2015 cyber security
TRANSCRIPT
Why Enterprise Security Fails in Cyber Space and What You Can Do
About It?
ISACA
Allen Zhang
02/19/2015
Me & this Presentation
• << than 30 years of IT experience in infrastructure & development
• << 15 years in info security & privacy
• Educated in Chinamerica and got a bunch of certs for job security
• Enterprise security model
• What went wrong
• Cyber security framework
• What may work for you
Black Swan Events
C-Suite & BoD (NACD) Woke Up?
Pure Bad Luck?
Johns Hopkins Kimmel Cancer Center – 2/3 caused by random mutation in the tissue cells during the ordinary process of stem cell division; 1/3 by genetic inheritance and lifestyle. (The journal Science, Friday 2 January 2015)
• A Matter of When, Not If – weakest link, hacker’s proficiency & ROI
• From natural disasters to likely event and a risk factor in planning
• The first or the last? Sensational? or Delicious? and How much?
Why/How Did They Fail?
Budget for security ?
Staffs?
Skillsets?
Security tools?
Management support?
Wrong projects?
Low priorities?
Root Cause
Inherent Flaws of Enterprise Security Doctrines
Design Issues in Current Practices
• Designed for compliance of regulations and requirements
• Measured by process executions
• A fortress with inside-out lenses
• Policy & process driven
• Focus on program and its structured, planned, & organized operations
• For peace time, maybe conventional war for script-kids, not cyber warfare
Cybersecurity's Maginot Line
The Placebo Effect of the Defense-in-Depth Model
One million things done right is breached by one thing done wrong!
To Err Is Human!
http://www.saferoutesinfo.org/ – Why are pedestrian push buttons used at traffic signals?
Then how do you protect a user – from himself or herself?
Possible To Keep Up With Cyber Adversaries?
Enterprise Security
Cyber Hackers
Cybercrime Infrastructure
From Proofpoint
Better than the cyber defense capability in probably 150+ countries
Want Revenge?
1) Become one of them
2) Get into their minds, forums and networks
3) Learn their skills and keep up with it
4) Join bounty program
5) Practice day & night
6) Hit back
Or Something Else?
Turn This Around?
Adopt Cyber Security Framework
Identify – Every Piece of IT
• Total network device visibility
• Hardware/software inventory and compliance without choking innovation and productivity
• Apps hosted outside of your marked territory
• Data – identity/credit card $1; with PHI, a complete record up to $1000
• 2015 – year of the health care hack – started with Anthem; fraud not detectable as a card transaction
• Encryption, de-identification, privileged access, usage patterns
You cannot manage what you don’t know
Protect – Game of Elimination & Exponential Factor
Detect – Find it Yourself, BFF or from Media
Considering 24X7 Vigilance and Incident Response?
Respond & Recover
Breached, now what?
cyber insurance, credit monitoring, incident/forensics retainer, mock drills …
ABC - Cyber Security Structure
• Chain of command, cyber security committee, incident response team
• Work scope: your network, your cloud apps, your vendors’ apps, links to your vendors
• Communications and reporting
• Strategy, plan, projects, tasks
Do
Make Sure
Think
Measuring Effectiveness
• Show that you can do it, are ready to do it any time, and do it very quickly – readiness, capability, capacity, response time, sustainability
• Keep records and a trail of due diligence to protect yourself in the event of a breach
MVS - Lean Security Model
• Lean – capital, resource, time – no waste
• Compliance (Minimum) – baseline compliance (risk:))
• Viable – top cyber risks, weakest link, sustainable, and survival of the fittest
• Dependency – defense on your own feet
What is the right budget for cyber defense?
Maturity Levels
• Compliance – regulations, industrial, audits, other compliance, p+p+t
• Cyber risks – your presences, your partners, your premises
• Productivity – mobile, work any time/place/device, home office, cloud apps, outsourced apps, services now
• Services/products integrated – cheaper w/o s&p; FDA, FTC mobile app reviews
Will you pay 1 ¢ more at Target for better security?
Take Away
• Gloomy about the current state – bad guys are winning, totally …
• Feel better over time and in the near term – we learn how to deal with it and live with it
• Optimistic about getting better in the long term -> 50+ years
[email protected] 808-777-9895