www.eidebailly.com
Calvin Weeks EnCE, CEDS, CRISC, CISSP, CISM
Computer Forensics Manager
Data Breaches, Credit Card Fraud, Front Page News …Are You Next?
Home Depot Breach
• CBS News
  • 2,200 stores compromised
  • Up to 60 million customers
  • Only 10% to 15% will see fraud activity
  • As much as $3 billion in bogus purchases
• Krebs on Security
  • Variant of the code from the Target attack
  • Compromised card numbers were first sold on a Ukraine-based website
Lawsuits / Lawyers and Settlements
• Retailers not prepared for hack attacks
• Companies breached include UPS, Goodwill, P.F. Chang’s, Sally Beauty, Michael’s and Neiman Marcus
• Solak et al v. The Home Depot, Inc., Case No. 1:2014-cv-02856, filed September 4, 2014 in the U.S. District Court for the Northern District of Georgia (Eleventh Circuit)
How did the Breach occur?
• All compromises were a direct result of human failure at all levels
• Not one compromise has been attributed to hardware, operating system or application failures
Complaints with Loss Statistics
Complaints with Financial Loss, FBI Internet Crime Report (horizontal bar chart; values as labelled on the slide)
  2011: 115,903
  2012: 114,908
  2013: 106,079
Total Loss Statistics
Total Financial Loss in Millions, FBI Internet Crime Report (horizontal bar chart; values as labelled on the slide)
  2011: $485 million
  2012: $525 million
  2013: $574 million
Why is Data Security Important?
The DATA has VALUE
• Many organizations feel they have nothing worth stealing or they are too small and invisible.
• Your data has value to an attacker.
• 40M records X $2/record = $80M attacker profit.
All Data Has Value
Recent Breaches
• Goodwill (Sept. 2014 – 330 stores in 20 states)
• Home Depot (Sept. 2014 – 56,000,000 cards)
• P.F. Chang's (pre-June 2014 – 33 locations)
• Sally Beauty Supply (March 2014 – 25,000 records)
• Target (2013 – 70,000,000 customers' data)
• Sony (2011 – 100,000,000 customers' data)
• Heartland Payment Systems (2009 – 130,000,000 accounts)
• TJX (2007 – 90,000,000 accounts)
• CardSystems (2005 – 40,000,000 accounts)
Data Value
Frameworks
• PCI (PCI DSS)
  • Build and Maintain a Secure Network
    • Install and maintain a firewall
    • No vendor-supplied defaults (passwords/parameters)
  • Protect Cardholder Data (CHD)
    • Protect stored CHD (at rest)
    • Encrypt transmission of CHD across open, public networks
  • Maintain a Vulnerability Management Program
    • Protect against malware; keep AV updated
    • Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Restrict access to CHD by need-to-know
    • Identify and authenticate access to system components
    • Restrict physical access
  • Regularly Monitor and Test Networks
    • Track and monitor all access to network resources and CHD
    • Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Address information security for all personnel
Other Frameworks - NIST Critical Infrastructure Cybersecurity
Table 1: Function and Category Unique Identifiers

Function        | Categories
ID  Identify    | ID.AM Asset Management; ID.BE Business Environment; ID.GV Governance; ID.RA Risk Assessment; ID.RM Risk Management Strategy
PR  Protect     | PR.AC Access Control; PR.AT Awareness and Training; PR.DS Data Security; PR.IP Information Protection Processes and Procedures; PR.MA Maintenance; PR.PT Protective Technology
DE  Detect      | DE.AE Anomalies and Events; DE.CM Security Continuous Monitoring; DE.DP Detection Processes
RS  Respond     | RS.RP Response Planning; RS.CO Communications; RS.AN Analysis; RS.MI Mitigation; RS.IM Improvements
RC  Recover     | RC.RP Recovery Planning; RC.IM Improvements; RC.CO Communications

Control types shown alongside the table on the slide: Preventative, Detective, Corrective
How about Compliance?
• Being compliant does not mean you're secure, and being secure does not mean you're compliant
• The Truth About Home Depot's Security Breach: Hacking Was Easy - By Jason Abbruzzese Sep 10, 2014
Established Standards
• Security standards began in the 1950s, after the launch of the Russian Sputnik satellite
• In October 1967 a computer security task force was created
• The results of the task force were published in 1970 as the RAND R-609 report (the "Ware Report")
• The RAND R-609-1 report was reissued in October 1979
• The standards established then are still the same today, even as technology advances regularly
Further Established Standards
• Manufacturer established standards for specific products
• After 2001 the National Institute of Standards and Technology (NIST) expanded special publications for technology standards
• NIST established Information Systems Management and Operational Standards for executives
Basic Security Concept
Cyber Security Operations
• Prevent
• Monitor/Detect
• Respond
Prevent
• Establish budgets
• Follow best practices, e.g. National Institute of Standards and Technology (NIST) guidance
• Obtain advanced training
• Employ appropriate expertise
• Strategize to prevent every ATTEMPT
Monitor & Detect
• Establish centralized logging
• Collect logs from all systems, networks, applications and all reported issues
• Correlate and aggregate all logs
• Setup rules and signature databases for alarms and alerts
• Collection should have no filters
• Establish robust search, filtering and reporting capability
• Strategize to detect every ATTEMPT
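The steps above (centralized, unfiltered collection; correlation across sources; rules that raise alerts) and the PCI requirement to track and monitor all access to network resources and cardholder data come down to the same small loop. The following is an added example, not code from the presentation or from Eide Bailly: three log sources already aggregated into one feed are normalised into a common record shape, then three correlation rules run over them. The line format, host names, addresses, account names and thresholds are all assumptions chosen for illustration, and the sample feed is constructed.

```python
"""Added example (not from the presentation): a minimal centralized-log
correlation pass.  Three sources already aggregated into one unfiltered feed
(remote-access gateway, POS host, edge firewall) are parsed into a common
record shape, then three rules run over them.  The log format, hostnames,
addresses, account names and thresholds are assumptions for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: "<iso-timestamp> <host> <event-kind> key=value ..."
SAMPLE_LOGS = """\
2014-09-02T01:00:01 vpn-gw auth user=vendor_hvac src=203.0.113.7 result=FAIL
2014-09-02T01:00:05 vpn-gw auth user=vendor_hvac src=203.0.113.7 result=FAIL
2014-09-02T01:00:09 vpn-gw auth user=vendor_hvac src=203.0.113.7 result=FAIL
2014-09-02T01:00:14 vpn-gw auth user=vendor_hvac src=203.0.113.7 result=FAIL
2014-09-02T01:00:20 vpn-gw auth user=vendor_hvac src=203.0.113.7 result=OK
2014-09-02T01:05:00 pos-0117 auth user=admin src=10.20.0.5 result=OK
2014-09-02T01:07:30 fw-edge conn src=10.20.0.117 dst=198.51.100.23 dport=443 bytes=15728640 action=ALLOW
2014-09-02T01:08:00 fw-edge conn src=10.20.0.117 dst=10.20.0.1 dport=53 bytes=120 action=ALLOW
2014-09-02T02:00:00 vpn-gw auth user=jdoe src=192.0.2.10 result=OK
"""

# Rule parameters (assumed values; tune to the environment).
FAIL_THRESHOLD = 3                    # failures before a following success is suspicious
FAIL_WINDOW = timedelta(minutes=5)    # how far back failures are correlated
POS_NET = ipaddress.ip_network("10.20.0.0/24")          # assumed POS segment
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_BYTES = 1024 * 1024            # a POS host should not push 1 MiB+ outside
DEFAULT_ACCOUNTS = {"admin", "root", "posuser"}         # assumed vendor-default names

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+)(?P<rest>.*)$")


def parse(text):
    """Normalise raw lines into dicts and sort them by time so rules can
    correlate across sources.  Unparseable lines are skipped here; in
    production count them, because a parser gap is itself a detection gap."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "kind": m["kind"]}
        for kv in m["rest"].split():
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(text):
    """Run the rules over the feed and return the alerts raised, in time order."""
    alerts = []
    recent_fails = defaultdict(list)  # (host, user, src) -> timestamps of failures
    for ev in parse(text):
        if ev["kind"] == "auth":
            key = (ev["host"], ev.get("user"), ev.get("src"))
            if ev.get("result") == "FAIL":
                recent_fails[key].append(ev["ts"])
                continue
            # Rule 1: repeated failures from one source followed by a success.
            cutoff = ev["ts"] - FAIL_WINDOW
            fails = [t for t in recent_fails.pop(key, []) if t >= cutoff]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append({"rule": "guess_then_success", "ts": ev["ts"], "host": ev["host"],
                               "user": ev.get("user"), "src": ev.get("src"), "failures": len(fails)})
            # Rule 2: a vendor-default account logging in to a POS host (PCI DSS requirement 2).
            if ev["host"].startswith("pos-") and ev.get("user") in DEFAULT_ACCOUNTS:
                alerts.append({"rule": "default_account_login", "ts": ev["ts"],
                               "host": ev["host"], "user": ev["user"], "src": ev.get("src")})
        elif ev["kind"] == "conn" and ev.get("action") == "ALLOW":
            # Rule 3: a POS host sending a large allowed flow to a non-internal address.
            src = ipaddress.ip_address(ev["src"])
            dst = ipaddress.ip_address(ev["dst"])
            external = not any(dst in net for net in INTERNAL_NETS)
            if src in POS_NET and external and int(ev.get("bytes", 0)) >= EGRESS_BYTES:
                alerts.append({"rule": "pos_external_transfer", "ts": ev["ts"], "src": ev["src"],
                               "dst": ev["dst"], "dport": ev.get("dport"), "bytes": int(ev["bytes"])})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a["ts"].isoformat(), a["rule"],
              {k: v for k, v in a.items() if k not in ("ts", "rule")})
```

Two design points worth noting. Rule 1 only fires when the failures and the success share host, user and source, which is why the feed has to be collected centrally and unfiltered: the gateway alone never sees the POS login, and dropping "noisy" failed-login records at the collector would silently disable the rule. Rule 3 deliberately uses an explicit list of internal networks rather than the library's notion of "private" addresses, so that an unexpected destination is anything not on the list the business itself maintains.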
Respond
• Establish a response capability
• Include members from executive, IT, HR, security, legal, public relations and others as appropriate
• Review reports from monitoring activities
• Meet regularly to make informed decisions
• Strategize to respond to every ISSUE
• Making an informed decision to do nothing is acceptable
IT/Security Operational Model
Security & Risk Assessments
• Vulnerability Assessments and Penetration Testing are technical options, but they do not go far enough
• Knowing that you are vulnerable and that your systems and networks can be compromised does not answer the business question: what is the priority?
• A properly performed security & risk assessment will help you set priorities that match business goals and objectives
The Experts
• IT Professionals will help keep your systems and networks up and running
• Security Professionals will help keep your systems and networks protected
• Computer Forensics Professionals will help respond and investigate issues involving technology for HR, Legal and executive purposes
IT Professional vs. Forensic Examiner
• IT Professional
  • Training does not include handling of evidence
  • Primary focus is keeping systems up and running
  • Can be a witness on system, network and internet operations
  • Not trained or prepared to testify as an expert
• Forensic Examiner
  • Understands the rules of evidence
  • Primary focus is collecting, preserving and examining relevant data
  • Can provide assistance with technical legal strategies
  • Trained and prepared to testify as an expert
Examples
IT Professional vs. Forensic Examiner
• A police officer's daily work involves knowing, understanding and applying laws, but that does not make them an attorney.
• A bookkeeper knows the accounting of their books and how to apply accounting practices every day, but this does not make them a CPA.
• An IT Professional knows how to set up, operate and maintain computer and network systems, but this does not make them qualified to investigate and testify, nor should they.
Computer Forensics vs E-Discovery
e-Discovery is Electronic Discovery
• Production of known responsive information for litigation
• Indexed database searching and filtering
• Provides data statistics
• Also refers to the Federal Rules of Civil Procedure, process or service
Computer Forensics
• Investigation and recovery of relevant information
• Provides the details in context
• Provides transactional details
• Scientifically supports or disputes statements made by parties
• Identifies and demonstrates facts about the activities found on a computer or electronic device
Example: Business Sale (made-up)
• A business owner discussed the sale of his business over public internet e-mail. An offer to sell was made in the amount of $1,000,000. After several months without a deal, the purchaser sued and as evidence produced a PRINTED copy of a reply e-mail from the seller offering to sell the business for $100,000.
Example: Employee Non-Compete
• Our client had purchased a business and agreed to employ the previous owner as a sales executive. After a year the CEO suspected that the sales executive was funneling clients and work to a competing business, but had no proof. The difficulty was that, as the sales executive, it was her job to contact clients, and nothing in her company e-mails showed any suspicious activity.
Example: Classified Restrictions
• Our client was in civil litigation over the misappropriation of more than $1.5 million in federal funds by the CEO and the CEO's spouse, who was the CFO, of a public/private research program. Attorneys needed all of the e-mails and files collected to review for financial activities and communications.
Classified Experience
• Designed, engineered and implemented systems, networks and applications in a Top Secret Classified DoD facility
• Applying the concepts and standards introduced in this presentation resulted in 100% security compliance
• Responsible for 35 systems
• Part of a team of 8 engineers
• Project consisted of 35 professionals in one facility and another 15 in another location
My Classified Experience
• In two years, two attempts were made to compromise Top Secret systems.
• If it were not for the established monitoring to detect activity, the attacks would have been successful.
• Not because security was not applied, but because of unknown vulnerabilities in the OS.
• These attempts shut down all operations of more than 135 people for more than three weeks.
• DoD has the money to sustain this kind of operation, but businesses cannot afford this level of response to compromises, much less to attacks that were unsuccessful.
Lesson Learned
• Once you consider the extreme of operating like a DoD classified facility, other discussions can take place.
• If you can quantify your IT and security operations, then a declared value can be placed on attempts and compromises.
• Insurance companies can now have a third party assess the security compliance and capabilities of an organization, so that serious cyber loss coverage can begin.
Conclusion
Cyberthreats and cyberattacks have increased dramatically over the past several years. They have exposed sensitive personal and business information, disrupted the critical operations of institutions, and imposed high costs on the economy and business operations. That is why it is imperative that companies stay informed about the continuously changing forms of cyberthreats and develop appropriate, cost-effective controls to safeguard their businesses.
This presentation is presented with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns, as the contents of this presentation are intended for general informational purposes only. Viewers are urged not to act upon the information contained in this presentation without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and additional information can be submitted to your Eide Bailly representative, or to the presenter of this session.
Questions?
Calvin Weeks [email protected]
405.858.5591
Data Breaches, Credit Card Fraud, Front Page News …Are You Next?