
Postcards from the edge cyber-security risk management in an escalating threat environment


Presentation Transcript


  1. Postcards from the edge cyber-security risk management in an escalating threat environment

  2. Threats are escalating at a near-exponential rate
  • Nothing short of game-changing innovation can stem this rising tide
  • Seems everything changes, every day
  • Pharming
  • > 50% of all PCs compromised
  • Application attacks
  • BotArmies/DDOS2
  • Organized cyber-crime ecosystem
  • Hacktivism
  • Cyber terrorism
  • Phishing
  • Identity theft
  • OS hacking
  • BotNets/DDOS
  • Cyber criminals
  • Script kiddies

  3. The US reaction has been weak, with no civilian “cyber-czar” named at present

  4. The new Cyber Command is still very young and does not yet have a base of operations. It needs a good home.

  5. Public awareness is largely absent, driven by unconnected, one-off dramatic events. Many in the media lack a thorough understanding of the issues. “Estonia Sending Cyber Defense Experts to Georgia” – Network World

  6. Most security technology providers have a narrow perspective of the cyber-security landscape

  7. Unfortunately, the reality of the cyber-security landscape is somewhat larger

  8. Summarizing the context
  • Threats are escalating at an alarming rate
  • Public policy has generally failed us
  • Government action has been inadequate
  • Media/public is at best confused about cyber threats
  • Technology has provided little more than a band-aid
  • Many believe cyber-criminals have almost mystical powers

  9. Most cyber-security conventional wisdom attempts to model our cyber defenses on traditional defense-in-depth implementations. Carlsten Fortress, c. 1600s, Marstrand, Sweden

  10. The digital warrior: changing the game. A fundamental change in tactics. Principles of a resilient cyber defense

  11. 1. It’s too easy to be hard!
  Where:
  • 80%+ of all successful cyber-attacks exploit vulnerabilities in four categories; none require rocket science to fix
  • Input validation; poor coding technique – business logic; authentication and access control; device hardening – patching, secure baselines
  • Building in security is 60 times less expensive than bolting it on later
  • Up-level security in the SDLC
  We must develop:
  • A strong vulnerability management program
  • Assessment and remediation of legacy code used in operating systems and applications
  • Assessment and remediation of web site vulnerabilities
  • These will continue to be the attack vectors most sought after by criminals to host links to phishing and identity-theft code
  • Assessment and remediation of third-party code and widgets
  • An attractive attack vector
  • Demonstrated by the “Secret Crush” malware that posed as a Facebook widget to install itself on about 1 million PCs in late 2007 and early 2008

  12. 2. Be a really good first responder
  Where:
  • Complex systems fail complexly; it is not possible to anticipate all the failure modes
  • Complexity provides both opportunity and hiding places for attackers
  • Damping out complexity is impossible when coupled with change, growth and innovation
  • Security failures are inevitable
  We must develop:
  • Robust incident management integrating all aspects of the business (e.g. communications, development, legal)
  • Security SMEs throughout the SDLC
  • Analytical tools, deployed to continually assess the security of development and the infrastructure
  • Security training for development and infrastructure teams

  13. 3. Gracefully degrade
  If:
  • A successful attack is inevitable
  Then we must develop:
  • A thorough understanding of the business, key business assets and critical functionality
  • Defined, defensible perimeters
  • An expanded firewall and IPS footprint
  • A developed understanding of network choke-points
  • Bandwidth allocation
  • Dynamic re-configuration

  14. 3a. Diversity…Diversity…Diversity
  Where:
  • You can’t live without it!
  • “Run from monoculture in the name of survivability” – Dan Geer
  We must develop:
  • Multiple tools for detection and analysis
  • Multiple mitigation methods
  • Segmentation for everything
  • New thinking – situational awareness – attack simulation…

  15. 4. Treat the inside like the outside
  Where:
  • Every cyber criminal is our next-door neighbor
  • We can never retreat to a safe neighborhood
  We must develop:
  • The ability to defend knowing the current threat profile, both generally and specifically to us
  • Encryption for everything moving in our networks
  • Defensive application coding
  • More important than ever with third-party software

  16. 5. It’s the data and the transactions
  Where:
  • Cyber criminals are attacking transaction streams
  • Transaction attacks are extremely difficult to detect
  We must develop:
  • Protection for the data
  • Protection for the transactions
  • Employee exfiltration blocking

  17. 6. Defense is guaranteed to be a losing strategy; play offense whenever possible
  • We may be averting a crisis, but we are not getting in front of the problem

  18. 7. Innovate…innovate…innovate
  • Innovating for impact
  • Incremental
  • Sustaining core and context
  • Radical

  19. 8. Know what is happening, know what happened
  Where:
  • Attacks are becoming much more subtle
  • Attacks are using multiple channels

  20. 9. Continuously adapt the strategy – be agile
  If you are not moving forward you are falling behind… the status quo is unacceptable. Nothing is stable. Surprise is constant. We work at a permanent, structural disadvantage compared to our attackers.

  21. Success now and in the future: we are vigilant and mindful of the potential perils

  22. Remember – 90% of the putts that are short don’t go in. – Yogi Berra
