Cybersecurity is Risk Management - The Channel Company · 2017. 8. 14.
TRANSCRIPT
Cybersecurity is Risk Management
MICHAEL A. ECHOLS
CEO, International Association of Certified ISAOs
& Max Cybersecurity LLC
Clear and Present Danger
• Cyber attacks and security breaches are increasing in
frequency and sophistication, with discovery after the fact,
if at all.
• Targeting of organizations and individuals with malware
and anonymization techniques that can evade current
controls.
• Current perimeter-intrusion detection, signature-based
malware, and anti-virus solutions are providing little
defense and are rapidly becoming obsolete; attackers use
encryption technology to avoid detection.
• Criminals are leveraging innovation and moving at a
pace that security vendors cannot possibly match.
“It's one of the most serious economic and national security challenges we face as a nation. Foreign governments, criminals, and hackers probe America’s computer networks every single day.”
President Obama also noted that protecting the nation’s critical infrastructure is essential to public health and safety, stating that,
“Neither government, nor the private sector can
defend the nation alone. It’s going to have to be a
shared mission — government and industry working
hand in hand, as partners.”
President Barack Obama: National Security Issue
Concerns for Control Systems
Testimony to House Select Intelligence Committee –
“There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability to enter industrial control systems and to shut down [and] forestall our ability to operate our basic infrastructure.”
“All of that leads me to believe it is only a matter of the ‘when,’ not the ‘if’ that we
are going to see something dramatic.”
NSA Director, Michael Rogers
A Hub of Information Sharing
Trusted Relationships
Modern security challenges are too complex for any single organization, sector, or nation to confront alone.
To enable greater information sharing and develop a common understanding of malicious activity and mitigation options, we must build and leverage partnerships across:
• Federal, state, local, tribal, and territorial governments
• Private sector
• Academia
• International community
• OUR WORK FORCE
The Path Forward
Future
▪ Baked in security = fewer
vulnerabilities
▪ Near real-time response with more
automated defenses
▪ Many attacks, but less impact
▪ Information sharing and increasingly
collaborative defenses
▪ Consistent security practices
▪ Unauthorized activity quickly identified
▪ Ability to learn and adapt defenses in
near-real time
Today
▪ Many unknown vulnerabilities
▪ Incidents spread at network speed
and defenses are manual
▪ Many attacks are undetected
▪ Independently defended systems
▪ Inconsistent security policies
▪ Users do not follow best practices
▪ Attacks increasing in number and
virulence
Current Trend: Bulk PII Theft
Between July 2014 and March 2016,
US-CERT received numerous reports
of incidents from across the U.S.
Government and private sector
involving the theft of large amounts of
PII.
• Analysis from US-CERT and federal
law enforcement partners indicates that
PII was the primary target in intrusions
• Groups responsible for the intrusions
are leveraging a diverse selection of
tools and techniques including stolen
credentials from previous intrusions
Bulk PII Theft
Healthcare
• Anthem (loss of customer data, up to 80M records)
• Premera (loss of customer data, up to 11M records)
• Community Health Services (loss of patient data, up to 4.5M records)
Business
• Sony Pictures (loss of corporate and customer data, up to 1M records)
U.S. Government
• IRS (loss of taxpayer data, up to 100K records)
• OPM (loss of personnel data, up to 25M records)
Bulk PII theft from major U.S. organizations dominated headlines
Bulk PII Theft
Other Cyber Incidents
• AshleyMadison.com, up to 37M users’ personal data exposed
• Uber, up to 50K driver data accessed
• Twitch.tv, possible unauthorized access to 10M user accounts
• mSpy, up to 400K personal data leaked
Verizon DBIR
Culture Shift
“It is therefore up to security professionals to help their executives become more cybersecurity literate and thereby assist in framing security considerations as an integral part of any risk/opportunity discussion, as well as a wider enterprise risk management strategy.”
What are the expectations for cyber literacy?
Culture of Cybersecurity
SMB ANALYSIS
Review of Scalable and Affordable Solutions
• SMBs continue to manage their enterprise-wide
technologies without adequate cybersecurity
solutions or technical support.
• A potential reason for this SMB apathy is a
lack of understanding about their cyber risk
exposure and the negative business
consequences that result from major data
breaches.
• Reputational Loss
• Loss of Proprietary Data
• Loss of Intellectual Property
• Identity Theft
The net force on an object is equal to the mass of the object multiplied by the acceleration of the object.
FORCE
Cybersecurity
Top Cyber Threat Attack Vectors
• Spear Phishing / Watering Hole
  – Organization email, personal webmail
• Web Browsers
  – Vulnerability exploitation (Adobe, Flash, Java)
  – Application patching
• Web Servers
  – Application and system patching
• Remote Access
  – Single factor (password-based)
Incident Response
Since announcing their findings in June 2016, CrowdStrike’s Washington, D.C. office has been bustling with business; the number of its million-dollar contracts quintupled from a year ago.
In May 2017, the company became a startup “unicorn,” valued at more than $1 billion after raising $100 million led by return investor Accel Partners.
CROWDSTRIKE
Led the Response to the DNC Hack
WHO IS MANAGING THE BUILD?
Disruptors
Quantum Computing can – in theory – defeat all modern encryption. From secure banking transactions to confidential correspondence to, yes, Blockchain.
Breach Reporting – there are different reporting requirements in 47 different States.
Regulation – Sectors such as Financial and Energy are leading the way with regulation, but healthcare is not far behind.
Workforce – We need a new approach to development and assignment of available resources to support cybersecurity requirements.
Analytics is defined as the scientific process of transforming data into insight for making better decisions.
Data Analytics is critical to meeting the challenge our adversary is launching. We must, however, make the data come to life to take advantage of it.
ANALYTICS
Cyber Education
The Nation’s One Stop Shop for Cybersecurity Careers & Studies!
Resources for everyone –
employees, employers,
students, educators,
parents, policy makers
✓ 5,000+ visitors per
month
✓ 1,500+ training courses
mapped to
the National
Cybersecurity
Workforce Framework
✓ 100+ links to
cybersecurity resources
✓ 15+ tools for managers
✓ 10+ monthly events
✓ 10+ links to customized
job searches
www.niccs.us-cert.gov
National Initiative for Cybersecurity Careers and Studies (NICCS)
The mission of NICE is to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development
NIST
http://csrc.nist.gov/nice/
QUESTIONS
Michael Echols International Association of Certified ISAOs
www.certifiedisao.org