CEO Cyber Security Guide

The CEO's plain English guide to cyberspace and cybersecurity

cyberspace: term popularized by William Gibson's novel Neuromancer (1984)
cybersecurity: digital systems risk management

BUY MARYLAND CYBER! mdcyber.com

Goals
Cyber environment
Risk management
Cyber best practices
Call to action
Q&A

Goals
 Learn: raise your cQ; be an informed consumer, director, officer and advisor
 Protect: motivate you to create & execute a cyber risk management plan
 Buy: Maryland Cyber. Create 10,000 jobs

Cyber environment

Business equipment in use (NSBA): 82% website, 87% desktop, 84% laptop, 74% smartphone

Online activity: 87% purchasing, 83% banking, 72% paying bills, 59% phone/Skype

Threats & weaknesses
Proliferation of software … full of holes

Secunia 2013 review: 2,289 enterprise software products from 539 vendors
Vulnerabilities detected: 13,073 total, of which 2,130 highly critical

Vulnerability types (the three SANS/CWE Top 25 categories):
 Insecure interaction between components
 Risky resource management
 Porous defenses

US computer & electronic manufacturing exported to Asia to lower costs

Complex networks with many components
Diffused, large & complex manufacturing supply chains
Every component carries potential for security risk

People weaknesses
 Lack of situational awareness
 Limited knowledge of what to do / not do
 Low compliance in online/offline behavior

Not concerned yet?
Criminals, terrorists, hacktivists have:
 Readily available tools
 Increasingly adept skills
 Strong economic & political incentives
 Cost advantage
 Darknets

Threat actions, ranked by number of 2013 incidents (Verizon):
 Hacking
 Malware
 Social
 Physical

Assets affected, ranked highest to lowest by number of 2013 incidents (Verizon):
 Servers
 User devices
 Persons
 Networks
 Kiosks
 Media

78% of attacks used "low" & "very low" difficulty tactics; <1% used "high" difficulty tactics

92% of all incidents fit 9 patterns
75% of attacks are opportunistic
76% exploited lost/stolen credentials
Source: Verizon 2013 & 2014 Data Breach Investigations Reports

2013: 63,437 incidents (Verizon)

Pattern          Share of 2013 incidents
Misc. errors     25%
Insider misuse   18%
Insider causes   43%  (misc. errors + insider misuse)
Crimeware        20%
Total            63%

Incident: security event that compromises the integrity, confidentiality or availability of an information asset (Verizon)

2% of incidents result in breaches
71% of breaches are caused by 8% of incidents

Pattern           2013 (1,367 breaches)   3 years (2,861 breaches)
Web apps          35%                     21%
Cyber espionage   22%                     15%
POS               14%                     31%
Total             71%                     67%

Breach: incident that results in the disclosure or potential exposure of data (Verizon)

Web app attacks
2013: 35% of breaches, 6% of incidents

Method: exploit application weaknesses & stolen credentials
 Phishing to obtain user credentials
 Password guessing (brute force)
 Exploiting the web application itself (e.g. WordPress)

Defense: stronger authentication (not passwords alone), patching, account lockout policies, limited outbound connections from the web server
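The lockout policy and brute-force defense above, worked through in Python as an added example (this is not code from the presentation or from any vendor it names). It replays constructed sample login records through a lockout policy that refuses an attempt during the lockout window even when the password guess was correct, and a second function gives the monitoring team the source addresses to alert on. The log format, field names, thresholds and user names are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample login records (not real data): a five-guess burst against
# "admin" from one source that finally hits the right password, then ordinary
# activity for "alice". Format and field names are assumptions for this example.
SAMPLE_LOG = """\
2013-09-14T10:00:01Z login FAIL user=admin src=203.0.113.7
2013-09-14T10:00:02Z login FAIL user=admin src=203.0.113.7
2013-09-14T10:00:03Z login FAIL user=admin src=203.0.113.7
2013-09-14T10:00:04Z login FAIL user=admin src=203.0.113.7
2013-09-14T10:00:05Z login FAIL user=admin src=203.0.113.7
2013-09-14T10:00:06Z login OK user=admin src=203.0.113.7
2013-09-14T10:05:00Z login FAIL user=alice src=198.51.100.9
2013-09-14T10:20:00Z login OK user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, user, src, password_ok) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], m["src"], m["result"] == "OK"


class LockoutPolicy:
    """Lock an account after max_failures failed logins inside `window`.

    While locked, every attempt is refused, including one with the correct
    password, so a guessing attack cannot succeed on its Nth try. Failures
    older than the window are forgotten, so a normal user's occasional typo
    never accumulates into a lockout.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def evaluate(self, ts, user, password_ok):
        """Decide one attempt: 'allowed', 'rejected' (bad password) or 'locked'."""
        if user in self._locked_until and ts < self._locked_until[user]:
            return "locked"
        if password_ok:
            self._failures[user].clear()
            return "allowed"
        recent = self._failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = ts + self.lockout
            recent.clear()
            return "locked"
        return "rejected"


def apply_policy(log_text, policy=None):
    """Replay the log through the policy; returns (user, src, password_ok, decision) rows."""
    policy = policy or LockoutPolicy()
    return [(user, src, ok, policy.evaluate(ts, user, ok))
            for ts, user, src, ok in parse_log(log_text)]


def guessing_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Detection view: sources with at least `threshold` failed logins inside any
    `window`, mapped to the largest burst seen. These are the addresses to alert
    on or block, independently of which accounts they targeted."""
    per_src = defaultdict(deque)
    flagged = {}
    for ts, _user, src, ok in parse_log(log_text):
        if ok:
            continue
        q = per_src[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for row in apply_policy(SAMPLE_LOG):
        print(row)
    print("sources to alert on:", guessing_sources(SAMPLE_LOG))
```

The sixth attempt against "admin" carries the right password but is still refused because the account is locked; that is the whole point of the policy against password guessing. The detection function is deliberately keyed on source rather than account, so a slow "password spraying" run that tries one guess against many accounts from one address is still caught once it crosses the threshold.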
Phishing
An attacker poses as a trustworthy company to steal information or install malware

The scam
 Help desk
 Account deactivation
 Bank
 Prepayment offer
 Email attachment

The approach: email, IM & phone

Types
 Spear phishing: targeted at specific people
 Voice phishing (vishing): a call or email asks you to call a number & reveal account information

We've inadvertently enabled a 24/7 relentless global assault on our valuable assets

$250B-$400B+/year in financial damages
 Funds
 Intellectual property

Attack frequency, variety & sophistication are increasing. And we are losing ground.

Here's what you should do

Internet users' perception of security (Pew Research Center):
 23% "very secure"
 46% "somewhat secure"
 (69% don't get it)
 31% "not too secure" or "not at all secure"

Common excuses:
 MY business is not a target
 The bad guys are too effective to stop
 Others will solve it
 No idea what to do
 No affordable solution

This is your company's problem!

Cyberpoint's CyberVaR value-at-risk calculator helps you make informed decisions when:
 Evaluating security investments
 Creating mitigation strategies
 Purchasing cyber security insurance

NIST Cybersecurity Framework core functions:
 Identify
 Protect (Prevent)
 Detect
 Respond
 Recover

Determine the right balance of risk & investment for your business
 Weigh the pros/cons of possible solutions subject to constraints (capital, people, time)
 Get Subject Matter Expert (SME) help

Maryland's cyber industry advice
 Make it a boardroom conversation
 Put a target on your own back
 Create a culture of accountability
 Collaborate with your peers
 Don't be frozen by the noise
 Products alone are not security
 Consult a professional

Keep improving
 Adopt new methodologies to address new attacks

Support your security team:
 Plan for downtime for testing, implementation & planned outages
 Allow time and budget for new tools and processes to analyze security events and capture them forensically

Push for awareness
 Training

Appoint a CISO
 Dedicated team

Train personnel by implementing a cybersecurity awareness program

Conduct regular 3rd-party security assessments that include a social engineering exercise to assess:
 How effective is the security awareness training?
 How effective is our help desk security?
 What are the risks that confidential information can be leaked to unauthorized persons?

Install and maintain anti-virus software and firewalls, and tune email filters to reduce phishing

Take advantage of the anti-phishing features offered by your email client and web browser

Mobile
 Assume your devices have already been compromised: voice, text, data
 Your wireless carrier and hardware vendor will not protect you
 BYOD adds significant risk to your infrastructure and IP
 Segregate corporate mobile apps from personal applications
 Use 2-factor authentication, with device & application passwords
 Acquire a Mobile Device Management (MDM) product such as AirWatch, MobileIron or Mobile Space
 Install a mobile anti-malware app from Lookout or McAfee
 Buy a throwaway phone when you travel internationally

Social media
 Educate employees about the risks
 Have a documented social media policy
 Passwords: complex, one per account, change them
 Access corporate social media accounts only from the corporate network or a VPN
 Monitor social networks for fraudulent accounts mirroring your brand or execs

Insider threat
 Establish access controls to company assets
 Conduct periodic security training
 Background-screen new employees
 Institute stringent access controls and monitoring policies for privileged users
 Monitor user computer behavior using tools
 Develop a formalized insider threat program

Call to action
 Protect: create & execute a cyber risk management plan
 Buy: Maryland Cyber. Create 10,000 jobs (www.mdcyber.com)
 Help Maryland: share this presentation & introduce cyber companies to businesses