Did You Hear That Alarm?
The impacts of hitting the information security snooze button
Slide 2
Case Study:
1. Procurement representative receives an email
2. Workstation security alerts are generated
3. Malware detection alerts are generated on a production server
4. Large increase in network connections to a domain in another country
5. Federal authorities notify the company about its data being sold on the black market
Slide 3
Anatomy of an Attack:
- Spear phishing attack targets an employee
- Recipient interacts with the malicious email content
- Exploit payload installs on the workstation
- Compromised workstation sets up command and control and acts as a pivot point
- Attacker traverses the network and compromises production servers
- Full data compromise and exfiltration
Slide 4
How Did This Happen?:
- Security training?
- Effective controls and patching?
- Event monitoring and response?
Slide 5
Threat Sources:
- National governments
- Terrorists
- Industrial spies
- Organized crime groups
- Hacktivists
- Insider threat
Source: Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Do not worry about the why
Slide 6
Industry Threat Data
2013 Top Five Threat Actions*:
- Use of stolen credentials (Hacking)
- Export data (Malware)
- Phishing (Social Engineering)
- RAM scraper (Malware)
- Backdoor (Malware)
*Data taken from the Verizon 2014 Data Breach Investigations Report
2013 Data Breach Trends**:
- 4% increase in Financial Services industry breaches
- 67% of breaches were notified by external entities
- 100% of retail Point-of-Sale system breaches occurred in Payment Card Industry-compliant environments
**Data taken from the 2014 Mandiant M-Trends breach report
Slide 7
Risk Equation: R = f(T, V, A)
RISK is the PROBABILITY that a THREAT will exploit a VULNERABILITY to cause harm to an ASSET
Classical, yes, but it has its limitations
Slide 8
Risk Equation:
- Threats and vulnerabilities change rapidly; they are virtually unknowable
- Data as an asset
- The classical risk equation does not account for controls
- Subjectivity can skew results and the corresponding action plans
Slide 9
Ok, now what?:
- Risk assessments are a baseline
- Constant vigilance in assessing risk variables
- Establish risk tolerance
- Enhance approaches by leveraging compliance and industry standards
Slide 10
Due Diligence:
- Utilize control frameworks
- Intelligence gathering
- Attack path threat modeling
- Vulnerability testing
- Analysis, monitoring, treatment, and reporting
Slide 11
What Causes a Breach:
- Employee error
- Malicious insiders
- Malicious outsiders
- System errors
Slide 12
Cost of a Breach:
Direct costs:
- Credit monitoring
- Mailing costs
Indirect costs:
- Time/resources
- Productivity
- Opportunity costs
- Brand and reputation
Slide 13
Defending Against Threat:
- You should expect us
- Know your data
- Understand what the threat is
- Threat should drive security control prioritization
- Enhance control strength and reduce attack surface
- Manage to risk tolerance
Slide 14
Preparing for a Breach:
- Know what applies to your business
- Educate your workforce
- Documented and tested breach response plan
- Communication plan
- Engage business partners
- Practice and hold lessons-learned sessions