
15 Years Later – Data Awareness In A Post Robert Hanssen World


Former FBI agent Robert Phillip Hanssen was arrested in 2001 for selling classified information to the Soviet Union and Russian Federation for more than $1.4 million in cash and diamonds over a 22-year period. Fifteen years later, classified data remains a target for security attacks. Though America has grown in terms of the technology at its disposal and its understanding of data security, a focus on locating and protecting sensitive data remains absent from many information security programs.

When companies lack visibility into their data, they make it possible for sensitive, personal information to exist in places people are unaware of. The consequences are visible in recent security breach reports from across the globe. On May 20 at the CyberSecureGov conference in Washington, D.C., DataGravity CISO Andrew Hay will share insights to help companies update their data security tactics, gain control of their sensitive data and avoid such consequences.

Data-awareness has changed in the post-Robert Hanssen world, and it will continue to evolve until companies and individuals can feel secure about their personal information. During the CyberSecureGov conference, additional interactive sessions and workshops will explore data security across multiple channels. Topics will include best practices for responding to major incidents, how to get through the aftermath of a security breach, companies’ top 10 security expectations and more. In his session, Andrew will present tips, tricks and proven methodologies for detecting, defending and even destroying sensitive data within an IT environment. As Andrew will cover, every organization should approach sensitive data management with respect and confidence – regardless of the target industry or company’s size.

End users and security pros alike need to become more data-aware, especially when sensitive data remains at risk.


Andrew Hay

May 20, 2016

Transcript

  1. None
  2. 15 Years Later – Data Awareness In A Post Robert Hanssen World

    Andrew Hay, CISO DataGravity, Inc. www.datagravity.com ahay@datagravity.com twitter: @andrewsmhay
  3. About Me

    » Andrew Hay • Chief Information Security Officer (CISO) @ DataGravity • Former: – Director of Research @ OpenDNS – Chief Evangelist & Director of Research @ CloudPassage – Senior Security Analyst @ 451 Research » Wrote some books, blog, spend more time on planes than I care to mention…
  4. Agenda

    » Who is Robert Hanssen? » What have we learned? » Defending against data theft » Detecting attempted data theft » Destroying data properly » Summary
  5. Who is Robert Hanssen?

  6. Dossier: Robert P. Hanssen

    » Name: Robert Phillip Hanssen » Born: April 18, 1944 in Chicago, Illinois. » School: BSc Chemistry @ Knox College • Dental School @ Northwestern (DNF) • Psychiatry @ Northwestern (DNF) • MBA Accounting & Information Systems @ Northwestern » Work History: ~1966 - NSA Cryptographer – Application Rejected • ~1973 - Chicago Police Department and assigned to police corruption division • ~1974-1975 - FBI – Application Rejected • ~1976 - FBI – Application Accepted
  7. Dossier: Robert P. Hanssen

    » Was assigned to the Bureau’s Gary, Indiana office » Transferred two years later to New York City » Hanssen was having a tough time making ends meet and decided to exploit his position with the FBI
  8. Dossier: Robert P. Hanssen

    » Disenchanted by the lackadaisical attitude of fellow FBI agents » Hanssen approached Russian agents and offered to sell secret documents » He was rewarded but was caught by his wife while counting $20,000 and writing a letter to the Soviets in his basement.
  9. Timeline of Events (slides 9–21 build up this timeline one event at a time)

    » 1972: Joins Chicago PD » 1976: Joins FBI » 1979: Begins spying for the Soviet Union » 1980: Begins working Soviet counterintelligence unit » 1981: Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife » 1985: Resumes spying » 1991: Breaks off relations with KGB » 1999: Resumes spying for Russian Intelligence » 1H2000: FBI identifies Hanssen from a fingerprint & recording. FBI also obtains the complete original KGB dossier on Hanssen. » 2H2000: FBI begins surveillance on Hanssen » 1H2001: Hanssen reassigned to obscure office at FBI HQ / arrested making drop at Virginia park » 2H2001: Pleads guilty to 15 counts of espionage and conspiracy in exchange for no death penalty » 2002: Sentenced to fifteen life terms without the possibility of parole
  22. Dossier: Robert P. Hanssen

    » Hanssen was arrested on February 18, 2001 at Foxstone Park near his home in Virginia » Charged with selling U.S. secrets to the Soviet Union and the Russian Federation • For more than US$1.4 million in cash and diamonds over a 22-year period » Pleaded guilty to fifteen counts of espionage • Sentenced to fifteen life terms without the possibility of parole
  23. What Have We Learned?

  24. What Have We Learned?

    » You’d think that such a high profile and damaging breach would have set us down the path to… • Data awareness • Better protecting our data • More quickly responding to data breaches » Right.....right???
  25. Verizon DBIR 2016

    » This year’s dataset is made up of over 100,000 incidents, of which 3,141 were confirmed data breaches » Of these, 64,199 incidents and 2,260 breaches comprise the finalized dataset that was used in the analysis and figures throughout the report
  26. DBIR 2016

    » Number of security incidents with confirmed data loss by victim industry and organization size, 2015 dataset • Finance – 795 • Accommodation – 282 • Public – 193 • Small is < 1,000 employees • Large is > 1,000 employees
  27. 27

  28. Verizon DBIR 2016

    » 66% of all security incidents in the public sector • Miscellaneous errors • Insider and privilege misuse • Physical theft and loss » Crimeware was also a significant factor, at 16% of the total
  29. What Have We Learned?

    » Technology has enabled • Faster data breaches • Larger data breaches • Automated data breaches • More profitable data breaches • More brand damaging data breaches • New revenue streams for organized crime
  30. What Have We Learned?

    » And, of course, job security for us :)
  31. Detecting Attempted Data Theft

  32. We Have A Monitoring Plan…

  33. We Have A Monitoring Plan…

  34. How We Monitor

    » Perimeter • Logs & Alerts » Applications • Logs & Alerts » Server and Workstations • Logs & Alerts » Network • Logs & Alerts (and also flows/traffic)
  35. What About The Data?

    » We often forget about monitoring the data » I mean, that’s where we keep the important stuff, right? » It’s like a present we hang onto until just the right time…
  36. Thwarted Theft Themes

    » IP Theft: Disgruntled employee copying files to Dropbox before leaving. » Digital Extortion: Manufacturer recovered from Ransomware without paying fines. » Sensitive Data Exposure: Government agency found 600 files with exposed PII. Admin inadvertently copied exec credit card # into public share. Company has illegal content on their file shares. » Illegal Entry: Data moving to Cloud in violation of regulator requirements or company policy. » Data Trespassing: Students storing personal MP3 collections on school servers. Government employee storing Lego movies on file share.
  37. Detecting Attempted Data Theft

    » Some indicators of attempted data theft include: • Abnormally high data reads and writes • Increased authentication/authorization failures – Followed by successful authentication/authorization • Access to never before accessed files • Off-hours access
  38. Detecting Attempted Data Theft

    » Some indicators of attempted data theft include: • Large file transfers – Size & number of files • Communications with never before seen domains/IPs • Sustained network communications for long periods of time
  39. Defending Against Data Theft

  40. So Where Is The Data?

  41. “It is a capital mistake to theorise before one has data.” ― Sir Arthur Conan Doyle, The Adventures of Sherlock Holmes

  42. So Where Is The IMPORTANT Data?

  43. This ‘Cloud Thing’ Might Have Legs…

    Source: Okta Businesses @ Work 2016
  44. How To Get 42GB of Free Storage… Or, How To Not Sleep Anymore

  45. People Often Forget About Traditional Storage

  46. So Where Is The IMPORTANT Data?

  47. Suggested Tools? I’ll get you started…

  48. Destroying Data Properly

  49. Once Upon A Time… (slides 49–52 build up this list one point at a time)

    » In a magical land called Bermuda » There was an evil semi-documented data destruction procedure » In it, were details of how to dispose of hard drives used by the bank » The procedure involved a scooter, a garbage dump, and a shovel…
  53. INTERLUDE

    This is the part of the presentation allocated to feeling sorry for the presenter and his impossible mission of securing a bank in Bermuda…
  54. Proper Data Destruction

    » DoD 5220.22-M (“National Industrial Security Program Operating Manual”) » NIST 800-88 (“Guidelines for Media Sanitization”) » However…the responsibility for wiping cloud data to standards is almost always the responsibility of the customer
  55. Summary

    » Look to your data for ways to detect data theft » It is incredibly difficult to defend your data when you don’t know where it’s located • Find it…find it all! » Data destruction needs to be carefully considered • Especially as storage mediums evolve
  56. Thank You…Questions?

    Andrew Hay, CISO DataGravity, Inc. www.datagravity.com ahay@datagravity.com twitter: @andrewsmhay
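
The indicators listed on slides 37 and 38 can be evaluated directly against file-access audit records. The following is an added example, not code from the presentation or from DataGravity; the event format, thresholds, user names and paths are constructed for illustration, and it covers four of the listed indicators (read volume, failures followed by success, never-before-accessed files, off-hours access) against a per-user baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit events: (timestamp, user, action, path, bytes read)
EVENTS = [
    ("2016-05-16 10:02", "alice", "read", "/hr/handbook.pdf", 200_000),
    ("2016-05-17 10:15", "alice", "read", "/hr/handbook.pdf", 200_000),
    ("2016-05-17 11:00", "bob", "read", "/eng/specs.doc", 500_000),
    ("2016-05-18 09:30", "bob", "read", "/eng/specs.doc", 500_000),
    ("2016-05-19 14:00", "alice", "read", "/hr/handbook.pdf", 200_000),
    ("2016-05-19 23:40", "bob", "auth_fail", "/finance", 0),
    ("2016-05-19 23:41", "bob", "auth_fail", "/finance", 0),
    ("2016-05-19 23:42", "bob", "auth_fail", "/finance", 0),
    ("2016-05-19 23:43", "bob", "auth_ok", "/finance", 0),
    ("2016-05-19 23:45", "bob", "read", "/finance/payroll.xls", 40_000_000),
    ("2016-05-19 23:50", "bob", "read", "/finance/cards.csv", 90_000_000),
]

def detect(events, baseline_end, work_hours=(7, 19), fail_threshold=3, volume_factor=5):
    """Return sorted (user, indicator) pairs for events on or after baseline_end."""
    seen = defaultdict(set)        # user -> paths read during the baseline period
    base_bytes = defaultdict(int)  # user -> largest one-day read volume in baseline
    day_bytes = defaultdict(int)   # (user, date) -> bytes read so far that day
    fails = defaultdict(int)       # user -> consecutive authentication failures
    alerts = set()
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%d")
    for ts, user, action, path, size in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        live = when >= cutoff      # before the cutoff we only learn the baseline
        if action == "auth_fail":
            fails[user] += 1
        elif action == "auth_ok":
            if live and fails[user] >= fail_threshold:
                alerts.add((user, "auth failures then success"))
            fails[user] = 0
        elif action == "read":
            key = (user, when.date())
            day_bytes[key] += size
            if not live:
                seen[user].add(path)
                base_bytes[user] = max(base_bytes[user], day_bytes[key])
                continue
            if path not in seen[user]:
                alerts.add((user, "never-before-accessed file"))
            if not work_hours[0] <= when.hour < work_hours[1]:
                alerts.add((user, "off-hours access"))
            if day_bytes[key] > volume_factor * max(base_bytes[user], 1):
                alerts.add((user, "abnormally high read volume"))
    return sorted(alerts)
```

Calling `detect(EVENTS, "2016-05-19")` treats everything before May 19 as baseline and flags only the constructed user `bob`, whose late-night session trips all four checks.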