Bryan Hadzik Network Consulting Services, inc. Endpoint Security Data At Rest

Transcription

1 Bryan Hadzik Network Consulting Services, inc. Endpoint Security Data At Rest

2 Look back on 2010 Agenda Incident types Inside Job? Source of Risk Role of Encryption Some Conclusions

3 2010 A Year In Review The Good The Bad And the (occasionally) Ugly

4 First, The Good News (Or Is It?) Some good news:

5 More Likely.

6 Incident Types: 2010

7 Incident by Vector

8 Understanding Insider Attacks: Some Definitions "There are two kinds of people in the world: those who divide the world into two kinds of people, and those who don't Robert Benchley

9 Understanding Insider Attacks: Quantifying Attacks 48% of attacks involve an insider Source: 2010 Verizon Risk Team Data Breach Investigation Report

10 Understanding Insider Attacks: Some Definitions Accidental Malicious Insider Risk

11 Non-Malicious

12 Understanding Insider Attacks: Non-Malicious

13 Some Stats 7% of all laptops are lost during their operational lifetime Source: Ponemon Institute

14 Some Stats 7% of all laptops are lost during their operational lifetime 60% are simply misplaced Source: Ponemon Institute

15 Examples in 2010

16 Healthcare ALONE 147 Breaches in 2010

17 Healthcare ALONE 45% involved a laptop or portable electronic device

18 Not just the BIG companies It happens every day

19 Malicious Insiders

20 Malicious Insiders I ll just blend right in

21 Malicious Insiders CERT indentified four, broad groups: 1. Sabotage (often out of a desire for revenge) 2. Attacks for financial benefit 3. Attacks for business gain 4. Attacks associated with unauthorized access but not necessarily for personal gain Source: "Common Sense Guide to Prevention and Detection of Insider Threats

22 Looking For Commonalities 46% of attacks another staff member had direct knowledge of the attacker s plans US Secret Service/Carnegie Mellon whitepaper :"Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector"

23 Malicious Insiders At least no-one has mentioned WikiLeaks..

24 The WikiLeak Era

25 Coming To A Board Room Near You?

26 Some Practical Steps

27 CERT s 16 Step Program 1. CONSIDER THREATS FROM INSIDERS AND BUSINESS PARTNERS IN ENTERPRISE-WIDE RISK ASSESSMENTS 2. CLEARLY DOCUMENT AND CONSISTENTLY ENFORCE POLICIES AND CONTROLS 3. INSTITUTE PERIODIC SECURITY AWARENESS TRAINING FOR ALL EMPLOYEES 4. MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS 5. ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES 6. TRACK AND SECURE THE PHYSICAL ENVIRONMENT 7. IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES. 8. ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE 9. CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE 10. USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS 11. IMPLEMENT SYSTEM CHANGE CONTROLS 12. LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS 13. USE LAYERED DEFENSE AGAINST REMOTE ATTACKS 14. DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION 15. IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES 16. DEVELOP AN INSIDER INCIDENT RESPONSE PLAN Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"

28 CERT s 16 Step Program 1. CONSIDER THREATS FROM INSIDERS AND BUSINESS PARTNERS IN ENTERPRISE-WIDE RISK ASSESSMENTS 2. CLEARLY DOCUMENT AND CONSISTENTLY ENFORCE POLICIES AND CONTROLS 3. INSTITUTE PERIODIC SECURITY AWARENESS TRAINING FOR ALL EMPLOYEES 4. MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS 5. ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES 6. TRACK AND SECURE THE PHYSICAL ENVIRONMENT 7. IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES. 8. ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE 9. CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE 10. USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS 11. IMPLEMENT SYSTEM CHANGE CONTROLS 12. LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS 13. USE LAYERED DEFENSE AGAINST REMOTE ATTACKS 14. DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION 15. IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES 16. DEVELOP AN INSIDER INCIDENT RESPONSE PLAN Technical Controls/Process Non-Technical Controls/Process Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"

29 Boiling That Down Be able to identify the causes of insider attacks Technical or process vulnerabilities Management problems Enforce good segregation of duties Watch for technical precursors (log, monitor, audit) Privilege escalations Service account use Changing access rights Have good processes in place for high-risk events and individuals

30 The Business Problem Internet Cafe Prospect List Employee Patient Records Transit Home Social Security Numbers Customer Credit Card Info. Site Intellectual Property Classified Information Office Partner Contractor Airport Critical enterprise data resides on numerous endpoint devices enterprises are now looking for comprehensive data protection solutions 30

31 How are you Keeping up with Changing Regulations? Industry Regulations PCI DSS Visa Europe Sarbanes Oxley (SOX) EuroSOX - Directive 2006/43/EC Basel II - International Convergence of Capital Measurement and Capital Standards US Federal Regulations HIPAA & The HITECH Act FISMA 2 (ICE) Data Breach Notification Act (S139) Data Accountability and Trust Act (HR 2221) US State Regulations SB1386 (the first) 201 CMR 17 (one of the latest) NRS 603A (requires PCI DSS) >45 other State & US Jurisdiction Laws Desktops Laptops USB Memory Sticks Smartphone s & PDA s CD/DVD

32 Consider: Non-Compliance Costs Gartner Estimates $160/account Ponemon Estimates $243/account Company Accounts Impacted Estimated Breach Cost Country Avg. Cost per Record (USD) Avg. Total Cost of a breach (USD) Health Net 446k $70 - $75 Million MA Secretary of Commonwealth 139k $22 - $25 Million AMR 79k $10 - $15 Million Lincoln Medical & Mental Health 130k $15 - $20 Million San Jose Medical 110k $12 - $17 Million Boeing 382k $60 - $65 Million Australia million France million Germany million UK million US million Average million ING 13k $1.5 - $2 Million Fidelity 196k $31 - $36 Million A4e 24k $3 - $4 Million Other Costs: - Reputation - Brand - Innovation - Operations - Personal Risks Ponemon Institute estimates $243 per victim for a first time data breach in it s Fourth Annual US Cost of Data Breach Study published in January Gartner estimate: $160 per account in direct charges: legal expenses, professional fees; customer notification; embedded costs of cleanup and recovery, systems Gartner G

33 How Encryption Can Help A little help here, please...

34 How Encryption Can Help: Non-Malicious Incidents Especially important to prevent accidental data breaches Source: Ponemon Institute: Cost of a lost laptop

35 How Encryption Can Help: Non-Malicious Incidents Especially important to prevent accidental data breaches Source: Ponemon Institute: Cost of a lost laptop

36 Role Of Encryption Technologies such as encryption can be implemented to prevent such users from reading or modifying sensitive files to which they should not have access. Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"

37 Should we encrypt the entire disk? Everything needs to go through the encryption Overhead on every single read/write The system cannot boot up without password Password sync can be difficult NOT required for audit purposes NOT required for security

38 What are we encrypting with full disk encryption Files 20% 10% 15% 40% OS Program Files Temp data User Data

39 What are they looking for? Fixed drive C:\documents and settings\username C:\windows\system32\config\sam C:\pagefile.sys Removable drive Any documents

40 Which encryption is best? Full Disk Encryption Complete encryption of hard disk, including boot and system files Disadvantage: Encryption only on system level - no awareness of user or type of data Only available for Desktops and Laptops System administration significantly impacted No separation of system and security administration No protection against copy onto external media Data-Centric Encryption Data automatically encrypted based on policies Encryption awareness of users, groups, systems and data types System remains accessible for system administration Central Administration for all devices and storage media with automated key escrow for guaranteed recovery Automatic detection and enforced protection of external media File & Folder Encryption Files and Folders specifically selected by the user are encrypted Disadvantage: Security dependent on user behavior Temporary application files can leak information No central administration or key recovery Impossible to enforce or prove compliance

41 How should the protection work? Fixed drive C:\documents and settings\username File level user encryption Policy based C:\windows\system32\config\sam Tamper protection C:\pagefile.sys System level encryption

42 How should the protection work? Removable Drive Policy based file level encryption Only encrypt what is important No user interaction required

43 The problem with ipads Top down enterprise adoption New platform Personal devices

44 The specs 256 bit AES* Local wipe Remote wipe VPN Code signing Passcode policies *Not perfect

45 The Challenges Top Down C-levels are the first to get the device Bypass normal testing and validation Make it work attitude Personal All I need to know is username/password Easy to discover settings even without auto discover Wipe

46 ios is the target Phone, ipad share the same OS Jailbreakers are doing all the work for other reasons Most exciting new platform Commonplace

47 Encryption? Rated at AES 256 bit Passcode does not relate to encryption The keychain is the key username/password Vpn username/password

48 How to do it? Jailbreak Install ssh server Execute script that asks for the keychain info No reverse encryption necessary Just ask nicely Cannot be removed and broken, but just as easy to break on the device

49 What do we get?

50 How to protect Data The hard way Keep the data off the device* VDI Disallow Exchange activesync Disallow syncing *Not technologically difficult

51 How to protect Data The medium difficult way Allow data, but encrypt and secure access Insist on Exchange activesync Create policies Local wipe Remote wipe Local encryption Keeping device current VDI the very sensitive data Remote wipe means password reset

52 FIREWALL FIREWALL LANDesk MOBILE GUARDIAN Enterprise Edition INTERNAL NETWORK Existing Infrastructure DMZ REMOTE NETWORK Central Admin Console Active Directory Exchange Server with CMG OTA Sync Control CMG Local Gatekeeper or Proxy Policy Enterprise Server CMG Policy Proxy Internet CMG Shielded Devices CMG Shielded Devices Secure and control data across all mobile and portable endpoints Device detection and enforced provisioning across all connections Local policy enforcement ensures data protection travels with the device at all times Scalable, single point of management and control for all platforms Leverages existing infrastructure for seamless integration 52

53 Primary objectives 1 Keeps your business out of the headlines and protects your brand by eliminating the need to notify customers/employees of lost or stolen data 2 Provides proof that a lost or stolen mobile device was encrypted to meet compliance requirements 3 Provides Maximum Security with Minimal Impact on operational processes and end users

54 Moving Out To The Cloud The Cloud makes the challenges of Insider Threat more complex: Increases complexity of quantifying risk Managing that risk Ensuring compliance Serves as a barrier to adoption of Cloud offerings These challenges exist for both private and public cloud infrastructures

55 Some Conclusions Insider incidents are often accidental

56 Some Conclusions In the event of an accidental disclosure, or malicious theft, encryption has been proven to reduce both risk and cost

57 Three important things to protect Data on the local HD Lost laptop scenario Policy based file encryption No user interaction User/system level keys Escrowed to server Removable media Malicious or not data removal Drive level encryption

58 Three important things to protect Tablets/Smart Phones Local Wipe Remote wipe(password reset) Insist on exchange activesync

59 Thank You!