"Cyber" security - all good, no need to worry?
Ian Amit Director of Services, IOActive
¡Hola
Source: datalossdb.org

Chart: Incidents by Business Type - All Time (source: datalossdb.org). Categories: Biz, Gov, Med, Edu. Values revealed in slide build order: 52%, 18%, 16%, 14%.

Chart: Incidents by Vector - All Time (source: datalossdb.org). Categories: Outside, Inside - Accidental, Inside - Malicious, Unknown, Inside. Values revealed in slide build order: 57%, 20%, 10%, 7%, 6%.

Chart: DataLossDB.org Incidents Over Time, years 2004 through 2013, y-axis 0 to 1800. Per-year values printed on the chart, in extraction order (not necessarily chronological): 695, 1621, 1091, 829, 728, 1048, 775, 644, 157, 43.
Problem ✓
Solution?
What would CISO do?
WTF?
RISK MANAGEMENT
We need to get back to BASICS
insert crowd pic here
Prioritize!
Based on risk, impact, potential cost, and cost of remediation
Summary
1. Stop throwing money at products.
2. Identify assets, processes, technology, threats.
3. Assess your current posture. Identify gaps.
4. Address gaps based on priority and relevance. Consider cost (of impact, of fixing).
5. Test effectiveness.
6. Back to 2.
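The six-step loop above is a risk-management process, not a product purchase, and step 4 is where the prioritisation happens. The following is an added example, not code from the talk or from IOActive, that turns the deck's own criteria (risk, impact, potential cost, cost of remediation) into a ranking: each gap found in step 3 gets an annualised expected loss (likelihood times impact), the fix's value is the expected loss it removes, and gaps are ordered by loss avoided per unit of remediation spend, then funded greedily under a budget. The gap list, the numbers and the Gap fields are constructed for illustration; residual_expected_loss is what step 5 should measure against when you go back to step 2.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Gap:
    """One gap found while assessing current posture (step 3). Fields are assumptions."""
    name: str
    asset: str
    likelihood: float        # estimated probability the threat materialises per year (0..1)
    impact_cost: float       # estimated cost if it does (currency units)
    remediation_cost: float  # cost of closing the gap
    reduction: float         # fraction of the risk the fix removes (0..1)


def expected_loss(gap: Gap) -> float:
    """Annualised expected loss of leaving the gap open: likelihood x impact."""
    return gap.likelihood * gap.impact_cost


def risk_reduced(gap: Gap) -> float:
    """Expected loss the fix removes."""
    return expected_loss(gap) * gap.reduction


def residual_expected_loss(gap: Gap) -> float:
    """What should remain after the fix; step 5 tests whether reality matches this."""
    return expected_loss(gap) - risk_reduced(gap)


def return_on_remediation(gap: Gap) -> float:
    """Expected loss avoided per unit spent on the fix (the prioritisation key)."""
    if gap.remediation_cost <= 0:
        return float("inf")
    return risk_reduced(gap) / gap.remediation_cost


def prioritize(gaps: List[Gap], budget: Optional[float] = None) -> List[Gap]:
    """Rank gaps by return on remediation; with a budget, greedily fund them in that order."""
    ranked = sorted(gaps, key=return_on_remediation, reverse=True)
    if budget is None:
        return ranked
    funded, remaining = [], budget
    for gap in ranked:
        if gap.remediation_cost <= remaining:
            funded.append(gap)
            remaining -= gap.remediation_cost
    return funded


# Constructed sample gaps; the figures are illustrative, not real estimates.
SAMPLE_GAPS = [
    Gap("Unpatched internet-facing web server", "customer database", 0.6, 500_000, 20_000, 0.9),
    Gap("No MFA on remote access VPN", "corporate network", 0.4, 800_000, 40_000, 0.8),
    Gap("Laptops without disk encryption", "employee laptops", 0.3, 100_000, 5_000, 0.95),
    Gap("Shiny threat-intel appliance", "SOC", 0.05, 200_000, 150_000, 0.3),
]


def main() -> None:
    for gap in prioritize(SAMPLE_GAPS):
        print(f"{return_on_remediation(gap):6.2f}  {gap.name} ({gap.asset})"
              f"  expected loss {expected_loss(gap):,.0f}"
              f"  residual after fix {residual_expected_loss(gap):,.0f}")
    print("funded with 70,000:", [g.name for g in prioritize(SAMPLE_GAPS, budget=70_000)])


if __name__ == "__main__":
    main()
```

With these constructed figures the appliance ranks last: its expected loss avoided is a small fraction of its price, which is the point of step 1. The same data structure carries through the loop: after step 5 you replace the estimated likelihood with what you measured and re-run the ranking from step 2.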
REMEMBER!
• You are not fighting off pentesters. You are fighting off actual adversaries.
• You are not fighting off auditors. You keep your organization working.
• You are not fighting off regulators. You are trying to keep yourself out of jail.