Keeping First Things First: Maintaining a security focus in a media-driven world

Keeping First Things First - ISACA First Things First: Maintaining a security focus in a media-driven world First, let’s define our terms…. What concerns us in security? What concerns

Mar 28, 2018


doquynh


First, let’s define our terms….


What concerns us in security?

Keeping sensitive data secure, regardless of where it is stored

System integrity – patches and configuration

Keeping critical systems available


The principles of good security haven’t changed in 2,000 years

A little history lesson….


Managing the Roman Army

The Imperial Roman Army of AD 30-248 was a standing professional army

Mostly heavy infantry, also cavalry, sailors and marines

At its peak, consisted of over ~400,000 men (c. 3rd century)

The Praetorian Guard

The “special forces” of the Roman Army

Bodyguards of the Roman Emperors

Patrolled the palace and other important buildings


What was important

Confidentiality of messages


"Skytala&EmptyStrip-Shaded". Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Skytala%26EmptyStrip-Shaded.png#/media/File:Skytala%26EmptyStrip-Shaded.png


The scytale transposition cipher


What was important

Confidentiality of messages

Accuracy and speed of information

Troop strength

Position

Status of supplies


All roads lead to Rome…


Cursus Publicus

“the public way” δημόσιος δρόμος - dēmósios drómos

Courier service of the Roman Empire

Created by the Emperor Augustus

Used to transport official messages, tax revenues, and some military communications


What was important

Confidentiality of messages

Accuracy and speed of information

Integrity of messages


Seal boxes

Bronze boxes used in combination with wax and a seal (ring or other device) used to ensure the integrity of a message


The information security challenges faced by the Roman Army are the same challenges we face today…

except…..


….The Romans didn’t have to deal with…


How does the media drive the security discussion?

Sensationalism….

http://www.pcworld.com/article/2859283/heartbleed-shellshock-and-tor-the-13-biggest-security-stories-of-2014.html


How does the media drive the security discussion?

Sensationalism….

Dramatic predictions….

http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/of-2014.html


How does the media drive the security discussion?

Sensationalism….

Dramatic predictions….

http://www.huffingtonpost.com/peter_schwartz/end-of-internet_b_5856168.html


How does the media drive the security discussion?

Sensationalism….

Dramatic predictions….

http://www.darkreading.com/risk-management/the-(not-quite)-end-of-security-on-the-internet/d/d-id/1075199?


How does the media drive the security discussion?

Sensationalism….

Dramatic predictions….

If it bleeds it leads….

http://www.bbc.com/news/technology-269545401075199?


Making tech sound scary…

CVE-2015-1538

CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829

Android “Stagefright”


Doom and gloom that never really panned out…


Even at DEFCON (2013)



Let’s take a trip in the “way back” machine…


(Some of the) Top Security Stories of 2014 According to PCWorld.com

“The 13 Most Momentous Security Stories of 2014”


Sony Pictures Hack

Probably North Korean hackers

Stole employee data

Another breach of names, SSNs, salary data

General Internet security impact: Low


Heartbleed

Two-year-old, previously unidentified bug in OpenSSL

Very few confirmed data breaches

“Heartbleed forced millions of people to change their passwords across a variety of websites.”

(In reality, it forced thousands of security professionals to spend thousands of hours explaining to server admins why they had to put in a patch over the weekend)

General Internet security impact: Moderate


Shellshock

Vulnerability in Bash (Bourne-Again Shell)

Fairly serious remote code vulnerability

No significant number of known compromises

General Internet security impact: Moderate


The Death of TrueCrypt

Who cares?

Only security geeks use it

Several other options available (VeraCrypt)

General Internet security impact: Nil


Bad USB

Security researchers discovered a way to re-program USB firmware

Could turn a USB drive into a keylogger or malware delivery mechanism

Could be bad if someone breaks into Kingston, PNY, SanDisk, or Lexar

Only my daughter uses a USB drive to store her homework

Oh, wait, ISACA distributes Geek Week presentations on a USB drive

General Internet security impact: Low


So what should we really care about?


My Top Five


Software/web app security

“If planes, trains, automobiles were built with the same quality enterprise applications were built, we’d all be dead by now.”

Vulnerability testing

Secure coding practices

Baking in security, not bolting on later


The Internet of Things

“Experts estimate that the IoT will consist of almost 50 billion objects by 2020.”

Does Maytag have secure coding practices for their network-connected refrigerator?

Is Symantec planning on deploying anti-malware security for your washing machine?

A BotNet of 50 billion is scary!

(Yeah, that’s a little sensational)


Data, data, everywhere

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements.” (Larry Ellison)

The traditional perimeter is gone

Security must focus on protecting the data, not just the systems

Who has access, when, from where, and what are they doing?


“We don’t need no stinkin’ patches!”

Patches & configuration management

Application dependencies keeping upgrades from happening

Poor asset management

Not knowing what you have and its current state


Monitoring, Threat Sharing, and Indicators of Compromise

What are you doing to detect potential (or actual) data breaches?

Are you subscribing to threat-intelligence data feeds?

Do you have adequate data and network monitoring tools?

Do you participate in industry-specific information sharing?

“75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).” (Verizon DBIR 2014)


Monitoring

Source: Verizon DBIR, 2014


How to maintain focus…

Build relationships within a professional network of trusted partners

Subscribe to closed-source threat feeds

Use reliable sources for security information, not bloggers or the media

Figure out what threats will affect your business the most and focus on those!

Write them down

Update periodically

Establish a “risk tolerance”

Keep the fundamentals of security in mind