Copyright © 2016 Oracle and/or its affiliates. All rights reserved. |
Securing Your Enterprise: Anatomy of a Breach
Scott Grykowski Director, Public Sector Security Sales Consulting
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Mobile Devices
Security
Transformation
Online Services
Mobile Users
Identity Management
Web Services Content Sharing
Exponential Growth of Data
Regulations & Compliance
External Threats
MOST SIGNIFICANT
IN
Cloud Computing
California Breach Report – Feb 2016
In the past four years, the CA Attorney General has reported:
• 657 data breaches
• Affecting over 49 million records of Californians
• In 2015, 178 breaches put over 24 million records at risk
– Three in five Californians were victims of a data breach in 2015 alone.
• Malware and hacking present the greatest threat, both in the number of breaches (365, 54%) and the number of records breached (44.6 million, 90%)
• Physical breaches, resulting from theft or loss of unencrypted data on electronic devices, came in a distant second – 17% of breaches in 2015
• Breaches caused by errors, predominantly misdelivery and inadvertent exposure on the public Internet, were a close third, and have held steady at around 17%
Source: https://oag.ca.gov/breachreport2016
CA State Auditor: High Risk Update - InfoSec 2015
• Many reporting entities do not have sufficient information security controls
– Most reporting entities that responded to the survey indicated that they had yet to achieve full compliance with the security standards.
• 37 of the 41 reporting entities that self-certified to the technology department that they were in compliance with the security standards in 2014 indicated in our survey that they had not actually achieved full compliance in 2014.
• 40% of the reporting entities certified in 2014 that they were not fully compliant, yet the technology department had not established a process to perform follow-up activities with these entities
• More than half of the entities that responded to our survey indicated that the technology department's guidance for complying with security standards was insufficient
Source: https://www.bsa.ca.gov/pdfs/reports/2015-611.pdf
Over 700 Million Records Breached in 2015
Frequency of incident classification patterns over time across security incidents
Attackers are able to compromise an organization within minutes
81%
More than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing
69%
2016
SECURING PEOPLE, DEVICES & DATA
Excessive Access
External Hacktivists
Stolen Data
Regulatory Compliance
International Espionage
Social Engineering
Denial of Service
Sophisticated Attacks
Data Theft
Loss to Business
Impacts Reputation
Privilege Abuse
Curiosity
Leakage
From Mistakes to Malicious
Source: Adapted from Kuppinger Cole Presentation, March 2013
Mistakes
Accidental deletes
Unauthorized disclosures
Misuse
Malicious
Criminal
Download malware
Phishing attack
XSS or SQL injection attacks
Anatomy of a Data Breach: Starts with a phishing scam
Command and control
Establish multiple backdoors
Dump passwords Domain controller
Anatomy of a Data Breach: Establish a foothold
Anatomy of a Data Breach: Identify targets, probe for weaknesses
Attack databases, usually using valid, privileged accounts
Exfiltrate data via staging server
Anywhere in the world
Anatomy of a Data Breach: Exfiltrate data and cover tracks
Anatomy of a Data Breach: Entry Points for an Attack
Network Server Storage Database Backups & Exports Application
Defense in Depth Security Strategy
[Diagram labels: Threat paths; data; Policies and Procedures; Physical Security; Encryption; Masking; Redaction; Auditing; Configuration Management; Privileged User Controls; Virtual Separation; Mobile Containerization; Identity Management; Database Firewall; Intelligent Monitoring]
ENTERPRISE MOBILE CLOUD
IDENTITY
MANAGEMENT
DIRECTORY
GOVERNANCE
ACCESS
MANAGEMENT
IDENTITY FEDERATION
EXTERNAL AUTHORIZATION
ENTERPRISE & WEB SINGLE
SIGN-ON
MOBILE & SOCIAL SIGN-ON
FRAUD DETECTION
EMPLOYEES CONTRACTORS
& PARTNERS
CUSTOMERS
& PROSPECTS
APPS
APPS
GOVERNANCE
APPS
COMMON REPOSITORY
COMPLETE GOVERNANCE
OPERATING
SYSTEMS
DIRECTORY
SERVICES
ENTERPRISE
APPLICATIONS
DATABASES
ACCESS
ENTITLEMENT
CATALOG
Cloud
Applications/
Services
CUSTOMERS
& PROSPECTS
CONTRACTORS
& PARTNERS
ADMINS
EMPLOYEES
PRIVILEGED
SYSTEMS
EMPLOYEES
Automate and Identify Who Has Access to What
SERVICES
USER
AUTHENTICATION
LOCATION
DATA
EXTREME
SCALE
LOW
TCO
INTEGRATED
INTEROPERABLE
DEVICE
AUTHN
NAMING
SERVICES
HOST
ACCESS
CONTROL
APP
THOUSANDS MILLIONS BILLIONS 10s of BILLIONS
Oracle Public Cloud
Apps
Customer Use Case: Cloud SSO
Apps
Customer On-Premise
Oracle IAM or AD
Apps
Synchronized
IDCS
ID Bridge
Cloud applications
GOVERNANCE
MANAGEMENT
SERVICES
USER
AUTHENTICATION
LOCATION
DATA
EXTREME
SCALE
LOW
TCO
INTEGRATED
INTEROPERABLE
DEVICE
AUTHN
NAMING
SERVICES
HOST
ACCESS
CONTROL
APP
THOUSANDS MILLIONS BILLIONS 10s of BILLIONS
VIRTUAL DIRECTORY
META DIRECTORY
LDAP DIRECTORY
IDENTITY FEDERATION
EXTERNAL AUTHORIZATION
ENTERPRISE & WEB SINGLE
SIGN-ON
MOBILE & SOCIAL SIGN-ON
FRAUD DETECTION
EMPLOYEES CONTRACTORS
& PARTNERS
CUSTOMERS
& PROSPECTS
OPERATING
SYSTEMS
DIRECTORY
SERVICES
APPS
APPLICATIONS
COMMON REPOSITORY
DATABASES SINGLE
USER
VIEW
ACCESS
REQUEST
ENTITLEMENT
CATALOG PRIVILEGED
ACCOUNT
MANAGEMENT
ACCESS
CERTIFICATION
PRIVILEGED ACCOUNTS
USER PROVISIONING
CERTIFICATION REVIEW
ACCESS REQUEST
INTEGRATED PLATFORM
Critical Security Strategy
• Use Defense-in-Depth for Maximum Security
– Administrative Controls
– Preventive Controls
– Detective Controls
• Don’t let perfection stand in the way of progress
– Look for incremental steps to reduce risk
– Do not accept the status quo – “business as usual” is not an option