April 19, 2019 Our stuff keeps your stuff from becoming their stuff CI Security Mike Hamilton Founder and CISO
April 19, 2019 • 2 Surviving 2019 and Beyond SCITDA September 24, 2019
April 19, 2019 Your Presenter • Founder, CI Security • Policy Advisor, Washington State • CISO, City of Seattle • Managing Consultant, VeriSign • Senior Principal Consultant, Guardent • Independent Consultant • CEO, Network Commerce, Inc. • Ocean Scientist, NASA/JPL
April 19, 2019 You Are Here • You will recognize You will recognize • Water • Water • Traffic • Communications • Traffic • Emergency Management • Public Health • Government • Communications And in some cases • Energy • Emergency • Dams • Elections • 9-1-1 Management • Public Health • Government • And in some cases • Energy • Dams • Elections • 9-1-1
April 19, 2019 Meanwhile… What could possibly go wrong?
April 19, 2019 Leaning Into OSINT Trends emerge, which lend themselves to prediction, or at least noticing which way the wind is starting to blow
April 19, 2019 Recent Public Sector Events
April 19, 2019 Ransomware
April 19, 2019 MSPs – A One-Stop Shop (for compromise) https://ci.security/ 9
April 19, 2019
April 19, 2019
April 19, 2019 BEC Toyota Subsidiary Loses $37 Million Due to BEC Scam
April 19, 2019 Phishing Sites are Eclipsing Malware Data from Microsoft “safe browsing” identification of unsafe sites
April 19, 2019 Credential Stuffing
April 19, 2019 Cryptocurrency Mining • Low-Risk for organized crime • Uses existing botnets • Becoming legitimized as an alternative to ads • Operational Continuity Threat • Not as disruptive as ransomware NOTE that the problem waxes and wanes due to the value of the cryptocurrency and power costs
April 19, 2019 SIM Swapping
April 19, 2019 IoT Weaponization ▪ Not secured when deployed ▪ If exposed to the Internet, immediate takeover ▪ Mirai, Reaper, DoubleDoor ▪ Used for DDOS, and TBD
April 19, 2019 Gigantic DDOS Memcached Amplification Attack Breaks New DDoS Record At 1.7 Tb/s Arbor believes that we’ve entered a new era in which Tb/s DDoS attacks will be common, whether it’s through memcached server vulnerabilities or through other vulnerabilities attackers may be able to find later.
April 19, 2019 Nation-State Collateral Damage
April 19, 2019 AI – Friend or Foe?
April 19, 2019 The Third Party Microscope
April 19, 2019 Commercial Malware Companies
April 19, 2019 A Spyware Company Audaciously Offers ‘Cyber Nukes’ “This ability enables an agency to instantly disable or destroy a target. Cyber strike capability is an ‘always online weapon’ that can be fired at any IP connected terminal with power to disable or destroy a target permanently. This weapon is comparable to a Nuclear Strike that can destroy city wide Cyber infrastructure or render a county wide IP communications ineffective,” the brochure adds. source: https://motherboard.vice.com/en_us/article/59weqb/a-spyware-company-audaciously-offers-cyber-nukes
April 19, 2019 Hardware Vulnerabilities Meltdown-Spectre: Now the class action suits against Intel are starting to mount up "One of the problems with Spectre is that it's completely silent," Evtyushkin said. "You don't see anything happening. Compared to traditional attacks, where an application usually crashes and you can see the damage, with microarchitecture attacks you won't see it or know it happened."
April 19, 2019 So… What Should We Do?
April 19, 2019 Outcomes to Avoid, Financial Impacts - Records Disclosure : ~$150/record - Theft : $75K-$1.2M in our region, multiple millions elsewhere - Disruption : Loss of business continuity or operating capacity, loss of life for critical services
April 19, 2019 Assume Breach We now recognize we cannot eliminate the likelihood of security events • Government must manage security as a business risk rather than an IT problem • 20th Century : Prevent compromises and security events • 21st Century : Manage the risk of this foreseeable event 27
April 19, 2019 The Mathematics of Risk R = P(T V ) * I The likelihood , or probability that a threat is realized • Preventive controls reduce that likelihood The impact (usually financial) of that realized threat • Detection and rapid, effective response address the impact term 28
April 19, 2019 R = P(T V ) * I Preventive Controls Detective Controls • Firewall • Intrusion Detection System • Intrusion Prevention System / • SIEM Application Firewall • Log Aggregation and Analysis • URL filtering • Packet capture and analysis • E-mail security • Human investigators • Vulnerability management • Anti-Virus • Employee training https://ci.security/ 29
April 19, 2019 Detection & Response is a gap Most organizations suffer deal with the fallout 69% 89% 205 average days until of victims are notified by a of victims were not compliant compromised asset detected third party such as the FBI with regulatory requirements https://ci.security/ 30
April 19, 2019 Key Metrics Minimize: • The time from initial compromise to detection • The time to reach full recovery after detection • The sum of these two is known as the ‘dwell time’ https://www.armor.com/blog/dwell-time-cyber-security-metric/
April 19, 2019 Improving Detection and Response • Make it IT’s job • Designate authority and set standards to federate incident response • Use the help/service desk • Make use of Interns • Outsource it
April 19, 2019 Not Everything is Bad… We Think AI, ML, and Security Automation
April 19, 2019 Let’s Talk about AI & ML https://www.legalcheek.com/2019/03/40-of-ai-start-ups-dont-use-ai/ https://www.csoonline.com/article/3378201/11-questions-to-ask-before-buying-ai-enabled-security-software.html
April 19, 2019 Intelligence That’s More Than Artificial Threat Intelligence Firms Look to AI, but Still Require Humans Machine learning and artificial intelligence are helping threat-intelligence firms cover a greater area of the darknet, but human analysts will always be necessary, experts say. Threat intelligence firms are racing to expand their machine-learning capabilities to capture more of the un-indexed parts of the internet, but somewhat ironically, human analysts and experts remain critical to the effort . https://www.darkreading.com/risk/threat-intelligence-firms-look-to-ai-but-still-require-humans/d/d-id/1334570 https://www.ttnews.com/articles/ai-will-boost-productivity-needs-human-guidance https://www.extremetech.com/extreme/291952-google-duplex-still-needs-a-lot-of-help-from-humans
April 19, 2019 This Was PRISEM • P ublic • R egional • I nformation • S ecurity • E vent • M onitoring Confidential Information 36
April 19, 2019 Public Infrastructure Security Cyber Education System (PISCES) CI Security Provides the Monitoring Stack, Collectors, and Maintenance Data Access for Cyber Analyst Curriculum 5-year contract for technology and maintenance services Real-Time Network Security Data Technology Hosting Agreement Incident Reporting Curriculum and Response Agreements Data Sharing Agreements City and County Governments The PISCES Nonprofit https://ci.security/ 37
April 19, 2019 Wrapping… You still don't have to run faster than the bear, but you might be collateral damage • Service disruption for the purpose of extortion is the largest emerging threat – monitor , including your control systems (water/waste/traffic/etc.) • Use the Microsoft controls with O365 • Be prepared to rapidly and effectively respond • Hold your vendors to a security standard • Procurement and policy are your best friends
April 19, 2019 I’ll Leave You With This Rescinding the policy of de minimis use can reduce compromises by 40%
April 19, 2019 THANK YOU Mike Hamilton mkh@ci.security @detectrespond – Company Tweets @seattlemkh – Unvarnished Opinions Sign up for the IT Security News Blast https://ci.security/news/daily-news
April 19, 2019 Our stuff keeps your stuff from becoming their stuff CI Security
Recommend
More recommend
