What’s Wrong with Information Security Today?
AGENDA
• Current State of Information Security
• Data Breach Statistics
• Data Breach Case Studies
• Why current security controls are not working
• Solutions for securing company data in 2014
CURRENT STATE OF INFORMATION SECURITY
Grade your current Information Security Program ….
CURRENT INFORMATION SECURITY CONTROLS
• Firewall
  • Keep the bad guys out
• Anti-Virus
  • Stop viruses from running
• SPAM Filtering
  • Stop viruses in email
• Web Filtering
  • Stop viruses from web sites
CURRENT INFORMATION SECURITY STRATEGY
• We have spent (or planning
DATA BREACH STATISTICS
HOW DO BREACHES OCCUR?
[chart: 2012 vs. 2013]
SOURCE OF DATA BREACHES
THREAT PROFILE
Organized crime
  Victim industry: Finance, Retail, Food
  Region of operation: Eastern Europe, North America
  Desired data: Payment cards, Credentials, Bank account information
State-affiliated
  Victim industry: Manufacturing, Professional, Transportation
  Region of operation: East Asia (China)
  Desired data: Credentials, Internal data, Trade secrets
Activists
  Victim industry: Information, Public, Other Services
  Region of operation: Western Europe, North America
  Desired data: Personal info, Credentials, Internal data
Common actions (listed across the three profiles, in the order given): Tampering, Brute force, Spyware, Adminware, RAM scraper, Backdoor, Phishing, Export data, Password dumper, Stolen creds, SQLi, Stolen creds, Brute force, Backdoor
ARE YOU A TARGET OR JUST LUCKY?
WHO IDENTIFIES DATA BREACHES
Source: Verizon Business 2013 Data Breach Report
TIMESCALES OF DATA BREACHES
• In 84% of cases, the initial compromise took hours to minutes
• In 66% of cases, the breach wasn’t discovered for months to years
• In 22% of cases, it took months to contain the breach
DATA BREACH CASE STUDIES
“Those who do not learn from history are doomed to repeat it” – George Santayana
CASE STUDY #3 – SPEAR PHISHING
[diagram: Keystroke logger captures login credentials; HTTPS; Bank account emptied with stolen login]
CASE STUDY #4 – CREDIT CARD HACK
[diagram: Exploit vulnerability → Exploit vulnerability → Install RAM scraper → Upload & encrypt card data]
WHY CURRENT SECURITY CONTROLS ARE NOT WORKING
1. False sense of security
   • “We have never been hacked” – How do you know?
2. Limited operational budgets vs capital budgets
   • Easier to purchase security appliances than people
3. Weak (or no) security awareness programs
   • People are your weakest link
4. Lack of a vulnerability management program to identify, risk rank and patch vulnerabilities
   • Stop trying to hide vulnerabilities with other security controls
5. A focus on preventive controls and a lack of detective controls
   • Please realize that you cannot prevent 100% of attacks – See #1
6. Lack of configuration standards to properly harden systems
   • Default credentials are one of the largest sources of breaches
7. Weak (or no) information security policies and procedures
   • You have to build security into IT and business operations
8. Over-reliance on signature-based detective controls
   • IDS, A/V and SIEM are marginally effective in detecting a breach
9. Lack of an incident response plan, tools and staff
   • You must be able to detect, respond to and contain a breach
10. Not understanding where sensitive data is stored or how it flows through the organization
   • Unknown storage of sensitive data is very dangerous!
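Point 6 above says hardening fails without a configuration standard, but a standard is only as good as the check that enforces it. The following is an added example (not from the slides, and not any vendor's tool): it parses a constructed sshd_config-style file, compares it with a hypothetical hardening baseline, and reports every deviation, including directives that are simply absent. The directive names are real sshd options; the baseline values, the sample file and the `Finding` type are assumptions made for illustration.

```python
"""Configuration-standard compliance check (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical hardening baseline: directive -> set of acceptable values.
# The directives are real sshd options; the chosen values are an assumption.
BASELINE: Dict[str, Set[str]] = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "Protocol": {"2"},
    "MaxAuthTries": {"3", "4"},
}

# Constructed sample config, the kind of file a server team might hand over.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes      # left at the vendor default
#PasswordAuthentication no   <- commented out, so the compiled-in default applies
PermitEmptyPasswords no
MaxAuthTries 6
"""


@dataclass
class Finding:
    directive: str
    expected: str
    observed: Optional[str]  # None means the directive is absent from the file


def parse_config(text: str) -> Dict[str, str]:
    """Return directive -> value for active (non-comment) lines.

    Inline comments are stripped. A directive that appears more than once keeps
    its first occurrence, which is how sshd itself resolves duplicates.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: no value
        key, value = parts
        settings.setdefault(key, value.strip())
    return settings


def check_compliance(text: str, baseline: Dict[str, Set[str]] = BASELINE) -> List[Finding]:
    """Compare parsed settings with the baseline and return every deviation.

    A directive missing from the file is reported as well: for several sshd
    options the compiled-in default is the permissive one, so 'absent' is not
    the same as 'hardened'.
    """
    observed = parse_config(text)
    findings: List[Finding] = []
    for directive, allowed in baseline.items():
        value = observed.get(directive)
        if value is None or value not in allowed:
            findings.append(Finding(directive, " or ".join(sorted(allowed)), value))
    return findings


if __name__ == "__main__":
    for f in check_compliance(SAMPLE_CONFIG):
        state = "missing" if f.observed is None else f"set to {f.observed!r}"
        print(f"{f.directive}: expected {f.expected}, {state}")
```

Run against the sample it reports three deviations (root login enabled, password authentication not explicitly disabled, too many authentication attempts). The same shape works for any key/value configuration format once the parser is swapped; the point is that the baseline lives in one place and the check runs on every host, rather than hardening being a one-off manual step.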
SOLUTIONS FOR SECURING COMPANY DATA IN 2014
STEP 1 – NON-TECHNICAL SOLUTIONS
• Develop an Information Security Strategy
  • Focus on how to protect the business and its data
• Invest in operational expenses such as staff and training
• Develop and implement policies, procedures and configuration standards
• Develop and implement a security awareness training program
  • Train IT staff
  • Train end users
  • Train management
STEP 2 – TECHNICAL SOLUTIONS
• Implement solutions that have a balance of prevention, detection and response capabilities
  • Prevention: Focus on removing vulnerabilities that could lead to a malware infection and secure your network from unauthorized access
  • Detection: Implement solutions to specifically detect malware (other than A/V) and monitor systems for malicious activity
  • Response: Develop an Incident Response Plan and the staff to respond to security incidents. Invest in the appropriate training and tools or outsource.
• Only implement hardware and software products when you have the staff and training to support the solution
• Use the SANS 20 Critical Security Controls as a guideline in developing your technical information security program
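The Detection bullet above, together with point 8 of the previous section (signature-based IDS, A/V and SIEM rules catch little of a breach), is easier to act on with a concrete picture of what non-signature monitoring looks like. The following is an added example, not from the slides: it reads a constructed set of authentication log lines and raises two kinds of behavioural alert, a burst of failures followed by a success from the same source (brute force that worked) and a successful login for an account from a source that account has never used (the way stolen credentials, as in Case Study #3, typically show up). The log format, every address and user name, the thresholds and the baseline cut-off are all assumptions made for the example.

```python
"""Behavioural (non-signature) login monitoring over constructed log lines.

Added example, not from the slides. Signature controls look for a known-bad
pattern; this looks at how a breach *behaves* in ordinary auth logs.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed auth log, loosely modelled on syslog sshd lines (not real data).
SAMPLE_LOG = """\
2014-03-03T08:01:10 sshd: Accepted password for alice from 10.1.1.20
2014-03-03T08:02:05 sshd: Accepted password for bob from 10.1.1.31
2014-03-03T08:15:44 sshd: Failed password for alice from 10.1.1.20
2014-03-03T08:15:50 sshd: Accepted password for alice from 10.1.1.20
2014-03-03T22:40:01 sshd: Failed password for admin from 198.51.100.7
2014-03-03T22:40:02 sshd: Failed password for admin from 198.51.100.7
2014-03-03T22:40:03 sshd: Failed password for admin from 198.51.100.7
2014-03-03T22:40:04 sshd: Failed password for admin from 198.51.100.7
2014-03-03T22:40:05 sshd: Failed password for admin from 198.51.100.7
2014-03-03T22:40:06 sshd: Accepted password for admin from 198.51.100.7
2014-03-04T03:12:30 sshd: Accepted password for bob from 203.0.113.9
"""

# Assumed baseline window: logins up to this point define each account's "usual" sources.
BASELINE_END = datetime(2014, 3, 3, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def detect_bruteforce_success(events: List[Event], threshold: int = 5,
                              window_seconds: int = 60) -> List[str]:
    """Alert on a success preceded by >= threshold failures from the same source inside the window."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[str] = []
    for ts, result, user, src in events:
        if result == "Failed":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append(f"{src}: {len(recent)} failures then success as {user!r} at {ts.isoformat()}")
        failures[src].clear()  # a success ends the current attempt sequence
    return alerts


def detect_new_source(events: List[Event], baseline_end: datetime = BASELINE_END) -> List[str]:
    """Alert on a success from a source the account never used during the baseline window."""
    known: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for ts, result, user, src in events:
        if result != "Accepted":
            continue
        if ts <= baseline_end:
            known[user].add(src)  # learn the account's usual sources
        elif src not in known[user]:
            alerts.append(f"{user!r}: first-ever login from {src} at {ts.isoformat()}")
    return alerts


def run_detections(text: str = SAMPLE_LOG, baseline_end: datetime = BASELINE_END) -> Dict[str, List[str]]:
    """Run both detectors over a log text and return their alerts by name."""
    events = parse_log(text)
    return {
        "bruteforce_success": detect_bruteforce_success(events),
        "new_source_login": detect_new_source(events, baseline_end),
    }


if __name__ == "__main__":
    for name, alerts in run_detections().items():
        for alert in alerts:
            print(f"[{name}] {alert}")
```

Neither detector needs a malware signature: the brute-force rule fires on the `admin` sequence because the fifth failure is followed by a success within a minute, and the new-source rule fires on `admin` and on `bob` because those successes come from addresses never seen for those accounts in the baseline. In production the baseline would be learned from weeks of logs rather than half a day, and the alerts would feed the incident response process the deck calls for in point 9.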
SANS 20 CRITICAL SECURITY CONTROLS
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises