Do it Best Corp. Techapalooza 2013 Presentation
Transcript of Do it Best Corp. Techapalooza 2013 Presentation
CYBER X
Brian T. O’Hara, CISA
Chief Information Security Officer
The Mako Group, LLC
IT & Information Security Auditing
www.makopro.com
The Mako Group, LLC, Services
• IT & Info Sec Auditing
• IT Risk Assessments
• Security Training
• Vulnerability Assessments
• Social Engineering
• PCI DSS2
• Penetration Testing
• Gap Assessments
• SSAE 16
• SOX 404
• HIPAA
• Virtual CISO
The Mako Group, LLC, Verticals
• Financial
– Banks
– Credit Unions
– Publicly Traded
(SOX 404)
• Credit Card Svc
– PCI DSS2
• Healthcare
– HIPAA
– HITECH
• Manufacturing
– ISO 9000
– ISO 27000
The Problem(s)
“there are 250,000 probes or attacks on US
government networks per hour or 6 million a
day from at least 140 foreign spy
organizations”
Lt. Gen. Keith Alexander at the 2010 G2
Summit
Cyber Espionage
• Espionage:
– the systematic use of spies to obtain secret
information, especially by governments to
discover military or political secrets
“The Chinese ‘are the world’s most active
and persistent perpetrators of economic
espionage,’ the report by the Office of the
National Counterintelligence Executive
(NCIX) said, and Russia’s intelligence
services are a second major culprit.”
Booze-Hamilton on Cyber Espionage
“China’s economic espionage has
reached an intolerable level and I
believe that the United States and our
allies in Europe and Asia have an
obligation to confront Beijing and
demand that they put a stop to this
piracy.”
U.S. Rep. Mike Rogers, October, 2011
“It is unprofessional and groundless to
accuse the Chinese military of
launching cyber attacks without any
conclusive evidence.”
Chinese Defense Ministry, January, 2013
South Korea on alert after hackers strike
banks, broadcasters
The biggest attack by Pyongyang was a 10-
day denial of service attack in 2011 that
antivirus firm McAfee, part of Intel Corp,
dubbed "Ten Days of Rain" and which it said
was a bid to probe the South's computer
defenses in the event of a real conflict.
SCADA Attacks
• Foreign hackers broke into a water plant
control system in Springfield last week and
damaged a water pump in what may be
the first reported case of a malicious cyber
attack on a critical computer system in the
United States, according to an industry
expert.
Nov. 18, 2011, Washington Post
What about the Rhetoric
• Inflammatory
• Escalating
• Sabre Rattling
• Military Industrial Complex
• Sensationalism v Journalism
• 24 hour News Cycle
Bank Attacks
Evidence collected from a website that was
recently used to flood U.S. banks with junk
traffic suggests that the people behind the
ongoing DDoS attack campaign against U.S.
financial institutions -- thought by some to be
the work of Iran -- are using botnets for hire.
Lucian Constantin in Computerworld, January 9, 2013
Bank Attacks
Six leading U.S. banking institutions were hit
by DDoS (distributed-denial-of-service)
attacks on March 12, (2013) the largest
number of institutions to be targeted in a
single day, says security expert Carl
Herberger of Radware.
March 14, 2013, BankInfoSecurity.com
Identity Theft
Approximately 15 million United States
residents have their identities used
fraudulently each year, with financial losses
totaling upwards of $50 billion.
(IdentityTheft.info)
More on Hacktivism
• Anonymous Hacks FBI Cybercrime Conference Call
• Symantec Sees pcAnywhere Extortion Shakedown
• Hackers Target U.S. Banks Over Anti-Muslim Film
• Aaron Swartz Suicide
How Are They Getting In?
• Phishing Attacks
• Unpatched Machines
– OS
– Third Party Apps
• Insiders
• IDS/IPS Bypassed
The Security Gap
• The place between where we are and
where the bad guys are.
• How do we narrow the gap?
• What will it cost?
• Can we do it?
Secure Coding
• Develop More Widespread Secure Coding
Practices
– Regression Testing
– Vulnerability Testing
– Security Level Software Certifications
IPv6
• What is the hold up?
• More Secure End to End
• Apps need to begin moving to adopt
• Companies need to embrace
Some of the Good Guys
• Trusted Sec (Dave Kennedy)
– Metasploit Project
– Social Engineering Toolkit
• Bulb Security (Georgia Weidman)
– Smartphone Pentest Framework
• NIST
• US-CERT
Government Intervention
• Where do they fit?
• Statutory or Administrative Authority
• Scope of Powers
AWARENESS
• WAKE UP!
• Get the C-Suite Involved
• Take Responsibility
• Be Part of the Solution, Not the Problem
Order v Chaos
• Governance
• PP&Ps
• Control Mechanisms
• Risk Management
• Testing, Monitoring and Evaluation
• Review and Renew
Summary
• The problems are many and complex
• The solutions are just as much a challenge
• Government will only become more involved
• Privacy laws need to be revisited
• Comprehensive legislation must be
passed
RESOURCES
• Bruce Schneier on Privacy
• US-CERT
• SANS
• ISSA
• ISACA
• NIST
• MS Security Center