@MATTHEWPASCUCCI | WWW.FRONTLINESENTINEL.COM
The State of Cyber Security 2016
The Year in Review
Agenda
• Year in Review
• The major risks of the year
• Where we’ve succeeded
• Emerging Trends
Notable Hacks of 2015 - 2016
Politicians Are Waking Up
• CISA (Computer Information Sharing Bill)
• Prime Minister David Cameron looking to pass anti-terror bill to allow GCHQ to decrypt communications
• Constant talks with China about espionage
• FBI fighting for an encrypted backdoor
• The OPM hack was the last straw
• The NSA in the news daily
• Apple San Bernardino case
• CyberWar? What is it?
Where Have All The Good Guys Gone?
• The lack of cyber security talent is scary: 451 Research stated that 34.5% of project delays are due to lack of staff
• How can we get students educated in cyber security?
  • NSA/DHS created “Centers of Excellence” with scholarships
  • Why isn’t this drawing people in?
• How can we entice people to our industry?
  • Stats that people would be interested in, but know nothing about
  • The Executive Women’s Forum (EWF) at RSA this year
  • Colleges doing a better job?
  • Remove the stigma of the “hacker lifestyle”
Privacy in the New Security
• Privacy jobs are starting to explode; CIPP certifications are in great demand
• Companies over the next couple of years will see a wave of new privacy law hit them
  • The EU laws are slowly making their way across the Atlantic
  • Safe Harbor laws
• Technology vendors are now using privacy as a selling point: Apple, Twitter, etc.
• Everyone from Grandma to CEO is concerned
• Eff.org (Electronic Frontier Foundation)
• Edward Snowden gets a Twitter account
Find a Happy Place
Phishing is Still Killing Us
• Educate, Educate, Educate
  • Test your users with fake phishing
  • Run competitions and make it fun
  • What to look for? Review real phishing emails, etc.
• Keep metrics and show improvements
• Make sure executive admins are aware
• Invest in a strong mail filter
• Not just email anymore: SMS, social media, etc.
• This is your biggest threat right now. Fix it.
Phishing Stats
According to Verizon:
• 95% of espionage attacks involve phishing.
• Nearly 80% of all malware attacks come from phishing.
• Almost 50% of recipients open emails and click on phishing links within the first hour.
• There’s a 71% chance that phishing links are clicked on a Windows machine.
• Technical emails are the most common messages to be clicked on, with a 21.3% click rate.
• iOS devices have a 16% click-through rate, the highest amongst mobile devices.
Don’t DDoS me, bro!
• This is still a problem. It’s not going away.
• Protonmail just got hit with a DDoS; needed upstream providers and DDoS equipment to defend
• Are you ready for a DDoS attack?
• How would you react to a DDoS ransom?
• DDoS comes in many different flavors: volumetric, application, hybrid
• DDoS smoke screens: beware of pickpockets!
Coding Standards Need To Change
• When will we follow the “OWASP Top 10”?
• Jim Manico, Manicode Security, says he needs $4 billion to fix the state of application security.
• SDLCs being followed? Are they even there?
• Are you using proper release management?
• Constant vulnerability scanning: static analysis, dynamic analysis
• Mobile apps are a threat. Let’s not let history repeat itself.
Vulnerabilities on the Rise
• Vulnerabilities are everywhere! Critical infrastructure, homes (IoT), business
• Companies selling zero days and researchers finding them: a double-edged sword
• Bug bounties are useful
• SSL is dead: Heartbleed, POODLE, FREAK, BEAST, DROWN
• Remediation plan? How long? What’s your risk appetite?
• Legacy systems still can’t get updated
• Patches? We don’t need no stinking patches.
Mobile is Here to Stay
• Do you “BYOD”?
• How are corporate apps being developed? Used? Deployed?
• Steps to lock down a mobile device: encryption, container, DLP
• Mobile OWASP Top 10
• We’re moving down the path of this being the biggest threat
• Everyone wants this data, just ask Apple.
How do you “Incident Response”?
• Red team drills: determine what your worst nightmare is and live it.
• Runbooks: recording the steps to remediate your worst nightmares.
• SWAT teams: getting a team of talented people to run the incident.
• Relationships with law enforcement: if you don’t have this already you’re wasting time.
Third Party Vendors = Weakest Link
• Huge risk, just ask Target
• Lower the risk by performing third party risk reviews
• Create policy and forms to have vendors fill out
• This is your data and environment. In order to do business with them they need to be assessed
• Creation of legal contracts: when are you notified of a breach? Indemnification
• Review of vendors’ internal workings: how do they perform security?
Do You Know Where Your Data Is?
• Sensitive data: do you know where your sensitive data is? What is sensitive data?
• Data Loss Prevention (DLP): network, endpoint, honeyfiles
• Insider threats: the Edward Snowden effect (for better or worse). This is dangerous because you’re giving them access; they don’t need to break in!
Privileged Attack Hacks On The Rise
• CyberArk recently put out a survey saying 88% of all companies are susceptible to privileged attack hacks.
• Windows environments are at greater risk, but there are Linux concerns too.
• Randomization of accounts, including local and service accounts, is key to stopping abuse.
• Session management and jump boxes are needed.
• Once an internal account is taken, it’s a matter of time before things go south.
What We Get Right
The Boardroom is Noticing
• Funding is growing (hopefully you see it too): there has been an increase in funding all round, an exponential jump from 5 years ago
• Cyber threats have become a topic of concern; management is asking questions that they didn’t 5 years ago
• This is no longer compliance related; people are realizing this could affect their wallets
Security Mentality Is Growing
• The media: media hype draws attention (for better or worse). It’s all around us and it’s soaking into our culture
• The education of the normal user is growing. It might not seem like that, but it’s on everyone’s mind.
• We have to harness this curiosity and mold it. This is the “Golden Age of Security Awareness”.
Up and Coming Trends
Managed Security Services Providers (MSSP)
• Why aren’t we doing this more? Who has a fully staffed team monitoring 24x7? Who doesn’t? Would you consider this?
• Trust is a risk, but so is not doing anything.
• Acquire additional services, or limit to in-house only?
• Create retainers for services on demand: malware reverse engineering, digital forensics, etc.
Deception in Depth
• Hackers don’t play fair. Neither should you!
• Start using deception as a defense technique
• Concerned with prevention only, not detection: a sea change in management’s thinking
• Honeypots, honeytokens, darknet alerting, sinkholes
• Many new vendors coming out with deception tools
• An area I hope grows in the future
Cloud Based Security on the Rise
• Cloud based security tools: two-factor authentication, DDoS protection, identity management, SIEM, endpoint protection
• Cloud Security Alliance STAR Registry
• Secure hosting: Amazon has made considerable advances in security services (WAF, security assessment, HSM, firewall, etc.)
Cyber Insurance
• This is on the rise and you need it.
• It’s used for homes, cars and businesses. Why not cyber attacks?
• Target was given $90 million from insurance and paid $162 million out of pocket
• Understand the legal nuances of cyber insurance: timeframes, logs, etc.
• Run through a dry run of contacting insurance: who are you going to call? Who needs to be involved (insurance, law enforcement, etc.)?
• Determine who you’ll be working with; know if you need to bring something to the table
“Threat Intel” or “Sharing is Caring”
• Threat intelligence has grown over the past year
• The use of STIX/TAXII as a framework
• Multiple vendors creating vendor related intel
• Trusted circles, situational awareness, companies
• ISACs (Information Sharing and Analysis Centers) are being established: FS-ISAC (Financial Services ISAC), NH-ISAC (National Health ISAC), E-ISAC (Electricity ISAC)
Machine Learning and Behavioral Analysis
• Signatures have failed. Long live behavioral analysis.
• Next generation anti-malware/antivirus: basing detection of attacks off analysis, not signatures.
• Limited set of instructions and less updating. Prevention with limited updating is key.
• Machine learning network based systems: determine how attacks work and alert on risk. Profiling of users’ normal activity. Review of what is considered out of the norm in east-west traffic.
Questions?
I know you have some. Let’s hear them.
THIRD PARTY CYBER RISK: A PIVOTAL PILLAR IN YOUR INFOSEC PROGRAM
RISHI SINGH, CISSP, @singhonsecurity
AGENDA
• What is Third Party Risk Management “TPRM”
• Business Justifications – Why do TPRM?
• Third Party Breach Metrics
• The Interconnected IT/Data Supply Chain
• Third Party Breaches – Notable Events
• Regulations – Third Party Breaches
• Key Steps for Effective Vendor Risk Management
• Approaches for dealing with Suppliers
WHAT IS THIRD PARTY RISK MANAGEMENT (TPRM)
• Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
• Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
• There is no universally accepted framework like COBIT or COSO for TPRM, but there are some standard assessment questionnaires.
BUSINESS JUSTIFICATIONS – WHY DO TPRM?
• Reduce likelihood of data breach costs
• Reduce likelihood of costly operational failures
• Reduce likelihood of vendor bankruptcy
• Regulatory mandates may require it
• Prudent due diligence – ethical obligation
WHAT’S ADVERTISED: SaaS ”R” Us
Internet connectivity is so ubiquitous that your data can be hosted in a variety of places, some of which would never pass muster. IaaS/SaaS/PaaS/DaaS vendors come in all shapes and sizes.
THIRD PARTY BREACH METRICS
• 41% TO 63% OF BREACHES INVOLVED THIRD PARTIES
• PER-RECORD COSTS OF A 3RD PARTY BREACH HIGHER: $231 VS. $188
• 71% OF COMPANIES FAILED TO ADEQUATELY MANAGE RISK OF THIRD PARTIES
• 90% OF ANTI-CORRUPTION ACTIONS BY DOJ INVOLVED 3RD PARTIES
INTERCONNECTED IT/DATA SUPPLY CHAIN
DO YOU KNOW WHAT RISKS YOU ARE ACCEPTING?
[Diagram: third parties connected to the company, the connection paths, and the risks that travel over them]
• Third parties: SaaS HRIS/Payroll, Benefits; Marketing Agencies; Customer Analytics; NOCs/SOCs; Helpdesks; EDI/B2B Networks; CRM; Financial Institutions, Payment Processors/Banks; IaaS/PaaS/SaaS Providers; Consulting Agencies; Data Storage
• Connection paths: APIs/Interfaces; VPN / Direct Connect; Web Access
• Risks: C&C traversal; Credential theft; Data loss; Data remanence; Malware
Critical vendors are not based on just connectivity and level of access but also on storage of PII/IP.
THIRD PARTY BREACHES - NOTABLE EVENTS
August, 2013: A medical transcription vendor that was engaged to transcribe physician care notes suffered a security lapse when patient data was inadvertently stored insecurely on a publicly accessible website. The data was from 32,000 patients.
May, 2014: A driver safety firm suffered a breach when it unintentionally backed up data to an unsecured internet-facing server, exposing personal information of current and former Lowe’s drivers. The potentially exposed information included names, addresses, dates of birth, SSNs, driver’s license numbers, and other driving record information.
December, 2013: Hackers gained entry into Target’s network via stolen credentials from a third-party HVAC vendor, which had an external connection with Target for electronic billing, contract submission, and project management. As a result, around 40 million credit and debit card accounts were stolen.
September, 2014: Hackers used stolen credentials from a third-party vendor to gain access to Home Depot’s network, where they purportedly exploited an unpatched vulnerability in the system to gain access to point-of-sale data. As a result, around 56 million payment card accounts and 53 million email addresses were stolen.
? Unnamed vendor
REGULATIONS & CERTIFICATIONS: A COMPLEX AREA BUT OF CRITICAL IMPORTANCE IN THIRD PARTY VENDOR VALIDATION
New, stricter standards and increased scrutiny by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB), as well as the Federal Deposit Insurance Corporation (FDIC) and the Federal Financial Institutions Examination Council (FFIEC), mean financial institutions now have the same responsibilities for in-house and out-of-house services.
For many banks and non-banks, this will mean reevaluating vendor relationships and instituting increased safeguards and oversight to meet these new, stricter standards.
Default starting points – by no means comprehensive.
Oct, 2015: Safe Harbor struck down by European Courts
Feb, 2016: The European Commission has published details of its transatlantic “Privacy Shield” agreement, which is designed to ensure that personal information of citizens is protected to EU standards when it is sent to the US, even though it would appear that the NSA will continue to carry out bulk collection of data under the new pact.
KEY STEPS FOR EFFECTIVE VENDOR RISK MANAGEMENT
ESTABLISHING THE PROGRAM
Seek management support & examine the business processes of how contracts enter the company and are executed.
• Form a hard stage gate where no contract involving data transfer, IT services/hosting etc. gets approved without InfoSec review/vetting.
• Establish a DDQ (due diligence questionnaire) that is at the right level for the amount of risk you are willing to accept. Update it regularly; there is a lot of material out there:
  • NIST 800-39 Managing Information Security Risk
  • ISO/IEC 27005/31000: Information Security Risk Management Standard
  • SIG (or SIG LITE) – Standardized Information Gathering Questionnaire
    • $5.5k for SIG package.
    • $1.5k for VRMMM – Vendor Risk Management Maturity Model (good foundational model for assessing improvement areas in managing vendor risk).
    • Invest in toolkits from sharedassessments.org
• Form a strong alliance with your vendor management office/procurement person and legal department.
DEALING WITH THE SUPPLIER(S)
Ask the tough questions and do not be complacent.
• “We have top of the line security and requisite controls.” GOOD, PROVE IT.
• Request a redacted org chart: where does InfoSec live and report to in the org? Shared function? System or network engineering playing the security role? This tells so much.
• Run third party assessment scans; leverage companies like BitSight.
• If they have a CISO, ask for a conversation with them.
• Answers with everything YES on your DDQs with no substantiating details should be a red flag. Firms that have real security will be confident enough to put some details behind their answers in order to win your business.
• If they are missing foundational security controls, ask why; their answers will reveal a lot about how they “culturally view” security. Ask when those controls will be implemented. Make it a part of the contract for renewal; if those controls are not there, seek insurance/more indemnification etc.
• How will they inform you of a breach? Do they have an incident response process/program in place?
• Is all your data solely with them or are they data-subbing to other providers you aren’t aware of? Is it crossing borders without Safe Harbor controls?
• Ask for a right-to-audit clause in the contract.
• What can their insurance cover? Do they have Cyber Security Insurance?
TRINKETS FROM MY RISK MGMT JOURNEY: ACTUAL STATEMENTS
THE SECURITY DILUTION TACTICS
• “Our website has two factor but not our VPN because we don’t allow any employees to work from home” (Their engineers were using SSL based VPN to maintain systems.)
• “Data at rest is not encrypted; based on our other security controls (firewall only) the risk is mitigated” (They were running MS-SQL with TDE capability but never activated it.)
• “We do not allow vulnerability scans even with ROE and prior notification because it has crashed our systems in the past” (An attacker was targeting them; we provided high level guidance to assist them in cleaning it up.)
• “We cannot provide any policies even in redacted form. Our SOC-1 [Service Org Control Report] is confidential and cannot be released.” (Usually this means InfoSec policies were never sanctioned/supported or signed by upper management or distributed to employees. SOC-1 audit letters carry no risk in being released; you’re not asking for the findings report. Typically you’ll find they cannot provide a bridge letter to cover the period since the audit end, hence the reluctance to disclose.)
THE FINANCIAL/LEGAL JEWELS
• “We cannot indemnify or offer damages for a breach because it would make us insolvent” (Recommended they upped their insurance and/or assigned cybersecurity insurance coverage.)
• Never accept less liability coverage than would be required to address the breach; we’ve used liability caps as middle ground negotiation points. (Costs of remediation (mailings etc.), costs of replacement, costs of notification, especially in PII breaches, and media to recover company reputation.)
• The larger companies that use the “can’t afford” position will negotiate a cap or much broader coverage, after much pushing and sometimes cutting off talks for a time.
• Note: Look for specific “carve-out” language stating data breaches are not covered and/or a data breach would result in a refund of X amount of months of service. Ensure that is enough capital to cover breach and remediation costs.
• Regarding carve-outs, an additional paragraph on liability can be added: “Notwithstanding all other clauses herein, Vendor will reimburse Company for any and all losses arising out of any breach, disclosure, publication and/or unauthorized access to Company’s data.”
• Losses are defined as all claims, costs, damages, demands, judgments, and expenses (including reasonable attorneys’ fees). Modify as needed based on the nature of engagements.
Q&A SESSION