2015 Cyber Security
Why Enterprise Security Fails in Cyber Space and What You Can Do About It?
ISACA
Allen Zhang
02/19/2015
Me & this Presentation
• << than 30 years of IT experience in infrastructure & development
• <<15 years in info security & privacy
• Educated in Chinamerica and got a bunch of certs for job security
• Enterprise security model
• What went wrong
• Cyber security framework
• What may work for you
Black Swan Events
C-Suite & BoD (NACD) Woke Up?
Pure Bad Luck?
Johns Hopkins Kimmel Cancer Center – 2/3 caused by random mutation in the tissue cells during the ordinary process of stem cell division; 1/3 by genetic inheritance and lifestyle (the journal Science, Friday 2 January 2015)
• A Matter of When, Not If – weakest link, hacker’s proficiency & ROI
• From natural disasters to likely event and a risk factor in planning
• The first or the last? Sensational or delicious? And how much?
Why/How Did They Fail?
Budget for security?
Staff?
Skillsets?
Security tools?
Management support?
Wrong projects?
Low priorities?
Root Cause: Inherent Flaws of Enterprise Security Doctrines
Design Issues in Current Practices
• Designed for compliance with regulations and requirements
• Measured by process executions
• A fortress with inside-out lenses
• Policy & process driven
• Focus on program and its structured, planned, & organized operations
• For peacetime, maybe for conventional war against script kiddies, not for cyber warfare
Cybersecurity's Maginot Line
The Placebo Effect of the Defense-in-Depth Model
One million things done right is breached by one thing done wrong!
To Err Is Human!
http://www.saferoutesinfo.org/
Why are pedestrian push buttons used at traffic signals?
Then how do you protect a user from himself or herself?
Possible To Keep Up With Cyber Adversaries?
Enterprise Security
Cyber Hackers
Cybercrime Infrastructure (from Proofpoint)
Better than the cyber defense capability in probably 150+ countries
Want Revenge?
1) Become one of them
2) Get into their minds, forums and networks
3) Learn their skills and keep up with them
4) Join bounty program
5) Practice day & nite
6) Hit back
Or Something Else?
Turn This Around?
Adopt Cyber Security Framework
Identify – Every Piece of IT
• Total network device visibility
• Hardware/software inventory and compliance without choking innovation and productivity
• Apps hosted outside of your marked territory
• Data – an identity/credit card record sells for about $1; a complete PHI record for up to $1000
• 2015 – year of the health care hack, starting with Anthem; this fraud is not detectable the way a card transaction is
• Encryption, de-identification, privileged access, usage patterns
You cannot manage what you don't know
Protect – Game of Elimination & Exponential Factor
Detect – Find It Yourself, from a BFF, or from the Media
Considering 24x7 vigilance and incident response?
Respond & Recover – Breached, now what?
cyber insurance, credit monitoring, incident/forensics retainer, mock drills …
ABC - Cyber Security Structure
• Chain of command, cyber security committee, incident response team
• Work scope: your network, your cloud apps, your vendors’ apps, links to your vendors
• Communications and reporting
• Strategy, plan, projects, tasks
Diagram: Think – Do – Make Sure
Measuring Effectiveness
• Show that you can do it, are ready to do it any time, and can do it very quickly – readiness, capability, capacity, response time, sustainability
• Keep records and a trail of due diligence to protect yourself in the event of a breach
![Page 21: 2015 Cyber Security](https://reader031.vdocuments.mx/reader031/viewer/2022030318/58ee6e0f1a28abd6488b4577/html5/thumbnails/21.jpg)
MVS - Lean Security Model
• Lean – capital, resource, time – no waste
• Compliance (Minimum) – baseline compliance (risk :))
• Viable – top cyber risks, weakest link, sustainable, and survival of the fittest
• Dependency – defense on your own feet
What is the right budget for cyber defense?
![Page 22: 2015 Cyber Security](https://reader031.vdocuments.mx/reader031/viewer/2022030318/58ee6e0f1a28abd6488b4577/html5/thumbnails/22.jpg)
Maturity Levels
• Compliance – regulations, industrial, audits, other compliance, p+p+t
• Cyber risks – your presences, your partners, your premises
• Productivity – mobile, work any time/place/device, home office, cloud apps, outsourced apps, services now
• Services/products integrated – cheaper w/o s&p, FDA, FTC mobile app reviews
Will you pay 1 ¢ more at Target for better security?
![Page 23: 2015 Cyber Security](https://reader031.vdocuments.mx/reader031/viewer/2022030318/58ee6e0f1a28abd6488b4577/html5/thumbnails/23.jpg)
Take Away
• Gloomy about the current state – bad guys are winning, totally …
• Feel better over time and in the near term – we learn how to deal with it and live with it
• Optimistic about getting better in the long term – 50+ years
![Page 24: 2015 Cyber Security](https://reader031.vdocuments.mx/reader031/viewer/2022030318/58ee6e0f1a28abd6488b4577/html5/thumbnails/24.jpg)
[email protected] 808-777-9895