ALL- Emerging Threat Vectors - 2.2 mhd02f9c3b.netsolhost.com/.../uploads/Emerging-Threat-Vectors...Davis.pdf

Page 1:

www.commnexus.org

Page 2:

Upcoming MarketLink Technology Requirements:

March 13 – 14, 2012

• Mobility
• E-Health
• Security
• Social media for enterprises
• Video, Conferencing, Virtual Reality / Augmented Reality

Accepting applications now until February 24, 2012

(For a full list with details, please visit www.commnexus.org) Apply at www.CommNexus.org

Page 3:

THANKS TO OUR SIG CO-CHAIRS!

Bill Unrue, CEO, Anonymizer

Matt Stamper, Vice President of Services, redIT

Bruce Roberts, Senior Vice President of Security Programs, Cubic Corporation

In Loving Memory of MILES HALE
Formerly: Principal Systems Engineer, SAIC, and devoted SIG Co-Chair

Page 4:

THANKS TO OUR HOST & SPONSOR!

Page 5:

Emerging threat vectors to cyber security, et al

(where common protections are needed for ALL)

CommNexus SD, Feb 1, 2012

Mike Davis, mike@sciap.org
MSEE, CISSP, SysEngr
ISSA / TSN / SOeC and IEEE / SPAWAR / et al

Page 6:

Threat Vectors of Interest

• Mobile devices … and wireless: always predicted, yet proliferates in 2012
  – Start with BYOD, Android Trojans, digital wallets, USER-provided network services!
  – Wireless security issues expand (besides 802.11 & WiMAX, to Zigbee, WirelessHART, Z-Wave, etc.) … ARM hacking increases
• Cyber crime: easy money, minimal downside and growing
  – Illicit cyber revenues have essentially equaled all illegal drug trafficking $$$
• Nation-sponsored hacking: When APT meets industrialization
  – More targeted custom malware (Stuxnet -> Duqu is but one example)
• The insider threat is much more than you had imagined
  – Coming from employees, partners, clients and compromised services and computing devices of all kinds, with improved social engineering attacks
  – Social media: critical data leaks / malware distribution
• Misanthropes and anti-socials / hacktivism grows
  – Privacy vs. security (and trust) in social networks. Radical group's DDOS attack can be effective on small businesses!

… mobile devices and cloud infrastructure hacking are potentially the two of the biggest rising stars in cyber crime in 2012 …

Page 7:

Threat Vectors of Interest (Cont.)

• SSL/XML/web (HTML5)/browser vulnerabilities will proliferate
  – Browsers remain a major threat vector (and bypass the IA suite)
• Hackers feeling the heat… (the easy vulnerabilities are diminishing)
  – they need to invest in better attack techniques and detection evasion….
• Cyber security becomes a business process…
  – focused on data security, no longer a niche industry….
• Convergence of data security and privacy regulation worldwide..
  – Compliance even more so (PCI DSS, HIPAA, etc.) .. What is "good enough" security?
  – Data security goes to the cloud; the long IPv6 transition will provide threat opportunities… Data Loss Prevention is STILL key…
• Containment is the new prevention (folks now get the "resilience" aspect...)
• Full-time incident responders needed, versus only virtual
  – Monitoring and analysis capability increase, but not enough (re: near real-time forensics & "chain of custody" evidence)…. "continuous monitoring" is KEY… (re: NIST docs)

… MUCH to consider in the "threat" equation…

Page 8:

So what "really" matters in Cyber?

• OSD / federal
  – Distributed Trust
  – Resilient Architectures
  – Response and Cyber Maneuver
  – Visualization and Decision Support
  – Component Trust
  – Detection and Autonomic Response
  – Recovery and Reconstitution
• NSA / agency
  – Mobility, wireless and secure mobile services
  – Platform integrity / compliance assurance
  – End client security
  – Cyber indications and warning (I&W)
  – Mitigation engineering (affordability)
  – Massive data (data-centric security)
  – Advanced technology…. (targeted)
  – Virtualization – secure capabilities

It's NOT a lot of expensive new "cyber stuff" but more SoS / I&I "glue" (profiles, common EA, SoPs, standards, etc.)

Along with: (1) enforced cyber hygiene, (2) effective access control, (3) defense in depth IA / security suite and (4) continuous monitoring

Page 9:

FBI San Diego: Threats To Cyber Security

Special Agent Chris [email protected]

(858) 565-1255

Page 10:

San Diego FBI has two Cyber Squads:

The Criminal Squad works child pornography, criminal intrusions, Internet fraud, identity theft, and more.

The National Security Squad works cyber threats from foreign entities.

Our criminal squad will help you preserve evidence, prosecute the "bad guys", and clean up your network. Our national security squad will "share" information and help you secure your network.

Page 11:

InfraGard: www.infragard.net
Information sharing between the FBI, business, private individuals and other Government agencies.

www.ic3.gov

Page 12:

Emerging Threat Vectors

Matt Stamper, MS, MPIA, CISA
Vice President of Managed & Professional Services
[email protected]
858.836.0224

Page 13:

The Simple Complexity Risk

As we are discussing today, security threats come from a variety of sources, from organized crime to malicious insiders. This threat landscape creates the perfect storm for security breaches where IT is now perceived as being as simple as point and click. Simplicity comes at a cost!

• Complexity of IT is masked by the ease of access ("There's an app for that!")
• Complexity of business relationships ("Where's the perimeter?")
• Complexity of underlying infrastructure (code, servers, network, etc.)
• Domain expertise & related competencies

Page 14:

Economic & Reputational Risk

Breach disclosure, coupled with state, national, and international privacy laws, requires new thinking about security. The often-discussed issue of brand exposure should now be front-and-center to security planning.

• SEC (CF Disclosure Guidance: Topic No. 2 – October 13, 2011) + Regulation S-K Item 503(c) – Analysis of Risk Factors
  – Disclosure for potential impairment to goodwill, intangible assets, etc.
  – More rigorous disclosure control requirements (pervasive nature of IT general controls)
• State Privacy Laws
  – California: SB-1386
  – Nevada: SB-227
  – Massachusetts: 201 CMR 17

Most organizations are simply ill-equipped to address the growing technical and regulatory complexity in an effective manner. This tension will increase throughout 2012.

Page 15:

Are the threats greater than your preparedness?

Rick Moy, CEO, NSS Labs

Page 16:

Look who's testing…

• Global cybercrime $114B (Symantec)
  – Bad guys are testing aggressively
  – $17B in R&D (assuming 15% investment)
• Security & Services $55B (Gartner)
• Symantec 2011 revenue $6B
• Bad guys are outspending good guys

Page 17:

Evasion is an industry problem

• Old attacks become new again
• Simple evasion tools disguise 'detectable' malware
• Anti-evasion needs improvement

Vendor   HTML Obfuscation   Payload Encoding   File Compression   Exe Compressors
A        43%                40%                80%                40%
B        100%               40%                80%                100%
C        100%               40%                80%                80%
D        100%               80%                80%                80%
E        100%               60%                60%                80%
F        43%                20%                80%                40%
G        43%                40%                60%                40%
H        57%                60%                80%                80%
I        100%               40%                60%                60%
J        100%               100%               60%                80%
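The table lists four evasion classes the presenter's testing exercised. The following is an added example, written for this page and not taken from the slides or from NSS Labs, showing in Python why a byte-for-byte signature scanner misses three of those classes (HTML obfuscation, payload encoding, file compression) and how a scanner that normalises its input before matching recovers the detection. The marker string, the sample documents and the decoding rules are all constructed for illustration; they are not real malware and do not reproduce the vendor percentages above.

```python
"""Added example (not from the slides): naive signature matching versus a
normalising scanner, against the evasion classes in the table.
Everything below (marker string, samples, decoding rules) is constructed
for illustration; nothing here is real malware or a vendor's logic."""
import base64
import gzip
import re
import zlib

# Constructed "signature": the byte string a simplistic scanner looks for.
SIGNATURE = b"EVIL_MARKER_FUNCTION"

# Constructed samples, one per evasion class in the table.
PLAIN = b"<script>EVIL_MARKER_FUNCTION('x');</script>"
# HTML obfuscation: JS string concatenation plus \xNN escapes hide the marker.
HTML_OBF = (b"<script>var f='EVIL_'+'MARKER_'+"
            b"'\\x46\\x55\\x4e\\x43\\x54\\x49\\x4f\\x4e';window[f]('x');</script>")
# Payload encoding: the plain page shipped as base64 and decoded client-side.
B64 = b"<script>eval(atob('" + base64.b64encode(PLAIN) + b"'));</script>"
# File compression: the plain page as a gzip member.
GZ = gzip.compress(PLAIN)
# Layered: compression on top of encoding (two decode steps needed).
GZ_B64 = gzip.compress(B64)

SAMPLES = {
    "plain": PLAIN,
    "html_obfuscation": HTML_OBF,
    "payload_encoding": B64,
    "file_compression": GZ,
    "compressed_encoding": GZ_B64,
}

_HEX_ESC = re.compile(rb"\\x([0-9a-fA-F]{2})")   # \x46 -> F
_CONCAT = re.compile(rb"'\s*\+\s*'")              # 'a'+'b' -> 'ab'
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def naive_scan(data: bytes) -> bool:
    """Byte-for-byte signature match with no normalisation."""
    return SIGNATURE in data


def normalise(data: bytes, depth: int = 3) -> list[bytes]:
    """Return the input plus every decoded/decompressed view of it.

    depth bounds the recursion: unbounded decoding of nested blobs is
    itself a denial-of-service vector, so a real scanner caps depth and
    output size.
    """
    views = [data]
    if depth == 0:
        return views
    # 1. gzip member: decompress if the magic bytes are present.
    if data[:2] == b"\x1f\x8b":
        try:
            views += normalise(gzip.decompress(data), depth - 1)
        except (OSError, EOFError, zlib.error):
            pass  # corrupt or truncated member; keep scanning other views
    # 2. JS string obfuscation: resolve \xNN escapes, collapse 'a'+'b'.
    dejs = _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    dejs = _CONCAT.sub(b"", dejs)
    if dejs != data:
        views += normalise(dejs, depth - 1)
    # 3. base64: decode every long base64-looking run and scan the result.
    for run in _B64_RUN.findall(data):
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue  # not valid base64 after all
        views += normalise(decoded, depth - 1)
    return views


def normalising_scan(data: bytes) -> bool:
    """Signature match over the original plus all normalised views."""
    return any(SIGNATURE in view for view in normalise(data))


def detection_table() -> dict[str, dict[str, bool]]:
    """One row per sample, like the slide: which scanner caught it."""
    return {
        name: {"naive": naive_scan(s), "normalising": normalising_scan(s)}
        for name, s in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, row in detection_table().items():
        print(f"{name:20} naive={str(row['naive']):5} normalising={row['normalising']}")
```

Run it directly to print a small detection table. The slide's point shows up in the output: the naive scanner catches only the plain sample, while the normalising scanner catches every variant, including the gzip-wrapped base64 sample that needs two decoding steps. The depth bound is the caveat worth keeping: decoders that recurse without limit are themselves a denial-of-service target (nested archives), so a production scanner bounds both recursion depth and decoded size.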

Page 18:

Tune an IPS. NGFW not so much.

• Time to tune up from default policy
• Do you know what's on your desktops?