Top Threats WG
Co-Chair Jon-Michael Brook
Agenda
• About our Top Threats
• Polling the industry
• Call for participation
• Categorizing our Top Threats
About the Top Threats Report
• This report is capturing the Top Concerns
– As reported by industry practitioners and stakeholders
• Threats, Vulnerabilities, Risks
– Will be defined and correctly identified for each
• Template
– Follows previous Top Threats release documents
– Will include proper semantic clarification
– Mitigation and security references
Threat Definitions and Discussion
• Data Breaches
– Definition: A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
– Source: searchsecurity.techtarget.com/definition/data-breach
• Data Loss
– Definition: Data loss is an error condition in information systems in which information is destroyed by failures or neglect in storage, transmission, or processing. Information systems implement backup and disaster recovery equipment and processes to prevent data loss or restore lost data.
– Source: https://www.bostoncomputing.net/consultation/databackup/dataloss/ and https://en.wikipedia.org/wiki/Data_loss
– Notes: consider merging Data Breaches and Data Loss under a new label that encompasses both
• Abuse and Nefarious Use of Cloud Services
– Definition: Weak fraud detection capabilities open cloud computing models such as IaaS and PaaS to malicious attacks by criminals who can leverage those technologies and target cloud providers. Most cloud providers do not enforce strong registration processes, so any person with a valid credit card can register to receive cloud services.
– Source: http://www.ijceronline.com/papers/Vol3_issue6/part%204/D0364022027.pdf
– https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
• Insufficient Due Diligence
– Definition: Businesses and their lawyers often have limited time and resources to devote to cloud due diligence, so developing a good roadmap and checklist for due diligence on a CSP is essential. Due diligence should involve a team approach: IT, legal, compliance and the appropriate business unit of the company.
– Source: http://www.insidecounsel.com/2013/12/06/technology-a-lack-of-due-diligence-still-a-top-thr
Visit the Top Threats WG website
• https://cloudsecurityalliance.org/group/top-threats/
• Download the 2013 Notorious Nine
• Take the new survey for 2016
– LinkedIn
– Twitter
– Email campaigns
– CSA News
Call for participation
• Develop content for the different sections based on template
• Categories
– Abuse and Nefarious Use of Cloud Services (Scott Field)
– Shared Technology Issues (Jon-Michael)
– Misaligned or Missing Cloud Strategy (Michael Roza)
– Weak Identity, Credential Access Management (Scott Field)
– Denial of Service
– Data Loss
– Malicious Insiders (Jon-Michael)
– Insufficient Due Diligence (Michael Roza)
– Advanced Persistent Threats (Vic Hargrave)
– Insecure APIs (Jon-Michael)
– Data Breaches
– System Application Vulnerabilities (Vic Hargrave)
– Account Hijacking
THANK YOU!
Co-Chair Jon-Michael Brook
Co-Chair Dave Shackelford
Co-Chair Scott Field
Top Threats Working Group