Postcards from the edge cyber-security risk management in an escalating threat environment
Threats are escalating at a near-exponential rate
• Nothing short of game-change innovation can stem this rising tide
• Seems everything changes, every day
• Pharming
• > 50% of all PCs compromised
• Application Attacks
• BotArmies/DDOS2
• Organized Cyber-crime Ecosystem
• Hacktivism
• Cyber Terrorism
• Phishing
• Identity Theft
• OS Hacking
• BotNets/DDOS
• Cyber Criminals
• Script Kiddies
The US reaction has been weak, with no civilian “cyber-czar” named at present
The new Cyber Command is still very young and does not yet have a base of operations. Needs a good home.
Public awareness is largely absent, driven by unconnected and one-off dramatic events. Many in the media lack a thorough understanding of the issues.
“Estonia Sending Cyber Defense Experts to Georgia” (Network World)
Most security technology providers have a narrow perspective of the cyber-security landscape
Unfortunately, the reality of the cyber-security landscape is somewhat larger
Summarizing the context
• Threats are escalating at an alarming rate
• Public policy has generally failed us
• Government action has been inadequate
• Media/public is at best confused about cyber threats
• Technology has provided little more than a band-aid
• Many believe cyber-criminals have almost mystical powers
Most cyber-security conventional wisdom attempts to model our cyber defenses on traditional defense-in-depth implementations
Carlsten Fortress, c. 1600s, Marstrand, Sweden
The digital warrior
Changing the game
A fundamental change in tactics
Principles of a resilient cyber defense
1. It’s too easy to be hard!
Where:
• 80%+ of all successful cyber-attacks exploit vulnerabilities in four categories; none require rocket science to fix
• Input validation, poor coding technique – business logic, authentication and access control, device hardening – patching, secure baselines
• Building in security is 60 times less expensive than bolting on later
  • Up-level security in SDLC
We must develop:
• Strong vulnerability management program
• Assessment and remediation of legacy code used in operating systems and applications
• Assessment and remediation of web site vulnerabilities
  • These will continue to be the most sought-after attack vectors by criminals to host links to phishing and identity theft code.
• Assessment and remediation of third-party code and widgets
  • An attractive attack vector
  • Demonstrated by the “Secret Crush” malware that posed as a Facebook widget to install itself on about 1 million PCs in late 2007 and early 2008
2. Be a really good first responder
Where:
• Complex systems fail complexly; it is not possible to anticipate all the failure modes
• Complexity provides both opportunity and hiding places for attackers
• Damping out complexity is impossible when coupled with change, growth and innovation
• Security failures are inevitable
We must develop:
• Robust incident management integrating all aspects of business (e.g. communications, development, legal)
• Security SME throughout the SDLC
• Deploy analytical tools to continually assess the security of development and the infrastructure
• Provide security training to development and infrastructure teams
3. Gracefully degrade
If:
• A successful attack is inevitable
Then we must develop:
• A thorough understanding of the business, key business assets and critical functionality
• Define defensible perimeters
• Expanded firewall and IPS footprint
• Develop an understanding of network choke-points
• Bandwidth allocation
• Dynamic re-configuration
3a. Diversity…Diversity…Diversity
Where:
• You can’t live without it!
• “Run from monoculture in the name of survivability” – Dan Geer
We must develop:
• Multiple tools for detection and analysis
• Multiple mitigation methods
• Segmentation for everything
• New thinking – situational awareness – attack simulation…
4. Treat the inside like the outside
Where:
• Every cyber criminal is our next-door neighbor
• We can never retreat to a safe neighborhood
We must develop:
• The ability to defend knowing the current threat profile, generally and specifically to us
• Encryption for everything moving in our networks
• Defensive applications coding
  • More important than ever with 3rd party software
5. It’s the data and the transactions
Where:
• Cyber criminals are attacking transaction streams
• Transaction attacks are extremely difficult to detect
We must develop:
• Protect data
• Protect the transactions
• Employee exfiltration blocking
6. Defense is guaranteed to be a losing strategy; play offense whenever possible
• May be averting a crisis, but not getting in front of the problem
7. Innovate…innovate…innovate
• Innovating for impact
• Incremental
• Sustaining core and context
• Radical
8. Know what is happening, know what happened
Where:
• Attacks are becoming much more subtle
• Attacks are using multiple channels
9. Continuously adapt the strategy – Be agile
If you are not moving forward you are falling behind…status quo is unacceptable
Nothing is stable
Surprise is constant
We work at a permanent, structural disadvantage compared to our attackers
Success Now and in the Future: We Are Vigilant and Mindful to the Potential Perils
“Remember – 90% of the putts that are short don’t go in.” – Yogi Berra