Don't Lose Sight of the Extended Enterprise, by Rod Rasmussen (PowerPoint presentation)

  1. Don't Lose Sight of the Extended Enterprise
  Rod Rasmussen, President/CTO, Internet Identity
  2011 Annual FIRST Conference, Vienna, Austria

  2. Presenter: Rod Rasmussen
  • Rod.Rasmussen<at>InternetIdentity.com
  • President & CTO, Internet Identity (IID)
  • Co-Chair, APWG Internet Policy Committee
  • Member of multiple ICANN working groups
  • Active member of MAAWG, DNS-OARC, Digital PhishNet, RISG, OTA
  • And of course, IID's FIRST representative

  3. E-crime Then & Now
  Then (and still today): threats attack victims and organizations directly
  • Hacking: attacking infrastructure directly
  • Wide-scale spam/phishing
  • Viruses/worms/malware, sent to you or already on your network

  4. E-crime Then & Now
  Now, ADD: indirect attacks that circumvent defenses
  • Go after softer targets to gain access to data or controls
  • Attack your partners, vendors, customers
  • Target personnel with access to ancillary systems
  • Get on the network first, then traverse
  • Get the targeted data from your partners' systems
  • Subvert the infrastructure, then redirect

  5. Get the User, Then the Data
  Techniques du jour:
  • Spear phishing
  • Malvertising and exploited websites
  • Social networks and webs of trust

  6. Today's Biggest Enemies
  • Unencrypted data in partners' hands
  • Password re-use across your systems and your partners' systems
  • Access to automated systems: if a partner's automated process into your systems is subverted, yours is subverted too
  • Loss of control of your own infrastructure

  7. Everything is Being Targeted

  8. Motives are Evolving
  • Direct theft ($$$$)
  • Intellectual property theft
  • National interests
  • Obtaining infrastructure
  • Data resale

  9. The Extended Enterprise Paradigm
  • The "Extended Enterprise" includes the relationships with partners, vendors, suppliers and key customers that enable enterprises to succeed
  • To whom do you routinely send PII and other sensitive data about personnel, financials, or customers?
  • Who do you transact with regularly and automatically?
  • The Internet has changed commerce, communications, and life forever with instant connections and mash-ups

  10. The Extended Enterprise (diagram: the enterprise surrounded by its EE members)
  • HR/Legal/Accounting
  • Suppliers
  • SaaS/Cloud
  • Marketing partners
  • Financial partners
  • Mobile workforce
  • Customers

  11. EE Infrastructure
  • The infrastructure you use to communicate with all of these partners is outside your control
  • With "Cloud Computing", even your physical enterprise assets are extended outside your perimeter of control
  • Social networks are now communications channels
  • Will regulation push enterprises to patrol their EE?

  12. Some EE Events: 2011
  Notable affected targets and EE partners:
  • Lockheed-Martin
  • InfraGard Atlanta
  • Sony
  • RSA
  • Unveillance
  • Epsilon and other ESPs
  • PBS
  • WordPress
  • Voice of America
  • MySQL
  • European (and Australian) Parliaments, EU Commission, Canadian Government
  • TripAdvisor.com
  • NASDAQ
  • HBGary

  13. The EE Quandary
  • The Internet-connected world demands you provide direct web-enabled services to customers and instant data exchanges with partners and vendors
  • You have little or no control over the security posture of these external entities
  • You have no direct ability to change physical security throughout your EE
  • You have limited visibility into events occurring on your EE
  • You are STILL responsible for your data, wherever it is

  14. Some Numbers
  • Ponemon/PGP 2010 corporate data breach study:
  • Average cost was $3.4 million per incident, or $142 per compromised record
  • 35% involved outsourced data provided to third parties
  • There are over X (1, 3, 5, 10, 50, ??) million Conficker-infected machines right now
  • Zeus lives everywhere, steals everything
  • Sony lost $X billion in market cap in the wake of its breaches; estimates are that the breaches will cost at least a $170 million profit hit

  15. What Data IS Sensitive?
  • Obvious stuff: customer PII, account info, financial history
  • Access credentials
  • Compliance-related information
  • Your own company plans, financials, legal papers, contracts, personnel information
  • Your partners' confidential information

  16. Data Storage Risks (diagram: where your data is stored across the EE: HR/Legal/Accounting, suppliers, SaaS/Cloud, marketing partners, financial partners, major customers, mobile workforce)

  17. Communication and Infrastructure Risks (diagram: the channels between the enterprise and its EE members: HR/Legal/Accounting, suppliers, SaaS/Cloud, marketing partners, financial partners, mobile workforce, major customers)

  18. EE Members (illustration: a fictitious accounting firm, "Cook, Books & Hyde Accountants")

  19. Mapping your EE
  Internal intel:
  • Legal contracts
  • Mail server/firewall/DNS logs
  • Netflow
  • Mail/contact databases
  • CRM platform
  External info:
  • IP & domain whois data
  • Open source info
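The slide lists the log sources but not how to turn them into a partner inventory. The following is an added example, not code from the presentation or from IID, showing the first pass a practitioner would make: parse outbound mail delivery records and resolver query logs, collapse every external hostname to its registrable domain, and rank the resulting domains by how much traffic goes to them. The log lines, hostnames and IP addresses are constructed for the example (reserved .example names and documentation IP ranges); the formats only loosely follow Postfix and BIND and the two-label domain collapse is a stated simplification.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). The mail lines loosely follow
# Postfix smtp delivery records and the DNS lines a BIND query log, both
# simplified; hostnames use reserved .example names and documentation IP ranges.
MAIL_LOG = """\
Jun 12 10:01:02 mx1 postfix/smtp[2101]: 3A1B2C: to=<payroll@hr-partner.example>, relay=mail.hr-partner.example[192.0.2.10]:25, delay=0.5, status=sent (250 OK)
Jun 12 10:03:14 mx1 postfix/smtp[2101]: 3A1B2D: to=<ap@supplier.example>, relay=mx.supplier.example[198.51.100.7]:25, delay=0.7, status=sent (250 OK)
Jun 12 10:05:44 mx1 postfix/smtp[2108]: 3A1B2E: to=<payroll@hr-partner.example>, relay=mail.hr-partner.example[192.0.2.10]:25, delay=0.4, status=sent (250 OK)
Jun 12 10:07:09 mx1 postfix/smtp[2108]: 3A1B2F: to=<alice@corp.example>, relay=mail.corp.example[10.0.0.25]:25, delay=0.1, status=sent (250 OK)
"""

DNS_LOG = """\
12-Jun-2011 10:00:31.004 client 10.0.0.41#49152: query: api.crm-cloud.example IN A + (10.0.0.2)
12-Jun-2011 10:00:35.118 client 10.0.0.41#49153: query: api.crm-cloud.example IN A + (10.0.0.2)
12-Jun-2011 10:01:02.771 client 10.0.0.12#50222: query: sftp.bank-partner.example IN A + (10.0.0.2)
12-Jun-2011 10:02:40.500 client 10.0.0.12#50223: query: intranet.corp.example IN A + (10.0.0.2)
"""

# Domains you own (hypothetical); anything else seen in the logs is a candidate EE member.
INTERNAL_DOMAINS = {"corp.example"}

MAIL_RE = re.compile(r"to=<[^>@]+@([^>]+)>.*?relay=([^\[\s]+)\[([^\]]+)\]")
DNS_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN ")


def registrable(host):
    """Collapse a hostname to its registrable domain.

    Simplification for the example: keep the last two labels. Production code
    should consult the Public Suffix List so that e.g. co.uk is not treated as
    a registrable domain.
    """
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_internal(domain):
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def new_entry():
    return {"mail_msgs": 0, "relay_ips": set(),
            "dns_queries": 0, "query_hosts": set(), "clients": set()}


def map_extended_enterprise(mail_log, dns_log):
    """Return {registrable_domain: evidence} for every external domain seen."""
    ee = defaultdict(new_entry)
    for line in mail_log.splitlines():
        m = MAIL_RE.search(line)
        if not m:
            continue
        domain = registrable(m.group(1))  # recipient's domain
        if is_internal(domain):
            continue
        ee[domain]["mail_msgs"] += 1
        ee[domain]["relay_ips"].add(m.group(3))  # the MX we actually delivered to
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        domain = registrable(qname)
        if is_internal(domain):
            continue
        ee[domain]["dns_queries"] += 1
        ee[domain]["query_hosts"].add(qname.rstrip(".").lower())
        ee[domain]["clients"].add(client)  # which internal hosts talk to this partner
    return dict(ee)


def ranked_partners(ee):
    """Most-active external domains first: these are the partners to assess first."""
    return sorted(ee, key=lambda d: (-(ee[d]["mail_msgs"] + ee[d]["dns_queries"]), d))


if __name__ == "__main__":
    inventory = map_extended_enterprise(MAIL_LOG, DNS_LOG)
    for domain in ranked_partners(inventory):
        e = inventory[domain]
        print(f"{domain:24} mail={e['mail_msgs']} dns={e['dns_queries']} "
              f"relays={sorted(e['relay_ips'])} clients={sorted(e['clients'])}")
```

The output is a list of external domains with the evidence behind each (message counts, the relay IPs you delivered to, the internal hosts that resolved them), which is the raw material for the whois, contract and CRM cross-referencing the slide calls for. Netflow would be added the same way, keyed by destination IP and then joined to the DNS answers.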

  20. From Data to a Plan
  • Evaluate types and content of data exchanged and the business/compliance risks
  • Assess data transactions and potential holes back into your systems
  • Plan to secure the most important and have contingencies for the rest

  21. Data Storage in the E.E.

  22. So Have You Heard of Zeus?
  • You may be clean, but what about your EE?
  • Hey, it's open source now!
  • Not just Zeus: lots of data-exfiltration, keylogger and "sniffing" malware
  • Need to know where it's safe to send/share data
  • Can't block your key partners like you can spam sources or infection points

  23. Overhyped Security Term
  • Attackers are putting "stealthy" malware on networks and trying to surreptitiously exfiltrate data over time
  • Not really new, but WOW is this happening a lot now!
  • Devastating data losses from well-known, very secure organizations
  • Includes many of your EE partners and providers
  • Includes the people who provide your security and DB products
  • Likely regulatory ramifications due to high publicity

  24. EE Member Reputation
  • In the real world you get DUNS reports, credit reports or other objective business reputation "scores" to assess risk; why not online?
  • Use that EE map to review the reputation of your EE
  • IP reputation of netblocks
  • Domain/DNS reputation of data-transfer domains plus main domains
  • Open source tools and commercial services
  • Hard to get data on the EE though: Arbor, Cymru, etc. don't "tattle"
  • Shut off processes/data flow when red flags show up; get them to fix the breach ASAP
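An added example, not code from the presentation or from IID, of the screening step the slide describes: take an EE inventory, check each partner's delivery IPs against listed netblocks and each partner domain against a domain blocklist, and turn red flags into a suspend/allow decision for that partner's data flow. It also shows how the reversed-octet query name for a DNSBL lookup is formed, since IP reputation services are typically consulted that way. The partner inventory and both blocklists are constructed stand-ins for what a commercial or open-source reputation feed would return (documentation IP ranges, .example names); the DNSBL zone name is only used to build the query string and no network lookup is made.

```python
import ipaddress

# Constructed EE inventory of the kind an EE-mapping pass produces
# (hypothetical partners, documentation-range IPs).
EE_MAP = {
    "hr-partner.example": {"relay_ips": {"192.0.2.10"}, "data": "payroll PII"},
    "supplier.example": {"relay_ips": {"198.51.100.7"}, "data": "purchase orders"},
    "crm-cloud.example": {"relay_ips": {"203.0.113.40"}, "data": "customer contacts"},
}

# Constructed reputation data standing in for a real feed.
BAD_NETBLOCKS = ["198.51.100.0/24"]   # netblocks with bad IP reputation
BAD_DOMAINS = {"crm-cloud.example"}   # domains with bad domain/DNS reputation
DNSBL_ZONE = "zen.spamhaus.org"       # a real DNSBL zone; not queried here


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the name a DNSBL client would resolve: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def in_bad_netblock(ip, netblocks):
    """Return the listed netblocks (if any) that contain ip."""
    addr = ipaddress.ip_address(ip)
    return [n for n in netblocks if addr in ipaddress.ip_network(n)]


def screen_partners(ee_map, bad_netblocks, bad_domains):
    """Decide, per partner, whether to keep the data flow open or suspend it."""
    decisions = {}
    for domain, info in ee_map.items():
        flags = []
        if domain in bad_domains:
            flags.append(f"domain {domain} has bad reputation")
        for ip in sorted(info["relay_ips"]):
            for block in in_bad_netblock(ip, bad_netblocks):
                flags.append(f"relay {ip} is inside listed netblock {block}")
        decisions[domain] = {
            "action": "suspend" if flags else "allow",
            "flags": flags,
            "data_at_risk": info["data"],
            # names to resolve against the DNSBL when network access is available
            "dnsbl_lookups": [dnsbl_query_name(ip) for ip in sorted(info["relay_ips"])],
        }
    return decisions


if __name__ == "__main__":
    for domain, d in screen_partners(EE_MAP, BAD_NETBLOCKS, BAD_DOMAINS).items():
        print(f"{domain:20} {d['action']:8} {d['data_at_risk']:18} {'; '.join(d['flags']) or '-'}")
```

A real feed returns results over time, so the decision should be re-evaluated on every refresh and the "suspend" action tied to an actual control (disable the transfer job, the VPN account, the API key) rather than left as a report.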

  25. The "Cloud"
  • Storage of your data, at some undisclosed location in the world, on an unknown hardware platform, with a third party in control of security...

  26. Cloud Services
  • So beyond the obvious, what do you have to worry about?
  • Your neighbors on the service
  • What are the data retention and divulgence policies?
  • What jurisdictions have access?
  • Risk management is the key
  • Understand the lay of the land
  • What can you actually place there reasonably?

  27. Cloud Providers & Security
  Ponemon/CA study, April 2011, 127 service providers:
  • The majority of cloud providers believe it is their customers' responsibility to secure the cloud and not their responsibility.
  • On average, providers of cloud computing technologies allocate 10 percent or less of their operational resources to security, and most do not have confidence that customers' security requirements are being met.
  • The majority of cloud providers in the study admit they do not have dedicated security personnel to oversee the security of cloud applications, infrastructure or platforms.

  28. Webmail and E-mail Outsourcing
  • Google/Gmail attacks continue
  • Phishing targeting webmail providers
  • Exposure to XSS and other vulnerabilities
  • Bottom line: are the apparent low cost and features worth the data exposure risk?

  29. Outsourced CRM
  • Sensitive data on your personnel, customers, and partners
  • Big phishing and data-extraction target
  • Epsilon and other ESPs were targets of a determined gang
  • Bad guys going after your contacts: phishing/malware/spam
  • Use your name for multi-level attacks
  • Insist on strong authentication and data encryption

  30. Content Delivery Systems
  • Includes your website, online banking, outsourced web services that are customer-facing
  • In-house, outsourced, or platform?
  • If outside your control, this is your top EE partner!
  • Learn everything about what they do and how
  • Monitor everything you can
  • Not just an SLA, but a Security SLA!

  31. Social Networks
  • Have become a major communications channel
  • Customer interactions
  • Contact data storage
  • NOT designed for security
  • Attacks include spoofing, impersonation, account take-over
  • Good venue for phishing and malware too

  32. Dealing with Social Networks
  • Set policies for usage
  • Monitor for sensitive data leakage
  • Block dangerous content
  • Work with social network site security teams

  33. DNS, BGP, and Other Protocols: Not a Very Secure Foundation...
  All the "security" in the world doesn't matter if your underlying infrastructure foundation is full of holes or can easily be taken out altogether. Everything based on the Internet has these fundamental problems.

  34. DNS Infrastructure Vulnerabilities
  • Protected at almost all levels (registrar, registry, DNS hosting accounts) with just a username and password
  • Authoritative nameservers can be p0wned
  • Successful penetrations at registrars and registries
  • Many ISP resolvers remain vulnerable to cache poisoning (the Kaminsky bug)
  • Malware and p0wned WiFi routers control the resolver settings of many endpoints
  • DNSSEC is only a partial solution: it addresses cache poisoning, not compromised registrar/registry accounts or hijacked endpoint resolver settings
