Security Fact & Fiction
Three Lessons from the Headlines
(that one’s real)
Real-world breaches are usually caused by simple lapses in judgment.
Hollywood movies and much of the media portray data breaches as far more sensational and elaborate than they are in reality.
source: Verizon DBIR 2015
verizonenterprise.com/DBIR/2015/
Security Facts
❏ The cost of a data breach is on the rise
  ❏ average total cost rose 8.3%, from $5.4 MM in 2013 to $5.85 MM in 2014
  ❏ average cost per record rose 6.9%, from $188 in 2013 to $201 in 2014
  ❏ the most costly breaches are malicious and criminal attacks
❏ Will your organization be breached?
  ❏ “The results show that a probability of a material data breach [over the next 2 years] involving a minimum of 10,000 records is more than 22 percent”*
* source: IBM/Ponemon “Cost of Data Breach Study”, 2014: http://ibm.co/1Df4urk, based on a survey of 314 global organizations that experienced a data breach
Factors Affecting the Cost of Breaches
(source: IBM/Ponemon, 2014; US average cost per record: $201)

Factor                          Effect on cost/record
Strong security posture         -$14.14
Incident response plan          -$12.77
CISO appointment                -$6.59
Business continuity management  -$8.98
Lost/stolen devices             +$16.10
3rd party involvement           +$14.80
Quick notification              +$10.45
Consultant engagement           +$2.10

“Quick notification” here means notifying before the investigation is complete, which tends to mean over-notifying and re-notifying.
Security Fiction
❏ Purchasing a data breach insurance policy indicates an organization is slacking on security
  ❏ insured organizations are more likely to have other proactive measures in place
❏ Password policies and user education can save us
  ❏ most security advice targeting users has a poor cost/benefit tradeoff (MS, 2009 http://bit.ly/1lwMErH)
❏ The threats you care about are Advanced Persistent Threat 0dayz
  ❏ most breaches actually use very simple methods, exploiting oversights and poor security policy; even sophisticated attackers take the cheap path when it is open
❏ PCI/HIPAA/whatever compliant means secure
  ❏ nope! compliance standards set a floor and don’t encompass everything
The Present State of Security
❏ The answer to most security questions is “it’s complicated”, but that doesn’t mean there’s no hope
“You must never confuse faith that you will prevail in the end -- which you can never afford to lose -- with the discipline to confront the most brutal facts of your current reality, whatever they may be”
-- Admiral James Stockdale, US Navy
“I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents”
-- Brian Snow, NSA Information Assurance Head, 2012
“Lulzsec hacks embarrassed the security community by showing we were outclassed as defenders. NSA leaks show we were outclassed as attackers too”
-- Haroon Meer, 2015
The Security Blanket
❏ Preparedness can reduce the cost of data breaches, while other factors can increase it
❏ In retrospect, many expensive breaches could have been prevented cost-effectively
❏ There are many commonalities in how attacks begin…
  ❏ poor passwords
  ❏ malware
  ❏ phishing
  ❏ application misconfiguration/bugs
  ❏ lost/stolen devices
Contents of Security Policy
❏ Management statement
why the information security policy exists
❏ Ownership
which team/people are responsible for which systems?
❏ Employee responsibilities
e.g. honoring PII policy & access restrictions.
❏ Device use policy
BYOD is huge.
❏ Risk assessment policy
evaluate org for risk on an ongoing basis
❏ Employee off-boarding policy
revoke access promptly and prevent business-critical material from leaving with departing staff
❏ Operations management policy
backups? monitoring? segregation?
❏ Compliance & Auditing policy
to ensure you remain compliant with regulations
Contents of Security Policy
❏ Access control policy
specify how your org controls sensitive access
❏ Incident management policy
who does what when something happens; a rehearsed plan measurably lowers the cost of a breach
❏ Physical security policy
who controls the literal keys? how is access given/revoked?
❏ Business continuity & disaster recovery
if operations can’t continue at current office, then what?
❏ Data confidentiality policy
procedures & requirements for dealing w/ sensitive data
❏ Software change management policy
how do you keep track and control of important updates?
Target in the Crosshairs
❏ 95% of security incidents involve credential theft
❏ Target’s HVAC vendor’s credentials to the vendor project system were compromised
  ❏ it’s hard to control your own employees, let alone a vendor’s…
  ❏ but mitigation should always be in mind
  ❏ the vendor project system and the payment systems weren’t segregated
  ❏ no two-factor authentication
❏ 70 million customer records stolen
  ❏ 40 million credit/debit cards
  ❏ up to $1 billion in damages
How it happened
1. “Citadel” malware email: spearphishing of the HVAC vendor
2. Vendor application vulnerability
3. Active Directory target enumeration
4. Steal an admin credential hash from memory (pass-the-hash)
5. Create a new admin user
6. Bypass Target’s firewalls and access restrictions
   run code remotely with PsExec & remote desktop
   Microsoft Orchestrator access let them ensure persistence
7. this gave them access to PII, but no credit cards, as those were never stored, per PCI-DSS
8. attackers deployed custom ‘Kaptoxa’ malware on PoS terminals using domain admin credentials
9. used an internal domain-joined FTP server to aggregate data before sending it out
How it COULD have happened
1. “Citadel” malware email: spearphishing of the HVAC vendor
2. Vendor application vulnerability was caught internally first
3. Active Directory target enumeration was detected as anomalous and stopped, and the incident response policy defined what to do next
4. There was no domain admin credential cached on the vendor-facing system to be stolen
5. Creation of a new domain admin user triggered an alert to the responsible team
6. Bypass of Target’s firewalls and access restrictions was impossible thanks to extensive internal/external risk assessment and threat modeling
7. attackers couldn’t access PII because it was encrypted and the keys were on uncompromised, segregated application servers
8. attackers couldn’t deploy custom malware on PoS terminals because the terminals whitelisted processes and attackers had no access to configuration management
9. couldn’t use the internal FTP server to aggregate data because it whitelisted source hosts
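Steps 3, 5 and 6 of the “could have happened” list depend on someone noticing three things: one vendor account fanning out across many internal hosts, a fresh account landing in Domain Admins, and PsExec dropping its service on a host. As an added example (not from the original slides, and not Target’s tooling), here is detection logic for those three steps run over constructed Windows event records. The event IDs (4720 user created, 4728/4732 member added to a group, 7045 service installed, 4624 logon) are the standard Windows ones; the simplified field names, hosts, account names, thresholds and timestamps are assumptions made for this example.

```python
"""Alerts for the AD-centric steps above (logon fan-out, new account made
domain admin, PsExec service drop), run over constructed Windows event
records. Field names are simplified from the real event XML."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
REMOTE_EXEC_SERVICES = {"psexesvc"}           # service name PsExec installs on its target
ACCOUNT_TO_ADMIN_WINDOW = timedelta(hours=1)  # 4720 then 4728/4732 this quickly is suspicious
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_HOSTS = 5                               # distinct hosts per account per window


@dataclass
class Event:
    ts: datetime
    event_id: int       # 4720 user created, 4728/4732 group member added, 7045 service, 4624 logon
    host: str           # computer that logged the event
    data: dict = field(default_factory=dict)


def detect(events):
    """Return a list of (rule, subject, where) alerts in time order."""
    alerts = []
    created = {}                       # account -> creation time (from 4720)
    net_logons = defaultdict(list)     # account -> [(ts, host)] for network (type 3) logons
    fanout_fired = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        d = e.data
        if e.event_id == 4720:
            created[d["target_user"]] = e.ts
        elif e.event_id in (4728, 4732) and d["group"] in PRIVILEGED_GROUPS:
            born = created.get(d["member"])
            if born is not None and e.ts - born <= ACCOUNT_TO_ADMIN_WINDOW:
                alerts.append(("NEW_ACCOUNT_MADE_ADMIN", d["member"], e.host))
            else:
                # any change to a privileged group is worth a ticket, just lower severity
                alerts.append(("PRIVILEGED_GROUP_CHANGE", d["member"], e.host))
        elif e.event_id == 7045 and d["service"].lower() in REMOTE_EXEC_SERVICES:
            alerts.append(("REMOTE_EXEC_SERVICE", d["service"], e.host))
        elif e.event_id == 4624 and d["logon_type"] == 3:
            acct = d["account"]
            net_logons[acct].append((e.ts, e.host))
            recent = {h for t, h in net_logons[acct] if e.ts - t <= FANOUT_WINDOW}
            if len(recent) >= FANOUT_HOSTS and acct not in fanout_fired:
                fanout_fired.add(acct)          # fire once per account, not on every further host
                alerts.append(("LOGON_FANOUT", acct, f"{len(recent)} hosts"))
    return alerts


# Constructed sample: timestamps, hosts and account names are invented for the example.
_T0 = datetime(2013, 11, 15, 3, 0)
_VENDOR = "VENDOR\\hvac-svc"
SAMPLE_EVENTS = (
    # the vendor account touching five internal hosts in four minutes
    [Event(_T0 + timedelta(minutes=i), 4624, f"srv-{i:02d}",
           {"account": _VENDOR, "logon_type": 3, "src_ip": "10.1.50.7"}) for i in range(5)]
    + [
        # a fresh account created and promoted straight into Domain Admins
        Event(_T0 + timedelta(minutes=20), 4720, "dc-01",
              {"target_user": "svc-backup2", "subject_user": _VENDOR}),
        Event(_T0 + timedelta(minutes=21), 4728, "dc-01",
              {"group": "Domain Admins", "member": "svc-backup2", "subject_user": _VENDOR}),
        # PsExec dropping its service on a file server
        Event(_T0 + timedelta(minutes=25), 7045, "fs-01",
              {"service": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}),
        # benign noise that must not alert
        Event(_T0 + timedelta(minutes=30), 7045, "srv-00",
              {"service": "Spooler", "image_path": "%SystemRoot%\\System32\\spoolsv.exe"}),
        Event(_T0 + timedelta(minutes=31), 4624, "srv-00",
              {"account": "CORP\\alice", "logon_type": 2, "src_ip": "-"}),
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

None of these rules needs a signature for the malware: they key on actions an attacker cannot avoid taking (authenticating, escalating, executing remotely), which is why they would have fired regardless of how “custom” the payload was.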
Security Facts
RISK ASSESSMENT FTW: third-party access needs to be controlled and understood. Threat model, assess, and mitigate the risk before the vendor is connected.
SEGREGATION CAN BE HARD: there’s evidence Target made some effort to segregate their systems, using firewalls and restricting access from certain hosts. However, host-based restrictions can be bypassed by proxying through an allowed host. Fully segregated networks, or networks with strongly defined access control barriers, are the goal. One Active Directory to Rule Them All introduces risk: a domain admin anywhere is a domain admin everywhere.
MONITORING IS CRUCIAL: Target could have noticed the attackers at several points during their setup and reconnaissance if monitoring had alerted them.
Security Fiction
PCI-DSS compliance should keep data secure
PCI-DSS requires two-factor authentication for remote logins to networks falling under its scope. Target likely assumed the vendor management system was out of scope, properly segregated by firewalls and access controls. PCI-DSS also doesn’t require network segregation; it only recommends it as a way to reduce scope.
Custom malware is a big threat
While custom malware was used, its scope was limited: scraping POS terminal memory for card data and exfiltrating it. It didn’t use any undisclosed software vulnerabilities or do anything particularly sophisticated. The best defense is to keep it from appearing on systems in the first place: by the time it runs, the attacker already holds admin credentials.
JPMorgan: Financial Cost of Neglect
❏ 7 million small businesses, 76 million households affected
❏ existing $250 million/year security budget
❏ suspected entry point:
  ❏ employee laptop compromised with malware
  ❏ bug in the corporate marathon website
❏ US gov’t & JPMC initially pointed fingers at Russia…
  ❏ until October, when the FBI said Russia was no longer a suspect
❏ one server that was missed when two-factor authentication was rolled out provided the foothold
  ❏ ultimately, 90+ servers were compromised
Security Fact
❏ Negligence is costly
  ❏ a security policy means nothing if it isn’t constantly evaluated and adhered to
  ❏ security is active: not set-and-forget, not an add-on
❏ Expense-in-depth doesn’t mean defense-in-depth
  ❏ JPMC had 1000+ security personnel & a massive security spend, but one oversight allowed a massive breach
Security Fiction
❏ You’ll be taken down by an advanced adversary with never-before-seen techniques
  ❏ it’s more likely you’ll be taken down by your own oversight
  ❏ advanced adversaries are more persistent, but they play by the same rules as everyone else: they still need credentials, a foothold and a path to the data
Anthem: healthy access control
❏ 80 million records stolen from a large health insurance provider
❏ the database containing the records was unencrypted…
  ❏ but encryption isn’t a panacea: it can be done poorly, keys can be stolen, and the data has to be decrypted at some point to be used; an attacker holding a legitimate user’s credentials gets it decrypted for free
❏ there’s no indication Anthem used any two-factor authentication whatsoever
  ❏ credentials of as few as one to five users were enough to access all subscriber data
  ❏ does any user need unfettered access to all data?
Security Fact
❏ Access controls are critical
  ❏ nobody needs access to all data on a regular basis
  ❏ records being accessed should be restricted as much as possible (principle of least privilege/default deny)
❏ Encryption is valuable, but not foolproof
❏ 64% of healthcare record leaks were attributed to employee endpoint compromise (US Dept. of Health & Human Services, 2014)
  ❏ what risks do mostly insecure endpoints bring organizations?
  ❏ can employee credentials get attackers access to data retrieval applications?
  ❏ is uncharacteristic usage flagged?
Security Fiction
❏ HIPAA keeps health care information safe
  ❏ HIPAA does not require encryption (it is an “addressable” safeguard, not a required one)
  ❏ HIPAA does not require two-factor, and HHS’s own guidance illustrates “two-factor” with a second knowledge factor:
  “Implement two-factor authentication for granting remote access to systems that contain EPHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)”
  a security question is just another something-you-know; it does nothing against a phished or reused password
❏ HIPAA’s authentication requirement, in full:
  “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” - 164.312(d), Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov
Security Fact and Fiction
FACT: many hacks are facilitated by oversight of service operators
this is somewhat comforting: it means it can be addressed
FICTION: today’s APTs require expensive threat intelligence feeds to understand
FACT: ongoing internal and external risk assessment can uncover problems
FICTION: “security” is a one-time expense
FACT: your organization needs to own and understand its security program
Security Fact and Fiction
FICTION: spending a lot of money on security means you’re doing it right
FACT: an information security policy is a good step to address your security
reality
FICTION: there’s a magic box you can plug in to your network to secure it all
FACT: it’s possible to make hacking your organization very difficult
FICTION: you can be completely hack-proof

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Dernier (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

Security Fact & Fiction: Three Lessons from the Headlines

1. Security Fact & Fiction
   Three Lessons from the Headlines

5. Real-world breaches are often caused by simple lapses of judgment.
   Hollywood movies and some of the media representations of data breaches are sensationalized and over-complicated compared to reality.
   source: Verizon DBIR 2015 verizonenterprise.com/DBIR/2015/

6. Security Facts
   ❏ The cost of a data breach is on the rise
     ❏ average cost increased 8.3% from $5.4 MM in 2013 to $5.85 MM in 2014
     ❏ average cost per record increased 6.9% from $188 in 2013 to $201 in 2014
     ❏ the most costly breaches are malicious & criminal attacks
   ❏ Will your organization be breached?
     ❏ “The results show that a probability of a material data breach [over the next 2 years] involving a minimum of 10,000 records is more than 22 percent”*
   * source: IBM/Ponemon “Cost of Data Breach Study”, 2014: http://ibm.co/1Df4urk, based on a survey of 314 global organizations that experienced a data breach

7. Factors Affecting the Cost of Breaches
   Factor                          Effect on Price/Record
   Strong Security Posture         -$14.14
   Incident Response Plan          -$12.77
   CISO Appointment                -$6.59
   Business Continuity Management  -$8.98
   Lost/Stolen Devices             +$16.10
   3rd Party Involvement           +$14.80
   Quick Notification              +$10.45
   Consultant Engagement           +$2.10
   source: IBM/Ponemon, 2014; US Avg. Cost/Record: $201

8. Security Fiction
   ❏ Purchasing data breach insurance policies indicates an organization is slacking on security
     ❏ more likely to have other proactive measures in place
   ❏ Password policies and user education can save us
     ❏ most security advice targeting users has a poor cost/benefit tradeoff (MS, 2009 http://bit.ly/1lwMErH)
   ❏ The threats you care about are Advanced Persistent Threat 0dayz
     ❏ most breaches actually use very simple methods, exploiting oversights and poor security policy, even from sophisticated attackers
   ❏ PCI/HIPAA/whatever compliant means secure
     ❏ nope! these don’t encompass everything

9. The Present State of Security
   ❏ The answer to most security questions is “it’s complicated”, but that doesn’t mean there’s no hope
   “You must never confuse faith that you will prevail in the end -- which you can never afford to lose -- with the discipline to confront the most brutal facts of your current reality, whatever they may be” -- Admiral James Stockdale, US Navy
   “I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents” -- Brian Snow, NSA Information Assurance Head, 2012
   “Lulzsec hacks embarrassed the security community by showing we were outclassed as defenders. NSA leaks show we were outclassed as attackers too” -- Haroon Meer, 2015

10. The Security Blanket
   ❏ Preparedness can reduce the cost of data breaches, while other factors can increase the cost
   ❏ Many expensive breaches are preventable in a cost-effective way in retrospect
   ❏ There are many commonalities in how attacks begin…
     ❏ poor passwords
     ❏ malware
     ❏ phishing
     ❏ application misconfiguration/bugs
     ❏ lost/stolen devices

11. our management statement: why the information security policy exists

12. Contents of Security Policy
   ❏ Ownership: which team/people are responsible for which systems?
   ❏ Employee responsibilities: e.g. honoring PII policy & access restrictions.
   ❏ Device use policy: BYOD is huge.
   ❏ Risk assessment policy: evaluate org for risk on an ongoing basis
   ❏ Employee off-boarding policy: prevent biz critical material from leaving
   ❏ Operations management policy: backups? monitoring? segregation?
   ❏ Compliance & Auditing policy: to ensure you remain compliant with regulations
   ❏ Access control policy: specify how your org controls sensitive access
   ❏ Incident management policy: incident management policy decreases cost of breach
   ❏ Physical security policy: who controls the literal keys? how is access given/revoked?
   ❏ Business continuity & disaster recovery: if operations can’t continue at current office, then what?
   ❏ Data confidentiality policy: procedures & requirements for dealing w/ sensitive data
   ❏ Software change management policy: how do you keep track and control of important updates?

13. Target in the Crosshairs
   ❏ 95% of security incidents involve credential theft
   ❏ Target’s HVAC vendor’s credentials to the vendor project system were compromised
   ❏ It’s hard to control your employees, let alone a vendor’s…
     ❏ but mitigation should always be in mind
   ❏ the vendor project system and payment systems weren’t segregated
   ❏ no two-factor authentication
   ❏ 70 million customer records stolen
   ❏ 40 million credit/debit cards
   ❏ up to $1 billion in damages

14. How it happened
   1. “Citadel” malware email, spearphishing to HVAC vendor
   2. Vendor application vulnerability
   3. Active Directory target enumeration
   4. Steal admin hash from memory
   5. Create new admin user
   6. Bypass Target’s firewalls and access restrictions
      - run code remotely with PSExec & remote desktop
      - Microsoft Orchestrator access allowed them to ensure persistence
   7. this gave them access to PII, but no credit cards, as those were never stored, as per PCI-DSS
   8. attackers deployed custom ‘Kaptoxa’ malware on PoS terminals using domain admin credentials
   9. used internal AD-linked FTP server to aggregate data before sending it out

15. How it COULD have happened
   1. “Citadel” malware email, spearphishing to HVAC vendor
   2. Vendor application vulnerability was caught internally first
   3. Active Directory target enumeration was detected as anomalous, stopped, and the incident response policy defined what to do next
   4. There was no domain admin password to be stolen on the vendor system
   5. Creation of new domain admin user triggered an alert to the responsible team
   6. Bypass of Target’s firewalls and access restrictions was impossible due to extensive internal/external risk assessment and threat modeling
   7. attackers couldn’t access PII because it was encrypted and the keys were on uncompromised, segregated application servers
   8. attackers couldn’t deploy custom malware on PoS terminals because terminals whitelisted processes and attackers had no access to config management
   9. couldn’t use internal AD-linked FTP server to aggregate data because it whitelisted hosts

16. Security Facts
   RISK ASSESSMENT FTW: Third-party access needs to be controlled and understood. Threat model, assess, and mitigate risk.
   SEGREGATION CAN BE HARD: there’s evidence Target made some effort to segregate their systems, using firewalls and restricting access from certain hosts. However, this can sometimes be bypassed by proxying through other hosts. Fully-segregated networks, or ones with strongly defined access control barriers, are ideal. One Active Directory to Rule Them All introduces risk.
   MONITORING IS CRUCIAL: Target could have noticed the attackers at several points during their setup and reconnaissance if monitoring had alerted them.

18. Security Fiction
   PCI-DSS compliance should keep data secure
   PCI-DSS requires two-factor authentication for external logins to networks falling under the scope of PCI-DSS. Target likely assumed the vendor management system was properly segregated with firewalls and access controls. PCI-DSS also doesn’t require network segregation, and only recommends it.
   Custom malware is a big threat
   While custom malware was used, its scope was limited: scraping POS terminal memory for credit cards and exfiltrating. It didn’t use any undisclosed software vulnerabilities or do anything particularly sophisticated. The best thing to do is keep it from appearing on systems in the first place.

19. JPMorgan: Financial Cost of Neglect
   ❏ 7 million businesses, 76 million consumers affected
   ❏ existing $250 million/year security budget
   ❏ suspected entry point:
     ❏ employee laptop compromised with malware
     ❏ corporate marathon site bug
   ❏ US gov’t & JPMC initially pointed fingers at Russia…
     ❏ until October, when the FBI said they were no longer a suspect
   ❏ One server which missed being upgraded with two-factor authentication provided a foothold
     ❏ ultimately, 90+ servers were compromised

20. Security Fact
   ❏ Negligence is costly
     ❏ security policy means nothing if it isn’t constantly evaluated and adhered to
     ❏ security is active, not set-and-forget, not an add-on
   ❏ Expense-in-depth doesn’t mean defense-in-depth
     ❏ JPMC had 1000+ security personnel & a massive security spend, but one oversight allowed a massive breach

21. Security Fiction
   ❏ You’ll be taken down by an advanced adversary with never-before-seen techniques
     ❏ it’s more likely you’ll be taken down by your own oversight
     ❏ advanced adversaries are more persistent but adhere to the same rules as everyone else

22. Anthem: healthy access control
   ❏ 80 million records stolen from large health insurance provider
   ❏ database containing records was unencrypted…
     ❏ but encryption isn’t a panacea: it can be done poorly, keys can be stolen, and the data needs to be unencrypted at some point
   ❏ there’s no indication Anthem used any two-factor authentication whatsoever
   ❏ credentials from between 1-5 users were enough to access all subscriber data
     ❏ does any user need unfettered access to all data?

23. Security Fact
   ❏ Access controls are critical
     ❏ nobody needs access to all data on a regular basis.
     ❏ records being accessed should be restricted as much as possible (principle of least privilege/default deny).
   ❏ Encryption is valuable, but not foolproof
   ❏ 64% of healthcare record leaks were attributed to employee endpoint compromise (US Dept. Health & Human Services, 2014)
     ❏ what risks do mostly insecure endpoints bring organizations?
     ❏ can employee credentials get attackers access to data retrieval applications? is uncharacteristic usage flagged?

24. Security Fiction
   ❏ HIPAA keeps health care information safe
     ❏ HIPAA does not require encryption
     ❏ HIPAA does not require two-factor
       “Implement two-factor authentication for granting remote access to systems that contain EPHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)”
     ❏ HIPAA’s access control requirement: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. - 164.312(d) Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov

25. Security Fact and Fiction
   FACT: many hacks are facilitated by oversight of service operators
     this is somewhat comforting: it means it can be addressed
   FICTION: today’s APTs require expensive threat intelligence feeds to understand
   FACT: ongoing internal and external risk assessment can uncover problems
   FICTION: “security” is a one-time expense
   FACT: your organization needs to own and understand its security program

26. Security Fact and Fiction
   FICTION: spending a lot of money on security means you’re doing it right
   FACT: an information security policy is a good step to address your security reality
   FICTION: there’s a magic box you can plug in to your network to secure it all
   FACT: it’s possible to make hacking your organization very difficult
   FICTION: you can be completely hack-proof
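The "could have happened" slide turns several attack steps into alert conditions; the following is an added illustration (not from the deck) of what those conditions look like as detection rules run over constructed event records. Account names, host names, event shapes and the enumeration threshold are assumptions made for the example.

```python
from collections import defaultdict

# Assumed environment for the illustration (not from the deck).
VENDOR_ACCOUNT = "hvac-vendor"
VENDOR_ALLOWED_HOSTS = {"vendor-portal"}       # the vendor project system only
FTP_ALLOWED_SOURCES = {"pos-backup-1"}         # hosts the internal FTP server accepts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
ENUM_THRESHOLD = 50  # distinct directory objects one account may query per window


def detect(events):
    """Evaluate constructed event dicts against four rules; return alerts.

    Each alert is a (rule_name, detail) tuple. The rules mirror slide 15:
    AD enumeration (step 3), privileged group change (step 5), the vendor
    account outside its segment (steps 4/6), and an FTP connection from a
    host that is not whitelisted (step 9).
    """
    alerts = []
    enum_targets = defaultdict(set)  # account -> distinct objects queried
    for e in events:
        kind = e["type"]
        if kind == "ldap_query":
            enum_targets[e["account"]].add(e["target"])
        elif kind == "group_add" and e["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_change",
                           f"{e['member']} added to {e['group']} by {e['account']}"))
        elif (kind == "logon" and e["account"] == VENDOR_ACCOUNT
              and e["host"] not in VENDOR_ALLOWED_HOSTS):
            alerts.append(("segmentation_violation",
                           f"{e['account']} logged on to {e['host']}"))
        elif kind == "ftp_connect" and e["src"] not in FTP_ALLOWED_SOURCES:
            alerts.append(("ftp_unexpected_source",
                           f"FTP connection from {e['src']}"))
    for account, targets in enum_targets.items():
        if len(targets) >= ENUM_THRESHOLD:
            alerts.append(("ad_enumeration",
                           f"{account} queried {len(targets)} distinct objects"))
    return alerts


# Constructed sample: three benign events, then the slide-14 sequence.
SAMPLE_EVENTS = (
    [{"type": "logon", "account": VENDOR_ACCOUNT, "host": "vendor-portal"},
     {"type": "ldap_query", "account": "helpdesk", "target": "user-42"},
     {"type": "ftp_connect", "src": "pos-backup-1"}]
    + [{"type": "ldap_query", "account": VENDOR_ACCOUNT, "target": f"host-{i}"}
       for i in range(60)]
    + [{"type": "logon", "account": VENDOR_ACCOUNT, "host": "dc-01"},
       {"type": "group_add", "account": VENDOR_ACCOUNT, "member": "svc-new",
        "group": "Domain Admins"},
       {"type": "ftp_connect", "src": "pos-register-17"}]
)


def rules_fired(events=SAMPLE_EVENTS):
    """Return the sorted rule names that fired for the given events."""
    return sorted({rule for rule, _ in detect(events)})


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule fires once on the constructed sample and none fire on the benign prefix, which is the property a real rule set needs to hold against production baselines before it is useful.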
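The Anthem slides ask whether any user needs unfettered access and whether uncharacteristic usage is flagged; as an added example (not from the deck), here is a default-deny gateway in front of a constructed subscriber table that enforces both. The role policy, daily limit, user names and record layout are assumptions for illustration.

```python
from collections import defaultdict

# Constructed subscriber table standing in for the records database.
SUBSCRIBERS = {f"S{i:03d}": {"id": f"S{i:03d}", "ssn": f"***-**-{1000 + i}"}
               for i in range(1, 11)}

# Assumed role policy (not from the deck): whether a role may read PHI at all,
# and how many records per day counts as characteristic for that role.
ROLE_POLICY = {
    "claims_adjuster": {"reads_phi": True, "daily_limit": 3},
    "db_admin": {"reads_phi": False, "daily_limit": 0},  # runs the DB, never queries PHI
}


class RecordGateway:
    """Default-deny gateway between application users and subscriber records."""

    def __init__(self, assignments, db=SUBSCRIBERS):
        self.assignments = assignments  # user -> set of subscriber ids they service
        self.db = db
        self.daily_counts = defaultdict(int)
        self.flags = []  # (user, reason) entries for the monitoring team

    def fetch(self, user, role, subscriber_id):
        """Return one record, or None (and a flag) when policy denies it."""
        policy = ROLE_POLICY.get(role)
        if policy is None or not policy["reads_phi"]:
            self.flags.append((user, f"denied: role {role!r} may not read PHI"))
            return None
        if subscriber_id not in self.assignments.get(user, set()):
            self.flags.append((user, f"denied: {subscriber_id} not assigned to {user}"))
            return None
        self.daily_counts[user] += 1
        if self.daily_counts[user] > policy["daily_limit"]:
            self.flags.append((user, "uncharacteristic volume: "
                               f"{self.daily_counts[user]} reads today"))
            return None
        return self.db[subscriber_id]


def demo():
    """Run the constructed scenario; returns (records_returned, flags)."""
    gw = RecordGateway({"alice": {"S001", "S002", "S003", "S004"}})
    got = [
        gw.fetch("alice", "claims_adjuster", "S001"),  # assigned: returned
        gw.fetch("alice", "claims_adjuster", "S009"),  # not assigned: denied
        gw.fetch("dba", "db_admin", "S001"),           # role reads no PHI: denied
    ]
    for sid in ("S002", "S003", "S004"):               # the 4th read trips the limit
        got.append(gw.fetch("alice", "claims_adjuster", sid))
    return [r for r in got if r is not None], gw.flags


if __name__ == "__main__":
    records, flags = demo()
    print("returned:", [r["id"] for r in records])
    for user, reason in flags:
        print(f"flag[{user}]: {reason}")
```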