CYBER SECURITY: A REPORT FROM THE TRENCHES 2015 AGC NATIONAL & CHAPTER LEADERSHIP CONFERENCE MIKE.ZUSMAN@CARVESYSTEMS.COM

Transcription

1 CYBER SECURITY: A REPORT FROM THE TRENCHES 2015 AGC NATIONAL & CHAPTER LEADERSHIP CONFERENCE SECURITY IS A PROCESS, NOT A STATE CARVE SYSTEMS LLC MIKE.ZUSMAN@CARVESYSTEMS.COM

2 How did I get here? (short story) <1998: Grew up with Dad who tinkered with electronics : Software developer : Security Appliance Vendor : Corporate Application Security : Security Consulting (aka pen testing) Founded Carve Systems

3 Our Clients & Services Fortune 500 and Small/Mid-sized Firms Telecom - Finance - Agriculture - Health Care - ecommerce - SaaS/Cloud Providers - Device Manufactures Risk Assessment - Penetration Testing - Advisory

4 Take Aways Security is mostly a People problem Every organization needs a custom strategy and Technology Risk Management Process Carve s simplified logical asset classification: 1. People - the folks who create, manage, and use applications & infrastructure 2. Applications - the software that governs our business processes 3. Infrastructure - the systems that allow our applications to function

5 Take Aways Vulnerability Scanning IS NOT Penetration Testing

6 Take Aways The Cloud.

7 Recommendations 1. Create an Information Security Office role, and perform Technology-focused Risk Assessment annually 2. Practice Continual Risk Assessment 3. Create a Data Classification Policy and Identify Assets, Vendors 4. Train users and generate awareness 5. Manage your vendors (vendor questionnaires) 6. Look into Data Breach / Cyber Liability insurance

8 2004 vs Software facts credit: Jeff Williams

9 2004 vs

10 2004 vs

11 Is IoT really new? IoT: proliferation of Internet connected software.

12 A case study M2M Internet Gateway Vehicle Trackers

13 The Bad News Producing secure software is REALLY hard. Microsoft has written a number of books on the subject. There is a huge talent gap when it comes to software security. There are more high quality marketing campaigns than there are high quality security products.

14 Top 3 Risks The Top 3 Risks we identify at most clients: 1. Phishing, and spear-phishing 2. Uncontrolled external network perimeter (includes applications, IoT/ M2M) 3. Insufficient internal access control (I m sneaking in a 4th risk) 4. Insufficient security leadership & culture (changing, for the better)

15 Why is security so bad? Faith-based security My programmer used to work at the NSA, and he says we re secure - former client Our nextgen firewalls stop advanced attacks! - security product marketers Willful ignorance We don t do anything for security unless our customers make us. - un-named IOT vendor

16 Why is security so bad? Organizations are rarely compelled to act unless something bad has already happened. Chrystler to customers : We re mailing you a USB drive you know where to stick it!

17 Not everyone is that bad, right? Right. But good security is as much about dealing with successful attacks as it is prevention. We re seeing increased scrutiny in a variety of B2B relationships. Customers ask us for letters of attestation.

18 A case study Hi-Tech engineering firm (~150 people) Manufactures industrial grade telecom appliances Writes cloud software (appliances phone home) Perform hardware installations Engineers, software developers, admin staff High-value Espionage Target Sensitive docs belonging to a Fortune 50 client leaked accidentally

19 A case study Our Engagement Risk Assessment Phishing Simulation Software Assessment ethical hacking aka penetration testing Morning, Day 1 Our consultants arrive Unlocked, empty reception area Blue prints open, on table

20 A case study Phishing Simulation / Assessment

21 A case study Phishing Simulation / Assessment

22 A case study Phishing Simulation / Assessment

23 A case study Penetration Test Results Engineering firm provides a Cloud service Devices in hospitals, power plants, data centers, etc. phone home to cloud portal Software Security flaws lead to complete compromise of portal OWASP Top 10 Risks for Web Apps (since 2004) All customer credentials and IP addresses Engineering firm internal network We connected to the CEO s printer at his desk from the Internet

24 A case study Agricultural firm Thousands of employees Hired us to perform an external penetration test on a few hundred IP addresses We identified a web site vulnerable to SQL Injection A well documented, widely discussed vulnerability

25 A case study These IPs had a Java application and Telnet exposed to the Internet Gateways for IOT devices in the field

26 Security is process, not a state NIST Cybersecurity Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. IDENTIFY - assets*, threats, obligations, vulnerabilities PROTECT - assets DETECT - incidents (attempted or successful attacks) RESPOND - handle the incident RECOVER - business continuity, client relations, PR,

27 Asset Identification is hard meanwhile, attackers are really good at it. Attack Surface Mapping IoT stands to make Asset Identification even harder. You need to track logical assets, too! Data Classification Policy

28 What does an attacker see?

29 What does an attacker see?

30 What does an attacker see?

31 A case study Publicly traded media and merchandising firm ~300 employees SOX compliant External Penetration Test Year 1: we win via jenkins External Penetration Test Year 2: we win via video conferencing appliance

32 Take Aways Every organization needs a custom strategy and Technology Risk Management Process Know the difference between a Risk Assessment, Penetration Test, and Vulnerability Scanning Carve s simplified attack surface (asset) map: 1. People - the folks who create, manage, and use applications & infrastructure 2. Applications - the software that governs our business processes 3. Infrastructure - the systems that allow our applications to function

33 General Recommendations 1. Create an Information Security Office role, and perform Technology-focused Risk Assessment annually 2. Practice Continual Risk Assessment 3. Create a Data Classification Policy and Identify Assets, Vendors 4. Train users and generate awareness 5. Manage your vendors 6. Look into Data Breach / Cyber Liability insurance

34 No one is immune

35 THANK