Cybersecurity Myth vs Reality 20161120A (Public)
MYTH VS. REALITY
CYBERSECURITY CAREER
Presented by: Henry Jiang | CISSP
MYTH # 1
MYTH # 1 CYBERSECURITY = HACKING
The Computer Fraud and Abuse Act (CFAA), 18 U.S. Code 1030, states the following under criminal offenses:
(a) Whoever —
… “(2) intentionally accesses a computer without authorization or exceeds authorized access….”
Source(s): http://uscode.house.gov/view.xhtml?req=(title:18%20section:1030%20edition:prelim)
MYTH # 1 CYBERSECURITY = HACKING
Passive Defense examples: firewalls, IDP/IDS, anti-virus, sandboxing (more disruptive in nature)
Offense examples: Stuxnet, DDoS (off-limits to the private sector)
Active Defense: (a new and emerging concept)
“Active defense is a term that captures a spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense.”
Source: George Washington University’s Center for Cyber and Homeland Security (CCHS) https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf
MYTH # 1 CYBERSECURITY = HACKING
Cybersecurity is all about the CIA triad: Confidentiality, Integrity and Availability, and about managing the risk:
Risk = Threats x Vulnerability x Impact, or Risk = Threats x Vulnerability x Impact / Countermeasures (R = TVI/C)
MYTH # 2
Yes and no.
[Figure: a typical DDoS attack network traffic monitor view]
[Figure: DynDNS attack outage map on Oct 21, 2016]
MYTH # 2 (CONT.)
Perimeter attacks are noisy and ineffective. Insider threats are a real problem facing most organizations.
[Figure: a typical SIEM view]
Many threats are internal, and they are not always associated with malicious intent.
You could spend a lot of time dealing with IT, compliance officers and auditors.
MYTH # 3
MYTH # 3 CYBERSECURITY REQUIRES GOOD COMPUTER PROGRAMMING OR OTHER HARD TECHNICAL SKILLS
Top cyber (soft) skills:
• Analytical
• Very detail oriented
• Ability to explain complex problems in a clear and concise manner
• Communication skills
• Inter-personal skills
Useful technical skills and certifications:
• Data networking (TCP/IP, etc.)
• Programming / application development
• System administration
• SIEM platforms (Splunk, ArcSight, Sumologic, etc.)
• Technical: MCSE, CCNA/CCNP, Linux+
• Cyber: CISSP, CISM, CISA, C|EH, Security+, just to list a few…
MYTH # 3 CYBERSECURITY REQUIRES GOOD COMPUTER PROGRAMMING OR OTHER HARD TECHNICAL SKILLS
Kevin Mitnick used mostly social engineering skills to hack into computer systems.
MYTH # 3 CYBERSECURITY REQUIRES GOOD COMPUTER PROGRAMMING OR OTHER HARD TECHNICAL SKILLS
The World of Cyber Security: by Gary Hayslip CISSP, CISA, CRISC, CCSK CISO, City of San Diego, CA
(PDF copy available upon request.)
MYTH # 4 BRUTE FORCE ATTACKS ARE SUCCEEDING
- Not true. Brute force attacks can take a lot of resources and time.
For example, AES-256 encryption with the latest GPU (2 billion calculations per second) will take 9.1732631e50 years to exhaust half of the AES-256 key space.
- NIST: a 128-bit key is sufficient beyond 2031.
[Figure: a screenshot of an online bank's HTTPS/TLS 1.2 encryption strength]
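The slide's AES-256 figure, as an added worked example that is not part of the original talk: the function below computes the expected years to exhaust half of a key space at a given guess rate (the slide's 2 billion per second), using a 365.2425-day year, and generalises the same arithmetic to other key sizes, with 56-bit DES included for contrast.

```python
# Added example (not from the slides): expected brute-force search time for a
# symmetric key, generalised from the AES-256 figure on the slide.
# Assumptions: the attacker tests `guesses_per_second` keys per second and, on
# average, has to cover `fraction` of the key space (0.5 = half, the expected case).

GREGORIAN_YEAR_SECONDS = 365.2425 * 24 * 60 * 60  # 31 556 952 s


def brute_force_years(key_bits: int, guesses_per_second: float,
                      fraction: float = 0.5) -> float:
    """Expected years to find one `key_bits`-bit key by exhaustive search.

    Python ints are arbitrary precision, so 2**key_bits is exact; the final
    multiply by `fraction` converts to float, which is fine up to ~1000-bit keys.
    """
    if key_bits <= 0 or guesses_per_second <= 0 or not 0 < fraction <= 1:
        raise ValueError("key_bits, guesses_per_second and fraction must be positive")
    keys_to_test = (2 ** key_bits) * fraction        # keys the attacker expects to try
    seconds = keys_to_test / guesses_per_second
    return seconds / GREGORIAN_YEAR_SECONDS


def compare_key_sizes(guesses_per_second: float,
                      key_sizes=(56, 128, 256)) -> dict:
    """Map each key size to its expected search time in years at the given rate.

    Every extra bit doubles the work, so the table grows exponentially, not linearly.
    """
    return {bits: brute_force_years(bits, guesses_per_second) for bits in key_sizes}


if __name__ == "__main__":
    SLIDE_RATE = 2e9  # the slide's "2 billion calculations per sec"
    for bits, years in compare_key_sizes(SLIDE_RATE).items():
        print(f"{bits:>3}-bit key at {SLIDE_RATE:.0e} guesses/s: {years:.3e} years")
```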
MYTH # 5 – THREATS ARE EXTERNAL
Data breaches (by the count of occurrences) are often the result of external hacks done by adversaries.
Reality: Insider threats are one of the most common vectors of data breach. People are unaware, or do not have the right skills/tools, to protect their information.
MYTH # 5 - THREATS ARE EXTERNAL
Corporations need to focus on other controls such as:
- Administrative controls (policy, standard, and procedure)
- Detective and preventative controls:
* DLP (data leak prevention), IPS/IDS (intrusion prevention/detection systems), endpoint protection systems, DDoS remediation, encryption technologies, UEBA (user/entity behavior analytics) tools, etc.
- Hot areas: machine learning, micro controls (micro VMs, micro-segmentation, etc.), automation, threat intelligence.
MYTH # 6 – LAW MAKERS KNOW WHAT CYBER CONTROL IS ABOUT
Have you read the SEC's Regulation S-P, or GLBA?
https://www.sec.gov/rules/final/34-42974.htm
From Reg S-P, CFR 248.30(a):
(1) Insure the security and confidentiality of customer records and information;
(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
MYTH # 6 – LAW MAKERS KNOW WHAT CYBER CONTROL IS ABOUT
Insecure Email Example: [figure]
MYTH # 7
Reality: An APT (advanced persistent threat) often exploits the weakest link in a "kill chain."
Reference: Riva Richmond, "The RSA Hack: How They Did It", The New York Times, April 2, 2011
MYTH # 7
Source: http://blog.marketo.com/2014/06/how-marketers-can-learn-to-speak-it.html
MYTH # 8
Reality: With awareness and training, the online world is an extremely secure and efficient way to conduct business and improve our lives.
- Never use jailbroken devices
- Always download apps from official app stores (e.g. Apple, Google)
- Always use encryption (data-at-rest and data-in-transit)
- Use MFA (multi-factor authentication) wherever it is available (e.g. Amazon, Gmail, Yahoo mail, your online banks, etc.)
- Beware of scams and social engineering
THANK YOU!