Slide 1
Cyber Security: State of the Nation
Presented by: Joe LoBianco, CISSP

Slide 2
“There are only two types of companies: those that have been hacked and those that will be.”
Robert Mueller, FBI Director, 2012

Slide 3
The Threat Landscape Continues to Evolve
Which actors should I be worried about?
[Timeline chart of threat actors: Organized Crime, State-sponsored, Cyber Warfare, and an unknown “?” actor for 2016+. Source: Deloitte]

Slide 4
Threats… What is going on out there?
Progress works both ways…
[Diagram: Information Security Capabilities and Threat Actor Capabilities advance together]
Leading to advancements in…
- Attack Methods
- Sophistication/Organization of criminals
- Types of Targets (Perimeter to Highly Protected)
Attackers are continuing recent trends, mirroring macro technology trends

Slide 5
1. Attack Methods
Economics in action: “cheaper and better” lowers barrier to entry
[Chart: Cost falling, Quality rising]
- More commoditized. Attacks-as-a-Service: Malware, DDoS, Ransomware
- Malware is more sophisticated: evades detection
- More modular: mix and match attack tools
Increasing attack frequency and impact.
Can’t be sure who the enemy actually is anymore.

Slide 6
2. Attacker Sophistication
This is not just about Nation States.
Cheaper, better and more accessible attack methods are enabling all types of criminals by narrowing the sophistication gap.
[Chart: Level of Sophistication (Low to High) over Time, for Nation States, Organized Crime, and Thieves / Small-scale criminals]
A rising tide lifts all foes

Slide 7
3. Types of Targets
Thieves are using better capabilities to eye higher value targets
We’ve moved beyond worrying about “Smash and Grab”…
- via DDoS, Perimeter Web Systems, Customer Fraud (small loss per account)
…to worrying about high impact targets (customer, business)
- via internal systems compromise, APTs, Ransomware (destructive malware) targeting organizations

Slide 8
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Bruce Schneier, Cryptographer, Computer Security and Privacy Specialist

Slide 9
3. Types of Targets
People and process are now integral to successful attacks
Attacks target all dimensions of your organization…
- PEOPLE: Social engineering, Insider threats
- PROCESS: Learn your processes and supply chain to exploit weaknesses
- TECHNOLOGY: Exploit vulnerabilities, attack highly protected assets – not just perimeter targets

Slide 10
Challenges for Security Professionals
The bad guys only need to be successful once
Key Factors
- Usually measured by the strength of our mature, well-known controls (DDoS, AV, IPS, etc.)
- The people that evaluate us (e.g. regulators, auditors, etc.) are typically not evaluating the maturity of threat and risk-based programs
Key Questions
- Do we think these controls will protect us from the new attacks?
- Do we even know what controls we need to deal with the newest threats?
- How do we balance “hygiene” of old controls and implementation of improved controls?
The challenge is the same as always: Protect against both old and new attacks

Slide 11
Advice on Staying Ahead
Actions you can take today…
1. Threat Simulation
- Scenario-based continuous re-evaluation
- Table-top methods and real-world simulated attacks
- Simulations are not just for your CIRT, but effective as risk assessment and awareness exercises too
2. Intelligence in your processes
- External threat intelligence data
- Internal incident data
- Adapt your education and awareness as threats evolve
- To inform risk assessments
3. Educate the Board
- Senior level engagement goes to CEO and Board
- Security must be on their agenda (not optional!)
- Start with education and not metrics, and don’t tell them that everything is OK
Increasing your Information Security Capabilities

Slide 12
A Cyber-Resilient Organization
Balancing investment in several types of defenses
Too much focus in one area can leave you exposed on another…