2. Agenda
1. Why is a discussion about user access important?
2. Insider Threats vs. External Threats
3. IT Security Standard Setters
4. Cost of a Breach
5. User Access Rights
6. Cloud Apps
7. Problems with Passwords
8. Data Breaches and Lessons Learned
9. Password Emerging Trends
10.Wrap Up
2
3. Why is a discussion about user access
important?
3
4. Why Talk About User Access?
SECURITY IS A NEGATIVE GOAL.
There are exactly two keys to information security
Configure the system and network correctly and keep it that way
Know the traffic coming into and out of your network
Network security tasks
Protection – configure as correctly as possible
Detection – quickly identify configuration changes or traffic issues
Reaction – respond as quickly as possible
4
5. Defense in depth
Security defensive lines and countermeasures to protect the integrity of
information assets
Five architectures to develop defense in depth
1. Perimeter Defense - Firewalls for segregating internal trusted zones from
the internet
2. Network Defense - Subdividing the internal network into trusted zones
3. Host Defense - Identify and locate information assets that need
protection
4. Application Defense - Prioritize the information assets to be protected
5. Data Defense - Role based access controls
Cryptography is the only remaining protection for information assets when
defense in depth fails.
5
7. Keys to implementing network security
1. Access,
Authentication,
Authorization (AAA)
2. Separation of duties,
separation of services
3. Endpoint security and
ubiquitous computing
4. Service-oriented
architecture (SOA)
7
8. Questions to keep in mind throughout
our discussion
Where are most threats to your information assets coming from?
What is your network access password change policy?
Which IT Guidance/Frameworks are you predominantly working with
now? COSO and/or COBIT and/or ISO and/or PCI?
Does your company perform an periodic user access review? Are
all user accounts reviewed, including B2B, generic/system, cloud
apps and 3rd party vendors?
Does your organization have a proven system for monitoring user
access activity?
8
10. Disgruntled employees and insiders pose
big hacking risk
73% of organizations considered insider threats—both
accidental data leakage by employees and
malicious breaches to be the greatest risk.
64% reported that manual processes, limited visibility into
security policies and poor change management
practices posed the greatest challenge to effective
management of network security devices.
one in five said that aligning priorities and plans between
development, security and operations teams created
the greatest obstacle
60% stated that their data center includes more than 50
critical business applications, 20% have more than 500.
142 information security professionals and
application owners state that current security
management processes make balancing
access to the rapidly rising number of business
critical applications and reducing system
vulnerability increasingly challenging
10
http://www.algosec.com/en/resources/network_security_2014
11. Annual reports on – insider threats11
89% - More at risk
from insider threats
12. Editor – 2 months w/access AFTER
TERMINATION
12
15. Notable IT standard setters
1. International Organization for Standardization
(ISO)
2. PCI Security Standards Council, LLC (PCI-DSS)
3. Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
4. ISACA (COBIT)
15
19. Principle of Least Privilege Access
Defined as the practice of limiting access to the minimal
level that will allow normal functioning and is applied to both
human and system user access
Originated by the US Department of Defense in the 1970’s
to limit potential damage of any accidental or malicious
security breach
It is the underlying principle and the predominate strategy
used to assure confidentiality within a network
Role-based access was developed to group users with
common access needs, simplifying security and security
maintenance
19
20. Users with Elevated Access
By default systems will process commands based on the level of access the
user who initiated the command has.
System and domain administrators pose unique problems within a software
application.
20
Group Description Default user rights
Administrators
Members of this group have full control of all domain
controllers in the domain. By default, the Domain
Admins and Enterprise Admins groups are members
of the Administrators group. The Administrator
account is also a default member. Because this group
has full control in the domain, add users with caution.
Access this computer from the network; Adjust memory quotas for a process; Back up
files and directories; Bypass traverse checking; Change the system time; Create a
pagefile; Debug programs; Enable computer and user accounts to be trusted for
delegation; Force a shutdown from a remote system; Increase scheduling priority;
Load and unload device drivers; Allow log on locally; Manage auditing and security
log; Modify firmware environment values; Profile single process; Profile system
performance; Remove computer from docking station; Restore files and directories;
Shut down the system; Take ownership of files or other objects.
https://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx
22. Number of Cloud Apps a Company is Using
The cloud is nothing more than someone
else’s computer.
Survey results released by Netskope, February 2016 revealed
that
On average 917 apps are in use within each enterprise with the top
categories being marketing, human resources, collaboration, storage
and finance / accounting
13.6% of cloud app users currently use compromised account credentials
at work.
4.1% of enterprises have sanctioned apps that are laced with malware
Sanctioned apps are typically less than 5% of the total apps in use by an
enterprise.
22
https://resources.netskope.com/h/i/213041061-february-2016-worldwide-cloud-report
https://www.netskope.com/press-releases/netskope-survey-majority-of-companies-have-changed-cloud-security-strategies-as-a-result-of-ceo-and-board-level-discussions/
24. Top Cloud Activities24
HR Apps BI Apps Finance Apps
1 Share - 6 shares for every login Upload Share - 2 shares for every
upload
Edit
2 View Download -users downloading
sensitive employee data from
HR apps, then uploading the
data to cloud storage
View Create
3 Download - 2 downloads for
every one upload
View Upload View
Audit download activity and
ensure that only individuals with
proper privileges are executing
the downloads and shares. If
the data includes personally
identifiable information, it could
represent violations to serveral
regulations.
Understand the nature of
the data being shared. Will
it compromise the strategic
plan or competitive
advantages.
Cloud finance apps are
becoming more business-
critical by offering new ways
to track revenue, authorize
payments, pay employees,
execute subscription renewals,
etc.*
Understanding Risk and Auditing User Activity
Both activities highlight the
importance of communicating
and enforcing policy at both the
activity (manual), system and
data level
Cloud Storage
26. Problems with Passwords
People, process and technology are all needed to adequately secure a system
When left on their own, people will make the worst security decisions
Without any security training, people can be easily tricked into giving up their
passwords
Passwords can be insecure
People will choose easily remembered and easily guessed/cracked passwords
Passwords can be easily broken
Free programs are available on the Internet that can “crack” passwords
Passwords are inconvenient
Computer generated passwords can be difficult to remember and are written down
Passwords do not have any authority
Use of a password does not confirm the identity of the user entering the password
26
27. Passwords - Cloud Apps and Remote
Contractors
Cloud apps and remote contractors represent a significant risk to the
overall security of the company’s information assets because:
Cloud apps can be implemented and remote contractors can be engaged
without any knowledge from IT
Most companies do not have one central point of authority for cloud apps and
remote contractors
There is a general lack of understanding of the scope of work for cloud apps and
remote contractors so elevated access is generally granted without any
consideration of the risks
User access cannot be validated against active directory or there are
exceptions to the company’s password policy granted
One user account is shared among multiple users
27
29. 2014, Cox was hacked by "EvilJordie," a
member of the "Lizard Squad" hacker
collective.
The FCC's investigation found that by
posing as a Cox IT staffer, the hacker
convinced a customer service
representative to enter their user ID and
password into a fake website.
Under the terms of the settlement, Cox
will pay the fine, identify all victims of the
breach, notify them and give them a
year of credit monitoring. The agreement
also requires Cox to conduct internal
system audits, internal threat monitoring,
penetration testing and other security
measures to prevent further hacks
29
FCC fines Cox Communications
30. Nov 24 2014 – News breaks that Sony Pictures has been hacked.
The “Guardians of Peace” obtained 100 terabytes of data from the servers
Nov 27 2014 – 4 yet to be released films were uploaded to an online file
share site
Dec 1 2014 – pre-bonus salaries of 17 top Sony executives are leaked
Dec 2 2014 – Sony chiefs confirm the breach, and employee information
was included in the compromised data
Dec 16 2014 – Sony receives emails threatening to attack movie theaters
that show The Interview http://www.imdb.com/title/tt2788710/
Dec 17 2014 – Sony cancels the release of The Interview
Dec 19 2014 – The FBI confirms that North Korea was behind the cyber
attack
30
Sony Hack: A Timeline
http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/
31. Sony continued – How the hack happened
The hackers gained access to Sony’s network by obtaining the login
credentials of a high-level systems administrator. Once hackers obtained
the credentials, they were granted “keys to the entire building,” according
to a U.S. official.
They hacked into one server that was not well protected, and escalated
the attack to gain access to the rest of the network.
Sony’s network was not layered well enough to prevent breaches occurring
in one part from affecting other parts. In addition, the password “password”
was used in 3 certificates.
A combination of weak passwords, lack of server layering, not responding
to alerts or setting up alerts, inadequate logging and monitoring, and lack
of Security Education Training and Awareness all contributed to the Sony
Breach.
31
32. 32
Nov 27 – Dec 15 2013 - data hack at Target stores exposes as many as 40 million
credit- and debit-card customers to potential fraud and compromised 70 million
customer records
Dec 18 2013 - News of the breach is reported by data and security blog
KrebsOnSecurity.
Dec 19 2013 - Target acknowledges the breach of information publicly
Dec 22 2013 - Traffic at Target stores takes a hit in the wake of the security
breach, with transactions down by 3-4% on the last weekend of holiday
shopping
Target Hack: Timeline
http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/
33. Target continued – how the hack happened
The initial intrusion was traced back to
network credentials that were stolen from
a third-party vendor, Fazio Mechanical
Services a provider of HVAC systems
Multiple sources told Krebs that the
credentials were stolen in an email
malware attack at Fazio that began at
least two months before thieves started
stealing card data from Target cash
registers.
Two sources said the malware was the
Citadel — a password-stealing bot
program
Fazio stated that its data connection to
Target was exclusively for electronic billing,
contract submission and project
management.
Target did not specify which apps Fazio
could access but a former Target
employee said nearly all contractors
access Ariba, an external billing system,
the project management and contract
submissions portal - Partners Online, and
Target’s Property Development Zone portal
33
34. Home Depot Hack: Timeline
Sep 2 2014 - Home Depot became aware of a large data breach that
started April 2014
Banks and law enforcement notified Home Depot that there were signs that their
network had been compromise.
Sep 8 2014 - Home Depot confirmed that their payment security systems
had been breached
Nov 25 2014 – Home Depot was hit with 44 civil lawsuits
34
35. Home Depot continued – how the hack happened
Criminals used a 3rd party vendors user name
and password to enter the perimeter of Home
Depot’s network.
While the vendor credentials did not allow
access to the POS, the hackers acquired
elevated access rights allowing them to deploy
malware on the self-checkout system in the US
and Canada
Source close to the investigation stated that at
least some store registers had been infected
with a new variant of “BlackPOS” (a.k.a.
“Kaptoxa”), a malware strain designed to
siphon data from cards that are swiped on the
infected point-of-sale system running Microsoft
Windows.
The malware was reported as using XOR
encryption, a simple symmetric cipher that is
used in many applications where security is not
a defined requirement, making the malware
undetectable to IDS/IPS or Antivirus signatures
Krebs also identified that the perpetrators
appeared to be the same group of Russian and
Ukrainian hackers that compromised Target,
Sally Beauty, P.F. Chang’s, and others.
35
37. Single Sign-On and Password Emerging
Trends
Single sign-on is an authentication process that allows users to enter
one user name and password to access multiple applications they
have been given rights to.
Two-factor authentication requires additional factors to establish a users
identity such as, a password and a pin number and/or a fingerprint,
and/or a retina scan (in any combination)
Password managers that encrypt and store login information for auto
login
Establishing complex user names, such as K$@ssEr
Establishing meaningful, easy to remember complex passwords
t3chRock$ or $omething2about!
37
39. Securing an environment of Windows platforms from
abuse - external or internal - is akin to trying to install
sprinklers in a fireworks factory where smoking on the
job is permitted. — Gene Spafford
An American professor of computer science at Purdue University and a leading
computer security expert.
39
The mantra of any good security engineer
is: 'Security is a not a product, but a process.' It's
more than designing strong cryptography into a
system; it's designing the entire system such that all
security measures, including cryptography, work
together. — Bruce Schneier
An American cryptographer, computer security and privacy specialist, and writer
40. Questions to keep in mind throughout
our discussion
Where are most threats to your information assets coming from?
What is your network access password change policy?
Which IT Guidance/Frameworks are you predominantly working with
now? COSO and/or COBIT and/or ISO and/or PCI?
Does your company perform an periodic user access review? Are
all user accounts reviewed, including B2B, generic/system, cloud
apps and 3rd party vendors?
Does your organization have a proven system for monitoring user
access activity?
40
41. Win your very own copy of Friggin’
Bean Counters
Who can tell me the
name of the hacker
collective that EvilJordie
belongs to?
41
42. The Lizard Squad
42
Largely responsible for denial of service attacks on social media websites
and gaming related services
Known members are teens and young adults
44. Are there solutions?
Security is a negative goal.
People need to be considered a part of
the security design
End User Information Security Awareness Training
A robust password policy and strict adherence to that policy
Establish a central point of contact to manage contractors and other
3rd party access
Changes to established roles are done through a change
management process.
44
45. Best Practices for Administrative Accounts
Segregate and secure administrative passwords
Create a decoy admin account
Limit the number of service admin accounts
Separate admin and user accounts for admins
Assign trustworthy staff
Limit admin rights to only those rights needed
Control the admin logon process
Secure admin workstations
45
https://technet.microsoft.com/en-us/library/cc700835.aspx
46. Data breaches may cost less than the
security to prevent them
Benjamin Dean presented a hard to disagree with defense of why things
security-wise "ain't gonna change" soon
By examining the actual expenses from the Sony, Target and Home Depot
breaches, the total amounts to less than 1% of each company's annual
revenues
Target – Gross breach $252 million after insurance and tax deductions
$105 million, less than .01% of gross revenues
Home Depot – Net breach $28 million after a $15 million insurance
reimbursement, .01% of gross revenues
Sony - $35 million for the fiscal year ending March 31, represent from 0.9%
to 2% of Sony's total projected sales for 2014
46
http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/
47. Additional Resources
CYBERSECURITY – WHAT THE BOARD OF DIRECTORS NEEDS TO ASK
https://na.theiia.org/special-promotion/PublicDocuments/GRC-Cybersecurity-
Research-Report.pdf
5 Top Regulatory Compliance Concerns for Financial Services
https://www.roberthalf.com/management-resources/blog/5-top-regulatory-
compliance-concerns-for-financial-services
47
48. Community & Sharing48
Join Our LinkedIn Group
COSO Framework Discussion &
Webinars
Technical Community sharing Ideas ,Templates,
WEBINARS, Advise and Learn from others implementing
new framework.
Share your latest templates here!
https://www.linkedin.com/groups/COSO-
Implementation-4888186/about
49. Community & Sharing
49
Join our LinkedIn group:
Friggin’ Bean Counters
Accounting, Project Management and IT
Professionals come together to share
ideas, learn from each other, or if
necessary, vent frustrations.
https://www.linkedin.com/groups/6985169
51. 51Compliance Made Simple ™
User Access Procedure Diagnostic
Email us for 5 SPOTS ONLY:
Info@avivaspectrum.com
SUBJECT: USER ACCESS
Internal
Threat
Analysis
BenchmarkIn-take
51
52. 52Compliance Made Simple ™
Aviva Spectrum is HIRING
1. SOX 404 – Senior Internal Auditors
2. IT auditors
3. SEC Reporting Managers
4. Cybersecurity consultants
Email: Careers@avivaspectrum.com
52
