"Cyber" security - all good, no need to worry?

"Cyber" security - all good, no need to worry?

Ian Amit Director of Services, IOActive

¡Hola

Source: datalossdb.org

Incidents by Business Type - All Time

Biz Gov Med Edu



Biz Gov Med Edu

52%



Biz Gov Med Edu

18%

52%



Biz Gov Med Edu

16%

18%

52%



Biz Gov Med Edu

14%

16%

18%

52%




Incidents by Vector - All Time

Outside Inside - Accidental Inside - Malicious UnknownInside




57%




20%

57%




10%

20%

57%




7%

10%

20%

57%




6%7%

10%

20%

57%

DataLossDB.org Incidents Over Time

0

450

900

1350

1800

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

695

1621

1091

829728

1048

775

644

157

43

Problem ✓

Problem ✓

Solution?

What would CISO do?

What would CISO do?

WTF?

RISK MANAGEMENT

We need to get back to BASICS

insert crowd pic here

Prioritize !

Based on risk, impact,

potential cost, and cost of remediation

Summary1. Stop throwing money on products

2. Identify assets, processes, technology, threats.

3. Assess your current posture. Identify gaps.

4. Address gaps based on priority and relevance. Consider cost (of impact, of fixing).

5. Test effectiveness.

6. Back to 2.

REMEMBER!

• You are not fighting off pentesters. You are fighting off actual adversaries.

• You are not fighting off auditors. You keep your organization working.

• You are not fighting off regulators. You are trying to keep yourself out of jail.

Thank You! ¡gracias

Ian Amit Director of Services, IOActive

[email protected] Twitter: @iiamit

mailto:[email protected]

Technology

"Cyber" security - all good, no need to worry?