GRC Summit London 2016 - THE CYBER CHALLENGE by Jiri Kram

Post on 14-Apr-2017

Category: Technology


Transcript

THE CYBER CHALLENGE

Jiri Kram, Cloud Architect

Why should you care?

1. Criminal liability – it’s no longer just an IT problem (data security is on the CEO & COO agenda)

2. Severity – it’s no longer child’s play, now the damage can be real (Clinton emails, Sony hack, Dyn attack, etc.)

3. Compliance – would you pass compliance requirements if your company data is insecure? (really?)

4. Brand damage – why invest in a brand if its value can be wiped out overnight? (Will you stay / become a TALKTALK customer?)

The TALKTALK hack cost £42 million, CEO says

TalkTalk hack: Teen in court on hacking and blackmail charges. A 19-year-old from Wales allegedly demanded 596 bitcoins

TalkTalk share price plunged twice as deep as Sony, Carphone Warehouse, Barclays and eBay after cyber attacks

What should you do?

1. Compliance is not just about regulations – compliance must work hand in hand with IT, Enterprise Architecture, and Security teams.

2. An Architect is not a Developer – companies “save” money by hiring one person as Developer / Architect (which means there is no control over the code). This has to stop!

3. Security is not the SI’s responsibility – companies think hiring a System Integrator will solve all problems. It won’t, because they will leave.

4. Beware of Cloud & IoT – don’t believe in myths, if you “save” money on “cheap” cloud & IoT you will be unpleasantly surprised. Very surprised.

On Friday (21 Oct 2016), one of the largest DDoS attacks ever caused a widespread internet outage affecting services such as Twitter, AWS, Reddit, Netflix, Spotify, CNN, PayPal, NY Times, WSJ, and others.

The attack was directed at Dyn, a DNS provider, whose servers resolve domain names to IP addresses, directing web traffic to the affected companies.

Tens of millions of IP addresses were involved, and customers of the affected sites were unable to access web services for about two hours.

Security firm Flashpoint said it had confirmed that the attack used botnets of devices infected with the Mirai malware. Many of the devices involved come from Chinese manufacturers and ship with easy-to-guess usernames and passwords that cannot be changed by the user – a vulnerability that the malware exploited.
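The takeover pattern behind Mirai is credential guessing: one source works through a short list of factory-default username/password pairs against a device's remote login until one succeeds. The following detection logic is an added example, not part of the original deck or of any Dyn/Flashpoint material. It runs over a constructed syslog-style sample (the `telnetd: login ...` format, the timestamps and the addresses are invented for illustration) and flags any source that tries many distinct usernames within a short window, noting whether a login eventually succeeded.

```python
"""Flag credential-guessing against device logins, the pattern behind
Mirai-style IoT takeovers: one source trying many factory-default
username/password pairs in a short window.

Added example. The log format below is constructed for illustration
and is not any real device's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of auth events (not real traffic): one source cycles
# through five usernames in five seconds and then gets in as root; the
# other source fails once and succeeds a quarter of an hour later.
SAMPLE_LOG = """\
2016-10-21T11:10:01 telnetd: login failed user=root src=203.0.113.7
2016-10-21T11:10:02 telnetd: login failed user=admin src=203.0.113.7
2016-10-21T11:10:03 telnetd: login failed user=support src=203.0.113.7
2016-10-21T11:10:04 telnetd: login failed user=user src=203.0.113.7
2016-10-21T11:10:05 telnetd: login failed user=service src=203.0.113.7
2016-10-21T11:10:06 telnetd: login ok user=root src=203.0.113.7
2016-10-21T11:30:00 telnetd: login failed user=admin src=198.51.100.9
2016-10-21T11:45:00 telnetd: login ok user=admin src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) telnetd: login (failed|ok) user=(\S+) src=(\S+)$")


def parse_events(log_text):
    """Return (timestamp, outcome, user, src) tuples for each login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event; ignore
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def detect_guessing(log_text, window=timedelta(seconds=60), min_users=4):
    """Flag sources that fail against >= min_users distinct usernames
    inside any window, and record whether a login later succeeded."""
    by_src = defaultdict(list)
    for ev in parse_events(log_text):
        by_src[ev[3]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        fails = [e for e in evs if e[1] == "failed"]
        # Sliding window anchored at each failure: count distinct usernames
        # tried within `window` of it and keep the largest count seen.
        best = 0
        for i, start in enumerate(fails):
            users = {e[2] for e in fails[i:] if e[0] - start[0] <= window}
            best = max(best, len(users))
        if best >= min_users:
            first_fail = fails[0][0]
            succeeded = any(e[1] == "ok" and e[0] >= first_fail for e in evs)
            alerts.append({"src": src,
                           "distinct_users": best,
                           "login_succeeded": succeeded})
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

A source that is flagged with `login_succeeded` true is the case that matters for the Dyn story: on a device whose credentials cannot be changed, the only effective controls are to keep its management port off the internet and to spot the guessing before the bot is recruited. Tune `window` and `min_users` to the device population; a single failed login followed by success (the second source above) is a user mistyping, not an attack.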

How secure is Cloud?

1. Cloud is secure if done right – if done in the manner of “hey, we’ve done something like this before,” then your risk is very high

2. Don’t believe your AE (account executive) – many IT deals are done between Sales people (from the vendor and the business). Don’t exclude IT and Security! Ever!

3. API is the doorway to your company – code means danger. Use cloud middleware, don’t use on-premise middleware “just because you have it”

4. Encryption – if you want to be sure, encrypt. Don’t forget that data has three states to cover (at rest, in transit, in use). Be certain of what you have.

Get the right tools – don’t save money on IT!

Effective tools identify and kill threats

Don’t buy something because it’s cheap to mass produce…

Four golden rules of security

1. Don’t trust – think of your data as the key to your office. Would you allow anyone to get in?

2. Don’t save money – saving money on IT security is like not wearing a seat belt.

3. Don’t experiment – you are not Microsoft or Oracle, don’t try to outsmart them by doing it “cheaper your way”

4. Don’t be naive – there is a war out there. You are a target, you just don’t know it yet.

That’s all: THANK YOU & GOOD LUCK

LinkedIn: https://www.linkedin.com/in/jirikram

Twitter: @jiri_kram
