Cyber Security for Wisconsin Government Finance Office Association

Page 1

The Wild, Wild Internet
Cyber Security for Wisconsin Government Finance Office Association
Mark Wilson, CISSP, ITIL, CBCP, CCM
Director of Information Risk Management

Page 2

Agenda
• Sikich Information
• Is the Threat Real?
• Statistical Information
• Is this True?
• What is Security?
• Why Are Things So Bad?
• Executive Management’s Role
• Moving Forward

Page 3

Sikich Information

Page 4

About Sikich
» Multi-disciplinary: An accounting, advisory, investment banking, technology and managed services firm with clients in the U.S. and internationally.
» Excellent reputation: With a reputation for professional excellence, Sikich provides unsurpassed client service as well as timely and cost-effective services.
» Strong talent: We employ more than 500 talented people including 91 partners, all of whom devote their careers to a focused area.
» Award winning: Accounting Today ranks the Firm 40th nationally among the top 100 accounting firms and 11th in the top 100 VARs.

$97M in revenue in 2013
6,976 public and private sector clients
8,635 individual clients
500+ total personnel
91 partners
1 collaborative and positive culture

Page 5

Sikich Service Lines

Accounting, Audit & Tax: Financial Reporting, Employee Benefit Plan Audit, Accounting Services, Tax Planning

Advisory: Business Valuation, Dispute Advisory, Human Resources, Insurance Services, Marketing & Public Relations, Retirement Plan Services, Risk Advisory, Supply Chain, Wealth Management

Investment Banking: Acquisitions Advisory, Sales Advisory, Capital Raises, Strategic Advisory

Technology: Accounting & ERP Software, CRM Software, IT Infrastructure, Cloud & Hosting Solutions, Strategic IT Planning, Communication & Collaboration, IT Consulting

Managed Services: Outsourced Accounting, Managed IT, Outsourced Human Resources, Outsourced Marketing & Public Relations

Securities are offered through Sikich Corporate Finance LLC, a registered broker dealer with the Securities Exchange Commission and a member of FINRA/SIPC. Advisory services offered through Sikich Financial, a Registered Investment Advisor. General securities offered through Triad Advisors, Member FINRA/SIPC.

Page 6

Industry Expertise, Tailored Approach
» Agriculture
» Manufacturing & Distribution
» Construction
» Professional Services
» Real Estate
» Retail
» Government
» Non Profit
» Healthcare
» Higher Education

Deep industry experience and longevity.
Cross sectional teams with a depth and breadth of experience to handle the complete solution.
Solution centric and product agnostic.

Page 7

Is The Threat Real?

Page 8

SC Magazine 03.21.2014

Page 9

securitycurrent 03.20.2014

200,000,000 US consumers
Attack uses 162,000 WordPress sites
$120,000,000,000 security industry spend

Page 10

Ever Seen One of These?

1,200,000 problem devices

Page 11

Target Breach…

John J. Mulligan, Executive Vice President and Chief Financial Officer of the Target Corporation, listens on Capitol Hill in Washington, Tuesday, Feb. 4, 2014, while testifying before the Senate Judiciary Committee hearing on data breaches and combating cybercrime.

Mulligan disagreed, telling Franken that the company has spent “hundreds of millions of dollars” on a multilayered consumer protection protocol.

Sen. Sheldon Whitehouse, D-R.I., said that when a company as large as Target “can be hacked without knowing it, it is not to say that Target did something wrong,” but that everyone is vulnerable.

Klobuchar agreed, saying, “This can happen to anyone.”

Target security too weak… Conclusion…

http://www.startribune.com/politics/statelocal/243508791.html

Page 12

Target Breach…

Page 13

Is This the Current State of the Internet?

Page 14

Is This the Current State of the Internet?

Security experts say that Operation USA, a coordinated online attack against banking and government websites slated for May 7, is a serious threat. As a result, organizations should be upping their distributed-denial-of-service attack mitigation strategies to guard against the attacks, which are being coordinated by the hacktivist group Anonymous.

Page 15

Is This the Current State of the Internet?

Page 16

… plus the problems we create

Page 17

Statistical Information

Page 18

Global Consumer Losses - 2013
(chart: 2013 Norton Report)

Page 19

Global Consumer Losses - 2013
(chart: 2013 Norton Report)

Page 20

Dollars Spent on Security

$120,000,000,000 defending against cyber-attacks

Page 21

Breaches, malware cost $491 B ($491,000,000,000)

Page 22

Hackmageddon.com – Aug. 2013

Page 23

Hackmageddon.com – Aug. 2013

Page 24

Hackmageddon.com – Aug. 2013

Page 25

Current Statistics

Page 26

The Current Threat Landscape

Page 27

The Current Threat Landscape

…Information from VirusTotal

Page 28

The Current Threat Landscape

…Information from VirusTotal

Page 29

The Current Threat Landscape

…Information from VirusTotal

Page 30

Kaspersky Lab Statistics

Page 31

Organizations on Average Hit Every Three Minutes with Malware

… threatpost.com

Page 32

Is This True?

Page 33

Internet Privacy

Page 34

Internet Privacy

A Helpful Venn Diagram… (circles: The Internet / Privacy)

Page 35

Mozilla - Lightbeam

Who’s asking for information about me?

Page 36

Who’s Tracking Me?

Page 37

Who’s Tracking Me?

There’s no such thing as a free website…

Page 38

Google, Bing, Yahoo, etc.

Page 39

Google, Bing, Yahoo, etc.

Files containing 360 million credentials, 1.25 billion email addresses, located on Deep Web
February 28, 2014, SC Magazine

US Population = 313.9 M (2012)

Page 40

The Darknet

Page 41

FTP – File Transfer Protocol

Hackers circulate thousands of FTP credentials, New York Times among those hit
February 13, 2014, PC World

Outlaw FTP and Telnet in your organization!!!

Page 42

The New Normal… (krebsonsecurity)

200-400 Gbps DDoS attacks

Page 43

HTTP Cookies
• Stored on user PC
• Sent to website
• “Remembers” state

Information
• User activities
• Tracking cookies
• Authentication

Cookies
• Reduce information passed in the URL

Page 44

What’s an LSO – Local Shared Object
• Adobe Flash origin
• Stores user preferences
• Stored in a “common folder / directory”
• Privacy concerns

Page 45

How Many O/S’s in a Mobile Phone?
• iOS
• Android
• Windows

…security researcher Ralf-Philipp Weinmann of the University of Luxembourg set out to reverse engineer the baseband processor software of both Qualcomm and Infineon, and he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits…

Page 46

Android Security

Page 47

Serious Vulnerabilities Found in Popular Home Wireless Routers

Threatpost.com

Page 48

300,000 Compromised Routers Redirecting Traffic to Attacker Sites

Page 49

ZMap – Map the Internet in 45 Minutes

Page 50

Isn’t Backup and Monitoring Simple???

• Backup
  • Block
  • File
  • Image
  • Incremental
  • Differential
  • Full
  • CDP
  • CoW – copy on write (synchronous)
  • CRW – copy redirect on write (asynchronous)
  • Deduplication
  • Encryption (key mgmt)
  • Data residency laws
  • Frequency
  • Retention levels
  • Image consistent
  • Application consistent (database aware)
  • Open file handling
  • VMs

• Recovery
  • File
  • Image
  • System
  • Point-in-time

• Monitoring / Alerting / Warnings
  • Network
  • Access control
  • Log files
  • Signature comparisons
  • Heuristic / behavior based controls
  • Database access
  • Baselines
  • Trends
  • 4 phase alerts
  • Multiphase alerts

Page 51

Wireless Connectivity

Page 52

What is Security?

Page 53

Three Security Pillars

CONFIDENTIALITY – INTEGRITY – AVAILABILITY

SECURITY – C.I.A.

Page 54

Security – another perspective

(ISC)2 – International Information Systems Security Certification Consortium

“Security Transcends Technology”

Page 55

High Level Security Controls

Physical: Locks, Lights, Fences
Logical (technical): Firewall, Passwords, Motion Detectors
Administrative: Policies, Audits, Training

Preventive – Detective – Corrective – Compensatory

Page 56

High Level Security Controls

Preventive – Detective – Corrective – Compensatory

Triad of Security Controls (figure; Administrative label visible)

Page 57

Why are Things So Bad?

Page 58

What’s Wrong with Security?

Security includes People, Process, and Technology but… it’s not part of our organizational DNA.

#1. It’s NOT fundamental to our organizations. Security must be part of the fabric of our organizations.

#2. It’s not important… enough. Risk < Reward

… Business Problems

Page 59

Deleting Information?
• Computers
• Memory
• Files

0111101000100100 in use
0111101000100100 deleted

• Backups
• Archives
• Cloud backups

…is it ever really gone? …and we are still building computers this way!

… System Design Problems
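As an added illustration of the slide's point (this toy model is not from the presentation), a small Python block-store simulation: an ordinary delete only unlinks the directory entry, so a raw scan of the blocks still finds the data, while an overwrite before unlinking leaves nothing to recover. The disk layout, file names and contents are constructed for the demonstration.

```python
# Added example (not part of the presentation): a toy block-storage model of the
# slide's point that "delete" leaves the bits in place.  The disk layout, file
# names and contents are constructed for the demonstration.
from typing import Dict, List, Optional

BLOCK_SIZE = 8  # bytes per block; kept small so the layout is easy to inspect


class ToyDisk:
    """Minimal model of a block device plus a directory (allocation table)."""

    def __init__(self, num_blocks: int) -> None:
        # Raw storage: every block starts zero-filled.
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(num_blocks)]
        # Directory: file name -> ordered list of block indexes it occupies.
        self.directory: Dict[str, List[int]] = {}
        # Free list: blocks the allocator may hand out.  "Free" says nothing
        # about what bytes a block currently holds.
        self.free: List[int] = list(range(num_blocks))

    def write_file(self, name: str, data: bytes) -> List[int]:
        """Allocate blocks, copy the data in, record the mapping in the directory."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)
            block = self.blocks[idx]
            block[:] = bytes(BLOCK_SIZE)        # a write covers the whole block
            block[:len(chunk)] = chunk
            used.append(idx)
        self.directory[name] = used
        return used

    def read_file(self, name: str) -> Optional[bytes]:
        """Read through the directory, the way ordinary software sees the disk."""
        if name not in self.directory:
            return None
        raw = b"".join(bytes(self.blocks[i]) for i in self.directory[name])
        return raw.rstrip(b"\x00")

    def delete_file(self, name: str) -> None:
        """Ordinary delete: drop the directory entry and mark the blocks free.
        The bytes inside the blocks are not touched, exactly as on the slide."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name: str) -> None:
        """Overwrite the file's blocks before unlinking so nothing survives a scan."""
        for idx in self.directory[name]:
            self.blocks[idx][:] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def carve(self, needle: bytes) -> List[int]:
        """Forensic-style scan of every raw block, allocated or not, ignoring the
        directory.  Returns the indexes of blocks that still contain needle."""
        return [i for i, blk in enumerate(self.blocks) if needle in bytes(blk)]


def demo() -> dict:
    """Walk through an ordinary delete and a secure delete on the toy disk."""
    disk = ToyDisk(num_blocks=8)
    # Constructed sample content; both files span more than one block.
    disk.write_file("ledger.txt", b"ACCT 4417 ROUTING 0750")
    disk.delete_file("ledger.txt")                 # ordinary delete: unlink only
    disk.write_file("payroll.csv", b"SSN 123-45-6789")
    disk.secure_delete("payroll.csv")              # overwrite, then unlink
    return {
        "ledger_visible": disk.read_file("ledger.txt"),   # None: file is "gone"
        "ledger_carved": disk.carve(b"ROUTIN"),           # [1]: bits still there
        "payroll_carved": disk.carve(b"6789"),            # []: overwritten first
    }


if __name__ == "__main__":
    print(demo())
```

The same applies to the backups, archives and cloud copies the slide lists: each is another set of blocks that an unlink never touches.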

Page 60

Cyber Crime Innovations

Page 61

Cyber Crime Innovations
• Huge rewards
• Growing market
• Recruit smart & clever staff
• Nation state protection
• Mobile & remote access
• Old software
• Old systems

Page 62

SC Magazine

Page 63

Krebs on Security (krebsonsecurity.com)

Page 64

What’s it Cost?

Page 65

Unhackable Networks?
Classified Network / Unclassified Network

Page 66

Unhackable Networks?
Classified Network / Unclassified Network

Hacker

Page 67

Unhackable Networks?
Classified Network / Unclassified Network

Hacker – Favorite Hacker Tool

Page 68

Executive / Senior Management Role

Page 69

Hard Questions… What Does the Organization Require?
• Security
• Recovery
• Resiliency
• Insource vs Outsource
• Cloud

Page 70

Organizational Changes… How Shall We Then Live? (Francis Schaeffer)
• Cultural changes
• Business mindset

These are NOT Additional Initiatives!!!
• Security
• Recovery
• Resiliency
• Insource vs Outsource
• Cloud

Page 71

Organizational Changes…

Today – How Shall We Then Live?
• Cultural changes
• Business mindset

These are NOT Optional Initiatives!!!
✓ Security
✓ Recovery
✓ Resiliency
✓ Insource vs Outsource
✓ Cloud

Tomorrow
• Senior Management
• Finance
• Human Resources
• Purchasing
• IT

Page 72

Cloud Expectations… Contract Language…

Business Transfers

Cloud vendor XXXXXX may sell, transfer, or otherwise share some or all of its business or assets, including your Personal Information and Non-Identifying Information in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.

Page 73

What Can We Do About This?

Page 74

Passwords – don’t forget the simple stuff

Passwords, office / whiteboard hygiene, lock file cabinets, change locks, monitor, etc…

Page 75

Partner in the Absence of Expertise

Augment Core Competencies

Page 76

W3C (World Wide Web Consortium) - http://validator.w3.org/unicorn/

Page 77

Top 20 Critical Security Controls - Version 5

11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

SANS Institute

Page 78

Top 20 Critical Security Controls - Version 5

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

SANS Institute

Page 79

OWASP Top 10
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards

Open Web Application Security Project

Page 80

www.us-cert.gov – US Computer Emergency Readiness Team

Current Activity

• Cisco UCS Director Default Credentials Vulnerability
  Published Friday, February 21, 2014

• Cisco has released a security advisory to address a vulnerability in Cisco Unified Computing System (UCS) Director. This vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device due to a default root user account created during installation. Successful exploitation of this vulnerability would provide the attacker with full administrative rights to the system.

Page 81

nvd.nist.gov – National Institute of Standards and Technology, National Vulnerability Database

Resource Status

NVD contains:
• 60,611 CVE – Common Vulnerabilities & Exposures
• 230 Checklists (Security Checklists)
• 248 US-CERT Alerts (Computer Emergency Readiness Team)
• 2,827 US-CERT Vulnerability Notes
• 10,286 OVAL Queries (Open Vulnerability and Assessment Language)
• Last updated: 02/21/14

CVE publication rate: 17 vulnerabilities / day

Page 82

Moving Forward

Page 83

Now What? Big Ideas:
• Everything changes at scale
• Change requires change

Plugging into the internet joined your organization to a very large community of constructive and destructive users…

Page 84

What to Do Next?

1. Awareness: We will not be ignorant
2. Mindset: Security is NOT an option
3. Can’t be all things to all people
   • Focus on things that matter to your constituents
   • Consider trusted 3rd parties for the rest

…no risk free environments

Page 85

Questions?

Mark Wilson
[email protected]
www.sikich.com

Page 86

Thank You