RIT "Snowfall and Stolen Laptop" Research for Enterprise Security Models
Uploaded by clinton-den-heyer. Category: Internet.
I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.
Stephen Hawking
WE ARE VERY CREATIVE PEOPLE
01 SITUATIONAL ANALYSIS
02 SUPPORTING INFORMATION
Enterprise Security: Innovation Suggestions. RMIT, Clinton den Heyer
MACRO
CONTEXT
CASE QUESTIONS
OVERALL RECOMMENDATIONS
Please note: each section above is introduced by a chapter slide titled “We Are Very Creative People.”
Florida State: GENERAL LAPTOP GUIDELINES
Laptops offer a great convenience due to their portability. This portability, however, makes them a prime target for thieves. These thieves not only target portable computers for the value of the device itself, but also for the restricted data they might contain.
WE ARE VERY CREATIVE PEOPLE
By far, this is the most common response to discussions and presentations around issues of digital, internet, data, social and organisational security, and specifically personal safety. In part this is due to advances in technology; in part it is because this is not something most people ever want to deal with.
The potential loss and fallout posed by digital security breaches is crippling. To the largest degree, breaches occur due to human error. We must accept that, by and large, this is a human problem. Yet technology offers fascinating solutions.
In order to establish a case for RIT, and to allow people to work this out for themselves, let us first take a look at the metrics and resources that illustrate the current state.
“BUT IS IT REALLY THAT BAD?”
How much? It’s worth a lot.
The metrics on the right indicate a small snapshot of where ecommerce is, and where it is heading. Figures represent Google and Mobile for North America (RIT base country of operations). http://www.brainsins.com/en/blog/current-state-us-ecommerce-infographic/3609
What is at stake?
https://gigaom.com/2013/09/23/check-out-this-visual-map-that-shows-24-hours-of-internet-usage-around-the-world/
RED: Dense. Real time from botnet 2012 Census.
Mobile devices are now almost equal to desktop devices: https://www.hallaminternet.com/google-analytics-desktop-vs-mobile-vs-tablet-metrics/
BUT DEVICE USE IS CHANGING
Who is affected?
The World is On-Line
AGGREGATED THREAT METRICS
The following three resources represent industry standard metrics.
KASPERSKY: Available at apt.securelist.com
HUMAN FACTOR 2016: The cost of the human factor in breaches. Available from https://www.proofpoint.com/us/human-factor-2016-world-map
MCAFEE SDA: The SDA Cyber Defense Report sponsored by McAfee. www.mcafee.com
WHAT DOES BAD LOOK LIKE?
BOTTOM LEFT: NORSE: http://map.norsecorp.com/#/
BOTTOM RIGHT: SKYNET*: http://vignette1.wikia.nocookie.net/terminator/images/f/f1/Skynet_network01.jpg/revision/latest?cb=20120627213317
TOP LEFT and TOP RIGHT: MOBILE MALWARE: https://www.lookout.com/resources/reports/mobile-threat-report-2013 and DDoS: http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16911&view=map
A large number of real time threat maps are available online. They give concise details about worldwide attacks.
*SKYNET: I like to use this to see if anyone is paying attention or is a sci-fi fan. It’s kind of wonderful when art and reality collide.
But it remains a human problem
We are very creative people
We can figure this out
THIS IS A MASSIVE PROBLEM
It is a fairly open secret that almost all systems can be hacked, somehow. It is a less spoken of secret that such hacking has actually gone quite mainstream.
Dan Kaminsky
WE ARE VERY CREATIVE PEOPLE
CONTEXT
Assumptions have been made. Sections can be recognized by chapter slides titled “We are very creative people” accompanied by a quote.
1. SHORT. Steps taken by Ballard and Francesco: which were effective and ineffective? Arguably, none of the steps were effective given the potential loss of resources and brand equity.
2. MEDIUM. Role of the Dean: what digital assets might he use, what might be stored, and what kind of vulnerability if compromised? Digital assets identified in the case, vulnerabilities not addressed, and a list of assumptions provided.
3. LONG TERM. COB Infosec controls and incident response activities: the main weakness, and key takeaway, is that RIT is operating with a fragmented security architecture and does not have a consolidated direct response security division. Security threats are increasing; suggestions have been made.
ASSUMPTIONS. This research takes the position that any organizational employee assigned a laptop will be using it to full functionality. Areas addressed: mobile device functionality, APIs, browsers, social.
STEPS TAKEN
Actors: BALLARD, ISO, FRANCESCO, DEAN. Legend: EFFECTIVE, NEEDS ADDRESSING, SUGGESTED.
TIMELINE
1. DEAN (presumably Sunday evening): Discovers missing laptop. Calls police. Emails BALLARD (email is now a vulnerability, as phone sync was later established). Awaits police. Call HEAD OF RIT IT SECURITY. Translate details of theft: just the laptop, or other household items? RECALL: open items, whether the laptop is password protected, any critical files on the HD.
2. BALLARD: Calls DEAN; cannot get through, emails. Receives answer. Enabled asset management alerts. SHOULD CALL RIT ISC. Contacts FRANCESCO. Contacts RIT Public Safety. Call DEAN again. Email list of critical questions. Contact COB Infosec for next steps.
3. BALLARD (Monday, assumed, morning before 9.30am): Locates new laptop from pool of refreshed laptops. LANDesk utilized. DEAN’s new laptop configured to preferences. Meeting scheduled with DEAN.
4. RIT INFORMATION SECURITY COUNCIL: Inform BALLARD that ISO and ITS have been notified. ISO and ITS had also been in touch with BALLARD. FRANCESCO now in the loop.
5. BALLARD, FRANCESCO, DEAN: Concern for potential credit monitoring if student PII on laptop expressed. FRANCESCO asks DEAN about info on HD. Established: faculty salary information on HD. HD had prior PII deleted (therefore still on HD). Too late for this information; it should have been established immediately.
6. DEAN, FRANCESCO, BALLARD: Confirms OUTLOOK emails synced with phone. Establish that data has not been backed up. New machine restored from last backup.
7. DEAN: Not sure of last backup. Last backup two months ago. Hard to establish what data is missing on stolen HD.
8. FRANCESCO, BALLARD.
CONCERNS WITH STEPS IDENTIFIED
This is the second time a security breach has occurred at RIT due to stolen laptops. The cost to RIT if compromised is potentially significant. The loss of reputation would hinder the extended mission of the institution to assist in the process of state invigoration and invariably cause loss of both income and resources.
Individuals that may have been compromised should be informed. Violating RIT policy and New York legislation was irresponsible. Individuals and agencies need to be notified; Francesco and Ballard have effectively taken the law into their own hands.
The overall assessment, being satisfied by the outcome, indicates that no lessons were actually learned. No documentation was expressly supplied to COB, meaning that decision makers had no access to adjust policy and guidelines, much less protect their assets and integrity. Furthermore, the Dean’s two-month-old backup leaves a gap in quantitative knowledge. At the very least, his own PII may have been on the stolen laptop.
Loss of laptops, while a seemingly small area of concern for enterprise security, represents a significant portal for large-scale loss. In malicious hands, a laptop can provide enough information for a skilled impersonator to access critical areas of an organisation’s architecture.
Laptop password authentication may be easily bypassed by individuals experienced in IT.
SUGGESTED
POINT OF NOTIFICATION: Dedicated Technical Security team notified of theft or data breach. Relevant authorities notified. Relevant heads of organization notified. Color code system: Red, Amber, Green for levels of vulnerability, process and levels of escalation.
TECHNICAL SECURITY TEAM: Utilize last backup and scan of breached hardware or software to ascertain level of vulnerability. All users’ equipment is backed up automatically when on campus. Various solutions are available for this.
VULNERABLE SOFTWARE FLAGGED: Social, browsers, APIs and common updates for Windows devices are flagged. Steps taken to mitigate vulnerabilities. Outlook vulnerabilities patched.
BACK UP TO ENCRYPTED CLOUD: Off-site usage can be monitored by cloud-based HD snapshot software.
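The colour-coded escalation and the backup check above, worked through over the facts of the case as an added example (not code from the deck or from RIT); the record schema, the weekly backup window, the fact-to-level mapping and the Dean's dates are assumptions:

```python
"""Stolen-laptop triage against the deck's Red/Amber/Green escalation levels.

Added illustration, not code from the original deck. The record schema,
the thresholds and the fact-to-level mapping are assumptions; the deck
names the colour levels but does not define them.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

BACKUP_MAX_AGE_DAYS = 7  # assumed policy window; the deck suggests weekly backups


@dataclass
class DeviceRecord:
    """Asset-register facts about a lost device (constructed schema)."""
    asset_tag: str
    owner: str
    full_disk_encryption: bool      # pre-boot encryption, not just an OS password
    last_backup: Optional[date]     # None when no backup is on record
    pii_ever_stored: bool           # counts PII that was merely deleted
    mail_synced_to_device: bool     # Outlook cache present on the laptop


@dataclass
class Triage:
    level: str                      # "GREEN", "AMBER" or "RED"
    notify: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def triage_lost_device(rec: DeviceRecord, lost_on: date) -> Triage:
    t = Triage(level="GREEN", notify=["Technical Security team"])
    # Without disk encryption the OS password is only a speed bump and deleted
    # files remain recoverable, so PII that was ever on the disk is exposed.
    if not rec.full_disk_encryption:
        t.findings.append("no full-disk encryption: OS password is bypassable")
        if rec.pii_ever_stored:
            t.level = "RED"
            t.findings.append("PII assumed exposed (deleted data remains on HD)")
            t.notify += ["Head of organization", "Legal (breach notification law)",
                         "Affected individuals"]
        else:
            t.level = "AMBER"
    # Backup age decides whether the lost data set can be enumerated at all.
    age = None if rec.last_backup is None else (lost_on - rec.last_backup).days
    if age is None:
        t.findings.append("no backup: lost data cannot be enumerated")
    elif age > BACKUP_MAX_AGE_DAYS:
        t.findings.append(f"backup is {age} days old: lost data cannot be enumerated")
    if (age is None or age > BACKUP_MAX_AGE_DAYS) and t.level == "GREEN":
        t.level = "AMBER"
    # A cached mailbox stays readable from the device until credentials are
    # rotated and sessions revoked, whatever the level.
    if rec.mail_synced_to_device:
        t.findings.append("mailbox cached on device: rotate credentials, revoke sessions")
        t.notify.append("Mail/identity admin")
    return t


# Constructed record mirroring the Dean's laptop in the case: no encryption
# mentioned, faculty salaries and previously deleted student PII on the HD,
# backup about two months old, Outlook synced with his phone. Dates assumed.
DEAN_LAPTOP = DeviceRecord("COB-LAPTOP-01", "Dean", False, date(2016, 1, 10), True, True)


def dean_case() -> Triage:
    """Triage the constructed Dean record; the theft is assumed on Sunday 2016-03-13."""
    return triage_lost_device(DEAN_LAPTOP, lost_on=date(2016, 3, 13))


if __name__ == "__main__":
    result = dean_case()
    print(result.level, result.notify, *result.findings, sep="\n")
```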
WE ARE VERY CREATIVE PEOPLE
The problem of viruses is temporary and will be solved in two years.
John McAfee, 1988
DEAN’S LAPTOP
Vulnerabilities in GREY area. Suggestions in WHITE (white-hat) area.
OUTLOOK: Information in Outlook is stored in an HD cache file. Immediately available.
HD HISTORY: HD history stored as drafts. Available to extract with freeware.
DEFINED HIERARCHY: Governance should dictate levels of monitoring and usage. Rights assigned on a need basis.
ATTACHMENTS: Scanned via central database. Remote scans of HD should indicate vulnerable software and APIs installed.
DEAN’S REQUIREMENTS
Individuals use a random assortment of browsers, APIs, social networking sites and enterprise solutions depending on their requirements, preferences and option exposure. Almost all expose vulnerabilities.
SOCIAL: Social (FB, LinkedIn, Twitter) plus academic (Academia.edu, ResearchGate.net, Slideshare.net, an extension of LinkedIn). All accessed via FB.
ENTERPRISE CLOUD: Blackboard or similar SaaS offering. SAP and ORACLE both suffer numerous breaches and are particularly vulnerable as patches are not often applied after installation.
SAFE FILE SHARE: Any file sharing not detected by Outlook as malicious, or any file sharing through browsers such as Mozilla, DuckDuckGo, Tor or Chrome, may expose vulnerabilities.
DATA BACKUP: Lack of data backup costs an organization in efficiency. Mitigating actions for data breaches can be sped up if backup information is immediately available.
SUGGESTIONS
Technology and data encryption are not advanced enough to ensure all potential breach portals are safely secured. Suggestions are best practice given current limitations. All mobile devices are assumed included.
GOVERNANCE: Lock devices. Use non-standard passwords. Admin authorization required for restricted and banned sites. Hierarchy of governance relating to position and permissions established.
REMOTE FIREWALL: Access to the HD of any connected device requires a permissioned firewall. This should be updated regularly.
ENCRYPTION: Remote encryption for access. Encrypted password for turning the device on.
AUTO UPDATE: Ensure that weekly backups, software and data scans are completed. Set frequency according to risk and position permissions.
ORGANIZATIONAL VULNERABILITY
Remote devices, digital use, footprint and HD storage only represent a small part of the potential vulnerability that universities face. Any updates, enterprise applications, or use of ERP applications (such as PeopleSoft and the well publicized TokenChpoken breach) expose such organizations to constant orchestrated breaches. ERPs are particularly vulnerable.
COMMUNICATE: The key to solution thinking is communication, understanding and permission-based trial and error.
INNOVATE: Innovation requires teams, new thinking, old thinking and disrupted incubators.
UPDATE: Ensure the organization is up to date across all areas of identifiable vulnerabilities.
WHAT CAN WE DO ABOUT THIS?
Innovation stems from need, reward, and a lack of resources. It also stems from shared values and a willingness to make a difference.
Ultimately, breaches are conceived by creative individuals. Universities possess an unlimited resource of creative innovators and experienced gatekeepers. How can we utilize such resources effectively?
WE ARE VERY CREATIVE PEOPLE
If operating in a network environment, do not place public domain or shareware programs in a common file-server directory that could be accessible to any other PC on the network.
John McAfee
CURRENT + SUGGESTED
The current RIT architecture is siloed and decentralized. Key players in the case did not appear, via the narrative, to learn much from the theft other than the importance of backups. There is nothing to indicate that this story will not be repeated in the same fashion as reported. The key learning from this case is that a new model should be established.
CENTRALIZATION: A central security agency needs to be established first.
INNOVATION: RIT has ready access to great minds. Real-world applications are a value proposition for students.
It is the opinion of this research that centralization is not a one-size-fits-all approach; however, given the fragmentation of the current structure, a hybrid model is recommended. This model requires a centralized approach and a decentralized innovation team. Recommended models utilize abundantly available RIT resources.
OVERALL OBJECTIVES
RIT’s Digital Security Department will instigate processes and policies to:
Identify and Protect
Monitor and Detect
Respond and Recover
Reduce Risk
Current Model: related areas of fragmented vulnerability highlighted
Consolidating an IT governance and management structure is never easy. The nature of the technology itself is fragmented and specialized. Creating an appropriate architecture is challenging. The following areas are closely related but operate under siloed departments.
BUSINESS CONTINUITY: Most at risk if security is compromised.
INFORMATION & TECHNOLOGY SERVICES: Responsible for areas that include security, yet fragmented from Security.
INFORMATION SECURITY: Should be the main focus, as a serious prolonged breach will cease all other operations.
LEGAL SERVICES: Directly affected in the event of a breach.
Centralized approach to Enterprise Security
To Be Model
CENTRALIZED: Reporting, governance and responsibility.
METRICS: Data and analytics drive organizational decision making.
STRUCTURED: Fragmented areas of responsibility re-defined, silos considerably reduced.
COMMUNICATION: Across vital areas of the organization, between technology and people.
Combining all digital security requirements into one division will consolidate future risk and allow RIT to ensure that assets are secure.
Steps to deliver RIT’s Digital Security Architecture and Future-Proof Strategy
APPROACH: DETERMINE | DISCOVER | DESIGN | DELIVER
DIGITAL TECHNOLOGIES: DATA & ANALYTICS | AI | MONITORING & ASSESSMENT | EMERGING TECH
COMMUNICATION & INNOVATION: COMMUNICATION | EXCHANGE | DISRUPTION | INNOVATION
ORGANIZATIONAL FRAMEWORK: INTEGRATION | FUTURE GROWTH | INTERNAL FOCUS | EXTERNAL FOCUS
APPROACH
Build a security strategy using a structured four-stage process: DETERMINE, DISCOVER, DESIGN, DELIVER.
The Determine phase defines the objectives of the strategy. Key stakeholders are consulted, legislation is factored in, data and analytics are gathered.
The Discover phase defines the baseline and current situation for the strategy. This phase incorporates innovation gathered from all areas of RIT.
The Design phase builds the digital strategy: the architecture, the areas of focus and the initiatives to deliver. Capability and maturity models are utilized.
The Deliver phase creates the implementation plan for both the strategy and supporting structures. Continuous improvements are made to ensure future-proofing.
DIGITAL TECHNOLOGIES
Building on quantifiable data and analytics toward process automation: DATA & ANALYTICS, AI, MONITORING & ASSESSMENT, EMERGING TECH.
A digital security strategy integrates digital technologies into a company’s strategies and operations in ways that not only protect, but fundamentally alter the value chain. Security research and capability is a market predicted to be investing in 2025 at the same levels that medical research is investing in 2016.
AI is capable of identifying and predicting up to 85% of digital threats.
Approaches | Architecture
Diagram nodes: Enterprise Portal (HOME BASE); Executive Governance; Innovation Green Light; Channel Management; Champion Innovation; Broadcast Innovation; External Consultants; Innovation Incubator Home Base; Green Light; Xone Matrix; Best ideas; RIT D & A; RIT Faculty; RIT Information School; RIT Dept Heads.
COMMUNICATION & INNOVATION
Strategy
COMMUNICATION: Working in groups with different specialities.
EXCHANGE: Teams are made up of people from different backgrounds and expertise.
DISRUPTION: Teams are broken up consistently before they conform.
INNOVATION: Fed back to Home Base.
ORGANIZATIONAL FRAMEWORK
This approach is built on cross-platform communication to guide the overall strategy of RIT.
The five areas of intelligence are necessary as we approach integration of IPv6 and 3.0, the Semantic Web: RIT Digital Security; RIT Product Planning; RIT Data & Analytics; RIT Customer Decision Journey; RIT Finance & Budget.
STRATEGY (diagram): LEGISLATION & CROSS BORDER MANAGEMENT; PARTNERSHIPS & ECO-SYSTEM LEVERAGE; DATA ANALYTICS & INSIGHTS; INNOVATION CULTURE; BRAND & POSITIONING; FUTURE GROWTH; DIGITAL GOVERNANCE. FUTURE PROOF STRATEGY: EXTERNAL FOCUS, INTERNAL FOCUS.
By focusing the development of security strategies on D&A combined with RIT’s innovation resources, a framework can be established to protect, plan, educate and future-proof while adding value to RIT’s branding and positioning.
WE ARE VERY CREATIVE PEOPLE
Software production is unlike any other production that preceded it. No raw materials are required, no time is required, and no effort is required. You can make a million copies of a piece of software instantaneously for free. It's a totally new paradigm of production.
John McAfee
RECOMMENDED RESOURCES: THE INTERNET
http://michellechandra.github.io/synchronicity.html
http://www.bustle.com/articles/96396-how-many-people-are-on-the-internet-in-the-world-this-map-shows-you-and-its
https://www.shodan.io
http://www.businessinsider.com.au/this-world-map-shows-every-device-connected-to-the-internet-2014-9?r=US&IR=T
http://www.internetworldstats.com/stats.htm
http://internet-map.net
http://data.worldbank.org/indicator/IT.NET.USER.P2/countries/1W?display=map
http://www.theverge.com/2016/2/22/11075456/facebook-population-density-maps-internet-org
http://qz.com/215669/forget-drones-microsofts-plan-to-bring-the-internet-to-the-world-is-all-about-tv/
https://www.e-nor.com/blog/google-analytics/abcs-of-google-analytics
http://www.cpcstrategy.com/blog/2013/08/ecommerce-infographic/
http://www.businessinsider.com.au/google-search-traffic-mobile-passes-desktop-2015-5?r=US&IR=T
https://searchenginewatch.com/sew/opinion/2353616/mobile-now-exceeds-pc-the-biggest-shift-since-the-internet-began
https://www.hallaminternet.com/google-analytics-desktop-vs-mobile-vs-tablet-metrics/
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
RECOMMENDED RESOURCES: THREATS
http://www.theregister.co.uk/2014/09/15/wikileaks_leaks_finfisher_docs_binaries/
https://community.rapid7.com/community/infosec/blog/2012/08/08/finfisher
http://www.securityweek.com/growing-number-governments-using-finfisher-spyware-report
https://commons.wikimedia.org/wiki/File:FinFisher_proxy_networks.jpg
http://threatmap.fortiguard.com
https://www.checkpoint.com/ThreatPortal/livemap.html
http://www.businesscloudnews.com/2015/11/27/conficker-is-commonest-criminal-in-the-cloud-says-threatcloud-report/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.trendmicro.com/us/security-intelligence/current-threat-activity/global-botnet-map/index.html
http://www.csoonline.com/article/2130877/data-protection/data-protection-the-15-worst-data-security-breaches-of-the-21st-century.html
http://www.networkworld.com/article/2185187/security/15-worst-internet-privacy-scandals-of-all-time.html
http://www.devry.edu/blog/2014/02/top_information_security_breaches_in_history.html
http://blog.maytech.net/history-of-data
http://www.dailymail.co.uk/news/article-3181179/Shocking-map-shows-600-times-Chinese-hackers-stolen-American-secrets-past-five-years.html
RECOMMENDED RESOURCES: SECURITY
http://www.slideshare.net/Sligo/Most-malignant-viruses?qid=0b4c1910-5967-427a-a477-7dd47a8a8aff&v=&b=&from_search=10
http://www.slideshare.net/cyberjure/virus-or-worm-attacks-india?qid=0b4c1910-5967-427a-a477-7dd47a8a8aff&v=&b=&from_search=6
http://www.slideshare.net/CelloLtd/marcelo-silva-lot2task2final?qid=fe9ce00f-0501-4f5f-b446-adf9620a76e1&v=&b=&from_search=12
http://www.slideshare.net/InstartLogic/webinar-behavioral-shifts-in-recent-ddos-attacks-that-should-get-you-worried?qid=fe9ce00f-0501-4f5f-b446-adf9620a76e1&v=&b=&from_search=2
http://www.slideshare.net/matrosov/zn2012-pdf?qid=e10dd516-2d89-4322-b656-3f21e5480f14&v=&b=&from_search=12
http://www.slideshare.net/elie-bursztein/lessons-learned-while-protecting-gmail?qid=e10dd516-2d89-4322-b656-3f21e5480f14&v=&b=&from_search=10
http://www.slideshare.net/Dell/ten-expert-tips-on-internet-of-things-security?qid=37865bd8-b543-4327-b448-acb6a6dc3e4f&v=&b=&from_search=3
http://www.slideshare.net/abhijitjgd214/graphical-password-authentication-36753648?qid=3643fffb-fbe9-4919-9e16-4120cce7c9ac&v=&b=&from_search=4
https://nz.pinterest.com/adgcreative/cyber-security-visualizations/
METRIC-BASED INFOGRAPHICS
Top to bottom, left to right:
http://raconteur.net/infographics/security-in-the-cloud
http://blog.theimf.com/2015/06/study-shows-high-rate-of-businesses-hacked-risk-managers-want-more-resources-to-prevent-hacking/
http://www.lockheedmartin.com/content/dam/lockheed/data/space/documents/AEHF/Infographic%20Screen%20layout%20FINAL.jpg
http://cbspulse.com/2015/07/05/infographic-cybersecurity-tactics-now/
https://nz.pinterest.com/pin/294000681900481386/
http://www.svb.com/cybersecurity-report-infographic/
IFSEC / BEECHAM RESEARCH
The Periodic Table of Security is considered by many as an industry benchmark for security protocols. http://www.ifsecglobal.com/periodic-table-of-security/
The Beecham Research IoT vulnerability map provides speculation on immediate areas of concern for IPv6. http://www.beechamresearch.com/download.aspx?id=43
REAL TIME ATTACK MAPS
http://www.networkworld.com/article/2366962/microsoft-subnet/spellbound-by-maps-tracking-hack-attacks-and-cyber-threats-in-real-time.html
http://krebsonsecurity.com/2015/01/whos-attacking-whom-realtime-attack-trackers/
MAPS OF THE INTERNET
http://internetcensus2012.bitbucket.org/images.html
http://blog.visual.ly/mapping-the-internet/
ATTACK METRICS
Clinton den Heyer [email protected]