Cyber Security Statistical Consulting...Patch and Update All Software and Systems - Min 30 days -...
© Copyright 2018 SCORE Statistical Consulting Inc.™ All Rights Reserved www.scorestat.com
Kristofer Laxdal , Director Info and Cyber Security – Prophix Software Inc
November 13th, 2018
Cyber Security
Overview
▪ Introduction
▪ Everything “Old Is New Again”
▪ Myth Busting
▪ What is Cyber Security
▪ Containment Strategies
▪ Top Five Predictions for 2017-2018: How did I do?
Introduction
Introduction – About Me
▪ Kristofer Laxdal, Director, Information and Cyber Security, Prophix Software Inc.
▪ Prophix is a leading FP&A SaaS provider, as well as on-prem: http://www.prophix.com/
▪ Previously held executive cyber security roles within CanDeal, IBM, Hewlett Packard, Hbc and many more.
‘Everything Old is New Again’
In 2017, the world saw more data breaches than any year prior.
On December 20th, the Identity Theft Resource Center (ITRC) reported that there were 1,293 total data breaches, compromising more than 174 million records.
• Yet before the web, before the computer, before the phone, even before Morse code, there was… “le système Chappe”.
• Comprised 534 stations covering more than 5,000 km (3,106 miles)!
• The record was 60 minutes for a message travelling from Paris to Strasbourg.
‘Everything Old is New Again’
What the heck does this have to do with Cyber Security?
• The network was reserved for government use, but in 1834 two bankers, François and Joseph Blanc, devised a way to subvert it to their own ends.
• The Blanc brothers traded government bonds at the exchange in the city of Bordeaux, and information about market movements took several days to arrive from Paris.
Just like today: Data + Speed = Money $$$
‘Everything Old is New Again’
The brothers bribed a telegraph operator in the city of Tours to introduce deliberate errors into routine coded messages being sent over the network.
• The system included a “backspace” symbol that instructed the transcriber to ignore the previous character.
• The operator added a character indicating the direction of the previous day’s market movement, followed by a backspace.
• The message being sent was unaffected when it was written out for delivery at the end of the line.
‘Everything Old is New Again’
The extra character could be seen by another accomplice: a former telegraph operator who observed the telegraph tower outside Bordeaux with a telescope, and then passed on the news to the Blancs.
Caught and arrested in 1836. The Blanc brothers were put on trial, though they could not be convicted because there was no law against misuse of data networks.
Hacking of the data network arguably qualifies as the world’s first cyber-attack.
Everything Old is New Again
1. Network intrusions can and do go unnoticed.
2. Cyber Security is like a chain: we are always the weakest link.
3. Network attacks do not just pre-date modern electronic networks; they are as old as networks themselves.
4. Most attacks aren’t sophisticated!
“Sooner or later, everything old is new again.”
― Stephen King, The Colorado Kid
Myth Busting
Myth #1: All Cyber Attacks are Sophisticated and Complex.
The next time you hear about a complex cyber-attack on a business, there is a better chance that the attack succeeded not because it was conducted by a nation-state or a clever attacker, but simply because individuals took advantage of bad cybersecurity hygiene.
Myth Busting
Myth #2: Throw Money At The Problem
JPMorgan was on the receiving end of a successful cyber-attack despite having spent close to U.S. $250 million on cybersecurity in 2014.
Myth Busting
Myth #3: The Threats are on the Outside
Regardless of the origin of the attacker, internal or external, most regular and complex attacks need the privileges or the access rights of an insider to succeed (think phishing).
Myth Busting
Myth #4: Nothing Could Prevent the Attack
Most companies do not have the proper cybersecurity controls in place, such as logging, layering of security controls, alerts established to detect an intruder, filtering of malicious traffic, and security awareness training.
These Breach Announcements Are Getting Old
No Mysterious ‘Sophistication’
Saks, Lord & Taylor (Hbc)
Date disclosed: April 3, 2018 - 5 million records breached
• JokerStash hacking syndicate offering five million stolen credit and debit cards up for sale. Breach period occurred from March 2017 to March 2018.
• Class action alleges that it “failed to comply with security standards and allowed its customers’ financial information and other private information to be compromised by cutting corners on security measures that could have prevented or mitigated the security breach”.
• 2nd time on my hit list in less than a year!
Ticketfly
Date disclosed: June 7, 2018 - 27 million records breached
• The hacker behind the attack had reportedly warned Ticketfly of a vulnerability and demanded a ransom to fix it. When the company refused, the hacker hijacked the Ticketfly website, replaced its homepage, and made off with a large directory of customer and employee data, including names, addresses, email addresses, and phone numbers.
No Mysterious ‘Sophistication’
Panera
Date disclosed: April 2, 2018 - 37 million records breached
• The company initially downplayed the severity of the breach, indicating fewer than 10,000 customers had been affected; the true number is believed to be as high as 37 million.
• Had been advised by a security researcher; the company ignored the warning.
Exactis
Date disclosed: June 26, 2018 - 340 million records breached
• Exactis, a marketing and data aggregation firm based in Florida, had left a database exposed on a publicly accessible server.
• The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses.
No Mysterious ‘Sophistication’
Sears
Date disclosed: April 4th, 2018 – 100,000
• A "security incident" with an online support partner, [24]7.ai, resulted in up to 100,000 people having their credit-card information stolen.
What Is Cyber Security ?
What is Cyber Security?
▪ Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack.
▪ This includes damage or unauthorized access, as well as disruption or misdirection of the services they provide.
▪ Wow! That covers a lot of ground.
Cyber Security Domains
2018 Breach Profile
The Cyber Breach Profile
Statistics from the Verizon Data Breach Investigation Report 2018
This year we have over 53,000 incidents and 2,216 data breaches.
Cyber Strategies
Cyber Strategies
Implementing a formal information security governance approach
Establish and maintain a framework that provides assurance that information security strategies are aligned with and support the business. A great starting point.
When selecting one of these methods, ensure your program provides the ability to employ a risk-based approach and enables your teams to detect incidents.
Cyber Strategies
Stop Data Loss
Most enterprises rely on employee trust, but that won’t stop data from leaving the company.
Now, more than ever, it is extremely important to control access, monitor vendors and contractors as well as employees, and know what your users are doing with company data.
Cyber Strategies
Detect Those Insider Threats
Your biggest asset is also your biggest risk.
While well trained users can be your security front line, you still need technology as your last line of defense.
UEBA allows you to detect unauthorized behavior and verify user actions are not violating security policy.
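The slide names UEBA but does not show what "detecting unauthorized behavior" looks like in practice. The following Python is an added example, not from the talk or from any UEBA product: it builds a per-user baseline (usual hours of activity, largest transfer) from a constructed access log, then flags later events that fall outside that baseline. The internal address range, the baseline cut-off date and the log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample access log (not from the talk): timestamp, user, source IP, action, bytes moved.
LOG_LINES = """
2018-11-05T09:12:00 alice 10.1.4.20 file_download 120000
2018-11-05T14:03:00 alice 10.1.4.20 file_download 95000
2018-11-06T10:41:00 alice 10.1.4.21 file_download 110000
2018-11-06T16:20:00 alice 10.1.4.20 file_download 130000
2018-11-07T11:00:00 alice 10.1.4.20 file_download 100000
2018-11-12T02:17:00 alice 203.0.113.9 file_download 4800000
2018-11-12T13:05:00 alice 10.1.4.20 file_download 105000
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
CORPORATE_NETS = [ip_network("10.0.0.0/8")]   # assumption: the company's internal address space
BASELINE_END = datetime(2018, 11, 10)          # assumption: events before this date are known-good history


def parse(line):
    ts, user, ip, action, nbytes = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip_address(ip), "action": action, "bytes": int(nbytes)}


def build_baseline(events):
    """Per user: earliest/latest hour of activity and largest transfer seen in the baseline period."""
    base = defaultdict(lambda: {"first_hour": 23, "last_hour": 0, "max_bytes": 0})
    for e in events:
        if e["ts"] >= BASELINE_END:
            continue
        b = base[e["user"]]
        b["first_hour"] = min(b["first_hour"], e["ts"].hour)
        b["last_hour"] = max(b["last_hour"], e["ts"].hour)
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return base


def score(event, baseline, volume_factor=3):
    """List the ways one event deviates from its user's baseline; an empty list means it looks normal."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if not b["first_hour"] <= event["ts"].hour <= b["last_hour"]:
        reasons.append("outside usual hours")
    if not any(event["ip"] in net for net in CORPORATE_NETS):
        reasons.append("external source address")
    if event["bytes"] > volume_factor * b["max_bytes"]:
        reasons.append("transfer volume spike")
    return reasons


def find_anomalies(lines):
    """Return (timestamp, user, reasons) for every post-baseline event that deviates."""
    events = [parse(line) for line in lines]
    baseline = build_baseline(events)
    hits = []
    for e in events:
        if e["ts"] < BASELINE_END:
            continue
        reasons = score(e, baseline)
        if reasons:
            hits.append((e["ts"].isoformat(), e["user"], reasons))
    return hits


if __name__ == "__main__":
    for ts, user, reasons in find_anomalies(LOG_LINES):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

Run against the sample log, only the 02:17 download from an external address is reported, with all three reasons; the 13:05 download on the same day stays quiet because it sits inside the user's normal hours, source network and volume. Real UEBA tooling replaces these three hand-written rules with statistical models, but the shape is the same: a per-user baseline, a deviation score, and an alert when the score is non-empty.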
Containment Strategies
Back Up Data, Rinse, Repeat
It is crucial for an organization to have a full, tested and working backup of all of its data, not only from a basic security hygiene perspective, but also to combat emerging attacks (ransomware).
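"Tested and working" is the part most backup programmes skip. As an added example (not from the talk), the Python below performs the minimal restore drill: record a SHA-256 manifest at backup time, restore into a fresh directory, and compare every file against the manifest so that a file that was silently encrypted or dropped is reported rather than discovered during an incident. The files, directory names and the simulated corruption are all constructed inside a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root: Path, manifest: Path) -> dict:
    """Record a digest for every file under root; this is taken when the backup is made."""
    entries = {str(p.relative_to(root)): sha256_of(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    manifest.write_text(json.dumps(entries, indent=2))
    return entries


def verify_restore(restored: Path, manifest: Path) -> dict:
    """Compare a restored tree against the manifest: ok / missing / corrupt per file."""
    expected = json.loads(manifest.read_text())
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in expected.items():
        p = restored / rel
        if not p.exists():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def drill() -> dict:
    """Constructed restore test: back up three files, restore them, damage two, verify."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        live, backup, restored = tmp / "live", tmp / "backup", tmp / "restored"
        live.mkdir()
        (live / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "notes.txt").write_text("quarter close\n")
        (live / "config.ini").write_text("[db]\nhost=db01\n")
        shutil.copytree(live, backup)                # the "backup job"
        manifest = tmp / "manifest.json"
        write_manifest(backup, manifest)
        shutil.copytree(backup, restored)            # the "restore"
        (restored / "ledger.csv").write_bytes(b"\x00" * 16)   # simulate a file encrypted in place
        (restored / "notes.txt").unlink()                      # simulate a file that never came back
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(json.dumps(drill(), indent=2))
```

Keep the manifest somewhere the backup job itself cannot overwrite; if ransomware can rewrite both the data and the digests, the comparison proves nothing.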
Containment Strategies
Beware of Social Engineering
The technology and IT security policies you implement don’t replace the need for common sense or eliminate human error. Remember, most hacks are ‘credentialed hacks’.
Attempts may come from phone, email (phishing) or other communications with your users.
The best defense is to…
Containment Strategies
Educate and Train Your Users
Users will always be the weakest link when it comes to information security.
Training is critical and should include how to: recognize a phishing email, create and maintain strong passwords, avoid dangerous applications, and ensure valuable information is not taken out of the company, in addition to other relevant user security risks.
Containment Strategies
Patch and Update All Software and Systems - Min 30 days -
With cyber-criminals constantly inventing new techniques and looking for new vulnerabilities, an optimized cyber security posture is only optimized for so long.
Make sure your software and hardware are up to date with the latest and greatest within 30 days of a patch release at the latest, and immediately if critical / zero day.
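The 30-day rule is only useful if someone measures against it. The Python below is an added example (not from the talk or from Prophix) that turns the slide's policy into a check over a patch inventory: 30 days for ordinary patches, zero days for critical / zero-day, and each host/patch pair reported as ok, late, overdue or pending. The hostnames, patch identifiers and dates are constructed placeholders; the "today" of the run is set to the talk's date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy from the slide: 30 days from release; critical / zero-day immediately (0 days).
SLA_DAYS = {"critical": 0, "high": 30, "medium": 30, "low": 30}


@dataclass
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: date
    installed: Optional[date]   # None means the patch is still missing on this host


def deadline(rec: PatchRecord) -> date:
    """The date by which the policy says this patch must be on this host."""
    return rec.released + timedelta(days=SLA_DAYS[rec.severity.lower()])


def status(rec: PatchRecord, today: date) -> str:
    """ok: installed in time; late: installed after the deadline; overdue: missing and past due; pending: missing, still in window."""
    due = deadline(rec)
    if rec.installed is not None:
        return "ok" if rec.installed <= due else "late"
    return "overdue" if today > due else "pending"


def days_overdue(rec: PatchRecord, today: date) -> int:
    """How far past the deadline a missing patch is (0 when not overdue)."""
    return max(0, (today - deadline(rec)).days) if rec.installed is None else 0


def report(records: List[PatchRecord], today: date) -> Dict[str, List[str]]:
    """Group host:patch pairs by SLA status; the 'overdue' list is what needs chasing."""
    out: Dict[str, List[str]] = {"ok": [], "late": [], "overdue": [], "pending": []}
    for rec in records:
        out[status(rec, today)].append(f"{rec.host}:{rec.patch_id}")
    return out


# Constructed inventory: hostnames and patch ids are placeholders, not real identifiers.
TODAY = date(2018, 11, 13)
INVENTORY = [
    PatchRecord("web-01", "PATCH-2018-10-A", "high", date(2018, 10, 1), date(2018, 10, 20)),
    PatchRecord("web-02", "PATCH-2018-10-A", "high", date(2018, 10, 1), None),
    PatchRecord("db-01", "PATCH-2018-11-Z", "critical", date(2018, 11, 10), date(2018, 11, 12)),
    PatchRecord("db-02", "PATCH-2018-11-C", "medium", date(2018, 11, 1), None),
]

if __name__ == "__main__":
    for state, items in report(INVENTORY, TODAY).items():
        print(f"{state:8s} {items}")
    for rec in INVENTORY:
        if days_overdue(rec, TODAY):
            print(f"{rec.host} {rec.patch_id} is {days_overdue(rec, TODAY)} days overdue")
```

Feeding this from a real inventory (WSUS, a Linux package manager's history, or an agent) is the only part that changes; the policy table at the top is where a tighter SLA for internet-facing hosts would be expressed.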
Containment Strategies
Create an Incident Response Plan
No matter how well you follow these best practices, you will still get breached. It’s not an if, it is a when.
Having a tested response plan laid out ahead of time will allow you to close any vulnerabilities, limit the damage of a breach, and allow you to remediate nimbly and effectively.
Containment Strategies
Maintain Your Compliance
Regulations like HIPAA, PCI DSS and ISO offer standards for how your business should conduct and measure its security posture.
More than a hassle which you need to prepare audit logs for, compliance can help guide your business.
Top Five 2017-2018 Cyber Security Predictions
2017-2018 Cyber Security Predictions
Increase in Supply Chain Attacks Through 2018
In a nutshell, a “supply chain attack” refers to the compromise of a particular asset, e.g. a software provider’s infrastructure and commercial software, with the aim to indirectly damage a certain target or targets, e.g. the software provider’s clients.
Used as a stepping stone for further exploitation, once a foothold is gained on the target system or systems.
2017-2018 Cyber Security Predictions
IoT – Continued serious attacks: DDoS / Credential Stealing
Gartner estimates that there are 6.4 billion connected things worldwide in use this year, a number expected to reach 20.8 billion by 2020.
That’s a lot of targets. (Most aren’t or cannot be patched easily.)
2017-2018 Cyber Security Predictions
Ransomware
▪ If you thought 2016 was bad for ransomware then 2017–2018 will be worse.
▪ Expect to see a higher attack volume, using more sophisticated technologies, and a continued upward trajectory in 2017 and 2018.
What you need to consider:
▪ When was the last time you tested and verified the backup?
▪ Have you applied basic file blocking to prevent threats from entering your organization?
▪ Certain file types can be a risk to your organization. Ask yourself, “Should we allow all files, or should we manage the risk by not allowing malicious file types that may cause an issue?”
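The "basic file blocking" question above is answerable with a small allow-list check. The Python below is an added example, not from the talk or from any mail or web gateway product: it refuses blocked extensions wherever they appear in the name (so a double extension such as invoice.pdf.exe is caught), accepts only an explicit allow list, and then checks that the leading bytes of accepted binary formats match their extension so a renamed executable does not pass as a PDF. The extension lists and the sample attachments are constructed for the example; the magic bytes are the real format signatures.

```python
from pathlib import PurePosixPath

# Constructed policy lists (illustrative, not the talk's or any vendor's list).
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".jar"}
# Leading bytes expected for accepted binary formats; a mismatch means the content lies about its type.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
}
TEXT_EXT = {".txt", ".csv"}
ALLOWED_EXT = set(MAGIC) | TEXT_EXT


def check_attachment(name: str, data: bytes):
    """Return (allowed, reason). Every suffix is inspected so 'invoice.pdf.exe' is still caught."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return False, "no extension"
    if any(s in BLOCKED_EXT for s in suffixes):
        return False, "blocked extension"
    ext = suffixes[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension not on allow list"
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        return False, "content does not match extension"
    # Text formats have no signature, so only the obvious case (a PE header) is rejected here.
    if ext in TEXT_EXT and data.startswith(b"MZ"):
        return False, "executable content in a text file"
    return True, "ok"


def screen(files):
    """Apply the policy to a batch of (name, bytes) pairs; returns {name: (allowed, reason)}."""
    return {name: check_attachment(name, data) for name, data in files}


# Constructed sample attachments: headers are real format signatures, bodies are filler.
SAMPLES = [
    ("report.pdf", b"%PDF-1.7 ..."),
    ("setup.exe", b"MZ\x90\x00..."),
    ("invoice.pdf.exe", b"MZ\x90\x00..."),
    ("renamed.pdf", b"MZ\x90\x00..."),
    ("notes.txt", b"quarter close\n"),
    ("payload.txt", b"MZ\x90\x00..."),
    ("photo.png", b"\x89PNG\r\n\x1a\n..."),
    ("data.bin", b"\x00\x01"),
    ("README", b"no suffix"),
]

if __name__ == "__main__":
    for name, (allowed, reason) in screen(SAMPLES).items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5s} {name:18s} {reason}")
```

Note that .docx, .xlsx and .zip share the same ZIP signature, so this check cannot tell a macro-enabled document from a plain one; that decision needs a parser that looks inside the container, which is what a mail gateway's content inspection adds on top of a check like this.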
2017-2018 Cyber Security Predictions
Blockchain Technology
Blockchain technology vulnerabilities will be discovered by malicious actors who will exploit them in an effort to compromise the security and confidentiality of financial transactions in 2017-2018.
2017-2018 Cyber Security Predictions
Exchange: Coincheck
Amount: $534,800,000
Exchange: BitGrail
Amount: $195,000,000
Exchange: CoinSecure
Amount: $3,300,000
Exchange: Coinrail
Amount: $40,000,000
Exchange: Zaif
Amount: $60,000,000
Exchange: MapleChange
Amount: $6,000,000
Total: $839,100,000 electronic theft
2017-2018 Cyber Security Predictions
Rise of artificial intelligence and machine learning-driven security
These frameworks will be leveraged by Cyber Security teams for implementing predictive security analytics across public, private and SaaS cloud infrastructures, by leveraging externally sourced threat data and using it for self-configuring / self-healing based on organization-specific needs.
Thank you