Vulnerability Assessment & Compliance


www.pwc.com
Vulnerability Assessment & Compliance
August 3rd, 2011
Building trust through Information security*
Citizen-Centric eGovernment State Consultation Workshop

Slide 2: Agenda
- VAPT: What and Why
- Threats: Who and How
- Case Studies

Slide 3: Focus Area: Vulnerability Assessment & Penetration Testing (3 Key Questions)

What is it?
- A simulation of the actions a hacker would take
- A real-life test of security event detection and response
- An attempt to find the weaknesses before the bad guys do

What is involved?
- Manual penetration testing:
  - Attempt to access client data without logging into the application or network
  - Attempt to access the database directly or via an application
  - Attempt to access administrative functions
- Automated web security scanning
- Automated network vulnerability scanning

What are the results?
- Identification of actual security vulnerabilities that could be used to compromise sensitive corporate data (e.g. payment card data, customer contact information, strategy, etc.)

Slide 4: The Changing Landscape

Erstwhile perspective:
- This is an IT issue
- This will never happen to us
- Disorganized, amateurish hackers working out of their homes, doing it for fun rather than money
- Negligible impact on customers, employees and company costs
- We trust our employees to secure our information; risk exposures are small and manageable
- We passed our audit, so we're safe

Modern perspective:
- Companies of all sizes and across all industries confront a real, growing, and strategic risk from data and identity theft.
- Theft is a lucrative business for sophisticated, organized criminal enterprises based worldwide.
- Data loss commonly occurs through physical loss, data exchanges, fraud, and human error, rather than just IT breaches.
- Loss of personal data leaves customers and employees at risk of fraud and personal identity theft.
- Employees and collaboration networks are the most common data leak sources.
- Risks are substantial, including customer lawsuits, erosion of future revenue, loss of brand reputation and customers, government fines and new regulation.
- Data protection is a CEO-level concern.

Slide 5: Common misconceptions
- "My security controls are adequate": the only way to prove security is to test it
- "We already audit security"
- "I'm not a target"

Slide 6: Types of Assessments

- External Penetration Test: identifies AND confirms external vulnerabilities. Simulates an actual external hacker attempting an attack.
- Internal Penetration Test: identifies AND confirms internal vulnerabilities. Simulates a malicious internal user or contractor hacking the network.
- Web Application Assessment: identifies AND confirms vulnerabilities existing within the web sites. Simulates a hacker attempting to steal information from a web site.
- Wireless Assessment: identifies potential rogue or weak access. Simulates a hacker attempting to gain access to the network via the wireless network.
- Vulnerability Scanning: identifies potential vulnerabilities, but does not confirm whether they actually exist.

Slide 7: The Real Threats (External Attackers, Malicious Software, Insider Threat, Phishing & Website Defacement, Organised Crime)

Attacker profiles (CERT Coordination Centre Research, www.cert.org):
- Hackers: break into computers primarily for the challenge and status of obtaining access
- Spies: break into computers primarily for information which can be used for political gain
- Terrorists: break into computers primarily to cause fear which will aid in achieving political gain
- Corporate raiders: employees of one company break into computers of competitors for financial gain
- Professional criminals: break into computers for personal financial gain
- Vandals: break into computers primarily to cause damage

Slide 8: The Real Threats: Malicious Software
- Increasing malware threats: significant malware growth in the last few years
- Stuxnet caused havoc at Natanz, Iran's uranium enrichment plant
- Significant growth in malware (source: McAfee Threat Report 2011)

Slide 9: The Real Threats: Insider Threat, a major concern for India
- All service provider organizations believe current employees are the primary source of insider incidents.
- 75% of the client organizations believe that personal financial gain is the prime motive for insiders at service provider organisations.
(Source: Insider Threat Report 2011, DSCI & PwC)
Government Infrastructure Vulnerability Assessment & Compliance

Slide 10: The Real Threats: Phishing & Website Defacements
[Figure: CERT-IN defacement statistics for May 2011]
- Government sites are web site defacement targets
- India, along with the US and UK, accounted for 70% of the brands targeted by phishing

Slide 11: The Real Threats: Organised Crime

- Cyberterror: the deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.
- Cyber-utilisation: the use of on-line networks or data by terrorist organisations for supportive purposes.
- Cybercrime: the deliberate misuse of digital data or information flows.

"Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 Billion." - Valerie McNiven, US Treasury Adviser

"Organised crime has changed. You still have traditional organised crime but now they have learned to compromise employees and contractors." - Tony Neate, e-crime liaison officer for the Serious Organised Crime Agency

(CERT Coordination Centre Research, www.cert.org)

Slide 12: Attack Types
- Denial of Service: stopping legitimate services offered by a system by exhausting its available resources with illegitimate requests
- Defacement / Vandalism: a malicious change to a public service for kudos; can result in serious legal or PR damage
- Eavesdropping: listening to or intercepting sensitive information between two or more points
- Social Engineering: an attack designed to gain sensitive information inadvertently disclosed via the human element
- Indirect Attacks: an attack by a malicious threat via a medium such as the internet, a modem or another network
- Direct Access Attacks: an attack by a malicious threat directly on the system, with physical proximity
- Malware: malicious code such as a virus, worm or Trojan horse designed to perform a malicious action or assist in another attack type

Slide 13: Evolving Business Risks
- Data and identities are increasingly at risk of theft
- Data is portable, and can be easily transferred and replicated; once distributed, all subsequent media are potential breach points
- Shifting business models that emphasize collaboration with 3rd parties make traditional protection methods inadequate (e.g., application security, perimeter controls)
- Compliance is merely the minimum level of security needed; compliance does not equal security
- An unpleasant fact is that most company security measures are compliance-focused, which is inadequate against today's sophisticated threats

Slide 14: Case: TJX Computer Systems

TJX intrusions exposed 45.7 million credit and debit cards:
- 45.7 million credit and debit card numbers were compromised over 18 months
- 455,000 individuals who returned items without receipts also had personal data stolen, including their driver's license numbers
- The company became aware of suspicious software on their computers on December 18, 2006, and with the investigatory help of General Dynamics and IBM, by December 21 they had learned that the systems had been breached and the intruder still had access to the system

Slide 15: TJX Share Price, Post January 19th Press Release
[Figure: share price chart; media frenzy post release]

Slide 16: Cost of TJX Breach
- $256m spent so far
- $1.6bn estimated total spend
- Class action lawsuit underway in the US

Slide 17: Cost of Data Breach (Annual Study: Ponemon Institute, LLC)

Breaches included in the survey ranged from 2,500 records to 263,000 records from 15 different industry sectors and cover the costs resulting from 815,000 compromised customer records. Among the study's key findings:
- Total costs: averaged $182 per lost customer record, an increase of 30 percent over 2005 results. The average total cost per reporting company was $4.8 million per breach and ranged from $226,000 to $22 million.
- Direct incremental costs: averaged $54 per lost record, an 8 percent increase over 2005 results for unbudgeted, out-of-pocket spending. Includes free or discounted services offered; notification letters, phone calls, and emails; legal, audit and accounting fees; call center expenses; public and investor relations; and other costs.
- Lost productivity costs: averaged $30 per lost record, an increase of 100 percent over 2005 results, for lost employee or contractor time and productivity diverted from other tasks.
- Customer opportunity costs: averaged $98 per lost record, an increase of 31 percent over 2005 results, covering turnover of existing customers and increased difficulty in acquiring new customers. Customer turnover averaged 2 percent and ranged as high as 7 percent.

Slide 18: What happens to stolen data?

Hackers selling stolen identities for $14: identity thieves are offering credit card numbers, dates of birth, and other sensitive information for sale for as little as $14 a pop over the Internet. The data is sold on so-called "underground economy servers", used by criminal organizations to hawk information they've captured through hacking. The information can then be used for identity scams, such as opening a bank account in a false name.

Slide 19: Example: Underground Economy Server
[Figure: screenshot of an underground economy server]

Slide 20: Compliance: Continual Assurance Framework
- Using risk analysis to define the right testing for the right area
- Predetermined real-life scenarios
- Continual, year-round testing schedules
- Engage ethical hackers / third-party penetration testers

Slide 21: Sample Test Programme

Tests scheduled across the year (columns Jan through Dec):
- Perimeter Vulnerability Scan
- Perimeter Penetration Test
- Wireless Penetration Test
- Internal Penetration Test (L1 Risk)
- Internal Penetration Test (L2 Risk)
- Web Application Test
- Modem Access Test

Slide 22: Benefits
- Creates a proactive focus on information security
- Finds potential exploits before crackers find them
- Results in systems being kept up to date and patched
- Promotes growth and aids in developing staff expertise
- Abates financial loss and negative publicity

Q & A

Slide 24: Thank You
Traversing Global...

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Pvt Ltd., its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2011. All rights reserved. PwC, a registered trademark, refers to PricewaterhouseCoopers Private Limited (a limited company in India) or, as the context requires, other member firms of PwC International Limited, each of which is a separate and independent legal entity.