
running the event, like contracting with the companies and stuff like that. You call me Captain. I have a decent amount of certs; I'm a cert whore, like if the company pays for it, I'll get it, so I have MCSEs and CMPs that I don't use anymore. I've worked in these fields: consulting, manufacturing, the auto industry, and I currently work in healthcare. I'm an information security engineer, and like I said, I founded GrrCON with Chris. Also, a little joke here: I put a different logo on the bottom. Since there's enough marketing here about GrrCON, I'm actually starting up a site called securityconferences.org. It's just in the beginning phase; it has a listing of all
the security conferences coming up, so people can view them. It makes it easier instead of having to search all around for conferences in your area. So what do I love to do? I love to hack, break in... this is my display on my iPhone. So why are we here? Is it because of these guys, the hackers, or these guys, CEOs that are failing? That's great: George Friedman, Stratfor founder, or this guy, a previous CEO of Sony who effectively stepped down after all the Sony stuff going on, obviously. So first I want to give my props out to the evil guys. As you'll see in this presentation, I think they're changing the industry
and they're making it better for information security professionals in general. So first off, has anyone practiced or seen a company practice information assurance? Probably not. Very few, okay. So we'll go into that a little bit too, and now the CEOs can protect. So why are we praising the bad guys, as you would say? They have raised awareness in our industry to a whole other level. You guys know this because you guys are in the industry, but every second you look online it's "hack this, hack that," the site's been DoSed, blah blah. I see these articles on the front page of news sites, and
you never saw that 10 years ago. We were pushed to the side; no one cared about us. But now that everything's on the internet and people make most of their money online, it's a big thing. So C-level awareness is at an all-time high. CEOs are presenting at conferences about security, and they're talking about security, which has never been done before. And can you see more jobs out of all this for us as professionals? You'll see tons of jobs everywhere. If you're really good at what you do, you can get a job in security.
So all this type of awareness is bringing this on, and people are starting to realize that hacking groups in general are good for security. "Cyber security needs to be a top priority for CEOs": this is from just a couple of days ago. And CEOs are attending cyber security events. Since when would that happen? Would you see the GE CEO attending a cyber security event? Probably not, but it's starting to come around. In the future, I would say like 20 to 30 years from now, this will be commonplace for CEOs. So as far as hacking, evil hackers, you would
say bad hackers, you may not agree with their methods, and you may not want to do it for the lulz (thank you), or enjoy cracking their password dumps, or believe in their cause. But bottom line, you like that companies are being compromised, whether it's the bad guys or the good guys or who knows, and information is being released to the public. And as a CEO, you are the owner of all the information within your organization. I'm not here to pick on any companies, but CEOs need to evolve or die, or they will be the next target in security. So where does that bring us today? Let's start with the basics, straight from the source, Wikipedia.
Basically the whole point of the slide is I wanted to say that information assurance is the practice of information security not only in digital but also in analog and physical form. A lot of times as information security professionals all we care about is securing the digital side, and we never take into account, oh, look at the paper over there that has all the social security numbers on it, or look at the HR people talking at the water cooler about how there's massive layoffs coming. That's the stuff that as a security professional you're always going to be thinking of, and that's what information assurance is all about.
So physical form (who still writes, by the way?), spoken, like I said, the water cooler, and digital, like my little Flame malware. These three forms of information encompass information assurance. So now you should know that information is power. If you control and secure all your information within the organization, then obviously your risk bubbles will be down, but we'll go over some of that. Current industry challenges: organizations expect everyone to be rock stars. I listed out some of the skills you need in the information security field. Look at all these areas; you're expected to know every single area and be an
expert in every one. Well, it's impossible. I mean, I could spend 80 hours a week being an awesome web app pen tester and not do all the other stuff. Organizational structures are horrible. This is an example of a company I worked for. I was here, information security, and I reported to the manager, director, VP of IT, global VP, VP and controller, business unit president, then CEO. So to communicate a message across to any one of these guys, well, if I talk to the architecture manager, he needs to talk to his boss before anything's okay, and then he needs to talk to him,
and maybe these guys meet once a week, so you get one, two, three, four, five weeks before you actually get a decision. Same thing here: information security manager, director of security, VP of IT, CIO, CFO, CEO. So we're buried in IT. Current state: does anyone not report to IT? Where do you report? "We report to IT, but there's an entire organization solely dedicated to security; the one above the VP of security is the CEO of the company." Okay, that's good. So let's go on to a little bit of why it's bad to report to IT, and it's called value. The CEO
tells this guy, the CIO, to spend cash on value. So for example server farms, network storage equipment, network equipment, IP telephony, mobile computing, app development. All these types of things are bringing value to organizations by purchasing them, not by mitigating risk. So for example, can anyone answer this question: if I give you a million dollar budget for your company and you're the manager, how do you justify that to your management, to the CEO? How do you bring value?
No one can answer. Okay, so can you say conflict of interest? You like that? Chuck Norris, attorney: "I represent injured people."
Security typically gets the ax a lot of times. So here you've got this million dollar budget in IT. Let's say $500,000 goes to network infrastructure: network equipment, IP telephony, server farms, SANs, whatever you want. $250,000 goes to app development, web development, all these different areas. And then here you are in the security department saying, oh, pick me, pick me, I want a couple hundred thousand dollars. "Well, I need to protect our infrastructure. I don't know why I need to spend two hundred thousand dollars, but I need to get a SIEM, I need to get an IDS, I need to do all this stuff, but I don't know
why." We also have communication barriers within information security in general. Some companies don't even want you talking to the business. I've worked at a few companies where it's frowned upon as an IT security professional to actually talk to the business. This was a larger organization, Fortune 50, but basically they have business liaisons inside of IT that only talk to the business. So here you are as a security professional, you can't even talk to the business and learn how the business works. How are you supposed to protect it? You basically just do all IT security and hope that you're covering all the bases.
Oftentimes they don't even listen, and we know what happens with those companies. Finally, top-downers: has anyone heard of the top-down approach to information security or information assurance? It's where the CEO actually cares and security actually flows down the organization instead of up. Picture that: seven jobs before the CEO. Imagine me at the bottom, and I'm trying to push security all the way up. As me, I only have so much influence up the organization, maybe to the second or third level of that. So yes, exactly, then you're fired, then yes, you have a resume generating event, an RGE.
So where do we go from here? We evolve, even if the CEO doesn't want to. Sometimes this is tough; sometimes this is a matter of having to find a better opportunity, but we'll go on from there. So we drive information assurance into the business. We start learning the business, becoming involved in projects, becoming part of the main core of the business. So here is my approach to information assurance, with three core security groups. Information assurance should report to the CEO. So why? Who cares about security as a CEO, right? They don't care about 0-day, they don't care about Flame, they don't care about
malware. The CEO and the board of directors in an organization set acceptable risk levels for your organization. So as an information assurance professional, you must find the risks within the organization and then bring that risk down to that acceptable level. You're not going to go to the CEO and say, well, I mitigated this threat today by updating our AV. No. Yeah, AV's worthless. But these guys have the power to say this is what level we're okay with; anything above this level, we need to spend money or put controls into place that will reduce the risk to that
level. And at that point, whether it's a CISO or whatever position they give you title-wise, you now have the power to go in and put security controls in place on behalf of the business and make the organization more secure. So why has this not been done before? I asked everyone here: have you guys seen an organization that practices information assurance, or do you work for one? We're protecting a company's most valuable asset, the information. I think I read a long time ago that a company can lose 75 percent of their employees and still survive. You
can just go hire, massive hiring, who cares. You might have a little bit of information loss, but you'll still recover. But if you're a company and lose half or 75 percent of your information, well, you're screwed; you're out of business, if you're an insurance provider, if you're healthcare, or if you're in manufacturing and you lost 75 percent of your CAD drawings and can no longer manufacture. So that mindset needs to be in place. So why are we not equal with human resources, finance, legal, marketing, sales? Why aren't we at the round table? So the main functions of information assurance to drive value: information
asset identification. Does anyone perform information asset identification, or work for a company where someone else does this? This is basically knowing how much the information on your network is worth, knowing where it's all at, and assigning a risk level or priority to it. Does anyone do this? For example, for your HR data or anything like that? No. So this is important because you can't do proper risk management unless you know where the information is and what it's worth. For example, if I'm spending 50,000 a year on an IDS or firewall for information that is just logging data that I don't even care about, then you're wasting tons
of company money. Risk management is another function of information assurance: being a part of project teams, mergers and acquisitions, procurement, etc. So you're involved in an actual business part of it; you're there when a merger or acquisition happens, and you're dealing with the actual security of our information and of the other company's information when they merge. Business continuity planning is something I don't see happening very much when it comes to security, but it's the process of taking a business process and a system, let's say the HR hiring process: when HR hires someone, interviews them, starts paying the person, gets them all set up in there, and driving security into all those stages of the process.
Another example would be making widgets. For example, let's say you make car parts somewhere in Detroit here. I worked for a company that made car parts, and the business process would be getting the CAD drawings, making the plastic molding, going through each stage of the process until you get the finished product, where you ship it out and get paid for it. So having that entire business process mapped and then having security at each layer is where business continuity planning comes in. It's critical, because then you can go to the CEO and say, I know we can make widgets; we have tons of contingency plans in
place, and this is our business continuity plan for it. That's what drives value in the organization. And security awareness: at that level, reporting to the CEO, you have the power to have information security flow down in the organization. Enterprise security policy: you set global security policy and standards for the entire organization. These would be non-technical standards; you leave the technical ones up to other teams, I'll show you. Security governance: these functions will help drive security into the business, along with justifying security expenditures via risk management. So here you are, you can justify actually purchasing security equipment or putting controls in place. Information security: first we had information
assurance, and now we have the information security group, which reports to the CIO. Incident handling: these guys, the information security professionals, are probably all of us in the room. We're technical people that can do incident handling, vulnerability management. We advise the IT security and information assurance teams on trends; we may go to the developers and say this is how you should secure your application, or this is how to do secure coding. Write IT security policies and procedures, drive security into IT projects, and standards. Assist with compliance matters. And this can be either way, I mean you can have information assurance do some compliance, but this is more of the technical side,
making sure your systems are compliant. Penetration testing, everyone knows this: web application and network penetration testing, management of IDS and IPS. And then finally the IT security group. It reports to various management within IT. IT security mostly handles the operational aspects of security, including, well, it's based on your environment: AV server management, malware scans and removal. So in bigger organizations, information security typically won't do this; it's all separate, and IT security will do most of this stuff, and they report to various units. Account provisioning, access management, firewall management, URL filtering, desktop and server patching. So we put it all together, and here you've got IT security,
and you'll know that a lot of smaller organizations, like 100 people or less, might have one security guy that does all this, and oftentimes the security guy will not be able to do this part because he's so busy with this part. But this is more geared towards larger organizations that can afford a bigger security budget or have a CEO that is knowledgeable in information assurance. So IT security can report to any type of group. I've seen this report to the help desk; I've seen infrastructure, Unix teams; they all have a security hat. Firewall admins report to network infrastructure usually; it's not usually a security
function, and we'll put ACLs and stuff in. And information security, this is just an example: job titles, infosec manager, VP of infosec, and there are the functions. And then information assurance: the CISO.
So, preparing for the future: we must change our mindset as information security professionals. I'm a firm believer that we can't just be pen testers and do all the cool stuff; we've got to be in front of the business. It's fun to pop boxes, but you need to know risk management, you need to know the business side, you need to know how your company makes money, you need to be able to speak in front of everyone, go to meetings, learn how business processes work, learn the business, and learn and communicate information assurance. You need to tell people about it; you need to tell people that you're assessing the
risk of the business process or the application that they want to purchase. You have to stay current with security. This goes back to my previous point that you've got to try to be a rock star in every category of security, and that's why I'm proposing a three-tiered approach, because it's very difficult to be awesome at information assurance and risk management but then be able to hack for a living, you know what I mean. So this whole slide is all about: if you're an information security professional or IT security professional, always stay current with current topics and don't be afraid to communicate with the business. I see a lot of people
that will not talk to anyone else; they would love it if they could just sit at the computer in their cubicle nine to five, go home, and not talk to anyone. Polish off your soft skills: learn how to read, write emails, learn how to talk to people, learn how to communicate. So in conclusion, the hackers are forcing the CEOs of the world to evolve or die, and information assurance will be the way of the future, so prepare yourself, or your company will be the next. So, any questions?

Have you been able to get any information from some
sometimes, if their organizational behavior... Yeah, I mean, I don't have any contacts at a lot of these, but I know it's usually drastic, like, yeah, okay, yeah.
...have affected your... Yeah, unfortunately.
...that's on your map, right? Yeah, before... Yes, yes, that would be nice. Yeah, I mean, yeah, space, because guess what, they're in the house, guys, and now you need to know where they're moving and what they're doing, and it's changed their entire organizational structure. And like I said, I like your map, and I'd like to see the before and after. Yeah, I think that would be interesting to see. Like you said, people will change drastically, and what I'm finding out as more and more of this stuff happens, I think in the future years coming we're
going to see a lot of this, where organizations will proactively change, I mean.
The handling of incidents? Okay, I haven't seen that yet; it's not done yet. Okay. Do we know if Sony's really made a change, Charlie? Because at the end of the day we sit back and look: now they got tons of press on it, tons of attention; did they really suffer from what happened? Yeah, a lot of people say that it's actually a good thing, because, yeah, the stock went up. Yeah, there's no bad publicity, even though they dumped tons of oil in the ocean, yeah, still doing great, actually, I think. So, yeah, I can see it negatively impacting some organizations, obviously, like if you're healthcare or
something where... yeah, that's the example of it going really sideways. But I really don't think Sony suffered from them, because of their sheer size, and how a lot of the users think. So after the Sony rootkit incident, I banned Sony equipment from my house, because these terrify me. So that's an impact: people like you then will affect the bottom line eventually. You might say, well, I don't see it going down, but over the long term, you may never purchase a Sony piece of equipment again, and then I'll never touch your equipment
again. But I'm looking now: so what I saw, of course, in the whole zone... so my friends, I'm going, I'm so smart for not buying a Sony, and all they're going is, yeah, I wonder when the network's coming back up so I can play again. They just didn't care. Yeah, product development outside of IT; if you feel like the product, they'll probably still buy it, and build... enough things happen, until they get affected or a friend gets affected, and then it might change your attitude. Yeah, what ended up getting breached was just usernames, account numbers, in some cases credit cards and all that, but then
well, yeah, if it's a credit card thing, I mean, I just had my card number somehow get compromised, but fortunately they had all the controls in place. Every illegitimate charge that was attempted, they notified me right away and we took care of that. But at the same time, the banks will end up eating the difference on the charge. Yeah, talk to my friends who are on the Sony network: hey, your credit card got stolen. Yeah, but do they still
have my gamer score? Yeah, some people don't care about security. Does it cost people on your credit card? 50 bucks max. I mean, yeah, right, okay, but the gamer score, we spend more time on that than 50 dollars' worth of credit card. Yeah, Modern Warfare is awesome.
Only if I can hold the company responsible for losing my credit card. I mean, there is no one answer there. I like getting paid for doing this stuff; I don't want it to be easy. But I guess this comes back to the question of how did this affect Sony, and I guess in the short term, well, it took a little bit of a hit on the publicity, but then, is there such a thing as bad publicity? I mean, TJ Maxx stock went up right after their huge, like, two-year breach, right? Nobody cares. Yeah, if you're a Susie Homemaker, do you care that TJ Maxx got breached? No, you got a new credit card and you
went back. But you've got to admit that in that particular instance, like the Sony PlayStation Network, whatever, there's other options, Xbox, right? Oh yeah.
Exactly, yeah, this company's getting hacked, I've got to get something else. Thinking about it, it all depends on who gets compromised and how it affects the individual. Yeah, if it's your bank that gets hit, and all of a sudden somehow thousands of dollars leave your personal bank account, yeah, your money got to leave; you get it back, unless you're a business. Yeah, a business won't get it back, because... personally, if I break into your bank... So there's still really no accountability. But is that related to insurance, or is that a federal law? Yeah, you're responsible for like fifty dollars.
Does this reject the charges outright? They are, you know, initially, the transactions are spotted; it takes a couple weeks to dispute, or I don't know. Yeah, you don't care. I mean, grsec, right? They stole my debit card at the bar and I was buying beer. I think they sucked, but, well, I still drink beer there.
I didn't buy tickets to, or buy the insurance. So, any other questions? Or I guess there might still be, from the CEO's perspective, they might think the negative publicity is bad. Yeah, where I work, if we're in the news, you do a wag, right? Yeah, that's how you want to fight stuff.
Or, you know, a three-letter agency or something like that; a whole different kind of impact when it's your job to do this realm of activity. Yeah, classified documents being released. Well, some of those places have processes like this in place. Very good, like three-letter agencies kind of started with the information assurance thing. Yeah, but their employees still end up losing laptops. Yeah.
But in my scenario, you would say that you'd have risk management in place, where you say, okay, if I lost a laptop and it was encrypted or it was unencrypted, then I would lose this information and it could be disclosed, so then you put proper controls in place. Yeah.
Healthier for the fact that there's serious value to other people who would be impacted. In Sony's case nobody cares, right? Yeah, the money comes back to everybody who lost it, and the people go on and play their next game when it comes out. But there are other people who are seriously affected by these incidents, and a structural change would be very relevant. Yeah, any other questions? That's it, thank you.
spin the out of you that's right