NASPL 2015 – Information Security in the Lottery Sector

Information Security
Protecting the Player and the Lottery
Gus Fritschie
July 22, 2015
Presentation Overview
• Introduction
• Past/Future Lottery Attacks
• Recent Cyber Security Attacks
• Threat Sources (Internal/External)
• Compliance and Security Controls
• Security Testing
• Top 10 Security Weaknesses
• Emerging Technologies and Risk
• How to Build Security Into New Projects
• Examples
© SeNet International Corp. 2015
2
July 2015
Company Overview – SeNet International
Who I Am – Gus Fritschie
• CTO of SeNet International
• Subject Matter Expert in Gaming and iGaming security
• Presented at multiple conferences, including Defcon on iGaming issues
• Written multiple articles on gaming security for both print and online publications
• Most importantly I want sites and organizations to be safe and secure because I am also a player
• Follow on Twitter @gfritschie
Gaming Customers
Past Lottery Attack Vectors
Future/Present Lottery Attacks
• More technical in nature, involving computer “hacking” or some other form of cyber intrusion.
• A good example is the Hot Lotto trial that is currently in the news.
Houston, We Have a Problem
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
OPM
Target
Sony
Las Vegas Sands Hacked
New Jersey DDOS Attacks
Barcelona Laptop Issue
http://pokerfuse.com/news/live-and-online/confirmed-ept-barcelonalaptop-infected-with-screen-sharing-trojan-11-12/
Ashley Madison
Risk Assessment
Threat Sources
http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Internal Threats
Internal users often have the most knowledge about an organization and can cause the most harm.
Types of internal threats:
• Rogue/disgruntled employee
• Insider as part of external attack
• Accidental user mistakes
External Threats
• Script Kiddies
• Corporate Espionage
• Hacktivist
• State Sponsored
• APT
• Worms/Viruses
Compliance
Compliance != Security, but if you are Secure you will be Compliant
Security Controls and Standards
Similarities in Standards
• What is different about these standards?
• Have you ever had to do a cross-walk between them?
800-53 Management Controls
• Planning
• Program Management
• Risk Assessment
• Security Assessment and Authorization
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
800-53 Operational Controls
• Awareness and Training
• Configuration Management
• Contingency Planning
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical and Environmental Protection
800-53 Technical Controls
• Access Control
• Audit and Accountability
• Identification and Authentication
• System and Communication Protection
• System and Information Integrity
800-53 Control Example
Continuous Monitoring
How to Test Controls
• 800-53A
• Interviews
• Examinations
• Testing
Penetration Testing vs. Vulnerability Assessment
Vulnerability Assessment | Penetration Testing
Typically is general in scope and includes a large assessment | Focused in scope and may include targeted attempts to exploit specific vectors
Predictable | Unpredictable by the recipient
Unreliable at times and high rate of false positives | Highly accurate and reliable
Often invites debate among system administrators | Penetration Test = Proof of Concept against vulnerabilities
Produces a report with mitigation guidelines and action items | Produces a binary result (either the team owned you, or they didn’t)
Penetration Testing vs. Vulnerability Assessment (Cont.)
• Vulnerability Assessment:
  • Goal = list of vulnerabilities
• Penetration testing:
  • Goal = bypassing security controls to obtain network resources
• The maturity of the organization’s security program should determine which type of test to perform. There is little value in performing a penetration test if the organization does not have an implemented security patching program, for example.
Testing Non-technical Controls
• Most often assessed via interviews and document collection.
Security Architecture Review
Sample Project Plan/Schedule
Top 10 Security Weaknesses
#10 Lack of Commitment/Buy-in From Management
#9 Weak Configuration Management
#7 Weak/Default Passwords
#6 Vulnerable Web Applications
#5 Network/Data Inventory/Classification
#4 Unnecessary/Dangerous Services
#3 Missing Patches
#2 Lack of Audit Log Review/Monitoring
#1 Users
Emerging Technologies and Risk
Mobile
• MDM
• BYOD
• Gaming
Cloud
iGaming
How to Build Security into New Projects
Built into the SDLC
Security integration into system development is critical at the front-end design stage (not to be confused with the network-design meaning of "front-end").
Align the application design to your corporate information security program initiatives (you have one, right??).
Built into the SDLC (Cont.)
Examples:
• Audit logging design
  • possibly include redundancy, retention, and reliability (unintentional 3 r's there)
• Session design
  • possibly include concurrency control, lock, identification, replay
• Access, authentication, and authorization (intentional 3 a's there)
• Error handling design
• Unit test automation by check-in gates
  • Code coverage
  • Design for functional testing
• Information input restriction
  • RBAC
  • Partitioning
• Information validation
  • Rules engine/input validation, app firewall
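As an added example (not code from the deck or from SeNet), here is a minimal server-side session design in Python that covers the four items the slide lists under session design: identification (IDs drawn from the OS CSPRNG, never from the username or a counter), concurrency control (a per-user session cap), lock (a session is locked rather than silently kept alive when something is wrong), and replay (each request carries a nonce that is accepted once). The timeouts, the per-user limit, and the class and function names are assumptions for illustration.

```python
"""Added example, not from the slides: a small server-side session design covering
identification, concurrency control, lock, and replay. Timeouts, limits and names
are assumptions for illustration."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600     # hard lifetime regardless of activity
MAX_SESSIONS_PER_USER = 2       # concurrency control: oldest session is evicted


class Session:
    def __init__(self, user, now):
        self.user = user
        self.created = now
        self.last_seen = now
        self.seen_nonces = set()    # per-request nonces already accepted
        self.locked = False         # set when a replay is detected


class SessionManager:
    def __init__(self):
        self._sessions = {}         # session_id -> Session (server side only)

    def active_sessions(self, user):
        return sum(1 for s in self._sessions.values() if s.user == user)

    def create(self, user, now=None):
        """Identification: the ID is 256 random bits from the OS CSPRNG.
        Concurrency control: once the user holds MAX_SESSIONS_PER_USER sessions,
        the oldest one is evicted before a new one is issued."""
        now = time.time() if now is None else now
        own = sorted((s.created, sid) for sid, s in self._sessions.items() if s.user == user)
        while len(own) >= MAX_SESSIONS_PER_USER:
            _, oldest = own.pop(0)
            del self._sessions[oldest]
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user, now)
        return session_id

    def validate(self, session_id, nonce, now=None):
        """Check one request; returns (ok, reason). The absolute lifetime is checked
        before the idle timeout, and a re-presented nonce is treated as replay:
        the session is locked so the user has to re-authenticate."""
        now = time.time() if now is None else now
        session = self._sessions.get(session_id)
        if session is None:
            return False, "unknown"
        if session.locked:
            return False, "locked"
        if now - session.created > ABSOLUTE_TIMEOUT:
            del self._sessions[session_id]
            return False, "expired"
        if now - session.last_seen > IDLE_TIMEOUT:
            del self._sessions[session_id]
            return False, "idle"
        if nonce in session.seen_nonces:
            session.locked = True       # lock: stop serving this session
            return False, "replay"
        session.seen_nonces.add(nonce)
        session.last_seen = now
        return True, "ok"
```

The `now` parameter exists so the timeouts can be exercised deterministically; in production the default `time.time()` is used. Locking on replay rather than just rejecting the duplicate request is a design choice: a replayed nonce means the token was captured or the client is misbehaving, and either way the session should not keep serving requests.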
IV&V
Examples
Security Configuration Issues
DFS Mobile Password Disclosure
Authentication Weaknesses
http://www.onlinepokerreport.com/9529/authenticationcomparison-two-nj-igaming-sites/
Backend Password and Username Exposed in Request
Password Stored in Clear-text in Database
Using the forgot password function, the password is sent via email and is the same password that was initially set. This indicates that passwords are stored in clear-text.
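The check described above is simple to reproduce during an assessment: if the reset email contains the password you originally chose, the application can read it back, so it is not stored as a one-way hash. As an added example (not the deck's or SeNet's code), the Python below contrasts the clear-text store that makes that behaviour possible with a hardened store that keeps only a salted PBKDF2-HMAC-SHA256 hash and answers a forgot-password request with a random, expiring, single-use reset token instead of the password. The class names, iteration count, and token lifetime are assumptions for illustration.

```python
"""Added example, not from the slides: why a forgot-password feature that emails
back the original password implies clear-text storage, and a hardened store and
reset flow. Class names, iteration count and token lifetime are assumptions."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000   # assumed work factor; tune to your hardware


class ClearTextStore:
    """The weak design the slide describes: the stored credential *is* the
    password, so the forgot-password path can simply hand it back."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password

    def verify(self, username, password):
        return self._users.get(username) == password

    def forgot_password(self, username):
        # Returns the original password for emailing: only possible because
        # the database holds it as-is.
        return self._users[username]


class HashedStore:
    """Hardened design: only (salt, PBKDF2 hash) is stored, so the original
    password cannot be recovered; reset issues a random single-use token."""

    def __init__(self, token_ttl_seconds=900):
        self._users = {}          # username -> (salt, derived_key)
        self._reset_tokens = {}   # username -> (sha256(token), expiry)
        self._token_ttl = token_ttl_seconds

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal them.
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

    def forgot_password(self, username, now=None):
        """Return a one-time reset token to email. Only its hash is stored, so a
        database read does not yield a usable token, and the response is the
        same whether or not the username exists."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        if username in self._users:
            digest = hashlib.sha256(token.encode()).digest()
            self._reset_tokens[username] = (digest, now + self._token_ttl)
        return token

    def reset_password(self, username, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self._reset_tokens.get(username)
        if entry is None:
            return False
        token_hash, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(token_hash, presented):
            return False
        del self._reset_tokens[username]   # single use
        self.register(username, new_password)
        return True
```

The `now` argument lets the expiry logic be tested without waiting; production callers leave it at the default. Note that the hardened `forgot_password` can never return the password, which is exactly the property the assessment check in the slide is looking for.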
Weak Password Policy
Questions