DEALING WITH A CYBER FUTURE THAT IS ALREADY HERE. Rob Clyde, CISM, ISACA International VP, Board Member April 2015

Transcription

1 DEALING WITH A CYBER FUTURE THAT IS ALREADY HERE Rob Clyde, CISM, ISACA International VP, Board Member April 2015

2 THE WORLD BECOMES INCREASINGLY MORE INTERCONNECTED 2 Source: Digital, Social and Mobile in 2015 report, wearesocial.sg

3 AGENDA Introduction Cloud, Social and Big Data Mobile and BYOD The Internet of Things Cyber Attack Trends ISACA and A Cyber Security Career Conclusion

4 Capability For Damage Ability To Protect CYBER. AND THREATS THEY VE EVOLVED Nation-States Cybercriminals Terrorists Hacktivists/ Vigilantes Commercial Enterprises Threat Sophistication Source: CloudStrike Inc., NACD Master Class Dec. 2014

5 CLOUD, SOCIAL, AND BIG DATA

6 CLOUD BENEFITS What benefits have you received from your cloud deployment? 6 4/14/2015 Source: Cloud Security Spotlight Report, Crowd Research Partners, LinkedIn Group Partner, Information Security, March 2015

7 HYBRID CLOUD INCREASINGLY PROMINENT Are you considering hybrid application delivery where application and data connectivity is necessary between public and private solutions? Use of public cloud for at least 20% of operations dropped from 18% in 2012 to 14% in /14/2015 Source: 2014 Open Data Center Alliance Cloud Adoption Report

8 WHAT LIMITS CLOUD ADOPTION? What factors are limiting your adoption of virtual/private, community and public clouds today? What to do? Encryption helps, but key management is critical Regulatory, sensitivity and privacy issues may require that some data is restricted to certain physical locations Restrict sensitive workloads (e.g., PCI) to trusted hardware and software server stack Only allow certain virtual servers to run on hardware in approved physical location Only allow certain virtual server data to be decrypted in approved physical location Cloud solutions require a combination of capabilities to achieve "defense in depth" and compliance readiness 8 4/14/2015 Source: 2014 Open Data Center Alliance Cloud Adoption Report

9 SOFTWARE DEFINED DATA CENTER (SDDC) Likely to leverage cloud, especially hybrid cloud Virtualization is (and will continue to be) a key enabler to SDDC Gives tremendous power and flexibility Quickly deploy and manage application environments However, there is also a dark side to this power 9 4/14/2015

10 SECURITY REMAINS #1 CLOUD CONCERN Top Security Concerns 10 4/14/2015 Source: Cloud Security Spotlight Report, Crowd Research Partners, LinkedIn Group Partner, Information Security, March 2015

11 DARK SIDE TO CLOUD AND SDDC INFRASTRUCTURE Infrastructure, especially cloud and virtual administrative access, is a target and concern Underlying virtual machines are just files that can be copied, moved or deleted (10s to 1000s at a time) Accidental mistakes or malicious damage have the ability to quickly impact an entire operation While audit logs may be detailed at the application and OS level, they often lack sufficient actionable data and granularity at the hypervisor level Compliance with many regulations and policies requires that virtual and cloud administrative access be controlled and monitored with sufficient audit logs at the hypervisor level Virtual Admins 11 4/14/2015 VM

12 EMPLOYEES USE OF SOCIAL MEDIA RISKS AND IMPACTS 12 4/14/2015 Source: Social Media: Business Benefits and Security, Governance and Assurance Perspectives, ISACA May 2010

13 LEVERAGE YOUR BIG DATA TO GET BIG INSIGHTS 90% of the data in the world today has been created in the last two years alone. 10% 65% of CIOs said determining how to get value from data was a big challenge Wall Street Journal Feb. 10, % Expectations for Big Data 2017 $53.4 billion 2013 $10.2 billion Source: Mushroom Networks, The Landscape of Big Data

14 BIG DATA CHALLENGES ACCORDING TO ISACA MEMBERS Which of the following do you believe is the biggest challenge posed by Big Data? (n = 1,589) 13% Large-volume data management and sorage Shared ownership with other departments 48% view security or compliance as biggest challenge Security 16% Compliance 18% 19% Lack of analytics capabilites or skills We are not facing any challenges Other 19% 3% 20% Security threats from outsiders Security threats from insiders 2% Compliance requirements Source: ISACA s Risk/Reward Barometer, 2014

15 MOBILE AND BYOD

16 MOBILE Mobile attacks will continue to grow rapidly as new technologies expand the attack surface and app store abuse goes unchecked. 5M+ Mobile Malware Samples 16 4/14/2015 Source: Intel Security 2015 Threat Predictions

17 BRING YOUR OWN DEVICE (BYOD) IS ALREADY HERE 54% allow at least some BYOD 17 4/14/2015 Source: ISACA s Risk/Reward Barometer, 2014

18 ISACA GUIDANCE FOR MOBILE 18 4/14/2015

19 THE INTERNET OF THINGS

20 THE SMAC STACK WILL ENABLE THE INTERNET OF THINGS The SMAC stack (Social, Mobile, Analytics/Big Data and Cloud) will power new applications that connect to things The next master architecture for enterprise IT, and its magnitude and importance. Source: Cognizant

21 COMPUTERS WILL OUTNUMBER HUMANS 10:1 IN /14/2015 Source: Cognizant

22 22

23 INTERNET OF THINGS (IOT) HP Test of 10 Popular IoT Devices (IP Cameras, smart meters, healthcare, fitness, SCADA, etc.) Gartner predicts 26 Billion IoT Devices by /14/2015 Source: 2014 HP Internet of Things Research Study

24 INTERNET OF THINGS THE END OF PRIVACY? Introducing more private information about ourselves Traditional Personally Identifying Information New IoT Personal Data What? Where? When? Why? Name Address Date of Birth SSN/Govt. ID Number Username GPS Location Heart rate Glucose level Weight Calories Exercise route Sleep Mood Surrounding Images Driving habits Travel route 24 4/14/2015

25 EVEN OUR EMOTIONS CAN BE TRACKED 25 4/14/2015 Source: Wall Street Journal, Jan. 28, 2015

26 INTERNET OF THINGS POTENTIAL SECURITY CONCERNS Tethering via Bluetooth LE to smart phone (might be sniffed) Transmission and storage of information in cloud (might be hacked) Sharing of information via social media (likely to become public) Man-in-the middle and redirect attacks (similar to mobile devices) 26 4/14/2015

27 APPLE WATCH SECURITY Uses Bluetooth or WiFi to tether to iphone for Cellular, GPS, etc. Relies on iphone and cloud for much of security Similar concerns as with other tethered wearables Consider visibility of messages on screen to others Apple Pay security (protection against theft of watch) Sensors can detect when watch is taken off wrist and put back on Use opt-in PIN so when taken off it has to be re-authenticated when put back on Payment only functions when on wrist and authenticated Underlying payment cards are stored and managed on cloud not on watch 27 4/14/2015

28 IOT RECOMMENDATIONS FOR USERS Use a screen lock or password to prevent unauthorized access to your device Do not reuse the same user name and password between different sites Use strong passwords Turn off Bluetooth when not required Be wary of sites and services asking for unnecessary or excessive information Be careful when using social sharing features Avoid sharing location details on social media Avoid apps and services that do not prominently display a privacy policy Read and understand the privacy policy Install app and OS updates when available Use a device-based security solution Use full device encryption if available 28 4/14/2015 Source: Symantec, How Safe is Your Quantified Self

29 IOT RECOMMENDATIONS FOR ORGANIZATIONS 56% of tested devices using OpenSSL had not been updated in over 50 months Cisco Annual Security Report 29 4/14/2015

30 CYBER ATTACK TRENDS

31 RECENT SPEAR PHISHING ATTACK (CEO CFO) From: Robert Clyde Sent: Wednesday, January 14, :11 AM Subject: Request Phishing prevalent annually* Nearly half of large Enterprises 20% of small companies Hello Alan, Hope your day is going well. I will need you to make a wire transfer for me today. What would you need to get it done? Thanks Robert A. Clyde If the attacker received a response, what might come next? What clues do you see that this is a phishing attack and not a legitimate ? *2014 Symantec Internet Security Threat Report

32 ACTUAL HEADER Delivered-To:... Return-Path: From: "Robert Clyde " X-Sender: Reply-To: "Robert Clyde " To: Subject: Request Date: Wed, 14 Jan :11: Mime-Version: 1.0

33 RANSOMWARE EXPANSION Ransomware is profitable Denying access to data 2 Million samples of Ransomware Grew by over 500% in 2014 Healthcare is an attractive target Individuals and organizations can defeat this with the proper backups However, cloud backups and storage are also being attacked Will Ransomware be applied to IOT? Home lockout? Car lockout? Pacemaker function? Source: Lancope, IBM Security, Intel/McAfee

34 TARGETED EXTORTIONWARE Extortionware (cyber blackmail) Much more targeted Unlike ransomware, data has been exfiltrated and analyzed Unless terms are met, attacker will disclose data broadly or to specific target Source: Lancope, Mashable

35 WHAT IS AN ADVANCED PERSISTENT THREAT? ADVANCED, STEALTHY AND CHAMELEON-LIKE in its adaptability No longer limited to attacks on government networks Commonplace and can happen to any enterprise Differentiated from typical attacks by repeated pursuit of objectives, adaptation to defenders and persistence Typical purpose is to extract information from systems this includes critical research, enterprise intellectual property or government information. 35 4/14/2015

36 THE APT LIFE CYCLE Sophisticated attackers tend to operate in a certain cycle and are extremely effective at attacking their targets 1 in 5 have experienced an APT attack 66% say it is likely or very likely that their organization will experience an APT attack Source: Report-2014_whp_Eng_0614.pdf 36 4/14/2015

37 ADAPTIVE ATTACK VECTORS The threat landscape will continue to evolve as attackers adapt new and innovative attack methods to existing or adaptive attack vectors while defenders deploy new defense strategies. 37 4/14/2015

38 METHODS FOR DEFENDING AGAINST THE APT We recommend that every enterprise implement all of the basic concepts since APT and other advanced, sophisticated attackers have such a high success rate Remember privileged accounts are likely targets Many enterprises implement some of the intermediatelevel concepts 38 4/14/2015

39 CONCLUSIONS The situation is only going to get more complex If you have IP, it s not a question of if, but when HUGE industry skills shortage This is not yesterday s security Have a plan and perfect it with experience over time ISACA effective controls and assurance are critical in this Digital Age!

40 QUESTIONS?

41 Rob Clyde Web Site: