1 / 29

Information Security Lapses

Information Security Lapses. Top 10 Security Breaches Kyle Chase Revati Kailasam Kelly Walker. Since 2005, more than 3,000 data breaches have been reported. Over 545 million records compromised as a result of these data breaches. - Privacy Rights Clearinghouse. Information Security Lapses.

media
Download Presentation

Information Security Lapses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security Lapses Top 10 Security Breaches Kyle Chase RevatiKailasam Kelly Walker

  2. Since 2005, more than 3,000 data breaches have been reported. • Over 545 million records compromised as a result of these data breaches. -Privacy Rights Clearinghouse Information Security Lapses

  3. What happened? • A summary of the breach • How did it happen? • Attack Methods • Control Failures • How could it be prevented or minimized? • Preventative IT security • Financial Impact • Cost of the breach Top 10 Information Security Failures in Recent History

  4. Parent company of TJ Maxx, Marshalls, Home Goods, and more • Reported data breach potentially affecting thousands of consumers • Masterminded by Albert Gonzalez • Hackers gained access via store wireless networks • Outdated WEP security • Gained access to corporate servers housing sensitive information • Including CC Information TJX (2005)

  5. PCI compliance issues • In compliance with only 3 of 12 standards • Failure to upgrade systems in timely manner • Too much information stored • CC #s, PINs, CVV #s • Lack of encryption • Lack of fraud detection • Breach lasted 18 months • Result: 45.7 Million credit card numbers stolen TJX (2005)

  6. Intentionally released search logs • Contained- • SSN’s • Bank account information • Demographic information • Exposed 650,000 users to identity theft • IT Security/Control Issues • Violation of Electronic Communications Privacy Act • Lawsuits averaged $5,000 per victim AOL (2006)

  7. Links to TJX Case • Albert Gonzalez – connected to cases involving TJX, Heartland, Hannaford, 7-Eleven • SQL injection attack to access ATM and Point of Sale systems • Injected malware to intercept user inputs in real-time • Also were able to access historical data • PINs stolen in electronic transmission • $2 million in damages • Better encryption and fraud detection systems could have decreased the loss 7-Eleven (2007)

  8. Already bad reputation for protecting consumer data • Rootkit Incident • Reported breach to PlayStation Network and Qriocity music service • Immediate shutdown of the PlayStation Network • Affected: • 77 million PlayStation Network users • 25.4 million Sony Online Entertainment users • Released: • Customer Names • Addresses • Email • Log-Ons • Credit card information Sony (2011)

  9. Access to system administrator PC containing sensitive information • Malicious Email to gain access • Masked by Anonymous DDOS attack • Slowed Fraud Detection • Anonymous denies involvement • “Sony probably did not pay enough attention to security when it was developing the software that runs its network.” – Reuters Sony (2011)

  10. Monster was created in 1999 • Monster.com is one of the largest employment website in the world • Hackers broke the password protected resume library • Information from 1.3 million users were stolen • Information stolen were limited to names, addresses, phone numbers and email addresses Monster.com (2007)

  11. Hackers sent phishing emails and made extortion based threat • Monster waited five days to inform it’s users about the security breach • Monster put a notice on its website and also posted letters to the affected users about the breach • As per monster the estimated cost for upgrading it’s site was 80 million Monster.com (2007)

  12. Epsilon created in 1969, is the world’s largest permission based email marketing service company • Epsilon has more than 2400 A-list clients and sends more then 40 billion emails annually on behalf of its clients • On march 30, 2011 epsilon detected “ an unauthorized entry” into its email system • Nearly 75 of Epsilon’s clients were affected • 60 million email addresses were stolen • Data compromised were limited to email addresses and names Epsilon (2011)

  13. Some of the clients under attack were financial institutions; (Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware) retail chains (best buy, Home Shopping Network, Walgreens, Brookstone, New York & Company and Kroger, TiVo), hotel chains (Ritz-Carlton Rewards and Marriott Rewards), McKinsey, The College Board, Disney Destinations and many more. Epsilon (2011)

  14. Hackers sent spam and phishing emails to the victims of breach • Epsilon reported about the breach on April 01, 2011 to both customers and clients • Epsilon announced that it was going to enhance its data security system • Epsilon could have faced a price tag as high as 4 billion for data breach Epsilon (2011)

  15. In 2009 McAfee client , a U.S. defense contractor, identified suspicious programs running on its network • Forensic investigation revealed that a spear phishing email containing a link to web page that when clicked automatically downloaded a remote access tool or “RAT” onto the victim’s computer • McAfee while investigating command-and-control operation in 2009 discovered about the cyber espionage “operation shady RAT” Operation shady RAT (2009-2011)

  16. McAfee traced the activity back to 2006 • The widespread cyber-espionage campaign dubbed “Operation shady RAT” infiltrated the computer systems for national governments, global corporations, non profit and other organizations • Fourteen countries were victims • Forty nine of the seventy two organizations compromised were from United States Operation shady RAT (2009-2011)

  17. Data compromised were email archives, sensitive corporate documents and other intellectual property • McAfee is working closely with U.S. government agencies, law enforcement and others in hopes of eventually shutting down shady RAT’s command-and-control server • Most of the targets have removed the malware from the system Operation shady RAT (2009-2011)

  18. Department of Defense health care program • SAIC – business partner of TriCare • September 14, 2011 breach of patient information affecting approximately 4.9 million patients • Largest Federal breach to date TriCare (2011)

  19. Unencrypted computer backup tapes stolen from SAIC employee’s car • Tapes contained patient information • TriCare states that risk is low • Breach caused 3 lawsuits totaling $4.9 billion TriCare (2011)

  20. Company that provides tools and services to protect assets and information • Specializes in computer forensics and malware analysis tools • February 6, 2011 Anonymous hacks into computer system in retaliation • Compromised web server and cracked passwords HBGary (2011)

  21. Used Barr’s administrative password to change password for Greg Hoglund’s email • Greg operated rootkit.com • Hackers used social engineering to gain control of rootkit.com • Defaced HBGary’s website and accessed 71,000 emails HBGary (2011)

  22. Published some emails that revealed immoral and illegal activities that company was involved in • Since the breach – Aaron Barr has resigned • March 6, 2012 Hector Xavier Monsegur – member of anonymous pled guilty HBGary (2011)

  23. Authentication mechanism developed by Security Dynamics • Token generates a code at fixed intervals • Uses random key known as seed record – key to generating a one time password • Used in combination with password user creates – the server has real time clock and a database of valid cards that can validate code RSA SecurID (2011)

  24. Difficult to hack – need both pieces of information • March 17, 2011 victims of attack costing the company $66.3 million • Sent phishing emails with malware attached • Malware exploited a back door in Adobe Flash • Hackers used Poison Ivy Remote Administrative Tool • Attack is known as APT – Advanced Persistent Threat RSA SecurID (2011)

  25. Replaced 40 million tokens • Breach resulted in attacks on three U.S Defense contractors • L-3 Communications • Lockheed Martin • Northrop Grumman • Could be tied to cyber espionage from China RSA SecurID (2011)

  26. Costs directly associated with the breach include: • Cost of replacing stolen devices • Cost of recovering lost information • strengthening IT security and in some cases Premise’s security • Other costs include: • Expenses related to informing and providing credit monitoring service for the victims • Expenses related to lawsuits The financial impact

  27. Other monetary impacts are: • Fall in share prices • Increased marketing expenses • Cost of hiring and training new employees The financial impact

  28. AICPA listed in its Personal Competencies • Accountants need to address “privacy, intellectual property rights and security issues related to electronic communications” as element of Leverage Technology to develop and enhance personal competencies. • Statements on Auditing Standards (SAS) 94 • Requires auditors to take an in depth look at how IT controls affect internal controls. Accounting and Security

  29. Anderson, H. (2011, October 14). TRICARE Hit With $4.9 Billion Lawsuit. Damages Sought for Privacy Violations in Breach Incident. Retrieved March 6, 2012, from Bank Info Security: www.govinfosecurity.com/p_print.php?t=a&id=4158 Anderson, M. (2012, March 6). Anonymous hackers identified, including one tied to HBGary hack. Retrieved March 6, 2012. http://www.bizjournals.com/sacramento/news/2012/03/06/anonymous-hackers-identified-hb-gary.html Arrington, M. (2006, August 6). AOL Proudly Releases Massive Amounts of Private Data. Retrieved March 19, 2012. http://techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/ Baker, L. B. & Finkle, J. (2011, April 26). Sony PlayStation Suffers Massive Data Breach. Reuters. Retrieved March 15, 2012. http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426 Beard, D., & Wen, H. J. (2007). Reducing the Threat Levels for Accounting Information Systems. The CPA Journal , 7. Bright, P. (n.d.). Anonymous speaks:the inside story of the HBGary hack. Garrison, C. P., & Posey, O. G. Computer Security Awareness of Accounting Students. Jewell, M. (2007, September 7). Encryption Faulted in TJX Hacking. Associated Press. http://www.msnbc.msn.com/id/20979359#.T30M9KsV3dI Kantor, A. (2005, November 17). Sony: The Rootkit of All Evil. USA Today. Retrieved March 15, 2012. http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm Mills, E. (2011, June 6). China Linked to New Breaches Tied to RSA. Retrieved March 7, 2012, from CNET News: news.cnet.com/8301-27080_3-20068836-245/china-linked-to-new-breaches-tied-to-rsa/?tag=mncol;txt 6 Worst Data Breaches Of 2011 by ByMathew J. Schwartz December 28, 2011 http://www.informationweek.com/news/security/attacks/232301079 Monster.com Hit With Possible Monster-Sized Data Breach By Thomas Claburn January 26, 2009 http://www.informationweek.com/news/security/attacks/212902664 Epsilon Data Breach Hits Banks, Retail Giants By: Fahmida Y. Rashid April 2011 http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Hits-Banks-Retail-Giants-154971/ http://en.wikipedia.org/wiki/Monster.com Analysis: Is the Epsilon data breach a watershed for the marketing industry? Tuesday 05 April 2011 http://www.computerweekly.com/news/1280097340/Analysis-Is-the-Epsilon-data-breach-a-watershed-for-the-marketing-industry The real cost of a security breach By David Hobson August 12, 2008 http://www.scmagazine.com/the-real-cost-of-a-security-breach/article/113717/ Epsilon Data Breach: Expect a Surge in Spear Phishing Attacks by Tony Bradley Apr 4, 2011 http://www.pcworld.com/businesscenter/article/224192/epsilon_data_breach_expect_a_surge_in_spear_phishing_attacks.html Monster.com Admits Keeping Data Breach Under Wraps http://www.foxnews.com/story/0,2933,294471,00.html Report on ‘Operation Shady RAT’ identifies widespread cyber-spying By Ellen Nakashima, August 2, 2011 http://www.washingtonpost.com/national/national-security/report-identifies-widespread-cyber-spying/2011/07/29/gIQAoTUmqI_story.html Exclusive: Operation Shady rat—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza ByMichael Joseph Gross August 2, 2011 http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109 Panko, R. (2010) Corporate Computer and Network Security. 2nd Edition. Prentice Hall Publishing. Rashid, F. Y. (2011, March 01). HBGary Federal CEO Aaron Barr Quits Due to Anonymous Attack. IT Security & Network Security News . SecurID. (2012, January 10). Retrieved March 2012, from Wikipedia: en.wikipeida.org/w/index.php?title=SecurID&printable=yes Zetter, K. (2010, March 26). Hacker Sentenced to 20 Years for Breach of Credit Card Processor. Wired.com. Retrieved April 1, 2012. http://www.wired.com/threatlevel/2010/03/heartland-sentencing/ References

More Related