THE CYBER FUTURE IS ALREADY HERE

Robert E Stroud, Immediate Past Chair, ISACA International
[email protected]
Principal Analyst, Forrester Research
March 2016

THE CYBER FUTURE IS ALREADY HERE - isaca …isaca-northtexas.org/Presentations/Cyber Future Is Already Here.pdf · THE CYBER FUTURE IS ALREADY HERE ... Registered and Activated Russian


BOARD ROOM ATTENTION TO CYBER SECURITY


MONETIZATION OF CYBER CRIME

Item                                                    Cost on black market
1,000 Stolen Email Addresses                            $0.50 to $10
Credit Card Details                                     $0.50 to $20
Scans of Real Passports                                 $1 to $2
Stolen Gaming Accounts                                  $10 to $15
Custom Malware                                          $12 to $3500
1,000 Social Network Followers                          $2 to $12
Stolen Cloud Accounts                                   $7 to $8
1 Million Verified Email Spam Mail-outs                 $70 to $150
Registered and Activated Russian Mobile Phone SIM Card  $100

Source: Symantec 2015 Internet Security Threat Report, Volume 20

HONG KONG STOCK EXCHANGE HAS UPGRADED HONG KONG'S CORPORATE GOVERNANCE CODE (EFFECTIVE JANUARY 1, 2016)

• Incorporating risk management into the Code where appropriate

• Defining the roles and responsibilities of the board and management

• Clarifying that the board has an ongoing responsibility to oversee the issuer’s risk management and internal control systems

• Upgrading the following to ‘comply or explain’: (a) that issuers should have an internal audit function and (b) those provisions in relation to the annual review of the effectiveness of the issuer’s risk management and internal control systems, and disclosures in the Corporate Governance Report

Source: Mayer Brown JSM, Legal Update, December 30, 2015

15% lack an internal audit function — KPMG/Hong Kong Institute of Chartered Secretaries survey, Oct. 2015

CLOUD, SOCIAL, AND BIG DATA

CLOUD BENEFITS

What benefits have you received from your cloud deployment?

Source: Cloud Security Spotlight Report, Crowd Research Partners, LinkedIn Group Partner, Information Security, March 2015

“Public Cloud and SaaS are giving smaller businesses an asymmetric competitive advantage over larger competitors” – Rob Clyde at National Association of Corporate Directors, April 12, 2015

WHAT LIMITS CLOUD ADOPTION?

What to do?

• Encryption helps, but key management is critical

• Regulatory, sensitivity and privacy issues may require that some data is restricted to certain physical locations

• Restrict sensitive workloads (e.g., PCI) to trusted hardware and software server stack

• Only allow certain workloads to run on hardware in approved physical location

• Only allow certain workload data to be decrypted in approved physical location

• Cloud solutions require a combination of capabilities to achieve "defense in depth" and compliance readiness

Source: 2014 Open Data Center Alliance Cloud Adoption Report

What factors are limiting your adoption of virtual/private, community and public clouds today?

DARK SIDE TO CLOUD AND SOFTWARE DEFINED DATACENTER (SDDC) INFRASTRUCTURE

• Infrastructure, especially cloud and virtual administrative access, is a target and concern

• Underlying virtual machines or containers are just files that can be copied, moved or deleted (10s to 1000s at a time)

• Accidental mistakes or malicious damage

• Audit logs are detailed at the application and OS level, but they often lack sufficient actionable data and granularity at the hypervisor level

• Compliance requires that virtual and cloud administrative access be controlled and monitored, with sufficient audit logs at the hypervisor level

[Diagram: Virtual Admins and VM]

CONTAINERS COMPARED TO VIRTUAL MACHINES

Source: Gianluca Costa, Introduction to Docker

Many cloud service providers have the ability to run containers

DOCKER SECURITY

Security concerns:

Image signatures are not properly verified

If you have root in a container, an attacker can potentially get root on the entire system

Admins or scripts may move containers to a non-compliant environment

Images may not have security patches applied

Security Remedies:

Use signed or trusted images from your private repositories

Don't run containers as root, if possible

Fence things in with VMs

• Run containers on top of VM

• Run VM in container

Use Docker Enhanced Controls

User namespacing: give containers own set of UIDs and GIDs so users are isolated

Apply patches to Docker images

“Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities” — BanyanOps, ZDNet, May 29, 2015

WORKLOADS: THE ATOMIC UNIT OF IT

• What is a workload? Anything. A workload is the amount of processing designated for a specific task, such as:
  § A database, web server or application running in a virtual machine
  § A Docker-style container that runs an application without requiring the user to supply any infrastructure
  Fundamentally a workload is the smallest building block for an IT environment

• Where will these workloads be found? Everywhere. 90%+ of large enterprises will be using hybrid (vs. private only) infrastructure with workloads moving around these hybrid environments. This creates a significant security and management challenge. For example, a PCI compliant workload might be accidentally moved to a non-PCI compliant environment

• Securing workloads is traditionally done with segmentation. This generally results in significant over-provisioning and inefficiency, and loses flexibility (even in cloud or SDDC environments)

INTELLIGENT WORKLOAD SECURITY

Workload – the smallest unit of IT (the compute processing for a task)

Data – the content of a workload (e.g. a customer name in a database)

Infrastructure – the platform on which the workload will run (e.g. VMware ESX, Docker, etc.)

Management – how the workload is managed (either by machines via APIs or by human admins)

Intelligent Micro Policy – insulates and translates compliance and security rules to both control the workload and allow the workload to make decisions based on external input

Source: HyTrust


KEY ELEMENTS FOR INTELLIGENT WORKLOAD SECURITY

[Diagram, recovered as a list]
• Breach Protection
• Policy Enforcement
• Boundary Controls
• Cross Platform Policy
• Insider Threats
• Easy Auditing
• Secondary Approvals
• Continuous Security and Compliance Monitoring
• Encryption (and Key Management)
• Platform Technology (running Workload)
• Admin Controls and Auditing
• Flexible and efficient

KEY BENEFITS OF INTELLIGENT WORKLOAD SECURITY

• Reduced complexity. Intelligent Micro Policy approach reduces complexity of rules since workload negotiates with other parties dynamically (admin, data, infrastructure)

• Always on security. Increases security since both parties (workload and other party) must agree on actions – avoids rogue insider threat situation (for example)

• Lower costs. Removes need for inefficient air gapped or micro-segmentation approaches

By Delivering:

• Abstraction. Abstraction for customer from fast changing regulatory (e.g. Safe Harbor) and technology changes (server, network, containers, etc…)

• Any Cloud. Ensures ease of use with Any to Any (from any cloud to any cloud)

• Automation. Removes complexity of compliance in hybrid deployments

SOCIAL MEDIA ATTACKS

Manual Sharing – These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers or messages that they share with their friends.

Fake Offering – These scams invite social network users to join a fake event or group with incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number.

Likejacking – Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, spreading the attack.

Source: Symantec 2015 Internet Security Threat Report, Volume 20

SOCIAL MEDIA SCAMS

• 68 percent of people surveyed will willingly trade in various types of private information for a free app

• Some even send $0.99 to the scammers in order to cover the return postage for a so-called offer. (The offer never arrives, of course)

Source: Symantec 2015 Internet Security Threat Report, Volume 20

EMPLOYEES’ USE OF SOCIAL MEDIA – RISKS AND IMPACTS

Source: Social Media: Business Benefits and Security, Governance and Assurance Perspectives, ISACA May 2010

LEVERAGE BIG DATA TO GET BIG INSIGHTS

90% of the data in the world today has been created in the last two years alone

Source: Mushroom Networks, The Landscape of Big Data

65% of CIOs said “determining how to get value from data” was a big challenge – Wall Street Journal, Feb. 10, 2015

Stored data doubles every 1.2 years!

That’s about 10 TB per person

100 zettabytes by 2025! – the equivalent of 36 billion years of HD video – Virgin Media

BIG DATA AND ANALYTICS APPLICATIONS


Curing Cancer

Reducing Energy Costs

Predicting Weather

Predicting Consumer behavior

Build Better Cars

Security Intelligence and Fraud Detection

USING BIG DATA TO PREDICT CRIME


Source: NetworkWorld, Sep 20, 2014

Crime Hot Spots in London

Soldiers' suicide risk predictable with Big Data, study says, Patricia Kime, Nov. 12, 2014

What about predicting crime by particular individuals? Will we have predictive capabilities like those in the movie Minority Report, but through Big Data?

BIG DATA CHALLENGES ACCORDING TO ISACA MEMBERS

Which of the following do you believe is the biggest challenge posed by Big Data? (n = 1,589)

[Chart of responses; the per-option percentages did not survive extraction]
• Large-volume data management and storage
• Shared ownership with other departments
• Lack of analytics capabilities or skills
• We are not facing any challenges
• Other
• Security threats from outsiders
• Security threats from insiders
• Compliance requirements

48% view security or compliance as biggest challenge

Source: ISACA’s Risk/Reward Barometer, 2014

BIG DATA PRIVACY CONCERNS

Bigger Data = Bigger Target: the higher concentration of data, the more appealing a target it makes for hackers, and the greater impact of the breach

“De-Identified” Information Can Be “Re-Identified”: data collectors claim that the aggregated information has been “de-identified”; however, it is possible to re-associate “anonymous” data with specific individuals, especially since so much information is linked with smartphones

Possible Deduction of Personally Identifiable Information: non-personal data could be used to make predictions of a sensitive nature, like health condition, financial status, etc.

Data Sovereignty Issues: Many countries or regions (like the EU), may have requirements that certain personal data and the processing of that data remain in the country or region

Right to be forgotten: Some areas like the EU have a “right to be forgotten” that may be challenging to implement in a Big Data environment.

http://www.ftc.gov/public-statements/2012/03/big-data-big-issues
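To make the de-identification point above concrete, an added Python example (not from the slides or the FTC statement): it measures the k-anonymity of a constructed, name-stripped health export over the quasi-identifiers ZIP, birth year and sex, reports which records a constructed public register would link back to a named person, and shows generalization of ZIP and birth year as a mitigation. All records, ZIP codes and names are constructed test data; k-anonymity and generalization are this example's framing, not the slide's.

```python
"""Added example (not from the slides): k-anonymity check showing why a
"de-identified" export can still be re-identified by joining on
quasi-identifiers, and generalization as a mitigation. All data is constructed."""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "de-identified" health export: names removed, diagnosis kept.
DEIDENTIFIED = [
    {"zip": "75201", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "75201", "birth_year": 1984, "sex": "F", "diagnosis": "healthy"},
    {"zip": "75202", "birth_year": 1979, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "75203", "birth_year": 1975, "sex": "M", "diagnosis": "healthy"},
    {"zip": "75203", "birth_year": 1975, "sex": "M", "diagnosis": "healthy"},
]

# Constructed public register (think voter roll) with names and the same fields.
PUBLIC_REGISTER = [
    {"name": "A. Example", "zip": "75202", "birth_year": 1979, "sex": "M"},
    {"name": "B. Example", "zip": "75201", "birth_year": 1984, "sex": "F"},
    {"name": "C. Example", "zip": "75201", "birth_year": 1984, "sex": "F"},
]


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Group records by their quasi-identifier tuple."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[k] for k in keys)].append(r)
    return groups


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group; k == 1 means a record is unique on its QIs."""
    return min(len(g) for g in equivalence_classes(records, keys).values())


def linkage_risk(records, register, keys=QUASI_IDENTIFIERS):
    """Records unique in the export whose QIs match exactly one named person in
    the register: the join re-identifies them together with their diagnosis."""
    count = Counter(tuple(p[k] for k in keys) for p in register)
    name_of = {tuple(p[k] for k in keys): p["name"] for p in register}
    return [(name_of[qi], group[0]["diagnosis"])
            for qi, group in equivalence_classes(records, keys).items()
            if len(group) == 1 and count.get(qi) == 1]


def generalize(records):
    """Mitigation: coarsen ZIP to its first three digits and birth year to a
    decade so more records share each quasi-identifier tuple."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["birth_year"] = r["birth_year"] // 10 * 10
        out.append(g)
    return out
```

On the constructed data the raw export has k = 1 and one record links to a named person; after generalization k rises to 2 and the linkage no longer resolves to a single individual.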

MOBILE

BRING YOUR OWN DEVICE (BYOD) IS ALREADY HERE

54% allow at least some BYOD

Source: ISACA’s Risk/Reward Barometer, 2014

MOBILE

Mobile attacks will continue to grow rapidly as new technologies expand the attack surface and app store abuse goes unchecked.

Source: Intel Security 2015 Threat Predictions

5M+ Mobile Malware Samples

MOBILE PAYMENTS

• Register credit or debit cards in a mobile wallet using the smart phone camera or manual entry

• The mobile wallet is stored on the cloud and or the device

• Select your default payment method in the mobile wallet

• Use your mobile device to make a payment by placing it near the point of sale (uses near field communication – NFC)

• May need to authorize payment with fingerprint or passcode

• No need to get out or even carry your wallet or credit cards

ISACA 2015 Mobile Payment Security Study

• 23% say mobile payments are secure
• 89% say cash is most secure (only 9% prefer to use it)
• 47% say credit card is secure
• 83% prefer to use a credit or debit card

Mobile Payment Market will be worth $2.8 Trillion by 2020!

Source: Future Market Insights


MORE SECURE THAN CONVENTIONAL PAYMENTS?

Cash seems anonymous, but most retail stores have surveillance equipment

Criminals may make copies of physical cards or card information used at retail outlets

Cybercriminals steal credit card databases or credit card numbers transmitted for transactions

Criminals make duplicate cards and use them at ATMs, online or at retail locations

Source: http://www.isaca.org/cyber/cyber-security-articles/Pages/mobile-payments-more-secure-than-conventional-payments.aspx

Any time the actual credit card number is used in a transaction, there is a risk that it will be stolen.

PAYMENT TOKENIZATION

• Tokenization is similar to encryption except the result is in the same format with the same number of characters or digits as the original

• Storage tokenization has been used to secure credit card numbers by merchants and others for many years, generally to meet PCI requirements. A storage token cannot be used for payment in a transaction

• Payment tokens are relatively new and are valid for use in the payment (thanks to cooperation between card issuers, card networks, banks, and mobile payment providers)

• When a card is registered to the mobile wallet, the mobile wallet app communicates with the card network or a Token Service Provider (TSP) which then issues a payment token and stores it along with the actual card number in a token vault

• The mobile wallet app then stores the payment token and perhaps a cryptogram in the mobile wallet, but not the actual card number


“At the heart of modern mobile payment systems’ security is the concept of payment tokenization”

Source: http://www.isaca.org/cyber/cyber-security-articles/Pages/mobile-payments-more-secure-than-conventional-payments.aspx
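The registration and payment flow described above, as an added Python example (not code from the slides, or from any card network or token service provider): a TokenVault stands for the TSP, a MobileWallet for the device, TOKEN_BIN is a constructed reserved prefix, and a shared HMAC key stands in for the key derivation a real scheme uses. The vault rejects a storage token presented for payment, a payment token presented without a valid cryptogram, and a replayed cryptogram.

```python
"""Added example: format-preserving payment tokenization with a TSP token vault
(not code from the slides or from any card network). TokenVault, MobileWallet
and TOKEN_BIN are this example's own names; the shared HMAC key simplifies the
key derivation a real scheme uses."""
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit that makes payload + digit pass the mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                     # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def cryptogram(key: bytes, token: str, amount_cents: int, counter: int) -> str:
    """Per-transaction cryptogram binding token, amount and a monotonic counter."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """TSP side: keeps the PAN-token pairs and authorizes payment tokens. Tokens
    have the PAN's length, pass Luhn (so card-number format checks accept them)
    and start with a reserved prefix so they can never equal a real PAN."""
    TOKEN_BIN = "99"                       # constructed placeholder prefix

    def __init__(self, key: bytes):
        self._key = key
        self._pan_by_token = {}            # token -> PAN (the vault itself)
        self._kind = {}                    # token -> "storage" or "payment"
        self._last_counter = {}            # token -> last accepted counter

    def issue_token(self, pan: str, kind: str) -> str:
        if not luhn_valid(pan) or kind not in ("storage", "payment"):
            raise ValueError("bad PAN or token kind")
        body_len = len(pan) - len(self.TOKEN_BIN) - 1
        while True:                        # redraw on the rare vault collision
            payload = self.TOKEN_BIN + "".join(
                secrets.choice("0123456789") for _ in range(body_len))
            token = payload + luhn_check_digit(payload)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._kind[token] = kind
        return token

    def authorize(self, token: str, amount_cents: int, counter: int,
                  crypt: str) -> Optional[str]:
        """Return the real PAN for a valid payment message, None otherwise."""
        pan = self._pan_by_token.get(token)
        if pan is None or self._kind[token] != "payment":
            return None                    # unknown token or storage-only token
        expected = cryptogram(self._key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, crypt):
            return None                    # a token without its cryptogram is useless
        if counter <= self._last_counter.get(token, -1):
            return None                    # replayed cryptogram
        self._last_counter[token] = counter
        return pan


class MobileWallet:
    """Device side: holds the payment token and key, never the card number."""

    def __init__(self, tsp: TokenVault, key: bytes, pan: str):
        self.token = tsp.issue_token(pan, "payment")
        self._key, self._counter = key, 0

    def pay(self, amount_cents: int) -> tuple:
        self._counter += 1                 # counter makes each cryptogram unique
        return (self.token, amount_cents, self._counter,
                cryptogram(self._key, self.token, amount_cents, self._counter))
```

A caller registers a PAN through MobileWallet, sends the tuple from pay() to TokenVault.authorize(), and receives the PAN back only once per cryptogram; the merchant path never sees the card number.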

APPLE PAY TRANSACTION FLOW

[Diagram]

Source: US Federal Reserve Bank of Boston, compiled from various sources

THE INTERNET OF THINGS


THE SMAC STACK WILL ENABLE THE INTERNET OF THINGS

Source: Cognizant

The SMAC stack (Social, Mobile, Analytics/Big Data and Cloud) will power new applications that connect to “things”

“The next master architecture for enterprise IT, and its magnitude and importance.”

INTERNET OF THINGS (IOT)

Source: 2014 HP Internet of Things Research Study

HP Test of 10 Popular IoT Devices (IP Cameras, smart meters, healthcare, fitness, SCADA, etc.)

Gartner predicts 26 Billion IoT Devices by 2020


SMART TV SECURITY CONCERNS

Microphone may always be on (for voice commands)

Risk that attacker could turn on webcam

Activity on Smart TV is tracked and may be shared with social media

Like with smartphones, malicious apps could be downloaded

Smart TVs in the office:
• Consider not connecting to Internet; if you do, connect to a Guest network
• Take care as to which features and apps are enabled
• Turn off or disable microphone and webcam
• If possible, lock out others from changing TV settings

CONNECTED CARS ARE AT RISK


Fiat Chrysler has issued a safety recall affecting 1.4m vehicles in the US, after security researchers showed that one of its cars could be hacked.

On Tuesday, tech magazine Wired reported that hackers had taken control of a Jeep Cherokee via its internet-connected entertainment system.

CONNECTED CAR SECURITY CONCERNS


• OBD-II port can be used to inject packets into the car’s computer system, allowing control of the brakes, ignition control unit, etc. (requires physical access for attack)

• WiFi devices can be attached to OBD-II port for insurance or other reasons potentially allowing remote access

• Sensors (like tire pressure sensors) could be negatively affected with other devices, potentially causing loss of control

• Websites and mobile apps to control car may have poor authentication (often only use VIN to identify car)

• Standards around vehicle to vehicle (V2V) and vehicle to infrastructure (V2I) are still emerging

• Entertainment system connected to the Internet may allow connection and attack to control systems

• Personal information like navigation, speed, entertainment choices, etc. may be shared with the car manufacturer and third parties

INTERNET OF THINGS – THE END OF PRIVACY?

Introducing more private information about ourselves

Traditional Personally Identifying Information:
• Date of Birth
• SSN/Govt. ID Number
• Credit Card Number
• Name
• Address
• Username

New IoT Personal Data (What? Where? When? Why?):
• Glucose level
• Weight
• Calories
• GPS location
• Heart rate
• Sleep
• Mood
• Surrounding images
• Driving habits
• Blood pressure
• Travel route
• Exercise route

INSECURE IOT DEVICES AND PRIVACY


“All too often for other pieces of major industrial machinery, the controls are sitting there in plain sight or hidden behind the most rudimentary credentials. In 2012, simply attempting to log in as “root” or “admin”, with the password being the same again, was sufficient for another group of anonymous internet explorers to gain access to over 400,000 devices. With the rise of internet-connected devices since this study was conducted, that number is likely to be far higher.”


SHODAN.IO WEBCAM BROWSER


USING THE INTERNET OF THINGS TO SPY?


“In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment”, says James Clapper, US director of national intelligence.


END OF PRIVACY?


Social, Mobile, the Internet of Things and Big Data Analytics have profound implications for privacy in the future

Source: ISACA 2014 Risk Reward Barometer

The New Yorker 1993 The New Yorker 2015

“On the Internet, nobody knows you’re a dog.”


INTERNET OF THINGS – POTENTIAL SECURITY CONCERNS

• Tethering via Bluetooth LE to smart phone (might be sniffed)

• Transmission and storage of information in cloud (might be hacked)

• Sharing of information via social media (likely to become public)

• Man-in-the middle and redirect attacks (similar to mobile devices)


APPLE WATCH SECURITY

Uses Bluetooth or WiFi to tether to iPhone for Cellular, GPS, etc.

Relies on iPhone and cloud for much of security

Similar concerns as with other tethered wearables

Consider visibility of messages on screen to others

Apple Pay security (protection against theft of watch)

• Sensors can detect when watch is taken off wrist and put back on

• Use opt-in PIN so when taken off it has to be re-authenticated when put back on

• Payment only functions when on wrist and authenticated

• No credit card numbers stored on watch – uses payment tokenization


IOT – RECOMMENDATIONS FOR USERS

• Use a screen lock or password to prevent unauthorized access to your device

• Do not reuse the same user name and password between different sites

• Use strong passwords

• Turn off Bluetooth when not required

• Be wary of sites and services asking for unnecessary or excessive information

• Be careful when using social sharing features

• Avoid sharing location details on social media

• Avoid apps and services that do not prominently display a privacy policy

• Read and understand the privacy policy

• Install app and OS updates when available

• Use a device-based security solution

• Use full device encryption if available

Source: Symantec, “How Safe is Your Quantified Self”

IOT – RECOMMENDATIONS FOR ORGANIZATIONS

• Safely embrace Internet of Things devices in the workplace to keep competitive advantage

• Ensure all workplace devices owned by organization are updated regularly with security upgrades

• Ensure default passwords are changed and not easy to guess

• Require all devices be wirelessly connected through the workplace guest network, rather than internal network

• Provide cybersecurity training for all employees to demonstrate their awareness of best practices of cybersecurity and the different types of cyberattacks

• Ensure that IT and security professionals are CSX-certified

56% of tested devices using OpenSSL had not been updated in over 50 months - 2015 Cisco Annual Security Report

WE HAVE A WAYS TO GO….

Source: EY’s Global Information Security Survey 2015

Percentage who indicated their level of maturity was “very mature”


CONCLUSIONS

The situation is only going to get more complex

Widening industry skills gap

This is not yesterday’s security

Learn to embrace new technology safely

ISACA – effective controls and assurance are critical in this Digital Age!

www.isaca.org/cyber


ROBERT E STROUD CGEIT CRISC [email protected]

@ROBERTESTROUD

THANK YOU!


QUESTIONS?


Robert E Stroud
[email protected]
@RobertEStroud

Email: [email protected]
Site: www.isaca.org