This presentation outlines the leaps and bounds of Cloud Computing and Risk Management in the age of enormous global data surveillance, whistleblowers, WikiLeaks and data leakage, and what to do to protect data.
2. 2
Agenda
• Current IT Security Issues and Concerns (non-technical)
• Non-technical overview of recent industry breaches
“Sony, Amazon, Wikileaks, and Stephen Harper and
Ontario Courts webpage defacement”.
• How does it relate to us?
• Solutions
3. 3
Current Security Breaches and Concerns
• Stuxnet Virus - nation-state supported, highly complex, first programmable logic
controller (PLC) rootkit worm (July 2010)
• WikiLeaks - 779 secret government files leaked relating to prisoners detained in
Guantanamo Bay detention camp (April 2011)
• Sony PlayStation Network Hack - The PlayStation Network outage was the result of
an "external intrusion" on Sony's PlayStation Network and Qriocity services, in which
personal details from approximately 77 million accounts were stolen. The outage prevented
users of PlayStation 3 and PlayStation Portable consoles from playing online through
the service. (April 2011)
• RSA Hack - sophisticated spear phishing attack that exploited a zero-day vulnerability
to steal authentication information (March 2011)
• Lockheed Martin Hack - possibly state-sponsored complex attack on top secret military
systems using stolen RSA authentication data (May 2011)
4. 4
Current Security Breaches and Concerns
• Amazon Cloud computing availability issues - Amazon's "Elastic Compute Cloud,"
part of the online retail company's cloud-computing service that hosts websites for
start-ups, experienced latency problems and other errors. (April 2011)
• Conservative Website Hack – The website of the Canadian Conservative Party was
hacked, and it reported that Prime Minister Stephen Harper was rushed to
hospital. (June 2011)
• Hacker groups Anonymous and LulzSec - Anonymous is a group initiating active civil
disobedience. They spread through the Internet while staying hidden, representing
the concept of many online community users simultaneously existing as an anarchic,
digitized global brain. In 2011 they have been involved in the hack of the website of
the Irish political party Fine Gael and of websites for the Government of Tunisia, the
release of emails obtained from Bank of America, and a mass email/fax bomb to the Bay
Area Rapid Transit (BART).
LulzSec is a computer hacker group that claims responsibility for several high-profile
attacks, including the compromise of user accounts from Sony Pictures in 2011. The
group also claimed responsibility for taking the CIA website offline. The group has
been described as a "cyber terrorism group" by the Arizona Department of Public
Safety after their systems were compromised and information leaked.
5. 5
2011, Sony hacked 3 times
• PlayStation Network
“PlayStation Network is a free-to-access interactive
environment where you can play online games, chat to friends and family around
the world and surf the web - and all for free”
• The attack
“Cyber-security expert Dr. Gene Spafford has told the U.S. House of
Representatives that Sony allegedly ignored reports of gaping vulnerabilities on
its servers.”
• How did they notice it?
• How did they notice the impact?
Sony’s Stock Drops 2.08 Billion Dollars Since PSN Outage
6. 6
2011, Sony hacked 3 times
Asset: Names, addresses, passwords,
credit card info, and security answers.
Threat: Unauthorized access, disclosure of
personal / confidential data
Agent: Hackers (Anonymous, LulzSec hacktivists), disgruntled employees
Vulnerability: “known-vulnerability in non-specified web application server platform”
Planned Safeguards:
Automated software monitoring to their networks;
Enhanced levels of data protection and encryption, new firewalls;
Moving the data center to a different location, and
Hiring a Chief Information Security Officer (CISO)
8. 8
Harper hacked by Hash Brown
Threat agent: Lulzraft
"no useful credit card information was
taken and our internal database was not
hacked," DeLorey said
“The conservatives said no contributor
data was accessed..I wonder where this
sample came from then!”
Donors' information gets published; email to CBC News.
Ontario Courts, MOF and TSB have also been hacked this year.
9. 9
WikiLeaks
We provide an innovative, secure and anonymous way for independent
sources around the world to leak information to our journalists
10. 10
Amazon Cloud Incident
• Security Process Document
• The attack, impact, compensation...
• Customer Agreement
• We may change, discontinue or add SLA from time to time...
• Another outage on Aug 9th.
Your Responsibilities
You are responsible for properly configuring and using the Service Offerings and taking
your own steps to maintain appropriate security, protection and backup of Your Content,
which may include the use of encryption technology to protect Your Content from
unauthorized access
Proprietary DDoS mitigation techniques are used.
11. 11
How does it relate to us?
• All IT systems and infrastructure are at risk – whether they
are exposed publicly or to just internal users (insiders).
• We are all collectively mandated to protect and secure the
public’s sensitive and private information
• Ontario is the financial capital of Canada, and is a high value
target not only to Hackers, but also organized crime units for
the purpose of identity theft
12. 12
Solutions
• Information Protection Centers – Security Operations Centers are reactive
security teams working 24/7 to monitor and protect our networks and data
from hackers, viruses, botnets, DDoS attacks, etc.
• Threat and Risk Assessment (TRA) and Risk Advisory groups provide
proactive risk assessment advice to protect data and infrastructure by
providing security recommendations such as encryption of sensitive data in
transit and in storage, software updates and security patches, proper
Business Continuity and Disaster Recovery planning, least-privilege role-based
access controls, Vulnerability Assessments, Penetration Tests, etc.
• Vulnerability Assessment and Penetration Testing teams work to test and
discover security vulnerabilities.