1. We are all InfoSec
Michael Swinarski
Director Information Security
2. TOP 5 CYBERSECURITY FACTS FOR 2017
-CSO ONLINE JUNE 2017
1. CYBER CRIME DAMAGE COSTS TO HIT $6 TRILLION ANNUALLY BY 2021.
2. CYBERSECURITY SPENDING TO EXCEED $1 TRILLION FROM 2017 TO 2021.
3. CYBER CRIME WILL MORE THAN TRIPLE THE NUMBER OF UNFILLED CYBERSECURITY JOBS,
WHICH IS PREDICTED TO REACH 3.5 MILLION BY 2021.
4. HUMAN ATTACK SURFACE TO REACH 4 BILLION PEOPLE BY 2020.
5. GLOBAL RANSOMWARE DAMAGE COSTS ARE PREDICTED TO EXCEED $5 BILLION IN 2017.
3. CURRENT EVENTS - MALWARE
THE AV-TEST INSTITUTE REGISTERS OVER
250,000 NEW MALICIOUS PROGRAMS
EVERY DAY.
4. CURRENT EVENTS - RANSOMWARE
1. 250% RISE IN ATTACKS
2. ON TRACK FOR $5 BILLION IN
DAMAGES
1. UP $325 MILLION IN 2015
3. TO NAME A FEW…
1. WANNA CRY
2. PETYA
3. NOTPETYA
5. CURRENT EVENTS – 2017 DATA BREACHES
E-Sports Entertainment Association (ESEA)
Xbox 360 ISO and PSP ISO
InterContinental Hotels Group (IHG)
Arby’s
River City Media
Verifone
Dun & Bradstreet
Saks Fifth Avenue
UNC Health Care
America’s JobLink
FAFSA: IRS Data Retrieval Tool
Chipotle
Sabre Hospitality Solutions
Gmail
Bronx Lebanon Hospital Center
Brooks Brothers
DocuSign
One Login
Kmart
University of Oklahoma
Washington State University
Deep Root Analytics
Blue Cross Blue Shield / Anthem
California Association of Realtors
Verizon
Online Spam bot
TalentPen and TigerSwan
Equifax
U.S. Securities and Exchange Commission (SEC)
SVR Tracking
Deloitte
Sonic
Whole Foods Market
6. WE ARE ALL SECURITY PROFESSIONALS
“THE RISE OF CYBER THREATS MEANS THAT THE PEOPLE
ONCE ASSIGNED TO SETTING UP COMPUTERS AND EMAIL
SERVERS MUST NOW TREAT SECURITY AS TOP PRIORITY”
-CHRISTOPHER MIMS, WALL STREET JOURNAL
7. FOR DEVELOPERS AND TESTERS
• OWASP TOP 10
• MOST CRITICAL WEB APPLICATION
SECURITY RISKS
• HTTPS://WWW.OWASP.ORG
8. OWASP TOP 10 (2017 RC2)
• A1 INJECTION
• A2 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
• A3 CROSS-SITE SCRIPTING (XSS)
• A4 BROKEN ACCESS CONTROL
• A5 SECURITY MISCONFIGURATION
• A6 SENSITIVE DATA EXPOSURE
• A7 INSUFFICIENT ATTACK PROTECTION
• A8 CROSS-SITE REQUEST FORGERY (CSRF)
• A9 USING COMPONENTS WITH KNOWN VULNERABILITIES
• A10 UNDER PROTECTED APIS
Source
9. A1 INJECTION (Since 1998)
INJECTION FLAWS, SUCH AS SQL, OS, AND
LDAP INJECTION OCCUR WHEN UNTRUSTED
DATA IS SENT TO AN INTERPRETER AS PART OF
A COMMAND OR QUERY. THE ATTACKER’S
HOSTILE DATA CAN TRICK THE INTERPRETER
INTO EXECUTING UNINTENDED COMMANDS
OR ACCESSING DATA WITHOUT PROPER
AUTHORIZATION.
Source
11. PREVENT INJECTION
How Do I Prevent Injection? Preventing injection requires keeping data separate from commands and queries.
• The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface,
or migrate to use ORMs or Entity Framework. NB: When parameterized, stored procedures can still introduce SQL injection if
PL/SQL or T-SQL concatenates queries and data, or executes hostile data with EXECUTE IMMEDIATE or exec().
• Positive or "white list" input validation, but this is not a complete defense as many applications require special characters, such
as text areas or APIs for mobile applications
• For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter. OWASP's
Java Encoder and similar libraries provide such escaping routines. NB: SQL structure such as table names, column names,
and so on cannot be escaped, and thus user-supplied structure names are dangerous. This is a common issue in report writing
software.
• Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
Source
12. FOR SYSTEM ENGINEERS/ADMIN/IMPLEMENTERS
• CENTER FOR INTERNET SECURITY (CIS) TOP 20
• SECURE YOUR ENTIRE ORGANIZATION AGAINST TODAY'S MOST PERVASIVE THREATS
• HTTPS://WWW.CISECURITY.ORG
13. CIS TOP 20
1. INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
2. INVENTORY OF AUTHORIZED AND UNAUTHORIZED SOFTWARE
3. SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE
4. CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION
5. CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES
6. MAINTENANCE, MONITORING, AND ANALYSIS OF AUDIT LOGS
7. EMAIL AND WEB BROWSER PROTECTIONS
8. MALWARE DEFENSES
9. LIMITATION AND CONTROL OF NETWORK PORTS
10. DATA RECOVERY CAPABILITY
11. SECURE CONFIGURATIONS FOR NETWORK DEVICES
12. BOUNDARY DEFENSE
13. DATA PROTECTION
14. CONTROLLED ACCESS BASED ON THE NEED TO KNOW
15. WIRELESS ACCESS CONTROL
16. ACCOUNT MONITORING AND CONTROL
17. SECURITY SKILLS ASSESSMENT AND APPROPRIATE TRAINING TO FILL
GAPS
18. APPLICATION SOFTWARE SECURITY
19. INCIDENT RESPONSE AND MANAGEMENT
20. PENETRATION TESTS AND RED TEAM EXERCISES
Source
14. REFERENCES FOR INFOSEC (and others)
• NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
• CYBER SECURITY FRAMEWORK
• HTTPS://WWW.NIST.GOV/CYBERFRAMEWORK
• EXAMPLES
• NIST 800-53: A publication that recommends security controls for federal information systems and organizations and documents security controls for information
systems
• NIST 800-50: Building an Information Technology Security Awareness and Training Program
• NIST 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
• NIST 800-57: Recommendation provides cryptographic key management guidance
• NIST 800-61: Guidelines for Computer Security Incident Handling
• NIST 800-63: Digital Identity Guidelines. Authentication and Lifecycle Management
15. INFORMATION SECURITY CAREERS
• “'NEGATIVE JOBLESSNESS' IN INFOSEC"
• BANKINFOSECURITY.COM (JULY 2014)
• "ZERO-PERCENT CYBERSECURITY
UNEMPLOYMENT, 1 MILLION JOBS UNFILLED"
• CSOONLINE.COM (SEPT 2016)
• “THE AVERAGE TIME TO FILL AN OPEN POSITION
IN INFORMATION SECURITY IS 130 DAYS”
• CEB ANALYSIS
Salaries according to Dice.com (April 2016)
Application Security Manager $165,000
Cybersecurity Engineer $170,000
Lead Security Engineer $174,375
Cybersecurity Lead $175,000
Director of Security $178,333
Chief Information Security Officer $192,500
IT Security Consultant $198,909
Global Information Security Director $200,000
Chief Security Officer $225,000
Lead Software Security Engineer $233,333
