Information Security Threats and Strategies. Ted Ericson Product Marketing - ASI

Transcription

1 Information Security Threats and Strategies Ted Ericson Product Marketing - ASI

2 Agenda Security breaches today Attack vector mitigation Secure web implementation Penetration testing ASI Corporate Security Initiative

3 Security Breaches Today By the numbers in the US 2005 to April 2014 Recorded breaches = 4,455 Records exposed = 626,327,451 Cost per record = $188 Total cost = $117.8B Breach attack patterns 52% of stolen data due to hacktivism 40% of breaches incorporated malware Malicious or criminal attacks that exploit negligence or system glitches

4 Security Breaches Today Primary data breach targets Financial Informational Public 43% of all companies experienced a data breach in the last year Of these, 27% had no response plan in place 80% had root cause in employee negligence Membership organizations emerging Controversial missions/philosophies Play to self-anointed judgment of hacktivists Least likely to have protections in place

5 Security Breaches Today Cyber risk and liability Target breach of M compromised records, potential company liability of $90/exposed record = $3.6B Target directors and officers also facing derivative suits Home Depot breach of M compromised PCI records, liability to exceed $3B JPMorgan Chase breach of M compromised PII accounts White House breach of 2014??? compromised PII records Anthem breach of M compromised PHI records Multi-bank cyberheist 2014 discovered 2015 $1B+ from ATMs Kaspersky, LastPass, HackingTeam all breached in 2015 US National Guard ,000 employees Office of Professional Management million gov t employees

6 Security Breaches Today Cyber risk and liability Brand value drops 17-31% after a breach Data loss not typically covered under corporate insurance policies cyber liability insurance required to cover corporate costs of a breach Software vendors mostly protected by liability limits clauses in their EULAs Custom developed software and software implementation is another story Any technology company associated with a breach is open to litigation

7 Security Breaches Today One breach, 6 investigations Internal investigation Shareholders vs. Directors and Officers Card brand vs. Company Federal Government vs. Company State Government vs. Company Law Enforcement vs. Attacker

8 Security Breaches Today Why NPOs should be concerned Larger budgets/revenues are attractive Mission statements draw hostile attention Greater need for online service provision Growing IT complexity to maintain operating efficiency and maximize member benefits Increasing reliance on 3 rd party cloud/hosting service providers

9 Security Breaches Today Top 5 Security Breach Vulnerabilities Weak credentials Default credential provisioning Susceptible to brute force attacks System misconfiguration Accidental exposure of administrative consoles Stood up systems outside of policy Firewall errors/complexity Service/Software vulnerability Heartbleed, Shellshock Third party software Web application vulnerability Most commonly exploited Custom code developed without security Social engineering Phishing, link clicking

10 Security Breaches Today Web security today is both a proactive and reactive process one must be fully prepared in both aspects to survive in the current threat environment.

11 Attack Vector Mitigation - Business Identify and understand your business risks as regards likely channels of attack Educate Board and senior management on responsibilities and effectively managing cyber security risk Proactively secure data, systems, policies, and procedures in advance plan, Plan, PLAN Gather and share cyber attack intelligence internally and among industry peers

12 Attack Vector Mitigation - Business Train staff and elevate cyber security awareness (APEGGA) Engage outside help when needed Ensure compliance with all regulatory and certification security requirements Respond clearly and deliberately to any critical incident focus on maintaining stakeholder confidence Benchmark your cyber security program in relation to your peers

13 Attack Vector Mitigation - Business It s not just about PCI PCI = Payment Card Information PHI = Personal Health Information PII = Personal Identity Information Create your own Security Assurance Plan NIST s Cybersecurity Framework a great start Industry standards/best practices Technology/methodology agnostic Comprehensive ASI Security Assurance Center Source of all ASI security announcements, resources, hotfixes back to Repository of ASI Security Assurance Plan

14 Secure Web Implementation Perimeter protection security Protect each site with a valid SSL certificate and HTTPS protocol Isolate web servers in the DMZ zone Protect services in the Trusted zone Disallow non-vpn or non-direct RDP access to any server

15 Secure Web Implementation

16 Secure Web Implementation Database firewall security Hides and secures databases through reverse proxy Monitors all incoming and outgoing SQL queries Alerts and blocks signature-based query attacks Maintains database security policy in real-time Protects against known and unknown database exploits

17 Secure Web Implementation GreenSQL located between the imis application and the database inspects all access, including queries and database responses ensures complete coverage for securing, monitoring and masking of sensitive information stored in databases.

18 Secure Web Implementation Recommended GreenSQL deployment Database Server Green SQL imis Application Server Firewall Web Servers Firewall Public (web browsers) Trusted Internal imis Clients DMZ Registrants (web browsers)

19 Secure Web Implementation Runtime Application Self-Protection (RASP) Emerging security layer Sophisticated runtime instrumentation security Developer security expertise not required Agent plug-in to IIS controls execution Detects and prevents attacks in real-time HP s Application Defender Prevoty s Security Engine Shape Security s ShapeShifter

20 Penetration Testing Process to identify security vulnerabilities in a web application or site by evaluating the system or network with various malicious techniques Various end targets Full web site (Amazon, Google, imis customer) Web application product (imis 20 out-of-the-box) Various forms Social engineering Application security Physical penetration

21 Penetration Testing Automated testing tools Pros covers a lot of ground very fast, cost efficient, consistent and repeatable, best suited for rapidly evolving web applications Cons can frequently flag false positives, only as good as the latest signature database of known exploits Adaptive (manual) testing techniques Pros follows the black hat mindset, uncovers application-specific combinatorial vulnerabilities, leverages non-related tools, much more rigorous Cons labor-intensive, not easily repeatable, money sink

22 Penetration Testing ASI committed to conducting self penetration testing imis /200 and platforms Integral to pre-ea/ga regression testing Employ Netsparker tool as a start, expanding to others ASI engaged independent penetration testing services in 2014 Currently GA imis and platforms Adaptive pen testing techniques and methodology No critical vulnerabilities found Secure coding practices strongly recommended

23 ASI Corporate Security Initiative Formed mid-2013 to address the issue of imis running as a secure web application for the benefit of our customers Focused on three areas to mitigate our risk exposure with the use of the imis product Web application product development Site implementation Cloud services Phase 1 complete, Phase 2 emphasis on establishing a corporate ASI Security Assurance Plan with associated policies/procedures

24 Resources Articles Verizon 2014 Data Breach Investigations Report Best Practices OWASP - NIST pdf