Data Breaches and Credential Theft: A Discussion on Preventative Measures

Transcription

1 Data Breaches and Credential Theft: A Discussion on Preventative Measures Shawn McCabe, MCSE Michael Baker, CISSP The market leader in digital identity management.

2 Recent Attacks in the News Sony Pictures Entertainment (SPE) Initial infiltration was via a spear-phishing attack, exploration of network, theft of high-value credentials and finally, deployment of malware across the SPE utilizing compromised high-value creds. Target Initial infiltration was via a spear-phishing attack on Target subcontractor, malware was leveraged to parlay subcontractor s access credentials in to admin level access in to Target s network and payment processing systems. Carbanak Initial infiltration via spear-phishing attack, malware leveraged to compromise administrative credentials and learn banking procedures.

3 Attack Vectors/Exploits/Techniques Social Engineering Browser Exploits & Back Doors - Document/Application (Office, PDF) Remote Code Execution Weak and Stolen Creds/Credential Stuffing/ Authentication-based attacks

4 What Can You Do Now? People are overwhelmed to the point where inaction or doing nothing is as common as doing something. You have to start somewhere; start tomorrow! (For example, implement a policy where administrators are required to use a separate account for administrative functions).

5 Prevention You Can Implement Now Harden soft points that attackers look for (risk elimination) Patching Use DISA STIGS as guidelines ( Privileged Account Management and separation of duty (risk mitigation) Compartmentalized so that a compromise can be contained Accounting for employee risk (often not malicious often negligence or ignorance) Don t count on users to help you with security! Authn/Authz done with digital identity to get into key programs Prevent attacks coming through Patching! Antivirus Disable attachments (require attachments be uploaded through a secure portal) Require signing for internal The average users are not [fluent in security]. They might be fluent in spreadsheets, or ebay, or sending stupid jokes over ; but they re not technologists, let alone security people. -Bruce Schneier, 2006

6 Prevention You Can Implement Now Smart Cards For Admins - enforced for server logons For everyone? Smart Cards can be virtual!! (Smart cards advantage: no more calls to the help desk to reset passwords) Administrative password management (Just In Time access/pam/step-up access) Accounts are enabled for a certain window - password reassigned and given to a specific user, etc Require this process be secured with MFA User Education Frequent friendly reminders about social engineering, or blindly opening attachments, or temporarily giving your password to Joe in marketing. Make an effort to keep it fun and informational. Encourage secure thinking instead of resentment or boredom.

7 Implementing Longer-term Solutions IdM Many vendors are willing to sell you a solution for this Be aware of the need to customize most IdM solutions Some features of technology you may already own are making it easier to implement things like privileged access management as part of IdM

8 Implementing Longer-term Solutions Digital Identity There is overhead to managing a digital identity infrastructure A certain level of expertise required to stand it up and keep it running 80% planning - 20% implementation A well-defined PKI can help your risk/audit story, and support to HIPPA/PCI/SOX requirements Implementing Digital Identity Do it yourself? Engage a specialty company to set it up for you Have it provided to you as a managed service Enterprise? IOT? Management software It should: Make your job easer enable certificate lifecycle

9 About / How to Contact CSS About CSS CSS is an information and security services and software company headquartered in Cleveland, OH with operations throughout North America and resellers in the EU, Southeast Asia and Australia. Contact CSS For more information about the Certificate Management System (CMS), please contact [email protected], call , or visit Michael Baker Director, Enterprise Services Western Region [email protected] Shawn McCabe Solution Architect [email protected]