MANAGEMENT – AN ACHILLES HEEL OF INFORMATION ASSURANCE SECURITY: A CASE STUDY OF VERIZON’S DATA BREACH REPORTS

Dr. Pedro A. Diaz-Gomez, Cameron University
Ing. Alfonso Valencia and Ing. Luis E. Gomez, Universidad Piloto de Colombia

Outline
• Motivation
• Introduction
• PCI Security Standards
• Statistics Verizon
  • What Organizations
  • Who Made and Who Discovered
  • Where Data Breaches Occurred
  • How Data Breaches Occurred
  • How Long Data is Compromised Without Discovery
  • Why
• Information Assurance & Security Management System
  • Information Technology GRC
  • Risk Management
  • Security Architecture as Systematic Approach
• Recommendations & Conclusions
  • Simple Countermeasures Prevent up to an Av. 59% of Data Breaches
  • Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches
• Appendix

Motivation
• As society becomes increasingly interconnected electronically, hacktivist and new avenues for getting data and information become available, , not only as a , but also as a responsibility to customers and as a step in business continuity.

Motivation
• Attacks on data and information are a continual threat, but it has been shown that basic countermeasures can detect some of them at early stages of penetration or misuse.
Motivation
• This presentation focuses on managerial principles intended to help organizations prevent security breaches of data and information, and it presents a systematic view of Information Security Management.

Introduction
• The basic recommendation proposed in this presentation could be seen as : the information assurance/security management system of .

Introduction
• Attackers: attackers of computer resources are developing new techniques that allow sophisticated penetrations and anti-forensics.
• Responders: in response, security policies, procedures, standards, and computer and network countermeasures have been proposed.

The PCI Security Standards
• The PCI security standards are private and that offer electronic card payment.
• Not being compliant can result in monetary sanctions or revocation of services and loss of prestige. (Tripwire)

PCI Security Standards
• PCI proposes a that can anticipate the discovery of vulnerabilities and weaknesses that could be remediated depending on the risk and the benefit/cost of countermeasures.
Image with permission from Tim Marley – Cameron U. presentation.

Payment Card Industry – Data Security Standard
Taken with permission from Tim Marley – Cameron U. presentation.

Statistics Verizon
• Why Verizon? Because those reports reflect forensic investigations of security data breaches.
• It needs to be emphasized that the economic sectors presented in Verizon’s reports are those in which Verizon has done investigations, and those are not necessarily a statistical sample selected to make inferences about any organization.

Statistics Verizon
• However, from these reports, organizations such experiences, or unfortunately, from .

Statistics Verizon – What
• Percentage of Data Breaches by Sector

  Year   Finan.  Retail  Other
  04-07  14%     37%     49%
  2008   30%     37%     33%
  2009   33%     38%     29%
  2010   35%     56%      9%
  2011*  28%     12%     60%

  (*) Just larger organizations, i.e., more than 1,000 employees.

• Target Organizations & PCI Compliant

  Year   Oppor.  Target  Compl.  Not C.
  04-07  85%     15%     -       -
  2008   72%     28%     19%     81%
  2009   74%     27%     21%     79%
  2010   83%     17%     11%     89%
  2011   79%     16%!     4%     96%
  2011*  35%     50%!    -       -

  (*) Just larger organizations. (!) Remaining percentage unknown.

Statistics Verizon – Who
• Who Made Data Breaches

  Year   External  Internal  Partners  Multiple
  2008   43%       11%        7%       39%
  2009   45%       27%        1%       27%
  2010   83%        7%       <1%        9%
  2011   95%        2%       <1%        2%

• Who Discovered Data Breaches

  Year   External  Internal Active  Internal Passive  Unkn.
  04-07  75%        7%              18%               -
  2008   69%        7%              24%               -
  2009   61%       16%              23%               -
  2010   86%        6%               5%               3%

Statistics Verizon – Where
• Where Data Breaches Occurred

  Year   Servers  U. Devices  Off-line  People  Networks
  04-07  93%       7%          7%        -       5%
  2008   94%      17%          2%        -       0%
  2009   50%      36%         25%        4%      1%
  2010   57%      56%         12%       10%      2%
  2011   64%      60%          3%        7%     <1%

Statistics Verizon – How
• How Data Breaches Occurred

  Year   Hack.  Malw.  Misus.  Phys.  Social  Error
  04-07  59%    31%    22%     15%    10%     62%
  2008   64%    38%    22%      9%     2%     67%
  2009   40%    38%    48%     15%    28%     -
  2010   50%    49%    17%     29%    11%     -
  2011   81%    69%     5%     10%     7%      1%

Statistics Verizon – How
• Difficulty of Data Breaches

  Year   High  Mod.  Low  None
  04-07  17%   28%   52%   6%
  2008   17%   31%   42%  10%
  2009   15%   44%   28%  13%
  2010    8%   49%   37%   6%
  2011*   0%   24%   65%   2%

  (*) 8% is reported as unknown.

• Difficulty of Countermeasures

  Year   Simple  Interm.  Diffic.
  04-07  52%     28%      17%
  2008   53%     34%      13%
  2009   64%     32%       4%
  2010   63%     33%       4%
  2011*  63%     31%       3%

  (*) 3% is reported as unknown.

Statistics Verizon – How Long…
• Timespan of breach events (percentage of breaches per time bucket)

  Phase                                    Seconds  Minutes  Hours  Days  Weeks  Months  Years
  Initial Attack to Initial Compromise     10%      75%      12%     2%    0%     1%      0%
  Initial Compromise to Data Exfiltration   8%      38%      14%    25%    8%     8%      0%
  Initial Compromise to Discovery           0%       0%       2%    13%   29%    54%      2%
  Discovery to Containment/Restoration      0%       1%       9%    32%   38%    17%      4%

  Source: Verizon’s 2012 Data Breaches Report.
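The summary figures the deck quotes later (attack-to-compromise within minutes 85%, exfiltration within minutes 46%, discovery mostly taking months 54%, and the 59% and 90.6% averages in the recommendations) can be recomputed from the "Difficulty of Countermeasures" and "How Long" tables above. The following Python block is an added example and is not part of the original presentation; the table values are transcribed from those two slides, and the function and variable names are this example's own. It also flags the rows whose cells round to a total other than 100%, which a reader should expect when combining buckets from the report.

```python
# Added example (not from the presentation): recompute the deck's headline
# figures from the two tables transcribed from its slides.

TIME_BUCKETS = ["seconds", "minutes", "hours", "days", "weeks", "months", "years"]

# "How Long" slide, Verizon 2012 report: percent of breaches per time bucket.
TIMESPANS = {
    "attack_to_compromise":       [10, 75, 12,  2,  0,  1, 0],
    "compromise_to_exfiltration": [ 8, 38, 14, 25,  8,  8, 0],
    "compromise_to_discovery":    [ 0,  0,  2, 13, 29, 54, 2],
    "discovery_to_containment":   [ 0,  1,  9, 32, 38, 17, 4],
}

# "Difficulty of Countermeasures" slide: percent of breaches per period.
# The 2011 row has a further 3% reported as unknown.
COUNTERMEASURES = {
    "04-07": {"simple": 52, "intermediate": 28, "difficult": 17},
    "2008":  {"simple": 53, "intermediate": 34, "difficult": 13},
    "2009":  {"simple": 64, "intermediate": 32, "difficult": 4},
    "2010":  {"simple": 63, "intermediate": 33, "difficult": 4},
    "2011":  {"simple": 63, "intermediate": 31, "difficult": 3},
}


def share_within(phase, up_to):
    """Percent of breaches in which `phase` took `up_to` (inclusive) or less."""
    row = TIMESPANS[phase]
    return sum(row[: TIME_BUCKETS.index(up_to) + 1])


def share_at_least(phase, from_bucket):
    """Percent of breaches in which `phase` took `from_bucket` (inclusive) or longer."""
    row = TIMESPANS[phase]
    return sum(row[TIME_BUCKETS.index(from_bucket):])


def modal_bucket(phase):
    """The time bucket holding the largest share of breaches for `phase`."""
    row = TIMESPANS[phase]
    return TIME_BUCKETS[row.index(max(row))]


def average_prevented(levels):
    """Average across reporting periods of the share of breaches whose
    countermeasures fall in the given difficulty levels (e.g. ["simple"])."""
    per_period = [sum(period[level] for level in levels)
                  for period in COUNTERMEASURES.values()]
    return round(sum(per_period) / len(per_period), 1)


def rounding_slack():
    """Rows whose cells do not sum to 100 because each cell is rounded."""
    return {phase: sum(row) - 100
            for phase, row in TIMESPANS.items() if sum(row) != 100}


if __name__ == "__main__":
    print("compromise within minutes:", share_within("attack_to_compromise", "minutes"), "%")
    print("exfiltration within minutes:", share_within("compromise_to_exfiltration", "minutes"), "%")
    print("exfiltration within hours:", share_within("compromise_to_exfiltration", "hours"), "%")
    print("discovery taking weeks or longer:", share_at_least("compromise_to_discovery", "weeks"), "%")
    print("most common discovery bucket:", modal_bucket("compromise_to_discovery"))
    print("simple countermeasures, average:", average_prevented(["simple"]), "%")
    print("simple + intermediate, average:", average_prevented(["simple", "intermediate"]), "%")
    print("rows with rounding slack:", rounding_slack())
```

Putting the two "How Long" rows side by side is the managerial point of the slide: most data leaves within hours of compromise, while most discoveries take weeks or months, so the detection gap, not the difficulty of the attack, is what the simple countermeasures have to close.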
Statistics Verizon – Why
• 2012 Report:
  • Compliance: the lowest percentage (4%) since 2004.
  • Financial institutions among larger organizations continue at a steady percentage of data breaches (28%) since 2008.
  • Larger organizations certainly targeted (50%): “ ”
  • Hacktivism growing (95%) since 2008.

Statistics Verizon – Why
• 2012 Report:
  • Highest percentage of data breaches occurred in user devices (60%) since 2004.
  • External parties discovering data breaches reported as the highest (92%) since 2004, and active participation from internals the lowest (2%).
  • Difficulty to commit a data breach reported as the lowest (~0%) since 2004 (there is an 8% reported as unknown).
  • Difficulty of the corresponding countermeasures the lowest (3%) since 2004.
  • Initial attack to compromise takes at most minutes (85%), as does data exfiltration (46%), but the majority of discoveries take months (54%).

Information Assurance & Security Management System

Information Assurance & Security Management System
• Shell idea taken from S. Heim, The Resonant Interface.

Risk Management
• NIST 800-30: “Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, , from IT-related risk.” (National Institute of Standards and Technology)

Information Assurance & Security Management System
• Security Architecture, adapted from M. E. Whitman and H. J. Mattord.

Security Architecture as Systemic Approach
Cloud image from http://itstechsolved.com/cloud-computing/

Simple Countermeasures Prevent up to an Av. 59% of Data Breaches

  Year   Simple  Interm.  Diffic.
  04-07  52%     28%      17%
  2008   53%     34%      13%
  2009   64%     32%       4%
  2010   63%     33%       4%
  2011*  63%     31%       3%

• Assignment of least privilege.
• Monitoring of event logs, passwords, firewall configurations, antiviruses, physical and logical accesses, backups.
• Encryption of sensitive data.

Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches

  Year   Simple  Interm.  Diffic.
  04-07  52%     28%      17%
  2008   53%     34%      13%
  2009   64%     32%       4%
  2010   63%     33%       4%
  2011*  63%     31%       3%

• Assignment of least privilege.
• Monitoring of event logs, passwords, firewall configurations, antiviruses, physical and logical accesses, backups.
• Encryption of sensitive data.

Questions/Answers
• www.cameron.edu/~pdiaz-go
• pdiaz-go@cameron.edu
• Thanks!
  • Ing. Alfonso Valencia Rodriguez and Ing. Luis E. Gomez H., Universidad Piloto de Colombia
  • Mr. Timothy Marley, University of Oklahoma

APPENDIX

Brief Bibliography Used in this Research
• Verizon Business Risk Team, “2012 Data Breach Investigations Report” and the ones corresponding to 2008 – 2011.
• PCI Security Standards Council LLC, “Payment Card Industry (PCI) Data Security Standard: Navigating PCI DSS. Version 2.0”.
• C. Schou and D. Shoemaker, “Information Assurance for the Enterprise: A Roadmap to Information Security.”
• Tripwire, “PCI Basics: What it takes to be Compliant.”
• M. E. Whitman and H. J. Mattord, “Management of Information Security.”

Top Security Mechanisms – Case Study
• Australian Government:
  • Australian computer networks are being targeted by adversaries seeking access to sensitive information. A commonly used technique is social engineering, where malicious 'spear phishing' emails are tailored to entice the reader to open them.
  • The Defence Signals Directorate (DSD) has developed the Top 35 Mitigation Strategies for targeted cyber intrusions. The list is informed by DSD’s experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.

Top Security Mechanisms – Case Study
• Australian Government:
  • While no single strategy can prevent this type of malicious activity, the remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD responded to in 2009, and at least 85% of the intrusions responded to in 2010.
  • Implementing the top four strategies can be achieved gradually, starting with computers used by the employees most likely to be targeted by intrusions, and eventually extending them to all users. Once this is achieved, organizations can selectively implement additional mitigation strategies based on the risk to their information.

Top Security Mechanisms – Case Study

  Ranking  Strategy                  Effectiveness  User Resistance  Cost    Maintenance Cost
  1        Patch Applications        Excellent      Low              High    High
  2        Patch Operating S.        Excellent      Low              Medium  Medium
  3        Minimize # of Users       Excellent      Medium           Medium  Low
  4        Application Whitelisting  Excellent      Medium           High    Medium
  5        Host-Based IDS            Excellent      Low              Medium  Medium

Framework Documentation
• Key components:
  • Subject
  • Purpose
  • Scope
  • Coverage
  • Date
  • Version
  • Revision
  • Approval
Source: CISA Certified Information Systems Auditor Guide. Taken with permission from Tim Marley – Cameron U. presentation.