Cyber Security for Wisconsin Government Finance Office ......OWASP Top 10 A1 Injection A2 Broken...
The Wild, Wild Internet
Cyber Security for Wisconsin Government Finance Office Association
Mark Wilson, CISSP, ITIL, CBCP, CCM
Director of Information Risk Management
Agenda
• Sikich Information
• Is the Threat Real?
• Statistical Information
• Is this True?
• What is Security?
• Why Are Things So Bad?
• Executive Management’s Role
• Moving Forward
Sikich Information
About Sikich
» Multi-disciplinary: An accounting, advisory, investment banking, technology and managed services firm with clients in the U.S. and internationally.
» Excellent reputation: With a reputation for professional excellence, Sikich provides unsurpassed client service as well as timely and cost-effective services.
» Strong talent: We employ more than 500 talented people including 91 partners, all of whom devote their careers to a focused area.
» Award winning: Accounting Today ranks the Firm 40th nationally among the top 100 accounting firms and 11th in the top 100 VARs.
$97M in revenue in 2013
6,976 public and private sector clients
8,635 individual clients
500+ total personnel
91 partners
1 collaborative and positive culture
Sikich Service Lines
Securities are offered through Sikich Corporate Finance LLC, a registered broker dealer with the Securities Exchange Commission and a member of FINRA/SIPC. Advisory services offered through Sikich Financial, a Registered Investment Advisor. General securities offered through Triad Advisors, Member FINRA/SIPC.
Accounting, Audit & Tax
• Financial Reporting
• Employee Benefit Plan Audit
• Accounting Services
• Tax Planning
Advisory
• Business Valuation
• Dispute Advisory
• Human Resources
• Insurance Services
• Marketing & Public Relations
• Retirement Plan Services
• Risk Advisory
• Supply Chain
• Wealth Management
Investment Banking
• Acquisitions Advisory
• Sales Advisory
• Capital Raises
• Strategic Advisory
Technology
• Accounting & ERP Software
• CRM Software
• IT Infrastructure
• Cloud & Hosting Solutions
• Strategic IT Planning
• Communication & Collaboration
• IT Consulting
Managed Services
• Outsourced Accounting
• Managed IT
• Outsourced Human Resources
• Outsourced Marketing & Public Relations
Industry Expertise, Tailored Approach
» Agriculture
» Manufacturing & Distribution
» Construction
» Professional Services
» Real Estate
» Retail
» Government
» Non Profit
» Healthcare
» Higher Education
Deep industry experience and longevity.
Cross sectional teams with a depth and breadth of experience to handle the complete solution.
Solution centric and product agnostic.
Is The Threat Real?
SC Magazine 03.21.2014
securitycurrent 03.20.2014
200,000,000 US consumers
Attack uses 162,000 WordPress sites
$120,000,000,000 security industry spend
Ever Seen One of These?
1,200,000 problem devices
Target Breach… John J. Mulligan, Executive Vice President and Chief Financial Officer of the Target Corporation, listens on Capitol Hill in Washington, Tuesday, Feb. 4, 2014, while testifying before the Senate Judiciary Committee hearing on data breaches and combating cybercrime.
Mulligan disagreed, telling Franken that the company has spent “hundreds of millions of dollars” on a multilayered consumer protection protocol.
Sen. Sheldon Whitehouse, D-R.I., said that when a company as large as Target “can be hacked without knowing it, it is not to say that Target did something wrong,” but that everyone is vulnerable.
Klobuchar agreed, saying, “This can happen to anyone.”
Target Security too weak… Conclusion …
http://www.startribune.com/politics/statelocal/243508791.html
Target Breach…
Is This the Current State of the Internet?
Security experts say that OperationUSA, a coordinated online attack against banking and government websites slated for May 7, is a serious threat. As a result, organizations should be upping their distributed-denial-of-service attack mitigation strategies to guard against the attacks, which are being coordinated by the hacktivist group Anonymous.
Is This the Current State of the Internet?
… plus the problems we create
Statistical Information
Global Consumer Losses - 2013 (2013 Norton Report)
Dollars Spent on Security
$120,000,000,000 defending against cyber-attacks
Breaches, malware cost $491 B ($491,000,000,000)
Hackmageddon.com – Aug. 2013
Current Statistics
The Current Threat Landscape
Kaspersky Lab Statistics
Organizations on Average Hit Every Three Minutes with Malware
… threatpost.com
Is This True?
Internet Privacy
A Helpful Venn Diagram…
Mozilla - Lightbeam
Who’s asking for information about me?
Who’s Tracking Me?
There’s no such thing as a free website…
Google, Bing, Yahoo, etc.
Files containing 360 million credentials, 1.25 billion email addresses, located on Deep Web
February 28, 2014, SC Magazine
US Population = 313.9 M (2012)
The Darknet
FTP – File Transfer Protocol
Hackers circulate thousands of FTP credentials, New York Times among those hit
February 13, 2014, PC World
Outlaw FTP and Telnet in your organization!!!
The New Normal… (krebsonsecurity)
200-400 Gbps DDoS Attacks
HTTP Cookies
• Stored on user PC
• Sent to website
• “Remembers” state
Information
• User activities
• Tracking cookies
• Authentication cookies
• Reduces information passed in URL
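As an added example (not part of the talk), the following Python shows the two cookie uses named above, state and authentication, done the way a defender would want: the server keeps the sensitive value out of the URL, binds it to an HMAC so the client cannot forge another user’s session, and sets the HttpOnly, Secure and SameSite attributes so page scripts and plain-HTTP requests never see it. The secret and user ids are constructed placeholders.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed server-side secret for the example; a real deployment loads
# this from a secret store and rotates it.
SERVER_SECRET = b"example-secret-do-not-reuse"


def sign_session(user_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return 'user_id.mac' where mac is an HMAC-SHA256 over user_id."""
    mac = hmac.new(secret, user_id.encode(), hashlib.sha256).digest()
    encoded = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{user_id}.{encoded}"


def verify_session(value: str, secret: bytes = SERVER_SECRET):
    """Return the user id carried by the cookie value, or None if the MAC fails."""
    if "." not in value:
        return None
    user_id, _, presented = value.rpartition(".")
    expected = sign_session(user_id, secret).rpartition(".")[2]
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(presented, expected):
        return user_id
    return None


def build_set_cookie_header(user_id: str) -> str:
    """Emit the Set-Cookie header a login handler would send."""
    jar = SimpleCookie()
    jar["session"] = sign_session(user_id)
    jar["session"]["httponly"] = True   # not readable by page scripts (limits XSS theft)
    jar["session"]["secure"] = True     # only sent over HTTPS
    jar["session"]["samesite"] = "Lax"  # not attached to most cross-site requests
    jar["session"]["path"] = "/"
    return jar.output(header="Set-Cookie:")


def user_from_cookie_header(cookie_header: str):
    """Parse an incoming Cookie header and return the verified user id, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    return verify_session(jar["session"].value)


if __name__ == "__main__":
    header = build_set_cookie_header("alice")
    print(header)
    print(user_from_cookie_header(header.split(": ", 1)[1].split(";")[0]))
```

The browser stores the value and sends it back on each request; the server trusts it only because the MAC verifies, so a user who edits `alice` to `admin` in the cookie is simply logged out rather than elevated.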
What’s an LSO – Local Shared Object
• Adobe Flash origin
• Stores user preferences
• Stored in a “common folder / directory”
• Privacy concerns
How Many O/S’s in a Mobile Phone?
• iOS
• Android
• Windows
…security researcher Ralf-Philipp Weinmann of the University of Luxembourg set out to reverse engineer the baseband processor software of both Qualcomm and Infineon, and he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits…
Android Security
Serious Vulnerabilities Found in Popular Home Wireless Routers
Threatpost.com
300,000 Compromised Routers Redirecting Traffic to Attacker Sites
ZMAP – Map the Internet in 45 Minutes
Isn’t Backup and Monitoring Simple???
• Backup
  • Block
  • File
  • Image
  • Incremental
  • Differential
  • Full
  • CDP
  • CoW – copy on write (synchronous)
  • CRW – copy redirect on write (asynchronous)
  • Deduplication
  • Encryption (key management)
  • Data residency laws
  • Frequency
  • Retention levels
  • Image consistent
  • Application consistent (database aware)
  • Open file handling
  • VMs
• Recovery
  • File
  • Image
  • System
  • Point-in-time
• Monitoring / Alerting / Warnings
  • Network
  • Access control
  • Log files
  • Signature comparisons
  • Heuristic / behavior-based controls
  • Database access
  • Baselines
  • Trends
  • 4-phase alerts
  • Multiphase alerts
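The monitoring items above (log files, signature comparisons, baselines, trends) are easier to see side by side in code. This Python example is added here and is not from the talk; it runs two of those controls over a handful of constructed authentication log lines: a signature pass that flags known-bad patterns (the page’s own “outlaw FTP” advice, and root login attempts), and a baseline pass that alerts when a source’s failed-login count exceeds the mean of earlier windows by three standard deviations. The log lines, hostnames, addresses and baseline counts are all constructed.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log lines for one monitoring window (not real data).
SAMPLE_LOG = """\
2014-02-21T09:00:01 host1 sshd: Failed password for root from 203.0.113.5
2014-02-21T09:00:02 host1 sshd: Failed password for root from 203.0.113.5
2014-02-21T09:00:03 host1 sshd: Failed password for admin from 203.0.113.5
2014-02-21T09:00:04 host1 sshd: Accepted password for alice from 198.51.100.7
2014-02-21T09:00:05 host1 ftpd: USER anonymous from 203.0.113.5
2014-02-21T09:00:06 host1 sshd: Failed password for root from 203.0.113.5
2014-02-21T09:00:07 host1 sshd: Failed password for bob from 192.0.2.9
""".splitlines()

# Signature comparison: fixed patterns that are always worth an alert.
SIGNATURES = {
    "ftp_in_use": re.compile(r"\bftpd:"),             # plaintext protocol still running
    "root_login_attempt": re.compile(r"password for root"),
}

FAILED = re.compile(r"Failed password for \S+ from (\S+)")

# Constructed baseline: failed logins per source seen in seven earlier windows.
BASELINE = [1, 0, 2, 1, 1, 0, 1]


def signature_matches(lines):
    """Return (line_number, signature_name) for every line that hits a signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


def failed_logins_per_source(lines):
    """Count failed logins per source address in this window."""
    counts = Counter()
    for line in lines:
        match = FAILED.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def baseline_alerts(counts, baseline=BASELINE, k=3.0):
    """Return sources whose count exceeds mean + k * stddev of the baseline."""
    threshold = mean(baseline) + k * (pstdev(baseline) or 1.0)
    return {src: n for src, n in counts.items() if n > threshold}


def run_monitor(lines=SAMPLE_LOG):
    """Combine both controls into one report dict."""
    counts = failed_logins_per_source(lines)
    return {
        "signature_hits": signature_matches(lines),
        "baseline_alerts": baseline_alerts(counts),
    }


if __name__ == "__main__":
    for key, value in run_monitor().items():
        print(key, value)
```

Signatures catch what you already know to look for; the baseline catches a change in trend, which is why the slide lists both. Tuning `k` and the baseline window is where most of the real work sits.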
Wireless Connectivity
What is Security?
Three Security Pillars
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
SECURITY – C.I.A.
Security – another perspective
(ISC)² – International Information Systems Security Certification Consortium
“Security Transcends Technology”
High Level Security Controls
Physical: Locks, Lights, Fences
Logical (technical): Firewall, Passwords, Motion Detectors
Administrative: Policies, Audits, Training
Preventive – Detective – Corrective – Compensatory
Triad of Security Controls
Why are Things So Bad?
What’s Wrong with Security?
Security includes People, Process, and Technology but… it’s not part of our organizational DNA.
#1. It’s NOT fundamental to our organizations.
Security must be part of the fabric of our organizations.
#2. It’s not important… enough. Risk < Reward
… Business Problems
Deleting Information?
• Computers
• Memory
• Files
0111101000100100 in use
0111101000100100 deleted
• Backups
• Archives
• Cloud backups
…is it ever really gone? …and we are still building computers this way!
… System Design Problems
Cyber Crime Innovations
• Huge rewards
• Growing market
• Recruit smart & clever staff
• Nation state protection
• Mobile & remote access
• Old software
• Old systems
SC Magazine
Krebs on Security (krebsonsecurity.com)
What’s it Cost?
Unhackable Networks? Classified Network / Unclassified Network
Hacker
Favorite Hacker Tool
Executive / Senior Management Role
Hard Questions… What Does the Organization Require?
• Security
• Recovery
• Resiliency
• Insource vs Outsource
• Cloud
Organizational Changes… How Shall We Then Live?
Francis Schaeffer
• Cultural changes
• Business mindset
These are NOT Additional Initiatives!!!
These are NOT Optional Initiatives!!!
Today
✓ Security
✓ Recovery
✓ Resiliency
✓ Insource vs Outsource
✓ Cloud
Tomorrow
• Senior Management
• Finance
• Human Resources
• Purchasing
• IT
Cloud Expectations…
Contract Language…
Business Transfers
Cloud vendor XXXXXX may sell, transfer, or otherwise share some or all of its business or assets, including your Personal Information and Non-Identifying Information in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.
What Can We Do About This?
Passwords – don’t forget the simple stuff
Passwords, office / whiteboard hygiene, lock file cabinets, change locks, monitor etc…
Partner in the Absence of Expertise
Augment Core Competencies
W3C (World Wide Web Consortium) - http://validator.w3.org/unicorn/
Top 20 Critical Security Controls - Version 5 (SANS Institute)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
OWASP Top 10 (Open Web Application Security Project)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Known Vulnerable Components
A10 Unvalidated Redirects and Forwards
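A10 is the item on that list a finance office’s web portal is most likely to get wrong, because the “return to this page after login” feature is so ordinary. The following Python is an added example, not OWASP’s or the talk’s code: it shows the check a login handler should apply to a `next` parameter before redirecting. Relative paths are allowed only when they are a single-slash path on the same site; absolute URLs are allowed only over HTTPS and only to hosts on an allowlist. The host name and parameter name are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"portal.example.gov"}

# Characters that browsers may normalise into a path or host separator;
# a legitimate redirect target never needs them.
FORBIDDEN_CHARS = "\\\r\n\t "


def safe_redirect_target(next_param, default="/", allowed_hosts=ALLOWED_HOSTS):
    """Return next_param if it is a safe redirect target, otherwise default."""
    if not next_param:
        return default
    if any(ch in next_param for ch in FORBIDDEN_CHARS):
        return default

    parsed = urlparse(next_param)

    # Absolute URL (or scheme-relative "//host/..."): urlparse fills netloc.
    if parsed.netloc:
        if parsed.scheme != "https":
            return default          # rejects http:, and "//evil.example" which has no scheme
        if parsed.hostname not in allowed_hosts:
            return default          # rejects lookalikes and "allowed@evil.example" userinfo tricks
        return next_param

    # No netloc but a scheme, e.g. "javascript:..." or "data:...": never a page to return to.
    if parsed.scheme:
        return default

    # Relative target: require a path rooted at "/" and not "//" (already handled above).
    if not next_param.startswith("/"):
        return default
    return next_param


def login_redirect_response(next_param):
    """Build the (status, headers) pair a login handler would return after success."""
    target = safe_redirect_target(next_param)
    return 302, {"Location": target}


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.example/x", "https://portal.example.gov/home",
                      "http://portal.example.gov/home", "javascript:alert(1)",
                      "https://portal.example.gov@evil.example/", "dashboard"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The design choice worth noting is that the function returns a safe default rather than raising: a user who follows a tampered link still gets logged in and lands on the home page, and the bad `next` value can be logged for the monitoring controls above without breaking the sign-in flow.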
www.us-cert.gov – US Computer Emergency Readiness Team
Current Activity -
• Cisco UCS Director Default Credentials Vulnerability
Published Friday, February 21, 2014
• Cisco has released a security advisory to address a vulnerability in Cisco Unified Computing System (UCS) Director. This vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device due to a default root user account created during installation. Successful exploitation of this vulnerability would provide the attacker with full administrative rights to the system.
nvd.nist.gov – National Institute of Standards and Technology, National Vulnerability Database
Resource Status
NVD contains:
• 60,611 CVE – Common Vulnerabilities & Exposures
• 230 Checklists (Security Checklists)
• 248 US-CERT Alerts (Computer Emergency Readiness Team)
• 2,827 US-CERT Vulnerability Notes
• 10,286 OVAL Queries (Open Vulnerability and Assessment Language)
• Last updated: 02/21/14
CVE publication rate: 17 vulnerabilities / day
Moving Forward
Now What? Big Ideas:
• Everything changes at scale
• Change requires change
Plugging into the internet joined your organization to a very large community of constructive and destructive users…
What to Do Next?
Awareness: We will not be ignorant
Mindset: Security is NOT an option
Can’t be all things to all people
• Focus on things that matter to your constituents
• Consider trusted 3rd parties for the rest
…no risk-free environments
Thank You