15 Years Later – Data Awareness In A Post Robert Hanssen World

Transcript

1. None

2. 15 Years Later – Data Awareness In A Post Robert

   Hanssen World Andrew Hay, CISO DataGravity, Inc. www.datagravity.com [email protected] twitter: @andrewsmhay

3. 3 About Me » Andrew Hay • Chief Information Security

   Officer (CISO) @ DataGravity • Former: – Director of Research @ OpenDNS – Chief Evangelist & Director of Research @ CloudPassage – Senior Security Analyst @ 451 Research » Wrote some books, blog, spend more time on planes than I care to mention…

4. 4 Agenda » Who is Robert Hanssen? » What have

   we learned? » Defending against data theft » Detecting attempted data theft » Destroying data properly » Summary

5. Who is Robert Hanssen?

6. 6 Name Robert Phillip Hanssen Born April 18, 1944 in

   Chicago, Illinois. School BSc Chemistry @ Knox College Dental School @ Northwestern (DNF) Psychiatry @ Northwestern (DNF) MBA Accounting & Information Systems @ Northwestern Work History ~1966 - NSA Cryptographer – Application Rejected ~1973 - Chicago Police Department and assigned to police corruption division ~1974-1975 - FBI – Application Rejected ~1976 - FBI – Application Accepted Dossier: Robert P. Hanssen

7. 7 Dossier: Robert P. Hanssen » Was assigned to the

   Bureau’s Gary, Indiana office » Transferred two years later to New York City » Hanssen was having a tough time making ends meet and decided to exploit his position with the FBI

8. 8 Dossier: Robert P. Hanssen » Disenchanted by the lackadaisical

   attitude of fellow FBI agents » Hanssen approached Russian agents and offered to sell secret documents » He was rewarded but was caught by his wife while counting $20,000 and writing a letter to the Soviets in his basement.

9. 9 Timeline of Events 1979 1980 1981 1985 1999 1H2000

   2H2000 Joins Chicago PD 1972 1976 1H2001 2H2001 2002 1991

10. 10 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI 1972 1976 1H2001 2H2001 2002 1991

11. 11 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union 1972 1976 1H2001 2H2001 2002 1991

12. 12 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 1991

13. 13 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife 1991

14. 14 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife Resumes spying 1991

15. 15 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife Resumes spying Breaks off relations with KGB 1991

16. 16 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife Resumes spying Breaks off relations with KGB 1991 Resumes spying for Russian Intelligence

17. 17 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife Resumes spying Breaks off relations with KGB 1991 Resumes spying for Russian Intelligence FBI identifies Hanssen from a fingerprint & recording. FBI also obtains the complete original KGB dossier on Hanssen.

18. 18 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife Resumes spying Breaks off relations with KGB 1991 Resumes spying for Russian Intelligence FBI identifies Hanssen from a fingerprint & recording. FBI also obtains the complete original KGB dossier on Hanssen. FBI begins surveillance on Hanssen

19. 19 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife Resumes spying Breaks off relations with KGB 1991 Resumes spying for Russian Intelligence FBI identifies Hanssen from a fingerprint & recording. FBI also obtains the complete original KGB dossier on Hanssen. FBI begins surveillance on Hanssen Hanssen reassigned to obscure office at FBI HQ / arrested making drop at Virginia park

20. 20 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife Resumes spying Breaks off relations with KGB 1991 Resumes spying for Russian Intelligence FBI identifies Hanssen from a fingerprint & recording. FBI also obtains the complete original KGB dossier on Hanssen. FBI begins surveillance on Hanssen Hanssen reassigned to obscure office at FBI HQ / arrested making drop at Virginia park Pleads guilty to 15 counts of espionage and conspiracy in exchange for no death penalty

21. 21 Timeline of Events 1979 1980 1981 1985 1999 1H2000

    2H2000 Joins Chicago PD Joins FBI Begins spying for the Soviet Union Begins working Soviet counterintelligence unit 1972 1976 1H2001 2H2001 2002 Transferred to FBI HQ to track white-collar crime and foreign officials / caught by wife Resumes spying Breaks off relations with KGB 1991 Resumes spying for Russian Intelligence FBI identifies Hanssen from a fingerprint & recording. FBI also obtains the complete original KGB dossier on Hanssen. FBI begins surveillance on Hanssen Hanssen reassigned to obscure office at FBI HQ / arrested making drop at Virginia park Pleads guilty to 15 counts of espionage and conspiracy in exchange for no death penalty Sentenced to fifteen life terms without the possibility of parole

22. 22 Dossier: Robert P. Hanssen » Hanssen was arrested on

    February 18, 2001 at Foxstone Park near his home in Virginia » Charged with selling U.S. secrets to the Soviet Union and the Russian Federation • For more than US$1.4 million in cash and diamonds over a 22-year period » Pleaded guilty to fifteen counts of espionage • Sentenced to fifteen life terms without the possibility of parole

23. What Have We Learned?

24. 24 What Have We Learned? » You’d think that such

    a high profile and damaging breach would have set us down the path to… • Data awareness • Better protecting our data • More quickly responding to data breaches » Right.....right???

25. 25 Verizon DBIR 2016 » This year’s dataset is made

    up of over 100,000 incidents, of which 3,141 were confirmed data breaches » Of these, 64,199 incidents and 2,260 breaches comprise the finalized dataset that was used in the analysis and figures throughout the report

26. 26 DBIR 2016 » Number of security incidents with confirmed

    data loss by victim industry and organization size, 2015 dataset • Finance – 795 • Accommodation - 282 • Public – 193 • Small is < 1,000 employees • Large is > 1,000 employees

27. 27

28. 28 Verizon DBIR 2016 » 66% of all security incidents

    in the public sector • Miscellaneous errors • Insider and privilege misuse • Physical theft and loss » Crimeware was also a significant factor, at16% of the total

29. 29 What Have We Learned? » Technology has enabled •

    Faster data breaches • Larger data breaches • Automated data breaches • More profitable data breaches • More brand damaging data breaches • New revenue streams for organized crime

30. 30 What Have We Learned? » • • • •

    • • » And, of course, job security for us J

31. Detecting Attempted Data Theft

32. 32 We Have A Monitoring Plan…

33. 33 We Have A Monitoring Plan…

34. 34 How We Monitor » Perimeter • Logs & Alerts

    » Applications • Logs & Alerts » Server and Workstations • Logs & Alerts » Network • Logs & Alerts (and also flows/traffic)

35. 35 What About The Data? » We often forget about

    monitoring the data » I mean, that’s where we keep the important stuff, right? » It’s like a present we hang onto until just the right time…

36. 36 IP Theft Disgruntled employee copying files to Dropbox before

    leaving. Digital Extortion Manufacturer recovered from Ransomware without paying fines. Sensitive Data Exposure Government agency found 600 files with exposed PII. Admin inadvertently copied exec credit card # into public share. Company has illegal content on their file shares. Illegal Entry Data moving to Cloud in violation of regulator requirements or company policy. Data Trespassing Students storing personal MP3 collections on school servers. Government employee storing Lego movies on file share. Thwarted Theft Themes

37. 37 Detecting Attempted Data Theft » Some indicators of attempted

    data theft include: • Abnormally high data reads and rights • Increased authentication/authorization failures – Followed by successful authentication/authorization • Access to never before accessed files • Off-hours access

38. 38 Detecting Attempted Data Theft » Some indicators of attempted

    data theft include: • Large file transfers – Size & number of files • Communications with never before seen domains/IPs • Sustained network communications for long periods of time

39. Defending Against Data Theft

40. 40 So Where Is The Data?

41. 41 » “It is a capital mistake to theorise before

    one has data.” ― Sir Arthur Conan Doyle, The Adventures of Sherlock Holmes

42. 42 So Where Is The IMPORTANT Data?

43. 43 This ‘Cloud Thing’ Might Have Legs… Source: Okta Businesses

    @ Work 2016

44. 44 How To Get 42GB of Free Storage… Or, How

    To Not Sleep Anymore

45. 45 People Often Forget About Traditional Storage

46. 46 So Where Is The IMPORTANT Data?

47. 47 Suggested Tools? I’ll get you started…

48. Destroying Data Properly

49. 49 Once Upon A Time… » In a magical land

    called Bermuda

50. 50 Once Upon A Time… » In a magical land

    called Bermuda » There was an evil semi- documented data destruction procedure

51. 51 Once Upon A Time… » In a magical land

    called Bermuda » There was an evil semi- documented data destruction procedure » In it, were details of how to dispose of hard drives used by the bank

52. 52 Once Upon A Time… » In a magical land

    called Bermuda » There was an evil semi- documented data destruction procedure » In it, were details of how to dispose of hard drives used by the bank » The procedure involved a scooter, a garbage dump, and a shovel…

53. INTERLUDE This is the part of the presentation allocated to

    feeling sorry for the presenter and his impossible mission of securing a bank in Bermuda…

54. 54 Proper Data Destruction » DoD 5220.22-M (“National Industrial Security

    Program Operating Manual “) » NIST 800-88 (“Guidelines for Media Sanitization”) » However…the responsibility for wiping cloud data to standards is almost always the responsibility of the customer

55. 55 Summary » Look to your data for ways to

    detect data theft » It is incredibly difficult to defend your data when you don’t know where it’s located • Find it…find it all! » Data destruction needs to be carefully considered • Especially as storage mediums evolve

56. Thank You…Questions? Andrew Hay, CISO DataGravity, Inc. www.datagravity.com [email protected] twitter:

    @andrewsmhay