Transcript
Page 1: ION-E Defense In Depth Presentation for The Institute of Internal Auditors

DEFENSE IN DEPTH

Michael A. DaGrossa - CISSP, CEH, CCE

Managing Partner Business Risk [email protected]

Proprietary and Confidential

Page 2

Take advantage of the enemy's un-readiness, make your way by unexpected routes, and attack unguarded spots.

—Sun Tzu

Page 3

Consultants and clients should develop a Defense in Depth strategy, and that strategy should be regularly tested and corrected.

Page 4

Definition: DID

As defined by the Defense Information Systems Agency (DISA): the Defense in Depth approach builds mutually supporting layers of defense to reduce vulnerabilities and to help you protect against, detect and react to as many attacks as possible. By constructing mutually supporting layers of defense, an adversary who penetrates or breaks one layer promptly encounters another, and another, until the attempt at unauthorized entry fails and the attack ends. To protect against different attack methods, you must employ corresponding security measures. The weakness of one security measure should be compensated for by the strength of another.

Page 5

Does your business look like this?

Page 6

The general characteristics of defensive operations are:

Understand the enemy

See the battlefield

Use the defenders' advantages

Concentrate at critical times and places

Conduct counter-reconnaissance and counterattacks

Coordinate critical defense assets

Balance base security with political and legal constraints

Know the law of war and the rules of engagement

Page 7

Why does being compliant not equal being secure?

Why does being secure not equal being compliant?

Page 8

PCI-Compliant (and breached)

To name a few:

TJ Maxx

Heartland

Hannaford

Page 9

HIPAA-Compliant (and breached)

To name a few:

AV Med Health Plans

Kinetic Concepts

University of Pittsburgh

Page 10

FDIC/FFIEC, GLBA, BITS-Compliant (and breached)

To name a few:

ING

Education Credit Management Corp

Lincoln National Corp

Page 11

NIST-Secure (and breached)

To name a few:

DOD

SSA

West Memphis PD, AR

Page 12

ISO-Secure (and breached)

To name a few:

Target

Choicepoint

JCPenney

Page 13

Skydiving

Think of a corporate risk assessment as a life-threatening scenario in order to perceive it appropriately.

Page 14

We have a parachute, what could go wrong?

Page 15

Standards, Controls and Security

Primary chute

Reserve chute

Automatic Activation Device (AAD)

Reserve static line

Altimeter

Helmet/goggles/jumpsuit

Trained professional assistance

Page 16

Layers of Safety

Using one standard as an umbrella approach to holistic corporate security is like relying on a single measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything accurately during it, until he or she reaches the ground.

Page 17

What are we protecting?

Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009.

The average total per-incident cost in 2009 was $6.75 million.

A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center.

Engaging a consultant or third-party expert to assist with a data breach incident results in a lower average cost per compromised record (almost 26% lower). About 44% of participating companies engaged an outside consultant over the course of the incident.

Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with a higher abnormal churn rate (5% and 6% respectively).

Source: Key findings from the 2009 Ponemon Institute Annual Study

Page 18

What are we protecting?

Too many times we focus only on our own role in an engagement

Problems with independence

Knowledge

Checklist approach

Page 19

What are we protecting?

[Chart] Source: DatalossDB.org

Page 20

What are we protecting?

[Chart] Source: DatalossDB.org

Page 21

What are we protecting?

[Chart] Source: DatalossDB.org

Page 22

Senior management should:

Clearly support all aspects of the information security program

Implement the information security program as approved by the board of directors

Establish appropriate policies, procedures, and controls

Participate in assessing the effect of security issues on the financial institution and its business lines and processes

Page 23

Senior management should:

Delineate clear lines of responsibility and accountability for information security risk management decisions

Define risk measurement definitions and criteria

Establish acceptable levels of information security risk

Oversee risk mitigation activities

Page 24

Controls

Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c) compliance with laws and regulations.

Page 25

Controls - COSO

Control Environment

Risk Assessment

Information and Communication

Control Activities

Monitoring

Page 26

Controls

Internal controls may be described in terms of:

a) the objective they pertain to

b) the nature of the control activity itself

Auditors understand this

Information Technology people do not

Business does not either

Page 27

Controls - COBIT

IT Governance

Strategic Alignment

Value Delivery

Risk Management

Resource Management

Performance Measurement

Page 28

Controls - CISSP

Access Control

Application Security

BCP/DR

Cryptography

Information Security and Risk Management

Legal, Regulations and Compliance

Physical Security

Security Architecture and Design

Telecommunications and Network Security

Page 29

Controls - CISM

Information Security Governance

Information Risk Management

Information Security Program Development

Information Security Program Management

Incident Management and Response

Page 30

Controls - SANS-GIAC

Page 31

Controls - PCI

Build and Maintain a Secure Network

Protect Cardholder Data

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks

Maintain an Information Security Policy

Page 32

Controls - ISO 27K

27001 - ISMS requirements

27002 - Code of practice

27003 - Implementation guidance

27004 - Metrics

The rest of the series is defined up to 27037

*27799 - ISMS for the health sector

Page 33

Controls - Planned Out

Page 34

Business Breakdown (layers, top to bottom)

Business Goals / Regulatory Compliance

Corporate Governance

IT Governance

IT Service Management / IT Security Management

Systems, Applications, Infrastructure, Data, Processes

Page 35

Frameworks for Business (layers, top to bottom)

Business Goals: growth, efficiency

Regulatory Compliance: SOX, PCI, HIPAA, FISMA

Corporate Governance: Balanced Scorecard, COSO

IT Governance: COBIT

IT Service Management / IT Security Management: ISO

Systems, Applications, Infrastructure, Data, Processes

Page 36

DID for Business (layers, top to bottom)

Business Goals: growth, efficiency

Regulatory Compliance: SOX, PCI, HIPAA, FISMA

Corporate Governance: Balanced Scorecard, COSO

IT Governance: COBIT

IT Service Management / IT Security Management: ISO

Systems, Applications, Infrastructure, Data, Processes

Page 37

Management, security, risk, audit, and compliance professionals should:

Look beyond the standard

Determine whether it is sufficient to manage the related risks to the organization

A start-to-finish, multi-layered security approach is the only option to minimize business impact and mitigate as much risk as possible.

Page 38

The Bad Guys

Anti-Forensics

Exploits

Social Engineering

Insiders

Outsiders

Page 39

Anti-Forensics

Encryption

Steganography

Disk wiping

Signatures

Bootable disks - Bart, BT, HELIX, OWASP, MOJO

Slacker, TimeStomp, Transmogrify, SAM Juicer

Everything runs in RAM

Linux, where the tools don't look - Rune, Waffen, KY, DataMule

Page 40

Exploits

Spear-phishing

Phishing

Pharming

Cross-site anything

Spoofing

SQL injection

Missing patches

Page 41

[Chart: sophistication of hacker tools versus the technical knowledge required of the attacker, plotted over time. As tools grow more sophisticated, the knowledge required falls. Attack types, from earliest to latest: password guessing, password cracking, self-replicating code, back doors, hijacking sessions, sweepers, sniffers, stealth diagnostics, DDoS, packet forging and spoofing, new Internet attacks.]

[Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

Page 42

Social Engineering

"Social Engineer Specialist: Because there is no patch for human stupidity" - DEF CON T-shirt

The art of using human behavior to breach security without the participant even realizing they have been manipulated.

Page 43

Social Engineering

Technical - Google, Maltego, PiPL

Non-technical:

Poor physical controls

Lack of security awareness training

Lack of policies and procedures

Weak employee screening

Lack of management support

Poor controls on data

Page 44

Social Engineering

People are the weakest link:

Desire to be helpful

Fear of getting in trouble

Tendency to trust

Desire to be successful

Page 45

Social Engineering

Path of least resistance

Page 46

Insider

Motivators - The Dark Side

Profit

Revenge

Fame

Page 47

Insider

Motivators - Good People Doing Bad Things

Evolving loyalties

Job change

Management change

Company change

Misdirection/social engineering

Influence

Page 48

Insider - Telltale Signs

Insiders already have access

Insiders just need intent

Page 49

Insider - Watch For (the detection chain)

Some kind of activity occurs

It reveals information that is not directly observable

It is noticed

Its significance is recognized

Page 50

Insider - HR

Monitoring included in policy

Clearly defined processes that include HR, Legal, Security and Management

Understand the evolving statutory privacy requirements

Page 51

Outsider

Hacktivism

Script kiddies ("skiddies")

Profit

Revenge

Fame

Page 52

Risk Modeling

Know your risk formulas: SLE = AV × EF (single loss expectancy = asset value × exposure factor); ALE = ARO × SLE (annualized loss expectancy = annualized rate of occurrence × single loss expectancy)

Susceptibility

Impact

Risk

= Materiality
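The following is an added worked example, not part of the presenter's deck. It carries the two formulas from the Risk Modeling slide (SLE = AV × EF, ALE = ARO × SLE) through the layered-defense idea from the DISA definition on Page 4: an attack succeeds only if it gets past every layer, so with independent layers the residual ARO is the uncontrolled ARO multiplied by each layer's bypass probability. It then prices controls the way an auditor would ask for: annual loss avoided minus annual cost to operate, including the marginal value of adding one more layer. All asset values, bypass probabilities and control costs are constructed for illustration; the only figure taken from the deck is the $204-per-record cost on Page 17, and the `Control` class and function names are this example's own.

```python
"""Quantitative risk model for layered controls.

Added worked example for this deck; it is not the presenter's material.
It implements the CISSP-style formulas the Risk Modeling slide lists,
    SLE = AV x EF      (single loss expectancy)
    ALE = ARO x SLE    (annualized loss expectancy)
and applies them to the DISA definition of defense in depth: an attacker
must get through every layer, so with independent layers the residual
ARO is the uncontrolled ARO multiplied by each layer's bypass probability.
Every asset value, probability and control cost below is constructed for
illustration; only the $204-per-record figure comes from the deck.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Control:
    name: str
    bypass_probability: float  # P(an attack gets past this layer), in [0, 1]
    annual_cost: float         # annualized cost to run the control


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: dollars lost in one successful incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be in [0, 1]")
    return asset_value * exposure_factor


def ale(aro: float, single_loss: float) -> float:
    """Annualized loss expectancy: expected dollars lost per year."""
    return aro * single_loss


def residual_aro(base_aro: float, controls: Sequence[Control]) -> float:
    """Successful attacks per year once every layer must be bypassed.

    Assumes the layers fail independently; correlated failures (one admin
    account that can disable all of them) make this an underestimate.
    """
    p_through = 1.0
    for c in controls:
        if not 0.0 <= c.bypass_probability <= 1.0:
            raise ValueError(f"{c.name}: bypass probability must be in [0, 1]")
        p_through *= c.bypass_probability
    return base_aro * p_through


def control_value(base_aro: float, single_loss: float,
                  controls: Sequence[Control]) -> float:
    """Net annual value of a control set: ALE avoided minus cost to operate."""
    before = ale(base_aro, single_loss)
    after = ale(residual_aro(base_aro, controls), single_loss)
    return before - after - sum(c.annual_cost for c in controls)


def marginal_value(base_aro: float, single_loss: float,
                   existing: Sequence[Control], candidate: Control) -> float:
    """What one more layer adds on top of the layers already in place."""
    with_it = control_value(base_aro, single_loss, [*existing, candidate])
    return with_it - control_value(base_aro, single_loss, existing)


def demo() -> dict:
    """Constructed scenario: 100,000 customer records at $204 per record."""
    asset_value = 100_000 * 204               # $20.4M if every record leaks
    single_loss = sle(asset_value, 0.25)      # assume a breach exposes 25%
    base_aro = 0.5                            # one successful attack per 2 years
    layers = [
        Control("Perimeter firewall + IDS", 0.4, 150_000),
        Control("Security awareness training", 0.5, 60_000),
        Control("DLP on egress", 0.3, 200_000),
    ]
    # A weak, expensive extra layer: defense in depth does not mean every
    # additional control pays for itself (hypothetical pricing).
    soc = Control("Outsourced 24x7 SOC", 0.9, 600_000)
    return {
        "sle": single_loss,
        "ale_uncontrolled": ale(base_aro, single_loss),
        "ale_one_layer": ale(residual_aro(base_aro, layers[:1]), single_loss),
        "ale_three_layers": ale(residual_aro(base_aro, layers), single_loss),
        "value_one_layer": control_value(base_aro, single_loss, layers[:1]),
        "value_three_layers": control_value(base_aro, single_loss, layers),
        "marginal_value_of_soc": marginal_value(base_aro, single_loss, layers, soc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>24}: ${value:>14,.0f}")
```

Run stand-alone, the scenario shows three mutually supporting layers cutting ALE from $2.55M to $153K, while the fourth, weak layer has a negative marginal value: its cost exceeds the loss it avoids. That is the question the auditor should put to each layer in a Defense in Depth program, rather than asking only whether a control exists.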

Page 53

Threat Modeling

Attacker-centric

Software-centric

Asset-centric

Page 54

Attack Methodology

Phase I: Reconnaissance

Phase II: Enumeration

Phase III: Vulnerability Analysis

Phase IV: Exploit

Page 55

Attack Methodology

Page 56

Case Study #1: Defense Contractor Investigation

Data leakage

Results: targeted spear-phishing

Breakdown (controls that failed):

AV

DLP

Firewall/IDS

Incident response

Page 57

Case Study #2: Insurance Investigation

Data leakage

Results: loss of ACLs, passwords, intellectual capital

Breakdown (controls that failed):

Security awareness

Improper access control

DLP

IDS/IPS/HIDS

Page 58

Case Study #3: Healthcare Investigation

Outside hack

Results:

Loss of proprietary information

Loss of reputation

Company ended up closing shop

Breakdown (controls that failed):

Internal IT violated the controls put in place for HIPAA compliance

Page 59

Questions and Answers

Michael A. DaGrossa, CISSP, CEH, CCE
Managing Partner, Business Risk Services
302.261.9013 (office)
302.383.2737 (mobile)
ION-e Group
100 Dean Drive
Newark, DE 19711
www.ion-e.com
www.linkedin.com/in/dagrossa
www.deinfragard.com