A Case Study of Verizon's Data Breach Reports

MANAGEMENT – AN ACHILLES HEEL OF INFORMATION ASSURANCE SECURITY: A CASE STUDY OF VERIZON'S DATA BREACH REPORTS
Dr. Pedro A. Diaz-Gomez
Cameron University
Ing. Alfonso Valencia and Ing. Luis E. Gomez
Universidad Piloto de Colombia
Management - An Achilles Heel of Information Assurance
Security: A Case Study of Verizon's Data Breach Reports
Outline
• Motivation
• Introduction
• PCI Security Standards
• Statistics Verizon
• What Organizations
• Who Made and Who Discovered
• Where Data Breaches Occurred
• How Data Breaches Occurred
• How Long Data is Compromised Without Discovery
• Why

Outline
• Information Assurance & Security Management System
• Information Technology GRC
• Risk Management
• Security Architecture as Systematic Approach
• Recommendations & Conclusions
• Simple Countermeasures Prevent up to an Av. 59% of Data Breaches
• Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches
• Appendix
Motivation
• As society becomes increasingly interconnected electronically, hacktivists and new avenues for getting data and information become available, , not only as a , but also as a responsibility to customers and as a step in business continuity.
Motivation
• Attacks on data and information are a continual threat, but it has been shown that basic countermeasures can detect some of those at early stages of penetration or misuse.
Motivation
• This presentation focuses on managerial principles intended to help organizations prevent security breaches of data and information, and it presents a systematic view of Information Security Management.
Introduction
• The basic recommendation proposed in this presentation could be seen as : The information assurance/security management system of .
Introduction
• Attackers: Attackers of computer resources are developing new techniques that allow sophisticated penetrations and anti-forensics.
• Responders: In response, security policies, procedures, standards and computer and network countermeasures have been proposed.
The PCI Security Standards
• The PCI security standards are private and that offer electronic card payment.
• Not being compliant can result in monetary sanctions or revocation of services and loss of prestige.
Tripwire
PCI Security Standards
• PCI proposes a that can anticipate the discovery of vulnerabilities and weaknesses that could be remediated depending on the risk and benefit/cost of countermeasures.
Image with permission from Tim Marley – Cameron U. Presentation
Payment Card Industry – Data Security Standard
Taken with permission from Tim Marley – Cameron U. Presentation
Statistics Verizon
• Why Verizon? Because those reports reflect forensic investigations of security data breaches.
• It needs to be emphasized that the economic sectors presented in Verizon's reports are those in which Verizon has done investigations, and those are not necessarily a statistical sample from which inferences can be drawn about any organization.
Statistics Verizon
• However, from these reports, organizations such experiences, or unfortunately, from .
Statistics Verizon - What

• Percentage of Data Breaches by Sector

  Year    Finan.  Retail  Other
  04-07   14%     37%     49%
  2008    30%     37%     33%
  2009    33%     38%     29%
  2010    35%     56%     9%
  2011*   28%     12%     60%

  (*) Just Larger Organizations, i.e., more than 1,000 employees.

• Target Organizations & PCI Compliant

  Year    Oppor.  Target  Compl.  Not C.
  04-07   85%     15%     -       -
  2008    72%     28%     19%     81%
  2009    74%     27%     21%     79%
  2010    83%     17%     11%     89%
  2011    79%     16%!    4%      96%
  2011*   35%     50%!    -       -

  (*) Just Larger Organizations.
  (!) Remaining Percentage Unknown.
Statistics Verizon - Who

• Who Made Data Breaches

  Year    External  Internal  Partners  Multiple
  2008    43%       11%       7%        39%
  2009    45%       27%       1%        27%
  2010    83%       7%        <1%       9%
  2011    95%       2%        <1%       2%

• Who Discovered Data Breaches

  Year    External  Internal Active  Internal Passive  Unkn.
  04-07   75%       7%               18%               -
  2008    69%       7%               24%               -
  2009    61%       16%              23%               -
  2010    86%       6%               5%                3%
Statistics Verizon - Where

• Where Data Breaches Occurred

  Year    Servers  U. Devices  Off-line  People  Networks
  04-07   93%      7%          7%        -       5%
  2008    94%      17%         2%        -       0%
  2009    50%      36%         25%       4%      1%
  2010    57%      56%         12%       10%     2%
  2011    64%      60%         3%        7%      <1%
Statistics Verizon - How

• How Data Breaches Occurred

  Year    Hack.  Malw.  Misus.  Phys.  Social  Error
  04-07   59%    31%    22%     15%    10%     62%
  2008    64%    38%    22%     9%     2%      67%
  2009    40%    38%    48%     15%    28%     -
  2010    50%    49%    17%     29%    11%     -
  2011    81%    69%    5%      10%    7%      1%
Statistics Verizon - How

• Difficulty of Data Breaches

  Year    High  Mod.  Low  None
  04-07   17%   28%   52%  6%
  2008    17%   31%   42%  10%
  2009    15%   44%   28%  13%
  2010    8%    49%   37%  6%
  2011*   0%    24%   65%  2%

  (*) 8% is reported as unknown.

• Difficulty of Countermeasures

  Year    Simple  Interm.  Diffic.
  04-07   52%     28%      17%
  2008    53%     34%      13%
  2009    64%     32%      4%
  2010    63%     33%      4%
  2011*   63%     31%      3%

  (*) 3% is reported as unknown.
Statistics Verizon – How Long…

  Phase                                    Seconds  Minutes  Hours  Days  Weeks  Months  Years
  Initial Attack to Initial Compromise     10%      75%      12%    2%    0%     1%      0%
  Initial Compromise to Data Exfiltration  8%       38%      14%    25%   8%     8%      0%
  Initial Compromise to Discovery          0%       0%       2%     13%   29%    54%     2%
  Discovery to Containment/Restoration     0%       1%       9%     32%   38%    17%     4%

Source: Verizon's 2012 Data Breaches Report.
Statistics Verizon - Why
• 2012 Report:
  • Compliance: the lowest percentage (4%) since 2004,
  • Financial institutions among larger organizations continue at a steady percentage of data breaches (28%) since 2008,
  • Larger organizations certainly targeted (50%): “ ”
  • Hacktivism growing (95%) since 2008,
Statistics Verizon - Why
• 2012 Report:
  • Highest percentage of data breaches occurred in user devices (60%) since 2004,
  • Parties external to the organization discovered data breaches at the highest rate (92%) since 2004, while active discovery by internal staff was the lowest (2%),
  • Difficulty of committing a data breach reported as the lowest (~0%) since 2004 (there is an 8% reported as unknown),
  • Difficulty of the corresponding countermeasures the lowest (3%) since 2004,
  • Initial attacks to compromise take at most minutes (85%), as does data exfiltration (46%), but the majority of discoveries take months (54%).

Information Assurance & Security Management System

Information Assurance & Security Management System
Shell idea taken from S. Heim in The Resonant Interface.

Risk Management
• NIST 800-30:
  • “Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, , from IT-related risk.”
National Institute of Standards and Technology
Information Assurance & Security Management System
• Security Architecture
Adapted from M. E. Whitman and H. J. Mattord.
Security Architecture as Systemic Approach
Cloud from http://itstechsolved.com/cloud-computing/
Simple Countermeasures Prevent up to an Av. 59% of Data Breaches

  Year    Simple  Interm.  Diffic.
  04-07   52%     28%      17%
  2008    53%     34%      13%
  2009    64%     32%      4%
  2010    63%     33%      4%
  2011*   63%     31%      3%

• Assignment of least privilege.
• Monitoring of event logs, passwords, firewall configurations, antiviruses, physical and logical accesses, backups.
• Encryption of sensitive data.
Simple & Intermediate Countermeasures Prevent an Av. 90.6% of Data Breaches

  Year    Simple  Interm.  Diffic.
  04-07   52%     28%      17%
  2008    53%     34%      13%
  2009    64%     32%      4%
  2010    63%     33%      4%
  2011*   63%     31%      3%

• Assignment of least privilege.
• Monitoring of event logs, passwords, firewall configurations, antiviruses, physical and logical accesses, backups.
• Encryption of sensitive data.
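The figures the deck derives from its tables (85% of initial compromises within minutes, 46% of exfiltrations within minutes, discovery typically taking months, and the 59% and 90.6% averages in the two slide titles) can be recomputed from the countermeasure-difficulty table above and the "How Long" table. This Python is an added example, not part of the presentation; the table values are copied from the slides and the function names are my own.

```python
# Added example, not from the slides: the Verizon 2012 DBIR timeline and the
# countermeasure-difficulty-by-year table encoded so the deck's derived figures
# can be recomputed and the compromise-vs-discovery gap measured.
from typing import Dict, List, Tuple

BUCKETS: List[str] = ["seconds", "minutes", "hours", "days", "weeks", "months", "years"]

# Percent of breaches per phase, by how long the phase took (values from the slide).
TIMELINE: Dict[str, List[int]] = {
    "attack_to_compromise":     [10, 75, 12,  2,  0,  1, 0],
    "compromise_to_exfil":      [ 8, 38, 14, 25,  8,  8, 0],
    "compromise_to_discovery":  [ 0,  0,  2, 13, 29, 54, 2],
    "discovery_to_containment": [ 0,  1,  9, 32, 38, 17, 4],
}

# Difficulty of the countermeasure that would have stopped the breach, by year:
# (simple, intermediate, difficult). The 2011 row omits the 3% reported unknown.
COUNTERMEASURES: Dict[str, Tuple[int, int, int]] = {
    "04-07": (52, 28, 17), "2008": (53, 34, 13), "2009": (64, 32, 4),
    "2010": (63, 33, 4), "2011": (63, 31, 3),
}

def share_within(phase: str, bucket: str) -> int:
    """Percent of breaches in which `phase` took `bucket` or less time."""
    return sum(TIMELINE[phase][: BUCKETS.index(bucket) + 1])

def modal_bucket(phase: str) -> str:
    """Time bucket holding the largest share of breaches for `phase`."""
    dist = TIMELINE[phase]
    return BUCKETS[dist.index(max(dist))]

def bucket_gap(fast_phase: str, slow_phase: str) -> int:
    """Bucket steps (roughly orders of magnitude) between the typical duration
    of two phases, e.g. minutes to compromise versus months to discover."""
    return BUCKETS.index(modal_bucket(slow_phase)) - BUCKETS.index(modal_bucket(fast_phase))

def avg_preventable(levels: int) -> float:
    """Average over the years of breaches stoppable by countermeasures up to
    `levels` difficulty tiers: 1 = simple only, 2 = simple + intermediate."""
    per_year = [sum(tiers[:levels]) for tiers in COUNTERMEASURES.values()]
    return round(sum(per_year) / len(per_year), 1)

if __name__ == "__main__":
    for phase in TIMELINE:
        print(f"{phase:26s} typically {modal_bucket(phase):8s} "
              f"within minutes: {share_within(phase, 'minutes')}%")
    print("compromise->discovery gap:", bucket_gap("attack_to_compromise", "compromise_to_discovery"))
    print(f"simple: {avg_preventable(1)}%  simple+intermediate: {avg_preventable(2)}%")
```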
Questions/Answers
• www.cameron.edu/~pdiaz-go
• pdiaz-go@cameron.edu
• Thanks!
• Ing. Alfonso Valencia Rodriguez and
• Ing. Luis E. Gomez H.
• Universidad Piloto de Colombia
• Mr. Timothy Marley
• University of Oklahoma
APPENDIX
Brief Bibliography Used in this Research
• Verizon Business Risk Team, “2012 Data Breach Investigations Report” and the ones corresponding to 2008 – 2011.
• PCI Security Standards Council LLC, “Payment Card Industry (PCI) Data Security Standard Navigation PCI DSS. Version 2.0”.
• C. Schou and D. Shoemaker, “Information Assurance for the Enterprise. A Roadmap to Information Security.”
• Tripwire, “PCI Basics: What it takes to be Compliant.”
• M. E. Whitman and H. J. Mattord, “Management of Information Security”.
Top Security Mechanisms – Case Study
• Australian Government:
  • Australian computer networks are being targeted by adversaries seeking access to sensitive information. A commonly used technique is social engineering, where malicious 'spear phishing' emails are tailored to entice the reader to open them.
  • The Defence Signals Directorate (DSD) has developed the Top 35 Mitigation Strategies for targeted cyber intrusions. The list is informed by DSD's experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.
Top Security Mechanisms – Case Study
• Australian Government:
  • While no single strategy can prevent this type of malicious activity, the remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD responded to in 2009, and at least 85% of the intrusions responded to in 2010.
  • Implementing the top four strategies can be achieved gradually, starting with computers used by the employees most likely to be targeted by intrusions, and eventually extending them to all users. Once this is achieved, organizations can selectively implement additional mitigation strategies based on the risk to their information.
Top Security Mechanisms – Case Study

  Ranking  Strategy                  Effectiveness  User Resistance  Cost    Maintenance Cost
  1        Patch Applications        Excellent      Low              High    High
  2        Patch Operating S.        Excellent      Low              Medium  Medium
  3        Minimize # of Users       Excellent      Medium           Medium  Low
  4        Application Whitelisting  Excellent      Medium           High    Medium
  5        Host-Based IDS            Excellent      Low              Medium  Medium
Framework Documentation
• Key components:
• Subject
• Purpose
• Scope
• Coverage
• Date
• Version
• Revision
• Approval
Source: CISA Certified Information Systems Auditor Guide
Taken with permission from Tim Marley – Cameron U. Presentation