
Management – An Achilles Heel of Information Assurance Security: A Case Study of Verizon’s Data Breach Reports


Presentation Transcript


  1. Management – An Achilles Heel of Information Assurance Security: A Case Study of Verizon’s Data Breach Reports

    Dr. Pedro A. Diaz-Gomez Cameron University Ing. Alfonso Valencia and Ing. Luis E. Gomez Universidad Piloto de Colombia
  2. Outline
     Motivation
     Introduction
     PCI Security Standards
     Statistics Verizon: What, Who (who made and who discovered), Where data breaches occurred, How data breaches occurred, How long data is compromised without discovery, Why
  3. Outline (continued)
     Information Assurance & Security Management System
     Information Technology GRC (Governance, Risk and Compliance)
     Risk Management
     Security Architecture as Systematic Approach
     Recommendations & Conclusions: Simple countermeasures prevent up to an average of 59% of data breaches; simple and intermediate countermeasures prevent an average of 90.6% of data breaches
     Appendix
  4. Motivation
     As society becomes increasingly interconnected electronically, and as hacktivism and new avenues for obtaining data and information become available, the assurance and security of data and information in businesses become more critical, not only as a legal requirement or a matter of business compliance, but also as a responsibility to customers and as a step in business continuity.
  5. Motivation
     Attacks on data and information are a continual threat, but it has been shown that basic countermeasures can detect some of them at early stages of penetration or misuse.
     "Attackers can simply wait for a patch to be released, reverse engineer it and produce a working exploit within seconds. Coupled with a worm, all vulnerable hosts could be compromised before most are even aware a patch is available, let alone download it." Bruce Schneier
  6. Motivation
     This presentation focuses on managerial principles intended to help organizations prevent data breaches, and it presents a systematic view of Information Security Management.
  7. Introduction
     The basic recommendations proposed in this presentation can be seen as steps on the ladder of quality improvement suggested by managerial principles: the information assurance/security management system of planning, doing, evaluating and updating as a continual process.
  8. Introduction (figure: Attackers vs. Responders)
     Attackers of computer resources are developing new techniques that allow sophisticated penetrations and anti-forensics. In response, security policies, procedures, standards, and computer and network countermeasures have been proposed. However, a fault in management has allowed computer penetrations to permeate organizations without notice for hours, days, months and even years (Verizon's Data Breach Reports).
  9. The PCI Security Standards
     The PCI security standards are private and mandatory for institutions, and their partners, that offer electronic card payment. Non-compliance can result in monetary sanctions, revocation of services and loss of prestige (Tripwire). A security policy for an organization belonging to the card industry must therefore include a policy regarding PCI compliance.
  10. PCI Security Standards
     PCI proposes a proactive approach: security testing of computer systems, applications, networks and security mechanisms, which anticipates the discovery of vulnerabilities and weaknesses that can then be remediated depending on the risk and on the benefit/cost of countermeasures. Proactive!
     (Image used with permission from Tim Marley, Cameron University presentation.)
  11. Payment Card Industry – Data Security Standard
     (Figure taken with permission from Tim Marley, Cameron University presentation.)
  12. Statistics Verizon
     Why Verizon? Because those reports reflect forensic investigations of actual data breaches. It needs to be emphasized that the economic sectors presented in Verizon's reports are those in which Verizon has done investigations; they are not necessarily a statistical sample selected to make inferences about any organization.
  13. Statistics Verizon
     However, from these reports organizations can learn from such experiences or, unfortunately, from the bad experiences of others.
  14. Statistics Verizon - What
     (Charts: Percentage of Data Breaches by Sector; Target Organizations & PCI Compliant.)
     (*) Larger organizations only, i.e., more than 1,000 employees. (!) Remaining percentage unknown.
  15. Statistics Verizon - Who
     (Charts: Who Made Data Breaches; Who Discovered Data Breaches.)
  16. Statistics Verizon - Where
     (Chart: Where Data Breaches Occurred.)
  17. Statistics Verizon - How
     (Chart: How Data Breaches Occurred.)
  18. Statistics Verizon - How
     (Charts: Difficulty of Data Breaches, where 8% is reported as unknown; Difficulty of Countermeasures, where 3% is reported as unknown.)
  19. Statistics Verizon – How Long…
     Phase                                   | Seconds | Minutes | Hours | Days | Weeks | Months | Years
     Initial Attack to Initial Compromise    |   10%   |   75%   |  12%  |  2%  |  0%   |   1%   |  0%
     Initial Compromise to Data Exfiltration |    8%   |   38%   |  14%  | 25%  |  8%   |   8%   |  0%
     Initial Compromise to Discovery         |    0%   |    0%   |   2%  | 13%  | 29%   |  54%   |  2%
     Discovery to Containment/Restoration    |    0%   |    1%   |   9%  | 32%  | 38%   |  17%   |  4%
     Source: Verizon's 2012 Data Breach Investigations Report.
  20. Statistics Verizon - Why (2012 Report)
     Compliance: the lowest percentage (4%) since 2004.
     Financial institutions among larger organizations continue at a steady percentage of data breaches (28%) since 2008.
     Larger organizations are certainly targeted (50%): "Becoming a target of choice is just one of those things that comes with the territory of having a higher profile and/or being known to possess valuable assets" (Verizon's 2011 report).
     Hacktivism growing (95%) since 2008.
  21. Statistics Verizon - Why (2012 Report)
     Highest percentage of data breaches occurred in user devices (60%) since 2004.
     Parties external to the organization discovered data breaches at the highest rate (92%) since 2004, and active participation of insiders in discovery was the lowest (2%).
     Difficulty to commit a data breach reported as the lowest (~0%) since 2004 (with 8% reported as unknown).
     Difficulty of the corresponding countermeasures reported as the lowest (3%) since 2004.
     Initial attack to compromise takes at most minutes (85%), as does data exfiltration (46%), but the majority of discoveries take months (54%).
  22. Information Assurance & Security Management System
  23. Information Assurance & Security Management System
     (Figure: shell idea taken from S. Heim, The Resonant Interface.)
  24. Risk Management
     NIST SP 800-30: "Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization's information assets, and therefore its mission, from IT-related risk." National Institute of Standards and Technology
  25. Information Assurance & Security Management System – Security Architecture
     (Figure adapted from M. E. Whitman and H. J. Mattord.)
  26. Security Architecture as Systemic Approach
     (Cloud image from http://itstechsolved.com/cloud-computing/)
  27. Simple Countermeasures Prevent up to an Average of 59% of Data Breaches
     - Assignment of least privilege.
     - Monitoring of event logs, passwords, firewall configurations, anti-virus, physical and logical accesses, and backups.
     - Encryption of sensitive data.
  28. Simple & Intermediate Countermeasures Prevent an Average of 90.6% of Data Breaches
     - Patching operating systems and applications.
     - Prevention of malware.
     - Assignment of least privilege.
     - Monitoring of event logs, passwords, firewall configurations, anti-virus, physical and logical accesses, and backups.
     - Encryption of sensitive data.
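The two countermeasure slides above name "monitoring of event logs" and "assignment of least privilege" as simple controls, and the timing table shows why they matter: compromise takes minutes while discovery takes months. The following Python script is an added example, not part of the presentation or of Verizon's reports. It runs two detections over a few constructed auth-log lines: repeated failed logins from one source followed by a success (the kind of early-stage signal the slides say basic monitoring can catch), and a privileged command run by an account that the (constructed) least-privilege policy does not allow. The log format, host names, addresses, user names, threshold and allow-list are all assumptions chosen for the example.

```python
"""Event-log monitoring and least-privilege check (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an sshd/sudo style; not taken from any real system.
SAMPLE_LOG = """\
2012-06-01T02:14:05 host1 sshd: Failed password for admin from 203.0.113.7
2012-06-01T02:14:09 host1 sshd: Failed password for admin from 203.0.113.7
2012-06-01T02:14:12 host1 sshd: Failed password for admin from 203.0.113.7
2012-06-01T02:14:15 host1 sshd: Failed password for admin from 203.0.113.7
2012-06-01T02:14:19 host1 sshd: Failed password for admin from 203.0.113.7
2012-06-01T02:14:23 host1 sshd: Accepted password for admin from 203.0.113.7
2012-06-01T09:03:41 host1 sshd: Accepted publickey for alice from 192.0.2.10
2012-06-01T09:05:02 host1 sudo: alice : COMMAND=/bin/cat /etc/shadow
2012-06-01T09:30:00 host1 sshd: Failed password for bob from 192.0.2.11
2012-06-01T09:31:00 host1 sshd: Accepted password for bob from 192.0.2.11
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.*)$")

# Assumed least-privilege policy: only these accounts may run privileged commands.
ALLOWED_SUDO_USERS = {"admin"}
FAIL_THRESHOLD = 5             # failures from one source/user that trigger an alert
WINDOW = timedelta(minutes=10)  # only failures inside this window are counted


def parse(log_text):
    """Split raw log text into (timestamp, host, program, message) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["prog"], m["msg"]))
    return events


def detect(log_text):
    """Return a list of (timestamp, rule, detail) alerts found in the log."""
    alerts = []
    failures = defaultdict(list)  # (source, user) -> timestamps of recent failures
    for ts, host, prog, msg in parse(log_text):
        if prog == "sshd":
            a = AUTH_RE.search(msg)
            if not a:
                continue
            key = (a["src"], a["user"])
            # Drop failures that fell out of the sliding window.
            failures[key] = [t for t in failures[key] if ts - t <= WINDOW]
            if a["result"] == "Failed":
                failures[key].append(ts)
                if len(failures[key]) == FAIL_THRESHOLD:
                    alerts.append((ts, "brute-force",
                                   f"{FAIL_THRESHOLD} failed logins for {a['user']} "
                                   f"from {a['src']} on {host}"))
            else:
                # A success right after a burst of failures is the stronger signal.
                if len(failures[key]) >= FAIL_THRESHOLD:
                    alerts.append((ts, "success-after-brute-force",
                                   f"{a['user']} logged in from {a['src']} on {host} "
                                   f"after {len(failures[key])} failures"))
                failures[key].clear()
        elif prog == "sudo":
            s = SUDO_RE.match(msg)
            if s and s["user"] not in ALLOWED_SUDO_USERS:
                alerts.append((ts, "least-privilege",
                               f"{s['user']} is not allowed privileged commands but ran "
                               f"{s['cmd']} on {host}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  [{rule}]  {detail}")
```

Run against the constructed log, the script raises three alerts (the fifth failure for `admin`, the success that follows it, and `alice`'s `sudo` command) and stays silent on `bob`, whose single typo-style failure does not reach the threshold. The threshold and window are the tuning knobs a practitioner would adjust to the environment; the least-privilege check is deliberately an allow-list rather than a deny-list, so any account outside the policy is flagged.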
  29. Questions/Answers
     www.cameron.edu/~pdiaz-go   pdiaz-go@cameron.edu
     Thanks! Ing. Alfonso Valencia Rodriguez and Ing. Luis E. Gomez H. (Universidad Piloto de Colombia); Mr. Timothy Marley (University of Oklahoma)
  30. Appendix
  31. Brief Bibliography Used in this Research
     Verizon Business Risk Team, "2012 Data Breach Investigations Report", and the corresponding reports for 2008 – 2011.
     PCI Security Standards Council LLC, "Payment Card Industry (PCI) Data Security Standard, Navigating PCI DSS, Version 2.0".
     C. Schou and D. Shoemaker, "Information Assurance for the Enterprise: A Roadmap to Information Security".
     Tripwire, "PCI Basics: What it Takes to be Compliant".
     M. E. Whitman and H. J. Mattord, "Management of Information Security".
  32. Top Security Mechanisms – Case Study: Australian Government
     Australian computer networks are being targeted by adversaries seeking access to sensitive information. A commonly used technique is social engineering, where malicious "spear phishing" emails are tailored to entice the reader to open them. The Defence Signals Directorate (DSD) has developed the Top 35 Mitigation Strategies for targeted cyber intrusions. The list is informed by DSD's experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.
  33. Top Security Mechanisms – Case Study: Australian Government
     While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD responded to in 2009, and at least 85% of the intrusions responded to in 2010. Implementing the top four strategies can be achieved gradually, starting with the computers used by the employees most likely to be targeted by intrusions, and eventually extending them to all users. Once this is achieved, organizations can selectively implement additional mitigation strategies based on the risk to their information.
  34. Top Security Mechanisms – Case Study
     (Figure.)
  35. Framework Documentation
     Key components of each framework document: Subject, Purpose, Scope, Coverage, Date, Version, Revision, Approval.
     (Taken with permission from Tim Marley, Cameron University presentation. Source: CISA Certified Information Systems Auditor Guide.)