Vulnerability Assessment & Compliance

Transcription

1 Vulnerability Assessment & Compliance August 3 rd, 2011 Building trust through Information security* Citizen-Centric egovernment state Consultantion workshop

2 Agenda VAPT What and Why Threats - Who and How Case Studies Slide 2

3 Focus Area: Vulnerability Assessment & Penetration Testing 3 Key Questions What is it? A simulation of actions a hacker would take A real-life test of security event detection and response An attempt to find the weaknesses before the bad guys do What is involved? Manual penetration testing Attempt to access client data without logging into application or network Attempt to access database directly or via an application Attempt to access administrative functions Automated web security scanning Automated network vulnerability scanning What are the Results? Identification of actual security vulnerabilities that could be used to compromise sensitive corporate data (e.g. payment card data, customer contact information, strategy etc.) Slide 3

4 The Changing Landscape This is an IT issue Erstwhile Perspective This will never happen to us Disorganized, amateurish hackers working out of their homes, doing it for fun rather than money Negligible impact on customers, employees and company costs We trust our employees to secure our information. Risk exposures are small and manageable We passed our audit, so we re safe Modern Perspective Companies of all sizes and across all industries confront a real, growing, and strategic risk from data and identity theft. Theft is a lucrative business for sophisticated, organized criminal enterprises based worldwide. Data loss commonly occurs through physical loss, data exchanges, fraud, and human error; rather than just IT breaches. Loss of personal data leaves customers and employees at risk of fraud and personal identity theft. Employees and collaboration networks are the most common data leak sources. Risks are substantial, including customer lawsuits, erosion of future revenue, loss of brand reputation and customers, government fines and new regulation. Data protection is a CEO-level concern. Slide 4

5 Common misconceptions My security controls are adequate The only way to prove security is to test it We already audit security I m not a target Slide 5

6 Types of Assessments External Penetration Test Identifies AND confirms external vulnerabilities Simulates actual external hacker attempting Internal Penetration Test Web Application Assessment Wireless Assessment Identifies AND confirms internal vulnerabilities Simulates malicious internal user or contractor hacking network. Identifies AND confirms vulnerabilities existing within the Web sites. Simulates hacker attempting to steal information from web site. Identifies potential rogue or weak access Simulates hacker attempting to gain access to network via wireless network. Vulnerability Scanning Identifies potential vulnerabilities, but does not confirm if they actually exist. Slide 6

7 The Real Threats External Attackers Malicious Software Insider threat Phishing & Website defacement Organised Crime CERT Coordination Centre Research Hackers Break into computers primarily for the challenge and status of obtaining access Spies Break into computers primarily for information which can be used for political gain Terrorists Break into computers primarily to cause fear which will aid in achieving political gain Corporate raiders Employees of one company break into computers of competitors for financial gain Professional Criminals Break into computers for personal financial gain Vandals Break into computers primarily to cause damage Slide 7

8 The Real Threats External Attackers Malicious Software Insider threat Phishing & Website defacements Organised Crime Increasing malware threats Significant malware growth in the last few years Stuxnet caused havoc at Natanz Iran s Uranium enrichment plant Significant growth in malware-mcafee Threat Report 2011 Slide 8

9 The Real Threats External Attackers Insider Threat a major concern for India. Malicious Software Insider threat Phishing & Website Defacements All service provider organizations believe current employees are primary source of insider incidents. 75% of the client organizations believe that personal financial gain is the prime motive for insiders at service provider organisations. Organised Crime Insider Threat Report 2011 DSCI & PwC Government Infrastructure Vulnerability Assessment & Compliance Slide 9

10 The Real Threats CERT-IN Defacement statisitcs for May 2011 External Attackers Malicious Software Insider threat Phishing & Website defacements Organised Crime Govt sites are Web site defacement targets India along with the US and UK accounted for 70% of the brands targeted by phishing Slide 10

11 The Real Threats External Attackers Malicious Software Insider threat Phishing & Website defacements Organised Crime Cyberterror: The deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons. Cyber-utilisation: The use of on-line networks or data by terrorist organisations for supportive purposes. Cybercrime: The deliberate misuse of digital data or information flows. Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 Billion - Valerie McNiven, US Treasury Adviser Organised crime has changed. You still have traditional organised crime but now they have learned to compromise employees and contractors - Tony Neate, e-crime liaison officer for the Serious Organised Crime Agency CERT Coordination Centre Research Slide 11

12 Attack Types Denial of Service Stopping legitimate services offered by a system through exhausting its available resources with illegitimate requests Defacement / Vandalism A malicious change to a public service for kudos. Can result in serious legal or PR damage Eavesdropping Listening to or intercepting sensitive information between two or more points Social Engineering An attack designed to gain sensitive information inadvertently disclosed via the human element Indirect Attacks An attack by a malicious threat via a medium such as the internet, a modem or other network Direct access attacks An attack by a malicious threat directly on the system with physical proximity Malware Malicious code such as Virus, Worm or Trojan Horse designed to perform a malicious action or assist in another attack type Slide 12

13 Evolving Business Risks Data and identities are increasingly at risk of theft Data is portable, and can be easily transferred and replicated - once distributed, all subsequent media are potential breach points Shifting business models that emphasize collaboration with 3 rd parties makes traditional protection methods inadequate (e.g., application security, perimeter controls) Compliance is merely the minimum level of security needed compliance does not equal security An unpleasant fact is that most company security measures are compliancefocused, which are inadequate against today's sophisticated threats. Slide 13

14 Case: TJX Computer Systems TJX Intrusions Exposed 45.7 Million Credit and Debit Cards 45.7 million credit and debit card numbers were compromised over 18 months 455,000 individuals who returned items without receipts also had personal data stolen, including their driver's license numbers. The company became aware of suspicious software on their computers on December 18, 2006, and with the investigatory help of General Dynamics and IBM, by December 21 they had learned that the systems had been breached and the intruder still had access to the system. Slide 14

15 TJX Share Price, Post January 19 th Press Release Media frenzy post release Slide 15

16 Cost of TJX Breach $256m spent so far $1.6bn estimated total spend Class action law suit underway in the US Slide 16

17 Cost of Data Breach Annual Study :Ponemon Institute, LLC Breaches included in the survey ranged from 2,500 records to 263,000 records from 15 different industry sectors and cover the costs resulting from 815,000 compromised customer records. Among the study s key findings: Total costs: averaged $182 per lost customer record, an increase of 30 percent over 2005 results. The average total cost per reporting company was $4.8 million per breach and ranged from $226,000 to $22 million. Direct incremental costs: averaged $54 per lost record, an 8 percent increase over 2005 results for unbudgeted, out-of-pocket spending. Includes free or discounted services offered; notification letters, phone calls, and s; legal, audit and accounting fees; call center expenses; public and investor relations; and other costs. Lost productivity costs: averaged $30 per lost record, an increase of 100 percent over 2005 results, for lost employee or contractor time and productivity diverted from other tasks. Customer opportunity costs: averaged $98 per lost record, an increase of 31 percent over 2005 results, covering turnover of existing customers and increased difficulty in acquiring new customers. Customer turnover averaged 2 percent and ranged as high as 7 percent. Slide 17

18 What happens to stolen data? Hackers Selling Stolen Identities for $14 Identity thieves are offering credit card numbers, dates of birth, and other sensitive information for sale for as little as $14 a pop over the Internet. The data is sold on so-called "underground economy servers, used by criminal organizations to hawk information they've captured through hacking. The information can then be used for identity scams, such as opening a bank account in a false name. Slide 18

19 Example: Underground Economy Server Slide 19

20 Compliance Continual Assurance Framework Using risk analysis to define the right testing for the right area Predetermined real life scenarios Continual Year round testing schedules Engage Ethical Hackers/Third Party Penetration Testers. Slide 20

21 Sample Test Programme Test Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Perimeter Vulnerability Scan Perimeter Penetration Test Wireless Penetration Test Internal Penetration Test (L1 Risk) Internal Penetration Test (L2 Risk) Web Application Test Modem Access Test Slide 21

22 Benefits Creates proactive focus on information security Finds potential exploits before crackers find them Results in systems being kept up to date and patched Promotes growth and aids in developing staff expertise Abates Financial loss and negative publicity Slide 22

23 Q & A

24 Traversing Global... Thank You Government Infrastructure Vulnerability Assessment & Compliance Slide 24

25 This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Pvt Ltd., its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it All rights reserved. PwC, a registered trademark, refers to PricewaterhouseCoopers Private Limited (a limited company in India) or, as the context requires, other member firms of PwC International Limited, each of which is a separate and independent legal entity.