CSX NORTH AMERICA CONFERENCE REPORT



Page 1: CSX NORTH AMERICA CONFERENCE REPORT

FIVE SECURITY INSIGHTS FROM BRIAN KREBS

1. If organizations are not pen testing their users on a regular basis, it is a near certainty that the bad guys are.

2. If a device is plugged in and it has an IP address, eventually it’s going to be hacked (this includes toasters!).

3. Organizations need to drill their breach response in advance—or they will likely make a bad situation worse.

4. If people are not actively working toward securing and maintaining their privacy on a continuing basis, they don’t have privacy.

5. IoT is a national security priority—or it should be. The amount of firepower available to attackers is tremendous.

CYBERSECURITY BY THE NUMBERS

Brett Kelsey, vice president and CTO-Americas of Intel Security, took the stage at CSX North America to discuss achieving better efficiency in security. Kelsey shared interesting insights into current security numbers. Below is a snapshot:

26 OCTOBER 2016

• Cost to purchase a health record on the dark web: $10

• Mean time to detect a breach in the finance industry: 98 days

• Mean time to detect a breach in the retail industry: 197 days

• Average cost per breach: $3.79 million

• Annual cost of cybercrime globally: $618.16 billion

• Known cybersecurity incidents from April-June 2016: 345

Note: All costs are in US dollars.

Page 2: CSX NORTH AMERICA CONFERENCE REPORT

GLOBAL CISOS SHARE PRIORITIES AT CSX

The CISO Forum at ISACA’s CSX 2016 North America Conference provided chief information security officers the opportunity to share perspectives about many of the most pressing challenges and opportunities shaping today’s security landscape.

The wide-ranging forum included several presentations but was largely centered on interaction among the attendees. Among the day’s many discussion points were:

• Suggestions on how to engender support for security programs from senior management. Leveraging audit reports, identifying control gaps in security programs and providing timely examples of how other organizations have been damaged by high-profile security breaches are among the tactics that can help deliver buy-in.

• The value of industry certifications. David Foote, chief analyst and research officer for Foote Partners LLC, shared extensive data portraying an uptick in the value of security certifications in recent months. As a group, ISACA certifications have gained more than 15% in cash market value in the last six months, compared to nearly 8% growth in pay across all security-related certifications.

• The need to embed security in functions throughout an organization.

• The public relations upside of having a robust security program. When positioned properly, a well-executed security program can help organizations differentiate themselves in an environment when security is more commonly a source of anxiety than a point of pride.

• How to handle various use cases regarding data management, such as employees mishandling data, guarding against various forms of malware and the pros and cons of relying upon third-party services.

• Striking the appropriate balance between deep technical expertise and “soft skills”—such as communications skills and relationship-building—in evaluating prospective hires.

GAINING BOARD AND C-SUITE SUPPORT FOR A SECURITY CULTURE

Changing organizational mindsets to understand and adapt priorities, policies and programs, now that cyber risk is a pervasive business risk, was Phillip Ferraro’s call to action during his CSX NA session, “How to Gain Board and C-Suite Support for your Program.”

Ferraro, Senior Vice President and Global CISO for The Nielsen Co., noted that mindsets and organizational alignment to a “security culture” must shift as technology and business professionals conduct executive education efforts and build business cases for initial and sustained investment in the platforms and people to thwart cyberattacks.

Effective communications that “leave the techno-babble behind” and turning return-on-investment questions from board members and senior executives into “cost-avoidance conversations” are tactics to gain attention, influence and buy-in, Ferraro said. Among the factors Ferraro listed to calculate the cost of breach impact were: value of actual data and IP lost, reputation and brand damages, shareholder and stock value impact, current and ongoing revenue lost, and regulatory fines and sanctions.


Page 3: CSX NORTH AMERICA CONFERENCE REPORT

GUIDE TO CONTAINERIZATION: WHAT YOU NEED TO KNOW NOW

Application containers can bring tremendous utility and business value, albeit while posing substantial security challenges, according to a presentation delivered at ISACA’s CSX North America conference.

“Containerization Security: What Security Pros Need to Know,” presented by Ed Moyle, ISACA director of Thought Leadership and Research, and Diana Kelley, executive security advisor with IBM Security, highlighted both the risks and rewards of containers—mechanisms used to isolate applications from each other within the context of a running operating system instance.

Kelley and Moyle contended that containers are redefining the tech landscape in the data center and among development teams. Containers are easy to update, can move from machine to machine and can decrease development time due to migration of containers between environments.

Several of the security challenges presented by containerization are reminiscent of challenges that have been overcome in the world of virtualization. Security professionals can mitigate some of the potential risks associated with containerization on the front end by reading guidance on the topic, including a new pair of white papers released by ISACA.

“There are some things that security pros really should know about, and that message really hasn’t gotten out there in terms of the mainstream security community,” Moyle said.

FIRMWARE: THE FORGOTTEN SECURITY CONTROL

Firmware, or embedded software in connected devices, is “low-hanging fruit” for attackers, according to keynote speaker Justine Bone, CEO of MedSec. ISACA conducted a study on firmware security, and the results are presented in an accompanying infographic. A key finding: organizations are not sufficiently prepared, and firmware is highly vulnerable.


INSIGHTS FROM JUSTINE BONE

“We are seeing more and more that firmware security is no longer a theoretical problem. The evidence is showing us that attackers are targeting firmware—many breaches and vulnerability discoveries these days can be attributed to firmware problems. Solutions are emerging, but most enterprise environments remain unprepared. While it’s clear that knowledge is power in this instance, it’s also evident from this research that company culture and overall attitude to security is a major contribution to vulnerability.”

Page 4: CSX NORTH AMERICA CONFERENCE REPORT

SECURING THE INTERNET OF THINGS

That was among the thought-provoking questions posed by presenters Mike Krajecki, Director, Emerging Technology and Risk Services, KPMG LLP, and Milan Patel, Program Director, IoT Security, IBM, during the “Connecting the Risks: Securing the Internet of Things” presentation at CSX North America.

Patel noted that as challenging as it has been to secure data and applications in the traditional IT environment, the anticipated proliferation of tens of billions of IoT devices will call for even greater resourcefulness from security professionals.

Among the many security risks associated with IoT are the large number of new network endpoints, the mobility and vulnerability of devices, the privacy and security of data generated by the devices, and compromised network access points.

The complexity of IoT security results in what Patel described as a “protocol zoo” that poses challenges for security professionals.

The session emphasized that security and privacy must be embedded into the strategy and design of a connected device program and that full life-cycle protection must be emphasized. Security specific to each category of device—including strong authentication and access control, data privacy protection and robust application security—also is recommended.

WHAT IS YOUR TOP TIP FOR WOMEN ENTERING THE CYBERSECURITY FIELD?

“Find a mentor who supports you and gives you guidance, and be a source of information—whether it is networking with other people or referring to various standards that you might need for some of the work that you are doing.”

Christina Cruz, CISA, New York, NY

“Do not get discouraged when you feel like you are in the minority. We need women in this field. We look at things in a different viewpoint, sometimes, than our male counterparts. So with that, stay focused and get to your goal.”

Amanda Prince, CISM, CRISC, Tampa, FL

“Women need to own their space and not be afraid to be fierce and have a voice. So, if you are considering going into cybersecurity, learn what is out there that you can teach yourself—and be bold about it because that is what it takes to run with a demographic where it is 10% women.”

Michelle Covert, CISA, East Lansing, MI

Connecting Women Leaders in Technology

ENGAGE. EMPOWER. ELEVATE.

WISDOM FROM HACKER AND INVENTOR PABLOS HOLMAN

“You will never get anything new by reading the directions.”

“Vision without action is a daydream. Action without vision is a nightmare.”

“There is a really important job to do that is not being done: figuring out how to take care of humans.”


Page 5: CSX NORTH AMERICA CONFERENCE REPORT

MITIGATING MALWARE’S THREAT TO CRITICAL INFRASTRUCTURE

The shift from isolated systems to open protocols, the evolution of modern equipment and ever-expanding business pressures are creating a major cybersecurity challenge impacting major infrastructure across the globe.

Ed Cabrera, chief cybersecurity officer with Trend Micro, highlighted those dynamics during his “Malware’s Threat to Critical Infrastructure” presentation at CSX North America.

Citing examples of attacks aimed at the Ukrainian electric grid and mining and rail companies, Cabrera outlined the far-reaching scope of threats to infrastructure.

Improved alignment between IT and operational technology functions and a layered defense program can help stave off these potentially devastating attacks. Cabrera also noted that tapping into behavior analytics can be highly beneficial.

“Behavior analytics has to become an accepted strategy to go from being the hunted to the hunter, to go after and try to find this activity on the business side and the operational side,” Cabrera said.

He said that all components of an organization—including Human Resources—have a part to play in attaining increased vigilance, and that includes keeping closer tabs on the security risks posed by employees.

“There has to be much more of a process-oriented approach to insider threats,” Cabrera said.

WHAT DO YOU THINK SHOULD BE THE BIGGEST CYBER SECURITY PRIORITY FOR ORGANIZATIONS IN 2017?

“Right now, perennially at the top of the list is APT.”

William Westwater, CISA, CGEIT, CRISC, Redmond, WA

“I think organizations should focus on cyber resilience more so than just the security aspect. A lot of organizations are only focusing on the protection/cybersecurity piece, and not necessarily the sustaining piece because attacks are increasing at a significant rate. They should focus on a resilient strategy that looks at both protection and sustaining.”

Andrew Hoover, CISA, CRISC, Arlington, VA

“All organizations are working on preventive security. The reality is the weakest link within organizations is people. So, if your security awareness programs are not up to snuff, if they’re not robust, if they’re not focused on people, you’re going to lose in the end.”

Scott Newman, CISA, Tacoma, WA

“Securing the company’s data while using mobile apps has been a challenge, and it’s going to be a bigger challenge going forward.”

Denise Calvert, CISA, CISM, Oklahoma City, OK

CSX attendees had the opportunity to participate in a network assessment and network defense competition, where they competed for control of common resources and services. Congratulations to the Cyber Challenge winners!

ESSENTIAL LEVEL

Annie Cheng, Bank of San Francisco

ADVANCED LEVEL

1ST PLACE: Marcelle Lee, CSXP, Fractal Security Group LLC

2ND PLACE: Jed Santiago, CISA, CISSP, Visa Inc.

3RD PLACE: Eduard Delgado Yparraguirre, CISA, CISM, CRISC, CISSP, CEH, PMP, TD Bank


Page 6: CSX NORTH AMERICA CONFERENCE REPORT

SOCIAL MEDIA ROUNDUP

SECURITY FOR THE MILLENNIAL AGE

Creating a positive security culture, devising security solutions that are as straightforward as possible and strategic prioritization of risk appetite are key pillars of an effective security program, according to the “Security for the Millennial Age” session at CSX North America.

Session presenter Dominic Vogel, chief security strategist at Cyber SC, contended that relationship-building is critical on several levels – not only between security professionals and their CIO or CISO, but also with other employees, auditors and top business leaders.

Vogel said it is important to treat security mistakes made by employees as a learning opportunity rather than being too heavy-handed, or employees might not feel comfortable bringing issues to light in the future.

Security teams sometimes make the mistake of taking a knee-jerk approach to the “threat du jour,” rather than sticking to a holistic approach to problem-solving and focusing on building resilience within their people, processes and technology.

Vogel also warned against overly ambitious security programs, saying that the attempt to protect everything often is counterproductive. Effective risk prioritization is critical.

Conquering complexity is another practical consideration in today’s security landscape. If security processes are deemed too complex by the stakeholders, chances are they will be ignored.

Vogel said the benefits to an upbeat and strategic security culture that is embraced by all ages and levels include better collaboration, improved business efficiency and greater value for security dollars.
