Who’s that knocking at your door? - isaca.org
Who’s that knocking at your door?
The soft underbelly of Information Security…
Glenn M. Wilson, Deloitte & Touche LLP
2 Copyright © 2013 Deloitte Development LLC. All rights reserved.
Discussion Overview
• Today’s Cyber Risks
• How a malicious hacker views a target
• Approaches to data protection
Intro and Background
A question…
What is the primary “job” of a corporation?
Corporations must, by law, operate not in the interest of the public but to maximize shareholder value
Glenn’s wish
I wish that the SEC would mandate that all publicly traded companies put the value of their information on the balance sheet
The big data challenge
The world’s data footprint is growing rapidly:
• 90% of all data were created in the last two years
• Information Technology budgets are expected to expand 40% by the year 2020
• Data available will soon increase to 40,000 Exabytes
Source: ibm.com
Exabyte: 1,000,000,000,000,000,000 bytes (10^18 bytes)
Have you been breached?
90% of organizations have had a leakage of sensitive data in the last 12 months
- Ponemon Institute, 2013 Cost of Breach Study
How data is lost
The Hacker
Opinion poll
Are hackers good or bad?
Types of hackers
Noobs and script kiddies
A noob or script kiddie is an amateur who breaks into computer systems not through any knowledge of IT security, but by running prepackaged automated scripts written by others
Source: Search for “How to hack a website” conducted on google.com
Threat actors vary
(Chart: threat actors rated by capability; legend: Very high, High, Moderate, Low)
Guess who
• Malicious code released 05:30 UTC on January 25, 2003
• Infects nearly all of its 75,000 victims in less than 10 minutes
• Causes over $1,200,000,000.00 in damage
• Microsoft reported the vulnerability and released a patch on… July 24, 2002
• Its name was the Sapphire worm, but it is commonly referred to as SQL Slammer
This more than anything created patch management as we know it today.
We’re social beings at heart
“The ability to research a target online has enabled hackers to create powerful social engineering attacks that easily fool even sophisticated users.” - Symantec
“One hour of research . . . is usually all it takes to garner the answers for a user’s bank challenge questions.” - Anonymous
“Why would I risk getting a gun and a mask, then going into a bank and robbing it when I can just steal the money anonymously?” - 2013 Grey Hat
In the news today…
What happens to stolen data?
(Figure: Underground IRC chat… Source: Symantec)
Threat interest
Increased DarkNet activity in:
• Vanity attacks
• Watering hole attacks
• BYOD and data mobility
• Social media bridges
• Connected homes – ISO v8 highlights health and home monitoring
• Connected cars – 360-degree sensing, fusing sensor inputs together like camera, radar and sonar, and integration of mapping, GPS and vehicle-to-vehicle communication systems
What’s wrong with this picture?
(Diagram: Internet; Untrusted Networks vs. Trusted Networks; Business Partners)
There are NO
Hacking 30,000’ view
- Footprinting
- Discovery
- Enumeration
- Penetration
- Escalation
Goal: Privileged Access
Discovering passwords
By executing a simple search, we are able to discover a number of potentially insecure installations that reveal sensitive information such as admin usernames and passwords.
“filetype:pwd service”
Discovering website vulnerabilities
Some websites expose unknown vulnerabilities to the internet. These can often be easily searched and exploited:
• Type “php?id=1” into a search engine
• Copy the URL of the site to be checked
• Paste that URL plus an apostrophe and see if the site may be vulnerable to a SQL injection attack
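Why the apostrophe is a tell, and how a defender removes it, as an added example that is not part of the deck: a concatenated query turns the request value into SQL grammar, so a stray quote produces a database error that the page then echoes; a parameterised query binds the value as data and the same input simply matches nothing. The in-memory SQLite table, the request handler and the access-log lines below are constructed for this example, and the detection function at the end shows the defender's side of the same probe.

```python
"""Added example (not from the slides): the apostrophe probe from the
vulnerable side and the hardened side, plus a log check for the probe.
The SQLite table, request handler and log lines are all constructed."""
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit


def make_db() -> sqlite3.Connection:
    # Constructed sample schema standing in for a product-catalogue page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable pattern: the request value is spliced into the statement,
    so id=1' yields ... WHERE id = '1'' and the SQL parser rejects it."""
    sql = "SELECT name FROM products WHERE id = '" + raw_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened pattern: the value is bound as a parameter and never parsed
    as SQL, so a quote is just a character that matches no row."""
    return conn.execute("SELECT name FROM products WHERE id = ?", (raw_id,)).fetchall()


def handle_request(conn: sqlite3.Connection, raw_id: str, hardened: bool) -> dict:
    """Simulated page handler. The un-hardened path also echoes the raw
    database error, which is exactly the signal the probe looks for."""
    try:
        rows = lookup_safe(conn, raw_id) if hardened else lookup_unsafe(conn, raw_id)
        return {"status": 200, "rows": rows}
    except sqlite3.Error as exc:
        if hardened:
            # Keep the detail in server-side logs; tell the client nothing about the DB.
            return {"status": 400, "error": "invalid request"}
        return {"status": 500, "error": f"Database error: {exc}"}


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2013:10:01:02 +0000] "GET /product.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2013:10:01:09 +0000] "GET /product.php?id=1%27 HTTP/1.1" 500 231',
    '10.0.0.9 - - [12/Mar/2013:10:02:15 +0000] "GET /about.php HTTP/1.1" 200 1024',
]


def suspicious_requests(log_lines) -> list:
    """Detection side: flag requests whose URL-decoded query values contain a
    quote character. Returns (request target, parameter name) pairs for review."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        # parse_qsl percent-decodes, so %27 shows up here as a literal quote.
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if "'" in value or '"' in value:
                hits.append((target, key))
                break
    return hits


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "1'", hardened=False))  # 500 plus a DB error: the tell
    print(handle_request(db, "1'", hardened=True))   # 200 with no rows: nothing to learn
    print(suspicious_requests(SAMPLE_LOG))
```

The two fixes are independent and both matter: parameter binding removes the injection itself, and the generic error response removes the information leak that lets a probe tell a vulnerable page from a healthy one. The log check is deliberately simple (a quote in any decoded parameter value) and will produce false positives on legitimate input such as names with apostrophes, so treat it as a triage filter rather than an alert.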
A few words about physical security…
If I can touch it, I can take it
Physical security
Who has a Physical Security policy?
Physical security
• Who uses Two Factor?
• Who uses Proximity Sensors?
  ‒ Key card for building access
  ‒ Passport
Physical security
Tailgate Security
Keeping Secrets
What are we really protecting?
RECORDS! …but what IS a record?
A record is any information created or received that should be retained as evidence by an organization or person in pursuance of compliance, legal obligations, or in the transaction of business*
*ISO-15489
The Data Lifecycle
Steps:
1. Identify & Classify
2. Secure & Store
3. Monitor & Log
4. Recover
5. Disposition
6. Archive OR 6. Destruction
(Figure: The Data Lifecycle wheel. Data types: Structured, Unstructured, Semi-Structured. Stages: Identify & Classify, Secure, Monitor, Recover, Disposition, Archive, Defensible Destruction)
If you don’t CLASSIFY it, you’re likely not protecting it correctly
Examples of classification:
• Public — Non-sensitive information (e.g., sales brochures)
• Internal use only — Internal information (e.g., corporate policies)
• Confidential — Sensitive information (e.g., corporate financials)
• Restricted — Highly sensitive information (e.g., PII, pre-release earnings)
Information classification still has a way to go — number of organizations conducting information classification (Source: Forrester Research, 2008): Yes 47%, No 48%, Don’t know 5%
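The lifecycle steps and the classification tiers above come together in one decision rule, given here as an added example that is not from the deck: each record is first checked for a classification (without one, nothing downstream is defensible), then for a legal hold (which overrides retention expiry, the "defensible" part of defensible destruction), then for expiry, then for the controls its tier requires, and finally for whether it has aged out of active use into the archive. The four labels are the slide's; the retention and active-use periods, the per-tier control sets, the legal-hold flag and the sample inventory are assumptions made for this example.

```python
"""Added example (not from the slides): a data-lifecycle decision rule that
turns "classify what you need, protect what you have, delete anything you
no longer need" into one function. Retention periods, control sets and
the sample records are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Classification(Enum):
    PUBLIC = "Public"
    INTERNAL = "Internal use only"
    CONFIDENTIAL = "Confidential"
    RESTRICTED = "Restricted"


# Assumed minimum controls per tier (illustrative, not a published standard).
REQUIRED_CONTROLS = {
    Classification.PUBLIC: frozenset(),
    Classification.INTERNAL: frozenset({"access_control"}),
    Classification.CONFIDENTIAL: frozenset({"access_control", "encryption_at_rest"}),
    Classification.RESTRICTED: frozenset({"access_control", "encryption_at_rest", "access_logging"}),
}


@dataclass
class Record:
    name: str
    classification: Optional[Classification]  # None means never classified
    created: date
    retention_days: int   # how long the record must be kept at all
    active_days: int      # how long it stays in day-to-day use before archiving
    controls: frozenset = frozenset()
    legal_hold: bool = False


def disposition(rec: Record, today: date) -> str:
    """Decide the lifecycle action for one record.

    Order matters: unclassified data cannot be handled defensibly either way;
    a legal hold overrides retention expiry; expiry beats everything else
    (the bad guys cannot steal what you no longer hold); then control gaps;
    then archiving of data that is kept but no longer in active use."""
    if rec.classification is None:
        return "classify"
    if rec.legal_hold:
        return "retain (legal hold)"
    age = today - rec.created
    if age > timedelta(days=rec.retention_days):
        return "destroy"
    missing = REQUIRED_CONTROLS[rec.classification] - rec.controls
    if missing:
        return "remediate: " + ", ".join(sorted(missing))
    if age > timedelta(days=rec.active_days):
        return "archive"
    return "retain"


def lifecycle_report(records, today: date) -> dict:
    """Map each record name to its action for a given review date."""
    return {rec.name: disposition(rec, today) for rec in records}


# Constructed inventory (file names, dates and holds are made up).
SAMPLE_RECORDS = [
    Record("sales_brochure.pdf", Classification.PUBLIC, date(2010, 1, 1), 3650, 365),
    Record("q3_earnings_draft.xlsx", Classification.RESTRICTED, date(2013, 5, 1), 2555, 365,
           controls=frozenset({"access_control"})),
    Record("old_customer_export.csv", Classification.CONFIDENTIAL, date(2005, 1, 1), 2555, 365,
           controls=frozenset({"access_control", "encryption_at_rest"})),
    Record("litigation_emails.pst", Classification.CONFIDENTIAL, date(2004, 6, 1), 2555, 365,
           controls=frozenset({"access_control", "encryption_at_rest"}), legal_hold=True),
    Record("mystery_share_dump.zip", None, date(2012, 9, 1), 2555, 365),
]
REVIEW_DATE = date(2013, 6, 1)  # constructed review date for the sample run


if __name__ == "__main__":
    for name, action in lifecycle_report(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{name:26} {action}")
```

Run against the sample inventory, one of five records comes back "destroy", one "classify" and one "remediate", which is the kind of inventory the later slides describe: the data you are paying to protect is mixed in with data you should not be holding at all and data nobody has yet decided how to protect. Putting the legal-hold check ahead of the expiry check is what keeps destruction defensible.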
Value vs Risk
(Chart: the Risk, Cost and Value of information plotted over its life from Creation through Use to Expiration; annotations mark the Cost to Value gap and the Risk to Value gap)
The sad reality
It is estimated that over 1/3 of corporate data is expired, redundant, or worthless
- Improving Data Warehouse and Business Information Quality: Methods for Reducing Costs and Increasing Profits – Larry English
Case study
Who here could use an extra $50 million?
• One of the largest mortgage servicing firms in the nation lost a case for $130 million
• If Data Lifecycle fundamentals were applied the cost would have been around $80 million
The bad guys can’t hack in and steal something you don’t have!!
In summary
• Classify what you need
• Protect what you have
• Delete ANYTHING you no longer need
Contact Info:
Glenn Wilson - CIP, CRISC, SCS-DLP, MCSE, CNA, CCA, ACE
Cyber Risk – Data Lifecycle Services
Deloitte & Touche LLP
+1 213 688 [email protected] with me on LinkedIn: http://www.linkedin.com/in/gmw13
Follow me on Twitter: DeloitteGlenn
Closing Questions?
This presentation is provided solely for informational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates and related entities shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on this information for such purposes.
Disclaimer
This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2013 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited