Top Threats WG Co-Chair Jon-Michael Brook

Upload: wendy-oneal

Post on 04-Jan-2016


Page 1: Top Threats WG Co-Chair Jon-Michael Brook. Agenda About our Top Threats Polling the industry Call for participation Categorizing our Top Threats

Top Threats WG

Co-Chair Jon-Michael Brook


Agenda

• About our Top Threats

• Polling the industry

• Call for participation

• Categorizing our Top Threats


About the Top Threats Report

• This report is capturing the Top Concerns

– As reported by industry practitioners and stakeholders

• Threats, Vulnerabilities, Risks

– Will be defined and correctly identified for each

• Template

– Follows previous Top Threats release documents

– Will include proper semantic clarification

– Mitigation and security references


Threat Definitions and Discussion

• Data Breaches

– Definition: A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

– Source: searchsecurity.techtarget.com/definition/data-breach

• Data Loss

– Definition: Data loss is an error condition in information systems in which information is destroyed by failures or neglect in storage, transmission, or processing. Information systems implement backup and disaster recovery equipment and processes to prevent data loss or restore lost data.

– Source: https://www.bostoncomputing.net/consultation/databackup/dataloss/ and https://en.wikipedia.org/wiki/Data_loss

– Notes: consider merging Data Breaches and Data Loss under a new label that encompasses both


• Abuse and Nefarious Use of Cloud Services

– Definition: Weak fraud detection capabilities open cloud computing models such as IaaS and PaaS to malicious attacks by criminals who can leverage those technologies and target cloud providers. Most cloud providers do not enforce strong registration processes, so any person with a valid credit card can register to receive cloud services.

– Source: http://www.ijceronline.com/papers/Vol3_issue6/part%204/D0364022027.pdf

– Source: https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

• Insufficient Due Diligence

– Definition: Businesses and their lawyers often have limited time and resources to devote to cloud due diligence, so developing a good roadmap and checklist for due diligence on a CSP is essential. Due diligence should involve a team approach: IT, legal, compliance and the appropriate business unit of the company.

– Source: http://www.insidecounsel.com/2013/12/06/technology-a-lack-of-due-diligence-still-a-top-thr


Visit the Top Threats WG website

• https://cloudsecurityalliance.org/group/top-threats/

• Download the 2013 Notorious Nine

• Take the new survey for 2016

– LinkedIn

– Twitter

– Email campaigns

– CSA News


Call for participation

• Develop content for the different sections based on the template

• Categories

– Abuse and Nefarious Use of Cloud Services (Scott Field)

– Shared Technology Issues (Jon-Michael)

– Misaligned or Missing Cloud Strategy (Michael Roza)

– Weak Identity, Credential and Access Management (Scott Field)

– Denial of Service

– Data Loss

– Malicious Insiders (Jon-Michael)

– Insufficient Due Diligence (Michael Roza)

– Advanced Persistent Threats (Vic Hargrave)

– Insecure APIs (Jon-Michael)

– Data Breaches

– System and Application Vulnerabilities (Vic Hargrave)

– Account Hijacking


THANK YOU!

Co-Chair Jon-Michael Brook

Co-Chair Dave Shackelford

Co-Chair Scott Field

Top Threats Working Group