Cyber Security: User Access Pitfalls
March 9, 2016
Agenda
1. Why is a discussion about user access important?
2. Insider Threats vs. External Threats
3. IT Security Standard Setters
4. Cost of a Breach
5. User Access Rights
6. Cloud Apps
7. Problems with Passwords
8. Data Breaches and Lessons Learned
9. Password Emerging Trends
10. Wrap Up
Why is a discussion about user access important?
Why Talk About User Access?
SECURITY IS A NEGATIVE GOAL: you succeed only when nothing bad happens, so a single overlooked account or setting is enough to lose.
• There are two keys to information security:
  • Configure the system and network correctly and keep it that way
  • Know the traffic coming into and out of your network
• Network security tasks:
  • Protection: configure as correctly as possible
  • Detection: quickly identify configuration changes or traffic anomalies
  • Reaction: respond as quickly as possible
Defense in Depth
• Layered defensive lines and countermeasures that protect the integrity of information assets
• Five layers used to build defense in depth:
  1. Perimeter Defense: firewalls segregating internal trusted zones from the Internet
  2. Network Defense: subdividing the internal network into trusted zones
  3. Host Defense: identifying and locating the information assets that need protection, then hardening the hosts that hold them
  4. Application Defense: prioritizing the information assets to be protected and controlling access within the applications that handle them
  5. Data Defense: role-based access controls on the data itself
• Cryptography is the only remaining protection for information assets when every other layer of defense in depth has failed.
Keys to implementing network security
1. Authentication, Authorization and Accounting (AAA): who you are, what you may do, and a record of what you did
2. Separation of duties, separation of services
3. Endpoint security and ubiquitous computing
4. Service-oriented architecture (SOA)
Questions to keep in mind throughout our discussion
• Where are most threats to your information assets coming from?
• What is your network access password change policy?
• Which IT guidance/frameworks are you predominantly working with now? COSO and/or COBIT and/or ISO and/or PCI?
• Does your company perform a periodic user access review? Are all user accounts reviewed, including B2B, generic/system, cloud app and 3rd party vendor accounts?
• Does your organization have a proven system for monitoring user access activity?
Insider Threats vs External Threats
Disgruntled employees and insiders pose a big hacking risk
AlgoSec's 2014 network security survey of 142 information security professionals and application owners found that:
• 73% of organizations considered insider threats, both accidental data leakage by employees and malicious breaches, to be the greatest risk.
• 64% reported that manual processes, limited visibility into security policies and poor change management practices posed the greatest challenge to effective management of network security devices.
• One in five said that aligning priorities and plans between development, security and operations teams created the greatest obstacle.
• 60% stated that their data center includes more than 50 critical business applications; 20% have more than 500.
• Respondents stated that current security management processes make balancing access to the rapidly rising number of business-critical applications against reducing system vulnerability increasingly challenging.
http://www.algosec.com/en/resources/network_security_2014
Annual reports on insider threats
[Slide: chart from annual insider-threat reports; 89% report being more at risk from insider threats]
[Slide: real-world example: an editor kept access for 2 months AFTER TERMINATION]
IT Community Comments
[Slide: screenshots of IT community comments]
IT Security Standard Setters
Notable IT standard setters
1. International Organization for Standardization (ISO)
2. PCI Security Standards Council (PCI DSS)
3. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
4. ISACA (COBIT)
Cost of a Breach
[Slide: chart from the 2015 Cost of a Data Breach study]
https://securityintelligence.com/cost-of-a-data-breach-2015/
User Access Rights
Principle of Least Privilege Access
• Defined as the practice of limiting access to the minimal level that still allows normal functioning; it applies to both human and system (service) accounts
• Originated in US Department of Defense work of the 1970s to limit the potential damage of any accidental or malicious security breach
• It is the underlying principle, and the predominant strategy, used to assure confidentiality within a network
• Role-based access control was developed to group users with common access needs, simplifying security administration and maintenance
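As an added illustration (mine, not part of the original deck) of least privilege and role-based access, and of the separation of duties listed under the keys to network security, here is a deny-by-default role check in Python. The roles, permissions, users and the "toxic" role pair are constructed for the example:

```python
"""Deny-by-default role-based access control with a separation-of-duties check.
Added example, not from the slide deck; every role, permission and user below is constructed."""

# Each role grants an explicit set of (action, resource) pairs and nothing else.
ROLE_PERMISSIONS = {
    "ap_clerk":    {("create", "vendor"), ("enter", "invoice")},
    "ap_approver": {("approve", "payment")},
    "hr_viewer":   {("read", "employee_record")},
    "sysadmin":    {("restart", "server"), ("read", "system_log")},
}

# Role pairs that one person must never hold together (separation of duties).
TOXIC_COMBINATIONS = [frozenset({"ap_clerk", "ap_approver"})]

# user -> roles; anyone not listed has no roles at all.
USER_ROLES = {"alice": {"ap_clerk"}, "bob": {"ap_approver"}, "carol": {"sysadmin"}}


def permitted(user, action, resource, user_roles=USER_ROLES):
    """True only if some role held by user explicitly grants (action, resource)."""
    return any((action, resource) in ROLE_PERMISSIONS.get(role, set())
               for role in user_roles.get(user, set()))


def sod_violations(user_roles=USER_ROLES):
    """Users who currently hold a toxic combination of roles."""
    return {user for user, roles in user_roles.items()
            if any(combo <= roles for combo in TOXIC_COMBINATIONS)}


def assign_role(user, role, user_roles=USER_ROLES):
    """Grant role to user unless the result would violate separation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    proposed = user_roles.get(user, set()) | {role}
    for combo in TOXIC_COMBINATIONS:
        if combo <= proposed:
            raise PermissionError(f"{user}: holding {sorted(combo)} together violates separation of duties")
    user_roles[user] = proposed


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, "approve payment:", permitted(user, "approve", "payment"))
    try:
        assign_role("alice", "ap_approver")
    except PermissionError as err:
        print("refused:", err)
    print("violations:", sod_violations())
```

`permitted` answers no unless a role explicitly grants the exact action on the exact resource, so a new user or an unknown action starts with nothing; `assign_role` refuses the grant that would let one person both create a vendor and approve a payment to it, the classic accounts-payable separation-of-duties control, and `sod_violations` is the check to run over an existing role assignment during a periodic review.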
Users with Elevated Access
• By default a system runs a command with the access level of the user who initiated it, so an administrator's mistake or hijacked session carries full administrative rights.
• System and domain administrators pose unique problems within a software application: application-level role checks cannot constrain someone who controls the platform underneath.

Built-in Administrators group (Windows Active Directory domain)
Description: Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group, and the Administrator account is also a default member. Because this group has full control in the domain, add users with caution.
Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
Source: https://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx
Cloud Apps
Number of Cloud Apps a Company is Using
The cloud is nothing more than someone else's computer.
• Findings released by Netskope in February 2016 (Worldwide Cloud Report) revealed that:
  • On average 917 apps are in use within each enterprise, the top categories being marketing, human resources, collaboration, storage and finance/accounting
  • 13.6% of cloud app users currently use compromised account credentials at work
  • 4.1% of enterprises have sanctioned apps that are laced with malware
  • Sanctioned apps are typically less than 5% of the total apps in use by an enterprise
https://resources.netskope.com/h/i/213041061-february-2016-worldwide-cloud-report
https://www.netskope.com/press-releases/netskope-survey-majority-of-companies-have-changed-cloud-security-strategies-as-a-result-of-ceo-and-board-level-discussions/
Top Cloud Apps Identified by Netskope
[Slide: chart of the top cloud apps by category]
Top Cloud Activities
Rank | HR Apps                                 | BI Apps                                                                                                     | Finance Apps                      | Cloud Storage
1    | Share (6 shares for every login)        | Upload                                                                                                      | Share (2 shares for every upload) | Edit
2    | View                                    | Download (users downloading sensitive employee data from HR apps, then uploading the data to cloud storage) | View                              | Create
3    | Download (2 downloads for every upload) | View                                                                                                        | Upload                            | View
Understanding Risk and Auditing User Activity
• HR apps: audit download activity and ensure that only individuals with proper privileges are executing the downloads and shares. If the data includes personally identifiable information, it could represent violations of several regulations.
• BI apps: understand the nature of the data being shared. Will it compromise the strategic plan or competitive advantages?
• Finance apps: cloud finance apps are becoming more business-critical by offering new ways to track revenue, authorize payments, pay employees, execute subscription renewals, etc.
• Both activities highlight the importance of communicating and enforcing policy at the activity (manual), system and data levels.
Problems with Passwords
Problems with Passwords
• People, process and technology are all needed to adequately secure a system
  • Left on their own, people will make the worst security decisions
  • Without any security training, people can easily be tricked into giving up their passwords
• Passwords can be insecure
  • People choose easily remembered, and therefore easily guessed or cracked, passwords
• Passwords can be easily broken
  • Free programs are available on the Internet that can "crack" passwords from a stolen hash, and they try dictionary words and common substitutions long before exhaustive search
• Passwords are inconvenient
  • Computer-generated passwords are difficult to remember and end up written down
• Passwords do not prove identity
  • Use of a password confirms only that the person typing knows the password, not who that person is
Passwords: Cloud Apps and Remote Contractors
• Cloud apps and remote contractors represent a significant risk to the overall security of the company's information assets because:
  • Cloud apps can be implemented and remote contractors can be engaged without any knowledge on the part of IT
  • Most companies do not have one central point of authority for cloud apps and remote contractors
  • There is a general lack of understanding of the scope of work for cloud apps and remote contractors, so elevated access is generally granted without any consideration of the risks
  • User access cannot be validated against Active Directory, or exceptions to the company's password policy are granted
  • One user account is shared among multiple users, so activity cannot be attributed to an individual
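The review questions earlier in the deck (are all accounts reviewed, including generic, system, cloud app and 3rd party vendor accounts?), the editor who kept access for two months after termination, and the points just above (access not validated against Active Directory, shared accounts) come down to one control: join the directory to the HR record on a schedule and act on the differences. The following is an added example, mine rather than the deck's, in Python; the two CSV inputs are constructed, as are the column layout, the review date, the 90-day staleness threshold and the privileged group names.

```python
"""Periodic user access review over a directory export and an HR extract.
Added example, not from the slide deck. Both inputs are constructed; the column names,
review date, 90-day staleness threshold and privileged-group list are assumptions."""
import csv
import io
from datetime import date, datetime

REVIEW_DATE = date(2016, 3, 9)
STALE_DAYS = 90
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed directory export: enabled flag, last logon, group membership, account kind,
# and for non-personal accounts the employee who sponsors them.
DIRECTORY_CSV = """\
account,enabled,last_logon,member_of,kind,sponsor
jsmith,True,2016-03-08,Domain Users,person,
editor1,True,2016-02-20,Domain Users;Content Editors,person,
mjones,True,2015-10-01,Domain Users;Domain Admins,person,
svc_backup,True,2016-03-09,Administrators,service,mjones
vendor-hvac,True,2015-11-02,Domain Users,vendor,editor1
shared_fin,True,2016-03-07,Finance Users,shared,
"""

# Constructed HR extract: a blank termination_date means still employed.
HR_CSV = """\
account,termination_date
jsmith,
editor1,2016-01-05
mjones,
"""


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def load_hr(hr_text):
    """account -> termination date (None while employed)."""
    return {r["account"]: _parse_date(r["termination_date"]) for r in csv.DictReader(io.StringIO(hr_text))}


def is_active_person(account, hr, review_date):
    return account in hr and (hr[account] is None or hr[account] > review_date)


def review(directory_text, hr_text, review_date=REVIEW_DATE, stale_days=STALE_DAYS):
    """Map each enabled account to its findings; an empty list means nothing to act on.
    Each finding starts with a code word, followed by detail in parentheses."""
    hr = load_hr(hr_text)
    findings = {}
    for row in csv.DictReader(io.StringIO(directory_text)):
        acct, notes = row["account"], []
        if row["enabled"] != "True":
            continue  # disabled accounts are reviewed separately for deletion
        groups = set(row["member_of"].split(";"))
        privileged = bool(groups & PRIVILEGED_GROUPS)
        idle = (review_date - _parse_date(row["last_logon"])).days
        if idle > stale_days:
            notes.append(f"STALE ({idle} days since last logon)")
        if row["kind"] == "person":
            if acct not in hr:
                notes.append("ORPHAN (no HR record)")
            elif not is_active_person(acct, hr, review_date):
                gone = (review_date - hr[acct]).days
                notes.append(f"TERMINATED_STILL_ENABLED ({gone} days after termination)")
            if privileged:
                notes.append("PRIVILEGED (confirm the role still requires it)")
        else:
            # Service, vendor and shared accounts are not in HR; they need a named, active sponsor.
            sponsor = row["sponsor"]
            if not sponsor:
                notes.append("NO_SPONSOR (nobody accountable for this account)")
            elif not is_active_person(sponsor, hr, review_date):
                notes.append(f"SPONSOR_NOT_ACTIVE ({sponsor})")
            if privileged:
                notes.append("PRIVILEGED_NON_PERSONAL (restrict rights, rotate the credential)")
            if row["kind"] == "shared":
                notes.append("SHARED_ACCOUNT (no individual accountability in the logs)")
        findings[acct] = notes
    return findings


if __name__ == "__main__":
    for account, notes in review(DIRECTORY_CSV, HR_CSV).items():
        print(f"{account:12} {'OK' if not notes else '; '.join(notes)}")
```

Run stand-alone it prints one line per enabled account. The findings to act on first are the terminated employee still enabled (64 days on the constructed data, the deck's two-month editor in miniature), the vendor account whose sponsor has left, and the privileged service account that nobody is rotating. An account that exists only in the directory, or only in HR, is a finding in its own right.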
Data Breaches and Lessons Learned
 2014, Cox was hacked by "EvilJordie," a
member of the "Lizard Squad" hacker
collective.
 The FCC's investigation found that by
posing as a Cox IT staffer, the hacker
convinced a customer service
representative to enter their user ID and
password into a fake website.
 Under the terms of the settlement, Cox
will pay the fine, identify all victims of the
breach, notify them and give them a
year of credit monitoring. The agreement
also requires Cox to conduct internal
system audits, internal threat monitoring,
penetration testing and other security
measures to prevent further hacks
29
FCC fines Cox Communications
Sony Hack: A Timeline
• Nov 24 2014: news breaks that Sony Pictures has been hacked. The "Guardians of Peace" reportedly obtained 100 terabytes of data from Sony's servers
• Nov 27 2014: 4 yet-to-be-released films were uploaded to an online file sharing site
• Dec 1 2014: pre-bonus salaries of 17 top Sony executives are leaked
• Dec 2 2014: Sony chiefs confirm the breach, and that employee information was included in the compromised data
• Dec 16 2014: Sony receives emails threatening attacks on movie theaters that show The Interview (http://www.imdb.com/title/tt2788710/)
• Dec 17 2014: Sony cancels the release of The Interview
• Dec 19 2014: the FBI confirms that North Korea was behind the cyber attack
http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/
Sony continued: how the hack happened
• The hackers gained access to Sony's network by obtaining the login credentials of a high-level systems administrator. Once they had those credentials, they held the "keys to the entire building," according to a U.S. official.
• They broke into one server that was not well protected and escalated the attack from there to gain access to the rest of the network.
• Sony's network was not segmented well enough to prevent a breach in one part from affecting other parts. In addition, the password "password" was used for 3 certificates.
• A combination of weak passwords, lack of network segmentation, alerts that were never set up or never acted on, inadequate logging and monitoring, and lack of security education, training and awareness all contributed to the Sony breach.
Target Hack: Timeline
• Nov 27 to Dec 15 2013: the data hack at Target stores exposes as many as 40 million credit- and debit-card customers to potential fraud and compromises 70 million customer records
• Dec 18 2013: news of the breach is reported by the security blog KrebsOnSecurity
• Dec 19 2013: Target acknowledges the breach publicly
• Dec 22 2013: traffic at Target stores takes a hit in the wake of the breach, with transactions down 3-4% on the last weekend of holiday shopping
http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/
Target continued: how the hack happened
• The initial intrusion was traced back to network credentials stolen from a third-party vendor, Fazio Mechanical Services, a provider of HVAC systems.
• Multiple sources told Krebs that the credentials were stolen in an email malware attack at Fazio that began at least two months before the thieves started stealing card data from Target's cash registers.
• Two sources said the malware was Citadel, a password-stealing bot program.
• Fazio stated that its data connection to Target was used exclusively for electronic billing, contract submission and project management.
• Target did not specify which apps Fazio could access, but a former Target employee said nearly all contractors access Ariba (an external billing system), Partners Online (the project management and contract submission portal), and Target's Property Development Zone portal.
• A vendor account scoped for billing and project paperwork was still the entry point: once stolen, it put the attackers on a network path that led to the rest of Target's environment.
Home Depot Hack: Timeline
• April 2014: the breach begins, undetected until September
• Sep 2 2014: Home Depot becomes aware of a large data breach when banks and law enforcement report signs that its network has been compromised
• Sep 8 2014: Home Depot confirms that its payment systems have been breached
• Nov 25 2014: Home Depot is hit with 44 civil lawsuits
Home Depot continued: how the hack happened
• Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network.
• While the vendor credentials did not allow access to the POS, the hackers acquired elevated access rights, allowing them to deploy malware on self-checkout systems in the US and Canada.
• A source close to the investigation stated that at least some store registers had been infected with a new variant of "BlackPOS" (a.k.a. "Kaptoxa"), a malware strain designed to siphon data from cards swiped on an infected point-of-sale system running Microsoft Windows.
• The malware was reported to use XOR "encryption". XOR with a fixed key is a trivial symmetric cipher, used in many applications where secrecy is not a requirement; it provides no real confidentiality, but it was enough to keep the malware and the stolen card data from matching the IDS/IPS and antivirus signatures in place at the time.
• Krebs also identified that the perpetrators appeared to be the same group of Russian and Ukrainian hackers that compromised Target, Sally Beauty, P.F. Chang's, and others.
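To make the XOR point concrete, here is an added example (mine, not the deck's and not BlackPOS code) that hides a constructed track-2 string with a single-byte XOR key, shows that a plain signature no longer matches it, and then recovers the key by trying all 256 possibilities. The sample is built around the well-known 4111... test card number; the key 0x5A is arbitrary.

```python
"""Single-byte XOR 'encryption' of harvested card data, and why it is only obfuscation.
Added example, not from the slide deck and not the BlackPOS code: the track-2 string is a
constructed sample built around a test card number, and the key is arbitrary."""
import re

# Track-2 layout: ';' start sentinel, PAN (13-19 digits), '=' separator, expiry YYMM, more data, '?' end.
TRACK2_RE = re.compile(rb";\d{13,19}=\d{4}")

# Constructed sample using the 4111... test PAN; never real cardholder data.
SAMPLE_TRACK2 = b";4111111111111111=25121010000000000000?"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_track2(blob: bytes) -> bool:
    """The plain signature check an IDS/AV rule might apply to raw bytes."""
    return TRACK2_RE.search(blob) is not None


def recover_single_byte_xor(blob: bytes):
    """Defeat the obfuscation by trying all 256 keys and keeping the one that yields track-2 data.
    Returns (key, plaintext) or None. Cost: 256 decodes, so there is no real secrecy here."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        if looks_like_track2(plain):
            return key, plain
    return None


if __name__ == "__main__":
    hidden = xor_bytes(SAMPLE_TRACK2, 0x5A)  # 0x5A is an arbitrary key for the demo
    print("raw signature matches obfuscated data:", looks_like_track2(hidden))
    key, plain = recover_single_byte_xor(hidden)
    print(f"recovered key 0x{key:02x}: {plain!r}")
```

The recovery loop is what a content-inspection rule or a forensic script can do cheaply: single-byte XOR has 255 usable keys, so "encrypted" here only means "not matching a naive string signature". Detection that looks for the pattern after trial decoding, or for the exfiltration behaviour itself (registers uploading to an unfamiliar host), is not fooled by it.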
Password Emerging Trends
Single Sign-On and Password Emerging Trends
• Single sign-on (SSO) is an authentication process that allows users to enter one user name and password to access multiple applications they have been given rights to. It concentrates risk in that one credential, so it should be paired with a second factor.
• Two-factor authentication requires a second factor from a different category to establish a user's identity: something you know (a password or PIN) combined with something you have (a token or phone) or something you are (a fingerprint or retina scan). A password plus a PIN is two things you know, not two factors.
• Password managers that encrypt and store login information for automatic login
• Establishing complex user names, such as K$@ssEr (of limited value: user names are not secrets and usually appear in email addresses and logs)
• Establishing meaningful, easy-to-remember complex passwords, e.g. t3chRock$ or $omething2about!
Benefits of Complex Passwords
http://gizmodo.com/5753868/how-long-it-takes-hackers-to-crack-your-password
[Slide: chart of estimated brute-force cracking times by length and character set]
t3chRock$: 9 characters / $omething2about!: 16 characters. Each extra character multiplies the brute-force search space by the size of the alphabet, so length matters more than any single symbol; but both examples are built from dictionary words with common substitutions, which is exactly what password crackers try first.
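The slides on password problems ("free programs ... can crack passwords") and the chart above compare passwords by brute-force time alone. The following added example (mine, not from the deck) computes that estimate for both sample passwords and then runs a small dictionary-plus-rules attack against them; the wordlist, substitution table, joiners, suffixes and the 1e10 guesses/second rate are constructed assumptions standing in for what real cracking tools ship with.

```python
"""Brute-force search space vs. a dictionary-plus-rules attack on the two sample passwords.
Added example (not from the slide deck). The wordlist, substitution table, separators and
suffixes below are constructed stand-ins for the rule sets real cracking tools ship with."""
import itertools
import string

WORDLIST = ["password", "tech", "rock", "rocks", "something", "about", "summer"]  # constructed
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}           # letter -> substitutes
SEPARATORS = ["", "2"]                                                            # joiners between two words
SUFFIXES = ["", "1", "!", "$", "123"]                                             # common tail decorations


def charset_size(pw: str) -> int:
    """Size of the alphabet a naive brute-forcer must assume from the classes present in pw."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    return sum(n for present, n in classes if any(present(c) for c in pw))


def brute_force_guesses(pw: str) -> int:
    """Worst-case guesses for exhaustive search over the assumed alphabet at this length."""
    return charset_size(pw) ** len(pw)


def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case wall-clock years at a given guess rate (1e10/s is an assumed GPU-class figure)."""
    return brute_force_guesses(pw) / guesses_per_second / (365 * 24 * 3600)


def leet_variants(word: str):
    """Every spelling of word with each letter kept or swapped for one of its substitutes."""
    options = [c + LEET.get(c, "") for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates():
    """Dictionary words and word pairs, cased, leet-mangled, joined and suffixed: a small rule set."""
    bases = [(w,) for w in WORDLIST] + [(a, b) for a in WORDLIST for b in WORDLIST]
    for base in bases:
        seps = SEPARATORS if len(base) == 2 else [""]
        for cased in itertools.product(*[(w, w.capitalize()) for w in base]):
            variants = [list(leet_variants(w)) for w in cased]
            for sep in seps:
                for mangled in itertools.product(*variants):
                    stem = sep.join(mangled)
                    for suffix in SUFFIXES:
                        yield stem + suffix


def guesses_to_crack(pw: str):
    """Number of rule-based guesses before pw is hit, or None if the rule set never produces it."""
    for n, guess in enumerate(candidates(), start=1):
        if guess == pw:
            return n
    return None


if __name__ == "__main__":
    for pw in ("t3chRock$", "$omething2about!"):
        print(f"{pw}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"brute force {brute_force_guesses(pw):.2e} guesses (~{brute_force_years(pw):.2e} years), "
              f"dictionary+rules {guesses_to_crack(pw)} guesses")
```

Both passwords survive exhaustive search for a long time on paper, the 16-character one astronomically so, yet both fall to a few hundred thousand rule-based guesses because each is two dictionary words with predictable substitutions and a suffix. The check a practitioner wants is therefore not a length-times-alphabet formula but a run of the organisation's own password hashes through a cracker with a good wordlist and rule set.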
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." — Gene Spafford
An American professor of computer science at Purdue University and a leading computer security expert.

"The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together." — Bruce Schneier
An American cryptographer, computer security and privacy specialist, and writer.
Questions to keep in mind throughout our discussion
• Where are most threats to your information assets coming from?
• What is your network access password change policy?
• Which IT guidance/frameworks are you predominantly working with now? COSO and/or COBIT and/or ISO and/or PCI?
• Does your company perform a periodic user access review? Are all user accounts reviewed, including B2B, generic/system, cloud app and 3rd party vendor accounts?
• Does your organization have a proven system for monitoring user access activity?
Win your very own copy of Friggin' Bean Counters
Who can tell me the name of the hacker collective that EvilJordie belongs to?
The Lizard Squad
• Largely responsible for denial of service attacks on social media websites and gaming-related services
• Known members are teens and young adults
Wrap Up
Are there solutions?
Security is a negative goal. People need to be considered a part of the security design.
• End user information security awareness training
• A robust password policy and strict adherence to that policy
• Establish a central point of contact to manage contractors and other 3rd party access
• Changes to established roles are made through a change management process
• Review every account, including generic, service, vendor and cloud app accounts, on a fixed cycle, and remove access the day employment or a contract ends
Best Practices for Administrative Accounts
• Segregate and secure administrative passwords
• Create a decoy admin account
• Limit the number of service admin accounts
• Separate admin and user accounts for admins
• Assign trustworthy staff
• Limit admin rights to only those rights needed
• Control the admin logon process
• Secure admin workstations
https://technet.microsoft.com/en-us/library/cc700835.aspx
Data breaches may cost less than the security to prevent them
• Benjamin Dean presented a hard-to-disagree-with argument for why things security-wise "ain't gonna change" soon
• Examining the actual expenses from the Sony, Target and Home Depot breaches shows that each company's net cost was a small fraction of annual revenue:
  • Target: $252 million gross; $105 million after insurance and tax deductions, roughly 0.1% of gross revenues
  • Home Depot: $28 million net after a $15 million insurance reimbursement, well under 0.1% of gross revenues
  • Sony: $35 million for the fiscal year ending March 31, representing 0.9% to 2% of Sony's total projected sales for 2014
• At those numbers the incentive to invest ahead of a breach is weak unless regulators, insurers or customers change the arithmetic.
http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/
Additional Resources
• Cybersecurity: What the Board of Directors Needs to Ask
  https://na.theiia.org/special-promotion/PublicDocuments/GRC-Cybersecurity-Research-Report.pdf
• 5 Top Regulatory Compliance Concerns for Financial Services
  https://www.roberthalf.com/management-resources/blog/5-top-regulatory-compliance-concerns-for-financial-services
Community & Sharing
Join Our LinkedIn Group: COSO Framework Discussion & Webinars
Technical community sharing ideas, templates, webinars and advice; learn from others implementing the new framework.
Share your latest templates here!
https://www.linkedin.com/groups/COSO-Implementation-4888186/about
Community & Sharing
Join our LinkedIn group: Friggin' Bean Counters
Accounting, project management and IT professionals come together to share ideas, learn from each other, or if necessary, vent frustrations.
https://www.linkedin.com/groups/6985169
Information Security Best Practices and Standard of Care
[Slide: review-cadence diagram with weekly, monthly, quarterly and annual activities]
Compliance Made Simple ™
User Access Procedure Diagnostic (intake, benchmark, internal threat analysis)
Email us for 5 SPOTS ONLY: Info@avivaspectrum.com, subject: USER ACCESS
Aviva Spectrum is HIRING
1. SOX 404 Senior Internal Auditors
2. IT auditors
3. SEC Reporting Managers
4. Cybersecurity consultants
Email: Careers@avivaspectrum.com
Questions?
Speaker Contacts
Karla Sasser, Senior Associate, Aviva Spectrum
Connect: www.linkedin.com/in/karlasasser
e-mail: Karla.Sasser@avivaspectrum.com
Phone: (818) 384-8846
User_Access_IIA-LA_3-9-2016
  • 1.
    Cyber Security: User AccessPitfalls March 9, 2016 1
  • 2.
    Agenda 1. Why isa discussion about user access important? 2. Insider Threats vs. External Threats 3. IT Security Standard Setters 4. Cost of a Breach 5. User Access Rights 6. Cloud Apps 7. Problems with Passwords 8. Data Breaches and Lessons Learned 9. Password Emerging Trends 10.Wrap Up 2
  • 3.
    Why is adiscussion about user access important? 3
  • 4.
    Why Talk AboutUser Access? SECURITY IS A NEGATIVE GOAL.  There are exactly two keys to information security  Configure the system and network correctly and keep it that way  Know the traffic coming into and out of your network  Network security tasks  Protection – configure as correctly as possible  Detection – quickly identify configuration changes or traffic issues  Reaction – respond as quickly as possible 4
  • 5.
    Defense in depth Security defensive lines and countermeasures to protect the integrity of information assets  Five architectures to develop defense in depth 1. Perimeter Defense - Firewalls for segregating internal trusted zones from the internet 2. Network Defense - Subdividing the internal network into trusted zones 3. Host Defense - Identify and locate information assets that need protection 4. Application Defense - Prioritize the information assets to be protected 5. Data Defense - Role based access controls  Cryptography is the only remaining protection for information assets when defense in depth fails. 5
  • 6.
  • 7.
    Keys to implementingnetwork security 1. Access, Authentication, Authorization (AAA) 2. Separation of duties, separation of services 3. Endpoint security and ubiquitous computing 4. Service-oriented architecture (SOA) 7
  • 8.
    Questions to keepin mind throughout our discussion  Where are most threats to your information assets coming from?  What is your network access password change policy?  Which IT Guidance/Frameworks are you predominantly working with now? COSO and/or COBIT and/or ISO and/or PCI?  Does your company perform an periodic user access review? Are all user accounts reviewed, including B2B, generic/system, cloud apps and 3rd party vendors?  Does your organization have a proven system for monitoring user access activity? 8
  • 9.
    Insider Threats vsExternal Threats 9
  • 10.
    Disgruntled employees andinsiders pose big hacking risk  73% of organizations considered insider threats—both accidental data leakage by employees and malicious breaches to be the greatest risk.  64% reported that manual processes, limited visibility into security policies and poor change management practices posed the greatest challenge to effective management of network security devices.  one in five said that aligning priorities and plans between development, security and operations teams created the greatest obstacle  60% stated that their data center includes more than 50 critical business applications, 20% have more than 500.  142 information security professionals and application owners state that current security management processes make balancing access to the rapidly rising number of business critical applications and reducing system vulnerability increasingly challenging 10 http://www.algosec.com/en/resources/network_security_2014
  • 11.
    Annual reports on– insider threats11 89% - More at risk from insider threats
  • 12.
    Editor – 2months w/access AFTER TERMINATION 12
  • 13.
  • 14.
  • 15.
    Notable IT standardsetters 1. International Organization for Standardization (ISO) 2. PCI Security Standards Council, LLC (PCI-DSS) 3. Committee of Sponsoring Organizations of the Treadway Commission (COSO) 4. ISACA (COBIT) 15
  • 16.
    Cost of aBreach! 16
  • 17.
    Cost of aData Breach 17 https://securityintelligence.com/cost-of-a-data-breach-2015/
  • 18.
  • 19.
    Principle of LeastPrivilege Access  Defined as the practice of limiting access to the minimal level that will allow normal functioning and is applied to both human and system user access Originated by the US Department of Defense in the 1970’s to limit potential damage of any accidental or malicious security breach It is the underlying principle and the predominate strategy used to assure confidentiality within a network  Role-based access was developed to group users with common access needs, simplifying security and security maintenance 19
  • 20.
    Users with ElevatedAccess  By default systems will process commands based on the level of access the user who initiated the command has.  System and domain administrators pose unique problems within a software application. 20 Group Description Default user rights Administrators Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution. Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects. https://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx
  • 21.
  • 22.
    Number of CloudApps a Company is Using The cloud is nothing more than someone else’s computer.  Survey results released by Netskope, February 2016 revealed that  On average 917 apps are in use within each enterprise with the top categories being marketing, human resources, collaboration, storage and finance / accounting 13.6% of cloud app users currently use compromised account credentials at work. 4.1% of enterprises have sanctioned apps that are laced with malware Sanctioned apps are typically less than 5% of the total apps in use by an enterprise. 22 https://resources.netskope.com/h/i/213041061-february-2016-worldwide-cloud-report https://www.netskope.com/press-releases/netskope-survey-majority-of-companies-have-changed-cloud-security-strategies-as-a-result-of-ceo-and-board-level-discussions/
  • 23.
    Top Cloud AppsIdentified by Netskope 23
  • 24.
    Top Cloud Activities24 HRApps BI Apps Finance Apps 1 Share - 6 shares for every login Upload Share - 2 shares for every upload Edit 2 View Download -users downloading sensitive employee data from HR apps, then uploading the data to cloud storage View Create 3 Download - 2 downloads for every one upload View Upload View Audit download activity and ensure that only individuals with proper privileges are executing the downloads and shares. If the data includes personally identifiable information, it could represent violations to serveral regulations. Understand the nature of the data being shared. Will it compromise the strategic plan or competitive advantages. Cloud finance apps are becoming more business- critical by offering new ways to track revenue, authorize payments, pay employees, execute subscription renewals, etc.* Understanding Risk and Auditing User Activity Both activities highlight the importance of communicating and enforcing policy at both the activity (manual), system and data level Cloud Storage
  • 25.
  • 26.
    Problems with Passwords People, process and technology are all needed to adequately secure a system  When left on their own, people will make the worst security decisions  Without any security training, people can be easily tricked into giving up their passwords  Passwords can be insecure  People will choose easily remembered and easily guessed/cracked passwords  Passwords can be easily broken  Free programs are available on the Internet that can “crack” passwords  Passwords are inconvenient  Computer generated passwords can be difficult to remember and are written down  Passwords do not have any authority  Use of a password does not confirm the identity of the user entering the password 26
  • 27.
    Passwords - CloudApps and Remote Contractors  Cloud apps and remote contractors represent a significant risk to the overall security of the company’s information assets because:  Cloud apps can be implemented and remote contractors can be engaged without any knowledge from IT  Most companies do not have one central point of authority for cloud apps and remote contractors  There is a general lack of understanding of the scope of work for cloud apps and remote contractors so elevated access is generally granted without any consideration of the risks  User access cannot be validated against active directory or there are exceptions to the company’s password policy granted  One user account is shared among multiple users 27
  • 28.
    Data Breaches andLessons Learned 28
  • 29.
     2014, Coxwas hacked by "EvilJordie," a member of the "Lizard Squad" hacker collective.  The FCC's investigation found that by posing as a Cox IT staffer, the hacker convinced a customer service representative to enter their user ID and password into a fake website.  Under the terms of the settlement, Cox will pay the fine, identify all victims of the breach, notify them and give them a year of credit monitoring. The agreement also requires Cox to conduct internal system audits, internal threat monitoring, penetration testing and other security measures to prevent further hacks 29 FCC fines Cox Communications
  • 30.
     Nov 242014 – News breaks that Sony Pictures has been hacked.  The “Guardians of Peace” obtained 100 terabytes of data from the servers  Nov 27 2014 – 4 yet to be released films were uploaded to an online file share site  Dec 1 2014 – pre-bonus salaries of 17 top Sony executives are leaked  Dec 2 2014 – Sony chiefs confirm the breach, and employee information was included in the compromised data  Dec 16 2014 – Sony receives emails threatening to attack movie theaters that show The Interview http://www.imdb.com/title/tt2788710/  Dec 17 2014 – Sony cancels the release of The Interview  Dec 19 2014 – The FBI confirms that North Korea was behind the cyber attack 30 Sony Hack: A Timeline http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/
  • 31.
    Sony continued –How the hack happened  The hackers gained access to Sony’s network by obtaining the login credentials of a high-level systems administrator. Once hackers obtained the credentials, they were granted “keys to the entire building,” according to a U.S. official.  They hacked into one server that was not well protected, and escalated the attack to gain access to the rest of the network.  Sony’s network was not layered well enough to prevent breaches occurring in one part from affecting other parts. In addition, the password “password” was used in 3 certificates.  A combination of weak passwords, lack of server layering, not responding to alerts or setting up alerts, inadequate logging and monitoring, and lack of Security Education Training and Awareness all contributed to the Sony Breach. 31
  • 32.
    32  Nov 27– Dec 15 2013 - data hack at Target stores exposes as many as 40 million credit- and debit-card customers to potential fraud and compromised 70 million customer records  Dec 18 2013 - News of the breach is reported by data and security blog KrebsOnSecurity.  Dec 19 2013 - Target acknowledges the breach of information publicly  Dec 22 2013 - Traffic at Target stores takes a hit in the wake of the security breach, with transactions down by 3-4% on the last weekend of holiday shopping Target Hack: Timeline http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/
  • 33.
Target continued – How the hack happened
 The initial intrusion was traced back to network credentials stolen from a third-party vendor, Fazio Mechanical Services, a provider of HVAC systems
 Multiple sources told Krebs that the credentials were stolen in an email malware attack at Fazio that began at least two months before the thieves started stealing card data from Target cash registers
 Two sources said the malware was Citadel, a password-stealing bot program
 Fazio stated that its data connection to Target was used exclusively for electronic billing, contract submission and project management
 Target did not specify which applications Fazio could reach, but a former Target employee said nearly all contractors access Ariba (an external billing system), Partners Online (the project management and contract submission portal) and Target’s Property Development Zone portal
33
  • 34.
Home Depot Hack: Timeline
 Sep 2 2014 – Home Depot became aware of a large data breach that had started in April 2014. Banks and law enforcement notified Home Depot that there were signs its network had been compromised
 Sep 8 2014 – Home Depot confirmed that its payment security systems had been breached
 Nov 25 2014 – Home Depot had been hit with 44 civil lawsuits
34
  • 35.
Home Depot continued – How the hack happened
 Criminals used a third-party vendor’s user name and password to get inside the perimeter of Home Depot’s network
 The vendor credentials did not give access to the POS systems, but the attackers acquired elevated access rights that allowed them to deploy malware on the self-checkout systems in the US and Canada
 A source close to the investigation stated that at least some store registers had been infected with a new variant of “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards swiped on an infected point-of-sale system running Microsoft Windows
 The malware was reported to use XOR encryption, a trivial symmetric cipher found in many applications where security is not a requirement. XOR is worthless as encryption, but obscuring the harvested card data with it was enough to keep the malware and its traffic from matching the IDS/IPS and antivirus signatures in place at the time; signature-based detection only sees byte patterns it has been told to look for
 Krebs also identified that the perpetrators appeared to be the same group of Russian and Ukrainian hackers that compromised Target, Sally Beauty, P.F. Chang’s and others
35
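The XOR point above is worth seeing in code. The following is an added example (not code from the slides and not the BlackPOS malware's own code): it shows that a card-data signature that works on plain Track 2 data sees nothing once a single-byte XOR is applied, and then shows the cheap counter a detection engineer uses, sweeping all 256 keys and Luhn-checking whatever looks like a card number. The Track 2 record, the key byte and the "exfil blob" framing are all constructed for the example; they are not BlackPOS's real format.

```python
"""Added example (not from the slides, not BlackPOS code): single-byte XOR
versus a card-data signature, and the 256-key sweep that defeats it.

Constructed inputs: the Track 2 record uses the well-known test PAN
4111111111111111 with an invented expiry and discretionary data; the blob
framing and the key byte are assumptions, not the real malware's format.
"""
import re

# Track 2 data is  PAN '=' YYMM service-code discretionary-data, with 13-19
# digit PANs.  A pattern like this is what a DLP/IDS card-data signature keys on.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})\d*\??")


def luhn_ok(pan):
    """Luhn check so an arbitrary run of digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def xor_bytes(data, key):
    """Single-byte XOR; the same function both obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def find_track2(data):
    """PANs in `data` that match the Track 2 layout and pass Luhn."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(data)
            if luhn_ok(m.group(1).decode())]


def recover_xor_track2(blob):
    """Brute-force all 256 single-byte keys; return {key: [PANs]} for keys that
    yield card data.  Key 0 is the plaintext case, so unobfuscated exfil is
    caught by the same pass."""
    hits = {}
    for key in range(256):
        pans = find_track2(xor_bytes(blob, key))
        if pans:
            hits[key] = pans
    return hits


# Constructed sample: one swipe as a RAM scraper would lift it from a POS process.
SAMPLE_TRACK2 = b";4111111111111111=25121011234567890?"
XOR_KEY = 0x5A                                            # invented key byte
EXFIL_BLOB = xor_bytes(b"LOG1|" + SAMPLE_TRACK2 + b"|END", XOR_KEY)

if __name__ == "__main__":
    # The plain signature is blind to the obfuscated blob ...
    print("signature on raw blob:", find_track2(EXFIL_BLOB))        # []
    # ... but a 256-key sweep recovers both the PAN and the key in one pass.
    print("after key sweep:", recover_xor_track2(EXFIL_BLOB))       # {90: ['4111111111111111']}
```

The sweep costs 256 regex passes per captured blob, which is cheap enough to run on every outbound flow from a POS segment; it is the same idea as the `xorsearch`-style tools analysts use on suspicious binaries. It does not help against a real cipher with a real key, which is why the stronger control in this deck is keeping vendor credentials away from the POS segment in the first place.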
  • 36.
  • 37.
Single Sign-On and Password Emerging Trends
 Single sign-on is an authentication process that lets a user enter one user name and password to reach every application they have been granted rights to. The same property makes the SSO credential a high-value target: one compromise opens every connected application
 Two-factor authentication requires factors of two different types to establish a user’s identity: something you know (a password or PIN), something you have (a hardware token or a code sent to a registered phone) and something you are (a fingerprint or retina scan). A password plus a PIN is still one factor, because both are things you know
 Password managers that encrypt and store login information and fill it in automatically
 Establishing complex user names, such as K$@ssEr. A user name is an identifier rather than a secret, and it shows up in logs, email addresses and directory lookups, so this adds little once an attacker is targeting a specific account
 Establishing meaningful, easy-to-remember complex passwords such as t3chRock$ or $omething2about!
37
  • 38.
Benefits of Complex Passwords
http://gizmodo.com/5753868/how-long-it-takes-hackers-to-crack-your-password
t3chRock$ – 9 characters / $omething2about! – 16 characters
38
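Crack-time charts like the one linked above assume the attacker brute-forces every combination. The following is an added example, not code from the slides, that computes that brute-force keyspace for the two sample passwords and then shows why "meaningful, easy to remember" passwords built from words are cheaper than the chart suggests: a dictionary attack with a few mangling rules reaches both of them in a few thousand guesses. The guess rate, the four-word list and the substitution and suffix rules are constructed assumptions (real attacks use millions of words and hundreds of rules); the keyspace arithmetic is exact.

```python
"""Added example, not from the slides: brute-force keyspace versus a
dictionary-plus-mangling attack for the slide's two sample passwords.
The word list, rules and guess rate below are constructed assumptions.
"""
import itertools
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}   # assumed substitutions

# Constructed attacker inputs: a tiny word list plus a handful of rules.
WORDS = ["tech", "rock", "something", "about"]
JOINERS = ["", "2"]
SUFFIXES = ["", "$", "!", "1", "123", "2016"]


def alphabet_size(password):
    """Size of the character-class union a brute-force attacker must cover."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password):
    """Worst-case guesses for pure brute force at this length and alphabet."""
    return alphabet_size(password) ** len(password)


def brute_force_seconds(password, guesses_per_second=10**10):
    """Assumed rate: ~1e10/s is one GPU against a fast, unsalted hash."""
    return keyspace(password) / guesses_per_second


def mangled(word):
    """Case and per-character leet variants of one word (hashcat-style rules)."""
    for cased in (word, word.capitalize()):
        options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in cased]
        for combo in itertools.product(*options):
            yield "".join(combo)


def candidates():
    """Dictionary attack order: single words, then word pairs, each with suffixes."""
    stems = []
    for w in WORDS:
        stems.extend(mangled(w))
    for w1, w2 in itertools.permutations(WORDS, 2):
        for a in mangled(w1):
            for joiner in JOINERS:
                for b in mangled(w2):
                    stems.append(a + joiner + b)
    for stem in stems:
        for suffix in SUFFIXES:
            yield stem + suffix


def guesses_until_found(password):
    """Dictionary guesses needed to hit `password`, or None if the rules miss it."""
    for n, guess in enumerate(candidates(), start=1):
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    for pw in ("t3chRock$", "$omething2about!"):
        print(f"{pw}: alphabet {alphabet_size(pw)}, keyspace {keyspace(pw):.2e}, "
              f"brute force ~{brute_force_seconds(pw) / 86400 / 365:.1e} years, "
              f"dictionary guesses {guesses_until_found(pw)}")
```

The brute-force estimate for t3chRock$ is on the order of years at this rate and for $omething2about! effectively infinite, yet both fall to the tiny rule set in well under 15,000 guesses. Length and unpredictability are what matter; a password manager generating random strings, or a long passphrase of unrelated words, stays outside both attack models.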
  • 39.
Securing an environment of Windows platforms from abuse – external or internal – is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted.
— Gene Spafford, an American professor of computer science at Purdue University and a leading computer security expert
The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.
— Bruce Schneier, an American cryptographer, computer security and privacy specialist, and writer
39
  • 40.
Questions to keep in mind throughout our discussion
 Where are most threats to your information assets coming from?
 What is your network access password change policy?
 Which IT Guidance/Frameworks are you predominantly working with now? COSO and/or COBIT and/or ISO and/or PCI?
 Does your company perform a periodic user access review? Are all user accounts reviewed, including B2B, generic/system, cloud apps and 3rd party vendors?
 Does your organization have a proven system for monitoring user access activity?
40
  • 41.
Win your very own copy of Friggin’ Bean Counters
Who can tell me the name of the hacker collective that EvilJordie belongs to?
41
  • 42.
The Lizard Squad
 Largely responsible for denial of service attacks on social media websites and gaming-related services
 Known members are teens and young adults
42
  • 43.
  • 44.
    Are there solutions? Securityis a negative goal. People need to be considered a part of the security design  End User Information Security Awareness Training  A robust password policy and strict adherence to that policy  Establish a central point of contact to manage contractors and other 3rd party access  Changes to established roles are done through a change management process. 44
  • 45.
Best Practices for Administrative Accounts
 Segregate and secure administrative passwords
 Create a decoy admin account
 Limit the number of service admin accounts
 Separate admin and user accounts for admins
 Assign trustworthy staff
 Limit admin rights to only those rights needed
 Control the admin logon process
 Secure admin workstations
45
https://technet.microsoft.com/en-us/library/cc700835.aspx
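Slide 40 asks whether every account, including vendor and generic/system accounts, gets a periodic review; slide 44 calls for a central point of contact for third-party access; slide 45 asks for separate admin and user accounts. The following is an added example, not from the slides and not any vendor's product, of the minimal reconciliation such a review performs: it joins an account inventory against the HR roster and the vendor contract register and reports the findings the Target and Home Depot cases turned on (vendor accounts that outlived their contract, accounts whose owner has left, generic accounts nobody owns, dormant accounts, admins with no everyday account). The inventory, roster, register and the 90-day dormancy threshold are constructed sample data and an assumed policy value.

```python
"""Added example, not from the slides: a periodic user access review as a
reconciliation of accounts against HR and vendor records.
All data below is constructed; the 90-day threshold is an assumed policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2016, 3, 9)          # presentation date, used as "today"
DORMANT_AFTER = timedelta(days=90)      # assumed policy threshold


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                  # "user", "admin", "service" or "vendor"
    owner: str                 # employee ID, vendor ID, or "" if nobody on record
    last_logon: Optional[date]
    enabled: bool = True


# Constructed HR roster: employee ID -> still employed?
HR_ACTIVE = {"E100": True, "E101": True, "E102": False}          # E102 has left
# Constructed vendor register: vendor ID -> contract end date
VENDOR_CONTRACT_END = {"V7": date(2016, 6, 30), "V8": date(2015, 12, 31)}

# Constructed account inventory (what a directory export would give you).
ACCOUNTS = [
    Account("alice", "user", "E100", date(2016, 3, 1)),
    Account("alice-adm", "admin", "E100", date(2016, 3, 8)),
    Account("bob-adm", "admin", "E101", date(2016, 3, 8)),         # no plain account
    Account("carol", "user", "E102", date(2016, 1, 5)),            # owner has left
    Account("hvac-vendor", "vendor", "V8", date(2016, 2, 20)),     # contract expired
    Account("billing-vendor", "vendor", "V7", date(2015, 10, 1)),  # dormant
    Account("svc_backup", "service", "", date(2016, 3, 8)),         # nobody owns it
    Account("svc_legacy", "service", "E101", None, enabled=False),
]


def review(accounts, today=REVIEW_DATE):
    """Return (account name, finding) pairs for the reviewer to act on."""
    findings = []
    # Owners who hold an enabled everyday account; admins must appear here too.
    user_owners = {a.owner for a in accounts if a.kind == "user" and a.enabled}
    for a in accounts:
        if not a.enabled:
            continue                       # disabled accounts: out of scope here
        if a.kind in ("user", "admin") and not HR_ACTIVE.get(a.owner, False):
            findings.append((a.name, "orphaned: owner not an active employee"))
        if a.kind == "vendor":
            end = VENDOR_CONTRACT_END.get(a.owner)
            if end is None or end < today:
                findings.append((a.name, "vendor contract missing or expired"))
        if a.kind == "service" and not a.owner:
            findings.append((a.name, "generic/service account with no named owner"))
        if a.kind == "admin" and a.owner not in user_owners:
            findings.append((a.name, "admin has no separate everyday user account"))
        if a.last_logon is None or today - a.last_logon > DORMANT_AFTER:
            findings.append((a.name, "dormant: no logon in 90 days"))
    return findings


if __name__ == "__main__":
    for name, finding in review(ACCOUNTS):
        print(f"{name:16} {finding}")
```

The point of the join is that the directory alone cannot answer slide 40's question; the authoritative facts (who still works here, which contracts are still open) live elsewhere, and the review is only as good as the feeds it reconciles against. Disabled accounts are skipped here for brevity; a production review would also list them for deletion after a retention period.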
  • 46.
Data breaches may cost less than the security to prevent them
 Benjamin Dean presented a hard-to-disagree-with defense of why things security-wise "ain't gonna change" soon
 Examining the actual expenses from the Sony, Target and Home Depot breaches, the total amounts to less than 1% of each company's annual revenues
Target – Gross breach cost $252 million; $105 million after insurance and tax deductions, roughly 0.1% of gross revenues
Home Depot – Net breach cost $28 million after a $15 million insurance reimbursement, 0.01% of gross revenues
Sony – $35 million for the fiscal year ending March 31, representing 0.9% to 2% of Sony's total projected sales for 2014
46
http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/
  • 47.
Additional Resources
 CYBERSECURITY – WHAT THE BOARD OF DIRECTORS NEEDS TO ASK
https://na.theiia.org/special-promotion/PublicDocuments/GRC-Cybersecurity-Research-Report.pdf
 5 Top Regulatory Compliance Concerns for Financial Services
https://www.roberthalf.com/management-resources/blog/5-top-regulatory-compliance-concerns-for-financial-services
47
  • 48.
Community & Sharing
Join Our LinkedIn Group: COSO Framework Discussion & Webinars
Technical community for sharing ideas, templates and webinars, and for advice and learning from others implementing the new framework. Share your latest templates here!
https://www.linkedin.com/groups/COSO-Implementation-4888186/about
48
  • 49.
Community & Sharing
Join our LinkedIn group: Friggin’ Bean Counters
Accounting, Project Management and IT professionals come together to share ideas, learn from each other, or if necessary, vent frustrations.
https://www.linkedin.com/groups/6985169
49
  • 50.
Information Security Best Practices and Standard of Care
[Chart: recommended security activities grouped by cadence – Weekly, Monthly, Quarterly, Annual]
50
  • 51.
Compliance Made Simple™
User Access Procedure Diagnostic
Email us for 5 SPOTS ONLY: [email protected]
SUBJECT: USER ACCESS
Internal Threat Analysis Benchmark In-take
51
  • 52.
Compliance Made Simple™
Aviva Spectrum is HIRING
1. SOX 404 – Senior Internal Auditors
2. IT Auditors
3. SEC Reporting Managers
4. Cybersecurity Consultants
Email: [email protected]
52
  • 53.
  • 54.
Compliance Made Simple™
Speaker Contacts
Karla Sasser, Senior Associate, Aviva Spectrum
Connect: www.linkedin.com/in/karlasasser
e-mail: [email protected]
PHONE: (818) 384-8846
54