I attended the Rutgers Business School 38th World Continuous Auditing and Reporting Symposium on November 4th & 5th 2016 on the Rutgers campus in Newark, NJ. Here are my takeaways from a cybersecurity presentation.
John Gomez, CEO of Sensato Cybersecurity Solutions, presented “Cybersecurity Risks: Myths, Fallacies and Facts”. He noted that most breaches go undetected for 265 days on average. The duration of a breach has increased over the years from 15 days. Given a duration of 265 days, internal control procedures like requiring password changes every 90 days obviously don’t help. John said that if the attacker figured it out once, they will re-run the same approach to figure it out again, or they have moved on and hold an administrative password and no longer need a user password.
John went on to indicate that encryption, another internal control, matters less than many compliance professionals think, because once the attacker has your credentials, they have the same rights you do. Encryption is not the end-all, be-all.
Monitoring data activity to detect breaches is appropriate, but John also cautioned against taking too much comfort that this procedure will detect an attack. Attackers do not take huge amounts of data at once because they know this will lead to detection.
John discussed the disturbing migration from hackers to attackers (well-funded and deadly serious). He classified attackers as follows:
- Criminals – profit motivated; EAS (Espionage as a Service): they post to online sites, “we can get this data if anyone wants it”, then execute a statement of service for those who contract them to obtain the data. It’s ransomware as a business.
- Spies – nation states – highly sophisticated and resourced
- Terrorists – most dangerous, based on ideology.
John described the “Attacker Methodology” as follows:
- Mission planning
- Intelligence gathering
- Assess vulnerabilities
- Mission review
He cautioned to bear in mind that attackers do not have a timeline. They have as much time as they decide to devote.
John also advised looking for adjacent domains to your own (similar names with a misspelling or a substituted character) and gaining control of them; it is a good idea to register the adjacent domains yourself. He gave the example of “wellpoint.com” and “we11point.com”.
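The adjacent-domain check described above, as an added illustration (not code from the presentation or from Sensato). It generates the lookalike candidates of a domain that a defender would register or watch for, and flags observed domains that match; the homoglyph table and the sample observed domains are constructed assumptions, and the generator also covers dropped letters and transpositions beyond the “we11point.com” substitution the talk mentioned.

```python
"""Adjacent-domain candidates and a lookalike check for a brand domain."""

# Characters that look alike in common fonts (constructed table, not exhaustive).
HOMOGLYPHS = {
    "l": ("1", "i"), "i": ("1", "l"), "1": ("l", "i"), "o": ("0",), "0": ("o",),
    "e": ("3",), "a": ("4",), "s": ("5",), "m": ("rn",), "w": ("vv",),
}


def adjacent_domains(domain: str) -> set[str]:
    """Return lookalike candidates of `domain`: homoglyph swaps (single position
    and every occurrence), one dropped character, and one adjacent transposition."""
    label, dot, tld = domain.lower().rpartition(".")
    if not dot:
        raise ValueError("expected a registrable name like example.com")
    variants = set()
    for pos, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, ()):
            variants.add(label[:pos] + sub + label[pos + 1:])
    # Replace every occurrence at once: we11point.com needs both l's swapped.
    for ch, subs in HOMOGLYPHS.items():
        if ch in label:
            for sub in subs:
                variants.add(label.replace(ch, sub))
    for pos in range(len(label)):
        variants.add(label[:pos] + label[pos + 1:])            # dropped character
        if pos + 1 < len(label):                                # swapped neighbours
            variants.add(label[:pos] + label[pos + 1] + label[pos] + label[pos + 2:])
    variants.discard(label)                                     # the real name is not a lookalike
    return {v + "." + tld for v in variants if v}


def is_adjacent(observed: str, own: str) -> bool:
    """True when `observed` is a lookalike of `own`; an exact match is not one."""
    return observed.lower() in adjacent_domains(own)


def flag_lookalikes(observed: list[str], own: str) -> list[str]:
    """Keep only the observed domains (e.g. mail senders, link hosts) adjacent to `own`."""
    return [d for d in observed if is_adjacent(d, own)]


# Constructed sample of domains seen in inbound mail headers; not real data.
SAMPLE_OBSERVED = ["wellpoint.com", "we11point.com", "wellpiont.com",
                   "example.org", "welpoint.com"]

if __name__ == "__main__":
    print(flag_lookalikes(SAMPLE_OBSERVED, "wellpoint.com"))
```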
John reminded us that attackers collaborate by nature. Cyber levels the playing field. A common person with knowledge can have the same capability as the largest military.
John gave the following recommendations:
- You must have relevant, timely data security and privacy policies.
- Executives must understand the risks and support the efforts with needed resources.
- Every organization needs a one to three-year cybersecurity plan.
- Deploy honeypots in your network. This is a low-cost, high-return technology to detect and deflect attackers.