Preventing the next WikiLeaks - SCCE Official Site · 2014-09-03

Transcript of the slide deck "Preventing the next WikiLeaks"

Page 1

Orrie Dinstein, Chief Privacy Leader and Senior IP Counsel, GE Capital

Preventing the next WikiLeaks

Compliance & Ethics Institute; Las Vegas, Sept 2011

Page 2

Threats in the news

Page 3

Cyber threats (by actor: motivation and resulting threat)

Nation States & Terrorists (cyber-war)
  Motivation: Espionage; Strategic or political advantage; Terrorism; Data theft; War
  Threat: Working ability jeopardized; Physical safety at risk; Loss of productivity; Loss of sensitive data; Reputational damage

Cyber-criminals
  Motivation: Corporate espionage; Financial gain
  Threat: Identity theft; Loss of sensitive data; Decreased competitiveness; Reputational damage

Hacktivists (Anonymous; WikiLeaks)
  Motivation: Business disruption; Harassment; Vandalism; Fame/PR
  Threat: Identity theft; Personal information and nonpublic data made public; Competitiveness jeopardized; Reputational damage

Page 4

The Evolution of Threats (timeline, 1986 to 2010)

Threat types shown on the timeline, listed oldest to newest:
• Diskette-based viruses – often written for pride; if malicious, would delete files
• Macro viruses in MS Office docs
• E-mail worms
• Network worms
• Adware, spyware
• Web-delivered malware
• Bots, password stealers
• Advanced Persistent Threat

Motivation over the same period: Curiosity, Pride, Vandalism, Theft, Nationalism/Military

Page 5

Threat Trends

Alarming increase in highly sophisticated, targeted attacks!

• Malware/Rogueware
• Phishing
• Botnets
• Web site attacks
• Social engineering
• Insider
• Infrastructure
• SCADA systems
• Stupid mistakes
• Lack of security controls

Cyber weapon characteristics
• Self defending
• Self morphing
• Self propagating
• Man-in-the-browser
• Command & control
• Undetectable!

Real threat examples

Protecting data is harder than ever

Page 6

Increasingly complex environment

• Multiple end-point storage devices (PDAs, iPads, digital cameras, thumb drives, cell phones, CD/DVD drives) – data is hard to protect, easy to lose/steal
• Installation of unauthorized software or use of unlicensed programs by employees introduces new threats that can be used to steal data/IP from unsuspecting employees
• Use of instant messaging tools introduces new avenues for data/IP loss
• Use of social media introduces new threats to data/IP
• More complex embedded systems like printers and copiers: networked + hard drives with data = can be hacked = data loss
• And the biggest threat of all is…

Employee Mobility

Remote access (VPN, hotels, cyber cafes) + increased mobility (wireless; mobile devices) = new avenues for theft or loss of data/IP

Page 7

Threat Matrix – Loss of Proprietary Data

Internal: Intentional | Unintentional
External: Internally aided | Unaided
(Social Networks appears in both the internal and the external rows of the matrix.)

Internal intentional

Page 8

Risks:
• Passing secrets to a competitor for financial gain
• Leaking secrets to the public (altruism, whistleblowing)
• Stealing data for "job security"
• Stealing data due to sense of ownership
• Stealing data because unaware of the confidential nature of the data
• Intentional deletion of data to cause harm
• Cyber-extortion

Departing employees – easier task
THEN: physical documents; Rolodex
NOW: portable devices; email; online storage; LinkedIn

Page 9

Internal unintentional

Page 10

50 ways to lose your…. data
• Lost laptops
• Lost Blackberry, iPhone, cell phone, iPad etc.
• Lost backup tapes
• Lost portable storage media (thumb drives; DVDs)
• Lost paper files
• Misrouted faxes
• Misrouted mail
• Misdirected email
• Erroneous FTP/file upload
• P2P software
• IM file sharing
• Social media errors
• Falling for traps/tricks

What are some of the methods used by the bad guys?

Page 11

• Malware (virus; worm; spyware; Trojan; backdoor; rootkit; keystroke logger)
• Scareware
• P2P accounts
• Scams; spoofing of accounts
• Social engineering
• Botnets/zombies (DDoS attacks)
• SPAM (also in use in VoIP (SPIT) and IM (SPIM))
• Phishing (spear phishing and whaling)

Page 12

Spam is the lynchpin to a variety of attacks. By opening spam, users are opening their machines, and their entire networks. Increasingly, these computers become members of a botnet -- the frontline 'grunts' of an invading spam army. Without spam, hackers and criminals would have to work much harder to exploit our cyber weaknesses, and their efforts would be slowed considerably.

Social networks

Page 13

Social Networking threats
• Social networking is becoming the preferred way to interact/connect and is becoming a massive repository of personal data
• Increased capability on portable devices and networks
• Convergence of personal and business data
• Increased software/hardware vulnerabilities
• Organized crime and targeted attacks
• Social engineering

External aided = same risks as internal intentional

Page 14

External unaided

Hacks
• Password crackers
• Social engineering
• Internet attacks (SQL injection; XSS)


Page 16

Anatomy of a hack – HBGary is taken down by Anonymous

• Step 1: SQL injection attack – yielded emails, usernames and passwords; the passwords were stored as unsalted hashes rather than in clear text
• Step 2: password crack (rainbow tables) [weak, unsalted hash algorithm and short passwords]
• Step 3: reuse of passwords allowed access to other machines and to the CEO's email
• Step 4: an elevation-of-privileges flaw allowed root access to some machines
• Step 5: emails to an admin (social engineering) yielded access to other necessary servers where remote root access was denied

Page 17

Bottom line – through social engineering the attacker was able to obtain:
- a password
- a user name
- open access without knowing the secure IP
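The rainbow-table step above works only because the dumped passwords were unsalted hashes. The following Python is added here as an illustration; it is not code from the original slides or from any HBGary system. It shows why the step succeeds: a digest-to-password table precomputed once answers every unsalted MD5 dump by a single lookup, whereas a per-user salt plus an iterated KDF (PBKDF2 here) forces the attacker to redo all the work per user. The wordlist, salts and account names are constructed for the example, and the last function models step 3: one cracked password opening every account where it was reused.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for the candidate space a rainbow table covers.
# A real table holds billions of candidates; the mechanics are identical.
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty", "admin", "dragon"]


def md5_unsalted(password: str) -> str:
    """Legacy storage scheme: a single MD5 over the password, no salt.
    Every user on every site with this password gets the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Precompute digest -> password once. Because the scheme is unsalted, the
    same table works against every MD5 dump ever obtained (a rainbow table is
    this table with a space/time trade-off applied to shrink it)."""
    return {md5_unsalted(pw): pw for pw in wordlist}


def crack_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recovering an unsalted hash is one dictionary lookup."""
    return table.get(stored_digest)


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened scheme: per-user random salt plus a slow, iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def crack_salted(stored_digest: str, salt: bytes, wordlist: List[str],
                 iterations: int = 100_000) -> Tuple[Optional[str], int]:
    """With a salt nothing can be precomputed: every candidate has to be
    re-derived for this user's salt at the full cost of the KDF. Returns the
    recovered password (or None) and how many KDF evaluations it took."""
    kdf_calls = 0
    for candidate in wordlist:
        kdf_calls += 1
        if pbkdf2_salted(candidate, salt, iterations) == stored_digest:
            return candidate, kdf_calls
    return None, kdf_calls


def accounts_unlocked_by_reuse(cracked_password: str, other_accounts: Dict[str, str]) -> List[str]:
    """Step 3 on the slide: one cracked password opens every account where it
    was reused. other_accounts maps account name -> stored unsalted MD5 digest
    (constructed data for the example)."""
    digest = md5_unsalted(cracked_password)
    return [name for name, stored in other_accounts.items() if stored == digest]


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = md5_unsalted("letmein")  # what the SQL injection dumped
    print("unsalted MD5 recovered by lookup:", crack_unsalted(leaked, table))
    salt = os.urandom(16)
    print("salted digest found in precomputed table:",
          crack_unsalted(pbkdf2_salted("letmein", salt), table))
    print("salted digest, per-user brute force (password, KDF calls):",
          crack_salted(pbkdf2_salted("letmein", salt), salt, WORDLIST))
    print("accounts opened by reuse:",
          accounts_unlocked_by_reuse("letmein", {"cms": leaked, "mail": leaked,
                                                 "vpn": md5_unsalted("other")}))
```

The point of the iteration count returned by crack_salted is cost: with a salt the attacker pays the KDF price for every candidate and every user separately, so a short password still falls but the precomputed table buys nothing.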

SQL injection – the most common web attack
• Exploits web applications that process user input and make database calls
• Successful attacks allow unauthorized users to access or modify data

Example: vulnerable login form
  SELECT name from users WHERE name ='Username' AND password= 'password'

Legitimate transaction … (sign-in form: Username = MyName; Password = *******)
  WHERE name ='MyName' AND password= '******'
• Name and password must match to login

Malicious transaction … (sign-in form: Username = MyName; Password = *******' OR '1' = '1)
  WHERE name ='MyName' AND password= '******' OR '1'='1'
• This will login as any legitimate user name, since the 1=1 test will pass: AND binds tighter than OR, so the condition is true for every row regardless of the name or password supplied
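To make the slide's login example concrete, here is an added Python/sqlite3 example (not code from the original deck): the vulnerable handler pastes the form fields into the SQL string exactly as the slide shows, and the parameterized handler beside it is the fix. The table contents are constructed for the example, and the second payload (a quoted OR in the username field followed by a -- comment) goes one step beyond the slide's password-field case. Passwords are kept in clear text here only so the slide's WHERE clause can be reproduced literally; a real application stores salted, slow hashes.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("MyName", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The slide's form handler: user input is pasted into the SQL text, so a
    quote character in the input becomes part of the query's syntax."""
    query = (f"SELECT name FROM users WHERE name = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Fixed handler: the SQL text is constant and the driver binds the values,
    so a quote in the input is just a character to compare against."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The slide's password-field payload: closes the string, adds an always-true OR.
PAYLOAD = "wrong' OR '1'='1"
# Username-field variant (constructed): the -- comments out the password check entirely.
USERNAME_PAYLOAD = "' OR '1'='1' --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real credentials:  ", login_vulnerable(conn, "MyName", "s3cret"))
    print("vulnerable, injected password: ", login_vulnerable(conn, "MyName", PAYLOAD))
    print("vulnerable, injected username: ", login_vulnerable(conn, USERNAME_PAYLOAD, "x"))
    print("parameterized, injected:       ", login_parameterized(conn, "MyName", PAYLOAD))
```

Note that the injected query does not just log in as MyName: it returns every row in the table, and the application simply takes the first one, which is why the slide says the attacker can log in as any legitimate user.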

Page 18

Impact

Data theft/loss has a broad impact
• Federal and state laws (privacy, security, other)
• International laws
• Financial
  - Loss of business
  - Regulatory fines
  - Civil class actions
  - Remedial costs
• Reputational
  - Loss of goodwill
  - Negative press
  - Securities laws – proposal to require disclosure

Page 19

Prevention

Compliance controls
• Policies
• Data classification
• Training and awareness campaigns
  – Last line of defense but also the front line of attacks
  – What we need EVERYONE to know and do
  – Anti-phishing education is key
• Robust exit process for employees and contractors
• Investigate all cases and act against the offenders
• Manage third parties/contractors
• Be paranoid – they are out to get you……

Page 20

Technology
• Encryption of your data and devices helps but not against the internal threat
• Multi-factor authentication
  - User ID and password not enough
  - Additional factors can be something you have, something you are
• Access controls help but not against the internal threat
• Proxy hardening – authenticate all outbound Internet requests
• Log management – centralize log storage to facilitate the IRP
• Network monitoring
• Server security – focus on where sensitive information resides
• Increased vulnerability detection (perform pen tests)
• Keep up with your patches
• Eliminate unmanaged and rogue devices
• DLP tools

DLP tools
Block, warn, or record movement of data from PCs:
• SSNs, addresses
• E-mail addresses
• Customer information
• Health data
• Credit card data
• Bank accounts
• Ethnicity data
• Any custom filters…
Monitor e-mail, website uploads, transfers to external storage, instant messaging, and more

Device Control
• Block or allow removable media based on type or model (e.g. allow approved encrypted USB drive)
• Render devices read-only
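As an added illustration of the "block, warn, or record" behaviour listed above (example code written for this page, not from the original slides or from any DLP product), the following Python scans an outbound message for the kinds of data a DLP content filter looks for: card numbers validated with the Luhn checksum so that invoice numbers are not flagged, SSNs checked against the structural rules the SSA publishes, and a custom keyword filter. The policy table, the "INTERNAL ONLY" classification marker and the sample e-mail are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy: action per data type. Severity order is block > warn > record > allow.
DEFAULT_POLICY: Dict[str, str] = {"credit_card": "block", "ssn": "block", "keyword": "warn"}
SEVERITY = {"allow": 0, "record": 1, "warn": 2, "block": 3}

# 13-16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Custom filter: a constructed classification marker stamped on confidential files.
KEYWORD_RE = re.compile(r"\bINTERNAL[ -]ONLY\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    text: str


def luhn_valid(number: str) -> bool:
    """Mod-10 checksum every payment card number satisfies; filters out
    invoice and order numbers that merely look like cards."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Area 000, 666 and 9xx are never issued; group 00 and serial 0000 are invalid."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def scan(text: str) -> List[Finding]:
    """Content inspection over an outbound e-mail body, upload or file copy."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group(0)):
            findings.append(Finding("credit_card", m.group(0)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", m.group(0)))
    for m in KEYWORD_RE.finditer(text):
        findings.append(Finding("keyword", m.group(0)))
    return findings


def decide(findings: List[Finding], policy: Dict[str, str] = DEFAULT_POLICY) -> str:
    """Apply the policy and return the most severe action any finding demands."""
    action = "allow"
    for f in findings:
        candidate = policy.get(f.kind, "record")   # unknown types are recorded, not blocked
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action


# Constructed outbound e-mail body used to exercise the scanner.
SAMPLE_EMAIL = (
    "Hi Bob, the customer's card is 4111 1111 1111 1111, expiry 12/14.\n"
    "Her SSN is 123-45-6789. Invoice 4111-1111-1111-1112 is not a card.\n"
    "Attached: Q3 forecast (INTERNAL ONLY).\n"
)

if __name__ == "__main__":
    found = scan(SAMPLE_EMAIL)
    for f in found:
        print(f"{f.kind:12s} {f.text}")
    print("action:", decide(found))
```

Two design points carry over to real deployments: a checksum or structural test behind every pattern keeps the false-positive rate low enough that users do not learn to ignore the warnings, and the decision is the maximum over all findings, so a single card number in a long message is enough to block it.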

Page 21

Designing a DLP program – four pillars: People, Policy, Process, Technology
• Insight into all data movement & actions
• Education, communication & awareness programs
• Collaboration between Risk, IT, Legal, Compliance & HR
• Standardized processes to address data visibility

DLP is first and foremost a business strategy; technology is just a component

Some challenges
• $$$
• You can't lock it all down
• Procedures are burdening users – too much to understand and remember – complex policies, password management
• Users tend to ignore rules and find workarounds
• Too many places where proprietary data resides and too many ways that it can be lost/stolen
• Shrinking time between vulnerabilities and exploits: "0 Day Exploit" = exploit released into the wild before a patch or AV definition is available

Page 22

Handling incidents
• Be familiar with the privacy laws in your jurisdictions/state
  - Access to employee files
  - Access to emails (stored vs. in transit)
  - Recording phone calls
  - Keystroke loggers
• Be familiar with your corporate policies
• Monitor cases on the topic – U.S. courts are not consistent and the notion that in the U.S. there is no workplace privacy is misleading
• Outside the U.S. things get harder very fast
• What is your goal (get data back vs. punish)
• How much publicity can you afford

Conclusions
• Focus on the unintentional losses – that's the easiest to tackle
• Training and awareness are vital to protecting your data (and to distinguishing between intentional and unintentional acts)
• Technology is a key component, but realize that it always lags behind the threats, which makes a robust IRP critical
• Partner with your InfoSec guys as the threats are increasingly digital

Page 23

Orrie [email protected]

QUESTIONS?