Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations

Dinesh O Bareja
Posted: 19-Oct-2014

Category: Technology


Description

There are many (small) risks and threats which are frequently overlooked in an organization. The presentation looks at where Risks & Threats (RaT) come from and at the "Biggies" in the RaT lists. We then look at a few Frequently Overlooked Risks & Threats (FORTs), at course correction options, and finally at a few case studies that highlight FORTs.

Transcript of Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations

Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations

Dinesh O Bareja

Copenhagen Compliance, Mumbai. October 08, 2013

• Where Risks & Threats come from

• “Biggies” in the RaT Lists

• (Generally) Overlooked RaTs

• Course Correction Options

• Case Studies


Present day RaTs usually arise from …

• Non-compliance

• Competition

• People, Processes, Technology Weaknesses

• Ignorance, Errors, Accidents

• Manual Controls


Top 10 Enterprise Security Predictions

1. Targeted Attacks

2. Signed malware

4. Non-Windows attacks

5. Ransomware

6. Impact of changing regulations

7. Need for incident response

8. Security Process Automation

9. Connected Devices

10. Bring Your Own Application (BYOA)


However, today I am not here to talk about the ‘big’ bad stuff.

Why?

Because every InfoSec effort is made to secure the enterprise from tsunamis, tidal waves, pandemics etc.

Today’s focus is on this little guy and his small friends.


The story of the ant felling an elephant is part of folklore and may be true.

Human tendency is to shut down risk antennae when faced with unfamiliar scenarios.

These are explained with cute explanations like “unknown knowns”, “black swans”, “pig out of the sty”.

All this time destiny / fate / fatality will be staring in the face but still you don’t buy insurance.


Hardening

Configuration

Patch Mgt

Incident

DR

VAPT

Mobile Computing

Home Computing

Spear Phishing

Anti Piracy: Software License Management

Data Classification

Encryption (Voice/Data)

Secure Software Development

Privilege User and God Management

Background Checks, Exit Programs


• Asset Management (disposal):

– Photocopier hard drive goes out during maintenance

– Recirculation and trade-in of assets

• Background Check:

– InfoSec consultant is an unknown person who is provided access to all crown jewels

– Simple NDAs

– Guards (on premises and in cash-vans)

• God’s and Godmen:

– SysAdmin / DataAdmin / DLP Admin is an unknown entrusted with safekeeping

– DLP Admin – someone who has the power to read all mails


• Blind Faith in Technology:

– Logs are collected but not read; one is safe because the appliance did not give an alert

– Complacence after implementation of security technology

– Advice provided by the InfoSec consultant is assumed to be always correct

• Me, My Machine at my Home

• Overlooking Social Media

• Awareness and training is treated as a common function, leading to the lack of an awareness culture
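As an added example (not part of the presentation or the author's material), the following Python script shows what the two points above, "logs are collected but not read" and "DLP Admin – someone who has the power to read all mails", look like in practice. It reads a constructed batch of syslog-style sshd and sudo lines: a threshold rule of the kind an appliance would alert on stays silent on slow password guessing, while a simple review of the same lines surfaces the pattern, every privileged command run by the admin accounts, and the ones run after hours. The log lines, account names, hosts, IP addresses and the thresholds are all constructed assumptions.

```python
"""Reading collected logs instead of trusting the appliance alert.

Added example, not from the presentation. The log lines below are constructed
syslog-style auth records; account names, hosts, addresses and the "appliance"
threshold are assumptions made for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one night and morning of sshd / sudo lines on a mail server.
SAMPLE_LOG = """\
2013-10-01T02:14:07 mail01 sshd[4021]: Failed password for root from 198.51.100.7 port 51022 ssh2
2013-10-01T02:44:09 mail01 sshd[4033]: Failed password for root from 198.51.100.7 port 51031 ssh2
2013-10-01T03:14:12 mail01 sshd[4049]: Failed password for root from 198.51.100.7 port 51040 ssh2
2013-10-01T03:44:15 mail01 sshd[4051]: Failed password for root from 198.51.100.7 port 51055 ssh2
2013-10-01T04:14:20 mail01 sshd[4060]: Failed password for root from 198.51.100.7 port 51061 ssh2
2013-10-01T09:02:33 mail01 sshd[4100]: Accepted publickey for alice from 10.0.4.12 port 40022 ssh2
2013-10-01T09:03:01 mail01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postfix
2013-10-01T23:41:10 mail01 sshd[4312]: Accepted password for dlpadmin from 10.0.4.77 port 40110 ssh2
2013-10-01T23:42:05 mail01 sudo: dlpadmin : TTY=pts/1 ; PWD=/home/dlpadmin ; USER=root ; COMMAND=/bin/cat /var/mail/ceo
2013-10-01T23:45:51 mail01 sudo: dlpadmin : TTY=pts/1 ; PWD=/home/dlpadmin ; USER=root ; COMMAND=/bin/cp /var/mail/cfo /tmp/x
"""

FAILED = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"^(?P<ts>\S+) \S+ sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(log_text):
    """Turn raw lines into event dicts; lines matching none of the patterns are skipped."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in (("failed", FAILED), ("accepted", ACCEPTED), ("sudo", SUDO)):
            match = pattern.match(line)
            if match:
                event = match.groupdict()
                event["kind"] = kind
                event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
                events.append(event)
                break
    return events


def appliance_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Mimic a typical appliance rule: N failed logins from one source inside a short window.

    Returns one (ip, first_timestamp) tuple per source that trips the rule.
    """
    by_ip = defaultdict(list)
    for event in events:
        if event["kind"] == "failed":
            by_ip[event["ip"]].append(event["ts"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((ip, times[i]))
                break
    return alerts


def low_and_slow(events, min_failures=5):
    """What reading the whole log shows: failures per (source, account) over the full period."""
    counts = Counter((event["ip"], event["user"]) for event in events if event["kind"] == "failed")
    return {key: n for key, n in counts.items() if n >= min_failures}


def privileged_summary(events):
    """Who ran what as root: the review a 'God' account should expect to receive."""
    summary = defaultdict(list)
    for event in events:
        if event["kind"] == "sudo":
            summary[event["user"]].append(event["cmd"])
    return dict(summary)


def after_hours_privileged(events, start_hour=8, end_hour=20):
    """Privileged commands outside business hours (assumed 08:00-20:00)."""
    return [(event["ts"], event["user"], event["cmd"]) for event in events
            if event["kind"] == "sudo" and not (start_hour <= event["ts"].hour < end_hour)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("appliance alerts:", appliance_alerts(evs))        # [] : the rule never fires
    print("slow guessing:", low_and_slow(evs))               # the same lines, read as a whole
    print("privileged commands:", privileged_summary(evs))   # includes the mailbox reads
    print("after hours:", after_hours_privileged(evs))
```

The point of the contrast is not the specific thresholds, which are constructed here, but that the same collected lines answer questions the alerting rule was never written to ask; a periodic review of privileged-command logs by someone other than the privileged user is the control the slide's "God's and Godmen" bullet calls for.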


• Not mentioned in this RaT list

– Hardware backdoors

– Software backdoors

– State Monitoring (PRISM, IMS)

– Information Sharing

– Passwords


• Include cost-to-enterprise in risk assessment

• Prioritize risk icebergs based on impact size rather than just hype and bug PR

• Start a bug bounty program and enable 24x7 network testing (nearly) free-of-cost


• Re-look at those itsy bitsy pieces of technology feel-good paraphernalia around the organization: fingerprint readers, access cards, certificate on your wall

• Reach out to the ethical InfoSec community


It has happened to the best and to the biggest – governments, corporations, individuals. They have all been felled by an unknown blackhat, or some virus / APT, or by virtue of non-compliance or overlooking the ‘small’ stuff. Some recovered, some died – but one thing is common: all suffered a big dent in their reputation plus financial losses and significant setbacks in their business.


• Up to 12,000 laptops are lost in United States airports each week

• Between 65 and 70 percent of lost laptops are never reclaimed

• Most laptops are lost at security checkpoints

• 53 percent of business travelers surveyed carry sensitive corporate information on their laptop

• 65 percent of those who carry confidential information have not taken steps to protect it while traveling

• 42 percent of respondents say they do not back up their data

– Lost Laptop and Business Traveler Study by Dell and the Ponemon Institute. The first study of its kind was carried out in the first half of 2008. The Ponemon Institute surveyed 106 United States airports and over 800 business travelers to understand the frequency with which laptops are lost in airports and the steps business travelers are taking to protect sensitive information on corporate systems.


• SONY

• RSA

• Boeing

• Lockheed Martin

• HB Gary

• PMO

• Navy, Air Force

• Laptop Story

• Terry Childs

• License story

• Chairman’s statement

• Aramco + Iran’s Nuclear Facility

• US Banks


Terry Childs

A judge ordered the former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.

‘Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up with $1.5 million in costs.’

In June 2008, he was arrested on computer crime charges for refusing to divulge the passwords to San Francisco's FiberWAN system to his supervisors.

After being arrested he was held on $5 million bail. He was also accused of tampering with the network and subversively avoiding auditing checks.


• WINTECH COMPUTERS circa late 90’s

170 operational centers all over the country, nearly 1,700 employees, and at least 40 students per institute

A raid was carried out on the company in September 2000 by Mumbai Police and officials of a private investigating firm.

Wintech Computers had no license to teach Oracle® software

The Rest is History

March 2000: ‘I want to be the Bill Gates of India's computer education industry.’ – Murtuza Mathani, Wintech CEO.

May 2001: Mathani's whereabouts unknown.


There are many ‘small’ things lying around with enough power to trip your organization.

If you have not yet assimilated information security and management into the mainstream of your business… wake up!



Plough the InfoSec field deeper, as deep as you can!


• Professional Positions

– Open Security Alliance (Principal and CEO)

– Jharkhand Police (Cyber Surveillance Advisor)

– Pyramid Cyber Security & Forensics (Principal Advisor)

– Indian Honeynet Project (Co-Founder)

• Professional skills and special interest areas

– Security Consulting and Advisory services for IS Strategy, Architecture, Analysis, Policy Development, Optimization

– Technologies: SOC, DLP, IRM, SIEM…

– Practices: Incident Response, SAM, Forensics, Regulatory guidance…

– Community: mentoring, training, citizen outreach, India research…

• Blogger, Occasional columnist, wannabe photographer, research & survey


Contact Information

Acknowledgements & Disclaimer

Various resources on the internet have been referred to in order to contribute to the information presented. Images have been acknowledged where possible and if we have infringed on your rights it is unintentional – we assure you of their removal immediately on being notified. The use of company names, brand names and trade marks is only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).

E: [email protected] T: +91.9769890505

Twitter: @bizsprite Facebook: dineshobareja

L: http://in.linkedin.com/in/dineshbareja
