2015 CHIEF INFORMATION OFFICER LEADERSHIP FORUM
WEDNESDAY, MARCH 11, 2015
DALLAS, TX
Gene Scriven
Top 12 Threats to the Enterprise
The Land of Information Security
Threats to the Enterprise
Also Known As…
What Will We Talk About?
• Nothing that’s Rocket Science
• Concepts may very well be the same for everyone
– Details will be different
• Enterprise or small business or personal
• A combination of “Soft Stuff” and Technology
• Vendor Agnostic (and even Technology Agnostic)
• Not a “How To Fix It” presentation
• You’ll notice some overlap – it’s intentional
• My personal/professional opinion
– Your mileage may vary
Who Is This Guy??
Chief Information Security Officer at Sabre
• Prior to Sabre, CISO at The Home Depot
35+ years in Information Security
• Commercial, military, federal government, government contract, and the Intelligence Community
• Big-Six (and similar) background
Government and US Intelligence Community
• Programmer, PM, Security Director, Development Director, Missile Targeting, Electronic Wargames, Electronic Countermeasures, Federal Agent, Computer Crime Investigator
Commercial
• Security Systems Development Director, QA Director, Process Engineer, Consultant to the C Suite, Chief Information Security Officer
Not Particularly Related (but far more FUN)
• College Professor, Paramedic, Lifeguard, Comedian
Why The “Dirty Dozen?”
• Everybody has a list…I wanted one too
– Mitre has (used to have) the Top 20
– SANS Institute Top 10 Cyber Threats
– FBI Survey
– Open Web Application Security Project (OWASP) has the Top 10
– “Cyber Security Veterans” Top 10 Security Menaces
– Top 10 Security Risks to University Communities
• “Top 10” seemed like a great starting point
– Quickly morphed to a “Dozen”
• Any list….is never enough!
• Original list (in 1998) was a work assignment
• Contrast Gene’s 1998 Dirty Dozen with today’s
#12
The Next Employee You Lay Off
• Job market is improving, but lay-offs and cuts are still happening
• HR errs on the side of “being nice” to employees during downsizing
• Statistics still indicate that internal threats are on the rise
FBI reports, “Nearly 90 percent of such crimes (data theft) are committed by employees of the victims.”
Most employees/companies have…
• Excessive accesses
• Insufficient access reviews
• “Overlapping trust”
• Too much emphasis on the perimeter
• False sense of security
• Not enough prosecution
• Confusion between Disgruntled vs. “Under-Educated”
The Next Employees You Lay Off …should not be allowed to become Malicious Insiders
[Chart: AVERAGE DAYS TO RESOLVE AN ATTACK – Ponemon Institute’s 2013 Cost of Cyber Crime Study]
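The slide names the usual gaps (excessive access, no access reviews, overlapping trust) without showing what a review actually looks for. The following is an added example, not code from the deck or from Sabre: a small access review that joins a constructed HR roster against a constructed identity-store export and flags terminated staff who are still enabled, accounts with no HR owner, accounts holding more groups than a constructed threshold, and privileged membership nobody has recertified recently. The group names, thresholds and dates are assumptions made up for the example.

```python
"""Added example: an access review over constructed sample data (not from the deck)."""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed HR roster: employee id -> employment status and termination date (if any)
HR: Dict[str, dict] = {
    "e100": {"status": "active", "terminated": None, "dept": "finance"},
    "e101": {"status": "terminated", "terminated": date(2015, 2, 27), "dept": "it"},
    "e102": {"status": "active", "terminated": None, "dept": "hr"},
    "e103": {"status": "terminated", "terminated": date(2015, 3, 2), "dept": "finance"},
}

# Constructed identity-store export: one row per account
ACCOUNTS: List[dict] = [
    {"account": "e100", "enabled": True, "groups": ["gl-read"], "last_review": date(2015, 1, 15)},
    {"account": "e101", "enabled": True, "groups": ["domain-admins", "vpn"], "last_review": date(2014, 6, 1)},
    {"account": "e102", "enabled": True, "groups": ["hr-read", "gl-read", "payroll-write", "domain-admins"],
     "last_review": None},
    {"account": "e103", "enabled": False, "groups": ["gl-read"], "last_review": date(2015, 1, 15)},
    {"account": "svc-backup", "enabled": True, "groups": ["domain-admins"], "last_review": None},
]

PRIVILEGED = {"domain-admins", "payroll-write"}  # constructed: groups that require periodic recertification
REVIEW_DAYS = 90                                 # constructed: maximum age of a recertification
MAX_GROUPS = 3                                   # constructed: more than this is "excessive access"

Finding = Tuple[str, str, str]  # (account, observation, recommended action)


def review_access(hr: Dict[str, dict], accounts: List[dict], today: date) -> List[Finding]:
    """Return one finding per gap; an account can produce several findings."""
    findings: List[Finding] = []
    for acct in accounts:
        name = acct["account"]
        person = hr.get(name)
        # Overlapping trust: an enabled account that no employee record owns
        if person is None:
            if acct["enabled"]:
                findings.append((name, "no HR owner", "disable or assign an owner"))
        # The laid-off employee: terminated in HR but still able to log in
        elif person["status"] == "terminated" and acct["enabled"]:
            days = (today - person["terminated"]).days
            findings.append((name, f"terminated {days} days ago, still enabled", "disable now"))
        # Excessive access: too many entitlements on one enabled account
        if acct["enabled"] and len(acct["groups"]) > MAX_GROUPS:
            findings.append((name, f"{len(acct['groups'])} groups", "excessive access"))
        # Insufficient access reviews: privileged membership with a stale or missing recertification
        priv = PRIVILEGED & set(acct["groups"])
        last: Optional[date] = acct["last_review"]
        stale = last is None or (today - last).days > REVIEW_DAYS
        if acct["enabled"] and priv and stale:
            findings.append((name, f"privileged groups {sorted(priv)} not reviewed in {REVIEW_DAYS} days",
                             "recertify"))
    return findings


def review_as_of_forum_date() -> List[Finding]:
    """Run the review as of the forum date on the slides (constructed convenience wrapper)."""
    return review_access(HR, ACCOUNTS, date(2015, 3, 11))


if __name__ == "__main__":
    for account, observation, action in review_as_of_forum_date():
        print(f"{account:<12} {observation:<70} -> {action}")
```

Run as-is it prints six findings; the disabled account of the other terminated employee (e103) and the ordinary active user (e100) produce none, which is the point: the review should be quiet when HR and the identity store agree.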
#11
Desensitized by Media Saturation
“Government Laptop with SSNs Stolen from Airport”
“Yet another retailer is hacked and millions of CC numbers are stolen”
“Keylogger Compromises 250,000 Identities”
#10
Your Information is now VALUABLE to Criminals
Hacking for FUN and Website Defacement are still common, but motivations now focus on the value of INFORMATION
• Credit Card Data
• PII Data
• Identity Theft & Social Engineering
• Company Info
• IP AND seemingly innocent info
[Chart: PERCENTAGE OF COST FOR EXTERNAL CONSEQUENCES – Ponemon Institute’s 2013 Cost of Cyber Crime Study]
Information Loss/Theft is Leading The Pack
#9
Believing that ENCRYPTION = NIRVANA
“But Geeeene…we don’t need to spend any more money on security because our data is encrypted! Don’t you remember???”
• Realize the Encryption is just part of the total solution set
• Data can be decrypted – Key Management (and Protection) is Critical
• Encrypted Data remains in-scope for PCI
• Are you encrypting passwords? It may not be good enough.
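The last bullet is the one that trips people up: a password that is encrypted (or hashed with a fast, unsalted digest) can be recovered or matched in bulk, whereas a stored password only ever needs to be verified. The block below is an added example written for this page, not code from the deck; it contrasts a plain SHA-256 digest, where identical passwords produce identical digests, with a salted, iterated PBKDF2 record that can only be checked, never reversed. The record format, the iteration count and the sample password are constructed for the example (Python standard library only).

```python
"""Added example: hashing passwords for verification instead of encrypting them (not from the deck)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # constructed illustrative value; raise it as hardware gets faster
SALT_BYTES = 16


def naive_sha256(password: str) -> str:
    """Fast, unsalted digest: equal passwords give equal digests, so one
    precomputed table matches every account that shares a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$digest (salt and digest base64).
    A fresh random salt per password means equal passwords get different records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so a mismatch reveals nothing about how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("naive digests equal:   ", naive_sha256(pw) == naive_sha256(pw))
    record_a, record_b = hash_password(pw), hash_password(pw)
    print("salted records differ: ", record_a != record_b)
    print("verify correct password:", verify_password(record_a, pw))
    print("verify wrong password:  ", verify_password(record_a, "password1"))
```

Storing the iteration count inside the record is what lets you raise it later: old records keep verifying with their own count, and you rehash on the next successful login.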
#8
Not Prepared for THE CLOUD
• Everybody’s rushing to put their data into “The Cloud”
• Some of the economic data is compelling
• Jumping onto the Bandwagon may be dangerous – have a strategy
• Address critical factors
• Only put certain classifications of data into the Cloud
• Who will own the data?
• Who’s liable for data breaches?
• Destroying data when finished
• What data protection controls are YOU responsible to provide?
• Ask Why…if the answer is “because everybody’s doing it,” maybe it’s not for you
• The Cloud MAY BE the right answer – But be sure you’re asking the right questions
#7
Information Security “Old Fogies”
“Younger Workers” who have grown up in the digital age have very different attitudes about security and privacy than older generations
People who have grown up with digital devices constantly at their fingertips, collaborating on social media or sharing documents, don’t react well to being told they can no longer function that same way from their workplaces.
They will find ways to do what they want!
A more competent workforce is changing how employees view workplace technology
#6
Application/Middleware Vulnerabilities
• Most vendors will do the right thing with vulnerabilities and patches
• Many enterprises still focus primarily on OS vulnerabilities
• Attackers taking advantage of the proliferation of applications across the typical enterprise
• Internally developed applications need attention as well
• Are you frequently scanning your web apps?
• Do you require your app teams to do code reviews?
• Establish an EFFECTIVE Application Security Program
[Figure: Internal Applications]
Breaching “The Perimeter” is no longer the Preferred Attack Vector
#5
Failed Understanding of InfoSec and (Cyber) Risk
“How many incidents did you prevent last year?”
“Why aren’t you making the company any money?”
Unable to Articulate Risk
[Chart: Minor Concern vs. Major Concern, Department vs. Business Unit]
[Figure: 5×5 risk matrix – IMPACT across (Insignificant, Minor, Moderate, Major, Catastrophic), LIKELIHOOD down (Unlikely, Rare, Possible, Likely, ~Certain); each cell is a RISK rating]
Risk has to be seen through the eyes of the Risk-Taker!
#4
Service Providers become a Vulnerability
• Third parties have become a large part of many infrastructures
• Costs
• Expertise
• Companies now rely heavily on them
• Many are trusted with sensitive info
• Are they properly evaluated for the right data protections?
• Do your contracts hold them equally liable?
• Are your SLAs adequate – especially on Incident Response?
• What about “The Cloud?”
“Third party organizations accounted for 42% of all data breaches.”
– Ponemon Institute
#3
Mobile & BYOD
• Everyone’s stats agree – Mobile Devices are on the rise in our enterprises
• Have you seen your CEO’s iPad on the network? (Not yet??)
• Sticking your head in the sand is not an option here
• Be aware of the threats of unmanaged mobile devices
• Non-compliant devices
• Jail-broken devices
• Zero-day exploits
• User savvy at getting around your controls
• BYOD – See the train storming down the tracks!
• Partner with your users – and admit they may know more about this than you
• Define what Mobile/BYOD means to you – and be prepared with a comprehensive Mobile Device Management strategy
#2
Poor Patching
(or…Perpetual Patching)
• “OK…But we’ll have to slip our development schedule.”
• “What do you mean by ‘Have the systems patched in 10 days?’”
• “But we have so many different platforms…”
• “It’s gonna take at least two months to test that patch.”
• “This is a lot of work….Why can’t you just block the exploits?”
• “It’s not my job, I just load the base images.”
• “We should be OK…it’s not like we’re the NSA or something.”
• Need an Iterative process, with Governance, and Required Compliance
• Comprehensive Patching – Applications, OS, Databases, Network Components
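The slide's answer to all of the excuses is a governed, iterative process that covers applications, OS, databases and network components, which only works if someone can see, per layer, what is past its deadline. The block below is an added example, not from the deck or from any of the companies it names: a patch-compliance check that applies a constructed severity-based SLA (with the slide's "10 days" for critical patches) to a constructed inventory and reports each item as compliant, late, pending or overdue, then totals the overdue count by layer. SLA values, hosts, patch names and dates are all assumptions made up for the example.

```python
"""Added example: patch-SLA compliance across OS, application, database and network layers (not from the deck)."""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List

# Constructed policy: days allowed between a patch's release and its installation, by severity
SLA_DAYS: Dict[str, int] = {"critical": 10, "high": 30, "medium": 90}

# Constructed inventory: one row per (host, patch); installed=None means not yet applied
INVENTORY: List[dict] = [
    {"host": "web-01", "layer": "os", "patch": "os-fix-1", "severity": "critical",
     "released": date(2015, 2, 10), "installed": date(2015, 2, 17)},
    {"host": "web-01", "layer": "application", "patch": "webapp-fix-1", "severity": "critical",
     "released": date(2015, 2, 20), "installed": None},
    {"host": "db-01", "layer": "database", "patch": "db-fix-1", "severity": "high",
     "released": date(2015, 1, 20), "installed": None},
    {"host": "core-sw-1", "layer": "network", "patch": "switch-fix-1", "severity": "medium",
     "released": date(2015, 1, 5), "installed": date(2015, 3, 1)},
    {"host": "app-02", "layer": "application", "patch": "runtime-fix-1", "severity": "high",
     "released": date(2015, 3, 5), "installed": None},
]


def evaluate(inventory: List[dict], today: date) -> List[dict]:
    """Attach a deadline, a state and the number of days the patch has been open to every row.
    States: compliant (installed by the deadline), late (installed after it),
    pending (missing but still inside the SLA), overdue (missing and past the SLA)."""
    results = []
    for row in inventory:
        deadline = row["released"] + timedelta(days=SLA_DAYS[row["severity"]])
        if row["installed"] is None:
            state = "overdue" if today > deadline else "pending"
            days_open = (today - row["released"]).days
        else:
            state = "compliant" if row["installed"] <= deadline else "late"
            days_open = (row["installed"] - row["released"]).days
        results.append({**row, "deadline": deadline, "state": state, "days_open": days_open})
    return results


def summarize_by_layer(results: List[dict]) -> Dict[str, Dict[str, int]]:
    """Roll the per-row states up to totals per layer, so a gap in one layer
    (databases, network gear) is not hidden by a healthy OS patch cycle."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"total": 0, "overdue": 0})
    for r in results:
        summary[r["layer"]]["total"] += 1
        if r["state"] == "overdue":
            summary[r["layer"]]["overdue"] += 1
    return dict(summary)


def report_as_of_forum_date() -> List[dict]:
    """Evaluate the constructed inventory as of the forum date on the slides."""
    return evaluate(INVENTORY, date(2015, 3, 11))


if __name__ == "__main__":
    rows = report_as_of_forum_date()
    for r in rows:
        print(f"{r['host']:<10} {r['layer']:<12} {r['patch']:<15} {r['severity']:<9} "
              f"deadline {r['deadline']} {r['state']:<10} open {r['days_open']}d")
    for layer, counts in summarize_by_layer(rows).items():
        print(f"{layer:<12} {counts['overdue']}/{counts['total']} overdue")
```

The output is what a governance meeting actually needs: the critical web-application patch is 19 days open against a 10-day SLA, the database patch is 50 days open, and the "we only track OS patches" blind spot shows up as overdue counts in the application and database rows of the summary.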
#1
Sophisticated (and Zero-Day) Malware
Interesting Malware Activities
1. Changing network settings
2. Disabling anti-virus and anti-spyware tools
3. Turning off Microsoft Security Center and/or other updates
4. Installing rogue certificates
5. Cascading file droppers
6. Keystroke Logging
7. URL monitoring, form scraping, and screen scraping
8. Turning on the microphone and/or camera
9. Pretending to be an antispyware or antivirus tool
10. Editing search results
11. Acting as a spam relay
12. Planting a rootkit - altering the system to prevent removal
13. Installing a bot for attacker remote control
14. Intercepting sensitive documents … or encrypting them for ransom
15. Planting a sniffer
“Don’t worry about that spyware thing….it’s just someone trying to see where you’re going on the Internet – you know, for Marketing purposes.”
Verizon Business Data Breach report from just a few years ago indicated that 38% of compromises were due to Malware. Ask yourself how many of the recent breaches involved MALWARE?
ATTACK METHODS
• THE HOME DEPOT (2014) – Malware (Believed to be)
• SALLY BEAUTY (2014) – Malware installed by hackers
• P.F. CHANGS (June 2014) – Compromised POS terminals
• TARGET (2013) – Malware installed by hackers
• NEIMAN MARCUS (2013) – Malware installed by hackers
• EPSILON (2011) – Spear phishing
• NASDAQ (2010) – Zero-day Malware (Digital Bomb) installed on several servers
• TJ MAX (2007) – Wireless network hacked
• HEARTLAND (2008) – Access via malicious software
source: informationisbeautiful.net
How Your CISO Can Help Him/Herself
(CISO=Chief Information Security Officer)
• Know what you don’t know
• Focus on the Message
– Content is critical
– Delivery is just as important
• Be a Business Person first
– …and a Technician second
– …and a Politician third (build relationships)
• Organize your program based on RISK
• Defense-In-Depth
• Don’t be afraid to ask for help
Dirty Dozen – Then vs. Now
1998
#12 - No Security Awareness Program
#11 - Blind Trust of Insiders
#10 - Reliance on Firewalls
#9 - No Business Continuity Plan
#8 - Chiefs Not Listening To “Indians”
#7 - Not Enough Attention To Physical Security
#6 - Insufficient Security Policies
#5 - Uncontrolled Modems
#4 - Insecure Web Sites / Pages
#3 - No Verification Of Security
#2 - No Security Monitoring
#1 - Poor Password Practices
2015
#12 – The Next Employee you Lay Off
#11 – Desensitized by Media Saturation
#10 – Your Info is Valuable to Criminals
#9 – Believing Encryption=Nirvana
#8 – Unprepared for the Cloud
#7 – Information Security Fogies
#6 – App/Middleware Vulnerabilities
#5 – Not Understanding InfoSec or Risk
#4 – Service Provider Problems
#3 – Mobile & BYOD
#2 – Poor Patching
#1 – Sophisticated (& Zero-Day) Malware
“They only have to get lucky one time, but we have to be good all the time.”
- Mark Weatherford, Deputy Undersecretary for Cybersecurity, Department of Homeland Security
Discussing the advantages the bad guys have over those responsible for defending networks, systems, and data in today’s Cyber environment
Truer Words Were Never Spoken…
You Know You’re Spending Too Much Time With Your Information Security Team if…
• You’ve ever written a nasty letter to Barnes & Noble because they didn’t carry this year’s Verizon Data Breach Report
• The only vacations your Significant Other will consider are cruises and cave-exploring because “the office” can’t reach you on your cell phone
• There are at least three “Two-Factor Tokens” on your keychain
• You secretly hope you won’t miss the next big virus outbreak while you’re out on vacation
• You’ve got a new car with a built-in GPS and computer and remote start, but you constantly worry about how easy it would be to hack
• Your Grandmother has ever called you about the latest phishing message she just received
• Your teenagers go to friends’ houses to surf the Internet because they know what you do for a living
• You’re so tired of answering people’s security questions that you tell the lady sitting next to you on the plane that you’re “just an IT guy.”
• Attending a SecureWorld, Argyle, or RSA Conference is like going to your high-school reunion
Questions?