Top Ten IT Risks. Top Ten IT Risks Wednesday, September 27, 2006

Transcription

1 Wednesday, Presented by Top Ten IT Risks Presented by: Mark A. Eich, CPA, CISA Principal LarsonAllen Information Security Services Financial Managers Society, Inc. Security = Culture!! Security is a BUSINESS issue, NOT a technical issue!! Administrative Policies / Procedures Physical Access Controls Technical Security Controls 1

2 Wednesday, Top 10 IT Security Risks 1. Weak/Incomplete policies and lack of policy awareness 2. Malicious insider misuse 3. External attack phishing 4. External attack soc eng phone calls 5. External attack website defacement 6. Internal attack social engineering 7. Missing/weak IR policy 8. Patch management 9. Web Application Vulnerabilities 10. IT vendor mgmt Policies and Procedures = Culture Administrative Policies and Procedures Think in terms of Standards This is the foundation that everything else rests on Weaknesses here result in inconsistent or inappropriate application of standards Physical security WILL fail if standards are weak Technical controls WILL fail if standards are weak If employees do not understand standards (policies) security will fail 2

3 Wednesday, A confluence of events Rarely is it a single event or single vulnerability that results in the realization of a risk that leads to a loss. The following examples will highlight how multiple risks are often brought together, resulting in really bad things POLLING QUESTION Has your bank ever experienced a security breach? Yes No Was customer information affected? Yes No 3

4 Wednesday, The Real Estate department at the Bank Story #1 Key IT person takes sudden leave of absence Systems started to fail Consultant discovers side business People (more than one) are fired Law suits Forensics (too late?) Unfavorable settlement Reputational loss? The Real Estate department at the Bank What went wrong? Weak policies (#1) Shared accounts/password No logical auditing or review No required vacation policies Weak/missing Incident Response plan (#7) Allowed malicious insider misuse (#2) This particular case did not result in a direct loss of money (i.e. being stolen), but others with very similar circumstances have. 4

5 Wednesday, Hi, I am Jerry, the new IT guy up from Atlanta Story #2 Jerry hangs out at the smokers door. Drops names and company information Google-hacking Follows new friends/co-workers into building Hi, I am Jerry, the new IT guy up from Atlanta What went wrong? Weak policies (#1) Badges not required, or requirement not enforced No one verified the story What appeared to be good physical security was in fact weak. It was easily defeated through social engineering by exploiting poorly understood and/or enforced policies (#1, #6) Jerry hid out in the bathroom, and later in conference rooms and offices (more on this later ;-) 5

6 Wednesday, Can I use the bathroom? Story #3 John walks in, asks about opening an account, and fills out some paperwork. John asks to use the bathroom. Provides Jerry with hacking tools to use on the inside. Can I use the bathroom? What went wrong? When John came in he was carrying a bag full of goodies Planted keystroke loggers and wireless access point Discovered un-patched systems, AND default credentials (#6 and #8) This resulted in Domain Admin access to Windows systems, and ROOT access to AIX within 20 minutes 6

7 Wednesday, Hi, this is (net admin s name), I need Story #4 Hi, it s Dave, I am sending over two technicians, please put them in the training room. a consultant to fix the branch router. the Xerox copier repair technician Greeted, shown to conference room, and offered beverages Left alone when everyone left at 5:30 PM Hi, this is (net admin s name), I need What went wrong? Person was accepted for what they claimed to be Social Engineering (#4) Phone system did not authenticate the caller Recipient/Receptionist did not authenticate the caller (#1) We discovered un-patched systems, AND default credentials (#6 and #8) AGAIN Planted code and devices on the network. Left with lots of good stuff. 7

8 Wednesday, We caught our limit in only 30 minutes Story #5 (spear) phishing attack resulted in: Harvested credentials Access to webmail and RAS dial up Discovery of un-patched systems (browsers) Remote access to the inside of the network We caught our limit in only 30 minutes What went wrong? Employees did not recognize what was happening Weak/Incomplete polices and/or awareness (#1) Employees supplied credentials (#1) Un-patched systems were exploited for remote access Missing or incomplete Patch Management system (#8) This was all a result of what we call the second generation of phishing (now coined spear phishing) (#3) 8

9 Wednesday, Questions? Select *1 now to ask a live question through the phone OR Type your question into the chat box in the lower left corner of the screen and click on the Send button located right below the box. Mark, you need to see this.. Story #6 Our tech discovers an unpublished vulnerability in Internet banking application Allows FULL COMPROMISE of the web banking server and the entire network!! 9

10 Wednesday, Mark, you need to see this.. What went wrong? Unpublished vulnerability zero day threat (#9) Microsoft is easy to work with compared to these guys!! POLLING QUESTION Does your network penetration testing scope include web applications? Yes No 10

11 Wednesday, Long weekend.. Story #7 Friday 4PM Firewall failed open Open for 3 days Long weekend.. What went wrong Misunderstood level of service from MSSP (#10) No IR policy (#7) Run anti-virus and call me in the morning 11

12 Wednesday, Long weekend (redux).. Story #8 IT manager needs to use Internet banking on Saturday morning Web-site hacked by Turkish group! Long weekend (redux).. What went wrong Misunderstood level of service from web host (#10) Web site had access data base for applications (#5) Host would not allow forensics research (#10) 12

13 Wednesday, Identifying and Mitigating Risks Employees need to be aware of their role in the security of the Bank Regular awareness training Large group sessions blasts Weekly/Monthly flyers Catch them doing it right and make a big deal of it Identifying and Mitigating Risks Systems and Vendors need to be managed Security solutions are tools that need to be managed this takes time. They need to be hardened They need to be patched They need to be used/monitored/managed Their behavior & effectiveness needs to be tested Vendors need to be held to the same standards as those we apply to ourselves Understand EXPLICITLY what you are buying 13

14 Wednesday, Identifying and Mitigating Risks Systems and people need to be audited and tested to make sure processes are functioning properly. Opportunity for continuous improvement vs. Gotcha IT needs to get used to the idea of being audited. This should be done by in-house resources, as well as independent sources. Make your external auditors allow your in-house people to shoulder surf! Identifying and Mitigating Risks Risk Assessments Every 1 to 3 years GLBA focuses on protection of all forms of Customer (consumer) information. Electronic or Paper Risk Assessments should drive what is audited, and how often 14

15 Wednesday, POLLING QUESTION Have you ever experienced a social engineering attack? Yes No Social Engineering: Quantifying the Threat 15

16 Wednesday, Identifying and Mitigating Risks IT Audits Every 1 to 2 years General audits focused on business controls Organization and Management Controls System Security Administration and Access Controls Operational Controls Physical Security and Environmental Controls Disaster Recovery and Contingency Planning Systems and Program Development Controls Internet Banking Controls Identifying and Mitigating Risks Penetration Tests Every 3 to 12 months Frequency based on risk Penetration Tests should be scheduled based on size and complexity of the Banks IT infrastructure Vulnerability scans should supplement penetration tests, NOT replace them 16

17 Wednesday, Identifying and Mitigating Risks Penetration Tests Starts where a vulnerability scan ends - true test of vulnerabilities and resulting risk Should mimic how and what the hackers do - requires experts Should present the Bank with options based on the Bank s particular circumstances Identifying and Mitigating Risks Penetration Tests what should they cover? External Tests Internet facing infrastructure and applications Internal systems that touch the Internet (Phishing) Modems Don t forget the people (Social Engineering) Internal Tests Servers Workstations Infrastructure Don t forget the people 17

18 Wednesday, Security is a Business Issue Think in terms of Standards Administrative, Physical, and Technical Think in terms of People, Rules, and Tools Security is NOT a technical issue Security and Risk should be Managed Questions? 18

19 Wednesday, Questions? Select *1 now to ask a live question through the phone OR Type your question into the chat box in the lower left corner of the screen and click on the Send button located right below the box. Your feedback is important to us! Don t forget to complete the seminar survey. 1. Simply click on the Seminar Survey in the LINKS area to the left of this slide. 2. From the drop-down box at the top of the survey, choose the Top 10 IT Risks. 3. Complete the survey and click on Submit to send us your responses This concludes this program. Thank you for your participation. 19