THE CYBER FUTURE IS ALREADY HERE
Robert E Stroud, Immediate Past Chair, ISACA International
[email protected]
Analyst, Forrester Research
March 2016
BOARD ROOM ATTENTION TO CYBER SECURITY
MONETIZATION OF CYBER CRIME
Item: Cost on black market
• 1,000 Stolen Email Addresses: $0.50 to $10
• Credit Card Details: $0.50 to $20
• Scans of Real Passports: $1 to $2
• Stolen Gaming Accounts: $10 to $15
• Custom Malware: $12 to $3500
• 1,000 Social Network Followers: $2 to $12
• Stolen Cloud Accounts: $7 to $8
• 1 Million Verified Email Spam Mail-outs: $70 to $150
• Registered and Activated Russian Mobile Phone SIM Card: $100
Source: Symantec 2015 Internet Security Threat Report, Volume 20
HONG KONG STOCK EXCHANGE HAS UPGRADED HONG KONG'S CORPORATE GOVERNANCE CODE (EFFECTIVE JANUARY 1, 2016)
• Incorporating risk management into the Code where appropriate
• Defining the roles and responsibilities of the board and management
• Clarifying that the board has an ongoing responsibility to oversee the issuer’s risk management and internal control systems
• Upgrading the following to ‘comply or explain’: (a) that issuers should have an internal audit function and (b) those provisions in relation to the annual review of the effectiveness of the issuer’s risk management and internal control systems, and disclosures in the Corporate Governance Report
Source: Mayer Brown JSM, Legal Update, December 30, 2015
15% lack an internal audit function (KPMG/Hong Kong Institute of Chartered Secretaries survey, Oct. 2015)
CLOUD, SOCIAL, AND BIG DATA
CLOUD BENEFITS
What benefits have you received from your cloud deployment?
Source: Cloud Security Spotlight Report, Crowd Research Partners, LinkedIn Group Partner, Information Security, March 2015
“Public Cloud and SaaS are giving smaller businesses an asymmetric competitive advantage over larger competitors” – Rob Clyde at National Association of Corporate Directors, April 12, 2015
WHAT LIMITS CLOUD ADOPTION?
What to do?
• Encryption helps, but key management is critical
• Regulatory, sensitivity and privacy issues may require that some data is restricted to certain physical locations
• Restrict sensitive workloads (e.g., PCI) to trusted hardware and software server stack
• Only allow certain workloads to run on hardware in approved physical location
• Only allow certain workload data to be decrypted in approved physical location
• Cloud solutions require a combination of capabilities to achieve "defense in depth" and compliance readiness
Source: 2014 Open Data Center Alliance Cloud Adoption Report
What factors are limiting your adoption of virtual/private, community and public clouds today?
DARK SIDE TO CLOUD AND SOFTWARE DEFINED DATACENTER (SDDC) INFRASTRUCTURE
• Infrastructure, especially cloud and virtual administrative access, is a target and concern
• Underlying virtual machines or containers are just files that can be copied, moved or deleted (10s to 1000s at a time)
• Accidental mistakes or malicious damage
• Audit logs are detailed at the application and OS level, but they often lack sufficient actionable data and granularity at the hypervisor level
• Compliance requires that virtual and cloud administrative access be controlled and monitored with sufficient audit logs at the hypervisor level
[Figure: VM, Virtual Admins]
CONTAINERS COMPARED TO VIRTUAL MACHINES
Source: Gianluca Costa, Introduction to Docker
Many cloud service providers have the ability to run containers
DOCKER SECURITY
Security concerns:
Image signatures are not properly verified
If you have root in a container, an attacker can potentially get root on the entire system
Admins or scripts may move containers to a non-compliant environment
Images may not have security patches applied
Security Remedies:
Use signed or trusted images from your private repositories
Don't run containers as root, if possible
Fence things in with VMs
• Run containers on top of VM
• Run VM in container
Use Docker Enhanced Controls
User namespacing: give containers own set of UIDs and GIDs so users are isolated
Apply patches to Docker images
“Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities” — BanyanOps, ZDNet, May 29, 2015
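The remedies above (trusted images from a private registry, pinned patch levels, no root inside the container, user namespace remapping) can be checked before an image is built or a daemon is deployed. The following is an added example written for this page, not code from Docker or from the presenter; the registry name registry.internal.example, both Dockerfiles and the finding texts are constructed for the demo.

```python
"""Added example (not from the slides or from Docker): a small audit that flags
the Docker security concerns listed above in a Dockerfile and in the Docker
daemon configuration. Registry name and file contents are constructed."""
import json

TRUSTED_REGISTRIES = ("registry.internal.example",)   # assumed private registry

# Constructed 'before' Dockerfile: unpinned public base image, runs as root.
DOCKERFILE_WEAK = """\
FROM nginx:latest
RUN apt-get update && apt-get install -y curl
COPY app /srv/app
CMD ["/srv/app/run.sh"]
"""

# Constructed hardened version: pinned image from the private registry, non-root user.
DOCKERFILE_HARDENED = """\
FROM registry.internal.example/base/nginx:1.9.12
RUN groupadd -r app && useradd -r -g app app
COPY app /srv/app
USER app
CMD ["/srv/app/run.sh"]
"""


def parse_image_ref(ref):
    """Split 'registry/name:tag' into (registry or None, name, tag or None)."""
    ref = ref.split("@")[0]                      # ignore a digest suffix if present
    first = ref.split("/")[0]
    has_registry = "/" in ref and ("." in first or ":" in first or first == "localhost")
    registry = first if has_registry else None
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                    # no tag, or the ':' was a registry port
        name, tag = ref, None
    return registry, name, tag


def audit_dockerfile(text, trusted=TRUSTED_REGISTRIES):
    """Return findings that map to the security concerns on this slide."""
    findings = []
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            registry, name, tag = parse_image_ref(arg.split()[0])
            if registry not in trusted:
                findings.append(f"FROM {name}: base image not from a trusted private registry")
            if tag is None or tag == "latest":
                findings.append(f"FROM {name}: image tag not pinned, patch level is unknown")
        elif instr == "USER":
            user = arg.strip()
    if user is None or user in ("root", "0"):
        findings.append("no non-root USER: processes in the container run as root")
    return findings


def userns_remap_enabled(daemon_json):
    """True if a /etc/docker/daemon.json body enables user namespace remapping."""
    cfg = json.loads(daemon_json)
    return bool(cfg.get("userns-remap"))


if __name__ == "__main__":
    for label, df in (("weak", DOCKERFILE_WEAK), ("hardened", DOCKERFILE_HARDENED)):
        print(label, audit_dockerfile(df) or ["no findings"])
    print("userns-remap:", userns_remap_enabled('{"userns-remap": "default"}'))
```

The audit is deliberately conservative: an image without a registry prefix resolves to Docker Hub, which is treated as untrusted here, and a missing USER instruction is reported as running as root because that is Docker's default.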
WORKLOADS: THE ATOMIC UNIT OF IT
• What is a workload? Anything. A workload is the amount of processing designated for a specific task, such as:
  § A database, web server or application running in a virtual machine
  § A Docker-style container that runs an application without requiring the user to supply any infrastructure
  Fundamentally a workload is the smallest building block for an IT environment
• Where will these workloads be found? Everywhere. 90%+ of large enterprises will be using hybrid (vs. private only) infrastructure with workloads moving around these hybrid environments. This creates a significant security and management challenge. For example, a PCI compliant workload might be accidentally moved to a non-PCI compliant environment
• Securing workloads is traditionally done with segmentation, which generally results in significant over provisioning and inefficiency and loses flexibility (even in cloud or SDDC environments)
INTELLIGENT WORKLOAD SECURITY
Workload – the smallest unit of IT (the compute processing for a task)
Data – the content of a workload (e.g. a customer name in a database)
Infrastructure – the platform on which the workload will run (e.g. VMware ESX, Docker, etc.)
Management– how the workload is managed (either by machines via APIs or by human admins)
Intelligent Micro Policy – insulates and translates compliance and security rules to both control the workload and allow the workload to make decisions based on external input
Source: HyTrust
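The cloud controls listed earlier (restrict PCI workloads to a trusted hardware and software stack, run them only in approved physical locations, and release decryption keys only there) and the "intelligent micro policy" idea above both come down to a placement decision made per workload. The following is an added example, written for this page and not HyTrust's product or any real policy engine; the workload labels, host attributes, region names and the single PCI policy are assumptions.

```python
"""Added example: a minimal deny-by-default placement and key-release check in
the spirit of the 'intelligent micro policy' slide. Constructed for this page;
labels, regions and host attributes are assumed, not from any product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset          # compliance scopes the workload carries, e.g. {"pci"}


@dataclass(frozen=True)
class Host:
    name: str
    region: str                # physical location of the hardware
    trusted_stack: bool        # hardware/software stack vetted for sensitive workloads
    certified_for: frozenset   # compliance scopes the environment is approved for


@dataclass(frozen=True)
class MicroPolicy:
    label: str
    approved_regions: frozenset
    require_trusted_stack: bool = True


# Constructed policy: PCI workloads only on trusted hosts in two approved regions.
POLICIES = (MicroPolicy("pci", frozenset({"us-east", "eu-west"})),)


def evaluate(workload, host, policies=POLICIES):
    """Every policy matching one of the workload's labels must pass; unlabeled
    workloads are unconstrained. Returns (allowed, list of reasons)."""
    reasons = []
    for p in policies:
        if p.label not in workload.labels:
            continue
        if host.region not in p.approved_regions:
            reasons.append(f"{p.label}: region {host.region} is not approved")
        if p.require_trusted_stack and not host.trusted_stack:
            reasons.append(f"{p.label}: host {host.name} is not a trusted stack")
        if p.label not in host.certified_for:
            reasons.append(f"{p.label}: host {host.name} is not certified for {p.label}")
    return not reasons, reasons


def release_key(workload, host, wrapped_key, policies=POLICIES):
    """Key-management gate: the data key is handed out only where the workload
    is allowed to run, so data cannot be decrypted in an unapproved location."""
    allowed, _ = evaluate(workload, host, policies)
    return wrapped_key if allowed else None


def migrate(workload, src, dst, policies=POLICIES):
    """Simulate an admin (or script) moving a workload; the move is refused when
    the destination fails policy, which is the 'accidental PCI move' case."""
    allowed, reasons = evaluate(workload, dst, policies)
    if not allowed:
        raise PermissionError(
            f"refusing to move {workload.name} {src.name}->{dst.name}: " + "; ".join(reasons))
    return dst


if __name__ == "__main__":
    pci_db = Workload("cardholder-db", frozenset({"pci"}))
    prod = Host("esx-01", "us-east", True, frozenset({"pci"}))
    dev = Host("dev-07", "ap-south", False, frozenset())
    print(evaluate(pci_db, prod))
    print(evaluate(pci_db, dev))
    try:
        migrate(pci_db, prod, dev)
    except PermissionError as e:
        print(e)
```

Because the same evaluate() function gates both placement and key release, a workload copied to a non-compliant host is not only refused by the migration step but also left without a usable key if the copy happens outside the control path.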
KEY ELEMENTS FOR INTELLIGENT WORKLOAD SECURITY
• Breach Protection
• Boundary Controls
• Insider Threats
• Secondary Approvals
• Policy Enforcement
• Cross Platform Policy
• Easy Auditing
• Continuous Security and Compliance Monitoring
• Encryption (and Key Management)
• Platform Technology (running Workload)
• Admin Controls and Auditing
• Flexible and efficient
KEY BENEFITS OF INTELLIGENT WORKLOAD SECURITY
• Reduced complexity. Intelligent Micro Policy approach reduces complexity of rules since workload negotiates with other parties dynamically (admin, data, infrastructure)
• Always on security. Increases security since both parties (workload and other party) must agree on actions – avoids rogue insider threat situation (for example)
• Lower costs. Removes need for inefficient air gapped or micro-segmentation approaches
By Delivering:
• Abstraction. Abstraction for customer from fast changing regulatory (e.g. Safe Harbor) and technology changes (server, network, containers, etc…)
• Any Cloud. Ensures ease of use with Any to Any (from any cloud to any cloud)
• Automation. Removes complexity of compliance in hybrid deployments
SOCIAL MEDIA ATTACKS
Manual Sharing – These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.
Fake Offering – These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.
Likejacking – Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.
Source: Symantec 2015 Internet Security Threat Report, Volume 20
SOCIAL MEDIA SCAMS
• 68 percent of people surveyed will willingly trade in various types of private information for a free app
• Some even send $0.99 to the scammers in order to cover the return postage for a so-called offer. (The offer never arrives, of course)
Source: Symantec 2015 Internet Security Threat Report, Volume 20
EMPLOYEES’ USE OF SOCIAL MEDIA –RISKS AND IMPACTS
3/14/16 Source: Social Media: Business Benefits and Security, Governance and Assurance Perspectives, ISACA May 2010
[Chart: 90% / 10%] 90% of the data in the world today has been created in the last two years alone
Source: Mushroom Networks, The Landscape of Big Data
LEVERAGE BIG DATA TO GET BIG INSIGHTS
65% of CIOs said “determining how to get value from data” was a big challenge (Wall Street Journal, Feb. 10, 2015)
Stored data doubles every 1.2 years!
That’s about 10 TB per person
100 zettabytes by 2025! – the equivalent of
36 billion years of HD video– Virgin Media
BIG DATA AND ANALYTICS APPLICATIONS
Curing Cancer
Reducing Energy Costs
Predicting Weather
Predicting Consumer behavior
Build Better Cars
Security Intelligence and Fraud Detection
USING BIG DATA TO PREDICT CRIME
Source: NetworkWorld, Sep 20, 2014
Crime Hot Spots in London
Soldiers' suicide risk predictable with Big Data, study says, Patricia Kime, Nov. 12, 2014
What about predicting crime by particular individuals? Will we have predictive
capabilities like those in the movie Minority Report, but through Big Data?
[Chart: Which of the following do you believe is the biggest challenge posed by Big Data? (n = 1,589)]
Response options: Large-volume data management and storage; Shared ownership with other departments; Lack of analytics capabilities or skills; We are not facing any challenges; Other; Security threats from outsiders; Security threats from insiders; Compliance requirements
Source: ISACA’s Risk/Reward Barometer, 2014
BIG DATA CHALLENGES ACCORDING TO ISACA MEMBERS
48% view security or compliance as biggest challenge
Security
Compliance
BIG DATA PRIVACY CONCERNS
Bigger Data = Bigger Target: the higher concentration of data, the more appealing a target it makes for hackers, and the greater impact of the breach
“De-Identified” Information Can Be “Re-Identified”: data collectors claim that the aggregated information has been “de-identified”; however, it is possible to re-associate “anonymous” data with specific individuals, especially since so much information is linked with smartphones
Possible Deduction of Personally Identifiable Information: non-personal data could be used to make predictions of a sensitive nature, like health condition, financial status, etc.
Data Sovereignty Issues: Many countries or regions (like the EU), may have requirements that certain personal data and the processing of that data remain in the country or region
Right to be forgotten: Some areas like the EU have a “right to be forgotten” that may be challenging to implement in a Big Data environment.
http://www.ftc.gov/public-statements/2012/03/big-data-big-issues
MOBILE
BRING YOUR OWN DEVICE (BYOD) IS ALREADY HERE
54% allow at least some BYOD
Source: ISACA’s Risk/Reward Barometer, 2014
MOBILE
Mobile attacks will continue to grow rapidly as new technologies expand the attack surface and app store abuse goes unchecked.
Source: Intel Security 2015 Threat Predictions
5M+ Mobile Malware Samples
MOBILE PAYMENTS
• Register credit or debit cards in a mobile wallet using smart phone camera or manual entry
• The mobile wallet is stored on the cloud and or the device
• Select your default payment method in the mobile wallet
• Use your mobile device to make a payment by placing it near the point of sale (uses near field communication – NFC)
• May need to authorize payment with fingerprint or passcode
• No need to get out or even carry your wallet or credit cards
Source: ©iStock.com/tillsonburg
ISACA 2015 Mobile Payment Security Study
• 23% say mobile payments are secure
• 89% say cash is most secure (only 9% prefer to use it)
• 47% say credit card is secure
• 83% prefer to use a credit or debit card
Mobile Payment Market will be worth $2.8 Trillion by 2020!
Source: Future Market Insights
MORE SECURE THAN CONVENTIONAL PAYMENTS?
Cash seems anonymous, but most retail stores have surveillance equipment
Criminals may make copies of physical cards or card information used at retail outlets
Cybercriminals steal credit card databases or credit card numbers transmitted for transactions
Criminals make duplicate cards and use them at ATMs, online or at retail locations
Source: http://www.isaca.org/cyber/cyber-security-articles/Pages/mobile-payments-more-secure-than-conventional-payments.aspx
Any time the actual credit card number is used in a transaction, there is a risk that it will be stolen.
PAYMENT TOKENIZATION
• Tokenization is similar to encryption except the result is in the same format with the same number of characters or digits as the original
• Storage tokenization has been used to secure credit card numbers by merchants and others for many years, generally to meet PCI requirements. A storage token cannot be used for payment in a transaction
• Payment tokens are relatively new and are valid for use in the payment (thanks to cooperation between card issuers, card networks, banks, and mobile payment providers)
• When a card is registered to the mobile wallet, the mobile wallet app communicates with the card network or a Token Service Provider (TSP) which then issues a payment token and stores it along with the actual card number in a token vault
• The mobile wallet app then stores the payment token and perhaps a cryptogram in the mobile wallet, but not the actual card number
“At the heart of modern mobile payment systems’ security is the concept of payment tokenization”
Source: http://www.isaca.org/cyber/cyber-security-articles/Pages/mobile-payments-more-secure-than-conventional-payments.aspx
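The token flow described above (the wallet enrolls a card, the Token Service Provider keeps the real card number in a vault and hands back a same-format payment token, and the wallet then presents the token plus a cryptogram rather than the card number) can be illustrated end to end with a toy TSP and wallet. This is an added example written for this page, not code from any card network, TSP or the ISACA article; the token prefix "9999", the HMAC-based cryptogram, the message format and the per-device key are constructed simplifications of what real schemes do.

```python
"""Added example (not from the slides or any real TSP): a toy token service
provider and mobile wallet that walk through the payment-token flow above.
The '9999' token prefix, key sizes and cryptogram format are constructed."""
import hashlib
import hmac
import secrets


def luhn_check_digit(payload):
    """Check digit that makes payload + digit pass the Luhn test, so the token
    keeps the same format (16 digits, valid checksum) as a real card number."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def make_cryptogram(key, token, amount_cents, merchant_id, counter):
    """Per-transaction cryptogram over the token and transaction details."""
    msg = f"{token}|{amount_cents}|{merchant_id}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    TOKEN_BIN = "9999"   # constructed prefix so tokens are distinguishable from real PANs

    def __init__(self):
        self.vault = {}         # token -> real card number; never leaves the TSP
        self.device_keys = {}   # token -> key shared with the enrolled device
        self.last_counter = {}  # token -> highest counter seen, for replay rejection

    def issue_token(self, pan):
        """Random (not derived from the PAN) same-format token, stored in the vault."""
        while True:
            payload = self.TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(11))
            token = payload + luhn_check_digit(payload)
            if token not in self.vault and token != pan:
                break
        key = secrets.token_bytes(32)
        self.vault[token] = pan
        self.device_keys[token] = key
        self.last_counter[token] = 0
        return token, key

    def authorize(self, token, amount_cents, merchant_id, counter, cryptogram):
        """Detokenize only if the cryptogram matches this exact transaction and
        the counter is fresh; returns the real PAN for the issuer, else None."""
        key = self.device_keys.get(token)
        if key is None or counter <= self.last_counter[token]:
            return None
        expected = make_cryptogram(key, token, amount_cents, merchant_id, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None
        self.last_counter[token] = counter
        return self.vault[token]


class MobileWallet:
    """Holds only the payment token and device key, never the card number."""

    def __init__(self, token, key):
        self.token, self._key, self.counter = token, key, 0

    def pay(self, amount_cents, merchant_id):
        self.counter += 1
        return (self.token, amount_cents, merchant_id, self.counter,
                make_cryptogram(self._key, self.token, amount_cents, merchant_id, self.counter))


def enroll(tsp, pan):
    """Card registration: the wallet sends the PAN once and keeps only the token."""
    token, key = tsp.issue_token(pan)
    return MobileWallet(token, key)


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    wallet = enroll(tsp, "4111111111111111")   # well-known test card number
    tx = wallet.pay(1999, "MERCHANT-42")
    print("token presented:", tx[0], "authorized PAN:", tsp.authorize(*tx))
    print("replay of same message:", tsp.authorize(*tx))
```

Two properties from the slide are visible in the code: the token is random and carries no information about the card number, and a captured token plus cryptogram is useless for a second purchase because the counter and amount are bound into the cryptogram.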
APPLE PAY TRANSACTION FLOW
Source: US Federal Reserve Bank of Boston, compiled from various sources
THE INTERNET OF THINGS
THE SMAC STACK WILL ENABLE THE INTERNET OF THINGS
Source: Cognizant
The SMAC stack (Social, Mobile, Analytics/Big Data and Cloud) will power new applications that connect to “things”
“The next master architecture for enterprise IT, and its magnitude and importance.”
INTERNET OF THINGS (IOT)
Source: 2014 HP Internet of Things Research Study
HP Test of 10 Popular IoT Devices (IP Cameras, smart meters, healthcare, fitness, SCADA, etc.)
Gartner predicts 26 Billion IoT Devices by 2020
SMART TV SECURITY CONCERNS
Microphone may always be on (for voice commands)
Risk that attacker could turn on webcam
Activity on Smart TV is tracked and may be shared with social media
Like with smartphones, malicious apps could be downloaded
Smart TVs in the office:
• Consider not connecting to Internet; if you do, connect to a Guest network
• Take care as to which features and apps are enabled
• Turn off or disable microphone and webcam
• If possible, lock out others from changing TV settings
CONNECTED CARS ARE AT RISK
Fiat Chrysler has issued a safety recall affecting 1.4m vehicles in the US, after security researchers showed that one of its cars could be hacked.
On Tuesday, tech magazine Wired reported that hackers had taken control of a Jeep Cherokee via its internet-connected entertainment system
CONNECTED CAR SECURITY CONCERNS
• OBD-II port can be used to inject packets into the car’s computer system, allowing control of the brakes, ignition control unit, etc. (requires physical access for attack)
• WiFi devices can be attached to OBD-II port for insurance or other reasons potentially allowing remote access
• Sensors (like tire pressure sensors) could be negatively affected with other devices, potentially causing loss of control
• Websites and mobile apps to control car may have poor authentication (often only use VIN to identify car)
• Standards around vehicle to vehicle (V2V) and vehicle to infrastructure (V2I) are still emerging
• Entertainment system connected to the Internet may allow connection and attack to control systems
• Personal information like navigation, speed, entertainment choices, etc. may be shared with the car manufacturer and third parties
INTERNET OF THINGS – THE END OF PRIVACY?
Introducing more private information about ourselves
Traditional Personally Identifying Information:
• Date of Birth
• SSN/Govt. ID Number
• Credit Card Number
• Name
• Address
• Username
New IoT Personal Data (What? Where? When? Why?):
• Glucose level
• Weight
• Calories
• GPS location
• Heart rate
• Sleep
• Mood
• Surrounding images
• Driving habits
• Blood pressure
• Travel route
• Exercise route
INSECURE IOT DEVICES AND PRIVACY
“All too often for other pieces of major industrial machinery, the controls are sitting there in plain sight or hidden behind the most rudimentary credentials. In 2012, simply attempting to log in as “root” or “admin”, with the password being the same again, was sufficient for another group of anonymous internet explorers to gain access to over 400,000 devices. With the rise of internet-connected devices since this study was conducted, that number is likely to be far higher.”
SHODAN.IO WEBCAM BROWSER
USING THE INTERNET OF THINGS TO SPY?
“In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment”, says James Clapper, US director of national intelligence.
Photograph: Alex Brandon/AP
END OF PRIVACY?
Social, Mobile, the Internet of Things and Big Data Analytics have profound implications for privacy in the future
Source: ISACA 2014 Risk Reward Barometer
The New Yorker 1993 The New Yorker 2015
“On the Internet, nobody knows you’re a dog.”
INTERNET OF THINGS – POTENTIAL SECURITY CONCERNS
• Tethering via Bluetooth LE to smart phone (might be sniffed)
• Transmission and storage of information in cloud (might be hacked)
• Sharing of information via social media (likely to become public)
• Man-in-the middle and redirect attacks (similar to mobile devices)
APPLE WATCH SECURITY
Uses Bluetooth or WiFi to tether to iPhone for Cellular, GPS, etc.
Relies on iPhone and cloud for much of security
Similar concerns as with other tethered wearables
Consider visibility of messages on screen to others
Apple Pay security (protection against theft of watch)
• Sensors can detect when watch is taken off wrist and put back on
• Use opt-in PIN so when taken off it has to be re-authenticated when put back on
• Payment only functions when on wrist and authenticated
• No credit card numbers stored on watch – uses payment tokenization
IOT – RECOMMENDATIONS FOR USERS
• Use a screen lock or password to prevent unauthorized access to your device
• Do not reuse the same user name and password between different sites
• Use strong passwords
• Turn off Bluetooth when not required
• Be wary of sites and services asking for unnecessary or excessive information
• Be careful when using social sharing features
• Avoid sharing location details on social media
• Avoid apps and services that do not prominently display a privacy policy
• Read and understand the privacy policy
• Install app and OS updates when available
• Use a device-based security solution
• Use full device encryption if available
Source: Symantec, “How Safe is Your Quantified Self”
IOT – RECOMMENDATIONS FOR ORGANIZATIONS
• Safely embrace Internet of Things devices in the workplace to keep competitive advantage
• Ensure all workplace devices owned by organization are updated regularly with security upgrades
• Ensure default passwords are changed and not easy to guess
• Require all devices be wirelessly connected through the workplace guest network, rather than internal network
• Provide cybersecurity training for all employees to demonstrate their awareness of best practices of cybersecurity and the different types of cyberattacks
• Ensure that IT and security professionals are CSX-certified
56% of tested devices using OpenSSL had not been updated in over 50 months (2015 Cisco Annual Security Report)
WE HAVE A WAYS TO GO….
Source: EY’s Global Information Security Survey 2015
Percentage who indicated their level of maturity was “very mature”
CONCLUSIONS
The situation is only going to get more complex
Widening industry skills gap
This is not yesterday’s security
Learn to embrace new technology safely
ISACA – effective controls and assurance are critical in this Digital Age!
www.isaca.org/cyber
QUESTIONS?
Robert E Stroud, [email protected], Twitter: @RobertEStroud
Email: [email protected], Site: www.isaca.org