Security Through Intel: Learning from Other People's Mistakes


1 Security Through Intel: Learning from Other People's Mistakes
Review of breaches and what went wrong!
Mike D’Arezzo, CISSP, CISA
Director of Security Services

2 Agenda
- What is a “Breach”?
- Review of a sample of breaches from 2016
- What could have been avoided?
- What can be learned?

3 What is a “Breach”?
Merriam-Webster definition of breach:
1: infraction or violation of a law, obligation, tie, or standard <a breach of trust> <sued them for breach of contract>
2a: a broken, ruptured, or torn condition or area <a breach of the skin> <the leak was a major security breach>
2b: a gap (as in a wall) made by battering <fixing a breach in the fence> <once more unto the breach, dear friends, … or close the wall up with our English dead — Shakespeare>
3a: a break in accustomed friendly relations <caused a breach between the two countries>
3b: a temporary gap in continuity: hiatus <a breach of routine>
4: a leap especially of a whale out of water

4 Two meter exhaust port (a.k.a. Papa’s Revenge)

5 But a “breach” really is…
A compromise of security and/or compliance resulting in the loss, destruction, theft, or unauthorized change/access of data.
But what is an “incident”?
The suspected compromise of security and/or compliance resulting in the loss, destruction, theft, or unauthorized change/access of data.

6 What happens during a Breach?
Security of a system or process is violated or compromised,
OR compromise of security or infrastructure is circumvented,
OR security of a system or process is circumvented,
AND data (PII, PHI, Intellectual Property, etc.) or processes are viewed, copied, manipulated, changed, or deleted without permission.
NOT ME, I PROMISE!

7 Office of Personnel Management
WHAT: Personnel records on 22 million current and former federal employees, including anyone who requested a background check for military or federal agencies.
HOW: Suspected spear phishing attack on contractors with elevated access.
WHERE DID IT GO WRONG:
- Security training on phishing campaigns
- Third party risk management – do contractors require elevated access?
- Maintaining watch of highly privileged accounts for activity/behavior

8 WHAT: Loss of six hard drives that included personal health information on members who had had lab services between 2009 and It also included names, addresses, dates of birth, Social Security numbers, ID numbers and other health information.
HOW: Improper disposal of media.
WHERE DID IT GO WRONG:
- Data classification documenting disposal of sensitive data
- Secure processes for disposal of media containing sensitive data
- Encryption of media, especially mobile media and media that contains, will contain, or has contained sensitive information

9 WHAT: The Internal Revenue Service announced that it had been hit by a massive data breach, exposing the information of more than 700,000 individuals.
HOW: Through the IRS' "Get Transcript" program, which was created to allow taxpayers to check their history online. The hackers potentially accessed the accounts using data from breaches of IRS-approved tax preparers or other online accounts, the IRS said at the time. Potential involvement of an internal phishing campaign.
WHERE DID IT GO WRONG:
- Potentially previously compromised accounts were not reset after previous or third party breaches
- Asset management of servers to protect against “legitimate” internal hacker servers
- Data management for external resources – no 2FA in place

10 Secure configuration of devices
WHAT: Chinese hackers had access to the department's systems from 2010 to 2013 through back-end malware that had been installed on workstations and servers. In May, the FDIC had retroactively reported five other breaches, affecting a total of 160,000 individuals.
HOW: Malware installed on workstations and servers was identified as the final cause.
WHERE DID IT GO WRONG:
- Secure configuration of devices
- “Least Privilege” in place for employees to minimize available authentication
- Scanning of the network for malware through heuristic and behavioral methods

11 WHAT: LinkedIn was hacked four years ago, and what initially seemed to be a theft of 6.5 million passwords has actually turned out to be a breach of 117 million passwords.
HOW: Older and less secure password policies in place allowed hackers to gain access externally.
WHERE DID IT GO WRONG:
- Encryption of sensitive data at rest
- Management of external network connections (VPNs, private tunnels, third parties)
- Old, and no longer relevant, security policies for passwords of employees
- Encouraging clients to use higher and more secure methods of authentication
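Slide 11 blames outdated password policies and unprotected data at rest. The following Python example is added here and is not part of the presentation; it contrasts a generic legacy scheme (a single fast, unsalted hash, assumed here as the "older" approach rather than taken from any detail on the slide) with salted, iterated PBKDF2-HMAC-SHA256, and adds a minimal password policy check. The policy thresholds and the common-password list are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Policy values are assumptions for this example, not the presentation's.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "linkedin", "qwerty", "letmein"}


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("needs both letters and digits")
    return problems


def legacy_hash(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-1.
    Equal passwords give equal hashes, so a leaked table is cheap to crack offline
    and one cracked hash unlocks every account sharing that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as iterations$salt$hash.
    A random per-user salt makes equal passwords hash differently, and the
    iteration count makes each offline guess expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Recompute the stored hash with its own salt and iteration count;
    compare_digest avoids leaking timing information."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("policy problems for 'password':", check_policy("password"))
    print("legacy hashes equal:", legacy_hash("password") == legacy_hash("password"))
    stored = modern_hash("Correct-Horse-Battery-42")
    print("modern hashes equal:", stored == modern_hash("Correct-Horse-Battery-42"))
    print("verify correct password:", verify_modern("Correct-Horse-Battery-42", stored))
```

The stored format carries its own iteration count, so the cost can be raised later and old records re-hashed at next login without a flag day.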

12 WHAT: The breach allowed hackers to collect information on an estimated 1.5 million enterprise clients, including basic contact information. Verizon said no customer proprietary network information or other data was accessed.
HOW: Hackers leveraged an older vulnerability that Verizon later remediated.
WHERE DID IT GO WRONG:
- Active vulnerability scanning of the network and resources
- Encryption of information at rest: databases, files, folders
- Review of account behavior and activity
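Slides 7 and 12 both list watching privileged accounts and reviewing account behavior as the missing control. The Python example below is added here and is not from the presentation; it runs three simple behavioral checks over constructed audit log lines: a privileged account logging in from a source address outside its baseline, activity outside business hours, and a daily export volume above a threshold. The account names, addresses, log format, baseline and thresholds are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample audit log (key=value fields); not from any real system.
SAMPLE_LOG = """\
2016-03-14T09:02:11Z user=jsmith src=10.1.4.22 action=login result=success
2016-03-14T09:05:40Z user=jsmith src=10.1.4.22 action=view_record count=3
2016-03-14T13:17:02Z user=svc_contractor_admin src=10.1.9.5 action=login result=success
2016-03-14T13:20:19Z user=svc_contractor_admin src=10.1.9.5 action=export_records count=40
2016-03-15T02:41:55Z user=svc_contractor_admin src=203.0.113.9 action=login result=success
2016-03-15T02:43:10Z user=svc_contractor_admin src=203.0.113.9 action=export_records count=25000
2016-03-15T02:50:31Z user=svc_contractor_admin src=203.0.113.9 action=export_records count=18000
"""

# Assumed inventory of highly privileged accounts and their normal login sources.
PRIVILEGED: Set[str] = {"svc_contractor_admin"}
BASELINE_SRC: Dict[str, Set[str]] = {"svc_contractor_admin": {"10.1.9.5"}}
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 UTC, an assumption
EXPORT_THRESHOLD = 10_000          # records per account per day, an assumption


def parse_line(line: str) -> Dict[str, object]:
    """Split 'timestamp key=value ...' into a dict with a parsed datetime."""
    ts, *kv = line.split()
    fields: Dict[str, object] = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def review_privileged_activity(log_text: str) -> List[str]:
    """Return human-readable findings for privileged accounts only."""
    findings: List[str] = []
    export_totals: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        user = str(ev["user"])
        if user not in PRIVILEGED:
            continue                      # ordinary users are out of scope here
        ts = ev["ts"]
        if ev["action"] == "login" and ev["src"] not in BASELINE_SRC.get(user, set()):
            findings.append(f"{user}: login from unfamiliar source {ev['src']} at {ts.isoformat()}")
        if ts.hour not in BUSINESS_HOURS:
            findings.append(f"{user}: activity outside business hours ({ev['action']} at {ts.isoformat()})")
        if ev["action"] == "export_records":
            export_totals[(user, ts.date())] += int(str(ev["count"]))
    for (user, day), total in export_totals.items():
        if total > EXPORT_THRESHOLD:
            findings.append(f"{user}: exported {total} records on {day} (threshold {EXPORT_THRESHOLD})")
    return findings


if __name__ == "__main__":
    for finding in review_privileged_activity(SAMPLE_LOG):
        print(finding)
```

Each check is deliberately simple; the point is that the privileged-account inventory and the per-account baseline must exist before any of them can fire, which is the "know thyself" control the summary slide returns to.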

13 Clear Desk Policy – remove all sensitive data from insecure areas
WHAT: A laptop and portable hard drives containing personal information were stolen from the Office of Child Support Enforcement in Washington. The devices contained personal information on as many as 5 million individuals, including Social Security numbers, birth dates, addresses and phone numbers.
HOW: The devices were stolen by intruders who likely used a key from a disgruntled former employee.
WHERE DID IT GO WRONG:
- Clear Desk Policy – remove all sensitive data from insecure areas
- Termination policy – return of all assets
- Asset Management Program and Data Management – know where your data is!

14 Summary
Develop a security plan and strategy based on the following tenets from the CIS Top 20 Critical Controls:
- “Know Thyself”
- “Limit the Attack Surface”
- “Protect the Perimeter” (and interior)
- “Plan, Train, and Drill”

15 Q & A

16 Schedule
- Security Through Intel or “Learning from other people’s mistakes” – Thursday 9am – 10am – Mike D’Arezzo
- Building an Incident Response Plan – Thursday 4:15 PM – 5:15 PM – Don Murdoch
- Penetration Testing for the everyday security analyst – Friday 9am – 10am – Mike D’Arezzo
- Portable NFAT Tools, Techniques, and System Build – 11:30 – 12:30 – Don Murdoch

17 SLAIT Security Offerings
Governance Prevention Response Risk Assessment Policy and Procedure PCI Prep HIPAA Gap Analysis Audit Preparation Assistance Security Organization Review Security Checkup Managed Firewall and Endpoint Secure Infrastructure Design & Review vISO Program Awareness Training Assessment Vulnerability Scanning Penetration Testing Phishing Exercises ThreatRecon Pre-breach Preparation ThreatManage Breach Response Cyber Forensics Technology Partners

