Patrick Gray Principal Security Strategist

DATA SECURITY CHALLENGES IN THE ALL TOO PUBLIC AND NOT SO PRIVATE SECTORS

I want you to take home four points
 Understand  Educate  Collaborate  Prepare

It’s a great to be in Milford today, but uh, do you know where your data is right now?
 It’s all about data, your data  The confidentiality  The integrity  The availability

It’s hard to protect that which we have no idea as to its whereabouts
 So, where is your data today?  On any device  Any place  Any time  When “aren’t” we working anymore?

When do we call it a day?

We don’t, do we?

Today, it’s about mobility…
 In the past few years we

shifted our lives to the PC and the Internet  Now, it’s all about being mobile  A PC in your pocket  Our mobile work force is growing and expanding

Where?
 Where does work happen?

It happens wherever we are!
 No longer does business take place solely behind network walls  The critical work is happening increasingly on social networks, on handheld devices, in the field,

and at local cafes

Diminishing Border
 The traditional corporate perimeter, with clearly identifiable boundaries, has diminished  In its place, a network with limitless

potential is rising  One where agencies, companies, their customers, and their partners demand access to information whenever and wherever they need it

New Considerations
 It is information technology’s role to ensure that the appropriate people, using the correct devices, are accessing the proper resources while having a highly secure yet positive user

experience within your networks

A blurring of activities
 In addition, it is common for workers to blend business and personal communications on these social networks, further blurring the network perimeter

“The future ain’t what it used to be.”

Some bone-jarring statistics
 50% of Facebook active users log on to Facebook on any given day  More than 60 million users update their status daily

 People spend over 500 billion minutes per month on Facebook

Billions
 More than 3 billion photos uploaded to the site each month  More than 5 billion pieces

of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each week

The involvement is viral
 Millions of local businesses have active Pages on Facebook  More than 20 million people become fans of Pages each day

 Pages have created more than 5.9 billion fans

Mobility
 There are more than 200 million active users currently accessing Facebook through their mobile devices

I just have to check…
 Just last month, 57 million Americans visited social networking sites from a work computer  Checking your Facebook account has become the default Water Cooler

 It's the most commonly visited website at the workplace, twice as popular as Google and three times as popular as Yahoo

Cisco on Facebook

Cisco on Twitter

Cisco on be

Cisco on be

Connecticut Computer Services, Inc.

Owl Computing

Proton Energy Systems

CT Post 14

This is viral
 Overall, 43 percent of Americans said they keep in touch via social networking websites such as Facebook and LinkedIn

Connecticut Facebook users
There are almost two million Facebook users in The Nutmeg State

There is a human element to all of this, an element that is more often than not, overlooked…

It’s no longer just close relationships
 Our employees are going places they’ve never gone before and are touching technology daily  That which they are touching is touching our networks as well

5 Reasons Cisco embraces Social Media
 Attracting and retaining the best employees  Innovation and knowledge creation

 Operational efficiency
 Talent development  Employee engagement

That being said…
 There are things we really need to be aware of  The bad guys know what we’re doing, where we’re going and want to make the trip a wee bit more difficult

With Web 2.0
 A new breed of malware is evolving  Google Mashups, RSS feeds, search, all of these can be misused by hackers to distribute malware, attack Web surfers and communicate with botnets

Risk – it's everywhere
 And no one knows that better than IT security

professionals  Disgruntled employees, students, fired employees, clueless employees who succumb to social engineering, passwords left on Post-it notes, wideopen instant messaging and increasingly powerful hacker tools in the hands of teenagers, Web Mobs and Organized Crime targeting Social Media sites

Objective?
 The key objective, of course, is to recognize risk,

safeguard your reputation and not reveal sensitive or confidential information that may prove quite harmful

Malware
 Historically, malware has plagued e-mail, hidden in malicious attachments  While that's still happening, more malware writers are putting their efforts into malicious Web sites

Constant Mutation
 The goal in developing malware is not to simply

infect as many systems as possible but to specifically steal usage information and other data from compromised systems  Use of polymorphic code that constantly mutates

Bad Statistic

Two biggest vectors for Malware
 Email  Web-based

The Human Firewall – an invaluable tool
 A good human firewall employee is one who filters good security practices and rejects any others— much like a network firewall only allows authorized traffic and rejects any other  The only way to build a good human firewall is to

raise people’s awareness; to teach them good habits, to make them recognize bad practices and change them into good practices  Your cyber security is only as good as the people who manage it and those who use it

So Patrick, why do we really need that Human Firewall?

Because, ‘Friend’ has become a verb
 Social media users believe there is protection in being part of a community of people they know  Criminals are happy to prove this notion wrong

Causation
 The threats and security issues that come with

social media aren’t usually caused by vulnerabilities in software

The “herd” mentality
 More commonly, these threats originate from individuals who place an unwarranted amount of “transitive trust” in the safety of these communities

Remember…
 On social sites –  Your privacy is history  They don't have your best interests in mind  Social engineering attacks are getting more targeted

Trust?
 Users will trust something or someone because a

user they know has also expressed trust in that person or subject  We trust because we are curious and curiosity…

Curious? This is why! Out of date???

They want to send us somewhere else…

The unknown… DO NOT TOUCH THIS!!!

This is what our users are up against… Malware popping up out of nowhere !
 Don’t go there!  Stay on the path that you know well!  Okay to trust but please verify  So, have fun! But monitor  Be a bit more vigilant  And manage appropriately

But what does all this mean?
 I am just a user and am not an engineer or a

technician or a programmer or a geek!  I’m just sitting at my desk, talking to friends and all sorts of people  How in the world am I threatening our network???

2 Reasons…
 You probably do not understand policies, procedures, best practices and standards  If you do understand them, they are violated because there are no consequences – the policies

are not enforced  Who, me?

Education is Critical
 Few executives grasp the case for investing in

safeguards against hackers, malware, and the like  Education starts at the top and works its way down the food chain throughout the entire business  Before any employee puts their fingers on the keyboard they must understand that it is not their computer

The Seven Deadly Sins of Network Security
1. 2. 3. 4. 5. 6. 7.

Not measuring risk Thinking compliance equals security Overlooking the people Lax patching procedures Lax logging, monitoring Spurning the K.I.S.S. Too much access for too many

Did I mention the Insider?

The Opposing Team
     

The Hackers Disgruntled Insiders Clueless employees Competitors Foreign Governments Terror organizations

Biggest Players in the Global Black Market
 Russia

 China
 Brazil  Israel

 U.S.

North Korea in the fray

Krews
 HangUp Team

 CNHonker
 Russian Business Network  Rock Phish  76Service  MAAS  Hoff is Thirsty

Their Motivation?

Great Effort

Top 8 Perceived Threats
       

System penetration Sabotage of data Theft of proprietary information Denial of service Viruses and Worms Unauthorized insider access Laptop theft Insider abuse of the Internet

System Penetration
 It is an unfortunate reality that you will suffer a breach of security at some point  To bypass security, an attacker only has to find one vulnerable system within the entire network  But to guarantee security, you have to make

sure that 100 percent of your systems are invulnerable -- 100 percent of the time

Data Leakage: How many breaches in 2010?
 760 Breaches  222,477,043

records exposed  How were you impacted?  278 Breaches in 2011

It’s inevitable, so be prepared

Not good…
 But Patrick! It won’t happen to us!

Whether you get hacked depends…
 Do you assume the posture of, “It can’t happen here.”  Do you hear, “We haven’t heard of any worm outbreaks  


and all seems quiet. Why upgrade those devices?” “We have no budget.” “We’re just hanging out in Connecticut!” “They’re only going after the Government and those really big banks.” Then my question is, “Can you really afford to give up data today?

You can’t afford to give up data, so be prepared and alert…
 Every man has a plan until he gets hit!  Have a robust Computer Security Incident Response Plan 1. Test it

2. Update it both in terms of technology and personnel
3. Include Legal and HR in those plans

So, what are they really after?
 Your data  Your assets  Your employee’s data  Your personal data  Your paycheck  Your friends  Your family

You are the last line of Defense! Step up!
 Understand

 Educate
 Collaborate  Prepare

Thank You!

pagray@cisco.com