What’s Wrong with Information Security Today?

You are looking in the wrong places for the wrong things….

AGENDA

•  Current State of Information Security
•  Data Breach Statistics
•  Data Breach Case Studies
•  Why current security controls are not working
•  Solutions for securing company data in 2014

CURRENT STATE OF INFORMATION SECURITY

CURRENT STATE OF INFORMATION SECURITY

Grade your current Information Security Program: A, B, C, D or F?

CURRENT INFORMATION SECURITY CONTROLS

•  Firewall
   •  Keep the bad guys out
•  Anti-Virus
   •  Stop viruses from running
•  SPAM Filtering
   •  Stop viruses in email
•  Web Filtering
   •  Stop viruses from web sites

CURRENT INFORMATION SECURITY STRATEGY

•  We have spent (or are planning to spend) significant budget on:
   •  MDM (Mobile Device Management)
   •  NAC (Network Access Control)
   •  WAF (Web Application Firewall)
   •  DLP (Data Loss Prevention)
   •  IAM (Identity and Access Management)
   •  IDS (Intrusion Detection System)
   •  IPS (Intrusion Prevention System)
   •  SIEM (Security Information and Event Management)

DATA BREACH STATISTICS

HOW DO BREACHES OCCUR?

[Chart comparing how breaches occurred in 2012 and 2013; source: Verizon Business 2013 Data Breach Report]

SOURCE OF DATA BREACHES

[Chart of data breach sources; source: Verizon Business 2013 Data Breach Report]

THREAT PROFILE

ORGANIZED CRIME
•  Victim industry: Finance, Retail, Food
•  Region of operation: Eastern Europe, North America
•  Common actions: Tampering, Brute force, Spyware, Adminware, RAM scraper
•  Desired data: Payment cards, Credentials, Bank account information

STATE-AFFILIATED
•  Victim industry: Manufacturing, Professional, Transportation
•  Region of operation: East Asia (China)
•  Common actions: Backdoor, Phishing, Export data, Password dumper, Stolen creds
•  Desired data: Credentials, Internal data, Trade secrets

ACTIVISTS
•  Victim industry: Information, Public, Other Services
•  Region of operation: Western Europe, North America
•  Common actions: SQLi, Stolen creds, Brute force, Backdoor
•  Desired data: Personal info, Credentials, Internal data

Verizon Business 2013 Data Breach Report

ARE YOU A TARGET OR JUST LUCKY?

[Chart plotting Attack Targeting against Difficulty of Compromise]

WHO IDENTIFIES DATA BREACHES

[Chart of who identifies data breaches; source: Verizon Business 2013 Data Breach Report]

Only 3% of breaches were detected with common security controls

TIMESCALES OF DATA BREACHES

•  In 84% of cases, the initial compromise took hours to minutes
•  In 66% of cases, the breach wasn’t discovered for months to years
•  In 22% of cases, it took months to contain the breach

Verizon Business 2013 Data Breach Report

DATA BREACH CASE STUDIES

“Those who do not learn from history are doomed to repeat it” - George Santayana

CASE STUDY #1 - HACK

[Attack-chain diagram; labels: HTTP, RDP, FTP Data, Log-in w/Creds, Exploit Vulnerability, Identify Data]

CASE STUDY #2 – SOCIAL ENGINEERING

[Attack-chain diagram; labels: HTTPS, Log-in w/Creds, FTP Data, Exploit Vulnerability, Encrypt Laptop and demand $]

CASE STUDY #3 - SPEAR PHISHING

[Attack-chain diagram; labels: HTTPS, Keystroke Logger Captures Login Credentials, Bank account emptied with stolen login]

CASE STUDY #4 – CREDIT CARD HACK

[Attack-chain diagram; labels: Exploit Vulnerability, Exploit Vulnerability, Install RAM Scraper, Upload & Encrypt Card Data, Upload to Hacker]

WHY CURRENT SECURITY CONTROLS ARE NOT WORKING

WHY CURRENT SECURITY CONTROLS ARE NOT WORKING

1.  False sense of security
    •  “We have never been hacked” – How do you know?
2.  Limited operational budgets vs capital budgets
    •  Easier to purchase security appliances than people
3.  Weak (or no) security awareness programs
    •  People are your weakest link
4.  Lack of a vulnerability management program to identify, risk-rank and patch vulnerabilities
    •  Stop trying to hide vulnerabilities with other security controls
5.  A focus on preventive controls and a lack of detective controls
    •  Please realize that you cannot prevent 100% of attacks – See #1
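Point 4 asks for a program that identifies, risk-ranks and patches vulnerabilities. The script below is an added illustration of the "risk-rank" step and is not part of the original deck: it orders scanner findings by exposure (Internet-facing, public exploit available, sensitive data on the host) instead of by raw CVSS, and assigns a patch deadline. The hosts, the CVE ids (obvious placeholders), the multipliers and the SLA days are all constructed assumptions.

```python
"""Risk-rank scanner findings so the patch queue is ordered by real exposure
rather than by raw CVSS or scanner output order.

Added example for this deck; hosts, CVE ids (placeholders), multipliers and
SLA days are all constructed assumptions, not figures from the slides."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    cve: str                    # placeholder id as a scanner would report it
    cvss: float                 # CVSS base score, 0.0 to 10.0
    internet_facing: bool       # reachable from the Internet?
    exploit_public: bool        # working exploit publicly available?
    holds_sensitive_data: bool  # host stores or processes regulated data?


# Constructed sample scan output: four hosts, four placeholder CVE ids.
SAMPLE_FINDINGS = [
    Finding("intranet-wiki", "CVE-XXXX-0001", 9.8, False, False, False),
    Finding("web-shop-01",   "CVE-XXXX-0002", 7.5, True,  True,  True),
    Finding("hr-db-01",      "CVE-XXXX-0003", 6.5, False, True,  True),
    Finding("kiosk-17",      "CVE-XXXX-0004", 4.3, False, False, False),
]


def risk_score(f: Finding) -> float:
    """Severity times context. The multipliers are an assumed policy."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.3
    if f.holds_sensitive_data:
        score *= 1.2
    return round(score, 2)


def patch_sla_days(score: float) -> int:
    """Map the contextual score to a remediation deadline (assumed policy)."""
    if score >= 12.0:
        return 7
    if score >= 8.0:
        return 30
    if score >= 5.0:
        return 90
    return 180


def rank(findings):
    """Return (finding, score, sla_days) tuples, most urgent first."""
    ranked = []
    for f in findings:
        score = risk_score(f)
        ranked.append((f, score, patch_sla_days(score)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for f, score, sla in rank(SAMPLE_FINDINGS):
        print(f"{score:6.2f}  patch within {sla:3d} days  {f.host:14s} {f.cve}")
```

With these inputs the intranet wiki's 9.8 CVSS finding drops to third place: the Internet-facing shop with a public exploit and card data comes first, which is the point of ranking by context rather than by severity alone.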

WHY CURRENT SECURITY CONTROLS ARE NOT WORKING

6.  Lack of configuration standards to properly harden systems
    •  Default credentials are one of the largest sources of breaches
7.  Weak (or no) information security policies and procedures
    •  You have to build security into IT and business operations
8.  Over-reliance on signature-based detective controls
    •  IDS, A/V and SIEM are marginally effective in detecting a breach
9.  Lack of an incident response plan, tools and staff
    •  You must be able to detect, respond to and contain a breach
10. Not understanding where sensitive data is stored or how it flows through the organization
    •  Unknown storage of sensitive data is very dangerous!
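Point 10 is only fixable once you can find the data. The following added example (not from the deck) is a minimal data-discovery scan for payment card numbers, the "desired data" of the organized-crime profile above: it pulls candidate digit runs out of text, keeps only those that pass the Luhn checksum (so order numbers and phone numbers are ignored), and reports each hit masked to its last four digits so the scan report itself does not become another copy of the data. The file paths and contents are constructed in memory; `scan_directory` is the same logic pointed at a real tree.

```python
"""Locate stored payment card numbers so they can be removed or protected.

Added example, not from the slides. Sample 'files' are constructed in memory
so the script runs offline; scan_directory() applies the same check to disk."""
import os
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for well-formed card numbers, false for most noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return masked card numbers found in text (only the last four kept)."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def scan_files(files: dict) -> dict:
    """files maps path -> content; returns only the paths with hits."""
    report = {}
    for path, content in files.items():
        hits = find_card_numbers(content)
        if hits:
            report[path] = hits
    return report


def scan_directory(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk a directory tree and scan readable text files up to max_bytes."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample share: one refund export, one phone list, one ticket.
# 4111... and 4242... are well-known Luhn-valid test numbers, not real cards.
SAMPLE_FILES = {
    "/share/finance/refunds-2013.csv": "order,card,amount\n1001,4111 1111 1111 1111,49.99\n",
    "/share/hr/phones.txt": "front desk 555-0100, badge 1234 5678 9012 3456\n",
    "/share/support/ticket-88.txt": "customer paid with 4242-4242-4242-4242 and a gift card\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

The phone list is skipped even though it contains a 16-digit badge number, because that number fails the checksum; the refund export and the support ticket are reported, which is exactly the "unknown storage" the slide warns about (card data in a support ticket).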

SOLUTIONS FOR SECURING COMPANY DATA IN 2014

STEP 1 – NON-TECHNICAL SOLUTIONS

•  Develop an Information Security Strategy
   •  Focus on how to protect the business and its data
•  Invest in operational expenses such as staff and training
•  Develop and implement policies, procedures and configuration standards
•  Develop and implement a security awareness training program
   •  Train IT staff
   •  Train end users
   •  Train management

STEP 2 – TECHNICAL SOLUTIONS

•  Implement solutions that have a balance of prevention, detection and response capabilities
   •  Prevention: Focus on removing vulnerabilities that could lead to a malware infection and secure your network from unauthorized access
   •  Detection: Implement solutions to specifically detect malware (other than A/V) and monitor systems for malicious activity
   •  Response: Develop an Incident Response Plan and the staff to respond to security incidents. Invest in the appropriate training and tools, or outsource.
•  Only implement hardware and software products when you have the staff and training to support the solution
•  Use the SANS 20 Critical Security Controls as a guideline in developing your technical information security program
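The "Detection" bullet asks for monitoring of malicious activity that does not depend on a signature. The added example below (not part of the deck) is a small correlation rule for the chain shown in case study #1: repeated login failures from one source, then a success from the same source, then a large outbound transfer from that host. It works from the log itself, so it catches the behaviour whether or not any malware involved is known to A/V. The log format, host names, addresses (RFC 5737 documentation ranges) and thresholds are all constructed for this illustration.

```python
"""Behaviour-based detective control: failed logins -> success -> bulk
outbound transfer from the same host (the case study #1 chain).

Added example, not from the slides. The log format, names, addresses and
thresholds are constructed assumptions for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # failures from one source before we care
FAIL_WINDOW = timedelta(minutes=10)  # failures must fall within this window
EXFIL_BYTES = 100 * 1024 * 1024      # 100 MiB outbound is worth a look
EXFIL_WINDOW = timedelta(hours=24)   # ... if it follows a suspicious login

# Constructed sample log (chronological; one key=value record per line).
SAMPLE_LOG = """\
2013-11-04T02:14:07 auth host=fileserver-01 src=203.0.113.45 user=admin result=FAIL
2013-11-04T02:14:09 auth host=fileserver-01 src=203.0.113.45 user=admin result=FAIL
2013-11-04T02:14:11 auth host=fileserver-01 src=203.0.113.45 user=admin result=FAIL
2013-11-04T02:14:13 auth host=fileserver-01 src=203.0.113.45 user=admin result=FAIL
2013-11-04T02:14:15 auth host=fileserver-01 src=203.0.113.45 user=admin result=FAIL
2013-11-04T02:14:52 auth host=fileserver-01 src=203.0.113.45 user=admin result=OK
2013-11-04T02:31:10 net host=fileserver-01 dst=198.51.100.7 dport=21 bytes=734003200
2013-11-04T08:02:30 auth host=hr-db-01 src=10.0.5.20 user=jsmith result=FAIL
2013-11-04T08:02:41 auth host=hr-db-01 src=10.0.5.20 user=jsmith result=OK
2013-11-04T09:15:00 net host=hr-db-01 dst=198.51.100.9 dport=443 bytes=4096
"""


def parse(line: str) -> dict:
    """Turn '<ts> <kind> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def detect(log_text: str) -> list:
    """Return (rule, host, detail) alerts, in time order."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    failures = defaultdict(list)   # (host, src) -> timestamps of failures
    suspicious = {}                # host -> time of the suspicious success
    alerts = []
    for e in events:
        if e["kind"] == "auth":
            key = (e["host"], e["src"])
            if e["result"] == "FAIL":
                failures[key].append(e["ts"])
                continue
            recent = [t for t in failures[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                suspicious[e["host"]] = e["ts"]
                alerts.append(("CREDENTIAL_COMPROMISE", e["host"],
                               f"{len(recent)} failures then success from "
                               f"{e['src']} as {e['user']}"))
            failures[key].clear()
        elif e["kind"] == "net":
            when = suspicious.get(e["host"])
            size = int(e["bytes"])
            if (when is not None
                    and timedelta(0) <= e["ts"] - when <= EXFIL_WINDOW
                    and size >= EXFIL_BYTES):
                alerts.append(("POSSIBLE_EXFIL", e["host"],
                               f"{size} bytes to {e['dst']}:{e['dport']} "
                               f"after suspicious login"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG):
        print(f"{rule:22s} {host:14s} {detail}")
```

The single typo-then-success on hr-db-01 produces nothing, so the rule does not page on ordinary user behaviour; the five failures, success and 700 MB FTP transfer from fileserver-01 produce two linked alerts, giving the responders in the "Response" bullet something concrete to contain.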

SANS 20 CRITICAL SECURITY CONTROLS

1.  Inventory of Authorized and Unauthorized Devices
2.  Inventory of Authorized and Unauthorized Software
3.  Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4.  Continuous Vulnerability Assessment and Remediation
5.  Malware Defenses
6.  Application Software Security
7.  Wireless Device Control
8.  Data Recovery Capability
9.  Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

QUESTIONS
