Security Lessons from Verizon's Analysis of 32,002 Security Incidents Maury Weinstein President and Co-Founder System Source 410-771-5544 x4319 [email protected]

Post on 11-Aug-2020


Page 1: Security Lessons from Verizon's Analysis of 32,002 ... · Security Lessons from Verizon's Analysis of 32,002 Security Incidents IT Management - What to Retain or Outsource Motivating

Security Lessons from Verizon's Analysis of 32,002 Security Incidents

Maury Weinstein, President and Co-Founder

System Source, 410-771-5544 x4319

[email protected]

Page 2

We Hope You are Enjoying Your Pizza!!

If you haven't received your pizza, then contact Mike Jones: [email protected]

Page 3

During the Webinar…

Audio – In presentation mode until end

Control Panel

View webinar in full screen mode

In Chat – Tell us what you hope to learn today?

Feel free to submit written questions

Evaluation just after the webinar finishes

Page 4 (chart only)

Page 5

Our Management Seminar Series

• Security Lessons from Verizon's Analysis of 32,002 Security Incidents

• IT Management - What to Retain or Outsource

• Motivating and Retaining IT Staff in Face of Low Unemployment

• Learning from our 167,000 Completed IT Support Tickets and 19,500 Satisfaction Surveys

• Reducing Your IT Costs

• Cloud Strategy

• Evaluating Managed IT Services

• Disaster Recovery Workshop

• Building a Cost Effective and Crisis Free IT Team

Page 6

The Scope of the Problem

... a lot to worry about: 12,174 new vulnerabilities last year alone, and hundreds of defenses you are told to deploy ASAP. The MITRE Common Weakness Enumeration list catalogs 839 potential cybersecurity weaknesses. The original, fairly small MITRE ATT&CK framework now has 12 columns and 70 rows, and is still growing, showing the ways you can be compromised.

Defense-in-depth guidelines are growing too. The NIST Cybersecurity Framework, one popular guide, is 55 pages long. The SANS Top 10 controls have turned into the Center for Internet Security's Top 20 list.

I don't know of any field that has so many simultaneous threats...

Page 7

Agenda

• Your security agenda

• Report basics

• Breach trends

• Incident classification patterns

• By industry

• Gartner’s insource/outsource recommendation

Page 8

Your Security Agenda

1. Following regulatory or other external direction

  • most standards treat all requirements equally

2. Seeking research driven direction to optimize security

  • maximize security at lowest cost

  • no "one size fits all" approach

  • preventing under-, over- and useless spending

Page 9

Verizon Data Breach Investigations Report

• 81 organizations contribute world-wide

  • From Akamai to the US Secret Service

• Lists threats, vulnerabilities and actions leading to security incidents and data breaches

• Categorized by industry using NAICS codes

• 13th year

• North America accounts for 69% of incidents and 55% of breaches

Page 10

Does the Internet get more vulnerable with each new vulnerability?

Page 11 (chart only)

Page 12 (chart only)

Page 13

Breach Timelines

Page 14

First Action in an Incident

Page 15

$ Stolen by Breach Type

Page 16

Does Adding a Defensive Step Reduce Breaches?

Page 17

Fraud Losses

• FBI Recovery Asset Team recovered 79% of monies fraudulently transferred to domestic accounts in 2019

• Compromises require no work to cash out

  • Versus stealing information or credentials, which then must be sold

• Alternately, data can be used by hackers to commit fraud directly

  • Fraudulent tax returns or insurance claims via money laundering or cryptocurrency

Page 18

Secondary Attacks Prevalent

• 5,831 incidents where web apps were compromised to attack another victim

• Servers compromised for denial-of-service (DoS) attacks or hosting malware

• Botnets, via Trojans and malware, are responsible for 103K incidents; this drowns out all other categories

• Affects Financial (33%), Information (32%) and Professional Services (34%)

Page 19

Denial of Service: Sending junk network traffic to overwhelm systems, thereby causing their services to be denied. The system can't handle both the incoming illegitimate traffic and the legitimate traffic.

• Understanding the mitigation needed is key

• What attack length and size do you need to resist?

• Weigh business impact vs. defense cost

Page 20

Distributed Denial-of-Service (DDoS) Attacks

Page 21

Security Patterns (NA)

Page 22

Top Breach Patterns We Can Learn From (NA, 72%)

Everything Else (>50% phishing or financially motivated): Social engineering where attackers commit fraud via email, including pretexting

Web Applications: Web app was the path of the attack, including cloud email (>50%)

Misc. Errors: Unintentional action directly compromising security; delivering data to the wrong recipient for immediate loss, plus misconfiguration (unsecured database) (>50%)

Page 23 (chart only)

Page 24

Chart: Training Impact on Phish Prone Staff (52 person sample). Y-axis: phish prone %, from 0% to 30%. Annotations: "Training implemented for those failing"; "New hires - untrained".
Page 25 (chart only)

Page 26 (chart only)

Page 27

Impact: Linear cost per record moves to more statistically sound $ ranges.

Chart: Ranges of expected loss by number of records.

Page 28

Incident Classification Patterns

Chart: Frequency of data disclosures by incident pattern and victim industry.

Page 29

Educational Services (NAICS 61)

Page 30

Educational Services Top Breach Categories (81+%)

Everything Else: Phishing dominates (23% of breaches)

Miscellaneous Errors: Misdelivery of data and misconfiguration

Web Applications: Mostly stolen credentials from cloud email

Page 31

Top Controls – Education Services

• Implement a Security Awareness and Training Program (CSC 17)

  • Encourage users to let you know when your organization is targeted, as an early warning system.

• Boundary Defense (CSC 12)

  • Educational Services have the largest number of days in a year (28) with credential dumps run against them. The global median is eight days.

• Secure Configuration (CSC 5, CSC 11)

  • Manage the security configuration of infrastructure, mobile devices, servers and workstations using a rigorous configuration management and change control process, preventing exploits of vulnerable services and settings.

Page 32

Financial and Insurance (NAICS 52)

Tens of thousands of botnet incidents analyzed separately

Page 33

Financial and Insurance Breach Categories (81+%)

Web Applications: Using stolen credentials

Miscellaneous Errors: Misdelivery of information to the wrong person and misconfiguration

Everything Else: Phishing and pretexting

Page 34

Top Controls – Financial and Insurance

• Implement a Security Awareness and Training Program (CSC 17)

  • Will the average user challenge a request appearing to come from someone with authority to fire them?

• Boundary Defense (CSC 12)

  • Firewalls, network monitoring, proxies and multifactor authentication

• Secure Configurations (CSC 5, CSC 11)

  • Often a system administrator fails to secure a cloud storage bucket or misconfigures firewall settings. In both Misdelivery and Misconfiguration, the motivation was overwhelmingly carelessness.

Page 35

Healthcare (NAICS 62)

Page 36

Top Healthcare Breach Categories (72-%)

Miscellaneous Errors: Misdelivery (J. Tinker's discharge papers sent to J. Evers); mass mailing out of sync with envelope contents

Web Applications: Portals and other interactive surfaces

Everything Else: Phishing and pretexting

Page 37

Top Controls - Healthcare

• Implement a Security Awareness and Training Program (CSC 17)

  • Identify the knowledge needed to defend the organization and a plan to identify gaps, and remediate through policy, organizational planning, training, and awareness programs for all roles, prioritizing those that are mission-critical

• Boundary Defense (CSC 12)

  • Firewalls, network monitoring, proxies and multifactor authentication

• Data Protection (CSC 13)

  • Prevent and mitigate data exfiltration and ensure privacy and integrity of sensitive information

Page 38

Manufacturing (NAICS 31-33)

Page 39

Top Manufacturing Breach Categories (64-%)

Crimeware

• Stealing IP for competitive advantage

• Highly targeted rather than opportunistic

• Non-internal espionage

Web Applications

• Using stolen credentials to compromise enterprise web apps, including cloud email

Privilege Misuse

• Internal privilege abuse against databases

• Data mishandling via personal email or cloud drives used to work from home (WFH)

Page 40

Top Controls - Manufacturing

• Boundary Defense (CSC 12)

  • Firewalls, network monitoring, proxies and multifactor authentication

• Implement a Security Awareness and Training Program (CSC 17)

  • Identify the knowledge needed to defend the organization and a plan to identify gaps, and remediate through policy, organizational planning, training, and awareness programs for all roles, prioritizing those that are mission-critical

• Data Protection (CSC 13)

  • Prevent and mitigate data exfiltration and ensure privacy and integrity of sensitive information

Page 41

Professional, Technical and Scientific Services (NAICS 54)

Denial of Service and Trojan botnet incidents removed from this data

Page 42

Top Professional Services Breach Categories (79-%)

Web Applications: Using stolen credentials obtained from phishing

Everything Else: Phishing, often for mail compromise

Miscellaneous Errors: Misdelivery, misconfiguration and paper document loss

Page 43

Top Controls – Professional, Scientific and Technical Services

• Secure Configurations (CSC 5, CSC 11)

  • Manage the security configuration of infrastructure, mobile devices, servers and workstations using a rigorous configuration management and change control process, preventing exploits of vulnerable services and settings.

• Implement a Security Awareness and Training Program (CSC 17)

  • Identify the knowledge needed to defend the organization and a plan to identify gaps, and remediate through policy, organizational planning, training, and awareness programs for all roles, prioritizing those that are mission-critical

• Boundary Defense (CSC 12)

  • Firewalls, network monitoring, proxies and multifactor authentication

Page 44

Public Administration (NAICS 92)

Page 45

Top Public Administration Breach Categories (73+%)

Miscellaneous Errors: Misdelivery of data and misconfiguration

Web Applications: Using stolen credentials for web access

Everything Else: Phishing, including pretexting

Page 46

Top Controls – Public Administration

• Implement a Security Awareness and Training Program (CSC 17)

  • Identify the knowledge needed to defend the organization and a plan to identify gaps, and remediate through policy, organizational planning, training, and awareness programs for all roles, prioritizing those that are mission-critical

• Boundary Defense (CSC 12)

  • Firewalls, network monitoring, proxies and multifactor authentication

• Secure Configurations (CSC 5, CSC 11)

  • Manage the security configuration of infrastructure, mobile devices, servers and workstations using a rigorous configuration management and change control process, preventing exploits of vulnerable services and settings.

Page 47

Assigning Responsibilities for Run, Grow & Transform

Page 48

Outsource Run So You Can Grow & Transform

Diagram: "Run", "Grow", "Transform"

Page 49

Action - Staff Entrance and Exit: Detailed procedures to onboard and exit staff efficiently

Employee Exit Checklist

Standard service level agreement is 2 business hours after form submission (without PC handling)

Employee Name: ____
Phone: ____
Location: ____
Exit Terms: Termination / Resignation
Exit Date: ____ Time: ____

Network access:

Remove the user from all non-primary groups, hide the user from the global address list (GAL) and:

• Change network password (Requested Password: ____)

• Delete network account effective ____ (deletes the mailbox 30 days after deletion)

• Disable network account effective ____

• Delete network account on ____ (date)

File Retention:

• Retain Personal Network Directory

• Give access to the Personal Network Directory to: ____

• Retain local My Documents folder

• Move My Documents folder to: ____

• Give access to the My Documents folder to: ____

Mailbox Handling:

• Retain existing mailbox (available only if the account is not deleted)

• Allow Inbox to receive email

• Give mailbox proxy rights to: ____

• Forward new email to: ____

• Create out of office reply to alert senders with the following message:

  • Use default (messages will be forwarded for one year from departure): "Your email has been forwarded to ____ for attention. For immediate assistance please contact ____ at ____ or email ____. Thanks"

  • Alternate message: ____

• Save the mailbox as a static file (.pst) to: ____
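The network-access and mailbox steps of the exit checklist above, as an added example that is not System Source's own tooling. It assumes the ActiveDirectory module and an on-premises Exchange Management Shell session are loaded (so that Set-Mailbox, Add-MailboxPermission, Set-MailboxAutoReplyConfiguration and New-MailboxExportRequest are available, the last of which needs the Mailbox Import Export role), and that the Active Directory schema carries the Exchange attribute msExchHideFromAddressLists. The function name, its parameter names and the \\fileserver\exports share are hypothetical. It always sets a random password rather than the form's "Requested Password", and it only disables the account; deletion and the 30-day mailbox purge are a separate later step on the checklist.

```powershell
# Added example (not System Source's tooling): automates the "Network access" and
# "Mailbox Handling" sections of the employee exit checklist. Assumes the
# ActiveDirectory module and an on-prem Exchange Management Shell session are loaded.
# Function name, parameter names and the \\fileserver\exports path are hypothetical.
#Requires -Modules ActiveDirectory

function Invoke-EmployeeExit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # departing user
        [Parameter(Mandatory)][string]$ForwardTo,        # internal mailbox that picks up new mail
        [Parameter(Mandatory)][string]$GrantMailboxTo,   # user who gets proxy (full access) rights
        [string]$PstExportPath = '\\fileserver\exports', # hypothetical share for the static .pst copy
        [string]$ContactName, [string]$ContactPhone, [string]$ContactEmail  # out-of-office details
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup, UserPrincipalName
    $upn  = $user.UserPrincipalName

    # 1. Change the network password to a random value nobody knows. Done before
    #    disabling so that cached credentials and sessions stop working immediately.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password')) {
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPw
    }

    # 2. Disable the account and record the exit date. Deletion (and the 30-day
    #    mailbox purge that follows it) is a separate checklist step, so not done here.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account')) {
        Disable-ADAccount -Identity $SamAccountName
        Set-ADUser -Identity $SamAccountName -Description "Exited $(Get-Date -Format yyyy-MM-dd)"
    }

    # 3. Remove the user from every non-primary group (the primary group, usually
    #    Domain Users, cannot be removed with Remove-ADGroupMember anyway).
    foreach ($groupDn in $user.MemberOf) {
        if ($groupDn -ne $user.PrimaryGroup -and
            $PSCmdlet.ShouldProcess($groupDn, "Remove $SamAccountName from group")) {
            Remove-ADGroupMember -Identity $groupDn -Members $SamAccountName -Confirm:$false
        }
    }

    # 4. Hide the user from the global address list.
    if ($PSCmdlet.ShouldProcess($upn, 'Hide from GAL')) {
        Set-ADUser -Identity $SamAccountName -Replace @{ msExchHideFromAddressLists = $true }
    }

    # 5. Mailbox handling: keep the mailbox receiving mail, forward new mail, grant
    #    proxy rights, set the default out-of-office text, and export a static .pst.
    if ($PSCmdlet.ShouldProcess($upn, 'Mailbox handling')) {
        Set-Mailbox -Identity $upn -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
        Add-MailboxPermission -Identity $upn -User $GrantMailboxTo -AccessRights FullAccess -AutoMapping $false
        $reply = "Your email has been forwarded to $ForwardTo for attention. " +
                 "For immediate assistance please contact $ContactName at $ContactPhone or email $ContactEmail. Thanks"
        Set-MailboxAutoReplyConfiguration -Identity $upn -AutoReplyState Enabled `
            -InternalMessage $reply -ExternalMessage $reply
        New-MailboxExportRequest -Mailbox $upn -FilePath "$PstExportPath\$SamAccountName.pst" | Out-Null
    }
}

# Dry run with -WhatIf first, then repeat without it (values below are constructed):
# Invoke-EmployeeExit -SamAccountName jdoe -ForwardTo manager@example.com -GrantMailboxTo manager@example.com `
#     -ContactName 'A. Manager' -ContactPhone '410-555-0100' -ContactEmail manager@example.com -WhatIf
```

The ordering matters for the security outcome: the password reset comes first so that any session the departing user still holds cannot be refreshed, the disable follows, and only then are group memberships and mailbox settings adjusted. Running with -WhatIf shows every action the script would take, which doubles as the record the checklist asks for.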

Page 50

Action - Performance Reporting

35% score before onboarding; increases to 94% with attention

Page 51

Security Posture Quick Glance

Each row lists the criterion and the System Source standard it is checked against.

Authentication Protection

• Password policy: Password Standard checked Q1

• Password Protection: Enabled

• Dual factor authentication for O365: Enabled

• Dual factor authentication for VPN: Enabled

• Next generation passwords: NIST Password Standard 800-63

• IMAP/POP/SMTP removal: Remove legacy IMAP/POP protocols

• Risky login alerts: Near real time Office 365 breach alerting

• Turn off external auto forwarding for email: Reduce data leaks

• Single Sign-On: Single password for multiple web applications

• Service Account ad hoc login removal: Turn off ad hoc login for privileged service accounts

• Run and Review ORCA Report: Run twice yearly with remediation

Intrusion Protection

• Anti-Virus standard: Using a supported version of Symantec SESE, SESC or SEP

• Update Microsoft software on servers and workstations: Microsoft Windows, application and Office updates

• Patch policy: Patch standard checked annually

• Upgrade Microsoft Windows and Office: Keep up to date with Microsoft Build versions

• Upgrade/Update select non-Microsoft applications: Upgrade/Update 3rd party software from a select list

• Eliminate mobile phone access to non-guest networks: Remove mobile devices from the corporate network

• Intrusion protection: Enable firewall intrusion protection feature

• DDoS protection: Denial of Service protection for data centers

• Firewall review and improvement recommendations: Review configuration, age and updates

• External vulnerability scan: Run twice yearly with remediation

• Active Directory security scans: Scan for out of date Active Directory entries for client resolution

• Exit Process: Employee exit procedure update - Review Q2 yearly

• Disappear from business social media: Remove accounting and HR from LinkedIn

• Internal vulnerability scan: Check vulnerabilities within the firewall

• Penetration testing: Testing defenses by attempting penetration

Protection of Clients & Partners

• Outbound email filtering: Outbound email filtering standard

Increase Staff Productivity

• Spam filtering: Email filter standard

• Entrance Process: Employee onboarding procedure - Review Q2 yearly

• IT orientation documentation: IT orientation documentation for new employees - Reminder Q2 yearly

• Self-Service Passwords: ManageEngine installed

Protection of Staff Against Bad Security Choices

• Phishing test: Baseline = 27.4%, Client Score = 25%, Goal = 1.6%

• Phishing tests - on-going with end user training: Purchase KnowBe4 standard

• Phishing targeting for accounting staff, HR and/or key roles: In addition to regular phishing, targeted phishing for Accounting and HR staff

• Flagging outside email as "external": Add an "external" tag to mail arriving from outside, to alert sensitive staff to email risks

• Filtering inbound email for fraudulent attributes and links: Scanning inbound email with machine learning to reduce pretexting and fraud

• DNS filtering within firewall: Reduce security risks associated with malicious web requests

• DNS filtering for workstations outside of the firewall: Reduce security risks associated with malicious web requests outside the firewall

• Email security incident recovery protocol: Protocol for handling email security incidents - Review Q1 annually

• Disable email from your domain received from the outside: Block emails purportedly from your domain but received from outside the domain

Regulatory and Security Obligations

• Review Microsoft Windows Server log sizing and retention: Adequate sizing determined by audit needs - Review Q1 annually

Company Asset Protection

• Email encryption: Using a supported version of Zix, McAfee, ShareFile or Office 365

• Disk encryption for secure workstations: BitLocker installation for Windows 10 workstations

• Data Loss Prevention: Reduce data leakage from Office 365

• Mobile Device Management: Management of iOS and Android devices

Legend

• Meets or Exceeds Standard

• Caution, Unknown or Needs Discussion: yellow lights indicate risk assumed by the organization

• Does Not Meet Standard: red lights indicate risk assumed by the organization

• Not Applicable

This is a best effort glance based on covered products managed by System Source managed services.
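A way to check a tenant against three of the Authentication Protection rows above ("IMAP/POP/SMTP removal", "Turn off external auto forwarding for email", and the stolen-credential forwarding the Web Applications pattern warns about), as an added example that is not the System Source scorecard tooling. It assumes Connect-ExchangeOnline has already been run in the session; the function names, the output shape and the example.com internal domain are hypothetical.

```powershell
# Added example (not System Source's scorecard): audits an Exchange Online tenant for
# legacy IMAP/POP/SMTP AUTH, tenant-wide auto-forwarding, and mailbox or inbox-rule
# forwarding to external domains. Assumes Connect-ExchangeOnline has been run.
# Function names and the example.com internal domain are hypothetical.

function Test-ExternalRecipient {
    # $true when a recipient string (plain address, "smtp:addr", or an inbox-rule entry
    # such as '"Name" [SMTP:user@ext.example]') points outside $InternalDomains.
    # Legacy-DN entries (EX:/o=...) carry no @domain and are treated as internal.
    param([string]$Recipient, [string[]]$InternalDomains)
    if ($Recipient -match '@([A-Za-z0-9.-]+)') {
        return ($InternalDomains -notcontains $Matches[1].ToLowerInvariant())
    }
    return $false
}

function New-Finding {
    param([string]$Scope, [string]$Check, [string]$Detail)
    [pscustomobject]@{ Scope = $Scope; Check = $Check; Detail = $Detail }
}

function Get-MailSecurityFindings {
    [CmdletBinding()]
    param([string[]]$InternalDomains = @('example.com'))   # hypothetical tenant domains
    $InternalDomains = @($InternalDomains | ForEach-Object { $_.ToLowerInvariant() })

    # Row "Turn off external auto forwarding for email": the tenant-wide switch.
    if ((Get-RemoteDomain Default).AutoForwardEnabled) {
        New-Finding 'Tenant' 'AutoForward' 'Default remote domain still allows automatic forwarding'
    }

    # Row "IMAP/POP/SMTP removal": these protocols accept a bare password, so they sidestep
    # the dual factor rows above; any mailbox with them enabled is a finding.
    foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
        $addr = $cas.PrimarySmtpAddress.ToString()
        if ($cas.ImapEnabled) { New-Finding $addr 'LegacyProtocol' 'IMAP enabled' }
        if ($cas.PopEnabled)  { New-Finding $addr 'LegacyProtocol' 'POP enabled' }
        if (-not $cas.SmtpClientAuthenticationDisabled) {
            New-Finding $addr 'LegacyProtocol' 'SMTP AUTH not explicitly disabled (inherits tenant setting)'
        }
    }

    # Forwarding set on the mailbox itself, and forwarding hidden in inbox rules: a data
    # leak path on its own and a common follow-on once cloud email credentials are stolen.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $addr = $mbx.PrimarySmtpAddress.ToString()
        if ($mbx.ForwardingSmtpAddress -and
            (Test-ExternalRecipient "$($mbx.ForwardingSmtpAddress)" $InternalDomains)) {
            New-Finding $addr 'ExternalForward' "Mailbox forwards to $($mbx.ForwardingSmtpAddress)"
        }
        foreach ($rule in (Get-InboxRule -Mailbox $addr | Where-Object { $_.Enabled })) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                       Where-Object { $_ }
            foreach ($t in $targets) {
                if (Test-ExternalRecipient "$t" $InternalDomains) {
                    New-Finding $addr 'ExternalForward' "Inbox rule '$($rule.Name)' sends mail to $t"
                }
            }
        }
    }
}

# Usage (domains are constructed): list findings grouped by check, ready for the scorecard.
# Get-MailSecurityFindings -InternalDomains 'example.com','example.net' |
#     Sort-Object Check, Scope | Format-Table -AutoSize
```

An empty result for the LegacyProtocol and AutoForward checks is what "Meets or Exceeds Standard" looks like for those two rows; any ExternalForward finding belongs in the email security incident recovery protocol rather than on the scorecard, since it may already be an active leak. Remediation uses the matching Set- cmdlets (Set-CASMailbox for the protocol flags, Set-RemoteDomain Default -AutoForwardEnabled $false for the tenant switch).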