Modern infosec for the CFO. FEI Brisbane Lunch Event, 2016-02-23 (19 slides). The slide shows the date as binary-encoded ASCII: 00110010001100000011000100110110001011010011000000110010001011010011001000110011

FEI Brisbane Lunch: Cybersecurity and the CFO


Page 1: FEI Brisbane Lunch: Cybersecurity and the CFO

Modern infosec for the CFO

FEI Brisbane Lunch Event, 2016-02-23 (the date is shown on the slide as binary-encoded ASCII)

Page 2

Is it really that bad?

[Chart figures shown on the slide, unlabelled: 384, 375, 155]

Page 3

[Chart: reported vulnerabilities vs. unreported vulnerabilities]

Page 4

Is it really that bad?

It’s pretty bad.

[Chart repeated from page 2: 384, 375, 155]

Page 5

Why?

Money (mainly), but each player has their own agenda

Page 6

The main players

Hacktivists

Contract/lone-wolf hackers

Hacker groups

Organised crime syndicates

Government/intelligence agencies

Page 7

Breakdown

[Chart: share of breaches by actor, 2010 to 2015, 0% to 100%; series: Partner, Internal, Collusion, External]

Courtesy Verizon 2016 Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_Insiders_en_xg.pdf

Page 8

Common attack methods

Phishing and social engineering

Weak web-based services

Physical

Deep web information gathering

Poor authentication and system controls

Page 9

Common attack tools

Metasploit

Hardware plants

Wireless interceptors

PowerShell

Veil-Evasion

Page 11

Cracking the perimeter

A very determined attacker developed a customised exploit to compromise a perimeter system, gaining access to the internal network

Unconfirmed, but likely a web-based vulnerability that allowed full access to the corporate network

While complete details aren’t available, reports of physical intrusions into a company facility support the timeline and analysis of the breach at Sony

Page 12

Cracking the perimeter

State-sponsored attackers gained a foothold within the OPM network via a carefully targeted phishing email containing an infected Office document

Exactly how the breach occurred is not certain, but sources indicate it was a state-sponsored attack by China

Page 13

Defence

Enterprise-level protections have limitations

The digital economy requires systems to be interconnected

Attackers regularly use native tools

New vulnerabilities found daily

Patching large organisations takes time

We’re just not good enough.

Page 14

The CFO

Key player when it comes to the protection of the business

Knows how money is made, where the core assets lie and what the business simply cannot proceed without

Has knowledge of longer term initiatives and emerging business opportunities

Can influence culture

Page 15

Security challenges

Identifying value for money when it comes to security spend can be difficult

Many modern security solutions require multiple FTEs to operate, and only address part of the security problem

Security teams often find it difficult to identify which data to protect as a priority

Page 16

Security challenges

Too many organisations still pursue tightly scoped security testing engagements

Effectively planning future security spend requires foresight of upcoming business changes

Major business changes can attract significant attention from criminal elements

Page 17

How you can help

Highlight core business processes, services and systems directly to the CIO/CISO to ensure they attract the lion’s share of focus

‘Encouraging’ the CIO/CISO to regularly review IT security spend against effectiveness will help identify ineffective or deprecated systems and services

Helping to ensure spend is evenly distributed across prevention and detection puts the business in the best possible position

Page 18

How you can help

Insist on being a key stakeholder for any penetration test or security assessment

Support the concept of an unscoped testing approach with appropriate protections

Share plans on critical projects and initiatives as early as possible

Build a strong relationship with your lead security contact

Page 19

Summary

Your business is valuable, and you have things that attackers want

Spending on cyber security can be justified and should be measurable – you can help

Supporting a ‘no-rules’ approach to penetration testing delivers the most value

The focus should be on fast response to an attack, not an attempt to prevent all possible breaches