What keep the CIO up at Night Managing Security Nightmares

Size: px

Start display at page:

Download "What keep the CIO up at Night Managing Security Nightmares"

Nathaniel Carpenter
8 years ago
Views:

3 What is CIOs real NIGHTMARES? Security Threats Advance Persistence Threats (APT) It is a long term multi-phase ongoing targeted attack inside out

4 The Emerging Threat Landscape New Unique Threats per Hour (worldwide estimate*) 2500 NEW Dangerous Risks Avoiding Detection Threats Found in Enterprises DANGER Skyrocketing Volume (Real-world data from 150+ assessments*) Network Worms Threat Every Data-Stealing Malware 1.5 Seconds 56% IRC Bots A virtual denial of service attack on security! 77% Active Malware COMPLEXITY % One data breach can steal your data and erode your brand forever! Conventional content security is failing to keep up with threats. New threat landscape requires a new approach *Source Trend Micro 4 100%

6 Verizon: Top Breach Methods

7 Top Security Nightmares Web Threats Cybercrime Data breach Phishing, Pharming Botnet Social Engineering Malicious Software Malware Vulnerability exposure

8 2010 Review: 10 Most Remarkable Malware 04/27/ Copyright Trend Micro Inc.

9 The Victims 04/27/ Copyright Trend Micro Inc.

10 07/05/11 10

11 APT Attack Using Phishing/Social Engineering method 04/27/ Copyright Trend Micro Inc.

12 Recent Cyber Attack 12

13 Recent Cyber Attack 13

15 Understand Your Enemy Mafia style organized groups They invest in crime Expected pay-off is Millions of US$ Professionals

16 Targeted Attacks Sequential Attack Variance Malicious Sites Malicious Internet Sites Attacker Customer Environment Attackers inject malware known as Downloaders into an IT environment as soon as users open or browse a Web site. Outbreak1!!! Outbreak2!!! These Downloaders slip through antivirus software detection methods and initiate a variety of other malware downloads into the IT environment. Their behavior and propagation schemes are very different from traditional outbreak events

17 How does Web Threat work? Steal info users Malicious websites (botnet) Download data Access websites SQL inj ection Legitimate websites Criminals 1. Attack website vulnerability 2. I nj ect redirection Transparent redirection 4. Run malicious codes 5. infect machine & steal info

18 Challenge of IT Security Today Treats type: Increasing attack Vectors Profiteering Low cost Computer / Peripherals: Infection model probability increased High Growth Internet Connectivity:3G,Wi-Fi: Breach of corporate Model gateway security Complex Model Increase in Branch office USB Increase in Mobile user 0 Web 8 Mobile 0 0 Botnets Mobile Population 6 Spyware devices 0 Anchored Desktop 4 Spam Worm 0 23G s Complex High1 Growth % Penetration Profiteering Change in Corp. Operation: Enterprise Mobile Device Market Penetration Over Time Source: The 451 Group Copyright 2011Trend Micro Inc. and Infolock

19 The Do s Improve IT Security Programs Set up a Security Risk Management Team Determine the risk profile of your organization blend the technical skills and knowledge of the threat landscape with business critical thinking and social skills Employee compliance education User Awareness on security best practices and policies. Implement a Real time Management and Responding The goal is to minimize the impact of threat by blocking when possible and detecting and containing when not. Employ vulnerability assessment tools/devices, endpoint protection, data lost prevention solution (since information is often the targeted asset), network scanning/management (since the attack tool needs to communicate with its owner) Stay informed on news about malwares that exploit vulnerabilities Always backup sensitive information

20 TDA Sample Report

21 The Don ts Organizations should not be thinking in terms of single counter measure or even adding more layers to a layered security strategies rather they should be thinking of processes that can block when possible and detect and contain breaches in other cases.

22 Typical Security Threat Requirements From ISO / IEC 27001:2005 perspective ISO Framework Security Governance, Risk Management and Compliance (Security policy, Org, Human resource, Incident Response, BC, Compliance) 3rd party audit (SAS 70, ISO27001, PCI) SLA Visibility into change, incident, image management Effective incident report for tenants Client access to tenant-specific log and audit data Support for forensics and ediscovery Access Control Coordinating authentication and authorization with enterprise or 3rd party systems Standard-based SSO Data Security Data segregation Cloud-wide data classification Client control over geographic location of data (Identity & Access Mgmt) Information Systems Acquisition Development & Maintenance Application image security Compliance with secure development (Application and Process) Communications & Operations Management (Network, Server, Storage) Physical and Environment Security Isolation between tenant domains Policy-based security zones/trusted virtual domains Built-in intrusion detection and prevention Vulnerability Management Threat Management Monitoring and control of physical access Privileged user monitoring, including logging activities, physical monitoring and background checking

23 Security Threat Scope ISO / IEC 27001:2005 IaaS IaaS PaaS PaaS SaaS SaaS Physical and Environmental Security Communications and Operations Management Human Resources Security IaaS IaaS IaaS PaaS PaaS PaaS Communications and Operations Management Access control Physical and Environmental Security SaaS SaaS SaaS IaaS PaaS SaaS IaaS PaaS SaaS Access control Security Policy Organization of Information Security Information Security Incident Management Information System Acquisition, Development & Maintenance Security Policy Compliance Information Security Incident Management Business Continuity Management Information Security Incident Management

24 IT Security Management Portfolio Protect resources Protect data Infrastructure Security Data Security Application Security Governance, Risk & Compliance Management Provide validation

25 Conclusion Many organizations fail to realize that there can be no privacy without security - Gartner The threat onslaught is creating a denial of service on conventional security, creating: Unacceptable Risk & Intolerable Overhead Awareness and Education are key. Remember anyone can be anyone on the internet Copyright 2011 Trend Micro Inc.

26 THANK YOU

27 THE END

Cloud Security - Risiken und Chancen

Cloud Security - Risiken und Chancen Dr. Matthias Schunter, MBA IBM Research Zürich, mts@zurich.ibm.com, http://www.schunter.org Simple Questions Today s Data Center Tomorrow s Public Cloud We Have Control It s located at X. It s stored in