Secure Iowa Oct 2016

The Threat You Are Not
Expecting
Larry Slobodzian – AOS

Agenda
• The Challenges
• Why Worry
• Inside Info on Insiders
• Social Engineering Woes
• Costs
• One Approach to Consider
• What Specifically You Can Do
• More Resources
• Q&A

Disclaimer
 All thoughts and opinions expressed in this presentation, or by Larry
Slobodzian directly, are his own and should not be interpreted as those of
Alexander Open Systems (AOS), or any other organization that might be
mentioned. The mention of any organizations should not be interpreted
as endorsement.
 Some material contained herein was obtained and is used with the
express written permission of AOS, and other organizations and may not
be used or reproduced in any way without each of these parties’ express
written consent in advance.

Larry Slobodzian
AOS Consulting Sales Lead | Security, GRC, IAM, and SRM

Why Partner with AOS
• In business since 1992
• 9 states, a dozen offices, 400 employees
• Awarding winning vendor partner
relationships with providers like CISCO, EMC,
HP, VM-WARE, RSA, and ServiceNow
• Not just a VAR, but a “best of breed”, business
problem solution provider
• Hundreds of references from satisfied customers in
all technologies

A SECURITY MANAGEMENT MATURITY MODEL
• Security is
“necessary evil”
• Reactive and de-
centralized monitoring
• Tactical point products
• Proactive and
assessment based
• Collect data needed
to assess risk and
detect advanced
threats
• Some security tools
integrated with
common data and
management
platform
• Strategic Security
Program
• Design Architecture
• Check-box
mentality
• Collect data
needed primarily
for compliance
• Tactical threat
defenses enhanced
with layered
security controls
• Established
Security Team
Level 1:
Defending
Borders
Level 2:
Awareness
Phase
Level 3:
Corrective
Phase
Level 4:
Optimal
• Continuous Process
Improvement
• Security fully
embedded in
enterprise processes
• Data fully integrated
with business content
drives decision-
making
• Security tools
integrated with
business tools
Time
Maturity
*Based on a Gartner Survey – “Where organizations fall short” (2012)
*30%
*50% *15% *5%
ARE YOU HERE?

The Business Challenges
• Exponential Growth of Threats
– D&D Insiders
– Outside Hackers (Commercial, Organized Crime, State
Sponsored)
– Competitor Espionage
• Continuously Growing Regulations & Requirements
– Increases are a mandatory cost of doing business
– DIACAP, SOx, HIPAA, PCI, GLBA, Dodd-Frank, NERC, OCC, etc…
– Volume reduction, Fines, and jail time for failure to comply
• Ever increasing expectations for “adequate” safeguards by
consumers, management, shareholders, employees, press,
courts……………….

C-Suite’s Top 5 Concerns
 Reputational Harm/Brand
Equity
 Loss of Company IP
 Regulatory
Actions/Compliance Costs
 Customer Lawsuits
 Shareholder/Investor
Confidence

• Increasing pace at which new and varied
technologies must be supported
• More empowered end users
• Consumerization
• Cloud / SaaS / PaaS / IaaS
• Managed Services
• Maintain Legacy Systems
• Mobile Workforce
• BYOD
• And on, and on, and on
Budget Limitations, Staff Challenges (Skill, Availability, Cost, Retention)
Current IT Challenges

Information Security, Privacy & IP Protection
Wrongful
Use
Wrongful
Collection
Physical Theft of
Sensitive Information
Non-Electronic
Accidental Disclosure
Electronic
Accidental Disclosure
“Cyber”
Attacks
IP & Privacy Exposure
Information
Security
Exposure

Why?
• There are at least 5 reasons, probably more

Why would strangers want your info?
1. Identity theft for resale or immediate profit
2. Damage reputation of competitor
3. Steal intellectual property
4. Blackmail
5. Cyber Crime/Terrorism –
Its An Epidemic;
The Nation’s Top Cop
Says So

What’s Your Biggest Exposure?
# 3 Paper
# 1 Employee
Negligence
# 2 Hacking

1. Greed / Financial
Need
2. Anger / Revenge
3. Blackmail
4. Ego / Thrill
5. Divided Loyalties
Why would insiders want to compromise you?

What behaviors can you look for?
• W/o need and auth – takes work home
• Unusual interests outside their scope
• Unusual remote access times/odd hours
• Disregards corporate acceptable use
• Short trips to foreign countries
• Life crises
• Paranoia

What to do about it
1. Educate and regularly train employees on security or
other protocols.
2. Know your sensitive information and ensure it is
protected.
3. Use appropriate screening processes to select new
employees.
4. Segregation of duties.
5. Provide non-threatening, convenient ways for employees
to report suspicions.
6. Routinely monitor computer networks for suspicious
activity.
7. Ensure security (to include computer network security)
personnel have the tools they need.

Know Your Vendors
Vendor
Questionnaire
Outsourcing?
References
Business History
Privacy & Security
Policies Security
Certifications or
Audits (ISO 27001
or SSAE 16)
Types of Data that
will be generated,
processed, stored
Level of Network
Access

Vendor Management:
Across Your Supply Chain
Vendors = very large % of all breaches
No Vendor too small; take broad view of vendors/data
Confidentiality and data security requirements
Audit rights
Hiring practices
Applies to vendor use of subcontractors & employees
Termination obligations
Data breach notice protocol

Employee Training
Weakest Link in Majority of Data
Security Programs
(e.g. lost devices, unapproved
software, weak password)
Highest ROI (“Quick Win”)
Continuously Train All Employees
Training Calibrated on
Access/Roles/Responsibilities
Policy of Least Privilege

. . . reminders of why technology
alone isn't enough to keep you secure.
1. Phishing, Whaling, Doxing
2. Trojan horses
3. RSA attack in 2011 – first attack against the
guard of the guards
4. Watering holes
5. Nice person with confidence
6. Social media
7. Charity/Cause Celeb scams
8. Weak third parties/suppliers/partners
Social Engineering . . .

COSTS of Doing . . .
• Nothing
• Or just enough, but
• What is that, just enough, anyway?

Costs of Not Addressing Technology Risk
• Breach Stats – 2016
– 89% of breaches led to a data compromise
in less than a day
– 79% of breaches took weeks or more to
discover
• Annualized cost of cyber crime:
– $158 per affected record (Avg)
– $355 per Healthcare record
– $80 in public sector
• Bad Headlines
– Per Forrester, if its even possible, rebuilding
trust can be up to 10x the cost of acquiring
in the first place
– Target Corp. breach total cost = $252 million

WHAT IS THE FIX?
Incident response
program
Ongoing vendor
assessments
Ongoing end-user
awareness raising
program
Continuous Monitoring
Robust and ongoing Risk,
Vulnerability, & Threat
(RVT) assessments
Strategically plan
ahead and
expect the worst

AOS HOLISTIC CONSULTING APPROACH
Evaluate
Analysis
Always start here.
Design
Develop
Implement
Survey Administrative
Controls: Policies,
Procedures, Governance
Survey Technical
Controls: Core AOS
Testing / Define Metrics: ROI on risk
mitigation.
Service Improvement: Ongoing
program support, AOS relationship,
Cloud
Risk Assessment: Those things that cause a significant
business impact.
The ADDIE Model: Instructional Design and Performance Improvement

What’s TRM?
• TRM includes:
– IT Security
– BC/DR
– Governance & Compliance
• Companies are ever increasingly more dependent upon
IT to deliver
• TRM is a significant element of operational RM which is
one of the most critical aspects of Enterprise RM
• Either we manage risk, or it WILL manage us!

Why you
need TRM
• The nature of the
attacks
– Organized crime
– Zero Day
– APTs
• Forensics
– For operational
interruptions
– In case it is more
serious

Here are 8 steps to take right away
1. Insurance
2. Info
3. Culture
4. Risk Register
5. Self-Assessment
6. Incident Response Plan
7. Defense In Depth
8. Get Help

1. List all the realistic bad things that could happen
2. Rank them by likelihood (1-Least to 5-most) and
3. Impact (1-Least to 5-most, $)
4. Plot them in a matrix
5. Concentrate on the 5/5s
5 / 5s
Create a Risk Register & Matrix

DREAD
• Damage - how bad would an attack be?
• Reproducibility - how easy is it to reproduce the
attack?
• Exploitability - how much work is it to launch the
attack?
• Affected users - how many people will be impacted?
• Discoverability - how easy is it to discover the threat?
• Use Predefined answers

D
Damage Potential
• If a threat exploit occurs, how much damage will be
caused?
– 0 = Nothing
– 5 = Individual user data is compromised or affected.
– 10 = Complete system or data destruction

R
Reproducibility
• How easy is it to reproduce the threat exploit?
– 0 = Very hard or impossible, even for administrators of
the application.
– 5 = One or two steps required, may need to be an
authorized user.
– 10 = Just a web browser and the address bar is
sufficient, without authentication.

E
Exploitability
• What is needed to exploit this threat?
– 0 = Advanced programming and networking
knowledge, with custom or advanced attack tools.
– 5 = Malware exists on the Internet, or an exploit is
easily performed, using available attack tools.
– 10 = Just a web browser

A
Affected Users
• How many users will be affected?
– 0 = None
– 5 = Some users, but not all
– 10 = All users

D₂
Discoverability
• How easy is it to discover this threat?
– 0 = Very hard to impossible; requires source code or
administrative access.
– 5 = Can figure it out by guessing or by monitoring
network traces.
– 9 = Details of faults like this are already in the public
domain and can be easily discovered using a search
engine.
– 10 = The information is visible in the web browser
address bar or in a form.

DREAD Impact & Probability
• Damage Potential + Affected Users =Impact
• Reproducibility + Exploitability +
Discoverability = Probability.

STRIDE
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data
leak)
• Denial of service (D.o.S)
• Elevation of privilege

CIA Triad
• Confidentiality
• Integrity
• Availability

40
I
M
P
A
C
T
Probability
Low/Remote Moderate High/Certain
Minor
Moderate
Significant
Considerable
management
required
Must manage
and
monitor risks
Extensive
management
essential
Risks may be
worth accepting
with monitoring
Management
effort
worthwhile
Management
effort
required
Accept
risks
Accept, but
monitor risks
Manage and
monitor risks
Sample Frequency (Probability) Scale
1. Remote - 1 in 100 year event
2. Unlikely - 1 in 50-100 year event
3. Possible - 1 in 15-25 year event
4. Likely - 1 in 5-15 year event
5. Certain - 1 in 1-5 year event
Sample Impact (Losses) Scale
1. Low - Less than $250,000
2. Moderate - $250,000 - $1,000,000
3. Significant - $1,000,000 - $5,000,000
4. Serious - $5,000.000 - $25,000,000
5. Severe - Greater than $25,000,000
AN/NZS - ISO 31000 Risk Mapping Impact & Probability Relationship

Risk Decisions
• Accept
• Transfer
• Avoid
• Mitigate

Create an incident response plan (AICPA)
1. Use the risk register list
2. Either create an overarching plan as
guide to every thing on the list or a
plan for each
3. The plan should contain:
1. Who can invoke the plan
2. When to invoke the plan
3. Who does what
4. Alternate roles & responsibilities
5. How to do what
6. What is BAU
4. Don’t forget the post mortem for
lesson learned
You can’t run . . .
or do this !

Takeaways
1. Biggest threat is inside—that includes vendors
2. Costs of doing nothing > Costs of security
3. Employee training is low-hanging fruit
4. Vendor Risk Management (3PA) is CRITICAL
5. Know your risks and how you will address them
6. Continuous monitoring

Additional Resources
 Ponemon Institute
http://www.ponemon.org/
 Shared Assessments™
http://sharedassessments.org/about/
 OWASP Threat Risk Modeling
https://www.owasp.org/index.php/Thre
at_Risk_Modeling
 AOS Security Consulting
http://www.aos5.com/security/

Please Contact:
Your local AOS Account Manager
or
Larry Slobodzian, Consulting Sales Lead
Larry.Slobodzian@aos5.com 913-669-9285
Linkedin.com/in/larryslobodzian
For more information
on
AOS Security Consulting
• https://www.linkedin.com/in/larryslobodzian

Secure Iowa Oct 2016

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (12)

Similar a Secure Iowa Oct 2016

Similar a Secure Iowa Oct 2016 (20)

Secure Iowa Oct 2016

Notas del editor