The Future of Cybersecurity The Future of Cybersecurity

The Future
of Cybersecurity
ISSA Italy Chapter Conference
Rome, Italy
28 October 2010
Things we already know…
•• Our
Our web
web applications
applications are
are still
still broken…
broken…
–– with
with the
the same
same problems
problems (mostly)…
(mostly)…
•• In
In 2009,
2009, over
over 143
143 million
million records
records were
were reported
reported as
as inadvertently
inadvertently disclosed
disclosed
•• Several
Several thousand
thousand active
active botnets
botnets (and
(and several
several million
million systems)
systems) are
are being
being
tracked,
tracked, monitored,
monitored, and
and battled
battled within
within our
our enterprises
enterprises
•• Process
Process and
and business
business unit
unit outsourcing
outsourcing and
and offshoring
offshoring are
are moving
moving assets
assets
beyond
beyond our
our practical
practical control
control
•• Data
Data is
is just
just about
about everywhere
everywhere
•• Budgets
Budgets and
and staffing
staffing are
are shrinking
shrinking
•• We’re
We’re being
being told…
told…
–– Improve
Improve time
time to
to market
market
–– Lower
Lower costs
costs
–– Competitive
Competitive advantage
advantage
The Future of Cybersecurity…
Cybersecurity Challenge #1
Challenge #1 – The Ever-Changing Landscape
• No definable perimeter
• Data on the move
• Data and critical business processes
outsourced, off-shored, or “stuffed”
into the cloud
• Computing power portability is
changing the way we work
Cybersecurity Challenge #2
Challenge #2 – The Attackers Are More Nimble…
•• Google
Google attack/Aurora,
attack/Aurora, Zeus-delivered
Zeus-delivered attacks
attacks are
are just
just examples
examples of
of
the
the next
next generation
generation of
of cyber
cyber attackers
attackers
–– The
The attackers
attackers are
are aggressive,
aggressive, talented,
talented, and
and motivated
motivated
•• Botnets
Botnets and
and zero-day
zero-day attacks
attacks are
are big
big business
business
–– Significant
Significant money
money to
to be
be had
had
–– Attracting
Attracting world
world class
class technology
technology talent
talent
–– Seem
Seem to
to have
have unlimited
unlimited resources
resources
•• We’ve
We’ve increased
increased the
the attack
attack landscape
landscape to
to potential
potential
attacks,
attacks, and
and are
are struggling
struggling to
to fix
fix known
known problems
problems
––
––
More
More web
web services
services
Mobile
Mobile devices
devices
•• Achieving
Achieving compliance
compliance is
is no
no longer
longer helping
helping security
security
•• The
The technologies
technologies that
that are
are deployed
deployed are
are not
not as
as effective
effective as
as
management
management expects
expects
An Errant “B”…
Cybersecurity Challenge #3
Challenge #3 – The Federation of Trust
•• The
The future
future of
of cybersecurity
cybersecurity is
is predicated
predicated on
on trust
trust
–– Online,
Online, social
social networking,
networking, and
and e-commerce
e-commerce sites
sites
–– 33rdrd parties
parties and
and outsourcers
outsourcers
–– Crossing
Crossing industries
industries
•• Healthcare,
Healthcare, Financial
Financial Services,
Services, Utilities,
Utilities, Transportation,
Transportation, Public
Public Sector
Sector
•• Competing
Competing approaches
approaches to
to “presenting”
“presenting” trust
trust
–– ISO27001/BS7799-2,
ISO27001/BS7799-2, SAS70/CICA-5900,
SAS70/CICA-5900, PCI,
PCI, BITS,
BITS, “Security
“Security Seals”,
Seals”, etc.
etc.
•• As
As aa profession,
profession, we
we have
have aa significant
significant challenge
challenge with
with trust
trust
–– Standards
Standards and
and compliance
compliance can
can be
be too
too general
general
–– Professional
Professional skepticism
skepticism
–– Accountability
Accountability
Cybersecurity Challenge #4
Challenge #4 – Growing Gap Between Infosec and ERM
Is there a communication problem?
Is the budget for data protection
adequate?
In the last 12 months, how often has your organization’s data been
attacked?
Source: Ponemon Institute© Research - Business Case for Data Protection
CEO %
NonCEO %
Yes
64%
55%
No
36%
45%
Two Worlds Separated by a Common Language
Infosec
Infosec
•• Buffer
Buffer overflow
overflow
Business
Business
••
••
•• Inventory
Inventory turns
turns
XSS
XSS
p@wn’d
p@wn’d
•• IDS,
IDS, IPS,
IPS, WAF,
WAF, OWASP,
OWASP, SSL
SSL VPN,
VPN,
22O22A*
IAM,
DLP,
PII,
SDLC
–
WCMA
IAM, DLP, PII, SDLC – WCMA O A*
(*we
(*we can
can make
make an
an acronym
acronym out
out of
of
anything)
anything)
•• Discussion
Discussion is
is oftentimes
oftentimes based
based on
on
vulnerabilities,
not
risk
vulnerabilities, not risk
•• When
When we
we do
do talk
talk risk
risk (or
(or think
think we
we are
are
talking
talking risk)…
risk)…
–– Low,
Low, Medium/Moderate,
Medium/Moderate, High
High
–– Appeared
Appeared Secure,
Secure, Potentially
Potentially
Vulnerable,
Vulnerable,
Vulnerable, Vulnerable, Severely
Severely
Vulnerable,
Compromised
Vulnerable, Compromised
•• Liquidity
Liquidity
•• Capital
Capital on
on hand
hand
•• Market
Market risk
risk
•• Supply
Supply chain
chain
•• Audit/Compliance
Audit/Compliance
––
––
––
Materiality
Materiality
Significant
Significant deficiency
deficiency
Material
Material weakness
weakness
Two Worlds Separated by a Common Language
Infosec
Infosec
•• Buffer
Buffer overflow
overflow
Business
Business
••
••
•• Inventory
Inventory turns
turns
XSS
XSS
p@wn’d
p@wn’d
•• IDS,
IDS, IPS,
IPS, WAF,
WAF, OWASP,
OWASP, SSL
SSL VPN,
VPN,
22O22A*
IAM,
DLP,
PII,
SDLC
–
WCMA
IAM, DLP, PII, SDLC – WCMA O A*
(*we
(*we can
can make
make an
an acronym
acronym out
out of
of
anything)
anything)
•• Discussion
Discussion is
is oftentimes
oftentimes based
based on
on
vulnerabilities,
not
risk
vulnerabilities, not risk
•• When
When we
we do
do talk
talk risk
risk (or
(or think
think we
we are
are
talking
talking risk)…
risk)…
–– Low,
Low, Medium/Moderate,
Medium/Moderate, High
High
–– Appeared
Appeared Secure,
Secure, Potentially
Potentially
Vulnerable,
Vulnerable,
Vulnerable, Vulnerable, Severely
Severely
Vulnerable,
Compromised
Vulnerable, Compromised
•• Liquidity
Liquidity
•• Capital
Capital on
on hand
hand
•• Market
Market risk
risk
•• Supply
Supply chain
chain
•• Audit/Compliance
Audit/Compliance
––
––
––
Materiality
Materiality
Significant
Significant deficiency
deficiency
Material
Material weakness
weakness
Cybersecurity Challenge #5
Challenge #5 – The Way People Think Has Changed
Cybersecurity Challenge #6
Challenge #6 – Educating the Next Generation
• Our children
• College graduates
• New hires
Thank You!
Kevin Richards, CISSP
President, ISSA International
773-269-6350
[email protected]