Why Enterprise Security Fails in Cyber Space and What You Can Do About It? ISACA Allen Zhang 02/19/2015

Page 1: 2015 Cyber Security

Why Enterprise Security Fails in Cyber Space and What You Can Do About It?

ISACA

Allen Zhang

02/19/2015

Page 2

Me & this Presentation

• Less than 30 years of IT experience in infrastructure & development

• Less than 15 years in info security & privacy

• Educated in Chinamerica and got a bunch of certs for job security

• Enterprise security model

• What went wrong

• Cyber security framework

• What may work for you

Page 3

Black Swan Events

Page 4

C-Suite & BoD (NACD) Woke Up?

Page 5

Pure Bad Luck?

Johns Hopkins Kimmel Cancer Center: 2/3 caused by random mutations in tissue cells during the ordinary process of stem cell division; 1/3 by genetic inheritance and lifestyle (the journal Science, Friday 2 January 2015)

• A matter of when, not if – the weakest link, the hacker's proficiency & ROI

• From "natural disaster" to a likely event and a risk factor in planning

• The first or the last? Sensational or delicious? And how much?

Page 6

Why/How Did They Fail?

Budget for security?

Staff?

Skillsets?

Security tools?

Management support?

Wrong projects?

Low priorities?

Page 7

Root Cause

Inherent Flaws of Enterprise Security Doctrines

Page 8

Design Issues in Current Practices

• Designed for compliance with regulations and requirements

• Measured by process execution

• A fortress with inside-out lenses

• Policy & process driven

• Focus on the program and its structured, planned, & organized operations

• Built for peacetime, maybe for conventional war against script kiddies, not for cyber warfare

Page 9

Cybersecurity's Maginot Line

The Placebo Effect of the Defense-in-Depth Model

One million things done right is breached by one thing done wrong!

Page 10

To Err Is Human!

http://www.saferoutesinfo.org/ – Why are pedestrian push buttons used at traffic signals?

Then how do you protect a user from himself or herself?

Page 11

Possible To Keep Up With Cyber Adversaries?

Enterprise Security

Cyber Hackers

Page 12

Cybercrime Infrastructure (from Proofpoint)

Better than the cyber defense capability in probably 150+ countries

Page 13

Want Revenge?

1) Become one of them

2) Get into their minds, forums and networks

3) Learn their skills and keep up with them

4) Join a bounty program

5) Practice day & night

6) Hit back

Or Something Else?

Page 14

Turn This Around?

Adopt Cyber Security Framework

Page 15

Identify – Every Piece of IT

• Total network device visibility

• Hardware/software inventory and compliance without choking innovation and productivity

• Apps hosted outside of your marked territory

• Data – an identity/credit card record is worth $1; a complete PHI record up to $1000

• 2015 – the year of the health care hack, starting with Anthem; the resulting fraud is not detectable the way a card transaction is

• Encryption, de-identification, privileged access, usage patterns

You cannot manage what you don't know

Page 16

Protect – Game of Elimination & Exponential Factor

Page 17

Detect – Find It Yourself, from a BFF, or from the Media

Considering 24x7 vigilance and incident response?

Page 18

Respond & Recover

Breached, now what?

Cyber insurance, credit monitoring, incident/forensics retainer, mock drills …

Page 19

ABC - Cyber Security Structure

• Chain of command, cyber security committee, incident response team

• Work scope: your network, your cloud apps, your vendors’ apps, links to your vendors

• Communications and reporting

• Strategy, plan, projects, tasks

Do

Make Sure

Think

Page 20

Measuring Effectiveness

• Show that you can do it, are ready to do it any time, and do it very quickly – readiness, capability, capacity, response time, sustainability

• Keep records and a trail of due diligence to protect yourself in the event of a breach

Page 21

MVS - Lean Security Model

• Lean – capital, resource, time – no waste

• Compliance (Minimum) – baseline compliance (risk:))

• Viable – top cyber risks, weakest link, sustainable, and survival of the fittest

• Dependency – defense on your own feet

What is the right budget for cyber defense?

Page 22

Maturity Levels

• Compliance – regulations, industrial, audits, other compliance, p+p+t

• Cyber risks – your presences, your partners, your premises

• Productivity – mobile, work any time/place/device, home office, cloud apps, outsourced apps, services now

• Services/products integrated – cheaper w/o s&p, FDA, FTC mobile app reviews

Will you pay 1 ¢ more at Target for better security?

Page 23

Take Away

• Gloomy about the current state – bad guys are winning, totally …

• Feeling better over time and in the near term – we learn how to deal with it and live with it

• Optimistic about getting better in the long term – 50+ years

Page 24

[email protected] 808-777-9895