Visit www.plusconsulting.com for more information. Organizations are losing the cyber-security battle and most don't know that it is happening (or choose to ignore it). The persistent threat environment means that you have had or will have a breach and may not know about it. Growth in data, applications features, and collaboration makes cyber-security a greater challenge. Complex, clever and continuous threats and security tools in isolation of a continuous security program only delay the inevitable.

1. Cyber-Security
Threats
Why we are losing the battle (and
probably don’t even know it!)
December 12th, 2013

2. “If you know the enemy and know yourself,
you need not fear the result of a hundred
battles. If you know yourself but not the
enemy, for every victory gained you will
also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in
every battle”
Sun Tzu, The Art of War

3. John Hudson








15 years designing security strategies
Business Process Engineer
Why cyber-security fails – a mission
CISO University of Pittsburgh 35,000+ users
Blocked over 100,000 attacks every day
Experienced Anonymous attacks
Bomb threats/Forensics investigations
Worked in distributed and closed environments

4. Plus Consulting
Cyber-Security Practice helps organizations:






Identify risk and control failures, based on their organization
Cyber-security frameworks
Pen-testing, vulnerability scanning, social engineering
Solve security problems (for example, doing business in highrisk countries)
Compliance readiness
We help organizations plan refine and Implement cybersecurity strategies

5. Premise
 Organizations are losing the cyber-security battle and
most don’t know that it is happening (or choose to
ignore it)
 The persistent threat environment means that:


You have had a breach and may or may not know it
You will have a breach and may or may not know it
 Growth in data, application features, and collaboration
makes cyber-security a greater challenge
 Security tools in isolation of a continuous security
program only delay the inevitable
 Attacks are complex, clever and continuous

6. Outline
 Current threat environment
 Organizational challenges
 Why “they” are winning
 Neutralizing “them” from winning

7. Threat Environment
The more things change,
the more they stay the same...
Alphonse Karr, 1849

8. Acceptance








Attacks are more targeted
Malware is more complex and multi-dimensional
Social engineering is an art
Hactivism is here to stay
Anti-forensics is now the norm
Cyber-attacks are becoming strategic
Nearly all attacks are external (98%)
Hacking tools for sale online (with better SDLC than
most developers)

9. Simple Targeted Attack









Open source intelligence – find entry points
Collect data and profile – website scraping
Build spoof sites – your brand, your people
Email campaign from a ‘known-source”
Phone calls to “known targets”
Scan for vulnerabilities
Exploit with malware or walk through the front door
Keep the door open
Harvest under the radar
5-10% return

10. But...
 Criminals are targeting organizations with sophisticated
attacks, but….
 79% of attacks are still targets of opportunity
 96% of attacks were not difficult
 85% of breaches took weeks to months to discover
(source: Verizon 2012 Data Breach Investigation Report)
 “it won’t happen to us – we are too small” is long gone!

11. We could now talk about the latest and
greatest zero day exploits, security
appliances, or regulations coming down the
pipeline all day long.................
but organizations are not dealing with the
basics...

12. Organizational Challenges

13. Big Data – Big Problem
5 Exabyte's
2013
every 10
minutes
5 Exabyte's
every 2 days
2003
Year 0
2011

14. Asset Value...
 Few organizations know:
 The value of their data
 The value of uptime
 The impact of its loss
 Or the value placed on it by others
 If you don’t know the value and loss impact – how
can you protect?
 Have disaster plans, but ignore the disaster of lost data
 At best, all data is treated as equal

15. The rules have changed...







Privacy is being challenged
Generational mindsets
BYOD/BYON
The Cloud (good or bad?)
Virtualization – paradigm change in deployment
Smartphone is your computer – what next?
Security budgets have not grown in ten years even
though the problem has exploded

16. Extension of Security Boundary =
More Points of Entry

17. Why “they” are winning

18. Organizations Are Abdicating Responsibility
 Boards and Executives do not own the problem




They are not asking the right questions
It is not part of the strategy
They do not drive down security posture
At best, it is seen as an IT problem at the tactical level
 CISO’s report to the wrong people (if they have one)

Potential career-ending decisions if doing job
 Security is not a technical issue


Technology is the output of security, not the input
But security is now a specialist subject

19. Organizations are Abdicating Responsibility
 Audits do not equal security



Checking boxes on flawed controls gives a false sense of
security
Compliance is not security – it has yet to stop an attack
Compliance is confusing and not backed
 The wrong people are held accountable

Breach = ex-CISO
 Policy manuals just kill more trees

20. Result
 No mandate to invest in the right security
 Little backing = no putting the head above the parapet
 Problems are hidden

We are going live tomorrow with ERP, but there's a security
issue – what do you do?
 Identified risk is only important if it does not stop the
operation
 CISOs jump from job to job
 Security staff feel undervalued
 Wrong money spent solving yesterday’s problems

21. So let’s Summarize...








Threats = more complex, faster, multi-dimensional
For most organizations, simple exploits will gain results
State-run attacks and Hactivism is becoming the norm
Organizations are using data in ways unimaginable 10 years
ago, and treat security in the same way
Organizations are not talking about the value of their assets
Security is seen as a low-level technical responsibility
Many Fortune 500 companies do not have a CISO
The biggest disaster an organization may ever face is a
breach

22. Neutralizing “Them”
from winning

23. It’s a Journey
 Until boards and executives own the problem, little will
change
 Appoint board oversight of security
 Identify the value of your assets
 Identify the loss impact of your assets
 Identify what can hurt you
 This forms the security problem

24. It’s a Journey
 Design a continuous security program around the
problem



Create choke-points
Back them
Audit the mitigation strategies
User Desktop
Tablet or Laptop
The Choke
Point
Multi factor Authentication
No Port 80
BI with Scrambling
Encryption
IPS/IDS
Secure Zone
Virtual Servers
Virtual Desktop

25. It’s a Journey
 Segregate Security reporting from IT
 Reward based upon security metrics, not IT metrics
 The board is responsible for security, people are
responsible for negligence
 Build the security response around what is important
 Worry less about the rest (not all assets are equal)
 If you can’t prevent it or flag it – don’t put it in your
security policies
 Acceptable use must have teeth

26. Quick takeaways
Ask this question when you get back to your organization...
If you received an email from a hacker saying we have got
your critical data – how would you know if they really do?
If you don’t know, you don’t have a
comprehensive security program

27. Quick takeaways
If you do nothing else, do these things:
 Application whitelisting
 Acceptable usage policy and mandatory awareness
training
 Business Impact Analysis and Risk and Control
assessment – owned by the board and presented
back to the board
 Love your security professionals 

28. Questions?
John Hudson
Security & Strategy Practice Director
Plus Consulting
John.Hudson@plusconsulting.com
412.206.0160