Friday, April 8, 2011

ISACA-WNY: Control and Compliance 2011 - 4/5 - Marcus Ranum Key Note Presentation Notes

"Why do we keep working so hard and accomplishing so little?"

Budgets are going up, why aren't penetrations going down?

If we stopped spending, things would get immeasurably worse

Firewalls don't work? You're installing them wrong. If you're allowing everything through port 80, don't blame the firewall.

The threat landscape is changing so quickly that the battlefield keeps shifting

The problem is complex; by the time we understand it, things change

In the '90s, installing patches and a/v was supposed to solve security. Now, Microsoft Patch Tuesday and a/v are still a focus, but good software development practices and configuration management are less so

Systems need internet access to be patched, and while exposed they get exploited by something like the Bagle worm

Ranum uses unpatched Office 97 because it works

Game Over - In the '00s, security was in the news and became expensive
Security professionals cried wolf too many times and became identified as a cost center despite trying to sell ROI

Cloud computing paradigm is now attractive as a result of '00s expensive security infrastructure build-outs and administration requirements

Use of thumb drives added complexity to finding data and ensuring its handling

Cloud computing builds dependency; will cost increase after the dependency exists?
Unix/Linux crushed mainframes, and then the price increased
Suggestion: Do a projection on cost savings and perform an end-of-year (EOY) analysis to see what is actually realized

2010s - Regulation and Advanced Persistent Threat (APT)

Cyberwar was fought and US lost to China without knowing it was happening

Compliance monitoring and auditing adds complexities to administration and redundancies to security operations

If A trusts B and B trusts C, then A trusts C and does not know it
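The transitive-trust point above is easy to state and hard to see in a real environment, because nobody wrote the A-to-C relationship down anywhere. The following is an added example, not from the keynote or this post, that takes a constructed list of explicit trust relationships (the party names are assumptions for illustration; think domain trusts, VPN peers, or shared service accounts) and computes the trusts that exist only transitively, i.e. the ones A never granted and may not know about.

```python
# Added example (not from the keynote or the original post): surface the
# implicit trust relationships that fall out of transitive trust.
from collections import deque

# Constructed sample of explicit trust edges: key trusts every party in its set.
# Party names are assumptions chosen for illustration only.
EXPLICIT_TRUST = {
    "corp": {"partner"},
    "partner": {"partner-contractor"},
    "partner-contractor": {"cloud-vendor"},
    "cloud-vendor": {"partner-contractor"},  # a mutual trust, so there is a cycle
    "isolated": set(),
}


def effective_trust(explicit):
    """Return {party: set of parties it trusts directly or transitively}.

    A breadth-first walk over the trust graph; the 'seen' set keeps cycles
    (such as the mutual trust above) from looping forever, and a party is not
    reported as trusting itself.
    """
    result = {}
    for start in explicit:
        seen = set()
        queue = deque(explicit.get(start, ()))
        while queue:
            node = queue.popleft()
            if node == start or node in seen:
                continue
            seen.add(node)
            queue.extend(explicit.get(node, ()))
        result[start] = seen
    return result


def implicit_trust(explicit):
    """Trusts that exist only transitively: the ones a party never granted."""
    effective = effective_trust(explicit)
    return {party: effective[party] - explicit.get(party, set())
            for party in explicit}


def trust_report(explicit):
    """One line per party that has at least one implicit trust."""
    lines = []
    for party, hidden in sorted(implicit_trust(explicit).items()):
        if hidden:
            lines.append(f"{party} implicitly trusts: {', '.join(sorted(hidden))}")
    return lines


if __name__ == "__main__":
    for line in trust_report(EXPLICIT_TRUST):
        print(line)
```

In practice the explicit edges come from wherever trust is actually configured (directory trust lists, firewall allow rules between zones, federation and SSO configurations); the walk is the same, and the implicit set is the list of relationships worth reviewing.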

APT is frequently malware and intelligence gathering

iPads and smartphones are a "gift" to the next generation of security pros, a "toxic love canal"; executives are walking around with the equivalent of an "h-bomb on their hip"

An Advanced Threat Management operation is needed to manage threats to organizational data regardless of whether the data is in the cloud

A tabletop risk management drill can be useful for understanding threat response. What would you do if your customer database showed up on eBay?

"Security is an expense that you pay to avoid a much bigger expense"

Southwest grounded all of their planes to avoid lawsuit expense, and in doing so identified several other affected planes
