Preventing the next WikiLeaks - SCCE Official Site · 2014-09-03
1 /GE /
Orrie Dinstein, Chief Privacy Leader and Senior IP Counsel, GE Capital
Preventing the next WikiLeaks
Compliance & Ethics Institute; Las Vegas, Sept 2011
2Orrie Dinstein
Threats in the news
Cyber threats

Nation States & Terrorists (cyber-war)
• Motivation: Espionage; Strategic or political advantage; Terrorism; Data theft; War
• Threat: Working ability jeopardized; Physical safety at risk; Loss of productivity; Loss of sensitive data; Reputational damage

Cyber-criminals
• Motivation: Corporate espionage; Financial gain
• Threat: Identity theft; Loss of sensitive data; Decreased competitiveness; Reputational damage; Business disruption

Hacktivists (Anonymous; Wikileaks)
• Motivation: Harassment; Vandalism; Fame/PR
• Threat: Identity theft; Personal information and nonpublic data made public; Competitiveness jeopardized; Reputational damage
The Evolution of Threats
Timeline, 1986 to 2010 (figure reconstructed as a list):
• Diskette-based viruses – often written for pride; if malicious, would delete files
• Macro viruses in MS Office docs
• E-mail worms
• Network worms
• Adware, spyware
• Web-delivered malware
• Bots, password stealers
• Advanced Persistent Threat
Motivation over the same period: Curiosity → Pride → Vandalism → Theft → Nationalism/Military
Threat Trends
Alarming increase in highly sophisticated, targeted attacks!
• Malware/Rogueware
• Phishing
• Botnets
• Web Site Attacks
• Social Engineering
• Insider
• Infrastructure
• SCADA Systems
• Stupid Mistakes
• Lack of security controls
Cyber Weapon Characteristics
• Self defending
• Self morphing
• Self propagating
• Man-in-the browser
• Command & control
• Undetectable!
Real threat examples
Protecting data is harder than ever
Increasingly complex environment
• Multiple end-point storage devices (PDAs, iPads, digital cameras, thumb drives, cell phones, CD/DVD drives) – data is hard to protect, easy to lose/steal
• Installation of unauthorized software or use of unlicensed programs by employees introduces new threats that can be used to steal data/IP from unsuspecting employees
• Use of Instant Messaging tools introduces new avenues for data/IP loss
• Use of Social Media introduces new threats to data/IP
• More complex embedded systems like printers and copiers: networked + hard drives with data = can be hacked = data loss
• And the biggest threat of all is…
Employee Mobility
Remote access (VPN, hotels, cyber cafes) + increased mobility (wireless; mobile devices) = new avenues for theft or loss of data/IP
Threat Matrix – Loss of Proprietary Data
• Internal: intentional or unintentional
• External: internally aided or unaided
• Social networks are shown on both the internal and the external side of the matrix
Internal intentional
Risks:
• Passing secrets to a competitor for financial gain
• Leaking secrets to the public (altruism, whistleblowing)
• Stealing data for “job security”
• Stealing data due to sense of ownership
• Stealing data because unaware of the confidential nature of the data
• Intentional deletion of data to cause harm
• Cyber-extortion
Departing employees – easier task
THEN: Physical documents; Rolodex
NOW: Portable devices; Email; Online storage; LinkedIn
Internal unintentional
50 ways to lose your…. data
• Lost laptops
• Lost Blackberry, iPhone, cell phone, iPad etc.
• Lost backup tapes
• Lost portable storage media (thumb drives; DVDs)
• Lost paper files
• Misrouted faxes
• Misrouted mail
• Misdirected email
• Erroneous FTP/file upload
• P2P software
• IM file sharing
• Social media errors
• Falling for traps/tricks
What are some of the methods used by the bad guys?
• Malware (virus; worm; spyware; Trojan; backdoor; rootkit; keystroke logger)
• Scareware
• P2P accounts
• Scams; Spoofing of accounts
• Social engineering
• Botnets/zombies (DDoS attacks)
• SPAM (also in use in VoIP (SPIT) and IM (SPIM))
• Phishing (spear phishing and whaling)
Spam is the lynchpin to a variety of attacks. By opening spam, users are opening their machines, and their entire networks. Increasingly, these computers become members of a botnet -- the frontline ‘grunts' of an invading spam army. Without spam, hackers and criminals would have to work much harder to exploit our cyber weaknesses, and their efforts would be slowed considerably.
Social networks
Social Networking threats
• Social networking is becoming the preferred way to interact/connect and becoming a massive repository of personal data
• Increased capability on portable devices and networks
• Convergence of Personal and Business Data
• Increased Software/Hardware Vulnerabilities
• Organized Crime and Targeted Attacks
• Social Engineering
External aided = same risks as internal intentional
External unaided
Hacks
• Password crackers
• Social engineering
• Internet attacks (SQL injection; XSS)
Anatomy of a hack – HBGary is taken down by Anonymous
• Step 1: SQL injection attack – yielded e-mails, usernames and passwords; passwords were encrypted
• Step 2: password crack (rainbow tables) [weak algorithm and short passwords]
• Step 3: reuse of passwords allowed access to other machines and to the CEO’s email
• Step 4: elevation-of-privileges flaw allowed root access to some machines
• Step 5: e-mails to an admin allowed access to other necessary servers where remote root access is denied
Bottom line – through social engineering the attacker was able to obtain:
- password
- user name
- open access without knowing the secure IP
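Step 2 above succeeded because short passwords stored with a fast hash and no per-user salt are exactly what precomputed (rainbow) tables are built for. The Python below is an added illustration, not part of the slides and not code from HBGary or GE: it builds a tiny constructed lookup table over a few short candidate passwords, shows that an unsalted MD5 digest is found in it immediately, and then stores the same password with a random per-user salt and PBKDF2-HMAC-SHA256 so that no precomputed table applies and identical passwords no longer produce identical records. The candidate list, iteration count and storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: precomputed MD5 digests of a few short,
# common candidate passwords. (Assumption for the example; real tables are far larger.)
CANDIDATES = ["123456", "password", "qwerty", "letmein", "abc123"]
PRECOMPUTED = {hashlib.md5(p.encode()).hexdigest(): p for p in CANDIDATES}

# Work factor for the slow KDF below (assumed value; tune to your hardware).
ITERATIONS = 100_000


def weak_store(password):
    """Unsalted, fast hash: every user with the same password gets the same digest,
    so one precomputed table recovers all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_precomputed(digest):
    """Rainbow-table style lookup: return the password if its digest was precomputed."""
    return PRECOMPUTED.get(digest)


def strong_store(password, salt=None):
    """Random per-user salt + PBKDF2-HMAC-SHA256.
    Returns 'iterations$salt_hex$hash_hex' (assumed storage format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def strong_verify(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "letmein"
    print("unsalted MD5 found in table:", lookup_precomputed(weak_store(pw)))
    rec = strong_store(pw)
    print("salted PBKDF2 record:", rec)
    print("found in table:", lookup_precomputed(rec.split("$")[2]))
    print("verify correct password:", strong_verify(pw, rec))
```

The salt does not have to be secret; its job is to make every stored record unique so that an attacker would have to recompute the slow KDF per record instead of consulting a table once. Password reuse across systems (step 3) is not something hashing can fix; only distinct credentials per system and multi-factor authentication address that.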
SQL injection – the most common web attack
• Exploits web applications that process user input and make database calls
• Successful attacks allow unauthorized users to access or modify data

Example: vulnerable login form
SELECT name FROM users WHERE name = 'Username' AND password = 'password'

Legitimate transaction (sign-in form: Username = MyName, Password = *******) …
• WHERE name = 'MyName' AND password = '*******'
• Name and password must match to log in

Malicious transaction (sign-in form: Username = MyName, Password = *******' OR '1' = '1) …
• WHERE name = 'MyName' AND password = '*******' OR '1'='1'
• This will log in as any legitimate user name, since the 1=1 test will pass
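To see the slide's two transactions run against a real database, here is an added Python example (not from the slides, and not GE's code) using an in-memory SQLite table with constructed users. login_vulnerable builds the query by string formatting, as the vulnerable login form above does, so the password value *******' OR '1' = '1 becomes the malicious WHERE clause; login_safe passes the same inputs as bound parameters, so the quote characters are compared as data and the injection fails. The user table and its passwords are constructed for the example (a real table would store hashes, not cleartext).

```python
import sqlite3

# Constructed sample users (assumption for the example; cleartext only to keep it short).
USERS = [("MyName", "correct-horse"), ("alice", "s3cret")]

# The password field exactly as shown on the slide's malicious sign-in form.
INJECTED = "*******' OR '1' = '1"


def make_db():
    """Create an in-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The slide's vulnerable form: user input is spliced into the SQL text.
    Returns the authenticated name, or None."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (username, password))
    # With the injected password this runs as
    #   ... WHERE name = 'nobody' AND password = '*******' OR '1' = '1'
    # AND binds tighter than OR, so every row satisfies the clause.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized form: values travel separately from the SQL text, so a quote
    inside the password is just a character, never SQL syntax."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable code:", login_vulnerable(db, "MyName", "correct-horse"))
    print("injected, vulnerable code:", login_vulnerable(db, "nobody", INJECTED))
    print("injected, parameterized:", login_safe(db, "nobody", INJECTED))
```

The fix is the query shape, not input filtering: with placeholders the database never parses user-supplied text as SQL, which is why parameterized queries (or an ORM that uses them) are the standard control for this class of attack.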
Impact
Data theft/loss has a broad impact
• Federal and state laws (privacy, security, other)
• International laws
• Financial
– Loss of Business
– Regulatory Fines
– Civil Class Actions
– Remedial Costs
• Reputational
– Loss of Goodwill
– Negative Press
– Securities laws – proposal to require disclosure
Prevention
Compliance controls
• Policies
• Data classification
• Training and awareness campaigns
– Last line of defense but also the front line of attacks
– What we need EVERYONE to know and do
– Anti-phishing education is key
• Robust exit process for employees and contractors
• Investigate all cases and act against the offenders
• Manage third parties/contractors
• Be paranoid – they are out to get you……
Technology
• Encryption of your data and devices helps but not against the internal threat
• Multi-factor authentication
– User ID and password not enough
– Additional factors can be something you have, something you are
• Access controls help but not against internal threat
• Proxy hardening – authenticate all outbound Internet requests
• Log management – centralize log storage to facilitate IRP
• Network monitoring
• Server security – focus on where sensitive information resides
• Increased vulnerability detection (perform pen tests)
• Keep up with your patches
• Eliminate unmanaged and rogue devices
• DLP tools
DLP tools
Block, warn, or record movement of data from PCs: SSNs, addresses, e-mail addresses, customer information, health data, credit card data, bank accounts, ethnicity data, any custom filters…
Monitor e-mail, website uploads, transfers to external storage, instant messaging, and more
Device Control
• Block or allow removable media based on type or model (e.g. allow approved encrypted USB drive)
• Render devices read-only
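A content filter of the kind the DLP slide describes, as an added Python example (not the slides' own code and not any vendor's product): it scans an outbound message for the SSN, e-mail address and credit card patterns named above, validates candidate card numbers with the Luhn check so that arbitrary 16-digit strings such as order references do not trigger a block, and maps the findings to the block / warn / record decision. The sample message, the regular expressions and the decision policy are assumptions constructed for the example; a production filter would add many more detectors and tune them per data classification.

```python
import re

# Pattern detectors (assumed, deliberately simple):
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # 123-45-6789
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")         # user@domain.tld
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")               # 13-16 digits, spaces/dashes allowed

# Constructed outbound message containing one SSN, one valid card number,
# one Luhn-invalid 16-digit order reference and one e-mail address.
SAMPLE = ("Hi, forwarding the client file. SSN 123-45-6789, card 4111 1111 1111 1111, "
          "order ref 1234 5678 9012 3456, contact jane.doe@example.com")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, cuts most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return a list of (kind, matched_text) findings for the message."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


def decide(findings):
    """Assumed policy: regulated identifiers block, contact data warns, else just record."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"ssn", "card"}:
        return "block"
    if "email" in kinds:
        return "warn"
    return "record"


if __name__ == "__main__":
    found = scan(SAMPLE)
    for kind, value in found:
        print("%-5s %s" % (kind, value))
    print("decision:", decide(found))
```

Because the Luhn test runs only on regex candidates, the expensive validation is applied to a handful of strings per message, and the same scan function can be pointed at e-mail bodies, upload payloads or files copied to removable media, which are the channels the slide lists.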
Designing a DLP program – four pillars: People, Policy, Process, Technology
• Insight into all data movement & actions
• Education, Communication & Awareness Programs
• Collaboration between Risk, IT, Legal, Compliance, & HR
• Standardized processes to address data visibility
DLP is first and foremost a business strategy; technology is just a component
Some challenges
• $$$
• You can’t lock it all down
• Procedures are burdening users – too much to understand and remember – complex policies, password management
• Users tend to ignore rules and find workarounds
• Too many places where proprietary data resides and too many ways that it can be lost/stolen
• Shrinking time between vulnerabilities and exploits: “0 Day Exploit” = exploit released into the wild before patch or AV definition is available
Handling incidents
• Be familiar with the privacy laws in your jurisdictions/state
– Access to employee files
– Access to emails (stored vs. in transit)
– Recording phone calls
– Keystroke loggers
• Be familiar with your corporate policies
• Monitor cases on the topic – U.S. courts are not consistent and the notion that in the U.S. there is no workplace privacy is misleading
• Outside the U.S. things get harder very fast
• What is your goal (get data back vs. punish)?
• How much publicity can you afford?
Conclusions
• Focus on the unintentional losses – that’s the easiest to tackle
• Training and awareness are vital to protecting your data (and to distinguishing between intentional and unintentional acts)
• Technology is a key component, but realize that it always lags behind the threats, which makes a robust IRP critical
• Partner with your InfoSec guys as the threats are increasingly digital