cyber presentation
TRANSCRIPT
America Under Attack: Cybersecurity Panel
Tampa, FL
May 13th, 2015
© 2014 McGladrey LLP. All Rights Reserved.
Agenda
Introduction - Moderator Setting the Stage
- Misconceptions
- Threats
Introductions – Panel
- Rules of Engagement
- Panelists
Introduction - Moderator
Daimon Geopfert, McGladrey LLP
National Leader, Security and Privacy Consulting
Located in Detroit, MI
I am not an auditor but I play one on your network
- Penetration Testing
- Vulnerability Assessment
- Security Monitoring
- Incident Response
- Forensics & Investigations
Former DoD, AFOSI-CCI, AIA
I like standardized tests
- GCIH, GREM, CEH, CISSP, CISA, CISM
Misconceptions
Misconceptions
Compliant ↔ Secure
- Compliance = You’ve built the foundation to get secure
Wrong Industry ↔ Unexpected Monetization
- “Nobody is looking for us. We have nothing that they want.”
- Almost everything you have can be monetized by someone
- CC, PII, PHI, corporate bank accounts, IP, systems
Wrong Size ↔ More Susceptible
- Being small does not equate to being hidden
- Nor does it equate to being a less desirable target
- Smaller targets are now being “farmed”
Misconceptions
Targeted ↔ Target of Opportunity
- Targeted attacks get the publicity
- Targets of opportunity are the VAST majority of incidents
- Old Model:
- New Model: Bounties and Auctions
Aware ↔ Unaware
- Breaches detected in first 24 hours: 1%-2%
- Breaches undetected for 2 years or more: >14%
Threats
Threat Overview - Methods
1. Hacking
- “Traditional” hacking is used post-breach, not as the original entry point
- Current methods focus on web apps and browser plug-ins
2. Malware
- Finding and purchasing non-detectable malware in the underground market is trivial
- Modern anti-virus is an 80-20 proposition at best
3. Social Engineering
- Why bother to do all the heavy lifting involved with “hacking” when you can just ask someone to do something for you?
- While there is a technical component, the attack is against human nature
Major Point: Attackers have moved away from traditional hacking methods in favor of hidden, non-obvious methods of compromise
- Allows for long-term, persistent, hidden compromise rather than “smash and grab” style break-ins
Case-In-Point: Mobile
What happens if your system or credentials get compromised while you’re on the road?
- Is the attacker polite enough to say, “Oh, they went back to work, I better shut down that backdoor. It is the only civilized thing to do.”?
Many controls are designed with the assumption that other security controls in the environment are protecting you
When on the road there is little, or nothing, covering you
- aka. You’re on your own, bub.
Hotels, coffee shops, airports, etc.
Kiosks and hotel work areas
- Really? Does this strike anyone as a good idea?
New and Snazzy! Charging station attacks!
- aka. Juice-Jacking
Case-In-Point: Mobile
How much do you trust that free wi-fi?
- Good answer.
Now how much do you trust that known wi-fi?
- Good question. Wait, why is my home wireless in this hotel?
[Illustration: laptops sending probe requests, a rogue access point answering all of them]
Client: I’m looking for Bob’s wireless
Client: I’m looking for Alice’s wireless
Rogue AP: I am Alice’s wireless.. Oh.. And Bob’s wireless
Rogue AP: And here are those web pages you asked for. And don’t worry about that firewall alert or certificate errors
Case-In-Point: Mobile
Meet the Wifi Pineapple
- aka. Jasager (“Yes man”)
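The “yes man” behaviour the two slides above describe (one radio answering every probe request with “I am that network”) is easy to model, and just as easy to spot from the client side once you know what to look for. The following is an added example, not material from the McGladrey deck: a toy KarmaResponder that generates the rogue probe responses, a constructed capture mixing them with two legitimate access points, and a heuristic that flags a BSSID for claiming too many SSIDs or for offering a remembered WPA2 network as open. All BSSIDs, SSIDs, the saved-profile table and the max_ssids threshold are assumptions made up for illustration.

```python
"""
Added example, not from the original McGladrey deck: a toy model of the
Jasager/Karma behaviour (one radio answering "yes" to every directed probe
request) plus a client-side heuristic that flags it.

Everything below is constructed for illustration: the BSSIDs, SSIDs,
saved-profile table and max_ssids threshold are assumptions, not data
from the presentation.
"""
from collections import defaultdict


class KarmaResponder:
    """Toy model of the rogue AP: whatever network a client probes for,
    it claims to be, and it offers it as an open (unencrypted) network."""

    def __init__(self, bssid):
        self.bssid = bssid

    def probe_response(self, requested_ssid):
        # A wildcard (empty SSID) probe names no network, so there is
        # nothing specific to impersonate; return no frame for it.
        if not requested_ssid:
            return None
        return {"bssid": self.bssid, "ssid": requested_ssid, "security": "open"}


# Constructed frames from legitimate APs: each answers only for itself.
LEGIT_FRAMES = [
    {"bssid": "aa:aa:aa:00:00:01", "ssid": "HotelGuest", "security": "open"},
    {"bssid": "bb:bb:bb:00:00:02", "ssid": "CoffeeShopWiFi", "security": "open"},
]

# Constructed directed probe requests leaking from nearby laptops and phones
# (the "I'm looking for Bob's wireless" traffic in the cartoon).
PROBE_REQUESTS = ["Bobs-Home", "Alices-Home", "CorpWiFi", "HotelGuest", ""]

ROGUE = KarmaResponder("cc:cc:cc:00:00:03")
CAPTURE = LEGIT_FRAMES + [
    r for r in (ROGUE.probe_response(s) for s in PROBE_REQUESTS) if r
]

# Hypothetical saved-network profiles on the victim's laptop: the security
# type the device remembers for each SSID it has joined before.
SAVED_PROFILES = {
    "Bobs-Home": "wpa2-psk",
    "CorpWiFi": "wpa2-eap",
    "HotelGuest": "open",
}


def ssids_per_bssid(frames):
    """Group the SSIDs each BSSID (radio MAC) has claimed to be."""
    seen = defaultdict(set)
    for frame in frames:
        seen[frame["bssid"]].add(frame["ssid"])
    return seen


def flag_evil_twins(frames, profiles, max_ssids=2):
    """Return {bssid: [reasons]} for radios that behave like a Karma AP.

    Two heuristics:
      1. one BSSID answering for more distinct SSIDs than a real AP would
         (a real multi-SSID AP normally uses a separate BSSID per SSID);
      2. a known network offered with a different security type than the
         saved profile remembers (a WPA2 home network suddenly "open").
    """
    findings = defaultdict(list)
    for bssid, ssids in ssids_per_bssid(frames).items():
        if len(ssids) > max_ssids:
            findings[bssid].append(
                "claims %d different SSIDs: %s"
                % (len(ssids), ", ".join(sorted(ssids))))
    for frame in frames:
        expected = profiles.get(frame["ssid"])
        if expected is not None and expected != frame["security"]:
            findings[frame["bssid"]].append(
                "offers %s as %s but saved profile is %s"
                % (frame["ssid"], frame["security"], expected))
    return dict(findings)


if __name__ == "__main__":
    for bssid, reasons in flag_evil_twins(CAPTURE, SAVED_PROFILES).items():
        print("suspect %s" % bssid)
        for reason in reasons:
            print("  - " + reason)
```

Run as-is it reports only the rogue radio, three times: once for answering four different SSIDs and once each for serving Bobs-Home and CorpWiFi without the encryption the laptop’s profiles expect. The second heuristic is the one that matters for the “don’t worry about that certificate error” punchline: a client that refuses to auto-join a remembered network whose security type has changed never gets as far as seeing the forged pages.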
Introduction - Panel
Rules of Engagement
We’ve selected questions submitted by the audience
We’ve added in some of our own
Moderator will direct initial question after which panelists are allowed to contribute as they see fit
Microphones are available for follow-up questions from the audience
We have 1hr 15m to work with…
- It’ll go quickly
Panelists
John Peterson
- Cyber Risk National Practice Leader, Aon Risk Solutions
Scott Arnold
- CIO, Tampa General Hospital
M. Darren Traub
- Partner, Akerman LLP
Jim Milford
- Vice President, Global Security and Military Affairs, JPMorgan Chase
This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute assurance, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. McGladrey LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.
McGladrey LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.
McGladrey®, the McGladrey logo, the McGladrey Classic logo, The power of being understood®, Power comes from being understood®, and Experience the power of being understood® are registered trademarks of McGladrey LLP.
McGladrey LLP
One South Wacker, Suite 800
Chicago, IL
800.274.3978
www.mcgladrey.com