{"id":10524,"date":"2014-05-29T10:30:23","date_gmt":"2014-05-29T08:30:23","guid":{"rendered":"https:\/\/www.corelan.be\/?p=10524"},"modified":"2014-05-29T10:30:23","modified_gmt":"2014-05-29T08:30:23","slug":"hitb2014ams-day-1-keynote-2-building-a-strategic-defense-against-the-global-threat-landscape","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2014\/05\/29\/hitb2014ams-day-1-keynote-2-building-a-strategic-defense-against-the-global-threat-landscape\/","title":{"rendered":"HITB2014AMS - Day 1 - Keynote 2: Building a Strategic Defense Against the Global Threat Landscape"},"content":{"rendered":"

Kristin starts her keynote by explaining that she has been in the business about 22 years ago and used to be in public services. \u00a0A long time ago, she married a husband who was in the military and ran a program for spouses to meet\/connect while their husbands were deployed. During one of the meetings, they discovered \"FTP\", which allowed them to write letters and send them to the marines. \u00a0 She was intrigued and started learning how TCP\/IP works, and helped connecting systems. \u00a0At a later stage, she got involved with connecting routers and implementing access lists... \u00a0that was 23 years ago.Later, she joined TrueSecure (which became CyberTrust, later Verizon) and became a pentester\/ethical hacker. Even today, she still uses her iPad to show CISO's if it's still possible to get inside networks and convince them that things may not be as secure as they think it is.<\/p>\n

\"DSC<\/p>\n

IBM runs the IT environment for thousands of customers, Kristin explains. \u00a0That also means that they have seen every single type of security incident possible, which allowed her to learn a lot and draw important lessons.<\/p>\n

As a CISO, you should learn how ot use small worlds and be humble. \u00a0Speaking to executives is like speaking to babies, which is also why women make great CISO's, Kristin continues.<\/p>\n

Lesson 1: You can't stop the business from innovating.<\/h4>\n

To be succesful at security, you need to understand your audience.\u00a0 \u00a0The security world is being shaped by a few dynamics: \u00a0Globalization, Internet enabled mobile devices, the Internet of Things, Analytics and Cloud computing a just a few examples of these dynamics, driven by an increasing desire and need to be mobile.<\/p>\n

\"DSC<\/p>\n

Businesses need to be mobile, explore new geographical markets and areas, or open production facilities in countries that have a lower labor cost . \u00a0Businesses need to act in a global fashion and, as a result, use mobile applications and tools to attact customers and to support business growth. \u00a0Unfortunately, these applications are not built by the Security dept, but by the Marketing Officer. \u00a0 Kristin even expects the IT budgets for marketing departments to increase and thus their influence will also increase. \u00a0Guess what, who's writing the apps? \u00a0Right, \"cousin Chuck\" has experience with writing apps for iTunes, let's ask him. \u00a0And will it be written with security in mind? \u00a0The cloud makes it possible to deploy new applications and delivery of new business services. \u00a0 The reality is that businesses need to interact with \"new consumers\", using new technology. You can't stop that.<\/p>\n

Kristin states \"for me, the biggest unknown is regulation\". \u00a0All of the aforementioned is subject to radical change if the right to anonymity is instantiated.<\/p>\n

Lesson 2: Like any biological system, we are all infected.<\/h4>\n

In a room with 300 people\/executives, at least 30 people have been compromised. In most cases, people don't believe that. \u00a0People forget that \"anything that is connected to the Internet can be hacked\". \u00a0At the same time, we are connecting \"Everything\" to the internet. \u00a0 The internet of things is a reality, and there's a fair possibility that much of it has been compromised already. \u00a0At the same time, only 1 out of 100 security compromises are ever detected. \u00a0The IBM CyberSecurity Intelligence Team estimates that about 3% of all incidents analyzed by IBM Response Services could be considered \"noteworthy\" ( = potentially material of significant impact). \u00a0 An average organization (of 15K employees), she continues, sees about 1.7 million probes per week, both internally and externally. \u00a0Of course, not all of these probes are malicious. \u00a0About 324 of them represent actual attacks, but without proper tools to detect and manage this, it's extremely difficult to detect these attacks. \u00a0Isolating attacks from noise is important and, at the same time, extremely difficult.<\/p>\n

About 56% of the attacks come from outsiders, 17% is caused by malicious insiders, Kristin says. \u00a0A majority of the 17% insiders are privileged users (administrators, etc). \u00a0IT people typically don't like to work within the security boundaries and structures. \u00a0The people that do the most harm from the inside, are \"hard-wired\" to do the harm, with high privileges.\u00a0<\/p>\n

Lesson 3: The \"Bad Guys\" rely on our stupidity, ignorance, or just plain dumb mistakes to get in.<\/h4>\n

People will click stuff. They will double-click stuff. \u00a0But it's not the only reason why hackers get in. Companies use vulnerable software, fail to install patches, use AV. They fail to report lost\/stolen devices, allow people to connect their devices to insecure networks (WiFI hotspot at Starbucks), use weak passwords or share business passwords for general use, give passwords over the phone etc etc. From an infrastructure point of view, systems are not hardened the way they should be. \u00a0Test systems are connected to the Internet with default configuration & settings; patches are not deployed on a regular\/timing basis; networks are not segmented, no tools are in place to detect incidents, legacy software\/OSes are still being used in a lot of places.\u00a0<\/p>\n

Lesson 4: Getting ahead of the threat requires you to know how to disrupt the attack chain.<\/h4>\n

Not every person in an organization is made equally. Different people have different risk profiles, which means you need different protection techniques. \u00a0Kristin explains that segmenting your user base (IT people, \"VIP\" users, general population, etc), and applying different security profiles may be a good approach. She explains that this concept has been implemented at IBM and people were given disposable hardened Linux images to minimize the impact of incidents. \u00a0<\/p>\n

Typically, an attack has 5 stages. \u00a0In other words, you can try to implement mechanisms to disrupt an attacker in each of those 5 stages: \u00a0Break-in, Latch-on, Expand, Gather, Exfiltrate.<\/p>\n

\"DSC<\/p>\n

Lesson 5: It also means knowing how to communicate effectively with senior executives.<\/h4>\n

Use small words. \u00a0Don't make things complicated. Don't use big ISO standards, but use analogies management understands. \u00a0For example: \"Implementing security is like building a house\". \u00a0Some things are mandatory ( = basic security), some things \"should\" be done and others can be done to be better than the rest. \u00a0If you're serious about security, and want to improve security at your company, you should<\/p>\n