O'Connor & Drew, P.C. www.ocd.com @ocdcpa 1 DATA THEFT: WHAT CAN BE DONE TO LIMIT RISK? IT Audit and Security O’Connor & Drew, P.C. www.ocd.com @ocdcpa March 2014
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 2 Jake McAleer, CISA jmcaleer@ocd.com Professional Profile • Senior IT Audit and Security Manager, O’Connor & Drew, P.C. • Director of Operations, Dyn • Senior IT Auditor, State Street Bank • Network and Systems Engineer, Raytheon Company Industry Expertise • Internet Services and Infrastructure (IaaS, PaaS, SaaS, Colocation, Data Center) • Financial Services • Manufacturing • Government • Not-for-Profit Organizations • Family-Owned Businesses
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 3 Data Breach The intentional or unintentional release of secure information to an untrusted environment. -Wikipedia
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 4 Security Breaches in the News Target • 70+ Million credit cards stolen • $61 million cost (to date), CIO resigns University of Maryland • Records of more than 300,000 faculty members and students dating back to 1998 were compromised in a data breach Oregon Secretary of State’s website • 337,811 accounts contacted and asked to reset their password
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 5 Statistics About Data Breaches • Two-thirds of the breaches took months or more to discover. http://adage.com/article/datadriven-marketing/nrf-offensive-data-breaches/291476/ • 69% of all breaches were discovered by someone outside the affected organization. http://adage.com/article/datadriven-marketing/nrf-offensive-data-breaches/291476/ • German and US companies had the most costly data breaches ($199 and $188 per record, respectively) https://www4.symantec.com/mktginfo/whitepaper/053013 GL NA WP Ponemon-2013-Cost-of-a-Data-Breach- Report daiNA cta72382.pdf
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 6 But we’re a smaller company… Why would hackers go after us?
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 7 You have information they want.
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 8 Information IS Your Business Your Business IS Information Customer Data • Personally Identifiable Information (PII) – SSN, Credit Card Numbers, Routing Numbers, License Numbers, etc • Sensitive – Address, E-mail Address, Phone Number, etc Business Data • Sales Information • Customer Lists • Contracts • Acquisitions/Business Valuation Employee Data • Compensation • HR Data (PII and HIPAA)
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 9 SMBs Are Often Easy Targets • Limited IT staff • Less technical controls • Outdated anti-virus • Unpatched end user systems • No data loss prevention (DLP) software • Limited or no policies (AUP, ICG, etc) • Lack of employee awareness and training • Lack of website filtering
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 10 How can they get my business’ information?
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 11 Data Breaches – Many Different Forms • External access • Insecure firewall settings; poorly patched servers and applications • Internal resources (infected with malware) • Compromised servers, laptops, desktops • 3 rd party hosting/cloud providers • Compromised backups; shared resources (storage, VMs, etc) • Cloud storage accounts (Dropbox, OneDrive, Carbonite) • Disgruntled employees • Theft, disruption, use of old account credentials
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 12 Data Breaches – Many Different Forms • E-mail • Accidental forwarding to 3 rd parties (typos, wrong attachment, etc) • Intentional forwarding to 3 rd parties (competition, personal e-mail accounts, etc) • Compromised account (weak password, insecure connection, etc) • Social Engineering • Phishing, pretexting, baiting, etc. • Assets (Thumb drives, Laptops, Cell Phones, etc) • Lost or stolen devices without PINs/passwords and encryption • Unattended unlocked devices
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 13 Malware ( mal icious soft ware ) is used to disrupt computer networks, gather sensitive information, or gain access to private computer systems. This software typically relies on local access and/or internal network access to gather data. Viruses, trojans, worms, and ransomware are just some examples.
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 14 Malware – A Threat To All Businesses • Malware Wants Data • Names, Date of birth (DOB), SSNs • Addresses, Phone numbers, E-mail addresses • Confidential competitor information • Malware Looks Everywhere • Company directories • Local files (Word Docs, Spreadsheets, etc) • E-mail • Network file shares (NAS, NFS) • Malware Doesn’t Care Where It Gets The Data • A computer is a computer
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 21 Ever visited a website with ads?
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 22 Ever used one of these? CD/DVD Public WIFI Thumb Drive E-Mail Attachments
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 23 We all have! Much of what you do day to day for work and personal purposes exposes you to cyber threats.
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 24 Social Engineering “Psychological manipulation of people into performing actions or divulging confidential information” -Wikipedia
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 25 Examples Of Social Engineering • Pretexting • Using some information (name, address, phone #) in an attempt to gain access to other information or account details (SSN, CC #). • Baiting • Leaving CDs, DVDs, USB drives around and waiting for employees to pick them up and plug them into work computers. • Tailgating or Piggybacking • Following someone into a secured space who has valid access. • Name/Title Dropping • Using social media to find officers and then pretending to be working on “a special project for them” or pretending to be tech support calling to troubleshoot an issue, but needs your password first.
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 26 Examples Of Social Engineering • Confidence • “Looking the part”, “He was dressed up”, “He looked like he worked here” • Role Playing • Pretending to be maintenance or repair workers, contractor, delivery person, or law enforcement • Buddies at work • “I locked myself out of my account and need to go! What’s your password so I can get this done and head out for the weekend?” • Phishing/Spearphishing • Attempting to gather sensitive information by posing as a trusted source or known entity (posing as bank website, Facebook, etc)
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 27 Phishing - Can You Spot the Problem?
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 29 We’re All Susceptible! I was nearly tricked by a Twitter phishing scheme just last week! SomeGuy @someguy Rofl this was posted by you? tinyurl.com/sfsjkl23jk$
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 31 I should have known… It was a rather generic message. Notice 5 similar tweets from the same person to different people all within 1 minute.
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 32 Forgery Warning in Firefox Browser
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 33 Many Organizations Assume Their IT Department Manages All IT Risk
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 34 SMB Business IT Departments • Often a small group • Perhaps just 1-2 members; part-time or contractors • A long “to do list” • Security takes a backseat; “I don’t have time!” • Difficulty assessing or explaining risk to the business • Too “in the weeds” or “techie” to help business understand • Not empowered to help make/enforce policies • Limited budget • Lack of ownership • Limited training
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 35 Business Departments • Executives • Sales • Talent Management (HR, Payroll, etc) • Support Staff • Facilities Staff • Consultants • Visitors • Customers
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 36 Everyone Uses IT In The Business • Desktops/Laptops • Company Website • Customer Portals • E-mail • Phones (VoIP) • Internet Access • Printers • Fax Machines • Network File Storage • Physical Access (Electronic Door)
O'Connor & Drew, P.C. www.ocd.com @ocdcpa 37 Information Lives On All of These. Information Security is Everyone’s Responsibility.
Recommend
More recommend
