My half of a tag team presentation for the Edmonton, Alberta, Canada ISACA chapter with renderman (http://www.renderlab.net), dealing with what is wrong with information security today. I, of course, was the suit. It looks like SlideShare bungled some of my slides. Click the download link to get the PowerPoint version.

1. hackers
vs suits
what's wrong with security
today?

2. agenda
the suit
the hacker
questions?

3. the suit
http://www.flickr.com/photos/23912576@N05/

4. experimen
t
“playing card data loss”

5. T1: Sleight of hand T4: The pair is together
C1: Don't let the attacker handle C4: Deal into two piles
the cards
T5: If the location of one card is
T2: Marked cards known in one pack, the other card
C2: Keep the attacker at a will be in a similar location in the
distance where he cannot see other pack
small marks C5: Mix both packs
T3: The approximate location of
the pair is known
C3: Cut deck while attacker is not
looking
countermeasure

6. T1: Sleight of hand
C1: Don't let the attacker
handle the cards
T2: Marked cards
C2: Keep the attacker at a
distance where he cannot see
small marks
T3: The approximate location of
the pair is known
C3: Cut deck while attacker is
not looking
T4: The pair is together
C4: Deal into two piles
T5: If the location of one card is
known in one pack, the other
card will be in a similar location
in the other pack
C5: Mix both packs
Model Source: taosecurity.blogspot.com

7. an
experimen
(unfortunately)
t

8. 3 March 2011: A brief phishing attack began which targeted
RSA staff with no unusual privileges
6 April 2011, US defense contractors Lockheed Martin and L-
3 had been attacked via cloned RSA SecurIDs
6 June 2011, RSA partially admitted that something bad had
happened in March and offered to replace current customers'
SecurIDs at no cost
Sources
• http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/
• http://blogs.rsa.com/rivner/anatomy-of-an-attack/
• http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/
• http://www.wired.com/threatlevel/2011/05/l-3/
• http://www.rsa.com/node.aspx?id=3891

9. T1: Direct attacks from Internet T4: Malicious activity may go
C1: State of the art perimeter unnoticed
defenses C4: State of the art monitoring
T2: User authentication attacks T5: Sensitive data could exit the
against Internet exposed services network
C2: State of the art authentication C5: State of the art data loss
controls prevention (DLP) technology
T3: Malware T6: Social engineering
C3: State of the art end-point C6: State of the art security
controls awareness program
countermeasure

10. T1: Direct attacks from Internet
C1: State of the art perimeter
defenses
T2: User authentication attacks
against Internet exposed
services
C2: State of the art
authentication controls
T3: Malware
C3: State of the art end-point
controls
T4: Malicious activity may go
unnoticed
C4: State of the art monitoring
T5: Sensitive data could exit
the network
C5: State of the art data loss
prevention (DLP) technology
T6: Social engineering
C6: State of the art security
awareness program
Model Source: taosecurity.blogspot.com

11. http://blogs.rsa.com/rivner/anatomy-of-an-
“Recently the UK payment council
announced that in 2010 online banking
fraud declined 22%, despite phishing levels
increasing 21%. This is turning the tide. It
took the financial sector 7 years to build
a new defense doctrine against social
engineering attacks like Phishing and
Trojans. I was part of this gargantuan
effort, and I think we’ve learned a thing or
two that can help us build a new defense
doctrine against APTs much faster. Already
we’re learning fast, and every organization
hit by an APT is much more prepared
against the next one; I’m confident it will
take us far less than 7 years to say we’ve
turned the tide on APTs.”

12. good idea
but...

13. new threats
our current approach
Identifying and cataloging new threats
Standardizing countermeasures
Adding these to vendor product lines
When will we see the first APT-no-more product from a major
vendor?
Entrenching into the standards canon

14. All too often we only change our defensive doctrine
when:
• We get hit badly
• Compliance standards change
• When new products become available
• When the new fiscal cycle starts
The attackers we face change their offensive doctrine
much more frequently
we are too slow to adapt

15. John Boyd (1927-1997)
a.k.a
Forty Second Boyd
.:
Genghis John
The Mad Major
The Ghetto Colonel
Photo credit: Wikipedia

16. The adversaries that we
are defending against are
continually producing Boyd
novelty (there will be
something else after APT)
“Now, in order to thrive and
novelt
on
grow in such a world we
must match our thinking
and doing, hence our
orientation, with that
y
emerging novelty”
Winning in inherently
dynamic environments
involves running through
flexible decision making
cycles faster than your

17. All major advances in science and
engineering were born of the
you are realization that current models -
here or orientations, in Boyd's terms -
were mismatched with reality
our challenge
How can we gain the ability to traverse the
observe, orient, decide, act cycle as rapidly or more rapidly than our
opponents?
a possible answer?
We need to change our information security doctrine from compliance
and product-centred to innovation and human-centred

18. Chris Hammond-Thrasher
CISSP
Associate Director, Consulting
Security, Privacy and Compliance
Founder, Fujitsu Edmonton Security Lab
FUJITSU CANADA
chris.hammond-thrasher@ca.fujitsu.com
7809178426