Adjusting Your Security Controls: It’s The New Normal
Session ID: STR-T09R
Jim Routh, CSO, Aetna (@jimrouth1)
#RSAC
© 2016 Aetna Inc.
Slide 2: We Were Taught to Adopt a Framework of Controls (Security 101)

1. Adopt a framework for controls
2. Document control objectives
3. Document control procedures
4. Implement control standards
5. Measure practices aligned with control procedures
Slide 3: Control Frameworks Implemented

Frameworks:
- NIST Cyber Security Framework
- NIST 800-53
- PCI-DSS 3.0
- Shared Assessments SIG
- Shared Assessments AUP
- SOC 1 & 2
- BSIMM

Changing controls due to the evolving threat landscape is the new “normal”.

Top key control test results:
- BitSight Vulnerability Review
- Security Scorecard Vulnerability Review
- Synack Pen Test Results (crowdsourced)

Core control programs (labelled CORE on the slide):
- Vulnerability Management
- Software Security Program
- Mobile Security Program
- Identity & Access Management
- Security Data Analytics
- Adaptive Enablement (DLP)
- BYOD Controls
- Federated Identity Management
- Cloud Security Controls
- Cyber Threat Intelligence
- Policy Management (eGRC)
- Education & Communication
- Security Steering Committee
- Threat, Vulnerability Assessment
- Asset Inventory Prioritized by Risk
- Information Classification Policy
- Configuration Management
- 3rd Party Governance
- Incident Response
- Behavioral Based Authentication
Slide 4: Control Compliance is Easily Measured

Self Assessment or 3rd Party Assessment.

(The slide shows the cover of NIST Special Publication 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations", Joint Task Force Transformation Initiative. This publication is available free of charge from http://dx.doi.org/10.6028/NIST.SP.800-53r4)
Slide 5: Privacy Relationship to Information Security

[Diagram labels: Privacy: Federal, State, Local. Info Sec: External Threat, Internal Threat, Vulnerability Assessment.]
Slide 6: Compliance-Driven Info Sec

[Diagram labels: Event, Committee, Legislative, Awareness, Law, Rules, Enforcement; Regulatory.]
Slide 7: Frameworks Are Good…and Not Sufficient

Frameworks shown: Critical Security Controls for Effective Cyber Defense, NIST 800-53, Cyber Security Framework.

By analogy: “In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.” (The slide illustrates this with a line of ciphertext: +/w%K4)*}/Z@9s$v#H~={^0q<)

Encryption is Good…and Not Sufficient.
Slide 8: Dynamic Diversity of Threats

Scenario A:
1. Customer Service Rep uses a web-based translation service
2. Site vulnerability is exploited and malware loaded into the browser
3. New session opens and sophisticated malware is installed; it interrogates the workstation
4. Attempts to capture claim information to use for phishing attacks on aerospace companies

Scenario B:
1. Large cache of stolen credentials released publicly via Pastebin
2. Some of the released credentials used for 3rd party sites and enterprise log-ins
3. A few of the credentials are from privileged users

Scenario C:
1. Spanish company selling hacking tools is hacked, releasing source code identifying 4 exploits of Adobe Flash
2. Adobe releases patches
3. Threat actor based in China sends phishing emails to senior executives encouraging them to click to install the Adobe patch

The cyber threat landscape is changing too quickly for frameworks to respond to.
Slide 9: The Cyber Threat Landscape Changes Quickly

[Image-only slide]
Slide 10: Macro Economic Analysis Applied to Cyber

A bull black market: the black market of health care data from a cyber economic perspective, 2013 to 2015.
Slide 11: A Bull Black Market

Themes on the slide: Maintaining value; Change in price behavior; Increasing supply.

- In 2014, PHI sold for $3-$50 per record. In 2015, $5-$700.
- The most valuable fields within a data set are SSN, name, and DOB.
- Hackers haven’t realized the real market value of health care data due to information asymmetries.
- Unlike the traditional supply and demand economic model, the price of health care data is dependent on the threat actor’s use of the stolen data, not the volume of the data stolen.
- Health care data has a long shelf life on the black market.
- Health care data provides a fuller data set than the financial sector (e.g., SSN, medical history, employee information).
- Amount of data stored across the industry.
- Interactions with health care providers.
- Total cybersecurity incidents targeting this industry.

The supply of data on the black market is misleading due to dueling black markets. There are two black markets: one for common traders and one for nation states and organized crime syndicates. The two markets rarely interact and have different market dynamics.

[Charts: Total records breached* (millions) and Total breaches*, by year, 2009 through 2015**]
*U.S. Department of Health and Human Services
**2015 data is through October
Slide 12: What Have Nation States Learned?

“It’s a walk in the park.” What is on offer:
- Search capability
- Mail account with free storage
- Maps and navigation
- Docs
- And more …

… One million gigs of data processed each day.

Who is their customer? It’s not you!
Who is their product? You are!
Slide 13: The Mobile Device is Our New Appendage

- There are now more cell phones on the planet than there are people
- 90% of 19-29 year-olds in the U.S. sleep with their cell phones
- 65% of survey respondents said mobile phones make them better parents
- 75% of survey respondents bring their phones to the bathroom
- Apple Siri captures everything you say to her for 6 months and aggregates it for 18 months
- Social media apps have the ability to use your phone’s microphone to listen to your dialog

What is the most commonly used mobile app?
Who authorized this potential invasion of privacy? You did!

Source: Qualcomm, Slick Text Surveys
Slide 14: Terms of Service (ToS)

The average American encounters 1,462 privacy policies a year with an average length of 2,518 words. The privacy policy for one of the world’s largest online payment systems is 36,275 words … more than Shakespeare’s Hamlet!

“You grant … a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to … including, but not limited to, any user generated content, ideas, concepts, techniques and/or data to the services, you submit to … without any further consent, notice and/or compensation to you or your any third parties. Any information you submit to us is at your own risk of loss.” …

Source: Carnegie Mellon University study

[x] I agree with the Terms of Service.
Slide 15: Walks in the Park Are No Longer Free …

In the U.S., social networks are considered public spaces … this means that you should have no expectations of privacy in the data collected.

- 81% of divorce attorneys admit to searching social media for evidence
- 70% of HR professionals have rejected a candidate based on information uncovered in an online search
- 86.1% of police departments now routinely include social media searches as part of criminal investigations

Sources: IACP Center for Social Media survey and Microsoft

[Diagram labels, in order: Your social content from the “Park”; Phishing eMail; Credentials to Employer site]

Phishing eMail:
“Hey John,
It was great seeing you last week at the reunion. I’m sure you didn’t recognize me since I lost over 75 pounds from our college days. BTW- you look great and I enjoyed meeting your wife. Here is a picture from the reunion that you’ll get a kick out of!
All the best, Jane”

Credentials to Employer site:
1. John Doe, IluvWk2ay
2. John deColleague, Sysadmin 1
Slide 16: The Most Popular Threat Vector is…

“One of the most effective ways you can minimize the phishing threat is through awareness and training.”
—Lance Spitzner, Training Director, SANS Securing The Human

According to the 2015 Verizon Data Breach Investigations Report (VDBIR):
- 23% of recipients now open phishing messages and 11% click on attachments
- Phishing was associated with 95% of incidents attributed to state-sponsored threat actors
- Over 100 million phishing messages arrive in our inboxes every day
- Nearly 50% open emails and click on phishing links within the first hour
- The median time-to-first-click came in at one minute and 22 seconds across all campaigns

What can we do?
- Improve education/awareness
- Consider unconventional controls:
  1. New email gateway payload inspection and filters
  2. Sinkhole all new domains for 48 hours
  3. Enforce inbound filtering (DMARC)
Slide 17: Apply Unconventional Controls

1. Sinkhole new domains
2. Heuristic filtering on in-bound email using DMARC
3. Next Generation Authentication
Slide 18: Sinkhole Newly Established Domains

The slide opens with the geological definition: “A sinkhole, also known as a cenote, sink, sink-hole, shakehole, swallet, swallow hole, or doline (the different terms for sinkholes are often used interchangeably), is a depression or hole in the ground caused by some form of collapse of the surface layer.”

Components in the diagram: Threat Actor (bad_actor.com); Cyber Security Intelligence Data Feeds, which supply new domains (48 hrs) to the Enterprise DNS Sinkhole; the eMail Gateway.

Flow, as numbered on the slide:
1. Email arrives, FROM: igor@bad_actor.com
2. The gateway issues a DNS request for the sender domain’s SPF TXT record
3. The sinkhole returns a custom SPF response
4. An SPF header is added to the email
5. A BLOCK rule checks for “192.0.2.1”
6. The email is redirected to CSI
7. (label not captured in the extraction)
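The flow above, as an added worked example that is not code from the presentation or from Aetna: a Python model of the sinkhole DNS answering the gateway’s SPF lookup for a newly seen domain, the gateway stamping the SPF result on the message, and the block rule keying on “192.0.2.1” to redirect the message to CSI. The feed entries, DNS records, sample messages and the CSI mailbox address are constructed, and the way the marker address ends up in the SPF header is my interpretation of steps 3 to 5.

```python
"""Added example, not code from the presentation or from Aetna: a small model of
the "sinkhole newly established domains" control on slide 18.  Feed entries, DNS
records, messages, the CSI mailbox and all class names are constructed.  "192.0.2.1"
is the value the slide's block rule checks for; it lies in the RFC 5737
documentation range, so it can never be a real sending host.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SINKHOLE_MARKER = "192.0.2.1"
NEW_DOMAIN_WINDOW = timedelta(hours=48)          # "sinkhole all new domains for 48 hours"
CSI_MAILBOX = "csi-review@enterprise.example"    # constructed placeholder


@dataclass
class Message:
    mail_from: str                   # envelope sender (step 1: FROM igor@...)
    client_ip: str                   # address of the connecting MTA
    headers: dict = field(default_factory=dict)
    delivered_to: str = "recipient"


class SinkholeDns:
    """DNS as the gateway sees it: genuine records, overridden for new domains."""

    def __init__(self, real_txt: dict, feed: dict, now: datetime):
        self.real_txt = real_txt                 # domain -> genuine SPF TXT record
        # threat-intel feed: domain -> time it was first seen / registered
        self.sinkholed = {d for d, seen in feed.items() if now - seen <= NEW_DOMAIN_WINDOW}

    def spf_txt(self, domain: str) -> str:
        # step 3: custom SPF response.  The marker is the only "authorised"
        # sender, so every real MTA fails SPF and the record carries the signal.
        if domain in self.sinkholed:
            return f"v=spf1 ip4:{SINKHOLE_MARKER} -all"
        return self.real_txt.get(domain, "")


def ip4_mechanisms(txt: str) -> list:
    """Addresses listed as ip4: mechanisms in a (simplified) SPF record."""
    return [tok[4:] for tok in txt.split() if tok.startswith("ip4:")]


class Gateway:
    def __init__(self, dns: SinkholeDns):
        self.dns = dns

    def evaluate_spf(self, msg: Message) -> str:
        domain = msg.mail_from.rsplit("@", 1)[-1].lower()
        txt = self.dns.spf_txt(domain)           # step 2: SPF TXT lookup
        if not txt.startswith("v=spf1"):
            result = "none"
        elif msg.client_ip in ip4_mechanisms(txt):
            result = "pass"
        else:
            result = "fail"
        # step 4: stamp the outcome and the record that produced it
        msg.headers["Received-SPF"] = f"{result} (domain={domain}; record={txt!r})"
        return result

    def apply_block_rule(self, msg: Message) -> str:
        # steps 5 and 6: the rule keys on the marker, not on pass/fail, so an
        # ordinary SPF failure from an established domain stays with normal policy
        if SINKHOLE_MARKER in msg.headers.get("Received-SPF", ""):
            msg.delivered_to = CSI_MAILBOX
            return "redirect"
        return "deliver"

    def process(self, msg: Message) -> str:
        self.evaluate_spf(msg)
        return self.apply_block_rule(msg)


def build_demo_gateway() -> Gateway:
    """Gateway wired to a constructed feed and constructed DNS data."""
    now = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)      # fixed clock
    feed = {
        "bad-actor.example": now - timedelta(hours=5),          # brand new
        "older.example": now - timedelta(hours=72),             # outside the window
    }
    real_txt = {
        "partner.example": "v=spf1 ip4:198.51.100.10 -all",
        "older.example": "v=spf1 ip4:203.0.113.7 -all",
    }
    return Gateway(SinkholeDns(real_txt, feed, now))


def run_demo() -> dict:
    """Decisions for four constructed messages (name -> deliver/redirect)."""
    gw = build_demo_gateway()
    msgs = {
        "new_domain": Message("igor@bad-actor.example", "203.0.113.50"),
        "partner_ok": Message("alice@partner.example", "198.51.100.10"),
        "partner_spoofed": Message("alice@partner.example", "203.0.113.50"),
        "outside_window": Message("bob@older.example", "203.0.113.7"),
    }
    return {name: gw.process(m) for name, m in msgs.items()}
```

Note the last two cases: a spoofed sender from an established domain fails SPF but is not touched by this rule, and a domain that left the 48-hour window gets its genuine record back, so the control is deliberately narrow.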
Slide 19: Protect In-Bound Email with Domain Protection

Using email traffic data, the system learns the unique fingerprint of all email senders into your enterprise. This durable identity trust model is used to stop all messages that do not prove they should be trusted.

29,231 servers sent email for an enterprise on a single day:
- 312 servers for the enterprise
- 4,641 servers owned by service providers
- 9,732 benign email forwarders
- 14,526 malicious senders
Slide 20: Design an Authentication Hub

- One framework
- Multiple authentication tools
- Change controls without changing applications
- Across mobile and web
- Policy-driven authentication model
Slide 21: Next Generation Authentication

- Binary authentication is obsolete
- Behavioral-based model is key
- Innovation applied to the interface

Authentication Hub components: LOA; Advanced Analytics; Risk Score API; Dynamic LOA API; Backend Analytics & Risk Engine.

Capabilities named on the slide:
- Prevent @ Inception
- RT Push + TouchID
- iWatch & Sign Out
- Wearables + T/Haptic
- Spatiotemporal + Real-Time (RT) Authorization
- SWIPE + Contextual
- SWIPE + TAP
- Advanced Contextual
- Cognitive & Device Biometrics
- FIDO UAF 1.0
- FIDO 2.0 (when available)
- Decentralized Authentication
Slide 22: Automated vs. Normal Behavior

(The slide references https://member.aetna.com/appConfig/login/login.fccShifterCustomers)

Legitimate traffic encounters no barriers; automated traffic can no longer send valid requests.

Attackers:
- Scripts
- Content Scraping
- Botnets
- dDOS
Slide 23: Recommendations

- Adopt and implement practices aligned with the regulatory framework of choice
- Measure the effectiveness of the controls aligned with the framework
- Identify the enterprise’s top threats/risks
- Apply control design skills to the top threats/risks and consider innovation opportunities
Slide 24: Which Statement Gives You More Assurance?

1. Aetna conforms to the NIST Cyber Security Framework and 800-53
OR
2. Aetna makes 30 changes to controls each month

Adjusting Controls … it’s the New Normal!
Slide 25: Contact

routhj@aetna.com
860 273-7488
Chairman, National Health Information Sharing & Analysis Center
Board member, FS-ISAC
ISE Award winner 2014, Healthcare
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Kürzlich hochgeladen

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Kürzlich hochgeladen (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Adjusting Your Security Controls: It’s the New Normal

  • 1. SESSION ID: STR-T09R #RSAC
    Adjusting Your Security Controls: It’s The New Normal
    Jim Routh, CSO, Aetna, @jimrouth1
  • 2. #RSAC © 2016 Aetna Inc. We Were Taught to Adopt a Framework of Controls
    Security 101
    1. Adopt a framework for controls
    2. Document control objectives
    3. Document control procedures
    4. Implement control standards
    5. Measure practices aligned with control procedures
  • 3. Control Frameworks Implemented
    NIST Cyber Security Framework; NIST 800-53; PCI-DSS 3.0; Shared Assessments SIG; Shared Assessments AUP; SOC 1 & 2; BSIMM
    Changing controls due to the evolving threat landscape is the new “normal”
    Top Key Control Test Results: BitSight Vulnerability Review; Security Scorecard Vulnerability Review; Synack Pen Test Results (crowdsourced)
    CORE: Vulnerability Management; Software Security Program; Mobile Security Program; Identity & Access Management; Security Data Analytics; Adaptive Enablement (DLP); BYOD Controls; Federated Identity Management; Cloud Security Controls; Cyber Threat Intelligence; Policy Management (eGRC); Education & Communication; Security Steering Committee; Threat, Vulnerability Assessment; Asset Inventory Prioritized by Risk; Information Classification Policy; Configuration Management; 3rd Party Governance; Incident Response; Behavioral Based Authentication
  • 4. Control Compliance is Easily Measured
    Self Assessment or 3rd Party Assessment
    NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations (Joint Task Force Transformation Initiative). This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4
  • 5. Privacy Relationship to Information Security
    Privacy; Federal; State; Local; External Threat; Internal Threat; Vulnerability Assessment; Info Sec
  • 6. Compliance-Driven Info Sec
    Event; Committee; Legislative Awareness; Law; Rules; Enforcement -- Regulatory --
  • 7. Frameworks Are Good…and Not Sufficient
    Critical Security Controls for Effective Cyber Defense; 800-53; Cyber Security Framework
    Encryption is Good…and Not Sufficient
    In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
    +/w%K4)*}/Z@9s$v#H~={^0q<
  • 8. Dynamic Diversity of Threats
    1. Customer Service Rep uses a web-based translation service
    2. Site vulnerability is exploited and malware loaded into the browser
    3. New session opens and sophisticated malware is installed; interrogates the workstation
    4. Attempts to capture claim information to use for phishing attacks on aerospace companies

    1. Large cache of stolen credentials released publicly via Pastebin
    2. Some of the released credentials used for 3rd party sites and enterprise log ins
    3. A few of the credentials are from privilege users

    1. Spanish company selling hacking tools is hacked releasing source code identifying 4 exploits of Adobe Flash
    2. Adobe releases patches
    3. Threat actor based in China sends phishing emails to senior executives encouraging them to click to install the Adobe patch

    The cyber threat landscape is changing too quickly for frameworks to respond to
  • 9. The Cyber Threat Landscape Changes Quickly
  • 10. Macro Economic Analysis Applied to Cyber
    The black market of health care data from a cyber economic perspective
    2013; 2015; A bull black market
  • 11. A Bull Black Market
    - In 2014, PHI sold for $3-$50 per record. In 2015, $5-$700.
    - The most valuable fields within a data set are SSN, name, and DOB.
    - Hackers haven’t realized the real market value of health care data due to information asymmetries.
    - Unlike traditional supply and demand economic model, the price of health care data is dependent on the threat actor’s use of the stolen data, not the volume of the data stolen.
    - Health care data has a long shelf life on the black market.
    - Health care data provides fuller data set than the financial sector (e.g., SSN, medical history, employee information).
    The supply of data on the black market is misleading due to dueling black markets
    There are two black markets: one for common traders and one for nation states and organized crime syndicates. The two markets rarely interact and have different market dynamics.
    - Amount of data stored across the industry.
    - Interactions with health care providers.
    - Total cybersecurity incidents targeting this industry.
    Maintaining value; Change in price behavior; Increasing supply
    [Charts: Total records breached* (Millions) and Total breaches*, 2009 through **2015]
    *U.S. Department of Health and Human Services
    **2015 data is through October
  • 12. What Have Nation States Learned?
    “It’s a walk in the park.”
    • Search capability
    • Mail account with free storage
    • Maps and navigation
    • Docs
    • And more …
    One million gigs of data processed each day
    Who is their customer? It’s not you!
    Who is their product? You are!
  • 13. The Mobile Device is Our New Appendage
    There are now more cell phones on the planet than there are people
    90% of 19-29 year-olds in the U.S. sleep with their cell phones
    65% of survey respondents said mobile phones make them better parents
    75% of survey respondents bring their phones to the bathroom
    Apple Siri captures everything you say to her for 6 months and aggregates it for 18 months
    Social media apps have the ability to use your phone’s microphone to listen to your dialog
    What is the most commonly used mobile app?
    Who authorized this potential invasion of privacy? You did!
    Source: Qualcomm, Slick Text Surveys
  • 14. Terms of Service - ToS
    The average American encounters 1,462 privacy policies a year with an average length of 2,518 words. The privacy policy for one of the world’s largest online payment systems is 36,275 words … more than Shakespeare’s Hamlet!
    “You grant … a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to … including, but not limited to, any user generated content, ideas, concepts, techniques and/or data to the services, you submit to … without any further consent, notice and/or compensation to you or your any third parties. Any information you submit to us is at your own risk of loss.” …
    Source: Carnegie Mellon University study
    I agree with the Terms of Service.
  • 15. Walks in the Park Are No Longer Free …
    In the U.S., social networks are considered public spaces … this means that you should have no expectations of privacy in the data collected.
    • 81% of divorce attorneys admit to searching social media for evidence
    • 70% of HR professionals have rejected a candidate based on information uncovered in an online search
    • 86.1% of police departments now routinely include social media searches as part of criminal investigations
    Sources: IACP Center for Social Media survey and Microsoft
    Your social content from the “Park”
    Phishing eMail: Hey John, It was great seeing you last week at the reunion. I’m sure you didn’t recognize me since I lost over 75 pounds from our college days. BTW- you look great and I enjoyed meeting your wife. Here is a picture from the reunion that you’ll get a kick out of! All the best, Jane
    Credentials to Employer site: 1. John Doe, IluvWk2ay 2. John deColleague Sysadmin 1
  • 16. The Most Popular Threat Vector is…
    "One of the most effective ways you can minimize the phishing threat is through awareness and training." —Lance Spitzner, Training Director, SANS Securing The Human
    According to the 2015 Verizon Data Breach Investigations Report (VDBIR):
    - 23% of recipients now open phishing messages and 11% click on attachments
    - Phishing was associated with 95% of incidents attributed to state-sponsored threat actors
    - Over 100 million phishing messages arrive in our inboxes every day
    - Nearly 50% open emails and click on phishing links within the first hour
    - The median time-to-first-click came in at one minute and 22 seconds across all campaigns
    What can we do?
    - Improve education/awareness
    - Consider unconventional controls
    1. New email gateway payload inspection and filters
    2. Sinkhole all new domains for 48 hours
    3. Enforce inbound filtering (DMARC)
  • 17. Apply Unconventional Controls
    1. Sinkhole new domains
    2. Heuristic filtering on in-bound using DMARC
    3. Next Generation Authentication
  • 18. Sinkhole Newly Established Domains
    A sinkhole, also known as a cenote, sink, sink-hole,[1] shakehole,[2] swallet, swallow hole, or doline (the different terms for sinkholes are often used interchangeably[3]), is a depression or hole in the ground caused by some form of collapse of the surface layer
    Diagram: Threat Actor (bad_actor.com); Cyber Security Intelligence Data Feeds; New domains (48 hrs); Enterprise DNS Sinkhole
    eMail Gateway (1)
    FROM: igor@bad_actor.com (2)
    DNS Request SPF TXT Record (3)
    Custom SPF Response (4)
    SPF Header Added to email (5)
    BLOCK Rule Check for “192.0.2.1” (6)
    Redirect email to CSI (7)
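The flow on slide 18 is a gateway-side control: the resolver answers SPF lookups for domains younger than 48 hours with a custom record, and a block rule that recognises the marker address 192.0.2.1 diverts the message to the security intelligence team. The following Python simulation is an added example, not Aetna's implementation and not from the slides. The exact text of the custom SPF answer, the header name `X-SPF-Record`, the resolver's in-memory feed and every sender, domain and timestamp are constructed assumptions.

```python
# Added example: simulate the enterprise DNS sinkhole and the email gateway block rule.
# Not Aetna's code. Custom SPF text, header name and all sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

SINKHOLE_MARKER_IP = "192.0.2.1"           # marker address the slide's block rule checks for
NEW_DOMAIN_WINDOW = timedelta(hours=48)    # "New domains (48 hrs)" feed window on the slide
# Assumed shape of the "Custom SPF Response": a record that authorises only the marker address,
# so the gateway can tell a sinkholed domain apart from a real SPF answer.
SINKHOLE_SPF_RECORD = f"v=spf1 ip4:{SINKHOLE_MARKER_IP} -all"


@dataclass
class SinkholeResolver:
    """Stand-in for the enterprise DNS sinkhole fed by threat-intel domain feeds."""
    first_seen: Dict[str, datetime]                             # domain -> first sighting by any feed
    upstream_txt: Dict[str, str] = field(default_factory=dict)  # real SPF records for old domains

    def is_new_domain(self, domain: str, now: datetime) -> bool:
        seen = self.first_seen.get(domain)
        return seen is not None and now - seen < NEW_DOMAIN_WINDOW

    def spf_txt(self, domain: str, now: datetime) -> Optional[str]:
        """Answer the gateway's SPF TXT lookup; newly seen domains get the sinkhole record."""
        if self.is_new_domain(domain, now):
            return SINKHOLE_SPF_RECORD
        return self.upstream_txt.get(domain)


def sender_domain(msg: EmailMessage) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def process_inbound(msg: EmailMessage, resolver: SinkholeResolver, now: datetime) -> str:
    """Gateway decision: 'deliver' or 'redirect_to_csi' (the security intelligence team)."""
    domain = sender_domain(msg)
    if not domain:
        return "redirect_to_csi"                         # unparseable sender: hand to analysts
    record = resolver.spf_txt(domain, now)               # DNS request for the SPF TXT record
    msg["X-SPF-Record"] = record or "none"               # SPF header added to the email (assumed name)
    if record and f"ip4:{SINKHOLE_MARKER_IP}" in record:  # block rule: check for 192.0.2.1
        return "redirect_to_csi"                         # redirect email to CSI, not the inbox
    return "deliver"


def make_message(sender: str, subject: str = "Invoice") -> EmailMessage:
    """Constructed sample message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    return msg


def demo_resolver(now: datetime) -> SinkholeResolver:
    """Constructed feed: bad_actor.com first seen hours ago, example.org long established."""
    return SinkholeResolver(
        first_seen={"bad_actor.com": now - timedelta(hours=3),
                    "example.org": now - timedelta(days=400)},
        upstream_txt={"example.org": "v=spf1 mx -all"},
    )


def run_demo(now: Optional[datetime] = None) -> Dict[str, Tuple[str, str]]:
    """Return {sender: (disposition, stamped SPF header)} for three constructed senders."""
    now = now or datetime.now(timezone.utc)
    resolver = demo_resolver(now)
    out = {}
    for sender in ("igor@bad_actor.com", "alice@example.org", "mallory@unknown-old.example"):
        msg = make_message(sender)
        out[sender] = (process_inbound(msg, resolver, now), msg["X-SPF-Record"])
    return out


if __name__ == "__main__":
    for sender, (verdict, header) in run_demo().items():
        print(f"{sender}: {verdict} (X-SPF-Record: {header})")
```

The third sender shows the limit of the control: a domain the feeds have never seen is not "new", so it receives no sinkhole answer and passes through on SPF alone; that is why slide 16 pairs the sinkhole with payload inspection and DMARC.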
  • 19. Protect In-Bound Email with Domain Protection
    Using email traffic data, the system learns the unique fingerprint of all email senders into your enterprise
    This durable identity trust model is used to stop all messages that do not prove they should be trusted
    29,231 servers sent email for an enterprise on a single day
    312 servers for the enterprise
    4,641 servers owned by service providers
    9,732 benign email forwarders
    14,526 malicious senders
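Slides 16, 17 and 19 name the standards-based half of inbound domain protection: enforcing DMARC so that a message is accepted only when SPF or DKIM passes for a domain aligned with the visible From domain. The evaluator below is an added example, not Aetna's code and not the product the slide describes. Its organizational-domain rule (last two DNS labels) is a deliberate simplification of the public-suffix lookup real implementations use, and every domain, record and authentication result in `CASES` is constructed.

```python
# Added example: DMARC disposition for an inbound message given SPF/DKIM results.
# Not Aetna's code. Organizational-domain derivation is simplified; all cases are constructed.
from typing import Dict, List, Tuple


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag map."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, anything else is relaxed."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, record: str) -> str:
    """Return 'pass', 'monitor', 'quarantine', 'reject' or 'no_policy' for the gateway."""
    tags = parse_dmarc(record) if record else {}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "no_policy"                       # sender domain publishes no usable policy
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"                            # one aligned authenticated identifier suffices
    return {"none": "monitor", "quarantine": "quarantine",
            "reject": "reject"}.get(tags["p"].lower(), "monitor")


# Constructed cases: (description, from_domain, spf_result, spf_domain,
#                     dkim_result, dkim_domain, dmarc_record, expected)
CASES: List[Tuple[str, str, str, str, str, str, str, str]] = [
    ("legitimate, DKIM aligned", "example.org", "pass", "bulk-sender.net",
     "pass", "example.org", "v=DMARC1; p=reject", "pass"),
    ("relaxed SPF alignment via subdomain", "example.org", "pass", "mail.example.org",
     "fail", "", "v=DMARC1; p=reject; aspf=r", "pass"),
    ("strict SPF alignment refuses subdomain", "example.org", "pass", "mail.example.org",
     "fail", "", "v=DMARC1; p=reject; aspf=s", "reject"),
    ("spoofed display domain, p=quarantine", "example.org", "pass", "bad-actor.example",
     "none", "", "v=DMARC1; p=quarantine", "quarantine"),
    ("no DMARC record published", "example.org", "fail", "",
     "none", "", "", "no_policy"),
]


def run_cases() -> Dict[str, str]:
    return {desc: evaluate_dmarc(frm, sr, sd, dr, dd, rec)
            for desc, frm, sr, sd, dr, dd, rec, _ in CASES}


def all_cases_pass() -> bool:
    results = run_cases()
    return all(results[desc] == expected for desc, *_, expected in CASES)


if __name__ == "__main__":
    for desc, verdict in run_cases().items():
        print(f"{verdict:10s} {desc}")
```

The fourth case is the one the slide's "durable identity trust model" exists for: SPF passes for the attacker's own domain, but that identifier is not aligned with the From domain the recipient sees, so the published policy, not the raw SPF result, decides.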
  • 20. Design an Authentication Hub
    One framework
    Multiple authentication tools
    Change controls without changing applications
    Across mobile and web
    Policy-driven authentication model
  • 21. Next Generation Authentication
    Binary authentication is obsolete; Behavioral-based model is key; Innovation applied to the interface
    Authentication Hub: LOA; Advanced Analytics; Risk Score API; Dynamic LOA API; Backend Analytics & Risk Engine; Prevent @ Inception
    RT Push+TouchID; iWatch & Sign Out; Wearables + T/Haptic; Spatiotemporal + Real-Time (RT) Authorization; SWIPE + Contextual; SWIPE + TAP; Advanced Contextual; Cognitive & Device Biometrics; FIDO UAF 1.0; FIDO 2.0 When Available; Decentralized Authentication
  • 22. Automated vs. Normal Behavior
    https://member.aetna.com/appConfig/login/login.fcc
    Shifter; Customers; Attackers
    Legitimate traffic encounters no barriers
    Automated traffic can no longer send valid requests
    • Scripts
    • Content Scraping
    • Botnets
    • dDOS
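Slide 22 contrasts legitimate users with scripted traffic against the login endpoint. As an added example, not Aetna's code and not the product the slide depicts, the Python below separates the two from constructed gateway log lines using two signals a defender can compute from logs alone: a burst of requests inside a short window, and a metronomic cadence that people do not produce. The log format, thresholds and sample addresses are assumptions; only the login path comes from the slide's URL.

```python
# Added example: flag automated clients hitting the login endpoint from constructed log lines.
# Not Aetna's code. Log format, thresholds and addresses are assumptions.
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOGIN_PATH = "/appConfig/login/login.fcc"  # path from the slide's example URL
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')


def parse_line(line: str) -> Optional[dict]:
    """Parse one assumed-format line: '<iso-timestamp> <ip> "<METHOD> <path>" <status>'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "path": m["path"], "status": int(m["status"])}


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest request count in any span of length `window` (times must be sorted)."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(lines: List[str], window_s: int = 60, max_rate: int = 20,
             min_cv: float = 0.15) -> Dict[str, str]:
    """'automated' when an IP exceeds max_rate login requests per window, or when its
    inter-arrival times are near-constant (coefficient of variation below min_cv)."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(LOGIN_PATH):
            by_ip[rec["ip"]].append(rec["ts"])
    verdict: Dict[str, str] = {}
    for ip, times in by_ip.items():
        times.sort()
        rate_hit = max_in_window(times, timedelta(seconds=window_s)) > max_rate
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cadence_hit = False
        if len(gaps) >= 5 and statistics.mean(gaps) > 0:   # need a few gaps to judge rhythm
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
            cadence_hit = cv < min_cv
        verdict[ip] = "automated" if (rate_hit or cadence_hit) else "normal"
    return verdict


def constructed_log() -> List[str]:
    """Constructed sample traffic: one fast script, one person, one slow scraper, one bad line."""
    base = datetime(2016, 3, 1, 9, 0, 0)
    lines: List[str] = []
    for i in range(40):   # 40 POSTs one second apart from a single address
        lines.append(f'{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 "POST {LOGIN_PATH}" 401')
    for offset in (0, 17, 61, 140):   # a person: a few requests at irregular intervals
        lines.append(f'{(base + timedelta(seconds=offset)).isoformat()} 203.0.113.20 "POST {LOGIN_PATH}" 200')
    for i in range(8):    # slow scraper: exactly every 30 s, under the rate cap but metronomic
        lines.append(f'{(base + timedelta(seconds=30 * i)).isoformat()} 192.0.2.55 "GET {LOGIN_PATH}" 200')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, label in classify(constructed_log()).items():
        print(f"{ip:14s} {label}")
```

The cadence test is what catches the "low and slow" client that stays under any simple rate limit; it is also why the legitimate user with four requests is left alone, since too few samples exist to call a rhythm.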
  • 23. Recommendations
    Adopt and implement practices aligned with regulatory framework of choice
    Measure the effectiveness of the controls aligned with the framework
    Identify the enterprise’s top threats/risks
    Apply control design skills to top threats/risks and consider innovation opportunities
  • 24. Which Statement Gives You More Assurance?
    1. Aetna conforms to the NIST Cyber Security Framework and 800-53
    OR
    2. Aetna makes 30 changes to controls each month
    Adjusting Controls … it’s the New Normal!
  • 25. routhj@aetna.com, 860 273-7488
    Chairman, National Health Information Sharing & Analysis Center
    Board member, FS-ISAC
    ISE Award winner 2014 Healthcare