Do it Best Corp. Techapalooza 2013 Presentation


Transcript of Do it Best Corp. Techapalooza 2013 Presentation

CYBER X

Brian T. O’Hara, CISA

Chief Information Security Officer

The Mako Group, LLC

IT & Information Security Auditing

www.makopro.com

The Mako Group, LLC, Services

• IT & Info Sec Auditing

• IT Risk Assessments

• Security Training

• Vulnerability Assessments

• Social Engineering

• PCI DSS2

• Penetration Testing

• Gap Assessments

• SSAE 16

• SOX 404

• HIPAA

• Virtual CISO

The Mako Group, LLC, Verticals

• Financial

– Banks

– Credit Unions

– Publicly Traded (SOX 404)

• Credit Card Svc

– PCI DSS2

• Healthcare

– HIPAA

– HITECH

• Manufacturing

– ISO 9000

– ISO 27000

CYBER (X)

Never Have So Few Been

Able to Do So Much Damage

To So Many With So Little

CYBER (X)

“If you have anything of value, you will be targeted.”

John Stewart, CSO, Cisco Systems

The Problem(s)

• Cyber Espionage

• Cyber Crime

• Cyber Terrorism

• Cyber Activists (Hacktivism)

The Problem(s)

“there are 250,000 probes or attacks on US government networks per hour or 6 million a day from at least 140 foreign spy organizations”

Lt. Gen. Keith Alexander at the 2010 G2 Summit

Cyber Espionage

• Espionage:

– the systematic use of spies to obtain secret information, especially by governments to discover military or political secrets

Cyber Espionage

• Red October

• Stuxnet

• Flame

“The Chinese “are the world’s most active and persistent perpetrators of economic espionage,” the report by the Office of the National Counterintelligence Executive (NCIX) said, and Russia’s intelligence services are a second major culprit”

Booz Allen Hamilton on Cyber Espionage

“China’s economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy.”

U.S. Rep. Mike Rogers, October, 2011

“It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.”

Chinese Defense Ministry, January, 2013

Cyber Terrorism

• South Korea

• Stuxnet

• Flame

• Shamoon (FLAME derivative)

• SCADA

South Korea on alert after hackers strike banks, broadcasters

The biggest attack by Pyongyang was a 10-day denial of service attack in 2011 that antivirus firm McAfee, part of Intel Corp, dubbed "Ten Days of Rain" and which it said was a bid to probe the South's computer defenses in the event of a real conflict.

SCADA

• Supervisory

• Control

• And

• Data

• Acquisition

SCADA Attacks

• Foreign hackers broke into a water plant control system in Springfield last week and damaged a water pump in what may be the first reported case of a malicious cyber attack on a critical computer system in the United States, according to an industry expert.

Nov. 18, 2011 Washington Post

What about the Rhetoric

• Inflammatory

• Escalating

• Sabre Rattling

• Military Industrial Complex

• Sensationalism v Journalism

• 24 hour News Cycle

Cyber Crime

• Botnets and C&C

• Zeus

• Citadel

• South Korea

Bank Attacks

Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the people behind the ongoing DDoS attack campaign against U.S. financial institutions -- thought by some to be the work of Iran -- are using botnets for hire.

Lucian Constantin in Computerworld, January 9, 2013

Bank Attacks

Six leading U.S. banking institutions were hit by DDoS (distributed-denial-of-service) attacks on March 12, (2013) the largest number of institutions to be targeted in a single day, says security expert Carl Herberger of Radware.

March 14, 2013 BankInfoSecurity.com

Identity Theft

Approximately 15 million United States residents have their identities used fraudulently each year with financial losses totaling upwards of $50 billion. (IdentityTheft.info)

HACKTIVISM

Civil Disobedience or Cyber Crime?

Cyber Activists (Hacktivism)

• LulzSec

• Anonymous

• WikiLeaks

More on Hacktivism

• Anonymous Hacks FBI Cybercrime Conference Call

• Symantec Sees pcAnywhere Extortion Shakedown

• Hackers Target U.S. Banks Over Anti-Muslim Film

• Aaron Swartz Suicide

How Are They Getting In?

• Phishing Attacks

• Unpatched Machines

– OS

– Third Party Apps

• Insiders

• IDS/IPS Bypassed

What Can We Do?

• Security Gap

• Awareness

• Technological Solutions

The Security Gap

• The place between where we are and where the bad guys are.

• How do we narrow the gap?

• What will it cost?

• Can we do it?

Secure Coding

• Develop More Widespread Secure Coding Practices

– Regression Testing

– Vulnerability Testing

– Security Level Software Certifications

IPv6

• What is the hold up?

• More Secure End to End

• Apps need to begin moving to adopt

• Companies need to embrace

Embrace Encryption

• Data at Rest

• Data in Transit

• Data in Storage

• Data Destruction

Get Better At Fixing

• Detection and Response

• Patch First, Fix Later

• Improve on DR

• Virtuality

Data Classification

• Protect Intellectual Property

• Ensure Proper Resource Allocation

• DLP?

Some of the Good Guys

• TrustedSec (Dave Kennedy)

– Metasploit Project

– Social Engineering Toolkit

• Bulb Security (Georgia Weidman)

– Smartphone Pentest Framework

• NIST

• US-CERT

Government Intervention

• Where do they fit?

• Statutory or Administrative Authority

• Scope of Powers

AWARENESS

• WAKE UP!

• Get the C-Suite Involved

• Take Responsibility

• Be Part of the Solution, Not the Problem

Training the Up and Comers

• CCDC

• STEM

• Professional Associations

• Mentorship

Order v Chaos

• Governance

• PP&Ps

• Control Mechanisms

• Risk Management

• Testing, Monitoring and Evaluation

• Review and Renew

Summary

• The problems are many and complex

• The solutions are just as much a challenge

• Government will only become more involved

• Privacy laws need to be revisited

• Comprehensive legislation must be passed

THANKS