Cyber Security Background and Context Prepared for the CAR MBS

CJ Dietzman, Principal HPE Enterprise Security Services August 3rd, 2016

Agenda
• Welcome & Introduction
• Cyber Security Background & Context
• Cyber Risk Report 2016 – Key Findings and Observations
• Cyber Threat & Risk Analysis

CJ Dietzman, CISSP, CISA
Principal, Enterprise Security Services
• Over 15 years of front-line experience working in professional services within the domains of Cyber Security, Risk, Compliance, and Control
• Industry expertise includes Manufacturing, Hi-Tech, Financial Services, Retail, and Consumer Products

[email protected] M +1 203 810 7279

Cyber Security climate in today’s business environment


Automotive Industry Cyber Threat Universe

Advanced Malware

Supply Chain / Third Parties

Trojans

Phishing

Malicious Insiders

Ransomware

Negligent Employees

Application Attacks

Headline figures from the slide:
• 10X increase in security vulnerabilities
• 146 days: median number of days attackers are present before being detected
• 44% of all data breaches involve third-party mistakes
• 56% of executives say their response to security is reactive, not proactive
• 46 days: average time it takes to remove an attacker from an environment once discovered

HPE Cyber Risk Report 2016

Access the full report here: www.hpe.com/software/cyberrisk

2015 – “The Year of Collateral Damage”
If 2014 was the Year of the Breach, then 2015 was the Year of Collateral Damage.
• United States Office of Personnel Management (OPM): targets of the breach may be people who never themselves consented to inclusion in the OPM database.
• Ashley Madison: personal information easily deduced from revealed data.

These example breaches affected those who never had direct contact with either entity, or whose information resided in their networks only as it related to someone else.


Shifting focus of Cyber Attacks
For the first time our research looks into the world of incident responders in the enterprise and found that many organizations are:
• Not keeping pace with attacker trends, including direct attacks on the systems on which enterprises rely.
• Unaware that adversaries are taking excellent advantage of technologies enterprises have put in place to serve their customers.

Attack types highlighted on the slide: Advanced Malware, Trojans, Ransomware, Application Attacks.

Only by learning to treat applications as security entities/devices can defenders hope to adapt to the new adversary landscape.

Overreaching regulations push research underground Emerging legislation often incurs unwanted consequences to go along with the intended result. While the intent to protect from attack is apparent, the implications of these rules push legitimate security research underground, available only to those denizens who dwell there. Example:

Wassenaar Arrangement Amendments for Information Security (Export Controls for Conventional Arms and Dual-Use Goods and Technologies): the 2013 Amendment added security systems to the scope, including intrusion software, in addition to an incredibly broad set of controls.
Undesirable consequences: the Amendment would make much of today’s defensive cybersecurity research untenable, if not criminal, under the revision. The outcry from the community is swaying the decision to implement the amendment.

To be effective, regulations impacting security must protect and encourage research that benefits everyone


Political pressures attempt to decouple privacy and security efforts
A difficult and violent year on the global scene combined with lingering distrust of tech initiatives:
• Revelations by Edward Snowden and other whistleblowers led to a fraught year for data privacy, encryption, and surveillance worldwide.
• Lawmakers in the US, UK, and elsewhere claimed that security was only possible if fundamental rights of privacy and due process were abridged.
• This is not the first time that legislators have agitated to abridge privacy rights in the name of “security.”

Those evaluating the security of their enterprises would do well to monitor government efforts such as adding “backdoors” to encryption and other security tools.


The industry learned nothing about patching in 2015

Applying patches in an enterprise is not trivial and can be costly, especially when other problems occur as a result. Software vendors must earn back the trust of users to help restore faith in automatic updates.

[Chart: Top 10 vulnerabilities exploited in 2015]

The most exploited bug from 2014 happened to be the most exploited bug in 2015 as well, and it is now over five years old.

Evolution of the vulnerability market
• The white market has had a tremendous positive effect in securing the landscape by bringing researchers and vendors together and setting the standard for coordinated disclosure.
• We expect the vulnerability market will continue to evolve as more and more vendors announce their own programs to incentivize research.
• We also expect regulations and legislation to impact the nature of disclosure, and not necessarily in a positive manner.

It is in all of our best interest to continue to find and disclose security bugs in popular software so vendors can fix things in a timely manner.


Evolution of the vulnerability market (cont’d)

[Figure: Timeline of notable bug-bounty programs, 1995-2015]

[Figure: Zero Day Initiative core principles]

Automotive Industry Cyber Security: Where to begin? Where to focus?
• Threat Intelligence
• Product Security (Connected Car/IoT)
• Security Operations
• Advanced Security Architecture
• Governance, Risk, and Compliance
• Security Strategy
• Policies & Standards
• Security Awareness & Training
• Threat & Vulnerability Management
• Third Party Risk Management
• Application Security
• Cloud Security
• Ongoing Security Monitoring and Testing
• Data Protection
• Identity & Access Management
• Security Information & Event Monitoring (SIEM)
• Cyber Resilience
• Endpoint Protection

All are valid Security endeavors… but what are the right priorities now for your organization?
ANSWER: It depends. Let’s first focus on identifying and assessing your organization’s Cyber Threats & Risks.

Cyber Threat & Risk Assessment

What are the real Cyber Threats facing your organization today? Align your Security Program priorities with the Threats and Risks that are most relevant to your organization.

Cyber Threats represent significant risks across industry sectors:
─ High-profile Cyber Attacks focused on disrupting business operations are driving the need for a more holistic approach to Cyber Resilience
─ Cyber Criminals continue to target Personally Identifiable Information (PII) and other data of value, often leveraging multiple simultaneous attack methods
─ Rapid adoption of the New Style of Business and IT, including Cloud and Big Data technologies, must be coupled with integrated Security Architecture and Controls in order to mitigate Cyber Risk
─ Government agencies such as the Federal Trade Commission (FTC) and State Attorneys General continue to bring cases and actions against organizations across industry sectors related to Data Breaches that impact Consumer Privacy
─ Boards and Executive Leadership demand effective Security despite constrained resources and budgets

How can Enterprise Security Services help you?
HPE’s methodology of proven best practices, including our Cyber Reference Architecture, allows us to assist clients in identifying the Cyber Threats that are most relevant to the organization, enabling a more impactful approach to managing and mitigating Cyber Security Risks:
─ Enterprise Threat Assessment, identifying the Cyber Threats most likely to impact the organization
─ Analysis and optimization of current Cyber-capabilities, in the context of organizational Cyber Threats
─ Development and implementation of a holistic Cyber Security Strategy
─ Enhancement of existing Security Architecture and Controls to more effectively manage Cyber Risk
─ Transformation of organizational Cyber Security posture through the effective integration of Security Governance, Policies, Standards, Controls, Awareness, and Tools

Conclusion
 In the coming years, the complexities of legislation and international events will have a greater impact in the realms of security and privacy.
 Network defenders need to understand the complexities of privacy issues as thoroughly as they understand the impact of security vulnerabilities.
 Instead of symmetric responses to threats, tomorrow’s network defender must understand how to respond asymmetrically to threats through automated analysis, wide-reaching fixes, and a community-based defense.
 While the threat of cyberattack is unlikely to go away, thoughtful planning can continue to increase both the physical and intellectual price an attacker must pay to successfully exploit an enterprise.

Start by using the information in the 2016 Cyber Risk Report to better understand the threat landscape, and to best deploy your resources to minimize security risk.
Access the full report here: www.hpe.com/software/cyberrisk

Thank You
CJ Dietzman, CISSP, CISA
Principal, Security Consulting, Americas Enterprise Security Services
[email protected] M +1 203 810 7279
Hewlett Packard Enterprise