Critical Data Points to Assess the True Risk of a Data Breach
PRESENTED BY Ali Alwan, Director, SecurityScorecard, Inc.
AGENDA
• Paradigm shift from fortress mentality to security ecosystem
• Examples of data points around us
• Security benchmarking: outside-in approach
• Analysis of financial services industry trends
Paradigm Shift – From Fortress to Ecosystem
• FORTRESS
• High level of trust
• You own the blueprint
• Control of audit, policies
• “Crown jewels” are in a centralized, monitored data center
• “IF we get breached…”
Paradigm Shift – From Fortress to 3rd Party Ecosystem
• ECOSYSTEM
• Empowered employees (BYOD)
• Decentralized infrastructure with many 3rd party cloud services
• Limited audits without validation
• “Crown jewels” are everywhere – continuity is not
• Only as strong as your weakest link
• “WHEN we get breached…”
Third Party Risk Challenge
• Your company spends millions of dollars on IT security – systems, technologies, appliances
• InfoSec professionals
• Internal Audit professionals
• External Auditors
• Processes, technologies, systems
• Then some manager in marketing dumps your client data to an Excel spreadsheet, and emails it to a direct mail firm in Omaha.
• Perhaps even worse – Usually not random. Usually not one vendor. Often thousands of vendors.
Third Party Breach – The Numbers
• 41% to 63% of breaches involved third parties
• Per-record costs of a 3rd party breach higher – $231 vs. $188
• 71% of companies failed to adequately manage risk of third parties
• 92% of companies planned to expand their use of vendors in 2013
• 90% of anti-corruption actions by DOJ involved 3rd parties
Target by the Numbers – Remember Fazio HVAC?
40,000,000 – Number of credit and debit card numbers stolen
70,000,000 – Number of non-credit-card PII records stolen
November 27 to December 15, 2013 – Duration of theft
46% – The percentage drop in profits for 4th quarter 2013 from the year before
$250,000,000 – Total estimated costs as of August 2014
$90,000,000 – Amount paid by Target’s insurers (maxed out)
$54,000,000 – Estimated amount generated from sale of cards stolen
0 – Number of CIOs and CEOs who kept their jobs
So 3rd party risk is a high priority, right?
98% of IT pros feel third-party secure access is not a top priority
– Soha Systems via SC Magazine, May 2016
CURRENT STATE OF THIRD PARTY CYBERSECURITY
• Ineffective point-in-time security snapshots
• Pen & paper questionnaires – expensive, time consuming, and difficult to validate
• Intrusive penetration tests require expensive and time consuming site visits
• Difficult to meet needs of business
• Slow process to onboard new vendors
• Challenging to communicate security challenges to business executives
• Offer lower risk vendor alternatives
• Labor intensive
• Unable to scale program beyond a small subset of critical high risk vendors without a big increase in both Risk & Security teams
• Difficult to prioritize vendors without benchmarked data
• Challenging to substantiate survey responses and ensure ongoing compliance
TPRM – What It Is
Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
No universally accepted framework like COBIT or COSO
TPRM – Who It Is
• Vendors
• Customers
• Joint Ventures
• Counterparties
• Fourth parties
AGENDA Examples of Critical Data around us
Question: What year was Castello di Amorosa castle built in?
Critical Data Point: construction photos of the same castle. Any other guesses?
Question: How secure is National Weather Service from 0-100?
Critical Data Point: a “Dorking” query which discovers a bad XSS injection
"failed to open stream: No such file or" AND -"topic" AND -"topics" AND -"reply" AND -"replies" AND -"forums" AND -"forum" AND -"answer" AND -"inject" AND -"comment" AND -"comments" AND -"exploit" AND -troubleshoot AND -"troubleshooting" AND -"Previous message" AND -"posts" AND -"documentation" AND -"bug" AND -"discourse" AND -inurl:"forum" AND -"discussion" AND -inurl:"collab" AND -inurl:"community"
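As an added example, not part of the original deck, a small Python check a defender can run over their own crawled pages to find the verbose PHP error text that the dork above searches for, before a search engine indexes it; the URLs and page bodies are constructed samples, and the signature set is an assumption based on PHP's default display_errors output format.

```python
import re

# Constructed sample page bodies (not real sites): the text a search engine
# would index for each URL. Only the second page leaks a PHP warning.
SAMPLE_PAGES = {
    "https://example.test/about": "<html><body><h1>About us</h1></body></html>",
    "https://example.test/culture.php?id=1": (
        "<b>Warning</b>: include(/var/www/html/inc/footer.php): failed to open "
        "stream: No such file or directory in <b>/var/www/html/culture.php</b> "
        "on line <b>42</b>"
    ),
    "https://example.test/news": "<html><body>No errors here</body></html>",
}

# Signatures of verbose PHP errors reaching the client. The first is the phrase
# the dork on this slide searches for; the others catch the standard PHP
# display_errors output format (error type, file path, line number).
LEAK_SIGNATURES = {
    "open_stream": re.compile(r"failed to open stream: No such file or"),
    "php_error_banner": re.compile(r"<b>(?:Warning|Fatal error|Notice|Parse error)</b>:"),
    "file_and_line": re.compile(r" in <b>/[^<]+</b> on line <b>\d+</b>"),
}

# Absolute *.php paths disclosed in an error message (server layout leak).
PATH_RE = re.compile(r"/(?:[\w.-]+/)*[\w.-]+\.php")


def find_leak_signatures(body):
    """Return the names of the signatures that match a page body."""
    return [name for name, rx in LEAK_SIGNATURES.items() if rx.search(body)]


def leaked_paths(body):
    """Return server-side file paths disclosed in body, in order, without duplicates."""
    return list(dict.fromkeys(PATH_RE.findall(body)))


def audit(pages):
    """Map each leaking URL to its matched signatures and disclosed paths."""
    report = {}
    for url, body in pages.items():
        hits = find_leak_signatures(body)
        if hits:
            report[url] = {"signatures": hits, "paths": leaked_paths(body)}
    return report


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_PAGES).items():
        print(url, finding)
```

A page that trips any signature should have display_errors turned off (log errors server-side instead) and the disclosed paths treated as already public.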
Question: Should I book my vacation to China on chinavista.com? http://travel.chinavista.com/culture2.php?id=1
AGENDA Security Benchmarking: Outside/In Approach
[Diagram] 3rd Party Ecosystem – Attack Surface & Degrees of Threat Are Expanded. Diagram labels: Fortress; Habitat; Direct infiltration / exfiltration; Pathway infiltration / exfiltration; Indirect data exfiltration.
Are there subtle “data points” that can help us identify companies at significantly higher risk of being breached?
• FOR MY COMPANY
• What can a hacker find out without knocking on my door?
• Do you know?
• System or app misconfigurations
• Unpatched or insecure technology
• Inadvertent exposure
• Self-enumeration
• “Unknown unknowns”
• FOR MY THIRD PARTIES
• Are my partners as diligent as I am in protecting my data?
• Do you know?
• Do the questionnaire results match their true posture?
• Litmus test – reflections of maturity and awareness
Examples of Critical Data Points Beyond Malware
• Take a holistic approach to security risk assessments
• Security is more than just understanding malware
• Trust but validate
• Data with more depth and breadth
DORKING – Prevent sensitive information accessibility through advanced search techniques
APPLICATION SECURITY – Determine if insecure applications exist that may yield information leaks
COMPLIANCE VALIDATION – Validate compliance with ISO 27001, SIG, & NIST to identify potential gaps in your information security framework
SOCIAL ENGINEERING – Understand risk for non-technical intrusion based on human interaction
CREDENTIAL LEAKS – Instantly know if corporate passwords are circulating out in the hacker underground
HACKER CHATTER – Uncover and monitor chatter that puts your company at risk