ION-E Defense In Depth Presentation for The Institute of Internal Auditors



Defense In Depth



  1. Defense in Depth
     Michael A. DaGrossa - CISSP, CEH, CCE
     Managing Partner, Business Risk
     Proprietary and Confidential
  2. "Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
     —Sun Tzu
  3. Consultants and clients should develop a Defense in Depth strategy, which should be regularly tested and corrected.
  4-5. Definition: DID
     Defined by the Defense Information Systems Agency (DISA):
     "The Defense in Depth approach builds mutually supporting layers of defense to reduce vulnerabilities and to assist you in protecting against, detecting, and reacting to as many attacks as possible. By constructing mutually supporting layers of defense, you cause an adversary who penetrates or breaks one layer of defense to promptly encounter another, and another, until, unsuccessful in the quest for unauthorized entrance, the attack ends. To protect against different attack methods, you must employ corresponding security measures. The weakness of one security measure should be compensated for by the strength of another."
     Does your business look like this?
  6-13. The general characteristics of defensive operations are:
     - Understand the enemy
     - See the battlefield
     - Use the defenders' advantages
     - Concentrate at critical times and places
     - Conduct counter-reconnaissance and counterattacks
     - Coordinate critical defense assets
     - Balance base security with political and legal constraints
     - Know the law of war and the rules of engagement
  14. Why does being compliant not equal being secure? Why does being secure not equal being compliant?
  15. PCI-compliant (to name a few)
     TJ Maxx
     Heartland
     Hannaford
  16. HIPAA-compliant (to name a few)
     AvMed Health Plans
     Kinetic Concepts
     University of Pittsburgh
  17. FDIC/FFIEC, GLBA, BITS (to name a few)
     ING
     Education Credit Management Corp
     Lincoln National Corp
  18. NIST-secure (to name a few)
     DOD
     SSA
     West Memphis PD, AZ
  19. ISO-secure (to name a few)
     Target
     ChoicePoint
     JCPenney
  20. Skydiving
     Think of a corporate risk assessment as a life-threatening scenario; that is the level of seriousness it deserves.
  21. We have a parachute, what could go wrong?
  22. Standards, Controls and Security
     Primary chute
     Reserve chute
     Automatic Activation Device (AAD)
     Reserve static line
     Altimeter
     Helmet, goggles, jumpsuit
     Trained professional assistance
  23. Layers of Safety
     Using one standard as an umbrella approach to holistic security for a corporation is like relying on a single measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything correctly during the jump, until he or she reaches the ground.
  24. What are we protecting
     - Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009.
     - The average total per-incident cost in 2009 was $6.75 million.
     - A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center.
     - Engaging a consultant or third-party expert to assist with the data breach incident resulted in a lower average cost per compromised record (almost 26% lower).
     - About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident.
     - Organizations in highly trusted industries such as financial services and health care see higher abnormal churn rates after a breach (5% and 6% respectively).
     Source: Key findings from the 2009 Ponemon Institute Annual Study
  25. What are we protecting
     Too often we focus only on our own role in an engagement. Typical problems:
     - Independence
     - Knowledge
     - Check-list approach
     Source: Key findings from the 2009 Ponemon Institute Annual Study
  26-28. What are we protecting
     [Three chart slides; the images and their source lines were not captured in this transcript.]
  29. Senior management should:
     - Clearly support all aspects of the information security program
     - Implement the information security program as approved by the board of directors
     - Establish appropriate policies, procedures, and controls
     - Participate in assessing the effect of security issues on the financial institution and its business lines and processes
  30. Senior management should:
     - Delineate clear lines of responsibility and accountability for information security risk management decisions
     - Define risk measurement definitions and criteria
     - Establish acceptable levels of information security risk
     - Oversee risk mitigation activities
  31. Controls
     Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) effectiveness and efficiency of operations; (b) reliability of financial reporting; and (c) compliance with laws and regulations.
  32. Controls - COSO
     - Control Environment
     - Risk Assessment
     - Information and Communication
     - Control Activities
     - Monitoring
  33. Controls
     Internal controls may be described in terms of:
     (a) the objective they pertain to
     (b) the nature of the control activity itself
     Auditors understand this; IT people do not, and neither does the business.
  34. Controls - COBIT
     IT Governance:
     - Strategic Alignment
     - Value Delivery
     - Risk Management
     - Resource Management
     - Performance Measurement
  35-43. Controls - CISSP domains
     - Access Control
     - Application Security
     - BCP/DR
     - Cryptography
     - Information Security and Risk Management
     - Legal, Regulations and Compliance
     - Physical Security
     - Security Architecture and Design
     - Telecommunications and Network Security
  44. Controls - CISM
     - Information Security Governance
     - Information Risk Management
     - Information Security Program Development
     - Information Security Program Management
     - Incident Management and Response
  45. SANS-GIAC
  46. Controls - PCI
     - Build and Maintain a Secure Network
     - Protect Cardholder Data
     - Maintain a Vulnerability Management Program
     - Implement Strong Access Control Measures
     - Regularly Monitor and Test Networks
     - Maintain an Information Security Policy
  47. Controls - ISO 27K
     - 27001 - ISMS requirements
     - 27002 - Code of practice
     - 27003 - Implementation guidance
     - 27004 - Metrics
     - The rest of the series - defined up to 27037
     - 27799 - ISMS for the health sector
  48. Controls - Planned Out
  49. Business Breakdown
  50. Frameworks for Business
  51. DID for Business
  52. Management, security, risk, audit, and compliance professionals should:
     - Look beyond the standard
     - Determine whether it is sufficient to manage the related risks to the organization
     A start-to-finish, multi-layered security approach is the only way to minimize business impact and mitigate as much risk as possible.
  53. The Bad Guys
     - Anti-forensics
     - Exploits
     - Social engineering
     - Insiders
     - Outsiders
  54-61. Anti-Forensics
     - Encryption
     - Steganography
     - Disk wiping
     - Signatures (file-signature manipulation)
     - Bootable disks: BartPE, BackTrack (BT), Helix, OWASP, MOJO
     - Slacker, Timestomp, Transmogrify, SAM Juicer
     - Everything run in RAM
     - Linux, where tools don't look: Rune, Waffen, KY, DataMule
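The anti-forensics tools above are named but not explained. Timestomp-style tools rewrite a file's $STANDARD_INFORMATION timestamps, which is what Explorer and `dir` display; an investigator can often still catch them by comparing against the $FILE_NAME timestamps that the NTFS kernel driver maintains. The following Python is an added example (not part of the presentation and not a tool the presenter describes) that applies two standard triage heuristics to constructed MFT records; the record layout, paths and timestamps are invented for illustration, and real input would come from an MFT parser.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class MftRecord:
    """One NTFS MFT entry reduced to the two timestamp sets that matter here.

    si_* are the $STANDARD_INFORMATION timestamps: what Explorer and `dir` show and
    what the Win32 SetFileTime API (which Timestomp-style tools call) can rewrite.
    fn_* are the $FILE_NAME timestamps, which the kernel maintains and user-mode
    tools cannot normally set. Both would come from an MFT parser in real use.
    """
    path: str
    si_created: datetime
    si_modified: datetime
    fn_created: datetime
    fn_modified: datetime


def timestomp_indicators(rec):
    """Return the list of heuristics that fire for one record (empty = nothing odd)."""
    reasons = []
    # 1. $SI creation time earlier than $FN creation time. The kernel writes $FN at
    #    creation (and copies $SI into it on a local move), so a $SI birth time that
    #    predates the $FN birth time is the classic sign of a rolled-back $SI.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created predates $FN created")
    # 2. Zero sub-second digits on every $SI timestamp. NTFS keeps 100 ns ticks, but a
    #    tool that accepts "MM/DD/YYYY HH:MM:SS" writes whole seconds, so the fraction is
    #    exactly zero. datetime only carries microseconds; with a real parser test the
    #    full 100 ns value. Genuine files rarely show this on both fields at once.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second precision")
    return reasons


def scan(records):
    """Map path -> fired indicators, for every record with at least one indicator."""
    hits = {}
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits[rec.path] = reasons
    return hits


# Constructed records (paths and times invented for illustration).
SAMPLE_RECORDS = [
    # An ordinary document: $SI and $FN were written by the kernel at the same instant.
    MftRecord(r"C:\Users\alice\Documents\budget.xlsx",
              si_created=datetime(2010, 3, 4, 14, 22, 7, 481233, tzinfo=UTC),
              si_modified=datetime(2010, 5, 19, 9, 1, 55, 106970, tzinfo=UTC),
              fn_created=datetime(2010, 3, 4, 14, 22, 7, 481233, tzinfo=UTC),
              fn_modified=datetime(2010, 3, 4, 14, 22, 7, 481233, tzinfo=UTC)),
    # A dropped binary whose $SI times were rolled back to look like part of an old
    # install; $FN still carries the real drop time, with a real sub-second fraction.
    MftRecord(r"C:\Windows\System32\msupdt.exe",
              si_created=datetime(2005, 1, 12, 8, 0, 0, 0, tzinfo=UTC),
              si_modified=datetime(2005, 1, 12, 8, 0, 0, 0, tzinfo=UTC),
              fn_created=datetime(2010, 6, 15, 2, 41, 18, 903114, tzinfo=UTC),
              fn_modified=datetime(2010, 6, 15, 2, 41, 18, 903114, tzinfo=UTC)),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Both checks are triage hints, not proof: an attacker who stomps $SI and then moves the file on the same volume gets the forged values copied into $FN, and some installers legitimately preserve old creation times. Corroborate hits with the $UsnJrnl and $LogFile and with the MFT entry's sequence number before drawing conclusions.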
  62. Exploits
     - Spear-phishing
     - Phishing
     - Pharming
     - Cross-site anything (XSS, CSRF, ...)
     - Spoofing
     - SQL injection
     - Missing patches
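SQL injection is listed above as an exploit class; what makes it work is building a query by string concatenation, so the user's input becomes part of the SQL grammar. The snippet below is an added example, not code from the presentation: a vulnerable login check beside its parameterized fix, run against an in-memory SQLite table with one constructed user row. The table, column names, credentials and payload are illustrative; the same defect and the same fix apply to any database driver.

```python
import sqlite3


def make_demo_db():
    """In-memory SQLite database with one constructed user row.

    A real application stores a salted password hash, not the password itself;
    the injection point is the same either way, so plain text keeps the demo short.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rrect-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: whatever the user types becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Uses bound parameters: the driver passes the values separately from the
    statement text, so a quote or comment marker in the input stays data and can
    never terminate the literal or change the query's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Classic payload: closes the string literal, then comments out the password check.
# The vulnerable function ends up running
#   SELECT username FROM users WHERE username = 'admin' --' AND password = 'anything'
INJECTION_USERNAME = "admin' --"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, injected username, wrong password:",
          login_vulnerable(db, INJECTION_USERNAME, "anything"))
    print("parameterized, same input:                    ",
          login_parameterized(db, INJECTION_USERNAME, "anything"))
    print("parameterized, real credentials:              ",
          login_parameterized(db, "admin", "c0rrect-horse"))
```

The parameterized version still accepts the legitimate credentials; it simply refuses to treat `' --` as syntax. Escaping quotes by hand is the tempting alternative and is where most "fixed" code goes wrong again; bound parameters are the control an auditor should look for in the code review.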
  63. [Chart: the familiar plot of attack sophistication against the technical knowledge an intruder needs, over time. Attacks marked along the rising sophistication curve: password guessing, password cracking, self-replicating code, back doors, hijacking sessions, sweepers, sniffers, DDoS, stealth diagnostics, packet forging and spoofing, new Internet attacks; the "technical knowledge required" curve falls as the "sophistication of hacker tools" rises to "High".]
     [Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
  64. Social Engineering
     "Social Engineer Specialist: because there is no patch for human stupidity" (DEF CON T-shirt)
     The art of using human behavior to breach security without the target even realizing they have been manipulated.
  65. Social Engineering
     Technical: Google, Maltego, Pipl
     Non-technical:
     - Poor physical controls
     - Lack of security awareness training
     - Lack of policies and procedures
     - Weak employee screening
     - Lack of management support
     - Poor controls on data
  66. Social Engineering
     People are the weakest link:
     - Desire to be helpful
     - Fear of getting in trouble
     - Tendency to trust
     - Desire to be successful
  67. Social Engineering
     Path of least resistance
  68. Insider
     Motivators, the dark side:
     - Profit
     - Revenge
     - Fame
  69. Insider
     Motivators, good people doing bad:
     - Evolving loyalties
     - Job change
     - Management change
     - Company change
     - Misdirection / social engineering
     - Influence
  70. Insider - Telltale Signs
     Insiders already have access; they only need intent.
  71. Insider - Watch For (the detection chain)
     Some kind of activity
     -> reveals information not directly observable
     -> is noticed
     -> its significance is recognized
  72. Insider - HR
     - Monitoring included in policy
     - Clearly defined processes that include HR, Legal, Security and Management
     - Understand the evolving statutory privacy requirements
  73. Outsider
     - Hacktivism
     - Script kiddies
     - Profit
     - Revenge
     - Fame
  74. Risk Modeling
     Know your risk formulas: ALE = ARO × SLE, where SLE = AV × EF
     Susceptibility
     Impact
     Risk = Materiality
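The formulas on slide 74 are shown as a one-liner; the transcript's "(EV*AV)" is read here as the standard SLE = AV × EF (asset value times exposure factor), which is an assumption. The following Python is an added worked example, not from the presentation, that carries ARO, SLE and ALE through a few constructed scenarios and adds the two steps an auditor actually needs: the cost/benefit test for a proposed safeguard (ALE before, minus ALE after, minus the safeguard's annual cost) and a materiality cut-off. All dollar figures, frequencies and the threshold are invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, before and after a proposed safeguard.

    av:  asset value in dollars
    ef:  exposure factor, the fraction of av lost in one occurrence (0..1)
    aro: annualized rate of occurrence (expected events per year)
    ef_after / aro_after: the same figures once the safeguard is in place
    safeguard_cost: annual cost of the safeguard in dollars
    """
    name: str
    av: float
    ef: float
    aro: float
    ef_after: float
    aro_after: float
    safeguard_cost: float


def sle(av, ef):
    """Single loss expectancy: SLE = AV x EF, dollars lost in one occurrence."""
    return round(av * ef, 2)


def ale(aro, single_loss):
    """Annualized loss expectancy: ALE = ARO x SLE, expected dollars lost per year."""
    return round(aro * single_loss, 2)


def safeguard_value(s):
    """Annual value of the safeguard: ALE_before - ALE_after - annual cost.

    Positive means the control pays for itself; negative means the organization
    would spend more on the control than the risk it removes.
    """
    before = ale(s.aro, sle(s.av, s.ef))
    after = ale(s.aro_after, sle(s.av, s.ef_after))
    return round(before - after - s.safeguard_cost, 2)


def evaluate(scenarios, materiality):
    """Rank scenarios by current ALE; flag each as material (ALE at or above the
    threshold) and say whether its safeguard is worth buying."""
    rows = []
    for s in scenarios:
        current = ale(s.aro, sle(s.av, s.ef))
        value = safeguard_value(s)
        rows.append({
            "name": s.name,
            "sle": sle(s.av, s.ef),
            "ale": current,
            "material": current >= materiality,
            "safeguard_value": value,
            "buy_safeguard": value > 0,
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed scenarios (every figure invented for illustration).
SCENARIOS = [
    # Code review plus a WAF cuts how often the breach happens, not how bad it is.
    Scenario("Customer DB breach via web app", av=2_000_000, ef=0.25, aro=0.2,
             ef_after=0.25, aro_after=0.05, safeguard_cost=60_000),
    # Full-disk encryption: laptops still get stolen, but the data is not exposed.
    Scenario("Unencrypted laptop theft", av=50_000, ef=1.0, aro=2.0,
             ef_after=0.1, aro_after=2.0, safeguard_cost=20_000),
    # Relocating the data center removes the risk entirely but costs far more than it saves.
    Scenario("Data-center flood", av=1_000_000, ef=0.5, aro=0.01,
             ef_after=0.0, aro_after=0.01, safeguard_cost=200_000),
]
MATERIALITY = 50_000   # constructed threshold, as an audit plan might set it

if __name__ == "__main__":
    for row in evaluate(SCENARIOS, MATERIALITY):
        print(row)
```

The ranking makes the slide's point concrete: two scenarios with the same ALE can have opposite answers on the safeguard, and a scenario below materiality can still carry a control proposal that should be declined on cost alone.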
  75. Threat Modeling
     - Attacker-centric
     - Software-centric
     - Asset-centric
  76. Attack Methodology
     Phase I: Reconnaissance
     Phase II: Enumeration
     Phase III: Vulnerability Analysis
     Phase IV: Exploit
  77. Attack Methodology
  78. Case Study #1: Defense Contractor
     Investigation: data leakage
     Results: targeted spear-phishing
     Breakdown: AV, DLP, firewall/IDS, incident response
  79. Case Study #2: Insurance
     Investigation: data leakage
     Results: loss of ACLs, passwords, intellectual capital
     Breakdown: security awareness, improper access control, DLP, IDS/IPS/HIDS
  80. Case Study #3: Healthcare
     Investigation: outside hack
     Results: loss of proprietary information, loss of reputation; the company ended up closing shop
     Breakdown: internal IT violated the controls put in place under HIPAA
  81. Questions and Answers
     Michael A. DaGrossa, CISSP, CEH, CCE
     Managing Partner, Business Risk Services
     302.261.9013 (office)
     302.383.2737 (mobile)
     ION-e Group
     100 Dean Drive
     Newark, DE