The Threat You Are Not Expecting
Larry Slobodzian – AOS
Agenda
• The Challenges
• Why Worry
• Inside Info on Insiders
• Social Engineering Woes
• Costs
• One Approach to Consider
• What Specifically You Can Do
• More Resources
• Q&A
Disclaimer
All thoughts and opinions expressed in this presentation, or by Larry Slobodzian directly, are his own and should not be interpreted as those of Alexander Open Systems (AOS), or any other organization that might be mentioned. The mention of any organizations should not be interpreted as endorsement.
Some material contained herein was obtained and is used with the express written permission of AOS, and other organizations and may not be used or reproduced in any way without each of these parties’ express written consent in advance.
Larry Slobodzian
AOS Consulting Sales Lead | Security, GRC, IAM, and SRM
Why Partner with AOS
• In business since 1992
• 9 states, a dozen offices, 400 employees
• Award-winning vendor partner relationships with providers like CISCO, EMC, HP, VMware, RSA, and ServiceNow
• Not just a VAR, but a "best of breed" business problem solution provider
• Hundreds of references from satisfied customers in all technologies
A SECURITY MANAGEMENT MATURITY MODEL
• Security is “necessary evil”
• Reactive and de-centralized monitoring
• Tactical point products
• Proactive and assessment based
• Collect data needed to assess risk and detect advanced threats
• Some security tools integrated with common data and management platform
• Strategic Security Program
• Design Architecture
• Check-box mentality
• Collect data needed primarily for compliance
• Tactical threat defenses enhanced with layered security controls
• Established Security Team
Level 1: Defending Borders
Level 2: Awareness Phase
Level 3: Corrective Phase
Level 4: Optimal
• Continuous Process Improvement
• Security fully embedded in enterprise processes
• Data fully integrated with business content drives decision-making
• Security tools integrated with business tools
(Chart: Maturity plotted against Time)
*Based on a Gartner Survey – "Where organizations fall short" (2012)
*30% *50% *15% *5%
ARE YOU HERE?
The Business Challenges
• Exponential Growth of Threats
  – D&D Insiders
  – Outside Hackers (Commercial, Organized Crime, State Sponsored)
  – Competitor Espionage
• Continuously Growing Regulations & Requirements
  – Increases are a mandatory cost of doing business
  – DIACAP, SOx, HIPAA, PCI, GLBA, Dodd-Frank, NERC, OCC, etc.
  – Volume reduction, Fines, and jail time for failure to comply
• Ever increasing expectations for "adequate" safeguards by consumers, management, shareholders, employees, press, courts...
C-Suite's Top 5 Concerns
• Reputational Harm / Brand Equity
• Loss of Company IP
• Regulatory Actions / Compliance Costs
• Customer Lawsuits
• Shareholder / Investor Confidence
• Increasing pace at which new and varied technologies must be supported
• More empowered end users
• Consumerization
• Cloud / SaaS / PaaS / IaaS
• Managed Services
• Maintain Legacy Systems
• Mobile Workforce
• BYOD
• And on, and on, and on
Budget Limitations, Staff Challenges (Skill, Availability, Cost, Retention)
Current IT Challenges
Information Security, Privacy & IP Protection (diagram)
• Wrongful Use
• Wrongful Collection
• Physical Theft of Sensitive Information
• Non-Electronic Accidental Disclosure
• Electronic Accidental Disclosure
• "Cyber" Attacks
Diagram areas: IP & Privacy Exposure; Information Security Exposure
Why?
• There are at least 5 reasons, probably more
Why would strangers want your info?
1. Identity theft for resale or immediate profit
2. Damage reputation of competitor
3. Steal intellectual property
4. Blackmail
5. Cyber Crime/Terrorism – It's an epidemic; the Nation's Top Cop says so
What’s Your Biggest Exposure?
# 1 Employee Negligence
# 2 Hacking
# 3 Paper
Why would insiders want to compromise you?
1. Greed / Financial Need
2. Anger / Revenge
3. Blackmail
4. Ego / Thrill
5. Divided Loyalties
What behaviors can you look for?
• Takes work home without need or authorization
• Unusual interests outside their scope
• Unusual remote access times/odd hours
• Disregards corporate acceptable use
• Short trips to foreign countries
• Life crises
• Paranoia
What to do about it
1. Educate and regularly train employees on security or other protocols.
2. Know your sensitive information and ensure it is protected.
3. Use appropriate screening processes to select new employees.
4. Segregation of duties.
5. Provide non-threatening, convenient ways for employees to report suspicions.
6. Routinely monitor computer networks for suspicious activity.
7. Ensure security (to include computer network security) personnel have the tools they need.
Know Your Vendors
Vendor Questionnaire
• Outsourcing?
• References
• Business History
• Privacy & Security Policies
• Security Certifications or Audits (ISO 27001 or SSAE 16)
• Types of Data that will be generated, processed, stored
• Level of Network Access
Vendor Management: Across Your Supply Chain
• Vendors = very large % of all breaches
• No Vendor too small; take broad view of vendors/data
• Confidentiality and data security requirements
• Audit rights
• Hiring practices
• Applies to vendor use of subcontractors & employees
• Termination obligations
• Data breach notice protocol
Employee Training
Weakest Link in Majority of Data Security Programs (e.g. lost devices, unapproved software, weak passwords)
• Highest ROI ("Quick Win")
• Continuously Train All Employees
• Training Calibrated on Access/Roles/Responsibilities
• Policy of Least Privilege
Social Engineering . . .
. . . reminders of why technology alone isn't enough to keep you secure.
1. Phishing, Whaling, Doxing
2. Trojan horses
3. RSA attack in 2011 – first attack against the guard of the guards
4. Watering holes
5. Nice person with confidence
6. Social media
7. Charity/Cause Celeb scams
8. Weak third parties/suppliers/partners
COSTS of Doing . . .
• Nothing
• Or just enough, but
• What is that, just enough, anyway?
How Exposed Are We?
Costs of Not Addressing Technology Risk
• Breach Stats – 2016
  – 89% of breaches led to a data compromise in less than a day
  – 79% of breaches took weeks or more to discover
• Annualized cost of cyber crime:
  – $158 per affected record (Avg)
  – $355 per Healthcare record
  – $80 in public sector
• Bad Headlines
  – Per Forrester, if it's even possible, rebuilding trust can be up to 10x the cost of acquiring in the first place
  – Target Corp. breach total cost = $252 million
An Approach to Consider
WHAT IS THE FIX?
• Incident response program
• Ongoing vendor assessments
• Ongoing end-user awareness raising program
• Continuous Monitoring
• Robust and ongoing Risk, Vulnerability, & Threat (RVT) assessments
• Strategically plan ahead and expect the worst
AOS HOLISTIC CONSULTING APPROACH
The ADDIE Model: Instructional Design and Performance Improvement
Phases: Analysis (always start here), Design, Develop, Implement, Evaluate
• Survey Administrative Controls: Policies, Procedures, Governance
• Survey Technical Controls: Core AOS
• Testing / Define Metrics: ROI on risk mitigation.
• Service Improvement: Ongoing program support, AOS relationship, Cloud
• Risk Assessment: Those things that cause a significant business impact.
What's TRM?
• TRM includes:
  – IT Security
  – BC/DR
  – Governance & Compliance
• Companies are increasingly dependent upon IT to deliver
• TRM is a significant element of operational RM, which is one of the most critical aspects of Enterprise RM
• Either we manage risk, or it WILL manage us!
Why you need TRM
• The nature of the attacks
  – Organized crime
  – Zero Day
  – APTs
• Forensics
  – For operational interruptions
  – In case it is more serious
Here are 8 steps to take right away
1. Insurance
2. Info
3. Culture
4. Risk Register
5. Self-Assessment
6. Incident Response Plan
7. Defense In Depth
8. Get Help
Create a Risk Register & Matrix
1. List all the realistic bad things that could happen
2. Rank them by likelihood (1-Least to 5-most) and
3. Impact (1-Least to 5-most, $)
4. Plot them in a matrix
5. Concentrate on the 5/5s
DREAD
• Damage - how bad would an attack be?
• Reproducibility - how easy is it to reproduce the attack?
• Exploitability - how much work is it to launch the attack?
• Affected users - how many people will be impacted?
• Discoverability - how easy is it to discover the threat?
• Use Predefined answers
D – Damage Potential
• If a threat exploit occurs, how much damage will be caused?
  – 0 = Nothing
  – 5 = Individual user data is compromised or affected.
  – 10 = Complete system or data destruction
R – Reproducibility
• How easy is it to reproduce the threat exploit?
  – 0 = Very hard or impossible, even for administrators of the application.
  – 5 = One or two steps required, may need to be an authorized user.
  – 10 = Just a web browser and the address bar is sufficient, without authentication.
E – Exploitability
• What is needed to exploit this threat?
  – 0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
  – 5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
  – 10 = Just a web browser
A – Affected Users
• How many users will be affected?
  – 0 = None
  – 5 = Some users, but not all
  – 10 = All users
D – Discoverability
• How easy is it to discover this threat?
  – 0 = Very hard to impossible; requires source code or administrative access.
  – 5 = Can figure it out by guessing or by monitoring network traces.
  – 9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
  – 10 = The information is visible in the web browser address bar or in a form.
DREAD Impact & Probability
• Damage Potential + Affected Users = Impact
• Reproducibility + Exploitability + Discoverability = Probability.
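As an added example (not from the presentation), the scoring above in Python: the predefined answers are the only accepted values, Impact and Probability are computed with the slide's two formulas, and three constructed sample threats are ranked by their combined score.

```python
from dataclasses import dataclass

# Predefined answers per DREAD category, as on the slides (0/5/10, plus 9 for
# Discoverability). Anything else is rejected so scores stay comparable.
DREAD_SCALES = {
    "damage": {0: "Nothing", 5: "Individual user data compromised", 10: "Complete system or data destruction"},
    "reproducibility": {0: "Very hard, even for admins", 5: "One or two steps, may need an authorized user", 10: "Browser and address bar, no auth"},
    "exploitability": {0: "Advanced skills and custom tools", 5: "Malware or exploit tools already available", 10: "Just a web browser"},
    "affected_users": {0: "None", 5: "Some users, but not all", 10: "All users"},
    "discoverability": {0: "Needs source code or admin access", 5: "Guessing or network traces", 9: "Already public, found via search engine", 10: "Visible in the address bar or a form"},
}

@dataclass(frozen=True)
class DreadScore:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for name, allowed in DREAD_SCALES.items():
            if getattr(self, name) not in allowed:
                raise ValueError(f"{name}={getattr(self, name)} is not a predefined answer {sorted(allowed)}")

    @property
    def impact(self) -> int:
        # Slide formula: Damage Potential + Affected Users = Impact (0..20)
        return self.damage + self.affected_users

    @property
    def probability(self) -> int:
        # Slide formula: Reproducibility + Exploitability + Discoverability = Probability (0..30)
        return self.reproducibility + self.exploitability + self.discoverability

    @property
    def total(self) -> int:
        return self.impact + self.probability  # 0..50; higher means address it first

def rank_threats(threats: dict) -> list:
    """Return (name, impact, probability, total) tuples, highest total first."""
    rows = [(n, s.impact, s.probability, s.total) for n, s in threats.items()]
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))

# Constructed sample threats (hypothetical; not from the presentation).
SAMPLE_THREATS = {
    "Unauthenticated admin page reachable from the internet": DreadScore(10, 10, 10, 10, 10),
    "Phishing e-mail to finance staff": DreadScore(5, 5, 5, 5, 5),
    "Privileged insider copies the customer database": DreadScore(10, 0, 0, 10, 0),
}
```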
STRIDE
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data leak)
• Denial of service (D.o.S)
• Elevation of privilege
CIA Triad
• Confidentiality
• Integrity
• Availability
Risk matrix: IMPACT (rows) against Probability (columns)

                Low/Remote                                     Moderate                          High/Certain
Significant     Considerable management required               Must manage and monitor risks     Extensive management essential
Moderate        Risks may be worth accepting with monitoring   Management effort worthwhile      Management effort required
Minor           Accept risks                                   Accept, but monitor risks         Manage and monitor risks
Sample Frequency (Probability) Scale
1. Remote - 1 in 100 year event
2. Unlikely - 1 in 50-100 year event
3. Possible - 1 in 15-25 year event
4. Likely - 1 in 5-15 year event
5. Certain - 1 in 1-5 year event
Sample Impact (Losses) Scale
1. Low - Less than $250,000
2. Moderate - $250,000 - $1,000,000
3. Significant - $1,000,000 - $5,000,000
4. Serious - $5,000,000 - $25,000,000
5. Severe - Greater than $25,000,000
AS/NZS - ISO 31000 Risk Mapping: Impact & Probability Relationship
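An added example (not from the presentation) that scores a constructed register on the 1-5 frequency and impact scales above, plots it in the 5x5 matrix, picks out the 5/5s, and reads each entry's action off the 3x3 matrix; the banding of the 1-5 scores onto the matrix's three bands is an assumption, not something the slides define.

```python
# Scales from the slides (1 = least, 5 = most).
FREQUENCY_SCALE = {1: "Remote (1 in 100 yr)", 2: "Unlikely (1 in 50-100 yr)", 3: "Possible (1 in 15-25 yr)",
                   4: "Likely (1 in 5-15 yr)", 5: "Certain (1 in 1-5 yr)"}
IMPACT_SCALE = {1: "Low (< $250k)", 2: "Moderate ($250k-$1M)", 3: "Significant ($1M-$5M)",
                4: "Serious ($5M-$25M)", 5: "Severe (> $25M)"}
# The 3x3 ISO 31000-style cells from the slide: impact band -> probability band -> action.
RISK_MATRIX = {
    "Significant": {"Low/Remote": "Considerable management required", "Moderate": "Must manage and monitor risks", "High/Certain": "Extensive management essential"},
    "Moderate": {"Low/Remote": "Risks may be worth accepting with monitoring", "Moderate": "Management effort worthwhile", "High/Certain": "Management effort required"},
    "Minor": {"Low/Remote": "Accept risks", "Moderate": "Accept, but monitor risks", "High/Certain": "Manage and monitor risks"},
}

def probability_band(likelihood: int) -> str:
    # Assumption (not on the slides): 1-2 -> Low/Remote, 3 -> Moderate, 4-5 -> High/Certain
    return {1: "Low/Remote", 2: "Low/Remote", 3: "Moderate", 4: "High/Certain", 5: "High/Certain"}[likelihood]

def impact_band(impact: int) -> str:
    # Assumption (not on the slides): 1-2 -> Minor, 3 -> Moderate, 4-5 -> Significant
    return {1: "Minor", 2: "Minor", 3: "Moderate", 4: "Significant", 5: "Significant"}[impact]

def decision(likelihood: int, impact: int) -> str:
    """Qualitative action for one register entry, read off the 3x3 matrix."""
    if likelihood not in FREQUENCY_SCALE or impact not in IMPACT_SCALE:
        raise ValueError("likelihood and impact must both be 1..5")
    return RISK_MATRIX[impact_band(impact)][probability_band(likelihood)]

def build_matrix(register: list) -> dict:
    """5x5 plot: matrix[impact][likelihood] -> names of the risks in that cell."""
    grid = {i: {p: [] for p in FREQUENCY_SCALE} for i in IMPACT_SCALE}
    for name, likelihood, impact in register:
        decision(likelihood, impact)  # validates the scores before plotting
        grid[impact][likelihood].append(name)
    return grid

def ranked(register: list) -> list:
    """Entries sorted by likelihood x impact (descending), impact breaking ties."""
    return sorted(register, key=lambda r: (-(r[1] * r[2]), -r[2], r[0]))

def five_by_fives(register: list) -> list:
    """The 5/5s the slides say to concentrate on first."""
    return sorted(n for n, l, i in register if l == 5 and i == 5)

# Constructed sample register: (risk, likelihood 1-5, impact 1-5); not from the presentation.
SAMPLE_REGISTER = [
    ("Ransomware encrypts the file servers", 5, 5),
    ("Vendor breach exposes customer data", 4, 4),
    ("Lost unencrypted laptop", 5, 2),
    ("Insider exfiltrates product IP", 2, 5),
]
```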
Risk Decisions
• Accept
• Transfer
• Avoid
• Mitigate
Create an incident response plan (AICPA)
1. Use the risk register list
2. Either create an overarching plan as a guide to everything on the list, or a plan for each
3. The plan should contain:
  1. Who can invoke the plan
  2. When to invoke the plan
  3. Who does what
  4. Alternate roles & responsibilities
  5. How to do what
  6. What is BAU
4. Don't forget the post mortem for lessons learned
You can’t run . . . or do this !
Takeaways
1. Biggest threat is inside – that includes vendors
2. Costs of doing nothing > Costs of security
3. Employee training is low-hanging fruit
4. Vendor Risk Management (3PA) is CRITICAL
5. Know your risks and how you will address them
6. Continuous monitoring
Additional Resources
Ponemon Institute: http://www.ponemon.org/
Shared Assessments™: http://sharedassessments.org/about/
OWASP Threat Risk Modeling: https://www.owasp.org/index.php/Threat_Risk_Modeling
AOS Security Consulting: http://www.aos5.com/security/
Questions?
Please Contact:
Your local AOS Account Manager
or
Larry Slobodzian, Consulting Sales [email protected] 913-669-9285
Linkedin.com/in/larryslobodzian
For more information on
AOS Security Consulting
• https://www.linkedin.com/in/larryslobodzian