Transcript of Create a Culture of Cyber Security Leadership (slide deck, 50 pages)

Page 1:

Create a Culture of Cyber Security Leadership

Simon Puleo, Security Global Enablement Manager, 2018

Page 2:

Create a Culture of Cyber Security Leadership

Page 3:

Page 4:

Without “Us”, Security is: “ecre” (the word “Secure” with the letters “u” and “s” taken out)

Page 5:

“Secure”, with the “S” and the “u” pulled out: ec re S u

Security needs “Us”

Page 6:

“Us” in security…

Page 7:

More specifically, these are my colleagues.

Target List: Bill Cruss, Too Rutter, Jane Doey, John Buck

______________

Fullz =
Bill Cruss
1244 E Main
Cleveland, OH
[email protected]
506 650 6500
Facebook account: B Cruss

Page 8:

Cyber Security 2017 Curve (*Saumil Shah, NetSquare)

Contributing Factors

Cultural Fabric: Security lacks a top-down and sideways business or organizational priority.

People & Policy: Policy is one way, and employees are willing to bend security policy to gain perceived efficiency! Security is implied and people are complacent.

Lack of “Talking about” Cyber Risk Management: Cyber is not part of business planning.

Page 9:

Future Cyber Security Workforce: Enabling Factors

Cultural Fabric: Cyber security is integrated into communications, projects, processes and leadership top-down, bottom-up and sideways.

People & Policy: Policy becomes a two-way dialogue as employees contribute to security policy. Cyber security is a source of pride and importance to all!

“Talking about” Cyber Risk Management: Cyber is a part of the business!

Page 10:

(Diagram) Human Factor / Exploits / Adversary

Page 11:

2017 – Adversary Landscape

• WannaCry
• Kronos
• Yahoo! Hack
• Outsourcing by Russia

“Unorganized Crime”: Services are exchanged for profit.
Philadelphia – Ransomware aaS
Zeus – Malware aaS
Tor’s Hammer – DDoS aaS

(Pictured: Alexsey Belan, Marcus Hutchins)

"Someone who is in an insider threat, who's seeking to do damage, will do the damage, once they've made a decision." – William Evanina, head of U.S. CIA counterintelligence

“..the insider is an unwitting accomplice who falls prey to social engineering and clicks malware in a phishing email. Insiders put value at risk” – Admiral Mike McConnell, Former NSA Director

Page 12:

2017 – Hackers go for simplicity..

IoT and Cloud are the new Frontier
- CIOs have 1000’s of Cloud Apps
- Shadow IT means even more
- Hackers take advantage of ‘legacy’ cloud apps

Ransomware
- 64% of Americans are willing to pay $1000 or more*
- Ransomware aaS makes it easy for more criminals to get in the game

Email is the Attack Weapon of Choice
- Ease of Use
- PowerShell and Attachments used to deliver payloads

DDoS
- Mirai Botnet used infected cameras and poorly secured devices to create a mass network of denial

* Symantec Security Report

Page 13:

2017 – Human Factor

Verizon 2017 Breach Report
- 66% of Malware was installed via an email attack
- 81% of attacks leveraged stolen or weak passwords
- 1 in 14 users were tricked into following a link or opening an attachment

2017 Black Hat Attendee Survey
- The number one threat is social engineering: phishing, social network exploits, or other methods
- The weakest link is end users who violate security policy and are too easily fooled by social engineering attacks.
- A lack of security awareness about phishing and other social engineering attacks is the most significant threat to the average consumer.

Page 14:

https://infogram.com/dbir-1-in-14-were-tricked-into-following-a-link-1gqnmxd3q5lqplw

Page 15:

Grizzly Steppe – Perfect Storm

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

Page 16:

(Diagram) Human Factor / Exploits / Adversary

Adversary: Nation State
Exploits: Spear Phishing, Malware Installation, Data Exfiltration
Human Factor: Unsuspecting Users, Soft “Least Privilege” controls, Soft “Monitoring of Logs”

Page 17:

Advocating Like a Cyber Security Leader

Cultural Fabric
• Strategic: Top-down and sideways messages on awareness
• Identifying and protecting IP.
• If in doubt – check it out!

People & Policy
• Promote awareness on social engineering: Be suspicious of any request to reset your password.
• Review policies on password reset and privileged accounts that can install software.

Controls & Monitoring
• Implement risk-based authentication and Multi-Factor Authentication in access management.
• Monitor privileged accounts and implement privileged access management on accounts that can install software.

Page 18:

One in many

Page 19:

Imagine if 1 in 10 were cyber security leaders!

Page 20:

Enabling Cyber Security Leaders To Change Culture

(Diagram) SDLC; Project Management; Team Meetings; Planning Discussions; Communications; Financial Process; Organizational Culture; Leadership Principles

Page 21:

Identify Cyber Security Leaders

Page 22:

Page 23:

Identifying Cyber Security Leaders!

• Project managers, respected SMEs, LoB, Risk Managers
• Natural influence on process and projects
• Comfortable speaking with others
• Motivated and interested in learning about cybersecurity
• Follow procedure and want to be involved in policy and control

Page 24:

Tools for Cyber Security Leaders

Communication Platform
- Right Messages
- Supported Content
- Train others
- Model behavior
- Know the way forward

Toolset/Mindset
- Identity Powers Experience
- Identity Governance
- Open-Source

Business Leadership
- Security Principles
- Organizational Policy
- Regulatory Policy
- Cyber Security Processes

Page 25:

Enabling Trust through Least Privilege

Page 26:

The Micro Focus Platform - Identity Powers Experience

(Diagram) Access | Identity | Insight
Users, Devices, Things, Services
Cloud, On-Premise, Hybrid

Page 27:

The Micro Focus Platform - Identity Powers Experience

Identity
• Governance
• Provisioning
• Privileged Identity
• Self Service
• Social Registration
• Unified Identity
• Roles
• Analytics
• Data Security

Access
• Risk Based Access
• SSO
• Privileged Access
• Federation
• Multi-Factor
• Mobile
• Social Access
• Analytics
• Data Security

Insight
• SIEM
• File Integrity
• Privileged Monitoring
• Configuration Monitoring
• Change Monitoring
• Analytics
• Data Security

Users, Devices, Things, Services
Cloud, On-Premise, Hybrid

Page 28:

Who is responsible for enforcing least privilege?

(Diagram) HR, CFO, CEO, CISO, Compliance, Sales, CTO, Dev, Ops

Everyone is responsible for leading when it comes to cyber!

Page 29:

Help leaders identify with Identity and Access Review!

Manager            | Identify Tools    | Manage Privilege?
-------------------|-------------------|------------------
Sales Manager      | SFDC              | Yes
                   | Quoting Tool      | No
                   | Workforce         | Yes
Product Management | Requirements Tool | Yes
                   | Sharepoint        | Yes
                   | Research          | No
HR                 |                   |

Page 30:

Educate Leaders on Enforcing Least Privilege with Access Review!

Page 31:

Don’t inflict Governance on your business users.

Engage them at the right time, for the right reasons, and with the right information.

Page 32:

IGA Business Benefits

Eliminate Unnecessary Access (Least Privilege)
- Reduce the risk and impact of security breaches
- Reduce the cost of unused licenses or services

Improve Efficiency
- Quick and efficient provisioning/de-provisioning (Movers, Joiners, Leavers)
- Conduct simpler, less demanding access reviews and certifications
- Provide self-service Identity capabilities including access request and password reset

Improve Agility
- More easily adapt to change:
  - Regulation changes
  - On-boarding new systems and applications
  - Absorbing mergers and acquisitions

Page 33:

Access Certification Preview

Page 34:

Point In Time Identity Governance

(Flow) Identity Event → Triggers → Certification Review → Secure & Compliant? → Action → Access Retained (?)

Without a real-time identity store, you’re only checking rules vs. entitlements based on the latest import. Was that last week? Last month…?

Page 35:

Real-Time Risks Need Adaptive Identity Governance

(Flow) Identity Event → Triggers → Certification Review → Secure & Compliant → Action → Access Revoked
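The two flows on pages 34 and 35, and the manager/tool/privilege table from the Access Review slide, worked as a small simulation. This is an added example, not code from the deck or from any Micro Focus product: a point-in-time review certifies against a stale import, while the adaptive model re-evaluates on each identity event and revokes excess access. The department rules, users and events are constructed for illustration; only the tool names come from the slide.

```python
import copy
from dataclasses import dataclass

# Constructed rule set (hypothetical): which tools each department may hold.
# Tool names are taken from the Access Review slide; the mapping is assumed.
ALLOWED = {
    "sales": {"SFDC", "Quoting Tool", "Workforce"},
    "product": {"Requirements Tool", "Sharepoint", "Research"},
}

@dataclass
class Identity:
    user: str
    department: str
    entitlements: set
    active: bool = True

def evaluate(ident):
    """Certification review: return entitlements that violate the rule
    for the identity's department. A leaver must hold nothing at all."""
    if not ident.active:
        return set(ident.entitlements)
    return ident.entitlements - ALLOWED.get(ident.department, set())

def point_in_time_review(snapshot):
    """Page 34 model: rules are checked only against the latest import."""
    return {i.user: evaluate(i) for i in snapshot.values()}

class AdaptiveGovernance:
    """Page 35 model: an identity event triggers a review of the live
    store, and the action taken is revoke, not retain."""
    def __init__(self, store):
        self.store = store
        self.revoked = []

    def on_event(self, user, kind, **attrs):
        ident = self.store[user]
        if kind == "mover":
            ident.department = attrs["department"]
        elif kind == "leaver":
            ident.active = False
        excess = evaluate(ident)
        for ent in sorted(excess):
            ident.entitlements.discard(ent)
            self.revoked.append((user, ent))
        return excess

def demo():
    """Run both models over the same events. Returns
    (stale review findings, adaptive revocations, live store)."""
    live = {
        "alice": Identity("alice", "sales", {"SFDC", "Quoting Tool"}),
        "bob": Identity("bob", "product", {"Requirements Tool", "Sharepoint"}),
    }
    snapshot = copy.deepcopy(live)          # the "latest import", taken before the events
    gov = AdaptiveGovernance(live)
    gov.on_event("alice", "mover", department="product")   # alice changes department
    gov.on_event("bob", "leaver")                           # bob leaves the company
    stale = point_in_time_review(snapshot)  # still certifies last week's picture
    return stale, gov.revoked, live

if __name__ == "__main__":
    print(demo())
```

The stale review reports both users as compliant while the live store, after the same events, has had every entitlement revoked.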

Page 36:

Open Source for Cyber Leaders

Research carefully before using these tools

Phishing Simulators
• Phishing Frenzy (Ruby on Rails – Linux Based)
• Gophish (Installable EXE)

Stop Think Connect Toolkit from DHS
https://www.dhs.gov/stopthinkconnect-toolkit

Page 37:

Enabling Cyber Security: Business Leadership

Communication Platform
- Right Messages
- Supported Content
- Train others
- Model behavior
- Know the way forward

Tools
- Govern Identity & Access
- Proactively manage with Security Analytics

Business Leadership
- Security Principles
- Organizational Policy
- Regulatory Policy
- Cyber Security Processes

Page 38:

Leadership Principles

• Customer Obsession
• Ownership
• Invent and Simplify
• Are Right, A Lot
• Learn and Be Curious
• Hire and Develop the Best
• Insist on the Highest Standards
• Be a Cyber Security Leader
• Think Big
• Bias for Action
• Frugality
• Earn Trust
• Dive Deep
• Have Backbone; Disagree and Commit
• Deliver Results

Page 39:

Customer Obsession

Leaders start with the customer and work backwards. They work vigorously to earn and keep customer trust. Although leaders pay attention to competitors, they obsess over customers.

Page 40:

Cyber Security Leader Principle (fill in the blank)

Leaders always ensure that _____________________

They work vigorously to educate _________________

Although leaders pay attention to_________________

Page 41:

Cyber Security Leadership Principle

Leaders always ensure that the right policies and controls are in place to support proactive cyber security in their day-to-day projects. They work vigorously to educate their colleagues and customers on the importance of cyber security to their business. Although leaders pay attention to the big picture of security, they obsess over risk management.

Page 42:

Enabling Cyber Security: Communication Platform

Communication Platform
- Right Messages
- Supported Content
- Train others
- Model behavior
- Know the way forward

Tools
- Govern Identity & Access
- Proactively manage with Security Analytics

Business Leadership
- Security Principles
- Organizational Policy
- Regulatory Policy
- Cyber Security Processes

Page 43:

Phishing – Don’t get hooked!

Page 44:

Which one of these emails is a Phish?

Page 45:

How to identify a Phish: Tips

1. Check spelling & grammar - Hacker’s their; bad spellars!?
2. Look for time constraints - fraudsters create a call to action by using time constraints, for example “your account will be closed in 12 hours if you do not act”
3. False authority – hackers use false authority to lead you into their web of deception. Examples include “You are under investigation by the FBI, click this link to learn more…” or “The CEO is asking that you use your company credit card to purchase supplies, click this link…”
4. Too good to be true – hackers use your public profile to find out about your interests, offering rewards in exchange for action, for example “Click here for Free yoga classes”
5. Compliance – hackers demand action based on compliance or false policy, for example “IT policy requires you to change your password every 90 days, click here.”

Need to Know

Hackers can disguise the sender name, URL links and attachment extensions to look real with PunyCode.

Verify any request for your credentials or financial information.
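The five tips and the PunyCode note above, turned into a defender-side checker. This is an added example, not code from the deck: it scores a message by which tips it trips and flags link hosts that are Punycode-encoded (xn--) or contain non-ASCII characters, so a reviewer or mail filter can surface them for the “verify any request” step. The phrase lists, the sample message and the lookalike host are constructed for illustration only.

```python
import re
from urllib.parse import urlparse

# Illustrative phrase lists (constructed, not exhaustive) for tips 2 to 5.
# Tip 1, spelling and grammar, is left to a spell checker.
PATTERNS = {
    "time_constraint": [r"\bwithin \d+ hours?\b", r"\bin \d+ hours?\b",
                        r"\baccount will be (closed|suspended)\b", r"\bimmediately\b"],
    "false_authority": [r"\bunder investigation\b", r"\bthe fbi\b",
                        r"\bthe ceo\b", r"\bcompany credit card\b"],
    "too_good_to_be_true": [r"\bfree\b", r"\bprize\b", r"\byou (have )?won\b"],
    "compliance_pretext": [r"\bpolicy requires\b", r"\bchange your password\b",
                           r"\bevery \d+ days\b"],
}
# The "Need to Know" rule: any request for credentials or money gets verified.
CREDENTIAL_REQUEST = [r"\bpassword\b", r"\bcredit card\b", r"\bverify your account\b"]

def disguised_hosts(urls):
    """Return link hosts that are Punycode (xn--) or contain non-ASCII characters."""
    found = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        # Python's idna codec turns xn-- labels back into their Unicode form;
        # a raw Unicode host fails the ASCII encode and is kept as-is.
        try:
            decoded = host.encode("ascii").decode("idna")
        except UnicodeError:
            decoded = host
        if "xn--" in host or any(ord(ch) > 127 for ch in decoded):
            found.append(host)
    return found

def score_email(subject, body, urls):
    """Return (score, reasons): one point per tip tripped, plus one point for
    a credential/money request and two for a disguised link."""
    text = f"{subject}\n{body}".lower()
    reasons = [tip for tip, pats in PATTERNS.items()
               if any(re.search(p, text) for p in pats)]
    if any(re.search(p, text) for p in CREDENTIAL_REQUEST):
        reasons.append("asks_for_credentials_or_money")
    hosts = disguised_hosts(urls)
    if hosts:
        reasons.append("disguised_link:" + ",".join(hosts))
    score = len(reasons) + (1 if hosts else 0)
    return score, reasons

# Constructed sample message; the host is a made-up xn-- lookalike.
SAMPLE_SUBJECT = "IT policy requires you to change your password"
SAMPLE_BODY = ("IT policy requires you to change your password every 90 days. "
               "Your account will be closed in 12 hours if you do not act. "
               "Click here: https://xn--pple-43d.com/reset")
SAMPLE_URLS = ["https://xn--pple-43d.com/reset"]

if __name__ == "__main__":
    print(score_email(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_URLS))
```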

Page 46:

Think Like an Ethical Hacker Activity

The following exercise is for ethical hackers.

Can you agree to the following?

1. You will not use what you learn against others.
2. You will share your knowledge to promote good security practices.
3. While we are not partaking in hacking today, you understand that computer hacking, including identity theft and digital property theft, is against the law in the United States and other countries.

Page 47:

How an ethical hacker thinks.

“Know thy self, know thy enemy. Not fear a thousand battles.” – Sun Tzu

Page 48:

DIY Phishing Simulation

1. Choose a partner at your table.
2. Ask them about their interests.
3. Craft a short phishing email that would be directed at your partner (3-5 minutes)
   • Choose a call to action such as:
     • Open a document
     • Click on a link
   • Use at least 2 elements from “how to identify a Phish Tips”
4. Send it to your partner; after they read it, ask them if it seemed convincing. Share examples with the group.

Page 49:

Thank You! If you would like a copy of these slides please email me at [email protected]

Page 50:

Simon Puleo
[email protected]

Thank you