The document discusses the concept of defense in depth (DID) as it relates to cybersecurity. DID is defined as building mutually supporting layers of defense to reduce vulnerabilities and protect against attacks. The key aspects of DID include understanding threats, seeing the full battlefield, using defensive advantages, concentrating defenses, coordinating assets, and balancing security and legal constraints. The document advocates applying DID principles through multiple overlapping controls and frameworks, rather than relying on a single compliance standard, in order to provide comprehensive security that can withstand attacks from various threat actors.
16. HIPAA-Compliant (to name a few): AV Med Health Plans; Kinetic Concepts; University of Pittsburgh. Proprietary and Confidential
17. FDIC-FFIEC / GLBA / BITS (to name a few): ING; Education Credit Management Corp; Lincoln National Corp.
18. NIST-Secure (to name a few): DOD; SSA; West Memphis PD, AZ.
19. ISO-Secure (to name a few): Target; Choicepoint; JCPenney.
20. Skydiving: think of a corporate risk assessment as a life-threatening scenario in order to perceive it appropriately.
21. We have a parachute, what could go wrong?
22. Standards, Controls and Security
- Primary chute
- Reserve chute
- Automatic Activation Device (AAD)
- Reserve static line
- Altimeter
- Helmet, goggles, jumpsuit
- Trained professional assistance
23. Layers of Safety: Using one standard as an umbrella approach to holistic security for a corporation is like relying on a single measure to guarantee the safety of a freefall jump. The jumper should be prepared well before the jump and do everything accurately during the jump, right up until he or she reaches the ground.
24. What are we protecting?
- Data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009.
- The average total per-incident cost in 2009 was $6.75 million.
- A total of 498 breaches were reported in 2009, according to the Identity Theft Resource Center.
- Engaging a consultant or third-party expert to assist with a data breach incident results in a lower average cost per compromised record (almost 26% lower).
- About 44% of participating companies engaged an outside consultant to assist them over the course of the data breach incident.
- Organizations in highly trusted industries such as financial services and health care are more likely to experience a data breach with a higher abnormal churn rate (5% and 6% respectively).
Source: Key findings from the 2009 Ponemon Institute Annual Study
25. What are we protecting?
- Too many times we get focused only on our own roles for an engagement
- Problems with independence
- Knowledge
- Checklist approach
Source: Key findings from the 2009 Ponemon Institute Annual Study
26.–28. What are we protecting? (breach statistics charts; source: DatalossDB.org)
29. Senior management should:
- Clearly support all aspects of the information security program
- Implement the information security program as approved by the board of directors
- Establish appropriate policies, procedures, and controls
- Participate in assessing the effect of security issues on the financial institution and its business lines and processes
30. Senior management should:
- Delineate clear lines of responsibility and accountability for information security risk management decisions
- Define risk measurement definitions and criteria
- Establish acceptable levels of information security risk
- Oversee risk mitigation activities
31. Controls: Internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) Effectiveness and efficiency of operations;
b) Reliability of financial reporting; and
c) Compliance with laws and regulations.
32. Controls - COSO
- Control Environment
- Risk Assessment
- Information and Communication
- Control Activities
- Monitoring
33. Controls: Internal controls may be described in terms of:
a) the objective they pertain to;
b) the nature of the control activity itself.
Auditors understand this. Information technology people do not, and the business does not either.
34. Controls - COBIT (IT Governance)
- Strategic Alignment
- Value Delivery
- Risk Management
- Resource Management
- Performance Measurement
44. Controls - CISM
- Information Security Governance
- Information Risk Management
- Information Security Program Development
- Information Security Program Management
- Incident Management and Response
46. Controls - PCI
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
47. Controls - ISO 27K
- 27001 – ISMS requirements
- 27002 – Practices (code of practice for controls)
- 27003 – Implementation guidance
- 27004 – Metrics and measurement
- The rest of the series is defined up to 27037
- *27799 – ISMS guidance for the health sector
52. Management, security, risk, audit, and compliance professionals should:
- Look beyond the standard
- Determine whether it is sufficient to manage the related risks to the organization
A start-to-finish, multi-layered security approach is the only option to minimize business impact and mitigate as much risk as possible.
53. The Bad Guys
- Anti-forensics
- Exploits
- Social engineering
- Insiders
- Outsiders
63. Chart: the sophistication of hacker tools rises over time while the technical knowledge required of the attacker falls. Attack techniques plotted along the timeline (roughly oldest to newest): Password Guessing, Self-Replicating Code, Password Cracking, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Forging & Spoofing, Stealth Diagnostics, DDoS, New Internet Attacks. [Barbara Endicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]
64. Social Engineering ("Social Engineer Specialist"): "Because there is no patch for human stupidity" – DEF CON T-shirt. The art of using human behavior to breach security without the participant even realizing they have been manipulated.
65. Social Engineering
Technical: Google, Maltego, PiPL
Non-technical:
- Poor physical controls
- Lack of security awareness training
- Lack of policies and procedures
- Weak employee screening
- Lack of management support
- Poor controls on data
66. Social Engineering: people are the weakest link
- Desire to be helpful
- Fear of getting in trouble
- Tendency to trust
- Desire to be successful
71. Insider – watch for:
- Some kind of activity
- Revealing information not directly observable
- Noticed
- Significance recognized
72. Insider – HR
- Monitoring included in policy
- Clearly defined processes that include HR, Legal, Security and Management
- Understand the evolving privacy statutory requirements
73. Outsider
- Hacktivism
- Script kiddies ("skiddies")
- Profit
- Revenge
- Fame
74. Risk Modeling: know your risk formulas. ALE = ARO × SLE, where SLE = AV × EF (asset value × exposure factor). Risk = Susceptibility × Impact, expressed as materiality to the business.
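The formulas on slide 74 are only useful once they are turned into a decision, usually "is this safeguard worth its annual cost?" The following is an added example, not part of the deck, that carries the ALE arithmetic through a small risk register and ranks candidate controls by annual net benefit (ALE before minus ALE after minus the control's annual cost). The lost-laptop scenario, its record count and the three controls with their residual EF/ARO values are constructed assumptions; the $204 per record figure is the one cited on slide 24.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat-to-asset pairing in a quantitative risk register."""
    name: str
    asset_value: float      # AV: cost of a total loss of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    annual_rate: float      # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be in [0, 1]")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual EF/ARO it leaves behind."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float

    def apply(self, s: Scenario) -> Scenario:
        """The same scenario after the control is in place."""
        return replace(s, exposure_factor=self.residual_ef, annual_rate=self.residual_aro)


def control_value(s: Scenario, c: Control) -> float:
    """Annual net benefit of a safeguard: ALE(before) - ALE(after) - annual cost.
    A negative value means the control costs more than the risk it removes."""
    return s.ale() - c.apply(s).ale() - c.annual_cost


def rank_controls(s: Scenario, controls) -> list:
    """(name, net benefit) pairs ordered best first."""
    scored = [(c.name, control_value(s, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario (assumption, not from the deck): an unencrypted laptop
# holding 20,000 customer records is lost; valued at $204 per record (slide 24);
# full exposure of the data; one such loss every two years.
LOST_LAPTOP = Scenario("unencrypted laptop lost", asset_value=20_000 * 204,
                       exposure_factor=1.0, annual_rate=0.5)

# Constructed candidate controls; the residual EF/ARO figures are illustrative.
CANDIDATES = [
    Control("full-disk encryption", annual_cost=60_000, residual_ef=0.05, residual_aro=0.5),
    Control("awareness + cable locks", annual_cost=15_000, residual_ef=1.0, residual_aro=0.3),
    Control("armed courier for every laptop", annual_cost=3_000_000, residual_ef=0.0, residual_aro=0.5),
]

if __name__ == "__main__":
    print(f"SLE = {LOST_LAPTOP.sle():,.0f}   ALE = {LOST_LAPTOP.ale():,.0f}")
    for name, value in rank_controls(LOST_LAPTOP, CANDIDATES):
        print(f"{name:32s} net annual benefit {value:>14,.0f}")
```

Encryption wins because it attacks the exposure factor rather than the frequency: the laptop is still lost at the same rate, but what walks out the door is no longer readable. The third control shows the other failure mode the formula catches, a safeguard that eliminates the loss but costs more than the loss it prevents.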
78. Case Study #1: Defense Contractor
Investigation: data leakage
Results: targeted spear phishing
Breakdown: AV; DLP; firewall/IDS; incident response
79. Case Study #2: Insurance
Investigation: data leakage
Results: loss of ACLs, passwords, intellectual capital
Breakdown: security awareness; improper access control; DLP; IDS/IPS/HIDS
80. Case Study #3: Healthcare
Investigation: outside hack
Results: loss of proprietary information; loss of reputation; the company ended up closing shop
Breakdown: internal IT violated the controls put in place under HIPAA
81. Questions and Answers
Michael A. DaGrossa, CISSP, CEH, CCE
Managing Partner, Business Risk Services
302.261.9013 (office) / 302.383.2737 (mobile)
ION-e Group, 100 Dean Drive, Newark, DE 19711
www.ion-e.com | www.linkedin.com/in/dagrossa | www.deinfragard.com
Editor's notes
AV Med: 20,000 (laptop); Kinetic: 4,000 people through a wrong email attachment; UPMC: HIPAA violation, stolen records.
Section 501; ING: 600,000 (multiple laptop losses, now encryption); ECMC: 330,000.
Accessing others' information.
Clients know there is a problem and ask for advice.
Near 1 billion dollars. ¼ of breaches are laptops.
Don't be confused by the Society of Payment Security Professionals.
Anti-forensics tools: Runefs hides data in the bad-blocks inode; Waffen FS hides data in a spoofed journal file; KY FS hides data in null directory entries; Data Mule FS hides data in reserved space.
Attacker-Centric
Attacker-centric threat modeling starts with an attacker and evaluates their goals and how they might achieve them. Attackers' motivations are often considered, for example "The NSA wants to read this email" or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets.
Software-Centric
Software-centric threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric') starts from the design of the system, and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle.
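The software-centric approach is mechanical enough to script, which is what makes it repeatable across releases. The block below is an added example, not the page's or Microsoft's code: it models a system as data-flow-diagram elements (external entity, process, data store, data flow) in named trust zones, then applies the STRIDE-per-element mapping used in Microsoft SDL threat modeling (which categories are considered for which element kind) to enumerate candidate threats, putting flows that cross a trust boundary first. The three-zone customer portal is a constructed model; the element names and zones are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# STRIDE-per-element (Microsoft SDL threat modeling): the categories considered
# for each kind of DFD element. Letters: Spoofing, Tampering, Repudiation,
# Information disclosure, Denial of service, Elevation of privilege.
STRIDE_PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    zone: str                      # trust zone (for a flow: the zone it starts in)
    source: Optional[str] = None   # flows only: element the data leaves
    sink: Optional[str] = None     # flows only: element the data enters


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool


def crosses_trust_boundary(e: Element, by_name: Dict[str, Element]) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    if e.kind is not Kind.FLOW:
        return False
    return by_name[e.source].zone != by_name[e.sink].zone


def enumerate_threats(model: List[Element]) -> List[Threat]:
    """Step through every element of the model and emit one candidate threat per
    applicable STRIDE category, flagging flows that cross a trust boundary."""
    by_name = {e.name: e for e in model}
    for e in model:
        if e.kind is Kind.FLOW and (e.source not in by_name or e.sink not in by_name):
            raise ValueError(f"flow {e.name!r} references an element not in the model")
    threats = []
    for e in model:
        boundary = crosses_trust_boundary(e, by_name)
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[letter], boundary))
    return threats


def prioritized(threats: List[Threat]) -> List[Threat]:
    """Boundary-crossing flows first: that is where attacker-controlled input enters."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.element, t.category))


# Constructed model (assumption, not from the page): a customer portal spanning
# three trust zones, internet -> DMZ -> internal network.
PORTAL = [
    Element("Browser", Kind.EXTERNAL, zone="internet"),
    Element("Web app", Kind.PROCESS, zone="dmz"),
    Element("Customer DB", Kind.STORE, zone="internal"),
    Element("login request", Kind.FLOW, zone="internet", source="Browser", sink="Web app"),
    Element("record lookup", Kind.FLOW, zone="dmz", source="Web app", sink="Customer DB"),
]

if __name__ == "__main__":
    for t in prioritized(enumerate_threats(PORTAL)):
        flag = "BOUNDARY" if t.crosses_boundary else "        "
        print(f"{flag} {t.element:15s} {t.category}")
```

The output is a list of candidate threats, not findings: each entry still has to be examined against the design and either mitigated, accepted, or marked as not applicable. What the script buys you is completeness, since every element gets every category it is eligible for, and an ordering that puts the attacker's entry points at the top.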
Asset-Centric
Asset-centric threat modeling involves starting from assets entrusted to a system, such as a collection of sensitive personal information.