Do it Best Corp. Techapalooza 2013 Presentation
•Als PPTX, PDF herunterladen•
0 gefällt mir•320 views
There is a global war already taking place today. We simply have yet to acknowledge it. Our banks are under attack, our public utilities are at risk and the internet is being used more and more for political purposes, both bad and good. Cybercriminals blazingly brazenly brag their accomplishments and thumb their noses at authorities around the world. Governments are struggling with controls that are either too permissive or too restrictive. Join us in an important discussion of the state of the state of Cyber(x) as we explore issues and peer into the future. Find out what the “bad guys” are up to, and what the future holds.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Do it Best Corp. Techapalooza 2013 Presentation
Ähnlich wie Do it Best Corp. Techapalooza 2013 Presentation (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Do it Best Corp. Techapalooza 2013 Presentation
- 1. CYBER X Brian T. O’Hara, CISA Chief Information Security Officer The Mako Group, LLC IT & Information Security Auditing www.makopro.com
- 2. The Mako Group, LLC, Services • IT & Info Sec Auditing • IT Risk Assessments • Security Training • Vulnerability Assessments • Social Engineering • PCI DSS2 • Penetration Testing • Gap Assessments • SSAE 16 • SOX 404 • HIPAA • Virtual CISO
- 3. The Mako Group, LLC, Verticals • Financial – Banks – Credit Unions – Publicly Traded (SOX 404) • Credit Card Svc – PCI DSS2 • Healthcare – HIPAA – HITECH • Manufacturing – ISO 9000 – ISO 27000
- 4. CYBER (X) Never Have So Few Been Able to Do So Much Damage To So Many With So Little
- 5. CYBER (X) “If you have anything of value, you will be targeted.” John Stewart, CSO, Cisco Systems
- 6. The Problem(s) • Cyber Espionage • Cyber Crime • Cyber Terrorism • Cyber Activists (Hactivism)
- 7. The Problem(s) “there are 250,000 probes or attacks on US government networks per hour or 6 million a day from at least 140 foreign spy organizations” Lt. Gen. Keith Alexander at the 2010 G2 Summit
- 8. Cyber Espionage • Espionage: – the systematic use of spies to obtain secret information, especially by governments to discover military or political secrets
- 9. Cyber Espionage • Red October • Stuxnet • Flame
- 10. “The Chinese “are the world’s most actrive and persistent perpetrators of economic espionage,” the report by the Office of the National Counterintelligence Executive (NCIX) said, and Russia’s intelligence services are a second major culprit” Booze-Hamilton on Cyber Espionage
- 11. “China’s economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy.” U.S. Rep. Mike Rogers, October, 2011
- 12. “It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.” Chinese Defense Ministry, January, 2013
- 14. Cyber Terrorism • South Korea • Stuxnet • Flame • Shamoon (FLAME derivative) • SCADA
- 15. South Korea on alert after hackers strike banks, broadcasters The biggest attack by Pyongyang was a 10- day denial of service attack in 2011 that antivirus firm McAfee, part of Intel Corp, dubbed "Ten Days of Rain" and which it said was a bid to probe the South's computer defenses in the event of a real conflict.
- 16. SCADA • Supervisory • Control • And • Data • Acquisition
- 17. SCADA Attacks • Foreign hackers broke into a water plant control system in Springfield last week and damaged a water pump in what may be the first reported case of a malicious cyber attack on a critical computer system in the United States, according to an industry expert. Nov. 18, 2011 Washington Post
- 19. What about the Rhetoric • Inflammatory • Escalating • Sabre Rattling • Military Industrial Complex • Sensationalism v Journalism • 24 hour News Cycle
- 20. Cyber Crime • Bot nets and C&C • Zeus • Citadel • South Korea
- 22. Bank Attacks Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the people behind the ongoing DDoS attack campaign against U.S. financial institutions -- thought by some to be the work of Iran -- are using botnets for hire. Lucian Constantin in Computerowld, January 9, 2013
- 23. Bank Attacks Six leading U.S. banking institutions were hit by DDoS (distributed-denial-of-service) attacks on March 12, (2013) the largest number of institutions to be targeted in a single day, says security expert Carl Herberger of Radware. March 14, 2013 Bankinforsecurity.com
- 24. Identity Theft Approximately 15 million United States residents have their identities used fraudulently each year with financial losses totaling upwards of $50 billion. (Identity theft.info)
- 26. Cyber Activists (Hactivism) • LulzSec • Anonymous • Wiki Leaks
- 28. More on Hactivism • Anonymous Hacks FBI Cybercrime Conference Call • Symantec Sees pcAnywhere Extortion Shakedown • Hackers Target U.S. Banks Over Anti-Muslim Film • Aaron Swartz Suicide
- 29. How Are They Getting In? • Phishing Attacks • Unpatched Machines – OS – Third Party Apps • Insiders • IDS/IPS Bypassed
- 31. What Can We Do? • Security Gap • Awareness • Technological Solutions
- 32. The Security Gap • The place between where we are and where the bad guys are. • How do we narrow the gap? • What will it cost? • Can we do it?
- 33. Secure Coding • Develop More Widespread Secure Coding Practices – Regression Testing – Vulnerability Testing – Security Level Software Certifications
- 34. IPv6 • What is the hold up? • More Secure End to End • Apps need to begin moving to adopt • Companies need to embrace
- 36. Embrace Encryption • Data at Rest • Data in Transit • Data in Storage • Data Destruction
- 37. Get Better At Fixing • Detection and Response • Patch First, Fix Later • Improve on DR • Virtuality
- 39. Data Classification • Protect Intellectual Property • Ensure Proper Resource Allocation • DLP?
- 40. Some of the Good Guys • Trusted Sec (Dave Kennedy) – Metasploit Project – Social Engineering Toolkit • Bulb Security (Georgia Weidman) – Smartphone Pentest Framework • NIST • US-CERT
- 41. Government Intervention • Where do they fit? • Statutory or Administrative Authority • Scope of Powers
- 42. AWARENESS • WAKE UP! • Get the C-Suite Involved • Take Responsibility • Be Part of the Solution, Not the Problem
- 43. Training the Up and Comers • CCDC • STEM • Professional Associations • Mentorship
- 44. Order v Chaos • Governance • PP&Ps • Control Mechanisms • Risk Management • Testing, Monitoring and Evaluation • Review and Renew
- 45. Summary • The problems are many and complex • The solutions are just as much a challenge • Government only become more involved • Privacy laws need to be revisited • Comprehensive legislation must be passed
- 46. THANKS
- 47. RESOURCES • Bruce Schneier on Privacy • US-CERT • SANS • ISSA • ISACA • NIST • MS Security Center
Hinweis der Redaktion
- There is a global war already taking place today. We simply have yet to acknowledge it. Our banks are under attack, our public utilities are at risk and the internet is being used more and more for political purposes, both bad and good. Cybercriminals blazingly brazenly brag their accomplishments and thumb their noses at authorities around the world. Governments are struggling with controls that are either too permissive or too restrictive. Join us in an important discussion of the state of the state of Cyber(x) as we explore issues and peer into the future. Find out what the “bad guys” are up to, and what the future holds.
- The purpose of Espionage is not to inflict damage or shut down systems but to gain inside information from other countries undiscovered and continue to do so into the future. So why would the Chinese want to destroy us any more than the Soviets back in the 80s? This is not new stuff. We act like we are so surprised when we have been involved in this since the beginning. How does this differ than Cold Ware espionage where we and the Soviets constantly tried to open up the other with stolen secrets? What is new is the extent and depth of the penetrations. There are virtually no secrets left. Anything and everything is open to compromise. The Chinese aren’t the only ones involved in this. They are just very good at it.
- One item to discuss here is one that crosses both cybercrime and cyber terrorism lines and that is the recent DDoS attacks against the banking institutions supposedly by Islamist extremists in response to the video on YouTube defaming Allah. While this is on the surface a cyber terrorist attack, it also acts as a great diversion for cyber criminals while they attack and attempt account take overs (ATOs). SCADA, Supervisory Control and Data Acquisition. Basically a control system for servo motors that control: Water Treatment Communications Flood Control Power Grid Transportation Systems Rail Air Shipping
- These are the systems that control millions and millions of small PLCs (programmable logic controllers) used to control everything from pumps to monitoring levels of chemicals.
- Columbia Nuclear Power Plant, Washington State
- Some of this is politically motivated as in disrupting the financial markets as shown byu recent banking DDoS attacks by supposed
- This is a picture of the Carna Botnet from 2012. Instructions on how this botnet was established and it’s purpose was to find unsecured embedded devices on the internet (open to port 23 telnet). Through the use of some special scanning techniques, they were able to scan the entire internet in around an hour. http://internetcensus2012.github.com/InternetCensus2012/paper.html
- Recent events such as the release of the Wiki Leaks documents, penetration of the Feb. 6 hack of the Federal Reserve where 4,000 banker names were published by Anonymous.
- Start utilizing encryption! Use it whenever and wherever practical. And remember the lifecycle. If you don’t need it, don’t store it, destroy it (properly).
- One issue to note is that of the recent DHS US-CERT announced recommendation that users uninstall Java and stop using it. We need to know the boundaries of what the agencies should and should not be doing. These kinds of announcements or endorsements can have wide ranging and possible devastating impacts on business sectors.
- Where do they fit in the picture?
- Take a copy of this presentation to your upper management folks and shake them real hard! I am a child of the 60s. One of our sayings was: If you aren’t part of the solution, you are part of the problem.
- We need to look to the future. By the time we have gotten our heads around these problems, a whole new batch of them will crop up and we need to constantly be grooming our replacements. Let’s make Information Security the next “coolest job”.
- There is a good reason why the Federal Government imposes so many compliance regulations on high security operations. We operate some of the largest, most complex, and valued networks in the world. And as a result we must be the best at protecting those assets. The only way to do that is with a solid plan, procedures and processes that have been tested, found to be reliable, and can be replicated over and over.