![Page 1: Cyber Security for Wisconsin Government Finance Office ......OWASP Top 10 A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f650185076345537c45943f/html5/thumbnails/1.jpg)
The Wild, Wild Internet
Cyber Security for Wisconsin Government Finance Office Association
Mark Wilson, CISSP, ITIL, CBCP, CCM, Director of Information Risk Management
Agenda
• Sikich Information
• Is the Threat Real?
• Statistical Information
• Is this True?
• What is Security?
• Why Are Things So Bad?
• Executive Management's Role
• Moving Forward
Sikich Information
About Sikich
» Multi-disciplinary: An accounting, advisory, investment banking, technology and managed services firm with clients in the U.S. and internationally.
» Excellent reputation: With a reputation for professional excellence, Sikich provides unsurpassed client service as well as timely and cost effective services.
» Strong talent: We employ more than 500 talented people including 91 partners, all of whom devote their careers to a focused area.
» Award winning: Accounting Today ranks the Firm 40th nationally among the top 100 accounting firms and 11th in the top 100 VARs.
$97M in revenue in 2013
6,976 public and private sector clients
8,635 individual clients
500+ total personnel
91 partners
1 collaborative and positive culture
Sikich Service Lines
Accounting, Audit & Tax: Financial Reporting, Employee Benefit Plan Audit, Accounting Services, Tax Planning
Advisory: Business Valuation, Dispute Advisory, Human Resources, Insurance Services, Marketing & Public Relations, Retirement Plan Services, Risk Advisory, Supply Chain, Wealth Management
Investment Banking: Acquisitions Advisory, Sales Advisory, Capital Raises, Strategic Advisory
Technology: Accounting & ERP Software, CRM Software, IT Infrastructure, Cloud & Hosting Solutions, Strategic IT Planning, Communication & Collaboration, IT Consulting
Managed Services: Outsourced Accounting, Managed IT, Outsourced Human Resources, Outsourced Marketing & Public Relations
Securities are offered through Sikich Corporate Finance LLC, a registered broker dealer with the Securities Exchange Commission and a member of FINRA/SIPC. Advisory services offered through Sikich Financial, a Registered Investment Advisor. General securities offered through Triad Advisors, Member FINRA/SIPC.
Industry Expertise, Tailored Approach
» Agriculture » Manufacturing & Distribution » Construction » Professional Services » Real Estate » Retail » Government » Non Profit » Healthcare » Higher Education
Deep industry experience and longevity.
Cross sectional teams with a depth and breadth of experience to handle the complete solution.
Solution centric and product agnostic.
Is The Threat Real?
SC Magazine 03.21.2014
securitycurrent 03.20.2014
200,000,000 US consumers
Attack uses 162,000 WordPress sites
$120,000,000,000 security industry spend
Ever Seen One of These?
1,200,000 problem devices
Target Breach…
John J. Mulligan, Executive Vice President and Chief Financial Officer of the Target Corporation, listens on Capitol Hill in Washington, Tuesday, Feb. 4, 2014, while testifying before the Senate Judiciary Committee hearing on data breaches and combating cybercrime.
Mulligan disagreed, telling Franken that the company has spent "hundreds of millions of dollars" on a multilayered consumer protection protocol.
Sen. Sheldon Whitehouse, D-R.I., said that when a company as large as Target "can be hacked without knowing it, it is not to say that Target did something wrong," but that everyone is vulnerable.
Klobuchar agreed, saying, "This can happen to anyone."
Target security too weak… Conclusion …
http://www.startribune.com/politics/statelocal/243508791.html
Is This the Current State of the Internet?
Security experts say that OperationUSA, a coordinated online attack against banking and government websites slated for May 7, is a serious threat. As a result, organizations should be upping their distributed-denial-of-service attack mitigation strategies to guard against the attacks, which are being coordinated by the hacktivist group Anonymous.
… plus the problems we create
Statistical Information
Global Consumer Losses - 2013 (source: 2013 Norton Report)
Dollars Spent on Security
$120,000,000,000 defending against cyber-attacks
Breaches, malware cost $491 B ($491,000,000,000)
Hackmageddon.com – Aug. 2013
Current Statistics
The Current Threat Landscape
…information from VirusTotal
Kaspersky Lab Statistics
Organizations on Average Hit Every Three Minutes with Malware
… threatpost.com
Is This True?
Internet Privacy
A helpful Venn diagram: "The Internet" and "Privacy"…
Mozilla - Lightbeam
Who’s asking for information about me?
Who’s Tracking Me?
There's no such thing as a free website…
Google, Bing, Yahoo, etc.
Files containing 360 million credentials, 1.25 billion email addresses, located on Deep Web
February 28, 2014, SC Magazine
US population = 313.9 M (2012)
The Darknet
FTP – File Transfer Protocol
Hackers circulate thousands of FTP credentials, New York Times among those hit
February 13, 2014, PC World
Outlaw FTP and Telnet in your organization!!! Both send the username, password and everything after them as plain text; anyone who can see the traffic has the login. Replace them with SFTP/SSH and block the ports.
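The following is an added example written for this transcript, not the presenter's code. It makes the cleartext problem visible: the first function pulls the username and password straight out of a constructed FTP control-channel capture with no decryption at all, and the second lists, from a hypothetical port inventory, which hosts still offer FTP or Telnet and therefore need the migration the slide calls for.

```python
"""Why FTP and Telnet have to go: the login crosses the wire in the clear.

Added example for this transcript, not the presenter's code. The capture
below is a constructed FTP control-channel exchange (not a real one) and
the port inventory is a hypothetical list of what a scan might report.
"""
from __future__ import annotations

# Constructed capture: what a passive sniffer on the same LAN sees of one
# FTP login. 'C:' marks client lines, 'S:' marks server replies.
FTP_CAPTURE = b"""S: 220 files.example.test FTP server ready
C: USER finance_upload
S: 331 Password required for finance_upload
C: PASS Summer2014!
S: 230 User logged in
C: CWD /payroll
S: 250 Directory changed
"""


def extract_ftp_credentials(capture: bytes) -> list[tuple[str, str]]:
    """Return every (user, password) pair visible in an FTP control channel.

    FTP sends USER and PASS as plain-text commands, so nothing has to be
    decrypted: the parser only pairs the two lines up.
    """
    creds: list[tuple[str, str]] = []
    user = None
    for raw in capture.splitlines():
        line = raw.decode("ascii", "replace").strip()
        if not line.startswith("C: "):
            continue  # only client commands carry the credentials
        cmd, _, arg = line[3:].partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
        elif cmd == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds


# Cleartext services that should not be listening anywhere on the network.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}

# Hypothetical inventory: host -> listening TCP ports, as a port scanner or
# asset database might report them.
INVENTORY = {
    "10.0.5.10": {22, 443},
    "10.0.5.11": {21, 22, 80},
    "10.0.5.40": {23, 161},
}


def cleartext_listeners(inventory: dict[str, set[int]]) -> list[tuple[str, int, str]]:
    """List every (host, port, service) that still offers FTP or Telnet."""
    hits: list[tuple[str, int, str]] = []
    for host, ports in sorted(inventory.items()):
        for port in sorted(ports & set(CLEARTEXT_PORTS)):
            hits.append((host, port, CLEARTEXT_PORTS[port]))
    return hits


if __name__ == "__main__":
    for user, password in extract_ftp_credentials(FTP_CAPTURE):
        print(f"credential readable on the wire: {user} / {password}")
    for host, port, service in cleartext_listeners(INVENTORY):
        print(f"{host}:{port} still runs {service}; move it to SFTP/SSH and block the port")
```

The same two lines (USER and PASS) are what a Telnet login looks like to a sniffer, minus the command keywords; the only fix is a protocol that encrypts the session, not a stronger password.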
The New Normal… (krebsonsecurity)
200-400 Gbps DDoS attacks
HTTP Cookies
• Stored on user PC
• Sent to website
• "Remembers" state information
• User activities
• Tracking cookies
• Authentication cookies
• Reduces information passed in URL
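The attributes on a cookie decide who else can read it and whether it crosses the network in the clear, so an authentication cookie needs more than the defaults. The following check is an added example written for this transcript, not the presenter's code: it parses constructed Set-Cookie headers, separates persistent (tracking-style) cookies from session-scoped ones, and flags authentication cookies missing Secure, HttpOnly or SameSite. The list of names it treats as authentication cookies is an assumption for the demo.

```python
"""Auditing the cookies a site sets.

Added example for this transcript, not the presenter's code. The headers
are constructed, and SESSION_COOKIE_HINTS is an assumed list of name
fragments used to decide which cookies carry a login.
"""
from __future__ import annotations

# Constructed Set-Cookie headers as a web server might send them.
RESPONSE_HEADERS = [
    "Set-Cookie: sessionid=8f2a9c1d4e; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: auth_token=eyJhbGciOi...; Path=/",
    "Set-Cookie: _ga=GA1.2.123456.789; Expires=Thu, 31 Dec 2026 00:00:00 GMT; Path=/; Domain=.example.test",
    "Set-Cookie: lang=en; Path=/",
]

# Assumption: a cookie whose name contains one of these carries a login.
SESSION_COOKIE_HINTS = ("session", "auth", "token", "sid")


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True  # flag attrs map to True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> dict:
    """Classify one cookie and list the protections an auth cookie is missing."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    is_auth = any(hint in cookie["name"].lower() for hint in SESSION_COOKIE_HINTS)
    # Expires or Max-Age makes the cookie survive the browser session: the
    # shape a tracking cookie takes.
    persistent = "expires" in attrs or "max-age" in attrs
    issues = []
    if is_auth:
        if "secure" not in attrs:
            issues.append("missing Secure (will be sent over plain HTTP)")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly (readable by page scripts)")
        if "samesite" not in attrs:
            issues.append("missing SameSite (sent on cross-site requests)")
    return {
        "name": cookie["name"],
        "kind": "auth" if is_auth else "other",
        "persistent": persistent,
        "issues": issues,
    }


def audit_response(headers: list[str]) -> list[dict]:
    """Audit every Set-Cookie header in a response."""
    return [audit_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]


if __name__ == "__main__":
    for result in audit_response(RESPONSE_HEADERS):
        scope = "persistent" if result["persistent"] else "session-scoped"
        print(f"{result['name']:<12} {result['kind']:<6} {scope:<15} {'; '.join(result['issues']) or 'ok'}")
```

Run against a real site by pasting its Set-Cookie headers into RESPONSE_HEADERS; the name hints will need adjusting to the application.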
What's an LSO – Local Shared Object
• Adobe Flash origin
• Stores user preferences
• Stored in a "common folder / directory"
• Privacy concerns
How Many O/S's in a Mobile Phone?
• iOS
• Android
• Windows
…and the baseband processor runs its own software, with its own bugs:
"…security researcher Ralf-Philipp Weinmann of the University of Luxembourg set out to reverse engineer the baseband processor software of both Qualcomm and Infineon, and he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits…"
Android Security
Serious Vulnerabilities Found in Popular Home Wireless Routers
Threatpost.com
300,000 Compromised Routers Redirecting Traffic to Attacker Sites
ZMap – Map the Internet in 45 Minutes
Isn't Backup and Monitoring Simple???
• Backup
  • Block
  • File
  • Image
  • Incremental
  • Differential
  • Full
  • CDP
  • CoW – copy on write (synchronous)
  • CRW – copy redirect on write (asynchronous)
  • Deduplication
  • Encryption (key mgmt)
  • Data residency laws
  • Frequency
  • Retention levels
  • Image consistent
  • Application consistent (database aware)
  • Open file handling
  • VMs
• Recovery
  • File
  • Image
  • System
  • Point-in-time
• Monitoring / Alerting / Warnings
  • Network
  • Access control
  • Log files
  • Signature comparisons
  • Heuristic / behavior based controls
  • Database access
  • Baselines
  • Trends
  • 4 phase alerts
  • Multiphase alerts
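Of the monitoring items above, baselines, trends and multiphase alerts are the ones most often left vague, so here is an added example for this transcript (not the presenter's code) that runs them over constructed authentication log lines: it counts failed logins per host in five-minute buckets, takes the mean of the earlier buckets as that host's baseline, and escalates the newest bucket through four phases (ok, warning, high, critical) by how many times the baseline it exceeds. The bucket size, the escalation multiples, the noise floor and the log format are all assumptions chosen for the demo.

```python
"""Baseline-and-trend alerting over authentication logs.

Added example for this transcript, not the presenter's code. The log
lines are constructed; BUCKET_MINUTES, MIN_EVENTS and LEVELS are
assumptions for the demo, not values from the presentation.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean

BUCKET_MINUTES = 5   # assumption: size of one counting window
MIN_EVENTS = 5       # assumption: below this many events never alert (noise floor)
# Multiples of the baseline at which each phase starts; "ok" is the fourth phase.
LEVELS = ((8, "critical"), (4, "high"), (2, "warning"))


def _constructed_log() -> list[str]:
    """Build sample syslog-style lines: a quiet baseline on two hosts, then a burst on fw1."""
    spec = [  # (hh:mm, host, number of failed logins in that window)
        ("09:00", "fw1", 2), ("09:05", "fw1", 1), ("09:10", "fw1", 3), ("09:15", "fw1", 20),
        ("09:00", "app1", 1), ("09:05", "app1", 1), ("09:10", "app1", 1), ("09:15", "app1", 2),
    ]
    lines = []
    for hhmm, host, n in spec:
        for i in range(n):
            lines.append(
                f"2014-03-20T{hhmm}:{i:02d} host={host} event=login_failed "
                f"user=admin src=203.0.113.{i + 1}"
            )
    return lines


LOG_LINES = _constructed_log()


def parse_line(line: str) -> tuple[datetime, dict[str, str]]:
    """'<iso-timestamp> key=value ...' -> (timestamp, {key: value})."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv


def bucket_of(ts: datetime) -> datetime:
    """Round a timestamp down to the start of its BUCKET_MINUTES window."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)


def count_failures(lines: list[str]) -> dict[tuple[str, datetime], int]:
    """(host, bucket) -> number of failed logins. Buckets with none are simply absent."""
    counts: dict[tuple[str, datetime], int] = defaultdict(int)
    for line in lines:
        ts, kv = parse_line(line)
        if kv.get("event") == "login_failed":
            counts[(kv["host"], bucket_of(ts))] += 1
    return counts


def alert_level(current: int, baseline: float) -> str:
    """Escalate by how far the current window exceeds the baseline."""
    if current < MIN_EVENTS:
        return "ok"
    base = max(baseline, 1.0)  # a near-zero baseline would make any count look infinite
    for multiple, name in LEVELS:
        if current >= multiple * base:
            return name
    return "ok"


def evaluate(lines: list[str]) -> dict[str, dict]:
    """Per host: newest bucket count, baseline from the earlier buckets, and the phase."""
    series: dict[str, dict[datetime, int]] = defaultdict(dict)
    for (host, bucket), n in count_failures(lines).items():
        series[host][bucket] = n
    report = {}
    for host, by_bucket in series.items():
        buckets = sorted(by_bucket)
        latest = buckets[-1]
        history = [by_bucket[b] for b in buckets[:-1]]
        baseline = mean(history) if history else 0.0
        report[host] = {
            "current": by_bucket[latest],
            "baseline": baseline,
            "level": alert_level(by_bucket[latest], baseline),
        }
    return report


if __name__ == "__main__":
    for host, r in evaluate(LOG_LINES).items():
        print(f"{host}: {r['current']} failures vs baseline {r['baseline']:.1f} -> {r['level']}")
```

In production the history would be zero-filled for quiet windows and kept over days rather than three buckets, but the shape is the same: a per-host baseline, a trend against it, and an escalation ladder rather than a single threshold.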
Wireless Connectivity
What is Security?
Three Security Pillars
SECURITY – C.I.A.: Confidentiality, Integrity, Availability
Security – another perspective
(ISC)² – International Information Systems Security Certification Consortium
"Security Transcends Technology"
High Level Security Controls
Physical: locks, lights, fences
Logical (technical): firewall, passwords, motion detectors
Administrative: policies, audits, training
Preventive – Detective – Corrective – Compensatory
Triad of Security Controls: Physical, Administrative, Logical (technical)
Preventive – Detective – Corrective – Compensatory
Why are Things So Bad?
What's Wrong with Security?
Security includes people, process, and technology but… it's not part of our organizational DNA.
#1. It's NOT fundamental to our organizations. Security must be part of the fabric of our organizations.
#2. It's not important… enough: Risk < Reward
… Business problems
Deleting Information?
• Computers
• Memory
• Files
0111101000100100 in use
0111101000100100 deleted
The bits are identical before and after the delete: only the reference to them is removed.
• Backups
• Archives
• Cloud backups
…is it ever really gone? …and we are still building computers this way!
… System design problems
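To make the slide's point concrete, the following is an added example for this transcript, not from the original presentation: a miniature block store in which delete does what most filesystems do, drops the directory entry and marks the blocks free, so a raw scan of the blocks still finds the record, and only an overwrite before release removes it. The block layout, the file table and the payroll record are constructed for the demo. Overwriting the live copy also does nothing about the backups, archives and cloud copies listed above.

```python
"""Why "delete" does not remove data: a miniature block store.

Added example for this transcript, not the presenter's code. The block
device, its file table and the sample record are constructed; real
filesystems differ in detail but share the property shown here: unlink
frees the blocks without wiping them.
"""
from __future__ import annotations

BLOCK_SIZE = 16

# Constructed sample record (no real person).
RECORD = b"SSN=123-45-6789 salary=54000"


class BlockStore:
    """A disk of fixed-size blocks plus a directory mapping names to blocks."""

    def __init__(self, n_blocks: int = 8) -> None:
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = set(range(n_blocks))
        self.table: dict[str, list[int]] = {}  # the "directory": name -> block list

    def write(self, name: str, data: bytes) -> None:
        """Store data in the lowest free blocks and record them in the directory."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            b = min(self.free)
            self.free.remove(b)
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\0")
            used.append(b)
        self.table[name] = used

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry and mark the blocks free. Bytes untouched."""
        self.free.update(self.table.pop(name))

    def shred(self, name: str) -> None:
        """Overwrite every block of the file, then release it."""
        for b in self.table[name]:
            self.blocks[b][:] = b"\0" * BLOCK_SIZE
        self.delete(name)

    def read(self, name: str) -> bytes | None:
        """What the file listing shows: None once the directory entry is gone."""
        if name not in self.table:
            return None
        return b"".join(bytes(self.blocks[b]) for b in self.table[name]).rstrip(b"\0")

    def carve(self, needle: bytes) -> list[int]:
        """What a recovery tool does: scan the raw blocks, ignoring the directory."""
        return [i for i, blk in enumerate(self.blocks) if needle in blk]


def remanence_check() -> dict:
    """Write the record, delete it, carve for it; then write again, shred, carve again."""
    disk = BlockStore()
    disk.write("payroll.txt", RECORD)
    disk.delete("payroll.txt")
    listed = disk.read("payroll.txt")              # gone from the listing...
    carved_after_delete = disk.carve(b"123-45-6789")  # ...but still on the blocks
    disk.write("payroll.txt", RECORD)              # reuses the same blocks
    disk.shred("payroll.txt")
    carved_after_shred = disk.carve(b"123-45-6789")
    return {
        "listed_after_delete": listed,
        "carved_after_delete": carved_after_delete,
        "carved_after_shred": carved_after_shred,
    }


if __name__ == "__main__":
    for key, value in remanence_check().items():
        print(f"{key}: {value}")
```

On a real disk the "carve" step is what forensic and data-recovery tools do to unallocated space, which is why disposal of drives that held finance data needs a wipe or physical destruction, not a delete.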
Cyber Crime Innovations
Cyber Crime Innovations
• Huge rewards
• Growing market
• Recruit smart & clever staff
• Nation state protection
• Mobile & remote access
• Old software
• Old systems
SC Magazine
Krebs on Security (krebsonsecurity.com)
What’s it Cost?
Unhackable Networks?
Classified Network / Unclassified Network
Hacker
Favorite Hacker Tool
Executive / Senior Management Role
Hard Questions… What Does the Organization Require?
• Security
• Recovery
• Resiliency
• Insource vs outsource
• Cloud
Organizational Changes… How Shall We Then Live? (Francis Schaeffer)
• Cultural changes
• Business mindset
These are NOT Additional Initiatives!!!
• Security
• Recovery
• Resiliency
• Insource vs outsource
• Cloud
Organizational Changes…
Today: How Shall We Then Live?
• Cultural changes
• Business mindset
These are NOT Optional Initiatives!!!
✓ Security ✓ Recovery ✓ Resiliency ✓ Insource vs outsource ✓ Cloud
Tomorrow:
• Senior management
• Finance
• Human resources
• Purchasing
• IT
Cloud Expectations…
Contract language… Business Transfers:
"Cloud vendor XXXXXX may sell, transfer, or otherwise share some or all of its business or assets, including your Personal Information and Non-Identifying Information in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy."
What Can We Do About This?
Page 74
Passwords – don’t forget the simple stuff
Passwords, office and whiteboard hygiene, locked file cabinets, changed locks, monitoring, etc.
Page 75
Partner in the Absence of Expertise
Augment Core Competencies
Page 76
W3C (World Wide Web Consortium) - http://validator.w3.org/unicorn/
Page 77
Top 20 Critical Security Controls - Version 5
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
SANS Institute
Page 78
Top 20 Critical Security Controls - Version 5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
SANS Institute
Page 79
OWASP Top 10
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards
Open Web Application Security Project
Page 80
www.us-cert.gov (US Computer Emergency Readiness Team)
Current Activity
• Cisco UCS Director Default Credentials Vulnerability
Published Friday, February 21, 2014
• Cisco has released a security advisory to address a vulnerability in Cisco Unified Computing System (UCS) Director. This vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device due to a default root user account created during installation. Successful exploitation of this vulnerability would provide the attacker with full administrative rights to the system.
Page 81
nvd.nist.gov (National Institute of Standards and Technology, National Vulnerability Database)
Resource Status
NVD contains:
• 60,611 CVE (Common Vulnerabilities & Exposures)
• 230 Checklists (Security Checklists)
• 248 US-CERT Alerts (Computer Emergency Readiness Team)
• 2,827 US-CERT Vulnerability Notes
• 10,286 OVAL Queries (Open Vulnerability and Assessment Language)
• Last updated: 02/21/14
CVE publication rate: 17 vulnerabilities / day
Page 82
Moving Forward
Page 83
Now What? Big Ideas:
• Everything Changes at Scale
• Change requires Change
Plugging into the internet joined your organization to a very large community of constructive and destructive users…
Page 84
What to Do Next?
1. Awareness: We will not be ignorant
2. Mindset: Security is NOT an option
3. Can’t be all things to all people
• Focus on things that matter to your constituents
• Consider trusted 3rd parties for the rest
…no risk free environments
Page 86
Thank You