Who’s that knocking at your door? - isaca.org

Page 1

Who’s that knocking at your door?
The soft underbelly of Information Security…

Glenn M. Wilson
Deloitte & Touche LLP

Page 2

Copyright © 2013 Deloitte Development LLC. All rights reserved.

Discussion Overview

• Today’s Cyber Risks
• How a malicious hacker views a target
• Approaches to data protection

Page 3

Intro and Background

Page 4

A question…

What is the primary “job” of a corporation?

Corporations must, by law, operate not in the interest of the public but to maximize shareholder value.

Page 5

Glenn’s wish

I wish that the SEC would mandate that all publicly traded companies put the value of their information on the balance sheet.

Page 6

The big data challenge

The world’s data footprint is growing rapidly:
• 90% of all data were created in the last two years
• Information Technology budgets are expected to expand 40% by the year 2020
• Data available will soon increase to 40,000 Exabytes

Source: ibm.com

Exabyte: 1,000,000,000,000,000,000 bytes (10^18)

Page 7

Have you been breached?

90% of organizations have had a leakage of sensitive data in the last 12 months

- Ponemon Institute, 2013 Cost of Breach Study

Page 8

How data is lost

Page 9

The Hacker

Page 10

Opinion poll

Are hackers good or bad?

Page 11

Types of hackers

Page 12

Noobs and script kiddies

A noob or script kiddie is an amateur who breaks into computer systems not through any knowledge of IT security, but by running prepackaged, automated scripts and tools written by others.

Source: Search for “How to hack a website” conducted on google.com

Page 13

Threat actors vary

[Chart: threat actor types rated on a four-level scale. KEY: Very high, High, Moderate, Low]

Page 14

Guess who

• Malicious code released 05:30 UTC on January 25, 2003
• Infects nearly all of its 75,000 victims in less than 10 minutes
• Causes over $1,200,000,000.00 in damage
• Microsoft reported the vulnerability and released a patch on… July 24, 2002 (six months before the outbreak)
• Its name was the Sapphire worm, but it is commonly referred to as SQL Slammer

This, more than anything, created patch management as we know it today.

Page 15

We’re social beings at heart

“The ability to research a target online has enabled hackers to create powerful social engineering attacks that easily fool even sophisticated users.” - Symantec

“One hour of research . . . is usually all it takes to garner the answers for a user’s bank challenge questions.” - Anonymous

“Why would I risk getting a gun and a mask, then going into a bank and robbing it when I can just steal the money anonymously?” - 2013 Grey Hat

Page 16

In the news today…

Page 17

What happens to stolen data?

Source: Symantec

Underground IRC Chat…

Page 18

Threat interest

Increased DarkNet activity in:
• Vanity attacks
• Watering hole attacks
• BYOD and data mobility
• Social media bridges
• Connected homes – iOS 8 highlights health and home monitoring
• Connected cars – 360-degree sensing, fusing sensor inputs together like camera, radar and sonar, and integration of mapping, GPS and vehicle-to-vehicle communication systems

Page 19

What’s wrong with this picture?

[Diagram: the Internet and Business Partners connected to the enterprise network, with one side labelled “Untrusted Networks” and the other “Trusted Networks”]

There are NO

Page 20

Hacking 30,000’ view

• Footprinting
• Discovery
• Enumeration
• Penetration
• Escalation

Goal: Privileged Access

Page 21

Discovering passwords

By executing a simple search, we are able to discover a number of potentially insecure installations that reveal sensitive information such as admin usernames and passwords:

“filetype:pwd service”

The search engine has already crawled and indexed the file, so the attacker finds it without ever touching the target’s server; nothing appears in the web-server logs until the recovered credentials are used.
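As an added example (not part of the original slides): a small Python self-audit that walks a web document root and flags the kind of files this dork surfaces, so you find them before a search engine does. The service.pwd name is the FrontPage Server Extensions password file kept under _vti_pvt/; the other file patterns and the sample directory tree are the editor’s assumptions, constructed here so the script runs offline.

```python
"""Self-audit for the kind of files the "filetype:pwd service" dork finds.

Added example, not from the original slides. Walks a web document root and
reports files whose name or extension suggests credentials, backups or dumps
that a search engine would happily index. The patterns below are the
editor's assumptions about what is commonly left exposed, not a complete list.
"""
import fnmatch
import os
import tempfile

# Assumed patterns (matched case-insensitively against the file's basename),
# each with the reason it matters. Dict order is the match priority.
RISKY_PATTERNS = {
    "service.pwd": "FrontPage Server Extensions password file (_vti_pvt/service.pwd)",
    "*.pwd": "password file",
    ".htpasswd": "Apache basic-auth password hashes",
    "*.sql": "database dump",
    "*.bak": "backup copy, often of a config file holding secrets",
    "*.env": "environment file with API keys / DB credentials",
    "web.config": "ASP.NET config (may contain connection strings)",
    "wp-config.php.*": "WordPress config backup left beside the live one",
}


def classify(basename: str):
    """Return the reason a filename is risky, or None if it looks harmless."""
    lower = basename.lower()
    for pattern, reason in RISKY_PATTERNS.items():
        if fnmatch.fnmatchcase(lower, pattern):
            return reason
    return None


def scan_webroot(root: str):
    """Return a sorted list of (relative_path, reason) for risky files under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            reason = classify(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree mimicking a carelessly deployed site (test data only)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": "<html>hello</html>",
        "_vti_pvt/service.pwd": "admin:$apr1$constructed$hash",
        "backup/site.sql": "INSERT INTO users VALUES (...);",
        "config/web.config.bak": "<connectionStrings>...</connectionStrings>",
        "images/logo.png": "PNG",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, reason in scan_webroot(root):
        print(f"{rel}: {reason}")
```

Run it against the real document root of each public web server (and any staging copy that is reachable from the Internet). A hit is a file to remove or move outside the web root; blocking it in robots.txt only advertises the path.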

Page 22

Discovering website vulnerabilities

Some websites expose unknown vulnerabilities to the internet. These can often be easily searched and exploited:
• Type “php?id=1” into a search engine
• Copy the URL of the site to be checked
• Paste that URL plus an apostrophe and see if the site may be vulnerable to a SQL injection attack

A database error after the apostrophe is the classic sign that the parameter reached the SQL parser unescaped. A quiet page does not prove the site is safe, since the application may simply suppress errors. Run this only against systems you are authorized to test.
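Added example, not from the original slides: the three steps above reproduced in Python against an in-memory SQLite table. get_items_vulnerable builds the query by string concatenation (the pattern behind a “php?id=1” finding); get_items_safe binds the value as a parameter. The probe helper sends the same inputs the slide suggests and shows why the apostrophe produces a database error on the vulnerable path and merely an empty result on the safe one. The table, its columns and the rows are constructed for the demonstration.

```python
"""Why the apostrophe test works, and what closes the hole.

Added example (not from the original slides). An in-memory SQLite database with
a deliberately vulnerable lookup next to a parameterised one. The slide's
"php?id=1" page is modelled as get_items_*(conn, raw_id), where raw_id is the
untrusted value taken straight from the query string.
"""
import sqlite3


def make_db():
    """Constructed sample table: one public row and two rows that should not leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [
            (1, "public widget", "none"),
            (2, "internal widget", "contract terms"),
            (3, "admin widget", "db password hint"),
        ],
    )
    return conn


def get_items_vulnerable(conn, raw_id):
    """String-concatenated SQL: the user's text becomes part of the statement."""
    sql = "SELECT id, name FROM items WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def get_items_safe(conn, raw_id):
    """Parameterised query: the value is bound as data and never parsed as SQL."""
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (raw_id,)).fetchall()


def probe(fetcher, conn, raw_id):
    """Mimic the slide's manual check.

    Returns "error" when the database rejects the statement (the tell that the
    input reached the SQL parser), otherwise the number of rows that came back.
    """
    try:
        return len(fetcher(conn, raw_id))
    except sqlite3.Error:
        return "error"


if __name__ == "__main__":
    conn = make_db()
    # "1" is the normal request, "1'" is the apostrophe test from the slide,
    # "1 OR 1=1" is the follow-up an attacker sends once the error confirms injection.
    for raw in ("1", "1'", "1 OR 1=1"):
        print(f"id={raw!r:12} vulnerable -> {probe(get_items_vulnerable, conn, raw)!s:6} "
              f"safe -> {probe(get_items_safe, conn, raw)}")
```

The vulnerable path answers the apostrophe with a syntax error and answers “1 OR 1=1” with every row in the table; the parameterised path returns exactly one row for a real id and nothing at all for either attack string. An application that catches and hides the error looks identical to the safe one from the outside, which is why the manual test in the slide only finds the noisy cases.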

Page 23

A few words about physical security…

If I can touch it, I can take it

Page 24

Physical security

Who has a Physical Security policy?

Page 25

Physical security

• Who uses Two Factor?
• Who uses Proximity Sensors?
  ‒ Key card for building access
  ‒ Passport

Page 26

Physical security

Tailgate Security

Page 27

Keeping Secrets

Page 28

What are we really protecting?

RECORDS! …but what IS a record?

A record is any information created or received that should be retained as evidence by an organization or person in pursuance of compliance, legal obligations, or in the transaction of business*

*ISO 15489

Page 29

The Data Lifecycle

Steps:
1. Identify & Classify
2. Secure & Store
3. Monitor & Log
4. Recover
5. Disposition
6. Archive OR Destruction

[Diagram: The Data Lifecycle as a ring: Identify & Classify → Secure → Monitor → Recover → Disposition → Archive or Defensible Destruction; applies to Structured, Semi-Structured and Unstructured data]

Page 30

If you don’t CLASSIFY it, you’re likely not protecting it correctly

Examples of classification:
• Public — Non-sensitive information (e.g., sales brochures)
• Internal use only — Internal information (e.g., corporate policies)
• Confidential — Sensitive information (e.g., corporate financials)
• Restricted — Highly sensitive information (e.g., PII, pre-release earnings)

Information classification still has a way to go. Number of organizations conducting information classification (Source: Forrester Research, 2008):
• Yes: 47%
• No: 48%
• Don’t know: 5%

Page 31

Value vs Risk

[Chart: Information on the vertical axis against time, from Creation through Use to Expiration; curves for Risk, Cost and Value, marking a Cost to Value gap and a Risk to Value gap]

Page 32

The sad reality

It is estimated that over 1/3 of corporate data is expired, redundant, or worthless

- Larry English, Improving Data Warehouse and Business Information Quality: Methods for Reducing Costs and Increasing Profits

Page 33

Case study

Who here could use an extra $50 million?
• One of the largest mortgage servicing firms in the nation lost a case for $130 million
• If Data Lifecycle fundamentals were applied, the cost would have been around $80 million

The bad guys can’t hack in and steal something you don’t have!!

Page 34

In summary

• Classify what you need
• Protect what you have
• Delete ANYTHING you no longer need

Page 35

Contact Info:
Glenn Wilson - CIP, CRISC, SCS-DLP, MCSE, CNA, CCA, ACE
Cyber Risk – Data Lifecycle Services
Deloitte & Touche LLP
+1 213 688 [email protected]
Connect with me on LinkedIn: http://www.linkedin.com/in/gmw13
Follow me on Twitter: DeloitteGlenn

Closing Questions?

Page 36

Disclaimer

This presentation is provided solely for informational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates and related entities shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on this information for such purposes.

Copyright © 2014 Deloitte Development LLC. All rights reserved.

Page 37

This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited