DATA THEFT: WHAT CAN BE DONE TO LIMIT RISK? IT Audit and Security - - PowerPoint PPT Presentation

SLIDE 1

DATA THEFT: WHAT CAN BE DONE TO LIMIT RISK?

IT Audit and Security O’Connor & Drew, P.C. www.ocd.com @ocdcpa

March 2014

O'Connor & Drew, P.C. www.ocd.com @ocdcpa

1

SLIDE 2

Jake McAleer, CISA

jmcaleer@ocd.com

Professional Profile

  • Senior IT Audit and Security Manager, O’Connor & Drew, P.C.
  • Director of Operations, Dyn
  • Senior IT Auditor, State Street Bank
  • Network and Systems Engineer, Raytheon Company

Industry Expertise

  • Internet Services and Infrastructure (IaaS, PaaS, SaaS, Colocation, Data Center)
  • Financial Services
  • Manufacturing
  • Government
  • Not-for-Profit Organizations
  • Family-Owned Businesses

SLIDE 3

Data Breach

The intentional or unintentional release of secure information to an untrusted environment.

  • Wikipedia

SLIDE 4

Security Breaches in the News

Target

  • 70+ Million credit cards stolen
  • $61 million cost (to date), CIO resigns

University of Maryland

  • Records of more than 300,000 faculty members and students dating back to 1998 were compromised in a data breach

Oregon Secretary of State’s website

  • 337,811 accounts contacted and asked to reset their password

SLIDE 5

Statistics About Data Breaches

  • Two-thirds of the breaches took months or more to discover.

http://adage.com/article/datadriven-marketing/nrf-offensive-data-breaches/291476/

  • 69% of all breaches were discovered by someone outside the affected organization.

http://adage.com/article/datadriven-marketing/nrf-offensive-data-breaches/291476/

  • German and US companies had the most costly data breaches ($199 and $188 per record, respectively)

https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf

SLIDE 6

But we’re a smaller company…

Why would hackers go after us?

SLIDE 7

You have information they want.

SLIDE 8

Information IS Your Business. Your Business IS Information.

Customer Data

  • Personally Identifiable Information (PII) – SSN, Credit Card Numbers, Routing Numbers, License Numbers, etc
  • Sensitive – Address, E-mail Address, Phone Number, etc

Business Data

  • Sales Information
  • Customer Lists
  • Contracts
  • Acquisitions/Business Valuation

Employee Data

  • Compensation
  • HR Data (PII and HIPAA)

SLIDE 9

SMBs Are Often Easy Targets

  • Limited IT staff
  • Fewer technical controls
  • Outdated anti-virus
  • Unpatched end user systems
  • No data loss prevention (DLP) software
  • Limited or no policies (AUP, ICG, etc)
  • Lack of employee awareness and training
  • Lack of website filtering

SLIDE 10

How can they get my business’ information?

SLIDE 11

Data Breaches – Many Different Forms

  • External access
  • Insecure firewall settings; poorly patched servers and applications
  • Internal resources (infected with malware)
  • Compromised servers, laptops, desktops
  • 3rd party hosting/cloud providers
  • Compromised backups; shared resources (storage, VMs, etc)
  • Cloud storage accounts (Dropbox, OneDrive, Carbonite)
  • Disgruntled employees
  • Theft, disruption, use of old account credentials

SLIDE 12

Data Breaches – Many Different Forms

  • E-mail
  • Accidental forwarding to 3rd parties (typos, wrong attachment, etc)
  • Intentional forwarding to 3rd parties (competition, personal e-mail accounts, etc)
  • Compromised account (weak password, insecure connection, etc)
  • Social Engineering
  • Phishing, pretexting, baiting, etc.
  • Assets (Thumb drives, Laptops, Cell Phones, etc)
  • Lost or stolen devices without PINs/passwords and encryption
  • Unattended unlocked devices

SLIDE 13

Malware (malicious software) is used to disrupt computer networks, gather sensitive information, or gain access to private computer systems. This software typically relies on local access and/or internal network access to gather data. Viruses, trojans, worms, and ransomware are just some examples.

SLIDE 14

Malware – A Threat To All Businesses

  • Malware Wants Data
  • Names, Date of birth (DOB), SSNs
  • Addresses, Phone numbers, E-mail addresses
  • Confidential competitor information
  • Malware Looks Everywhere
  • Company directories
  • Local files (Word Docs, Spreadsheets, etc)
  • E-mail
  • Network file shares (NAS, NFS)
  • Malware Doesn’t Care Where It Gets The Data
  • A computer is a computer

SLIDE 15
SLIDE 16
SLIDE 17
SLIDE 18
SLIDE 19
SLIDE 20

SLIDE 21

Ever visited a website with ads?

SLIDE 22

Ever used one of these?

CD/DVD, Thumb Drive, Public WIFI, E-Mail Attachments

SLIDE 23

We all have! Much of what you do day to day for work and personal purposes exposes you to cyber threats.

SLIDE 24

Social Engineering

“Psychological manipulation of people into performing actions or divulging confidential information”

  • Wikipedia

SLIDE 25

Examples Of Social Engineering

  • Pretexting
  • Using some information (name, address, phone #) in an attempt to gain access to other information or account details (SSN, CC #).
  • Baiting
  • Leaving CDs, DVDs, USB drives around and waiting for employees to pick them up and plug them into work computers.
  • Tailgating or Piggybacking
  • Following someone into a secured space who has valid access.
  • Name/Title Dropping
  • Using social media to find officers and then pretending to be working on “a special project for them”, or pretending to be tech support calling to troubleshoot an issue that needs your password first.

SLIDE 26

Examples Of Social Engineering

  • Confidence
  • “Looking the part”, “He was dressed up”, “He looked like he worked here”
  • Role Playing
  • Pretending to be maintenance or repair workers, contractor, delivery person, or law enforcement
  • Buddies at work
  • “I locked myself out of my account and need to go! What’s your password so I can get this done and head out for the weekend?”
  • Phishing/Spearphishing
  • Attempting to gather sensitive information by posing as a trusted source or known entity (posing as bank website, Facebook, etc)

SLIDE 27

Phishing - Can You Spot the Problem?

SLIDE 28

SLIDE 29

We’re All Susceptible!

I was nearly tricked by a Twitter phishing scheme just last week!

SomeGuy @someguy Rofl this was posted by you? tinyurl.com/sfsjkl23jk$

SLIDE 30

SLIDE 31

I should have known…

It was a rather generic message. Notice 5 similar tweets from the same person to different people all within 1 minute.
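The observation on this slide (one account sending a near-identical message with a shortened link to several different people inside a minute) is also a usable detection rule for a social media or mail gateway feed. The Python script below is an added example and is not part of the original presentation: it reduces each message to a template by stripping @mentions and links, then flags any sender whose messages with the same template reach five distinct recipients within a 60-second sliding window, and notes any link-shortener hosts involved. The sample messages, sender and recipient names, shortener list and both thresholds are constructed for the example and are adjustable.

```python
"""Detect a phishing-style message burst from a single sender.

Added example, not part of the original presentation. Rule: a sender whose
near-identical messages reach several distinct recipients within a short
window is flagged. Messages, names, the shortener list and the thresholds
are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

MENTION_RE = re.compile(r"@\w+")
# Group 1 captures the host of a bare or http(s) URL; the path is optional.
URL_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
# Constructed shortener list; a production rule would maintain its own.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}

# Constructed sample feed: timestamp, sender, addressed recipient, text.
SAMPLE = [
    {"ts": "2014-03-05 14:02:03", "sender": "someguy", "recipient": "alice",
     "text": "@alice Rofl this was posted by you? tinyurl.com/sfsjkl23jk$"},
    {"ts": "2014-03-05 14:02:10", "sender": "someguy", "recipient": "bob",
     "text": "@bob rofl this was posted by you? tinyurl.com/q8a1zz"},
    {"ts": "2014-03-05 14:02:21", "sender": "someguy", "recipient": "carol",
     "text": "@carol ROFL this was posted by you?  tinyurl.com/b77xk"},
    {"ts": "2014-03-05 14:02:33", "sender": "someguy", "recipient": "dave",
     "text": "@dave Rofl this was posted by you? tinyurl.com/m3n0p"},
    {"ts": "2014-03-05 14:02:45", "sender": "someguy", "recipient": "erin",
     "text": "@erin Rofl this was posted by you? tinyurl.com/zz9q"},
    {"ts": "2014-03-05 14:03:50", "sender": "someguy", "recipient": "frank",
     "text": "@frank Rofl this was posted by you? tinyurl.com/late1"},
    {"ts": "2014-03-05 14:05:00", "sender": "colleague", "recipient": "alice",
     "text": "@alice lunch at noon? see ocd.com/menu"},
    {"ts": "2014-03-05 14:05:10", "sender": "colleague", "recipient": "bob",
     "text": "@bob lunch at noon?"},
]


def template(text: str) -> str:
    """Strip @mentions and links, lower-case and squeeze whitespace, so that
    messages differing only in recipient or link collapse to one key."""
    stripped = URL_RE.sub("", MENTION_RE.sub("", text))
    return " ".join(stripped.lower().split())


def shortener_hosts(text: str) -> set:
    """Hosts in the message that belong to the known-shortener list."""
    return {h.lower() for h in URL_RE.findall(text) if h.lower() in SHORTENERS}


def find_bursts(messages, min_recipients=5, window_seconds=60):
    """Return one finding per (sender, template) whose messages reach
    min_recipients distinct recipients inside a sliding time window."""
    groups = defaultdict(list)
    for m in messages:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        groups[(m["sender"], template(m["text"]))].append((ts, m["recipient"], m["text"]))

    findings = []
    for (sender, tmpl), items in groups.items():
        items.sort(key=lambda item: item[0])
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits in window_seconds.
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            window = items[start:end + 1]
            recipients = {recipient for _, recipient, _ in window}
            if len(recipients) >= min_recipients:
                hosts = set()
                for _, _, text in window:
                    hosts |= shortener_hosts(text)
                findings.append({
                    "sender": sender,
                    "template": tmpl,
                    "recipients": sorted(recipients),
                    "span_seconds": (window[-1][0] - window[0][0]).total_seconds(),
                    "shortener_hosts": sorted(hosts),
                })
                break  # one finding per sender/template is enough
    return findings


if __name__ == "__main__":
    for f in find_bursts(SAMPLE):
        print(f"BURST from {f['sender']}: {len(f['recipients'])} recipients in "
              f"{f['span_seconds']:.0f}s, template={f['template']!r}, "
              f"shorteners={f['shortener_hosts']}")
```

The template step is what makes the rule robust: the five messages differ in capitalization, spacing, the @mention and the link path, yet all collapse to the same key. A message to the same recipient twice does not count as a new recipient, so a legitimate back-and-forth with one person never trips the threshold.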

SLIDE 32

Forgery Warning in Firefox Browser

SLIDE 33

Many Organizations Assume Their IT Department Manages All IT Risk

SLIDE 34

SMB Business IT Departments

  • Often a small group
  • Perhaps just 1-2 members; part-time or contractors
  • A long “to do list”
  • Security takes a backseat; “I don’t have time!”
  • Difficulty assessing or explaining risk to the business
  • Too “in the weeds” or “techie” to help business understand
  • Not empowered to help make/enforce policies
  • Limited budget
  • Lack of ownership
  • Limited training

SLIDE 35

Business Departments

  • Executives
  • Sales
  • Talent Management (HR, Payroll, etc)
  • Support Staff
  • Facilities Staff
  • Consultants
  • Visitors
  • Customers

SLIDE 36

Everyone Uses IT In The Business

  • Desktops/Laptops
  • Company Website
  • Customer Portals
  • E-mail
  • Phones (VoIP)
  • Internet Access
  • Printers
  • Fax Machines
  • Network File Storage
  • Physical Access (Electronic Door)

SLIDE 37

Information Lives On All of These.

Information Security is Everyone’s Responsibility.

SLIDE 38

IT Costs vs. Breach Costs

  • Mitigation Costs
  • Target: >$60M [1]
  • Cost To Notify Customers
  • Kickstarter: “Law enforcement officials [notified us] that hackers had sought and gained unauthorized access to some of our customers' data.” [2]
  • Identity Theft Protection
  • UMD: 309,079 people x 5 years of ID service
  • Company Reputation and Image
  • Target: “Profits took a large hit from the data breach reported in December.” [1]

[1] http://seekingalpha.com/news/1592713-target-navigates-choppy-water-in-q4
[2] http://www.theinquirer.net/inquirer/news/2329171/kickstarter-breach-blags-users-details-encrypted-passwords

SLIDE 40

Clearly there’s a risk. What can a business do?

SLIDE 41

SLIDE 42

SLIDE 43

IT Frameworks

Frameworks help design a program that facilitates CIA (confidentiality, integrity, and availability). There are many different frameworks and standards:

  • Some are industry specific
  • North American Electric Reliability Corporation (NERC)
  • Some are very high level
  • COBIT
  • Some are process specific
  • ITIL
  • Some are generic (very long, complex, and/or high level)
  • NIST
  • ISO
  • COSO

SLIDE 44

What are Objectives and IT Controls?

Controls are defined by the SEC as: "...a specific set of policies, procedures, and activities designed to meet an objective.”

  • What are your organization’s IT objectives?
  • Does anyone own this? If so, who?
  • CEO, CIO, CFO, IT Manager…every organization is different
  • Are they empowered to do so?
  • Are they working closely with business stakeholders?
  • Do they have the right people (team)?
  • What controls are they designing and utilizing?
  • What frameworks are they using?
  • How are they being measured?

Every business has some form of this in place, even if it’s informal.

SLIDE 45

IT Controls - Design, Implement, Test

The business should assign someone to work with business stakeholders to:

  • Select framework(s) and best practices that are appropriate
  • Develop plan (guidance)
  • Understand the current controls
  • Work with internal IT staff and outside experts to review current controls
  • Highlight areas that are lacking compared to guidance
  • Test if existing controls are working
  • Prioritize future efforts based upon risk
  • Implement new solutions (controls) to fill gaps
  • Develop a process for periodically reviewing controls

SLIDE 46

SLIDE 47

SLIDE 48

Risk

  • Many people confuse the risk event for the risk rating
  • Risk Event = The description of the risk
  • Risk Rating = Likelihood + Impact

Example: Car crashes into office building and causes gas leak.

SLIDE 49

SLIDE 50

SANS 20 Critical Security Controls

  • A list of the top 20 critical security controls (CSCs) was agreed upon and outlined, taking risk into consideration.
  • Collaborative work across various governmental, public, and private organizations
  • U.S. Department of Homeland Security
  • U.S. Department of State, Office of the CISO
  • MITRE Corporation
  • SANS Institute
  • Great starting point for an SMB
  • Tangible, measurable, includes examples of processes and technologies to implement

http://www.sans.org/critical-security-controls

SLIDE 51

Number 1: Inventory Devices

Inventory of Authorized and Unauthorized Devices

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

https://www.sans.org/media/critical-security-controls/spring-2013-poster.pdf
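As an added example (not from the presentation or from SANS), the following Python script makes the "inventory, track, and correct" loop of this control concrete. A constructed authorized-device list is reconciled against a constructed discovery export (one `<ip> <mac> <hostname>` line per device, the kind of listing a DHCP server or ARP sweep produces), and the script reports devices seen on the network but not inventoried, inventoried devices not seen, and devices whose observed hostname differs from the record. MAC addresses in either source may use colon, dash or Cisco dotted form. Every device record, hostname and owner below is hypothetical.

```python
"""Reconcile devices seen on the network against an authorized inventory.

Added example for CSC #1 (Inventory of Authorized and Unauthorized Devices),
not from the presentation or from SANS. The discovery input is a constructed
"<ip> <mac> <hostname>" export; the authorized inventory is a constructed
list of records with hypothetical hostnames and owners.
"""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC address to lower-case 'aa:bb:cc:dd:ee:ff'.

    Accepts colon, dash or dot separated forms in any case; raises
    ValueError if fewer or more than 12 hex digits remain after stripping.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventory (hypothetical devices and owners).
AUTHORIZED = [
    {"mac": "00:1A:2B:3C:4D:5E", "hostname": "fin-laptop-01", "owner": "finance"},
    {"mac": "00-1a-2b-3c-4d-5f", "hostname": "hr-desktop-02", "owner": "hr"},
    {"mac": "001a.2b3c.4d60", "hostname": "file-srv-01", "owner": "it"},
]

# Constructed discovery export: one "<ip> <mac> <hostname>" line per device.
DISCOVERED = """\
10.0.1.10 00:1a:2b:3c:4d:5e fin-laptop-01
10.0.1.11 00:1a:2b:3c:4d:5f hr-desktop-02-old
10.0.1.50 00:1a:2b:3c:4d:99 -
10.0.1.51 00:1A:2B:3C:4D:AA android-7f3e
"""


@dataclass
class InventoryReport:
    unauthorized: list = field(default_factory=list)       # seen, not in inventory
    missing: list = field(default_factory=list)            # in inventory, not seen
    hostname_mismatch: list = field(default_factory=list)  # seen, unexpected name


def parse_discovery(text: str) -> dict:
    """Parse the export into {mac: (ip, hostname)}; malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, hostname = parts
        try:
            seen[normalize_mac(mac)] = (ip, hostname)
        except ValueError:
            continue
    return seen


def reconcile(authorized: list, discovery_text: str) -> InventoryReport:
    """Compare what is on the network with what is allowed to be on it."""
    inventory = {normalize_mac(r["mac"]): r for r in authorized}
    seen = parse_discovery(discovery_text)
    report = InventoryReport()
    for mac, (ip, hostname) in sorted(seen.items()):
        record = inventory.get(mac)
        if record is None:
            report.unauthorized.append((mac, ip, hostname))
        elif hostname != record["hostname"]:
            report.hostname_mismatch.append((mac, record["hostname"], hostname))
    for mac, record in sorted(inventory.items()):
        if mac not in seen:
            report.missing.append((mac, record["hostname"], record["owner"]))
    return report


if __name__ == "__main__":
    rep = reconcile(AUTHORIZED, DISCOVERED)
    for mac, ip, name in rep.unauthorized:
        print(f"UNAUTHORIZED {mac} at {ip} ({name}): quarantine and investigate")
    for mac, expected, actual in rep.hostname_mismatch:
        print(f"MISMATCH {mac}: inventory says {expected}, network says {actual}")
    for mac, name, owner in rep.missing:
        print(f"MISSING {mac} {name} (owner: {owner}): confirm it is still in service")
```

Run on a schedule, the three lists are the "correct" half of the control: unauthorized devices go to quarantine or a blocked VLAN, mismatches are checked for reimaged or repurposed hardware, and missing devices are confirmed as decommissioned or flagged as potentially lost or stolen.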

SLIDE 52

Larry Wilson
Information Security Lead, University of Massachusetts President’s Office

SLIDE 53

SLIDE 54

One Size Doesn’t Fit All

  • Every organization is different
  • Different needs
  • Different information/data
  • Different customers
  • Different size
  • Different regulatory requirements

Every organization is different. Every security plan is different. SANS 20 Critical Security Controls is a great place to start.

  • Outside organizations are available as a resource
  • General IT assessments
  • Specific engagements for a particular product, project, or customer

SLIDE 55

O’Connor & Drew’s Key IS Wins for 2014

  • Patch frequently and utilize anti-virus software
  • Settings enforceable with a GPO in Windows
  • Application support is important for continued patches
  • Get rid of any systems running Windows XP or older
  • Windows XP and Office 2003 support officially ends April 2014
  • Hackers are saving known exploits until after the expiration date
  • Uninstall Java from all office systems; consider using something other than Internet Explorer (IE)
  • First half of 2013, Java was the most common zero-day focus for attackers. Second half of 2013, observed a burst of Internet Explorer (IE) zero-days.

http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2013.pdf

SLIDE 56

O’Connor & Drew’s Key IS Wins for 2014

  • Encrypt all assets that leave the office (laptops, thumb drives, smartphones, etc) and ensure they have a password/PIN enabled
  • “UC San Francisco is alerting some individuals to a burglary involving unencrypted desktop computers that contained some personal and health information.” [1]
  • Secure and segregate your office WIFI
  • Use hardened security (e.g. WPA2 or individual certificates) and segregate WIFI to limit access to key resources such as file shares
  • Utilize industry tools to scan your internal and external network
  • Ensure firewalls are appropriately configured, devices are patched appropriately, and generate an inventory of what’s on your network

[1] https://www.ucsf.edu/news/2014/03/112556/computer-theft-uc-san-francisco

SLIDE 57

Policies and Procedures

  • AUP (Acceptable Use Policy)
  • Users understand potentially everything they do is monitored
  • No outside software may be installed
  • Limited personal use
  • Consequences for not following policies
  • Don’t leave laptops in plain view or unlocked vehicles

Example Template:

http://www.sans.org/security-resources/policies/Acceptable_Use_Policy.pdf

  • Information/Data Classification Guide (ICG/DCG)
  • Types of data (confidential, internal use only, public, etc)
  • Owners, handlers
  • How to properly handle, store, destroy

More information and examples:

http://www.giac.org/paper/gsec/736/data-classification/101635
http://www.sans.org/reading-room/whitepapers/auditing/information-classification-who-846

  • Written Information Security Program - WISP
  • Legally required document for businesses with Massachusetts customers

SLIDE 58

Regulations and Industry-Specific Rules

  • Different countries have specific laws covering personal information, how it must be protected, and data breach disclosure requirements.

  • EU privacy protection is notoriously strict
  • US laws often vary by state, some federal oversight
  • Different industries have specific requirements
  • PCI
  • HIPAA
  • BASEL II and GLBA

SLIDE 59

Outsourcing Considerations

  • Consulting
  • Outside expertise and fresh perspective
  • Vendor specific experience, “set it and forget it”
  • Staff augmentation vs. project by project
  • Infrastructure Hosting
  • E-mail
  • Anti-SPAM and Anti-Phishing protection
  • VoIP
  • Website
  • Mass e-mail lists
  • Backup service
  • Ask for a SOC 2 or 3 from infrastructure providers!

SLIDE 60

Personally Identifiable Information (PII)

  • NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

SLIDE 61

MA 201 CMR 17.00 - PII

  • PII is “a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”

http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

SLIDE 62

MA 201 CMR 17.00 - Requirements

  • Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program. [Every person…] shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system.

http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

  • MA 201 Compliance Checklist:

http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf

  • Notification Requirement

http://www.mass.gov/ocabr/data-privacy-and-security/data/requirements-for-security-breach-notifications.html

SLIDE 63

Cyber Insurance

  • General liability policies often do not cover digital loss
  • Insurance is not a replacement for security
  • Not all cyber insurance policies are created equal
  • Coverage amounts
  • What they cover
  • How they are activated
  • What must be in place in order to be “covered”

“Partners bought the policy in 2007 and made a claim two years after an employee left the records of 192 Massachusetts General Hospital patients on an MBTA train. The hospital paid a $1 million fine to the US Department of Health and Human Services, which was covered by the cyber insurance.”

https://www.bostonglobe.com/business/2014/02/17/more-companies-buying-insurance-against-hackers-and-privacy-breaches/9qYrvlhskcoPEs5b4ch3PP/story.html

SLIDE 64

SLIDE 65

Crisis Management – Data Breach

  • Is it clear how an employee, customer, or outside firm reports a potential issue or concern to your business?

  • 69% of breaches were discovered by an outsider
  • Internally
  • Who would take the lead on managing a crisis management plan?
  • Who needs to be involved/notified? Who can declare an event?
  • Externally
  • Can your firm do a mass notification (email list, social media, etc)?
  • Who manages external communications?
  • Legal
  • What laws/regulations is your industry held to?
  • Reporting requirements

SLIDE 66

Crisis Management - Social Media

“[During the Boston Marathon bombings…] Boston Police Department tweets in effect became the official source of information for everyone, including the media, especially after numerous reports by the press turned out to be false.”

http://www.emergencymgmt.com/training/Bostons-Experience-Social-Media.html

  • Can you blog or post on your website and keep it updated?
  • Who can access and help with communications? Are they external to your organization? Are they available in an emergency?

It’s important to realize that some companies block social media such as Twitter and Facebook.

SLIDE 67

Questions?

O’Connor & Drew’s IT Audit and Security team is here to help!

Jake McAleer
jmcaleer@ocd.com
Senior IT Security and Audit Manager
O’Connor & Drew, P.C.
@ocdcpa

SLIDE 68

Download Link

  • Please visit the following link to download a digital copy of the presentation:

http://www.ocd.com/2014datatheft
