IT Security Essentials


WELCOME!


Linkedin.com/company/skoda-minotti

Twitter.com/SkodaMinotti

Facebook.com/SkodaMinotti

Joseph Compton, CISSP, CISA, QSA

Gregory Skoda, Jr., CISA

November 9, 2015

AGENDA

• Threat landscape

• Understanding your risks

• Implementing a data security program

• Testing your data security program

DATA BREACHES

DATA SECURITY CONCERNS

• Access controls (both physical and logical)

• Data jurisdiction

• Data backup, recovery and destruction (exit strategy)

• eDiscovery and legal hold issues

• Audit frequency and responsibilities

• Co-mingling of data

• Insecure interfaces and APIs (application development)

• Insufficient due diligence by cloud provider

• Shared technology vulnerabilities (Denial of Service attacks)

• Data breach response and forensics

• Poor or no encryption of sensitive data

• Account or service hijacking

• Readiness for cloud services – every cloud service is different, each one must be evaluated individually

COMPLIANCE AND LEGAL CONCERNS

• Application ownership can be unclear

• Regulatory controls for cloud (HITECH, PCI, GLBA, FERPA, HIPAA)

• Data return/destruction at the end of contracts

• Lack of SLAs – slow or no service

• Lack of recourse for lost data

• Jurisdictional issues (data stored across multiple states or countries)

• eDiscovery and legal hold issues (data stored across multiple servers)

• Breach notification timeframes and forensics in a shared environment

• Client vs. cloud provider responsibilities

• Subcontracting and third parties

THREAT ACTIONS

Source: Verizon 2015 Data Breach Investigation Report

BREACH DISCOVERY

Source: Verizon 2015 Data Breach Investigation Report

DATA BREACHES

• SnapChat – 4.5 million compromised names and phone numbers

• Kickstarter – 5.6 million victims

• Korean Telecom – One of the year’s largest breaches affected 12 million customers

• Heartbleed – First of three open-source vulnerabilities in 2014

• eBay – Database of 145 million customers compromised

• PF Chang’s

• Energetic Bear – Cyber spying operation targeted the energy industry

• Cybervor – 1.2 billion compromised credentials

• iCloud – Celebrity accounts hacked

• Sandworm – Attacked a Windows vulnerability

• Sony Pictures Entertainment – Highest-profile hack of the year

• Inception Framework – Cyber-espionage attack targeted the public sector

INSIDER THREAT

Source: InformationWeek 2014 Strategic Security Survey

• 75% say their organizations are as or more vulnerable to malicious code attacks and security breaches compared with a year ago. And in the face of a crushing skills shortage, 40% subsist on no more than 5% of the IT budget.

• "Managing the complexity of security" reclaimed the No. 1 spot among 10 challenges facing the respondents to our security survey, all from organizations with 100 or more employees

• 58% see an infected personal device connecting to the corporate network as a top endpoint security concern, making it the No. 1 response, ahead of phishing and lost devices

• 56% say cyber-criminals pose the greatest threat to their organizations this year, the top answer, ahead of authorized users and employees at 49%

• 23% have experienced a security breach or espionage in the past year

INSIDER THREAT SURVEY

Source: SpectorSoft Insider Threat Survey Report

53% of enterprise respondents have discovered that employees use company-issued devices to send company information to personal email accounts such as Yahoo! or Gmail and cloud-based file-sharing accounts such as Box, DropBox or Hightail (419 enterprise respondents)

23% of end-user employee respondents reported that they transfer corporate information using Box, DropBox or Hightail (200 end-user employee respondents)


33% of end-user employee respondents reported that they transfer corporate information via personal Yahoo! and Gmail accounts (200 end-user employee respondents)

49% of enterprise respondents have discovered that employees are copying corporate data to USB flash storage devices (419 enterprise respondents)

CURRENT RISK MANAGER ISSUES

• 55% of risk managers feel they have not dedicated enough resources to combat the evolution of hacking techniques

• 76% of risk managers feel the biggest risk of cloud technology is the loss of confidentiality of information

Source: The Hartford Steam Boiler Inspection and Insurance Company (HSB) Cyber Risk Survey

THREATS TO SMALL BUSINESSES

Small businesses can be forced to close down due to a data breach

Four common company weak points:

1. Intrusion detection software

2. Encryption of private data

3. Patch management

4. Vendor mismanagement

Source: PropertyCasualty360.com

WHERE DO I START?

COMPLIANCE LIFE CYCLE

RISK ASSESSMENT

Understand organizational risks

Key risk prioritization

Identify high risk areas

• Gain an understanding of the high risk areas and underlying rationales by conducting interviews with members of Senior Management, Legal and your Trusted Advisors

• Identify key risks based on the threats and vulnerabilities relevant to the organization and rank these items based upon their overall impact (environment, system and technical analysis) and expected likelihood of occurrence.

• Identify the top risks to the Company based on inherent risk ranking.

Threat Categories A B C D E

External attack 2 3

Internal misuse and abuse 6 2

Theft 2

System malfunction 2 1

Service interruption 1 5

Customer 4

Information Risk Ratings: A-Very High, B-High, C-Medium, D-Low, E-Very Low
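The three assessment steps above (identify risks, rank them by impact and likelihood, pick the top risks by inherent rating) can be carried out with a small risk register. The Python below is an added example, not material from the Skoda Minotti deck: the deck only names the five rating bands (A-Very High through E-Very Low), so the 1 to 5 impact and likelihood scales, the impact × likelihood score and the score-to-band cut-offs are assumptions made here, and the sample risks are constructed. It also renders the per-category counts in the same shape as the Threat Categories table on the slide.

```python
# Added example for the risk assessment steps; not from the Skoda Minotti deck.
# The deck only names the five rating bands (A-Very High .. E-Very Low); the
# 1..5 impact/likelihood scales, the product score and the band cut-offs are
# assumptions made for this example.
from collections import Counter
from dataclasses import dataclass

RATING_BANDS = ["A-Very High", "B-High", "C-Medium", "D-Low", "E-Very Low"]


@dataclass(frozen=True)
class Risk:
    """One identified risk, tied to a threat category from the deck's table."""
    category: str     # e.g. "External attack", "Internal misuse and abuse"
    description: str
    impact: int       # 1 (negligible) .. 5 (severe): assumed scale
    likelihood: int   # 1 (rare) .. 5 (almost certain): assumed scale

    def score(self) -> int:
        # Inherent risk = impact x likelihood, before any controls are credited.
        return self.impact * self.likelihood


def rating(impact: int, likelihood: int) -> str:
    """Map an impact/likelihood pair to one of the deck's A-E bands (assumed cut-offs)."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"impact and likelihood must be 1..5, got {value}")
    score = impact * likelihood  # 1..25
    if score >= 20:
        return "A-Very High"
    if score >= 12:
        return "B-High"
    if score >= 6:
        return "C-Medium"
    if score >= 3:
        return "D-Low"
    return "E-Very Low"


def rank_risks(risks):
    """Highest inherent risk first; ties broken by impact so severe-but-unlikely events surface."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact, r.category))


def rating_table(risks):
    """Count risks per threat category and rating band, as in the deck's table."""
    table = {}
    for r in risks:
        table.setdefault(r.category, Counter())[rating(r.impact, r.likelihood)] += 1
    return table


def format_table(risks) -> str:
    """Render the counts as plain-text rows: category, then the A..E columns."""
    table = rating_table(risks)
    header = "Threat Categories".ljust(28) + "".join(b[0].rjust(4) for b in RATING_BANDS)
    rows = [header]
    for category, counts in table.items():
        cells = "".join(str(counts.get(b, "")).rjust(4) for b in RATING_BANDS)
        rows.append(category.ljust(28) + cells)
    return "\n".join(rows)


def top_risks(risks, n: int = 3):
    """Descriptions of the n highest-ranked risks (the deck's 'identify the top risks' step)."""
    return [r.description for r in rank_risks(risks)[:n]]


# Constructed sample register; descriptions and scores are illustrative only.
SAMPLE_RISKS = [
    Risk("External attack", "Phishing leading to credential theft", 4, 5),
    Risk("External attack", "Unpatched internet-facing web application", 4, 3),
    Risk("Internal misuse and abuse", "Data copied to personal cloud storage", 3, 4),
    Risk("Theft", "Unencrypted laptop stolen from a vehicle", 4, 2),
    Risk("System malfunction", "Backup job failing silently", 3, 2),
    Risk("Service interruption", "Single-ISP outage", 2, 2),
]


if __name__ == "__main__":
    print(format_table(SAMPLE_RISKS))
    print()
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{rating(r.impact, r.likelihood):12} {r.score():2}  {r.category}: {r.description}")
```

The tie-break on impact is a deliberate choice: two risks with the same score but different shapes (likely-but-mild versus rare-but-severe) should not be ordered arbitrarily, and the severe one is usually the one management wants to see first. Whatever cut-offs an organization adopts, they should be written down alongside the register so the rating of each item can be reproduced at the next assessment.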

CONTROL FRAMEWORKS

• CSA STAR – Cloud Security Alliance

• COBIT – Control Objectives for Information and Related Technology

• FEDRAMP – Federal Risk and Authorization Management Program

• FISMA – Federal Information Security Management Act

• HIPAA – Health Insurance Portability and Accountability Act

• ISO – International Organization for Standardization

• ITIL – Information Technology Infrastructure Library

• PCI DSS – Payment Card Industry Data Security Standard

• NIST – National Institute of Standards and Technology

• SOC 2 (AT 101) – Service Organization Control Reports

PCI DATA SECURITY STANDARDS

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

VALIDATE

Independent auditor assessments and attestations

• Review of policies and administrative procedures

• Inspection of configurations and settings

• Testing of manual procedures

• Observation of control activities

Security Testing

• Vulnerability assessments – internal and external testing

• Internal and external penetration testing – network penetration testing, web application testing, social engineering

WHAT CAN I DO FIRST?

• 40% of the controls determined to be most effective against data breaches fall into the “Quick Win” category

Source: Verizon 2015 Data Breach Investigation Report

CONTACT

Joe Compton, CISSP, CISA, QSA
(440) 605-7252
jcompton@skodaminotti.com

Greg Skoda, Jr., CISA
(440) 605-7176
gskodajr@skodaminotti.com