Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in our knowledge base article
Trends in Cyber Security
Transcript of Trends in Cyber Security
and non-IT people
are starting to pay
attention... Need to shift the mindset from prevent & detect Bit9 provides a list of 'trusted applications' that security applications rely on for identifying potentially malicious software (i.e., whitelisting).
Its database of trusted applications was compromised, resulting in companies trusting malware instead of quarantining it. RSA Security provides the most widely-used technology for establishing secure remote access via their SecurID technology. The database that stores the security token values was stolen to attack defense contractors (and others) Maker of one of the most popular anti-virus and endpoint protection suites had the source code stolen to some of their past generation products Source: 2013 Data Breach Investigations Report, Verizon Business
n =47,000+ incidents, 621 breaches “78% of intrusions require no special skills or resources” “84% of compromises take minutes or hours” “Only 13% of breaches are discovered by the affected company” “66% of breaches lie undiscovered for months” The company responsible for securing browser-based web traffic had their root certificate compromised Complicate Respond Detect Prevention is not possible, so look to implement controls that provide deterrence
- Remove local administrator on workstations (typical for 80+% of malware in an environment to come from workstations where users are local Administrators)
- Implement multi-factor authentication to establish a control perimeter
- Focus on patching commercial software, especially Microsoft, Adobe, Java and Databases
- Limit the number of Domain Administrators to take the 'skeleton key' out of the attackers hand; force them to cycle through a set of individual door keys In contrast to Complicate & Detect, which have heavier reliance on technology, success in Response is driven by having capable people following a clear, consistent process - Have we been the victim of a successful attack? If so, when was the last time it happened?
- Why would anyone want to attack us?
- Can we sue the attackers?
- Should we buy cyber insurance?
- How does my information security program compare with other companies? Industry competitors?
- How much is it going cost to ‘fix’ it?
- What does cloud computing mean?
- Do we have the right people and skillsets?
- Are we spending on the right information security priorities? So what should my company be doing? Forrester considered Ernst & Young the top-ranked information security consulting provider for its “strong service offering and exceptional strategy”
EY had the highest score (4.90 our of 5.00) of all of the consulting providers in the evaluation for its strategy which includes its value proposition and future direction.
Gartner has ranked Ernst & Young as having the second largest revenue and market share worldwide in security consulting services for calendar year 2012:
- Security consulting service revenue: $966m
- Revenue growth: 16.9%
- Market share: 8.9% The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Gartner Market Share: Security Consulting Services Worldwide, 2012. 26 April 2013 ID: G00245585. All statements in this report attributable to Gartner represent Ernst & Young's interpretation of data, research opinion or viewpoints published as part of a syndicated subscription service by Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this proposal). The opinions expressed in Gartner publications are not representations of fact, and are subject to change without notice. Thank you for your time!
Principal, Ernst & Young LLP
Information Security Center of Excellence
(612) 371-6344 What questions are Boards asking? What the analysts are saying about Ernst & Young's Information Security practice Recent EY Information Security-related publications Detection practices have evolved significantly closely matching the evolving threat landscape.
Key drivers include:
- Managed Security Services
- Commercial Threat Intelligence
- Emerging Big Data techniques
- Enhanced Security Analytics. Governance impacts everything:
- Only 38% align their information security strategy to their organization’s
risk appetite and risk tolerance.
- 46% of companies almost never (> annually) or never discuss
information security with the Board of Directors Information security is not getting the job done:
- Only 16% indicated that their function fully meets their needs
- 70% say that the function only partially meets their needs Incidents & threats on the rise:
- 31% see increases in security incidents, and only 10% saw a decrease; 77% saw an increase in external attacks. Response to emerging risks is slow:
- Almost half of companies allow “Bring Your Own Device” but fewer than 25% have made appropriate policy adjustments
- The number of cloud adopters has doubled to 60% since 2010, yet few companies have taken measures to address related risks.
- Likewise, fewer than 40% of companies have formally addressed the risks associated with social media - Align your talent with the areas with highest impact - Understand your risks in context of your business processes, not your technology footprint - Consider using scenario analysis (e.g., theft of trade secrets, unauthorized access to pre-release financials) for maximum relevancy - Become a risk reporter rather than a risk taker - Outline the existing risk exposures to management and company directors, leveraging business impact results from scenario testing
- Bring management (and even directors) into accountability via increased awareness and decisions made - Consider adopting the ‘Complicate, Detect and Respond’ mindset Ernst & Young Information Security services SEC Disclosure Requirements Cyber Security Executive Order President Obama issued an executive order on February 21, 2013
- Enhanced public/private intelligence sharing
- Cyber Security Framework, with volunatry adoption
- Privacy protection
- Identification of Critical Infrastructure “This guidance fundamentally changes the way companies will address cybersecurity … It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”
— Chairman John D. Rockefeller IV, US Senate Committee on Commerce, Science and Transportation