What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Transcription

1 What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

2 AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current security controls are not working Solutions for securing company data in

3 CURRENT STATE OF INFORMATION SECURITY 3

4 CURRENT STATE OF INFORMATION SECURITY Grade your current Information Security Program. A B C D F 4

5 CURRENT INFORMATION SECURITY CONTROLS Firewall Keep the bad guys out Anti-Virus Stop viruses from running SPAM Filtering Stop viruses in Web Filtering Stop viruses from web sites 5

6 CURRENT INFORMATION SECURITY STRATEGY We have spent (or planning to spend) significant budget on: MDM NAC WAF DLP IAM IDS IPS 6 SIEM

7 DATA BREACH STATICS 7

8 HOW DO BREACHES OCCUR? Verizon Business 2013 Data Breach Report 8

9 SOURCE OF DATA BREACHES Verizon Business 2013 Data Breach Report 9

10 THREAT PROFILE ORGANIZED CRIME VICTIM INDUSTRY Finance Retail Food STATE- AFFILIATED Manufacturing Professional Transportation ACTIVISTS Information Public Other Services REGION OF OPERATION Eastern Europe North America East Asia (China) Western Europe North America COMMON ACTIONS Tampering Brute force Spyware Adminware RAM Scraper DESIRED DATA Payment cards Credentials Bank account information Backdoor Phishing Export data Password dumper Stolen creds Credentials Internal data Trade secrets SQLi Stolen creds Brute force Backdoor Personal info Credentials Internal data Verizon Business 2013 Data Breach Report 10

11 ARE YOU A TARGET OR JUST LUCKY? Attack Targeting Difficulty of Compromise 11

12 WHO IDENTIFIES DATA BREACHES Only 3% of breaches were detected with common security controls Verizon Business 2013 Data Breach Report 12

13 TIMESCALES OF DATA BREACHES In 84% of cases, the initial compromise took hours to minutes In 66% of cases, the breach wasn t discovered for months to years In 22% of cases, it took months to contain the breach Verizon Business 2013 Data Breach Report 13

14 DATA BREACH CASE STUDIES Those who do not learn from history are doomed to repeat it - George Santayana 14

15 CASE STUDY #1 - HACK HTTP RDP FTP Data Identify Data Log-in w/ Creds Exploit Vulnerability 15

16 CASE STUDY #2 SOCIAL ENGINEERING HTTPS FTP Data Encrypt Laptop and demand $ Exploit Vulnerability 16 Log-in w/ Creds

17 CASE STUDY #3 - SPEAR PHISHING HTTPS HTTPS Keystroke Logger Captures Login Credentials 17 Bank account emptied with stolen login

18 CASE STUDY #4 CREDIT CARD HACK Exploit Vulnerability Upload to Hacker Upload & Encrypt Card Data Exploit Vulnerability Install Ram Scraper 18

19 WHY CURRENT SECURITY CONTROLS ARE NOT WORKING 19

20 WHY CURRENT SECURITY CONTROLS ARE NOT WORKING 1. False sense of security We have never been hacked How do you know? J 2. Limited operational budgets vs capital budgets Easier to purchase security appliances then people 3. Weak ( or no ) security awareness programs People are your weakest link 4. Lack of a vulnerability management program to identify, risk rank and patch vulnerabilities Stop trying to hide vulnerabilities with other security controls 5. A focus on preventive controls and a lack of detective controls Please realize that you cannot prevent 100% of attacks See #1 20

21 WHY CURRENT SECURITY CONTROLS ARE NOT WORKING 6. Lack of configuration standards to properly harden systems Default credentials are one of largest sources of breaches 7. Weak ( or no ) information security policies and procedures You have to build security into IT and business operations 8. Over reliance on signature based detective controls IDS, A/V and SIEM are marginally effective in detecting a breach 9. Lack of an incident response plan, tools and staff You must be able to detect, respond and contain a breach 10. Not understanding where sensitive data is stored or how it flows through the organization Unknown storage of sensitive data is very dangerous! 21

22 SOLUTIONS FOR SECURING COMPANY DATA IN

23 STEP 1 NON-TECHNICAL SOLUTIONS Develop an Information Security Strategy Focus on how to protect the business and its data Invest in operational expenses such as staff and training Develop and implement policies, procedures and configuration standards Develop and implement a security awareness training program Train IT staff Train end users Train management 23

24 STEP 2 TECHNICAL SOLUTIONS Implement solutions that have a balance of prevention, detection and response capabilities Prevention: Focus on removing vulnerabilities that could lead to a malware infection and secure your network from authorized access Detection: Implement solutions to specifically detect malware (other than A/V) and monitor systems for malicious activity Response: Develop an Incident Response Plan and the staff to respond to security incidents. Invest in the appropriate training and tools or outsource. Only implement hardware and software products when you have the staff and training to support the solution Use the SANs 20 Critical Security Controls as a guideline in developing your technical information security program 24

25 SANS 20 CRITICAL SECURITY CONTROLS 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 4. Continuous Vulnerability Assessment and Remediation 5. Malware Defenses 6. Application Software Security 7. Wireless Device Control 8. Data Recovery Capability 9. Security Skills Assessment and Appropriate Training to Fill Gaps 10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 11. Limitation and Control of Network Ports, Protocols, and Services 12. Controlled Use of Administrative Privileges 13. Boundary Defense 14. Maintenance, Monitoring, and Analysis of Audit Logs 15. Controlled Access Based on the Need to Know 16. Account Monitoring and Control 17. Data Loss Prevention 18. Incident Response and Management 19. Secure Network Engineering 20. Penetration Tests and Red Team Exercises 25

26 QUESTIONS 26