The evolving threats and the challenges of the modern CISO


Gerasimos Moschonas, Information Security Professional

2nd Forward Thinking Cyber Security Event, (ISC)² Hellenic Chapter, March 2017

Information Security Topics

Big Data

Internet of Things

Cyber Crime & Attacks

Social Engineering

Mobility

Regulatory Framework


World keeps changing

From centralised legacy systems (on premises) to decentralised interconnected systems (on and off premises)

Outsourcing services

Cloud computing

IoT

Enterprises become more and more digital, and a serious target for cyber criminals

Attacks and attackers become smarter, more aggressive and more professional

Threats are evolving and cyber security is a top priority


Incidents keep growing


Massive DDoS attack against the major DNS service Dyn affected a huge portion of Internet users in the US, taking down access to major web services, including Twitter, Amazon, Netflix and PayPal

SWIFT cyber heists (started from the Bank of Bangladesh)

Yahoo had been hacked... again and... again

Hospitals, state and local governments, law enforcement agencies, small & large businesses - these are just some of the entities impacted recently by ransomware

Spam email operator's faulty backup leaks 1.37bn addresses

WikiLeaks Vault 7: CIA hacking tools revealed


CISO’s role keeps evolving

From the role of the IT security administrator & the IT Security Officer inside the IT Unit to the independent role of CISO who:

Is a decision maker, an influencer

Has the overall responsibility for the Information Security Governance, reporting to the Senior Management

Is both business-oriented and technology-oriented, speaking the language of the business as well as that of technology. Understands the business environment and acts as an integrator of people, business processes and technology

“Translates” information security risks to business risks

Is always aware of the evolving threats, the technology trends and the regulatory framework


Big Data

Amount of data is increasing daily

Data at rest and in transit, in and out of the perimeter

But, do you know

Where is your data located?

How is your data used and exchanged?

Who has access and for which reason?

What the retention period is and how the data is destroyed?

Whether cloud services are being used?

Use of cloud services for cost reduction raises several matters to evaluate

Data privacy and compliance

Lack of governance

Appropriate security controls

Contractual terms (e.g. Right to Audit)


Employees & Partners 1/2


Big Data

Restrict the user environment (usb media, admin rights)

Use DLP measures for data in transit (at the endpoints and the perimeter)

Enforce Identity & Access Management (staff, partners)

Use of encryption – segregation of duties

Apply a retention and destruction policy for both electronic and physical data

For cloud services

Identify and evaluate the assets

Perform a risk based assessment

Define the minimum security controls

Be compliant with data privacy regulations


Employees & Partners 2/2


Internet of Things

More than 24 billion IoT devices installed on Earth by 2020

These "things" don't "look" like traditional computers and aren't treated like computers

Usually no adequate security measures taken

Could be used as a botnet or as an entry point to a home or corporate network

The IoT botnet "Mirai" targeted vulnerable "smart" IoT devices, turning them into bots used for DDoS

Implement strong authentication

Ensure the identity of each device

Apply device-to-device secure communication

Minimise the data exchanged, processed and stored

Secure the data stored on the devices


Cyber Crime & Attacks

Attacks become more aggressive and intelligent

Crime as a Service

Distributed Denial of Service (DDoS)

Advanced Persistent Threats (APTs)

0-day attacks (malware unknown to traditional controls)

The era of ransomware: ransomware attacks against businesses increased threefold in 2016. Kaspersky Lab recorded one ransomware attack every 40 seconds against companies in September.

ATM attacks (malware, black box)

Source: AKAMAI REPORT Q4 2016

Cyber Crime & Attacks

Bypassing the perimeter, e.g. malware spread via a USB drive or a laptop connected to a workstation or to the network

Do you really know if someone or “something” malicious is already inside your network?

How do you monitor behavior inside the network so that you are alerted to any abnormal activity?

What constitutes normal and abnormal activity?

Preventing known threats is not enough: detect and prepare for the unknown
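The two questions above, what counts as normal and how to alert on deviations from it, can be made concrete by learning a per-host baseline from a window of internal traffic and flagging later events that fall outside it. The Python below is an added example, not material from the slides; the log format, host names, ports and the 3-sigma volume threshold are constructed assumptions.

```python
# Baseline-versus-deviation detection over constructed internal connection logs.
# Constructed log format: <ISO timestamp> <src_host> <dst_host> <dst_port> <bytes>
from collections import defaultdict
from statistics import mean, pstdev

# Learning window: traffic accepted as "normal" for workstation ws-12 (constructed).
BASELINE_LOGS = """\
2017-03-01T09:00:00 ws-12 fileshare-1 445 120000
2017-03-01T09:05:00 ws-12 mail-1 443 30000
2017-03-01T09:20:00 ws-12 fileshare-1 445 110000
2017-03-01T10:00:00 ws-12 intranet-1 443 15000
2017-03-01T10:30:00 ws-12 fileshare-1 445 130000""".splitlines()

# Later events to judge against that baseline (constructed).
NEW_LOGS = """\
2017-03-02T09:10:00 ws-12 fileshare-1 445 125000
2017-03-02T03:15:00 ws-12 db-1 1433 9000
2017-03-02T03:20:00 ws-12 fileshare-1 445 4800000""".splitlines()

def parse(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "hour": int(ts[11:13]), "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def build_baseline(lines):
    """'Normal' is defined explicitly: per source host, the (dst, port) peers it
    talked to, the hours it was active, and the mean/stddev of bytes per flow."""
    peers, hours, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for ev in map(parse, lines):
        peers[ev["src"]].add((ev["dst"], ev["port"]))
        hours[ev["src"]].add(ev["hour"])
        volumes[ev["src"]].append(ev["bytes"])
    stats = {src: (mean(v), pstdev(v)) for src, v in volumes.items()}
    return {"peers": peers, "hours": hours, "stats": stats}

def detect(baseline, lines, z_threshold=3.0):
    """Return [(timestamp, [reasons])] for each event deviating from the baseline.
    A host absent from the baseline has no known peers or hours, so all its events are flagged."""
    alerts = []
    for ev in map(parse, lines):
        src, reasons = ev["src"], []
        if (ev["dst"], ev["port"]) not in baseline["peers"][src]:
            reasons.append(f"new peer {ev['dst']}:{ev['port']}")
        if ev["hour"] not in baseline["hours"][src]:
            reasons.append(f"activity at hour {ev['hour']:02d} outside baseline hours")
        mu, sigma = baseline["stats"].get(src, (0.0, 0.0))
        if sigma and (ev["bytes"] - mu) / sigma > z_threshold:
            reasons.append(f"volume {ev['bytes']} is {(ev['bytes'] - mu) / sigma:.0f} sigma above mean")
        if reasons:
            alerts.append((ev["ts"], reasons))
    return alerts
```

Run against the constructed data, the routine passes the daytime file-share transfer but flags the off-hours connection to a never-seen database port and the off-hours transfer roughly forty times the usual volume.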

Cyber Crime & Attacks

Threat intelligence for monitoring both the incoming traffic (web & email) and the corporate network, detecting any malicious activity which points to viable threats

Implement centralised Advanced Threat Protection technologies that simulate the behavior of malicious or suspicious traffic (sandboxing)

Implement multi-layered protection for the endpoints (reputation analysis, advanced machine learning, behavior emulation, memory exploit mitigation)

Sign a Cyber Insurance contract

Educate the incident response team to react accordingly


Social Engineering

Methods of manipulating or tricking people into disclosing confidential information, breaking the security procedures

CEO Fraud

Spear Phishing (targeting companies or groups of people) via email, SMS, voice

Social media masquerade, fake apps/sites: fraudsters can masquerade as your brand across your digital channels and bait your customers with scams, phishing and offers for counterfeit products and services (Sony Twitter account hacked)

Educate and train the personnel (and the clients)

Security awareness program - Metrics

Protect your Brand – Internet monitoring


Mobility

Mobile apps

m-wallets, m-banking, …

Contactless and NFC payments

Abuse of privacy: what does the app have access to?

Mixing of personal and corporate data on the device

Remote working for troubleshooting

Remote access to corporate resources

Emails, Intranet Sites, Documents sharing

Data stored in the cloud (e.g. iCloud)

"Rooted" / "jailbroken" operating systems override the security of the mobile device

Mobility

Privacy by design

Application security assessment

BYOD policy – Mobile Data Management

Security policy (password, idle timeout), encryption

Check for “rooted” devices / Remote Wipe

Malware protection

Wi-Fi and Bluetooth not always on

Secure remote access procedure

Guest Wi-Fi LAN not connected to the corporate network

Control each device connected to the corporate network


Regulatory Framework

Information Security becomes more and more regulated

General Data Protection Regulation (GDPR)

The Directive on security of network and information systems (NIS Directive)

The EU Regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation)

The 2nd Payment Services Directive (PSD2)

Be ahead of the Regulatory Requirements – Act proactively

Inform the enterprise of its new obligations – act to be compliant in time


The challenges of the CISO

Build an understandable and robust (cyber) security strategy

Align security strategy to business strategy, supporting the business success

Engage the Board. “Translate” information security risks to business risks

Reduce information security risks to an acceptable level. Adopt appropriate security measures and procedures


Protect business brand and keep customers’ & shareholders’ confidence high

Be ahead of the Regulatory Requirements – Act proactively

Be prepared for an incident – Assume you’ll be compromised

Educate the personnel – Raise awareness


The role of the CISO

Managing information security risks while delivering value to the digital enterprise

The role of CISO is more vital than ever


Q & A
