The State of Cyber Security Today. Jeffrey Man

Transcription

1 The State of Cyber Security Today Jeffrey Man

2 Tenable provides Continuous Network Monitoring to identify vulnerabilities, reduce risk and ensure compliance.

3 Tenable Product Portfolio

4 Agenda My Background Where We Stand Today Why We Are Failing The Solution What Needs to Change Questions & Answers

5 Presenter Jeffrey Man (former QSA) Cryptanalyst Security Strategist Tenable Network Security M:

6 My Background 30+ years experience in Information Security 13 years with the Department of Defense Certified Cryptanalyst Designed Cryptosystems and Cryptologic Aids Founding Member of Systems & Network Attack Center 20 years of commercial professional services Penetration Testing Vulnerability Assessments Security Architecture 10 years as a PCI Qualified Security Assessor (QSA) Lead Assessor/Assessment Team Member Trusted Advisor

7 DoD Background Cryptanalysis Designed manual cryptosystems for field use (DIA, U.S. Special Forces, USAF) Participated in Desert Shield/Desert Storm Served as a Cryptanalyst in the Operations Directorate Project Manager Fielded the first software encryption system ever produced by NSA Designed, produced, and provided a cryptographic aid that has been used by U.S. Special Forces and Foreign Service for over 20 years Charter member of the Systems & Network Attack Center Developed penetration testing and vulnerability assessment methodologies for review of DoD Classified systems and networks At the request of the Attorney General, and with the cooperation of the National Institute of Standards & Technology (NIST) developed a program for conducting Vulnerability Assessments of Unclassified systems and networks in the DoD and non-dod government agencies Participated in a program to train other Gov t agencies in penetration testing, ethical hacking, vulnerability assessment methodologies, and security program development

8 My 10 Minutes In 1991, while on a trip to the CIA, a group of NSA cryptanalysis interns diligently scribbled all the letters from the sculpture onto sheets of paper and brought them back to the NSA so curious analysts there could take a crack at it. In December 1991 a group of NSA analysts met in a conference room at the NSA to discuss the sculpture and what methods of decryption they might apply, including classified methods used internally by the NSA. (

9 I was one of those Interns!

10 Networked Systems Penetration Testing Vulnerability Assessment Threat Detection Forensics Information Security

11 1995 The year I became a Pen Tester 20 years ago I visited San Antonio AFIWC was the model Penetration Testing Red Teaming Vulnerability Assessment Threat Detection Alerts & Response

12 Private Sector Attack and Penetration Testing Vulnerability Assessments Security Program Development Payment Card Industry (PCI) QSA Trusted Advisor Security Strategist/Evangelist

13 My PCI Customers

14 WHERE DO WE STAND TODAY? Look how far we ve come in twenty years

15 Twenty Years Later Twenty year old vulnerabilities discovered Major breaches Target, Sony, Anthem, OPM Phishing Attacks working Shared passwords and trust relationships Default settings and passwords Missing patches and misconfigurations Malware is rampant Mobile, BYOD, Cloud, Virtual, Outsourced

16 What are today s threats? Threats Disgruntled, former and temporary employees Hackers Industrial espionage The media Criminal activity Natural events and accidents Blunders, errors, omissions Terrorists National intelligence Motives Access to data Disrupt operations Steal $$, products, or services Obtain free use of resources Visibility, publicity, chaos Embarrass target, retribution Thrill, challenge Competitive advantage

17 WHY WE ARE FAILING What are we doing wrong?

18 Too Many Solutions Firewalls IDS/IPS Anti-Virus Whitelisting Access Controls SIEM VPNs Two-Factor Authentication Encryption Scanning Penetration Testing WAFs Password Vaults Cloud

19 What Makes a Network Insecure? No written corporate security policy Lack of commitment to security Awareness Management often in state of denial End user ignorance Resources: people, money, time Decentralized administration lack of coordination Matrixed management means no one is responsible or accountable Responsibility not matched with authority

20 The Need for Security Information and computing resources are vital assets Loss or misuse represents significant risk Potential consequences: Disclosure of sensitive or regulated information Loss of competitive advantage and/or potential revenues Reduction in productivity Lost business due to disruption in operations Bad publicity and/or damage to corporate reputation Liability damages

21 THE SOLUTION What needs to be done

22 Understanding Security The Security Lifecycle

23 The Security Lifecycle Security requires a systematic approach Assess where you are today Document where you want to go Implement a security architecture The policy is the strategy The architecture is the coherent, integrated set of tactics by which the policy is carried out Security without policy is simply technology

24 What is an Information Security Policy? Defines information security objectives and priorities Statement of management expectations (the what ) Defines responsibility for protecting assets Serves as foundation for all security efforts Provides justification for: Controls/products to be implemented $ spent on security Impact imposed on end users Designed to enable business

25 What an Information Security Policy is NOT Burdensome list of irrational restrictions Configuration rules for firewall Cumbersome document collecting dust on shelf Procedures, standards, guidelines: Written to support policy Detailed step-by-step description of how a job is done (the how ) Acceptable use statements: Standards for asset utilization Stress individual responsibility

26 The Business Case Leverages future security investment Focus on critical information assets Protection commensurate with value Raises security awareness among employees Plays critical role in liability abatement Demonstrates due diligence regarding protection of assets Limits liability resulting from employee actions Supports compliance with legal requirements to protect data (i.e., Privacy Act)

27 The Business Case Provides framework for: Consistent, timely, and cost-effective management decisions Selection of security controls and products Defining and empowering acceptable employee behavior Empowering employees to perform their jobs securely Simplifies mergers and acquisitions Technology helps, but You can t solve social problems with software.

28 Policy Pitfalls: Why Policy Efforts Fail Insufficient resources to complete effort Policy is developed in vacuum or by decree Policy does not reflect security needs or risk profile Policy is not supported by senior management or made sufficiently visible Policy is too cumbersome and legalistic Lack of enforcement makes policy meaningless Focus of policy misplaced on technology, not on people

29 Keys to Success Understand the corporate culture: Different levels of Risk tolerance Working within your organizational structure Solicit input from representatives from key business areas Management must lead Walk the talk No sacred cows allowed Policy is clearly defined, realistic, consistent and documented Policy distribution is supported with training

30 Where are you in your Lifecycle? The Security Lifecycle

31 WHAT NEEDS TO CHANGE Or we will keep failing

32 Issues Defining the problem Conflicts of interest Industry built on profit Lack of ownership, understanding, responsibility Nobody cares Too expensive ROI Too hard, too complex Somebody else s problem Silos, stovepipes, not my table

33 What's the solution? Define the problem Education and awareness Shared Ownership everybody is involved Depends on who you ask Too much finger pointing/blame game Being attacked by a nation state is no excuse for sloppy security The industry must take responsibility as well

34 Takeaways Be the change you want to see Understand the business problems Be confident but humble You need to be bilingual Become a teacher Learn to listen

35 More Takeaways Treat security as a puzzle not a game Not the hacking part but the education and awareness part There are often multiple solutions Learn to communicate better Start by listening Ask questions Repeat back what you re hearing Build trust relationships (trust must be earned) Perfect security is not the end game or desired state

36 There are no shortcuts It s a marathon, not a sprint Processes are important Paranoia is required There are no solutions only tools There s no such thing as being secure Detect, prevent, minimize exposure & damage

37 SECURITY IS A VERB Security is not a state to achieve but something you do

38 Truths Never separate compliance efforts from overall data security efforts Find a qualified, trusted security professional that can help you Focus on building a culture of information security It s not good enough to acquire and implement tech/security tools you must understand them and use them to their fullest potential Your security analyst team must be properly trained and should be highly valued Your employees should receive proper awareness training and understand their role in maintaining security to the company Everyone matters everyone is responsible

39 Realities Everybody is selling something Vendors lie (or are equally uninformed) There are no quick, set it and forget it solutions There are no solutions only tools Tools must be wielded by those that know how to use them Traditional views of network security are changing where is the perimeter in virtual/cloud terms?

40 QUESTIONS?

41 Want to keep in touch? I host a PCI Discussion Forum at Tenable where anyone can ask questions related to any and all aspects of PCI security. If your question is a little too sensitive for a public forum, feel free to contact me directly. Jeff Man M: Straight Talk about PCI (Moderator):

42