RETHINKING CYBER SECURITY
Changing the Business Conversation
October 2015

Introduction: Diane Smith
Michigan Delegate Higher Education Conference Speaker Board Member

Agenda
1. Historical Review
2. General 2015 Overview and Update
3. The Role of the Board and Executives
4. Borderless Technology: The Cloud
5. Redefining and Clarifying the Problem Statement
6. Summary & Key Takeaways

History can be a great teacher

What do all of them have in common?
They have been hacked.

In the News
May 2014

Top Ten Historical Cyber Crimes

Cybercrime and Hacktivism Definitions
Cybercrime = A crime in which a computer is the object of the crime (hacking, phishing, spamming, viruses, denial of service attacks) or is used as a tool to commit an offence (cyberstalking, fraud, identity theft, child pornography, hate crimes).
Hacktivism [hacking + activism] = The use of legal and/or illegal digital tools in pursuit of political ends (web site defacements, denial-of-service attacks, information theft, web site parodies etc.).

CYBERCRIME AND HACKTIVISM EXAMPLES
(Which of the following represent the greatest Cyber Crime threats for your organization? International Cyber Security Protection Alliance, 2013)

Cybercrime and Hacktivism Impact
- Loss of proprietary and sensitive information
- Loss of revenues
- Potentially long-term service interruptions
- Loss of clientele
- Diminished brand/reputation
- Inefficiency and decline in productivity

Cybercrime and Hacktivism Facts and Statistics
- Cybercrime has no borders. (Interpol, 2013)
- No business, government, nongovernmental, or other organization of whatever size is invulnerable to cyber attacks.
- On average, cybercrime costs $8.9 million per incident and takes 24 days to resolve. (Ponemon Institute, 2012)
- Somebody's identity is stolen every 3 seconds as a result of cybercrime.
- 69% of organizations are hit by cybercrime (and many don't even know it). (International Cyber Crime Protection Alliance, 2013)
- One minute of downtime can cost organizations $22,000.
Bottom line: Cyber security is a hot topic that is not going away.

Global Security Challenges
[Chart: Customer Records Lost*; individual values not recoverable]
- Global impact: USD$3 trillion
- 2.5 billion: Number of records exposed as a result of a data breach in the past 5 years
- 117,339: Average number of cyber attacks per day
- 43%: Increase in number of cyber attacks in 2014 from 2013
* Select losses greater than 30,000 records.

Security Executives' Top Concerns
- Unauthorized systems access
- Auditability/compliance concerns
- Customer data breaches
- Sabotage (internal and external)
- Theft of intellectual property
- Lack of specialized security expertise
- Cost of administration

Top Five Cyber Crimes on the Rise in 2015

2014-2015 Cyber Crimes
1. State sponsored attacks
2. Targeted attacks and smart spam
3. Selective targeting of banks and healthcare companies
4. Ransomware
5. Mobile payment systems
90% of successful cyber attacks are coming from KNOWN malware/attack methods

One Example: Hackers Remotely Kill a Jeep

Are Hillary's Emails in The Hands of a Hacker?
Sloppy Users and Shadow IT
A hacker, claiming to be in possession of former US Secretary of State Hillary Clinton's secret emails, plans to auction them off, hoping to make at least $500,000 from the sale. The unnamed computer specialist told US-based entertainment publication RadarOnline that 32,000 emails from Clinton's private server are on offer to the highest bidder. However, the whole claim is weakly substantiated. The hacker shared a sample of subject lines of emails of "what appear to be legitimate messages" with RadarOnline, according to reports.

Ashley Madison CEO Steps Down

Unprecedented Use Case
- Harvesting records for more than a year
- Terabytes of data leaked into the public domain:
  o PII, financial, HR and healthcare
  o Business models
  o Revenue generating assets
  o To-be-released movies leaked

JP MORGAN
Single Entry Point
83 million
August 2014

The state of security today is not for a lack of security controls.
UTM Firewalls WAF IDS/IPS SIEM

Existing controls produce a lot of items to investigate, but rarely are these actual threats.

Cyber Crime Costs Are Increasing
[Chart: Cost in Millions, 2012 vs. 2013]
Difference of $2.7 Million = 30% Increase
* According to Ponemon Institute's 2013 Cost of Cyber Crime Study

Loss Severity is also increasing.
Corporate Board Member magazine, May Issue

outranked only by high taxation and loss of customers.
Cybersecuritybusiness.com

Cybersecurity risk is increasing in every measurable dimension.
Observed attack traffic in the United States increased from 11% in the third quarter of 2012 to 19% in fourth quarter 2013. According to Akamai Technologies

The Role of The Board

Challenges for your Board's oversight of IT risk?

Other Internal Risk Factors

Risks to consider
- Compliance with Regulatory Requirements
- Reputational Damage
- Information Leakage
- Loss of Intellectual Property
- Malware Attacks
- Copyright Infringement
- Privacy Breaches
SANS 2012 Report

The Cloud: Borderless Technology Environment
- Cloud based apps
- Mobile Workforce
- Web Apps
- VoIP

Gartner Report: Cloud Adoption Growing
- In 2016 Cloud will increase to become the bulk of new IT spend
- A defining year for cloud
  o Private cloud begins to give way to hybrid cloud
  o Nearly half of large enterprises will have hybrid cloud deployments by the end of 2017

The IT Landscape Has Dramatically Shifted
- Everyone is on the road and connected everywhere
- Your data is moving to Cloud Applications
- Mobile Devices / BYOD are always on and rarely controlled
- The Internet of Things is becoming real
Security should be moved to the edge of the Internet

It is too complex, expensive and slow to stack appliances at every Internet gateway
[Diagram labels: PAC file, web filter, sandbox, SSL, aggregation firewall, client-side SSL tunnel, load balancers, server-side SSL tunnel, flow management, content inspection, edge firewall, log files. Source: Global 1000 network security diagram, August 2014]
Expensive to purchase and to operate, complexity introduces security gaps

The Hybrid Cloud Challenge
- Standards are still in flux
- Building now and adding security later is NOT a plan
- On prem deployments and cloud deployments require distinctly different security strategies
- Identity is the new perimeter

10/15/2015

Information Week's Cloud Security and Risk Survey states
- 75% of those using public cloud services have engaged SaaS providers, up from 66% in our June 2012 survey.
- 35% using or considering cloud runs or will run at least one mission critical application with a public provider, and 24% allow or will allow some sensitive data to reside in the cloud.
- 53% of those using or considering cloud services classify their organizations as very or somewhat risk averse.

Secure in the Cloud?
- Clients are STILL responsible for the privacy of their data regardless of where it is held.
- Clearly understand the security the Cloud providers have deployed and request documentation.

The Staffing Challenge
October 15

Redefining the Problem
- Current Cyber Security Technologies
- AETs are increasing
- Enemies are well funded
- Internal staffing challenge
- Borderless Technology Environment
- Board of Directors Must Engage

Clarifying the Problem Statement
CHALLENGES:
1. Developing methodologies to better understand your client's attack surface.
2. Shifting from reactive to proactive planning.
3. Impact of cyber security on the entirety of business.
[Diagram labels: Theory, Practice]

Summary & Key Takeaways

Finding a Unified Solution
Inside your own organization jointly identify common security gaps:
- Before
- During
- After

The Full Cycle: Where are the gaps?
[Diagram labels: POLICY FORENSICS BASED PROTECTION RISK ASSESSMENT HOST & SERVER BASED AGENTS PERIMETER SECURITY NETWORK SECURITY]

SUGGESTED OBJECTIVES TO ADOPT IN PRACTICE
1. Identify blind spots of your client's current security posture and the security solutions in the marketplace.
2. Pinpoint areas of breach's impact on the business.
3. Articulate security life cycles and their impact to business owners.

Where Do We Go From Here? Some Practical Thoughts
1. Enterprise Security Architecture Review
2. Technical Vulnerability Assessment
3. Understanding Your Cloud Infrastructure
4. Develop Prioritized Remediation Plan
5. Continuous Monitoring 24x7
6. Update and Adjust Security Policy Regularly
7. Incident Response Plan
8. User Awareness Training

Thank You