RETHINKING CYBER SECURITY Changing the Business Conversation

Transcription

1 RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1

2 1. Historical Review Agenda 2. General 2015 Overview and Update 3. The Role of the Board and Executives 4. Borderless Technology The Cloud 5. Redefining and Clarifying the Problem Statement 6. Summary & Key Takeaways 3 History can be a great teacher 4 2

3 What do all of them have in common? They have been hacked. 5 In the News 6 May

4 Top Ten Historical Cyber Crimes 7 Cybercrime and Hacktivism Definitions Cybercrime = A crime in which a computer is the object of the crime (hacking, phishing, spamming, viruses, denial of service attacks) or is used as a tool to commit an offence (cyberstalking, fraud, identity theft, child pornography, hate crimes). Source Hacktivism [hacking + activism] = The use of legal and/or illegal digital tools in pursuit of political ends (web site defacements, denial-of-service attacks, information theft, web site parodies etc.). Source 8 4

5 CYBERCRIME AND HACKTIVISM EXAMPLES ( Which of the following represent the greatest Cyber Crime threats for your organization? International Cyber Security Protection Alliance, 2013) 9 Cybercrime and Hacktivism Impact Loss of proprietary and sensitive information Loss of revenues Potentially long-term service interruptions Loss of clientele Diminished brand/ reputation Inefficiency and decline in productivity 10 5

6 Cybercrime and Hacktivism Facts and Statistics Cybercrime has no borders. (Interpol, 2013) No business, government, nongovernmental, or other organization of whatever size is invulnerable to cyber attacks. On average, cybercrime costs $8.9 million per incident and takes 24 days to resolve. (Ponemon Institute, 2012) Somebody s identity is stolen every 3 seconds as a result of cybercrime. 69% of organizations are hit by cybercrime (and many don t even know it). (International Cyber Crime Protection Alliance, 2013) One minute of downtime can cost organizations $22,000. Bottom line: Cyber security is a hot topic that is not going away. 11 Global Security Challenges Customer Records Lost* 145,00 76,000 70,000 0,000 56,000,000 45,000,000 38,000,000 20,000,000 GLOBAL IMPACT 2,400,,000 USD$3 TRILLION 1,160,, , , BILLION 117,339 43% Number of Records Exposed As A Result of a Data Breach in the Past 5 Years Average Number of Cyber Attacks per Day Increase in Number of Cyber Attacks in 2014 from 2013 * Select losses greater than 30,000 records. 12 6

7 Security Executives Top Concerns Unauthorized systems access Audit ability/compliance concerns Customer data breaches Sabotage (internal and external) Theft of intellectual property Lack for Security Specialized Expertise Cost of administration 13 Top Five Cyber Crimes on the Rise in

8 Cyber Crimes 1. State sponsored attacks 2. Targeted attacks and smart spam 3. Selective targeting of banks and healthcare companies 4. Ransomware 5. Mobile payment systems 90% of successful cyber attacks are coming from KNOWN malware/attack methods 15 One Example Hackers Remotely Kill a Jeep 16 8

9 Are Hillary's s in The Hands of a Hacker? Sloppy Users and Shadow IT A hacker, claiming to be in possession of former US Secretary of State Hillary Clinton's secret s, plans to auction them off, hoping to make at least $500,000 from the sale. The unnamed computer specialist told USbased entertainment publication RadarOnline that 32,000 s from Clinton's private server are on offer to the highest bidder. However, the whole claim is weakly substantiated. The hacker shared a sample of subject lines of s of "what appear to be legitimate messages" with RadarOnline, according to reports. 17 Ashley Madison CEO Steps Down 18 9

10 19 Unprecedented Use Case Harvesting records for more than a year Terabytes of data leaked into the public domain: PII, financial, HR and healthcare Business models Revenue generating assets To be released movies leaked 20 10

11 JP MORGAN Single Entry Point 83 million August The state of security today is not for a lack of security controls. UTM Firewalls WAF IDS/IPS SIEM 22 11

12 Existing controls produce a lot of items to investigate, but rarely are these actual threats. 23 Cyber Crime Costs Are Increasing Cost in Millions Difference of $2.7 Million = 30% Increase * According to Ponemon Institute s 2013 Cost of Cyber Crime Study 24 12

13 Loss Severity is also increasing. Corporate Board Member magazine, May Issue 25 outranked only by high taxation and loss of customers. Cybersecuritybusiness.com 26 13

14 Cybersecurity risk is increasing in every measurable dimension. Observed attack traffic in the United States increased from 11% in the third quarter of 2012 to 19% in fourth quarter According to Akamai Technologies 27 The Role of The Board 28 14

15 Challenges for your Board s oversight of IT risk? 29 Other Internal Risk Factors 30 15

16 Risks to consider Compliance with Regulatory Requirements Reputational Damage Information Leakage Loss of Intellectual Property Malware Attacks Copyright Infringement Privacy Breaches SANS 2012 Report 31 The Cloud Borderless Technology Environment Cloud based apps Mobile Workforce Web Apps VoIP 32 16

17 Gartner Report Cloud Adoption Growing In 2016 Cloud will increase to become the bulk of new IT spend A defining year for cloud o Private cloud begins to give way to hybrid cloud o Nearly half of large enterprises will have hybrid cloud deployments by the end of The IT Landscape Has Dramatically Shifted Everyone is on the road and connected everywhere Your data is moving to Cloud Applications Mobile Devices / BYOD are always on and rarely controlled The Internet of Things Is becoming real 34 Security should be moved to the edge of the Internet 34 17

18 It is too complex, expensive and slow to stack appliances at every Internet gateway 28 PAC File 1 Web Filter Sandbox SSL Aggregation firewall 2 27 SSL Client - side SSL tunnel Load balancers , 16 SSL Server side SSL tunnel Flow management 11 Content Inspection Edge firewall Log files Source: Global 1000 network security diagram, August 2014 Expensive to purchase and to operate, complexity introduces security gaps 35 The Hybrid Cloud Challenge Standards are still in flux Building now and adding security later is NOT a plan On prem deployments and cloud deployments require distinctly different security strategies Identity is the new perimeter 36 18

19 10/15/2015 Information Week s Cloud Security and Risk Survey states 75% of those using public cloud services have engaged SaaS providers, up from 66% in our June 2012 survey. 35% using or considering cloud runs or will run at least one mission critical application with a public provider, and 24% allow or will allow some sensitive data to reside in the cloud. 53% of those using or considering cloud services classify their organizations as very or somewhat risk averse. 37 Secure in the Cloud? Clients are STILL responsible for the privacy of their data regardless of where it is held. Clearly understand the security the Cloud providers have deployed and request documentation

20 The Staffing Challenge October Redefining the Problem Current Cyber Security Technologies AETs are increasing Enemies are well funded Internal staffing challenge Borderless Technology Environment Board of Directors Must Engage 40 20

21 10/15/2015 Clarifying the Problem Statement CHALLENGES: 1. Developing methodologies to better understand your client s attack surface. 2. Shifting from reactive to proactive planning. 3. Impact of cyber security on the entirety of business. Theory Practice 41 Summary & Key Takeaways 42 21

22 Finding a Unified Solution Inside your own organization jointly identify common security gaps: During Before After 43 The Full Cycle: Where are the gaps? POLICY FORENSICS BASED PROTECTION RISK ASSESSMENT HOST & SERVER BASED AGENTS PERIMETER SECURITY NETWORK SECURITY 44 22

23 SUGGESTED OBJECTIVES TO ADOPT IN PRACTICE 1. Identify blind spots of your client s current security posture and the security solutions in the marketplace. 2. Pinpoint areas of breach s impact on the business. 3. Articulate security life cycles and their impact to business owners. 45 Where Do We Go From Here? Some Practical Thoughts 1. Enterprise Security Architecture Review 2. Technical Vulnerability Assessment 3. Understanding Your Cloud Infrastructure 4. Develop Prioritized Remediation Plan 5. Continuous Monitoring 24x7 6. Update and Adjust Security Policy Regularly 7. Incident Response Plan 8. User Awareness Training 46 23

24 Thank You 47 24