hackers vs suits

what's wrong with security today?

Upload: chris-hammond-thrasher

Post on 11-Nov-2014


DESCRIPTION

My half of a tag team presentation for the Edmonton, Alberta, Canada ISACA chapter with renderman (http://www.renderlab.net), dealing with what is wrong with information security today. I, of course, was the suit. It looks like SlideShare bungled some of my slides. Click the download link to get the PowerPoint version.

TRANSCRIPT

Page 1: hackers vs suits

hackers vs suits

what's wrong with security today?

Page 2: hackers vs suits

agenda

the suit
the hacker
questions?

Page 3: hackers vs suits

the suit

http://www.flickr.com/photos/23912576@N05/

Page 4: hackers vs suits

experiment

“playing card data loss”

Page 5: hackers vs suits

threats and countermeasures

T1: Sleight of hand
C1: Don't let the attacker handle the cards

T2: Marked cards
C2: Keep the attacker at a distance where he cannot see small marks

T3: The approximate location of the pair is known
C3: Cut the deck while the attacker is not looking

T4: The pair is together
C4: Deal into two piles

T5: If the location of one card is known in one pack, the other card will be in a similar location in the other pack
C5: Mix both packs

Page 6: hackers vs suits

Model Source: taosecurity.blogspot.com


Page 7: hackers vs suits

not an experiment (unfortunately)

Page 8: hackers vs suits

Sources:
• http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
• http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/
• http://www.wired.com/threatlevel/2011/05/l-3/
• http://www.rsa.com/node.aspx?id=3891

3 March 2011: A brief phishing attack began which targeted RSA staff with no unusual privileges

6 April 2011: US defense contractors Lockheed Martin and L-3 had been attacked via cloned RSA SecurIDs

6 June 2011: RSA partially admitted that something bad had happened in March and offered to replace current customers' SecurIDs at no cost

Page 9: hackers vs suits

threats and countermeasures

T1: Direct attacks from the Internet
C1: State of the art perimeter defenses

T2: User authentication attacks against Internet-exposed services
C2: State of the art authentication controls

T3: Malware
C3: State of the art end-point controls

T4: Malicious activity may go unnoticed
C4: State of the art monitoring

T5: Sensitive data could exit the network
C5: State of the art data loss prevention (DLP) technology

T6: Social engineering
C6: State of the art security awareness program

Page 10: hackers vs suits

Model Source: taosecurity.blogspot.com


Page 11: hackers vs suits

“Recently the UK payment council announced that in 2010 online banking fraud declined 22%, despite phishing levels increasing 21%. This is turning the tide. It took the financial sector 7 years to build a new defense doctrine against social engineering attacks like Phishing and Trojans. I was part of this gargantuan effort, and I think we’ve learned a thing or two that can help us build a new defense doctrine against APTs much faster. Already we’re learning fast, and every organization hit by an APT is much more prepared against the next one; I’m confident it will take us far less than 7 years to say we’ve turned the tide on APTs.”

- Uri Rivner, RSA

http://blogs.rsa.com/rivner/anatomy-of-an-attack/

Page 12: hackers vs suits

good idea but...

Page 13: hackers vs suits

our current approach to new threats

Identifying and cataloging new threats

Standardizing countermeasures

Adding these to vendor product lines

Entrenching into the standards canon

When will we see the first APT-no-more product from a major vendor?

Page 14: hackers vs suits

All too often we only change our defensive doctrine when:

• We get hit badly
• Compliance standards change
• New products become available
• The new fiscal cycle starts

The attackers we face change their offensive doctrine much more frequently

we are too slow to adapt

Page 15: hackers vs suits

John Boyd (1927-1997)

Photo credit: Wikipedia

a.k.a.: Forty Second Boyd, Genghis John, The Mad Major, The Ghetto Colonel

Page 16: hackers vs suits

Boyd on novelty

The adversaries that we are defending against are continually producing novelty (there will be something else after APT)

“Now, in order to thrive and grow in such a world we must match our thinking and doing, hence our orientation, with that emerging novelty”

Winning in inherently dynamic environments involves running through flexible decision making cycles faster than your opponent

Page 17: hackers vs suits

our challenge

How can we gain the ability to traverse the observe, orient, decide, act cycle as rapidly or more rapidly than our opponents?

(diagram: you are here)

a possible answer?

All major advances in science and engineering were born of the realization that current models - or orientations, in Boyd's terms - were mismatched with reality

We need to change our information security doctrine from compliance and product-centred to innovation and human-centred

Page 18: hackers vs suits

Chris Hammond-Thrasher CISSP
Associate Director, Consulting
Security, Privacy and Compliance
Founder, Fujitsu Edmonton Security Lab
FUJITSU
[email protected]

* All John Boyd quotations are taken from his Discourse On Winning and Losing http://dnipogo.org/john-r-boyd/