Page 1: Security in Today's Age - American Payroll Association

Information Security in Today's Age: …and What We Can Learn from Them

Presented by: Dr. Chuck Wood, Ph.D., CISSP, Duquesne University

Presented to the Western PA American Payroll Association

Page 2

…from an Accounting Perspective

• Expenses and Revenue
• Cost Benefit
• Audit and Control
• Some Compliance
• Career Viewpoints

Many security problems come from incorrect accounting or management practices!

Page 3

About Me…

• Chuck Wood
• Prof at Duquesne
  • Data Analytics (Data Science / Big Data)
  • InfoSec
  • IT Infrastructure
  • Development
• Consultant / Analyst
  • Data Scientist / Predictive Analytics
  • Security
  • Infrastructure
  • Database and Development
• Some Credentials
  • Ph.D. (Information and Decision Science)
  • CISSP (Top Security Certification)
  • Developer/DB certifications too
  • MBA
  • Undergrad: Finance, Computer Science

Page 4

So what is the problem?

• Businesses generate terabytes of information
• Increasing analysis
• Increasing demands by regulators
• Increasing compliance
• Increasing security controls verification
• Increasing notifications from the SIEM / IDS / IPS systems
• Increasing staff size? Guess again!
• SIEM (Security Information and Event Management) systems overloaded

Page 5

• 2010 – Yahoo and Google hit by Chinese Military Hackers.
  • Google disclosed
  • Yahoo didn't (!)
• 2013 – Yahoo easy target – Snowden Wiki dump
  • Yahoo does nothing
• Users Affected by Breaches:
  • 2013 (announced 2016) – 500K
  • 2014 (announced 2016) – 1 - 3 billion
  • 2015-2016-2017 (announced a couple weeks ago) – Cookie hack (# of users not released (!!!))
• It's an accounting issue!
  • Security not worth it!
  • Now lawsuits, government, etc.
  • Killing Verizon $4.8Bil buyout by $250Mil plus legal so far

You're probably wondering what a slum has to do with Yahoo's accounting and InfoSec, right?

Page 6

What Yahoo Has Taught Us

• Accounting measures might need to be adjusted for security infrastructure investment
  • Potential Loss
  • Probabilistic Loss
  • The amount saved will not come out of the existing expenses
  • You, hopefully, will never find out how much you saved
  • Never Any Justification
• InfoSec Management needs to be from the top-down (!!!)
  • How many times do we have to learn this!
  • InfoSec is a managerial issue, not a technical issue.
• If you don't support your security, your breaches will be worse
  • Is that OK? Ethically, probably not. From a cost/benefit perspective, maybe!

The cost-benefit analysis is hugely problematic, and security cuts across areas. Where do your numbers come from?

Page 7

• Russian Mafia
  • 25 major criminal orgs
  • Nation-state hacking
  • Installed RAM Scraper on Registers
  • Stole Credit Card Info
• Accessed through HVAC
  • Fazio Mechanical Services
  • Don't need password (!!!)
  • The IP address gets you in!
• Detected by FireEye and Symantec, but ignored (?)
  • Rumors say overworked employees
  • Rumors say limited funding
  • Employees forced to triage?
  • Limited resources cause perimeter to shrink!
• Narrow perimeter issues

Page 8

• Breach costs $148 million
• Over 90 lawsuits
• US Households dropped from 43% to 33% for Christmas
• $90 mil in class action
• Stock dropped
  • $1.40 in one day, ultimately down 4.4%
  • EPS from $.85 to $.78
• Lost Jobs
  • CEO, CIO
  • 475 employees
• Preventative investment would have been worth it
  • Increase in InfoSec - $61 mil
  • Implement Chip-and-PIN cards ($100 mil)
  • Increased Staffing

– Sad Times

Sure, we can figure out how much they should have invested. Now, anyway. But hindsight is 20/20.

Page 9

What Target Has Taught Us

• Accounting
  • It's difficult to value InfoSec staff appropriately
  • So what staffing is appropriate?
  • How much do you spend?
  • You simply can't respond to every incident without unlimited funds
• Management
  • Cutting staff also cuts what they can do
  • Misclassifying a perimeter can lead to crazy things
  • Pay attention to escalating warnings
  • You can't replace people with tech

"If you think InfoSec problems can be solved with technology, then you don't understand the technology and you don't understand the problems" – Unknown, but maybe Bruce Schneier

Page 10

DNC – Does Not Compute (Does Not Compute Well, at any rate. Maybe I should have titled it "DNC – Gone Phishing")

• Emails stolen
  • Russian Government
  • Forensics
  • Spy vs. Spy info
  • WikiLeaked
• Phishing
  • John Podesta clicked on an email – after being told not to!!!
• Victims
  • DNC Director – Fired
  • Podesta / Clinton relationship – Compromised
  • Strangely, no emails to or from Clinton on the WikiDump
• What did the DNC teach us? That we need training!!!
  • How do you control for who is not trained and audit it?
  • What's the recurring cost?
  • The "Do you give up Wyoming?" accounting question.
  • What's the policy / reward / punishment for not training?

Rumor has it that the RNC was hacked as well, but not released.

Page 11

OPM Hack, Cylance, and AI

• Office of Personnel Management Hack
  • China? Probably.
  • 18 million individuals affected
  • All applicants for Top Secret clearance
  • All medical / psychological visits
  • SSNs
  • Fingerprints (!)
  • Director and CIO "retired" (!)
• Detected by Cylance
  • Uses AI and Machine Learning
  • Detects based upon patterns
  • Always evolving
  • Maybe stops Zero Day?

PWC says 23% are starting to use AI/ML in their security systems in 2016

Page 12

We are all OPM (maybe)!

Many of you…of us…RIGHT NOW… are being hacked. (COMMUNICATE THAT!)

Can Big Data / AI / Machine Learning / Predictive Analytics solve our problem? MAYBE!

Page 13

AI / Machine Learning

• Old Way – React with No AI/ML
  • Track the way bad guys work
  • Constantly adapt to new techniques
  • Monitor
    • Signatures / Bad Site Lists
    • Traffic / IP Addresses
    • Storage / File Size / File Date / Checksum
• New Way – React Better with AI/ML!
  • Still do the Old Way stuff!
  • Track the way good guys work
  • Figure out deviations from the good guys
    • Unknown (and unknowable) patterns
    • Stats / AI / Expert Systems / Neural Networks
• Old and New Way – Plan, Protect, and Assume that the disaster will happen … because it will happen!

We try to anticipate, but make no mistake – Security is reactive
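The "old way / new way" contrast on this slide, as an added example that is not from the deck: a static bad-IP list catches only what is already listed, while a per-user baseline of "how the good guys work" flags the 3 a.m. login from an unseen address that no list would name. The users, hours and IP addresses are constructed sample data.

```python
"""Old way (signature match) beside new way (behavioural baseline), run over
constructed login records. Added example, not the deck's own code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (user, login hour 0-23, source IP). BASELINE is the
# "good guys" history; NEW_BATCH is the batch being evaluated against it.
BASELINE = [
    ("alice", 8, "10.0.0.5"), ("alice", 9, "10.0.0.5"), ("alice", 8, "10.0.0.5"),
    ("alice", 10, "10.0.0.5"), ("alice", 9, "10.0.0.5"),
    ("bob", 13, "10.0.0.7"), ("bob", 14, "10.0.0.7"), ("bob", 12, "10.0.0.8"),
    ("bob", 13, "10.0.0.7"), ("bob", 15, "10.0.0.8"),
]
NEW_BATCH = [
    ("alice", 9, "10.0.0.5"),       # her usual hour, her usual address
    ("alice", 3, "203.0.113.9"),    # 3 a.m. from an address never seen before
    ("bob", 13, "198.51.100.4"),    # usual hour, but a listed bad address
]
BAD_IPS = {"198.51.100.4"}  # old way: a static bad-site / bad-IP list (constructed)

def old_way(events):
    """Signature match: flags only what is already on the bad list."""
    return [e for e in events if e[2] in BAD_IPS]

def build_profiles(events):
    """Per-user baseline: mean and stdev of login hour, plus the IPs seen."""
    hours, ips = defaultdict(list), defaultdict(set)
    for user, hour, ip in events:
        hours[user].append(hour)
        ips[user].add(ip)
    return {u: (mean(h), pstdev(h), ips[u]) for u, h in hours.items()}

def new_way(events, profiles, z_limit=2.0):
    """Deviation from the good guys: flag logins that stray from the user's
    own baseline, whether or not the address is on any list. A user with no
    baseline gets an empty profile, so every address counts as unseen."""
    flagged = []
    for user, hour, ip in events:
        mu, sigma, seen = profiles.get(user, (hour, 0.0, set()))
        reasons = []
        if sigma and abs(hour - mu) / sigma > z_limit:
            reasons.append(f"hour {hour} is {abs(hour - mu) / sigma:.1f} sigma off")
        if ip not in seen:
            reasons.append(f"unseen source {ip}")
        if reasons:
            flagged.append((user, hour, ip, "; ".join(reasons)))
    return flagged

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    print("old way:", old_way(NEW_BATCH))
    print("new way:", new_way(NEW_BATCH, profiles))
```

The baseline is still "reactive" in the slide's sense: it only knows what normal looked like last week, so the "old way" list stays in place alongside it.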

Page 14

BUT… Here's an Accounting Valuation Issue

• Shortage of Security BUT…
• Security
  • Tied to expenses
  • Salaries depressed
• Analytics
  • Tied to revenue
  • You pay more for analytics (but often worth it!)
• So Using Analytics to Augment Security…
  • Will be more expensive
  • May catch new threats sooner / immediately
  • It might be cost effective

[Chart: Information Security Jobs vs. Data Science Jobs by salary band (20k-55k, 55k-80k, 80k-100k, 100k+). Collected from Indeed.com for Pittsburgh.]

Page 15

RansomWare

Hacker's Process:
1. International hackers gain access
2. Hacker encrypts hard drive
3. Hacker demands bitcoin for passcode
4. Company pays! (Oh yes they do!)
  • Haggling reduces fee on average by 29%
5. Hackers give passcode to companies

Do you pay? FBI says no, don't do it! Survey says yes, do it! (Sorry, FBI)

Page 16

RansomWare

• Hollywood Presbyterian Medical Center -- $17k
• University of Calgary -- $16k
• MedStar -- $17k
• CryLocker had over 8000 victims in 2 weeks in September!
• Targeting is going from individuals to big business
• Businesses keep very quiet about it

From 2005-2016, IC3 reports over 7,700 ransomware complaints and over $57 mil. Personal ransom is $200 to $10,000

Ransomware spiked 6000% in 2016!

Page 17

CEO Spoofs!

• The FBI reports CEO Spoofs:
  • $2.3 billion from 2013-2016
  • 270% increase since 2015
• You definitely need some policies for responding to emails!

Spoofing a CEO email is very simple!

Page 18

RansomWare Prevention

• Separate Storage
  • Secure, off-line backups
  • Careful of continuous or cloud-based backups
  • Physically separate business units
• Training
  • Quit Clicking on emails!
• Patching
• IDS / IPS
• Watch out for IoT!
• Least Privilege
• Don't run weird software
  • No Macros
  • Software Restriction Policies (SRPs)
  • Restrict AppData/LocalAppData folder
  • Restrict temporary storage
  • Whitelisting
• Use Virtualized Environment

Page 19

Dyn and DDoS

• DDoS is a Distributed Denial of Service attack
  • Lots of computers request info from your server
  • Your server can't keep up
  • Your server can't process other clients
• Gaming sector most often hit
• Often RansomWare is involved

Page 20

Dyn and DDoS

• Dyn provides the Web to you
  • When you type in "www", Dyn tells your computer where the server computer is.
• On October 16, 2016, Dyn was shut down.
  • IoT attack (security cameras, baby monitors, and routers, mainly)
  • Mirai Malware was used
• Investigated by Brian Krebs
  • …who implicated Paras Jha as the author
  • …who worked under the direction of Christopher "CJ" Sculti
  • …and who, allegedly, released the Mirai code on the Dark Web to ensure plausible deniability
• Broke the Internet on the East Coast
• Who did it?
  • First we said the Russians
  • Then, on Politico, hacktivists took credit:
    • SpainSquad, Anonymous, New World Hackers
    • Cited Ecuador turning off Assange's Internet
  • But it turned out that it was probably the work of Script Kiddies using the Mirai code

[Photos: Brian Krebs, Paras Jha, Christopher "CJ" Sculti]

Page 21

Steps to DDoS Mitigation

1. Identify Attack Early
  • Increased Network Traffic
  • Strange IP Addresses
2. Overprovision Bandwidth
3. Defend at the Network Perimeter
  • Rate limit your router
  • Filter your router
  • Aggressively timeout
  • Drop spoofed packets
  • Set lower SYN, ICMP, and UDP thresholds
4. Call your hoster
5. Call a specialist
6. Make A Plan First (!!!)
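Steps 1 and 3 above, as an added example that is not from the deck: ingress filtering drops packets whose source address cannot legitimately arrive from the Internet (bogon ranges or our own prefix), a per-source SYN cap per one-second window applies the "lower SYN threshold", and the per-source SYN counts give the "strange IP addresses" view. The packet records, the bogon list and the 203.0.113.0/24 "own prefix" are constructed; the list is RFC 1918 plus loopback, link-local and multicast, not a complete bogon table.

```python
"""Perimeter triage for an early-stage DDoS over constructed packet records.
Added example, not the deck's own code: ingress filtering ("drop spoofed
packets") plus a per-source SYN-per-second cap ("set lower SYN thresholds")."""
import ipaddress
from collections import Counter, defaultdict

# Our own public prefix (constructed; a documentation range stands in for it).
OWN_PREFIX = ipaddress.ip_network("203.0.113.0/24")
# Sources that can never legitimately appear on the outside interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
SYN_LIMIT_PER_SEC = 3  # deliberately low, as the slide recommends

def is_spoofed(src):
    """True for bogon sources and for packets claiming to come from us."""
    ip = ipaddress.ip_address(src)
    return ip in OWN_PREFIX or any(ip in net for net in BOGONS)

def triage(packets):
    """packets: iterable of (timestamp_seconds, src_ip, tcp_flags).
    Returns (decisions, syn_total): decisions counts 'drop:spoofed',
    'drop:syn-rate' and 'pass'; syn_total counts SYNs per accepted source."""
    decisions, syn_total = Counter(), Counter()
    syn_window = defaultdict(int)  # (src, whole second) -> SYNs in that second
    for ts, src, flags in packets:
        if is_spoofed(src):
            decisions["drop:spoofed"] += 1
            continue
        if flags == "S":  # bare SYN: a new half-open connection attempt
            key = (src, int(ts))
            syn_window[key] += 1
            syn_total[src] += 1
            if syn_window[key] > SYN_LIMIT_PER_SEC:
                decisions["drop:syn-rate"] += 1
                continue
        decisions["pass"] += 1
    return decisions, syn_total

def top_talkers(syn_total, n=2):
    """The 'strange IP addresses' check: the sources sending the most SYNs."""
    return syn_total.most_common(n)

# Constructed traffic: a normal client, one SYN flooder and three spoofed sources.
SAMPLE = (
    [(t, "198.51.100.10", "S") for t in (0.1, 2.0)]             # normal client
    + [(t, "198.51.100.10", "A") for t in (0.2, 0.3, 2.1)]      # its data flow
    + [(i * 0.05, "192.0.2.77", "S") for i in range(10)]        # 10 SYNs in 1 s
    + [(0.5, "10.0.0.9", "S"), (0.6, "203.0.113.5", "S"), (0.7, "127.0.0.1", "S")]
)

if __name__ == "__main__":
    decisions, syn_total = triage(SAMPLE)
    print(dict(decisions), top_talkers(syn_total))
```

A real flood spoofs routable sources as well, which is why the slide's step 2 (bandwidth) and step 4 (your hoster, who can filter upstream) matter more than any one router rule.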

Page 22

Abusing Ukraine's Power Grid

• Spear Phishing to gain access
• Hackers spent months in the system
• Rewrote Firmware
• Used KillDisk malware to erase hard drive files, then break drive
• Did a TDoS (Telephone Denial of Service) attack
• Disabled UPS to keep workers in the dark, just for fun
• Hijacked VPN
  • Took over computer
  • Turn everything off
  • Reset Admin password
• Ukraine actually had a good firewall subsystem infrastructure
  • Gave some protection
  • Let us track exactly what happened
• Probably Russia did the attack

Page 23

Other Nation State Attacks

• Aurora Generator Test
  • U.S. Test in 2007
  • Causes a diesel generator to explode
  • Requires 21 lines of code!
• Stuxnet
  • Breaks centrifuges
  • Took down Iran's nuclear capabilities for about a decade
• Resulted in New standards
  • NERC-CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)

Continuous NERC-CIP Compliance for all Utilities still is a problem!

Page 24

CIA – We need Q to come up with more tools!

• Leak on March 3
• All the methods for electronic surveillance leaked.
• Who leaked?
  • WikiLeaks says insider
  • Rumors – some insiders say otherwise
  • Russia?
  • White House/FBI/NSA vs. CIA?
• CIA always could hack
  • Phones
  • Smart TVs
  • Vehicles
• If the CIA can hack you, so can EVERYBODY!

Page 25

BYOD – It's a huge risk

• BYOD Risk:
  • Easily lost or stolen phones
  • Remote attacks
• 40% of the Fortune 500 do nothing
• 50% of the Fortune 500 have no budget (!)
• 33% don't test their security apps!
• Often Undetectable!
  • Corporate apps are unmanaged
  • Personal apps are allowed
• You can detect intrusions into your DMZ, but you probably cannot detect phone hacks!!!

Imagine the press release … "We have no idea how the Russian Mafia got that data!"

From a recent IBM / Ponemon study

Page 26

CIA and BYOD Lessons Learned

• It depends, right?
• If insider
  • Least Privilege
  • Audit procedures
  • No removable data / No BYOD
  • Treat tools as companies treat intellectual capital
  • (I thought they were doing all of this already.)
• If Russia
  • Updated IDS/IPS/SIEM
  • Close monitoring of traffic
  • Close auditing of individuals
• If Competing Governmental Organization
  • Accountability
  • Log access
  • Chain of Evidence rules

Page 27

What About the Cloud?

• A lot more cloud IT services:
  • Scalable
  • Flexible
  • Cost effective
• …with a lot more security
  • Responsive to threats at scale
• On-premise infrastructure usually can't compete:
  • Storage Limits
  • Processor Limits
  • Scalability Limits
• The more anyone's attack is mitigated, the stronger everyone becomes
• Threat Management Tools
  • Used by 62% of the companies
  • Authentication, identity and access management
  • Real-time monitoring
  • Analytics
  • Threat intelligence

Page 28

So, seriously, what happened to the other 50ish percent?

Page 29

Thanks!

• Questions?
• Comments?
• Experiences?