Simon Puleo
Security Global Enablement Manager
2018
Create a Culture of Cyber Security Leadership
Without “Us”, Security is:
(slide graphic: the letters of “Security” scattered)
Security needs “Us”
“Us” in security…
More specifically, these are my colleagues.
Target list: Bill Cruss, Too Rutter, Jane Doey, John Buck, ______________
Fullz =
Bill Cruss
1244 E Main
Clevaland, OH
506 650 6500
Facebook account: B Cruss
Cyber Security 2017 Curve (figure; source: Saumil Shah, NetSquare)
Contributing Factors
Cultural Fabric: Security lacks a top-down and sideways business or organizational priority.
People & Policy: Policy is one way, and employees are willing to bend security policy to gain perceived efficiency! Security is implied and people are complacent.
Lack of “Talking about” Cyber Risk Management: Cyber is not part of business planning.
Future Cyber Security Workforce: Enabling Factors
Cultural Fabric: Cyber security is integrated into communications, projects, processes and leadership top-down, bottom-up and sideways.
People & Policy: Policy becomes a two-way dialogue as employees contribute to security policy. Cyber security is a source of pride and importance to all!
“Talking about” Cyber Risk Management: Cyber is a part of the business!
(diagram: Human Factor, Exploits, Adversary)
2017 – Adversary Landscape
• WannaCry
• Kronos
• Yahoo! Hack
• Outsourcing by Russia
“Unorganized Crime”: services are exchanged for profit.
Philadelphia – Ransomware aaS
Zeus – Malware aaS
Tor’s Hammer – DDoS aaS
(photos: Alexsey Belan, Marcus Hutchins)
“Someone who is in an insider threat, who's seeking to do damage, will do the damage, once they've made a decision.”
William Evanina, head of U.S. CIA counterintelligence
“…the insider is an unwitting accomplice who falls prey to social engineering and clicks malware in a phishing email. Insiders put value at risk.”
Admiral Mike McConnell, Former NSA Director
2017 – Hackers go for simplicity…
IoT and Cloud are the new frontier
- CIOs have 1000’s of cloud apps
- Shadow IT means even more
- Hackers take advantage of ‘legacy’ cloud apps
Ransomware
- 64% of Americans are willing to pay $1000 or more*
- Ransomware aaS makes it easy for more criminals to get in the game
Email is the attack weapon of choice
- Ease of use
- PowerShell and attachments used to deliver payloads
DDoS
- The Mirai botnet used infected cameras and poorly secured devices to create a mass network of denial
* Symantec Security Report
2017 – Human Factor
Verizon 2017 Breach Report
- 66% of malware was installed via an email attack
- 81% of attacks leveraged stolen or weak passwords
- 1 in 14 users were tricked into following a link or opening an attachment
2017 Black Hat Attendee Survey
- The number one threat is social engineering: phishing, social network exploits, or other methods
- The weakest link is end users who violate security policy and are too easily fooled by social engineering attacks.
- A lack of security awareness about phishing and other social engineering attacks is the most significant threat to the average consumer.
https://infogram.com/dbir-1-in-14-were-tricked-into-following-a-link-1gqnmxd3q5lqplw
Grizzly Steppe – Perfect Storm
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
(diagram: Human Factor, Exploits, Adversary)
Adversary: Nation State
Exploits: Spear Phishing, Malware Installation, Data Exfiltration
Human Factor: Unsuspecting Users, soft “Least Privilege” controls, soft “Monitoring of Logs”
Cultural Fabric
• Strategic: top-down and sideways messages on awareness
• Identifying and protecting IP.
• If in doubt – check it out!
People & Policy
• Promote awareness on social engineering: be suspicious of any request to reset your password.
• Review policies on password reset and privileged accounts that can install software.
Controls & Monitoring
• Implement risk-based authentication and Multi-Factor Authentication in access management.
• Monitor privileged accounts and implement privileged access management on accounts that can install software.
Advocating Like a Cyber Security Leader
One in many
Imagine if 1 in 10 were cyber security leaders!
Enabling Cyber Security Leaders to Change Culture
(diagram: SDLC, Project Management, Team Meetings, Planning, Discussions, Communications, Financial, Process, Organizational Culture, Leadership Principles)
Identify Cyber Security Leaders
• Project managers, respected SMEs, LoB, Risk Managers
• Natural influence on process and projects
• Comfortable speaking with others
• Motivated and interested in learning about cybersecurity
• Follow procedure and want to be involved in policy and control
Identifying Cyber Security Leaders!
Communication Platform
- Right Messages
- Supported Content
- Train others
- Model behavior
- Know the way forward
Toolset/Mindset
- Identity Powers Experience
- Identity Governance
- Open-Source
Business Leadership
- Security Principles
- Organizational Policy
- Regulatory Policy
- Cyber Security Processes
Tools for Cyber Security Leaders
Enabling Trust through Least Privilege
The Micro Focus Platform - Identity Powers Experience
For Users, Devices, Things and Services; Cloud, On-Premise and Hybrid
Identity
• Governance
• Provisioning
• Privileged Identity
• Self Service
• Social Registration
• Unified Identity
• Roles
• Analytics
• Data Security
Access
• Risk Based Access
• SSO
• Privileged Access
• Federation
• Multi-Factor
• Mobile
• Social Access
• Analytics
• Data Security
Insight
• SIEM
• File Integrity
• Privileged Monitoring
• Configuration Monitoring
• Change Monitoring
• Analytics
• Data Security
Who is responsible for enforcing least privilege?
HR, CFO, CEO, CISO, Compliance, Sales, CTO, DevOps
Everyone is responsible for leading when it comes to cyber!
Help leaders identify with Identity and Access Review!
Manager             Identify Tools      Manage Privilege?
Sales Manager       SFDC                Yes
                    Quoting Tool        No
                    Workforce           Yes
                    …
Product Management  Requirements Tool   Yes
                    Sharepoint          Yes
                    Research            No
                    …
HR
Educate Leaders on Enforcing Least Privilege with Access Review!
Don’t inflict Governance on your business users.
Engage them at the right time, for the right reasons, and with the right information.
IGA Business Benefits
Eliminate Unnecessary Access (Least Privilege)
- Reduce the risk and impact of security breaches
- Reduce the cost of unused licenses or services
Improve Efficiency
- Quick and efficient provisioning/de-provisioning (Movers, Joiners, Leavers)
- Conduct simpler, less demanding access reviews and certifications
- Provide self-service Identity capabilities including access request and password reset
Improve Agility
- More easily adapt to change:
  - Regulation changes
  - On-boarding new systems and applications
  - Absorbing mergers and acquisitions
Access Certification Preview
Point In Time Identity Governance
Identity Event → Certification Review → Secure & Compliant? → Triggers Action → Access Retained
Without a real-time identity store, you’re only checking rules vs. entitlements based on the latest import. Was that last week? Last month…?
Real-Time Risks Need Adaptive Identity Governance
Identity Event → Certification Review → Secure & Compliant → Triggers Action → Access Revoked
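The two flows above, as an added Python example that is not part of the slides: a toy identity store in which point-in-time certification is run against the last import, while an adaptive store re-checks the same least-privilege rule on every grant event. Users, teams, tools and the allow-list are constructed sample data.

```python
# Added example, not from the slides: a toy identity store contrasting the two
# flows. Point-in-time certification checks rules against the last import, so a
# grant made after the import is retained until the next review; the adaptive
# store treats every grant as an identity event that triggers a review at once.
from copy import deepcopy

# Constructed least-privilege rule: the entitlements each team may hold.
ALLOWED = {
    "sales": {"SFDC:user", "QuotingTool:user"},
    "hr": {"Workforce:admin", "SFDC:user"},
}
TEAM = {"jane": "sales", "bill": "hr"}  # constructed users

def violations(user, entitlements):
    """Entitlements the user holds that the rule for their team does not allow."""
    return sorted(entitlements.get(user, set()) - ALLOWED[TEAM[user]])

def point_in_time_certification(snapshot):
    """The certifier sees only the imported snapshot; later grants are invisible."""
    return {user: violations(user, snapshot) for user in snapshot}

class AdaptiveStore:
    """Real-time store: every grant is an identity event that triggers a review."""
    def __init__(self, entitlements):
        self.entitlements = deepcopy(entitlements)
        self.revoked = []  # (user, entitlement) pairs removed by triggered reviews

    def grant(self, user, entitlement):
        self.entitlements.setdefault(user, set()).add(entitlement)
        for bad in violations(user, self.entitlements):  # review triggered by the event
            self.entitlements[user].discard(bad)         # action: access revoked
            self.revoked.append((user, bad))

def compare():
    baseline = {"jane": {"SFDC:user"}, "bill": {"Workforce:admin"}}
    snapshot = deepcopy(baseline)                      # the certifier's last import
    live = deepcopy(baseline)
    live["jane"].add("QuotingTool:admin")              # granted after the import
    certified = point_in_time_certification(snapshot)  # rules vs stale entitlements
    actual = {user: violations(user, live) for user in live}
    store = AdaptiveStore(baseline)
    store.grant("jane", "QuotingTool:admin")           # same grant, reviewed at once
    return certified, actual, store

if __name__ == "__main__":
    certified, actual, store = compare()
    print("point-in-time review saw:", certified)   # jane: [] so access is retained
    print("entitlements actually live:", actual)    # jane: ['QuotingTool:admin']
    print("adaptive governance revoked:", store.revoked)
```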
Open Source for Cyber Leaders
Research carefully before using these tools
Phishing Simulators
• Phishing Frenzy (Ruby on Rails – Linux Based)
• Gophish (installable EXE)
Stop Think Connect Toolkit from DHS
https://www.dhs.gov/stopthinkconnect-toolkit
Communication Platform
- Right Messages
- Supported Content
- Train others
- Model behavior
- Know the way forward
Tools
- Govern Identity & Access
- Proactively manage with Security Analytics
Business Leadership
- Security Principles
- Organizational Policy
- Regulatory Policy
- Cyber Security Processes
Enabling Cyber Security: Business Leadership
Leadership Principles
• Customer Obsession
• Ownership
• Invent and Simplify
• Are Right, A Lot
• Learn and Be Curious
• Hire and Develop the Best
• Insist on the Highest Standards
• Be a Cyber Security Leader
• Think Big
• Bias for Action
• Frugality
• Earn Trust
• Dive Deep
• Have Backbone; Disagree and Commit
• Deliver Results
Customer Obsession
Leaders start with the customer and work backwards. They work vigorously to earn and keep customer trust. Although leaders pay attention to competitors, they obsess over customers.
Cyber Security Leader Principle (fill in the blank)
Leaders always ensure that _____________________
They work vigorously to educate _________________
Although leaders pay attention to _________________
Cyber Security Leadership Principle
Leaders always ensure that the right policies and controls are in place to support proactive cyber security in their day-to-day projects. They work vigorously to educate their colleagues and customers on the importance of cyber security to their business. Although leaders pay attention to the big picture of security, they obsess over risk management.
Leaders always ensure that …
They work vigorously to …
Although leaders pay attention to …
Enabling Cyber Security: Communication Platform
Phishing – Don’t get hooked!
Which one of these emails is a Phish?
How to identify a Phish: Tips
1. Check spelling & grammar – Hacker’s their; bad spellars!?
2. Look for time constraints – fraudsters create a call to action by using time constraints, for example “your account will be closed in 12 hours if you do not act”.
3. False authority – hackers use false authority to lead you into their web of deception. Examples include “You are under investigation by the FBI, click this link to learn more…” or “The CEO is asking that you use your company credit card to purchase supplies, click this link…”
4. Too good to be true – hackers use your public profile to find out about your interests, offering rewards in exchange for action, for example “Click here for free yoga classes”.
5. Compliance – hackers demand action based on compliance or false policy, for example “IT policy requires you to change your password every 90 days, click here.”
Need to Know: Hackers can disguise the sender name, URL links and attachment extensions to look real with PunyCode. Verify any request for your credentials or financial information.
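An added example, not from the slides, that applies tips 2 to 5 and the PunyCode note to one message: it looks for the wording cues, decodes any xn-- host in a link so the reader sees what the address really is, and checks a trusted display name against the domain that actually sent the mail. The cue words, the trusted-sender map and the sample message (including its mixed-script host) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Tip 2 to 5 wording cues plus the credential/financial ask to verify (constructed).
CUES = {
    "time constraint": ("within 12 hours", "account will be closed", "act now"),
    "false authority": ("under investigation", "the ceo is asking", "the fbi"),
    "too good to be true": ("free ", "your reward", "you have won"),
    "compliance pretext": ("it policy requires", "required by policy"),
    "asks for credentials or money": ("password", "credit card", "verify your account"),
}
# Constructed: display names the organisation trusts and the domain they must come from.
KNOWN_SENDERS = {"example bank": "example-bank.test"}

def punycode_host(url):
    """Unicode form of the link host if any label is PunyCode (xn--), else None."""
    host = (urlparse(url).hostname or "").lower()
    return host.encode("ascii").decode("idna") if "xn--" in host else None

def sender_mismatch(sender):
    """Display name of a trusted sender, but the address domain is not theirs."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<[^@>]+@([^>]+)>', sender)
    if m:
        name, domain = m.group(1).lower(), m.group(2).lower()
        for brand, legit in KNOWN_SENDERS.items():
            if brand in name and domain != legit:
                return f"'{m.group(1)}' sent from {domain}, expected {legit}"
    return None

def score_message(sender, subject, body):
    """List every indicator found; several together is the pattern the tips describe."""
    text = f"{subject}\n{body}".lower()
    findings = [label for label, words in CUES.items() if any(w in text for w in words)]
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        decoded = punycode_host(url)
        if decoded:
            findings.append(f"punycode host {urlparse(url).hostname} renders as {decoded}")
    if mismatch := sender_mismatch(sender):
        findings.append("sender name mismatch: " + mismatch)
    return findings

# Constructed sample. The link host mixes Cyrillic е/х/а/р with Latin m/l, so on
# screen it reads like example-bank.test while being a different domain.
HOMOGRAPH_HOST = "\u0435\u0445\u0430m\u0440l\u0435-bank.test"
SAMPLE = dict(
    sender='"Example Bank Security" <alerts@notify-mail.test>',
    subject="IT policy requires a password reset",
    body="Your account will be closed in 12 hours. Verify your account at "
    f"http://{HOMOGRAPH_HOST.encode('idna').decode('ascii')}/login")
```

Running `score_message(**SAMPLE)` lists the time constraint, the compliance pretext, the credential request, the decoded homograph host and the sender mismatch; a legitimate notice from example-bank.test with no xn-- links triggers none of them.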
Think Like an Ethical Hacker Activity
The following exercise is for ethical hackers. Can you agree to the following?
1. You will not use what you learn against others.
2. You will share your knowledge to promote good security practices.
3. While we are not partaking in hacking today, you understand that computer hacking, including identity theft and digital property theft, is against the law in the United States and other countries.
How an ethical hacker thinks.
“Know thy self, know thy enemy. Not fear a thousand battles.” Sun Tzu
1. Choose a partner at your table.
2. Ask them about their interests.
3. Craft a short phishing email that would be directed at your partner (3-5 minutes)
   • Choose a call to action such as: open a document, click on a link
   • Use at least 2 elements from “How to identify a Phish: Tips”
4. Send it to your partner; after they read it, ask them if it seemed convincing. Share examples with the group.
DIY Phishing Simulation
Thank You! If you would like a copy of these slides, please email me at