Defense in Depth Strategy
Defense in Depth. Michael A. DaGrossa, CISSP, CEH, CCE. Managing Partner, Business Risk. mike@ion-e.com. Proprietary and Confidential
Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots. —Sun Tzu
Consultants and clients should develop a Defense in Depth Strategy, which should be regularly tested and corrected
Definition: DID
The Defense in Depth approach builds mutually supporting layers of defense to reduce vulnerabilities and to help you protect against, detect and react to as many attacks as possible. By constructing mutually supporting layers of defense, you cause an adversary who penetrates or breaks one layer to promptly encounter another, and another, until the quest for unauthorized entry fails and the attack ends. To protect against different attack methods, you must employ corresponding security measures. The weakness of one security measure should be compensated for by the strength of another.
The general characteristics of defensive operations are:
See the battlefield
Use the defenders' advantages
Concentrate at critical times and places
Conduct counter-reconnaissance and counterattacks
Coordinate critical defense assets
Balance base security with political and legal constraints
Know the law of war and the rules of engagement
Why does being compliant not equal secure? Why does being secure not equal compliant?
PCI-compliant (to name a few): TJ Maxx, Heartland, Hannaford
HIPAA-compliant (to name a few): AvMed Health Plans, Kinetic Concepts, University of Pittsburgh
FDIC/FFIEC, GLBA, BITS (to name a few): ING, Education Credit Management Corp, Lincoln National Corp
NIST-secure (to name a few): DOD, SSA, West Memphis PD, AZ
ISO-secure (to name a few): Target, ChoicePoint, JCPenney
Skydiving: think of a corporate risk assessment as a life-threatening scenario in order to perceive it appropriately.
We have a parachute, what could go wrong?
Standards, Controls and Security: primary chute, reserve chute, Automatic Activation Device (AAD), reserve static line, altimeter, helmet/goggles/jumpsuit, trained professional assistance.
Layers of Safety: using one standard as an umbrella approach to holistic security for a corporation is like relying on one measure to guarantee the safety of a freefall jump. The jumper must be prepared well before the jump and do everything accurately during it, until he or she reaches the ground.
What are we protecting
Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009. The average total per-incident cost in 2009 was $6.75 million. A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center. Engaging a consultant or third-party expert to assist with the data breach incident results in a lower average cost per compromised record (almost 26% lower). About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident. Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with a higher abnormal churn rate (5% and 6% respectively).
Source: Key findings from the 2009 Ponemon Institute Annual Study
What are we protecting
Too many times we get focused only on our own roles for an engagement: problems with independence, knowledge, and a check-list approach.
Source: Key findings from the 2009 Ponemon Institute Annual Study
What are we protecting (three chart slides; source: DatalossDB.org)
Senior management should:
Clearly support all aspects of the information security program
Implement the information security program as approved by the board of directors
Establish appropriate policies, procedures, and controls
Participate in assessing the effect of security issues on the financial institution and its business lines and processes
Delineate clear lines of responsibility and accountability for information security risk management decisions
Define risk measurement definitions and criteria
Establish acceptable levels of information security risk
Oversee risk mitigation activities
Controls
Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) Effectiveness and efficiency of operations
b) Reliability of financial reporting
c) Compliance with laws and regulations
Controls - COSO: Control Environment, Risk Assessment, Information and Communication, Control Activities, Monitoring
Controls
Internal controls may be described in terms of:
a) the objective they pertain to
b) the nature of the control activity itself
Auditors understand this; Information Technology people do not, and neither does the business.
Controls - COBIT IT Governance: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement
Controls - CISSP
Application Security
BCP/DR
Cryptography
Info Sec and Risk Management
Legal, Regulations and Compliance
Physical
Security Architecture and Design
Telecom and Network Security
Controls - CISM: Information Security Governance, Information Risk Management, Information Security Program Development, Information Security Program Management, Incident Management and Response
SANS-GIAC
Controls - PCI: Build and Maintain a Secure Network; Protect Cardholder Data; Maintain a Vulnerability Management Program; Implement Strong Access Control Measures; Regularly Monitor and Test Networks; Maintain an Information Security Policy
Controls - ISO 27K: 27001 - ISMS; 27002 - practices; 27003 - implementation guidance; 27004 - metrics; the rest of the series is defined up to 27037; *27799 - ISMS for the health sector
Controls – Planned Out (diagram slide)
Business Breakdown (diagram slide)
Frameworks for Business (diagram slide)
DID for Business (diagram slide)
Management, security, risk, audit, and compliance professionals should look beyond the standard and determine whether it is sufficient to manage the related risks to the organization. An end-to-end, multi-layered security approach is the only option that minimizes business impact and mitigates as much risk as possible.
The Bad Guys: anti-forensics, exploits, social engineering, insiders, outsiders
Anti-Forensics
Steganography
Disk wiping
Signatures
Bootable disks: Bart, BT, HELIX, OWASP, MOJO
Slacker, Timestomp, Transmogrify, SAM Juicer
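The Timestomp entry above names the $STANDARD_INFORMATION timestamp rewriting that the Metasploit anti-forensics tools perform. The detection side of that layer, as an added example that is not part of the original slides, is a small Python check over already-parsed NTFS MFT timestamps: it flags records whose $STANDARD_INFORMATION ($SI) created time predates the kernel-maintained $FILE_NAME ($FN) created time, and records whose $SI times carry a zero 100-ns fraction, which is what whole-second SetFileTime writes leave behind. The MftTimes record layout, the file paths and every timestamp value are constructed for illustration; real input would come from an MFT parser.

```python
"""Timestomp indicators over NTFS MFT timestamps (added example, not from the slides)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# NTFS stores times as FILETIME: 100-ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime, fraction_ticks: int = 0) -> int:
    """Aware datetime plus a 100-ns fraction (0..9_999_999) -> FILETIME integer."""
    whole_seconds = (dt - FILETIME_EPOCH) // timedelta(seconds=1)
    return whole_seconds * TICKS_PER_SECOND + fraction_ticks


def from_filetime(ft: int) -> str:
    """FILETIME integer -> 'YYYY-MM-DD HH:MM:SS.fffffff' for reporting."""
    secs, frac = divmod(ft, TICKS_PER_SECOND)
    when = FILETIME_EPOCH + timedelta(seconds=secs)
    return when.strftime("%Y-%m-%d %H:%M:%S") + f".{frac:07d}"


@dataclass(frozen=True)
class MftTimes:
    """Subset of one MFT record's timestamps (assumed layout of a parsed record, not raw MFT bytes)."""
    path: str
    si_created: int    # $STANDARD_INFORMATION: rewritable from user mode (SetFileTime, Timestomp)
    si_modified: int
    si_accessed: int
    fn_created: int    # $FILE_NAME: maintained by the kernel, not reachable via SetFileTime


def timestomp_indicators(e: MftTimes) -> List[str]:
    findings: List[str] = []
    # 1. Ordinary file operations do not leave $SI created earlier than $FN created.
    #    Known benign cause: a file moved in from another volume keeps its old $SI
    #    created time while $FN created is set at move time, so treat a hit as a
    #    lead to corroborate (USN journal, $LogFile, prefetch), not as proof.
    if e.si_created < e.fn_created:
        findings.append("SI_CREATED_BEFORE_FN_CREATED")
    # 2. Timestomp writes whole-second values, so the 100-ns fraction is zero.
    #    Genuine NTFS writes almost always carry a non-zero fraction; files that came
    #    from FAT media or archive extractors (1-2 s resolution) are the usual false positives.
    for label, ft in (("CREATED", e.si_created), ("MODIFIED", e.si_modified), ("ACCESSED", e.si_accessed)):
        if ft % TICKS_PER_SECOND == 0:
            findings.append(f"WHOLE_SECOND_SI_{label}")
    return findings


def scan(entries) -> Dict[str, List[str]]:
    """Map path -> indicators for every entry that trips at least one heuristic."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        hits = timestomp_indicators(e)
        if hits:
            result[e.path] = hits
    return result


# Constructed sample records (not real evidence). Fractions are arbitrary non-zero ticks.
T_CREATE = datetime(2010, 3, 2, 9, 14, 7, tzinfo=timezone.utc)
T_OLD = datetime(2006, 12, 18, 17, 42, 40, tzinfo=timezone.utc)
T_PREV = datetime(2009, 8, 1, 12, 0, 3, tzinfo=timezone.utc)

SAMPLE_ENTRIES = [
    # Normal file: $SI and $FN created agree and every fraction is non-zero.
    MftTimes(r"C:\Users\alice\report.docx",
             si_created=to_filetime(T_CREATE, 1_234_567),
             si_modified=to_filetime(T_CREATE + timedelta(minutes=5), 8_800_123),
             si_accessed=to_filetime(T_CREATE + timedelta(minutes=5), 8_800_123),
             fn_created=to_filetime(T_CREATE, 1_234_567)),
    # Timestomped: $SI backdated to a round 2006 value; $FN still records the 2010 drop.
    MftTimes(r"C:\Windows\System32\svchost32.dll",
             si_created=to_filetime(T_OLD),
             si_modified=to_filetime(T_OLD),
             si_accessed=to_filetime(T_OLD),
             fn_created=to_filetime(T_CREATE, 4_421_900)),
    # Moved from another volume: old $SI created with a real fraction, newer $FN created.
    MftTimes(r"D:\archive\notes.txt",
             si_created=to_filetime(T_PREV, 3_301_017),
             si_modified=to_filetime(T_PREV + timedelta(hours=2), 9_020_001),
             si_accessed=to_filetime(T_CREATE, 15),
             fn_created=to_filetime(T_CREATE, 15)),
]


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_ENTRIES).items():
        print(path, hits)
```

The moved-file record trips only the ordering check, which is why the two heuristics are reported separately: a record that trips both is a far stronger lead than one that trips either alone, and neither replaces corroboration from the USN journal or other timeline sources.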
Defense in Depth Strategy

  • 1. Defense in Depth. Michael A. DaGrossa - CISSP, CEH, CCE, Managing Partner, Business Risk, mike@ion-e.com. Proprietary and Confidential
  • 2. Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots. —Sun Tzu
  • 3. Consultants and clients should develop a Defense in Depth Strategy, which should be regularly tested and corrected.
  • 4.
  • 5.
  • 6.
  • 9. Concentrate at critical times and places.
  • 10. Conduct counter-reconnaissance and counterattacks.
  • 12. Balance base security with political and legal constraints.
  • 13. And know the law of war and the rules of engagement.
  • 14. Why does being compliant not equal secure? Why does being secure not equal compliant?
  • 15. PCI-Compliant - To Name a Few: TJ Maxx, Heartland, Hannaford
  • 16. HIPAA-Compliant - To Name a Few: AV Med Health Plans, Kinetic Concepts, University of Pittsburgh
  • 17. FDIC-FFIEC GLBA BITS - To Name a Few: ING, Education Credit Management Corp, Lincoln National Corp
  • 18. NIST-Secure - To Name a Few: DOD, SSA, West Memphis PD, AZ
  • 19. ISO-Secure - To Name a Few: Target, Choicepoint, JCPenney
  • 20. Skydiving: think of a corporate risk assessment as a life-threatening scenario in order to perceive it appropriately.
  • 21. We have a parachute, what could go wrong?
  • 22. Standards, Controls and Security: Primary Chute; Reserve Chute; Automatic Activation Device (A.A.D.); Reserve Static Line; Altimeter; Helmet/Goggles/Jumpsuit; Trained professional assistance
  • 23. Layers of Safety: Using one standard as an umbrella approach to holistic security for a corporation is similar to taking one measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything accurately during the jump, until the time he/she reaches the ground.
  • 24. What are we protecting? Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009. The average total per-incident cost in 2009 was $6.75 million. A total of 498 breaches were reported in 2009 according to the Identity Theft Resource Center. Engaging a consultant or third-party expert to assist in the data breach incident results in a lower average cost per compromised record (almost 26% less). About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident. Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with a higher abnormal churn rate (5% and 6% respectively). Source: Key findings from the 2009 Ponemon Institute Annual Study
  • 25. What are we protecting? Too many times we get focused on only our roles for an engagement. Problems with: independence; knowledge; the check-list approach. Source: Key findings from the 2009 Ponemon Institute Annual Study
  • 26. What are we protecting? Source: DatalossDB.org
  • 27. What are we protecting? Source: DatalossDB.org
  • 28. What are we protecting? Source: DatalossDB.org
  • 29. Senior management should: clearly support all aspects of the information security program; implement the information security program as approved by the board of directors; establish appropriate policies, procedures, and controls; participate in assessing the effect of security issues on the financial institution and its business lines and processes.
  • 30. Senior management should: delineate clear lines of responsibility and accountability for information security risk management decisions; define risk measurement definitions and criteria; establish acceptable levels of information security risk; oversee risk mitigation activities.
  • 31. Controls: Internal Control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) effectiveness and efficiency of operations; b) reliability of financial reporting; and c) compliance with laws and regulations.
  • 32. Controls - COSO: Control Environment; Risk Assessment; Information and Communication; Control Activities; Monitoring
  • 33. Controls: Internal controls may be described in terms of a) the objective they pertain to, and b) the nature of the control activity itself. Auditors understand this; Information Technology people do not; the business does not either.
  • 34. Controls - COBIT IT Governance: Strategic Alignment; Value Delivery; Risk Management; Resource Management; Performance Measurement
  • 35.
  • 39. Info Sec and Risk Management
  • 43. Telecom and Network Security
  • 44. Controls - CISM: Information Security Governance; Information Risk Management; Information Security Program Development; Information Security Program Management; Incident Management and Response
  • 46. Controls - PCI: Build and Maintain a Secure Network; Protect Cardholder Data; Maintain a Vulnerability Management Program; Implement Strong Access Control Measures; Regularly Monitor and Test Networks; Maintain an Information Security Policy
  • 47. Controls - ISO 27K: 27001 - ISMS; 27002 - Practices; 27003 - Implementation Guidance; 27004 - Metrics; the rest of the series is defined up to 27037; *27799 - ISMS for the Health Sector
  • 48. Controls - Planned Out
  • 49. Business Breakdown
  • 50. Frameworks for Business
  • 51. DID for Business
  • 52. Management, security, risk, audit, and compliance professionals should: look beyond the standard; determine whether it is sufficient to manage the related risks to the organization. A start-to-finish, multi-layered security approach is the only option to minimize business impact and mitigate the most risk possible.
  • 53. The Bad Guys: Anti-Forensics; Exploits; Social Engineering; Insiders; Outsiders
  • 54.
  • 61. Linux - where tools don't look: Rune, Waffen, KY, DataMule
  • 62. Exploits: Spear-Phishing; Phishing; Pharming; Cross-Site anything; Spoofing; SQL Injection; Patch
  • 63. [Chart: sophistication of hacker tools (rising) against the technical knowledge required (falling), plotted over time; attacks shown range from password guessing, self-replicating code and password cracking through back doors, hijacking sessions, sweepers, sniffers, DDoS, stealth diagnostics and packet forging & spoofing to new Internet attacks. Source: Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
  • 64. Social Engineering: "Social Engineer Specialist - Because there is no patch for human stupidity" (DEF CON T-shirt). The art of utilizing human behavior to breach security without the participant even realizing they have been manipulated.
  • 65. Social Engineering: Technical - Google, Maltego, PiPL. Non-Technical - Poor Physical Controls; Lack of Security Awareness Training; Lack of Policies and Procedures; Weak Employee Screening; Lack of Management Support; Poor Controls on Data
  • 66. Social Engineering: People are the weakest link - desire to be helpful; fear of getting in trouble; tendency to trust; desire to be successful.
  • 67. Social Engineering: the path of least resistance.
  • 68. Insider Motivators - The Dark Side: Profit; Revenge; Fame
  • 69. Insider Motivators - Good Doing Bad: Evolving Loyalties; Job Change; Management Change; Company Change; Misdirection/Social Engineering Influence
  • 70. Insider - Telltale Signs: Insiders already have access; insiders just need intent.
  • 71. Insider - Watch For: some kind of activity revealing information not directly observable; noticed; significance recognized.
  • 72. Insider - HR: Monitoring included in policy; clearly defined processes that include HR, Legal, Security and Management; understand the evolving privacy statutory requirements.
  • 73. Outsider: Hacktivism; SKIDDIES; Profit; Revenge; Fame
  • 74. Risk Modeling: Know your risk formulas (ALE = ARO x SLE), (EV * AV). Susceptibility, Impact, Risk = Materiality
  • 75. Threat Modeling: Attacker-Centric; Software-Centric; Asset-Centric
  • 76. Attack Methodology: Phase I: Reconnaissance; Phase II: Enumeration; Phase III: Vulnerability Analysis; Phase IV: Exploit
  • 77. Attack Methodology
  • 78. Case Study #1: Defense Contractor. Investigation: Data Leakage. Results: Targeted Spear Phishing. Breakdown: AV; DLP; Firewall/IDS; Incident Response
  • 79. Case Study #2: Insurance. Investigation: Data Leakage. Results: Loss of ACLs, Passwords, Intellectual Capital. Breakdown: Security Awareness; Improper Access Control; DLP; IDS/IPS/HIDS
  • 80. Case Study #3: Healthcare. Investigation: Outside Hack. Results: Loss of proprietary information; loss of reputation; company ended up closing shop. Breakdown: Internal IT violated controls set in place through HIPAA
  • 81. Questions and Answers. Michael A. DaGrossa, CISSP, CEH, CCE, Managing Partner, Business Risk Services. 302.261.9013 (office), 302.383.2737 (mobile). ION-e Group, 100 Dean Drive, Newark, DE 19711. www.ion-e.com, www.linkedin.com/in/dagrossa, www.deinfragard.com
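An added worked example (not from the deck) that puts numbers to the risk formulas on slide 74 and to the "mutually supporting layers" argument of slides 22-23: it computes ALE = ARO x SLE for a single control and for a stack of controls. Assumptions, all mine: the slide's "(EV*AV)" is read as the standard SLE = AV x EF; layers are treated as independent, so an attack succeeds only if it bypasses every layer; every figure except the $204-per-record cost from slide 24 is constructed.

```python
# Added example, not from the DaGrossa deck.  Assumptions (mine): SLE = AV x EF,
# independent layers, and constructed sample figures (except $204 per record).

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: dollar loss from one successful incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value")
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro, sle):
    """ALE = ARO x SLE (slide 74): expected loss per year."""
    return aro * sle


def breach_probability(layers):
    """Chance that one attack gets through every layer (independence assumed).

    ``layers`` maps a control name to the probability that it fails to stop
    the attack; with no layers at all every attack succeeds.
    """
    p = 1.0
    for name, bypass in layers.items():
        if not 0.0 <= bypass <= 1.0:
            raise ValueError(f"{name}: bypass probability must be in [0, 1]")
        p *= bypass
    return p


def layered_ale(attempts_per_year, layers, asset_value, exposure_factor):
    """ARO of a *successful* breach is attempts x P(all layers bypassed)."""
    aro = attempts_per_year * breach_probability(layers)
    sle = single_loss_expectancy(asset_value, exposure_factor)
    return annualized_loss_expectancy(aro, sle)


def net_benefit(ale_before, ale_after, annual_control_cost):
    """What an extra layer is worth: risk reduction minus its yearly cost."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed scenario: 50,000 customer records at the slide-24 figure of
# $204 per compromised record; a typical breach exposes a quarter of them.
RECORDS, COST_PER_RECORD, ATTEMPTS = 50_000, 204, 40
ONE_LAYER = {"firewall/IDS": 0.10}
THREE_LAYERS = {"firewall/IDS": 0.10, "AV": 0.20, "DLP": 0.50}

if __name__ == "__main__":
    before = layered_ale(ATTEMPTS, ONE_LAYER, RECORDS * COST_PER_RECORD, 0.25)
    after = layered_ale(ATTEMPTS, THREE_LAYERS, RECORDS * COST_PER_RECORD, 0.25)
    print(f"ALE, one layer: ${before:,.0f}; three layers: ${after:,.0f}")
    print(f"Net benefit of the two extra layers at $300k/yr: "
          f"${net_benefit(before, after, 300_000):,.0f}")
```

The single firewall/IDS layer leaves an ALE of $10.2M; two more independent layers cut it to $1.02M, so at a $300k yearly cost the added layers are worth $8.88M a year under these constructed figures.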

Editor's notes

  1. AV Med: 20,000, laptop; Kinetic: 4,000 people through a wrong email attachment; UPMC: HIPAA violation, stolen records
  2. Section 501; ING: 600,000 (multiple laptop losses, now encryption); ECMC: 330,000
  3. Accessing others' information
  4. Clients know there is a problem and ask for advice.
  5. Nearly 1 billion dollars. 1/4 of breaches are laptops.
  6. Don't be confused by the Society of Payment Security Professionals.
  7. Rune - hides data in bad-block inodes; Wafen - hides data in a spoofed journal file; KY - hides data in null directory entries; Data Mule - hides data in reserved space.
  8. Attacker-Centric: Attacker-centric threat modeling starts with an attacker and evaluates their goals and how they might achieve them. Attackers' motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets. Software-Centric: Software-centric threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric') starts from the design of the system and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle. Asset-Centric: Asset-centric threat modeling involves starting from the assets entrusted to a system, such as a collection of sensitive personal information.