ION-E Defense In Depth Presentation for The Institute of Internal Auditors

Notes
  • AV Med, 20,000 - laptop; Kinetic - 4,000 people through a wrong email attachment; UPMC HIPAA violation, stolen records
  • Section 501; ING 600,000 (multiple laptop losses, now encryption); ECMC 330,000
  • Accessing others' information
  • Clients know there is a problem and ask for advice.
  • Near 1 billion dollars. ¼ of breaches are laptops
  • Don't be confused by the Society of Payment Security Professionals
  • Rune - hides data in bad-block inodes; Waffen - hides data in a spoofed journal file; KY - hides data in null directory entries; Data Mule - hides data in reserved space.
  • Attacker-Centric
    Attacker-centric threat modeling starts with an attacker and evaluates their goals and how they might achieve them. The attacker's motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets.
    Software-Centric
    Software-centric threat modeling (also called 'system-centric', 'design-centric' or 'architecture-centric') starts from the design of the system and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle.
    Asset-Centric
    Asset-centric threat modeling involves starting from the assets entrusted to a system, such as a collection of sensitive personal information.

1. Defense in Depth
   Michael A. DaGrossa - CISSP, CEH, CCE
   Managing Partner Business Risk
   mike@ion-e.com
   Proprietary and Confidential
2. Take advantage of the enemy's un-readiness, make your way by unexpected routes, and attack unguarded spots.
   —Sun Tzu
3. Consultants and clients should develop a Defense in Depth Strategy, which should be regularly tested and corrected.
4. Definition: DID
   Defined by the Defense Information Security Agency: the Defense in Depth approach builds mutually supporting layers of defense to reduce vulnerabilities and to assist you to protect against, detect and react to as many attacks as possible. By constructing mutually supporting layers of defense, you will cause an adversary who penetrates or breaks one layer of defense to promptly encounter another and another until, unsuccessful in the quest for unauthorized entrance, the attack ends. To protect against different attack methods, you must employ corresponding security measures. The weakness of one security measure should be compensated for by the strength of another.
5. Does your Business Look like this
6. The general characteristics of defensive operations are:
   To understand the enemy
   See the battlefield
   Use the defenders' advantages
   Concentrate at critical times and places
   Conduct counter reconnaissance and counterattacks
   Coordinate critical defense assets
   Balance base security with political and legal constraints
   And know the law of war and rules of engagement.
14. Why does being compliant not equal secure? Why does being secure not equal compliant?
15. PCI-Compliant
    To Name a Few
    TJ Maxx
    Heartland
    Hannaford
16. HIPAA-Compliant
    To Name a Few
    AV Med Health Plans
    Kinetic Concepts
    University of Pittsburgh
17. FDIC-FFIEC GLBA BITS
    To Name a Few
    ING
    Education Credit Management Corp
    Lincoln National Corp
18. NIST-Secure
    To Name a Few
    DOD
    SSA
    West Memphis PD, AZ
19. ISO-Secure
    To Name a Few
    Target
    Choicepoint
    JCPenney
20. Skydiving
    Think of a corporate risk assessment as a life-threatening scenario in order to perceive it appropriately.
21. We have a parachute, what could go wrong?
22. Standards, Controls and Security
    Primary Chute
    Reserve Chute
    Automatic Activation Device (A.A.D.)
    Reserve Static Line
    Altimeter
    Helmet/Goggles/Jumpsuit
    Trained professional assistance
23. Layers of Safety
    Using one standard as an umbrella approach to holistic security for a corporation is similar to taking one measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything accurately during the jump, until the moment he/she reaches the ground.
24. What are we protecting
    Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009.
    The average total per-incident cost in 2009 was $6.75 million.
    A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center.
    Engaging a consultant or third-party expert to assist in the data breach incident results in a lower average cost per compromised record (almost 26% lower).
    About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident.
    Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with a higher abnormal churn rate (5% and 6% respectively).
    Source: Key findings from 2009 Ponemon Institute Annual Study
25. What are we protecting
    Too many times we get focused on only our roles for an engagement
    Problems with independence
    Knowledge
    Check-list approach
    Source: Key findings from 2009 Ponemon Institute Annual Study
26. What are we protecting
    (chart) Source: DatalossDB.org
27. What are we protecting
    (chart) Source: DatalossDB.org
28. What are we protecting
    (chart) Source: DatalossDB.org
29. Senior management should:
    Clearly support all aspects of the information security program
    Implement the information security program as approved by the board of directors
    Establish appropriate policies, procedures, and controls
    Participate in assessing the effect of security issues on the financial institution and its business lines and processes
30. Senior management should:
    Delineate clear lines of responsibility and accountability for information security risk management decisions
    Define risk measurement definitions and criteria
    Establish acceptable levels of information security risks
    Oversee risk mitigation activities.
31. Controls
    Internal Control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c) compliance with laws and regulations.
32. Controls - COSO
    Control Environment
    Risk Assessment
    Information and Communication
    Control Activities
    Monitoring
33. Controls
    Internal controls may be described in terms of:
    a) the objective they pertain to
    b) the nature of the control activity itself.
    Auditors understand this
    Information Technology people do not
    Business does not either
34. Controls - COBIT
    IT Governance
    Strategic Alignment
    Value Delivery
    Risk Management
    Resource Management
    Performance Measurement
35. Controls - CISSP
    Access Control
    Application Security
    BCP/DR
    Cryptography
    Info Sec and Risk Management
    Legal, Regulations and Compliance
    Physical
    Security Architecture and Design
    Telecom and Network Security
44. Controls - CISM
    Information Security Governance
    Information Risk Management
    Information Security Program Development
    Information Security Program Management
    Incident Management and Response
45. SANS-GIAC
46. Controls - PCI
    Build and Maintain a Secure Network
    Protect Cardholder Data
    Maintain a Vulnerability Management Program
    Implement Strong Access Control Measures
    Regularly Monitor and Test Networks
    Maintain an Information Security Policy
47. Controls - ISO 27K
    27001 - ISMS
    27002 - Practices
    27003 - Implementation Guidance
    27004 - Metrics
    The rest - defined up to 27037
    27799 - ISMS for the Health Sector
48. Controls - Planned Out
49. Business Breakdown
50. Frameworks for Business
51. DID for Business
52. Management, security, risk, audit, and compliance professionals should:
    Look beyond the standard
    Determine whether it is sufficient to manage the related risks to the organization
    A start-to-finish, multi-layered security approach is the only option to minimize business impact and mitigate the most possible risk.
53. The Bad Guys
    Anti-Forensics
    Exploits
    Social Engineering
    Insiders
    Outsiders
54. Anti-Forensics
    Encryption
    Steganography
    Disk Wiping
    Signatures
    Bootable Disks - Bart, BT, HELIX, OWASP, MOJO
    Slacker, TimeStomp, Transmogrify, SAMJuicer
    Everything run in RAM
    Linux - where tools don't look - Rune, Waffen, KY, DataMule
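The Anti-Forensics slide names TimeStomp, a tool that rewrites file timestamps so that a file looks older than it is. From the examiner's side, the point is that NTFS keeps two timestamp sets per file and only one of them is reachable from user mode, which is what makes tampering detectable. The following is an added example, not code from the ION-E deck or from any of the tools it lists; it applies two standard DFIR heuristics to constructed, simplified MFT-style records (the `MftRecord` shape, the paths and every timestamp are made up for illustration).

```python
"""Heuristics for spotting TimeStomp-style timestamp tampering on NTFS.

Added example, not part of the ION-E deck. NTFS keeps two timestamp sets per
file: $STANDARD_INFORMATION ($SI), which any process can rewrite through the
SetFileTime API, and $FILE_NAME ($FN), which only the kernel updates. The
records below are constructed sample data in a simplified MFT-record shape; a
real triage would fill them from an MFT parser's output.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftRecord:
    path: str
    si_created: datetime   # $SI creation time (user-mode writable)
    si_modified: datetime  # $SI last-modified time
    fn_created: datetime   # $FN creation time (kernel-maintained)
    fn_modified: datetime  # $FN last-modified time


def has_zero_subsecond(ts: datetime) -> bool:
    """NTFS stores times in 100 ns ticks, so a genuinely written timestamp almost
    never lands on an exact second. Tools that set times through the Win32 API
    with whole-second values leave the fractional part at zero."""
    return ts.microsecond == 0


def si_predates_fn(rec: MftRecord) -> bool:
    """$FN creation is set by the kernel when the name is created and cannot be
    set through SetFileTime; an $SI creation time earlier than $FN creation
    means $SI was back-dated after the file already existed on this volume."""
    return rec.si_created < rec.fn_created


def score_record(rec: MftRecord) -> list:
    """Return the indicators that fire for one record (empty list = clean)."""
    reasons = []
    if si_predates_fn(rec):
        reasons.append("si_created precedes fn_created")
    if has_zero_subsecond(rec.si_created) and has_zero_subsecond(rec.si_modified):
        reasons.append("si timestamps have zero sub-second component")
    return reasons


def find_suspicious(records) -> dict:
    """Map path -> fired indicators for every record that trips at least one."""
    flagged = {}
    for rec in records:
        reasons = score_record(rec)
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed sample records (not taken from any real image).
T_FILE = datetime(2011, 3, 14, 9, 22, 17, 482913, tzinfo=UTC)
T_EDIT = datetime(2011, 5, 2, 16, 5, 44, 118207, tzinfo=UTC)
NORMAL = MftRecord(r"C:\Users\jdoe\Documents\budget.xlsx", T_FILE, T_EDIT, T_FILE, T_FILE)

# $SI pushed back to a round 2005 date; $FN still carries the real creation time.
STOMPED = MftRecord(r"C:\Windows\System32\drivers\net.sys",
                    datetime(2005, 1, 1, tzinfo=UTC), datetime(2005, 1, 1, tzinfo=UTC),
                    T_FILE, T_FILE)

# A file brought onto this volume by a timestamp-preserving copy or a cross-volume
# move: $SI keeps the original creation time, $FN gets the arrival time, so only
# the ordering check fires. This is the classic false positive for that check.
T_ORIG = datetime(2010, 7, 21, 11, 3, 9, 776410, tzinfo=UTC)
T_MOVE = datetime(2011, 3, 14, 9, 30, 1, 204551, tzinfo=UTC)
MOVED = MftRecord(r"C:\Data\archive\report_final.docx", T_ORIG, T_ORIG, T_MOVE, T_MOVE)

SAMPLE_RECORDS = [NORMAL, STOMPED, MOVED]

if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(reasons)}")
```

Both indicators are leads, not proof: files extracted from ZIP archives carry DOS timestamps with two-second granularity and so also show a zero sub-second component, and a file copied with its original timestamps preserved trips the ordering check for an innocent reason. A record that fires both indicators, like the constructed `STOMPED` driver above, is the one worth pulling the $LogFile and USN journal for.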
62. Exploits
    Spear-Phishing
    Phishing
    Pharming
    Cross Site anything
    Spoofing
    SQL Injection
    Patch
63. (chart) Sophistication of hacker tools vs. technical knowledge required, plotted over time. Items on the curve: New Internet Attacks, Packet Forging & Spoofing, Stealth Diagnostics, DDOS, Sniffers, Sweepers, Hijacking Sessions, Back Doors, Self-Replicating Code, Password Cracking, Password Guessing.
    [Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
64. Social Engineering
    "Social Engineer Specialist: because there is no patch for human stupidity" - DefCon T-shirt
    The art of utilizing human behavior to breach security without the participant even realizing they have been manipulated.
65. Social Engineering
    Technical - Google, Maltego, PiPL
    Non-Technical -
    Poor Physical Controls
    Lack of Security Awareness Training
    Lack of Policies and Procedures
    Weak Employee Screening
    Lack of Management Support
    Poor Controls on Data
66. Social Engineering
    People are the weakest link
    Desire to be helpful
    Fear of getting in trouble
    Tendency to trust
    Desire to be successful
67. Social Engineering
    Path of least resistance
68. Insider
    Motivators - The Dark Side
    Profit
    Revenge
    Fame
69. Insider
    Motivators - Good Doing Bad
    Evolving Loyalties
    Job Change
    Management Change
    Company Change
    Misdirection/Social Engineering
    Influence
70. Insider - Telltale Signs
    Insiders already have access
    Insiders just need intent
71. Insider - Watch For
    Some Kind of Activity
    Revealing information not directly observable
    Noticed
    Significance Recognized
72. Insider - HR
    Monitoring included in Policy
    Clearly defined processes to include HR, Legal, Security and Management
    Understand the evolving privacy statutory requirements
73. Outsider
    Hacktivism
    SKIDDIES
    Profit
    Revenge
    Fame
74. Risk Modeling
    Know your Risk Formulas (ALE = ARO x SLE) (EV * AV)
    Susceptibility
    Impact
    Risk = Materiality
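The Risk Modeling slide lists the formulas (ALE = ARO x SLE, and the asset-value product that gives SLE), and the Definition and Layers of Safety slides argue that mutually supporting layers are worth more than one umbrella control. The two ideas meet in a cost-benefit calculation: layered controls change the ARO, and the ALE they avoid, net of what they cost, is what a risk committee can compare. The block below is an added example, not from the ION-E deck; it reads the slide's "EV*AV" as exposure factor times asset value (the usual SLE definition, stated here as an assumption), reuses the deck's $204 per-record figure, and makes up every other number (record count, exposure factor, attempt rate, stop probabilities, control costs) for illustration.

```python
"""Quantitative risk arithmetic behind the Risk Modeling and Defense in Depth slides.

Added example, not from the ION-E deck. It carries the slide's formulas
(SLE = AV x EF, ALE = ARO x SLE) through a constructed scenario and adds the
arithmetic behind the DID definition: an attacker has to get through every
layer, so independent layers multiply down the rate of successful attacks.
The $204 per-record figure is the Ponemon number cited on the deck; every
other number here is made up for illustration.
"""
from dataclasses import dataclass
from math import prod

RECORD_COST_USD = 204            # per compromised record (Ponemon 2009, cited on the deck)
RECORDS_AT_RISK = 10_000         # constructed: records in the customer database
ASSET_VALUE = RECORD_COST_USD * RECORDS_AT_RISK   # AV = $2,040,000
EXPOSURE_FACTOR = 0.25           # constructed: fraction of AV lost per breach
ATTEMPTS_PER_YEAR = 4.0          # constructed: attacks reaching the first layer per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF (the slide's 'EV*AV' read as exposure factor times asset value)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO x SLE, as written on the slide."""
    return sle * aro


def residual_aro(attempt_rate: float, layer_stop_probabilities, shared_bypass: float = 0.0) -> float:
    """Attacks per year that get through every layer.

    Each layer stops a fraction p of the attacks that reach it. If the layers
    fail independently, the fraction surviving all of them is the product of
    (1 - p). shared_bypass models a path that defeats all layers at once (a
    stolen valid credential, for instance), which independence does not capture.
    """
    through_layers = prod(1.0 - p for p in layer_stop_probabilities)
    through = shared_bypass + (1.0 - shared_bypass) * through_layers
    return attempt_rate * through


@dataclass
class ControlOption:
    name: str
    layer_stop_probabilities: list
    annual_cost: float
    shared_bypass: float = 0.0


def evaluate(option: ControlOption) -> dict:
    """ALE with and without the option; net value = loss avoided minus annual cost."""
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale_before = annualized_loss_expectancy(sle, ATTEMPTS_PER_YEAR)  # no controls at all
    aro_after = residual_aro(ATTEMPTS_PER_YEAR, option.layer_stop_probabilities, option.shared_bypass)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    return {"name": option.name, "aro": aro_after, "ale": ale_after,
            "net_value": ale_before - ale_after - option.annual_cost}


# Constructed options: one strong umbrella control vs. three weaker, layered ones.
OPTIONS = [
    ControlOption("single strong control", [0.90], annual_cost=80_000),
    ControlOption("three independent layers", [0.70, 0.70, 0.70], annual_cost=120_000),
    ControlOption("three layers sharing a bypass path", [0.70, 0.70, 0.70],
                  annual_cost=120_000, shared_bypass=0.05),
]


def compare_options(options=OPTIONS) -> list:
    """Rank options by net annual value, best first."""
    return sorted((evaluate(o) for o in options), key=lambda r: r["net_value"], reverse=True)


if __name__ == "__main__":
    for r in compare_options():
        print(f"{r['name']:<38} ARO={r['aro']:.4f}  ALE=${r['ale']:>12,.0f}"
              f"  net value=${r['net_value']:>12,.0f}")
```

With these constructed inputs the three 70% layers leave an ARO of 0.108 against 0.4 for the single 90% control, so they come out ahead even though each layer is individually weaker and the bundle costs more. The third option is the caveat: a path that bypasses every layer at once (the spear-phished credential of Case Study #1 is the deck's own instance) eats most of the layering benefit, which is why the DID definition insists the layers be mutually supporting rather than merely numerous.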
75. Threat Modeling
    Attacker-Centric
    Software-Centric
    Asset-Centric
76. Attack Methodology
    Phase I: Reconnaissance
    Phase II: Enumeration
    Phase III: Vulnerability Analysis
    Phase IV: Exploit
77. Attack Methodology
78. Case Study #1: Defense Contractor
    Investigation: Data Leakage
    Results: Targeted Spear Phishing
    Breakdown: AV, DLP, Firewall/IDS, Incident response
79. Case Study #2: Insurance
    Investigation: Data Leakage
    Results: Loss of ACL, Passwords, Intellectual Capital
    Breakdown: Security Awareness, Improper Access Control, DLP, IDS/IPS/HIDS
80. Case Study #3: Healthcare
    Investigation: Outside Hack
    Results: Loss of proprietary information; Loss of reputation; Company ended up closing shop
    Breakdown: Internal IT violated controls set in place through HIPAA
81. Questions and Answers
    Michael A. DaGrossa, CISSP, CEH, CCE
    Managing Partner, Business Risk Services
    302.261.9013 (office)
    302.383.2737 (mobile)
    ION-e Group
    100 Dean Drive
    Newark, DE 19711
    www.ion-e.com
    www.linkedin.com/in/dagrossa
    www.deinfragard.com
