Date post: | 13-May-2018 |
Category: |
Documents |
Upload: | phungquynh |
View: | 223 times |
Download: | 1 times |
About the Speaker – SnoopWall’s CEO
I’m Gary S. Miliefsky, CEO, SnoopWall, Inc.Inventor. Entrepreneur. Founding Member, DHS.govCyberSecurity Expert. Breach Prevention Pioneer.
My bio is online at: http://www.snoopwall.com/media/
Miliefsky’s Cyber Dictionary Malware – Not very nice software. Malicious in nature.
DDoS – Distributed Denial of Service Attack – many computers or internet devices (including IoT) that are secretly infected and accessed remotely by the cyber hackers to send tons of packets (usually 500mb/sec to 1GB/sec) at a target (such as an online retailer or website or gaming network) to temporarily take it down.
IoT – Internet of Things
Ransomware – Encryption Malware Charging Ransom
Virus – old fashioned name for malware.
Spyware – malware that spies on your keyboard and/or other hardware ports like webcam and microphone
Remote Access Trojan (RAT) – malware that remotely spies on you. Allows hackers to take control of your computer remotely over the internet without you even noticing
Spear Phishing Attack – an Email (or SMS message) that looks like it came from someone you trust with a malicious (malware) attachment that usually is a RAT or Ransomware.
PII – Personally Identifiable Information..stolen by cyber criminals using malware
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 5
45% of breaches in the private sector are of companies with less than 1,000 employees
Source: Verizon Breach Investigations Report
Are You A Target? YES!
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 7
Breaches are on an Exponential Rise…1. Last year, according to World Bank, Cybercrime
reached $600B, that’s $100B more than Drug Crime.
2. Cybercrime is now the #1 form of criminal activity globally.
3. I predict 2017 will be a One Trillion Dollar Year for Cyber Criminals.
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 8
The Average Cost of a Breach?It’s over $3M…this could put you out of business.
Loss of current and future customersTarnished brand and reputationLawsuit/legal feesFines and PenaltiesSignificant Administrative & Remediation Costs
If it’s a ransomware breach, add “Paying Ransom” to the list…
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 9
Why are Breaches So Frequent?It’s easy when there is NO SECURITY BY DESIGN:Backdoors…Late Patches…Poor Configuration Management…ExploitableVulnerabilities… Innovative Threats…Easily Exploited People… Infrequent Backups…Little to No Strong Encryption (and proper key management)…
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 10
Everything running the TCP/IP Stack (internet protocols) is INSECURE by DESIGN…
Autonomous Delivery Drones (Amazon) crashes into property or a person and harms them Autonomous Cars (Google, Uber, etc.) crashes into another vehicle and harms people Internet of Things (Apple, Google, Samsung, Microsoft, LG, etc.)
– Smart Phones – receives ransomware over SMS – pay or your phone becomes a brick– Smart TVs – used to eavesdrop on the consumer by companies, governments and hackers– Smart Watches – remotely accessed to steal personal information, wireless car & hotel keys, etc.– Smart Doorbells – lets burglars know when you are not home, backdoor to home wifi– Smart Refrigerators – receives ransomware over internet – pay or your food is spoiled– Smart Climate Controls (Nest) – receives ransomware – pay or your house freezes in the winter
Internet Entertainment Centers– In our cars – remotely exploited to take control of the car – speed it up, slow it down, crash it– On our trains - remotely exploited to take control of the train – speed it up, slow it down, crash it– In the passenger cabin of airlines – exploited to hijack a plane – cause panic and fear
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 11
YOUR SMART REFRIGERATOR RECEIVES RANSOMWARE
You purchased the LG Unitthat has a safety lock tokeep your young childrenout…when suddenly itreceives ransomwareover the internet (wifi)
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 12
So How About Security By Design?– Threats exploit Vulnerabilities– Vulnerabilities are Holes or Weaknesses– The latest threats take advantage of the inherent weaknesses in the Internet protocols– The Internet protocols are used to create home, business and government networks– These protocols enable devices to communicate with each other– These protocols allow Threat actors anywhere in the world to attempt to exploit any
Internet connected device (Car, Phone, TV, Computer, etc.)– Threats leveraging the Internet include…
• Denial of service attacks• Remote Access Trojans• Spear Phishing Attacks• Ransomware
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 13
So How About Security By Design?– Hardware and software is developed with backdoors for ‘remote access’ – many claim
this is for support teams to help customers remotely:
• Look at the new Samsung Smartphone, it’s running an SSH server (remote access server) and if you have the keys at Samsung, you can remotely access any of these new phones. If a hacker gets these keys, so can they.
– Software is developed with inherent coding flaws (buffer overflow, hard coded passwords and other exploitable bugs)
– Some vulnerabilities can be closed:• Patches that work.• Reconfiguration that work around the hole.• Turning off vulnerable services or features until a fix is available.
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 14
So How About Security By Design?Demand the following of market leaders…
– NO BACKDOORS– STRONG ENCRYPTION– HARDWARE DESIGN SECURITY AUDITS– SOFTWARE SOURCE CODE SECURITY AUDITS– PRE-RELEASE PENETRATION & VULNERABILITY TESTING OF END PRODUCTS– SECURITY PATCH UPDATES BAKED INTO THE DESIGN– WRITTEN POLICIES AND PROCEDURES FOR SECURITY PATCH UPDATES– RAPIDLY DEPLOYED, WELL TESTED SECURITY PATCH UPDATES– WELL DOCUMENTED PRIVACY POLICIES
– PUBLICLY NOTICED - PAID AND OPEN BUG BOUNTY PROGRAM
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 15
Short Intermission…Let’s all play…
Lifeline: http://tinyurl.com/snoopwall-breaches
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 16
How Vulnerable is Sensitive Data?
Source: Vormetric 2017 Global Data Threat Report
of Sensitive Data is Very Vulnerable, Overall
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 17
Are Insider Threats Really That Serious?
Source: Insider Threat Report of 2017, by Crowd Research Partners
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 21
7 SECRETS OF OFFENSIVE SECURITY
SECRET #1:YOU HAVE REASONABLE PHYSICAL
SECURITY AGAINST UNWANTED VISITORS…YET YOU HAVE INCREDIBLY POOR
NETWORK SECURITY BEHIND THOSE CLOSED DOORS…
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 22
SECRET #2:YOU BELIEVE FIREWALLS AND ANTIVIRUS WILL PROTECT YOU
THEY WON’T. IN FACT: 95% of BREACHES Including Sony Pictures
Entertainment and YAHOO! happen behind firewalls on systems protected by Anti-virus software.
7 SECRETS OF OFFENSIVE SECURITY
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 23
SECRET #3:YOU NEED TO FOCUS ON WHERE MOST
ATTACKS HAPPEN…ON TRUSTED “PROTECTED” ASSETS
SPEAR PHISHING ATTACKS & REMOTE ACCESS TROJANS (RATS) ARE THE TOP
FORM OF SUCCESSFUL ATTACKS AGAINST ANY NETWORK.
7 SECRETS OF OFFENSIVE SECURITY
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 24
SECRET #4:RANSOMWARE IS COSTING US MILLIONS BUT
THERE’S A SIMPLE WAY TO AVOID IT…
FREQUENT, TESTED, DAILY BACKUPS.IF YOU COULD ISOLATE THE RANSOMWARE AND REBUILD THE
INFECTED SYSTEM QUICKLY, THE DAMAGE IS NEAR ZERO.
7 SECRETS OF OFFENSIVE SECURITY
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 25
SECRET #5:DATA THEFT (ex. 4TB of SONY PICTURES
ENTERTAINMENT MOVIES AND EMAILS) IS USELESS IF….
YOU ALWAYS ENCRYPT THE DATA.IF YOU COULD ALWAYS ENCRYPT THE DATA (AT REST AND IN TRANSIT) AND MANAGE THE KEYS, WELL, THEN THE CYBER
CRIMINALS GET NOTHING OF VALUE!!!
7 SECRETS OF OFFENSIVE SECURITY
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 26
SECRET #6:DON’T RISK BEING A VICTIM AS TIME IS AGAINST YOU…
NOW IS THE TIME TO GET PROACTIVE AND GO ON THE OFFENSE
FIND A RISK MANAGEMENT OR INTRUSION PREVENTION SYSTEM OR BREACH PREVENTION SOLUTION THAT HELPS YOU BEHINDYOUR CORPORATE FIREWALL AND FOCUSES ON THE WORST
THREATS, HELPS YOU FIND AND FIX YOUR VULNERABILITIES AND PROTECT YOUR NETWORK ASSETS. IT MAY TAKE A
COMBINATION OF POLICIES, PROCESSES, PRODUCTS AND SERVICES.
7 SECRETS OF OFFENSIVE SECURITY
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 27
SECRET #7:YOU NEED TO MANAGE AND REDUCE RISKS, DAILY, BEHIND YOUR CORPORATE FIREWALLLEARN AND UTILIZE THE RISK FORMULA (BIG SECRET)
R = T X V X ARisk = Threats (strength of each) x Vulnerabilities (exploitability) x
Assets (value of each)
7 SECRETS OF OFFENSIVE SECURITY
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 28
IN SUMMARY…
1. FIX YOUR INTERNAL NETWORK SECURITY – ITS VERY WEAK!2. MOST BREACHES ARE INTERNAL, BEHIND FIREWALL & AV3. FOCUS ON STOPPING SPEAR PHISHING & RATS4. PERFORM FREQUENT, DAILY BACKUPS – AND TEST THEM!5. ENCRYPT THE DATA, ALWAYS. W/ STRONG KEY MANAGEMENT6. GO ON THE OFFENSE, GET PROACTIVE. RISK MANAGEMENT.7. LEARN AND UTILIZE THE RISK FORMULA
Do this and you’ll be an INFOSEC ROCK STAR…
7 SECRETS OF OFFENSIVE SECURITY
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 29
Q & A FOLLOWED BY LOUD
MANDATORY APPLAUSE (OK, OK, ACTUALLY THE QUESTIONS ARE OPTIONAL)
Gary S. [email protected] 731-1800 If you ever need help, we stop
breaches… so call me anytime…
Gary S. Miliefsky | www.snoopwall.comJune 7, 2017 30
BEFORE MY PRESENTATION YOU WERE AN INFOSEC TALENT…
NOW THAT YOU KNOW
THE SEVEN SECRETS OF OFFENSIVE SECURITY
YOUR ARE AN INFOSEC ROCK STAR…