How a Company s IT Systems Can Be Breached Despite Strict Security Protocols

Transcription

1 How a Company s IT Systems Can Be Breached Despite Strict Security Protocols Brian D. Huntley, CISSP, PMP, CBCP, CISA Senior Information Security Advisor Information Security Officer, IDT911

2 Overview Good enough never is. The strongest, most secure systems can be breached by hackers. It can happen to anyone. What does it look and feel like? What risks and threats should you be on the lookout for? Time-telling and clock building. Program monitoring, program management, and continuous improvement are critical success factors.

3 Information Security Is Never Done Why isn t it a one-and-done? What kinds of change are behind this? How do these changes affect the risk baseline to introduce risk at the margins? The core? What are the most critical changes in this regard? How do you deal with them?

4 Setting the Stage Security Protocol Information Security Risk Triples Data Breach Threat Spectrum Information Security Program Program Management Program Monitoring Program Update

5 Security Protocol Defined Internet Host Configuration Vendor Management Physical Security Risk Assessment Encryption Remote Access Security Access Management BC/DRP Data Security Acceptable Use Electronic Communications Security Third-Party Access Firewalls Record Retention Patch Management Information Management Password Management Incident Response Vulnerabilities Management Information Classification Network Security Awareness and Training Application Security Intrusion Monitoring and Detection

6 Information Security Risk Triples

7 Information Security Risk Triples Example -- ASSET Customer Data Protected, Regulated Information Non-Public Personal information (PII; GLBA, et al) Protected health information (PHI; HIPAA, et al) Primary credit card account numbers (PANs; PCI, et al)

8 Information Security Risk Triples Example -- VULNERABILITY testuser The password fields on the [? YOUR WEBSITE HERE?] page do not have autocomplete attribute set to off.

9 Information Security Risk Triples Example -- ASSET VULNERABILITY testuser THREAT Customer Data Protected, Regulated Information Personal information (PII; GLBA, et al) Protected health info (PHI; HIPAA, et al) Primary credit card account numbers (PANs; PCI, et al) The password fields on the [? YOUR WEBSITE HERE?] page do not have autocomplete attribute set to off. As a result, the browser pops up a remember password dialog box to the user upon submission of a login or change password request. If the user selects the remember password option, the browser saves the password for the user profile in the browser cache. An attacker with access to the same system as the victim user may find the credentials of the valid user in the browser. The attacker may then use the credentials for unauthorized access to the account of the victim user and compromise it. RISK DATA SECURITY BREACH

10 The Cyber Threat Spectrum (abridged) Threat Type Non- *Both Types Threat Category Data Integrity* Denial of Service (DoS) Attack Infiltration Malicious Code Unauthorized Access* WWW Services Disruption Fraud Information Spillage Lost Asset Reputation Theft

11 The Cyber Threat Spectrum (abridged) Threat Category Threat Signature Threat Type Infiltration Compromised Database Server Cyber-Espionage Security Information & Event Monitor (SIEM) System Event Correlation Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) Alerts Disappearing Host WWW Services Disruption Website Compromise or Defacement DNS Fraud (external) SQL Injection Attack Web Application Attack

12 The Cyber Threat Spectrum (abridged) Threat Category Threat Signature Threat Type Malicious Code Anti-Virus Program Detection of virus or phishingrelated files, Crimeware Malicious Scripting Trojan Programs Virus Infection Worm Programs Zero-Day Vulnerability Event Unauthorized Access Unauthorized Access Attempt Unauthorized System Changes Unknown Wireless Access Point Telecommuting/Remote Access Compromise

13 The Cyber Threat Spectrum (abridged) Threat Category Threat Signature Threat Type Denial of Service (DoS) Attack Data Integrity Cloud Storage Upload Storm Distributed DoS (DDoS) Agent Infestation Domain Name System (DNS) Server Denial of Service DoS/DDoS Attack (external) File Integrity Monitor sensitive file system change alerts External data source contamination Non-technical

14 The Cyber Threat Spectrum (abridged) Threat Category Threat Signature Threat Type The Information Cyber Spillage Improper Threat disposal Spectrum (abridged) Non-technical Mis-handled classified documents Non-technical Mis-mailed classified documents Unencrypted classified Customer/client- misdirected/mishandled classified data Unknown exfiltration Non-technical Non-technical Non-technical Non-technical Fraud Fraud Non-technical General Anonymous Threat Non-technical Suspicious Activity Non-technical Lost Asset Missing/Unaccounted for IT Equipment Non-technical

15 The Cyber Threat Spectrum (abridged) Threat Category Threat Signature Threat Type Reputation 3 rd Party Fraud Monitoring Service Alert Non-technical Adverse Internet Reputation Report Non-technical Adverse Media Reputation Report Non-technical Copyright Infringement Non-technical Targeted Social Media/Twitter Storm Non-technical Violations of Acceptable Use Policy Non-technical Theft Insider Theft Non-technical Lost/Stolen Laptop PC/Mobile Device Non-technical Stolen Documents Non-technical Theft of Intellectual Property or Client Data Non-technical Unauthorized Access Physical Intruder Non-technical

16 A Different Kind of Change Management CHANGE Amount of Rate of.. Type of. Impact of time

17 A Different Kind of Change Management Information }? 2015? Knowledge Data

18 Assets as a Function of Time ASSET POPULATION Hardware Software Applications Processes Websites Addresses Physical Locations INFORMATION time

19 Vulnerabilities as a Function of Time CVEs; January, 1999 August, Source: U.S. NIST National Vulnerability Database (NVD)

20 Threats as a Function of Time Script Kiddies Organized Crime THE CYBER CRIME INDUSTRY time Q. E. D.

21 Creating Holes in the Line Vendors, Service Providers and Other Third Parties Organizational Changes New Business Ventures Significant Technological Changes

22 Vendor/Third Party Risk User Control Considerations Sufficient transparency; apparency? Rules of Entropy apply -- R < 1 R < 1 R 2 < R

23 Risk Introduced by Organizational Change Here again Entropy Rules Relative skill sets, experience Relative values, motivations Toxic Combinations

24 Toxic Combinations

25 New Business Ventures are Risky! Mergers Acquisitions De Novo / Greenfield Risk = Likelihood x Consequences Uncertainty Strategy Reputation Liquidity Market Legal and Regulatory

26 What is Significant Technology Change? Disruptive Forklift Upgrade New Applications and Systems Application and System Enhancements Routine Moves, Additions, and Changes Significant Technology Change

27 Bridging the Gaps Vendor Management Organizational Change Management Personnel Security Information Security Monitoring and Testing Information Security Program Management

28 Vendor Management Vendor Management Policy Due Diligence Reviews Initial Qualifying Ongoing Contractual Safeguards Mutual Non-Disclosure Agreement (NDA) Bi-Lateral Data Security Breach Notification Proof of Cyber Coverage and Liability Insurance Controls Certification

29 Organizational Change Management Transition Planning Communication Information Security Awareness and Training Terminations and Transfers Management Logical Access Reviews

30 Personnel Security Background Checks Pre-Employment Post-Employment Employment Agreements Separation of Duties Dual Control Job Rotation Mandatory Vacation

31 Information Security Program Monitoring Controls Testing Existence Effectiveness Asset Inventories Key Statistics Reporting Information Security Risk Assessment Benchmarking and Gap Analysis Independent Third-Party Assessment Trusted Advisor(s)

32 Information Security Program Management Information Security Risk Assessment Assigned Roles and Responsibilities Management Reporting Board Education User Awareness and Training

33 Top 5 Takeaways Information Security work is never done Mind the gaps User Control Considerations Toxic Combinations Information Security Program Management

34

35 Thank You Brian Huntley, CISSP, PMP, CBCP, CISA Sr. Information Security Advisor Information Security Officer, IDT911 IDT911 Consulting 1501 Broadway Suite 1616 New York, NY P: E: