Today I attended Security Focuses: The Science of Cybersecurity. Here’s my inexpert summary of the event.
The costs and risks of security are increasing
- 90% of large businesses had a security breach last year.
- Security breaches are becoming more expensive: £1.15 million in 2014; £3.14 million in 2015
- 1,000,000 new pieces of malware are created each day.
- 14x increase in infections year on year.
- When Target was hacked, its CEO and CIO resigned. So directors’ jobs are more vulnerable to security risk.
Basic framework for cybersecurity
- Assess
- Detect
- Protect
- Respond
A more holistic approach to assess, detect, protect, respond #sf2015 pic.twitter.com/DvxJ0pS2En
— Martin Lugton (@martinlugton) November 12, 2015
Reactive approaches to security aren’t good enough. We need a proactive approach, with a broader vision
Talk Talk only noticed they were hacked because their website slowed down. So they probably aren’t an exemplar of best practice.
Threat Inteligence allows us to:
- identify and resolve internal and external threats.
- understand how attackers think and behave, and select appropriate countermeasures
- focus our security resources in the most important areas
We need a broader approach to cybersecurity:
- Holistic view of systems needed, not a silo approach (e.g. via end-to-end cloud systems, rather than having server security separate to firewall)
- of external threat environment (e.g. via a threat exchange)
The future of cybersecurity
The future of cybersecurity? Inc. better use of data, more collaboration, security as a designed-in service #sf2015 pic.twitter.com/kCkllUTUdP
— Martin Lugton (@martinlugton) November 12, 2015
Analytical detection is more sophisticated than signature detection
A signature approach is the most basic; rules are a bit more sophisticated, correlations are better still, but an analytical approach is strongest for identifying security issues.
Increasing levels of abstraction for identifying attacks #sf2015 pic.twitter.com/C4ZTbpG5E3
— Martin Lugton (@martinlugton) November 12, 2015
Footprinting
Your internal understanding of your network estate is different to how external attackers will see it. So it’s useful to carry out external footprinting.
Hackers can use less well-defended elements of an organisation’s web presence to successively break in to other areas.
e.g. lots of the 2011 Sony hacks were on smaller, national sites. The hackers had a better understanding of Sony’s footprint and vulnerabilities than Sony did.
The commoditization of exploits
Charl van der Walt’s excellent presentation was my highlight of the day.
Zerodium recently paid a bounty for jailbreaking iOS9:
Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!
— Zerodium (@Zerodium) November 2, 2015
Zerodium can now sell knowledge of this exploit to clients.
Because Apple doesn’t know what the exploit is, these clients can reliably use this exploit to attack people.
Government security services want reliable exploits like these, which leads to this commoditization of the exploit market. It also leads to the industrial use of these purchased exploits as they are employed at scale. This is in contrast to the more patient, research- and expertise-led footprinting carried out by other attackers, which presumably requires much more resource for a given output.
I found the day an interesting overview of the cybersecurity space. The biggest single improvement I’d recommend for next year is including female speakers – the keynotes were entirely presented by men.