Hollywood movies and some of the media representations of data breaches are sensationalized and over-complicated compared to reality. source: Verizon DBIR 2015 verizonenterprise.com/DBIR/2015/
on the rise
❏ average cost increased 8.3% from $5.4 MM in 2013 to $5.85 MM in 2014
❏ average cost per record increased 6.9% from $188 in 2013 to $201 in 2014
❏ the most costly breaches are malicious & criminal attacks
❏ Will your organization be breached?
❏ “The results show that a probability of a material data breach [over the next 2 years] involving a minimum of 10,000 records is more than 22 percent”*

* source: IBM/Ponemon “Cost of Data Breach Study”, 2014: http://ibm.co/1Df4urk based on survey of 314 global organizations that experienced data breach
organization is slacking on security
  ❏ more likely to have other proactive measures in place
❏ Password policies and user education can save us
  ❏ most security advice targeting users has a poor cost/benefit tradeoff (MS, 2009 http://bit.ly/1lwMErH)
❏ The threats you care about are Advanced Persistent Threat 0dayz
  ❏ most breaches actually use very simple methods, exploiting oversights and poor security policy, even from sophisticated attackers
❏ PCI/HIPAA/whatever compliant means secure
  ❏ nope! these don’t encompass everything
security questions is “it’s complicated” but that doesn’t mean there’s no hope

“You must never confuse faith that you will prevail in the end -- which you can never afford to lose -- with the discipline to confront the most brutal facts of your current reality, whatever they may be”
-- Admiral James Stockdale, US Navy

“I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents”
-- Brian Snow, NSA Information Assurance Head, 2012

“Lulzsec hacks embarrassed the security community by showing we were outclassed as defenders. NSA leaks show we were outclassed as attackers too”
-- Haroon Meer, 2015
data breaches, while other factors can increase the cost
❏ Many expensive breaches are preventable in a cost-effective way in retrospect
❏ There are many commonalities in how attacks begin…
  ❏ poor passwords
  ❏ malware
  ❏ phishing
  ❏ application misconfiguration/bugs
  ❏ lost/stolen devices
Contents of Security Policy
❏ Employee responsibilities: e.g. honoring PII policy & access restrictions.
❏ Device use policy: BYOD is huge.
❏ Risk assessment policy: evaluate org for risk on an ongoing basis
❏ Employee off-boarding policy: prevent biz critical material from leaving
❏ Operations management policy: backups? monitoring? segregation?
❏ Compliance & Auditing policy: to ensure you remain compliant with regulations
❏ Access control policy: specify how your org controls sensitive access
❏ Incident management policy: incident management policy decreases cost of breach
❏ Physical security policy: who controls the literal keys? how is access given/revoked?
❏ Business continuity & disaster recovery: if operations can’t continue at current office, then what?
❏ Data confidentiality policy: procedures & requirements for dealing w/ sensitive data
❏ Software change management policy: how do you keep track and control of important updates?
credential theft
❏ Target’s HVAC vendor’s credentials to vendor project system were compromised
❏ It’s hard to control your employees, let alone a vendor’s…
❏ but mitigation should always be in mind
❏ the vendor project system and payments systems weren’t segregated
❏ no two-factor authentication
❏ 70 million customer records stolen
❏ 40 million credit/debit cards
❏ up to $1 billion in damages
vendor
2. Vendor application vulnerability
3. Active Directory target enumeration
4. Steal admin hash from memory
5. Create new admin user
6. Bypass Target’s firewalls and access restrictions
   run code remotely with PSExec & remote desktop
   Microsoft Orchestrator access allowed them to ensure persistence
7. this gave them access to PII, but no credit cards as those were never stored, as per PCI-DSS
8. attackers deployed custom ‘Kaptoxa’ malware on PoS terminals using domain admin credentials
9. used internal AD-linked FTP server to aggregate data before sending it out
to HVAC vendor
2. Vendor application vulnerability was caught internally first
3. Active Directory target enumeration was detected as anomalous, stopped, and the incident response policy defined what to do next
4. There was no domain admin password to be stolen on the vendor system
5. Creation of new domain admin user triggered an alert to the responsible team
6. Bypass of Target’s firewalls and access restrictions was impossible due to extensive internal/external risk assessment and threat modeling
7. attackers couldn’t access PII because it was encrypted and the keys were on uncompromised, segregated application servers
8. attackers couldn’t deploy custom malware on PoS terminals because terminals whitelisted processes and attackers had no access to config management
9. couldn’t use internal AD-linked FTP server to aggregate data because it whitelisted hosts
controlled and understood. Threat model, assess, and mitigate risk.

SEGREGATION CAN BE HARD: there’s evidence Target made some effort to segregate their systems, using firewalls and restricting access from certain hosts. However, this can sometimes be bypassed by proxying through other hosts. Fully-segregated networks, or ones with strongly defined access control barriers are ideal. One Active Directory to Rule Them All introduces risk.

MONITORING IS CRUCIAL: Target could have noticed the attackers at several points during their setup and reconnaissance if monitoring alerted them.
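Added example (not from the original slides): one way to build the alert from step 5 of the counterfactual, where creation of a new domain admin user notifies the responsible team. It correlates Windows Security event 4720 (account created) with 4728/4732/4756 (member added to a group); the event records, account names, SIDs, approved-actor list and 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ACCOUNT_CREATED = 4720                  # a user account was created
GROUP_ADD = {4728, 4732, 4756}          # member added to global / local / universal group
WINDOW = timedelta(hours=24)            # assumed create-then-elevate correlation window
APPROVED_ACTORS = {"iam-provisioning"}  # hypothetical change-managed service account

SID = "S-1-5-21-1111111111-2222222222-3333333333-"  # constructed domain SID prefix

# Constructed sample events, reduced to the fields the rule needs.
EVENTS = [
    {"time": "2024-03-04T02:11:04", "id": 4720, "SubjectUserName": "svc-vendor-portal",
     "TargetUserName": "helpdesk_tmp", "TargetSid": SID + "1601"},
    {"time": "2024-03-04T02:13:40", "id": 4728, "SubjectUserName": "svc-vendor-portal",
     "TargetUserName": "Domain Admins", "MemberSid": SID + "1601"},
    {"time": "2024-03-04T09:30:00", "id": 4728, "SubjectUserName": "iam-provisioning",
     "TargetUserName": "Domain Admins", "MemberSid": SID + "1420"},
    {"time": "2024-03-05T11:00:00", "id": 4732, "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "MemberSid": SID + "1188"},
    {"time": "2024-03-05T11:05:00", "id": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "VPN Users", "MemberSid": SID + "1188"},
]

def detect_privileged_adds(events):
    """Return one alert per addition to a privileged group, oldest first."""
    created = {}  # account SID -> creation time, learned from 4720 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["TargetSid"]] = ts
            continue
        if ev["id"] not in GROUP_ADD or ev["TargetUserName"] not in PRIVILEGED_GROUPS:
            continue
        born = created.get(ev["MemberSid"])
        if ev["SubjectUserName"] in APPROVED_ACTORS:
            severity = "info"        # expected path, still recorded for audit
        elif born is not None and ts - born <= WINDOW:
            severity = "critical"    # account created and elevated in quick succession
        else:
            severity = "high"        # privileged change outside the approved path
        alerts.append({"severity": severity, "group": ev["TargetUserName"],
                       "member_sid": ev["MemberSid"], "actor": ev["SubjectUserName"],
                       "time": ev["time"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_privileged_adds(EVENTS):
        print(alert)
```

Correlating on SID rather than account name keeps the rule working if the new account is renamed between creation and elevation.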
two-factor authentication for external logins to networks falling under the scope of PCI-DSS. Target likely assumed the vendor management system was properly segregated with firewalls and access controls. PCI-DSS also doesn’t require network segregation, and only recommends it.

Custom malware is a big threat
While custom malware was used, its scope was limited: scraping POS terminal memory for credit cards and exfiltrating. It didn’t use any undisclosed software vulnerabilities or do anything particularly sophisticated. The best thing to do is keep it from appearing on systems in the first place.
million consumers affected
❏ existing $250 million/year security budget
❏ suspected entry point:
  ❏ employee laptop compromised with malware
  ❏ corporate marathon site bug
❏ US gov’t & JPMC initially pointed fingers at Russia…
  ❏ until October, when the FBI said they were no longer a suspect
❏ One server which missed being upgraded with two-factor authentication provided a foothold
❏ ultimately, 90+ servers were compromised
nothing if it isn’t constantly evaluated and adhered to
❏ security is active, not set-and-forget, not an add-on
❏ Expense-in-depth doesn’t mean defense-in-depth
❏ JPMC had 1000+ security personnel & a massive security spend, but one oversight allowed a massive breach
adversary with never-before-seen techniques
❏ it’s more likely you’ll be taken down by your own oversight
❏ advanced adversaries are more persistent but adhere to the same rules as everyone else
large health insurance provider
❏ database containing records was unencrypted…
❏ but encryption isn’t a panacea: it can be done poorly, keys can be stolen, and the data needs to be unencrypted at some point
❏ there’s no indication Anthem used any two-factor authentication whatsoever
❏ credentials from between 1-5 users were enough to access all subscriber data
❏ does any user need unfettered access to all data?
access to all data on a regular basis.
❏ records being accessed should be restricted as much as possible (principle of least privilege/default deny).
❏ Encryption is valuable, but not foolproof
❏ 64% of healthcare record leaks were attributed to employee endpoint compromise (US Dept. Health & Human Services, 2014)
❏ what risks do mostly insecure endpoints bring organizations?
❏ can employee credentials get attackers access to data retrieval applications? is uncharacteristic usage flagged?
HIPAA does not require encryption
❏ HIPAA does not require two-factor
  “Implement two-factor authentication for granting remote access to systems that contain EPHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)”
❏ HIPAA’s access control requirement:
  Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  - 164.312(d) Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov
oversight of service operators
this is somewhat comforting: it means it can be addressed

FICTION: today’s APTs require expensive threat intelligence feeds to understand
FACT: ongoing internal and external risk assessment can uncover problems

FICTION: “security” is a one-time expense
FACT: your organization needs to own and understand its security program
on security means you’re doing it right
FACT: an information security policy is a good step to address your security reality

FICTION: there’s a magic box you can plug in to your network to secure it all
FACT: it’s possible to make hacking your organization very difficult

FICTION: you can be completely hack-proof