Who’s that knocking at your door? The soft underbelly of Information Security…
Glenn M. Wilson, Deloitte & Touche LLP
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Discussion Overview
• Today’s Cyber Risks
• How a malicious hacker views a target
• Approaches to data protection
Intro and Background
A question…
What is the primary “job” of a corporation?
Corporations must, by law, operate not in the interest of the public but to maximize shareholder value
Glenn’s wish
I wish that the SEC would mandate that all publicly traded companies put the value of their information on the balance sheet
The big data challenge
The world’s data footprint is growing rapidly:
• 90% of all data were created in the last two years
• Information Technology budgets are expected to expand 40% by the year 2020
• Data available will soon increase to 40,000 Exabytes
Source: ibm.com
Exabyte: 1,000,000,000,000,000,000
Have you been breached?
90% of organizations have had a leakage of sensitive data in the last 12 months
- Ponemon Institute, 2013 Cost of Breach Study
How data is lost
The Hacker
Opinion poll
Are hackers good or bad?
Types of hackers
Noobs and script kiddies
A noob or script kiddie is an amateur who breaks into computer systems not through his own knowledge of IT security, but through prepackaged automated scripts
Source: Search for “How to hack a website” conducted on google.com
Threat actors vary
[Chart: threat-actor comparison; key: Very high, High, Moderate, Low]
Guess who
• Malicious code released 05:30 UTC on January 25, 2003
• Infects nearly all of its 75,000 victims in less than 10 minutes
• Causes over $1,200,000,000.00 in damage
• Microsoft reported the vulnerability and released a patch on…July 24, 2002
• Its name was the Sapphire worm but it is commonly referred to as SQL Slammer
This more than anything created patch management as we know it today.
We’re social beings at heart
“The ability to research a target online has enabled hackers to create powerful social engineering attacks that easily fool even sophisticated users”. - Symantec
“One hour of research . . . is usually all it takes to garner the answers for a user’s bank challenge questions” - Anonymous
“Why would I risk getting a gun and a mask, then going into a bank and robbing it when I can just steal the money anonymously?” -2013 Grey Hat
In the news today…
What happens to stolen data?
Source: Symantec
Underground IRC Chat…
Threat interest
Increased DarkNet activity in:
• Vanity attacks
• Watering hole attacks
• BYOD and data mobility
• Social media bridges
• Connected homes – ISO v8 highlights health and home monitoring
• Connected cars – 360-degree sensing, fusing sensor inputs together like camera, radar and sonar, and integration of mapping, GPS and vehicle-to-vehicle communication systems
What’s wrong with this picture?
[Diagram: Internet and Business Partners on the Untrusted Networks side, Trusted Networks on the other; caption cut off: “There are NO”]
Hacking 30,000’ view
- Footprinting
- Discovery
- Enumeration
- Penetration
- Escalation
- Privileged Access
Discovering passwords
By executing a simple search, we are able to discover a number of potentially insecure installations that reveal sensitive information such as admin usernames and passwords.
“filetype:pwd service”
Discovering website vulnerabilities
Some websites expose unknown vulnerabilities to the internet. These can often be easily searched and exploited:
• Type “php?id=1” into a search engine
• Copy the URL of the site to be checked
• Paste that URL plus an apostrophe and see if the site may be vulnerable to a SQL injection attack
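The apostrophe probe described above leaves a recognisable trace in the web server’s access log. As an added example that is not part of the deck, this Python script parses constructed Common Log Format lines, decodes each query string, and flags requests whose `id` parameter is non-numeric or carries a quote next to SQL tokens, grouping hits by client IP and marking 5xx responses that suggest the input reached the database. The log lines, IPs and paths are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Common Log Format); not taken from the deck.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2013:13:55:41 +0000] "GET /news.php?id=1' HTTP/1.1" 500 612
203.0.113.7 - - [10/Oct/2013:13:55:49 +0000] "GET /news.php?id=1%27%20OR%201%3D1 HTTP/1.1" 500 612
198.51.100.4 - - [10/Oct/2013:14:02:10 +0000] "GET /news.php?id=42 HTTP/1.1" 200 4980
198.51.100.4 - - [10/Oct/2013:14:02:15 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 2211
"""

# One Common Log Format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL fragments that, next to a quote, distinguish a probe from a name like O'Brien.
SQL_TOKENS = re.compile(r"\b(?:or|and|union|select)\b\s*[\d'\"]|\b1\s*=\s*1\b|--|/\*", re.I)


def classify_request(target):
    """Return (param, value, reason) findings for one request target, [] if clean."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded values
        reasons = []
        if name == "id" and not value.isdigit():
            reasons.append("non-numeric id")
        if "'" in value and SQL_TOKENS.search(value):
            reasons.append("quote + SQL token")
        elif value.endswith("'"):
            reasons.append("trailing quote")
        if reasons:
            findings.append((name, value, ", ".join(reasons)))
    return findings


def scan_log(text):
    """Group suspicious requests by client IP: {ip: [(target, status, reason), ...]}."""
    suspects = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if not findings:
            continue
        reason = "; ".join(f"{n}={v!r}: {r}" for n, v, r in findings)
        status = int(m["status"])
        if status >= 500:
            reason += " (5xx response: the input may have reached the database)"
        suspects.setdefault(m["ip"], []).append((m["target"], status, reason))
    return suspects


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} suspicious request(s)")
        for target, status, reason in hits:
            print(f"  {status} {target}  <- {reason}")
```

The `O'Brien` search term is left alone because a quote by itself is common in legitimate input; only the `id` checks and the quote-plus-SQL-token rule raise a finding.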
A few words about physical security…
If I can touch it, I can take it
Physical security
Who has a Physical Security policy?
Physical security
• Who uses Two Factor?
• Who uses Proximity Sensors?
  ‒ Key card for building access
  ‒ Passport
Physical security
Tailgate Security
Keeping Secrets
What are we really protecting?
RECORDS! …but what IS a record?
A record is any information created or received that should be retained as evidence by an organization or person in pursuance of compliance, legal obligations, or in the transaction of business*
*ISO-15489
The Data Lifecycle
Steps:
1. Identify & Classify
2. Secure & Store
3. Monitor & Log
4. Recover
5. Disposition
6. Archive
   OR
6. Destruction

[Diagram: The Data Lifecycle. Data types: Structured, Unstructured, Semi-Structured. Stages: Identify & Classify, Secure, Monitor, Recover, Disposition, Archive / Defensible Destruction]
If you don’t CLASSIFY it, you’re likely not protecting it correctly
Examples of classification:
• Public — Non-sensitive information (e.g., sales brochures)
• Internal use only — Internal information (e.g., corporate policies)
• Confidential — Sensitive information (e.g., corporate financials)
• Restricted — Highly sensitive information (e.g., PII, pre-release earnings)

Information classification still has a way to go
Number of organizations conducting information classification (Source: Forrester Research, 2008):
• Yes 47%
• No 48%
• Don’t know 5%
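The four tiers above can be applied mechanically to incoming records rather than left to each author. As an added example that is not part of the deck, this Python script assigns one of the slide’s tiers to a text record from content markers, validating SSN-shaped and card-shaped numbers so that an order number that merely looks like a card number is not escalated to Restricted. The keyword markers and the sample records are assumptions constructed from the slide’s examples.

```python
import re

# The four tiers from the slide, ordered least to most sensitive.
LEVELS = ["Public", "Internal use only", "Confidential", "Restricted"]

# Keyword markers per tier, constructed from the slide's examples (assumption: a
# real programme would take these from its own classification standard).
MARKERS = {
    "Internal use only": ["policy", "internal use", "employee handbook"],
    "Confidential": ["revenue", "balance sheet", "financial statement", "ebitda"],
    "Restricted": ["pre-release earnings", "social security", "date of birth"],
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(s):
    """Luhn checksum: filters out order numbers that merely look like card numbers."""
    digits = [int(c) for c in s if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(m):
    """Reject SSN-shaped numbers never issued (000/666/9xx area, 00 group, 0000 serial)."""
    area, group, serial = m.groups()
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def classify(text):
    """Return (tier, reasons): the highest tier with a marker present, else Public."""
    lowered = text.lower()
    level, reasons = 0, []
    if any(plausible_ssn(m) for m in SSN_RE.finditer(text)):
        level = 3
        reasons.append("SSN-format PII")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        level = 3
        reasons.append("Luhn-valid card number")
    for tier, words in MARKERS.items():
        hits = [w for w in words if w in lowered]
        if hits:
            level = max(level, LEVELS.index(tier))
            reasons.append(f"{tier} marker(s): {', '.join(hits)}")
    return LEVELS[level], reasons


if __name__ == "__main__":
    # Constructed sample records: one per tier plus a Luhn-failing order number.
    samples = [
        "Our new product brochure: faster, cheaper, available now.",
        "Travel policy: all employees must book through the approved portal.",
        "Q3 revenue was $12.4M; see the attached balance sheet.",
        "Employee John Doe, SSN 123-45-6789, card 4111 1111 1111 1111",
        "Order 1234567890123456 shipped today",
    ]
    for s in samples:
        tier, why = classify(s)
        print(f"{tier:18} {s[:45]!r}  {why}")
```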
Value vs Risk
[Chart: Information over time, from Creation through Use to Expiration, with curves for Risk, Cost and Value; the distance between them is labelled “Cost to Value gap” and “Risk to Value gap”]
The sad reality
It is estimated that over 1/3 of corporate data is expired, redundant, or worthless
- Larry English, Improving Data Warehouse and Business Information Quality: Methods for Reducing Costs and Increasing Profits
Case study
Who here could use an extra $50 million?
• One of the largest mortgage servicing firms in the nation lost a case for $130 million
• If Data Lifecycle fundamentals were applied the cost would have been around $80 million
The bad guys can’t hack in and steal something you don’t have!!
In summary
• Classify what you need
• Protect what you have
• Delete ANYTHING you no longer need
Contact Info:
Glenn Wilson - CIP, CRISC, SCS-DLP, MCSE, CNA, CCA, ACE
Cyber Risk – Data Lifecycle Services
Deloitte & Touche LLP
+1 213 688 [email protected]
Connect with me on LinkedIn: http://www.linkedin.com/in/gmw13
Follow me on Twitter: DeloitteGlenn
Closing Questions?
Copyright © 2014 Deloitte Development LLC. All rights reserved.
Network security auditing
Disclaimer
This presentation is provided solely for informational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates and related entities shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on this information for such purposes.
This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2013 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited