Moving to the Cloud: A Security and Hosting Introduction
•Download as PPTX, PDF•
3 likes•791 views
By Ron Rainville
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Moving to the Cloud: A Security and Hosting Introduction
Similar to Moving to the Cloud: A Security and Hosting Introduction (20)
More from Blackbaud
More from Blackbaud (20)
Recently uploaded
Recently uploaded (20)
Moving to the Cloud: A Security and Hosting Introduction
- 1. Service Delivery Operations BBCON 2014 Ron Rainville – VP/Service Delivery Operations
- 2. 2 Overview • Today’s Landscape • What is Blackbaud doing? • Protection thru technology • Protection thru people • Protection thru certifications • Protection thru process Blackbaud Confidential
- 3. Today’s Landscape 3 Breaches in the News • Banks • Massive bank hack: What you need to know - CNN • Retailers • Home Depot hack could lead to $3 billion in fake charges – CBS News • Target store chain security breach • Healthcare • There is an epidemic of medical identity theft – USA Today • Universities • Ex-contractor says he hacked into U-Md. databases to alert others to security flaws – Washington Post • Governments • U.S. Probes Hacking of Government Computers at Personnel Agency – The Wall Street Journal
- 4. Theft has been Automated and Targeted 4 A variety of adversaries • Script Kiddies • Organized Crime • Nation States The value of targeted data is rising • Cardholder data • Personally Identifiable Information (“PII”) • Protected Health Information (“PHI”) • Social network handles (Twitter, Facebook)
- 5. 5 Attack Vectors Zero-Day Vulnerabilities • Vulnerabilities discovered by criminals within software, sold in Black Markets to the highest bidder Social Engineering • Targeted campaigns against key resources within an organization for the purpose of gaining access to confidential information Insider Threat • Disgruntled employees looking to get even • User mistakes (e.g. bringing data home) Best source for statistics: Verizon Data Breach Investigations Report
- 6. How Do Large Credit Card Breaches Happen? The Advanced Persistent Threat (“APT”) 6 Recon Infiltration Delivery & Exploitation Exfiltration Monetization Reconnaissance Adversaries probe targets for holes and vulnerabilities and/or steal credentials Infiltration Exploit these weaknesses to get inside Delivery & Exploitation Hook malware into processing streams Exfiltration Get data out as quietly as possible Monetization Data sold on the black market This can occur over months at a time
- 7. 7 Impact Reputational • Brand damage • Customers will seek alternative choices Financial and Liability • Stock price tumbles • Cost of data breach • Legal issues • Post-mortem audits – regulatory (e.g. HIPAA) or contractual (PCI)
- 8. So What is Blackbaud Doing?
- 9. Protection thru Technology 9 Strong Perimeter • Firewalls • IDS Control • DDoS • 2FA Access Control • Granted on an as needed basis • Role separation Password/Account Management Environment Awareness • Log and activity monitoring Data Centers • All tier III+ certified No Special cases
- 10. Protection thru People 10 Blackbaud Security Team • Dedicated to Security – complete focus • All personal heavily trained • High level of visibility Training • All employees receive security training – social engineering & best practices – annually and NEO • ITIL training Certifications • CISSP, GISM, GSEC, CCNA, CNSS, DoD 85 Partnerships • PCI/SOC: Brightline CPAs • Pen-testing: Praetorian (annual rotation) • PCI validation scans: Qualys • Ethical hacking and forensics: eMagined Security Consultants Vendor Management • all service providers we use are required to meet or exceed our security standards
- 11. Protection thru Certifications 11 PCI – Credit Card • PCI level 1 – Annual Event, Brightline SSAE16 – PII, Best Practices – risk mitigation • SOC2, Level 2: based on Security, Availability, Confidentiality principles - Brightline • SOC1, Level 2: based on Financial Reporting for Ledger based products - Brightline ITIL Based • Annual Security Audit – 3rd Party, eMagined Security • Policy validation and Perimeter testing • Internal LAN – Ethical hacking; Credentialed and non-Credentialed
- 12. Protection thru Process 12 Security Patching – all platforms • Monthly and on-demand • Heartbleed, Shellshock Change Management • Rigorous process • Completely documented • Multi-level management approval Event and Incident Management • Complete log and event monitoring and response • 7X24 NOCC • eMagined on retainer and used often – false positives Security Testing • Vulnerability management (monthly) • Penetration testing / ethical hacking (annually and after major changes)
- 13. After all that… Are we completely Protected?
Editor's Notes
- Today’s Security Landscape is dominated by negative news. From major banks to government organizations, not a week goes by before another possible data breach is announced. Links: Banks - http://money.cnn.com/2014/08/28/technology/security/bank-hack/ Retailers - http://www.cbsnews.com/news/credit-monitoring-company-home-depot-breach-could-result-in-2b-in-fraud/ Healthcare - http://www.usatoday.com/story/money/personalfinance/2014/09/13/identity-theft-hacking-medical/15345643/ Universities - http://www.washingtonpost.com/local/crime/former-contractor-calls-himself-whistleblower-in-exposing-security-problems-at-u-md/2014/04/10/7312699e-c0b3-11e3-b195-dd0c1174052c_story.html Governments - http://online.wsj.com/articles/u-s-probes-hacking-of-government-computers-at-personnel-agency-1404970913
- How did we get to where we are in the Security Landscape? Who are the main perpetrators when it comes to breaches? 3 main categories of attackers. Script Kiddies – Unskilled individuals who copy, modify, and use scripts to attack computer systems. Most are simply looking for glory or notoriety. They usually go after low-level hanging fruit Facebook accounts, gaming credentials, etc. Organized Crime – This group is compromised of highly skilled individuals that are pooling skills, resources and infrastructure for buying, selling, and trading stolen data. - http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/22/hackers-are-getting-better-at-offense-companies-arent-getting-better-at-defense/ Nation States – Countries that can provide unlimited resources to groups of people employed by them to gain access to highly sensitive information on their enemies. - http://www.cnbc.com/id/101845869#. At the same time, as hacks get more complex and require more resources, the value of data begins to increase. As with all markets, it all depends on supply and demand. “A Twitter account costs more to purchase than a stolen credit card because the former’s account credentials potentially have a greater yield. Immediately after a large breach, freshly acquired credit cards command a higher price—as there is greater possibility for the credit cards to still be active. But after time, prices fall because the market becomes flooded” - http://blogs.wsj.com/corporate-intelligence/2014/03/28/whats-more-valuable-a-stolen-twitter-account-or-a-stolen-credit-card/ PHI is valued in order to exploit the prescription drug market. A user can change their credit card number, but they can’t change their health records
- These are the most common. Other attack vectors include: Weak authentication (e.g. easy to guess or weak passwords) Unpatched vulnerabilities Weak cryptography Wireless network sniffing Spyware on end user machines (e.g. keyloggers) Too much access (improper permissions) Simple user error (e.g. publishing sensitive data to a web site) Physical attacks (e.g. PoS skimming)
- Some notes taken from the “Lessons for SDO document”: What can we in Blackbaud Service Delivery Operations learn from this to improve our defense in depth? PCI Compliance is not the end goal; it is just the beginning. Receiving a PCI certification is intended to indicate compliance- and in Target’s case it seemed that wasn’t true either. Be vigilant for unusual activity. System administrators must learn to recognize social engineering attacks as well as processes and files on systems that don’t belong. Control access. In Target’s case, two‑factor authentication could have been used for granting remote access by third party vendors, making it more difficult to for the attackers to gain access. Firewalls and DMZs are not enough. Control networks. Target lacked sufficient security segregation boundaries to contain their vendors. And attackers sent data outward over FTP, indicating outbound well known ports to foreign servers were unblocked at the firewall. Assume any account can be used for malicious purposes and mitigate accordingly. To mitigate risks, we need to follow password requirements, principle of least privilege, separation of duties, and ensure service accounts cannot be used for login purposes. Configure technical controls and follow up on alerting. File integrity monitoring and intrusion detection can be effective security tools but we need to configure these appropriately and have the expertise necessary to manage response. In Target’s case, they had outsourced alerting but when escalated back to Target’s Security Operations Team at their US HQ, alerts went ignored. Protect vendor related information as confidential and proprietary. Target’s vendor information was posted publicly. Third-party vendors must be held to our security standards. In the case of Target Stores, the HVAC vendor could have disrupted infection using industry standard real-time anti-malware software. Instead, they used free Malwarebytes anti-malware intended for individual consumer use which did not work in real‑time.
- The impact of a breach can be measured in two main categories: Customer perception and Company perception. Target’s customer-perception level dropped to a negative score of 23 following their breach announcement. That means 23% more shoppers have a negative perception of the brand than have a positive perception. - http://blogs.marketwatch.com/behindthestorefront/2013/12/30/targets-reputation-takes-another-hit/ AP Twitter hack causes panic on Wall Street and sends Dow plunging - http://www.theguardian.com/business/2013/apr/23/ap-tweet-hack-wall-street-freefall How Main Street will pay for Home Depot’s data breach - http://www.businessweek.com/articles/2014-09-16/home-depot-breach-why-small-merchants-will-pay
- BBPS and Sphere store card info
- policy was created upon Blackbaud’s business plan