Real-word breaches are often caused by simple lapses of judgment.
Hollywood movies and some of the media representations of data breaches are sensationalized and over-complicated compared to reality.
5. Real-word breaches are often
caused by simple lapses of
judgment.
Hollywood movies and some of the
media representations of data
breaches are sensationalized and
over-complicated compared to
reality.
source: Verizon DBIR 2015
verizonenterprise.com/DBIR/2015/
6. Security Facts
❏ The cost of a data breach is on the rise
❏ average cost increased 8.3% from $5.4 MM in 2013 to $5.85
MM in 2014
❏ average cost per record increased 6.9% from $188 in 2013
to $201 in 2014
❏ the most costly breaches are malicious & criminal attacks
❏ Will your organization be breached?
❏ “The results show that a probability of a material data
breach [over the next 2 years] involving a minimum of
10,000 records is more than 22 percent”*
* source: IBM/Ponemon “Cost of Data Breach Study”, 2014: http://ibm.co/1Df4urk
based on survey of 314 global organizations that experienced data breach
7. Factors Affecting the Cost of Breaches
Factor Effect on Price/Record
Strong Security Posture -$14.14
Incident Response Plan -$12.77
CISO Appointment -$6.59
Business Continuity Management -$8.98
Lost/Stolen Devices +$16.10
3rd Party Involvement +$14.80
Quick Notification +$10.45
Consultant Engagement +$2.10
source:
IBM/Ponemon,
2014
US Avg.
Cost/Record: $201
8. Security Fiction
❏ Purchasing data breach insurance policies indicates an
organization is slacking on security
❏ more likely to have other proactive measures in place
❏ Password policies and user education can save us
❏ most security advice targeting users has a poor
cost/benefit tradeoff (MS, 2009 http://bit.ly/1lwMErH)
❏ The threats you care about are Advanced Persistent Threat
0dayz
❏ most breaches actually use very simple methods,
exploiting oversights and poor security policy, even from
sophisticated attackers
❏ PCI/HIPAA/whatever compliant means secure
❏ nope! these don’t encompass everything
9. The Present State of Security
❏ The answer to most security questions is “it’s complicated”
but that doesn’t mean there’s no hope
“You must never confuse faith that you will prevail in the end -- which you can
never afford to lose -- with the discipline to confront the most brutal facts of
your current reality, whatever they may be”
-- Admiral James Stockdale, US Navy
“I’m here to tell you that your cyber systems continue to function and serve
you not due to the expertise of your security staff but solely due to the sufferance
of your opponents”
-- Brian Snow, NSA Information Assurance Head, 2012
“Lulzsec hacks embarrassed the security community by showing we were outclassed
as defenders. NSA leaks show we were outclassed as attackers too”
-- Haroon Meer, 2015
10. The Security Blanket
❏ Preparedness can reduce the cost of data breaches, while
other factors can increase the cost
❏ Many expensive breaches are preventable in a cost-effective
way in retrospect
❏ There are many commonalities in how attacks begin…
❏ poor passwords
❏ malware
❏ phishing
❏ application misconfiguration/bugs
❏ lost/stolen devices
12. ❏ Ownership
which team/people are responsible for which systems?
❏ Employee responsibilities
e.g. honoring PII policy & access restrictions.
❏ Device use policy
BYOD is huge.
❏ Risk assessment policy
evaluate org for risk on an ongoing basis
❏ Employee off-boarding policy
prevent biz critical material from leaving
❏ Operations management policy
backups? monitoring? segregation?
❏ Compliance & Auditing policy
to ensure you remain compliant with regulations
Contents of Security Policy
❏ Access control policy
specify how your org controls sensitive access
❏ Incident management policy
incident management policy decreases cost of breach
❏ Physical security policy
who controls the literal keys? how is access given/revoked?
❏ Business continuity & disaster recovery
if operations can’t continue at current office, then what?
❏ Data confidentiality policy
procedures & requirements for dealing w/ sensitive data
❏ Software change management policy
how do you keep track and control of important updates?
13. Target in the Crosshairs
❏ 95% of security incidents involve credential theft
❏ Target’s HVAC vendor’s credentials to vendor project system
were compromised
❏ It’s hard to control your employees, let alone a vendor’s…
❏ but mitigation should always be in mind
❏ the vendor project system and payments systems weren’t
segregated
❏ no two-factor authentication
❏ 70 million customer records stolen
❏ 40 million credit/debit cards
❏ up to $1 billion in damages
14. How it happened
1. “Citadel” malware email, spearphishing to HVAC vendor
2. Vendor application vulnerability
3. Active Directory target enumeration
4. Steal admin hash from memory
5. Create new admin user
6. Bypass Target’s firewalls and access restrictions
run code remotely with PSExec & remote desktop
Microsoft Orchestrator access allowed them to ensure persistence
7. this gave them access to PII, but no credit cards as those were never stored,
as per PCI-DSS
8. attackers deployed custom ‘Kaptoxa’ malware on PoS terminals using domain
admin credentials
9. used internal AD-linked FTP server to aggregate data before sending it out
15. How it COULD have happened
1. “Citadel” malware email, spearphishing to HVAC vendor
2. Vendor application vulnerability was caught internally first
3. Active Directory target enumeration was detected as anomalous, stopped, and
the incidence response policy defined what to do next
4. There was no domain admin password to be stolen on the vendor system
5. Creation of new domain admin user triggered an alert to the responsible team
6. Bypass of Target’s firewalls and access restrictions was impossible due to
extensive internal/external risk assessment and threat modeling
7. attackers couldn’t access to PII because it was encrypted and the keys were on
uncompromised, segregated application servers
8. attackers couldn’t deploy custom malware on PoS terminals because terminals
whitelisted processes and attackers had no access to config management
9. couldn’t use internal AD-linked FTP server to aggregate data because it
whitelisted hosts
16. Security Facts
RISK ASSESSMENT FTW: Third-party access needs to be controlled and
understood. Threat model, assess, and mitigate risk.
SEGREGATION CAN BE HARD: there’s evidence Target made some effort to segregate
their systems, using firewalls and restricting access
from certain hosts. However, this can sometimes be
bypassed by proxying through other hosts.
Fully-segregated networks, or ones with strongly defined
access control barriers are ideal. One Active Directory
to Rule Them All introduces risk.
MONITORING IS CRUCIAL: Target could have noticed the attackers at several
points during their setup and reconnaissance if
monitoring alerted them.
17.
18. Security Fiction
PCI-DSS compliance should keep data secure
PCI-DSS requires two-factor authentication for external logins to networks falling
under the scope of PCI-DSS. Target likely assumed the vendor management system was
properly segregated with firewalls and access controls. PCI-DSS also doesn’t
require network segregation, and only recommends it.
Custom malware is a big threat
While custom malware was used, its scope was limited: scraping POS terminal memory
for credit cards and exfiltrating. It didn’t use any undisclosed software
vulnerabilities or do anything particularly sophisticated. The best thing to do is
keep it from appearing on systems in the first place.
19. JPMorgan: Financial Cost of Neglect
❏ 7 million businesses, 76 million consumers
affected
❏ existing $250 million/year security budget
❏ suspected entry point:
❏ employee laptop compromised with malware
❏ corporate marathon site bug
❏ US gov’t & JPMC initially pointed fingers
at Russia…
❏ until October, when the FBI said they were no
longer a suspect
❏ One server which missed being upgraded
with two-factor authentication provided a
foothold
❏ ultimately, 90+ servers were compromised
20. Security Fact
❏ Negligence is costly
❏ security policy means nothing if
it isn’t constantly evaluated
and adhered to
❏ security is active, not set-and-
forget, not an add-on
❏ Expense-in-depth
doesn’t mean defense-
in-depth
❏ JPMC had 1000+ security
personnel & a massive security
spend, but one oversight allowed
a massive breach
21. Security Fiction
❏ You’ll be taken down by an advanced adversary
with never-before-seen techniques
❏ it’s more likely you’ll be taken down by your own oversight
❏ advanced adversaries are more persistent but adhere to the same rules as
everyone else
22. Anthem: healthy access control
❏ 80 million records stolen from large health
insurance provider
❏ database containing records was unencrypted…
❏ but encryption isn’t a panacea: it can be done poorly, keys can be
stolen, and the data needs to be unencrypted at some point
❏ there’s no indication Anthem used any two-
factor authentication whatsoever
❏ credentials from between 1-5 users were enough to access all subscriber
data
❏ does any user need unfettered access to all data?
23. Security Fact
❏ Access controls are critical
❏ nobody needs access to all data on a regular basis.
❏ records being accessed should be restricted as much as possible
(principle of least privilege/default deny).
❏ Encryption is valuable, but not foolproof
❏ 64% of healthcare record leaks were attributed to employee endpoint
compromise (US Dept. Health & Human Services, 2014)
❏ what risks do mostly insecure endpoints bring organizations?
❏ can employee credentials get attackers access to data retrieval
applications?
is uncharacteristic usage flagged?
24. Security Fiction
❏ HIPAA keeps health care information safe
❏ HIPAA does not require encryption
❏ HIPAA does not require two-factor
“Implement two-factor authentication for granting remote access to
systems that contain EPHI. This process requires factors beyond general
usernames and passwords to gain access to systems (e.g., requiring users
to answer a security question such as “Favorite Pet’s Name”)”
❏ HIPAA’s access control requirement:
Implement procedures to verify that a person or entity seeking access to
electronic protected health information is the one claimed. - 164.312(d)
Technical Safeguards of the Security Standards for the Protection of
ePHI, HHS.gov
25. Security Fact and Fiction
FACT: many hacks are facilitated by oversight of service operators
this is somewhat comforting: it means it can be addressed
FICTION: today’s APTs require expensive threat intelligence feeds to understand
FACT: ongoing internal and external risk assessment can uncover problems
FICTION: “security” is a one-time expense
FACT: your organization needs to own and understand its security program
26. Security Fact and Fiction
FICTION: spending a lot of money on security means you’re doing it right
FACT: an information security policy is a good step to address your security
reality
FICTION: there’s a magic box you can plug in to your network to secure it all
FACT: it’s possible to make hacking your organization very difficult
FICTION: you can be completely hack-proof