
Page 1: Secure Iowa Oct 2016

The Threat You Are Not Expecting

Larry Slobodzian – AOS

Page 2: Secure Iowa Oct 2016

Agenda

• The Challenges
• Why Worry
• Inside Info on Insiders
• Social Engineering Woes
• Costs
• One Approach to Consider
• What Specifically You Can Do
• More Resources
• Q&A

Page 3: Secure Iowa Oct 2016

Disclaimer

All thoughts and opinions expressed in this presentation, or by Larry Slobodzian directly, are his own and should not be interpreted as those of Alexander Open Systems (AOS), or any other organization that might be mentioned. The mention of any organizations should not be interpreted as endorsement.

Some material contained herein was obtained and is used with the express written permission of AOS, and other organizations and may not be used or reproduced in any way without each of these parties’ express written consent in advance.

Page 4: Secure Iowa Oct 2016

Larry Slobodzian
AOS Consulting Sales Lead | Security, GRC, IAM, and SRM

Page 5: Secure Iowa Oct 2016

Why Partner with AOS

• In business since 1992
• 9 states, a dozen offices, 400 employees
• Award-winning vendor partner relationships with providers like CISCO, EMC, HP, VM-WARE, RSA, and ServiceNow
• Not just a VAR, but a “best of breed” business problem solution provider
• Hundreds of references from satisfied customers in all technologies

Page 6: Secure Iowa Oct 2016

A SECURITY MANAGEMENT MATURITY MODEL

• Security is “necessary evil”

• Reactive and de-centralized monitoring

• Tactical point products

• Proactive and assessment based

• Collect data needed to assess risk and detect advanced threats

• Some security tools integrated with common data and management platform

• Strategic Security Program

• Design Architecture

• Check-box mentality

• Collect data needed primarily for compliance

• Tactical threat defenses enhanced with layered security controls

• Established Security Team

Level 1: Defending Borders
Level 2: Awareness Phase
Level 3: Corrective Phase
Level 4: Optimal

• Continuous Process Improvement
• Security fully embedded in enterprise processes
• Data fully integrated with business content drives decision-making
• Security tools integrated with business tools

Axes: Maturity (vertical) over Time (horizontal)

*Based on a Gartner Survey – “Where organizations fall short” (2012)

*30% *50% *15% *5%

ARE YOU HERE?

Page 7: Secure Iowa Oct 2016

The Business Challenges

• Exponential Growth of Threats
– D&D Insiders
– Outside Hackers (Commercial, Organized Crime, State Sponsored)
– Competitor Espionage

• Continuously Growing Regulations & Requirements
– Increases are a mandatory cost of doing business
– DIACAP, SOx, HIPAA, PCI, GLBA, Dodd-Frank, NERC, OCC, etc.
– Volume reduction, fines, and jail time for failure to comply

• Ever increasing expectations for “adequate” safeguards by consumers, management, shareholders, employees, press, courts...

Page 8: Secure Iowa Oct 2016

C-Suite’s Top 5 Concerns

• Reputational Harm/Brand Equity
• Loss of Company IP
• Regulatory Actions/Compliance Costs
• Customer Lawsuits
• Shareholder/Investor Confidence

Page 9: Secure Iowa Oct 2016

Current IT Challenges

• Increasing pace at which new and varied technologies must be supported
• More empowered end users
• Consumerization
• Cloud / SaaS / PaaS / IaaS
• Managed Services
• Maintain Legacy Systems
• Mobile Workforce
• BYOD
• And on, and on, and on

Budget Limitations, Staff Challenges (Skill, Availability, Cost, Retention)

Page 10: Secure Iowa Oct 2016

Information Security, Privacy & IP Protection

IP & Privacy Exposure:
• Wrongful Use
• Wrongful Collection

Information Security Exposure:
• Physical Theft of Sensitive Information
• Non-Electronic Accidental Disclosure
• Electronic Accidental Disclosure
• “Cyber” Attacks

Page 11: Secure Iowa Oct 2016

Why?

• There are at least 5 reasons, probably more

Page 12: Secure Iowa Oct 2016

Why would strangers want your info?

1. Identity theft for resale or immediate profit
2. Damage reputation of competitor
3. Steal intellectual property
4. Blackmail
5. Cyber Crime/Terrorism – It’s an Epidemic; The Nation’s Top Cop Says So

Page 13: Secure Iowa Oct 2016

What’s Your Biggest Exposure?

# 1 Employee Negligence

# 2 Hacking

# 3 Paper

Page 14: Secure Iowa Oct 2016

Why would insiders want to compromise you?

1. Greed / Financial Need
2. Anger / Revenge
3. Blackmail
4. Ego / Thrill
5. Divided Loyalties

Page 15: Secure Iowa Oct 2016

What behaviors can you look for?

• Without need and authorization – takes work home
• Unusual interests outside their scope
• Unusual remote access times/odd hours
• Disregards corporate acceptable use
• Short trips to foreign countries
• Life crises
• Paranoia

Page 16: Secure Iowa Oct 2016

What to do about it

1. Educate and regularly train employees on security or other protocols.
2. Know your sensitive information and ensure it is protected.
3. Use appropriate screening processes to select new employees.
4. Segregation of duties.
5. Provide non-threatening, convenient ways for employees to report suspicions.
6. Routinely monitor computer networks for suspicious activity.
7. Ensure security (to include computer network security) personnel have the tools they need.

Page 17: Secure Iowa Oct 2016

Know Your Vendors

Vendor Questionnaire
• Outsourcing?
• References
• Business History
• Privacy & Security Policies
• Security Certifications or Audits (ISO 27001 or SSAE 16)
• Types of Data that will be generated, processed, stored
• Level of Network Access

Page 18: Secure Iowa Oct 2016

Vendor Management: Across Your Supply Chain

• Vendors = very large % of all breaches
• No vendor too small; take a broad view of vendors/data
• Confidentiality and data security requirements
• Audit rights
• Hiring practices
• Applies to vendor use of subcontractors & employees
• Termination obligations
• Data breach notice protocol

Page 19: Secure Iowa Oct 2016

Employee Training

• Weakest Link in Majority of Data Security Programs (e.g. lost devices, unapproved software, weak password)
• Highest ROI (“Quick Win”)
• Continuously Train All Employees
• Training Calibrated on Access/Roles/Responsibilities
• Policy of Least Privilege

Page 20: Secure Iowa Oct 2016

Social Engineering . . .

. . . reminders of why technology alone isn't enough to keep you secure.
1. Phishing, Whaling, Doxing
2. Trojan horses
3. RSA attack in 2011 – first attack against the guard of the guards
4. Watering holes
5. Nice person with confidence
6. Social media
7. Charity/Cause Celeb scams
8. Weak third parties/suppliers/partners

Page 21: Secure Iowa Oct 2016

COSTS of Doing . . .

• Nothing
• Or just enough, but
• What is that, just enough, anyway?

Page 22: Secure Iowa Oct 2016

How Exposed Are We?

Page 23: Secure Iowa Oct 2016

Costs of Not Addressing Technology Risk

• Breach Stats – 2016
– 89% of breaches led to a data compromise in less than a day
– 79% of breaches took weeks or more to discover

• Annualized cost of cyber crime:
– $158 per affected record (Avg)
– $355 per Healthcare record
– $80 in public sector

• Bad Headlines
– Per Forrester, if it’s even possible, rebuilding trust can be up to 10x the cost of acquiring in the first place
– Target Corp. breach total cost = $252 million

Page 24: Secure Iowa Oct 2016

An Approach to Consider

Page 25: Secure Iowa Oct 2016

WHAT IS THE FIX?

• Incident response program
• Ongoing vendor assessments
• Ongoing end-user awareness raising program
• Continuous Monitoring
• Robust and ongoing Risk, Vulnerability, & Threat (RVT) assessments
• Strategically plan ahead and expect the worst

Page 26: Secure Iowa Oct 2016

AOS HOLISTIC CONSULTING APPROACH

The ADDIE Model: Instructional Design and Performance Improvement

Evaluate
Analysis – Always start here.
Design
Develop
Implement

Survey Administrative Controls: Policies, Procedures, Governance
Survey Technical Controls: Core AOS
Testing / Define Metrics: ROI on risk mitigation.
Service Improvement: Ongoing program support, AOS relationship, Cloud
Risk Assessment: Those things that cause a significant business impact.

Page 27: Secure Iowa Oct 2016

What’s TRM?

• TRM includes:
– IT Security
– BC/DR
– Governance & Compliance

• Companies are increasingly dependent upon IT to deliver

• TRM is a significant element of operational RM which is one of the most critical aspects of Enterprise RM

• Either we manage risk, or it WILL manage us!

Page 28: Secure Iowa Oct 2016

Why you need TRM

• The nature of the attacks
– Organized crime
– Zero Day
– APTs

• Forensics
– For operational interruptions
– In case it is more serious

Page 29: Secure Iowa Oct 2016

Here are 8 steps to take right away

1. Insurance
2. Info
3. Culture
4. Risk Register
5. Self-Assessment
6. Incident Response Plan
7. Defense In Depth
8. Get Help

Page 30: Secure Iowa Oct 2016

Create a Risk Register & Matrix

1. List all the realistic bad things that could happen
2. Rank them by likelihood (1-Least to 5-Most) and
3. Impact (1-Least to 5-Most, $)
4. Plot them in a matrix
5. Concentrate on the 5/5s

Page 31: Secure Iowa Oct 2016

DREAD

• Damage – how bad would an attack be?
• Reproducibility – how easy is it to reproduce the attack?
• Exploitability – how much work is it to launch the attack?
• Affected users – how many people will be impacted?
• Discoverability – how easy is it to discover the threat?

• Use predefined answers

Page 32: Secure Iowa Oct 2016

D – Damage Potential

• If a threat exploit occurs, how much damage will be caused?
– 0 = Nothing
– 5 = Individual user data is compromised or affected.
– 10 = Complete system or data destruction

Page 33: Secure Iowa Oct 2016

R – Reproducibility

• How easy is it to reproduce the threat exploit?
– 0 = Very hard or impossible, even for administrators of the application.
– 5 = One or two steps required, may need to be an authorized user.
– 10 = Just a web browser and the address bar is sufficient, without authentication.

Page 34: Secure Iowa Oct 2016

E – Exploitability

• What is needed to exploit this threat?
– 0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
– 5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
– 10 = Just a web browser

Page 35: Secure Iowa Oct 2016

A – Affected Users

• How many users will be affected?
– 0 = None
– 5 = Some users, but not all
– 10 = All users

Page 36: Secure Iowa Oct 2016

D – Discoverability

• How easy is it to discover this threat?
– 0 = Very hard to impossible; requires source code or administrative access.
– 5 = Can figure it out by guessing or by monitoring network traces.
– 9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
– 10 = The information is visible in the web browser address bar or in a form.

Page 37: Secure Iowa Oct 2016

DREAD Impact & Probability

• Damage Potential + Affected Users = Impact
• Reproducibility + Exploitability + Discoverability = Probability

Page 38: Secure Iowa Oct 2016

STRIDE

• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data leak)
• Denial of service (DoS)
• Elevation of privilege

Page 39: Secure Iowa Oct 2016

CIA Triad

• Confidentiality
• Integrity
• Availability

Page 40: Secure Iowa Oct 2016


IMPACT vs. Probability

Probability columns: Low/Remote | Moderate | High/Certain

Significant impact: Considerable management required | Must manage and monitor risks | Extensive management essential
Moderate impact: Risks may be worth accepting with monitoring | Management effort worthwhile | Management effort required
Minor impact: Accept risks | Accept, but monitor risks | Manage and monitor risks

Sample Frequency (Probability) Scale
1. Remote – 1 in 100 year event
2. Unlikely – 1 in 50-100 year event
3. Possible – 1 in 15-25 year event
4. Likely – 1 in 5-15 year event
5. Certain – 1 in 1-5 year event

Sample Impact (Losses) Scale
1. Low – Less than $250,000
2. Moderate – $250,000 – $1,000,000
3. Significant – $1,000,000 – $5,000,000
4. Serious – $5,000,000 – $25,000,000
5. Severe – Greater than $25,000,000

AS/NZS – ISO 31000 Risk Mapping: Impact & Probability Relationship
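The DREAD slides, the Impact/Probability split and the impact-by-probability matrix above can be put into one small register tool. This is an added example, not code from the presentation: the predefined answers and the cell text come from the slides, while the sample threats, their scores, and the thresholds that map DREAD totals onto the matrix's three bands are assumptions made here.

```python
# DREAD with the deck's predefined answers: Impact = Damage + Affected users, Probability =
# Reproducibility + Exploitability + Discoverability, then a lookup in the deck's 3x3 matrix.
from dataclasses import dataclass

# Predefined answers from the DREAD slides; only these scores are accepted.
ALLOWED = {"damage": (0, 5, 10), "reproducibility": (0, 5, 10), "exploitability": (0, 5, 10),
           "affected_users": (0, 5, 10), "discoverability": (0, 5, 9, 10)}
# Cell text from the deck's matrix: each impact band lists its Low/Remote, Moderate and
# High/Certain probability columns left to right.
MATRIX = {
    "Significant": ("Considerable management required", "Must manage and monitor risks",
                    "Extensive management essential"),
    "Moderate": ("Risks may be worth accepting with monitoring", "Management effort worthwhile",
                 "Management effort required"),
    "Minor": ("Accept risks", "Accept, but monitor risks", "Manage and monitor risks"),
}

@dataclass(frozen=True)
class Dread:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for name, allowed in ALLOWED.items():
            if getattr(self, name) not in allowed:
                raise ValueError(f"{name} must be one of {allowed}, got {getattr(self, name)}")

    def impact(self):       # 0..20, the deck's Damage Potential + Affected Users
        return self.damage + self.affected_users
    def probability(self):  # 0..30, Reproducibility + Exploitability + Discoverability
        return self.reproducibility + self.exploitability + self.discoverability
    def matrix_cell(self):
        # Band thresholds (rough thirds of each range) are an assumption; the deck gives none.
        band = "Minor" if self.impact() <= 6 else "Moderate" if self.impact() <= 13 else "Significant"
        column = 0 if self.probability() <= 9 else 1 if self.probability() <= 19 else 2
        return MATRIX[band][column]

def rank_register(register):
    """Highest impact first, probability as tie-breaker, so the 5/5s land at the top."""
    rows = [(name, d.impact(), d.probability(), d.matrix_cell()) for name, d in register.items()]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)
# Constructed sample register echoing the deck's themes; the scores are illustrative only.
SAMPLE_REGISTER = {
    "phished admin credentials": Dread(10, 5, 5, 10, 9),
    "lost unencrypted laptop": Dread(5, 5, 10, 5, 5),
    "vendor subcontractor with network access": Dread(10, 5, 5, 5, 5),
}
```

Rejecting any score that is not one of the predefined answers is what keeps ratings comparable across the people filling in the register.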

Page 41: Secure Iowa Oct 2016

Risk Decisions

• Accept
• Transfer
• Avoid
• Mitigate

Page 42: Secure Iowa Oct 2016

Create an incident response plan (AICPA)

1. Use the risk register list

2. Either create an overarching plan as a guide to everything on the list, or a plan for each

3. The plan should contain:
1. Who can invoke the plan
2. When to invoke the plan
3. Who does what
4. Alternate roles & responsibilities
5. How to do what
6. What is BAU

4. Don’t forget the post mortem for lessons learned

You can’t run . . . or do this !

Page 43: Secure Iowa Oct 2016

Takeaways

1. Biggest threat is inside – that includes vendors
2. Costs of doing nothing > Costs of security
3. Employee training is low-hanging fruit
4. Vendor Risk Management (3PA) is CRITICAL
5. Know your risks and how you will address them
6. Continuous monitoring

Page 44: Secure Iowa Oct 2016

Additional Resources

Ponemon Institute – http://www.ponemon.org/

Shared Assessments™ – http://sharedassessments.org/about/

OWASP Threat Risk Modeling – https://www.owasp.org/index.php/Threat_Risk_Modeling

AOS Security Consulting – http://www.aos5.com/security/

Page 46: Secure Iowa Oct 2016

Questions?

Page 47: Secure Iowa Oct 2016

Please Contact:

Your local AOS Account Manager

or

Larry Slobodzian, Consulting Sales – [email protected] – 913-669-9285

Linkedin.com/in/larryslobodzian

For more information on

AOS Security Consulting

• https://www.linkedin.com/in/larryslobodzian
