Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Transcript of the presentation, posted 19-Oct-2014 (Category: Technology).
Copenhagen Compliance, Mumbai. October 08, 2013
• Where Risks & Threats come from
• “Biggies” in the RaT Lists
• (Generally) Overlooked RaTs
• Course Correction Options
• Case Studies
Present day RaTs usually arise from …
• Non-compliance
• Competition
• People, Processes, Technology Weaknesses
• Ignorance, Errors, Accidents
• Manual Controls
Top 10 Enterprise Security Predictions
1. Targeted Attacks
2. Signed malware
4. Non-Windows attacks
5. Ransomware
6. Impact of changing regulations
7. Need for incident response
8. Security Process Automation
9. Connected Devices
10. Bring Your Own Application (BYOA)
However, today I am not here to talk about the ‘big’ bad stuff.
Why?
Because every InfoSec effort is made to secure the enterprise from tsunamis, tidal waves, pandemics etc.
Today’s focus is on this little guy and his small friends.
The story of the ant felling an elephant is part of folklore and may be true.
Human tendency is to shut down risk antennae when faced with unfamiliar scenarios.
These are explained with cute explanations like “unknown knowns”, “black swans”, “pig out of the sty”.
All this time destiny / fate / fatality will be staring in the face but still you don’t buy insurance.
Hardening
Configuration
Patch Mgt
Incident
DR
VAPT
Mobile Computing
Home Computing
Spear Phishing
Anti Piracy: Software License Management
Data Classification
Encryption (Voice/Data)
Secure Software Development
Privilege User and God Management
Background Checks, Exit Programs
• Asset Management (disposal):
– Photocopier hard drive goes out during maintenance
– Recirculation and trade-in of assets
• Background Check:
– InfoSec consultant is an unknown person who is provided access to all crown jewels
– Simple NDAs
– Guards (on premises and in cash-vans)
• Gods and Godmen:
– SysAdmin / DataAdmin / DLP Admin is an unknown entrusted with safekeeping
– DLP Admin – someone who has the power to read all mails
• Blind Faith in Technology:
– Logs are collected but not read; one assumes one is safe because the appliance did not give an alert
– Complacence after implementation of security technology
– Advice provided by the InfoSec consultant is assumed to be always correct
• Me, My Machine at my Home
• Overlooking Social Media
• Awareness and Training is treated as a routine, common function, which leads to the absence of an awareness culture
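The "logs are collected but not read" point above is the one place in this deck where a practitioner can act directly. As an added example (not part of the presentation), the script below reviews constructed sshd-style log lines: it raises the threshold-style finding an appliance would also raise (a source crossing N failed logins), and it also records a successful login that follows failures from the same source, which a threshold-only alert stays silent about. The log lines, hostnames and addresses are constructed for this example; the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log (syslog-style sshd messages); not taken from the presentation.
SAMPLE_LOG = """\
Oct  8 09:12:01 gw1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
Oct  8 09:12:03 gw1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51813 ssh2
Oct  8 09:12:05 gw1 sshd[4023]: Failed password for root from 203.0.113.7 port 51814 ssh2
Oct  8 09:12:09 gw1 sshd[4025]: Failed password for root from 203.0.113.7 port 51815 ssh2
Oct  8 09:12:14 gw1 sshd[4027]: Accepted password for root from 203.0.113.7 port 51816 ssh2
Oct  8 09:30:44 gw1 sshd[4101]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Oct  8 09:41:02 gw1 sshd[4150]: Failed password for alice from 198.51.100.4 port 60001 ssh2
Oct  8 09:41:30 gw1 sshd[4152]: Accepted password for alice from 198.51.100.4 port 60002 ssh2
Oct  8 09:55:00 gw1 kernel: eth0: link is up
"""

# Matches the two sshd authentication outcomes we care about; anything else is "unparsed".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict of fields for an sshd auth line, or None if the line is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review_log(text, fail_threshold=3):
    """Walk the log once and return both the appliance-style finding and the quiet one.

    brute_force_sources:     sources with >= fail_threshold consecutive failures
                             (what a threshold alert would also fire on)
    success_after_failures:  (src, user, failures_before_success) for each login that
                             succeeded after failures from the same source; a threshold-only
                             alert never mentions the success, so this must be read by a person
    unparsed_lines:          lines the parser did not understand; a high count means the
                             review is blind to part of the log, not that nothing happened
    """
    failures = defaultdict(int)
    brute_force = set()
    success_after_failures = []
    unparsed = 0
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            if failures[src] >= fail_threshold:
                brute_force.add(src)
        else:
            if failures[src] > 0:
                success_after_failures.append((src, ev["user"], failures[src]))
            failures[src] = 0  # a success closes the current run of failures
    return {
        "brute_force_sources": sorted(brute_force),
        "success_after_failures": success_after_failures,
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, the threshold finding names 203.0.113.7, but the line that matters is the root login from that same source after four failures, which only the second finding surfaces. The alice entry (one failure, then success) is the kind of item a reviewer dismisses in seconds; the point is that someone has to look, and the unparsed-line count tells that person how much of the log the review never saw.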
• Not mentioned in this RaT list
– Hardware backdoors
– Software backdoors
– State Monitoring (PRISM, IMS)
– Information Sharing
– Passwords
• Include cost-to-enterprise in risk assessment
• Prioritize risk icebergs based on impact size rather than just hype and bug PR
• Start a bug bounty program and enable 24x7 network testing (nearly) free-of-cost
• Re-look at those itsy bitsy pieces of technology feel-good paraphernalia around the organization: fingerprint readers, access cards, certificate on your wall
• Reach out to the ethical InfoSec community
It has happened to the best and to the biggest – Governments, corporations, individuals. They have all been felled by an unknown blackhat, or some virus / APT, or by virtue of non-compliance or overlooking the ‘small’ stuff. Some recovered, some died – but one thing is common: all suffered a big dent in their reputation plus financial losses and significant setbacks in their business.
• Up to 12,000 laptops are lost in United States airports each week
• Between 65 and 70 percent of lost laptops are never reclaimed
• Most laptops are lost at security checkpoints
• 53 percent of business travelers surveyed carry sensitive corporate information on their laptop
• 65 percent of those who carry confidential information have not taken steps to protect it while traveling
• 42 percent of respondents say they do not back up their data
- Lost Laptop and Business Traveler Study by Dell and the Ponemon Institute. The first study of its kind was carried out in the first half of 2008. The Ponemon Institute surveyed 106 United States airports and over 800 business travelers to understand the frequency with which laptops are lost in airports and the steps business travelers are taking to protect sensitive information on corporate systems.
• SONY
• RSA
• Boeing
• Lockheed Martin
• HB Gary
• PMO
• Navy, Air Force
• Laptop Story
• Terry Childs
• License story
• Chairman’s statement
• Aramco + Iran’s Nuclear Facility
• US Banks
Terry Childs
Judge ordered former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.
Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up with $1.5 million in costs.
In June 2008, he was arrested on computer crime charges for refusing to divulge the passwords to San Francisco's FiberWAN system to his supervisors.
After being arrested he was held on $5 million bail. He is also accused of tampering with the network and subversively avoiding auditing checks.
• WINTECH COMPUTERS circa late 90s
170 operational centers all over the country, nearly 1,700 employees, and at least 40 students per institute.
Raid carried out on the company in September 2000 by Mumbai Police and officials of a private investigating firm.
Wintech Computers had no license to teach Oracle® software.
The Rest is History
March 2000: 'I want to be the Bill Gates of India's computer education industry.' – Murtuza Mathani, Wintech CEO.
May 2001: Mathani's whereabouts unknown.
There are many ‘small’ things lying around with enough power to trip your organization.
If you have not yet assimilated information security and management into the mainstream of your business… wake up!
Plough the InfoSec field deeper, as deep as can do!
• Professional Positions
– Open Security Alliance (Principal and CEO)
– Jharkhand Police (Cyber Surveillance Advisor)
– Pyramid Cyber Security & Forensics (Principal Advisor)
– Indian Honeynet Project (Co Founder)
• Professional skills and special interest areas
– Security Consulting and Advisory services for IS Strategy, Architecture, Analysis, Policy Development, Optimization
– Technologies: SOC, DLP, IRM, SIEM…
– Practices: Incident Response, SAM, Forensics, Regulatory guidance…
– Community: mentoring, training, citizen outreach, India research…
• Blogger, Occasional columnist, wannabe photographer, research & survey
Contact Information
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged where possible and if we have infringed on your rights it is unintentional – we assure you the removal immediately on being notified. The use of company names, brand names, trade marks are only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).
E: [email protected] T: +91.9769890505
Twitter: @bizsprite Facebook: dineshobareja
L: http://in.linkedin.com/in/dineshbareja