Kevin Wharram Security Summit


Presentation on Data Theft and Data Leakage.

Published in: Technology

  1. Do you know where your data is? Kevin Wharram – Guidance Software, the maker of ‘EnCase’
  2. Agenda
     • Welcome and Introduction
     • Cause and Cost of data breaches
     • Get an understanding of Data Movement
     • Identify Challenges in protecting data (via theft and leakage)
     • Differentiate between Data theft / Data leakage
     • What to do after you have had a data breach
     • Identify some methods on getting started in protecting corporate data
  3. Welcome
     • Kevin Wharram CISSP, CISM, CEH, 27001 Lead Auditor. My interests are in Data Privacy & Data Protection
     • Technical Manager – Guidance Software Inc.
     • Previous to Guidance Software – I was the European Security Manager for Sony Computer Entertainment Europe (PlayStation) in London
  4. Vusi Pikoli: Where is my Data?
  5. Industry Headlines
     • Old hard drives still full of sensitive data: Hard drives full of confidential data are still turning up on the second-hand market, researchers have reported.
     • T.J. Maxx Breach Costs Hit $17 Million: BOSTON - Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX’s customer information in a security breach that the discount retailer disclosed more than two months ago.
     • Thieves set up data supermarkets: Web criminals are stepping back from infecting computers themselves and creating "one-stop shops" which offer gigabytes of data for a fixed price. Credit card details are cheap; however, the log files of big companies can go for up to $300.
  6. Cause of Data Breaches (Source: The Ponemon Institute – PGP Survey)
  7. Cost of Data Breaches – Key Statistics (Source: The Ponemon Institute)
     • Data breaches cost US companies an average of $197 for every record lost
     • The size of the losses examined ranged from $225,000 to almost $35 million
  8. What type of Data are at Risk?
     • Intellectual Property
     • Design Documents
     • Source Code
     • Trade secrets
     • Corporate Data
     • Financial data
     • Mergers & Acquisition info
     • HR data, i.e. employee data
     • Marketing and Sales data
     • Customer Data
     • Personal Data
     • Credit card numbers
     • Customer financial data
     • Government Data
     • Economic data, i.e. Interest Rate – “what is it worth a day before it's released?”
     • Intelligence information
     • Law Enforcement Information
  9. Understanding Data Movement
     • Being received?
     Where is your Data Stored? – Data at Rest
     • Is your sensitive data stored in unauthorised locations in your network?
     • Do you have sufficient controls in place to protect your sensitive information?
     • What individuals have access to your sensitive information?
     Where is your Data being sent? – Data in Motion
     • Who is sending your sensitive data; is it “Personal Data, IP, etc?”
     • Do individuals have the right authorisation to view the data after they have received it?
     • Whereabouts is your sensitive data being sent within your network – is it accessible to anyone?
     Where is your Data being copied?
     • What devices is the data being copied onto – USB, iPods, CD / DVD etc?
     • What data is being copied – is it “Personal Data, IP, etc?”
     • How many portable USB devices have been connected to systems to copy data?
  10. Challenges facing Companies
     • Confusing Regulatory environment – Protection of Personal Information Act, EU Data Protection Directive 95/46/EC, KING II, PCI compliance
     • Legal and Regulatory Violations caused by not protecting personal data
     • Ensuring sensitive data is not located in unauthorised areas of the network
     • Not being able to remediate instances of confidential information residing where it shouldn't be
     • Not knowing if the company's Intellectual Property (IP) and Personal Data (PII) is being protected by the controls currently in place
  11. Data Theft & Data Leakage
  12. Data Theft
     • Data Theft – where someone takes information from an organization without permission, including:
     • Accessing a company network or computer to take data – e.g. “TJ Maxx” & “Vusi Pikoli computer being hacked”
     • Employees taking data from the company when they leave for a new job – i.e. customer information, marketing plans, etc
     • An employee taking hard copies of information that should remain within the company, i.e. product information, IP, etc
  13. Data Leakage
     • Data Leakage – the unintentional release of data from a secure to an insecure environment, including:
     • Loss of computer tapes, hard drives, computers, etc
     • Posting information on blogs and message boards
     • Sending emails to the wrong recipient
     • A computer being accessible from the Internet without proper information security precautions
     • Old computers, laptops, servers, etc – “is the information securely wiped?”
     • Shoulder Surfing
     • RFID, Infrared (Adam Laurie), P2P, etc
  14. What leads to Data Theft?
     • Lack of senior management understanding and recognition of a problem
     • Criminal / Malicious Intent
     • Lack of internal processes and controls
     • Weak internal controls (role and access right changes)
     • Lack of clear policies and enforcement (e.g. Clear Desk Policies)
     • Misconception that security products will solve all problems, i.e. "I have all the bells and whistles"
     • Vulnerability Management / Patching practices
     • Organisation Culture (they owe me attitude)
     • Incidental opportunities
  15. What leads to Data Leakage?
     • Lack of Senior Management support
     • Lack of internal Processes and controls
     • Weak internal controls, i.e. (role and access right changes) – example "SocGen incident"
     • Lack of security awareness among employees
     • Misconception that security products will solve all problems
     • Vulnerability Management
     • Patching practices
  16. How is Data Taken
     • Portable storage devices – USB, Cameras, PDAs etc
     • iPods and MP3 players – “PodSlurping”
     • Email – personal webmail, i.e. Yahoo, Google, etc
     • Taking out or sending DVDs / CDs
     • VOIP – All conversations are stored electronically, and therefore can be extracted
     • Spear Phishing – targeting specific companies for information; then using that information to steal data
     • Exploiting corporate systems, networks and laptops through system and software vulnerabilities
     • Printing / copying and taking off premises
     • Using telephone conference pin numbers
  17. My Data is gone! – “what do I do?”
  18. Incident Response
     • Don’t panic
     • Follow your incident response plan and procedures
     • Investigate completely using a forensically sound, court-validated investigation platform
     • Disclose information only on a need-to-know basis
     • If there has been a leak or theft of personal data, then you will have to notify the commission and the individuals concerned of the data breach – “Principle 6” of the Protection of Personal Information Act
     • Clean up & Remediate
  19. Countermeasures to Protect Data
  20. Step 1: Identify & Classify Information
     • Identify confidential, personal and sensitive information
     • Update information classifications based on best practices
     • Apply classification(s) to distinguish types of confidential information
  21. Step 2: Assess Risks
     • Identify business processes, systems, and information that are perceived to be of high risk to the business
     • Identify which information should be protected
     • Determine perceived risks and severity of information loss
  22. Step 3: Develop and apply Policies and Procedures
     • Compare your existing Data Classification, Information Protection policies, etc to best practice
     • Develop or implement Data Classification, Information Protection policies, and distribute the policies to users
  23. Step 4: Audit Data – Deploy Technologies that Audit Data and Enforce Policies
     • Use software to audit sensitive data to ensure it’s not located in unauthorised areas of your network and systems
     • Remediate instances of sensitive data residing where it shouldn’t be
     EnCase Data Audit & Policy Enforcement
  24. Step 5: Communicate & Monitor to assess use & Compliance
     • Educate users about the policies and other security issues
     • Ensure that users have read, understood and accepted the policies
     • Continually monitor, through the use of tools, that the policies are not breached
  25. Summary
     • Identify and categorise what data you have
     • Decide where it is most secure
     • Determine the risks of how it could leak
     • Plan what to do if it does leak
     • Implement 'best practice' security measures
  26. Questions? [email_address]