CSO Magazine Confab 2013 Atlanta - Cyber Security

Page 1: CSO Magazine Confab 2013 Atlanta - Cyber Security

Phil Agcaoili

April 2, 2013

The Executive Order – Defining the Internet Security Ecosystem

CYBER SECURITY

Page 2: CSO Magazine Confab 2013 Atlanta - Cyber Security

Cyber what? Defining Cyber
• Cyber space is the connected Internet ecosystem
• Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyber space
• DHS defined 18 Critical Infrastructure Sectors (CIKR)
• Cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy
• Cyber security is protecting our cyber space (critical infrastructure) from attack, damage, misuse, and economic espionage

The 18 CIKR sectors: Food and Agriculture; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems; Water

Page 3: CSO Magazine Confab 2013 Atlanta - Cyber Security

Source: DHS, "Securing the Nation’s Critical Cyber Infrastructure"

Our physical infrastructure has become intertwined with, and reliant on, our cyber infrastructure

Page 4: CSO Magazine Confab 2013 Atlanta - Cyber Security


Page 6: CSO Magazine Confab 2013 Atlanta - Cyber Security

Cyber Trends – Not So Advanced
• Insulin pumps
• Pacemakers
• Smart TVs
• Voting and elections
• US drone fleet
• SYMC – RSA – VRSN – Bit9
• SNE – AMZN – AAPL – YHOO – LNKD
• DoE

Page 7: CSO Magazine Confab 2013 Atlanta - Cyber Security

General Observations on Cyber Trends
• Phishing and Email
• Exploitable Links and Browsers
• Java, Flash, PDF, MS Office
• A/V Coverage
• Android, iOS, Windows, and MacOS
• Air Gaps and Removable Media
• Endpoint Security
• Security Awareness
• Security Basics

Page 8: CSO Magazine Confab 2013 Atlanta - Cyber Security

A SHIFT
It’s here…

Page 9: CSO Magazine Confab 2013 Atlanta - Cyber Security

Expectations on Critical Infrastructure
• S. 21, Cybersecurity and American Cyber Competitiveness Act of 2013: Senators Rockefeller (D-W.Va.), Carper (D-DE), Feinstein (D-CA), Levin (D-MI), Mikulski (D-MD), Whitehouse (D-RI), and Coons (D-DE)
• H.R. 624, Cyber Intelligence Sharing and Protection Act (CISPA), 2013: Representative Rogers (R-MI) and 111 co-sponsors

It’s unlikely that these will pass in 2013…

Page 10: CSO Magazine Confab 2013 Atlanta - Cyber Security

Fact Sheet: Executive Order on Cybersecurity / Presidential Policy Directive on Critical Infrastructure Security and Resilience

Presidential Executive Order 13,636
• New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies
• The development of a Cybersecurity Framework
• Establishes a voluntary program to promote the adoption of the Framework
• Calls for a review of existing cybersecurity regulation
• Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles

Presidential Policy Directive 21 (PPD-21)
• Directs the government to identify the functional relationships across the government
• Directs the government to develop an efficient situational awareness capability
• Directs the government to address other information sharing priorities
• Calls for a comprehensive research and development plan for critical infrastructure

http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical

Page 11: CSO Magazine Confab 2013 Atlanta - Cyber Security

Highlights of “Down Payment”
• EO 13636 and PPD-21 Issued February 12, 2013
• Defines Roadmap
• Focus Areas for CIKR:
  • Information Sharing
  • US Cybersecurity Framework
    • Standards
    • Identifying Critical Infrastructure
    • Supply Chain
  • Sector-Specific Agencies and Sector Coordinating Councils
  • FBI and NCIJTF

Timeline:
February 12, 2013: Executive Order
+240 days (October 10): Draft of US Cybersecurity Framework
+1 year (February 12, 2014): Final US Cybersecurity Framework
+3 years: Agencies report on critical infrastructure

“Safe and Resilient Internet”

Page 12: CSO Magazine Confab 2013 Atlanta - Cyber Security

Highlights of “Down Payment”
• “Don’t assume you’re not in scope”
  • "Critical infrastructure" covers a lot of economic activity
  • Covers a lot of technology
• Privacy concerns need to be addressed for “information sharing”
• Department of Commerce, National Institute of Standards and Technology (NIST), and Cybersecurity Framework
  • Reduce cyber risks to critical infrastructure within one year
  • Incorporate “voluntary consensus standards and industry best practices to the fullest extent possible.”
• Federal Supply Chain
  • Partnerships and mandates
  • Open standards
  • “Technology neutral”
  • Risk-based assessments

Page 13: CSO Magazine Confab 2013 Atlanta - Cyber Security


The Road Ahead

Page 14: CSO Magazine Confab 2013 Atlanta - Cyber Security

One Size Does Not Fit All…

Keys to Cyber Security:

Information Sharing
1. Balance with Privacy
2. One step at a time

Cybersecurity Framework
1. Common definitions
2. Don’t assume you’re not in scope (Think Ecosystem)
3. Sector specific, Risk-based Framework using Evidence with basic guidelines
4. Crawl, Walk, Run

Supply Chain
1. Align with Cyber Framework
2. Provide Assurance

Security is Everyone’s Responsibility.

Page 15: CSO Magazine Confab 2013 Atlanta - Cyber Security

Don’t Assume You’re Not in Scope
• Everyone with Information Technology is in scope (CIKR)
• Security Basics
• Apply Evidence-based Security Model
  • Statistics by Sector Exist
  • Should Threat Model

Think Ecosystem.

Page 17: CSO Magazine Confab 2013 Atlanta - Cyber Security

Get the Point?


Page 18: CSO Magazine Confab 2013 Atlanta - Cyber Security

What standard are you following?

2012 Top 20 ISO 27001 Mitigating Controls*

Ranking  Control    Number of times control mapped to a real-world security breach
1        A.10.9.1   447
2        A.10.9.2   447
3        A.10.9.3   447
4        A.8.2.2    184
5        A.7.2.1     94
6        A.7.2.2     94
7        A.8.1.1     90
8        A.8.1.2     90
9        A.8.1.3     90
10       A.8.2.1     90
11       A.8.3.2     90
12       A.8.3.3     90
13       A.9.2.5     87
14       A.11.7.1    87
15       A.11.7.2    87
16       A.9.1.1     50
17       A.9.1.2     50
18       A.9.2.1     50
19       A.10.8.4    16
20       A.10.8.3    15

*Based on datalossdb.org and Privacy Rights Clearinghouse

Point Security Standards / Controls
• PCI DSS
  • Protects credit cards
  • 12 Requirements (Domains)
  • ~290 controls
• HIPAA / HITECH
  • Protects health information
• NERC CIP
• CSA Cloud Controls Matrix / Open Certification Framework
• SANS 20 Critical Security Controls / CAG
  • “International” security standards
  • 20 controls (Domains)
  • Mapped to ~150 NIST 800-53 controls

Holistic Security Standard Frameworks
• ISO/IEC 27001:2005
  • International security standards
  • 11 Domains
  • 133 controls
• FISMA
  • Includes NIST 800-53
  • US government standard
  • 22 Control Families (Domains)
  • ~850 controls
• COBIT 5

What Framework?

Consensus Audit Guidelines (CAG)**
• Hardware asset management
• Software white listing and asset management
• Vulnerability management
• Configuration settings
• Anti-virus

**Modified SANS 20 Critical Security Controls 2012 continuous monitoring policy issued by DHS

Page 19: CSO Magazine Confab 2013 Atlanta - Cyber Security

Simplify to Basic Security Guidelines Based on Evidence and Risk

We have developed the myth that technology can be an effective fortress.
You cannot protect all your data.
You cannot stop every attack.

Therefore,
• Don’t protect everything
  • Protect most important data and ensure services
  • Increase focus on closing the detection and response gap
  • Establish access norms and monitor for anomalies
• Reduce your attack surface
  • Don’t store/transmit what you don’t need
• Collapse to cores
  • Segregate and protect your most critical data
  • Protect cores really, really well
• Treat all endpoints as hostile
• Make small, targeted investments
  • Pass the Red Face Test – Reduce investments through integration
    • Antivirus - Forefront
    • Full Disk Encryption – Bitlocker
  • Patch and harden configurations
  • Change default credentials and restrict/monitor privileged accounts
  • Secure development through application testing and code reviews
  • Increase awareness and change culture
    • Social engineering and phishing
  • Destroy and don’t save what you don’t need
• Collect your own metrics and apply security as necessary with available industry evidence

Sector-based
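"Establish access norms and monitor for anomalies" and "restrict/monitor privileged accounts" are the two bullets above that turn directly into detection logic. The following is an added example, not code from the deck or from any product it names: it learns a per-account norm (source /24 networks, resources touched, hours of day) from a training window of access records and then flags later events that fall outside it. The log lines are constructed for the example and the `user=/src=/res=` field layout is an assumption.

```python
"""Access-norm baseline and anomaly check (added example; not from the deck).

Learns, for each account, the source /24s, resources and hours of day seen
in a training window, then flags later events that fall outside that norm.
All records below are constructed; the log format is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed "known good" access log for the baseline window.
BASELINE_LOG = [
    "2013-03-01T09:15:00 user=alice src=10.1.2.3 res=fileshare",
    "2013-03-01T13:40:00 user=alice src=10.1.2.7 res=hr-portal",
    "2013-03-02T17:05:00 user=alice src=10.1.2.3 res=fileshare",
    "2013-03-01T02:00:00 user=svc-backup src=10.9.0.4 res=db-prod",
    "2013-03-02T02:00:00 user=svc-backup src=10.9.0.4 res=db-prod",
]

# Constructed events to score against that baseline.
NEW_LOG = [
    "2013-03-09T10:02:00 user=alice src=10.1.2.9 res=fileshare",        # normal
    "2013-03-09T03:11:00 user=alice src=203.0.113.5 res=fileshare",     # odd hour, new network
    "2013-03-09T02:00:00 user=svc-backup src=10.9.0.4 res=hr-portal",   # service account off its norm
    "2013-03-09T11:30:00 user=bob src=10.1.2.3 res=fileshare",          # never baselined
]


@dataclass
class Norm:
    networks: set = field(default_factory=set)   # source /24s seen
    resources: set = field(default_factory=set)  # resources touched
    hours: set = field(default_factory=set)      # hours of day seen


def parse(line):
    """Split a '<ISO timestamp> key=value ...' record into a dict with an int 'hour'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["hour"] = int(ts[11:13])
    return rec


def subnet(ip):
    """Collapse a source address to its /24 so DHCP churn does not look anomalous."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(lines):
    norms = defaultdict(Norm)
    for rec in map(parse, lines):
        n = norms[rec["user"]]
        n.networks.add(subnet(rec["src"]))
        n.resources.add(rec["res"])
        n.hours.add(rec["hour"])
    return dict(norms)


def hour_distance(a, b):
    """Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score(norms, lines, hour_slack=1):
    """Return [(line, [reasons])] for events outside the account's learned norm."""
    findings = []
    for line in lines:
        rec = parse(line)
        n = norms.get(rec["user"])
        reasons = []
        if n is None:
            reasons.append("account not in baseline")
        else:
            net = subnet(rec["src"])
            if net not in n.networks:
                reasons.append(f"new source network {net}")
            if rec["res"] not in n.resources:
                reasons.append(f"new resource {rec['res']}")
            if all(hour_distance(rec["hour"], h) > hour_slack for h in n.hours):
                reasons.append(f"unusual hour {rec['hour']:02d}:00")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, why in score(build_baseline(BASELINE_LOG), NEW_LOG):
        print(line, "->", "; ".join(why))
```

The service-account case is the one worth noticing: its source and hour are exactly as always, and only the resource is new, which is the pattern of a credential being reused for something it was never meant to touch. A baseline built from a window that already contains the attacker's activity will bless that activity, so the training window has to be chosen and reviewed deliberately.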

Page 20: CSO Magazine Confab 2013 Atlanta - Cyber Security

Barriers to Implement Basics
• 2012 FISMA Report: the top reported cybersecurity challenges were:
  - Funding the administration’s priority initiatives
  - Cultural challenges
  - Upgrading legacy technology
  - The current budget structure
  - Acquiring skilled personnel
• Define – Accountability (Vendors and Customers)
  • Customers are dependent on vendors
  • Vendors rely on customers

Page 21: CSO Magazine Confab 2013 Atlanta - Cyber Security

Traditional Security is Insufficient

Advanced Persistent Threats
Empowered Employees
Elastic Perimeter

Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Copyright 2012 Trend Micro Inc.

Page 22: CSO Magazine Confab 2013 Atlanta - Cyber Security

Risk-Based Approach Using Evidence

The REAL Big Data for Infosec

Page 23: CSO Magazine Confab 2013 Atlanta - Cyber Security

First, Define Risk
• Partnership for Critical Infrastructure Security (PCIS)
  • Defined: Risk = Consequence (Impact ONLY!!!) NO!!!
• General Risk Equation
  • Risk = Probability x Impact
• Factor Analysis of Information Risk (FAIR)
  • Risk = The probable frequency and probable magnitude of future loss
• Many other definitions, let’s pick…
• Limitations of risk analysis
  • Risk analysis is never perfect
  • All risk analysis models are approximations of reality
  • Reality is far too complex to ever model exactly
  • Any analysis model will be limited
  • Sometimes you have enough information to make an informed decision
  ~SIRA
• Define: Risk Appetite

Prediction is very difficult, especially about the future. ~Niels Bohr
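The FAIR definition on this slide differs from "Probability x Impact" in a way that matters for the "Define: Risk Appetite" bullet: it is a distribution, not a single number. The following is an added example, not code from the deck or from the FAIR standard itself: it samples loss-event frequency from a Poisson distribution and each event's magnitude from a lognormal fitted to a 10th/90th percentile estimate, then reports the mean, the tail and the probability of exceeding an appetite. The scenario figures (two events a year, $50k to $500k per event, $1M appetite) are constructed assumptions.

```python
"""FAIR-style risk estimate as a loss distribution (added example; not from the deck).

Risk is treated as "probable frequency and probable magnitude of future loss":
loss-event frequency is sampled from a Poisson distribution and each event's
magnitude from a lognormal fitted to a 10th/90th percentile estimate. The
inputs below are constructed; the scenario and risk appetite are assumptions.
"""
import math
import random

Z90 = 1.2815515655446004  # standard-normal 90th percentile


def lognormal_params(p10, p90):
    """(mu, sigma) of the lognormal whose 10th and 90th percentiles are p10, p90."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def poisson(rng, lam):
    """Knuth's sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(lef_per_year, loss_p10, loss_p90, years=20000, seed=2013):
    """One sampled annual loss per simulated year: the sum of that year's event magnitudes."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_p10, loss_p90)
    annual = []
    for _ in range(years):
        events = poisson(rng, lef_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return annual


def expected_annual_loss(lef_per_year, loss_p10, loss_p90):
    """Closed-form mean of the same compound distribution, for checking the simulation."""
    mu, sigma = lognormal_params(loss_p10, loss_p90)
    return lef_per_year * math.exp(mu + sigma ** 2 / 2)


def summarize(annual, appetite):
    """Mean, median, 90th percentile and probability of exceeding the stated appetite."""
    s = sorted(annual)
    n = len(s)
    return {
        "mean": sum(s) / n,
        "p50": s[n // 2],
        "p90": s[int(0.9 * n)],
        "p_exceed_appetite": sum(x > appetite for x in s) / n,
    }


if __name__ == "__main__":
    # Constructed scenario: about two phishing-led data-loss events a year,
    # each costing between $50k (10th pct) and $500k (90th pct); appetite $1M/yr.
    losses = simulate_annual_loss(lef_per_year=2.0, loss_p10=50_000, loss_p90=500_000)
    print(summarize(losses, appetite=1_000_000))
    print("closed-form EAL:", round(expected_annual_loss(2.0, 50_000, 500_000)))
```

The mean is what "Probability x Impact" would have given; the 90th percentile and the exceedance probability are what a risk-appetite statement actually needs, and they come only from the distribution. The closed-form mean is included so the simulation can be checked against something, in the spirit of the "risk analysis is never perfect" bullets: the model is an approximation, and at least its arithmetic should be verifiable.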

Page 24: CSO Magazine Confab 2013 Atlanta - Cyber Security

Second, Apply Evidence-Based Security*
• Use industry data (Evidence)
  • “You’re not a beautiful snowflake.”
  • Use with [Moneysec] metrics ~JPfost
• Don’t make emotional decisions
  • Recognize your bias
  • Collect the “right” data
  • Look for correlations
  • Set reasonable criteria for success
  • Don’t overspend
• You can measure anything! Even intangibles. ~Douglas Hubbard
  • You don’t always need to be exact
  • Reducing uncertainty adds value
  • Having just some data can go a long way to help a decision maker
• Not all measures are equally important (80/20)
• Track and trend performance over time
• Benchmark performance vs. self (and peers)
• All metrics are worthless – unless you do something with them

*Abridged Version of Moneysec

Page 25: CSO Magazine Confab 2013 Atlanta - Cyber Security

Mandiant M-Trends 2013 Threat Report

Page 26: CSO Magazine Confab 2013 Atlanta - Cyber Security

Mandiant M-Trends 2013 Threat Report


Page 27: CSO Magazine Confab 2013 Atlanta - Cyber Security

2012 Verizon Data Breach Investigations Report (DBIR)
• 5th year of public releases
  – Starting in 2008
  – 7 total reports (mid-year supplementals in 2008 and 2009)
• Dataset now contains:
  – 8 years of data

Page 28: CSO Magazine Confab 2013 Atlanta - Cyber Security

2012 Trustwave Global Security Report
In those cases in which an external entity was necessary for detection, analysis found that attackers had an average of 173.5 days within the victim’s environment before detection occurred. Conversely, organizations that relied on self-detection were able to identify attackers within their systems an average of 43 days after initial compromise.

2012 Verizon Data Breach Investigations Report (DBIR)
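The Trustwave figures above are industry evidence; the "collect your own metrics" and "track and trend performance over time" bullets from the evidence-based slide ask for the same number computed from your own incident register. The following is an added example, not code from the deck or from Trustwave: it computes dwell time (days from compromise to detection) split by who detected the intrusion, and trends the self-detection share by quarter. The incident records are constructed and their field names are an assumption.

```python
"""Dwell time and self-detection rate from incident records (added example; not from the deck).

Computes the metric the Trustwave figure reports (days between compromise and
detection, split by who found it) and trends the self-detection share by
quarter. The records are constructed; the field names are an assumption.
"""
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed incident register: one line per incident.
INCIDENTS = [
    "id=INC-01 compromised=2012-01-04 detected=2012-06-25 source=external",
    "id=INC-02 compromised=2012-02-10 detected=2012-03-20 source=self",
    "id=INC-03 compromised=2012-03-02 detected=2012-09-14 source=external",
    "id=INC-04 compromised=2012-04-18 detected=2012-05-30 source=self",
    "id=INC-05 compromised=2012-05-01 detected=2012-11-27 source=external",
    "id=INC-06 compromised=2012-07-09 detected=2012-08-16 source=self",
    "id=INC-07 compromised=2012-08-21 detected=2012-09-19 source=self",
    "id=INC-08 compromised=2012-10-03 detected=2012-12-12 source=self",
]


def parse_incident(line):
    """Parse 'key=value' fields and add dwell_days; reject records detected before compromise."""
    rec = dict(p.split("=", 1) for p in line.split())
    start = date.fromisoformat(rec["compromised"])
    end = date.fromisoformat(rec["detected"])
    if end < start:
        raise ValueError(f"{rec['id']}: detected before compromised")
    rec["dwell_days"] = (end - start).days
    return rec


def dwell_by_source(lines):
    """{detection source: {n, mean, median, max}} in days."""
    groups = defaultdict(list)
    for rec in map(parse_incident, lines):
        groups[rec["source"]].append(rec["dwell_days"])
    return {
        src: {"n": len(d), "mean": mean(d), "median": median(d), "max": max(d)}
        for src, d in groups.items()
    }


def self_detection_rate_by_quarter(lines):
    """Share of incidents found internally, keyed by the quarter of detection."""
    counts = defaultdict(lambda: [0, 0])  # quarter -> [self, total]
    for rec in map(parse_incident, lines):
        d = date.fromisoformat(rec["detected"])
        q = f"{d.year}Q{(d.month - 1) // 3 + 1}"
        counts[q][1] += 1
        if rec["source"] == "self":
            counts[q][0] += 1
    return {q: s / t for q, (s, t) in sorted(counts.items())}


if __name__ == "__main__":
    for src, stats in dwell_by_source(INCIDENTS).items():
        print(src, stats)
    print(self_detection_rate_by_quarter(INCIDENTS))
```

Reporting the median and maximum alongside the mean matters here: a single long-running intrusion drags the mean a long way, which is the "recognize your bias" point from the previous slide. The compromise date is itself an estimate from forensics, so the metric is only as honest as the investigation that produced it.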

Page 29: CSO Magazine Confab 2013 Atlanta - Cyber Security


2012 Verizon Data Breach Investigations Report (DBIR)

Page 30: CSO Magazine Confab 2013 Atlanta - Cyber Security


Trend - 2011 Verizon Data Breach Investigations Report (DBIR)

Page 31: CSO Magazine Confab 2013 Atlanta - Cyber Security

Who are the (external) bad guys?
• Eastern Europe takes a commanding lead

Trend - 2011 Verizon Data Breach Investigations Report (DBIR)

Page 32: CSO Magazine Confab 2013 Atlanta - Cyber Security

2012 Federal Information Security Management Act report
• Over $13 Billion Spent on Personnel
  • Of the $14.6B spent on cybersecurity in 2012, a whopping 90% went to personnel
  • An increase from 76% in 2011
• Cybersecurity Education Down
  • Training only accounted for 0.9% of the total spent on cybersecurity, almost 2% lower than 2011
• A Challenging Year: the top reported cybersecurity challenges were:
  - Funding the administration’s priority initiatives
  - Cultural challenges
  - Upgrading legacy technology
  - The current budget structure
  - Acquiring skilled personnel
• Top Three Government Cybersecurity Spenders: the organizations who spent the most in 2012 were:
  - Department of Defense: $12 billion
  - Department of Homeland Security: $615.5 million
  - Treasury Department: $404 million
• Security Incidents on the Rise
  • 49,000 security incidents were reported in 2012, up from 43,889 in 2011
  • Worth noting that the majority were the result of lost or stolen equipment and data, not unauthorized access
• The 2012 FISMA report reflects the major concerns we’ve recently heard in the media:
  • An increase in successful cyberattacks
  • A shortage of trained cybersecurity professionals; and
  • An IT infrastructure too weak to repel sophisticated attacks
• This recent surge in cyberattacks on government systems is the new normal
  • However, the number of successful attacks can and will decrease when agencies invest in security automation, which will decrease personnel costs, freeing the resources needed to properly invest in a fully trained cybersecurity workforce

Page 33: CSO Magazine Confab 2013 Atlanta - Cyber Security

Connecting the Dots

Information Leakage
• Ex-employees, partners, and customers
• Over 1/3 due to negligence
• Increasing loss from external collaboration

Percentage cause of data breach (Cost of Data Breach report, Ponemon Institute 2010)

Estimated sources of data breach (2010 CSO Global State of Information Security Survey)

Ponemon Study finds: 55% of SMBs were breached in 2012

Page 34: CSO Magazine Confab 2013 Atlanta - Cyber Security

Connecting the Dots

2012 Verizon DBIR
2012 Trustwave GSR
2013 Mandiant TR

VERIS (Vocabulary for Event Recording and Incident Sharing): What, How, Who, Why, When

Page 35: CSO Magazine Confab 2013 Atlanta - Cyber Security

Third, Add Threat Modeling
Supports Risk Model

Cyber Kill Chain Model
• Intrusions must be studied from the adversary’s perspective – analyzing the “kill chain” to inform actionable security intelligence
• An adversary must progress successfully through each stage of the chain before it can achieve its desired objective
• Just one mitigation disrupts the chain and the adversary

Recon → Weapon → Delivery → Exploit → Install → Command and Control → Actions on Objectives

Page 36: CSO Magazine Confab 2013 Atlanta - Cyber Security

Threat Modeling - Countermeasures

Recon → Weapon → Delivery → Exploit → Install → Command and Control → Actions on Objectives

• Moving detection and mitigation to earlier phases of the kill chain is essential in defending today’s networks
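The way "moving detection and mitigation to earlier phases" is usually made concrete is a courses-of-action matrix: phases down the side, the Detect / Deny / Disrupt / Degrade / Deceive / Destroy actions from the Lockheed Martin kill-chain paper across the top, and your controls in the cells. The following is an added example, not code from the deck or from Lockheed Martin: it builds that matrix from a control inventory, reports the earliest phase at which a control can break the chain, and lists phases with no coverage at all. The control inventory is constructed.

```python
"""Courses-of-action matrix over the kill chain (added example; not from the deck).

Maps an inventory of controls onto the seven phases and the Detect / Deny /
Disrupt / Degrade / Deceive / Destroy actions from the Lockheed Martin kill-chain
paper, then reports the earliest phase a control can break the chain and the
phases with no coverage. The control inventory is constructed.
"""
PHASES = [
    "Recon", "Weapon", "Delivery", "Exploit", "Install",
    "Command and Control", "Actions on Objectives",
]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]

# Constructed inventory: (control, phase it acts on, course of action).
CONTROLS = [
    ("web log analytics on public pages", "Recon", "Detect"),
    ("mail gateway attachment sandbox", "Delivery", "Detect"),
    ("mail gateway blocks executable attachments", "Delivery", "Deny"),
    ("patched Java/Flash/PDF readers", "Exploit", "Deny"),
    ("host intrusion prevention", "Exploit", "Disrupt"),
    ("application whitelisting", "Install", "Deny"),
    ("egress proxy with domain reputation", "Command and Control", "Deny"),
    ("netflow beacon analytics", "Command and Control", "Detect"),
    ("DLP on outbound mail", "Actions on Objectives", "Detect"),
]


def coa_matrix(controls):
    """phase -> action -> [control names]; unknown phases or actions are rejected."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for name, phase, action in controls:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"{name}: unknown phase/action {phase}/{action}")
        matrix[phase][action].append(name)
    return matrix


def earliest_phase(matrix, actions):
    """First phase (in chain order) where any of the given actions has a control."""
    for phase in PHASES:
        if any(matrix[phase][a] for a in actions):
            return phase
    return None


def uncovered_phases(matrix):
    """Phases with neither a Detect nor a blocking (Deny/Disrupt) control."""
    return [p for p in PHASES
            if not (matrix[p]["Detect"] or matrix[p]["Deny"] or matrix[p]["Disrupt"])]


def render(matrix):
    """Plain-text grid with control counts, phases down, actions across."""
    width = max(len(p) for p in PHASES)
    lines = [" " * width + "  " + "  ".join(f"{a:>7}" for a in ACTIONS)]
    for p in PHASES:
        counts = "  ".join(f"{len(matrix[p][a]):>7}" for a in ACTIONS)
        lines.append(f"{p:<{width}}  {counts}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = coa_matrix(CONTROLS)
    print(render(m))
    print("earliest detection:", earliest_phase(m, ["Detect"]))
    print("earliest block:", earliest_phase(m, ["Deny", "Disrupt"]))
    print("uncovered:", uncovered_phases(m))
```

With the constructed inventory the chain can first be blocked at Delivery, which is the point of the slide: a control that only fires at Actions on Objectives (the DLP entry here) is a last resort, not a defense. The matrix is also where an intrusion write-up lands: after an incident, each phase the adversary passed through is compared with the cells for that phase to see which control should have fired and did not.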

Page 37: CSO Magazine Confab 2013 Atlanta - Cyber Security

Bring it All Together - Trends in the Evidence

Fix what’s broken
• Hacks and compromise
  • Fix what’s already been hacked at your company
  • Utilize Cyber Kill Chain Model to focus defense in depth strategy
• Understand security trends for your industry
  • Small and Medium Business beware
  • Banks – DDOS, fraud, botnets, and web authentication attacks
  • Hospitality – Credit cards, point of sale systems, Wifi, and admin accounts
  • DIB – RSA hack - Adobe/Microsoft 0days, remote access, and phishing
  • News – NYT/WSJ - phishing, Oracle Java 0days
  • Retail – Open Wifi, POS
  • LEA – 0day, social engineering and phishing
  • Credit card processors – Phishing and egress traffic
  • Websites – SNE (SQL Injection) and exclusion from core security
• Know your threat landscape to prioritize your treatment strategy based on risk
• In advertising, the best insights are often minor alterations in trends which occur over long periods of time (and take time to see due to their nuanced nature). ~Neira Jones

Motivating Event

Somebody needs to thoroughly analyze the important industry data by sector. KNOW THE BIAS!!! Adjust from there.

Page 38: CSO Magazine Confab 2013 Atlanta - Cyber Security

Crawl, Walk, and then Run…
• Agree on definitions at each step of this process
• Agree on roles in cyber space ecosystem
• Need to develop better understanding
  • Cyber effect on way of life, economic vitality, and national security
  • Top threats by sector
  • Attackers/Adversaries by sector
  • Evidence of risks by sector
• Agree on countermeasures / controls

Page 39: CSO Magazine Confab 2013 Atlanta - Cyber Security

Inspiration
• I’m my father’s son…
• It’s our time.
• <Video> https://www.youtube.com/watch?feature=player_embedded&v=Z2PloBdHeow

Page 40: CSO Magazine Confab 2013 Atlanta - Cyber Security

Conclusion
• The time is now for cyber security
• Agree on definitions as we proceed to each step
• Security is Everyone’s Responsibility
• Think Risk
• Use the evidence we have
  • There is a lot of industry data that needs to be analyzed
• Proceed with care, methodically, and by sector
• Agree on the basics
• Get it done. We can do it.

Cyber Space Ecosystem

Page 41: CSO Magazine Confab 2013 Atlanta - Cyber Security

Questions & Answers

Phil Agcaoili
CISO, Cox Communications, Inc.
Co-Chair, Communication Sector Coordinating Council (CSCC), Cybersecurity Committee – Technology Sub-Committee
Co-Founder & Board Member, Southern CISO Security Council
Distinguished Fellow and Fellows Chairman, Ponemon Institute
Founding Member, Cloud Security Alliance (CSA)
Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and Open Certification Framework (OCF)
@hacksec
https://www.linkedin.com/in/philA