TRANSCRIPT
© 2012 Digital Defense, Inc. The information contained herein constitutes proprietary information of Digital Defense, Inc. and may not be copied, reproduced or disseminated without the prior written authorization of Digital Defense, Inc.
Presented by Tom DeSot, Executive Vice President, Chief Information Officer
Uncovering Hidden IT Threats In Your Credit Union
June 2012
About Your Presenter
• Tom DeSot, NSA-IAM
• EVP, Chief Information Officer
• 20+ Years of FI Experience
• Board Member – Generations FCU
• Former Supervisory Committee Chair
• ISACA Board Member
• Former ISSA Board Member
About Digital Defense
Our Comprehensive Security GRC Solutions Portfolio
• Proactive Security Services
  – Vulnerability Scanning
  – Penetration Testing
  – Environmental Assessments
  – General Consulting
• Security Compliance Management
  – Industry-Specific Packages: Financial, Healthcare, Commercial
  – Standards Adherence Evaluations: PCI DSS
• Risk Identification
  – Information Security Risk Assessments: Enterprise-wide, OCTAVE™-based
• Security Education & Awareness
  – Employee
  – Online Patron
  – Industry-centric Studies
This Presentation Is Not Meant To Drive You To Drink…but…
[Image courtesy of buzzle.com]
Let’s Discuss Some Hidden Threats
What Is Cloud Computing?
“Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure ‘in the cloud’ that supports them.”
(http://en.wikipedia.org/wiki/Cloud_computing)
Cloud Computing Visualized
Source: http://infreemation.net/cloud-computing-linear-utility-or-complex-ecosystem/
Cloud Offerings
*All logos are the property of their respective brand holders.
Gartner Study on Cloud Computing
• In 2008, Gartner Group released a study that highlighted seven key areas that each organization should consider when evaluating the use of “cloud computing”:
  1. Privileged User Access
  2. Regulatory Compliance
  3. Data Location
  4. Data Segregation
  5. Recovery
  6. Investigative Support
  7. Long-term Viability
Source: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
Privileged User Access
• Gartner Quote – “Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the ‘physical, logical and personnel controls’ IT shops exert over in-house programs. Get as much information as you can about the people who manage customer data. ‘Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access,’ Gartner says.”
Source: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
What Should CUs Be Asking?
1. Who has access to protected data within the CBSO?
2. Does the CBSO limit the personnel in their organization that can see protected data? If so, how?
3. Does the CBSO conduct background investigations of their personnel? If so, how often?
4. Does the CBSO outsource administration of their systems? If so, to whom?
Compliance
• Gartner Quote – “Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are ‘signaling that customers can only use them for the most trivial functions,’ according to Gartner.”
Source: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
What Should CUs Be Asking?
1. Has the CBSO undergone a SAS-70 or equivalent audit?
2. Has the CBSO had vulnerability assessments or penetration tests performed against their platforms? If so, will they share the reports?
3. Is the CBSO in compliance with my organization’s regulatory data storage requirements? If so, which ones and how?
Recovery
• Gartner Quote – “Even if you don't know where your data is, a cloud provider should tell you what will happen to customer data and service in case of a disaster. ‘Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,’ Gartner says. Ask your provider if it has ‘the ability to do a complete restoration, and how long it will take.’”
Source: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
What Should CUs Be Asking?
1. How is my organization’s data going to be segregated from other client data?
2. How often are backups of my data completed by the CBSO?
3. Does the CBSO have a business continuity and disaster recovery program in place? When were the programs last updated?
4. Does the CBSO have a disaster recovery site?
5. Does the CBSO’s SLA define how quickly they can recover and what remedies are available if they cannot meet the SLA?
Protecting Your Credit Union
• Conduct a Risk Assessment
  – Why A Risk Assessment First?
    • Do you know what cloud-based data you are actually worried about protecting?
    • Do you know where all of the data is being stored, electronically or physically?
    • Do you know what safeguards are already in place at the cloud provider?
    • Do you know what risk you are still being presented with? (Risk Gap)
Risk Assessment
• Common Questions
  – Does the organization utilize or plan to utilize “cloud computing”?
  – What are the risks of doing so? Are we willing to accept them?
  – What risks are we placing upon our data by using cloud-based services?
  – Would our existing plans (technology, DR, etc.) cover issues associated with down services or a breach at the cloud provider?
Technology Plan Impact Analysis
• Cloud Computing Will Impact Your…
  – Information Security Plan
  – Disaster Recovery Plan
  – Business Continuity Plan
  – E-Commerce Plan
  – Many Others!
Each Plan Needs To Be Evaluated & Adjusted Accordingly.
Policies & Procedures
• Document, Document, Document
  – Make sure the customer information security program is formally documented with policies and procedures related to the organization’s use of cloud computing.
  – Make sure policies and procedures address key regulatory concerns regarding third party vendors and cloud computing.
  – Make sure the appropriate staff members review the materials at least annually, or as they are updated.
  – Make sure you document the review and update of the materials on at least an annual basis.
Policies & Procedures
• Common Policies & Procedures For Cloud Computing Users
  – 3rd Party Due Diligence
  – Utilization of Virtual Services
  – Risk Assessment Programs
  – Encryption Usage
  – Data Access
  – Usage of Remote Storage
[Image courtesy of cpatrendlines.com]
How Are Mobile Devices Being Used?
• A Mobile Device may…
  – Provide the user access to the Internet
  – Send and receive corporate e-mail
  – Provide access to corporate calendars
  – Utilize and provide corporate VPN access
  – Be utilized to send and receive text messages
  – Provide access to webinar software (GoToMeeting, etc.)
  – Provide access to corporate applications
Unique Uses for Mobile Devices
• Financial Institutions – Home banking, bill pay
• Retailers – Sales forecast updates/monitoring
• Manufacturing Companies – Production line monitoring, robotic interaction
• Healthcare – Monitoring patient vitals, reviewing x-rays
Hidden Dangers and Mobile Devices
Device Loss/Theft
• Users asleep on smartphone security and data loss.
• http://www.theaustralian.com.au/australian-it/users-asleep-on-smartphone-security-and-data-loss/story-e6frgakx-1226037450099
• Why?
  – It’s just a phone.
  – IT takes care of protecting my e-mail.
  – It has a password on it.
Data Exposure
• The leading cause of data breaches that could lead to identity theft was the theft or loss of a computer or data-storage device.
• http://cybersecurityreport.nextgov.com/2011/04/symantec_threat_activity_report_us_1.php
• Why?
  – Users fail to understand the types of data stored on the device.
  – Users are careless with the device. Remember, it’s just a phone.
Malicious Applications
• Another malicious Android app is spotted, this time texting all user contacts and taking phone data.
• http://www.itpro.co.uk/632476/malicious-android-app-taps-user-contacts
• Why?
  – It’s my phone, I can load apps if I want!
  – It was made by XYZ vendor, so it must be safe.
Ownership Issues
• Wipeout: When Your Company Kills Your iPhone
• http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone
• Why?
  – Who really owns the phone?
  – Who really owns the data on the phone?
Managing the Risk
Policies
• The First Critical Step – Policies & Procedures
  – Who furnishes the device?
  – Is the employee reimbursed for any part of their phone or phone bill?
  – Can the employee use the phone for personal use?
  – Can the employee load applications from outside sources?
  – What should the employee do if the device is lost or stolen?
  – What should IT do to protect the organization?
Protecting the Device
• Passwords
  – Most mobile devices support passwords; however, some do not allow passwords that exceed four characters or passwords that meet corporate password standards.
  – Many devices will allow the user to disable the password or change it to meet their needs (easier).
Protecting the Device
• Encryption
  – Most modern mobile devices support the encryption of user data on the device.
    • Passwords
    • PIN
  – Some devices may not allow you to encrypt removable media (SD cards, etc.)
  – Some devices allow for encryption of certain data sets and as such may leave critical data unprotected.
Recovery After Loss
• Remote Wiping
  – Most devices will allow IT to remote wipe the device and erase all of the stored information, including data stored on removable storage.
• Remote Discovery & Recovery
  – Many devices now link to services that allow IT to remotely monitor the location of the device.
[Image courtesy of darkgovernment.com]
Targeted Cyber-Attacks
• Recently there has been a raft of successful high-profile targeted network attacks:
  – Aurora network penetration against Google
  – Stuxnet attack against Bushehr Reactor in Iran
  – US Centcom computers compromised
  – Canadian Government state secrets stolen by attacks originating in China
  – Anonymous attacks security company HBGary
The HBGary Incident
• In January 2011 the CEO of HBGary Federal, a DC-based network security firm, declares his intention to ‘unmask’ the leaders of ‘Anonymous’, an internet ‘hacktivist’ group which had recently engaged in a series of internet attacks in support of Wikileaks.
• February 2011:
  – Anonymous decides to retaliate.
Attacks Begin
• Anonymous scouts HBGary's internet-facing systems.
• Determines one of the systems is vulnerable to a SQL injection attack, proceeds to use this to hack into it, and cracks the passwords.
• Uses newly acquired usernames and passwords to break into other company systems and obtain more sets of credentials.
• Attempts all acquired credentials against HBGary's main corporate email account (hosted on Google Apps) and obtains Administrator access.
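The chain on this slide starts with an injectable query and ends with cracked passwords that were then reused elsewhere. As an added example that is not part of the deck and not HBGary's code, the following Python shows a login lookup in the injectable form beside a parameterised one, and an unsalted MD5 password column beside a salted PBKDF2 one, on a constructed in-memory SQLite table. The user name, password and wordlist are made up for the demonstration; only the standard library is used.

```python
"""Added example (not from the Digital Defense deck): the two weaknesses the
HBGary narrative turns on, a SQL-injectable login query and crackable stored
passwords, shown beside the hardened forms. Everything here is constructed
for the demonstration."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample user; the password is deliberately weak so that the
# point about offline cracking is visible.
DEMO_USER = "editor"
DEMO_PASSWORD = "summer2011"


def derive_key(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: every guess costs 200k iterations and the per-user
    # salt defeats precomputed tables, so one cracked hash reveals nothing
    # about any other account.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _fresh_db() -> sqlite3.Connection:
    """In-memory table holding the same user twice: once as an unsalted MD5
    digest (the weak form) and once as salted PBKDF2 (the hardened form)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, md5 TEXT, salt BLOB, pbkdf2 BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (
            DEMO_USER,
            hashlib.md5(DEMO_PASSWORD.encode()).hexdigest(),
            salt,
            derive_key(DEMO_PASSWORD, salt),
        ),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Weak form: user input is pasted into the SQL text, so the caller can
    rewrite the WHERE clause, and the password check lives inside the query."""
    query = (
        "SELECT 1 FROM users WHERE name = '" + name + "' "
        "AND md5 = '" + hashlib.md5(password.encode()).hexdigest() + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened form: parameterised lookup, then a constant-time comparison
    of a salted PBKDF2 digest; the query text never changes with the input."""
    row = conn.execute(
        "SELECT salt, pbkdf2 FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(derive_key(password, salt), stored)


def demo() -> dict:
    """Run both login functions against a user name that comments out the
    password check, and a wordlist guess against the unsalted MD5 column."""
    conn = _fresh_db()
    # In the vulnerable query this input yields:
    #   ... WHERE name = 'editor' -- ' AND md5 = '...'
    # and SQLite treats everything after "--" as a comment.
    crafted_name = DEMO_USER + "' -- "
    # Constructed three-word list; an unsalted fast hash falls to it at once.
    wordlist = ["password", "summer2011", "letmein"]
    stored_md5 = conn.execute(
        "SELECT md5 FROM users WHERE name = ?", (DEMO_USER,)
    ).fetchone()[0]
    recovered = next(
        (w for w in wordlist if hashlib.md5(w.encode()).hexdigest() == stored_md5),
        None,
    )
    return {
        "vulnerable_bypassed": login_vulnerable(conn, crafted_name, "wrong"),
        "hardened_bypassed": login_hardened(conn, crafted_name, "wrong"),
        "hardened_correct": login_hardened(conn, DEMO_USER, DEMO_PASSWORD),
        "md5_recovered": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The crafted name bypasses the vulnerable login without any password, while the parameterised lookup simply finds no such user. The wordlist pass shows why the second half of the slide matters: with an unsalted, fast hash the stolen table is cracked offline, and the recovered password is then tried against every other system, which is exactly the credential-reuse step the slide describes.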
Attacks Continue
• Anonymous now has access to every email anyone at HBGary has ever written or received at work.
• Downloads entire corporate email archive.
• Leverages the compromised email accounts to socially engineer access to additional systems that have thus far resisted attacks.
  – Target: www.rootkit.com, a popular security website run by HBGary co-founder Greg Hoglund.
Protecting Against Targeted Attacks
• Employee Security Training
  – Don’t make it just a checkbox.
  – Build this into new employee orientation.
  – Give concrete examples of what can happen when these policies aren’t followed.
    • Don't just say "Don't give out your password over the phone."
    • Play an audiotape of someone getting talked into doing just that. (Google at Defcon 18 example)
Protecting Against Targeted Attacks
• Reduce The Attack Surface
  – You can’t hack software which isn’t installed.
  – Do people really need Adobe Shockwave Flash installed at work?
    • It has an abysmal security record.
    • Often used by attackers as the browser exploitation vector of choice.
    • Just remove it unless you have a legitimate business case (few do).
    • (iPhone seems to do just fine without it)
Questions?
Follow Us On Twitter
Read Our Blog on Blogger
Like Us On Facebook
www.ddifrontline.com
Connect with Us On LinkedIn