Download Information Security - Georgia Libraries Tech Center

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Community informatics wikipedia , lookup

Information security wikipedia , lookup

Security printing wikipedia , lookup

Emerging adulthood and early adulthood wikipedia , lookup

Computer security wikipedia , lookup

Transcript
The State of Cybersecurity
Dr. W. Todd Watson, Sr.
Information Security Officer
Board of Regents of the University System of Georgia
GPLS Technology Bootcamp - April 28, 2016
Agenda
• Introduction
• Emerging Cybersecurity Trends
• Challenges and Opportunities
– People
– Technology
– Processes
• Questions
Dr. W. Todd Watson, Sr.
• Information Security Officer
Board of Regents of the
University System of Georgia
• 30+ year technology
veteran
•
•
•
•
Engineer
IT manager
Chief executive
Consultant
• Experience earned in both
Private and Public Sectors
Doctor
Public Policy and Administration
Master of Science
Computer Science, Information Assurance
Bachelor of Science
Computer Science
Adjunct Professor
Cybersecurity, Technology, and Public
Management
A short InfoSec story
• Engineer: Late 1970s - early1980s
– Hitachi Semiconductor – HM4716-AP3
•
•
•
•
•
16K x 1bit MOS DRAM
Kazumitsu Nakamura
Aha! Let’s bake in “sawdust.”
Pedigree circuits
Call for secure design
A shorter(?) InfoSec story
• Engineer: 1980s
– C-band (3.7GHz) satellite
communications
– I killed these. Almost.
– How?
• Symmetric-key encryption
• In continuous use until June 26, 2014
Current and Emerging Trends in
Cybersecurity
– Malware. And More Malware.
– Phishing, Spearphishing and Whaling
– Multifactor – Effective or Not?
– IoT
– SCADA
– UEFI vs. BIOS – Emerging root variant?
Current and Emerging Trends in
Cybersecurity
Source: TrendMicro
Current and Emerging Trends in
Cybersecurity
Current and Emerging Trends in
Cybersecurity
Source: TrendMicro
Current and Emerging Trends in
Cybersecurity
Ransomware in the news:
February 17, 2016: Presbyterian Medical Center, Los
Angeles: Ransom PAID: $17,000
March 8, 2016: Horry County Schools, South Carolina:
Ransom PAID: $10,000
March 9, 2016: Crawford County Library System,
Arkansas: PAID: Undisclosed
March 23, 2016: Kentucky Methodist Hospital: PAID: $0
March 25, 2016: Baltimore Union Memorial Hospital:
Ransom PAID: $18,500
April 18, 2016: Follett’s library management software
Open to Ransomware Attacks, via JBoss server
Malware rules
• 35% increase in RansomWare in 2016
– Windows, Mac, Linux, Mobile, Watches, TVs
– Why? Because it is profitable!
• Attacker-owned infrastructure
• “Service-oriented” organized crime
– Electronic payment: 1 = $400(+/-)
– Customer Service Help Desk
Phishing, Spearphishing, Whaling
• 400% increase in phishing attempts related to
the tax season in 2016
– Increases in quality of phish
– Seasonal during Thanksgiving, Christmas, Taxes
• Business Email Correspondence (BEC)
attempts - W-2s
– Primarily directed at HR departments
– Social engineering
• Whaling increases in 2015-2016
– Subpoenas
– Customer complaints
Multifactor: Panacea or Pandora?
•
•
•
•
•
Verification Code Forwarding Attack
Man-in-the-middle
Trojan
Segmentation is strength
Weaknesses
– Leverage of OS X Continuity
• synchronization of messages across platforms
– Leverage of Google Play’s remote app
The Internet of Things (IoT)
Cameras, cars, lights, medical devices, etc.
Mass produced
Widely available
Well-known default credentials
Built-in management services (web, ftp, SMTP)
Often constructed with little or no security
controls baked in
• Failure of device designers to recognize risk
•
•
•
•
•
•
The Internet of Things (IoT)
SCADA (Supervisory Control And Data
Acquisition)
•
•
•
•
•
Electrical Substations
Dam Controls
Building Lighting, Cooling
Security Lighting
Nuclear Power plants
UEFI (Unified Extensible Firmware
Interface)
• Replacement to traditional BIOS
• Rootkit deployable via USB drives
– Think about patron computers
• Extraordinarily difficult to expunge
• Emerging…
USG Cybersecurity Challenges and
Opportunities - People
• Challenges
– Training is not
keeping pace
with demand
• 8000 needed
• 54 supplied
– Public vs. Private
Compensation
– Management
recognition of
fulltime focus on
Cybersecurity
• Opportunities
– Increasing
Cybersecurity
education centers
– Increased
awareness of need
for security pros
– Emphasis on
training and skill
building
USG Cybersecurity Challenges and
Opportunities - Technology
• Challenges
– Technological
change is the
constant
– Complexity
increases risks
• Occam’s razor
– Interoperability
breeds
complexity
• Opportunities
– Some developers
are beginning to
understand the
problems
– Better tools and
improved
accuracy for
measuring threats
USG Cybersecurity Challenges and
Opportunities - Process
• Challenges
– Disjointed policies
standards
guidelines
– No clear
framework
– Conflicting
direction
• Opportunities
– New direction
– Adopting NIST
Cybersecurity
framework
– Significantly
increased budget
– Building a Security
Operations Center
– Threat Awareness
Thank You!
Todd Watson
[email protected]