ION-E Defense In Depth Presentation for The Institute of Internal Auditors



  • AV Med: 20,000 (laptop); Kinetic: 4,000 people through a wrong email attachment; UPMC: HIPAA violation, stolen records
  • Section 501; ING: 600,000 (multiple laptop losses, now encryption); ECMC: 330,000
  • Accessing others' information
  • Clients know there is a problem and ask for advice.
  • Nearly 1 billion dollars. ¼ of breaches are laptops
  • Don’t be confused by the Society of Payment Security Professionals
  • Rune: hides data in the bad-blocks inode; Waffen: hides data in a spoofed journal file; KY: hides data in null directory entries; Data Mule: hides data in reserved space.
  • Threat modeling approaches:
    • Attacker-centric: starts with an attacker and evaluates their goals and how they might achieve them. Attackers' motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets.
    • Software-centric (also called 'system-centric', 'design-centric' or 'architecture-centric'): starts from the design of the system and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle.
    • Asset-centric: starts from the assets entrusted to a system, such as a collection of sensitive personal information.

Presentation Transcript

  • Defense in Depth
    Michael A. DaGrossa - CISSP, CEH, CCE
    Managing Partner Business Risk
    Proprietary and Confidential
  • Take advantage of the enemy's un-readiness, make your way by unexpected routes, and attack unguarded spots.
    —Sun Tzu
  • Consultants and clients should develop a Defense in Depth Strategy, which should be regularly tested and corrected
  • Definition: DID
    • Defined by the Defense Information Security Agency:
    • The Defense in Depth approach builds mutually supporting layers of defense to reduce vulnerabilities and to assist you to protect against, detect and react to as many attacks as possible. By constructing mutually supporting layers of defense, you will cause an adversary who penetrates or breaks one layer of defense to promptly encounter another and another until, unsuccessful in the quest for unauthorized entrance, the attack ends. To protect against different attack methods, you must employ corresponding security measures. The weakness of one security measure should be compensated for by the strength of another.
  • Does your business look like this?
  • The general characteristics of defensive operations are:
    • Understand the enemy
    • See the battlefield
    • Use the defenders’ advantages
    • Concentrate at critical times and places
    • Conduct counter-reconnaissance and counterattacks
    • Coordinate critical defense assets
    • Balance base security with political and legal constraints
    • Know the law of war and rules of engagement.
  • Why does being compliant not equal secure? Why does being secure not equal compliant?
  • PCI-Compliant
    To Name a Few
    TJ Maxx
  • HIPAA-Compliant
    To Name a Few
    AV Med Health Plans
    Kinetic Concepts
    University of Pittsburgh
  • To Name a Few
    Education Credit Management Corp
    Lincoln National Corp
  • NIST-Secure
    To Name a Few
    West Memphis PD, AZ
  • ISO-Secure
    To Name a Few
  • Skydiving
    Think of a corporate risk assessment as a life-threatening scenario in order to perceive it appropriately.
  • We have a parachute, what could go wrong?
  • Standards, Controls and Security
    Primary Chute
    Reserve Chute
    Automatic Activation Device (A.A.D.)
    Reserve Static Line
    Trained professional assistance
  • Layers of Safety
    Using one standard as an umbrella approach to holistic security for a corporation is similar to taking one measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything accurately during the jump, until the time he/she reaches the ground.
  • What are we protecting
    Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009.
    The average total per-incident costs in 2009 were $6.75 million.
    A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center.
    Engaging a consultant or third-party expert to assist with the data breach incident results in a lower average cost per compromised record (almost 26% lower).
    About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident.
    Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with higher abnormal churn rate (5% and 6% respectively).
    Source: Key findings from 2009 Ponemon Institute Annual Study
  • What are we protecting
    Too many times we get focused on only our roles for an engagement
    Problems with independence
    Check list approach
    Source: Key findings from 2009 Ponemon Institute Annual Study
  • What are we protecting
    Source: DatalossDB.org
  • Senior management should:
    Clearly support all aspects of the information security program
    Implement the information security program as approved by the board of directors
    Establish appropriate policies, procedures, and controls
    Participate in assessing the effect of security issues on the financial institution and its business lines and processes
  • Senior management should:
    Delineate clear lines of responsibility and accountability for information security risk management decisions
    Define risk measurement definitions and criteria
    Establish acceptable levels of information security risks
    Oversee risk mitigation activities.
  • Controls
    Internal Control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) Effectiveness and efficiency of operations; b) Reliability of financial reporting; and c) Compliance with laws and regulations
  • Controls - COSO
    Control Environment
    Risk Assessment
    Information and Communication
    Control Activities
  • Controls
    Internal controls may be described in terms of:
    a) the objective they pertain to
    b) the nature of the control activity itself.
    Auditors understand this
    Information Technology people do not
    Business does not either
  • Controls - COBIT
    IT Governance
    Strategic Alignment
    Value Delivery
    Risk Management
    Resource Management
    Performance Measurement
  • Controls- CISSP
    • Access Control
    • Application Security
    • BCP/DR
    • Cryptography
    • Info Sec and Risk Management
    • Legal, Regulations and Compliance
    • Physical
    • Security Architecture and Design
    • Telecom and Network Security
  • Controls - CISM
    Information Security Governance
    Information Risk Management
    Information Security Program Development
    Information Security Program Management
    Incident Management and Response
  • Controls - PCI
    Build and Maintain a Secure Network
    Protect Cardholder Data
    Maintain a Vulnerability Management Program
    Implement Strong Access Control Measures
    Regularly Monitor and Test Networks
    Maintain Information Security Policy
  • Controls – ISO 27K
    27001: ISMS
    27002: Practices
    27003: Implementation guidance
    The rest: defined up to 27037
    *27799: ISMS for the health sector
  • Controls – Planned Out
  • Business Breakdown
  • Frameworks for Business
  • DID for Business
  • Management, security, risk, audit, and compliance professionals should:
    Look beyond the standard
    Determine whether it is sufficient to manage the related risks to the organization
    A start to finish, multi-layered security approach is the only option to minimize business impact and mitigate the most possible risk.
  • The Bad Guys
    Anti Forensics
    Social Engineering
  • Anti-Forensics
    • Encryption
    • Steganography
    • Disk Wiping
    • Signatures
    • Bootable Disks: Bart, BT, HELIX, OWASP, MOJO
    • Slacker, TimeStomp, Transmogrify, SAMJuicer
    • Everything runs in RAM
    • Linux, where tools don’t look: Rune, Waffen, KY, DataMule
  • Exploits
    Cross-Site anything
    SQL Injection
  • [Chart: attack sophistication versus technical knowledge required, scale from "High"; labels: New Internet Attacks, Packet Forging & Spoofing, Stealth Diagnostics, Sophistication of Hacker Tools, Hijacking Sessions, Back Doors, Technical Knowledge Required, Self-Replicating Code, Password Cracking, Password Guessing]
    [Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
  • Social Engineering
    “Social Engineer Specialist: because there is no patch for human stupidity” (DEF CON T-shirt)
    The art of utilizing human behavior to breach security without the participant even realizing they have been manipulated.
  • Social Engineering
    Technical: Google, Maltego, Pipl
    Poor Physical Controls
    Lack of Security Awareness Training
    Lack of Policies and Procedures
    Weak Employee Screening
    Lack of Management Support
    Poor Controls on Data
  • Social Engineering
    People are the weakest link
    Desire to be helpful
    Fear of getting in trouble
    Tendency to trust
    Desire to be successful
  • Social Engineering
    Path of least resistance
  • Insider
    Motivators: The Dark Side
  • Insider
    Motivators: Good Doing Bad
    Evolving Loyalties
    Job Change
    Management Change
    Company Change
    Misdirection/Social Engineering
  • Insider: Telltale Signs
    Insiders already have access
    Insiders just need intent
  • Insider: Watch For
    Some Kind of Activity
    Revealing information not directly observable
    Significance Recognized
  • Insider: HR
    Monitoring included in Policy
    Clearly defined processes to include HR, Legal, Security and Management
    Understand the evolving privacy statutory requirements
  • Outsider
  • Risk Modeling
    Know your risk formulas: ALE = ARO × SLE, where SLE = EF × AV
    = Materiality
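The formulas on the Risk Modeling slide, worked through as an added example that is not part of the original deck: SLE = AV × EF and ALE = ARO × SLE, followed by the safeguard cost/benefit comparison (ALE before, minus ALE after, minus the control's yearly cost) that those formulas lead to but the slide does not show. The laptop scenario, its 0.25 annual loss rate, the 0.01 residual exposure factor with encryption and the $15,000 yearly encryption cost are constructed assumptions; only the $204-per-record figure comes from the deck's "What are we protecting" slide.

```python
"""Annualized loss expectancy (ALE) calculator for the Risk Modeling slide.

Added example, not part of the original deck. Works SLE = AV x EF and
ALE = ARO x SLE, then compares ALE before and after a safeguard.
All figures except the $204-per-record breach cost quoted on the deck's
"What are we protecting" slide are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: dollar value of what is exposed
    exposure_factor: float  # EF: fraction of AV lost per incident (0..1)
    aro: float              # ARO: expected incidents per year


def sle(s: Scenario) -> float:
    """Single loss expectancy: SLE = AV x EF."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: ALE = ARO x SLE."""
    return s.aro * sle(s)


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Annual value of a safeguard: ALE reduction minus its yearly cost.
    Positive means the control pays for itself; negative means it does not."""
    return ale(before) - ale(after) - annual_cost


# Constructed scenario: one laptop holding 20,000 customer records, valued at
# the deck's $204 per record. Unencrypted, a lost laptop exposes every record
# (EF = 1.0). With full-disk encryption the records stay unreadable, so the
# loss is little more than the hardware (EF = 0.01, an assumption). An ARO of
# 0.25 (one loss every four years) is also an assumption.
RECORDS = 20_000
COST_PER_RECORD = 204.0
ASSET_VALUE = RECORDS * COST_PER_RECORD
UNENCRYPTED = Scenario("lost laptop, no encryption", ASSET_VALUE, 1.0, 0.25)
ENCRYPTED = Scenario("lost laptop, full-disk encryption", ASSET_VALUE, 0.01, 0.25)
ENCRYPTION_COST_PER_YEAR = 15_000.0  # constructed licence and support figure

if __name__ == "__main__":
    for s in (UNENCRYPTED, ENCRYPTED):
        print(f"{s.name}: SLE=${sle(s):,.0f}  ALE=${ale(s):,.0f}")
    print(f"Encryption safeguard value per year: ${safeguard_value(UNENCRYPTED, ENCRYPTED, ENCRYPTION_COST_PER_YEAR):,.0f}")
```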
  • Threat Modeling
    Attacker-Centric
    Software-Centric
    Asset-Centric
  • Attack Methodology
    Phase I: Reconnaissance
    Phase II: Enumeration
    Phase III: Vulnerability Analysis
    Phase IV: Exploit
  • Case Study #1: Defense Contractor
    Data Leakage
    Targeted Spear Phishing
    Incident Response
  • Case Study #2: Insurance
    Data Leakage
    Loss of ACLs, Passwords, Intellectual Capital
    Security Awareness
    Improper Access Control
  • Case Study #3: Healthcare
    Outside Hack
    Loss of proprietary information
    Loss of reputation
    Company ended up closing shop
    Internal IT violated controls set in place through HIPAA
  • Questions and Answers
    Michael A. DaGrossa, CISSP, CEH, CCE
    Managing Partner, Business Risk Services
    302.261.9013 (office)
    302.383.2737 (mobile)
    ION-e Group
    100 Dean Drive
    Newark, DE 19711
    www.ion-e.com
    www.linkedin.com/in/dagrossa
    www.deinfragard.com