What We Can Learn from Other s Cybersecurity Failures. Keith Price BBus, MSc, CGEIT, CISM, CISSP

Transcription

1 What We Can Learn from Other s Cybersecurity Failures Keith Price BBus, MSc, CGEIT, CISM, CISSP 1

2 Agenda A (very) brief modern history of cyber Scale of the cyber problem Clarifying cyber risk through attackers, vulnerabilities, & consequences Thoughts about cybersecurity Cybersecurity assessment 2

3 Origins of cyber Cybernetics is a book written by mathematician Norbert Wiener in The cyberpunk movement emerged in the 1980 s with these examples: Movie based on Philip K. Dick s novel Do Androids Dream of Electric Sheep (1968) The title Blade Runner is taken from a science fiction novella by William S. Burroughs (1979) Images: Google Images Introduces the phrase cyberspace 3

4 Cyborg Cybernetic Organism Images: Google Images 4

5 Images: Google Images 5

6 What do we mean by cybersecurity Cyber is derived from cybernetics, the study of communication and control systems in living beings and machines. Cyber can be added to (almost) any word to create an Internet reference (cybersecurity, cyberspace, cybercrime, cybersex, cyberwar, cyberart, cyberati, cyberbludging, cyberboarding, cyberbegging ). Cybersecurity has emerged as a single catch-all word meaning trying to stop cyber bad guys attacking your IT systems to steal information. Image: Google Images 6

7 Scale of the problem Image: Google Images 7

8 What creates a cyber risk? Risk = ƒ (threat, vulnerabilities, consequences) Attacker Intent Attacker Capability Inherent Operationally Introduced Recoverable Fatal Deter Disrupt Degrade Deceive Delay Divert Prevent Deny Detect Defend Contain Discard Shorten Recover Informed from US Department of Defense 8

9 Cyberattackers Risk = ƒ (threat, vulnerabilities, consequences) Attacker Intent Attacker Capability Inherent Operationally Introduced Recoverable Fatal Deter Disrupt Degrade Deceive Delay Divert Prevent Deny Detect Defend Contain Discard Shorten Recover Responding to today s cyberattacks requires understanding your attackers through counterintelligence 9

10 Cyberattackers Organised cybercriminals Hacker entrepreneurs Employee unintentional Employee malicious Nation-states Radical activists 3 rd party provider unintentional For each threat agent, analyse: Motivation Capability Assets of interest Vulnerabilities to exploit Likelihood of attempt Likelihood of exploit Existing controls Consequences Image: Google Images Actor Cybercriminals Hacktivists Nation states Insiders Motivation Money Intellectual Property Social, Political, and Environmental Geopolitical Malicious and Accidental 10

11 Cyberattacker threat assessment Source: Keith Price 11

12 Vulnerabilities Risk = ƒ (threat, vulnerabilities, consequences) Attacker Intent Attacker Capability Inherent Operationally Introduced Recoverable Fatal Deter Disrupt Degrade Deceive Delay Divert Prevent Deny Detect Defend Contain Discard Shorten Recover The primary cybersecurity weaknesses are technology & people vulnerabilities 12

13 Where we re vulnerable Zero Day Vulnerabilities 13

14 Where we re vulnerable Source: Verizon 2016 Data Breach Investigations Report 14

15 Consequences Source: Forrester - Vulnerability Management Trends In APAC, May16 15

16 Image: Google Images 16

17 Image: Google Images 17

18 Image: Google Images 18

19 Source: General Motors Corporation for a People magazine ad "If I had an hour to solve a problem, I'd spend 55 minutes thinking about the problem and 5 minutes thinking about solutions - Albert Einstein

20 The cyber risk problem Senior management thinks it s an IT problem Every company is under constant attack, certainly by chance, other times a direct target. We are predictable because they know human weaknesses and the technologies we use. Offence is easier and less expensive than defence. Offence just has to get lucky once. Defence must be lucky always. We are not the cat! Leadership is the single most important factor in cybersecurity protection (knowing your current cyber risk is 2 nd ). Image: Google Images 20

21 Cyber risk is a board risk Cyberattack 100,000 customers left and a financial loss of 60M 29% of Australian CEOs indicated that information security is the risk they are most concerned about Source: KPMP

22 Where to start 22

23 Benefits of security frameworks Source: PWC Global State of Information Security Survey

24 Cybersecurity protection lifecycle Five functions: 1. Identifying data, systems, services, and risk strategy 2. Protecting information and systems to ensure delivery of mission critical services. 3. Detecting a cybersecurity event 4. Responding to a cybersecurity event 5. Maintaining resilience and recovering quickly to restore the services Source: US NIST Cybersecurity Framework, 24

25 Cybersecurity assessment Source: US NIST Cybersecurity Framework, 25

26 Cybersecurity assessment 26

27 Cybersecurity assessment 27

28 Cybersecurity assessment 28

29 Cybersecurity assessment 29

30 Cybersecurity assessment 30

31 Security Through Obscurity Least Privilege Defence in Depth Simplicity Diversity of Defence Fail-safe Stance Security Strategies Systems Segmentation Weakest Link Dedicated Functionality Hardening Choke Point Universal Participation Source: Keith Price 31

32 Security architecture & the cyber kill chain Security Zone Model External to company Internal to company Secure Administration DMZ Business Logic Secure Data Storage Internal Users and Systems Dev/Test/ PoC External Controlled (business partners) Business Logic Secure Data Storage DMZ for Service Presentation External Uncontrolled (Internet and wireless) Internal Users and Systems Dev/Test/ PoC Denotes security device(s) Increased trust into company Source: Keith Price Cyber Kill Chain Source: E&Y/ISACA Responding-to-Targeted-Cyberattacks 2013.pdf 32

33 Insider threat Source: Trustwave Security Survival ebook Jun16 Insider motive Source: Cybercrime infographic CSO Magazine May16 % of breaches by threat actor Source: Verizon Data Breach Investigations Report 2016 Source: Verizon Data Breach Investigations Report

34 Why cybersecurity fails Senior management views it as an IT problem A comprehensive enterprisewide framework is not used Inadequate enterprise security architecture Inadequate staff training Image: Google Images X X X X 34

35 Advice Accept that your organisation is a target. Because every organisation is a target. Accept that there are no trivial systems in your network. Attackers will exploit any opening to break in, then move laterally compromising other systems & applications. Accept that it s not possible to protect everything. Identify & protect your most critical information and systems. Accept that cyberattackers & malware are going to get in. Advise your management to focus resources on detecting and responding to attacks as early as possible to minimise the damage. 35

36 Advice Use a cybersecurity assessment to inform which controls are needed to provide the greatest cyber risk reduction. Protect the rest of your network from compromised desktops, laptops, and Internet-facing web services by segmenting the network. Offense informs defence: Use knowledge of actual attacks to continually improve your cyber defences. Key takeaway: cyber risk management is NOT an IT problem 36

37 37