Transcript of the slide deck “DEALING WITH A CYBER FUTURE THAT IS ALREADY HERE…”
DEALING WITH A CYBER FUTURE THAT IS ALREADY HERE Rob Clyde, CISM, ISACA International VP, Board Member 11 February 2015
AGENDA
Introduction
Cloud, Social and Big Data
Mobile and BYOD
The Internet of Things
Cyber Attack Trends
ISACA and A Cyber Security Career
Conclusion
WHAT IS ISACA?
ABOUT ISACA
• Nonprofit association founded in 1969
• Vision and tagline: Trust in, and value from, information systems
• 115,000+ members from 180 countries and 205 chapters from all industry categories. Largest sectors are financial, public accounting, government, and technology.
• 21,000+ Certified Information Security Managers (CISMs)
• At the end of 2013, $91M in assets and $72M in net assets
• 120+ full time staff
• More than 500 volunteers
4 | 2/13/2015
CIO TOP PRIORITIES
1. Make Security Everyone’s Business
2. Cyber Risk = Business Risk
3. Be A Change Agent
4. Business-Centric Vision
5. Anticipate the Cyber 9/11
Source: Wall Street Journal, Feb. 10, 2015
86% of CIOs said that the sophistication or pace of attackers will increase more quickly than their own
KEY TRENDS AND DRIVERS OF SECURITY
Consumerization
• Mobile devices
• Social media
• Cloud services
• Internet of Things
• Nonstandard
• Security as a Service
Continual Regulatory and Compliance Pressures
• SOX, PCI, EU Privacy
• ISO 27001
• Other regulations
Emerging Trends
• Decrease in time to exploit
• Targeted attacks
• Advanced persistent threats (APTs)
SIX LARGEST DATA BREACHES
Source: USA Today, Feb. 5, 2015
Feb 6, 2015
MOTIVATIONS BEHIND RECENT ATTACKS
Source: hackmageddon.com
January 2015
BOARD ROOM ATTENTION TO CYBER SECURITY
[Chart: Threat Sophistication. Actors, in increasing order: Terrorists; Hacktivists/Vigilantes; Commercial Enterprises; Cybercriminals; Nation-States. Axes: Capability For Damage vs. Ability To Protect]
CYBER THREATS… AND THEY’VE EVOLVED
Source: CrowdStrike Inc., NACD Master Class Dec. 2014
CLOUD COMPUTING
Increased Risk? Decreased Risk?
SOCIAL MEDIA USE
EMPLOYEES’ USE OF SOCIAL MEDIA – RISKS AND IMPACTS
Source: Social Media: Business Benefits and Security, Governance and Assurance Perspectives, ISACA May 2010
• 90% of the data in the world today has been created in the last two years alone.
• Expectations for Big Data: $10.2 billion (2013) → $53.4 billion (2017)
BIG DATA
• 1 exabyte = 2 x Web archive at US Library of Congress
• All the world’s digital data = 900 exabytes, 70% of which is created by individuals
Source: Mushroom Networks, The Landscape of Big Data
DATA EXPLOSION
WHAT IS BIG DATA?
Volume of data
Velocity at which data is generated and needs to be processed
Variety of data sets and applications
Veracity or accuracy of the data, before and after the results are discovered
Value at which the data can be processed, and the ROI the results deliver to the business
Source: Gartner – summarization of their 3 Vs of Big Data (Volume, Velocity and Variety). The Remaining 2 Vs come from industry addition based on Big Data Wiki page.
LEVERAGE YOUR BIG DATA TO GET BIG INSIGHTS
Discover New Opportunities and Reduce Costs While
Accelerating Insights for a
Competitive Advantage
65% of CIOs said “determining how to get value from data” was a big challenge – Wall Street Journal Feb. 10, 2015
Is your organization effectively managing and governing Big Data? (n = 1,586)
• Yes: 15%
• Somewhat: 46%
• No: 23%
• Unsure: 16%
Source: ISACA’s Risk/Reward Barometer, 2014
BIG DATA GOVERNANCE
Which of the following is most accurate for your enterprise? (n = 1,581)
• Big Data has already added significant value: 15%
• Big Data has the potential to add significant value: 33%
• Big Data has caused significant challenges: 10%
• Big Data has the potential to cause significant challenges: 11%
• It is too early to determine the value of Big Data: 22%
• Unsure: 9%
Source: ISACA’s Risk/Reward Barometer, 2014
BIG DATA VALUE AND CHALLENGE
48% think Big Data has or will add significant value
21% think Big Data has or could cause significant challenges
Which of the following do you believe is the biggest challenge posed by Big Data? (n = 1,589)
• Large-volume data management and storage: 18%
• Shared ownership with other departments: 19%
• Lack of analytics capabilities or skills: 20%
• We are not facing any challenges: 2%
• Other: 3%
• Security threats from outsiders: 19%
• Security threats from insiders: 16%
• Compliance requirements: 13%
Source: ISACA’s Risk/Reward Barometer, 2014
BIG DATA CHALLENGES ACCORDING TO ISACA MEMBERS
48% view security or compliance as biggest challenge
Security
Compliance
• What principles, policies and frameworks are we going to establish to support the achievement of business strategy through Big Data?
• Can we trust our sources of Big Data?
• What structures and skills do we have to govern and manage IT?
• What structures and skills do we have to govern Big Data privacy?
• Do we have the right tools to meet our Big Data privacy requirements?
• How do we verify the authenticity of the data?
• Can we verify how the information will be used?
• What decision options do we have regarding Big Data privacy? What is the context for each decision?
• Can we simulate the decisions and understand the consequences?
• Will we record the consequences and use that information to improve our Big Data information gathering, context, analysis and decision-making processes?
• How will we protect our sources, our processes and our decisions from theft and corruption?
• Are we exploiting the insights we get from Big Data?
• What information are we collecting without exposing the enterprise to legal and regulatory battles?
• What actions are we taking that create trends that can be exploited by our rivals?
• What policies are in place to ensure that employees keep stakeholder information confidential during and after employment?
Source: ISACA white paper, Privacy and Big Data, 2013
QUESTIONS BOARDS SHOULD BE ASKING ABOUT BIG DATA
MOBILE AND BYOD
MOBILE
Mobile attacks will continue to grow rapidly as new technologies expand the attack surface and app store abuse goes unchecked.
Source: Intel Security 2015 Threat Predictions
5M+ Mobile Malware Samples
BRING YOUR OWN DEVICE (BYOD) IS ALREADY HERE
Which of the following best reflects your organization’s BYOD policy? (n = 1,619)
• My organization allows BYOD for all staff: 22%
• My organization allows BYOD for some staff: 32%
• My organization does not allow BYOD, and most employees follow the rules: 22%
• My organization does not allow BYOD, but most employees do it anyway: 5%
• My organization does not have any policy regarding BYOD: 14%
• Unsure: 2%
• Other: 3%
Source: ISACA’s Risk/Reward Barometer, 2014
BYOD POLICY
54% allow at least some BYOD
ISACA GUIDANCE FOR MOBILE
THE SMAC STACK WILL ENABLE THE INTERNET OF THINGS
Source: Cognizant
The SMAC stack (Social, Mobile, Analytics/Big Data and Cloud) will power new applications that connect to “things”
“The next master architecture for enterprise IT, and its magnitude and importance.”
COMPUTERS WILL OUTNUMBER HUMANS 10:1 IN 2020
Source: Cognizant
INTERNET OF THINGS (IOT)
Source: 2014 HP Internet of Things Research Study
HP Test of 10 Popular IoT Devices (IP Cameras, smart meters, healthcare, fitness, SCADA, etc.)
Gartner predicts 26 Billion IoT Devices by 2020
UNPATCHED DEVICES REMAIN A SIGNIFICANT RISK
56% of tested devices using OpenSSL had not been updated in over 50 months
Source: 2015 Cisco Annual Security Report
Despite the 2014 publicity surrounding the Heartbleed security flaw in the transport layer, most devices have still not been upgraded.
INTERNET OF THINGS – THE END OF PRIVACY?
Introducing more private information about ourselves
Traditional Personally Identifying Information:
• Date of Birth
• SSN/Govt. ID Number
• Username
• Name
• Address
New IoT Personal Data (What? Where? When? Why?):
• Glucose level
• Weight
• Calories
• GPS Location
• Heart rate
• Sleep
• Mood
• Surrounding Images
• Driving habits
• Exercise route
• Travel route
EVEN OUR EMOTIONS CAN BE TRACKED
Source: Wall Street Journal, Jan. 28, 2015
INTERNET OF THINGS – POTENTIAL SECURITY CONCERNS
• Tethering via Bluetooth LE to smart phone (might be sniffed)
• Transmission and storage of information in cloud (might be hacked)
• Sharing of information via social media (likely to become public)
• Man-in-the-middle and redirect attacks (similar to mobile devices)
IOT – RECOMMENDATIONS FOR USERS
• Use a screen lock or password to prevent unauthorized access to your device
• Do not reuse the same user name and password between different sites
• Use strong passwords
• Turn off Bluetooth when not required
• Be wary of sites and services asking for unnecessary or excessive information
• Be careful when using social sharing features
• Avoid sharing location details on social media
• Avoid apps and services that do not prominently display a privacy policy
• Read and understand the privacy policy
• Install app and OS updates when available
• Use a device-based security solution
• Use full device encryption if available
Source: Symantec, “How Safe is Your Quantified Self”
IOT – RECOMMENDATIONS FOR APP DEVELOPERS
• Build security in from the start, not as an afterthought
• Always use secure protocols when transmitting data
• Ensure that the device is not directly or indirectly traceable
• Only collect data that is necessary to provide a service and nothing more
• Require strong passwords for user accounts
• Implement secure session management
• Follow best practices for password handling (only store salted hashes and not the real password)
• Follow secure coding practices
• Provide an easy to understand privacy policy and act within the stated policy
• Pen test system infrastructure to ensure security
• Ensure that backend systems are well protected from intrusion
• Make security testing a part of the product development process
Source: Symantec, “How Safe is Your Quantified Self”
IOT – RECOMMENDATIONS FOR ORGANIZATIONS
SPEAR-PHISHING ATTACKS
Source: 2014 Symantec Internet Security Threat Report
RECENT SPEAR PHISHING ATTACK (CEO→CFO)
From: Robert Clyde [mailto:[email protected]]
Sent: Wednesday, January 14, 2015 9:11 AM
Subject: Request

Hello Alan, Hope your day is going well. I will need you to make a wire transfer for me today. What would you need to get it done? Thanks
Robert A. Clyde

If the attacker received a response, what might come next?
What clues do you see that this is a phishing attack and not a legitimate e-mail?
ACTUAL E-MAIL HEADER
Delivered-To: . . .
Return-Path: <[email protected]>
. . .
From: "Robert Clyde " <[email protected]>
X-Sender: [email protected]
Reply-To: "Robert Clyde " <[email protected]>
To:
Subject: Request
Date: Wed, 14 Jan 2015 09:11:12 -0700
Mime-Version: 1.0
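One way a mail gateway or an analyst's triage script could surface the clues this header shows (an executive's display name on an outside address, Reply-To and Return-Path pointing to another domain, and a wire-transfer request with an urgency cue), as an added example that is not from the presentation; the domains, addresses and the executive directory are constructed placeholders, since the slide redacts the real ones.

```python
"""Header and body heuristics for the CEO-to-CFO spear-phishing pattern above.

Added example, not from the presentation; the addresses, domains and the
executive directory below are constructed placeholders (the slide redacts them).
"""
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample modelled on the slide: the display name is the CEO's,
# but every routable address sits outside the company domain.
PHISH = """\
Return-Path: <bounce@attacker-reply.test>
From: "Robert Clyde " <robert.clyde.ceo@freemail-provider.test>
X-Sender: robert.clyde.ceo@freemail-provider.test
Reply-To: "Robert Clyde " <rclyde@attacker-reply.test>
To: alan@example-corp.test
Subject: Request
Date: Wed, 14 Jan 2015 09:11:12 -0700
Mime-Version: 1.0

Hello Alan, Hope your day is going well. I will need you to make a wire transfer for me today.
What would you need to get it done? Thanks
Robert A. Clyde
"""

# Constructed benign message from the real executive mailbox, for contrast.
BENIGN = """\
Return-Path: <rclyde@example-corp.test>
From: Robert Clyde <rclyde@example-corp.test>
To: alan@example-corp.test
Subject: Board deck

Alan, the Q1 board deck is in the shared folder for your review.
"""

# Constructed directory: executives commonly impersonated -> their real mail domain.
EXECUTIVES = {"robert clyde": "example-corp.test"}
PAYMENT_TERMS = ("wire transfer", "payment", "invoice")
URGENCY_TERMS = ("today", "urgent", "asap", "immediately")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = Parser().parsestr(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    # 1. A known executive's name paired with an address outside the company domain.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and from_dom != expected:
        findings.append(f"exec impersonation: {name.strip()!r} sent from {from_dom}")
    # 2./3. Reply-To or Return-Path pointing away from the From domain: replies
    #       (and bounces) reach the attacker rather than the apparent sender.
    for hdr in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(hdr, ""))
        if other and domain_of(other) != from_dom:
            findings.append(f"{hdr} domain {domain_of(other)} differs from From domain {from_dom}")
    # 4. Payment request combined with an urgency cue in a plain-text body.
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    if any(t in body for t in PAYMENT_TERMS) and any(t in body for t in URGENCY_TERMS):
        findings.append("body: payment request with urgency cue")
    return findings


def is_suspicious(raw, threshold=2):
    """Two or more independent indicators is a reasonable bar for triage."""
    return len(analyse(raw)) >= threshold
```

A real deployment would pull the executive directory from the identity provider and pair these checks with SPF/DKIM results, but the four indicators above are exactly the ones a reader can verify by eye in the header on the slide.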
ON 12 JANUARY 2010 THE WORLD CHANGED… THE ADVANCED PERSISTENT THREAT
Source: http://www.eweek.com/c/a/Security/Google-China-and-the-Anatomy-of-the-Aurora-Attack-255807/
• Google disclosed that it had been a victim of modern malware
• 20+ companies successfully targeted by a well organized and coordinated effort to gain access to sensitive systems and information
• Companies targeted spanned the financial, technology and chemical sectors
WHAT IS AN ADVANCED PERSISTENT THREAT?
ADVANCED, STEALTHY AND CHAMELEON-LIKE in its adaptability, APTs were once thought to be limited to attacks on government networks. However, APTs are commonplace and can happen to any enterprise. Repeated pursuit of objectives, adaptation to defenders and persistence differentiate APTs from a typical attack. Primarily, the purpose of the majority of APTs is to extract information from systems—this could be critical research, enterprise intellectual property or government information, among other things.
THE APT LIFECYCLE
THE APT LIFE CYCLE
History shows that most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle and are extremely effective at attacking their targets.
THE WORLD IS CHANGING
ADAPTIVE ATTACK VECTORS
The threat landscape will continue to evolve as attackers adapt new and innovative attack methods to existing or adaptive attack vectors while defenders deploy new defense strategies.
APT MODUS OPERANDI
APTs have adapted their tactics, techniques and procedures to the typical information security architecture they find deployed. For example…
Traditional Security Practice → APT’s Modus Operandi
• Network boundary/perimeter devices inspect traffic content. → SSL, custom encryption, and password protected/encrypted container files make packet content inspection difficult or impossible.
• Network firewalls monitor and assess traffic metadata. → Communication initiated from within the network using standard ports and protocols (HTTP, DNS, SSL, SMTP, etc.).
• Host firewalls monitor and assess local traffic metadata. → Initial infection tool adds malware to the host firewall white list.
• Intrusion detection and prevention systems with real-time assessment and alerting running on servers and workstations. → Communications use common ports and protocols – hide in plain sight within obvious/allowed traffic.
ISACA’S APT SURVEY
1,220 Individuals Globally; Fielded February 2014
Full Report: 11 June 2014
Because the study’s purpose was to measure information security characteristics such as knowledge of advanced persistent threats (APTs), internal controls, internal incidents, policy adherence and management support, the study surveyed those who deal with those issues every day: professionals with information security responsibilities.
Respondents are still using the wrong controls, such as antimalware, antivirus and firewalls, to defend against APTs. These aren’t effective as most of these attacks come from zero-day exploits and the attack vectors are very personalized spear-phishing attacks and now web exploits in the browser. While technology improvements are not clear, behavior is improving, with more organizations making the necessary changes in terms of incident response plans and security awareness training.
Source: http://www.isaca.org/Knowledge-Center/Research/Documents/APT-Survey-Report-2014_whp_Eng_0614.pdf
92% SAY APTS POSE A CREDIBLE THREAT TO NATIONAL SECURITY OR ECONOMIC STABILITY.
1 IN 5 HAVE EXPERIENCED AN APT ATTACK.
66% SAY IT IS LIKELY OR VERY LIKELY THAT THEIR ORGANIZATION WILL EXPERIENCE AN APT ATTACK:
METHODS FOR DEFENDING AGAINST THE APT
Many enterprises implement some of the intermediate-level concepts. Because the APT and other advanced, sophisticated attackers have such a high success rate, it is recommended that every enterprise implement all of the basic concepts.
YOU NEED TO BE ON THE OFFENSIVE
• Traditional prevention and detection is not enough
• Governments cannot prevent intrusions (but need to do more)
• Data loss is inevitable
• Attacks will continue
• Companies often breached for years
• New approaches required
Source: http://booksonwaraustralia.com/battle-vietnam-history-australian-/180-vietnam-war-offensive-australia-official-history.html
INCIDENT RESPONSE LIFE CYCLE
Source: Cichonski, Paul; Tom Millar; Tim Grance; Karen Scarfone; Computer Security Incident Handling Guide, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Revision 2, USA, August 2012.
TRANSFORMING CYBERSECURITY USING COBIT 5
Key Principles:
• Understand the potential impact of cybercrime
• Understand end users, their cultural values and their behavior patterns
• Establish the business case for cybersecurity and the risk appetite of your enterprise
• Establish Cybersecurity governance – how is this going to be overseen, what is the role of the Board?
• Manage Cybersecurity – projects and Business-as-Usual activity
• Obtain assurance – internal audit, external reviews… don’t forget to include investigative and forensic analysis, as required
• Continue the evolution of Cybersecurity response through processes and controls
Source: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx
MALWARE BEYOND WINDOWS
The Shellshock vulnerability will fuel non-Windows malware attacks that will continue for years.
Source: Intel Security 2015 Threat Predictions
RANSOMWARE
Ransomware will evolve its methods of propagation, encryption, and targets.
Source: Intel Security 2015 Threat Predictions
RANSOMWARE EXPANSION
Ransomware is profitable
• Denying access to data
• Grew by over 500% in 2014
• Healthcare is an attractive target
Individuals and organizations can defeat this with the proper backups
However, cloud backups are also being attacked
Will Ransomware be applied to IoT?
• Home lockout?
• Car lockout?
• Pacemaker function?
Source: Lancope, IBM Security
TARGETED EXTORTIONWARE
Extortionware (cyber blackmail)
• Much more targeted
• Unlike ransomware, data has been exfiltrated and analyzed
• Unless terms are met, attacker will disclose data broadly or to specific target
Source: Lancope, Mashable
RE-AUTHENTICATION WEAKNESSES
Security questions
• Mother’s maiden name, pet’s name, favorite movie, etc.
• May be guessable or discoverable via social media, public sources, or social engineering
Attack on Wired’s Mat Honan in 2012 (Amazon & Apple)
• Called Amazon and provided name, billing address, and e-mail address
• Then added a new credit card
• Called back to add a new e-mail address and used the new credit card number to authenticate
• Then reset password using new e-mail address and logged in
• Got 4 digits of Mat’s credit card from Amazon and used that to authenticate with Apple
• Lesson: Breaking into one site may reveal secrets needed to hack into another site
AUTHENTICATION WITH BIOMETRICS
• With new smartphones, fingerprint authentication becomes mainstream
• Biometrics can improve authentication
• Hacking biometrics may be possible
• Multiple authentication still best
• Use at least two of these:
  • Something you know (e.g., password)
  • Something you have (e.g., device, card, token)
  • Something you are (e.g., finger or voice print)
SECURITY (OR INSECURITY) STARTS WITH YOU
ISACA AND A CYBER SECURITY CAREER
CYBERSECURITY NEXUS
www.isaca.org/cyber
…insights and resources for the cybersecurity professional…
…cutting-edge thought leadership, training and certification programs for professionals...
…knowledge, tools, guidance and connections…
CSX ELEMENTS
AVAILABLE NOW
Cybersecurity Fundamentals Certificate and study guide
Cybersecurity training courses
Implementing the NIST Cybersecurity Framework Using COBIT 5
European Cybersecurity Implementation Series
Transforming Cybersecurity Using COBIT 5
Responding to Targeted Cyberattacks
Advanced Persistent Threats: Managing the Risks to Your Business
2014 APT Awareness Study
Cybersecurity webinars and conference tracks (six-part webinar series)
Cybersecurity Knowledge Center community
COMING SOON
Cybersecurity practitioner-level certification
SCADA guidance
Digital forensics guidance
ISACA HAS NEARLY 2,000 STUDENT MEMBERS. A MAJORITY OF STUDENT MEMBERS (88%) PLAN TO WORK IN A FIELD REQUIRING CYBERSECURITY KNOWLEDGE
BUT FEWER THAN HALF SAY THEY WILL HAVE ADEQUATE SKILLS FOR THE JOB
DO YOU PLAN TO PURSUE A CYBERSECURITY RELATED CERTIFICATE OR CERTIFICATION?
ISACA CERTIFICATIONS
EACH CERTIFICATION’S FOCUS
CISA …provide assurance by conducting audits and assessments of information systems…
CISM …oversee, direct and manage information security activities…
CGEIT …define, establish, maintain and manage a framework of governance over IT…
CRISC …identify, evaluate and manage risk through the development, implementation and maintenance of information systems controls…
ACHIEVEMENTS
CISA
• Established 1978
• 109,000+ certifications earned since inception
• SC Magazine award finalist
• ANSI/ISO/IEC 17024 accreditation
• Regular recognition for top pay by Foote Partners and Global Knowledge
CISM
• Established 2002
• 25,000+ certifications earned since inception
• SC Magazine award finalist four years in a row
• ANSI/ISO/IEC 17024 accreditation
• Regular recognition for top pay by Foote Partners and Global Knowledge
CGEIT
• Established 2007
• 6,000+ certifications earned since inception
• SC Magazine award finalist
• ANSI/ISO/IEC 17024 accreditation
• Foote Partners recognition for top pay
CRISC
• Established 2010
• 17,000+ certified
• SC Magazine award winner
• ANSI/ISO/IEC 17024 accreditation
• Regular recognition for top pay by Foote Partners and Global Knowledge
NEW – CYBERSECURITY FUNDAMENTALS KNOWLEDGE CERTIFICATE
• Knowledge-based exam for those with 0 to 3 years’ experience
• Foundational level covers five domains:
  1) Cybersecurity concepts
  2) Cybersecurity architecture principles
  3) Security of networks, systems, applications and data
  4) Incident response
  5) Security of evolving technology
The online exam is remotely proctored. Results are shared immediately, and those who pass receive a certificate.
The content aligns with the US NICE framework and the Skills Framework for the Information Age (SFIA) and was developed by a team of cybersecurity professionals from around the world. The team is involved in all areas of development through content contribution and subject matter expert reviews.
www.isaca.org/cybersecuritycertificate
CERTIFICATES AND CERTIFICATIONS FOR SECURITY CAREER PATH
0-3 years: Cybersecurity Fundamentals Certificate (no experience required; must pass knowledge-based exam)
3-5 years: Cybersecurity practitioner-level certification (coming in mid-2015)
• Lab-based training
• Performance-based testing
5+ years: Certified Information Security Manager certification (25,000+ professionals certified since inception)
CYBER SECURITY CAREERS
IT Side:
• Security practitioner
• Security analyst
• Security manager
• Risk management
• Chief Information Security Officer (CISO)
Security Product/Vendor side:
• Security consultant
• Solution or pre-sales engineer or security expert
• Sales
• Product management or strategy
• Executive Management
CORE COMPETENCY CAREER MAP
Source: ISACA Journal Volume 4, 2013
CONCLUSION
“Becoming a successful security practitioner is hard. Ideal candidates are well-rounded and have a solid foundation in networking, operating systems, web technologies and incident response, and an understanding of the threat landscape and risk management.”
Darren Van Booven, CISA, CISM, CISSP, CPA
Chief Information Security Officer, U.S. House of Representatives, and ISACA Member
QUESTIONS?
Rob Clyde
[email protected]
ISACA, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Email: [email protected]
Web Site: www.isaca.org