Understanding and Managing Your Threat Landscape (transcript)
Source: sfisaca.org/images/fc15_presentations/e11.pdf
CRISC | CGEIT | CISM | CISA
2013 Fall Conference – “Sail to Success”
Understanding and Managing Your Threat Landscape
Eric Kurnie, SVP, Wells Fargo
Cybersecurity Essentials – E11
11/8/2015
CHANGING RISK LANDSCAPE
2015 Fall Conference – “CyberSizeIT”, November 9 – 11, 2015
Cyber History
Cyber Current
World’s biggest data breaches: 2004 - 2005
Figure: breaches plotted by method of leak (accidentally published, hacked, inside job, lost / stolen computer, lost / stolen media, poor security).
Source: www.informationisbeautiful.net, World’s Biggest Data Breaches
World’s biggest data breaches: 2013 - 2015
Figure: breaches plotted by method of leak (accidentally published, hacked, inside job, lost / stolen computer, lost / stolen media, poor security).
Source: www.informationisbeautiful.net, World’s Biggest Data Breaches
Who, Why, How, What, Impacts…
WHO: Threat Actors
• Cyber Terrorist
• Hacktivists
• Nation State
• Financially Motivated
• Insider
WHY: Goals
• Disruption / Reputation
• Attention
• Espionage
• Theft
• Monetary
• ID
• Revenge
HOW: Vectors
• DDoS – Distributed Denial of Service
• Malware
• Direct Hack
• Phishing
• Social Engineering
WHAT: Vulnerabilities
• Missing Patches
• Code Vulnerability
• Zero Day vulnerabilities
• “Un-patchable” and End of Life Assets
• Data Back up and Recovery
• Lack of Encryption
• Human issues
• ID and Access Mgmt
• Password Mgmt
IMPACTS:
• Reputational
• Lost Business / Unavailable Services
• Regulatory
• Fraud Losses
THREATS
Threat Landscape
Figure: four threat categories ordered along an axis from the traditional domain of opportunistic hackers (opportunistic, less detrimental to operations) to geopolitical conflict (highly motivated, more detrimental to operations): Cybercrime, Cyber agitation, Cyber-espionage, Cyber-war.

Examples and targeted assets by category:
Cyber-war (geopolitical conflict; highly motivated, more detrimental to operations):
  Estonia – Internet backbone; Georgia – Government sites; Stuxnet – Nuclear facility
Cyber-espionage:
  Dupont – Trade secrets; Night Dragon – Source code; Operation Aurora – Intellectual property; Rio Tinto – Strategic legal docs; Shady RAT – Bidding plans
Cyber agitation:
  Anonymous – Sensitive data, various; Chevron – Public reputation; HBGary Federal – Sensitive emails; Sony – Executive’s details; Scientology – DDoS, reputation; WikiLeaks – Classified documents
Cybercrime (traditional domain of opportunistic hackers; opportunistic, less detrimental to operations):
  JPMC – Account information; Target/HD – Credit card data; Epsilon – Email addresses; Sony – Player accounts; SpyEye and Zeus – Login credentials, PIN
Opportunistic Hackers
Cybercrime
Cyber Agitation
Cyber Espionage
Cyber War
Today’s Financial Industry Security Threat Landscape
Evolved Ecosystem
• Business growth drives more systems in the environment
  ‒ Massive complexity and asset intimacy
  ‒ Harder to understand all technical risks
• Requires more complex application / system development
• Attack surface has expanded significantly (mobile, wireless, cloud)
External Threat Landscape
• More attackers, characterized as:
  ‒ Sophisticated
  ‒ Better resourced than their targets
  ‒ Monetized incented attacks
  ‒ Security controls also targets (e.g. tokens)
• Targets no longer limited to certain industry sectors
• Emergence of social engineering
Increased Targeting of Informational Assets for Monetary Gain
Shifting Threat Landscape Adds to Defense in Depth
The price of a data breach
• Scottrade stock trading service hacked, possibly affecting 4.6 million customers – October 2015
• Anthem hacked, nearly 80 million Anthem members impacted – February 2015
• JP Morgan Chase cyberattack affected 76 million households – July 2014
Miscellaneous Errors
Crimeware
Insider Misuse
VULNERABILITIES
Don’t be a… (video)
https://www.youtube.com/watch?v=nPR131wMKEo
Passwords
Password1?
$m=gC+M&cH
Passwords – additional controls
Social Engineering
Published Vulnerabilities
83 percent+ of compromises go undetected for long periods of time
Discovery Timeline – Cyber-Espionage (share of incidents by time from compromise to discovery):
  Seconds: 0%
  Minutes: 0%
  Hours: 9%
  Days: 8%
  Weeks: 16%
  Months: 62%
  Years: 5%
(Weeks, months and years together account for the 83% cited above.)
Source: Verizon 2014 Data Breach Investigations Report
Zero-Day Vulnerabilities
Attackers moving at an increasing speed
In five months, the attacker’s average time to exploit was reduced by almost two-thirds.*
Time from disclosure to each attack phase, Heartbleed (April 2014) vs. Bashbug (Sept 2014):
  Scanning for Vulnerability: 24 hrs. → 6 hrs.
  Code Developed to Exploit: 48 hrs. → 12 hrs.
  Botnets Armed for Attacks: 7 days → 48 hrs.
* Data points compiled from several public sources
Managed evolution results in effective risk management
Risk treatment options: Avoid, Mitigate, Accept, Transfer
Figure labels: Regulatory, Risks, Threats; KEEP IT SIMPLE
Effective Risk Management: focus on the current state of risk and the impact that the evolving risk landscape, new technologies, and business processes present during this journey.
Conclusion
QUESTIONS? COMMENTS?
CONTACT INFORMATION: ERIC KURNIE
(650) [email protected]