Data Leakage Prevention - K. K. Mookhey

  1. Data Leakage Prevention
     Interop 2010
     www.niiconsulting.com
  2. Agenda
     - Introduction
     - Data Leakage Scenario: Cases; Real-world impacts; Vulnerabilities
     - Building the Business Case
     - Demystifying DLP Solutions
     - Implementation Challenges
  3. Speaker Introduction
     - Founder & Principal Consultant, Network Intelligence
     - Certified as CISA, CISSP and CISM
     - Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
     - Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)
     - Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
     - Conducted numerous pen-tests, application security assessments, forensics, etc.
  4. THE BIGGEST HACK IN HISTORY
  5. Gonzalez, TJX and Heart-break-land
     - >200 million credit card numbers stolen
     - Heartland Payment Systems, 7-Eleven, and 2 US national retailers hacked
     - Modus operandi: Visit retail stores to understand workings; Analyze websites for vulnerabilities; Hack in using SQL injection; Inject malware; Sniff for card numbers and details; Hide tracks
  6. The hacker underground
     - Albert Gonzalez, a/k/a “segvec,” a/k/a “soupnazi,” a/k/a “j4guar17”
     - Malware, scripts and hacked data hosted on servers in: Latvia, Ukraine, New Jersey, Netherlands, California
     - IRC chats: March 2007: Gonzalez “planning my second phase against Hannaford”; December 2007: Hacker P.T. “that’s how [HACKER 2] hacked Hannaford.”
  7. Where does all this end up?
     - IRC Channels: #cc #ccards #ccinfo #ccpower #ccs #masterccs #thacc #thecc #virgincc
     - Commands used on IRC: !cardable; !cc, !cclimit, !chk, !cvv2, !exploit, !order.log, !proxychk
  8. TJX direct costs
     - $200 million in fines/penalties
     - $41 million to Visa
     - $24 million to MasterCard
  9. Who’s been affected?
  10. BUILDING THE BUSINESS CASE
  11. Profitability in hacking – 2009
  12. Sectors hacked – Q1 2009
  13. Back of the envelope: SECURITY ROI
  14. Cost of an incident
     - $6.6 million average cost of a data breach
     - From this, cost of lost business is $4.6 million
     - More than $200 per compromised record
     - On the other hand: Fixing a bug costs $400 to $4000; Cost increases exponentially as time lapses
  15. Direct Costs
     - Fees for legal recourse to address and forensics
     - Short-term impact to R&D cost recuperation
     - Long-term impact to profitability/revenue projections
     - System and process audits
     - Fines
     - Regulatory audit fees
     - Strategy consulting fees
  16. Numbers on the table
  17. Indirect Cost
     - $1 billion business
     - 20% new customer base lost
     - 10% of repeat customers lost
  18. Impact to profit margin
  19. The Legal Angle
     - Computer Crimes Act, 1997
     - Electronic Commerce Act, 2006
     - PCI DSS
     - Central Bank of Malaysia Act, 2009
     - Personal Data Protection Bill, ??
     - Guidelines on Internet Insurance
     - Other regulations
  20. DEMYSTIFYING DLP SOLUTIONS
  21. What does it stand for?
     - Data Leakage Prevention
     - Data Loss Protection
     - Information Loss Protection
     - Extrusion Prevention
     - Content Monitoring and Filtering
     - Content Monitoring and Protection
  22. DLP Solutions
     - Options
     - Vendors
     - Network
     - End-point
     - Content-aware
     - Context-aware
  23. FEATURES TO LOOK OUT FOR
  24. Comprehensive Coverage
  25. Pre-defined policies
  26. Blocking & Alerting
  27. Management Console & Dashboards
  28. Under the hood
     1. Rule-based Regular Expressions
     2. Database Fingerprinting
     3. Exact File Matching
     4. Partial Document Matching
     5. Statistical Analysis
     6. Conceptual/Lexicon
     7. Categories
  29. Protecting Data
     - Data in motion: Network monitor; Email integration; Filtering/blocking and proxy integration; Internal networks; Distributed and Hierarchical deployments
     - Data at rest: Content discovery techniques; Remote scanning / Agent-Based Scanning / Memory-Resident Agent Scanning
     - Data in use: Endpoint protection
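Slides 28 and 29 name the detection techniques and the data-in-motion / data-at-rest targets without showing how they fit together in one engine. The following is an added example, written for this transcript and not taken from the deck or from any DLP vendor: a toy content classifier that applies four of the slide 28 techniques (regex rules with a Luhn check, database fingerprinting via salted hashes, exact file matching via whole-file hashes, and partial document matching via hashed word shingles) to a constructed e-mail body (data in motion) and a constructed attachment (data at rest). The salt, the 30 percent overlap threshold, the field names and all sample data are assumptions chosen for the demonstration.

```python
"""Added example: toy DLP content classifier combining the detection
techniques listed on slide 28. Not the deck's or any vendor's code;
all sample data and thresholds are constructed."""
import hashlib
import re
from dataclasses import dataclass

# 1. Rule-based regular expression: 13-19 digit runs with optional separators.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters random digit runs (tracking numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalised card numbers that match the regex AND pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# 2. Database fingerprinting: keep salted hashes of exact values, not the values.
SALT = b"constructed-salt-value"  # constructed; a real deployment keeps this secret


def fingerprint(value: str) -> str:
    return hashlib.sha256(SALT + value.encode()).hexdigest()


# 3. Exact file matching: whole-file hash of registered documents.
def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# 4. Partial document matching: hashed word shingles of registered documents.
def shingles(text: str, k: int = 5) -> set:
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha1(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


@dataclass
class Policy:
    db_fingerprints: set
    file_hashes: set
    doc_shingles: set
    partial_threshold: float = 0.3  # share of a message's shingles that must match


# Constructed sensitive data the policy is built from.
SENSITIVE_CUSTOMER_IDS = ["ACME00912", "GLOBEX77310"]
SENSITIVE_FILE = b"constructed bytes of the salary spreadsheet"
SENSITIVE_DOC = ("Project Falcon pricing strategy: the board approved a twelve percent "
                 "discount for enterprise renewals in the third quarter, contingent on "
                 "annual prepayment and a minimum seat count of five hundred.")


def build_policy() -> Policy:
    return Policy(
        db_fingerprints={fingerprint(v) for v in SENSITIVE_CUSTOMER_IDS},
        file_hashes={file_hash(SENSITIVE_FILE)},
        doc_shingles=shingles(SENSITIVE_DOC),
    )


def classify(policy: Policy, text: str, attachment: bytes = None) -> list:
    """Return (technique, evidence) findings for one message and optional attachment."""
    findings = []
    cards = find_card_numbers(text)
    if cards:
        findings.append(("regex:card-number", len(cards)))
    tokens = re.findall(r"\b\w{6,}\b", text)
    db_hits = sum(1 for t in tokens if fingerprint(t) in policy.db_fingerprints)
    if db_hits:
        findings.append(("db-fingerprint", db_hits))
    if attachment is not None and file_hash(attachment) in policy.file_hashes:
        findings.append(("exact-file", 1))
    s = shingles(text)
    if s:
        overlap = len(s & policy.doc_shingles) / len(s)
        if overlap >= policy.partial_threshold:
            findings.append(("partial-document", overlap))
    return findings


# Constructed traffic: one leak (body plus attachment) and one benign message.
LEAK_MSG = ("FYI the board approved a twelve percent discount for enterprise "
            "renewals in the third quarter, let's tell the partner. Card on file "
            "4111 1111 1111 1111, account ACME00912.")
BENIGN_MSG = ("Lunch at noon? The third quarter town hall is on Friday, "
              "tracking 1234 5678 9012 3456.")

if __name__ == "__main__":
    policy = build_policy()
    for label, msg, att in [("leak", LEAK_MSG, SENSITIVE_FILE), ("benign", BENIGN_MSG, None)]:
        print(label, classify(policy, msg, att))
```

The benign message shows why the Luhn check matters: a 16-digit tracking number matches the card regex but fails the checksum, so it produces no finding, which is the false-positive problem slide 32 lists. The shingle and hash stores hold only digests, so the policy server never needs a cleartext copy of the customer table or the protected documents.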
  30. Coverage
     - Network
     - End-point
     - Bluetooth
     - Blackberry/iPhones/Smartphones
     - Operating systems
     - Virtualized servers
     - Integration with AD/LDAP
     - Integration with DRM
  31. GETTING DOWN TO BRASS TACKS
  32. Challenges
     - User resistance – yet another solution
     - Over-optimism – this is it!
     - Under-estimation of effort involved
     - Lack of trained resources
     - Absence of policy and procedure framework
     - Ownership resides with IT
     - Expensive
     - False positives
     - Legal & regulatory framework
  33. Implementation Plan
     - What matters to you – listing of assets
     - How important is it – classification of assets
     - Where does it reside?
     - Who should be able to do what with it – access rights policy
     - Strategy: Network Focused; Endpoint Focused; Storage Focused
     - Integration with existing infrastructure
     - Monitoring and fine-tuning
  34. Is it working?
     - Number of people/business groups contacted about incidents -- tie in somehow with user awareness training.
     - Remediation metrics to show trend results in reducing incidents
     - Trend analysis over 3, 6, & 9 month periods to show how the number of events has reduced as remediation efforts kick in
     - Reduction in the average severity of an event per user, business group, etc.
     - Trend: number of broken business policies
     - Trend: number of incidents related to automated business practices (automated emails)
     - Trend: number of incidents that generated automatic email
     - Trend: number of incidents that were generated from service accounts -- (emails, batch files, etc.)
     - Reference: http://securosis.com/blog/some-dlp-metrics/, Rich Mogull
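Slide 34 lists the metrics but not how to derive them from what a DLP console exports. The following is an added example, not from the deck or from the Securosis post it cites: it computes three of the listed metrics (incident counts per 3-month window, average severity per business group per window, and the share of incidents raised by service accounts) from a constructed incident export. The CSV layout, the `svc_` naming convention for service accounts and every log line are assumptions.

```python
"""Added example: DLP programme metrics from a constructed incident export.
Not the deck's code; the log format, the svc_ prefix and all rows are
assumptions made for the demonstration."""
from collections import defaultdict
from datetime import date

# Constructed export: date, business group, account, severity (1-5), policy violated.
INCIDENT_LOG = """\
2010-01-12,finance,alice,4,PCI
2010-01-20,finance,svc_reports,2,PCI
2010-02-03,sales,bob,5,CONFIDENTIAL
2010-02-17,sales,svc_crm_mailer,1,PII
2010-03-05,finance,carol,3,PCI
2010-04-09,sales,bob,3,CONFIDENTIAL
2010-04-22,finance,svc_reports,2,PCI
2010-05-14,sales,dave,2,PII
2010-06-02,finance,alice,2,PCI
2010-07-19,sales,svc_crm_mailer,1,PII
2010-08-08,finance,carol,1,PCI
2010-09-27,sales,erin,2,CONFIDENTIAL
"""

PROGRAMME_START = date(2010, 1, 1)  # constructed go-live date of the DLP rollout


def parse(log: str) -> list:
    """Turn the CSV export into dicts with typed fields."""
    rows = []
    for line in log.splitlines():
        d, group, account, sev, policy = line.split(",")
        rows.append({"date": date.fromisoformat(d), "group": group,
                     "account": account, "severity": int(sev), "policy": policy})
    return rows


def window_of(d: date, start: date = PROGRAMME_START, months: int = 3) -> int:
    """0-based index of the N-month window a date falls in, counted from start."""
    return ((d.year - start.year) * 12 + d.month - start.month) // months


def incident_trend(rows: list) -> list:
    """Incidents per 3-month window: the 3/6/9-month trend from slide 34."""
    counts = defaultdict(int)
    for r in rows:
        counts[window_of(r["date"])] += 1
    return [counts[i] for i in range(max(counts) + 1)]


def avg_severity_by_group(rows: list) -> dict:
    """Average severity per (business group, window), to show severity falling."""
    sums = defaultdict(lambda: [0, 0])
    for r in rows:
        key = (r["group"], window_of(r["date"]))
        sums[key][0] += r["severity"]
        sums[key][1] += 1
    return {k: round(total / n, 2) for k, (total, n) in sums.items()}


def service_account_share(rows: list, prefix: str = "svc_") -> tuple:
    """(incidents raised by service accounts, total incidents)."""
    n = sum(1 for r in rows if r["account"].startswith(prefix))
    return n, len(rows)


def policy_breakdown(rows: list) -> dict:
    """Incidents per violated policy: the 'broken business policies' trend input."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["policy"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse(INCIDENT_LOG)
    print("incidents per quarter:", incident_trend(rows))
    print("avg severity by group/quarter:", avg_severity_by_group(rows))
    print("service-account incidents:", service_account_share(rows))
    print("per policy:", policy_breakdown(rows))
```

Incidents from service accounts are reported separately because, as the slide notes, automated mailers and batch jobs inflate the raw count without saying anything about user behaviour; the per-window and per-group views are the ones that show whether remediation and awareness training are having an effect.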
  35. Questions? Thank you!
     - kkmookhey@niiconsulting.com
     - Information Security Consulting Services
     - Information Security Training Services