Slide 1
Management – An Achilles Heel of Information Assurance Security: A Case Study of Verizon's Data Breach Reports
Dr. Pedro A. Diaz-Gomez, Cameron University
Ing. Alfonso Valencia and Ing. Luis E. Gomez, Universidad Piloto de Colombia
Slide 2
Outline
- Motivation
- Introduction
- PCI Security Standards
- Statistics Verizon
  - What: Organizations
  - Who: Made and Who Discovered
  - Where: Data Breaches Occurred
  - How: Data Breaches Occurred
  - How Long: Data is Compromised Without Discovery
  - Why
Slide 3
Outline (continued)
- Information Assurance & Security Management System
- Information Technology GRC
- Risk Management
- Security Architecture as Systematic Approach
- Recommendations & Conclusions
  - Simple Countermeasures Prevent up to an Av. 59% of Data Breaches
  - Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches
- Appendix
Slide 4
Motivation
Slide 5
Motivation
Attacks on data and information are a continual threat, but it has been shown that basic countermeasures can detect some of them at early stages of penetration or misuse.
Slide 6
Motivation
This presentation focuses on managerial principles intended to help organizations prevent security breaches of data and information, and it presents a systematic view of Information Security Management.
Slide 7
Introduction
Slide 8
Introduction
Attackers of computer resources are developing new techniques that allow sophisticated penetrations and anti-forensics. In response, security policies, procedures, standards, and computer and network countermeasures have been proposed.
(Figure: Attackers vs. Responders)
Slide 9
The PCI Security Standards
Slide 10
PCI Security Standards
(Image used with permission from Tim Marley, Cameron U. presentation)
Slide 11
Payment Card Industry – Data Security Standard
(Taken with permission from Tim Marley, Cameron U. presentation)
Slide 12
Statistics Verizon
Why Verizon? Because its reports reflect forensic investigations of actual security data breaches. It needs to be emphasized that the economic sectors presented in Verizon's reports are those in which Verizon has conducted investigations; they are not necessarily a statistical sample from which inferences can be drawn about any organization.
Slide 13
Statistics Verizon
Slide 14
Statistics Verizon - What

Percentage of Data Breaches by Sector
Year    Finan.   Retail   Other
04-07   n/a      37%      49%
2008    n/a      37%      33%
2009    n/a      38%      29%
2010    n/a      56%      9%
2011*   n/a      12%      60%
(*) Larger organizations only, i.e., more than 1,000 employees.
n/a: value not legible on the extracted slide.

Target Organizations & PCI Compliance
Year    Oppor.   Target   Compl.   Not C.
04-07   85%      15%      --       --
2008    72%      28%      19%      81%
2009    74%      27%      21%      79%
2010    83%      17%      11%      89%
2011    79%      16% (!)  4%       96%
2011*   35%      50% (!)  --       --
(*) Larger organizations only. (!) Remaining percentage unknown. (--) Not reported.
Slide 15
Statistics Verizon - Who

Who Made Data Breaches
Year    External   Internal   Partners   Multiple
2008    n/a        11%        7%         39%
2009    n/a        27%        1%         27%
2010    n/a        7%         <1%        9%
2011    n/a        2%         <1%        2%

Who Discovered Data Breaches
Year    External   Internal (Active)   Internal (Passive)   Unkn.
04-07   n/a        7%                  18%                  -
2008    n/a        7%                  24%                  -
2009    n/a        16%                 23%                  -
2010    n/a        6%                  5%                   3%
n/a: value not legible on the extracted slide.
Slide 16
Statistics Verizon - Where

Where Data Breaches Occurred
Year    Servers   U. Devices   Off-line   People   Networks
04-07   n/a       7%           -          5%       n/a
2008    n/a       17%          2%         -        0%
2009    n/a       36%          25%        4%       1%
2010    n/a       56%          12%        10%      2%
2011    n/a       60%          3%         7%       <1%
n/a: value not legible on the extracted slide.
Slide 17
Statistics Verizon - How

How Data Breaches Occurred
Year    Hack.   Malw.   Misus.   Phys.   Social   Error
04-07   n/a     31%     22%      15%     10%      62%
2008    n/a     38%     22%      9%      2%       67%
2009    n/a     38%     48%      15%     28%      -
2010    n/a     49%     17%      29%     11%      -
2011    n/a     69%     5%       10%     7%       1%
n/a: value not legible on the extracted slide.
Slide 18
Statistics Verizon - How

Difficulty of Data Breaches
Year    High   Mod.   Low   None
04-07   17%    28%    52%   6%
2008    17%    31%    42%   10%
2009    15%    44%    28%   13%
2010    8%     49%    37%   6%
2011*   0%     24%    65%   2%
(*) 8% is reported as unknown.

Difficulty of Countermeasures
Year    Simple   Interm.   Diffic.
04-07   52%      28%       17%
2008    53%      34%       13%
2009    64%      32%       4%
2010    63%      33%       4%
2011*   63%      31%       3%
(*) 3% is reported as unknown.
Slide 19
Statistics Verizon – How Long…

Timespan of breach events (Verizon's 2012 Data Breach Investigations Report)
Phase                                      Seconds   Minutes   Hours   Days   Weeks   Months   Years
Initial attack to initial compromise       10%       75%       12%     2%     0%      1%       0%
Initial compromise to data exfiltration    8%        38%       14%     25%    n/a     8%       0%
Initial compromise to discovery            0%        0%        2%      13%    29%     54%      2%
Discovery to containment/restoration       n/a       1%        9%      32%    38%     17%      4%
n/a: value not legible on the extracted slide.
Slide 20
Statistics Verizon - Why
Slide 21
Statistics Verizon - Why
2012 Report:
- The highest percentage of data breaches since 2004 occurred on user devices (60%).
- Discovery by parties external to the organization is the highest since 2004 (92%), and active discovery by internals is the lowest (2%).
- The difficulty of committing a data breach is the lowest since 2004 (~0% rated high; 8% reported as unknown).
- The difficulty of the corresponding countermeasures is the lowest since 2004 (3% rated difficult).
- Initial attack to compromise takes at most minutes in 85% of cases, as does data exfiltration in 46%, but the majority of discoveries take months (54%).
Slide 22
Information Assurance & Security Management System
Slide 23
Information Assurance & Security Management System
(Diagram; shell idea taken from S. Heim, The Resonant Interface.)
Slide 24
Risk Management
Slide 25
Information Assurance & Security Management System: Security Architecture
(Diagram adapted from M. E. Whitman and H. J. Mattord.)
Slide 26
Security Architecture as Systemic Approach
(Diagram; cloud image from http://itstechsolved.com/cloud-computing/)
Slide 27
Simple Countermeasures Prevent up to an Av. 59% of Data Breaches
- Assignment of least privilege.
- Monitoring of event logs, passwords, firewall configurations, anti-viruses, physical and logical accesses, and backups.
- Encryption of sensitive data.

Difficulty of Countermeasures
Year    Simple   Interm.   Diffic.
04-07   52%      28%       17%
2008    53%      34%       13%
2009    64%      32%       4%
2010    63%      33%       4%
2011*   63%      31%       3%
(*) 3% is reported as unknown.
Average of the Simple column: (52 + 53 + 64 + 63 + 63) / 5 = 59%.
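As an added illustration of the "monitoring of event logs" and "least privilege" countermeasures listed above (example code written for this page; it is not part of the original presentation or of Verizon's reports), the following Python monitor reads constructed OpenSSH/syslog-style lines and flags a burst of failed logins from one source, a successful login from that same source right after the burst, and a successful login to an account outside an assumed allow-list. The log lines, the 5-failures-in-60-seconds threshold, the assumed year (syslog lines carry none) and the allow-list `{"deploy"}` are assumptions for the example, not figures from the slides.

```python
"""Added example: monitoring of authentication event logs as a 'simple'
countermeasure.  Flags (1) a burst of failed logins from one source,
(2) a successful login from a source that just produced such a burst,
and (3) a successful login to an account outside an allow-list.
The log lines below are constructed for this example; they are not
data from the presentation or from Verizon's reports."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH/syslog-style lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar 12 02:14:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 02:14:03 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 12 02:14:05 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 12 02:14:07 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 12 02:14:09 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 12 02:14:12 web1 sshd[4021]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 12 08:30:44 web1 sshd[4102]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
Mar 12 09:02:10 web1 sshd[4150]: Failed password for deploy from 198.51.100.20 port 40113 ssh2
Mar 12 09:02:15 web1 sshd[4150]: Accepted publickey for deploy from 198.51.100.20 port 40114 ssh2
Mar 12 09:05:00 web1 cron[4200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches the sshd "Accepted ..." / "Failed ..." lines; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<src>[\d.]+)"
)

# Accounts expected to log in interactively (assumed allow-list for the example).
ALLOWED_USERS = frozenset({"deploy"})


def parse(log_text, year=2012):
    """Turn raw lines into event dicts. Syslog lines carry no year, so the
    caller supplies one (an assumption of this example)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd login result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "src": m["src"]})
    return events


def detect(events, threshold=5, window_s=60, allowed_users=ALLOWED_USERS):
    """Return a list of (kind, source, user, timestamp) alerts."""
    alerts = []
    failures = defaultdict(list)   # source -> timestamps of recent failures
    flagged = set()                # sources already reported as brute-forcing
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        # Keep only failures inside the sliding window for this source.
        failures[src] = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
        if not ev["ok"]:
            failures[src].append(ts)
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, ev["user"], ts))
            continue
        # A success from a source that was bursting moments ago is the kind of
        # "initial compromise" the slides report as going undiscovered for months.
        if src in flagged and failures[src]:
            alerts.append(("SUCCESS_AFTER_BURST", src, ev["user"], ts))
        # Least-privilege check: interactive login to an account outside the allow-list.
        if ev["user"] not in allowed_users:
            alerts.append(("UNEXPECTED_ACCOUNT", src, ev["user"], ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:<20} src={src} user={user}")
```

On the constructed sample the monitor raises three alerts, all for the 203.0.113.7 source: the burst at 02:14:09, the root login three seconds later, and that same login as an account outside the allow-list; the single failure by `deploy` followed by a key-based success is below threshold and stays quiet. Raising `threshold` to 6 leaves only the unexpected-account alert, which is why the allow-list check is worth running independently of the burst detector.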
Slide 28
Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches

Difficulty of Countermeasures
Year    Simple   Interm.   Diffic.   Simple + Interm.
04-07   52%      28%       17%       80%
2008    53%      34%       13%       87%
2009    64%      32%       4%        96%
2010    63%      33%       4%        96%
2011*   63%      31%       3%        94%
(*) 3% is reported as unknown.
Average of Simple + Interm.: (80 + 87 + 96 + 96 + 94) / 5 = 90.6%.
Slide 29
Questions/Answers
www.cameron.edu/~pdiaz-go
pdiaz-go@cameron.edu
Thanks!
Ing. Alfonso Valencia Rodriguez and Ing. Luis E. Gomez H., Universidad Piloto de Colombia
Mr. Timothy Marley, University of Oklahoma
Slide 30
APPENDIX
Slide 31
Brief Bibliography Used in this Research
- Verizon Business Risk Team, "2012 Data Breach Investigations Report", and the corresponding reports for 2008–2011.
- PCI Security Standards Council LLC, "Payment Card Industry (PCI) Data Security Standard: Navigating PCI DSS, Version 2.0".
- C. Schou and D. Shoemaker, "Information Assurance for the Enterprise: A Roadmap to Information Security".
- Tripwire, "PCI Basics: What it Takes to be Compliant".
- M. E. Whitman and H. J. Mattord, "Management of Information Security".
Slide 32
Top Security Mechanisms – Case Study
Australian Government: Australian computer networks are being targeted by adversaries seeking access to sensitive information. A commonly used technique is social engineering, where malicious "spear phishing" emails are tailored to entice the reader to open them. The Defence Signals Directorate (DSD) has developed the Top 35 Mitigation Strategies for targeted cyber intrusions. The list is informed by DSD's experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.
Slide 33
Top Security Mechanisms – Case Study
Slide 34
Top Security Mechanisms – Case Study (DSD Top 35 Mitigation Strategies, first five)
Ranking   Strategy                   Effectiveness   User Resistance   Cost     Maintenance Cost
1         Patch Applications         Excellent       Low               High     n/a
2         Patch Operating Systems    Excellent       Low               Medium   n/a
3         Minimize # of Users        Excellent       Medium            n/a      Low
4         Application Whitelisting   Excellent       Medium            High     Medium
5         Host-Based IDS             Excellent       Low               Medium   n/a
n/a: value not legible on the extracted slide.
Slide 35
Framework Documentation
Key components:
- Subject
- Purpose
- Scope
- Coverage
- Date
- Version
- Revision
- Approval
Source: CISA Certified Information Systems Auditor Guide. Taken with permission from Tim Marley, Cameron U. presentation.