2. Agenda
• The Challenges
• Why Worry
• Inside Info on Insiders
• Social Engineering Woes
• Costs
• One Approach to Consider
• What Specifically You Can Do
• More Resources
• Q&A
3. Disclaimer
All thoughts and opinions expressed in this presentation, or by Larry
Slobodzian directly, are his own and should not be interpreted as those of
Alexander Open Systems (AOS), or any other organization that might be
mentioned. The mention of any organizations should not be interpreted
as endorsement.
Some material contained herein was obtained and is used with the
express written permission of AOS, and other organizations and may not
be used or reproduced in any way without each of these parties’ express
written consent in advance.
5. Why Partner with AOS
• In business since 1992
• 9 states, a dozen offices, 400 employees
• Award-winning vendor partner relationships with providers like Cisco, EMC, HP, VMware, RSA, and ServiceNow
• Not just a VAR, but a “best of breed” business problem solution provider
• Hundreds of references from satisfied customers in all technologies
6. A SECURITY MANAGEMENT MATURITY MODEL
*Based on a Gartner Survey – “Where organizations fall short” (2012); percentages are the share of organizations at each level. Axes: Time (x) vs. Maturity (y). ARE YOU HERE?
Level 1: Defending Borders (*30%)
• Security is a “necessary evil”
• Reactive and de-centralized monitoring
• Tactical point products
• Check-box mentality
• Collect data needed primarily for compliance
Level 2: Awareness Phase (*50%)
• Proactive and assessment based
• Collect data needed to assess risk and detect advanced threats
• Tactical threat defenses enhanced with layered security controls
• Established Security Team
Level 3: Corrective Phase (*15%)
• Strategic Security Program
• Design Architecture
• Some security tools integrated with common data and management platform
Level 4: Optimal (*5%)
• Continuous Process Improvement
• Security fully embedded in enterprise processes
• Data fully integrated with business content drives decision-making
• Security tools integrated with business tools
7. The Business Challenges
• Exponential Growth of Threats
– D&D Insiders
– Outside Hackers (Commercial, Organized Crime, State
Sponsored)
– Competitor Espionage
• Continuously Growing Regulations & Requirements
– Increases are a mandatory cost of doing business
– DIACAP, SOx, HIPAA, PCI, GLBA, Dodd-Frank, NERC, OCC, etc…
– Volume reduction, Fines, and jail time for failure to comply
• Ever increasing expectations for “adequate” safeguards by consumers, management, shareholders, employees, press, courts…
8. C-Suite’s Top 5 Concerns
• Reputational Harm/Brand Equity
• Loss of Company IP
• Regulatory Actions/Compliance Costs
• Customer Lawsuits
• Shareholder/Investor Confidence
9. Current IT Challenges
• Increasing pace at which new and varied technologies must be supported
• More empowered end users
• Consumerization
• Cloud / SaaS / PaaS / IaaS
• Managed Services
• Maintain Legacy Systems
• Mobile Workforce
• BYOD
• And on, and on, and on
Budget Limitations, Staff Challenges (Skill, Availability, Cost, Retention)
10. Information Security, Privacy & IP Protection
Diagram: two overlapping areas, IP & Privacy Exposure and Information Security Exposure, covering:
• Wrongful Use
• Wrongful Collection
• Physical Theft of Sensitive Information
• Non-Electronic Accidental Disclosure
• Electronic Accidental Disclosure
• “Cyber” Attacks
12. Why would strangers want your info?
1. Identity theft for resale or immediate profit
2. Damage reputation of competitor
3. Steal intellectual property
4. Blackmail
5. Cyber Crime/Terrorism – It’s An Epidemic; The Nation’s Top Cop Says So
14. Why would insiders want to compromise you?
1. Greed / Financial Need
2. Anger / Revenge
3. Blackmail
4. Ego / Thrill
5. Divided Loyalties
15. What behaviors can you look for?
• W/o need and auth – takes work home
• Unusual interests outside their scope
• Unusual remote access times/odd hours
• Disregards corporate acceptable use
• Short trips to foreign countries
• Life crises
• Paranoia
16. What to do about it
1. Educate and regularly train employees on security or
other protocols.
2. Know your sensitive information and ensure it is
protected.
3. Use appropriate screening processes to select new
employees.
4. Segregation of duties.
5. Provide non-threatening, convenient ways for employees
to report suspicions.
6. Routinely monitor computer networks for suspicious
activity.
7. Ensure security (to include computer network security)
personnel have the tools they need.
18. Vendor Management: Across Your Supply Chain
• Vendors = very large % of all breaches
• No vendor too small; take a broad view of vendors/data
• Confidentiality and data security requirements
• Audit rights
• Hiring practices
• Applies to vendor use of subcontractors & employees
• Termination obligations
• Data breach notice protocol
19. Employee Training
• Weakest link in the majority of data security programs (e.g. lost devices, unapproved software, weak passwords)
• Highest ROI (“Quick Win”)
• Continuously train all employees
• Training calibrated on access/roles/responsibilities
• Policy of least privilege
20. Social Engineering . . . reminders of why technology alone isn't enough to keep you secure.
1. Phishing, Whaling, Doxing
2. Trojan horses
3. RSA attack in 2011 – first attack against the guard of the guards
4. Watering holes
5. Nice person with confidence
6. Social media
7. Charity/Cause Celeb scams
8. Weak third parties/suppliers/partners
21. COSTS of Doing . . .
• Nothing
• Or just enough, but
• What is that, just enough, anyway?
23. Costs of Not Addressing Technology Risk
• Breach Stats – 2016
– 89% of breaches led to a data compromise in less than a day
– 79% of breaches took weeks or more to discover
• Annualized cost of cyber crime:
– $158 per affected record (Avg)
– $355 per Healthcare record
– $80 in public sector
• Bad Headlines
– Per Forrester, if it’s even possible, rebuilding trust can be up to 10x the cost of acquiring it in the first place
– Target Corp. breach total cost = $252 million
25. WHAT IS THE FIX?
• Incident response program
• Ongoing vendor assessments
• Ongoing end-user awareness raising program
• Continuous Monitoring
• Robust and ongoing Risk, Vulnerability, & Threat (RVT) assessments
• Strategically plan ahead and expect the worst
26. AOS HOLISTIC CONSULTING APPROACH
The ADDIE Model: Instructional Design and Performance Improvement
• Analysis – Always start here. Survey Administrative Controls: Policies, Procedures, Governance. Survey Technical Controls: Core AOS. Risk Assessment: Those things that cause a significant business impact.
• Design
• Develop
• Implement
• Evaluate – Testing / Define Metrics: ROI on risk mitigation. Service Improvement: Ongoing program support, AOS relationship, Cloud.
27. What’s TRM?
• TRM includes:
– IT Security
– BC/DR
– Governance & Compliance
• Companies are ever more dependent upon IT to deliver
• TRM is a significant element of operational RM which is
one of the most critical aspects of Enterprise RM
• Either we manage risk, or it WILL manage us!
28. Why you need TRM
• The nature of the attacks
– Organized crime
– Zero Day
– APTs
• Forensics
– For operational interruptions
– In case it is more serious
29. Here are 8 steps to take right away
1. Insurance
2. Info
3. Culture
4. Risk Register
5. Self-Assessment
6. Incident Response Plan
7. Defense In Depth
8. Get Help
30. Create a Risk Register & Matrix
1. List all the realistic bad things that could happen
2. Rank them by likelihood (1 = least to 5 = most) and
3. by impact (1 = least to 5 = most, in $)
4. Plot them in a matrix
5. Concentrate on the 5/5s
31. DREAD
• Damage - how bad would an attack be?
• Reproducibility - how easy is it to reproduce the
attack?
• Exploitability - how much work is it to launch the
attack?
• Affected users - how many people will be impacted?
• Discoverability - how easy is it to discover the threat?
• Use Predefined answers
32. D – Damage Potential
• If a threat exploit occurs, how much damage will be
caused?
– 0 = Nothing
– 5 = Individual user data is compromised or affected.
– 10 = Complete system or data destruction
33. R – Reproducibility
• How easy is it to reproduce the threat exploit?
– 0 = Very hard or impossible, even for administrators of
the application.
– 5 = One or two steps required, may need to be an
authorized user.
– 10 = Just a web browser and the address bar is
sufficient, without authentication.
34. E – Exploitability
• What is needed to exploit this threat?
– 0 = Advanced programming and networking
knowledge, with custom or advanced attack tools.
– 5 = Malware exists on the Internet, or an exploit is
easily performed, using available attack tools.
– 10 = Just a web browser
35. A – Affected Users
• How many users will be affected?
– 0 = None
– 5 = Some users, but not all
– 10 = All users
36. D₂ – Discoverability
• How easy is it to discover this threat?
– 0 = Very hard to impossible; requires source code or
administrative access.
– 5 = Can figure it out by guessing or by monitoring
network traces.
– 9 = Details of faults like this are already in the public
domain and can be easily discovered using a search
engine.
– 10 = The information is visible in the web browser
address bar or in a form.
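The five DREAD slides above give the predefined answers but not how a team turns them into a ranking. The following is an added example (not from the presentation or from AOS) that encodes those answers, rejects any rating that is not one of them, and ranks threats. The combination rule (sum out of 50, and the average per category) and the three sample threats are assumptions made here.

```python
"""DREAD rating with the predefined answers from the slides (added example)."""
from dataclasses import dataclass

# Predefined answers per category, score -> description, as given on the slides.
DREAD_ANSWERS = {
    "damage": {
        0: "Nothing",
        5: "Individual user data is compromised or affected",
        10: "Complete system or data destruction",
    },
    "reproducibility": {
        0: "Very hard or impossible, even for administrators of the application",
        5: "One or two steps required, may need to be an authorized user",
        10: "Just a web browser and the address bar is sufficient, without authentication",
    },
    "exploitability": {
        0: "Advanced programming and networking knowledge, with custom or advanced attack tools",
        5: "Malware exists on the Internet, or an exploit is easily performed using available attack tools",
        10: "Just a web browser",
    },
    "affected_users": {
        0: "None",
        5: "Some users, but not all",
        10: "All users",
    },
    "discoverability": {
        0: "Very hard to impossible; requires source code or administrative access",
        5: "Can figure it out by guessing or by monitoring network traces",
        9: "Details of faults like this are already in the public domain and easily found with a search engine",
        10: "The information is visible in the web browser address bar or in a form",
    },
}


@dataclass(frozen=True)
class DreadRating:
    threat: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # "Use predefined answers": anything else is a data-entry error, not a rating.
        for category, allowed in DREAD_ANSWERS.items():
            value = getattr(self, category)
            if value not in allowed:
                raise ValueError(
                    f"{self.threat}: {category}={value} is not one of {sorted(allowed)}")

    @property
    def total(self):
        """Sum of the five categories, 0-50 (assumed combination rule)."""
        return sum(getattr(self, c) for c in DREAD_ANSWERS)

    @property
    def average(self):
        """Mean per category, 0-10 (assumed combination rule)."""
        return self.total / len(DREAD_ANSWERS)


def explain(rating):
    """Map each numeric answer back to the slide's wording, for the report."""
    return {c: DREAD_ANSWERS[c][getattr(rating, c)] for c in DREAD_ANSWERS}


def rank_threats(ratings):
    """Highest total first; threat name breaks ties so the order is stable."""
    return sorted(ratings, key=lambda r: (-r.total, r.threat))


# Constructed sample threats for a hypothetical web application (not real findings).
SAMPLE_RATINGS = [
    DreadRating("Report download via predictable URL, no login", 5, 10, 10, 10, 10),
    DreadRating("Nightly import job can wipe the orders table", 10, 5, 0, 10, 0),
    DreadRating("Session token cached on shared kiosk PCs", 5, 5, 5, 5, 5),
]

if __name__ == "__main__":
    for r in rank_threats(SAMPLE_RATINGS):
        print(f"{r.total:>2}/50  avg {r.average:>4.1f}  {r.threat}")
        for category, text in explain(r).items():
            print(f"        {category:<16} {text}")
```

The `ValueError` in `__post_init__` is the point of the "use predefined answers" bullet: a 7 for Damage looks precise but means two reviewers cannot compare their ratings.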
38. STRIDE
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data
leak)
• Denial of service (D.o.S)
• Elevation of privilege
40. Impact & Probability Matrix
AS/NZS – ISO 31000 Risk Mapping: Impact & Probability Relationship
Impact \ Probability | Low/Remote | Moderate | High/Certain
Significant | Considerable management required | Must manage and monitor risks | Extensive management essential
Moderate | Risks may be worth accepting with monitoring | Management effort worthwhile | Management effort required
Minor | Accept risks | Accept, but monitor risks | Manage and monitor risks
Sample Frequency (Probability) Scale
1. Remote – 1 in 100 year event
2. Unlikely – 1 in 50-100 year event
3. Possible – 1 in 15-25 year event
4. Likely – 1 in 5-15 year event
5. Certain – 1 in 1-5 year event
Sample Impact (Losses) Scale
1. Low – Less than $250,000
2. Moderate – $250,000 - $1,000,000
3. Significant – $1,000,000 - $5,000,000
4. Serious – $5,000,000 - $25,000,000
5. Severe – Greater than $25,000,000
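Slide 30 (list, rank 1-5 by likelihood and impact, plot, concentrate on the 5/5s) and the matrix and scales above are one procedure, so here is a single added example that carries it through. It is not from the presentation or from AOS. It uses the slide's two 5-point scales and the 3x3 action matrix; how the 5-point scales collapse onto the matrix's three bands (1-2 Low, 3 Moderate, 4-5 High), how boundary values and the 25-50 year gap in the frequency scale are handled, and the five sample risks are assumptions made here.

```python
"""Risk register and impact/probability matrix (added example, not from the slides)."""
from dataclasses import dataclass

# Sample Impact (Losses) Scale: (upper bound in dollars, level). At or above the
# last bound is level 5 (Severe).
IMPACT_SCALE = [(250_000, 1), (1_000_000, 2), (5_000_000, 3), (25_000_000, 4)]

# Sample Frequency (Probability) Scale: (max years between events, level).
# Rarer than 1 in 100 years is level 1 (Remote).
FREQUENCY_SCALE = [(5, 5), (15, 4), (25, 3), (100, 2)]

# The slide's 3x3 matrix, keyed by (impact band, probability band).
ACTION = {
    ("High", "Low"): "Considerable management required",
    ("High", "Moderate"): "Must manage and monitor risks",
    ("High", "High"): "Extensive management essential",
    ("Moderate", "Low"): "Risks may be worth accepting with monitoring",
    ("Moderate", "Moderate"): "Management effort worthwhile",
    ("Moderate", "High"): "Management effort required",
    ("Low", "Low"): "Accept risks",
    ("Low", "Moderate"): "Accept, but monitor risks",
    ("Low", "High"): "Manage and monitor risks",
}


def impact_level(loss_dollars):
    """1 (Low) to 5 (Severe). A loss exactly on a boundary takes the higher level (assumption)."""
    for upper, level in IMPACT_SCALE:
        if loss_dollars < upper:
            return level
    return 5


def likelihood_level(years_between_events):
    """1 (Remote) to 5 (Certain). The slide's 25-50 year gap is treated as Unlikely (assumption)."""
    for upper, level in FREQUENCY_SCALE:
        if years_between_events <= upper:
            return level
    return 1


def band(level):
    """Collapse a 1-5 level onto the matrix's three bands (assumption: 1-2 Low, 3 Moderate, 4-5 High)."""
    if level <= 2:
        return "Low"
    return "Moderate" if level == 3 else "High"


@dataclass(frozen=True)
class Risk:
    name: str
    years_between_events: float  # "1 in N year event"
    loss_dollars: float          # estimated loss if it happens

    @property
    def likelihood(self):
        return likelihood_level(self.years_between_events)

    @property
    def impact(self):
        return impact_level(self.loss_dollars)

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def action(self):
        return ACTION[(band(self.impact), band(self.likelihood))]


def build_register(risks):
    """Rank the register: highest likelihood x impact first, name as tie-break."""
    return sorted(risks, key=lambda r: (-r.score, r.name))


def plot_matrix(risks):
    """Plot risks into (likelihood, impact) cells of the 5x5 matrix."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    return cells


def five_by_fives(risks):
    """The 5/5s the slide says to concentrate on first."""
    return [r.name for r in build_register(risks) if r.likelihood == 5 and r.impact == 5]


# Constructed sample register; figures are illustrative, not real data.
SAMPLE_RISKS = [
    Risk("Phishing-enabled wire fraud", years_between_events=2, loss_dollars=40_000_000),
    Risk("Insider export of customer database", years_between_events=10, loss_dollars=30_000_000),
    Risk("Ransomware on file servers", years_between_events=3, loss_dollars=2_000_000),
    Risk("Data center flood", years_between_events=200, loss_dollars=10_000_000),
    Risk("Lost unencrypted laptop", years_between_events=1, loss_dollars=100_000),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_RISKS):
        print(f"{r.score:>2}  L{r.likelihood}/I{r.impact}  {r.name:<36} {r.action}")
    print("Concentrate on:", five_by_fives(SAMPLE_RISKS))
```

Note that the ranking and the action band disagree on purpose for some entries: the laptop risk scores 5 and the flood scores 4, yet the matrix puts the flood in "Considerable management required" because its impact is high even though it is rare. Reading both columns is what the matrix adds over a plain sorted list.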
42. Create an incident response plan (AICPA)
1. Use the risk register list
2. Either create an overarching plan as a guide to everything on the list, or a plan for each
3. The plan should contain:
1. Who can invoke the plan
2. When to invoke the plan
3. Who does what
4. Alternate roles & responsibilities
5. How to do what
6. What is BAU
4. Don’t forget the post mortem for lessons learned
You can’t run . . . or do this!
43. Takeaways
1. Biggest threat is inside—that includes vendors
2. Costs of doing nothing > Costs of security
3. Employee training is low-hanging fruit
4. Vendor Risk Management (3PA) is CRITICAL
5. Know your risks and how you will address them
6. Continuous monitoring
47. Please Contact:
Your local AOS Account Manager
or
Larry Slobodzian, Consulting Sales Lead
Larry.Slobodzian@aos5.com 913-669-9285
Linkedin.com/in/larryslobodzian
For more information
on
AOS Security Consulting
• https://www.linkedin.com/in/larryslobodzian
Editor’s notes
On behalf of AOS and myself, I want to thank Northrop Grumman for the opportunity to speak with you today
Collaborative dialogue
Not going to read slides
This is the “You can Quote me, But . . .” slide
Compliance Checkbox Complacency
Most organizations are at step 2, can hop to step 3 with just a nudge or two
80% of your clients will be somewhere between Level 1 and Level 2.
See how once we place the client on the model we can see their needs for moving forward.
During the assessment phase, remember our 4 step approach, remember that your client can have elements that exist in Level 3 but have missed elements that are vital at Level 1.
D&D – disgruntled and disenfranchised insiders – one of the biggest hidden threats companies can face
Most companies cannot afford to find and keep the expertise level to meet these needs
This was from a 2014 Forrester study and has been echoed as recently as January in the WSJ
Even though cyber security is not just IT’s problem anymore, we are still looked at to help solve/prevent the lion’s share
This area of overlap where policy/process shortcomings meet technology shortcomings is why cyber sec is no longer only an IT issue
Click on Picture for Norse Map
Let’s not forget your compute power
Someone give me an idea of what is the biggest source of cyber incidents…
Let me tell you where the real damage is.
Everyone concentrates on hacking…
The FBI has concluded that as much as 75% of the reported cyber incidents in 2015 had an inside threat actor component
Who are insiders: Problems at home
Failure to be recognized, passed over, no raise
Ashley Madison/Adult FriendFinder
Can I get away with – culture to get over on the man
Help the underdog, allegiance to others – company, country, culture
employees, trusted partners, vendors and contractors
Not all these are bad – maybe sign of a go-getter – but perhaps all taken together . . .
Risk factors:
Ineffective management of privileged users.
Inappropriate role and entitlement assignment.
Poor overall identity governance.
Poor information classification and policy enforcement.
Inadequate auditing and analytics.
Audit log complexity.
Reactive response.
No comprehensive written acceptable use policies
Combating insider threats is immensely bigger and far more complex than merely an IT challenge.
Background Checks
Access Controls & Logging reviews
Leadership get smarter
Encrypt what matters, MFA too
End user awareness raising
Fazio Mechanical
Rubbing salt in this wound, according to the 2014 Ponemon study on the Cost of Data Breaches, is the emerging trend that recovery costs for the breached entity are notably higher when perpetrated through a supplier/third party. Facilitated by a malevolent insider, the costs can ramp up even higher and faster.
Every headline making breach you heard about recently is likely to have some component of inadequate vendor management as a contributing or primary factor
Employees are best and worst. Tell the Children’s of AL story
Faked emails that attempt to get you to directly or indirectly divulge or allow access
Program or file that appears harmless, but is, in fact, malicious. If the Trojan Horse weren't such a genius example of a social engineering attack, we'd never have named an entire class of malware after it.
RSA in 2011. What is known is that RSA's parent company, EMC, spent $66 million recovering from the attack; the lure was a recruitment Excel file sent to two lists of non-high-profile folks
Watering holes are more subtle than phishing attacks. Malware is injected into a legitimate website that organizations in the target industry are already likely to visit.
UPS Gal story
Too much info being shared by current and former employees
Nigerian Prince / Prince / Honduran & Japan Earthquakes
Target 40 M CC compromised
Often because it has yet to happen to a company, or at least that they know of, some companies feel like doing nothing is a viable option. That is risk unto itself
Well, how many servers do you have, how many web sites, how many mobiles devices/laptops, how many employees?
Source is Ponemon Institute Cost of Cyber Crime Study 2014
Some organizations’ databases contain hundreds of thousands of records – imagine the costs of a breach then
The state in which the resident of the affected record(s) gets to define if a breach occurred!
Need to free up Run and Maintain dollars to fund additional new development; proactive risk management does that
We all know nothing ventured, nothing gained. We must take calculated risks. This approach attempts to make sure there are some contingencies and precautions in place . . .
This 5 step model defines a process.
Analysis: We always start by Assessing the organization.
What is the client’s strategy? Jumping directly into what hardware they need without understanding the development strategy does not serve the client’s long-term needs.
What are the vulnerabilities
What are their administrative security controls
Collecting as much information as you can on the level of security / preparedness of the organization
Design: Designing is where we tie in our other offerings to complete a sound strategy.
1. What kinds of mitigation controls do they have; BCP, DR, Scheduled testing, Scheduled exercises.
Develop: Develop or build organizational resiliency. Hardware purchases, Cloud support, what are the consulting needs to move forward.
Implement: Are you listening? The consulting elements will expose and sometimes redirect the corporate strategy; this directly ties the hardware support to the strategy.
Example: Penetration testing and consulting can result in the need for new firewalls, IPS/IDS, Identity Access Management, Encryption to name a few.
Evaluation: Review the strategy, constantly monitor and make changes as needed. Annually, address strategy changes or redirection.
TRM defined – Though still too often excluded from the boardroom level, the process seeks to identify technology-related risks to a business, assess those risks by determining their potential impact and their likelihood of occurrence, and then take steps to mitigate the risks to an acceptable level
Confidentiality – only those who need to know can or do
Integrity – info is all there & unaltered w/o authorization
Availability – readily accessible; from wherever & when needed
Agility – done right, a best way to help the business get to “YES”
Should be “baked-in” from start to finish on everything IT does, as well as what the organization does with IT
Zero-day threat detection: New attack vectors and vulnerabilities are discovered every day. Firewalls, IDS/IPS and AV solutions all look for malicious activity at various points within the IT infrastructure, from the perimeter to endpoints. However, many of these solutions are not equipped to detect zero-day attacks. A SIEM can detect activity associated with an attack rather than the attack itself. For instance, a well-crafted spear-phishing attack using a zero-day exploit has a high likelihood of making it through spam filters, firewalls and antivirus software, and being opened by a target user.
A SIEM can be configured to detect activity surrounding such an attack. For example, a PDF exploit generally causes the Adobe Reader process to crash. Shortly thereafter, a new process will launch that either listens for an incoming network connection or initiates an outbound connection to the attacker. Many SIEMs offer enhanced endpoint monitoring capabilities that keep track of processes starting and stopping and network connections opening and closing. By correlating process activity and network connections from host machines a SIEM can detect attacks, without ever having to inspect packets or payloads. While IDS/IPS and AV do what they do well, a SIEM provides a safety net that can catch malicious activities that slip through traditional
Forensics: A forensics investigation can be a long, drawn-out process. Not only must a forensics analyst interpret log data to determine what actually happened, the analyst must preserve the data in a way that makes it admissible in a court of law. By storing and protecting historical logs, and providing tools to quickly navigate and correlate the data, SIEM technologies allow for rapid, thorough and court-admissible forensics investigations.
Since log data represents the digital fingerprints of all activity that occurs across IT infrastructures, it can be mined to detect security, operations and regulatory compliance problems. Consequently, SIEM technology, with its ability to automate log monitoring, correlation, pattern recognition, alerting and forensic investigations, is emerging as a central nervous system for gathering and generating IT intelligence.
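The zero-day note above describes a correlation rule in words: Reader crashes, a new process appears on the same host shortly after, and that process opens a network connection. Here is an added example of that rule as code; it is not from the presentation or from any SIEM vendor. The key=value log format, the field names, the two time windows and the sample events are all constructed for the example.

```python
"""Correlate endpoint process and network events the way the SIEM note describes.

Added example. The log format (space-separated key=value pairs), the field names and
the sample telemetry below are constructed; a real SIEM would read its own schema.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. ws17 shows the described pattern (Reader crash, new
# process, outbound connection from that process). ws22 has a Reader crash followed by
# unrelated activity, and ws31 has ordinary process/network activity with no crash.
SAMPLE_LOG = """\
2016-03-01T10:00:01 host=ws17 event=process_crash image=AcroRd32.exe pid=4120
2016-03-01T10:00:04 host=ws17 event=process_start image=update.exe pid=4188 parent=4120
2016-03-01T10:00:09 host=ws17 event=net_connect pid=4188 dst=198.51.100.23 dport=443 direction=outbound
2016-03-01T10:05:00 host=ws22 event=process_crash image=AcroRd32.exe pid=2210
2016-03-01T10:06:30 host=ws22 event=net_connect pid=900 dst=203.0.113.5 dport=80 direction=outbound
2016-03-01T10:07:00 host=ws22 event=process_start image=notepad.exe pid=2300 parent=1500
2016-03-01T10:20:00 host=ws31 event=process_start image=outlook.exe pid=3100 parent=1200
2016-03-01T10:20:02 host=ws31 event=net_connect pid=3100 dst=192.0.2.10 dport=443 direction=outbound
"""

READER_IMAGES = {"acrord32.exe", "acrobat.exe"}   # process names treated as "Adobe Reader"
START_WINDOW = timedelta(seconds=60)               # crash -> new process (assumed window)
NET_WINDOW = timedelta(seconds=300)                # new process -> connect/listen (assumed window)
NET_EVENTS = {"net_connect", "net_listen"}


def parse_line(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events):
    """Return one alert per Reader crash that is followed, on the same host, by a new
    process which then opens or listens for a network connection."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for crash in events:
        if crash["event"] != "process_crash" or crash["image"].lower() not in READER_IMAGES:
            continue
        host = crash["host"]
        for start in events:
            if (start["event"] != "process_start" or start["host"] != host
                    or not crash["ts"] <= start["ts"] <= crash["ts"] + START_WINDOW):
                continue
            for net in events:
                if (net["event"] in NET_EVENTS and net["host"] == host
                        and net.get("pid") == start["pid"]
                        and start["ts"] <= net["ts"] <= start["ts"] + NET_WINDOW):
                    alerts.append({
                        "host": host,
                        "crashed_image": crash["image"],
                        "suspect_image": start["image"],
                        "suspect_pid": start["pid"],
                        "net_event": net["event"],
                        "dst": net.get("dst", ""),
                        "first_seen": crash["ts"],
                    })
                    break  # one alert per (crash, new process) is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(f"{alert['first_seen']} {alert['host']}: {alert['crashed_image']} crashed, "
              f"then {alert['suspect_image']} (pid {alert['suspect_pid']}) "
              f"{alert['net_event']} {alert['dst']}")
```

Nothing in the rule inspects the PDF or the network payload, which is the note's point: the sequence of host events is the signal, so the rule fires on an exploit the signature products have never seen. The windows are the tunable part; too wide and every Reader crash near a software update fires, too narrow and a slow-starting dropper is missed.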
Do an RVA and map the residual risks onto some kind of matrix to make a prioritized action plan
It is not getting easier
The stakes are very high for getting it wrong
Doing nothing won’t work
Prioritize and plan ahead of need
Get some help