Oldest crime on record – not prostitution
• First recorded case of identity theft: Bible, Genesis XXX
Risk Factory: Beyond Data Leakage
Beyond Accidental Data Leakage
A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com
Read All About It…
TJX Data Breach: At 45.6M Card Numbers, It's the Biggest Ever (March 2007)
“We may never be able to identify much of the information believed stolen.”
The company has so far spent about $250+ million to resolve it ($1B+ estimate in cases / lost revenue).
Leakage Defined
Data-Leakage is a loosely defined term used to describe an incident where the confidentiality of information has been compromised.
• Data-Breach and Information Loss are also widely used terms
• Data Slurping: the use of iPods or portable USB hard drives to copy data off a system
Accidents Can Happen
• Accidental / unintentional
• Carelessness
• Leaving sensitive information accessible to others
• Losing a laptop
• Sending email to the wrong name or to “all”
• Malicious code (viruses, worms, Trojan horses)
• Suspicious email, jokes, etc.
Beyond Accidental
• Malicious / intentional vandalism / delinquency
• Bulletin board postings (Fu*kedCompany, Dotcomscoop, Deja)
• Disgruntled employees
• Forwarding company data to home email, time bombs, deletion of data
You Can Find
• Without hacking
• Without intrusion (denial of service)
• Without breaking any law
• With consent of firewall
• Regardless of company consent
• With consent of end-user / author
• Virtually untraceable
• Replicable millions of times
• Available to anyone with a PC online
• Accessible anywhere in the world
Beyond Accidental II
The trusted user turned entrepreneur:
• Under cover / overlooked
• Easy to trust / hard to detect
• Has a key to the house
• Knows when you’re not home
• Knows your strengths / weaknesses
Why do they do it?
Easy Money Getting Easier
Price per stolen data item, by year:

                        2000      2005      2010
Name, Address, DOB      £2.00     £1.00     £0.25
Credit card #           £2.00     £1.00     £0.25
Expiry date             £3.00     £1.00     £0.25
Security Code           £3.00     £2.00     £0.25
Total                   £10.00    £5.00     £1.00
Where to Start?
Conduct a data leakage survey:
– ITM software
– Logical review
– Physical review
Detecting the Covert Channels
1. Check classification scheme & security policies
2. Write policy-synchronised objective & scope
3. Identify keywords/folders & files
4. Identify target department
5. Get Board-level approval before you start
6. Deploy data leakage detection software (30–60 day free trials!)
7. Audit office equipment (copy machines, faxes, scanners)
8. Audit VoIP storage access logs
9. Audit CCTV footage
10. Test physical/procedural security measures
Where Is Your Data?
• Network
• Client devices: removable media, unauthorised connections, devices, applications, local storage, file copy, save as…
• Remote connections
• Storage: photocopiers, scanners, faxes
• 3rd Parties
• Service Providers
• Contractors
How & Where Leaking?
(Diagram; categories shown: Data-At-Rest, Data-In-Motion, Physical, Endpoint Communication, Other Threat Vectors.)
Vectors listed: Laptop / Desktop / Server, CD / DVD, USB, iPod, Memory Stick, PCMCIA, Memory Card Readers, Bluetooth, Infrared, Firewire, Serial / Parallel Ports, Databases, File Systems, File Servers, NAS, SANs / iSCSI Storage, Virtual Machine, Voice Mail, Backup Tapes / CD / DVD, E-Mail, HTTP/S, SSH, FTP, IM, VoIP, P2P, Blogs, Fax, Printers, Photocopier, Printed Reports, Mobile Phone / PDA, Digital Camera (incl. Mobile Phone Cameras), Video Surveillance, Incorrect Disposal, Piggybacking, Dumpster (Skip) Diving, Social Engineering, Contractors, Road Apple, Eavesdropping, Screen Scrapers, Key Loggers, Data Loss Trojans, Phishing / Spear Phishing.
Free Advice…
• Stay focussed. Follow the White Rabbit.
• Stay cool. Stay professional.
• Be apolitical. No hidden agendas.
• Be prepared. You will see the Sexy Beast.
• Remember: what you will see is not new.
• You’ll see how the business really operates.
But Remember “When the Gods want to punish us, they answer our prayers.”
Top Ten Distractions
• Employees viewing porn / shopping…
• Management viewing porn / shopping…
• Clandestine affairs
• Personal affairs
• Rumours
• Employees falsifying company records (expense accounts)
• Employees running a side business
• Convenience connections
Risk Factory Survey
• Analysed over 200,000 hours of user activity
• Carried out over 24 months
• Linked to specific files, folders, and keywords
• Identified the who, what, where & when
Summary Findings
• 68% of thefts were linked to mobile rather than fixed desktop systems.
• The IT and Customer Services departments had the highest number of data thefts.
• 96% of those responsible were male.
• 79% of incidents occurred on Fridays between 3 and 5PM.
• The applications most favoured for removing data were web mail, instant messaging (IM) and social networking web sites.
• The top 4 theft vectors were mobile devices, web mail, removable media and web applications.
• All instances identified could have been prevented: existing corporate security policies were not implemented, monitored or enforced.
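The survey procedure above (steps 3 and 6: watch-listed folders and keywords fed into detection software) and the findings (who/what/where/when, the four top vectors, the Friday 3–5PM window) can be turned into a simple detector over user-activity logs. The following is an added example, not Risk Factory's tooling or data; the log format, watch lists and every record in it are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed ITM-style user-activity log (not data from the Risk Factory survey).
# Fields: timestamp | user | department | action | file path | destination
LOG = r"""
2007-03-09T15:42:10 | jsmith | IT | upload | \\fs01\Finance\Payroll_Q1.xls | webmail:hotmail.com
2007-03-09T16:05:33 | akhan | Customer Services | copy | D:\Customers\cardholders.csv | usb:SanDisk Cruzer
2007-03-12T09:10:02 | mlee | Marketing | send | C:\Docs\press_release.doc | im:msn
2007-03-12T08:50:00 | jsmith | IT | sync | \\fs01\HR\salaries.xls | mobile:PDA
2007-03-09T11:20:00 | rgreen | Sales | print | C:\Docs\lunch_menu.pdf | printer:HP4200
"""

# Policy-synchronised watch list (procedure step 3): folders and keywords, lower-cased.
WATCH_FOLDERS = ("\\finance\\", "\\hr\\", "\\customers\\")
WATCH_KEYWORDS = ("payroll", "salar", "cardholder", "confidential")
# Egress vectors the survey named as the top theft channels, keyed by destination prefix.
HIGH_RISK_VECTORS = {"webmail": "web mail", "im": "instant messaging",
                     "usb": "removable media", "mobile": "mobile device"}

@dataclass
class Finding:
    who: str
    what: str
    where: str
    when: datetime
    peak_window: bool  # Friday 15:00-17:00, where the survey found 79% of incidents

def is_sensitive(path: str) -> bool:
    # A file is in scope if it sits in a watched folder or its name carries a watched keyword.
    p = path.lower()
    return any(f in p for f in WATCH_FOLDERS) or any(k in p for k in WATCH_KEYWORDS)

def in_peak_window(ts: datetime) -> bool:
    return ts.weekday() == 4 and 15 <= ts.hour < 17

def detect(log_text: str) -> list:
    # One Finding per sensitive file that left through a high-risk vector.
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, _dept, _action, path, dest = (f.strip() for f in line.split("|"))
        vector = HIGH_RISK_VECTORS.get(dest.split(":", 1)[0])
        if vector is None or not is_sensitive(path):
            continue  # managed destination (e.g. a printer) or non-sensitive file
        when = datetime.fromisoformat(ts)
        findings.append(Finding(user, path, vector, when, in_peak_window(when)))
    return findings

if __name__ == "__main__":
    for f in detect(LOG):
        print(f"{f.when:%a %H:%M} {f.who:8} {f.where:17} {f.what}  peak={f.peak_window}")
```

On the constructed log this flags three of the five events, two of them inside the Friday afternoon window; the printer job and the press release are left alone because the vector or the file is out of scope.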
Defense Must Be Layered
Network perimeter security layer – threats: Spyware, Hackers, Inappropriate Content, Attacks, Viruses; controls: Strong authentication, URL filtering, Anti-virus, IDS/IPS
• UNAUTHORISED APPLICATION USE: Cut, Copy, Paste, Print, Rename, Save As
• UNAUTHORISED APPLICATIONS: Malware, IM, Webmail, Skype, MySpace, file sharing
• UNAUTHORISED CONNECTIONS: Wireless (802.11, Bluetooth, IR, GPRS/UMTS/HSDPA), Modems
• UNAUTHORISED FILE COPYING & OUTPUT DEVICES: Local file copies (removable storage, mobile devices), printers, copiers, faxes
Obligatory Summary Slide
• Data leakage is not a phenomenon
• Your data is worth money – treat it accordingly
• Statistically speaking, the bad guy works for you
• Know where your data resides: exit end points, at rest and in motion…
• It’s all about the user
26 Dover Street, London, United Kingdom, W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101 (fax)