www.commnexus.org
Upcoming MarketLink Technology Requirements:
March 13 – 14, 2012
• Mobility
• E-Health
• Security
• Social media for enterprises
• Video, Conferencing, Virtual Reality / Augmented Reality
Accepting applications now until February 24, 2012
(For a full list with details, please visit www.commnexus.org)
Apply at www.CommNexus.org
THANKS TO OUR SIG CO-CHAIRS!
Bill Unrue, CEO, Anonymizer
Matt Stamper, Vice President of Services, redIT
Bruce Roberts, Senior Vice President of Security Programs, Cubic Corporation
In Loving Memory of
MILES HALE
Formerly: Principal Systems Engineer, SAIC
and devoted SIG Co-Chair
THANKS TO OUR HOST & SPONSOR!
Emerging threat vectors to cyber security, et al
(where common protections are needed for ALL)
CommNexus SD Feb 1, 2012
Mike Davis
[email protected]/MSEE, CISSP, SysEngr
ISSA / TSN / SOeC and IEEE / SPAWAR / et al
Threat Vectors of Interest
• Mobile devices … and wireless always predicted, yet proliferates in 2012
– Start with BYOD, Android Trojans, digital wallets, USER provided network services!
– Wireless security issues expand (besides 802.11 & WiMAX, to Zigbee, WirelessHART, Z-Wave, etc.) … ARM hacking increases
• Cyber crime: easy money, minimal downside and growing
– Illicit cyber revenues have essentially equaled all illegal drug trafficking $$$
• Nation-sponsored hacking: When APT meets industrialization
– More targeted custom malware (Stuxnet -> Duqu is but one example)
• The insider threat is much more than you had imagined
– Coming from employees, partners, clients and compromised services and computing devices of all kinds. With improved social engineering attack
– social media critical data leaks / malware distribution
• Misanthropes and anti-socials / hacktivism grows
– Privacy vs. security (and trust) in social networks. Radical group’s DDOS attack can be effective on small businesses!
… mobile devices and cloud infrastructure hacking are potentially two of the biggest rising stars in cyber crime in 2012…
Threat Vectors of Interest (Cont.)
• SSL/XML/web (HTML5)/browser vulnerabilities will proliferate
– Browsers remain a major threat vector (and bypass the IA suite)
• Hackers feeling the heat… (the easy vulnerabilities are diminishing)
– they need to invest in better attack techniques and detection evasion….
• Cyber security becomes a business process…
– focused on data security, no longer a niche industry….
• Convergence of data security and privacy regulation worldwide..
– Compliance even more so (PCI DSS, HIPAA, etc.) .. What is “good enough” security?
– Data security goes to the cloud - where security due diligence is more than SLAs!
– IPv6 transition will provide threat opportunities… Data Loss Prevention is STILL key…
• Containment is the new prevention (folks now get the "resilience" aspect...)
• Full time incident responders needed, versus only virtual
– Monitoring and analysis capability increase, but not enough (re: near real-time forensics & “chain of custody” evidence)…. “continuous monitoring” is KEY… (re: NIST docs)
… there is MUCH to consider in the “threat” equation…
So what “really” matters in Cyber?
• OSD / federal
– Distributed Trust
– Resilient Architectures
– Response and Cyber Maneuver
– Visualization and Decision Support
– Component Trust
– Detection and Autonomic Response
– Recovery and Reconstitution
• NSA / agency
– Mobility, wireless, & secure mobile services
– Platform integrity / compliance assurance
– End client security
– Cyber indications and warning (I&W)
– Mitigation engineering (affordability)
– Massive data (data-centric security)
– Advanced technology…. (targeted)
– Virtualization – secure capabilities
It’s NOT all about expensive new “cyber toys” but more about the SoS / I&I “glue” (profiles, common EA, SoPs, standards, etc.)
Along with: (1) enforced cyber hygiene, (2) effective access control, (3) defense in depth IA / security suite and (4) continuous monitoring
San Diego FBI has two Cyber Squads:
The Criminal Squad works child pornography, criminal intrusions, Internet fraud, identity theft, and more.
The National Security Squad works cyber threats from foreign entities.
Our criminal squad will help you preserve evidence, prosecute the “bad guys”, and clean up your network.
Our national security squad will “share” information and help you secure your network.
InfraGard: www.infragard.net
Information sharing between the FBI, business, private individuals and other Government agencies.
www.ic3.gov
Emerging Threat Vectors
Matt Stamper, MS, MPIA, CISA
Vice President of Managed &
Professional [email protected]
858.836.0224
The Simple Complexity Risk
As we are discussing today, security threats come from a variety of sources, from organized crime to malicious insiders. This threat landscape creates the perfect storm for security breaches where IT is now perceived as being as simple as point and click. Simplicity comes at a cost!
Complexity of IT is masked by the ease of access (“There’s an app for that!”)
Complexity of business relationships (“Where’s the perimeter?”)
Complexity of underlying infrastructure (Code, servers, network, etc.)
Domain expertise & related competencies
Economic & Reputational Risk
Breach disclosure, coupled with state, national, and international privacy laws, requires new thinking about security. The often-discussed issue of brand exposure should now be front-and-center to security planning.
SEC (CF Disclosure Guidance: Topic No. 2 – October 13, 2011) + Regulation S-K Item 503(c) – Analysis of Risk Factors
Disclosure for potential impairment to goodwill, intangible assets, etc.
More rigorous disclosure control requirements (pervasive nature of IT general controls)
State Privacy Laws
California: SB-1386
Nevada: SB-227
Massachusetts: 201 CMR 17
Most organizations are simply ill-equipped to address the growing technical and regulatory complexity in an effective manner. This tension will increase throughout 2012.