
© Copyright 2009 SCORE Statistical Consulting Inc.™ All Rights Reserved www.scorestat.com

Kristofer Laxdal, Director Info and Cyber Security – Prophix Software Inc

November 14th, 2017

Cyber Security


Overview

▪ Introduction

▪ Data – ‘The New Oil’

▪ ‘Oil Spills’ Continue in 2017

▪ What is Cyber Security

▪ Containment Strategies

▪ Top Five Predictions for 2017-2018


Introduction


Introduction – About Me

▪ Kristofer Laxdal, Director, Information and Cyber Security, Prophix Software Inc.

▪ Prophix is a leading FP&A SaaS provider - as well as on-prem - http://www.prophix.com/

▪ Previously held Cyber Security roles within CanDeal, IBM, Hewlett Packard, Hbc and many more.


Data Is The ‘New Oil’


“Data is the new oil. It’s valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc. to create a valuable entity that drives profitable activity; so must data be broken down, analyzed for it to have value.”
Clive Humby, UK Mathematician and architect of Tesco’s Clubcard, 2006 (widely credited as the first to coin the phrase)

“Information is the oil of the 21st century, and analytics is the combustion engine.”
Peter Sondergaard, SVP Gartner, 2011

"I believe that data is the new oil. I am saying it in this country because I believe that the prosperity that oil brought in the last 50 years, data will bring in the next 50, 100 years if you use it the right way,"
May 2017, Ajay Banga, president and CEO of MasterCard – Speech in Saudi Arabia


The Oil Spill


Oil is valuable …

However, if mishandled …

It is toxic and flammable – spills can be disastrous.


‘Oil Spills’ Continue in 2017

The Leaks Keep Coming

E-Sports Entertainment Association (ESEA)
January 8, 2017: 1,503,707 records

InterContinental Hotels Group (IHG)
February 7, 2017: Malware was found on servers which processed payments made at on-site restaurants and bars. Stolen data includes cardholder names, card numbers, expiration dates, and internal verification codes.

River City Media
March 6, 2017: Database of 1.4 billion email accounts, IP addresses, full names, and some physical addresses.

Saks Fifth Avenue
March 19, 2017: Customer information posted in plain text via a specific link on the Saks Fifth Avenue website. The information for tens of thousands of customers was visible on a page: email addresses, phone numbers, product codes, and IP addresses.


America’s JobLink
March 21, 2017: America’s JobLink revealed its systems were breached by a hacker who exploited a misconfiguration in the application code. Personal information of 4.8 million job seekers, including full names, birth dates, and Social Security numbers.

Gmail
May 3, 2017: Gmail users were targeted in a sophisticated phishing scam that sought to gain access to accounts through a third-party app. The link led to Google’s real security page, where the person was prompted to allow a fake Google Docs app to manage his or her email account. The company says it estimates about 1 million users may have been affected.

DocuSign
May 17, 2017: Customers and users of the electronic signature provider DocuSign were targeted recently by malware phishing attacks. DocuSign-branded messages were sent that prompted recipients to click and download a document that contained malware.


Deloitte
September 25, 2017: The reason behind this one is pretty embarrassing for a company that was once named the “best cybersecurity consultant in the world” by Gartner. The firm did not employ two-factor authentication, so when hackers acquired a single password from an administrator of the firm’s email account, they were able to access all areas of the email system.

Yahoo! (Update)
October 9, 2017: In December 2016, it was reported that “more than 1 billion user accounts” may have been impacted by the 2013 Yahoo breach. Recent news, however, shows it was indeed more than 1 billion, much more. Four months after Verizon acquired Yahoo’s core internet assets, it was revealed that every single customer account was impacted by that breach; three billion Yahoo accounts, including email, Tumblr, Fantasy, and Flickr, were stolen. Even after thorough investigations, it is still unknown who was behind the 2013 Yahoo breach.


What Is Cyber Security?

▪ Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack.

▪ This includes damage or unauthorized access - as well as - disruption or misdirection of the services they provide.

▪ Wow! That covers a lot of ground.


Cyber Security Domains


2017 Breach Profile


The Cyber Breach Profile


Statistics from the Verizon Data Breach Investigation Report 2017


Spill Containment Strategies

Containment Strategies

Implementing a formal information security governance approach

Establish and maintain a framework that provides assurance that information security strategies are aligned with and support the business - a great starting point.

When selecting one of these methods, ensure your program provides the ability to employ a risk-based approach and enables your teams to detect incidents.

Stop Data Loss

Most enterprises rely on employee trust, but that won’t stop data from leaving the company.

Now, more than ever, it is extremely important to control access, monitor vendors and contractors as well as employees, and know what your users are doing with company data.

Detect Those Insider Threats

Your biggest asset is also your biggest risk.

While well-trained users can be your security front line, you still need technology as your last line of defense.

UEBA (user and entity behavior analytics) allows you to detect unauthorized behavior and verify that user actions are not violating security policy.

Back Up Data, Rinse, Repeat

It is crucial for an organization to have a full, tested and working backup of all of its data - not only from a basic security hygiene perspective, but also to combat emerging attacks.

Beware of Social Engineering

The technology and IT security policies you implement don’t replace the need for common sense or eliminate human error.

Remember, most hacks are ‘credentialed hacks’.

Attempts may come from phone, email (phishing) or other communications with your users.

The best defense is to…

Educate and Train Your Users

Your users will always be your weakest link when it comes to information security.

Training on how to recognize a phishing email, create and maintain strong passwords, avoid dangerous applications, and ensure valuable information is not taken out of the company, in addition to other relevant user security risks, is critical.

Patch and Update All Software and Systems - Min 30 days -

With cyber-criminals constantly inventing new techniques and looking for new vulnerabilities, an optimized cyber security posture is only optimized for so long.

Make sure your software and hardware are up to date with the latest and greatest within a minimum of 30 days of a patch release - immediately if critical / zero day.

Create an Incident Response Plan

No matter how well you follow these best practices, you will still get breached - it’s not an if - it is a when.

Having a tested response plan laid out ahead of time will allow you to close any vulnerabilities, limit the damage of a breach, and remediate nimbly and effectively.

Maintain Your Compliance

Regulations like HIPAA, PCI DSS and ISO offer standards for how your business should conduct and measure its security posture.

More than a hassle which you need to prepare audit logs for, compliance can help guide your business.

Top Five 2017-2018 Cyber Security Predictions

2017-2018 Cyber Security Predictions

Increase in Supply Chain Attacks Through 2018

In a nutshell, a “supply chain attack” refers to the compromise of a particular asset, e.g. a software provider’s infrastructure and commercial software, with the aim to indirectly damage a certain target or targets, e.g. the software provider’s clients.

Used as a stepping stone for further exploitation once a foothold is gained on the target system or systems.

IoT – Continued serious attacks

DDoS / Credential Stealing

Gartner estimates that there are 6.4 billion connected things worldwide in use this year, a number expected to reach 20.8 billion by 2020.

That’s a lot of targets (most aren’t or cannot be patched easily).

Ransomware

▪ If you thought 2016 was bad for ransomware, then 2017-2018 will be worse.

▪ Expect to see a higher attack volume, using more sophisticated technologies, and a continued upward trajectory in 2017.

What you need to consider:

▪ When was the last time you tested and verified the backup?

▪ Have you applied basic file blocking to prevent threats from entering your organization?

▪ Certain file types can be a risk to your organization. Ask yourself, “Should we allow all files or should we manage the risk by not allowing malicious file types that may cause an issue?”

Blockchain Technology

Blockchain technology vulnerabilities will be discovered by malicious actors who will exploit them in an effort to compromise the security and confidentiality of financial transactions in 2017-2018.

Rise of artificial intelligence and machine learning-driven security

These frameworks will be leveraged by Cyber Security teams for implementing predictive security analytics across public, private and SaaS cloud infrastructures by leveraging externally sourced threat data and using it for self-configuring / self-healing based on organization-specific needs.


Thank you