2012 Data Breach Investigations Report

2012 Data Breach Investigations Report A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-crime Unit of the London Metropolitan Police, and United States Secret Service. Brian Grayek CISSP, ITILv3 SW US Area Manager - Terremark

Data Breach Investigations Report (DBIR) Series
An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who's doing it, why they're doing it, and, of course, what might be done to prevent it.
Available at: www.verizon.com/enterprise/databreach
Updates/Commentary: http://www.verizon.com/enterprise/securityblog
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

Hold on... Wha??? Why is my telco investigating breaches?

Enterprise Solutions to Meet Business Imperatives
IT Services: Cloud-based Services; Data Center Services; Managed Applications; Managed IT Equipment and Services; Professional Services
Security Services: Governance, Risk and Compliance; Identity and Access Management; Managed Security Equipment and Services; ICSA Labs; Professional Services (the RISK Team falls here)
Communications Services: Contact Center Services; Unified Communications; Video, Web and Audio Conferencing; Traditional Voice; Emergency Communications Services; Equipment and Services; Professional Services
Networking Services: Internet; Private WAN; Private Point to Point; Access Services; Managed Networks; Equipment and Services; Professional Services
Mobility: Advanced Communications; Applications and Content; Global Communications; Hardware; Mobile Data; Voice and Messaging; Professional Services

2012 DBIR Contributors

Methodology: Data Collection and Analysis
DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data. It enables case data to be shared anonymously with the RISK Team for analysis.
VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
VERIS: https://verisframework.wiki.zoho.com/

An overview of our results and analysis

Threat Agents

Threat Agents: Larger Orgs

Threat Agents

Threat Agents: External

Threat Actions

Threat Actions: Larger Orgs

Top Threat Actions

Top Threat Actions: Larger Orgs

Compromised Assets

Most Compromised Assets

Compromised Assets: IP & classified data
Servers: 98%
Networks: 0%
User Devices: 7%
Offline Data: 41%
People: 46%
(Each figure is the share of these breaches in which that asset category was compromised; a single breach can involve several categories, so the figures do not sum to 100%.)

Asset Ownership, Hosting, and Management

Compromised Data

Compromised Data

Attack Difficulty

Attack Targeting

The 3-Day Workweek

Timespan of Events

Timespan of Events: Larger Orgs

Breach Discovery

Breach Discovery

PCI DSS Compliance

An overview of Recommendations

Recommendations: Smaller Orgs

Recommendations: Larger Orgs

Verizon Solutions: Larger Orgs
Eliminate unnecessary data; keep tabs on what's left:
Strategy/Assessment: Business Case Analysis; Roadmap and Policy Review; Data Protection Strategy; Product Evaluation
Data Protection:
- Data Discovery and Classification: DDISC; Information Classification
- Data Loss Prevention: DLP Maturity; DLP Post-Leak Management Operationalization; DLP Rights Management; Health Check; DLP Mobile Device Remote Kill Management
- Encryption/Key Management: PKI Roadmaps and Deployment; File/Folder and Full Disk; Email and Messaging; Application and Platform Specific (e.g. Oracle)

Verizon Solutions: Larger Orgs (cont'd)
Ensure essential controls are met; regularly check that they remain so:
Managed Security Services: Identity & Access Management; Vulnerability Management
Professional Services: Business Security Assessment; Information Assurance (IA) Management Action Plans; Security Management Program

Recommendations and Solutions: Larger Orgs (cont'd)
Monitor and mine event logs:
Managed Security Services:
- Application log monitoring and management service
- Managed network and security services for remote monitoring and management of devices (e.g., firewalls, VPNs)
- Network and host intrusion detection/prevention systems
- Gateway anti-virus systems, proxy and content screening systems
- Identity & Access Management
- Log Analysis Tools
Professional Services:
- Identification of critical log sources
- Defining security requirements
- Customizing a filtering and classification policy
- Implementation capabilities including project and technology management, and configuration (including standardizing log formats before transport to a central log server)
- On-site installation and staging

Recommendations and Solutions: Larger Orgs (cont'd)
Evaluate your threat landscape to prioritize your treatment strategy:
Professional Services: Internal and External Network Vulnerability Testing; Penetration Testing; Application Vulnerability Assessment; Security Management Program

Verizon Solutions: Protect Against the Top 10 Threat Actions
Hacking: Use of stolen credentials (30% of breaches)
Description: Refers to instances in which an attacker gains access to a protected system or device using valid but stolen credentials.
Verizon Enterprise Solution:
- Identity & Access Management (professional and managed services)
- Security Awareness Training
- Security Management Program
Malware: Backdoors, Command and Control (18% of breaches); Hacking: Exploitation of backdoor or command and control channel (17% of breaches)
Description: Tools that provide remote access to and/or control of infected systems. Backdoor and command/control programs bypass normal authentication mechanisms and other security controls enabled on a system and are designed to run covertly.
Verizon Enterprise Solution:
- Professional Services: Security Policy Review
- Professional Services: Host-build assessment
- Managed Security Services: Host IDS
- Internet Managed Scanning Services
- Data Loss Prevention (strategy, planning, design, implementation & management)
- Log Monitoring and Management
- Identity and Access Management (professional and managed services)
Physical: Tampering (17% of breaches)
Description: Unauthorized altering or interfering with the normal state or operation of an asset. Refers to physical forms of tampering rather than, for instance, altering software or system settings.
Verizon Enterprise Solution:
- Security Awareness Training
- Professional Services: Physical Security

Verizon Solutions: Protect Against the Top 10 Threat Actions (cont'd)
Keylogger/Form-grabber/Spyware (13% of breaches)
Description: Malware that is specifically designed to collect, monitor, and log the actions of a system user. Typically used to collect usernames and passwords as part of a larger attack scenario. Also used to capture payment card information on compromised POS devices. Most run covertly to avoid alerting the user that their actions are being monitored.
Verizon Enterprise Solution:
- Professional Services: Security Policy Review
- Professional Services: Host-build assessment
- Managed Security Services: Host IDS
- Internet Managed Scanning Services
- Identity and Access Management
- Security Management Program
Pretexting (Social Engineering) (12% of breaches)
Description: A social engineering technique in which the attacker invents a scenario to persuade, manipulate, or trick the target into performing an action or divulging information. These attacks exploit bugs in human hardware and, unfortunately, there is no patch for this.
Verizon Enterprise Solution:
- Professional Services: Social Engineering
- Security Awareness Training
- Security Management Program

Alignment of Recommendations and Solutions: Protect Against the Top 10 Threat Actions
Brute-force attack (8% of breaches)
Description: An automated process of iterating through possible username/password combinations until one is successful.
Verizon Enterprise Solution:
- Identity & Access Management Services
- Professional Services: Encryption and Key Management
- Application Log Monitoring
SQL injection (8% of breaches)
Description: SQL injection is an attack technique used to exploit how web pages communicate with back-end databases. An attacker can issue commands (in the form of specially crafted SQL statements) to a database using input fields on a website.
Verizon Enterprise Solution:
- Application Vulnerability Scanning
- Secure Application Development Training
- Application Security Program
- Professional Services: Secure Source Code Review; Penetration Testing; Application firewall implementation, monitoring & management
- Identity and Access Management
- Database audit technology monitoring & management
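The SQL injection item above describes the mechanism in one sentence; the following Python example, added here and not code from the report or from Verizon, shows it concretely: the injectable pattern (the form value spliced into the statement text) next to the parameterized form, run against an in-memory SQLite table of constructed sample rows. The table, the column names and the two payload strings are assumptions made for the illustration.

```python
"""Added example: injectable query beside its parameterized form (SQLite in memory).
Not code from the DBIR or from Verizon; data and payloads are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three customers and the last four card digits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users (name, card_last4) VALUES (?, ?)",
                     [("alice", "4242"), ("bob", "0005"), ("carol", "1117")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    # The web form value is spliced into the SQL text, so a value containing a
    # quote can close the literal and append its own clauses. Kept deliberately
    # unsafe to show the attack; never write this in production code.
    sql = f"SELECT name, card_last4 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str):
    # The statement shape is fixed at compile time; the driver passes the value
    # separately, so quotes, comments and UNIONs in it are only characters.
    sql = "SELECT name, card_last4 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two classic payloads an attacker would type into the "name" field.
# Tautology: the WHERE clause becomes  name = '' OR '1'='1'  and every row matches.
TAUTOLOGY = "' OR '1'='1"
# UNION: appends a query against another table (here the schema catalogue) and
# comments out the dangling quote, turning a lookup form into a data export.
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo() -> dict:
    """Run both lookups with both payloads and a benign value; return the row counts."""
    db = make_db()
    return {
        "vulnerable_tautology": len(lookup_vulnerable(db, TAUTOLOGY)),
        "vulnerable_schema_dump": len(lookup_vulnerable(db, SCHEMA_DUMP)),
        "parameterized_tautology": len(lookup_parameterized(db, TAUTOLOGY)),
        "parameterized_schema_dump": len(lookup_parameterized(db, SCHEMA_DUMP)),
        "parameterized_alice": len(lookup_parameterized(db, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every customer for the tautology and the table definition for the UNION payload; the parameterized lookup returns nothing for either, because no customer is literally named `' OR '1'='1`. Input filtering and application firewalls (listed among the solutions above) reduce exposure, but the parameterized statement is the fix, since it removes the code/data confusion the attack depends on.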

Recommendations and Solutions: Protect Against the Top 10 Threat Actions (cont'd)
Unauthorized access via default credentials (43% of breaches with a single threat action)
Description: Refers to instances in which an attacker gains access to a system or device protected by standard preset (and therefore widely known) usernames and passwords.
Verizon Enterprise Solution:
- Identity & Access Management (professional and managed services)
- Partner Security Program
- Security Management Program
- Penetration Testing
Phishing (and endless *ishing variations) (8% of breaches)
Description: A social engineering technique in which an attacker uses fraudulent electronic communication (usually e-mail) to lure the recipient into divulging information. Most appear to come from a legitimate entity and contain authentic-looking content. The attack often incorporates a fraudulent website component as well as the lure.
Verizon Enterprise Solution:
- Internet Managed Scanning Services
- Managed Web-Content Filtering (Websense, etc.)
- Professional Services: Security Policy Review
- Security Management Program
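Three of the threat actions in this list (use of stolen credentials, brute force, and default credentials) leave the same kind of evidence: authentication records. The "Application Log Monitoring" solution named against brute force is, at its core, the logic below. This Python example is added here and is not Verizon's tooling or DBIR data; the one-line-per-attempt log format, the thresholds, the list of default account names and the internal address ranges are all assumptions for the illustration, and the log itself is constructed. It raises an indicator when one source fails repeatedly inside a short window, when a success lands on such a window (the guessing worked, so the account is now a stolen credential), and when a vendor-default account logs in from outside the management ranges.

```python
"""Added example: brute-force and credential-abuse indicators from auth logs.
Format, thresholds, default-account list and ranges are assumptions; the log is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed format: "2012-03-15T02:14:01 auth FAILED user=admin src=203.0.113.7"
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAILED|ACCEPTED) user=(?P<user>\S+) src=(?P<src>\S+)$")
THRESHOLD = 5                                             # failures from one source ...
WINDOW_SECONDS = 60                                       # ... within this many seconds
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "support"}  # assumed vendor-preset names
INTERNAL_PREFIXES = ("10.", "192.168.")                   # assumed management ranges


def analyze(lines):
    """Return (indicator, source, user) tuples in the order they fire.
    Lines must already be in chronological order."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    already_flagged = set()                # sources already reported for brute force
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # unrelated or malformed line: skip, do not crash
        ts = datetime.fromisoformat(m["ts"])
        src, user, result = m["src"], m["user"], m["result"]
        window = recent_failures[src]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()               # expire failures older than the window
        if result == "FAILED":
            window.append(ts)
            if len(window) >= THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("brute_force", src, user))
            continue
        # A success that lands on a still-hot failure window means the guessing worked.
        if len(window) >= THRESHOLD:
            alerts.append(("success_after_brute_force", src, user))
        # A preset account logging in from outside the management ranges is the
        # default-credential pattern, whether or not anything was guessed first.
        if user in DEFAULT_ACCOUNTS and not src.startswith(INTERNAL_PREFIXES):
            alerts.append(("default_account_external_login", src, user))
        window.clear()                     # a success ends the guessing episode
        already_flagged.discard(src)
    return alerts


# Constructed sample log (not real data). The last five lines show the window
# expiring: three failures, a five-minute gap, then two more never reach five.
SAMPLE_LOG = """\
2012-03-15T02:14:01 auth FAILED user=admin src=203.0.113.7
2012-03-15T02:14:02 auth FAILED user=admin src=203.0.113.7
2012-03-15T02:14:03 auth FAILED user=admin src=203.0.113.7
2012-03-15T02:14:04 auth FAILED user=admin src=203.0.113.7
2012-03-15T02:14:05 auth FAILED user=admin src=203.0.113.7
2012-03-15T02:14:06 auth ACCEPTED user=admin src=203.0.113.7
2012-03-15T03:30:00 auth ACCEPTED user=jsmith src=10.1.4.22
2012-03-15T03:31:10 auth FAILED user=jsmith src=10.1.4.22
2012-03-15T03:45:00 auth ACCEPTED user=root src=198.51.100.9
2012-03-15T04:00:00 auth FAILED user=guest src=198.51.100.9
2012-03-15T04:00:01 auth FAILED user=guest src=198.51.100.9
2012-03-15T04:00:02 auth FAILED user=guest src=198.51.100.9
2012-03-15T04:05:00 auth FAILED user=guest src=198.51.100.9
2012-03-15T04:05:01 auth FAILED user=guest src=198.51.100.9
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this yields four indicators: the brute-force burst from 203.0.113.7, the success that follows it, the default `admin` account logging in from that external address, and the external `root` login. The `jsmith` lines and the spaced-out `guest` failures produce nothing, which is the point of the sliding window: a low, slow attacker needs a lower threshold or a longer window, and the values here are tuning knobs, not a standard.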

Measuring and managing information risk
To properly manage risk, we must measure it. To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls that offer protection.

A threat event that is measurable (and thus manageable) identifies the following 4 A's:
Agent: whose actions affected the asset
Action: what actions affected the asset
Asset: which assets were affected
Attribute: how the asset was affected
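The 4 A's are what make VERIS-style case sharing (the methodology slide earlier) work: every contributor records the same four typed fields, and nothing identifying has to leave the organisation. The Python record below is an added illustration, not VERIS itself or any Verizon code. It types each A as a closed vocabulary, serialises an incident for sharing, and tallies action categories across a few constructed incidents the way the threat-action charts do. The category values, the reduced set of action types and the confidentiality/integrity/availability attribute set are assumptions chosen for the example.

```python
"""Added example: a minimal VERIS-style incident record built on the four A's.
Not VERIS or Verizon code; vocabularies are an assumed, reduced subset."""
import json
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Agent(Enum):        # Whose actions affected the asset
    EXTERNAL = "external"
    INTERNAL = "internal"
    PARTNER = "partner"


class Action(Enum):       # What actions affected the asset
    HACKING = "hacking"
    MALWARE = "malware"
    SOCIAL = "social"
    PHYSICAL = "physical"
    MISUSE = "misuse"
    ERROR = "error"


class Asset(Enum):        # Which asset was affected
    SERVER = "server"
    NETWORK = "network"
    USER_DEVICE = "user device"
    OFFLINE_DATA = "offline data"
    PEOPLE = "people"


class Attribute(Enum):    # How the asset was affected (assumed CIA subset)
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


@dataclass(frozen=True)
class ThreatEvent:
    """One measurable event: all four A's are mandatory, typed fields."""
    agent: Agent
    action: Action
    asset: Asset
    attribute: Attribute

    def to_dict(self) -> dict:
        return {"agent": self.agent.value, "action": self.action.value,
                "asset": self.asset.value, "attribute": self.attribute.value}

    @classmethod
    def from_dict(cls, d: dict) -> "ThreatEvent":
        # Enum(value) raises ValueError for anything outside the vocabulary,
        # which is what keeps records from different contributors comparable.
        return cls(Agent(d["agent"]), Action(d["action"]),
                   Asset(d["asset"]), Attribute(d["attribute"]))


@dataclass
class Incident:
    """A breach is usually a chain of several threat events."""
    incident_id: str
    events: list

    def __post_init__(self):
        if not self.events:
            raise ValueError("an incident needs at least one threat event")

    def to_json(self) -> str:
        # Only the four A's leave the organisation: no hostnames, no people.
        return json.dumps({"incident_id": self.incident_id,
                           "events": [e.to_dict() for e in self.events]})

    @classmethod
    def from_json(cls, text: str) -> "Incident":
        raw = json.loads(text)
        return cls(raw["incident_id"], [ThreatEvent.from_dict(e) for e in raw["events"]])


def action_breakdown(incidents) -> dict:
    """Percentage of incidents in which each action category occurs at least once.
    An incident with three hacking events counts once, which is why such
    charts add up to more than 100%."""
    seen = Counter()
    for inc in incidents:
        for act in {e.action for e in inc.events}:
            seen[act.value] += 1
    return {k: round(100 * v / len(incidents)) for k, v in seen.items()}


# Constructed sample incidents, not DBIR case data.
EXT, C = Agent.EXTERNAL, Attribute.CONFIDENTIALITY
SAMPLE_INCIDENTS = [
    # card skimmer fitted to a payment terminal
    Incident("inc-001", [ThreatEvent(EXT, Action.PHYSICAL, Asset.USER_DEVICE, C)]),
    # default credentials on a POS server, then a keylogger dropped on it
    Incident("inc-002", [ThreatEvent(EXT, Action.HACKING, Asset.SERVER, C),
                         ThreatEvent(EXT, Action.MALWARE, Asset.SERVER, C)]),
    # pretext phone call yields a password, then a remote login with it
    Incident("inc-003", [ThreatEvent(EXT, Action.SOCIAL, Asset.PEOPLE, Attribute.INTEGRITY),
                         ThreatEvent(EXT, Action.HACKING, Asset.SERVER, C)]),
    # insider copies a customer export
    Incident("inc-004", [ThreatEvent(Agent.INTERNAL, Action.MISUSE, Asset.SERVER, C)]),
]

if __name__ == "__main__":
    print(action_breakdown(SAMPLE_INCIDENTS))
    print(Incident.from_json(SAMPLE_INCIDENTS[1].to_json()))
```

Two design points carry over to any real sharing scheme: the vocabulary is closed (a record with an unknown agent or action is rejected at parse time rather than silently counted), and the serialised form contains nothing beyond the four A's, so a case can be handed to an outside analyst without a legal review of every field.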


Diagnose Ailments

Treatment strategy (figure): each treatment column is built from Policy, People, Process and Technology

EBRM (evidence-based risk management) aims to apply the best available evidence gained from empirical research to measure and manage information risk.

Data Breach Investigations Report (DBIR) series = evidence for measuring and managing risk


DBIR: www.verizon.com/enterprise/databreach
VERIS: https://verisframework.wiki.zoho.com/
Blog: http://www.verizon.com/enterprise/securityblog
Email: dbir@verizon.com