Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (20)
Semelhante a The State Of Information and Cyber Security in 2016
Semelhante a The State Of Information and Cyber Security in 2016 (20)
Último
Último (20)
The State Of Information and Cyber Security in 2016
- 1. 2016 Security: Are You Prepared?
- 2. 2 Shannon Glass Practice Director, Information Security and Compliance Brian Boyce Senior Leadership, Business Development Dustin Werden Practice Director, Project Management Services
- 3. 3 AfidenceIT Overview State Of Security Culture Of Awareness Why Should You Care? Shannon’s Top 10 Agenda
- 4. 4 AfidenceIT Services STRATEGY PROJECT MANAGEMENT IT SUPPORT SHAREPOINT SECURITY/COMPLIANCE NEW! CO-SOURCING
- 5. 5 AfidenceIT Differentiators Knowledge Transfer PeopleNo ContractsTruly Objective “To be recognized as the most trusted leader in business and technology.”
- 6. 6 Shannon Glass Practice Director, Information Security And Compliance • Certifications: PCIP, CPISM, MCPM • BS In Organizational Communication & Management • MBA 2016 • 15 Years Of IT, Information Security And Compliance • Security, Compliance, Outsourcing/Right Sourcing, Acquisition Integration, Program Management • Clients: Healthcare, Financial & Retail
- 7. 7 Dustin Werden Practice Director, Project Management Services • Certifications: MCITP, CISSP, PMP, Security+ • BA In IS & Management • MBA 2016 • 14 Years Of Enterprise & Large Scale IT Project Management Experience And Technology Deployment And Integration • Clients: Aerospace, Public Utilities, DoD, Manufacturing, Family Foundations.
- 8. State Of The Union? No, Just Security.
- 9. 9 State of the Security Industry 1. Protecting Assets 2. Emerging Technologies 3. Risk Framework http://idgknowledgehub.com/2015/10/23/2016-global-state-of-information-security-survey-research-results/ Playing Catch Up Leveraging Technology 1. Cloud 2. Big Data 3. Internet Of Things The Human Factor 1. Executive Oversight 2. Security Awareness 3. Increased Budget
- 10. 10 Changing Security Mindset Produces Results You Get Results 1. 49% Identify Risks 2. 47% Detect And Mitigate Quicker 3. 37% Know Gaps Threat Intelligence Cultural Changes 1. Collaboration 2. Actionable 3. Size Matters 1. Executive Sponsorship 2. Culture Awareness 3. Aligning Security, Risk And Business
- 11. 11 Effects Of Board Participation 40% 42% 36% 30% 25% 46% 45% 41% 37% 32% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% Security Budget 2014 2015 Security Policy Security Technology Review RisksOverall Strategy
- 12. 12 Dark Web Rising • Nation States • The Dark Web • Hacktivists
- 13. Creating A Culture Of Awareness
- 14. 14 Know the Marketplace 1. Security Spending ~ $80 Billion in 2015* 2. 47% Will Hire 1-10 Security Employees in 2016** 3. Security Awareness Training: - Must Be Measurable - Understand Your Audience - Train Based On Risk Tolerance *Gartner 2015 Report **www.cio.com December 17, 2015: The hottest security certifications, most in-demand skills.
- 15. 15 5 Questions Every CEO Should Ask 1. Business Impact Of Security? 2. Plan To Address Risks? 3. Using Industry Best Practices? 4. Velocity And Vectors For Security Incidents & Threats? 5. Do We Have An Incident Response Plan?
- 16. 16 Good vs. Bad Passwords Based on AD Accounts Length > Complexity Good Passwords Bad Passwords WhineyRunawayGiant201 password1234 2Blue-eyedPrimVictorians qwerty910 MaternalMatchboxElectrician8qazxsw8! MyKidsDontLetMeSleep! lKjuIo8# Bad because the keys are consecutive on a keyboard!
- 17. 17 Hacking By The Numbers Password Length U/L Case, Special, Alpha Numeric U/L Case, Alpha Numeric U/L Case Only Lowercase 6 1.67 Seconds 7 98 Seconds 8 52 Hours 93 Minutes 26 Minutes 6 Seconds 10 286 days 14 61 Years 16 45 Billion Years 41 Thousand Years Length Of Time It Takes To Crack A Password: Red = Bad Green = Good
- 18. 18 Trending Threat Vectors • Retail • Medical • Ransomware • Browser Plug Ins • Bootkits
- 19. Why You Should Care Everything Is Vulnerable Anything Can Be Hacked Because Security Is Everyone’s Responsibility Hackers Are Not Going To Stop, So Neither Can We
- 20. 20 Get Hacked in 10 Easy Steps! 1. Don't Patch Anything 2. Run Unhardened Applications 3. Log On Everywhere As “Domain Admin" 4. Open Lots Of Holes In The Firewall 5. Allow Unrestricted Internal Traffic 6. Allow All Outbound Traffic 7. Don't Harden Servers At All 8. Use Lame Passwords 9. Use Service Accounts In Multiple Places 10. Assume Everything Is OK Source: Jesper Johansson, 2004
- 21. 21 Shannon’s Top 10 1. Security Awareness Training 2. Malware Detection 3. Policy And Procedures 4. Patching And Vulnerabilities 5. Securing Cloud Infrastructure 6. Segment Your Network 7. Protect The Perimeter 8. Log, Monitor And Understand 9. Protect Your End Points: IoT 10. Continuous Compliance
- 22. 22 Best Practice Approach 1. Conduct A Security Assessment 2. Understand The Threat Landscape 3. Test And Scan Network 4. Use A Risk Based Approach 5. Follow A Control Framework 6. Build A Security Program 7. Continuous Compliance
- 23. Building On A Budget
- 24. Join The Conversation #LeadWithTrust 24 Twitter: @Afidence Facebook: /Afidence LinkedIn: /company/Afidence
- 26. 26 INFORMATION SECURITY & COMPLIANCE NEW FOR 2016!
- 27. 27 Resources • 1. Global IT Security Risks Survey. (2015). Retrieved December 17, 2015, from http://media.kaspersky.com/en/business- security/it-security-risks-survey-2015.pdf • 2. Moore, S. (2014, August 22). Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware. Retrieved December 17, 2015, from http://www.gartner.com/newsroom/id/2828722 • http://www.natlawreview.com/article/2016-data-breach-predictions-hackers-more-active-ever#sthash.jfXPPLZ8.dpuf • http://www.foxnews.com/tech/2016/01/09/3-biggest-security-threats-2016.html • http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ • http://searchenterprisedesktop.techtarget.com/news/1002600/Get-your-network-hacked-in-10-easy-steps • http://www.healthslide.com/simple-security-through-better-password-practices-2/
Notas do Editor
- BOYCE to speak to
- BOYCE
- Brian – can you speak here about a couple of customers we’ve helped so the audience can get an idea of our breadth and depth? Just some high level examples is all we need.
- Brian Boyce to speak to
- BOYCE to intro this
- BOYCE to intro this slide
- SHANNON
- Security is top 3 focus for 95% of CIO’s. Playing Catch Up - Protecting assets - Emerging trends are forcing businesses to embrace this risk, and connect security to their overall goals and objectives of growth - 91% of C-Suite in have adopted a risk-based cybersecurity framework – Most use NIST of ISO 27001 according to The Global State of Security Survey Why does using a Framework matter?? Because you GET MEASURABLE RESULTS. Leveraging Technology: Companies are making considerable investments in cloud-managed services to develop new network infrastructure capabilities 70% use cloud-based security services for: - cybersecurity tools for a broad range of critical services, real-time monitoring and analytics (56%), threat intelligence (47%), end-point protection (44%), advanced authentication (55%), identity and access management (48%) 51% of companies will employ big data analytics to model for and identify information security incidents. 45% are implementing or plan to implement IoT in the next 12 months. Sounds great- but is it? With an increased use of the IoT, it expands the attack surface for companies, which allows for greater exploits. Mobile devices, Embedded devices, operational systems and consumer technologies, more than doubled this year – from 34% in 2014 to 86% in 2015. Even with the increase in exploits, companies are bolstering the strategy to address these specific things. Turning the focus to the human side of security: - 73% of senior execs are actively communicating the importance of security - 38% improvement in security awareness posture overall , - 37% increased their budget to identify and communicate key risks Enterprise organizations continue to be more impacted by security incidents than SMBs. In the last 12 months: 9,156 is the average number of detected security incidents for large companies compared to 3,577 on average for SMB organizations.
- The Global State of Security Survey this year, (in it’s 18th year by PWC), includes responses from over 10,000 C- Suite members, VPs in 127 countries. You Get Results 32% communicating better 45% say data is more secure Threat Intel - 65% of respondents said they collaborate to improve security and reduce cyber risks (that’s significantly up from 50% in 2013.) - Collaboration allows for action and quicker access to information from industry peers, which allow companies to respond quicker to threats. - A common misnomer is that security threats differ by industry. They do not. Threats INCREASE based on a company’s size alone. Executive Involvement - 45% participate in the overall security strategy for their company. - This allowed companies to justify a 24% increase in budget - Helps to foster an organizational culture shift in security. I - Paving the way for companies to open the channels of communication and align Information Security, Risk and Business goals.
- More reasons to care…. Security Budget Overall Strategy Security Policy Security Technology Review of Risks Senior level involvement, works! Positive trends give us measurable information that the industry as a whole is catching on to the importance of Board level oversight. The lifts from 2014 to 2015 are relatively small, but as we continue to educate on the importance of Overall Security Awareness, I suspect you will see these numbers jump significantly in the next 3 yrs. But wait….it’s not all rainbow tables and bubble gum…
- NATION STATES A group of people who share the same history, traditions, or language that live in a particular area under one government. In 2016, we’ll continue to see nation-states move their conflicts and espionage efforts to the digital world, we will likely see more incidents aimed at stealing corporate and government secrets or disrupting military operations. – Office of Personnel Management One of the largest thefts of government data in June 2015. OPM was breached leaking 5.6 million fingerprints of current and former employees, and other personal information of 21.5 million individuals is reported to have been leaked as well.. Suspected the Chinese government played a role. HACKTIVISTS Resurging their activities to cause reputational damage to a company or cause in lieu of financial gain. (iPhone hack) Ashley Madison The controversial extramarital dating site was targeted specifically by cybercriminals on account of their moral disagreement with the site and its cancellation policies. The hackers made the information public revealing user names, hashed passwords for 33 million accounts; partial credit card data, street names, and phone numbers for huge numbers of users; records documenting 9.6 million transactions, and 36 million email addresses. Hacked by “Impact Team.” "Nobody was watching," Impact team told the publication. "No security. Only thing they had was a segmented network. You could use Pass1234 from the internet to VPN to root on all servers.“ The Dark Web The Real Deal - Their focus is private exploits, source code, DNM products and hardware. Agora – one of the better known on this slide. They’ve been around since 2013 with one of the better reputations on the deep web. They’re currently on ‘downtime’ upgrading their security. You must be referred to their site. Anonymous – most recently challenged ISIS Sony IRS Hotel chains StuxNet Outlaw - Outlaw is a relatively new market that is growing quite rapidly. They’re hot on security with features such as: PGP login, automatic message encryption and no internal wallets meaning that user’s funds cannot be stolen!
- We’ve talked about the State of Security, and the positive changes, but we also know the threats are still very real. SO WHAT NOW? Question: How many of you currently allocate budget to train your staff? ***USE MY LAST WORK EXAMPLE**** then contrast with ***THE OTHER COMPANY*** ***If anyone raises their hand, ask them to share their story ***If anyone doesn’t raise their hand, pick someone and ask, why not?
- While companies seek to hire, it’s becoming increasingly difficult to locate and hire knowledgeable and skilled Security staff. Large need for compliance and remediation services in the industry Medium and small businesses have increasing needs to stay compliant as fines for non- compliance are getting passed down
- Threshold for notifying leadership
- Chart above is based on AD accounts. 3 things can give you stronger passwords: 1. Length 2. Width 3. Depth Don’t use old passwords, personally identifiable words
- Even though the minimum recommended password is 8 characters, you will get far greater protection with a longer password.
- As retailers make it harder to compromise information due to the roll out of EMV, hackers will slowly move on to easier targets. In 2015, more than 100 million patient records were exposed, the majority coming from the Anthem Insurance hack early in the year. Ransomware encrypts your files so you can't open them without paying a ransom. It’s been a growing concern since a virus called CryptoLocker arrived at the end of 2013. Fortunately, it isn't all doom and gloom. Ransomware still needs you to install it. Avoid falling for phishing emails with malicious links or downloads Backing up your files regularly. People are spending more time browsing online, so they are becoming a hot focus for hackers. They look for vulnerabilities in your browser, lure you to a website and then release the virus in your system. Adobe Flash was the biggest victim in 2015. Bootkits area virus, which are incredibly hard to detect and remove and have started showing up in hacker toolkits. They are deployed through phishing attacks
- Jesper Johansson from Microsoft in 2004. Once a hacker is in your network, you have three options: 1. You can update your resume. 2. Hope the hacker does a good job running the network 3. Drain the network The latter is really your only option once they’re in.
- 1. Conduct a security risk assessment. Identify the scope of your systems and focus on where confidential and restricted information is stored, processed, or transmitted. 2. Understand the threat landscape and the vulnerabilities that can be exploited AND Estimate the impact of a vulnerability if it was exploited using a classification matrix to identify the level of impact. 4. Determine the risk using a risk matrix that identifies the likelihood of a threat, magnitude of impact, and adequacy of existing controls around the risk. Not everything must be fixed! 5. Identify controls or control framework that could reduce or eliminate the risk.
- If I’m a company of 500 people, what % should I spend on Security? How important are your trade secrets? What are you willing to do to protect it If your curious on how to do this, we will be sharing on our blog via articles and LinkedIn/Twitter. Encourage them to join the conversation @Twitter and Afidence.com. #LeadWithTrust