ALL- Emerging Threat Vectors - 2

www.commnexus.org


Post on 08-Mar-2018



Page 2

Upcoming MarketLink Technology Requirements:
• Mobility
• E-Health
• Security
• Social media for enterprises
• Video, Conferencing, Virtual Reality / Augmented Reality

March 13 – 14, 2012
Accepting Applications now until February 24, 2012

(For a full list with details, please visit www.commnexus.org)
Apply at www.CommNexus.org

Page 3

THANKS TO OUR SIG CO-CHAIRS!

Bill Unrue, CEO, Anonymizer

Matt Stamper, Vice President of Services, redIT

Bruce Roberts, Senior Vice President of Security Programs, Cubic Corporation

In Loving Memory of MILES HALE
Formerly: Principal Systems Engineer, SAIC
and devoted SIG Co-Chair

Page 4

THANKS TO OUR HOST & SPONSOR!

Page 5

Emerging threat vectors to cyber security, et al

(where common protections are needed for ALL)

CommNexus SD Feb 1, 2012

Mike Davis
[email protected]/MSEE, CISSP, SysEngr

ISSA / TSN / SOeC and IEEE / SPAWAR / et al

Page 6

Threat Vectors of Interest

• Mobile devices … and wireless always predicted, yet proliferates in 2012
  – Start with BYOD, Android Trojans, digital wallets, USER provided network services!
  – Wireless security issues expand (besides 802.11 & WiMAX, to Zigbee, WirelessHART, Z-Wave, etc.) … ARM hacking increases
• Cyber crime: easy money, minimal downside and growing
  – Illicit cyber revenues have essentially equaled all illegal drug trafficking $$$
• Nation-sponsored hacking: When APT meets industrialization
  – More targeted custom malware (Stuxnet -> Duqu is but one example)
• The insider threat is much more than you had imagined
  – Coming from employees, partners, clients and compromised services and computing devices of all kinds. With improved social engineering attacks
  – social media critical data leaks / malware distribution
• Misanthropes and anti-socials / hacktivism grows
  – Privacy vs. security (and trust) in social networks. Radical group’s DDOS attack can be effective on small businesses!

… mobile devices and cloud infrastructure hacking are potentially two of the biggest rising stars in cyber crime in 2012…

Page 7

Threat Vectors of Interest (Cont.)

• SSL/XML/web (HTML5)/browser vulnerabilities will proliferate
  – Browsers remain a major threat vector (and bypass the IA suite)
• Hackers feeling the heat… (the easy vulnerabilities are diminishing)
  – they need to invest in better attack techniques and detection evasion…
• Cyber security becomes a business process…
  – focused on data security, no longer a niche industry…
• Convergence of data security and privacy regulation worldwide…
  – Compliance even more so (PCI DSS, HIPAA, etc.) … What is “good enough” security?
  – Data security goes to the cloud - where security due diligence is more than SLAs!
  – IPv6 transition will provide threat opportunities… Data Loss Prevention is STILL key…
• Containment is the new prevention (folks now get the "resilience" aspect...)
• Full time incident responders needed, versus only virtual
  – Monitoring and analysis capability increase, but not enough (re: near real-time forensics & “chain of custody” evidence)… “continuous monitoring” is KEY… (re: NIST docs)

… there is MUCH to consider in the “threat” equation…

Page 8

So what “really” matters in Cyber?

• OSD / federal
  – Distributed Trust
  – Resilient Architectures
  – Response and Cyber Maneuver
  – Visualization and Decision Support
  – Component Trust
  – Detection and Autonomic Response
  – Recovery and Reconstitution
• NSA / agency
  – Mobility, wireless, & secure mobile services
  – Platform integrity / compliance assurance
  – End client security
  – Cyber indications and warning (I&W)
  – Mitigation engineering (affordability)
  – Massive data – (data centric security)
  – Advanced technology… (targeted)
  – Virtualization – secure capabilities

It’s NOT all about expensive new “cyber toys” but more about the SoS / I&I “glue” (profiles, common EA, SoPs, standards, etc.)

Along with: (1) enforced cyber hygiene, (2) effective access control, (3) defense in depth IA / security suite and (4) continuous monitoring

Page 9

FBI San Diego
Threats To Cyber Security

Special Agent Chris [email protected]

(858) 565-1255

Page 10

San Diego FBI has two Cyber Squads:

The Criminal Squad works child pornography, criminal intrusions, Internet fraud, identity theft, and more.

The National Security Squad works cyber threats from foreign entities.

Our criminal squad will help you preserve evidence, prosecute the “bad guys”, and clean-up your network.

Our national security squad will “share” information and help you secure your network.

Page 11

InfraGard: www.infragard.net
Information sharing between the FBI, business, private individuals and other Government agencies.

www.ic3.gov

Page 12

Emerging Threat Vectors

Matt Stamper, MS, MPIA, CISA
Vice President of Managed & Professional [email protected]

858.836.0224

Page 13

The Simple Complexity Risk

As we are discussing today, security threats come from a variety of sources, from organized crime to malicious insiders. This threat landscape creates the perfect storm for security breaches where IT is now perceived as being as simple as point and click. Simplicity comes at a cost!

Complexity of IT is masked by the ease of access (“There’s an app for that!”)

Complexity of business relationships (“Where’s the perimeter?”)

Complexity of underlying infrastructure (Code, servers, network, etc.)

Domain expertise & related competencies

Page 14

Economic & Reputational Risk

Breach disclosure, coupled with state, national, and international privacy laws, requires new thinking about security. The often-discussed issue of brand exposure should now be front-and-center to security planning.

SEC (CF Disclosure Guidance: Topic No. 2 – October 13, 2011) + Regulation S-K Item 503(c) – Analysis of Risk Factors
  – Disclosure for potential impairment to goodwill, intangible assets, etc.
  – More rigorous disclosure control requirements (pervasive nature of IT general controls)

State Privacy Laws
  – California: SB-1386
  – Nevada: SB-227
  – Massachusetts: 201 CMR 17

Most organizations are simply ill-equipped to address the growing technical and regulatory complexity in an effective manner. This tension will increase throughout 2012.