2. PwC
Contents
Real threats in the real world
Targeting Sensitive Data with Commercial Value
Targeting Sensitive Data with Economic Value
Public-Private Partnership
Considerations as we go forward
4. PwC
Risks we face
• A threat profile more significant than at any time in history;
• Adversaries that are patient, meticulous and smart;
• Sophisticated attackers who hold access to environments undetected for months, even years; and
• A need for new thinking about how we protect and manage sensitive data.
Infosecurity.nl 2010
6. PwC
Common failures that enable the attackers
1. Not knowing where sensitive data is located;
2. Not properly using monitoring and investigative tools;
3. Failing to address or shut down known security vulnerabilities; and
4. Suboptimal organizational design.
9. PwC
Hypothetical Attack Overview: Preparation and Reconnaissance
(Attack phases: Preparation and Reconnaissance → Initial Compromise → Expand Footprint → Execute Attack)

Major Activities
• Identify Potential Targets: Use search engines and browse web sites to identify potential targets
• Prepare Tools: Write custom applications and assemble publicly available tools to bypass antivirus
• Identify Initial Entry Point: Test the identified websites for SQL injection vulnerabilities to gain access to the target network

Timeline
• 13 days

Impact
• Read/write access to database records
• Administrative privileges on the database server's operating system
• Ability to initiate connections to other internal systems

Countermeasures
• Recode web applications to accept an allow-list (whitelist) of characters and reject all unnecessary characters
• Use unprivileged accounts for database connections
• Perform web application security assessments
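The entry point described on this slide and two of its countermeasures, as an added example that is not part of the PwC deck: a constructed SQLite customer table is queried three ways, first by the vulnerable string-built query the attacker tests for, then by a parameterised version, then through an allow-list check placed in front of the parameterised query. The table, its rows, the tautology payload and all function names are assumptions for illustration.

```python
"""
Added example (not from the PwC deck): the SQL-injection entry point from the
"Preparation and Reconnaissance" slide against a constructed SQLite database,
beside the application-side fixes the slide's countermeasures point at: an
allow-list on input characters and a parameterised query. Table, rows, payload
and function names are assumptions for illustration.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a customer table the attacker wants to dump."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (id INTEGER, username TEXT, card_last4 TEXT);
        INSERT INTO customers VALUES (1, 'alice', '4242');
        INSERT INTO customers VALUES (2, 'bob',   '1881');
        INSERT INTO customers VALUES (3, 'carol', '0005');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: user input is concatenated into the SQL text, so a
    crafted username changes the statement's structure (the slide's entry point)."""
    sql = f"SELECT id, username, card_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text, so
    quotes and keywords in the input cannot alter the statement."""
    sql = "SELECT id, username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed username policy: letters, digits, underscore, dot, hyphen, 1-32 chars.
USERNAME_ALLOWED = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(username: str) -> bool:
    """The slide's allow-list: accept only the characters a username legitimately
    needs, and reject the rest rather than trying to strip them."""
    return USERNAME_ALLOWED.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: allow-list the input, then bind it as a parameter.
    Binding alone defeats this payload; the allow-list additionally catches
    inputs that reach a code path where someone forgot to bind."""
    if not validate_username(username):
        raise ValueError("username contains characters outside the allow-list")
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"                  # classic tautology injection
    print(lookup_vulnerable(db, payload))     # every customer row comes back
    print(lookup_parameterised(db, payload))  # [] : no user literally named that
    try:
        lookup_hardened(db, payload)
    except ValueError as err:
        print("rejected:", err)
```

The parameterised query is the primary fix: it removes the class of bug rather than filtering one symptom, which is why a character allow-list on its own is a weaker control than the slide's wording suggests. The allow-list still earns its place in front of the query as defence in depth, and the unprivileged database account the slide recommends limits what a query that does slip through can read or write.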
10. PwC
Hypothetical Attack Overview: Initial Compromise
(Attack phases: Preparation and Reconnaissance → Initial Compromise → Expand Footprint → Execute Attack)

Major Activities
• Information Gathering: Craft SQL queries to obtain the database structure and the data it contains
• Exploit Database Links: Identify linked databases and search them for sensitive data or credit/debit card data
• Upload Tools through SQL Injection: Upload malicious tools to the database servers to obtain the Domain Administrator password and target other systems

Timeline
• 12 days (after 13 days of preparation and reconnaissance)

Impact
• Identified dozens of databases holding sensitive personal or business data or credit/debit card data
• Obtained Domain Administrator privileges
11. PwC
Hypothetical Attack Overview: Expand Footprint
(Attack phases: Preparation and Reconnaissance → Initial Compromise → Expand Footprint → Execute Attack)

Major Activities
• Establish Presence in the Environment: Push a custom-developed network sniffer or other custom hacker tools onto dozens of systems to understand the network topology and system traffic
• Upload Web-Based Tools: Upload custom web pages to the external web servers to perform command-and-control functions for the tools on internal systems
• Exfiltrate Data: Obtain the target data
• Locate Business-Critical Hardware: Identify the hardware security module (HSM) that generates encrypted PINs

Timeline
• 3 days (after 13 days of preparation and reconnaissance and 12 days of initial compromise)

Impact
• Attackers able to authenticate with privileged access to Windows systems
12. PwC
Hypothetical Attack Overview: Execute Attack
(Attack phases: Preparation and Reconnaissance → Initial Compromise → Expand Footprint → Execute Attack)

Major Activities
• Initiate Attack on HSM: Obtain cleartext PINs by attacking the HSM; reverse engineer or decode sensitive encrypted data and/or gain control of the wire-transfer authorization process
• Manipulate Financial Account Values: Use the custom web pages on the external web servers to modify internal database values such as balances and transaction limits to assist in financial fraud
• Distribute compromised payment cards
• Set up recipient accounts to receive the fraudulent proceeds

Timeline
• 4 days (after 13 + 12 + 3 days in the earlier phases: 32 days from first reconnaissance to fraud)

Impact
• Unauthorized ATM withdrawals or transactions initiated
• Unauthorized ACH wires issued
16. PwC
Public-Private Partnership
Examples across this Continuum
• Collaboration with law enforcement;
• Collaboration with select corporate peers (Google example);
• Collaboration among Financial Services in US (FS-ISAC - hundreds
of Companies sharing information about critical threats to systems
within the financial services sector);
• Collaboration among industry (US Department of Defense); and
• Collaboration to protect National Critical Infrastructure (US
Department of Homeland Security).
18. PwC
Considerations as we go forward
1: Sensitive Data
Key takeaways:
• Inventory and prioritize sensitive data;
• Include electronic communications as a key component of the definition of sensitive data; and
• Enhance vigilance around the protection of these assets.
19. PwC
Considerations as we go forward
2: Technical
Key takeaways:
• Increase visibility into live memory on user systems;
• Increase vigilance on Domain Controller logs;
• Increase focus on analysis of outbound traffic (for example, look for large outbound RAR files);
• Perform ongoing audits of key personnel (e.g., the M&A team): look for web-based mail logins from machines the employee does not normally use; and
• Automate the above to minimize the human time commitment.
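Two of the checks above, automated over constructed log lines, as an added example that is not part of the PwC deck: the outbound-traffic check flags large outbound RAR transfers, the key-personnel check flags web-mail logins from hosts outside a user's usual set, and a final step lists hosts that appear in both findings. The proxy and web-mail log formats, field names, user and host names, the M&A baseline and the size threshold are all assumptions for illustration, not any real product's format.

```python
"""
Added example (not from the PwC deck): automating two of the slide's technical
checks over constructed log lines. (1) Outbound traffic: flag large outbound
RAR archives. (2) Key personnel: flag web-mail logins from machines the user
does not normally use. Log formats, names, baseline and threshold are assumed.
"""

# Constructed proxy log: ts user src_host method url bytes_out content_type
PROXY_LOG = """\
2010-11-02T09:14:03 jsmith WS-FIN-017 GET http://intranet.example/home 512 text/html
2010-11-02T21:47:10 svc-backup DB-SQL-03 POST http://203.0.113.9/up/deal.rar 734003200 application/x-rar-compressed
2010-11-02T22:01:55 jsmith WS-FIN-017 POST https://mail.example/send 18000 multipart/form-data
2010-11-03T02:12:41 svc-backup DB-SQL-03 POST http://203.0.113.9/up/part2.rar 512000000 application/octet-stream
2010-11-03T08:30:00 akhan WS-MNA-004 GET https://cdn.example/lib.js 40000 application/javascript
"""

# Constructed web-mail authentication log: ts user src_host result
WEBMAIL_LOG = """\
2010-11-02T08:02:11 akhan WS-MNA-004 success
2010-11-02T23:18:47 akhan DB-SQL-03 success
2010-11-03T07:55:02 akhan WS-MNA-004 success
2010-11-03T03:40:12 jsmith WS-FIN-017 success
"""

# Constructed baseline: machines each monitored M&A team member normally uses.
KEY_PERSONNEL_HOSTS = {
    "akhan": {"WS-MNA-004", "LT-MNA-004"},
}

RAR_BYTES_THRESHOLD = 100 * 1024 * 1024  # assumed 100 MiB; tune per environment


def find_large_rar_exfil(proxy_log: str, threshold: int = RAR_BYTES_THRESHOLD) -> list:
    """Return (ts, user, src_host, url, bytes) for outbound RAR transfers over
    threshold. Matches on the .rar extension or the RAR content type, because
    a renamed archive is more common than a re-packed one."""
    hits = []
    for line in proxy_log.splitlines():
        ts, user, host, method, url, size, ctype = line.split()
        is_rar = url.lower().endswith(".rar") or ctype == "application/x-rar-compressed"
        if method == "POST" and is_rar and int(size) >= threshold:
            hits.append((ts, user, host, url, int(size)))
    return hits


def find_unusual_webmail_logins(webmail_log: str, baseline: dict) -> list:
    """Return (ts, user, src_host) for successful web-mail logins by monitored
    users from hosts outside their baseline. Users without a baseline are
    skipped: the slide scopes this audit to key personnel."""
    hits = []
    for line in webmail_log.splitlines():
        ts, user, host, result = line.split()
        if result != "success" or user not in baseline:
            continue
        if host not in baseline[user]:
            hits.append((ts, user, host))
    return hits


def correlate_hosts(rar_hits: list, login_hits: list) -> set:
    """Hosts present in both findings. A machine that both pushed an archive
    out and served an out-of-pattern web-mail login is where forensics starts."""
    return {h[2] for h in rar_hits} & {h[2] for h in login_hits}


if __name__ == "__main__":
    rar = find_large_rar_exfil(PROXY_LOG)
    logins = find_unusual_webmail_logins(WEBMAIL_LOG, KEY_PERSONNEL_HOSTS)
    for hit in rar:
        print("large outbound RAR:", hit)
    for hit in logins:
        print("web-mail login from unusual host:", hit)
    print("hosts in both findings:", correlate_hosts(rar, logins))
```

Both checks are deliberately simple so they can run on a schedule with no analyst in the loop, which is the slide's last point; the threshold and the per-user host baseline are the two knobs to tune, and the baseline should be rebuilt periodically from observed logins rather than maintained by hand. In the constructed data the database server that exfiltrates the archive is also the host used for the out-of-pattern mailbox login, which is the kind of pivot the earlier attack-overview slides describe.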
20. PwC
Considerations as we go forward
3: Organizational
Key takeaways:
• Cyber security, and the CISO or equivalent, should be independent of IT and the CIO;
• Cyber security should have deep insight into business operations to be effective: if the CEO is traveling outside the US, or if a 10-person team is working on a deal in Country X, cyber security should be aware; and
• Applying cyber security based on business operations will likely require a broader perspective than most technically oriented staff can provide, making cyber security ripe for alignment under the CSO.
21. PwC
PwC - Who we are
• PwC has more than 160,000 people in more than 150 countries. We focus on audit and assurance, tax and advisory services. We help our clients resolve complex issues and identify opportunities.
• PwC is a leading provider of security advisory and assessment services. Our Global Security practice has more than 2,100 professionals helping our clients solve complex security challenges.
• PwC was recognized by the Forrester Wave Vendor Summary as a leader in information security and IT risk consulting.
• PwC has assisted Fortune 500 companies in responding to security breaches, including network and system forensics, containment, and remediation activities.