Presentation is loading. Please wait.

Presentation is loading. Please wait.

MANAGEMENT – AN ACHILLES HEEL OF INFORMATION ASSURANCE SECURITY: A CASE STUDY OF VERIZON’S DATA BREACH REPORTS Dr. Pedro A. Diaz-Gomez Cameron University.

Similar presentations


Presentation on theme: "MANAGEMENT – AN ACHILLES HEEL OF INFORMATION ASSURANCE SECURITY: A CASE STUDY OF VERIZON’S DATA BREACH REPORTS Dr. Pedro A. Diaz-Gomez Cameron University."— Presentation transcript:

1 MANAGEMENT – AN ACHILLES HEEL OF INFORMATION ASSURANCE SECURITY: A CASE STUDY OF VERIZON’S DATA BREACH REPORTS Dr. Pedro A. Diaz-Gomez Cameron University Ing. Alfonso Valencia and Ing. Luis E. Gomez Universidad Piloto de Colombia 1

2 Outline Motivation Introduction PCI Security Standards Statistics Verizon What Organizations Who Made and Who Discovered Where Data Breaches Occurred How data Breaches Occurred How Long Data is Compromised Without Discovery Why 2 Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports

3 Outline Information Assurance & Security Management System Information Technology GRC Risk Management Security Architecture as Systematic Approach Recommendations & Conclusions Simple Countermeasures Prevent up to an Av. 59% of Data Breaches Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches Appendix 3 Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports

4 Motivation 4 Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports

5 Motivation Attacks on data and information are a continual threat, but it has been shown that basic countermeasures can detect some of those at early stages of penetration or misuse. 5 Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports

6 Motivation This presentation focuses on managerial principles pretending to help organizations prevent security data breaches on data and information, and it presents a systematic view of Information Security Management. Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 6

7 Introduction Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 7

8 introduction Attackers of computer resources are developing new techniques that allow sophisticated penetrations and anti forensics. In response, security policies, procedures, standards and computer and network countermeasures have been proposed. Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 8 Attackers Responders

9 The PCI Security Standards Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 9

10 PCI Security Standards Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 10 Image with permission from Tim Marley – Cameron U. Presentation

11 Payment Card Industry – Data Security Standard Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 11 Taken with permission from Tim Marley – Cameron U. Presentation

12 Statistics Verizon Why Verizon? Because those reports reflect forensic investigations of security data breaches. It needs to be emphasized that the economic sectors presented in Verizon’s reports are those in which Verizon has done investigations, and those are not necessary a statistical sample selected to make inferences to any organization. Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 12

13 Statistics Verizon Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 13

14 Statistics Verizon - What Percentage of Data Breaches by Sector Target Organizations & PCI Compliant Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 14 YearFinan.RetailOther %49% %33% %29% %9% 2011*12%60% (*) Just Larger Organizations, i.e., more than 1,000 employees. YearOppor.TargetComplNot C %15% %28%19%81% %27%21%79% %17%11%89% %16%!4%96% 2011*35%50%!-- (*) Just Larger Organizations. (!) Remaining Percentage Unknown.

15 Statistics Verizon - Who Who Made Data Breaches Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 15 YearExternalInternalPartnersMultiple %7%39% %1%27% 20107%<1%9% 20112%<1%2% YearExternal Internal Active - Passive Unkn %18% %24% %23% %5%3% Who Discovered Data Breaches

16 Statistics Verizon - Where Where Data Breaches Occurred Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 16 YearServersU. DevicesOff-linePeopleNetworks % -5% %2%-0% %25%4%1% %12%10%2% %3%7%<1%

17 Statistics Verizon - How How Data Breaches Occurred Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 17 YearHack.Malw.Misus.Phys.SocialError %22%15%10%62% %22%9%2%67% %48%15%28% %17%29%11% %5%10%7%1%

18 Statistics Verizon - How Difficulty of Data Breaches YearHighMod.LowNone %28%52%6% %31%42%10% %44%28%13% 20108%49%37%6% 2011*0%24%65%2% Difficulty of Countermeasures Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 18 YearSimpleInterm.Diffic %28%17% %34%13% %32%4% %33%4% 2011*63%31%3% (*) 8% is reported as unknown.(*) 3% is reported as unknown.

19 Statistics Verizon – How Long… Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 19 Initial Attack to Initial Compromise Initial Compromise To Data Exfiltration Initial Compromise to Discovery Discovery to Conta- inment/Restoration SecondsDaysWeeksMonthsYearsMinutesHours 10%0%12%2%1%0%75% 8% 14%25%8%0%38% 0%29%2%13%54%2%0% 38%9%32%17%4%1% Verizon’s 2012 Data Breaches Report.

20 Statistics Verizon - Why Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 20

21 Statistics Verizon - Why 2012 Report: Highest percentage of Data Breaches occurred in user devices (60%) since 2004, External from Organizations, who discovered Data Breaches, reported as the highest (92%) since 2004; and as active participation from internals the lowest (2%), Difficulty to commit a Data Breach reported as the lowest (~0%) since 2004 (there is an 8% reported as unknown), Difficulty of the corresponding countermeasures the lowest (3%) since 2004, Initial attacks to compromise takes at most minutes (85%), as well as data exfiltration (46%), but the majority of discoveries take months (54%). Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 21

22 Information Assurance & Security Management System Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 22

23 Information Assurance & Security Management System Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 23 Shell idea Taken from S. Heim in the Resonant Interface.

24 Risk Management Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 24

25 Information Assurance & Security Management System Security Architecture Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 25 Adapted from M. E. Whitman and H. J. Mattord.

26 Security Architecture as Systemic Approach Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 26 Cloud from

27 Simple Countermeasures prevent up to an Av. 59% of Data Breaches Assignment of least privilege. Monitoring of event logs, passwords, firewalls configurations, anti- viruses, physical and logical accesses, backups. Encryption of sensitive data. Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 27 YearSimpleInterm.Diffic %28%17% %34%13% %32%4% %33%4% 2011*63%31%3%

28 Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 28 YearSimpleInterm.Diffic %28%17% %34%13% %32%4% %33%4% 2011*63%31%3%

29 Questions/Answers Thanks! Ing. Alfonso Valencia Rodriguez and Ing. Luis E. Gomez H. Universidad Piloto de Colombia Mr. Timothy Marley University of Oklahoma Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 29

30 APPENDIX Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 30

31 Brief Bibliography Used in this Research Verizon Business Risk Team, “2012 Data Breach Investigations Report” and the ones corresponding to 2008 – PCI Security Standards Council LLC, “Payment Card Industry (PCI) Data Security Standard Navigation PCI DSS. Version 2.0”. C. Schou and D. Shoemaker, “Information Assurance for the Enterprise. A Roadmap to Information Security.” Tripwire, “PCI Basics: What it takes to be Compliant.” M. E. Whitman and H. J. Mattord, “Management of Information Security” Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 31

32 Top Security Mechanisms – Case Study Australian Government: Australian computer networks are being targeted by adversaries seeking access to sensitive information. A commonly used technique is social engineering, where malicious 'spear phishing' s are tailored to entice the reader to open them. The Defense Signals Directorate (DSD) has developed the Top 35 Mitigation Strategies for targeted cyber intrusions. The list is informed by DSD’s experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.Top 35 Mitigation Strategies Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 32

33 Top Security Mechanisms – Case Study Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 33

34 Top Security Mechanisms – Case Study RankingStrategy Effectiv- eness User Re- sistance Cost Maintena- nce Cost 1 Patch Applications ExcellentLowHigh 2 Patch Operating S. ExcellentLowMedium 3 Minimize # of Users ExcellentMedium Low 4 Application Whitelisting ExcellentMediumHighMedium 5 Host-Based IDS ExcellentLowMedium Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 34

35 Framework Documentation Key components: Subject Purpose Scope Coverage Date Version Revision Approval Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports 35 Source: CISA Certified Information Systems Auditor Guide Taken with permission from Tim Marley – Cameron U. Presentation


Download ppt "MANAGEMENT – AN ACHILLES HEEL OF INFORMATION ASSURANCE SECURITY: A CASE STUDY OF VERIZON’S DATA BREACH REPORTS Dr. Pedro A. Diaz-Gomez Cameron University."

Similar presentations


Ads by Google