
MANAGEMENT – AN ACHILLES HEEL OF INFORMATION ASSURANCE SECURITY: A CASE STUDY OF VERIZON’S DATA BREACH REPORTS Dr. Pedro A. Diaz-Gomez Cameron University.


1 MANAGEMENT – AN ACHILLES HEEL OF INFORMATION ASSURANCE SECURITY: A CASE STUDY OF VERIZON'S DATA BREACH REPORTS
Dr. Pedro A. Diaz-Gomez, Cameron University
Ing. Alfonso Valencia and Ing. Luis E. Gomez, Universidad Piloto de Colombia

2 Outline
- Motivation
- Introduction
- PCI Security Standards
- Statistics Verizon
  - What Organizations
  - Who Made and Who Discovered
  - Where Data Breaches Occurred
  - How Data Breaches Occurred
  - How Long Data is Compromised Without Discovery
  - Why
Management - An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports

3 Outline (continued)
- Information Assurance & Security Management System
  - Information Technology GRC
  - Risk Management
  - Security Architecture as Systematic Approach
- Recommendations & Conclusions
  - Simple Countermeasures Prevent up to an Av. 59% of Data Breaches
  - Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches
- Appendix

4 Motivation

5 Motivation
Attacks on data and information are a continual threat, but it has been shown that basic countermeasures can detect some of them at an early stage of penetration or misuse.

6 Motivation
This presentation focuses on managerial principles intended to help organizations prevent data breaches, and it presents a systematic view of Information Security Management.

7 Introduction

8 Introduction
Attackers of computer resources are developing new techniques that allow sophisticated penetrations and anti-forensics. In response, security policies, procedures, standards, and computer and network countermeasures have been proposed.
[Figure: Attackers vs. Responders]

9 The PCI Security Standards

10 PCI Security Standards
[Image, with permission, from Tim Marley's Cameron U. presentation]

11 Payment Card Industry – Data Security Standard
[Taken, with permission, from Tim Marley's Cameron U. presentation]

12 Statistics Verizon
Why Verizon? Because its reports are based on forensic investigations of actual data breaches. It needs to be emphasized that the economic sectors presented in Verizon's reports are those in which Verizon has done investigations; they are not necessarily a statistical sample from which inferences can be made about any given organization.

13 Statistics Verizon

14 Statistics Verizon - What

Percentage of Data Breaches by Sector

Year    Finan.   Retail   Other
04-07   -        37%      49%
2008    -        37%      33%
2009    -        38%      29%
2010    -        56%      9%
2011*   -        12%      60%
(*) Just larger organizations, i.e., more than 1,000 employees.
(Values for the Finan. column are not in this transcript.)

Target Organizations & PCI Compliance

Year    Oppor.   Target    Compl.   Not C.
04-07   85%      15%       -        -
2008    72%      28%       19%      81%
2009    74%      27%       21%      79%
2010    83%      17%       11%      89%
2011    79%      16% (!)   4%       96%
2011*   35%      50% (!)   -        -
Oppor. = opportunistic attack; Target = targeted attack; Compl. / Not C. = PCI compliant / not compliant at the time of the breach.
(*) Just larger organizations. (!) Remaining percentage unknown.

15 Statistics Verizon - Who

Who Made Data Breaches

Year    External   Internal   Partners   Multiple
2008    -          11%        7%         39%
2009    -          27%        1%         27%
2010    -          7%         <1%        9%
2011    -          2%         <1%        2%

Who Discovered Data Breaches

Year    External   Internal Active   Internal Passive   Unkn.
04-07   -          7%                18%                -
2008    -          7%                24%                -
2009    -          16%               23%                -
2010    -          6%                5%                 3%
(Values for the External column of both tables are not in this transcript; the other columns are read left to right.)

16 Statistics Verizon - Where

Where Data Breaches Occurred

Year    Servers   U. Devices   Off-line   People   Networks
04-07   -         7%           -          5%       -
2008    -         17%          2%         -        0%
2009    -         36%          25%        4%       1%
2010    -         56%          12%        10%      2%
2011    -         60%          3%         7%       <1%
(Values for the Servers column are not in this transcript.)

17 Statistics Verizon - How

How Data Breaches Occurred (threat action categories; a breach can involve more than one, so rows do not sum to 100%)

Year    Hack.   Malw.   Misus.   Phys.   Social   Error
04-07   -       31%     22%      15%     10%      62%
2008    -       38%     22%      9%      2%       67%
2009    -       38%     48%      15%     28%      -
2010    -       49%     17%      29%     11%      -
2011    -       69%     5%       10%     7%       1%
(Values for the Hack. column are not in this transcript.)

18 Statistics Verizon - How

Difficulty of Data Breaches

Year    High   Mod.   Low   None
04-07   17%    28%    52%   6%
2008    17%    31%    42%   10%
2009    15%    44%    28%   13%
2010    8%     49%    37%   6%
2011*   0%     24%    65%   2%
(*) 8% is reported as unknown.

Difficulty of Countermeasures

Year    Simple   Interm.   Diffic.
04-07   52%      28%       17%
2008    53%      34%       13%
2009    64%      32%       4%
2010    63%      33%       4%
2011*   63%      31%       3%
(*) 3% is reported as unknown.

19 Statistics Verizon – How Long...

Timespan of events (Verizon's 2012 Data Breach Investigations Report)

Phase                                     Seconds   Minutes   Hours   Days   Weeks   Months   Years
Initial attack to initial compromise      10%       75%       12%     2%     0%      1%       0%
Initial compromise to data exfiltration   8%        38%       14%     25%    8%      0%       -
Initial compromise to discovery           0%        0%        2%      13%    29%     54%      2%
Discovery to containment/restoration      -         1%        9%      32%    38%     17%      4%

20 Statistics Verizon - Why

21 Statistics Verizon - Why
2012 Report:
- The highest percentage of data breaches occurring on user devices (60%) since 2004.
- Discovery of data breaches by parties external to the organization at its highest (92%) since 2004, and active participation of internal agents at its lowest (2%).
- The difficulty of committing a data breach reported as the lowest since 2004 (~0% rated high; 8% reported as unknown).
- The difficulty of the corresponding countermeasures also at its lowest (3% rated difficult) since 2004.
- From initial attack to initial compromise takes at most minutes in 85% of cases, and from compromise to data exfiltration at most minutes in 46%, but the majority of discoveries take months (54%).

22 Information Assurance & Security Management System

23 Information Assurance & Security Management System
[Figure: shell model; idea taken from S. Heim, The Resonant Interface]

24 Risk Management

25 Information Assurance & Security Management System: Security Architecture
[Figure adapted from M. E. Whitman and H. J. Mattord]

26 Security Architecture as Systemic Approach
[Figure; cloud image from http://itstechsolved.com/cloud-computing/]

27 Simple Countermeasures Prevent up to an Av. 59% of Data Breaches
Simple countermeasures (those Verizon rates as simple to implement) include:
- Assignment of least privilege.
- Monitoring of event logs, passwords, firewall configurations, anti-virus, physical and logical access, and backups.
- Encryption of sensitive data.

Difficulty of Countermeasures

Year    Simple   Interm.   Diffic.
04-07   52%      28%       17%
2008    53%      34%       13%
2009    64%      32%       4%
2010    63%      33%       4%
2011*   63%      31%       3%
The 59% figure is the average of the Simple column over the five reporting periods: (52 + 53 + 64 + 63 + 63) / 5 = 59%.
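As an added illustration of the "monitoring of event logs" countermeasure listed above (this code is not part of the presentation or of Verizon's reports), the following Python monitor reads OpenSSH-style sshd authentication lines and flags the two things a simple log review is meant to catch: a source address that fails many logins within a short window, and a successful login from a source that was failing logins moments before. The log lines, host name, user names, addresses, the year supplied for the syslog timestamps, and the threshold and window sizes are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (OpenSSH sshd messages in syslog format).
# Host name, user names and addresses are made up for this example.
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 10 02:14:03 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 10 02:14:05 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
Mar 10 02:14:06 web1 sshd[2204]: Failed password for invalid user admin from 198.51.100.7 port 41031 ssh2
Mar 10 02:14:08 web1 sshd[2205]: Failed password for deploy from 198.51.100.7 port 41033 ssh2
Mar 10 02:14:09 web1 sshd[2206]: Accepted password for deploy from 198.51.100.7 port 41035 ssh2
Mar 10 02:30:00 web1 sshd[2300]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Mar 10 02:31:00 web1 sshd[2301]: Accepted publickey for alice from 203.0.113.5 port 50002 ssh2
Mar 10 09:00:00 web1 sshd[2400]: Accepted publickey for bob from 192.0.2.9 port 52000 ssh2
"""

# One sshd authentication event per line; any other syslog line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9.]+) port \d+"
)


@dataclass
class Finding:
    kind: str        # "brute_force" or "success_after_failures"
    src: str         # source address
    user: str        # account named in the line that triggered the finding
    when: datetime
    failures: int    # failed attempts from src inside the window


def parse_events(log_text, year=2012):
    """Yield (timestamp, result, user, src) for each matching line.
    Syslog lines carry no year, so the caller supplies one (assumed 2012 here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def detect(log_text, threshold=5, window_s=60, year=2012):
    """Flag a source that fails `threshold` or more logins within `window_s`
    seconds (brute force) and, more seriously, a successful login from a
    source that was brute-forcing inside the same window."""
    findings = []
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    reported = set()              # sources already reported as brute force
    for ts, result, user, src in parse_events(log_text, year):
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # forget failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in reported:
                reported.add(src)
                findings.append(Finding("brute_force", src, user, ts, len(q)))
        elif len(q) >= threshold:
            # Success right after a burst of failures: a guessed or stolen
            # password is the likely explanation, so escalate this first.
            findings.append(Finding("success_after_failures", src, user, ts, len(q)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.when:%H:%M:%S} {f.kind:24} src={f.src} user={f.user} failures={f.failures}")
```

On the sample above the monitor reports a brute-force burst from 198.51.100.7 at the fifth failure and then the accepted login for "deploy" from the same address one second later; alice's single typo followed by a key-based login is not reported. The point relative to the timeline table is that this check fires within seconds of the compromise, whereas the breaches in the reports went undiscovered for months.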

28 Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches

Difficulty of Countermeasures

Year    Simple   Interm.   Diffic.   Simple + Interm.
04-07   52%      28%       17%       80%
2008    53%      34%       13%       87%
2009    64%      32%       4%        96%
2010    63%      33%       4%        96%
2011*   63%      31%       3%        94%
The 90.6% figure is the average of the Simple + Interm. column: (80 + 87 + 96 + 96 + 94) / 5 = 90.6%.

29 Questions/Answers
www.cameron.edu/~pdiaz-go
pdiaz-go@cameron.edu
Thanks!
Ing. Alfonso Valencia Rodriguez and Ing. Luis E. Gomez H., Universidad Piloto de Colombia
Mr. Timothy Marley, University of Oklahoma

30 APPENDIX

31 Brief Bibliography Used in this Research
- Verizon Business Risk Team, "2012 Data Breach Investigations Report", and the corresponding reports for 2008 to 2011.
- PCI Security Standards Council LLC, "Payment Card Industry (PCI) Data Security Standard: Navigating PCI DSS, Version 2.0".
- C. Schou and D. Shoemaker, "Information Assurance for the Enterprise: A Roadmap to Information Security".
- Tripwire, "PCI Basics: What it Takes to be Compliant".
- M. E. Whitman and H. J. Mattord, "Management of Information Security".

32 Top Security Mechanisms – Case Study
Australian Government: Australian computer networks are being targeted by adversaries seeking access to sensitive information. A commonly used technique is social engineering, where malicious "spear phishing" emails are tailored to entice the reader to open them. The Defence Signals Directorate (DSD) has developed the Top 35 Mitigation Strategies for targeted cyber intrusions. The list is informed by DSD's experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.

33 Top Security Mechanisms – Case Study

34 Top Security Mechanisms – Case Study

Ranking   Strategy                   Effectiveness   User Resistance   Cost     Maintenance Cost
1         Patch Applications         Excellent       Low               High     High
2         Patch Operating Systems    Excellent       Low               Medium   Medium
3         Minimize # of Users        Excellent       Medium            Medium   Low
4         Application Whitelisting   Excellent       Medium            High     Medium
5         Host-Based IDS             Excellent       Low               Medium   Medium

35 Framework Documentation
Key components:
- Subject
- Purpose
- Scope
- Coverage
- Date
- Version
- Revision
- Approval
Source: CISA Certified Information Systems Auditor Guide. Taken, with permission, from Tim Marley's Cameron U. presentation.

