“Executive Staff Perspectives on Cyber Security”. Information Systems Security Association (ISSA) Central Florida Chapter & InfraGard William H. Miller, Jr. Founder & CEO, Sabal Systems, LLC Crowne Plaza Hotel, Orlando, FL September 15, 2011.
Security Issues Are Timeless
“Better be despised for too anxious apprehensions, than ruined by too confident security.” - Edmund Burke, Irish orator, philosopher, & politician (1729 - 1797)
“Security is mostly a superstition. It does not exist in nature.... Life is either a daring adventure or nothing.” - Helen Keller, The Open Door (1957)
“To err is human, but to really foul things up requires a computer.” - Farmers' Almanac, 1978
Cyber Headlines …………..
Sony recruits information security boss after hacking - Isabel Reynolds, Reuters, September 6, 2011
“(Reuters) - Sony Corp picked a former official at the U.S. Department of Homeland Security for the new post of chief information security officer, months after a massive hacking attack leaked information on 100 million user accounts on its games networks. Philip Reitinger, previously director of the U.S. National Cyber Security Center, will become senior vice president and will report to general counsel Nicole Seligman, the Japanese electronics conglomerate said on Tuesday. "Certainly the network issue was a catalyst for the appointment," a Sony spokesman said. "We are looking to bolster our network security even further."”
Hackers spied on 300,000 Iranians using fake Google certificate - Gregg Keizer, Computerworld, September 6, 2011
“About 300,000 Iranians had their Gmail accounts compromised and their messages read by hackers, according to a forensics firm that has investigated the theft of hundreds of digital certificates from a Dutch company. Although the report did not identify the hacker, or hackers, who may have spied on the Iranian users, security researchers have pointed to Iran's government, which has been linked to other attempts to intercept the communications of activists and protesters…….. Nearly all -- Fox-IT said 99% -- of those IP addresses originated in Iran. Investigators assumed that the google.com certificate was used primarily to spy on Iranians' Gmail accounts.”
Phone hacking: James Murdoch 'told of hacking email' - Ben Geoghegan, BBC News, September 6, 2011
“Former News of the World legal manager Tom Crone has told MPs he was "certain" he told James Murdoch about an email which indicated phone hacking at the paper went beyond one rogue reporter. Mr. Crone said the email was discussed and "it was the reason that we had to settle the case". In a previous hearing, News Corp bosses Rupert and James Murdoch said they were not told of an email.”
Notable ….. Quotable
More insiders snooping into health records, says survey - Greg Masters, August 31, 2011 - Breaches into protected health information (PHI) are on the rise, and staffers are responsible for more than a third of the intrusions, a new survey has found.
Alleged 'Anonymous 14' plead innocent to PayPal DDoS - Angela Moscaritolo, September 02, 2011 - Fourteen individuals believed to be part of the hacktivist group Anonymous plead not guilty in federal court in San Jose, Calif. on Thursday to charges of participating in an attack against PayPal.
Multifunction printers may threaten network security - TJD, GMA News, September 06, 2011 - Office workers, beware: the Internet-ready multifunction printer (MFP) may turn out to be the weakest link in your network’s security. In a talk at this summer’s DefCon 19 conference, researcher Deral Heiland said vulnerable devices include printers that can scan to a file, scan to email, and fax documents.
Over 43,000 Yale Faculty, Staff And Students Hacked - Ondrej Krehel, Business Insider, August 24, 2011 - The Ivy League school fell prey to Google hacking, also known as Google dorking, when cybercriminals use Google search functions to access data on the Internet. The practice is becoming more common. The latest victims: More than 43,000 Yale faculty, staff and students, both current and former as of 1999.
Dutch Hacking Case Escalates as Man Claims Responsibility for DigiNotar Breach - Staff Reporter, International Business Times, September 06, 2011 - A hacking scandal in the Netherlands has escalated, with Dutch government officials investigating whether a hacker who stole online security certificates also stole any sensitive information on Dutch citizens. Last week, DigiNotar, a government security contractor, announced that a hacker had stolen several SSL certificates, which are used to validate the authenticity of Web sites and thus to protect people from hackers impersonating legitimate sites.
Cyber Threat Status: “Red”
• Offshore resources are likely targeting your company IP today
• Origins of cyber attacks vary greatly (from crime syndicates, to national interest groups, to foreign agencies, to foreign military)
• Adversary’s objective is to short-cut R&D dollars …….. and time
• Data exfiltration is rarely intended to be highly visible
• Barriers to entry for our adversaries are extremely low
• Public is vaguely aware but largely ignorant of realities
• Attacks come in “gradations of sophistication”
• Cyber threats are of great concern to informed company management
Very Real Issues Confront All Sectors Today
“Sony’s PlayStation Network was halted for more than a week, disrupting 77 million PSN and Qriocity accounts. The company learned that hackers stole personal information about PSN users as well as more than 24 million Sony Online Entertainment user accounts. Stolen information included names, addresses, email addresses, birth dates and account credentials. The breach also included a database containing more than 12,000 non-U.S. credit and debit card numbers.”
Ref: SearchSecurity.com
But Still, Critics Abound
From Wikipedia: Concerned about human rights, the American Civil Liberties Union (ACLU) warned that there "is evidence that InfraGard may be closer to a corporate TIPS program, turning private-sector corporations — some of which may be in a position to observe the activities of millions of individual customers — into surrogate eyes and ears for the FBI".
Who’s Concerned Today?
• Government Agencies
• Government Contractors & Aerospace
• Chemical Industry/Oil & Gas
• Banking and Investment Houses
• Transportation Providers
• Power Generation & Distribution
• Network Carriers
• Other Forms of Utilities
• High Tech, IP-Generating Firms
• Healthcare Concerns
• Emerging eBusiness Enterprises
• Internet Savvy Companies
Referenced by DEPSECDEF William Lynn: Nasdaq, Google, Citibank, International Monetary Fund, Lockheed Martin, Oil & Gas
DoD DIB – Government Organized
DoD DIB = U.S. Department of Defense, Defense Industrial Base; Critical Infrastructure Protection
• Comprised of largest U.S. Defense contracting firms
• “Contractual Arrangement” with the Federal Government
• Focus on “sensitive but unclassified” data
• Both Classified & Unclassified components of the program
• Focused on sharing of critical information to thwart global threats
• U.S. National Interest is at stake
• DIB Cyber Pilot with Homeland Security
• Practices are leading to additional Federal Acquisition Guidelines
• Structural changes in core information flow have been suggested
• Committees formed to divide into manageable working groups
• Challenges:
  • International firms participating
  • Smaller company engagement
  • Motivate vs. Legislate
Security Policy Guidelines
Article by Gary McGraw and Ivan Arce, Nov 24, 2010 – “Software [In]security: Cyber Warmongering and Influence Peddling”
• Cyberspace has a completely different physics than any other domain. It is impossible to "take and hold" cyberspace. Cyberspace is a dynamical system that runs at super human speed.
• A good offense is NOT a good defense. Instead, a good defense is the ONLY defense. Throwing a better, more accurate rock in a glass house is still throwing a rock. Our systems are so permeated with problems that even an untrained child can exploit them.
• Divide and conquer will not work. Civilian, government, and military systems are so deeply entangled that they cannot be separated and protected distinctly. The nature of the entanglement is the people who interact with the systems.
• Cyber crime and cyber espionage are more important than cyber war. The (very) bad news is that shiny new cyber weaponry will be repurposed for crime and spycraft — reason enough to take pause before charging ahead with offense. The good news is that fixing the broken stuff will help simultaneously combat crime, war, and espionage.
• Public/private partnerships pander politically but they do no real good. As it turns out, security is not a game of ops centers, information sharing, and reacting when the broken stuff is exploited. Instead, it is about building our systems to be secure, resilient, survivable.
• No security is perfect and problems will happen. Even if a large portion of taxpayer money and collective know-how is dedicated to the task of building better, more secure systems, mistakes will still be made and systems will still be attacked and compromised. Cyber security policy must be built on the assumption that risk cannot be completely avoided, meaning that systems must continue to function even in sub-optimal conditions.
• If it sounds like BS or magic, it's probably not true.
Some Thoughts on Cyber “Good Guys and Bad Guys”
• Don’t confuse National Interest with Corporate Objectives
• Suppliers to the U.S. DoD are global today and have very complex entity structures and ownership models
• Our adversaries may have drastically different “value systems” and are not necessarily bad guys by the traditional definition
• Cyber theft is less of an issue of ethics, and more a matter of law and governmental preservation
• Offensive and Defensive Cyber Capabilities often grow in the same garden …………….
How Should We Think of National Security?
• How American are American Companies today?
• Commercial executives comply with regulations but shareholders demand return on investments
• When does national interest supersede company best interest?
• Most large companies are multinational in nature, with foreign born executive staff in many key roles
• Complex relationships exist with China and India, for example
• How different is exporting skilled jobs and process versus competitive information?
What are Some of Our Key Security Framework Components?
• Comprehensive Security Architecture
• Security Staffing Plan
• Incident Response Plans & Ready Teams
• Self Assessment Models
• Secure NOC & 7/24/365 ‘Eyes on Target’
• Rational Budgeting Models
• Industry Partnering Agreements
• Meaningful Metrics and KPIs
• Management Communications Plan
• Prioritized Strategy for Incremental Tool Investments
• Software Application Code Reviews
• “Best Practices” Communiqués to Employees
From the SANS Web Site …….
Application Vulnerabilities Exceed OS Vulnerabilities
During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most "popular" applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted.
[Figure 1: Number of Vulnerabilities in Network, OS and Applications (2009 data)]
Security Investment Evolution – Larger Firms
[Chart: security investment maturity for larger firms plotted against time, with years marked 2000, 2004, 2009, 2010, 2012, 2014 and 2015. Maturity stages: Reactive, Compliance, Proactive, Optimized. Milestones along the curve: undefined policies, procedures; SOX – initial control structure; informal policies, procedures; enterprise control framework; Security Advisory Group; DOD; measurement processes emerge; rationalized investment decision; continuous process improvements. Security investment rises from $XM to $YM to $ZM. Threat axis: Virus, Script Kiddies, Insider Threat, APTs, Nation State Attacks, True Cyber Warfare. Open question: new threats may require additional investments?]
Security Tools are Expensive and Burdensome ….
• DLP/DLM
• IPS/IDS
• Vulnerability Assessment/Pen Testing
• SEIM (Security Event Information Management)
• Two Factor Authentication
• Web Application Scanners
• Patching Capabilities, Ad-Nauseam
• SOC Capability
• Software Whitelisting
…. and only represent part of the solution today
What About Smaller Companies?
Smaller firms generally lack resources:
• Tight margins and stiff competition
• Lack of scale across investments
• Need “one of everything”
• Small, technical veneer support teams often lack depth
• Wanting for maturity and experienced leadership
• Tend to be more risk tolerant in general
What is your perception of IT support maturity across …. a $50M business, a $500M company, a $2B corporation, a $10+B enterprise?
Some Current Environmental Challenges in Cyber Space
• Not enough “Security Pros” to address the national need
• Offshore design & CM relationships continue to expand
• Security scales downward poorly to small companies
• Dichotomy between Federal and Commercial companies
• WikiLeaks era and the national mindset on data protection vs. openness
• Wireless, handheld device variants and networks
• Dramatic emergence of Cloud Computing
• Healthcare Online – EPR/EMR
• Zero-Day Vulnerability challenges
• Migration from HW to SW
• More Web Apps …..
Ten Outcomes That Keep CIOs Up At Night
• Threat of notifications by external customers due to breach
• Regulatory notifications to external customers due to breach
• Company embarrassment if confidential data becomes highly visible
• Loss of company-critical Intellectual Property (loss of competitive advantage via copying of ‘false’ products)
• Disruption to the business when widespread effects are apparent to the employee base
• Additional focus from auditors based upon disclosures
• Executive management frustration over disruptions
• Loss of IT organizational credibility
• Threat to U.S. National Interests
• SOX Reporting concerns
What Can, and What Can’t, a CIO, CTO, or CISO Control in Regards to IT Security?
Can Control:
• Existence of a working/adaptive security architecture
• Employment of knowledgeable personnel
• Minimally-acceptable set of deployed tools
• Rate of adoption of new IT operating environments
• Prioritized spend plan
• Comprehensive communications across the firm
• Atmosphere of vigilance amongst staff members
Cannot Control:
• Vectors of attack utilized by adversaries
• Immediate susceptibility to the latest techniques and malware technologies
• Emergence of new and vulnerable IT industry operating environments
• Software “deficiencies” and gaps in vendor-supplied products
• Unethical behavior of disgruntled employees
A Litany of Tough Executive Management Questions Persist
• Has our firm ever lost data or IP due to successful cyber attacks? What should we be doing differently?
• How would we know for sure if we had been had?
• What’s the right amount of money to spend on information security today at our company?
• What should we expect to measure to prove success?
• Who should our firm partner with, and trust, to achieve the most survivable posture?
• What are we doing to ensure that our employees do not become a further source of the problem?
• Can we guarantee that we are safe from major cyber compromises in the future?
Ambiguity is not popular in the Executive Suite
Behavioral Drivers for the Executive Staff - Mission of CEO, CFO, COO and Others -
• Maximize Shareholder Wealth
• Sustainable, Profitable Growth of the Firm
• Steady, Predictable Economic Results YOY
• Minimize Spending on G&A
• Maintain Positive Customer Relationships
• Maintain Compliance with BOD Directives
• Mitigate Various Forms of Risk
These Objectives Translate to …….
• Protecting the Brand at All Costs
• Careful Reinvestment in New Products and Services
• Penetrating New Markets (Adjacent & Geographic)
• Perspective that Overhead Costs are Evil
• Meet Minimum Standards for Compliance
• Ensure “No Surprises!”
Note that Security “Issues” Rarely Come with a Perceived Upside in the C-Suite
Executive $$ Investment Priorities
• New Product Development/R&D
• Sales Force/Sales Channel Optimization
• Brand Image and Advertising
• Cost Reduction Techniques – Gross Margins and OpEx
• Customer Service & Satisfaction Pursuits
• Community Relations
• Compliance Initiatives
[Chart: decreasing appetite for company spend, from $$$ down to $: Sarbanes Oxley, Security (Network or Physical), Business Resumption Planning, ERM]
C-Suite and Director Mindset
• There’s little to be gained by sharing information pertaining to company security challenges
• Learning of a breach via customer contact* would not result in a good outcome
• Even an ERP eventually settles out, when is this deficiency “going to be fixed”?
• Why is this so difficult to address when we already spend so much money annually?
• Who do we need to bring in to help?
• Is the current team part of the solution or part of the problem?
* Government-related business
Implications for the Security Professional
• Constant Pressure on CIO, CISO, and Chief of Security
• Facts must be readily available to tell the real story
• Metrics to show progress must be institutionalized*
• Executive “upward communications” must be a priority
• This is one of several current topics that will get Board-level visibility multiple times annually
• Warning: there may be some responsibilities that are “delegated downward” and there may be little real opportunity to discuss them openly
In the C-Suite, Security Concerns = FUD
* Offsets the inevitable ‘difficult days’
Important Cyber Security Discussion Questions
• How will smaller companies find and retain trained security personnel to protect the enterprise in the midst of extensive government hiring?
• How many cyber security tools can the average company afford to invest in, deploy, and subsequently manage?
• Can we successfully procure enterprise network protection (buy vs. build)?
• And then there’s the log data .......... how much is enough?
• As CIOs/CISOs, can we safely outsource applications and data from the Cloud? How can we be sure?
• How do we keep our Boards apprised of threat levels without panic?
• How do we effectively communicate with employees in this very noisy space?
Debate Over “How Much Does This Really Matter”?
• Have the outcomes of offensive cyber attacks proven to be materially beneficial in times of conflict?
• Since it is impractical to assume all 8,000+ DoD suppliers will “see the light”, what is the grayscale for cyber competencies?
• Assessments of real effectiveness of espionage
• Access to information never guarantees tactical superiority (ex. Stuxnet)
• How will long term relations with China influence this equation?
• When is “good enough” truly good enough?
Remember that we are principally considering non-classified information and the majority of exfiltrated info is metadata.
Some Additional Observations
• External Partners can, unwittingly, make you look bad:
  • Vulnerability Assessments
  • New Supplier Product Validations
• Agencies and Bureaus Relish the Finding of Weakness
• General Managers are familiar with “Risk vs. Reward” decisions, but security is hard to understand in this context
• In the Product Portfolio, some offerings succeed and some fail; security is measured by the weakest link
• Hiding vulnerabilities from the outside world is wise, but full disclosure is essential within top levels of the firm
And a Few Final Suggestions for Cyber Craftsmen
• Every technical advance in the war demands some accompanying good press
• Consider as ‘water in the bilge’ – some minor leakage is OK
• Educate the workforce mercilessly
• Educate the senior leadership on how to think about this problem
• Utilize these threats to illustrate organizational competency
[Diagram: Education, Investment and Architecture, with the sub-items Training, Awareness, Communications, Prompt, Proactive, Priorities, Comprehensive, Measurements, Dollars, People/Skills and Infrastructure]
Some Favorite Computational Quotes
“There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.” - C.A.R. Hoare
"Cracking the Italian codes was something you did at the pub over a beer. It was both relaxing and enjoyable..." — Peter Hilton, WW2 British Codebreaker
"Daddy, what does FORMATTING DRIVE C mean?"
And Lest We Ever Forget …..
"In theory, theory and practice are the same. In practice, they are not." — Albert Einstein