IT Security Essentials


Transcript of IT Security Essentials

Page 1: IT Security Essentials

- 1 -

WELCOME!

IT Security Essentials

Linkedin.com/company/skoda-minotti

Twitter.com/SkodaMinotti

Facebook.com/SkodaMinotti

Page 2: IT Security Essentials

IT Security Essentials

Joseph Compton, CISSP, CISA, QSA

Gregory Skoda, Jr., CISA

November 9, 2015

Page 3: IT Security Essentials


AGENDA

• Threat landscape

• Understanding your risks

• Implementing a data security program

• Testing your data security program

Page 4: IT Security Essentials


DATA BREACHES

Page 5: IT Security Essentials


DATA BREACHES

Page 6: IT Security Essentials


DATA BREACHES

Page 7: IT Security Essentials


DATA BREACHES

Page 8: IT Security Essentials


DATA BREACHES

Page 9: IT Security Essentials


DATA BREACHES

Page 10: IT Security Essentials


DATA BREACHES

Page 11: IT Security Essentials


DATA BREACHES

Page 12: IT Security Essentials


DATA SECURITY CONCERNS

• Access Controls (both Physical and Logical)

• Data Jurisdiction

• Data Backup, Recovery and Destruction (Exit Strategy)

• eDiscovery and Legal Hold issues

• Audit frequency and responsibilities

• Co-mingling of data

• Insecure interfaces and APIs (application development)

• Insufficient due diligence by cloud provider

• Shared technology vulnerabilities (Denial of Service attacks)

• Data breach response and forensics

• Poor or no encryption of sensitive data

• Account or service hijacking

• Readiness for cloud services: every cloud service is different, each one must be evaluated individually

Page 13: IT Security Essentials


COMPLIANCE: LEGAL CONCERNS

• Application ownership can be unclear

• Regulatory controls for cloud (HITECH, PCI, GLBA, FERPA, HIPAA)

• Data return/destruction at the end of contracts

• Lack of SLAs – slow or no service

• Lack of recourse for lost data

• Jurisdictional issues (data stored across multiple states or countries)

• e-Discovery and legal hold issues (data stored across multiple servers)

• Breach notification timeframes and forensics in a shared environment

• Client vs. Cloud Provider responsibilities

• Subcontracting and third parties

Page 14: IT Security Essentials


Source: Verizon 2015 Data Breach Investigation Report

THREAT ACTIONS

Page 15: IT Security Essentials


THREAT ACTIONS

Source: Verizon 2015 Data Breach Investigation Report

Page 16: IT Security Essentials


BREACH DISCOVERY

Source: Verizon 2015 Data Breach Investigation Report

Page 17: IT Security Essentials


DATA BREACHES

• SnapChat – 4.5 million compromised names and phone numbers

• Kickstarter – 5.6 million victims

• Korean Telecom – One of the year’s largest breaches affected 12 million customers

• Heartbleed – First of three open-source vulnerabilities in 2014

• eBay – Database of 145 million customers compromised

Page 18: IT Security Essentials


DATA BREACHES

• PF Chang’s

• Energetic Bear – Cyber spying operation targeted the energy industry

• Cybervor – 1.2 billion compromised credentials

• iCloud – Celebrity accounts hacked

• Sandworm – Attacked a Windows vulnerability

• Sony Pictures Entertainment – Highest-profile hack of the year

• Inception Framework – Cyber-espionage attack targeted the public sector

Page 19: IT Security Essentials


INSIDER THREAT

• 75% say their organizations are as or more vulnerable to malicious code attacks and security breaches compared with a year ago. And in the face of a crushing skills shortage, 40% subsist on no more than 5% of the IT budget.

• "Managing the complexity of security" reclaimed the No. 1 spot among 10 challenges facing the respondents to our security survey, all from organizations with 100 or more employees.

Source: InformationWeek 2014 Strategic Security Survey

Page 20: IT Security Essentials


INSIDER THREAT

• 58% see an infected personal device connecting to the corporate network as a top endpoint security concern, making it the No. 1 response, ahead of phishing and lost devices

• 56% say cyber-criminals pose the greatest threat to their organizations this year, the top answer, ahead of authorized users and employees at 49%

• 23% have experienced a security breach or espionage in the past year

Source: InformationWeek 2014 Strategic Security Survey

Page 21: IT Security Essentials


Source: SpectorSoft Insider Threat Survey Report

INSIDER THREAT SURVEY

53% of enterprise respondents have discovered that employees use company-issued devices to send company information to personal email accounts such as Yahoo! or Gmail and to cloud-based file sharing accounts such as Box, DropBox or Hightail (419 enterprise respondents)

23% of end-user employee respondents reported that they transfer corporate information using Box, DropBox or Hightail (200 end-user employee respondents)

Page 22: IT Security Essentials


INSIDER THREAT SURVEY

Source: SpectorSoft Insider Threat Survey Report

33% of end-user employee respondents reported that they transfer corporate information via personal Yahoo! and Gmail accounts (200 end-user employee respondents)

49% of enterprise respondents have discovered that employees are copying corporate data to USB flash storage devices (419 enterprise respondents)

Page 23: IT Security Essentials


CURRENT RISK MANAGER ISSUES

• 55% of risk managers feel they have not dedicated enough resources to combat the evolution of hacking techniques

• 76% of risk managers feel the biggest risk of cloud technology is the loss of confidentiality of information

Source: The Hartford Steam Boiler Inspection and Insurance Company (HSB) Cyber Risk Survey

Page 24: IT Security Essentials


THREATS TO SMALL BUSINESSES

Small businesses can be forced to close down due to a data breach

Four common company weak points:

1. Intrusion detection software

2. Encryption of private data

3. Patch management

4. Vendor mismanagement

Source: PropertyCasualty360.com

Page 25: IT Security Essentials


WHERE DO I START?

Page 26: IT Security Essentials


COMPLIANCE LIFE CYCLE

Page 27: IT Security Essentials


RISK ASSESSMENT

Page 28: IT Security Essentials


RISK ASSESSMENT

Understand organizational risks

Key risk prioritization

Identify high risk areas

• Gain an understanding of the high risk areas and underlying rationales by conducting interviews with members of Senior Management, Legal and your Trusted Advisors

• Identify key risks based on the threats and vulnerabilities relevant to the organization, and rank these items based on their overall impact (environment, system and technical analysis) and expected likelihood of occurrence.

• Identify the top risks to the Company based on inherent risk ranking.

Threat Categories A B C D E

External attack 2 3

Internal misuse and abuse 6 2

Theft 2

System malfunction 2 1

Service interruption 1 5

Customer 4

Information Risk Ratings: A-Very High, B-High, C-Medium, D-Low, E-Very Low
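The prioritization step described on this slide, as an added Python example that is not part of the presentation: each register entry is scored by impact and likelihood, the score is mapped onto the slide's A (Very High) to E (Very Low) ratings, the top risks are ranked, and the per-category count table is built. The 5-point scales, the product score, the rating thresholds and the sample register are all assumptions constructed for the illustration; the presenters' actual scales and thresholds are not stated on the slide.

```python
"""Inherent-risk ranking for a threat register.

Added illustration of the risk-assessment step on the slide; this is not the
presenters' method or tooling. The 5-point scales, the multiplicative score
and the score-to-rating thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass

# Assumed ordinal scales (the slide does not state which scales were used).
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Assumed thresholds on the 1..25 product score, mapped onto the slide's A-E ratings.
RATING_THRESHOLDS = [(20, "A"), (15, "B"), (10, "C"), (5, "D"), (1, "E")]
RATING_NAMES = {"A": "Very High", "B": "High", "C": "Medium", "D": "Low", "E": "Very Low"}
THREAT_CATEGORIES = ("External attack", "Internal misuse and abuse", "Theft",
                     "System malfunction", "Service interruption", "Customer")


@dataclass(frozen=True)
class Risk:
    name: str
    category: str    # one of THREAT_CATEGORIES
    impact: str      # key of IMPACT
    likelihood: str  # key of LIKELIHOOD


def inherent_score(risk: Risk) -> int:
    """Inherent risk before controls: impact x likelihood on the assumed scales."""
    if risk.category not in THREAT_CATEGORIES:
        raise ValueError(f"unknown threat category: {risk.category}")
    return IMPACT[risk.impact] * LIKELIHOOD[risk.likelihood]


def rating(score: int) -> str:
    """Map a product score onto the A (Very High) .. E (Very Low) rating letters."""
    for floor, letter in RATING_THRESHOLDS:
        if score >= floor:
            return letter
    raise ValueError(f"score out of range: {score}")


def rank_risks(risks):
    """Highest inherent score first; ties broken by category and name for a stable report."""
    return sorted(risks, key=lambda r: (-inherent_score(r), r.category, r.name))


def top_risks(risks, n=3):
    """Names of the n highest-ranked risks, i.e. the slide's 'top risks to the Company'."""
    return [r.name for r in rank_risks(risks)[:n]]


def category_matrix(risks):
    """Count of risks per threat category and rating, the layout of the slide's table."""
    matrix = {cat: {letter: 0 for letter in "ABCDE"} for cat in THREAT_CATEGORIES}
    for r in risks:
        matrix[r.category][rating(inherent_score(r))] += 1
    return matrix


def render_matrix(risks) -> str:
    """Plain-text rendering of category_matrix for an assessment report."""
    header = f"{'Threat Categories':<28}" + "".join(f"{letter:>4}" for letter in "ABCDE")
    rows = [header]
    for cat, counts in category_matrix(risks).items():
        cells = "".join(f"{counts[letter] or '':>4}" for letter in "ABCDE")
        rows.append(f"{cat:<28}{cells}")
    return "\n".join(rows)


# Constructed sample register for the example; not real assessment data.
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", "External attack", "major", "likely"),
    Risk("Ransomware on file server", "External attack", "severe", "possible"),
    Risk("Employee copies customer data to USB", "Internal misuse and abuse", "major", "possible"),
    Risk("Laptop stolen from vehicle", "Theft", "moderate", "likely"),
    Risk("Backup job silently failing", "System malfunction", "major", "unlikely"),
    Risk("Cloud provider outage", "Service interruption", "moderate", "possible"),
    Risk("Account takeover via reused password", "Customer", "major", "likely"),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        s = inherent_score(r)
        print(f"{rating(s)} ({RATING_NAMES[rating(s)]:<9}) {s:>2}  {r.name}")
    print()
    print(render_matrix(SAMPLE_REGISTER))
```

The ranking uses inherent risk (before any controls are credited), which is what the slide's last bullet calls for; a residual-risk view would apply the same scoring after documenting the controls found during the interviews and configuration reviews.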

Page 29: IT Security Essentials


CONTROL FRAMEWORKS

• CSA STAR – Cloud Security Alliance

• COBIT – Control Objectives for Information and Related Technology

• FedRAMP – Federal Risk and Authorization Management Program

• FISMA – Federal Information Security Management Act

• HIPAA – Health Insurance Portability and Accountability Act

• ISO – International Organization for Standardization

• ITIL – Information Technology Infrastructure Library

• PCI DSS – Payment Card Industry Data Security Standard

• NIST – National Institute of Standards and Technology

• SOC 2 (AT 101) – Service Organization Control Reports

Page 30: IT Security Essentials


PCI DATA SECURITY STANDARDS

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Page 31: IT Security Essentials


PCI DATA SECURITY STANDARDS

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Page 32: IT Security Essentials


VALIDATE

Independent auditor assessments and attestations

• Review of policies and administrative procedures

• Inspection of configurations and settings

• Testing of manual procedures

• Observation of control activities

Page 33: IT Security Essentials


VALIDATE

Security Testing

• Vulnerability Assessments: internal and external testing

• Internal and external penetration testing: network penetration testing, web application testing, social engineering

Page 34: IT Security Essentials


WHAT CAN I DO FIRST?

• 40% of the controls determined to be most effective against data breaches fall into the “Quick Win” category

Source: Verizon 2015 Data Breach Investigation Report

Page 35: IT Security Essentials


CONTACT

Joe Compton, CISSP, CISA, QSA
(440) [email protected]

Greg Skoda, Jr., CISA
(440) [email protected]