Protecting Information Assets - Week 6 - Creating a Security Aware Organization. MIS 5206 Protecting Information Assets

Transcription

1 Protecting Information Assets - Week 6 - Creating a Security Aware Organization

2 MIS5206 Week 5 In the News Creating a Security Aware Organization Case Study 2: Autopsy of a Data Breach: The Target Case Test Taking Tip Quiz

3 Case study 2 Background: 1. World s biggest data breaches Target in context 2. Outline of the case Hacking Timeline: What Did Target Know and When?

4 Walk us through timeline 1. Consumers shop at Target (physical purchases) and pay with their credit or debit card 2. Cyber criminals in Russia 3. Identify

5 What is in this picture? From Jiang, W., Tian, Z., and CUI, X., DMAT: A New Network and Computer Attack Classification, Journal of Engineering Science and Technology Review, 6(5), pp

6 What is in this picture? What is missing from these pictures? Howard s process-based taxonomy, from Hansman, S. and Hunt, R., 2004, A taxonomy of network and computer attacks, Computers & Security, page 3, Elsevier Ltd. Cited from Howard, JD, 1997, An analysis of security incidents on the internet PhD thesis, Carnegie Mellon University.

7 The threat landscape. Information Security Threats Humans What is the role of humans in a breach of information security? IP theft IT sabotage Fraud Espionage Malicious Attacks Non-Malicious Mistakes Outsiders Hackers Crackers Social engineers... Insiders Disgruntled employees... Employee Mistakes Ignorance... Intentional Rule Breaking

8 Threat landscape: financial services sector pwc survey of >10,000 businesses

9 Threat landscape: retail and consumer products pwc survey of >10,000 businesses

10 The threat landscape What is the role of humans in a breach of information security?

11 Creating a Security Aware Organization An ongoing information security awareness program is vital - because of the need and importance of defending against social engineering and other information security threats

12 Why Security Awareness is essential We have a culture of trust that can be taken advantage of with dubious intent Most people feel security is not part of their job People underestimate the value of information Security technologies give people a false sense of protection from attack 12

13 The NonMalicous insider threat 1. A current or former employee, contractor, or business partner 2. Has or had authorized access to an organization s network, system, or data 3. Through action or inaction without malicious intent 4. Causes harm or substantially increases the probability of future serious harm to confidentiality, integrity, or availability of the organization s information or information systems Major characteristic is failure in human performance Carnegie Mellon Univeristy s Software Engineering Institute s (SEI) Computer Emergency Response Team (CRT) CERT Definition (2013)

14 The Unintentional Insider threat from an add for

15 Characterizing insiders mistakes Ignorant An unintentional accident Negligent Willingly ignores policy to make things easier Well meaning Prioritizes completing work and getting er done takes over following policy Willis-Ford, C.D. (2015) Education & Awareness: Manage the Insider Threat, SRA International Inc., FISSA (Federal Information Systems Security Awareness) Working Group

16 Examples of insiders accidents Accidental Disclosure Posting sensitive data on public website Sending sensitive data to wrong address Malicious Code Clicking on suspicious link in Using found USB drive Physical data release Losing paper records Portable equipment Losing laptop, tablet Losing portable storage device (USB drive, CD) Willis-Ford, C.D. (2015) Education & Awareness: Manage the Insider Threat, SRA International Inc., FISSA (Federal Information Systems Security Awareness) Working Group

17 Example of an accident made by a well meaning employee Terrific employee : Account Manager handling Medicaid data for Utah Employee had trouble uploading a file requested by State Health Dept. Copied 6,000 medical records to USB drive Lost the USB drive CEO admits the employee probably didn t even know she was breaking policy this makes it accidental i.e. well meaning

18 The threat landscape. Information Security Threats Humans IP theft IT sabotage Fraud Espionage Malicious Attacks Non-Malicious Mistakes Outsiders Hackers Crackers Social engineers... Insiders Disgruntled employees... Employee Mistakes Ignorance... Intentional Rule Breaking What is the role of humans in protecting from a breach of information security?

19 Training courses

20 Training course example A. Physical security B. Desktop security C. Wireless Networks and Security D. Password security E. Phishing F. Hoaxes G. Malware 1. Viruses 2. Worms 3. Trojans 4. Spyware and Adware H. File sharing and copyright Brodie, C. (2009), The Importance of Security Awareness Training, SANS Institute InfoSec Reading Room, SANS Institute

21 Training course example A. Physical security B. Desktop security C. Wireless Networks and Security D. Password security E. Phishing F. Hoaxes G. Malware 1. Viruses 2. Worms 3. Trojans 4. Spyware and Adware H. File sharing and copyright Brodie, C. (2009), The Importance of Security Awareness Training, SANS Institute InfoSec Reading Room, SANS Institute

22 Training course content example Every employee should know their responsibility to comply with the policies and the consequences for non-compliance A. Physical security policies Physical security requirements such as wearing a badge The responsibility to challenge people on the premises who aren't wearing a badge

23 Training course content example A. Physical security B. Desktop security C. Wireless Networks and Security D. Password security E. Phishing F. Hoaxes G. Malware 1. Viruses 2. Worms 3. Trojans 4. Spyware and Adware H. File sharing and copyright Brodie, C. (2009), The Importance of Security Awareness Training, SANS Institute InfoSec Reading Room, SANS Institute

24 Training course content example A. Password safety and security B. safety and security C. Desktop security D. FERPA Issues (i.e. student information security) E. Acceptable Use Policy Fowler, B.T. (2008), Making Security Awareness Efforts Work for You, SANS Institute InfoSec Reading Room, SANS Institute

25 Training course content example Password safety and security 63% of confirmed breaches involved weak, default or stolen passwords - Verizon s 2016 Data Breach Investigations Report Security policies related to computer and voice mail passwords Every employee should be instructed in how to devise a difficult-to-guess password

26 Training course content example A. Physical security B. Desktop security C. Wireless Networks and Security D. Password security E. Phishing F. Hoaxes G. Malware 1. Viruses 2. Worms 3. Trojans 4. Spyware and Adware H. File sharing and copyright Brodie, C. (2009), The Importance of Security Awareness Training, SANS Institute InfoSec Reading Room, SANS Institute

27 Training course content example A. Password safety and security B. safety and security C. Desktop security D. FERPA Issues (i.e. student information security) E. Acceptable Use Policy Fowler, B.T. (2008), Making Security Awareness Efforts Work for You, SANS Institute InfoSec Reading Room, SANS Institute

28 Training course content and Voic usage policy, including the safeguards to prevent malicious code attacks including viruses, worms, and Trojan Horses Best security practices of voice mail usage

29 Training course content example A. Physical security B. Desktop security C. Wireless Networks and Security D. Password security E. Phishing F. Hoaxes G. Malware 1. Viruses 2. Worms 3. Trojans 4. Spyware and Adware H. File sharing and copyright Brodie, C. (2009), The Importance of Security Awareness Training, SANS Institute InfoSec Reading Room, SANS Institute

30 Training course content example A. Password safety and security B. safety and security C. Desktop security D. FERPA Issues (i.e. student information security) E. Acceptable Use Policy Fowler, B.T. (2008), Making Security Awareness Efforts Work for You, SANS Institute InfoSec Reading Room, SANS Institute

31 Training course content Every employee should know their responsibility to comply with the policies and the consequences for non-compliance Handling sensitive information How to determine the classification of information and the proper safeguards for protecting sensitive information The procedure for disclosing sensitive information or materials Proper disposal of sensitive documents and computer media that contain, or have at any time in the past contained, confidential materials

32 Just in time training Data from network incident reporting tools, such as security and information event management (SIEM) systems and data loss prevention(dlp) software will help in understanding the prevalence of data handling issues The concept of user and entity behavioral analytics (UBA and UEBA) is quickly emerging as a way to parse through all the information collected by SIEM and DLP An exciting emerging use of UEBA is tying it directly to just in time training at the spot of a foul: UEBA might identify Jane Doe saving a company document to an unapproved Dropbox, Box or Google Drive, and deliver a system-generated pop-up that reminds her of the company s policy on storing company documents in an authorized ecosystem. Pendergast, T. (2016) How to Audit the Human Element and Assess Your Organization s Security Risk, ISACA Journal, Volume 5 pp

33 Just in time training If Jane does it again, the system then might provide a quick video on the reasons why it is best to avoid an unapproved cloud storage system. Months later, if Jane makes the same mistake again, she might be automatically enrolled in a 15-minute course on approved cloud storage and the appropriate way to store company documents. This is a perfect example of delivering the right training to the right person at the right time.

34 Training course content Social Engineering Social engineering attacks have the same common element: deception (with the goal of getting an employee to do something the social engineer desires ) Verify the identity of the person making an information request Verify the person is authorized to receive the information

35 Warning Signs of a Social Engineering Attack Refusal to give call back number Out-of-ordinary request Claim of authority Stresses urgency Threatens negative consequences of non-compliance Shows discomfort when questioned Name dropping Compliments or flattery Flirting

36 Common Social Engineering Strategies Posing as a fellow employee a new employee requesting help someone in authority a vendor or systems manufacturer calling to offer a system patch or update an employee of a vendor, partner company, or law enforcement Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call them for help free software or patch for victim to install

37 Common Social Engineering Strategies (continued) Sending a virus or Trojan Horse as an attachment Using a false pop-up window asking user to log in again or sign on with password Capturing victim keystrokes with a computer system or program Leaving a floppy disk or CD around the workplace with malicious software on it Using insider lingo and terminology to gain trust Offering a prize for registering at a Web site with username and password 37

38 Common Social Engineering Strategies (continued) Dropping a document or file at company mail room for intra-office delivery Modifying fax machine heading to appear to come from an internal location Asking receptionist to receive then forward a fax Asking for a file to be transferred to an apparently internal location Getting a voice mailbox set up so call backs perceive attacker as internal Pretending to be from remote office and asking for access locally

39 IT Security Learning Continuum Where does employee training fit? Where does ITACS fit? Bowen, P., Hash, J. and Wilson, M. (2006), Information Security Handbook: A Guide for Managers, NIST Special Publication

40 Teams What caused this breach? What are the main risk sources (vulnerabilities) that jeopardized Target s data? Who played what role in the breach? Be prepared to explain/defend your answer Risk Sources Incompetent employees Rogue employees Hackers Business partners Technology partners Technology components Role(s) in breach

41 Teams What mitigations were in place? What had Target already done, or what should it have done, to protect itself against each of the risks identified below? Risk Sources Incompetent employees Rogue employees Hackers Business partners Technology partners Technology components Role(s) in breach

42 Test Taking Tip - If you don t know the answer guess and then move on - Your score will be higher if you guess and move on even if your guess is wrong Here s why: Most certification tests do not penalize for wrong answers. That is, they only count the number of correct answers in computing the score In a 4 option multiple choice test, guessing at questions to which you do not know the answer is likely to get you an additional right answer ¼ of the time Guessing, and then moving on, gives you time to answer the questions that you do know, raising your score

43 Quiz

44

45