Shannon Glass, Practice Director from AfidenceIT talks about the State of Information and Cyber Security in 2016. She covers the importance of creating a culture of security awareness within an organization, threats to look out for on the landscape, and why you should care about protecting your data assets.
Shannon Glass
Practice Director, Information Security and Compliance
Brian Boyce
Senior Leadership, Business Development
Dustin Werden
Practice Director, Project Management Services
Shannon Glass
Practice Director, Information Security And Compliance
• Certifications: PCIP, CPISM, MCPM
• BS In Organizational Communication & Management
• MBA 2016
• 15 Years Of IT, Information Security And Compliance
• Security, Compliance, Outsourcing/Right Sourcing, Acquisition Integration, Program Management
• Clients: Healthcare, Financial & Retail
Dustin Werden
Practice Director, Project Management Services
• Certifications: MCITP, CISSP, PMP, Security+
• BA In IS & Management
• MBA 2016
• 14 Years Of Enterprise & Large Scale IT Project Management Experience And Technology Deployment And Integration
• Clients: Aerospace, Public Utilities, DoD, Manufacturing, Family Foundations
State of the Security Industry
Source: http://idgknowledgehub.com/2015/10/23/2016-global-state-of-information-security-survey-research-results/

Playing Catch Up
1. Protecting Assets
2. Emerging Technologies
3. Risk Framework

Leveraging Technology
1. Cloud
2. Big Data
3. Internet Of Things

The Human Factor
1. Executive Oversight
2. Security Awareness
3. Increased Budget
Changing Security Mindset Produces Results

You Get Results
1. 49% Identify Risks
2. 47% Detect And Mitigate Quicker
3. 37% Know Gaps

Threat Intelligence
1. Collaboration
2. Actionable
3. Size Matters

Cultural Changes
1. Executive Sponsorship
2. Culture Awareness
3. Aligning Security, Risk And Business
Know the Marketplace
1. Security Spending ~ $80 Billion in 2015*
2. 47% Will Hire 1-10 Security Employees in 2016**
3. Security Awareness Training:
- Must Be Measurable
- Understand Your Audience
- Train Based On Risk Tolerance
*Gartner 2015 Report
**www.cio.com December 17, 2015: The hottest security certifications, most in-demand skills.
5 Questions Every CEO Should Ask
1. What Is The Business Impact Of Security?
2. What Is The Plan To Address Risks?
3. Are We Using Industry Best Practices?
4. What Are The Velocity And Vectors For Security Incidents & Threats?
5. Do We Have An Incident Response Plan?
Good vs. Bad Passwords
Based on AD Accounts
Length > Complexity

Good Passwords                 Bad Passwords
WhineyRunawayGiant201          password1234
2Blue-eyedPrimVictorians       qwerty910
MaternalMatchboxElectrician    8qazxsw8!
MyKidsDontLetMeSleep!          lKjuIo8#

The last two "bad" passwords satisfy every complexity rule (upper and lower case, digits, special characters) but are still bad because the keys are consecutive on a keyboard: "qazxsw" and "lkjuio" are walks across the QWERTY layout, and cracking tools try such patterns early. The good passwords are long, made of words that are not a single dictionary entry, and easy for their owner to remember.
Hacking By The Numbers
Length Of Time It Takes To Crack A Password (on the original slide: red = bad, green = good; cells the slide left empty are empty here):

Password   Upper/Lower Case,       Upper/Lower Case,   Upper/Lower Case   Lowercase
Length     Special, Alphanumeric   Alphanumeric        Only               Only
6                                  1.67 seconds
7                                  98 seconds
8          52 hours                93 minutes          26 minutes         6 seconds
10                                 286 days
14                                                                        61 years
16                                 45 billion years                       41 thousand years
Why You Should Care
Everything Is Vulnerable
Anything Can Be Hacked
Because Security Is Everyone’s Responsibility
Hackers Are Not Going To Stop, So Neither Can We
Get Hacked in 10 Easy Steps!
1. Don't Patch Anything
2. Run Unhardened Applications
3. Log On Everywhere As "Domain Admin"
4. Open Lots Of Holes In The Firewall
5. Allow Unrestricted Internal Traffic
6. Allow All Outbound Traffic
7. Don't Harden Servers At All
8. Use Lame Passwords
9. Use Service Accounts In Multiple Places
10. Assume Everything Is OK
Source: Jesper Johansson, 2004
Shannon’s Top 10
1. Security Awareness Training
2. Malware Detection
3. Policy And Procedures
4. Patching And Vulnerabilities
5. Securing Cloud Infrastructure
6. Segment Your Network
7. Protect The Perimeter
8. Log, Monitor And Understand
9. Protect Your End Points: IoT
10. Continuous Compliance
Best Practice Approach
1. Conduct A Security Assessment
2. Understand The Threat Landscape
3. Test And Scan Network
4. Use A Risk Based Approach
5. Follow A Control Framework
6. Build A Security Program
7. Continuous Compliance
Resources
• Global IT Security Risks Survey. (2015). Retrieved December 17, 2015, from http://media.kaspersky.com/en/business-security/it-security-risks-survey-2015.pdf
• Moore, S. (2014, August 22). Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware. Retrieved December 17, 2015, from http://www.gartner.com/newsroom/id/2828722
• http://www.natlawreview.com/article/2016-data-breach-predictions-hackers-more-active-ever#sthash.jfXPPLZ8.dpuf
• http://www.foxnews.com/tech/2016/01/09/3-biggest-security-threats-2016.html
• http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
• http://searchenterprisedesktop.techtarget.com/news/1002600/Get-your-network-hacked-in-10-easy-steps
• http://www.healthslide.com/simple-security-through-better-password-practices-2/
Speaker Notes
BOYCE to speak to
BOYCE
Brian – can you speak here about a couple of customers we’ve helped so the audience can get an idea of our breadth and depth? Just some high level examples is all we need.
Brian Boyce to speak to
BOYCE to intro this
BOYCE to intro this slide
SHANNON
Security is a top-3 focus for 95% of CIOs.
Playing Catch Up
- Protecting assets
- Emerging trends are forcing businesses to embrace this risk and to connect security to their overall goals and objectives for growth
- 91% of C-suite respondents have adopted a risk-based cybersecurity framework; most use NIST or ISO 27001, according to The Global State of Information Security Survey
Why does using a framework matter? Because you GET MEASURABLE RESULTS.
Leveraging Technology:
Companies are making considerable investments in cloud-managed services to develop new network infrastructure capabilities.
70% use cloud-based security services, covering cybersecurity tools for a broad range of critical services:
- real-time monitoring and analytics (56%)
- threat intelligence (47%)
- end-point protection (44%)
- advanced authentication (55%)
- identity and access management (48%)
51% of companies will employ big data analytics to model for and identify information security incidents.
45% are implementing or plan to implement IoT in the next 12 months.
Sounds great, but is it? Increased use of IoT expands a company's attack surface, which gives attackers more to exploit. Reported exploits of mobile devices, embedded devices, operational systems and consumer technologies more than doubled this year, from 34% in 2014 to 86% in 2015.
Even with the increase in exploits, companies are bolstering their strategies to address these specific areas.
Turning the focus to the human side of security:
- 73% of senior execs are actively communicating the importance of security
- 38% improvement in security awareness posture overall
- 37% increased their budget to identify and communicate key risks
Enterprise organizations continue to be more impacted by security incidents than SMBs.
In the last 12 months, large companies detected 9,156 security incidents on average, compared with 3,577 on average for SMB organizations.
The Global State of Information Security Survey (in its 18th year, run by PwC) includes responses from over 10,000 C-suite members and VPs in 127 countries.
You Get Results
- 32% are communicating better
- 45% say data is more secure
Threat Intel
- 65% of respondents said they collaborate to improve security and reduce cyber risks (significantly up from 50% in 2013).
- Collaboration allows for action and quicker access to information from industry peers, which lets companies respond to threats faster.
- A common misconception is that security threats differ by industry. They do not. Threats INCREASE based on a company's size alone.
Executive Involvement
- 45% participate in the overall security strategy for their company.
- This allowed companies to justify a 24% increase in budget.
- It helps to foster an organizational culture shift in security.
- It paves the way for companies to open channels of communication and align information security, risk and business goals.
More reasons to care….
Security Budget
Overall Strategy
Security Policy
Security Technology
Review of Risks
Senior-level involvement works! Positive trends give us measurable evidence that the industry as a whole is catching on to the importance of board-level oversight. The lifts from 2014 to 2015 are relatively small, but as we continue to educate on the importance of overall security awareness, I suspect you will see these numbers jump significantly in the next 3 years.
But wait….it’s not all rainbow tables and bubble gum…
NATION STATES
A nation-state is a group of people who share the same history, traditions or language and live in a particular area under one government. In 2016 we will continue to see nation-states move their conflicts and espionage efforts to the digital world; we will likely see more incidents aimed at stealing corporate and government secrets or disrupting military operations.
Office of Personnel Management
One of the largest thefts of government data, in June 2015. The OPM breach leaked 5.6 million fingerprints of current and former employees, and other personal information of 21.5 million individuals is reported to have been leaked as well. The Chinese government is suspected of playing a role.
HACKTIVISTS
Resurging their activities to cause reputational damage to a company or cause, rather than for financial gain. (iPhone hack)
Ashley Madison
The controversial extramarital dating site was targeted specifically by attackers on account of their moral disagreement with the site and its cancellation policies. The hackers made the information public, revealing user names and hashed passwords for 33 million accounts; partial credit card data, street names and phone numbers for huge numbers of users; records documenting 9.6 million transactions; and 36 million email addresses.
Hacked by "Impact Team."
"Nobody was watching," Impact Team told the publication. "No security. Only thing they had was a segmented network. You could use Pass1234 from the internet to VPN to root on all servers."
The Dark Web
The Real Deal: their focus is private exploits, source code, darknet market (DNM) products and hardware.
Agora: one of the better known markets on this slide. They have been around since 2013 with one of the better reputations on the deep web. They are currently on "downtime" upgrading their security. You must be referred to their site.
Anonymous – most recently challenged ISIS
Sony
IRS
Hotel chains
Stuxnet
Outlaw: a relatively new market that is growing quite rapidly. They are hot on security, with features such as PGP login, automatic message encryption and no internal wallets, meaning the market never holds users' funds and so cannot lose them to theft.
We’ve talked about the State of Security, and the positive changes, but we also know the threats are still very real. SO WHAT NOW?
Question: How many of you currently allocate budget to train your staff?
***USE MY LAST WORK EXAMPLE**** then contrast with ***THE OTHER COMPANY***
***If anyone raises their hand, ask them to share their story
***If anyone doesn’t raise their hand, pick someone and ask, why not?
While companies seek to hire, it is becoming increasingly difficult to locate and hire knowledgeable and skilled security staff.
Large need for compliance and remediation services in the industry
Medium and small businesses have increasing needs to stay compliant as fines for non-compliance are getting passed down
Threshold for notifying leadership
The chart above is based on AD accounts.
Three things give you stronger passwords:
1. Length (more characters)
2. Width (more character classes: upper and lower case, digits, special characters)
3. Depth (unpredictability: not a dictionary word, a personal detail or a keyboard pattern)
Don't reuse old passwords or use personally identifiable words.
Even though the minimum recommended password length is 8 characters, you will get far greater protection with a longer password.
As retailers make card data harder to compromise with the roll-out of EMV, hackers will slowly move on to easier targets.
In 2015, more than 100 million patient records were exposed, the majority coming from the Anthem Insurance hack early in the year.
Ransomware encrypts your files so you can't open them without paying a ransom. It has been a growing concern since a virus called CryptoLocker arrived at the end of 2013.
Fortunately, it isn't all doom and gloom. Ransomware still needs you to run it:
- Avoid falling for phishing emails with malicious links or downloads.
- Back up your files regularly, so an encrypted disk is a restore, not a ransom.
People are spending more time browsing online, so browsers have become a hot focus for hackers. They look for vulnerabilities in your browser, lure you to a website and then drop the malware on your system. Adobe Flash was the most exploited target in 2015.
Bootkits are malware that infects the boot process; they are incredibly hard to detect and remove and have started showing up in hacker toolkits. They are deployed through phishing attacks.
Jesper Johansson of Microsoft, 2004.
Once a hacker is in your network, you have three options:
1. Update your resume.
2. Hope the hacker does a good job running the network.
3. Drain the network.
The last is really your only option once they are in.
1. Conduct a security risk assessment. Identify the scope of your systems and focus on where confidential and restricted information is stored, processed or transmitted.
2. Understand the threat landscape and the vulnerabilities that can be exploited, and estimate the impact of each vulnerability if it were exploited, using a classification matrix to identify the level of impact.
4. Determine the risk using a risk matrix that combines the likelihood of a threat, the magnitude of impact and the adequacy of existing controls around the risk. Not everything must be fixed!
5. Identify controls or a control framework that could reduce or eliminate the risk.
If I'm a company of 500 people, what % should I spend on security?
How important are your trade secrets?
What are you willing to do to protect them?
If you're curious how to do this, we will be sharing articles on our blog and via LinkedIn/Twitter. Encourage them to join the conversation on Twitter and at Afidence.com. #LeadWithTrust