Cyber Risk: An Executive Business Perspective

Transcription

1 13th Annual Privacy and Security Conference Keeping Pace with the Digital Revolution Cyber Risk: An Executive Business Perspective Risk issues, impact on companies and infrastructures February 2011 Risk Management Willie (William) Wong Enterprise Services, IBM Security, Business Continuity/Resiliency & Integrated Communication Services, Canada

2 Agenda Objectives What is IT Risk The Risk landscape Technologies Risk Examples Social Media/Business Mobile Platforms Cloud Top IT Business Risk issues and Pains facing management Simple Risk Strategies/Actions 2 Risk Management

3 Objectives Help organizations to: 1. Understand emerging and latest technologies 2. Understand the associated risk issues 3. Understand how to reduce and manage the risks from a business perspective 3 Risk Management

4 What is IT Risk? Key Concepts 1. Confidentiality of Data (Data Privacy) 2. Integrity of Data 3. Availability of Data 4 Risk Management

5 There are four key business issues driving the significant corporate growth in security investments DATA EXPLOSION Big Data is driving compliance to be a significant challenge, as few customers know where all sensitive data is, let alone who is looking at it. CONSUMERIZATION OF IT The advent of Enterprise 2.0 and social business are enabling significant new business risks to emerge EVERYTHING IS EVERYWHERE New innovative platforms including cloud, virtualization and more are driving even greater challenges in complexity and cost. ATTACK SOPHISTICATION Attacks are now focused on the business itself vs. the IT infrastructure. making security a top concern, from the boardroom down 5 Risk Management

6 Targeted attacks are increasing 2011 Sampling of Security Breaches by Attack Type, Time and Impact Attack Type SQL Injection Bethesda Software URL Tampering Spear Phishing Fox News X-Factor Northrop Grumman IMF Italy PM Site 3 rd Party SW DDoS Citigroup Spanish Nat. Police Sega Secure ID Unknown Epsilon Sony PBS Gmail Accounts PBS SOCA Booz Allen Hamilton Vanguard Defense Size of circle estimates relative impact of breach HB Gary RSA L3 Communications Sony BMG Greece Lockheed Martin Malaysian Gov. Site Peru Special Police Nintendo Brazil Gov. Turkish Government AZ Police Monsanto SK Communications Korea Feb US Senate NATO Mar April May June July Aug IBM Security X-Force 2011 Midyear Trend and Risk Report September Risk Management

7 Evolving challenges: Internal, External & Compliance Regulators Board of Directors / Audit Committee CIO & Team Theft of Client Records Hactavists Business imperatives: Continuity of operations Intellectual Property Theft Theft of State Secrets Protect sensitive client data Protect valuable IP Protect critical infrastructure Protect the Brand Insider Fraud Enable new Business & Technology Models Comply with policy and regulations Contain cost Physical takeover of critical infrastructure 7 Risk Management

8 2010 IBM Global Risk Study- Emerging technology risks Out of five technologies evaluated, social networking, mobile platforms and cloud computing present the highest risk concern Social networking tools Mobile platforms. Cloud computing 15% 21% 19% 24% 27% 35% 42% 54% 64% We are concerned about being able to safely control the flow of data to/from employee mobile devices and safely storing it. Manufacturing, North America Virtualization Service-oriented architecture 26% 31% 25% 34% 43% 42% We are already looking at cloud computing and haven't yet perfected security on our own local networks. Healthcare, North America Extremely risky/risky Somewhat risky Moderately/not at all risky Sources: Q17 (How big a risk are the following technologies and tools to your company?) 8 Risk Management

9 Social Networking Risks 1. Leveraging SPAM, Malware and Phishing using Social Networks as delivery vehicles like Facebook, Linkedin, Twitter etc. are on the rise. 2. Increased source of data leakage. EG. Intellectual capital, used for Advance Persistent Threat (APT), customer information, scandals, Privacy issues etc. 3. Companies struggle to manage Social Media Altimeter Group - 2Q Risk Management

10 Using Social Media engineering for criminal activity Home Robbery and Hacking a company! Following example demonstrates a real life information gathering phase using Social Media tools. Due to sensitivity and to avoid legal issues, a mock scenario, using information gathered, has been created to demonstrate potential impact to a target. Objectives of this example: 1. Short Term Goal Commit a personal robbery 2. Long Term Goal Hack a company using a employee s access 3. Avoid Prosecution - by setting up the employee to take the fall. 10 Risk Management

11 Using Social Media engineering for criminal activity 1. Acquire a target and gather basic personal information Robert is Senior IT Administrator for a Financial Institution (access to userid/passwords), which makes him a Advanced Persistent Threat (APT) target Lives in Richmond Hill, rare spelling of his last name He has 800+ Facebook connections and minimal privacy settings He has over 500 pictures posted in various places (nice layout of his house-alarm) Owns a expensive watch collection, provides his Cell number, house number etc Posts information when he is away on weekends and holidays. Assume he uses a wireless Router Assume he has remote access to company IT assets 11 Risk Management

12 Using Social Media engineering for criminal activity 2. Gather target location information Using 411.ca, we found only 5 last names matching Robert s in Richmond Hill. We are lucky because Robert s home address is listed in 411.ca. Knowing his house number helped data filtering. In addition to his Cell number we now have his home number as well. WHO NEEDS 411? Private Webpages: We also checked some pictures taken with his smartphone which provided GPS co-ordinates just to confirm his home location. Also on Facebook, we didn t see any dogs or surveillance cameras in the home from the 500+ photos he posted for all to see (Always good to know). 12 Risk Management

13 Using Social Media engineering for criminal activity 3. Get a visual of target location and hack the wireless The Google Map Street View feature makes casing a target location relatively easy. Pictures like this yield much information such as thick bushes, houses are far apart, easy access to the backyard. We do some War Driving at Robert s house where we first hack his wireless to gain access to his network to install a recent sniffer to capture his work information. He made his network name his Last Name(easy to find) He used his home phone number for a 11 digit wireless encryption key NOTE: Hacking tool sets can be obtained free or can be bought for as little as $10 or depending on complexity, features etc. 13 Risk Management

14 Using Social Media engineering for criminal activity 1. Home Robbery - RECAP He has a home alarm system (7 minute rule of in and out) Monitor the Facebook page to see when he is away on vacation. The other advantages we have from Social Media networks are: We assume he lives alone except on weekends where his girlfriend sleeps over (From facebook). We know the location of the watches in the house(wall Unit) We know they are stored in red lockbox We can call his home and cell number to check where he is 2. Hacking Robert s Company through Robert - RECAP Once we gain access to Robert s wireless network we install a recently released sniffer or trojan malware to capture key strokes and other information We use this information to gain access to Robert s place of employment Post investigation will point to Robert as the culprit initially 14 Risk Management

15 What can happen after the initial company system breach? Dependent on Attacker s Motivation Basically Anything! Map out the corporate network, data storage, etc Target Senior Executives and other key stakeholders Cyber Extortion Locate Points of Failure and TAKE THEM OUT! Just for fun Etc.. There are MANY USES ONCE WE GET THE DATA.. 15 Risk Management

16 Take away thought. Is your organization s security posture positioned to address this type of breach? 16 Risk Management

17 Mobile Platforms 1. Global smartphone shipments reached more than 302 million Increase of 75% over the number of units shipped in Gartner: by 2014, 90% of organizations will support corporate applications on personal devices. 3. Expect significant increase in malware for smart devices! 17 Risk Management

18 Common Enterprise Mobile Security Issues Many mobile device platforms some have immature security functionality. Mix of business and personal information on the same device Balance between non-ownership of the devices and control on the devices Mobile devices are prone to loss and theft No effective process to certify and provision mobile applications Mobile devices are always on and connected, so are more vulnerable to network attacks. Malware threats are becoming more prevalent Risk Awareness for users is often overlooked. Users only know what they know. 18 Risk Management

19 Mobility Risk: Specific Android example 1.Android Tablet 2.FREE Bluetooth Program Transfers files from Tablet to PC via Bluetooth 3.Asking for a lot of permissions 19 Risk Management

20 Take away thought. Has your organization effectively accessed the risks in the Mobility/BYOD Strategy? * Sources: IBM X-Force Report Mar 2011 and others 20 Risk Management

21 Cloud Computing 1. Cloud technology is the natural evolution of computing. Where software, data access, and storage services do not require end-user knowledge of the physical location and configuration of the system that delivers the services. Analogy: Users on a electrical grid. 2. Security and Availability issues are seen as the #1 inhibitors to leveraging Cloud technologies 3. Cost savings and innovation will be key drivers for leveraging Cloud computing 21 Risk Management

22 Cloud Computing in a nutshell Image from Microsoft Clip Art Traditional Computing = Physical Separation 22 Risk Management

23 Cloud Computing in a nutshell Image from Microsoft Clip Art Virtualization = Shared Building 23 Risk Management

24 Cloud Computing in a nutshell Image from Microsoft Clip Art 24 Risk Management Cloud Computing = Shared public infrastructure

25 Functionality Versus Risk Versus Costs Traditional to Cloud computing IT Risk and Network implications 1. Traditional Computing Physical Separation EG. House Control of services, dataflow and platform Network is manageable Business Continuity measures effective Risk perceived as low 2. Virtualization 3. Cloud Shared Infrastructure EG. Condo Control of services and dataflow Network is manageable Business Continuity measures effective Risk perceived as Low to Medium Shared public Infrastructure EG. Motel/Hotel Limited control of services and dataflow Network Management is limited Security & Business Continuity reliant on provider Risk perceived as High 25 Risk Management

26 Take away thought. Does your organization understand the risks associated with Cloud solutions? * Sources: IBM X-Force Report Mar 2011 and others 26 Risk Management

27 Top IT business Risk issues and Pains facing management 1. Availability of systems and data- Move to Resiliency 2. Meeting compliance standards 3. Protecting critical company and customer data 1. What is the value of my data? 2. Where is my data going? 3. Who is doing what with my data? 4. Reducing costs while maintaining or improving current risk levels 5. Reduce complexity, optimize the network 6. Developing effective long term risk solutions 7. Getting buyin from the Organization 27 Risk Management

28 Manual Automated The Enterprise Risk Journey Basic Organizations employ perimeter protection/disaster recovery, which regulates access and feeds manual reporting Reactive Proactive Optimized Organizations use predictive and automated security analytics to drive toward security intelligence. Focus on Business Resiliency Proficient Security/Business Continuity is layered into the IT fabric and business operations 28 Risk Management

29 Simple strategies to optimize security & resiliency programs 1. Redefine and Simplify Risk and Risk Management Understand where you are, where you need to be Determine if a base, proficient, or optimized model is needed to support the business 2. Understand your Total Infrastructure Framework Take Inventory of current security and resiliency assets and practices Look for ways to take better advantage of what you already have in place today Know where you need to go and how you plan to get there 3. Engage a Global Risk Partner with a business focus A Partner that has experts, solutions and assets Leverages their innovation, integration and global expertise Has broader portfolios IE. Security, Resiliency & Compliance Functionality Versus Risk Versus Costs 29 Risk Management

30 Look for Broader portfolios, expertise, solutions and assets! Proven Risk Framework approaches/methodology Risk approach considers both Security, Resiliency & Compliance perspectives Research Division and large investments in Security patents Security services and products Business Continuity and Resiliency solutions Managed Services capabilities Integrated Mobility and Cloud solutions Technology Agnostic (ability to work with multiple partners) Ability to draw on Local and Global expertise, solutions and assets Project managers, Consultants, IT Architects, IT Specialist, Security Operation Centres, etc. Ability to go beyond risk needs if required (EG. Mobile Device Management) Security Products/Solutions Security Services Business Resiliency Services Application/Web Security Identity and Access Management Security Compliance Manager Real Time Database security Test Data Masking Intrusion Detection/Prevention Message Protection Virtual Server Protection Key Life Cycle Management Security Policy Manager Endpoint Security Manager Etc 30 Risk Management Security and Risk Assessments (Including Penetration Testing, Network, PCI, Cloud etc..) Managed Security Services Data Protection Services Security Architecture Design Compliance Application Security Access Governance, Certificate Mgmt Mobility Security Cloud Security Agnostic Disaster recovery and business continuity planning Business Impact Analysis IT recovery sites (public or private) Managed Backup Cloud Virtual Server Recovery Recovery support services Data and server replication Agnostic

31 Simple strategies to optimize security, resiliency & network programs Stakeholder buy in! It s business. Develop a strategy. 31 Risk Management

32 Getting Buyin - C-suite priorities* WHO should be concerned with WHAT CEO CFO/COO CIO CHRO CMO CxO priority Maintain competitive differentiation Comply with regulations Expand use of mobile devices Enable global labor flexibility Enhance the brand Security risks Misappropriation of intellectual property Misappropriation of business sensitive data Failure to address regulatory requirements Data proliferation Unsecured endpoints and inappropriate access Release of sensitive data Careless insider behavior Stolen personal information from customers or employees Potential impact Loss of market share and reputation Legal exposure Audit failure Fines and criminal charges Financial loss Loss of data confidentiality, integrity and/or availability Violation of employee privacy Loss of customer trust Loss of brand reputation Increasingly, companies are appointing CROs and CISOs with a direct line to the Audit Committee *Source: Discussions with more than 13,000 C-suite executives as part of the IBM C-suite Study Series 32 Risk Management

33 Approach CEO CFO COO CHRO CMO Stakeholders BUY IT services/solutions from the CIO CIO Clearly define the Strategy supporting the Business Objectives Clearly state how the solution components support the strategy Focus on Common Benefits that apply to as many C-Level Peers as possible Identify issues, implications, what you need from them. Ask for input! Always identify actions/timelines/owners A well prepared business case will yield better results 33 Risk Management

34 About Wireless Network Routers for home the average user Security/Management BONUS 1. WEP, WPA, WPA2 Wireless Encryption Feature, relatively easy to use 2. Create a strong Password to login/disable Remote Management 3. Parent Control/Policy Support/Scheduling 4. Guest Networking/Website filtering/blocking 5. Media Access Control Address Filtering (Access via MAC Address) 6. RADIUS Authentication (Dial In, seldom used but ) 7. NAT(hide addresses using 1 IP) and SPI(Detect Traffic patterns) Firewall 8. Syslog/Logs - Read the Manual on how to configure your Router Log files to capture/save/ transactions IE. login attempts 9. Spot Check your Network Access status IE. Who is on your network Other Features you may want: a/b/g/n Mbps+ Max throughput (you may want to stream video in the future) 3. Bandwidth 2.4 or 5 Ghz? Dual Band? 4. QoS Quality of Service 5. LAN Ports 4 are standard 6. USB Ports and Shared resources IE. Printing, Storage 34 Risk Management

35 Review Objectives YOU SHOULD: 1. Understand emerging and latest technologies 2. Understand the associated risk issues 3. Understand how to reduce and manage the risks from a business perspective 35 Risk Management

36 Humor for the day. 36 Risk Management

37 Humor for the day. A Pessimist Is An Optimist With Experience 37 Risk Management

38 Thank you! Please fill out and return the feedback forms Willie (William) Wong Market Manager, ENTERPRISE SERVICES IBM Security, Business Continuity/Resiliency(BCRS) & Integrated Communications 3600 Steeles Ave E., Markham, L3R 9Z7, Canada IBM Global Technology Services Phone: Risk Management

39 Appendix 1: Supporting material 39 Risk Management

40 Speaker Introduction Willie Wong Professional Profile NOT TO BE CONFUSED with Willy Wonka as the fictional character in the 1964 Roald Dahl novel Charlie and the Chocolate Factory Willie Wong is currently the IBM Global Technology Services Market Manager for Security Services, Business Continuity & Resiliency Services and Integrated Communications Services (Networking) for IBM Canada. He has over Twenty five years of information technology experience. During this time, he has worked in many domains including Sales and Marketing, Security Consulting, resource deployment, application development, programming, systems analysis, architecture and design, network services, systems management, systems integration, Bulletin Board Service (BBS) and Internet Service Provider (ISP) services and process re-engineering. Willie holds a Government of Canada(GoC) security clearance level of SECRET (Level II). Professional Experience relevant to seminar While in a previous role as a IBM Security Principal, his focus was on assisting organizations, across all industries(financial, Government, Manufacturing, Retail, Distribution, Communications, Utilities etc.), to address their IT security needs (with Security/Privacy/Identity Management solutions) as it was related to their business strategy and goals. His security consulting experience includes a broad range of security areas: Security Program Development; Security Return On Investment(ROI) Workshops; Security product research, business casing and selection; Security Management (including day to day operations, incident management, processes and standards development, documentation); Risk assessment and mitigation of risk; Security Health Checks (based on ISO17799); Security Awareness Management program development and delivery; Information Classification methodology development; Secure Architecture Risk Analysis (SARA) workshops; Enterprise Privacy Classification Development; Security policy, standards and process, development and documentation; Communicating Security issues effectively to Executive management; Host Vulnerability Assessments (Windows and Unix) using various technical tools. Applied to various types of businesses and organizations; Project Managing Security Engagements; and Enterprise Security Architecture. 40 Risk Management

41 Additional Resources New IBM 2011 Global Risk Study New X-Force Report IBM Events website IBM Risk Resources/Solutions: Security and BCRS BCRS - Security - IBM Security Products ibm.com/security/products/?cm_sp=MTE16345 IBM ISS Quarterly Threat Insight Report ibm.com/services/us/iss/xforce/ IBM ICS - Networking/Mobility Resources/Solutions Integrated Communications (ICS) - services/integrated-communications-services.html?cm_re=masthead-_- itservices-_-communications 41 Risk Management

42 Content Contributors Willie Wong, IBM Canada, Market Manager Security, BCRS & ICS(Networks) 2012 Scott C Van Valkenburgh, Market Manager, IBM Security Solutions 2011 David Puzas, IBM US, World Wide Marketing Executive, Enterprise Services 2011 Tom Vasso, IBM Canada, Market Manager, AIS and Mobile Solutions Practice 2011 David M. Smith, IBM Canada, Marketing Executive, GTS, GBS & Industry Solutions 2011 Jay Safer, IBM Canada, Vice President, General Counsel and Secretary 2011 Suzanne Conner, IBM Canada, Territory Marketing Manager, GBE 2011 Ray Evans, IBM Switzerland, Global Penetration Testing, Apps Assessment Manager 2011 Don Singh, FundSERV, Security Analyst 2011 Heather Young, IBM Canada, Product Owner, Integrated Communications Services 2011 Linda Betz, IBM US, Global Chief Information Security Officer 2011 Bobby Singh, Rogers, Chief Information Security Officer 2010 Stewart Cawthray, IBM Canada, Senior IT Security Strategist/Architect 2010 Maureen Rourke, IBM Canada, Web Editor-in-Chief (Canada) 2010 Gary McIntyre, IBM Canada, Senior Security Architect, Project Executive 42 Risk Management