
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyber Risk



Page 1: Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyber Risk

@MatthewPascucci | www.frontlinesentinel.com

The State of Cyber Security 2016


The Year in Review

Agenda:
• Year in review
• The major risks of the year
• Where we've succeeded
• Emerging trends


Notable Hacks of 2015 - 2016


Politicians Are Waking Up

• CISA (the Cybersecurity Information Sharing Act)
• Prime Minister David Cameron looking to pass an anti-terror bill that would let GCHQ decrypt communications
• Constant talks with China about espionage
• The FBI pushing for a backdoor into encrypted devices
• The OPM hack was the last straw
• The NSA in the news daily
• The Apple vs. FBI San Bernardino case
• "Cyber war": what is it, exactly?


Where Have All The Good Guys Gone?

• The lack of cyber security talent is scary: 451 Research reported that 34.5% of project delays are due to lack of staff
• How can we get students educated in cyber security? NSA/DHS created the "Centers of Academic Excellence" with scholarships; why isn't this drawing people in?
• How can we entice people into our industry?
  • Stats that people would be interested in but know nothing about
  • The Executive Women's Forum (EWF) at RSA this year
  • Are colleges doing a better job?
  • Remove the stigma of the "hacker lifestyle"


Privacy in the New Security

• Privacy jobs are starting to explode; CIPP certifications are in great demand
• Companies will see a wave of new privacy law hit them over the next couple of years: the EU rules are slowly making their way across the Atlantic, and the Safe Harbor framework has been struck down
• Technology vendors now use privacy as a selling point (Apple, Twitter, etc.)
• Everyone from Grandma to the CEO is concerned; see eff.org (Electronic Frontier Foundation)


Edward Snowden gets a Twitter Account


Find a Happy Place


Phishing is Still Killing Us

• Educate, educate, educate
• Test your users with simulated phishing; run competitions and make it fun
• What to look for: review real phishing emails with your users
• Keep metrics and show improvement
• Make sure executive admins are aware; they sit in front of the most valuable inboxes
• Invest in a strong mail filter
• It's not just email anymore: SMS, social media, etc.
• This is your biggest threat right now. Fix it.
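A worked version of the "what to look for" review, added here as an example and not part of the original deck: a small triage script run over two constructed header blocks (a legitimate helpdesk notice and a phish that spoofs the same sender). It flags the signals a reviewer would teach users to spot: a Reply-To that leaves the From domain, SPF/DKIM results that are not "pass", a sender claiming our own domain without passing SPF, a lookalike domain with digits swapped for letters, and pressure language in the subject. The domain example.com, the sample messages and the keyword list are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"   # assumed: the organisation's own mail domain
PRESSURE_WORDS = ("urgent", "immediately", "expires", "suspended", "verify your", "password")

# Constructed samples written for this example (headers plus a one-line body); not real mail.
LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
Reply-To: helpdesk@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Scheduled maintenance this weekend

The mail cluster will be patched on Saturday night.
"""
PHISH = """\
From: IT Helpdesk <helpdesk@example.com>
Reply-To: it-support@examp1e-login.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-login.com; dkim=none
Subject: Urgent: your password expires today

Click http://examp1e-login.com/reset to keep your account.
"""

_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(domain):
    """Crude eTLD+1: last two labels (enough for the .com-style names used here)."""
    return ".".join(domain.lower().split(".")[-2:])


def lookalike(domain, target=OUR_DOMAIN):
    """True when domain impersonates target after undoing digit-for-letter swaps and
    the 'rn' -> 'm' trick, e.g. examp1e-login.com -> example-login.com contains 'example'."""
    if not domain:
        return False
    reg = registrable(domain.translate(_HOMOGLYPHS).replace("rn", "m"))
    return reg != target and target.split(".")[0] in reg


def _domain(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw):
    """Return the list of reasons this message looks like phishing (empty == nothing found)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Authentication-Results is stamped by our own MX, so it can be trusted more than From.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.IGNORECASE)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    if from_dom == OUR_DOMAIN and any(f.startswith("spf=") for f in findings):
        findings.append("claims our own domain but SPF did not pass: spoofed sender")
    link_hosts = re.findall(r"https?://([^/\s]+)", msg.get_payload())
    for dom in sorted({reply_dom, *link_hosts}):
        if lookalike(dom):
            findings.append(f"lookalike of {OUR_DOMAIN}: {dom}")
    subject = msg.get("Subject", "").lower()
    hits = [w for w in PRESSURE_WORDS if w in subject]
    if hits:
        findings.append("pressure language in subject: " + ", ".join(hits))
    return findings
```

The same findings list is what a mail filter scores on; the point for awareness training is that each item is something a person can verify by looking at the headers, not just the display name.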


Phishing Stats

According to Verizon's Data Breach Investigations Report:
• 95% of espionage attacks involve phishing
• Nearly 80% of all malware attacks come from phishing
• Almost 50% of recipients open phishing emails and click on the links within the first hour
• There's a 71% chance that a phishing link is clicked on a Windows machine
• Technical emails are the most commonly clicked, with a 21.3% click rate
• iOS devices have a 16% click-through rate, the highest amongst mobile devices


Don’t DDoS me, bro!

• This is still a problem, and it's not going away: ProtonMail was just hit with a DDoS and needed upstream providers and dedicated DDoS equipment to defend
• Are you ready for a DDoS attack? How would you react to a DDoS ransom demand?
• DDoS comes in many flavors: volumetric, application-layer, and hybrid
• DDoS smoke screens: beware of pickpockets! The flood may be cover for the real intrusion happening underneath it.


Coding Standards Need To Change

• When will we follow the OWASP Top 10?
• Jim Manico of Manicode Security says he needs $4 billion to fix the state of application security
• Are SDLCs being followed? Are they even there?
• Are you using proper release management?
• Constant vulnerability scanning: static analysis and dynamic analysis
• Mobile apps are a threat. Let's not let history repeat itself.
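OWASP Top 10 A1 (injection) in two lines, added here as an example rather than anything from the presenter: the same login query written by string concatenation and then as a parameterized statement, run against an in-memory SQLite table constructed for the example. Static analysis catches exactly this pattern (Bandit's B608 check flags string-built SQL) and dynamic analysis finds it by sending the quote-and-comment payload used in `demo()`.

```python
import sqlite3


def make_db():
    """In-memory table constructed for the example. Plaintext passwords are a second
    defect, kept only so the injection point stays obvious."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con, user, pw):
    """OWASP A1: attacker-controlled text is pasted straight into the SQL grammar."""
    sql = f"SELECT role FROM users WHERE name = '{user}' AND pw = '{pw}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, user, pw):
    """Parameterized statement: the driver sends values separately from the query text,
    so quotes and comment markers in the input can never change the query."""
    row = con.execute("SELECT role FROM users WHERE name = ? AND pw = ?",
                      (user, pw)).fetchone()
    return row[0] if row else None


def demo():
    """Return (vulnerable result, fixed result) for the classic comment-out payload."""
    con = make_db()
    payload = "alice' --"   # closes the string literal, comments out the password check
    return login_vulnerable(con, payload, "wrong"), login_fixed(con, payload, "wrong")
```

The vulnerable query becomes `... WHERE name = 'alice' --' AND pw = 'wrong'`, so the password clause is never evaluated and the attacker is logged in as the admin; the parameterized version returns nothing for the same input.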


Vulnerabilities on the Rise

• Vulnerabilities are everywhere: critical infrastructure, homes (IoT), business
• Companies are selling zero-days and researchers are finding them: a double-edged sword
• Bug bounties are useful
• "SSL is dead": Heartbleed, POODLE, FREAK, BEAST, DROWN. (Strictly these hit SSL and early TLS alike, and the remediation is the same everywhere: patch the library, disable SSLv2 and SSLv3, require TLS 1.2, and drop export, RC4 and CBC-era cipher suites.)
• Remediation plan? How long? What's your risk appetite?
• Legacy systems still can't get updated
• Patches? We don't need no stinking patches.
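Most of the POODLE/BEAST/FREAK/DROWN family is fixed by configuration, not code, so here is an added example (not from the deck) of a client-side TLS policy in Python's `ssl` module plus an audit function that reports the things those attacks depend on: a protocol floor below TLS 1.2, compression enabled, export/RC4/3DES/NULL suites, and verification switched off. `insecure_client_context` is the copy-pasted "make the certificate error go away" pattern, shown for comparison. DROWN is a server-side problem (SSLv2 accepted anywhere the same key is used) and needs the equivalent change on every server sharing that key; this client policy cannot detect it.

```python
import ssl

# Substrings that identify suites no modern client should offer (assumed marker list).
WEAK_CIPHER_MARKERS = ("RC4", "EXP", "DES", "NULL", "MD5", "ADH", "AECDH")


def hardened_client_context(cafile=None):
    """Client policy: TLS 1.2+, forward-secret AEAD suites only, verification on, no compression."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSLv3 (POODLE), no TLS 1.0 (BEAST)
    ctx.options |= ssl.OP_NO_COMPRESSION              # CRIME
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:"                # ephemeral key exchange + AEAD only
        "!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!MD5:!DSS"  # EXPORT suites are what FREAK downgrades to
    )
    return ctx


def insecure_client_context():
    """The pattern that gets pasted to silence a certificate error: the peer is no longer
    authenticated, so any on-path attacker can terminate the connection as the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of policy violations for a context (empty means acceptable)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression enabled (CRIME)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    for cipher in ctx.get_ciphers():          # the suites this context would actually offer
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
    return findings
```

Run `audit_context` against every context your code constructs (wrap it in a unit test); the insecure pattern above is the one most often found in production, and it reads identically in requests, urllib and aiohttp wrappers.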


Mobile is Here to Stay

• Do you "BYOD"?
• How are corporate apps being developed? Used? Deployed?
• Steps to lock down a mobile device: encryption, containerization, DLP
• The OWASP Mobile Top 10
• We're moving down the path of this being the biggest threat
• Everyone wants this data; just ask Apple.


How do you “Incident Response”?

• Red team drills: determine what your worst nightmare is and live it
• Runbooks: record the steps to remediate your worst nightmares
• SWAT teams: get a team of talented people to run the incident
• Relationships with law enforcement
• If you don't have these already, you're wasting time.


Third Party Vendors = Weakest Link

• Huge risk; just ask Target
• Lower the risk by performing third-party risk reviews
• Create policy and forms for vendors to fill out
• This is your data and your environment: in order to do business with you, they need to be assessed
• Create legal contracts: when are you notified of a breach? Indemnification?
• Review the vendor's internal workings: how do they perform security?


Do You Know Where Your Data Is?

• Sensitive data: do you know where your sensitive data is? What counts as sensitive data?
• Data Loss Prevention (DLP): network, endpoint, honeyfiles
• Insider threats and the Edward Snowden effect (for better or worse): this is dangerous because you're giving them access; they don't need to break in!


Privileged Account Attacks On The Rise

• CyberArk recently put out a survey saying 88% of companies are susceptible to privileged account attacks
• Windows environments are at greater risk, but there are Linux concerns too
• Randomizing credentials for every privileged identity, including local and service accounts, is key to stopping abuse: a local admin password shared across hosts turns one compromised machine into all of them
• Session management and jump boxes are needed
• Once an internal account is taken, it's a matter of time before things go south.
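Two detections for the last point, added here as an example and not taken from the deck or from CyberArk: a logon fan-out rule (one account reaching more than N distinct hosts inside a short window, the sweep that typically follows a stolen credential) and a session-management rule (privileged identities used from anything other than their designated jump box or owning server). The log format, the host and account names, the `ALLOWED_SOURCES` map and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events, one per line: who authenticated, from where, to where.
LOG = """\
2016-03-01T09:00:00 user=admin.jane src=jump01 dst=srv01 type=remoteinteractive
2016-03-01T09:30:00 user=admin.jane src=jump01 dst=srv02 type=remoteinteractive
2016-03-01T10:00:00 user=bob src=ws03 dst=srv-file01 type=network
2016-03-01T22:41:00 user=svc_backup src=ws17 dst=srv01 type=network
2016-03-01T22:41:30 user=svc_backup src=ws17 dst=srv02 type=network
2016-03-01T22:42:10 user=svc_backup src=ws17 dst=srv03 type=network
2016-03-01T22:43:00 user=svc_backup src=ws17 dst=srv04 type=network
2016-03-01T22:44:20 user=svc_backup src=ws17 dst=srv05 type=network
"""

# Assumed session-management policy: a privileged identity may only originate from its
# designated source (the jump box for humans, the owning server for service accounts).
ALLOWED_SOURCES = {"admin.jane": {"jump01"}, "svc_backup": {"bkp01"}}
WINDOW = timedelta(minutes=10)
MAX_HOSTS = 3   # more distinct destinations than this inside WINDOW looks like a sweep


def parse(text):
    """Parse the key=value lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        rec = dict(p.split("=", 1) for p in kv)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_fanout(events, window=WINDOW, max_hosts=MAX_HOSTS):
    """One account reaching many hosts in a short window: the post-compromise sweep."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, items in by_user.items():
        for i, first in enumerate(items):          # slide a window from each event
            hosts = {e["dst"] for e in items[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) > max_hosts:
                alerts.append({"user": user, "start": first["ts"].isoformat(),
                               "hosts": sorted(hosts)})
                break                               # one alert per account is enough
    return alerts


def detect_source_violations(events, allowed=ALLOWED_SOURCES):
    """Privileged logons that bypass the jump box or the account's owning server."""
    return [e for e in events
            if e["user"] in allowed and e["src"] not in allowed[e["user"]]]
```

In the constructed log `admin.jane` works through the jump box and trips nothing, while `svc_backup` appears from a workstation and touches five servers in under four minutes, so both rules fire on the same account; the source-violation rule alone would have caught the very first logon.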


What We Get Right


The Boardroom is Noticing

• Funding is growing (hopefully you see it too): there has been an increase in funding all round, an exponential jump from five years ago
• Cyber threats have become a topic of concern: management is asking questions it didn't ask five years ago
• This is no longer just compliance-related: people are realizing this could affect their wallets


Security Mentality Is Growing

• The media: media hype draws attention (for better or worse); it's all around us and it's soaking into our culture
• The education of the normal user is growing; it might not seem like it, but it's on everyone's mind
• We have to harness this curiosity and mold it: this is the "Golden Age of Security Awareness".


Up and Coming Trends


Managed Security Services Providers (MSSP)

• Why aren't we doing this more? Who has a fully staffed team monitoring 24x7? Who doesn't? Would you consider it?
• Trust is a risk, but so is doing nothing
• Acquire additional services, or limit to in-house only?
• Create retainers for services on demand: malware reverse engineering, digital forensics, etc.


Deception in Depth

• Hackers don't play fair. Neither should you! Start using deception as a defense technique.
• We've been concerned with prevention only, not detection; a sea change in management's thinking is needed
• Honeypots, honeytokens, darknet alerting, sinkholes
• Many new vendors are coming out with deception tools; an area I hope grows in the future
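An added example (not from the deck) that ties together the honeyfiles listed under DLP above and the honeytokens and darknet alerting on this slide: a detector that reads constructed auth, file-access and flow records and alerts on any touch of a planted account, a decoy document, or an allocated-but-unused internal range routed to a sinkhole. These tripwires need no baseline and no signature, because nothing legitimate ever uses them, and grouping the alerts by source shows one host tripping all three. The account name, the file path, the 10.99.0.0/16 range and the log lines are assumptions made for the example.

```python
import ipaddress

# Assumed deception inventory, planted by us; nothing legitimate should ever touch these.
HONEYTOKEN_ACCOUNTS = {"svc_sap_backup"}               # exists in the vault export, used nowhere
HONEYFILES = {"/srv/finance/board-deck-FINAL.xlsx"}    # decoy document with access auditing on
DARKNET = [ipaddress.ip_network("10.99.0.0/16")]       # allocated but unused; routed to a sinkhole

# Constructed log lines (auth, file-access and flow records sharing one key=value style).
LOG = """\
AUTH 2016-03-01T02:14:07 user=alice src=10.20.5.10 result=success
AUTH 2016-03-01T02:14:09 user=svc_sap_backup src=10.20.5.44 result=failure
FILE 2016-03-01T02:15:31 user=bob src=10.20.5.44 path=/srv/finance/board-deck-FINAL.xlsx action=read
FLOW 2016-03-01T02:16:02 src=10.20.5.44 dst=10.99.12.3 dport=445
FLOW 2016-03-01T02:16:05 src=10.20.5.10 dst=10.1.2.3 dport=443
"""


def parse(line):
    kind, ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec.update(kind=kind, ts=ts)
    return rec


def check(rec):
    """Return an alert string if the record touches a tripwire, else None."""
    if rec["kind"] == "AUTH" and rec["user"] in HONEYTOKEN_ACCOUNTS:
        # A failed attempt counts too: someone had to obtain the name to try it.
        return f"honeytoken account {rec['user']} used from {rec['src']} ({rec['result']})"
    if rec["kind"] == "FILE" and rec["path"] in HONEYFILES:
        return f"honeyfile {rec['path']} {rec['action']} by {rec['user']} from {rec['src']}"
    if rec["kind"] == "FLOW":
        dst = ipaddress.ip_address(rec["dst"])
        if any(dst in net for net in DARKNET):
            return f"darknet probe {rec['src']} -> {rec['dst']}:{rec['dport']}"
    return None


def scan(text):
    """Run every line through the tripwires; return (timestamp, source, alert) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        msg = check(rec)
        if msg:
            alerts.append((rec["ts"], rec["src"], msg))
    return alerts


def pivot_sources(alerts):
    """Group alerts by source address so one box tripping several wires stands out."""
    by_src = {}
    for _, src, msg in alerts:
        by_src.setdefault(src, []).append(msg)
    return by_src
```

The honeytoken check deliberately ignores the auth result: a failed logon against an account nobody was told about is the whole signal. The same goes for a SYN to the darknet range, which is why that traffic is sinkholed rather than simply dropped.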


Cloud Based Security on the Rise

• Cloud-based security tools: two-factor authentication, DDoS protection, identity management, SIEM, endpoint protection
• Cloud Security Alliance STAR Registry
• Secure hosting: Amazon has made considerable advances in security services (WAF, security assessment, HSM, firewall, etc.)


Cyber Insurance

• This is on the rise and you need it. It's used for homes, cars and businesses; why not cyber attacks?
• Target was given $90 million from insurance and paid $162 million out of pocket
• Understand the legal nuances of cyber insurance: timeframes, logs, etc.
• Do a dry run of contacting your insurer: who are you going to call? Who needs to be involved (insurance, law enforcement, etc.)?
• Determine who you'll be working with, and know whether you need to bring something to the table


“Threat Intel” or “Sharing is Caring”

• Threat intelligence has grown over the past year
• The use of STIX/TAXII as a framework
• Multiple vendors creating vendor-specific intel
• Trusted circles, situational awareness, companies
• ISACs (Information Sharing and Analysis Centers) are being established: FS-ISAC (Financial Services ISAC), NH-ISAC (National Health ISAC), E-ISAC (Electricity ISAC)


Machine Learning and Behavioral Analysis

• Signatures have failed. Long live behavioral analysis.
• Next-generation anti-malware/anti-virus: blocking based on how code behaves, not on signatures; a limited set of instructions and less updating. Prevention with limited updating is key.
• Machine-learning network-based systems: determine how attacks work and alert on risk; profile users' normal activity; review what is considered out of the norm in east-west traffic.
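Profiling "normal" and alerting on departures from it, as an added example and not any vendor's method: a per-host baseline of east-west behaviour over 14 constructed days (distinct internal peers per day, plus the set of peers ever seen), then two checks on today's activity: a z-score on the peer count, with a floor on the standard deviation so a flat baseline does not page on two extra connections, and first-seen peers. Host names, the numbers and the thresholds are assumptions made for the example.

```python
import statistics

# Constructed 14-day baseline: distinct internal (east-west) peers each host talked to per day.
BASELINE_COUNTS = {
    "ws01":     [3, 4, 3, 5, 4, 3, 4, 4, 3, 5, 4, 3, 4, 4],
    "srv-db01": [5, 6, 5, 6, 5, 6, 5, 6, 5, 6, 5, 6, 5, 6],
}
# Peers each host was seen talking to at any point in the baseline window.
BASELINE_PEERS = {
    "ws01":     {"srv-file01", "srv-mail01", "srv-print01", "srv-dc01", "srv-proxy01"},
    "srv-db01": {"srv-app01", "srv-app02", "srv-dc01", "srv-backup01", "srv-mon01", "srv-sql02"},
}
# Today (constructed): ws01 suddenly sweeps two dozen application servers it never spoke to,
# srv-db01 behaves as usual, and ws02 is a host with no history at all.
TODAY = {
    "ws01":     {"srv-file01", "srv-mail01", "srv-dc01"} | {f"srv-app{i:02d}" for i in range(1, 25)},
    "srv-db01": {"srv-app01", "srv-app02", "srv-dc01", "srv-backup01", "srv-mon01", "srv-sql02"},
    "ws02":     {"srv-file01"},
}

MIN_DAYS = 7          # fewer days than this is not a baseline, it is a guess
SD_FLOOR = 1.0        # a flat history (sd ~ 0) must not turn "+2 peers" into a 3-sigma event
NEW_PEER_LIMIT = 3    # more first-seen peers than this in a day is worth a look on its own


def zscore(history, value):
    mean = statistics.mean(history)
    sd = max(statistics.pstdev(history), SD_FLOOR)
    return (value - mean) / sd


def profile(baseline_counts, baseline_peers, today, threshold=3.0):
    """Return {host: finding} for hosts whose east-west behaviour left their own baseline."""
    findings = {}
    for host, peers in today.items():
        history = baseline_counts.get(host)
        if history is None or len(history) < MIN_DAYS:
            findings[host] = {"status": "no baseline", "peers_today": len(peers)}
            continue
        z = zscore(history, len(peers))
        new_peers = sorted(peers - baseline_peers.get(host, set()))
        if z >= threshold or len(new_peers) > NEW_PEER_LIMIT:   # either signal is enough
            findings[host] = {"status": "anomaly", "z": round(z, 1),
                              "peers_today": len(peers), "new_peers": new_peers}
    return findings
```

The baseline is per host and nothing else, which is the point: the sweep from ws01 is 27 peers in a day, unremarkable for a database server and wildly abnormal for a workstation that usually talks to four. Hosts with no history get a separate status rather than a score, so an analyst sees "we have never watched this box" instead of a silent miss.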


Questions?

I know you have some. Let's hear them.


THIRD PARTY CYBER RISK: A PIVOTAL PILLAR IN YOUR INFOSEC PROGRAM

RISHI SINGH, CISSP, @singhonsecurity


AGENDA
• What is Third Party Risk Management ("TPRM")?
• Business justifications: why do TPRM?
• Third party breach metrics
• The interconnected IT/data supply chain
• Third party breaches: notable events
• Regulations and third party breaches
• Key steps for effective vendor risk management
• Approaches for dealing with suppliers


WHAT IS THIRD PARTY RISK MANAGEMENT (TPRM)

• Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.

• Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.

• There is no universally accepted framework for TPRM in the way COBIT or COSO are for IT governance and internal control, but there are some standard assessment questionnaires.


BUSINESS JUSTIFICATIONS – WHY DO TPRM?
• Reduce likelihood of data breach costs
• Reduce likelihood of costly operational failures
• Reduce likelihood of vendor bankruptcy
• Regulatory mandates may require it
• Prudent due diligence: an ethical obligation

WHAT'S ADVERTISED: "SaaS 'R' Us"

Internet connectivity is so ubiquitous that your data can be hosted in a variety of places, some of which would never pass muster. IaaS/SaaS/PaaS/DaaS vendors come in all shapes and sizes.


THIRD PARTY BREACH METRICS

• 41% to 63% of breaches involved third parties
• Per-record cost of a third-party breach is higher: $231 vs. $188
• 71% of companies failed to adequately manage the risk of third parties
• 90% of anti-corruption actions by the DOJ involved third parties


INTERCONNECTED IT/DATA SUPPLY CHAIN

DO YOU KNOW WHAT RISKS YOU ARE ACCEPTING?

[Diagram: the company at the centre of its IT/data supply chain.]
• Third parties connected to you: SaaS HRIS/payroll and benefits; marketing agencies; customer analytics; NOCs/SOCs; helpdesks; EDI/B2B networks; CRM; financial institutions, payment processors and banks; IaaS/PaaS/SaaS providers; consulting agencies; data storage
• How they connect: APIs/interfaces; VPN / Direct Connect; web access
• What comes back over those links: C&C traversal; credential theft; data loss; data remanence; malware

Critical vendors are defined not just by connectivity and level of access but also by whether they store your PII or IP.


THIRD PARTY BREACHES - NOTABLE EVENTS

August 2013: A medical transcription vendor engaged to transcribe physician care notes suffered a security lapse when patient data was inadvertently stored insecurely on a publicly accessible website. The data was from 32,000 patients.

December 2013: Hackers gained entry into Target's network via credentials stolen from a third-party HVAC vendor, which had an external connection to Target for electronic billing, contract submission, and project management. As a result, around 40 million credit and debit card accounts were stolen.

May 2014: A driver safety firm suffered a breach when it unintentionally backed up data to an unsecured internet-facing server, exposing personal information of current and former Lowe's drivers. The potentially exposed information included names, addresses, dates of birth, SSNs, driver's license numbers, and other driving record information.

September 2014: Hackers used credentials stolen from an unnamed third-party vendor to gain access to Home Depot's network, where they purportedly exploited an unpatched vulnerability to reach point-of-sale data. As a result, around 56 million payment card accounts and 53 million email addresses were stolen.


REGULATIONS & CERTIFICATIONS: A COMPLEX AREA, BUT OF CRITICAL IMPORTANCE IN THIRD PARTY VENDOR VALIDATION

New, stricter standards and increased scrutiny by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB), as well as the Federal Deposit Insurance Corporation (FDIC) and the Federal Financial Institutions Examination Council (FFIEC), mean financial institutions now have the same responsibilities for in-house and out-of-house services.

For many banks and non-banks, this will mean reevaluating vendor relationships and instituting increased safeguards and oversight to meet these new, stricter standards.

[Slide shows a set of regulation and certification logos: default starting points, by no means comprehensive.]

Safe Harbor, Oct 2015: struck down by the European courts.

Feb 2016: The European Commission published details of its transatlantic "Privacy Shield" agreement, designed to ensure that EU citizens' personal information is protected to EU standards when it is sent to the US, even though it appears the NSA will continue to carry out bulk collection of data under the new pact.


KEY STEPS FOR EFFECTIVE VENDOR RISK MANAGEMENT

ESTABLISHING THE PROGRAM

Seek management support and examine the business processes by which contracts enter the company and are executed.
• Form a hard stage gate: no contract involving data transfer, IT services/hosting etc. gets approved without InfoSec review/vetting.
• Establish a DDQ (due diligence questionnaire) pitched at the right level for the amount of risk you are willing to accept. Update it regularly; there is a lot of material out there:
  • NIST SP 800-39, Managing Information Security Risk
  • ISO/IEC 27005 (information security risk management) and ISO 31000 (risk management)
  • SIG (or SIG Lite), the Standardized Information Gathering questionnaire ($5.5k for the SIG package)
  • VRMMM, the Vendor Risk Management Maturity Model ($1.5k): a good foundational model for assessing improvement areas in managing vendor risk
  • Invest in the toolkits from sharedassessments.org
• Form a strong alliance with your vendor management office/procurement person and legal department.


DEALING WITH THE SUPPLIER(S)

Ask the tough questions and do not be complacent.
• "We have top-of-the-line security and the requisite controls." Good. Prove it.
• Request a redacted org chart: where does InfoSec live and report to in the org? Shared function? System or network engineering playing the security role? This tells you a lot.
• Run third-party assessment scans; leverage companies like BitSight.
• If they have a CISO, ask for a conversation with them.
• Answers of YES to everything on your DDQ with no substantiating details should be a red flag. Firms that have real security will be confident enough to put some details behind their answers in order to win your business.
• If they are missing foundational security controls, ask why; their answers will reveal a lot about how they "culturally view" security. Ask when those controls will be implemented. Make it part of the contract for renewal; if those controls are not there, seek insurance/more indemnification etc.
• How will they inform you of a breach? Do they have an incident response process/program in place?
• Is all your data solely with them, or are they passing it to other providers you aren't aware of? Is it crossing borders without Safe Harbor controls?
• Ask for a right-to-audit clause in the contract.
• What can their insurance cover? Do they have cyber security insurance?


TRINKETS FROM MY RISK MGMT JOURNEY: ACTUAL STATEMENTS

THE SECURITY DILUTION TACTICS
• "Our website has two factor but not our VPN because we don't allow any employees to work from home." (Their engineers were using an SSL-based VPN to maintain systems.)
• "Data at rest is not encrypted; based on our other security controls (firewall only) the risk is mitigated." (They were running MS-SQL with TDE capability but had never activated it.)
• "We do not allow vulnerability scans even with ROE and prior notification because it has crashed our systems in the past." (An attacker was targeting them; we provided high-level guidance to assist them in cleaning it up.)
• "We cannot provide any policies even in redacted form. Our SOC-1 (Service Organization Control report) is confidential and cannot be released." (Usually this means InfoSec policies were never sanctioned, supported or signed by upper management, or never distributed to employees. A SOC-1 audit letter carries no risk in being released; you're not asking for the findings report. Typically you'll find they cannot provide a bridge letter to cover the period since the audit end, hence the reluctance to disclose.)

THE FINANCIAL/LEGAL JEWELS
• "We cannot indemnify or offer damages for a breach because it would make us insolvent." (Recommended they increase their insurance and/or assign cyber security insurance coverage.)
• Never accept less liability coverage than would be required to address the breach; we've used liability caps as middle-ground negotiation points. Size it against the costs of remediation (mailings etc.), costs of replacement, costs of notification (especially in PII breaches), and media to recover company reputation.
• The larger companies that use the "can't afford" position will negotiate a cap or much broader coverage, after much pushing and sometimes cutting off talks for a time.
• Note: look for specific "carve-out" language stating that data breaches are not covered and/or that a data breach would result in a refund of X months of service. Ensure that is enough capital to cover breach and remediation costs.
• Regarding carve-outs, an additional paragraph on liability can be added: "Notwithstanding all other clauses herein, Vendor will reimburse Company for any and all losses arising out of any breach, disclosure, publication and/or unauthorized access to Company's data."
• Losses are defined as all claims, costs, damages, demands, judgments, and expenses (including reasonable attorneys' fees). Modify as needed based on the nature of the engagement.


Q&A SESSION