security fact & fiction: three lessons from the headlines
TRANSCRIPT
Security Fact & FictionThree Lessons from the Headlines
(that one’s real)
Real-word breaches are often caused by simple lapses of judgment.
Hollywood movies and some of the media representations of data breaches are sensationalized and over-complicated compared to reality.
source: Verizon DBIR 2015verizonenterprise.com/DBIR/2015/
Security Facts
❏ The cost of a data breach is on the rise❏ average cost increased 8.3% from $5.4 MM in 2013 to $5.85
MM in 2014❏ average cost per record increased 6.9% from $188 in 2013
to $201 in 2014❏ the most costly breaches are malicious & criminal attacks
❏ Will your organization be breached?❏ “The results show that a probability of a material data
breach [over the next 2 years] involving a minimum of 10,000 records is more than 22 percent”*
* source: IBM/Ponemon “Cost of Data Breach Study”, 2014: http://ibm.co/1Df4urk based on survey of 314 global organizations that experienced data breach
Factors Affecting the Cost of Breaches
Factor Effect on Price/Record
Strong Security Posture -$14.14
Incident Response Plan -$12.77
CISO Appointment -$6.59
Business Continuity Management -$8.98
Lost/Stolen Devices +$16.10
3rd Party Involvement +$14.80
Quick Notification +$10.45
Consultant Engagement +$2.10
source:IBM/Ponemon, 2014
US Avg.Cost/Record: $201
Security Fiction
❏ Purchasing data breach insurance policies indicates an organization is slacking on security❏ more likely to have other proactive measures in place
❏ Password policies and user education can save us❏ most security advice targeting users has a poor
cost/benefit tradeoff (MS, 2009 http://bit.ly/1lwMErH)❏ The threats you care about are Advanced Persistent Threat
0dayz❏ most breaches actually use very simple methods,
exploiting oversights and poor security policy, even from sophisticated attackers
❏ PCI/HIPAA/whatever compliant means secure❏ nope! these don’t encompass everything
The Present State of Security
❏ The answer to most security questions is “it’s complicated”but that doesn’t mean there’s no hope
“You must never confuse faith that you will prevail in the end -- which you can never afford to lose -- with the discipline to confront the most brutal facts of your current reality, whatever they may be” -- Admiral James Stockdale, US Navy
“I’m here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents”-- Brian Snow, NSA Information Assurance Head, 2012
“Lulzsec hacks embarrassed the security community by showing we were outclassed as defenders. NSA leaks show we were outclassed as attackers too” -- Haroon Meer, 2015
The Security Blanket
❏ Preparedness can reduce the cost of data breaches, while other factors can increase the cost
❏ Many expensive breaches are preventable in a cost-effective way in retrospect
❏ There are many commonalities in how attacks begin…❏ poor passwords❏ malware❏ phishing❏ application misconfiguration/bugs❏ lost/stolen devices
our management statement:why the information security policy exists
❏ Ownershipwhich team/people are responsible for which systems?
❏ Employee responsibilitiese.g. honoring PII policy & access restrictions.
❏ Device use policyBYOD is huge.
❏ Risk assessment policyevaluate org for risk on an ongoing basis
❏ Employee off-boarding policyprevent biz critical material from leaving
❏ Operations management policybackups? monitoring? segregation?
❏ Compliance & Auditing policyto ensure you remain compliant with regulations
Contents of Security Policy
❏ Access control policyspecify how your org controls sensitive access
❏ Incident management policyincident management policy decreases cost of breach
❏ Physical security policywho controls the literal keys? how is access given/revoked?
❏ Business continuity & disaster recoveryif operations can’t continue at current office, then what?
❏ Data confidentiality policyprocedures & requirements for dealing w/ sensitive data
❏ Software change management policyhow do you keep track and control of important updates?
Target in the Crosshairs❏ 95% of security incidents involve credential theft
❏ Target’s HVAC vendor’s credentials to vendor project system
were compromised
❏ It’s hard to control your employees, let alone a vendor’s…
❏ but mitigation should always be in mind
❏ the vendor project system and payments systems weren’t
segregated
❏ no two-factor authentication
❏ 70 million customer records stolen
❏ 40 million credit/debit cards
❏ up to $1 billion in damages
How it happened1. “Citadel” malware email, spearphishing to HVAC vendor
2. Vendor application vulnerability
3. Active Directory target enumeration
4. Steal admin hash from memory
5. Create new admin user
6. Bypass Target’s firewalls and access restrictions
run code remotely with PSExec & remote desktop
Microsoft Orchestrator access allowed them to ensure persistence
7. this gave them access to PII, but no credit cards as those were never stored,
as per PCI-DSS
8. attackers deployed custom ‘Kaptoxa’ malware on PoS terminals using domain
admin credentials
9. used internal AD-linked FTP server to aggregate data before sending it out
How it COULD have happened1. “Citadel” malware email, spearphishing to HVAC vendor
2. Vendor application vulnerability was caught internally first
3. Active Directory target enumeration was detected as anomalous, stopped, and
the incidence response policy defined what to do next
4. There was no domain admin password to be stolen on the vendor system
5. Creation of new domain admin user triggered an alert to the responsible team
6. Bypass of Target’s firewalls and access restrictions was impossible due to
extensive internal/external risk assessment and threat modeling
7. attackers couldn’t access to PII because it was encrypted and the keys were on
uncompromised, segregated application servers
8. attackers couldn’t deploy custom malware on PoS terminals because terminals
whitelisted processes and attackers had no access to config management
9. couldn’t use internal AD-linked FTP server to aggregate data because it
whitelisted hosts
Security Facts
RISK ASSESSMENT FTW: Third-party access needs to be controlled and understood. Threat model, assess, and mitigate risk.
SEGREGATION CAN BE HARD: there’s evidence Target made some effort to segregate their systems, using firewalls and restricting access from certain hosts. However, this can sometimes be bypassed by proxying through other hosts. Fully-segregated networks, or ones with strongly defined access control barriers are ideal. One Active Directory to Rule Them All introduces risk.
MONITORING IS CRUCIAL: Target could have noticed the attackers at several points during their setup and reconnaissance if monitoring alerted them.
Security Fiction
PCI-DSS compliance should keep data securePCI-DSS requires two-factor authentication for external logins to networks falling under the scope of PCI-DSS. Target likely assumed the vendor management system was properly segregated with firewalls and access controls. PCI-DSS also doesn’t require network segregation, and only recommends it.
Custom malware is a big threatWhile custom malware was used, its scope was limited: scraping POS terminal memory for credit cards and exfiltrating. It didn’t use any undisclosed software vulnerabilities or do anything particularly sophisticated. The best thing to do is keep it from appearing on systems in the first place.
JPMorgan: Financial Cost of Neglect
❏ 7 million businesses, 76 million consumers affected
❏ existing $250 million/year security budget❏ suspected entry point:
❏ employee laptop compromised with malware❏ corporate marathon site bug
❏ US gov’t & JPMC initially pointed fingers at Russia…❏ until October, when the FBI said they were no
longer a suspect
❏ One server which missed being upgraded with two-factor authentication provided a foothold❏ ultimately, 90+ servers were compromised
Security Fact
❏ Negligence is costly❏ security policy means nothing if
it isn’t constantly evaluated and adhered to
❏ security is active, not set-and-forget, not an add-on
❏ Expense-in-depth doesn’t mean defense-in-depth❏ JPMC had 1000+ security
personnel & a massive security spend, but one oversight allowed a massive breach
Security Fiction
❏ You’ll be taken down by an advanced adversary with never-before-seen techniques❏ it’s more likely you’ll be taken down by your own oversight❏ advanced adversaries are more persistent but adhere to the same rules as
everyone else
Anthem: healthy access control
❏ 80 million records stolen from large health insurance provider
❏ database containing records was unencrypted… ❏ but encryption isn’t a panacea: it can be done poorly, keys can be
stolen, and the data needs to be unencrypted at some point
❏ there’s no indication Anthem used any two-factor authentication whatsoever❏ credentials from between 1-5 users were enough to access all subscriber
data❏ does any user need unfettered access to all data?
Security Fact
❏ Access controls are critical❏ nobody needs access to all data on a regular basis.❏ records being accessed should be restricted as much as possible
(principle of least privilege/default deny).
❏ Encryption is valuable, but not foolproof❏ 64% of healthcare record leaks were attributed to employee endpoint
compromise (US Dept. Health & Human Services, 2014)❏ what risks do mostly insecure endpoints bring organizations?❏ can employee credentials get attackers access to data retrieval
applications?is uncharacteristic usage flagged?
Security Fiction
❏ HIPAA keeps health care information safe❏ HIPAA does not require encryption❏ HIPAA does not require two-factor
“Implement two-factor authentication for granting remote access to systems that contain EPHI. This process requires factors beyond general usernames and passwords to gain access to systems (e.g., requiring users to answer a security question such as “Favorite Pet’s Name”)”
❏ HIPAA’s access control requirement:
Implement procedures to verify that a person or entity seeking access to
electronic protected health information is the one claimed. - 164.312(d)
Technical Safeguards of the Security Standards for the Protection of
ePHI, HHS.gov
Security Fact and Fiction
FACT: many hacks are facilitated by oversight of service operators
this is somewhat comforting: it means it can be addressed
FICTION: today’s APTs require expensive threat intelligence feeds to understand
FACT: ongoing internal and external risk assessment can uncover problems
FICTION: “security” is a one-time expense
FACT: your organization needs to own and understand its security program
Security Fact and Fiction
FICTION: spending a lot of money on security means you’re doing it right
FACT: an information security policy is a good step to address your security
reality
FICTION: there’s a magic box you can plug in to your network to secure it all
FACT: it’s possible to make hacking your organization very difficult
FICTION: you can be completely hack-proof