DEALING WITH A CYBER FUTURE THAT IS ALREADY HERE… · CIO TOP PRIORITIES 1. Make Security...

DEALING WITH A CYBER FUTURE THAT IS ALREADY HERE Rob Clyde, CISM, ISACA International VP, Board Member 11 February 2015


WHAT IS ISACA?


ABOUT ISACA

• Nonprofit association founded in 1969

• Vision and tagline: Trust in, and value from, information systems

• 115,000+ members from 180 countries and 205 chapters from all industry categories. Largest sectors are financial, public accounting, government, and technology.

• 21,000+ Certified Information Security Managers (CISMs)

• At the end of 2013, $91M in assets and $72M in net assets

• 120+ full time staff

• More than 500 volunteers


CIO TOP PRIORITIES

1. Make Security Everyone’s Business

2. Cyber Risk = Business Risk

3. Be A Change Agent

4. Business-Centric Vision

5. Anticipate the Cyber 9/11

Source: Wall Street Journal, Feb. 10, 2015

86% of CIOs said that the sophistication or pace of attackers will increase more quickly than their own


KEY TRENDS AND DRIVERS OF SECURITY

Consumerization

• Mobile devices

• Social media

• Cloud services

• Internet of Things

• Nonstandard

• Security as a Service

Continual Regulatory and Compliance Pressures

• SOX, PCI, EU Privacy

• ISO 27001

• Other regulations

Emerging Trends

• Decrease in time to exploit

• Targeted attacks

• Advanced persistent threats (APTs)


SIX LARGEST DATA BREACHES

Source: USA Today, Feb. 5, 2015

Feb 6, 2015

MOTIVATIONS BEHIND RECENT ATTACKS

Source: hackmageddon.com

January 2015

BOARD ROOM ATTENTION TO CYBER SECURITY


…AND THEY’VE EVOLVED CYBER THREATS

Chart: threat actors (Terrorists, Hacktivists/Vigilantes, Commercial Enterprises, Cybercriminals, Nation-States) plotted by Threat Sophistication, Capability For Damage and Ability To Protect

Source: CrowdStrike Inc., NACD Master Class Dec. 2014


CLOUD COMPUTING


Increased Risk? Decreased Risk?


EMPLOYEES’ USE OF SOCIAL MEDIA – RISKS AND IMPACTS

Source: Social Media: Business Benefits and Security, Governance and Assurance Perspectives, ISACA May 2010

BIG DATA

90% of the data in the world today has been created in the last two years alone.

Expectations for Big Data: $10.2 billion (2013), $53.4 billion (2017)

Source: Mushroom Networks, The Landscape of Big Data

DATA EXPLOSION

1 exabyte = 2 x the Web archive at the US Library of Congress

All the world’s digital data = 900 exabytes, 70% of which is created by individuals

Source: Mushroom Networks, The Landscape of Big Data

WHAT IS BIG DATA?

Volume of data

Velocity at which data is generated and needs to be processed

Variety of data sets and applications

Veracity or accuracy of the data before and after the results are discovered

Value at which the data can be processed, and the ROI the results deliver to the business

Source: Gartner – summarization of their 3 Vs of Big Data (Volume, Velocity and Variety). The remaining 2 Vs come from industry additions based on the Big Data Wiki page.

LEVERAGE YOUR BIG DATA TO GET BIG INSIGHTS

Discover New Opportunities and Reduce Costs While Accelerating Insights for a Competitive Advantage

65% of CIOs said “determining how to get value from data” was a big challenge – Wall Street Journal Feb. 10, 2015

BIG DATA GOVERNANCE

Is your organization effectively managing and governing Big Data? (n = 1,586)

Chart: responses Yes / Somewhat / No / Unsure, with the values shown as 15%, 46%, 23% and 16%

Source: ISACA’s Risk/Reward Barometer, 2014

BIG DATA VALUE AND CHALLENGE

Which of the following is most accurate for your enterprise? (n = 1,581)

• 15% – Big Data has already added significant value.

• 33% – Big Data has the potential to add significant value.

• 10% – Big Data has caused significant challenges.

• 11% – Big Data has the potential to cause significant challenges.

• 22% – It is too early to determine the value of Big Data.

• 9% – Unsure

48% think Big Data has or will add significant value

21% think Big Data has or could cause significant challenges

Source: ISACA’s Risk/Reward Barometer, 2014

BIG DATA CHALLENGES ACCORDING TO ISACA MEMBERS

Which of the following do you believe is the biggest challenge posed by Big Data? (n = 1,589)

Chart categories: Large-volume data management and storage; Shared ownership with other departments; Lack of analytics capabilities or skills; We are not facing any challenges; Other; Security threats from outsiders; Security threats from insiders; Compliance requirements (values shown: 18%, 19%, 20%, 2%, 3%, 19%, 16%, 13%)

48% view security or compliance as biggest challenge

Source: ISACA’s Risk/Reward Barometer, 2014

QUESTIONS BOARDS SHOULD BE ASKING ABOUT BIG DATA

• What principles, policies and frameworks are we going to establish to support the achievement of business strategy through Big Data?

• Can we trust our sources of Big Data?

• What structures and skills do we have to govern and manage IT?

• What structures and skills do we have to govern Big Data privacy?

• Do we have the right tools to meet our Big Data privacy requirements?

• How do we verify the authenticity of the data?

• Can we verify how the information will be used?

• What decision options do we have regarding Big Data privacy? What is the context for each decision?

• Can we simulate the decisions and understand the consequences?

• Will we record the consequences and use that information to improve our Big Data information gathering, context, analysis and decision-making processes?

• How will we protect our sources, our processes and our decisions from theft and corruption?

• Are we exploiting the insights we get from Big Data?

• What information are we collecting without exposing the enterprise to legal and regulatory battles?

• What actions are we taking that create trends that can be exploited by our rivals?

• What policies are in place to ensure that employees keep stakeholder information confidential during and after employment?

Source: ISACA white paper, Privacy and Big Data, 2013

MOBILE AND BYOD


MOBILE


Mobile attacks will continue to grow rapidly as new technologies expand the attack surface and app store abuse goes unchecked.

Source: Intel Security 2015 Threat Predictions

5M+ Mobile Malware Samples


BRING YOUR OWN DEVICE (BYOD) IS ALREADY HERE


BYOD POLICY

Which of the following best reflects your organization’s BYOD policy? (n = 1,619)

• 22% – My organization allows BYOD for all staff

• 32% – My organization allows BYOD for some staff

• 22% – My organization does not allow BYOD, and most employees follow the rules

• 5% – My organization does not allow BYOD, but most employees do it anyway

• 14% – My organization does not have any policy regarding BYOD

• 2% – Unsure

• 3% – Other

54% allow at least some BYOD

Source: ISACA’s Risk/Reward Barometer, 2014

ISACA GUIDANCE FOR MOBILE


THE SMAC STACK WILL ENABLE THE INTERNET OF THINGS

Source: Cognizant

The SMAC stack (Social, Mobile, Analytics/Big Data and Cloud) will power new applications that connect to “things”

“The next master architecture for enterprise IT, and its magnitude and importance.”

COMPUTERS WILL OUTNUMBER HUMANS 10:1 IN 2020

Source: Cognizant

INTERNET OF THINGS (IOT)

Source: 2014 HP Internet of Things Research Study

HP Test of 10 Popular IoT Devices (IP Cameras, smart meters, healthcare, fitness, SCADA, etc.)

Gartner predicts 26 Billion IoT Devices by 2020


UNPATCHED DEVICES REMAIN A SIGNIFICANT RISK


56% of tested devices using OpenSSL had not been updated in over 50 months

Source: 2015 Cisco Annual Security Report

Despite the 2014 publicity surrounding the Heartbleed security flaw in the transport layer, most devices have still not been upgraded.


INTERNET OF THINGS – THE END OF PRIVACY?


Introducing more private information about ourselves

Traditional Personally Identifying Information: Date of Birth, SSN/Govt. ID Number, Username, Name, Address

New IoT Personal Data (What? Where? When? Why?): Glucose level, Weight, Calories, GPS Location, Heart rate, Sleep, Mood, Surrounding Images, Driving habits, Exercise route, Travel route

EVEN OUR EMOTIONS CAN BE TRACKED

Source: Wall Street Journal, Jan. 28, 2015

INTERNET OF THINGS – POTENTIAL SECURITY CONCERNS

• Tethering via Bluetooth LE to smart phone (might be sniffed)

• Transmission and storage of information in cloud (might be hacked)

• Sharing of information via social media (likely to become public)

• Man-in-the-middle and redirect attacks (similar to mobile devices)


IOT – RECOMMENDATIONS FOR USERS

• Use a screen lock or password to prevent unauthorized access to your device

• Do not reuse the same user name and password between different sites

• Use strong passwords

• Turn off Bluetooth when not required

• Be wary of sites and services asking for unnecessary or excessive information

• Be careful when using social sharing features

• Avoid sharing location details on social media

• Avoid apps and services that do not prominently display a privacy policy

• Read and understand the privacy policy

• Install app and OS updates when available

• Use a device-based security solution

• Use full device encryption if available

Source: Symantec, “How Safe is Your Quantified Self”

IOT – RECOMMENDATIONS FOR APP DEVELOPERS

• Build security in from the start, not as an afterthought

• Always use secure protocols when transmitting data

• Ensure that the device is not directly or indirectly traceable

• Only collect data that is necessary to provide a service and nothing more

• Require strong passwords for user accounts

• Implement secure session management

• Follow best practices for password handling (only store salted hashes and not the real password)

• Follow secure coding practices

• Provide an easy to understand privacy policy and act within the stated policy

• Pen test system infrastructure to ensure security

• Ensure that backend systems are well protected from intrusion

• Make security testing a part of the product development process

Source: Symantec, “How Safe is Your Quantified Self”


IOT – RECOMMENDATIONS FOR ORGANIZATIONS


SPEAR-PHISHING ATTACKS

Source: 2014 Symantec Internet Security Threat Report

RECENT SPEAR PHISHING ATTACK (CEO→CFO)

From: Robert Clyde [mailto:[email protected]]
Sent: Wednesday, January 14, 2015 9:11 AM
Subject: Request

Hello Alan,

Hope your day is going well. I will need you to make a wire transfer for me today. What would you need to get it done?

Thanks
Robert A. Clyde

If the attacker received a response, what might come next?

What clues do you see that this is a phishing attack and not a legitimate e-mail?

ACTUAL E-MAIL HEADER

Delivered-To: . . .
Return-Path: <[email protected]>
. . .
From: "Robert Clyde " <[email protected]>
X-Sender: [email protected]
Reply-To: "Robert Clyde " <[email protected]>
To:
Subject: Request
Date: Wed, 14 Jan 2015 09:11:12 -0700
Mime-Version: 1.0
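The header above is the kind of evidence a mail gateway or analyst can check mechanically. As an added example that is not part of the original slides, the code below flags an executive's display name on a non-corporate address and any Reply-To, Return-Path or X-Sender that differs from the visible From address. The sample message, the domains and the executive list are constructed; only the field names match the slide.

```python
"""Header-consistency checks for a CEO-to-CFO style phishing e-mail.
Added example; message, domains and executive names are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample modelled on the slide: the display name is the CEO's,
# but Return-Path, X-Sender and Reply-To point at a mailbox elsewhere.
SAMPLE_HEADERS = """\
Return-Path: <request@mail-example.test>
From: "Robert Clyde " <robert.clyde@mail-example.test>
X-Sender: request@mail-example.test
Reply-To: "Robert Clyde " <request@mail-example.test>
To: alan@example.com
Subject: Request
Date: Wed, 14 Jan 2015 09:11:12 -0700
Mime-Version: 1.0

(body omitted)
"""

# Constructed: the organisation's own mail domain and the executives whose
# names a wire-transfer request would plausibly borrow.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"robert clyde", "robert a. clyde"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def analyze_headers(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, x_sender = parseaddr(msg.get("X-Sender", ""))
    findings = []

    # Core signal of the slide: a known executive's name on an external domain.
    name = from_name.strip().lower()
    from_domain = domain_of(from_addr)
    if name in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        findings.append(
            f"executive display name '{from_name.strip()}' on external domain '{from_domain}'")

    # A reply would go somewhere other than the visible sender.
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From '{from_addr}'")

    # Envelope sender and submitting account should normally match From.
    for field, value in (("Return-Path", return_path), ("X-Sender", x_sender)):
        if value and value.lower() != from_addr.lower():
            findings.append(f"{field} '{value}' differs from From '{from_addr}'")

    return findings


if __name__ == "__main__":
    for finding in analyze_headers(SAMPLE_HEADERS):
        print("-", finding)
```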


ON 12 JANUARY 2010 THE WORLD CHANGED… THE ADVANCED PERSISTENT THREAT

Source: http://www.eweek.com/c/a/Security/Google-China-and-the-Anatomy-of-the-Aurora-Attack-255807/

Google disclosed that it had been a victim of modern malware; 20+ companies were successfully targeted by a well-organized and coordinated effort to gain access to sensitive systems and information

Companies targeted spanned the financial, technology and chemical sectors


WHAT IS AN ADVANCED PERSISTENT THREAT?

ADVANCED, STEALTHY AND CHAMELEON-LIKE in its adaptability, APTs were once thought to be limited to attacks on government networks. However, APTs are commonplace and can happen to any enterprise. Repeated pursuit of objectives, adaptation to defenders and persistence differentiate APTs from a typical attack. Primarily, the purpose of the majority of APTs is to extract information from systems—this could be critical research, enterprise intellectual property or government information, among other things.


THE APT LIFECYCLE


THE APT LIFE CYCLE

History shows that most sophisticated attackers, regardless of their motives, funding or control, tend to operate in a certain cycle and are extremely effective at attacking their targets.


THE WORLD IS CHANGING


Today


ADAPTIVE ATTACK VECTORS

The threat landscape will continue to evolve as attackers adapt new and innovative attack methods to existing or adaptive attack vectors while defenders deploy new defense strategies.


APT MODUS OPERANDI

APTs have adapted their tactics, techniques and procedures to the typical information security architecture they find deployed. For example…

Traditional Security Practice → APT’s Modus Operandi

Network boundary/perimeter devices inspect traffic content. → SSL, custom encryption, and password protected/encrypted container files make packet content inspection difficult or impossible.

Network firewalls monitor and assess traffic metadata. → Communication initiated from within the network using standard ports and protocols (HTTP, DNS, SSL, SMTP, etc.).

Host firewalls monitor and assess local traffic metadata. → Initial infection tool adds malware to host firewall white list.

Intrusion detection and prevention systems with real-time assessment and alerting running on servers and workstations. → Communications use common ports and protocols – hide in plain sight within obvious/allowed traffic.


ISACA’S APT SURVEY

1,220 Individuals Globally; Fielded February 2014

Full Report: 11 June 2014

Because the study’s purpose was to measure information security characteristics such as knowledge of advanced persistent threats (APTs), internal controls, internal incidents, policy adherence and management support, the study surveyed those who deal with those issues every day: professionals with information security responsibilities.

Respondents are still using the wrong controls, such as antimalware, antivirus and firewalls, to defend against APTs. These aren’t effective as most of these attacks come from zero-day exploits and the attack vectors are very personalized spear-phishing attacks and now web exploits in the browser. While technology improvements are not clear, behavior is improving, with more organizations making the necessary changes in terms of incident response plans and security awareness training.

Source: http://www.isaca.org/Knowledge-Center/Research/Documents/APT-Survey-Report-2014_whp_Eng_0614.pdf


92% SAY APTS POSE A CREDIBLE THREAT TO NATIONAL SECURITY OR ECONOMIC STABILITY.

1 IN 5 HAVE EXPERIENCED AN APT ATTACK.

66% SAY IT IS LIKELY OR VERY LIKELY THAT THEIR ORGANIZATION WILL EXPERIENCE AN APT ATTACK:


METHODS FOR DEFENDING AGAINST THE APT

Many enterprises implement some of the intermediate-level concepts. Because the APT and other advanced, sophisticated attackers have such a high success rate, it is recommended that every enterprise implement all of the basic concepts.


YOU NEED TO BE ON THE OFFENSIVE

• Traditional prevention and detection is not enough

• Governments cannot prevent intrusions (but need to do more)

• Data loss is inevitable

• Attacks will continue

• Companies often breached for years

• New approaches required

Source: http://booksonwaraustralia.com/battle-vietnam-history-australian-/180-vietnam-war-offensive-australia-official-history.html

INCIDENT RESPONSE LIFE CYCLE


Source: Cichonski, Paul; Tom Millar; Tim Grance; Karen Scarfone; Computer Security Incident Handling Guide, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Revision 2, USA, August 2012.


TRANSFORMING CYBERSECURITY USING COBIT 5

Key Principles:

• Understand the potential impact of cybercrime

• Understand end users, their cultural values and their behavior patterns

• Establish the business case for cybersecurity and the risk appetite of your enterprise

• Establish Cybersecurity governance – how is this going to be overseen, what is the role of the Board?

• Manage Cybersecurity – projects and Business-as-Usual activity

• Obtain assurance – internal audit, external reviews… don’t forget to include investigative and forensic analysis, as required

• Continue the evolvement of Cybersecurity response through processes and controls

Source: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx

MALWARE BEYOND WINDOWS


The Shellshock vulnerability will fuel non-Windows malware attacks that will continue for years.

Source: Intel Security 2015 Threat Predictions


RANSOMWARE

Ransomware will evolve its methods of propagation, encryption, and targets.

Source: Intel Security 2015 Threat Predictions


RANSOMWARE EXPANSION

Ransomware is profitable

• Denying access to data

• Grew by over 500% in 2014

• Healthcare is an attractive target

Individuals and organizations can defeat this with the proper backups

However, cloud backups are also being attacked

Will Ransomware be applied to IoT?

• Home lockout?

• Car lockout?

• Pacemaker function?

Source: Lancope, IBM Security


TARGETED EXTORTIONWARE

Extortionware (cyber blackmail)

• Much more targeted

• Unlike ransomware, data has been exfiltrated and analyzed

• Unless terms are met, attacker will disclose data broadly or to specific target

Source: Lancope, Mashable


RE-AUTHENTICATION WEAKNESSES

Security questions

• Mother’s maiden name, pet’s name, favorite movie, etc.

• May be guessable or discoverable via social media, public sources, or social engineering

Attack on Wired’s Mat Honan in 2012 (Amazon & Apple)

• Attacker called Amazon and provided name, billing address, and e-mail address

• Then added a new credit card

• Called back to add a new e-mail address and used the new credit card number to authenticate

• Then reset the password using the new e-mail address and logged in

• Got 4 digits of Mat’s credit card from Amazon and used that to authenticate with Apple

• Lesson: Breaking into one site may reveal secrets needed to hack into another site

AUTHENTICATION WITH BIOMETRICS

• With new smartphones, fingerprint authentication becomes mainstream

• Biometrics can improve authentication

• Hacking biometrics may be possible

• Multiple authentication still best

• Use at least two of these:

  • Something you know (e.g., password)

  • Something you have (e.g., device, card, token)

  • Something you are (e.g., finger or voice print)


SECURITY (OR INSECURITY) STARTS WITH YOU


CYBERSECURITY NEXUS

www.isaca.org/cyber


…insights and resources for the cybersecurity professional…

…cutting-edge thought leadership, training and certification programs for professionals...

…knowledge, tools, guidance and connections…


CSX ELEMENTS


AVAILABLE NOW

• Cybersecurity Fundamentals Certificate and study guide

• Cybersecurity training courses

• Implementing the NIST Cybersecurity Framework Using COBIT 5

• European Cybersecurity Implementation Series

• Transforming Cybersecurity Using COBIT 5

• Responding to Targeted Cyberattacks

• Advanced Persistent Threats: Managing the Risks to Your Business

• 2014 APT Awareness Study

• Cybersecurity webinars and conference tracks (six-part webinar series)

• Cybersecurity Knowledge Center community

COMING SOON

• Cybersecurity practitioner-level certification

• SCADA guidance

• Digital forensics guidance


ISACA HAS NEARLY 2,000 STUDENT MEMBERS. A MAJORITY OF STUDENT MEMBERS (88%) PLAN TO WORK IN A FIELD REQUIRING CYBERSECURITY KNOWLEDGE

Page 71

BUT FEWER THAN HALF SAY THEY WILL HAVE ADEQUATE SKILLS FOR THE JOB

Page 72

DO YOU PLAN TO PURSUE A CYBERSECURITY RELATED CERTIFICATE OR CERTIFICATION?


Page 73

ISACA CERTIFICATIONS


Page 74

EACH CERTIFICATION’S FOCUS


CISA: …provide assurance by conducting audits and assessments of information systems…

CISM: …oversee, direct and manage information security activities…

CGEIT: …define, establish, maintain and manage a framework of governance over IT…

CRISC: …identify, evaluate and manage risk through the development, implementation and maintenance of information systems controls…

Page 75

ACHIEVEMENTS

CISA

• Established 1978

• 109,000+ certifications earned since inception

• SC Magazine award finalist

• ANSI/ISO/IEC 17024 accreditation

• Regular recognition for top pay by Foote Partners and Global Knowledge

CISM

• Established 2002

• 25,000+ certifications earned since inception

• SC Magazine award finalist four years in a row

• ANSI/ISO/IEC 17024 accreditation

• Regular recognition for top pay by Foote Partners and Global Knowledge

CGEIT

• Established 2007

• 6,000+ certifications earned since inception

• SC Magazine award finalist

• ANSI/ISO/IEC 17024 accreditation

• Foote Partners recognition for top pay

CRISC

• Established 2010

• 17,000+ certified

• SC Magazine award winner

• ANSI/ISO/IEC 17024 accreditation

• Regular recognition for top pay by Foote Partners and Global Knowledge

Page 76

NEW – CYBERSECURITY FUNDAMENTALS KNOWLEDGE CERTIFICATE

• Knowledge-based exam for those with 0 to 3 years’ experience

• Foundational level covers five domains:

1) Cybersecurity concepts

2) Cybersecurity architecture principles

3) Security of networks, systems, applications and data

4) Incident response

5) Security of evolving technology

The online exam is remotely proctored. Results are shared immediately, and those who pass receive a certificate.

The content aligns with the US NICE framework and the Skills Framework for the Information Age (SFIA) and was developed by a team of cybersecurity professionals from around the world. The team is involved in all areas of development through content contribution and subject matter expert reviews.

www.isaca.org/cybersecuritycertificate


Page 77

CERTIFICATES AND CERTIFICATIONS FOR SECURITY CAREER PATH

0-3 years: Cybersecurity Fundamentals Certificate (no experience required; must pass knowledge-based exam)

3-5 years: Cybersecurity practitioner-level certification (coming in mid-2015)

• Lab-based training

• Performance-based testing

5+ years: Certified Information Security Manager certification (25,000+ professionals certified since inception)


Page 78

CYBER SECURITY CAREERS

IT side:

• Security practitioner

• Security analyst

• Security manager

• Risk management

• Chief Information Security Officer (CISO)

Security product/vendor side:

• Security consultant

• Solution or pre-sales engineer or security expert

• Sales

• Product management or strategy

• Executive management


Page 79

CORE COMPETENCY CAREER MAP

Source: ISACA Journal Volume 4, 2013

Page 80

CONCLUSION


“Becoming a successful security practitioner is hard. Ideal candidates are well-rounded and have a solid foundation in networking, operating systems, web technologies and incident response, and an understanding of the threat landscape and risk management.”

Darren Van Booven, CISA, CISM, CISSP, CPA

Chief Information Security Officer, U.S. House of Representatives, and ISACA Member

Page 81

QUESTIONS?

Page 82

Rob Clyde
[email protected]

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Email: [email protected]
Web Site: www.isaca.org