CYBER SECURITY AND MITIGATING RISKS
WHO: Tom Stewart, Associate Director, Technology Consulting, Chicago Technical Security Leader, Protiviti
PRESENTATION AGENDA
- Start
- Hacking definition
- Brief history
- Types of computer hacking
- Motivations
- Risks
- Controls
- 4 simple steps
- Finish
HACKING DEFINITION
Hacking is the practice of modifying the features of a system in order to accomplish a goal outside of the creator's original purpose. Computer hacking refers to the technique or process by which an individual attempts to gather information or gain access to a computer system. People who engage in computer hacking activities are often called hackers. There is more than one type of hacking.
MORE THAN ONE: Types of Hacking
- Electrical / Mechanical
- Life
- Phone
- Computer
BRIEF HISTORY
Timeline: 1965, 1970s, 1980s, 1990, 1990s, 1996
- First Unix Vulnerability
- Phone Phreaking
- Worm Invented
- First Large Scale Attacks
- Sting: Operation Sundevil
- The Movies; Mainstream Culture
- 65% Success Rate of Government Attacks
Once only a hobby for a few, hacking quickly turned into a vehicle for criminal enterprises and garnered the attention of mainstream culture.
BRIEF HISTORY (Cont.)
Timeline: 2000s, 2010, 2012, 2014, 2016, 2017+
- Rise of the Internet
- ILOVEYOU Virus, Botnets
- New Type of Hackers: Anonymous, LulzSec, WikiLeaks
- Large Retail Becomes Major Target (Neiman Marcus, Home Depot)
- Healthcare Industry: Anthem, DDHS
- Paradigm Shift in Cyberwarfare: Democratic National Committee
- Rising Ransomware (WannaCry)
- IoT Hacking
A new wave of hackers has emerged, motivated not by financial gain but by social values.
HACKER TYPES
01 WHITE HAT: Good guys; non-malicious intent; ethical hacker
02 BLACK HAT: Bad guys; malicious intent; cracker
03 GREY HAT: Between white and black hat; notifies the administrator of the issue
04 BLUE HAT: Outside consulting firm that tests a system prior to or after launch
05 SCRIPT KIDDIES: Little knowledge; uses pre-packaged tools
06 HACKTIVIST: Uses hacking to announce a social, religious, or political message; WikiLeaks
MODERN HACKING: Types of Computer Hacking
- VULNERABILITY EXPLOITATION: Exploiting system flaws to obtain access to data or networks
- SOCIAL ENGINEERING: Exploiting human emotion to gain access to personal information
- WIRELESS: Exploiting wireless flaws to remotely obtain access to data or networks
VULNERABILITY EXPLOITATION: 3 Steps to Vulnerability Exploitation
While exact techniques differ, modern vulnerability exploitation generally follows three set phases:
- STEP 1: Network enumeration
- STEP 2: Vulnerability identification
- STEP 3: Exploitation
Outcome: access to critical data
SOCIAL ENGINEERING: 3 Types
- PHYSICAL: Key loggers; virus installs; remote system setup
- ELECTRONIC: Phishing emails; information gathering
- TELEPHONIC: Telephone calls; information gathering
WIRELESS: Major Threats
01 Unauthorized rogue access points; new devices with wireless included
02 Compromise of internal networks: confidentiality, integrity, availability
03 Use or disruption of resources: wireless DoS; injecting traffic into internal networks; drive-by spammers
HACKER MOTIVATIONS: What makes them go?
- Curiosity and challenges
- Reputation and notoriety
- Money and personal gain
- Hacktivism and social rights
RISK TYPES
"It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett
- Resulting in reduced customer and vendor confidence
- Resulting in fines or legal action
- Resulting in the loss of productivity and increased operational costs
- Resulting in employee accountability issues
CONTROL FRAMEWORKS: How Do We Protect Ourselves?
Frameworks: 01 NIST CSF; 02 ISO 27002; 03 COBIT
Areas covered: Program Management; Incident Response; Logical / Physical Security; Training / Awareness; Private Data; Vendor Management; Compliance; Data Privacy
MULTI-FACETED APPROACH
- Automated processes and preventative controls
- Manual processes and detective controls
RISK CONTROL
Control areas: Management; Data Privacy; Information Security; Physical Security; Incident Response; Training and Awareness; Vendor Management
RISK CONTROL: Management
Question: Do I know my risks regarding my information?
Topics: Roles and Responsibilities; Risk Assessment
Example controls:
- Roles and responsibilities for data protection have been clearly defined and assigned to specific individuals.
- Accessible data within the functional area is identified, classified, and inventoried in accordance with corporate Data Classification Standards.
- Classification of data is based on the importance of the asset, its business value, and its associated security requirements.
RISK CONTROL: Data Privacy
Question: Am I in compliance with all applicable privacy laws and regulations?
Topics: Collection and Usage of Personal Data; Notice, Consent, and Quality; Knowledge Sharing
Example controls:
- Personal Data should only be used in compliance with privacy policies communicated to customers, as well as applicable privacy laws and regulations.
- All procedures have been designed to protect the privacy of Personal Data in compliance with current data privacy laws.
- A written procedure is in place to confirm that packaged knowledge from other sources can be utilized.
RISK CONTROL: Information Security
Question: Is my information protected?
Topics: Access Rights; Authentication; Storage; Transmission; Backups; Systems Security; Network Security; Information Disposal; Application Development and Management
Example controls:
- Access rights to confidential data are defined and documented.
- Access to sensitive information is controlled by authentication methods that comply with current industry standards.
- The technology and processes used to store sensitive data are in accordance with current industry standards.
RISK CONTROL: Physical Security
Question: Is my information physically secure?
Topics: Physical Security; Walkthroughs
Example controls:
- Physical security controls are in place to prevent unauthorized physical access.
- Unscheduled physical walkthroughs are performed to check compliance with information security controls.
RISK CONTROL: Incident Response
Question: Am I prepared in the event that a breach occurs?
Topics: Security Breach Response and Reporting; Root Cause Analysis
Example controls:
- A written procedure is in place for the prompt reporting of any known or suspected security breach.
- Technology is in place to detect breaches.
- A process is in place after a breach to determine root causes.
RISK CONTROL: Training and Awareness
Question: Is my organization aware of our information protection requirements?
Topics: Initial Training; Ongoing Training and Awareness; Roll-On and Roll-Off
Example controls:
- Personnel are required to complete training outlining the proper handling and protection of sensitive information prior to being granted access to sensitive information.
- Data protection training and awareness is communicated on an ongoing basis and is updated annually.
- A Roll-On and Roll-Off procedure is in place to (a) help ensure personnel rolling onto and off the project are made aware of the requirements with respect to information protection and (b) prevent sensitive information from other projects from entering the current project environment.
RISK CONTROL: Vendor Management
Question: Do my vendors securely protect my information?
Topics: Vendor Compliance
Example controls:
- A process is in place to protect against privacy concerns with regard to vendors or other third parties that handle confidential information on behalf of the company.
- VPN access is appropriately restricted to only those systems necessary to perform services.
4 SIMPLE STEPS: Where to go from here
01 PERMISSIONS: File shares, applications, vendors
02 PATCHING: Operating system, applications
03 SYSTEM HARDENING: Network devices, firewalls, servers, workstations
04 PROACTIVE TESTING: Simulated penetration testing and vulnerability assessments for low-hanging fruit
Q & A
Tom Stewart, Associate Director, Technology Consulting, Chicago Technical Security Leader, Protiviti