
1 Information Security Lapses
Top 10 Security Breaches
Kyle Chase, Revati Kailasam, Kelly Walker

2 Information Security Lapses
Since 2005, more than 3,000 data breaches have been reported.
Over 545 million records have been compromised as a result of these data breaches.
- Privacy Rights Clearinghouse

3 Top 10 Information Security Failures in Recent History
What happened?
 ◦ A summary of the breach
How did it happen?
 ◦ Attack methods
 ◦ Control failures
How could it be prevented or minimized?
 ◦ Preventive IT security
Financial impact
 ◦ Cost of the breach

4 TJX (2005)
Parent company of TJ Maxx, Marshalls, Home Goods, and more
Reported data breach potentially affecting thousands of consumers
Masterminded by Albert Gonzalez
Hackers gained access via store wireless networks
 ◦ Outdated WEP security
Gained access to corporate servers housing sensitive information
 ◦ Including credit card information

5 TJX (2005)
PCI compliance issues
 ◦ In compliance with only 3 of 12 standards
 ◦ Failure to upgrade systems in a timely manner
Too much information stored
 ◦ Credit card numbers, PINs, CVV numbers
Lack of encryption
Lack of fraud detection
 ◦ Breach lasted 18 months
Result: 45.7 million credit card numbers stolen

6 AOL (2006)
Intentionally released search logs
 ◦ Contained:
    ◦ SSNs
    ◦ Bank account information
    ◦ Demographic information
Exposed 650,000 users to identity theft
IT security/control issues
Violation of the Electronic Communications Privacy Act
Lawsuits averaged $5,000 per victim

7 7-Eleven (2007)
Links to the TJX case
 ◦ Albert Gonzalez – connected to cases involving TJX, Heartland, Hannaford, and 7-Eleven
SQL injection attack used to access ATM and point-of-sale systems
Injected malware to intercept user inputs in real time
 ◦ Also able to access historical data
 ◦ PINs stolen in electronic transmission
$2 million in damages
Better encryption and fraud detection systems could have decreased the loss
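Added example, not code from 7-Eleven or from any case on these slides: a point-of-sale card lookup written the vulnerable way and the hardened way against an in-memory SQLite table with constructed rows, showing the control failure a SQL injection exploits and the fix (input validation plus a parameterised query). Table and column names are assumptions.

```python
import re
import sqlite3

LAST4 = re.compile(r"\d{4}")  # the only shape a card_last4 lookup may take


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a point-of-sale transaction table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE txn (id INTEGER, card_last4 TEXT, amount REAL)")
    con.executemany("INSERT INTO txn VALUES (?, ?, ?)",
                    [(1, "1111", 12.50), (2, "2222", 40.00), (3, "3333", 7.25)])
    return con


def lookup_vulnerable(con: sqlite3.Connection, last4: str) -> list:
    """The control failure: caller-supplied text is spliced into the SQL string,
    so the caller can change the query's logic rather than just its value."""
    sql = f"SELECT id, amount FROM txn WHERE card_last4 = '{last4}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con: sqlite3.Connection, last4: str) -> list:
    """Reject anything that is not four digits, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not LAST4.fullmatch(last4):
        raise ValueError("card_last4 must be exactly four digits")
    sql = "SELECT id, amount FROM txn WHERE card_last4 = ?"
    return con.execute(sql, (last4,)).fetchall()


def rows_returned(con: sqlite3.Connection, last4: str, hardened: bool) -> int:
    """Rows each variant hands back for the same input; a rejected input counts as zero."""
    try:
        fn = lookup_hardened if hardened else lookup_vulnerable
        return len(fn(con, last4))
    except ValueError:
        return 0
```

The same tautology string that makes the vulnerable query return every transaction is refused outright by the hardened one; the detection counterpart is to alert on lookups that return far more rows than a single-card query ever should.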

8 Sony (2011)
Already had a bad reputation for protecting consumer data
 ◦ Rootkit incident
Reported breach of the PlayStation Network and Qriocity music service
 ◦ Immediate shutdown of the PlayStation Network
Affected:
 ◦ 77 million PlayStation Network users
 ◦ 25.4 million Sony Online Entertainment users
Released:
 ◦ Customer names
 ◦ Addresses
 ◦ Email
 ◦ Log-ons
 ◦ Credit card information

9 Sony (2011)
Access to a system administrator's PC containing sensitive information
 ◦ Malicious email used to gain access
 ◦ Masked by an Anonymous DDoS attack
    ◦ Slowed fraud detection
    ◦ Anonymous denies involvement
“Sony probably did not pay enough attention to security when it was developing the software that runs its network.” – Reuters

10 Monster (2007)
Monster, created in 1999, is one of the largest employment websites in the world
Hackers broke into the password-protected resume library
Information from 1.3 million users was stolen
Information stolen was limited to names, addresses, phone numbers, and email addresses

11 Monster (2007)
Hackers sent phishing emails and made extortion-based threats
Monster waited five days to inform its users about the security breach
Monster put a notice on its website and also posted letters to the affected users about the breach
According to Monster, the estimated cost of upgrading its site was 80 million

12 Epsilon (2011)
Epsilon, created in 1969, is the world’s largest permission-based email marketing service company
Epsilon has more than 2,400 A-list clients and sends more than 40 billion emails annually on behalf of its clients
On March 30, 2011, Epsilon detected “an unauthorized entry” into its email system
Nearly 75 of Epsilon’s clients were affected
60 million email addresses were stolen
Data compromised was limited to email addresses and names

13 Epsilon (2011)
Some of the clients under attack were financial institutions (Capital One, US Bank, JPMorgan Chase, Citi, and Barclays Bank of Delaware), retail chains (Best Buy, Home Shopping Network, Walgreens, Brookstone, New York & Company, Kroger, TiVo), hotel chains (Ritz-Carlton Rewards and Marriott Rewards), McKinsey, The College Board, Disney Destinations, and many more.

14 Epsilon (2011)
Hackers sent spam and phishing emails to the victims of the breach
Epsilon reported the breach on April 1, 2011 to both customers and clients
Epsilon announced that it was going to enhance its data security system
Epsilon could have faced a price tag as high as 4 billion for the data breach

15 Operation Shady RAT (2009-2011)
In 2009 a McAfee client, a U.S. defense contractor, identified suspicious programs running on its network
Forensic investigation revealed a spear-phishing email containing a link to a web page that, when clicked, automatically downloaded a remote access tool, or “RAT”, onto the victim’s computer
While investigating the command-and-control operation in 2009, McAfee discovered the cyber-espionage campaign “Operation Shady RAT”

16 Operation Shady RAT (2009-2011)
McAfee traced the activity back to 2006
The widespread cyber-espionage campaign dubbed “Operation Shady RAT” infiltrated the computer systems of national governments, global corporations, non-profits, and other organizations
Fourteen countries were victims
Forty-nine of the seventy-two organizations compromised were from the United States

17 Operation Shady RAT (2009-2011)
Data compromised included email archives, sensitive corporate documents, and other intellectual property
McAfee is working closely with U.S. government agencies, law enforcement, and others in hopes of eventually shutting down Shady RAT’s command-and-control server
Most of the targets have removed the malware from their systems

18 TriCare (2011)
Department of Defense health care program
SAIC – business partner of TriCare
September 14, 2011 breach of patient information affecting approximately 4.9 million patients
Largest federal breach to date

19 TriCare (2011)
Unencrypted computer backup tapes stolen from an SAIC employee’s car
Tapes contained patient information
TriCare states that the risk is low
Breach caused 3 lawsuits totaling $4.9 billion

20 HBGary (2011)
Company that provides tools and services to protect assets and information
Specializes in computer forensics and malware analysis tools
February 6, 2011: Anonymous hacks into the company’s computer system in retaliation
Compromised web server and cracked passwords

21 HBGary (2011)
Used Barr’s administrative password to change the password for Greg Hoglund’s email
Greg operated
Hackers used social engineering to gain control of
Defaced HBGary’s website and accessed 71,000 emails

22 HBGary (2011)
Published some emails that revealed immoral and illegal activities the company was involved in
Since the breach – Aaron Barr has resigned
March 6, 2012: Hector Xavier Monsegur – member of Anonymous – pled guilty

23 RSA SecurID (2011)
Authentication mechanism developed by Security Dynamics
Token generates a code at fixed intervals
Uses a random key known as the seed record – the key to generating a one-time password
Used in combination with a password the user creates – the server has a real-time clock and a database of valid cards that can validate the code

24 RSA SecurID (2011)
Difficult to hack – need both pieces of information
March 17, 2011: victims of an attack costing the company $66.3 million
Sent phishing emails with malware attached
Malware exploited a back door in Adobe Flash
Hackers used the Poison Ivy Remote Administration Tool
Attack is known as an APT – Advanced Persistent Threat

25 RSA SecurID (2011)
Replaced 40 million tokens
Breach resulted in attacks on three U.S. defense contractors
 ◦ L-3 Communications
 ◦ Lockheed Martin
 ◦ Northrop Grumman
Could be tied to cyber espionage from China
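As an added example (not RSA's proprietary SecurID algorithm and not code from the presentation), the following Python models the mechanism slide 23 describes: a seed record, a token code that changes every fixed interval, and a server with a real-time clock, a seed database and the user's PIN as the second piece of information. It substitutes the HMAC-based construction of RFC 6238 for RSA's algorithm, uses constructed seed and PIN values, and makes the point behind the 40 million replaced tokens: whoever holds the seed record computes exactly the code the token shows, so the PIN is all that remains.

```python
import hashlib
import hmac
import struct

INTERVAL = 60   # seconds per code: the token's fixed interval
DIGITS = 6


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token displays during the interval that contains unix_time.
    HMAC-SHA1 over the interval counter (RFC 6238 style), truncated to DIGITS.
    Anyone holding the seed record can compute exactly this value."""
    counter = unix_time // INTERVAL
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class SecurIdServer:
    """Server side: seed-record database keyed by token serial, PIN hashes,
    a real-time clock (passed in as `now`) and a replay guard."""

    def __init__(self, seeds: dict, pins: dict, drift: int = 1):
        self.seeds = seeds                      # serial -> seed record (constructed)
        self.pins = {s: hashlib.sha256(p.encode()).hexdigest()
                     for s, p in pins.items()}  # serial -> PIN hash
        self.drift = drift                      # intervals of clock skew allowed
        self.last_counter = {}                  # serial -> last accepted counter

    def verify(self, serial: str, pin: str, code: str, now: int) -> bool:
        """Both factors must check out: the user's PIN and the token code."""
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        pin_hash = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(pin_hash, self.pins.get(serial, "")):
            return False
        base = now // INTERVAL
        for step in range(-self.drift, self.drift + 1):
            counter = base + step
            if counter <= self.last_counter.get(serial, -1):
                continue                        # reject replay of an accepted code
            if hmac.compare_digest(token_code(seed, counter * INTERVAL), code):
                self.last_counter[serial] = counter
                return True
        return False
```

The replay guard and the one-interval drift window are the server-side controls; the seed database itself has no control other than keeping it secret, which is why its compromise forces re-seeding rather than a configuration change.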

26 The financial impact
Costs directly associated with the breach include:
 ◦ Cost of replacing stolen devices
 ◦ Cost of recovering lost information
 ◦ Strengthening IT security and, in some cases, premises security
Other costs include:
 ◦ Expenses related to informing the victims and providing them with credit monitoring services
 ◦ Expenses related to lawsuits

27 The financial impact
Other monetary impacts are:
 ◦ Fall in share prices
 ◦ Increased marketing expenses
 ◦ Cost of hiring and training new employees

28 Accounting and Security
AICPA, in its Personal Competencies:
 ◦ Accountants need to address “privacy, intellectual property rights and security issues related to electronic communications” as an element of Leverage Technology to develop and enhance personal competencies.
Statements on Auditing Standards (SAS) 94
 ◦ Requires auditors to take an in-depth look at how IT controls affect internal controls.

29 References
Anderson, H. (2011, October 14). TRICARE Hit With $4.9 Billion Lawsuit. Damages Sought for Privacy Violations in Breach Incident. Retrieved March 6, 2012, from Bank Info Security.
Anderson, M. (2012, March 6). Anonymous hackers identified, including one tied to HBGary hack. Retrieved March 6, 2012.
Arrington, M. (2006, August 6). AOL Proudly Releases Massive Amounts of Private Data. Retrieved March 19, 2012.
Baker, L. B., & Finkle, J. (2011, April 26). Sony PlayStation Suffers Massive Data Breach. Reuters. Retrieved March 15, 2012.
Beard, D., & Wen, H. J. (2007). Reducing the Threat Levels for Accounting Information Systems. The CPA Journal, 7.
Bright, P. (n.d.). Anonymous speaks: the inside story of the HBGary hack.
Garrison, C. P., & Posey, O. G. Computer Security Awareness of Accounting Students.
Jewell, M. (2007, September 7). Encryption Faulted in TJX Hacking. Associated Press.
Kantor, A. (2005, November 17). Sony: The Rootkit of All Evil. USA Today. Retrieved March 15, 2012.
Mills, E. (2011, June 6). China Linked to New Breaches Tied to RSA. Retrieved March 7, 2012, from CNET News: new-breaches-tied-to-rsa/?tag=mncol;txt
Schwartz, M. J. (2011, December 28). 6 Worst Data Breaches Of 2011.
Claburn, T. (2009, January 26). Hit With Possible Monster-Sized Data Breach.
Rashid, F. Y. (2011, April). Epsilon Data Breach Hits Banks, Retail Giants.
Analysis: Is the Epsilon data breach a watershed for the marketing industry? (2011, April 5).
Hobson, D. (2008, August 12). The real cost of a security breach.
Bradley, T. (2011, April 4). Epsilon Data Breach: Expect a Surge in Spear Phishing Attacks.
Admits Keeping Data Breach Under Wraps. ,2933,294471,00.html
Nakashima, E. (2011, August 2). Report on ‘Operation Shady RAT’ identifies widespread cyber-spying.
Gross, M. J. (2011, August 2). Exclusive: Operation Shady RAT —Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza.
Panko, R. (2010). Corporate Computer and Network Security. 2nd Edition. Prentice Hall Publishing.
Rashid, F. Y. (2011, March 1). HBGary Federal CEO Aaron Barr Quits Due to Anonymous Attack. IT Security & Network Security News.
SecurID. (2012, January 10). Retrieved March 2012, from Wikipedia.
Zetter, K. (2010, March 26). Hacker Sentenced to 20 Years for Breach of Credit Card Processor. Retrieved April 1, 2012.
