
Page 1: Cyber Presentation

America Under Attack: Cybersecurity Panel, Tampa, FL, May 13th, 2015

© 2014 McGladrey LLP. All Rights Reserved.


Page 2: Cyber Presentation

Agenda

Introduction - Moderator

Setting the Stage
- Misconceptions
- Threats

Introductions – Panel
- Rules of Engagement
- Panelists


Page 3: Cyber Presentation

Introduction - Moderator

Daimon Geopfert, McGladrey LLP
National Leader, Security and Privacy Consulting
Located in Detroit, MI

I am not an auditor but I play one on your network
- Penetration Testing
- Vulnerability Assessment
- Security Monitoring
- Incident Response
- Forensics & Investigations

Former DoD, AFOSI-CCI, AIA

I like standardized tests
- GCIH, GREM, CEH, CISSP, CISA, CISM


Page 4: Cyber Presentation

Misconceptions


Page 5: Cyber Presentation

Misconceptions

Compliant ↔ Secure
- Compliance = You’ve built the foundation to get secure

Wrong Industry ↔ Unexpected Monetization
- “Nobody is looking for us. We have nothing that they want.”
- Almost everything you have can be monetized by someone
- CC, PII, PHI, corporate bank accounts, IP, systems

Wrong Size ↔ More Susceptible
- Being small does not equate to being hidden
- Nor does it equate to being a less desirable target
- Smaller targets are now being “farmed”


Page 6: Cyber Presentation

Misconceptions

Targeted ↔ Target of Opportunity
- Targeted attacks get the publicity
- Targets of opportunity are the VAST majority of incidents
- Old Model:
- New Model: Bounties and Auctions

Aware ↔ Unaware
- Breaches detected in first 24 hours: 1%-2%
- Breaches undetected for 2 years or more: >14%


Page 7: Cyber Presentation

Threats


Page 8: Cyber Presentation

Threat Overview - Methods

1. Hacking
• “Traditional” hacking is used post-breach, not as the original entry point
• Current methods focus on web apps and browser plug-ins

2. Malware
• Finding and purchasing non-detectable malware in the underground market is trivial
• Modern anti-virus is an 80-20 proposition at best

3. Social Engineering
• Why bother to do all the heavy lifting involved with “hacking” when you can just ask someone to do something for you?
• While there is a technical component, the attack is against human nature

Major Point: Attackers have moved away from traditional hacking methods in favor of hidden, non-obvious methods of compromise
- Allows for long-term, persistent, hidden compromise rather than “smash and grab” style break-ins

Page 9: Cyber Presentation

Case-In-Point: Mobile

What happens if your system or credentials get compromised while you’re on the road?
- Is the attacker polite enough to say, “Oh, they went back to work, I better shut down that backdoor. It is the only civilized thing to do.”?

Many controls are designed with the assumption that other security controls in the environment are protecting you

When on the road there is little, or nothing, covering you
- aka. You’re on your own, bub.

Hotels, coffee shops, airports, etc.

Kiosks and hotel work areas
- Really? Does this strike anyone as a good idea?

New and Snazzy! Charging station attacks!
- aka. Juice-Jacking


Page 10: Cyber Presentation

Case-In-Point: Mobile

How much do you trust that free wi-fi?
- Good answer.

Now how much do you trust that known wi-fi?
- Good question. Wait, why is my home wireless in this hotel?

(Slide diagram, reconstructed as a dialogue)
Bob’s device: I’m looking for Bob’s wireless
Alice’s device: I’m looking for Alice’s wireless
Rogue access point: I am Alice’s wireless.. Oh, and Bob’s wireless
Rogue access point: And here are those web pages you asked for. And don’t worry about that firewall alert or certificate errors


Page 11: Cyber Presentation

Case-In-Point: Mobile

Meet the Wifi Pineapple
- aka. Jasager (“Yes man”)
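The two mobile slides above describe a “yes man” access point: the client probes for every network it remembers (“Bob’s wireless”, “Alice’s wireless”) and one radio answers as all of them. The defensive counterpart is to watch probe traffic for exactly that pattern. The following Python is an added example written for this page, not code from the presenters or from the Wifi Pineapple project; the frame records, MAC addresses and the `Frame` type are constructed sample data, and the thresholds are illustrative assumptions.

```python
"""Detect Karma/Jasager-style "yes man" access points from probe traffic.

Added example (not from the McGladrey deck). It models the exchange on the
"Case-In-Point: Mobile" slides: clients probe for remembered networks and a
single rogue radio answers as every one of them. Every frame below is a
constructed sample record, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    kind: str   # "probe_req" (client asking) or "probe_resp" (AP answering)
    src: str    # transmitter MAC address (constructed)
    ssid: str   # SSID requested or advertised


# Constructed capture: two clients probe for their saved networks, one BSSID
# (de:ad:be:ef:00:01) answers for all of them; a legitimate hotel AP
# (cc:cc:cc:00:00:09) answers only for its own SSID.
SAMPLE_FRAMES = [
    Frame("probe_req",  "aa:aa:aa:00:00:01", "Bob's wireless"),
    Frame("probe_req",  "aa:aa:aa:00:00:02", "Alice's wireless"),
    Frame("probe_req",  "aa:aa:aa:00:00:02", "CorpNet"),
    Frame("probe_resp", "de:ad:be:ef:00:01", "Bob's wireless"),
    Frame("probe_resp", "de:ad:be:ef:00:01", "Alice's wireless"),
    Frame("probe_resp", "de:ad:be:ef:00:01", "CorpNet"),
    Frame("probe_req",  "aa:aa:aa:00:00:03", "Hotel-Guest"),
    Frame("probe_resp", "cc:cc:cc:00:00:09", "Hotel-Guest"),
]


def ssids_per_bssid(frames):
    """Map each responding BSSID to the set of SSIDs it has claimed to be."""
    claimed = defaultdict(set)
    for f in frames:
        if f.kind == "probe_resp":
            claimed[f.src].add(f.ssid)
    return claimed


def probed_ssids(frames):
    """All SSIDs that any client asked for."""
    return {f.ssid for f in frames if f.kind == "probe_req"}


def find_yes_man_aps(frames, max_ssids=1):
    """Return {bssid: sorted SSIDs} for radios that answer as more than
    `max_ssids` distinct networks AND whose claimed names were all requested
    by clients first. Echoing probes back is the signature of a "yes man";
    a legitimate multi-SSID AP also advertises names nobody asked for.
    The threshold is an illustrative assumption, tune it per site."""
    requested = probed_ssids(frames)
    suspects = {}
    for bssid, names in ssids_per_bssid(frames).items():
        if len(names) > max_ssids and names <= requested:
            suspects[bssid] = sorted(names)
    return suspects


def known_network_seen_elsewhere(frames, known):
    """Flag (ssid, bssid) pairs where a saved network is advertised by a BSSID
    other than the one recorded for it: "why is my home wireless in this
    hotel?". `known` maps SSID -> expected BSSID (constructed here)."""
    alerts = []
    for f in frames:
        if f.kind == "probe_resp" and f.ssid in known and f.src != known[f.ssid]:
            alerts.append((f.ssid, f.src))
    return alerts


if __name__ == "__main__":
    for bssid, names in find_yes_man_aps(SAMPLE_FRAMES).items():
        print(f"suspect yes-man AP {bssid} answering as: {', '.join(names)}")
    home = {"Bob's wireless": "bb:bb:bb:00:00:01"}  # constructed expected BSSID
    for ssid, bssid in known_network_seen_elsewhere(SAMPLE_FRAMES, home):
        print(f"saved network {ssid!r} advertised by unexpected BSSID {bssid}")
```

On a real deployment the frames would come from a monitor-mode capture rather than a hard-coded list, and the second check only helps if the device keeps a record of which BSSID its saved networks normally use. The “don’t worry about that certificate error” line on the slide is the other detection point: a known network suddenly presenting certificate or firewall warnings is the same signal seen from the application layer.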


Page 12: Cyber Presentation

Introduction - Panel


Page 13: Cyber Presentation

Rules of Engagement

We’ve selected questions submitted by the audience

We’ve added in some of our own

Moderator will direct initial question after which panelists are allowed to contribute as they see fit

Microphones are available for follow-up questions from the audience

We have 1hr 15m to work with…
- It’ll go quickly


Page 14: Cyber Presentation

Panelists

John Peterson
- Cyber Risk National Practice Leader, Aon Risk Solutions

Scott Arnold
- CIO, Tampa General Hospital

M. Darren Traub
- Partner, Akerman LLP

Jim Milford
- Vice President, Global Security and Military Affairs, JPMorgan Chase


Page 15: Cyber Presentation

Daimon Geopfert
McGladrey LLP
One South Wacker, Suite 800, Chicago, IL
[email protected]
800.274.3978

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute assurance, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. McGladrey LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person.

McGladrey LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

McGladrey®, the McGladrey logo, the McGladrey Classic logo, The power of being understood®, Power comes from being understood®, and Experience the power of being understood® are registered trademarks of McGladrey LLP.

© 2015 McGladrey LLP. All Rights Reserved. www.mcgladrey.com