
Page 1: Uncovering Hidden IT Threats In Your Credit Union
Proactive Security Services • Vulnerability Scanning • Penetration Testing • Environmental Assessments • General Consulting

© 2012 Digital Defense, Inc. The information contained herein constitutes proprietary information of Digital Defense, Inc. and may not be copied, reproduced or disseminated without the prior written authorization of Digital Defense, Inc.

Presented by Tom DeSot, Executive Vice President, Chief Information Officer

Uncovering Hidden IT Threats In Your Credit Union
June 2012

Page 2: About Your Presenter

• Tom DeSot, NSA-IAM
• EVP, Chief Information Officer
• 20+ Years of FI Experience
• Board Member – Generations FCU
• Former Supervisory Committee Chair
• ISACA Board Member
• Former ISSA Board Member

Page 3: About Digital Defense

Our Comprehensive Security GRC Solutions Portfolio

• Proactive Security Services
  – Vulnerability Scanning
  – Penetration Testing
  – Environmental Assessments
  – General Consulting
• Security Compliance Management
  – Industry-Specific Packages (Financial, Healthcare, Commercial)
  – Standards Adherence Evaluations (PCI DSS)
• Risk Identification
  – Information Security Risk Assessments
  – Enterprise-wide, OCTAVE™-based
• Security Education & Awareness
  – Employee
  – Online Patron
  – Industry-centric Studies

Page 4: This Presentation Is Not Meant To Drive You To Drink…but…

Image courtesy of buzzle.com

Page 5: Let’s Discuss Some Hidden Threats


Page 7: What Is Cloud Computing?

Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure "in the cloud" that supports them.

(http://en.wikipedia.org/wiki/Cloud_computing)

Page 8: Cloud Computing Visualized

Source: http://infreemation.net/cloud-computing-linear-utility-or-complex-ecosystem/

Page 9: Cloud Offerings

*All logos are the property of their respective brand holders.

Page 10: Gartner Study on Cloud Computing

In 2008, Gartner Group released a study that highlighted seven key areas that each organization should consider when evaluating the use of “cloud computing”:

1. Privileged User Access
2. Regulatory Compliance
3. Data Location
4. Data Segregation
5. Recovery
6. Investigative Support
7. Long-term Viability

Source: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Page 11: Privileged User Access

Gartner Quote – “Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage customer data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.”

Source: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Page 12: What Should CUs Be Asking?

1. Who has access to protected data within the CBSO?
2. Does the CBSO limit the personnel in their organization that can see protected data? If so, how?
3. Does the CBSO conduct background investigations of their personnel? If so, how often?
4. Does the CBSO outsource administration of their systems? If so, to whom?

Page 13: Compliance

Gartner Quote – “Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions," according to Gartner.”

Source: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Page 14: What Should CUs Be Asking?

1. Has the CBSO undergone a SAS-70 or equivalent audit?
2. Has the CBSO had vulnerability assessments or penetration tests performed against their platforms? If so, will they share the reports?
3. Is the CBSO in compliance with my organization’s regulatory data storage requirements? If so, which ones and how?

Page 15: Recovery

Gartner Quote – “Even if you don't know where your data is, a cloud provider should tell you what will happen to customer data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."”

Source: http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Page 16: What Should CUs Be Asking?

1. How is my organization’s data going to be segregated from other client data?
2. How often are backups of my data completed by the CBSO?
3. Does the CBSO have a business continuity and disaster recovery program in place? When were the programs last updated?
4. Does the CBSO have a disaster recovery site?
5. Does the CBSO’s SLA define how quickly they can recover and what remedies are available if they cannot meet the SLA?

Page 17: Protecting Your Credit Union

Conduct a Risk Assessment – Why A Risk Assessment First?

• Do you know what cloud-based data you are actually worried about protecting?
• Do you know where all of the data is being stored, electronically or physically?
• Do you know what safeguards are already in place at the cloud provider?
• Do you know what risk you are still being presented with? (Risk Gap)

Page 18: Risk Assessment

Common Questions
– Does the organization utilize or plan to utilize “cloud computing”?
– What are the risks of doing so? Are we willing to accept them?
– What risks are we placing upon our data by using cloud-based services?
– Would our existing plans (technology, DR, etc.) cover issues associated with down services or a breach at the cloud provider?

Page 19: Technology Plan Impact Analysis

Cloud Computing Will Impact Your…
– Information Security Plan
– Disaster Recovery Plan
– Business Continuity Plan
– E-Commerce Plan
– Many Others!

Each Plan Needs To Be Evaluated & Adjusted Accordingly.

Page 20: Policies & Procedures

Document, Document, Document
– Make sure the customer information security program is formally documented, with policies and procedures related to the organization’s use of cloud computing.
– Make sure policies and procedures address key regulatory concerns regarding third-party vendors and cloud computing.
– Make sure the appropriate staff members review the materials at least annually, or whenever the materials are updated.
– Make sure you document the review and update of the materials on at least an annual basis.

Page 21: Policies & Procedures

Common Policies & Procedures For Cloud Computing Users
– 3rd Party Due Diligence
– Utilization of Virtual Services
– Risk Assessment Programs
– Encryption Usage
– Data Access
– Usage of Remote Storage


Page 23: How Are Mobile Devices Being Used?

A Mobile Device may…
– Provide the user access to the Internet
– Send and receive corporate e-mail
– Provide access to corporate calendars
– Utilize and provide corporate VPN access
– Be utilized to send and receive text messages
– Provide access to webinar software (GoToMeeting, etc.)
– Provide access to corporate applications

Page 24: Unique Uses for Mobile Devices

• Financial Institutions – Home banking, bill pay
• Retailers – Sales forecast updates/monitoring
• Manufacturing Companies – Production line monitoring, robotic interaction
• Healthcare – Monitoring patient vitals, reviewing x-rays

Page 25: Hidden Dangers and Mobile Devices

Page 26: Device Loss/Theft

• Users asleep on smartphone security and data loss.
  http://www.theaustralian.com.au/australian-it/users-asleep-on-smartphone-security-and-data-loss/story-e6frgakx-1226037450099

Why?
– It’s just a phone.
– IT takes care of protecting my e-mail.
– It has a password on it.

Page 27: Data Exposure

• The leading cause of data breaches that could lead to identity theft was the theft or loss of a computer or data-storage device.
  http://cybersecurityreport.nextgov.com/2011/04/symantec_threat_activity_report_us_1.php

Why?
– Users fail to understand the types of data stored on the device.
– Users are careless with the device. Remember, it’s just a phone.

Page 28: Malicious Applications

• Another malicious Android app is spotted - this time texting all user contacts and taking phone data.
  http://www.itpro.co.uk/632476/malicious-android-app-taps-user-contacts

Why?
– It’s my phone, I can load apps if I want!
– It was made by XYZ vendor, so it must be safe.

Page 29: Ownership Issues

• Wipeout: When Your Company Kills Your iPhone
  http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone

Why?
– Who really owns the phone?
– Who really owns the data on the phone?

Page 30: Managing the Risk

Page 31: Policies

The First Critical Step – Policies & Procedures
– Who furnishes the device?
– Is the employee reimbursed for any part of their phone or phone bill?
– Can the employee use the phone for personal use?
– Can the employee load applications from outside sources?
– What should the employee do if the device is lost or stolen?
– What should IT do to protect the organization?

Page 32: Protecting the Device

Passwords
– Most mobile devices support passwords; however, some do not allow passwords that exceed four characters or passwords that meet corporate password standards.
– Many devices will allow the user to disable the password or change it to meet their needs (easier).

Page 33: Protecting the Device

Encryption
– Most modern mobile devices support the encryption of user data on the device.
  • Passwords
  • PIN
– Some devices may not allow you to encrypt removable media (SD cards, etc.)
– Some devices allow for encryption of certain data sets only and as such may leave critical data unprotected.

Page 34: Recovery After Loss

Remote Wiping
– Most devices will allow IT to remote wipe the device and erase all of the stored information, including data stored on removable storage.

Remote Discovery & Recovery
– Many devices now link to services that allow IT to remotely monitor the location of the device.


Page 36: Targeted Cyber-Attacks

• Recently there have been a raft of successful high-profile targeted network attacks:
  – Aurora network penetration against Google
  – Stuxnet attack against Bushehr Reactor in Iran
  – US Centcom computers compromised
  – Canadian Government state secrets stolen by attacks originating in China
  – Anonymous attacks security company HBGary

Page 37: The HBGary Incident

• In January 2011 the CEO of HBGary Federal, a DC-based network security firm, declares his intention to ‘unmask’ the leaders of ‘Anonymous’, an internet ‘hacktivist’ group which had recently engaged in a series of internet attacks in support of Wikileaks.
• February 2011:
  – Anonymous decides to retaliate.

Page 38: Attacks Begin

• Anonymous scouts HBGary's internet-facing systems.
• Determines one of the systems is vulnerable to SQL injection attack, proceeds to use this to hack into it, cracks the passwords.
• Uses newly acquired usernames and passwords to break into other company systems and obtain more sets of credentials.
• Attempts all acquired credentials against HBGary's main corporate email account (hosted on Google Apps) and obtains Administrator access.
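The two defects behind this slide, a login query built from user input and a password table that cracks quickly once dumped, are shown below beside their hardened forms. This is an added example, not code from the deck or from HBGary; the user names, passwords and in-memory SQLite tables are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credentials for the demo; nothing here comes from the deck.
SAMPLE_USERS = {"analyst": "Correct-Horse-42", "auditor": "Correct-Horse-42"}
PBKDF2_ROUNDS = 200_000


def md5_hex(password: str) -> str:
    """Unsalted MD5: the storage style that makes a dumped table quick to crack."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Per-user salted, deliberately slow hash; a dump gives no shared hashes
    and no precomputed-table shortcut."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def weak_db() -> sqlite3.Connection:
    """In-memory users table storing unsalted MD5 hex digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, md5_hex(p)) for u, p in SAMPLE_USERS.items()])
    return conn


def hardened_db() -> sqlite3.Connection:
    """In-memory users table with a random 16-byte salt and PBKDF2 digest per user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for u, p in SAMPLE_USERS.items():
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (u, salt, pbkdf2(p, salt)))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: whatever the caller types becomes part of the SQL."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{md5_hex(password)}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup, then constant-time comparison of the salted digest."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(pbkdf2(password, salt), stored)


def shared_hashes(conn: sqlite3.Connection) -> int:
    """Count pw_hash values reused across users in a dumped table. With unsalted
    hashes, everyone who chose the same password is exposed together."""
    hashes = [r[0] for r in conn.execute("SELECT pw_hash FROM users").fetchall()]
    return len(hashes) - len(set(hashes))


def demo() -> dict:
    """Exercise both stores with a normal login and a comment-injection username."""
    injected_user = "analyst' --"  # closes the quote and comments out the password check
    weak, hard = weak_db(), hardened_db()
    return {
        "weak_normal": login_vulnerable(weak, "analyst", "Correct-Horse-42"),
        "weak_wrong_pw": login_vulnerable(weak, "analyst", "nope"),
        "weak_injected": login_vulnerable(weak, injected_user, "nope"),
        "hard_normal": login_hardened(hard, "analyst", "Correct-Horse-42"),
        "hard_wrong_pw": login_hardened(hard, "analyst", "nope"),
        "hard_injected": login_hardened(hard, injected_user, "nope"),
        "weak_shared_hashes": shared_hashes(weak),
        "hard_shared_hashes": shared_hashes(hard),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak store lets the injected username log in without any password and shows two users sharing one hash; the hardened store rejects the same input and yields no reusable hashes.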

Page 39: Attacks Continue

• Anonymous now has access to every email anyone at HBGary has ever written or received at work.
• Downloads entire corporate email archive.
• Leverages the compromised email accounts to socially engineer access to additional systems that have thus far resisted attacks.
  – Targets: www.rootkit.com, a popular security website run by HBGary co-founder Greg Hoglund.

Page 40: Protecting Against Targeted Attacks

• Employee Security Training
  – Don’t make it just a checkbox.
  – Build this into new employee orientation.
  – Give concrete examples of what can happen when these policies aren’t followed.
    • Don't just say "Don't give out your password over the phone."
    • Play an audiotape of someone getting talked into doing just that. (Google at Defcon 18 example)

Page 41: Protecting Against Targeted Attacks

• Reduce The Attack Surface
  – You can’t hack software which isn’t installed.
  – Do people really need Adobe Shockwave Flash installed at work?
    • It has an abysmal security record.
    • Often used by attackers as the browser exploitation vector of choice.
    • Just remove it unless you have a legitimate business case (few do).
    • (iPhone seems to do just fine without it)

Page 42: Questions?

[email protected]

Follow Us On Twitter
Read Our Blog on Blogger
Like Us On Facebook
Connect with Us On LinkedIn

www.ddifrontline.com