everything is not awesome: the rising threat of cyber-attack and what to do about it
DESCRIPTION
Presentation given to 2014 DC Startup CTO Summit.TRANSCRIPT
![Page 1: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/1.jpg)
Everything Is Not
AwesomeThe rising threat of Cyber-attack and
what to do about it
Robi Sen, CSO, Department 13, [email protected]
![Page 2: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/2.jpg)
Agenda
• Its all just getting worse• Data breaches more common and larger• Number of attacks in total rapidly increasing• Threats are more sophisticated and hard to stop• Technology is failing us
• Why is it getting worse• High value low risk• Low barrier to entry - Its so easy• As technology gets more complex its harder to secure• Vendors don’t really care
• What can we do• Be realistic and plan for compromise• Focus on security early not after a event• Realize that the best defense is people• What you can do right now
![Page 3: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/3.jpg)
Realize security is core to your businessIf you can answer no to any of these questions then your can ignore security.
• Does your brand matter to you?• Do you care about your customers and customer trust?• Do you have important Intellectual Property?• Do you have company secrets?• Do your products, services, or systems effect peoples lives?
![Page 4: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/4.jpg)
Its getting worse. Data breaches and attacks are more common
![Page 5: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/5.jpg)
Data breaches are getting bigger
![Page 6: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/6.jpg)
Technology is failing us; fighting yesterdays battles
82 percent of all malware it detects stays active for a mere hour, and 70 percent of all threats only surface once, as malware authors rapidly change their software to skirt detection from traditional antivirus solutions(3).
(2)Antivirus "is dead," Brian Dye SVP INFOSEC at Symantec(1). "We don't think of antivirus as a moneymaker in any way."
![Page 7: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/7.jpg)
Why? Your data is worth a lot
![Page 8: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/8.jpg)
Why? Its just to easy• Tools such as Kali are widely • Point and click hacking tools • Hacking and Malware as a service are now wide spread• Most companies don’t even know if their are being hacked• Most companies don’t know how to respond
![Page 9: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/9.jpg)
Why? Complexity is the bane of security• Organically grown systems – Bash and Shellshock are a great example
(1)• Systems layered and so complex they are hard to understand (2)• Overly specialized – nonsystem thinking
![Page 10: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/10.jpg)
Why? Vendors really don’t care
• Vendors focus on features of their product and services first• Vendors product cycle is vicious allowing little time for security testing
and analysis • Vendors think security is something that should be added latter• Vendors are rarely sued or held responsible for the low quality of
security in their products
![Page 11: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/11.jpg)
What can you do?
![Page 12: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/12.jpg)
Realize your going to get compromised• Its not if. Its When!• Ask your self… What do you do when your compromised?• How well do you know how you will react? Timing, escalation, and
appropriateness. • Have you made connections with law enforcement, legal, PR, and
your vendors?• Who owns security in your company?• Who are the people who are most likely to attack you?
![Page 13: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/13.jpg)
Focus on security early
• Include security in your business plan• Add security to your business model• At the start of a new service, product, or business • Add security as part of your cultural of excellence• Plan for the inevitable and make a response plan
![Page 14: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/14.jpg)
Your people are your best security resource• Humans are better identifying modern threats• People are flexible• Humans assisted by technology are better than either • Your people and employees can respond to your needs while vendors
may not
![Page 15: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/15.jpg)
What you can do right now
1. Prioritize your assets based on YOUR BUSINESS NEEDS2. Identify your major risks 3. Do a security assessment but make sure it focuses on YOUR BUSINESS NEEDS4. Work internally to understand your current policies and process to see if they
align with one and two5. Clarify and simplify 6. Make a response plan7. Create the ONION – Add your technical, physical, and human security systems8. Game and test9. Lather, Rinse, Repeat!
![Page 16: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/16.jpg)
What you can do right now
• Hire a CSO or senior security professional• Invest in training• Empower you security staff• Invest in tools that empower people not replace• Join security groups • Connect with the FBI and local law enforcement• Make a relationship with a security partner• Remember security is a state not a goal
![Page 17: Everything is not awesome: The rising threat of Cyber-attack and what to do about it](https://reader035.vdocuments.us/reader035/viewer/2022062514/557d5bc1d8b42ae1438b4b1b/html5/thumbnails/17.jpg)
Questions?