ION-e Defense in Depth presentation for the Institute of Internal Auditors
TRANSCRIPT
DEFENSE IN DEPTH
Michael A. DaGrossa - CISSP, CEH, CCE
Managing Partner, Business Risk [email protected]
Proprietary and Confidential
Take advantage of the enemy's un-readiness, make your way by unexpected routes, and attack unguarded spots.
—Sun Tzu
Consultants and clients should develop a Defense in Depth strategy that is regularly tested and corrected.
Definition: DID
As defined by the Defense Information Systems Agency (DISA): the Defense in Depth approach builds mutually supporting layers of defense to reduce vulnerabilities and to help you protect against, detect and react to as many attacks as possible. By constructing mutually supporting layers of defense, you cause an adversary who penetrates or breaks one layer to promptly encounter another, and another, until the attack ends unsuccessful in its quest for unauthorized entry. To protect against different attack methods, you must employ corresponding security measures. The weakness of one security measure should be compensated for by the strength of another.
The general characteristics of defensive operations are:
Understand the enemy
See the battlefield
Use the defenders' advantages
Concentrate at critical times and places
Conduct counter-reconnaissance and counterattacks
Coordinate critical defense assets
Balance base security with political and legal constraints
Know the law of war and rules of engagement
Why does being compliant not equal being secure?
Why does being secure not equal being compliant?
HIPAA-Compliant
To Name a Few
AV Med Health Plans
Kinetic Concepts
University of Pittsburgh
FDIC/FFIEC, GLBA, BITS-Compliant
To Name a Few
ING
Education Credit Management Corp
Lincoln National Corp
Skydiving
Think of a corporate risk assessment as a life-threatening scenario in order to perceive it appropriately.
Standards, Controls and Security
Primary Chute
Reserve Chute
Automatic Activation Device (A.A.D.)
Reserve Static Line
Altimeter
Helmet/Goggles/Jumpsuit
Trained professional assistance
Using one standard as an umbrella approach to holistic security for a corporation is like relying on a single measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything accurately during the jump, right up to the moment he or she reaches the ground.
Layers of Safety
What are we protecting
Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009.
The average total per-incident costs in 2009 were $6.75 million.
A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center.
Engaging a consultant or third-party expert to assist with the data breach incident results in a lower average cost per compromised record (almost 26% less). About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident.
Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with higher abnormal churn rate (5% and 6% respectively). Source: Key findings from 2009 Ponemon Institute Annual Study
What are we protecting
Too many times we focus only on our own role in an engagement
Problems with independence
Knowledge
Checklist approach
Senior management should:
Clearly support all aspects of the information security program
Implement the information security program as approved by the board of directors
Establish appropriate policies, procedures, and controls
Participate in assessing the effect of security issues on the financial institution and its business lines and processes
Senior management should:
Delineate clear lines of responsibility and accountability for information security risk management decisions
Define risk measurement definitions and criteria
Establish acceptable levels of information security risks
Oversee risk mitigation activities.
Controls
Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c) compliance with laws and regulations.
Controls - COSO
Control Environment
Risk Assessment
Information and Communication
Control Activities
Monitoring
Controls
Internal controls may be described in terms of:
a) the objective they pertain to
b) the nature of the control activity itself.
Auditors understand this
Information Technology people do not
Business does not either
Controls - COBIT
IT Governance
Strategic Alignment
Value Delivery
Risk Management
Resource Management
Performance Measurement
Controls - CISSP
Access Control
Application Security
BCP/DR
Cryptography
Info Sec and Risk Management
Legal, Regulations and Compliance
Physical
Security Architecture and Design
Telecom and Network Security
Controls - CISM
Information Security Governance
Information Risk Management
Information Security Program Development
Information Security Program Management
Incident Management and Response
Controls - PCI
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Controls - ISO 27K
27001 - ISMS requirements
27002 - Code of practice
27003 - Implementation guidance
27004 - Metrics
27005 and onward - further standards defined up to 27037
*27799 - ISMS for the health sector
Business Breakdown
Systems, Applications, Infrastructure, Data, Processes
IT Service Management IT Security Management
IT Governance
Corporate Governance
Business Goals Regulatory Compliance
Frameworks for Business
Systems, Applications, Infrastructure, Data, Processes
IT Service Management / IT Security Management: ISO
IT Governance: COBIT
Corporate Governance: Balanced Scorecard, COSO
Business Goals: Growth, Efficiency
Regulatory Compliance: SOX, PCI, HIPAA, FISMA
DID for Business
Systems, Applications, Infrastructure, Data, Processes
IT Service Management IT Security Management
ISO
IT Governance
COBIT
Corporate Governance
Balanced Scorecard, COSO
Business Goals
Growth, Efficiency.
Regulatory Compliance
SOX, PCI, HIPAA, FISMA
Management, security, risk, audit, and compliance professionals should:
Look beyond the standard
Determine whether it is sufficient to manage the related risks to the organization
A start-to-finish, multi-layered security approach is the only way to minimize business impact and mitigate as much risk as possible.
The Bad Guys
Anti Forensics
Exploits
Social Engineering
Insiders
Outsiders
Anti-Forensics
Encryption
Steganography
Disk wiping
Signatures
Bootable disks - Bart, BT, HELIX, OWASP, MOJO
Slacker, TimeStomp, Transmogrify, SAM Juicer
Everything run in RAM
Linux - where tools don't look - Rune, Waffen, KY, DataMule
Exploits
Spear-Phishing
Phishing
Pharming
Cross Site anything
Spoofing
SQL Injection
Patch
[Chart: the sophistication of hacker tools rises over time while the technical knowledge required of the attacker falls. Milestones, in the order shown: password guessing, password cracking, self-replicating code, back doors, hijacking sessions, sweepers and sniffers, stealth diagnostics, DDoS, packet forging and spoofing, "new Internet attacks". Source: Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
Social Engineering
"Social Engineer Specialist: because there is no patch for human stupidity" - DEF CON T-shirt
The art of using human behavior to breach security without the participant even realizing they have been manipulated.
Social Engineering
Technical - Google, Maltego, Pipl
Non-technical:
Poor physical controls
Lack of security awareness training
Lack of policies and procedures
Weak employee screening
Lack of management support
Poor controls on data
Social Engineering
People are the weakest link
Desire to be helpful
Fear of getting in trouble
Tendency to trust
Desire to be successful
Insider
Motivators - good people doing bad things
Evolving loyalties
Job change
Management change
Company change
Misdirection/social engineering
Influence
Insider-Telltale Signs
Insiders already have access
Insiders just need intent
Insider - Watch For
Some kind of activity that reveals information not directly observable; it has to be noticed, and its significance recognized.
Insider-HR
Monitoring included in Policy
Clearly defined processes to include HR, Legal, Security and Management
Understand the evolving privacy statutory requirements
Risk Modeling
Know your risk formulas: ALE = ARO x SLE, where SLE = AV x EF (asset value times exposure factor)
Susceptibility and Impact together determine Risk, which is the Materiality
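As an added worked example of the risk formulas on this slide (not part of the presentation), the arithmetic below carries ALE = ARO x SLE and SLE = AV x EF through a constructed ransomware scenario and then asks the question the frameworks slide raises: is a given control sufficient for the risk, or does it cost more than the loss it removes? The asset value, exposure factors, rates of occurrence and control prices are invented for illustration.

```python
"""Worked risk-model arithmetic: ALE = ARO x SLE, with SLE = AV x EF.

Added illustration for the Risk Modeling slide; every number in the scenario
below is constructed for the example and is not from the presentation.
"""

from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: dollar loss from one occurrence. EF is the fraction of AV lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE: expected loss per year for one asset/threat pair."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return aro * sle


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(self.aro, sle)


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs.

    Positive means the layer pays for itself; negative means it costs more than
    the risk it takes away and should be justified on other grounds (or dropped).
    """
    return before.ale() - after.ale() - annual_cost


# Constructed scenario: ransomware against a file server valued at $500k.
BASELINE = Scenario("ransomware, no offline backups", 500_000, 0.40, 0.5)
# Candidate layer 1: offline backups shrink how much is lost per incident (EF),
# not how often it happens (ARO).
WITH_BACKUPS = Scenario("ransomware, offline backups", 500_000, 0.10, 0.5)
# Candidate layer 2: an expensive appliance that halves ARO but leaves EF alone.
WITH_APPLIANCE = Scenario("ransomware, new appliance", 500_000, 0.40, 0.25)


def evaluate_controls() -> dict:
    """Net value of each candidate control measured against the baseline."""
    return {
        "offline backups": safeguard_value(BASELINE, WITH_BACKUPS, annual_cost=15_000),
        "appliance": safeguard_value(BASELINE, WITH_APPLIANCE, annual_cost=90_000),
    }


if __name__ == "__main__":
    print(f"baseline ALE: ${BASELINE.ale():,.0f}")  # $100,000
    for name, value in evaluate_controls().items():
        verdict = "worth it" if value > 0 else "not worth it on ALE alone"
        print(f"{name}: net ${value:,.0f} per year ({verdict})")
```

With these constructed inputs the baseline ALE is $100,000; offline backups net +$60,000 a year and the appliance nets -$40,000, which is the "look beyond the standard" point in numbers: a control a checklist asks for is not automatically the control the risk calls for. The formula only ranks single-loss events; it says nothing about a breach that closes the company, as in case study #3, so it is an input to the materiality judgement, not a substitute for it.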
Attack Methodology
Phase I: Reconnaissance
Phase II: Enumeration
Phase III: Vulnerability Analysis
Phase IV: Exploit
Case Study #1:
Defense Contractor Investigation
Data Leakage
Results
Targeted Spear Phishing
Breakdown
AV
DLP
Firewall/IDS
Incident response
Case Study #2:
Insurance Investigation
Data Leakage
Results
Loss of ACL, Passwords, Intellectual Capital
Breakdown
Security Awareness
Improper Access Control
DLP
IDS/IPS/HIDS
Case Study #3:
Healthcare Investigation
Outside Hack
Results
Loss of proprietary information
Loss of reputation
Company ended up closing shop
Breakdown
Internal IT violated the controls put in place under HIPAA
Questions and Answers
Michael A. DaGrossa, CISSP, CEH, CCE
Managing Partner, Business Risk Services
302.261.9013 (office)
302.383.2737 (mobile)
ION-e Group
100 Dean Drive
Newark, DE 19711
www.ion-e.com
www.linkedin.com/in/dagrossa
www.deinfragard.com