with law enforcement and the FBI?
5. What is our process for promptly escalating matters of risk to senior leadership?
What does “reasonable and appropriate” mean?
Executive Summary
What if?
– Unauthorized personnel gain access to data entrusted to you?
– Systems are unavailable for an extended period?
– Data is changed so that it can no longer be trusted?
– An employee failed to exercise proper care?
– A trading partner was breached?
Response?
– All businesses require access to customers and capital.
– Risk must be considered as part of all major business decisions
• Carefully reasoned and defensible
• Industry benchmark (51% test)
– Regulated industries have unique requirements:
• Risk Assessment
• Named Resource
• Adopted Framework
• Core Program or Remediation Plan
Give me an example of other areas where you can help
Indirect Business Needs
Mergers and Acquisitions:
– Understanding what’s being acquired
– Valuations that reflect target cyber posture
– Systems interconnection and/or boundary segmentation strategy
Cyber Insurance:
– Underwriters
• Input to decision to offer coverage
• Pricing to risk
– Policy Holders
• Posture Improvement
• Premium reductions
Third Party & Vendor Management:
– Ensure trading partner program sufficiency
– Evaluate software before installing it
– Recognizing external provider/partner and supply chain exposures
– Examine non-traditional IP devices before connecting to the network
– Demonstrate sufficiency of our program to customers and partners
Use the right tool for the right job
Match Game
LEGAL RISK:
– Contracts
– Litigation
– Negotiations
– Startups
– Exit Planning
– E&O
– Disputes
FINANCIAL RISK:
– Bookkeeping
– Taxes
– Payroll
– Financial Statements
– Expense Reporting
– Payables & Receivables
INFORMATION RISK (CISO):
– Computer Theft
– Intellectual Property
– Cloud
– Resiliency / Recovery
– Vulnerabilities / Configuration
– Endpoints / Malware / Phishing
– Wi-Fi / Mobile / Portable
– Encryption
– Network Penetration
– User Training
Discussion Topic 2: Emerging Threats
“The future started yesterday and we’re already late.”
John Legend
What are we going to talk about today?
Agenda
Drivers:
– The year that is and was
– The only 3 reasons Hackers Hack
– Predictions.
Disruptive Technologies:
– Artificial Intelligence & Machine Learning
– IOT & Wearables
– Voice Recognition & Always On Devices
– Biometric Data / Facial Recognition
– Regulatory Changes and Legal Precedents
– Government Enforcement
– Geolocation & Global Positioning
– Big Data & Big Brother.
Issues and Answers.
The Law of Unintended Consequences
And you know most are NOT secured!!
More Devices than People!
https://d28wbuch0jlv7v.cloudfront.net/images/infografik/normal/chartoftheday_4022_mobile_subscriptions_and_world_population_n.jpg
Are we over our tips?
Precision Medicine Initiative
Concept
– Long term research initiative involving NIH and many other research centers.
– Determine the best approach to disease prevention and treatment
– Based on genetics and environment
Specifics
– Cohort of 1 Million+ individuals from around the US
– Submit genetic data, biological samples, and other data
Questions:
– Consent?
– What if?
Audience Participation – What concerns you most?
Disruptive Technologies
– Biometric & Facial Recognition
– Government Enforcement
– Geolocation & GPS
– Big Data & Big Brother
– AI & Machine Learning
– IOT & Wearables
– Voice Recognition & Always On
– Court Cases
Disruptive Technology #1
Artificial Intelligence & Machine Learning
Description:
– AI & Machine learning have amazing potential.
– Enterprises are investing in solutions that collect and analyze data from countless endpoint, network devices and attack sensors across organizations, industries and geographies.
– Civil engineering is bounded by laws of physics and nature
– No such anchors for decisions increasingly being made by computers
Issues:
– Black-box machine learning that we don’t fully understand could carry built-in, legitimately derived, inherent biases without any checks.
– Business decisions being made when we don’t understand why exposes us to legal and regulatory liability.
– Attackers are also beginning to use AI capability:
• To wield highly sophisticated and persistent attacks with malware designed with adaptive, success-based learning to improve the efficacy of attacks.
• The next generation of AI-powered attacks will involve customized code that emulates the behaviors of specific users to fool even skilled security personnel.
Disruptive Technology #2
IOT & Wearables
Description:
– Internetworking of physical devices, vehicles, buildings, etc. embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.
– Ponemon 2017 Study on Mobile and IOT Security found 80 percent of IOT apps aren't tested for vulnerabilities and there is still a lack of urgency to address the risk
– Provide innovative and potentially beneficial functionality, but again…
https://media.scmagazine.com/documents/282/2017_study_mobile_and_iot_70394.pdf
Issues:
– Consent: Where and how to give it?
– Not covered by cyber insurance
– Uncertainty over collecting and sharing
– Undisclosed back channels
– Ownership and control of data as different devices connect with one another.
– Access Control – Users often use default, weak, or no passwords
– Misuse of data (i.e., is this where you work?)
– Lack of Policy
Disruptive Technology #3
Voice Recognition & Always On Devices
Description:
– These “assistant” devices are meant to help by listening for voice commands.
– Data is recorded locally on the devices themselves and data is fed to company servers
Issues:
– To listen for its “wake word” it has to be listening ALL the time.
– Recording starts a few seconds before the wake word and for about 60 seconds thereafter.
https://www.theinformation.com/amazon-echo-and-the-hot-tub-murder?eu=JnmYMZlQZHz7uehZk0Lvtg
Disruptive Technology #5
Biometric Data / Facial Recognition
Description:
– The increasing use of biometrics as access control mechanisms (as well as for other government “purposes”) raises serious questions about the capture, storage, and retention of your unique physical particulars.
– Ghost profiles, Social Media, Cloud Storage augment the problem.
Notable Legal Cases:
– IL & TX are the only two states that regulate private company use of biometric data
– Shutterfly -- $5m lawsuit for violating permission restrictions
– Facebook – Facial Recognition software violates law
– Google – Unlawful collection of “faceprints”
Issues:
– Your information is being collected, used, and sold
– Same questions prevail with respect to consent
– But it also raises questions about third party consent
• What if you get tagged in someone else’s picture?
• What if they get it wrong?
Disruption #4
Regulatory Changes and Legal Precedents
Description:
– Increased involvement of FTC
– Spokeo to pay $800,000 to Settle FTC charges it marketed information to employers and recruiters in violation of FCRA
• Plaintiffs do have to show more than a technical violation of consumer protection law to establish standing, but, in some circumstances, the breach of a “procedural right” amounts to a concrete injury.
• Increase in the number of cases proceeding to the merits and fewer cases ending at MTD or SJ.
• https://www.ftc.gov/news-events/press-releases/2012/06/spokeo-pay-800000-settle-ftc-charges-company-allegedly-marketed
– Opperman v. Path Inc., -- How clear does consent language need to be?
• http://www.leagle.com/decision/In%20FDCO%2020150324B42/OPPERMAN%20v.%20PATH,%20INC.
Issues:
– Notions of user consent are shifting to terms of use and privacy policy
– Increase reliance on just-in-time notices (good thing)
– Use of facial recognition for consent (or at least non-repudiation)
– We have historically limited our scope to HIPAA. Need to expand focus to include FERPA, COPPA, and even VPPA.
Disruption #6
Government Enforcement
Description:
– Annual NIST/OCR HIPAA Conference
– Safeguarding Health Information: Building Assurance through HIPAA Security
– On Capitol Hill each October
Issues:
– Ransomware Guidance – P.S. It’s a reportable breach merely by exposure whether or not data was exfiltrated.
– Cloud Computing Clarifying Guidance:
• OCR released guidance clarifying that a CSP is a business associate – and therefore required to comply with applicable HIPAA regulations
• When a CSP stores and/or processes ePHI for a covered entity or business associate, that CSP is a business associate under HIPAA, even if the CSP stores the ePHI in encrypted form and does not have the key.
• CSPs are not likely to be considered “conduits,” because their services typically involve storage of ePHI on more than a temporary basis.
Disruptive Technology #7
Geolocation & Global Positioning
Description:
– May 2, 2000 – President Clinton switches off GPS Selective Availability.
– Jan 7, 2010 – DHS discontinues LORAN-C operation
– April 25, 2016 – GPS accuracy tested to within 38 mm (14.9 in)
Issues:
– Enormous dependency on GPS for increasingly important activities.
– No backup to GPS anymore: LORAN is gone and lighthouses haven’t been maintained in decades.
– Tracking for both good and nefarious purposes.
– Wave Bubble – GPS jammer created at MIT to reclaim personal space. Now illegal in the US because its range isn’t small and it can block legitimate GPS receivers.
– GPS Spoofing – Broadcast a fake location
– Laws haven’t even come close to keeping up.
Disruptive Technology #8
Big Data & Big Brother
Description:
– In addition to online criminals, hackers, and hacktivists, we need to be concerned about Big Brother, Big Neighbor, Big Company, to say nothing of what we ourselves are posting.
– Facebook, Twitter, Google, LinkedIn, cell phones, GPS, TVs, Foursquare, Yelp, travel advisor, EZPass, Speedpass, security cameras, Wikipedia, Amazon, credit cards…
Issues:
– What is collected
– What is done with it
– With whom is it shared
– Who gets to decide
– Even if you consent now, how might this change later
– Once it’s out there it is effectively an electronic tattoo that is harder to remove than a real one.
Are there particular products or solutions we should be seriously considering?
Kewl Tools
The Onion Router (Tor) – Anonymous communication software that uses relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. https://torproject.org/
DuckDuckGo – An Internet search engine that protects searchers' privacy, doesn’t store personal information, and doesn’t filter personalized search results. Does not profile users and shows all users the same search results for a given search term. https://duckduckgo.com/
Anything else?
More Kewl Tools
Proton Mail – An end-to-end encrypted email service founded in 2013 at the CERN research facility that uses client-side encryption to protect email contents and user data before they are sent to ProtonMail servers. https://protonmail.com/
CuckooSandbox – An advanced, modular, open malware analysis system that can be used to analyze malicious files and websites. https://www.cuckoosandbox.org/
Audience Picks?
Who are you really?
MFA
Second Factor Authentication:
– Even if someone learns your password they still won’t be able to log in
– Readily added to many online accounts
– Should be used for all privileged accounts
– Should also be used for all remote access
Examples:
– OTP
– U2F
• Offers strong authentication with a simple touch of a button
• No need to re-type passcodes -- replacing SMS texts and authenticator apps
• No client software or drivers needed, no batteries, no moving parts
• Crush- and water-resistant, weighs only 3g, and attaches to your keychain.
• https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.pdf
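To make the OTP bullet concrete, here is an added example (it is not code from this deck or from FEi Systems): a Python implementation of the HOTP and TOTP algorithms that authenticator apps use (RFC 4226 and RFC 6238), plus a server-side verification routine that tolerates one time step of clock skew, compares in constant time, and refuses to accept a time step at or below the last one already used, so a code that was intercepted cannot be replayed within its validity window. The seed and time values used in the stand-alone run are the RFCs' published test vectors; the function names and the base32 helper are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the seed as base32, often without '=' padding; restore it before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the matching time-step counter, or None if nothing matched.

    - accepts the current step and `window` steps either side to absorb clock skew;
    - skips any counter <= last_counter (the caller stores the returned value), so an
      already-accepted code cannot be replayed while it is still within the window;
    - uses a constant-time comparison so timing does not leak how many digits matched.
    """
    base = unix_time // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test seed "12345678901234567890", as an app would receive it (base32).
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(seed, now)
    print("current code:", code)
    accepted = verify_totp(seed, code, now)            # first use: returns the counter
    replayed = verify_totp(seed, code, now, accepted)  # same code again: None
    print("first use ->", accepted, "| replay ->", replayed)
```

The replay guard is the part most home-grown verifiers forget: without the stored counter, a code phished and submitted within the same 30-second step (plus the skew window) is accepted a second time. The same `hotp` routine serves hardware OTP tokens that use a counter instead of the clock.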
Could this happen to me?
Maybe it already has
Find out if you’ve been….
– Have I been pwned?
• Check if you have an account that has been compromised in a data breach
• https://haveibeenpwned.com/
– BreachAlarm:
• Service that allows you to check anonymously if your password has been posted online, and sign up for email notifications about future password hacks that affect you
• https://breachalarm.com/
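Checking a password against a breach corpus without ever sending the password is the point of the “anonymous” check described above. The following is an added example, not part of the deck, of the k-anonymity range query that Have I Been Pwned’s Pwned Passwords service uses: only the first five hex characters of the password’s SHA-1 leave the machine, the service returns every hash suffix it holds for that prefix, and the match is made locally. Assumptions of this example: the endpoint https://api.pwnedpasswords.com/range/<prefix> returning lines of the form SUFFIX:COUNT, the embedded range response (constructed sample data, including the counts), and all function names.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed stand-in for one range response (a real one carries several hundred lines).
# Suffixes are the 35 hex characters after the 5-character prefix; counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def split_sha1(password: str):
    """SHA-1 of the password split into the prefix that is sent and the suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; blank or malformed lines are skipped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_response: str) -> int:
    """Number of times the password appears in the corpus, given the response for its prefix (0 if absent)."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call (not exercised offline): retrieve the range for a 5-hex-character prefix."""
    req = urllib.request.Request(PWNED_RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "example-range-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End-to-end check: send only the prefix, match the suffix locally."""
    prefix, _ = split_sha1(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response above.
    for candidate in ("password", "a-long-passphrase-nobody-has-used"):
        print(candidate, "->", breach_count(candidate, SAMPLE_RANGE_RESPONSE))
```

A count above zero means the password is in circulation and should be treated as known to attackers regardless of how strong it looks; the same routine is what a registration form or a password-change handler can run server-side before accepting a new password.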
And a personal recommendation…
Security Freeze
What is it:
– A security freeze is designed to prevent credit, loans and services from being approved in your name without your consent.
– Freezing your credit report means no one can access it or make changes to it. For example, if you apply for an auto loan, the lender won’t be able to check your credit until you unfreeze your account.
– But it also means no one else can open credit in your name without you knowing about it!
Resources:
– Experian:
• https://www.experian.com/freeze/center.html
– Equifax:
• https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
– TransUnion:
• https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp
Now’s when you need that higher math you ignored in the real world.
Encryption
Current Minimum Standard:
– AES-128 encryption and/or whole disk encryption are sufficient to be compliant, but are NO longer enough to be secure and keep data private.
Old School Challenges Still Exist:
– Power State
– Memory Freeze Recovery
– Key Stroke Loggers
– Rainbow Tables
– Wi-Fi Intercepts
New Threats:
– The PKI trapdoor function is subject to specialized factoring algorithms that are faster and less compute-intensive than the naïve approach of guessing primes
– Quantum Computing
• Millions of computations at once vs. only 1
• Theoretically 100 billion times faster than a single-core CPU.
Response:
– Elliptic Curve Crypto, which provides a significantly more secure foundation than first-generation public key cryptography
Discussion Topic 3: Proactive Threat Hunting
“I have always found that plans are useless, but planning is indispensable.”
Dwight Eisenhower
Anyone beginning to think what we’re doing is never enough?
The Need Continued
Telling Statistics:
– 53% of breaches use no malware (Verizon 2016 DBIR)
– 65% of breaches happen on endpoints
Where do we need to be looking to identify cyber threats?
– Applications
– Servers
– Endpoints
– Network Devices
– Wireless Infrastructure
– Printers
– Cloud Hosts
– Embedded Systems
– Interconnected IoT Devices
– Smart Phones
[Figure residue: five ✓ marks and one “???” set beside the list above.]
So how’s that working for you?
How We’ve All Responded
– NOC
– SOC
– IOCs
Problem? Lack of actionable threat intel
– Still looking in the past
– Needle in the needle stack
– Even in real time doesn’t afford time to respond
[Figure: maturity progression: EVENTS → EVENTS + INTELLIGENCE → EVENTS + INTELLIGENCE + RISK → EVENTS + INTELLIGENCE + RISK + RELATIONSHIPS]
Stop sending me information and start getting me some.
Threat Hunting
Early Detection and effective Incident Response is NOT enough
We must expand detection beyond the moment of compromise
Where do I even start?
Deep Web Marketplaces
First:
– The Hidden Wiki
– Search Engines
• Duck Duck Go
• AHMIA
• Not Evil
• Torch
• GRAMS
Larger Players:
– Dream Market
– AlphaBay*
– Outlaw
– East India
Smaller/Specialty Markets:
– Agora
– Abraxas
– Crypto Market
– TheRealDeal
– RAMP
*Along with HANSA taken down by FBI/DEA on July 20, 2017
So what do they look like?
Benign Marketplaces
No, not all marketplaces are alike…
Dubious Markets
But what about hacking sites?
Cyber Markets
Where else could one look for threat intel?
By Invitation Only
But this exploration has a purpose right?
Exploit Identification
MacSpy
– Most sophisticated malware for Mac OS X to date.
– Hackers are not selling it; they’re giving it away at no cost.
– The software comes with a Tor portal that lets its users break into targeted Mac computers and obtain surveillance information from them.
– MacSpy is designed to monitor Apple users, record data on the Mac system and then covertly send it back to the controller who launched the attacks.
Other capabilities:
– Captures screen images
– Has an embedded keylogger.
– Captures iCloud-synced data such as photos
– Provides voice recording surveillance
– Extracts clipboard contents and downloads browser information
Credit: AlienVault
How do you put a price on intelligence?
Bad Actors = Bad Activity
The Shadow Brokers (TSB)
– Hacker group that has published several leaks containing tools from the NSA, including 0-day exploits
– Announced the launch of a monthly subscription model for its data dumps
– Zero-Day Exploit Subscriptions go for $21,000 per month.
– First round of exploits distributed to the subscribers of its service
ZEC = Zcash ($291.10); XMR = Monero ($42.29)
TSB “VIP Service”
– For subscribers interested in specific vulnerabilities or intel on a certain organization.
– One-time payment of 400 ZEC (roughly $130,000), and according to the hacker group, there are already members of this exclusive club.
And what if you discovered bad actors were making it easy to be bad?
RAAS
Ransomware As A Service
– Simple site for creating ransomware
– Wannabe criminals provide the size of the ransom demand, a Bitcoin address to handle victims’ payments and then they have to solve a CAPTCHA challenge and press a button.
And what if you learned that we had an offensive weapons leak?
Early Notification
WikiLeaks:
– International non-profit that publishes secret information provided by anonymous sources.
– Operates a Tor hidden service to access the website
– Released a new batch of documents detailing the CIA tool OutlawCountry used to remotely spy on computers running Linux operating systems.
OutlawCountry loads itself onto a vulnerable system as a Linux kernel module (nf_table_6_64.ko), creates a new exemption in the iptables firewall rules, and then deletes itself. When all is said and done, the attacker can use the system to re-route all traffic to designated CIA servers.
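The two things that description gives a defender to look for are visible from ordinary system output: a module that is loaded in the kernel but has no backing file under /lib/modules (the file deleted itself), and an iptables rule that is not in the approved baseline. The Python below is an added example, not part of the deck or of any vendor tool, that runs both checks. The /proc/modules text, the module file list and the iptables-save snippets are constructed sample data (the module name nf_table_6_64 is taken from the slide; the 198.51.100.7 address is from the documentation range); the function names are this example’s own.

```python
import os
import re

# Constructed sample of /proc/modules (columns: name size refcount dependencies state address).
SAMPLE_PROC_MODULES = """\
nf_conntrack 139264 1 nf_nat, Live 0xffffffffc0a8b000
nf_table_6_64 16384 0 - Live 0xffffffffc0b12000
x_tables 49152 2 ip_tables,xt_tcpudp, Live 0xffffffffc0a51000
"""

# Constructed sample of module files found under /lib/modules/<release>/ (no nf_table_6_64.ko exists).
SAMPLE_MODULE_FILES = ["nf_conntrack.ko", "nf-nat.ko.xz", "x_tables.ko.zst", "ip_tables.ko", "xt_tcpudp.ko"]

# Constructed iptables-save output: the approved baseline and the current state of the same host.
BASELINE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
CURRENT_RULES = """\
*filter
:INPUT DROP [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.7/32 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

_KO_SUFFIX = re.compile(r"\.ko(\.(gz|xz|zst))?$")


def loaded_module_names(proc_modules_text: str) -> list:
    """The first column of each /proc/modules line is the module name as the kernel knows it."""
    return [line.split()[0] for line in proc_modules_text.splitlines() if line.strip()]


def module_names_from_files(filenames) -> set:
    """On-disk file names to kernel names: drop .ko[.gz|.xz|.zst] and normalise '-' to '_'."""
    names = set()
    for path in filenames:
        base = os.path.basename(path)
        if _KO_SUFFIX.search(base):
            names.add(_KO_SUFFIX.sub("", base).replace("-", "_"))
    return names


def installed_module_files(release: str):
    """Real-system helper (not exercised offline): every file under /lib/modules/<release>."""
    root = os.path.join("/lib/modules", release)
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def modules_without_backing_file(loaded, on_disk_names) -> list:
    """Loaded modules no file on disk accounts for: the signature of a module that removed itself."""
    return sorted(set(loaded) - set(on_disk_names))


def rules_not_in_baseline(current_text: str, baseline_text: str) -> list:
    """Append rules (-A ...) present now but absent from the baseline; packet counters on chain lines are ignored."""
    def append_rules(text):
        return {line.strip() for line in text.splitlines() if line.startswith("-A ")}
    return sorted(append_rules(current_text) - append_rules(baseline_text))


def report(proc_modules_text, module_files, current_rules, baseline_rules) -> dict:
    """Run both checks over the given inputs and return the findings."""
    loaded = loaded_module_names(proc_modules_text)
    return {
        "orphan_modules": modules_without_backing_file(loaded, module_names_from_files(module_files)),
        "unexpected_rules": rules_not_in_baseline(current_rules, baseline_rules),
    }


if __name__ == "__main__":
    # Offline run over the constructed samples; on a live host read /proc/modules,
    # installed_module_files(os.uname().release) and `iptables-save` output instead.
    print(report(SAMPLE_PROC_MODULES, SAMPLE_MODULE_FILES, CURRENT_RULES, BASELINE_RULES))
```

Both findings are leads rather than verdicts: an out-of-tree module whose package was removed after loading will also show up as orphaned, and the rule diff only works if the baseline is kept current through change control. The value is that neither check depends on knowing the malware’s name in advance, which is the point the “threat hunting” slides make.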
And better still, what if you knew how they were going to break in?
Proactive Threat Intelligence
Conclusion
“In human affairs of danger and delicacy successful conclusion is sharply limited by hurry.”
John Steinbeck, East of Eden
Summary:
– Success is increasingly dependent on earning and keeping investors’ confidence and customer trust.
– All organizations are subject to risk
– The consequences of getting this wrong are increasingly severe
– Risk varies but all organizations need a carefully reasoned and defensible response consistent with their own appetite and culture
Who has the first question?
Thank you for your time!
Conclusion
Who has the first question?
Questions & Answers
Let’s continue the conversation…
Contact Information:
Jason B. Taule, C|CISO, CDPS, CGEIT, CHSIII, CISM, CRISC, CMC, CPCM, HCISPP, NSA-IAM
Chief Security Officer / Chief Privacy Officer
9755 Patuxent Woods Drive | p: +1-443.393.2686 | m: +1-410.340.5385 | f: +1-410.715.6538 | [email protected] | www.feisystems.com
Jason B. Taule C|CISO, CDPS, CGEIT, CHSIII, CISM, CRISC, CMC, CPCM, HCISPP, NSA-IAM
Reasoned:
– Industry Luminary and 25+ year career information security specialist
– Concentration in Healthcare and Cyber Industries
– Numerous certifications, published, and oft cited by media
– Graduate of the FBI Citizen’s Academy
– BBA College of William & Mary; MS Johns Hopkins University.
Industry Contributor:
– White House Invitee to sit on President’s Precision Medicine Initiative Security Policy Roundtable
– Health IT Standards Committee Transport & Security Workgroup Member
– HITRUST Infosec Security and Privacy Award Winner; Member Leadership Council
– Board Member Howard County Economic Development Authority Technology Council
– Leader of the HTC HACKIT Cyber Affinity Group and driving force behind the HoCo CISO “CISO-In-Residence℠” program
– Information Security Executive of the Year Finalist
– Member of MD Governor's Internet Privacy Committee; Contributed to MD Data Security & Privacy Law
– Former Member Colorado State Privacy Committee
– National Advisory Council of CSO Executive Network
– DOJ invitee to annual economic crimes & new technology offenses symposium
– Member of the Homeland Security Preparation and Response Team
– Author and lead developer of the Security Maturity Model©.
– Member of ISACA’s National Information Security Metrics Subcommittee
– Field Editor of the IT Unified Compliance Framework
Seasoned:
– Currently serve as Chief Security and Privacy Officer at FEi Systems
– Principal Systems Security Officer for all FEi Medicare & Medicaid Business
– Former CISO and CPO for healthcare business unit of a large Federal Systems Integrator
– Former CISO and CPO for healthcare business unit of a large Federal Defense Contractor
– Former Chief Information Security Officer for State Government
– Former Principal in charge of information security practice of a large international IT consulting firm.
System Source & Barracuda:
Barracuda Partner since 2013
Why Barracuda Backup:
Combines onsite & cloud backup
Comprehensive, cost-effective local & offsite backups
DR solutions
Deduplication and compression
Easy deployment and administration
Small, Mid-size and Larger organizations
Security Strategies in the Cloud Era
Presenter:
Brad Pitt
Regional Vice President
Barracuda Networks
October 2017
Today’s topics
- Email Security
- Security in the Public Cloud
- Spear-phishing and Domain Fraud
“90% of intrusions worldwide are started by email.”
Brad Smith
President, Chief Legal Officer
Today’s threat landscape
Email Security Solutions for the Cloud Era
Sentinel
Email Security Gateway
Email Security Service
Global Threat Intelligence
Move to the Public Cloud
“The emergence of public cloud computing has rendered traditional enterprise WAN architectures to be suboptimal, from a price and performance perspective.”
Technology Overview for SD-WAN
Our Security Solutions for the Cloud Era
Enable private and public cloud infrastructures
Spear Phishing: Growing Exponentially
- $5B: Losses from spear phishing
- 2,370%: Increase from 2015 to 2016
Source: FBI, 2017
Barracuda Sentinel
Comprehensive Spear Phishing Protection
- AI for Real-Time Spear Phishing Prevention
- Domain Fraud Visibility and Protection with DMARC
- Fraud Simulation for High-Risk Individuals
Moving forward
Ask your Barracuda partner for an Email Threat Scan and Web Application Vulnerability Scan.
If you’re moving to the Public Cloud, bring Barracuda along.
Ask your Barracuda partner for a demo of Sentinel.
Thank You
THANKS!
Evaluations & Door Prizes