Cyber Security Defenses
Key Goals for Successful Cyber Security
Awareness: Recognizing the security chasm
Budget: Building support
People: Gathering the team
Impact: Long term sustainability
The security chasm
The security chasm - formed from below
[Diagram: Office of the CSO (Intra-CSO), spanning Ops and Incident Response, from breach investigation to patch management. Focused on threat & vulnerability mitigation; characterized as techno-operations and techno-babble. Across the chasm sit the CEO, GC, BOD, CFO, CRO and COO.]
The security chasm - formed from above
[Diagram: Office of the CEO (Inter-CXO): CEO, GC, BOD, CFO, CRO, COO and CIO. Characterized by IT and security phobia; focus on traditional business, financial and operational risks.]
The impact of the security chasm
[Diagram: the Office of the CEO (Inter-CXO: CEO, GC, BOD, CFO, CRO, COO, CIO), focused on traditional business, financial and operational risks, and the Office of the CISO (Intra-CISO: Ops, Incident Response, from breach investigation to patch management), focused on threat & vulnerability mitigation, separated by the chasm. Result: inadequate standard of care and inadequate level of protection.]
Building Support
Global cybercrime economy: opportunistic threat
[Diagram of the cybercrime supply chain, characterized by specialization, innovation, reuse, and bid/purchase exchanges. Roles and price points shown:]
► Implant / rootkit developer: $10K+ for a zero day
► Exploit developer: $500+; $10K+ for a zero day
► Exploit pack: $1K+
► Wizard: $1,000+
► Botnet vendor: $100 per 1,000 infections
► Recruiter: 100s of mules/week
► Drop man, account buyer, affiliate, bot-master, ID thief, endpoint exploiters
► Victims: ~4% of bank customers
► Forger, cashier/mule, bank broker (shares shown as keep 10%, keep 50%, retain 10%)
► Bulk accounts: $50 per $5K; secondary: $50
► Micro transfers; ATM
► Back office developer, rogueware developer, payment system developer
Business risk as a function of cyber threat
[Chart: business risk plotted against attacker degree of capability (Low, Medium, High) for cybercrime, industrial espionage, hacktivism, cyber warfare and cyber terrorism, each annotated with a likelihood (higher, lower, higher, lower, medium). Notes: very asset type specific; increasingly less separation between an attacker and its motives – the community cooperates to leverage each other's skills, methods and technology.]
Attacks target business information of global energy companies
Sources: Global Energy Cyberattacks: “Night Dragon” by McAfee Foundstone Professional Services and McAfee Labs, February 10, 2011
► Targeted cyber attacks against global oil, energy, and petrochemical companies in November 2009
► Goal: steal sensitive competitive proprietary operations and project-financing information of oil and gas field bids and operations
► Source of attacks identified to be China
Compromising the technology that secures us
Security technology vulnerabilities: Public Key Infrastructure, 2 factor authentication
► RSA SecurID 2 factor authentication compromised: RSA states “information could… be used to reduce the effectiveness of [SecurID] as part of a broader attack.”
► Dutch Certificate Authority DigiNotar compromised - 531 fraudulent SSL certificates issued
► Affected: Yahoo, Skype, Facebook, Twitter, Microsoft’s Windows Updates, CIA, MI6, Mossad, Google
► Increasing number of patches are for vulnerabilities in security technology
State sponsored: advanced threat
► Portions of the Chinese cyber threat assessment declassified
► Militarized attack units
► Militarized exfiltration units
► Cooperation with local hacker communities
Nothing is beyond their reach
► “Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever...”
► “the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft.”
http://online.wsj.com/article/SB124027491029837401.html#ixzz1dQEQ283S April 29, 2009
Connecting the dots
[Diagram: Adobe Flash vulnerability -> RSA SecurID 2-factor technology -> Lockheed Martin systems -> military secrets]
► "Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets…," RSA said
► RSA said it had confirmed information taken from it in March was used in the attack on Lockheed Martin
Technology risk management to counter cyber threats
[Diagram: cyber risk management spans the Office of the CEO (CEO, GC, BOD, CFO, CRO, COO, CIO) and the CISO organization (Ops, Incident Response), from exfiltration prevention & breach investigation to business assurance. Elements shown: standard of due care - disclosure; enterprise risk management - cyber; acceptable level of compromise; cyber legal risk, cyber financial risk, cyber operational risk; manage to adequate level; protect most valued assets & critical business systems; budget ($).]
Gathering the team
Attacker degree of capability
[Chart: attacker degree of capability (DOC) on the vertical axis, with three threat tiers.]
Advanced threat (High DOC)
► Actor: State sponsored (industrial espionage)
► Assets: IP, business systems, control systems
► Motivation: political, military and economic
► Capability: long-term pattern of targeted attacks (continue until success is achieved), sophisticated, well funded, state trained
► Targets: governments, companies & activists
Opportunistic threat (Medium DOC)
► Actor: Organized crime (personal information); Hacktivist (information deemed embarrassing)
► Motivation: profit, revenge
► Capability: short term pattern of attack (will move on to softer targets), self trained
► Targets: companies with customer information
Nuisance threat (Low DOC)
► Actor: Individuals
► Motivation: fun, challenge, vandalism
► Capability: limited, readily available tools
► Targets: of personal relevance
Security is a degree of difficulty
[Chart: assets plotted against attacker degree of capability, with the nuisance threat (Low DOC), opportunistic threat (Medium DOC) and advanced threat (High Degree of Capability) tiers.]
Rethinking security
Characteristics of advanced adversaries
Adversary
► APT is a human adversary, unlike botnets
► Well resourced, sophisticated, protected
► Attacks are customized based on target
Persistent
► Formally tasked to accomplish a mission - will not stop until successful
► Will maintain access/control over time, anticipating discovery with “cat & mouse” plans
Advanced
► Operate across full spectrum of intrusion capabilities
► Develop new tools/techniques necessary to succeed
► Complex execution requiring 3rd party/technology compromises
Characteristics of team
► Operational Knowledge
  ► EMS/SCADA
  ► ICS/DCS
  ► Field Devices
► Technical Knowledge
  ► Information Protection
  ► Identity and Access Governance
  ► Perimeter Security
► Tools
  ► DLP
  ► IDM/GRC
  ► SIEM/IDS/IPS
Long term sustainability
How difficult will it be to succeed
[Diagram linking four questions:]
► Threat agent - Who is attacking you? (Attacker capability level)
► Target - Why are you targeted?
► Asset - What do they want? (Control systems, PII, IP, business systems)
► Security - How difficult will it be to exfiltrate?
Rethink security: Stop the intent of the attack, not necessarily the attack
From prevention to preparedness & response
[Timeline: Before / During / After, with the phases Govern, Respond and Contain. Emerging focus.]
► Preparation and planning are key to minimizing damage, meeting fiduciary responsibilities, and reducing the impact of SEC cyber risk & incident disclosures
Effective management of cyber risks
Technology risk management for cyber risks, by function (stakeholder) and phase: Govern (ongoing), Respond (incident & breach), Contain (damages & liabilities).

Board / Audit Committee
Govern:
► Set standard of due care
► Periodically evaluate cyber risk governance and review annual cyber risk assessment
► Issue cyber risk disclosures as per SEC guidance
Respond:
► Receive breach notifications and governance updates
Contain:
► Re-evaluate cyber risk governance oversight
► Re-evaluate standard of due care
► Re-evaluate cyber risk disclosures

Risk management (e.g., CRO)
Govern:
► Define and oversee ongoing technology risk management program for cyber risks
Respond:
► Monitor breach and cyber risk trends and measure risk management execution
Contain:
► Evaluate effectiveness of cyber breach response and technology risk management, improve

Legal (e.g., GC)
Govern:
► Develop cyber risk legal response strategy
► Approve cyber breach response program
Respond:
► Execute breach communications plan
► Execute authority/regulator response plan
Contain:
► Perform cyber risk liability control (long lived)

Information security (including incident response team) (e.g., CISO)
Govern:
► Build threat mitigation program to plan/protect most critical assets
► Establish incident, investigation and forensics response programs; conduct tests
Respond:
► Detect and respond to incident
► Execute investigation plans including incident forensics
Contain:
► Assess effectiveness of cyber incident response
► Execute incident remediation plan, assess effectiveness
C-suite Management of Cyber Risks
Making a sound business decision with respect to managing cyber risks
► The following cyber risk management process is a life cycle that should be conducted on a periodic basis
Phases: Cyber Risk Analysis; Cyber Risk Management Analysis; Execution
1. Cyber threat agent analysis (Security/Risk)
2. Business impact analysis (LOB/Risk)
3. Legal impact analysis (Legal/Risk)
4. Risk management options (Risk/LOB)
5. Financial cost/benefit analysis (Finance/Risk)
6. Cyber risk management decision (LOB/Risk)
7. Cyber risk management execution (All)
Benefits to business management
► Meet the standard of due care:
  ► Become more cyber risk aware (Cyber Threat Analysis)
  ► Understand the potential impact cyber risk can have on its business (Business Impact Analysis, Legal Impact Analysis)
  ► Understand the possible options available to manage the risk (Risk Management Options)
  ► Understand the cost implications of managing the risk (Financial cost/benefit analysis)
  ► Determine/refine its risk tolerance
► Ability to execute a sound cyber risk management program based on its risk tolerance
► In the event of an incident, refute claims of inadequate standard of due care/level of protection – reduce liability
Further information
Joshua M. Axelrod | CISSP CISA | Senior Manager
Information Security Practice Lead for Power and Utilities
Advisory Services Center of Excellence
Ernst & Young, LLP
Brewery Block 2, 1120 NW Couch Street, Suite 425
Portland, OR 97209-4125, United States of America
Office: +1 503 414 7961 | Mobile: +1 541 760 8395 | Website: www.ey.com