The Future of Cybersecurity The Future of Cybersecurity
Transcription
The Future of Cybersecurity The Future of Cybersecurity
The Future of Cybersecurity ISSA Italy Chapter Conference Rome, Italy 28 October 2010 Things we already know… •• Our Our web web applications applications are are still still broken… broken… –– with with the the same same problems problems (mostly)… (mostly)… •• In In 2009, 2009, over over 143 143 million million records records were were reported reported as as inadvertently inadvertently disclosed disclosed •• Several Several thousand thousand active active botnets botnets (and (and several several million million systems) systems) are are being being tracked, tracked, monitored, monitored, and and battled battled within within our our enterprises enterprises •• Process Process and and business business unit unit outsourcing outsourcing and and offshoring offshoring are are moving moving assets assets beyond beyond our our practical practical control control •• Data Data is is just just about about everywhere everywhere •• Budgets Budgets and and staffing staffing are are shrinking shrinking •• We’re We’re being being told… told… –– Improve Improve time time to to market market –– Lower Lower costs costs –– Competitive Competitive advantage advantage The Future of Cybersecurity… Cybersecurity Challenge #1 Challenge #1 – The Ever-Changing Landscape • No definable perimeter • Data on the move • Data and critical business processes outsourced, off-shored, or “stuffed” into the cloud • Computing power portability is changing the way we work Cybersecurity Challenge #2 Challenge #2 – The Attackers Are More Nimble… •• Google Google attack/Aurora, attack/Aurora, Zeus-delivered Zeus-delivered attacks attacks are are just just examples examples of of the the next next generation generation of of cyber cyber attackers attackers –– The The attackers attackers are are aggressive, aggressive, talented, talented, and and motivated motivated •• Botnets Botnets and and zero-day zero-day attacks attacks are are big big business business –– Significant Significant money money to to be be had had –– Attracting Attracting world world class class technology technology talent talent –– Seem Seem to to have have unlimited unlimited resources resources •• We’ve We’ve increased increased the the attack attack landscape landscape to to potential potential attacks, attacks, and and are are struggling struggling to to fix fix known known problems problems –– –– More More web web services services Mobile Mobile devices devices •• Achieving Achieving compliance compliance is is no no longer longer helping helping security security •• The The technologies technologies that that are are deployed deployed are are not not as as effective effective as as management management expects expects An Errant “B”… Cybersecurity Challenge #3 Challenge #3 – The Federation of Trust •• The The future future of of cybersecurity cybersecurity is is predicated predicated on on trust trust –– Online, Online, social social networking, networking, and and e-commerce e-commerce sites sites –– 33rdrd parties parties and and outsourcers outsourcers –– Crossing Crossing industries industries •• Healthcare, Healthcare, Financial Financial Services, Services, Utilities, Utilities, Transportation, Transportation, Public Public Sector Sector •• Competing Competing approaches approaches to to “presenting” “presenting” trust trust –– ISO27001/BS7799-2, ISO27001/BS7799-2, SAS70/CICA-5900, SAS70/CICA-5900, PCI, PCI, BITS, BITS, “Security “Security Seals”, Seals”, etc. etc. •• As As aa profession, profession, we we have have aa significant significant challenge challenge with with trust trust –– Standards Standards and and compliance compliance can can be be too too general general –– Professional Professional skepticism skepticism –– Accountability Accountability Cybersecurity Challenge #4 Challenge #4 – Growing Gap Between Infosec and ERM Is there a communication problem? Is the budget for data protection adequate? In the last 12 months, how often has your organization’s data been attacked? Source: Ponemon Institute© Research - Business Case for Data Protection CEO % NonCEO % Yes 64% 55% No 36% 45% Two Worlds Separated by a Common Language Infosec Infosec •• Buffer Buffer overflow overflow Business Business •• •• •• Inventory Inventory turns turns XSS XSS p@wn’d p@wn’d •• IDS, IDS, IPS, IPS, WAF, WAF, OWASP, OWASP, SSL SSL VPN, VPN, 22O22A* IAM, DLP, PII, SDLC – WCMA IAM, DLP, PII, SDLC – WCMA O A* (*we (*we can can make make an an acronym acronym out out of of anything) anything) •• Discussion Discussion is is oftentimes oftentimes based based on on vulnerabilities, not risk vulnerabilities, not risk •• When When we we do do talk talk risk risk (or (or think think we we are are talking talking risk)… risk)… –– Low, Low, Medium/Moderate, Medium/Moderate, High High –– Appeared Appeared Secure, Secure, Potentially Potentially Vulnerable, Vulnerable, Vulnerable, Vulnerable, Severely Severely Vulnerable, Compromised Vulnerable, Compromised •• Liquidity Liquidity •• Capital Capital on on hand hand •• Market Market risk risk •• Supply Supply chain chain •• Audit/Compliance Audit/Compliance –– –– –– Materiality Materiality Significant Significant deficiency deficiency Material Material weakness weakness Two Worlds Separated by a Common Language Infosec Infosec •• Buffer Buffer overflow overflow Business Business •• •• •• Inventory Inventory turns turns XSS XSS p@wn’d p@wn’d •• IDS, IDS, IPS, IPS, WAF, WAF, OWASP, OWASP, SSL SSL VPN, VPN, 22O22A* IAM, DLP, PII, SDLC – WCMA IAM, DLP, PII, SDLC – WCMA O A* (*we (*we can can make make an an acronym acronym out out of of anything) anything) •• Discussion Discussion is is oftentimes oftentimes based based on on vulnerabilities, not risk vulnerabilities, not risk •• When When we we do do talk talk risk risk (or (or think think we we are are talking talking risk)… risk)… –– Low, Low, Medium/Moderate, Medium/Moderate, High High –– Appeared Appeared Secure, Secure, Potentially Potentially Vulnerable, Vulnerable, Vulnerable, Vulnerable, Severely Severely Vulnerable, Compromised Vulnerable, Compromised •• Liquidity Liquidity •• Capital Capital on on hand hand •• Market Market risk risk •• Supply Supply chain chain •• Audit/Compliance Audit/Compliance –– –– –– Materiality Materiality Significant Significant deficiency deficiency Material Material weakness weakness Cybersecurity Challenge #5 Challenge #5 – The Way People Think Has Changed Cybersecurity Challenge #6 Challenge #6 – Educating the Next Generation • Our children • College graduates • New hires Thank You! Kevin Richards, CISSP President, ISSA International 773-269-6350 kevin.richards@issa.org