Duo Security, profile picture
Uploaded byDuo Security
PDF, PPTX684 views

Security Fact & Fiction: Three Lessons from the Headlines

The document discusses the realities of data breaches, highlighting that many incidents are caused by simple mistakes rather than sophisticated attacks. It emphasizes the importance of strong security measures, effective incident response plans, and access controls to mitigate risks and reduce breach costs. Additionally, it contrasts common misconceptions about security compliance and advanced threats with the actual vulnerabilities organizations face.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
Security Fact & Fiction Three Lessons from the Headlines
(that one’s real)
Real-word breaches are often caused by simple lapses of judgment. Hollywood movies and some of the media representations of data breaches are sensationalized and over-complicated compared to reality. source: Verizon DBIR 2015 verizonenterprise.com/DBIR/2015/
Security Facts ❏ The cost of a data breach is on the rise ❏ average cost increased 8.3% from $5.4 MM in 2013 to $5.85 MM in 2014 ❏ average cost per record increased 6.9% from $188 in 2013 to $201 in 2014 ❏ the most costly breaches are malicious & criminal attacks ❏ Will your organization be breached? ❏ “The results show that a probability of a material data breach [over the next 2 years] involving a minimum of 10,000 records is more than 22 percent”* * source: IBM/Ponemon “Cost of Data Breach Study”, 2014: http://ibm.co/1Df4urk based on survey of 314 global organizations that experienced data breach
Factors Affecting the Cost of Breaches Factor Effect on Price/Record Strong Security Posture -$14.14 Incident Response Plan -$12.77 CISO Appointment -$6.59 Business Continuity Management -$8.98 Lost/Stolen Devices +$16.10 3rd Party Involvement +$14.80 Quick Notification +$10.45 Consultant Engagement +$2.10 source: IBM/Ponemon, 2014 US Avg. Cost/Record: $201
Security Fiction ❏ Purchasing data breach insurance policies indicates an organization is slacking on security ❏ more likely to have other proactive measures in place ❏ Password policies and user education can save us ❏ most security advice targeting users has a poor cost/benefit tradeoff (MS, 2009 http://bit.ly/1lwMErH) ❏ The threats you care about are Advanced Persistent Threat 0dayz ❏ most breaches actually use very simple methods, exploiting oversights and poor security policy, even from sophisticated attackers ❏ PCI/HIPAA/whatever compliant means secure ❏ nope! these don’t encompass everything
The Present State of Security ❏ The answer to most security questions is “it’s complicated” but that doesn’t mean there’s no hope “You must never confuse faith that you will prevail in the end -- which you can never afford to lose -- with the discipline to confront the most brutal facts of your current reality, whatever they may be” -- Admiral James Stockdale, US Navy “I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents” -- Brian Snow, NSA Information Assurance Head, 2012 “Lulzsec hacks embarrassed the security community by showing we were outclassed as defenders. NSA leaks show we were outclassed as attackers too” -- Haroon Meer, 2015
The Security Blanket ❏ Preparedness can reduce the cost of data breaches, while other factors can increase the cost ❏ Many expensive breaches are preventable in a cost-effective way in retrospect ❏ There are many commonalities in how attacks begin… ❏ poor passwords ❏ malware ❏ phishing ❏ application misconfiguration/bugs ❏ lost/stolen devices
our management statement: why the information security policy exists
❏ Ownership which team/people are responsible for which systems? ❏ Employee responsibilities e.g. honoring PII policy & access restrictions. ❏ Device use policy BYOD is huge. ❏ Risk assessment policy evaluate org for risk on an ongoing basis ❏ Employee off-boarding policy prevent biz critical material from leaving ❏ Operations management policy backups? monitoring? segregation? ❏ Compliance & Auditing policy to ensure you remain compliant with regulations Contents of Security Policy ❏ Access control policy specify how your org controls sensitive access ❏ Incident management policy incident management policy decreases cost of breach ❏ Physical security policy who controls the literal keys? how is access given/revoked? ❏ Business continuity & disaster recovery if operations can’t continue at current office, then what? ❏ Data confidentiality policy procedures & requirements for dealing w/ sensitive data ❏ Software change management policy how do you keep track and control of important updates?
Target in the Crosshairs ❏ 95% of security incidents involve credential theft ❏ Target’s HVAC vendor’s credentials to vendor project system were compromised ❏ It’s hard to control your employees, let alone a vendor’s… ❏ but mitigation should always be in mind ❏ the vendor project system and payments systems weren’t segregated ❏ no two-factor authentication ❏ 70 million customer records stolen ❏ 40 million credit/debit cards ❏ up to $1 billion in damages
How it happened 1. “Citadel” malware email, spearphishing to HVAC vendor 2. Vendor application vulnerability 3. Active Directory target enumeration 4. Steal admin hash from memory 5. Create new admin user 6. Bypass Target’s firewalls and access restrictions run code remotely with PSExec & remote desktop Microsoft Orchestrator access allowed them to ensure persistence 7. this gave them access to PII, but no credit cards as those were never stored, as per PCI-DSS 8. attackers deployed custom ‘Kaptoxa’ malware on PoS terminals using domain admin credentials 9. used internal AD-linked FTP server to aggregate data before sending it out
How it COULD have happened 1. “Citadel” malware email, spearphishing to HVAC vendor 2. Vendor application vulnerability was caught internally first 3. Active Directory target enumeration was detected as anomalous, stopped, and the incidence response policy defined what to do next 4. There was no domain admin password to be stolen on the vendor system 5. Creation of new domain admin user triggered an alert to the responsible team 6. Bypass of Target’s firewalls and access restrictions was impossible due to extensive internal/external risk assessment and threat modeling 7. attackers couldn’t access to PII because it was encrypted and the keys were on uncompromised, segregated application servers 8. attackers couldn’t deploy custom malware on PoS terminals because terminals whitelisted processes and attackers had no access to config management 9. couldn’t use internal AD-linked FTP server to aggregate data because it whitelisted hosts
Security Facts RISK ASSESSMENT FTW: Third-party access needs to be controlled and understood. Threat model, assess, and mitigate risk. SEGREGATION CAN BE HARD: there’s evidence Target made some effort to segregate their systems, using firewalls and restricting access from certain hosts. However, this can sometimes be bypassed by proxying through other hosts. Fully-segregated networks, or ones with strongly defined access control barriers are ideal. One Active Directory to Rule Them All introduces risk. MONITORING IS CRUCIAL: Target could have noticed the attackers at several points during their setup and reconnaissance if monitoring alerted them.
Security Fiction PCI-DSS compliance should keep data secure PCI-DSS requires two-factor authentication for external logins to networks falling under the scope of PCI-DSS. Target likely assumed the vendor management system was properly segregated with firewalls and access controls. PCI-DSS also doesn’t require network segregation, and only recommends it. Custom malware is a big threat While custom malware was used, its scope was limited: scraping POS terminal memory for credit cards and exfiltrating. It didn’t use any undisclosed software vulnerabilities or do anything particularly sophisticated. The best thing to do is keep it from appearing on systems in the first place.
JPMorgan: Financial Cost of Neglect ❏ 7 million businesses, 76 million consumers affected ❏ existing $250 million/year security budget ❏ suspected entry point: ❏ employee laptop compromised with malware ❏ corporate marathon site bug ❏ US gov’t & JPMC initially pointed fingers at Russia… ❏ until October, when the FBI said they were no longer a suspect ❏ One server which missed being upgraded with two-factor authentication provided a foothold ❏ ultimately, 90+ servers were compromised
Security Fact ❏ Negligence is costly ❏ security policy means nothing if it isn’t constantly evaluated and adhered to ❏ security is active, not set-and- forget, not an add-on ❏ Expense-in-depth doesn’t mean defense- in-depth ❏ JPMC had 1000+ security personnel & a massive security spend, but one oversight allowed a massive breach
Security Fiction ❏ You’ll be taken down by an advanced adversary with never-before-seen techniques ❏ it’s more likely you’ll be taken down by your own oversight ❏ advanced adversaries are more persistent but adhere to the same rules as everyone else
Anthem: healthy access control ❏ 80 million records stolen from large health insurance provider ❏ database containing records was unencrypted… ❏ but encryption isn’t a panacea: it can be done poorly, keys can be stolen, and the data needs to be unencrypted at some point ❏ there’s no indication Anthem used any two- factor authentication whatsoever ❏ credentials from between 1-5 users were enough to access all subscriber data ❏ does any user need unfettered access to all data?
Security Fact ❏ Access controls are critical ❏ nobody needs access to all data on a regular basis. ❏ records being accessed should be restricted as much as possible (principle of least privilege/default deny). ❏ Encryption is valuable, but not foolproof ❏ 64% of healthcare record leaks were attributed to employee endpoint compromise (US Dept. Health & Human Services, 2014) ❏ what risks do mostly insecure endpoints bring organizations? ❏ can employee credentials get attackers access to data retrieval applications? is uncharacteristic usage flagged?
Security Fiction ❏ HIPAA keeps health care information safe ❏ HIPAA does not require encryption ❏ HIPAA does not require two-factor “Implement two-factor authentication for granting remote access to systems that contain EPHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)” ❏ HIPAA’s access control requirement: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. - 164.312(d) Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov
Security Fact and Fiction FACT: many hacks are facilitated by oversight of service operators this is somewhat comforting: it means it can be addressed FICTION: today’s APTs require expensive threat intelligence feeds to understand FACT: ongoing internal and external risk assessment can uncover problems FICTION: “security” is a one-time expense FACT: your organization needs to own and understand its security program
Security Fact and Fiction FICTION: spending a lot of money on security means you’re doing it right FACT: an information security policy is a good step to address your security reality FICTION: there’s a magic box you can plug in to your network to secure it all FACT: it’s possible to make hacking your organization very difficult FICTION: you can be completely hack-proof

More Related Content

PDF
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
byBrian Kelly
 
PDF
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
byDuo Security
 
PDF
Security For The People: End-User Authentication Security on the Internet by ...
byDuo Security
 
PDF
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
byDuo Security
 
PPTX
The state of endpoint defense in 2021
byAdrian Sanabria
 
PPTX
Kent King - PKI: Do You Know Your Exposure?
bycentralohioissa
 
PPTX
Building securable infrastructures
bySteven Aiello
 
PPTX
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
bymdagrossa
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
byBrian Kelly
 
Securing Access to PeopleSoft ERP with Duo Security and GreyHeller
byDuo Security
 
Security For The People: End-User Authentication Security on the Internet by ...
byDuo Security
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
byDuo Security
 
The state of endpoint defense in 2021
byAdrian Sanabria
 
Kent King - PKI: Do You Know Your Exposure?
bycentralohioissa
 
Building securable infrastructures
bySteven Aiello
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
bymdagrossa
 

What's hot

PDF
What Happens Before the Kill Chain
byOpenDNS
 
PPTX
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
PDF
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
PPTX
Ransomware Has Evolved And So Should Your Company
byVeriato
 
PDF
Addressing the cyber kill chain
bySymantec Brasil
 
PPTX
Operationalizing Security Intelligence
bySplunk
 
PDF
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
byMichael Bunn
 
PDF
Making Threat Modeling Useful To Software Development
byConSanFrancisco123
 
PDF
Understanding Cyber Kill Chain and OODA loop
byDavid Sweigert
 
PPTX
The Internal Signs of Compromise
byFireEye, Inc.
 
PDF
Cisa ransomware guide
byanpapathanasiou
 
PPTX
Intelligence-based computer network defence: Understanding the cyber kill cha...
byHuntsman Security
 
PPTX
Art Hathaway - Artificial Intelligence - Real Threat Prevention
bycentralohioissa
 
PPTX
kill-chain-presentation-v3
byShawn Croswell
 
PPT
Top Tactics For Endpoint Security
byBen Rothke
 
PDF
Cyber Kill Chain Deck for General Audience
byTom K
 
PDF
Grc f42
bySelectedPresentations
 
PPTX
Top Application Security Trends of 2012
byDaveEdwards12
 
PDF
Triangulum - Ransomware Evolved - Why your backups arent good enough
byMartin Opsahl
 
PPTX
Cyber Security Needs and Challenges
byHappiest Minds Technologies
 
What Happens Before the Kill Chain
byOpenDNS
 
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
Ransomware Has Evolved And So Should Your Company
byVeriato
 
Addressing the cyber kill chain
bySymantec Brasil
 
Operationalizing Security Intelligence
bySplunk
 
Defending Against Advanced Threats-Addressing the Cyber Kill Chain_FINAL
byMichael Bunn
 
Making Threat Modeling Useful To Software Development
byConSanFrancisco123
 
Understanding Cyber Kill Chain and OODA loop
byDavid Sweigert
 
The Internal Signs of Compromise
byFireEye, Inc.
 
Cisa ransomware guide
byanpapathanasiou
 
Intelligence-based computer network defence: Understanding the cyber kill cha...
byHuntsman Security
 
Art Hathaway - Artificial Intelligence - Real Threat Prevention
bycentralohioissa
 
kill-chain-presentation-v3
byShawn Croswell
 
Top Tactics For Endpoint Security
byBen Rothke
 
Cyber Kill Chain Deck for General Audience
byTom K
 
Grc f42
bySelectedPresentations
 
Top Application Security Trends of 2012
byDaveEdwards12
 
Triangulum - Ransomware Evolved - Why your backups arent good enough
byMartin Opsahl
 
Cyber Security Needs and Challenges
byHappiest Minds Technologies
 

Similar to Security Fact & Fiction: Three Lessons from the Headlines

PPTX
I’ve Been Hacked  The Essential Steps to Take Next
byBrian Pichman
 
PPT
Information security management v2010
byjoevest
 
PDF
Cybersecurity and liability your david willson
byDavid Willson, Attorney, CISSP, Security +
 
PDF
Think You’re Covered? Think Again. Cybersecurity, Data Privacy, Payments Frau...
byWithum
 
PPTX
Cybercrime and the Hidden Perils of Patient Data
byStephen Cobb
 
PPTX
2024 Security Outlook & Essential Security Practices
byDan Houser
 
PPTX
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
byRishi Singh
 
PDF
Course Information Security Lecture 1.pdf
bySamahAdel16
 
PPTX
Management Information System Presentation
byAaDi Malik
 
PPTX
Community IT Webinar - IT Security for Nonprofits
byCommunity IT Innovators
 
PDF
cybersecurity-careers.pdf
byRakeshKumar442494
 
PPTX
So You Want a Job in Cybersecurity
by2nd Sight Lab
 
PPT
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
PDF
2016 legal seminar for credit professionals
byKegler Brown Hill + Ritter
 
PPTX
SoCal HIMSS Privacy Security Webinar
byMarty Miller
 
PPTX
Security in the enterprise - Why You Need It
bySlick Cyber Systems
 
PPTX
How To Secure MIS
byAaDi Malik
 
PPTX
Cybersecurity Seminar March 2015
byLawley Insurance
 
PPTX
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
PPTX
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
byDamir Delija
 
I’ve Been Hacked  The Essential Steps to Take Next
byBrian Pichman
 
Information security management v2010
byjoevest
 
Cybersecurity and liability your david willson
byDavid Willson, Attorney, CISSP, Security +
 
Think You’re Covered? Think Again. Cybersecurity, Data Privacy, Payments Frau...
byWithum
 
Cybercrime and the Hidden Perils of Patient Data
byStephen Cobb
 
2024 Security Outlook & Essential Security Practices
byDan Houser
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
byRishi Singh
 
Course Information Security Lecture 1.pdf
bySamahAdel16
 
Management Information System Presentation
byAaDi Malik
 
Community IT Webinar - IT Security for Nonprofits
byCommunity IT Innovators
 
cybersecurity-careers.pdf
byRakeshKumar442494
 
So You Want a Job in Cybersecurity
by2nd Sight Lab
 
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
2016 legal seminar for credit professionals
byKegler Brown Hill + Ritter
 
SoCal HIMSS Privacy Security Webinar
byMarty Miller
 
Security in the enterprise - Why You Need It
bySlick Cyber Systems
 
How To Secure MIS
byAaDi Malik
 
Cybersecurity Seminar March 2015
byLawley Insurance
 
Top 12 Threats to Enterprise
byArgyle Executive Forum
 
Encase cybersecurity alat za proaktivnu kontrolu korporativne it sigurnosti 2
byDamir Delija
 

More from Duo Security

PDF
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
byDuo Security
 
PDF
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
byDuo Security
 
PDF
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
byDuo Security
 
PDF
Making Web Development "Secure By Default"
byDuo Security
 
PDF
Probing Mobile Operator Networks - Collin Mulliner
byDuo Security
 
PDF
The Real Deal of Android Device Security: The Third Party
byDuo Security
 
PDF
No Apology Required: Deconstructing BB10
byDuo Security
 
PDF
The Internet of Things: We've Got to Chat
byDuo Security
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
byDuo Security
 
A Place to Hang Our Hats: Security Community and Culture by Domenic Rizzolo
byDuo Security
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
byDuo Security
 
Making Web Development "Secure By Default"
byDuo Security
 
Probing Mobile Operator Networks - Collin Mulliner
byDuo Security
 
The Real Deal of Android Device Security: The Third Party
byDuo Security
 
No Apology Required: Deconstructing BB10
byDuo Security
 
The Internet of Things: We've Got to Chat
byDuo Security
 

Recently uploaded

PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Track Phone Location by Number (2026)_ What’s Actually Possible for Free (and...
byEmily Woods
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 

Security Fact & Fiction: Three Lessons from the Headlines

  • 1.
    Security Fact &Fiction Three Lessons from the Headlines
  • 3.
  • 5.
    Real-word breaches areoften caused by simple lapses of judgment. Hollywood movies and some of the media representations of data breaches are sensationalized and over-complicated compared to reality. source: Verizon DBIR 2015 verizonenterprise.com/DBIR/2015/
  • 6.
    Security Facts ❏ Thecost of a data breach is on the rise ❏ average cost increased 8.3% from $5.4 MM in 2013 to $5.85 MM in 2014 ❏ average cost per record increased 6.9% from $188 in 2013 to $201 in 2014 ❏ the most costly breaches are malicious & criminal attacks ❏ Will your organization be breached? ❏ “The results show that a probability of a material data breach [over the next 2 years] involving a minimum of 10,000 records is more than 22 percent”* * source: IBM/Ponemon “Cost of Data Breach Study”, 2014: http://ibm.co/1Df4urk based on survey of 314 global organizations that experienced data breach
  • 7.
    Factors Affecting theCost of Breaches Factor Effect on Price/Record Strong Security Posture -$14.14 Incident Response Plan -$12.77 CISO Appointment -$6.59 Business Continuity Management -$8.98 Lost/Stolen Devices +$16.10 3rd Party Involvement +$14.80 Quick Notification +$10.45 Consultant Engagement +$2.10 source: IBM/Ponemon, 2014 US Avg. Cost/Record: $201
  • 8.
    Security Fiction ❏ Purchasingdata breach insurance policies indicates an organization is slacking on security ❏ more likely to have other proactive measures in place ❏ Password policies and user education can save us ❏ most security advice targeting users has a poor cost/benefit tradeoff (MS, 2009 http://bit.ly/1lwMErH) ❏ The threats you care about are Advanced Persistent Threat 0dayz ❏ most breaches actually use very simple methods, exploiting oversights and poor security policy, even from sophisticated attackers ❏ PCI/HIPAA/whatever compliant means secure ❏ nope! these don’t encompass everything
  • 9.
    The Present Stateof Security ❏ The answer to most security questions is “it’s complicated” but that doesn’t mean there’s no hope “You must never confuse faith that you will prevail in the end -- which you can never afford to lose -- with the discipline to confront the most brutal facts of your current reality, whatever they may be” -- Admiral James Stockdale, US Navy “I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents” -- Brian Snow, NSA Information Assurance Head, 2012 “Lulzsec hacks embarrassed the security community by showing we were outclassed as defenders. NSA leaks show we were outclassed as attackers too” -- Haroon Meer, 2015
  • 10.
    The Security Blanket ❏Preparedness can reduce the cost of data breaches, while other factors can increase the cost ❏ Many expensive breaches are preventable in a cost-effective way in retrospect ❏ There are many commonalities in how attacks begin… ❏ poor passwords ❏ malware ❏ phishing ❏ application misconfiguration/bugs ❏ lost/stolen devices
  • 11.
    our management statement: why theinformation security policy exists
  • 12.
    ❏ Ownership which team/peopleare responsible for which systems? ❏ Employee responsibilities e.g. honoring PII policy & access restrictions. ❏ Device use policy BYOD is huge. ❏ Risk assessment policy evaluate org for risk on an ongoing basis ❏ Employee off-boarding policy prevent biz critical material from leaving ❏ Operations management policy backups? monitoring? segregation? ❏ Compliance & Auditing policy to ensure you remain compliant with regulations Contents of Security Policy ❏ Access control policy specify how your org controls sensitive access ❏ Incident management policy incident management policy decreases cost of breach ❏ Physical security policy who controls the literal keys? how is access given/revoked? ❏ Business continuity & disaster recovery if operations can’t continue at current office, then what? ❏ Data confidentiality policy procedures & requirements for dealing w/ sensitive data ❏ Software change management policy how do you keep track and control of important updates?
  • 13.
    Target in theCrosshairs ❏ 95% of security incidents involve credential theft ❏ Target’s HVAC vendor’s credentials to vendor project system were compromised ❏ It’s hard to control your employees, let alone a vendor’s… ❏ but mitigation should always be in mind ❏ the vendor project system and payments systems weren’t segregated ❏ no two-factor authentication ❏ 70 million customer records stolen ❏ 40 million credit/debit cards ❏ up to $1 billion in damages
  • 14.
    How it happened 1.“Citadel” malware email, spearphishing to HVAC vendor 2. Vendor application vulnerability 3. Active Directory target enumeration 4. Steal admin hash from memory 5. Create new admin user 6. Bypass Target’s firewalls and access restrictions run code remotely with PSExec & remote desktop Microsoft Orchestrator access allowed them to ensure persistence 7. this gave them access to PII, but no credit cards as those were never stored, as per PCI-DSS 8. attackers deployed custom ‘Kaptoxa’ malware on PoS terminals using domain admin credentials 9. used internal AD-linked FTP server to aggregate data before sending it out
  • 15.
    How it COULDhave happened 1. “Citadel” malware email, spearphishing to HVAC vendor 2. Vendor application vulnerability was caught internally first 3. Active Directory target enumeration was detected as anomalous, stopped, and the incidence response policy defined what to do next 4. There was no domain admin password to be stolen on the vendor system 5. Creation of new domain admin user triggered an alert to the responsible team 6. Bypass of Target’s firewalls and access restrictions was impossible due to extensive internal/external risk assessment and threat modeling 7. attackers couldn’t access to PII because it was encrypted and the keys were on uncompromised, segregated application servers 8. attackers couldn’t deploy custom malware on PoS terminals because terminals whitelisted processes and attackers had no access to config management 9. couldn’t use internal AD-linked FTP server to aggregate data because it whitelisted hosts
  • 16.
    Security Facts RISK ASSESSMENTFTW: Third-party access needs to be controlled and understood. Threat model, assess, and mitigate risk. SEGREGATION CAN BE HARD: there’s evidence Target made some effort to segregate their systems, using firewalls and restricting access from certain hosts. However, this can sometimes be bypassed by proxying through other hosts. Fully-segregated networks, or ones with strongly defined access control barriers are ideal. One Active Directory to Rule Them All introduces risk. MONITORING IS CRUCIAL: Target could have noticed the attackers at several points during their setup and reconnaissance if monitoring alerted them.
  • 18.
    Security Fiction PCI-DSS complianceshould keep data secure PCI-DSS requires two-factor authentication for external logins to networks falling under the scope of PCI-DSS. Target likely assumed the vendor management system was properly segregated with firewalls and access controls. PCI-DSS also doesn’t require network segregation, and only recommends it. Custom malware is a big threat While custom malware was used, its scope was limited: scraping POS terminal memory for credit cards and exfiltrating. It didn’t use any undisclosed software vulnerabilities or do anything particularly sophisticated. The best thing to do is keep it from appearing on systems in the first place.
  • 19.
    JPMorgan: Financial Costof Neglect ❏ 7 million businesses, 76 million consumers affected ❏ existing $250 million/year security budget ❏ suspected entry point: ❏ employee laptop compromised with malware ❏ corporate marathon site bug ❏ US gov’t & JPMC initially pointed fingers at Russia… ❏ until October, when the FBI said they were no longer a suspect ❏ One server which missed being upgraded with two-factor authentication provided a foothold ❏ ultimately, 90+ servers were compromised
  • 20.
    Security Fact ❏ Negligenceis costly ❏ security policy means nothing if it isn’t constantly evaluated and adhered to ❏ security is active, not set-and- forget, not an add-on ❏ Expense-in-depth doesn’t mean defense- in-depth ❏ JPMC had 1000+ security personnel & a massive security spend, but one oversight allowed a massive breach
  • 21.
    Security Fiction ❏ You’llbe taken down by an advanced adversary with never-before-seen techniques ❏ it’s more likely you’ll be taken down by your own oversight ❏ advanced adversaries are more persistent but adhere to the same rules as everyone else
  • 22.
    Anthem: healthy accesscontrol ❏ 80 million records stolen from large health insurance provider ❏ database containing records was unencrypted… ❏ but encryption isn’t a panacea: it can be done poorly, keys can be stolen, and the data needs to be unencrypted at some point ❏ there’s no indication Anthem used any two- factor authentication whatsoever ❏ credentials from between 1-5 users were enough to access all subscriber data ❏ does any user need unfettered access to all data?
  • 23.
    Security Fact ❏ Accesscontrols are critical ❏ nobody needs access to all data on a regular basis. ❏ records being accessed should be restricted as much as possible (principle of least privilege/default deny). ❏ Encryption is valuable, but not foolproof ❏ 64% of healthcare record leaks were attributed to employee endpoint compromise (US Dept. Health & Human Services, 2014) ❏ what risks do mostly insecure endpoints bring organizations? ❏ can employee credentials get attackers access to data retrieval applications? is uncharacteristic usage flagged?
  • 24.
    Security Fiction ❏ HIPAAkeeps health care information safe ❏ HIPAA does not require encryption ❏ HIPAA does not require two-factor “Implement two-factor authentication for granting remote access to systems that contain EPHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)” ❏ HIPAA’s access control requirement: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. - 164.312(d) Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov
  • 25.
    Security Fact andFiction FACT: many hacks are facilitated by oversight of service operators this is somewhat comforting: it means it can be addressed FICTION: today’s APTs require expensive threat intelligence feeds to understand FACT: ongoing internal and external risk assessment can uncover problems FICTION: “security” is a one-time expense FACT: your organization needs to own and understand its security program
  • 26.
    Security Fact andFiction FICTION: spending a lot of money on security means you’re doing it right FACT: an information security policy is a good step to address your security reality FICTION: there’s a magic box you can plug in to your network to secure it all FACT: it’s possible to make hacking your organization very difficult FICTION: you can be completely hack-proof