Cybersecurity Myths & Fallacies - Rutgers Accounting Web

Transcription

Cybersecurity Myths & Fallacies
John Gomez

About Sensato
2013: Sensato is founded by John Gomez, ex-CTO/President of AllScripts and CTO of WebMD.
2014: Sensato launches its Risk Assessment Workshop program and NIST-based Vulnerability Assessment programs.
2015: Sensato creates the first healthcare industry conference on cybersecurity - Hacking Healthcare. Sensato is named one of the Top-500 Most Innovative Cybersecurity Companies in the World.
2016: Sensato forms the Medical Device Cybersecurity Task Force. Sensato announces the Sensato Cybersecurity Tactical Operations Center (CTOC). Once again named Top-500. Frost and Sullivan Visionary Leader 2016.

Average Password Change Policy Requirement

(Chart: bar values 5, 25, 63, 135; the category labels are not recoverable from the transcription.)

More Myths
"Changing passwords reduces attackers' ability to"
"If that was encrypted."
"We passed our audits, so we are."
"We did an assessment last year."
"We follow . (NIST, PCI, ISO, DoD)"
"We are certified."

New World Order

Hackers vs. Attackers

Criminals
Spies
Terrorists

Attacker Motivations
Attacker Type   | Motivation                                                              | Objectives
Cyber Criminal  | Profit - purely profit                                                  | EAS, Theft, RAS
Cyber Spy       | Nation state - highly sophisticated - highly resourced - think James Bond | Theft
Cyber Terrorist | Ideology                                                                | Death

The Attacker
Vulnerability Assessment
Infiltration
Attack Modeling
Exploitation
Exfiltration
Mission Review

Learning from Anthem

Attribution
Commonly believed to be part of a broader Chinese intelligence group.
Possibly separate, but some evidence suggests it is also known as Axiom, Shell Crew or Group 72.
CrowdStrike's security team created the name "Deep Panda".
Highly polished organization
Mature Tactics, Techniques, Practices (TTP)
Five-year attack plan
Targeting key sectors and organizations
Not financially motivated
Possible human intelligence gathering mission

November 2014: CrowdStrike publishes a snapshot of the Deep Panda attack framework, known as "Scanbox".
Scanbox is an extremely intelligent piece of malware that can utilize different payloads.
Scanbox is executed in a web browser and therefore bypasses detection.
Scanbox has various plug-ins:
Software Recon
Browser Plugin
Flash Recon
SharePoint Recon
PDF Recon
Chrome Security
Java Recon
Internal IP Recon
JavaScript Key Logger
Deep Panda may have authored Derusbi, which provides back door access and remote command and control.

April 2014

Sophistication
The attacker displayed TTP that is common with highly skilled intelligence agencies.
If this is part of the attack strategy, then we suspect that they were targeting Anthem well before the attacks launched.
The Anthem name-change may have created a triggering event to stage the attacks.
Also registered: ix.we11point.com

Citrix Connection
extcitrix.we11point.com
Citrix provides remote access via VPN to employees and supply chain partners.
Registered April 22, 2014
Certificate signed by DTOPToolZ Co. - Deep Panda
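The two slides above turn on look-alike domains ("we11point" standing in for "wellpoint"). The following is an added example, not part of the presentation, of a defender-side check that normalises common digit-for-letter substitutions and flags observed domains that collapse onto a protected brand; the brand list, the substitution table and the sample domains are constructed for illustration.

```python
# Added example (not from the slides): flag registered domains that imitate a
# protected brand once common look-alike substitutions are undone, as
# "we11point.com" imitated "wellpoint.com". All inputs below are constructed.
from typing import Dict, List, Optional

# Substitutions attackers commonly use; a heuristic table, not exhaustive.
HOMOGLYPHS = {"1": "l", "0": "o", "5": "s", "3": "e", "7": "t", "rn": "m", "vv": "w"}

# Placeholder brand list; a real deployment would load the organisation's own domains.
PROTECTED = ["wellpoint.com", "anthem.com"]


def registrable(domain: str) -> str:
    """Return the last two labels, e.g. 'extcitrix.we11point.com' -> 'we11point.com'.
    Assumes single-label TLDs; multi-label suffixes such as co.uk need a suffix list."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse look-alike substitutions so 'we11point' -> 'wellpoint'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected brand this domain imitates, or None when it is the
    genuine brand domain or unrelated."""
    reg = registrable(domain)
    if "." not in reg:
        return None
    name, tld = reg.rsplit(".", 1)
    for brand in PROTECTED:
        if reg == brand:
            return None  # the genuine domain itself
        bname, btld = brand.rsplit(".", 1)
        if tld == btld and normalise(name) == bname:
            return brand
    return None


def flag_domains(observed: List[str]) -> Dict[str, str]:
    """Map each suspicious observed domain to the brand it imitates."""
    return {d: b for d in observed if (b := lookalike_of(d))}


if __name__ == "__main__":
    # Constructed sample feed (e.g. from new-registration or certificate logs).
    sample = ["extcitrix.we11point.com", "ix.we11point.com", "vpn.wellpoint.com", "example.org"]
    print(flag_domains(sample))
```

The normalisation is intentionally lossy (it also rewrites legitimate names containing "rn" or digits), so hits are leads for review, not verdicts.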

Discovery
Anthem discovered the breach inadvertently.
An IT team member noticed someone was logged in with their account at the same time they were logged in. It wasn't technology that detected the breach!
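The condition a person happened to notice, one account active from two places at once, is straightforward to alert on from authentication logs. The following is an added example, not from the presentation, that parses constructed login/logout records and raises an alert whenever a login leaves a user with active sessions from more than one source address; the log format, field names and sample lines are all constructed.

```python
# Added example (not from the slides): alert when a user holds concurrent
# sessions from different source addresses. Log format and lines are constructed.
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE = re.compile(
    r"(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) src=(?P<src>\S+) session=(?P<sid>\S+)"
)

# Constructed sample: jsmith's own session from 10.1.4.22 overlaps with one
# from an external address, then a fresh internal login overlaps the external one.
SAMPLE_LOG = """\
2015-01-27T09:02:11Z LOGIN user=jsmith src=10.1.4.22 session=s1
2015-01-27T09:05:40Z LOGIN user=jsmith src=203.0.113.77 session=s2
2015-01-27T09:06:02Z LOGIN user=akhan src=10.1.4.30 session=s3
2015-01-27T09:30:00Z LOGOUT user=jsmith src=10.1.4.22 session=s1
2015-01-27T09:31:15Z LOGIN user=jsmith src=10.1.4.22 session=s4
2015-01-27T10:00:00Z LOGOUT user=jsmith src=203.0.113.77 session=s2
"""


def parse(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def concurrent_sessions(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Replay the log in order and return (user, time, source addresses) for every
    LOGIN that leaves the user active from more than one distinct address.
    Two sessions from the same address (two browser tabs) do not alert."""
    active: Dict[str, Dict[str, str]] = {}  # user -> {session id: source address}
    alerts: List[Tuple[str, str, List[str]]] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the whole replay
        sessions = active.setdefault(ev["user"], {})
        if ev["event"] == "LOGIN":
            sessions[ev["sid"]] = ev["src"]
            srcs = sorted(set(sessions.values()))
            if len(srcs) > 1:
                alerts.append((ev["user"], ev["ts"].isoformat(), srcs))
        else:
            sessions.pop(ev["sid"], None)  # logout for an unknown session is ignored
    return alerts


if __name__ == "__main__":
    for user, when, srcs in concurrent_sessions(SAMPLE_LOG):
        print(f"{when} {user} active from {', '.join(srcs)}")
```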

Cyber-Terrorism

Cyber levels the worldwide battlefield: we have the largest military, and no citizen will have access to those resources, but access to cyber technologies does provide the same power to the common person as to that of the largest military.

Milware
Milware is a standardized and systemic approach to developing malware. Not all Milware is a weapon, although it can be a weapon. Weaponized code is still in its infancy and is very immature at this point.
The big issue is that Milware ends up in the wild and hence becomes a much broader problem, reaching well beyond the targets of the nation state.

Milware In the Wild
There is evidence that Russia is providing legal protection for illegal cybercriminals in exchange for early access to zero-day exclusivity and advanced penetration tools.
Polymorphic payloads are becoming more powerful and critical. This is a very serious threat and very hard to detect.

ISIS: Hello!
"Put down the chicken bro and join the jihad!"

ISIS & Social Media
Monthly accounts established: 27,500 - 45,000
Tweets sent per day: 90,000 on average
Private comm / private site
Recruit via social media
Worldwide distribution network
PasteBin for battlefield summaries
Ask.FM for interviews and outreach
SoundCloud for media
Embrace, connect
Just-in-time comm, real-time comm

What To Do

ISIS IT Staff
Cyber-Caliphate Chief newly appointed
2014: 380 team members
2015: 3,500 team members
Dedicated cybersecurity team
Dedicated Cyber Caliphate team
Syrian Electronic Army
Ajax Security Team
Clear access to medical devices
Ideology is not restricted by international law or convention

Keep This In Mind: Policies, Procedures, Practices
You must have relevant, timely IT Security and Privacy policies that are supportive of the current threat landscape.
You must be able to demonstrate that you have procedures in place that are based on your policies.
You must be able to provide evidence that you practice your procedures.

Keep This In Mind: Policies, Procedures, Practices
The lack of governance calls into question your ability to show relevance, demonstrate process or provide evidence of practice.
IT Security governance vastly reduces risks, improves readiness and in many ways reduces costs.
Governance need not be complicated (the simpler the better), but it must be:
Specific to IT Security
Cross-Functional
Educated
Demonstrable

Level I Readiness
Continuous Monitoring: Infrastructure Control, Security Operations Center, Incident Response, Containment
Continuous Intelligence: Timely & Specific, Actionable, Acted Upon
Continuous Evaluation: Risk Assessments (yearly), Testing (six months), Continuous Monitoring (CE)

Level II Readiness
Sensato Strategic Imperatives:
Appropriate Access & Controls
Appropriate Qualified IT Security Team
Partner Management
Education Standards
Executive Intimacy
Incident Response Readiness
Monitoring
Old Technology Utilization
Patch Management
Relevant Practices
The top-10 strategic imperatives are designed as a universal score-card. These may not be the ten most important items for your organization, but they are the ten items we find to be most critical to addressing the NIST requirements.

IT Security Organization Model
IT Security Director
Security Operations (4)
Blue Team
Security Infrastructure
Security Program Mgmt. (2)
Business Liaison
Marketing & Education
Security Governance (1)
DDS Management
Compliance & Policy
Security Engineering
mentation

Level III Readiness
Cybersecurity Strategic Plan: 1 & 3 Year Plan; Mission - Values - Critical Success Factors; Relevant to Current Threats; ROI Based; Acknowledge/Address Weakness & Justify; DEPLOY NIST!!!!
Cybersecurity Data-Driven Security Program: Establish Measurements; Establish Review and Evolution Process
Cybersecurity Culture: View Cybersecurity Holistically; Marketing & Training; Commitment to Defense

Sensato Coordinated Risk Scoring (CRS)
(Chart: Impact to Lives on one axis and Impact to Workflow on the other, labelled 0 to 10; plotted elements: Threat, Vulnerability, Issue, Agreed Upon Action.)

Deploy Honey Pots
They have one job: to scream.
Attackers hate these.
Pretty low tech, pretty high return.
They tempt and entice.
Too good to be true. If you must, then leave to the end of an attack. Watch for other traffic and activity.

John Gomez
John.gomez@sensato.co
Mike 6.7286
