
Security Fact & Fiction: Three Lessons from the Headlines


Real-world breaches are often caused by simple lapses of judgment.

Hollywood movies and some media representations of data breaches are sensationalized and over-complicated compared to reality.

Duo Security

May 13, 2015

Transcript

  1. Security Fact & Fiction
    Three Lessons from the Headlines

  3. (that one’s real)

  5. Real-world breaches are often caused by simple lapses of judgment.
    Hollywood movies and some of the media representations of data breaches are sensationalized and over-complicated compared to reality.
    source: Verizon DBIR 2015
    verizonenterprise.com/DBIR/2015/

  6. Security Facts
    ❏ The cost of a data breach is on the rise
      ❏ average cost increased 8.3% from $5.4 MM in 2013 to $5.85 MM in 2014
      ❏ average cost per record increased 6.9% from $188 in 2013 to $201 in 2014
      ❏ the most costly breaches are malicious & criminal attacks
    ❏ Will your organization be breached?
      ❏ “The results show that a probability of a material data breach [over the next 2 years] involving a minimum of 10,000 records is more than 22 percent”*
    * source: IBM/Ponemon “Cost of Data Breach Study”, 2014: http://ibm.co/1Df4urk, based on a survey of 314 global organizations that experienced a data breach

  7. Factors Affecting the Cost of Breaches
    Factor                          Effect on Cost/Record
    Strong Security Posture         -$14.14
    Incident Response Plan          -$12.77
    CISO Appointment                -$6.59
    Business Continuity Management  -$8.98
    Lost/Stolen Devices             +$16.10
    3rd Party Involvement           +$14.80
    Quick Notification              +$10.45
    Consultant Engagement           +$2.10
    source: IBM/Ponemon, 2014 (US avg. cost/record: $201)

  8. Security Fiction
    ❏ Purchasing data breach insurance policies indicates an organization is slacking on security
      ❏ more likely to have other proactive measures in place
    ❏ Password policies and user education can save us
      ❏ most security advice targeting users has a poor cost/benefit tradeoff (MS, 2009 http://bit.ly/1lwMErH)
    ❏ The threats you care about are Advanced Persistent Threat 0dayz
      ❏ most breaches actually use very simple methods, exploiting oversights and poor security policy, even from sophisticated attackers
    ❏ PCI/HIPAA/whatever compliant means secure
      ❏ nope! these don’t encompass everything

  9. The Present State of Security
    ❏ The answer to most security questions is “it’s complicated”, but that doesn’t mean there’s no hope
    “You must never confuse faith that you will prevail in the end -- which you can never afford to lose -- with the discipline to confront the most brutal facts of your current reality, whatever they may be”
    -- Admiral James Stockdale, US Navy
    “I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents”
    -- Brian Snow, NSA Information Assurance Head, 2012
    “Lulzsec hacks embarrassed the security community by showing we were outclassed as defenders. NSA leaks show we were outclassed as attackers too”
    -- Haroon Meer, 2015

  10. The Security Blanket
    ❏ Preparedness can reduce the cost of data breaches, while other factors can increase the cost
    ❏ Many expensive breaches are preventable in a cost-effective way in retrospect
    ❏ There are many commonalities in how attacks begin…
      ❏ poor passwords
      ❏ malware
      ❏ phishing
      ❏ application misconfiguration/bugs
      ❏ lost/stolen devices

  11. Our management statement: why the information security policy exists

  12. Contents of Security Policy
    ❏ Ownership
      which team/people are responsible for which systems?
    ❏ Employee responsibilities
      e.g. honoring PII policy & access restrictions.
    ❏ Device use policy
      BYOD is huge.
    ❏ Risk assessment policy
      evaluate org for risk on an ongoing basis
    ❏ Employee off-boarding policy
      prevent biz critical material from leaving
    ❏ Operations management policy
      backups? monitoring? segregation?
    ❏ Compliance & Auditing policy
      to ensure you remain compliant with regulations
    ❏ Access control policy
      specify how your org controls sensitive access
    ❏ Incident management policy
      incident management policy decreases cost of breach
    ❏ Physical security policy
      who controls the literal keys? how is access given/revoked?
    ❏ Business continuity & disaster recovery
      if operations can’t continue at current office, then what?
    ❏ Data confidentiality policy
      procedures & requirements for dealing w/ sensitive data
    ❏ Software change management policy
      how do you keep track and control of important updates?

  13. Target in the Crosshairs
    ❏ 95% of security incidents involve credential theft
    ❏ Target’s HVAC vendor’s credentials to vendor project system were compromised
      ❏ It’s hard to control your employees, let alone a vendor’s…
      ❏ but mitigation should always be in mind
    ❏ the vendor project system and payments systems weren’t segregated
    ❏ no two-factor authentication
    ❏ 70 million customer records stolen
      ❏ 40 million credit/debit cards
      ❏ up to $1 billion in damages

  14. How it happened
    1. “Citadel” malware email, spearphishing to HVAC vendor
    2. Vendor application vulnerability
    3. Active Directory target enumeration
    4. Steal admin hash from memory
    5. Create new admin user
    6. Bypass Target’s firewalls and access restrictions
       run code remotely with PSExec & remote desktop
       Microsoft Orchestrator access allowed them to ensure persistence
    7. this gave them access to PII, but no credit cards as those were never stored, as per PCI-DSS
    8. attackers deployed custom ‘Kaptoxa’ malware on PoS terminals using domain admin credentials
    9. used internal AD-linked FTP server to aggregate data before sending it out

  15. How it COULD have happened
    1. “Citadel” malware email, spearphishing to HVAC vendor
    2. Vendor application vulnerability was caught internally first
    3. Active Directory target enumeration was detected as anomalous, stopped, and the incident response policy defined what to do next
    4. There was no domain admin password to be stolen on the vendor system
    5. Creation of new domain admin user triggered an alert to the responsible team
    6. Bypass of Target’s firewalls and access restrictions was impossible due to extensive internal/external risk assessment and threat modeling
    7. attackers couldn’t access PII because it was encrypted and the keys were on uncompromised, segregated application servers
    8. attackers couldn’t deploy custom malware on PoS terminals because terminals whitelisted processes and attackers had no access to config management
    9. couldn’t use internal AD-linked FTP server to aggregate data because it whitelisted hosts
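The alert in step 5 above, worked as an added example (not code from the deck or from Duo): correlate Windows Security events so that an account being created and then placed in a privileged group raises an alert naming who did it. The event dicts and the names in them are constructed for the example; only the Event IDs are real Windows ones.

```python
"""Added example: alert when a newly created account is added to a privileged group.

Assumes events are already parsed into dicts. Event IDs are the real Windows ones
(4720 = user account created; 4728 / 4732 = member added to a security-enabled
global / local group). The sample events and account names are constructed."""
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S")


def find_new_privileged_accounts(events, window_minutes=1440):
    """Return one alert per account created and added to a privileged group
    within `window_minutes`. Each alert carries the creating and adding
    principals, so the responsible team gets a lead and not just a flag."""
    created = {}   # account -> (creation time, principal that created it)
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4720:
            created[ev["target"]] = (_ts(ev), ev["subject"])
        elif ev["id"] in (4728, 4732) and ev["group"] in PRIVILEGED_GROUPS:
            hit = created.get(ev["target"])
            if hit is None:
                continue   # pre-existing account: a separate, lower-urgency signal
            minutes = int((_ts(ev) - hit[0]).total_seconds() // 60)
            if minutes <= window_minutes:
                alerts.append({"account": ev["target"], "group": ev["group"],
                               "created_by": hit[1], "added_by": ev["subject"],
                               "minutes_between": minutes})
    return alerts


# Constructed sample: a vendor-portal service account creates "svc-backup2" and
# promotes it three minutes later; the helpdesk creates "jdoe" and only adds it
# to an ordinary group, which must stay quiet.
SAMPLE_EVENTS = [
    {"time": "2015-05-01T02:14:00", "id": 4720, "subject": "CORP\\vendor-portal",
     "target": "svc-backup2", "group": None},
    {"time": "2015-05-01T02:17:00", "id": 4728, "subject": "CORP\\vendor-portal",
     "target": "svc-backup2", "group": "Domain Admins"},
    {"time": "2015-05-01T09:00:00", "id": 4720, "subject": "CORP\\helpdesk",
     "target": "jdoe", "group": None},
    {"time": "2015-05-01T09:05:00", "id": 4728, "subject": "CORP\\helpdesk",
     "target": "jdoe", "group": "Sales Users"},
]
```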

  16. Security Facts
    RISK ASSESSMENT FTW: Third-party access needs to be controlled and understood. Threat model, assess, and mitigate risk.
    SEGREGATION CAN BE HARD: there’s evidence Target made some effort to segregate their systems, using firewalls and restricting access from certain hosts. However, this can sometimes be bypassed by proxying through other hosts. Fully-segregated networks, or ones with strongly defined access control barriers, are ideal. One Active Directory to Rule Them All introduces risk.
    MONITORING IS CRUCIAL: Target could have noticed the attackers at several points during their setup and reconnaissance if monitoring alerted them.

  18. Security Fiction
    PCI-DSS compliance should keep data secure
    PCI-DSS requires two-factor authentication for external logins to networks falling under the scope of PCI-DSS. Target likely assumed the vendor management system was properly segregated with firewalls and access controls. PCI-DSS also doesn’t require network segregation, and only recommends it.
    Custom malware is a big threat
    While custom malware was used, its scope was limited: scraping POS terminal memory for credit cards and exfiltrating. It didn’t use any undisclosed software vulnerabilities or do anything particularly sophisticated. The best thing to do is keep it from appearing on systems in the first place.

  19. JPMorgan: Financial Cost of Neglect
    ❏ 7 million businesses, 76 million consumers affected
    ❏ existing $250 million/year security budget
    ❏ suspected entry point:
      ❏ employee laptop compromised with malware
      ❏ corporate marathon site bug
    ❏ US gov’t & JPMC initially pointed fingers at Russia…
      ❏ until October, when the FBI said they were no longer a suspect
    ❏ One server which missed being upgraded with two-factor authentication provided a foothold
      ❏ ultimately, 90+ servers were compromised

  20. Security Fact
    ❏ Negligence is costly
      ❏ security policy means nothing if it isn’t constantly evaluated and adhered to
      ❏ security is active, not set-and-forget, not an add-on
    ❏ Expense-in-depth doesn’t mean defense-in-depth
      ❏ JPMC had 1000+ security personnel & a massive security spend, but one oversight allowed a massive breach

  21. Security Fiction
    ❏ You’ll be taken down by an advanced adversary with never-before-seen techniques
      ❏ it’s more likely you’ll be taken down by your own oversight
      ❏ advanced adversaries are more persistent but adhere to the same rules as everyone else

  22. Anthem: healthy access control
    ❏ 80 million records stolen from large health insurance provider
    ❏ database containing records was unencrypted…
      ❏ but encryption isn’t a panacea: it can be done poorly, keys can be stolen, and the data needs to be unencrypted at some point
    ❏ there’s no indication Anthem used any two-factor authentication whatsoever
    ❏ credentials from between 1-5 users were enough to access all subscriber data
      ❏ does any user need unfettered access to all data?

  23. Security Fact
    ❏ Access controls are critical
      ❏ nobody needs access to all data on a regular basis.
      ❏ records being accessed should be restricted as much as possible (principle of least privilege/default deny).
    ❏ Encryption is valuable, but not foolproof
    ❏ 64% of healthcare record leaks were attributed to employee endpoint compromise (US Dept. Health & Human Services, 2014)
      ❏ what risks do mostly insecure endpoints bring organizations?
      ❏ can employee credentials get attackers access to data retrieval applications?
      ❏ is uncharacteristic usage flagged?
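One way to answer the last question on the slide, as an added example (not from the deck or from Duo): flag a user whose daily record-retrieval volume jumps far above their own history, which is what a bulk pull of subscriber data with a handful of stolen credentials looks like. The log line format and all sample lines are constructed for the example.

```python
"""Added example: flag uncharacteristic record access per user.

Log line format (constructed): '<day> user=<name> records=<count>'."""
import re
from collections import defaultdict
from statistics import median

LINE = re.compile(r"^(\S+) user=(\S+) records=(\d+)$")


def parse(lines):
    """Yield (day, user, records); malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def flag_unusual_access(lines, ratio=5.0, floor=500):
    """Return [(day, user, records, baseline)] for every day on which a user
    retrieved more than `ratio` times the median of their earlier days AND
    more than `floor` records. The floor keeps tiny baselines (median 2,
    today 15) from alerting; the ratio keeps legitimately heavy users quiet."""
    history = defaultdict(list)   # user -> record counts on earlier days
    alerts = []
    for day, user, n in sorted(parse(lines)):
        past = history[user]
        if past:
            baseline = median(past)
            if n > max(ratio * baseline, floor):
                alerts.append((day, user, n, baseline))
        past.append(n)   # the day still enters history; tune if alerts repeat
    return alerts


# Constructed sample: claims_a normally pulls ~130 records/day, analyst_b ~3000.
# On 02-04 claims_a pulls 45,000; analyst_b's 3,200 is within their norm.
SAMPLE_LOG = """\
2015-02-01 user=claims_a records=120
2015-02-01 user=analyst_b records=3000
2015-02-02 user=claims_a records=140
2015-02-02 user=analyst_b records=2800
2015-02-03 user=claims_a records=130
2015-02-03 user=analyst_b records=3100
2015-02-04 user=claims_a records=45000
2015-02-04 user=analyst_b records=3200
not a log line
""".splitlines()
```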

  24. Security Fiction
    ❏ HIPAA keeps health care information safe
      ❏ HIPAA does not require encryption
      ❏ HIPAA does not require two-factor
      “Implement two-factor authentication for granting remote access to systems that contain EPHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)”
    ❏ HIPAA’s access control requirement:
      Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. - 164.312(d)
      Technical Safeguards of the Security Standards for the Protection of ePHI, HHS.gov

  25. Security Fact and Fiction
    FACT: many hacks are facilitated by oversight of service operators
      this is somewhat comforting: it means it can be addressed
    FICTION: today’s APTs require expensive threat intelligence feeds to understand
    FACT: ongoing internal and external risk assessment can uncover problems
    FICTION: “security” is a one-time expense
    FACT: your organization needs to own and understand its security program

  26. Security Fact and Fiction
    FICTION: spending a lot of money on security means you’re doing it right
    FACT: an information security policy is a good step to address your security reality
    FICTION: there’s a magic box you can plug in to your network to secure it all
    FACT: it’s possible to make hacking your organization very difficult
    FICTION: you can be completely hack-proof