Dirty Dozen
Today’s Top Threats to Your Data
June 2012 Luncheon Meeting
Gene Scriven

The Land of Information Security
Gene’s Dirty Dozen
Threats to the Enterprise
June 14, 2011
What Will We Talk About?
• Nothing that’s Rocket Science
• Concepts will likely be the same for everyone
  – Details will be different
• Enterprise vs. small business vs. personal
• A combination of “Soft Stuff” and Technology
• Vendor Agnostic (and even Technology Agnostic)
• Not a “How To Fix It” presentation
• You’ll notice some redundancy – it’s intentional
• My personal opinion – your mileage may vary
But First…
Something to “Get the Blood Flowing”
Three Guys go fishing….
Where’s the EXTRA DOLLAR?
Who Is This Guy??
Chief Information Security Officer at Sabre almost 3 years
Prior to Sabre, CISO at The Home Depot
• 30+ years in Information Security
• Commercial, military, federal government, government contract
• Big-Six (and similar) background
• Coopers, Deloitte, PwC, Trident
Government and US Intelligence Community
• Programmer, PM, Security Director, Development Director, Missile Targeting, Electronic Wargames, Federal Agent, Computer Crime Investigator
Commercial
• Security Systems Development Director, QA Director, Process Engineer, Chief Information Security Officer
Not Particularly Related (but far more FUN)
• Lifeguard, Paramedic, College Professor, Comedian
Why The “Dirty Dozen?”
• Everybody has a list
  – Mitre has the Top 20
  – SANS Institute Top 10 Cyber Threats
  – FBI Survey
  – Open Web Application Security Project (OWASP) has the Top 10
  – “Cyber Security Veterans” Top 10 Security Menaces
  – Top 10 Security Risks to University Communities
• A “Dozen” seemed like a great starting point
• Any list….is never enough!
• Contrast Gene’s 1998 Dirty Dozen with today’s
#12
Desensitized by Media Saturation
Sample headlines:
• Government Laptop with SSNs Stolen from Airport
• Yet another retailer is hacked and millions of CC numbers are stolen
• Keylogger Compromises 25,000 Identities
#11
Social Engineering on the Rise Again
- More Sophisticated
• People will ALWAYS be the weakest link
• Phishing messages more/most successful
• Embedded Links
• No real technology fix
• Old fashioned social engineering
• Targeting Help Desks
• Targeting those who are evaluated on being helpful
• Actual visits to physical sites
#10
Employees who think they know more than IT
• “I can get it so much cheaper from Best Buy or eBay!”
• “You guys are so slow…and I need it yesterday.”
• “But my requirements are different than everyone else’s.”
Not understanding what’s involved in running IT to support a diverse enterprise, often with thousands of users, causes some to ignore IT, work around it, or cheat the system
#9
Lack of understanding of Information Security (and Risk)
“How many incidents did we have last year?”
“Why aren’t you making the company any money?”
Unable to Articulate Risk
Risk has to be seen through the eyes of the Risk-Taker!
[Figure: risk heat map plotting RISK LIKELIHOOD (Rare, Unlikely, Possible, Likely, ~Certain) against IMPACT (Insignificant, Minor, Moderate, Major, Catastrophic; scoped from Department to Business Unit), with numbered risk items in the cells and a Minor Concern / Major Concern legend]
#8
Data Leakage
• We don’t know what we don’t know!
• What data is leaving, and how much?
• How is it leaving?
  – Thumb drives, email, social media, etc.
• Implementing DLP takes enormous planning and requires strong processes
  – Drinking from the firehose!
• Are you protecting from Social Networks?
  – Social Media can be great for business
  – But it can also ruin your business
It’s Gonna Blow!!
#7
The Next Employee You Lay Off
• Job market is improving, but lay-offs and cuts are still happening
• HR errs on the side of “being nice” to employees during downsizing
• Statistics still indicate that internal threats are on the rise
• Too much emphasis on the perimeter
• False sense of security
• Not enough prosecution
• Confusion between Disgruntled vs. “Under-Educated”
Most employees/companies have…
• Excessive accesses
• Insufficient access reviews
• “Overlapping trust”
FBI reports, “Nearly 90 percent of such crimes (data theft) are committed by employees of the victims.”
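The three gaps the slide names (excessive access, missing access reviews, overlapping trust) are the kind of thing a periodic leaver review catches. The script below is an added example, not code from the presentation; the users, groups, dates, separation-of-duties rules and the group-count threshold are all constructed.

```python
# Added example, not from the presentation: a leaver / access-review check of the
# kind slide #7 argues for. Every user, group and date below is constructed.
from datetime import date

AS_OF = date(2012, 6, 14)  # review date (constructed)
MAX_GROUPS = 4             # constructed threshold for "excessive access"
# Constructed separation-of-duties rules: holding both sides is "overlapping trust"
CONFLICTS = [{"Finance-RW", "Payroll-Admin"}, {"HR-RW", "Payroll-Admin"}]

# Constructed HR roster: user -> termination date (None = still employed)
HR_ROSTER = {"alice": None, "bob": date(2012, 5, 31), "carol": date(2012, 6, 8), "dave": None}

# Constructed entitlement export: user -> (account enabled?, groups)
ENTITLEMENTS = {
    "alice": (True, {"VPN", "Finance-RO"}),
    "bob": (True, {"VPN", "Finance-RW", "Payroll-Admin", "Domain Admins"}),  # never disabled
    "carol": (False, {"VPN"}),                                               # disabled on time
    "dave": (True, {"VPN", "Finance-RO", "Finance-RW", "Payroll-Admin", "HR-RW", "Domain Admins"}),
    "erin": (True, {"VPN"}),                                                 # no HR record at all
}

def review_access(roster, entitlements, today, max_groups=MAX_GROUPS):
    """Return (user, finding) pairs: leavers still enabled, orphans, excess, conflicts."""
    findings = []
    for user, (enabled, groups) in sorted(entitlements.items()):
        if user not in roster:
            findings.append((user, "account has no HR record"))
            continue
        term = roster[user]
        if term is not None and term <= today and enabled:
            findings.append((user, f"still enabled {(today - term).days} days after termination"))
        if len(groups) > max_groups:
            findings.append((user, f"excessive access: {len(groups)} groups"))
        for conflict in CONFLICTS:
            if conflict <= groups:  # holds every group in the conflicting set
                findings.append((user, "overlapping trust: " + " + ".join(sorted(conflict))))
    return findings

def run_review():
    return review_access(HR_ROSTER, ENTITLEMENTS, AS_OF)
```

Real reviews would read the roster and entitlements from HR and directory exports; the logic is the same.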
#6
Outsourced Partner Problems
• Third parties have become a large part of many infrastructures
  – Costs
  – Expertise
  – Companies now rely heavily on them
• Many are trusted with sensitive info
• Are they properly evaluated for the right data protections?
• Do your contracts hold them equally liable?
• Are your SLAs adequate – especially on Incident Response?
• What about “The Cloud?”
“Third party organizations accounted for 42% of all data breaches.” – Ponemon Institute
#5
Sophistication of the Bad Guys
• 12-year old script-kiddies working from Mom’s basement are a thing of the past!
• Attackers are organized, financed, and often state-sponsored
• Microeconomics in its purest form
• Well-run business networks
Attackers are now often backed by formal organizations and are financially motivated
#4
Poor Patching
• “OK…But we’ll have to slip our development schedule.”
• “What do you mean by ‘Have the systems patched in 10 days?’”
• “But we have so many different platforms…”
• “It’s gonna take at least two months to test that patch.”
• “This is a lot of work….Why can’t you just block the exploits?”
• “It’s not my job, I just load the base images.”
• “We should be OK…it’s not like we’re the NSA or something.”
• Need an Iterative process, with Governance, and Required Compliance
• Application Patching as well as OS Patching
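“Required Compliance” against a 10-day window only works if someone measures it, for application patches as well as OS patches. The script below is an added example, not code from the presentation; the patch catalogue, hosts, install dates and review date are constructed, and the 10-day window is the one quoted on the slide.

```python
# Added example, not from the presentation: a patch-window compliance check of the
# kind slide #4 argues for. All patch, host and date values below are constructed.
from datetime import date, timedelta
PATCH_SLA_DAYS = 10        # "Have the systems patched in 10 days"
AS_OF = date(2012, 6, 14)  # review date (constructed)

# Constructed patch catalogue: patch id -> (kind, vendor release date)
PATCHES = {
    "OS-2012-05": ("os", date(2012, 5, 20)),
    "APP-java-7u5": ("application", date(2012, 6, 1)),
    "APP-acrobat-10.1.3": ("application", date(2012, 6, 5)),
}
# Constructed inventory: host -> {applicable patch id: install date, or None if missing}
HOSTS = {
    "web01": {"OS-2012-05": date(2012, 5, 25), "APP-java-7u5": None, "APP-acrobat-10.1.3": None},
    "img-base": {"OS-2012-05": None},  # the base image that "isn't my job"
    "dev02": {"OS-2012-05": date(2012, 6, 12), "APP-java-7u5": date(2012, 6, 9)},
}

def patch_status(host_patches, catalogue, today, sla_days=PATCH_SLA_DAYS):
    """Classify each patch applicable to one host against the install window."""
    status = {}
    for pid, (_kind, released) in catalogue.items():
        if pid not in host_patches:
            continue  # patch does not apply to this host
        deadline = released + timedelta(days=sla_days)
        installed = host_patches[pid]
        if installed is None:
            status[pid] = "overdue" if today > deadline else "pending"
        else:
            status[pid] = "compliant" if installed <= deadline else "late"
    return status

def compliance_report(hosts, catalogue, today):
    """Compliance percentage per patch kind (OS vs application) plus overdue items."""
    counts = {}   # kind -> [met, due]
    overdue = []  # (host, patch id, days past deadline)
    for host, host_patches in sorted(hosts.items()):
        for pid, state in patch_status(host_patches, catalogue, today).items():
            kind, released = catalogue[pid]
            if state == "pending":
                continue  # window still open, nothing to report yet
            c = counts.setdefault(kind, [0, 0])
            c[1] += 1
            c[0] += state == "compliant"  # True counts as 1
            if state == "overdue":
                overdue.append((host, pid, (today - released).days - PATCH_SLA_DAYS))
    return {k: round(100 * met / due) for k, (met, due) in counts.items()}, overdue

def run_report():
    return compliance_report(HOSTS, PATCHES, AS_OF)
```

Splitting the percentage by kind is what makes an application-patching gap visible next to an OS-patching number that looks fine.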
#3
Shift in attacker focus from OS Vulnerabilities to Application/Middleware Vulnerabilities
• Most vendors will do the right thing with vulnerabilities and patches
• Many enterprises still focus primarily on OS vulnerabilities
• Attackers taking advantage of the proliferation of applications across the typical enterprise
• Internally developed applications need attention as well
• Are you frequently scanning your web apps?
• Know what applications your users have
• Address the vulnerabilities that exist in them
Internal Applications
#2
Malware and Spyware are far more sophisticated
(and dangerous)
“Don’t worry about that spyware thing….it’s just someone trying to see where you’re going on the Internet – you know, for Marketing purposes.”
Interesting Malware Activities
1. Changing network settings
2. Disabling anti-virus and anti-spyware tools
3. Turning off Microsoft Security Center and/or other updates
4. Installing rogue certificates
5. Cascading file droppers
6. Keystroke Logging
7. URL monitoring, form scraping, and screen scraping
8. Turning on the microphone and/or camera
9. Pretending to be an antispyware or antivirus tool
10. Editing search results
11. Acting as a spam relay
12. Planting a rootkit - altering the system to prevent removal
13. Installing a bot for attacker remote control
14. Intercepting sensitive documents … or encrypting them for ransom
15. Planting a sniffer
Verizon Business Data Breach report (for 2010) indicates that 38% of compromises were due to Malware
#1
Mobile Devices & BYOD
• Everyone’s stats agree – Mobile Devices are on the rise in our enterprises
• Have you seen your CEO’s iPad on the network? (Not yet??)
• Sticking your head in the sand is not an option here
• Be aware of the threats of unmanaged mobile devices
  – Non-compliant devices
  – Jail-broken devices
  – Zero-day exploits
  – User savvy at getting around your controls
• BYOD – See the train storming down the tracks!
• Partner with your users – and admit they may know more about this than you do
• Be prepared with a comprehensive Mobile Device Management strategy
What’s A CISO To Do?
• Know what you don’t know
• Focus on the Message
– Content is critical
– Delivery is just as important
• Be a Business Person first
– …and a Technician second
– …and a Politician third (build relationships)
• Organize your program based on RISK
• Defense-In-Depth
Dirty Dozen – Then vs. Now
1998
#12 - No Security Awareness Program
#11 - Blind Trust of Insiders
#10 - Reliance on Firewalls
#9 - No Business Continuity Plan
#8 - Chiefs Not Listening To “Indians”
#7 - Not Enough Attention To Physical Security
#6 - Insufficient Security Policies
#5 - Uncontrolled Modems
#4 - Insecure Web Sites \ Pages
#3 - No Verification Of Security
#2 - No Security Monitoring
#1 - Poor Password Practices
2012
#12 – Desensitized by Media Saturation
#11 – Social Engineering on the Rise
#10 – Employees who know more than IT
#9 – Understanding of InfoSec & Risk
#8 – Data Leakage
#7 – The Next Employee you Lay Off
#6 – Outsourced Partner Problems
#5 – Sophistication of the Bad Guys
#4 – Poor Patching
#3 – Shift from OS to Application Vulnerabilities
#2 – More Dangerous Malware & Spyware
#1 – Mobile Devices and BYOD
“They only have to get lucky one time, but we have to be good all the time.”
– Mark Weatherford, Deputy Undersecretary for Cybersecurity, Department of Homeland Security, discussing the advantages the bad guys have over those responsible for defending networks, systems, and data in today’s Cyber environment
Questions?