Cyber Security: User Access Pitfalls

Presentation Transcript


  1. Cyber Security: User Access Pitfalls Presented by Karla Sasser, CPA, CITP, CIA

  2. Learning Objectives
  • Understand the password’s role and limitations in protecting privacy
  • Understand the password’s role in the most infamous data breaches
  • Learn the latest trends in password security

  3. Understand the password’s role and limitations in protecting privacy

  4. Why Talk About Passwords?
  • SECURITY IS A NEGATIVE GOAL.
  • There are exactly two keys to information security:
    • Configure the system and network correctly and keep it that way
    • Know the traffic coming into and out of your network
  • Network security tasks:
    • Protection – configure as correctly as possible
    • Detection – quickly identify configuration changes or traffic issues
    • Reaction – respond as quickly as possible

  5. Defense in Depth
  • Security defensive lines and countermeasures to protect the integrity of information assets
  • Five architectures to develop defense in depth:
    • Perimeter Defense – firewalls for segregating internal trusted zones from the internet; access is granted by role-based access controls
    • Network Defense – subdividing the internal network into trusted zones; access is granted by role-based access controls
    • Host Defense – identify and locate information assets that need protection
    • Application Defense – prioritize the information assets to be protected
    • Data Defense – role-based access controls
  • Cryptography is the only remaining protection for information assets when defense in depth fails.

  6. What is a password?
  • A string of characters used to verify the identity of a user during the authentication process.
  • Typically used in conjunction with a username; passwords are designed to be known only to the user and allow that user to gain access to a device, application or website.
  • Can vary in length and can contain letters, numbers and special characters.

  7. Role-Based Access
  • What does role-based security mean?
    • A principle by which systems are designed to limit access or restrict operations according to a user’s assigned role within a system. Also known as role-based access control (RBAC).
    • Many businesses and organizations use this principle to ensure that unauthorized users do not gain access to privileged information within an IT architecture.

  8. Principle of Least Privilege Access
  • Defined as the practice of limiting access to the minimal level that will allow normal functioning; it applies to both human and system user access
  • Originated with the US Department of Defense in the 1970s to limit the potential damage of any accidental or malicious security breach
  • It is the underlying principle and the predominant strategy used to assure confidentiality within a network
  • Role-based access was developed to group users with common access needs, simplifying security and security maintenance
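
  As an added illustration of slides 7 and 8 (example code written for this page, not from the presentation): a small role-based access control check in Python that applies least privilege with deny-by-default, records every allow/deny decision so access activity can be monitored, and produces the privileged-access listing that a periodic user access review (slide 10) starts from. The role names, permission strings and user names are constructed for the example.

```python
"""Added example (not from the presentation): a minimal role-based access
control (RBAC) check that applies least privilege. The roles, permissions and
users below are constructed for illustration, not a real system's configuration."""
from dataclasses import dataclass, field

# Constructed role -> permission map. A role receives only the operations its
# job needs; anything not listed here is denied by default.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"invoice:read", "invoice:create"},
    "ap_manager": {"invoice:read", "invoice:create", "invoice:approve"},
    "auditor":    {"invoice:read", "audit_log:read"},
    # The admin role manages accounts but deliberately holds no business-data
    # rights, mirroring the advice to keep admin and user accounts separate.
    "sysadmin":   {"user:create", "user:disable", "role:assign"},
}

# Permissions an access review should pay special attention to (assumed set).
PRIVILEGED = {"invoice:approve", "role:assign", "user:create", "user:disable"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


def permissions_for(user: User) -> set:
    """Union of the permissions of the user's roles; disabled users get nothing.
    An unknown role name grants nothing rather than raising, so a typo in a
    role assignment fails closed."""
    if not user.active:
        return set()
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: User, permission: str, audit_log: list) -> bool:
    """Deny-by-default check. Every decision is appended to audit_log so that
    denied attempts can be monitored, not just successful ones."""
    allowed = permission in permissions_for(user)
    audit_log.append((user.name, permission, "ALLOW" if allowed else "DENY"))
    return allowed


def access_review(users: list) -> dict:
    """Periodic user access review: list each active user's privileged
    permissions so reviewers can confirm each one is still justified."""
    report = {}
    for user in users:
        held = permissions_for(user) & PRIVILEGED
        if held:
            report[user.name] = sorted(held)
    return report


if __name__ == "__main__":
    log = []
    alice = User("alice", {"ap_clerk"})
    bob = User("bob", {"ap_manager"})
    root = User("root", {"sysadmin"})
    carol = User("carol", {"ap_manager"}, active=False)   # left the company
    for u, p in [(alice, "invoice:approve"), (bob, "invoice:approve"),
                 (root, "invoice:read"), (carol, "invoice:read")]:
        print(u.name, p, authorize(u, p, log))
    print(access_review([alice, bob, root, carol]))
```

  Two design points worth noting: the admin account cannot read invoices at all, so a compromised admin credential does not by itself expose business data, and a disabled account or a misspelled role yields an empty permission set rather than an error, so the check fails closed.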

  9. Polling Question: What is a password?
  • A string of characters used to verify the identity of a user
  • Component of role-based access
  • A component of defense in depth
  • All of the above
  • None/Don't Know

  10. Questions to keep in mind as you evaluate the security of your computer operations
  • Do you have a network access password change policy?
  • Do you have qualified IT support?
  • Is one of the IT guidance frameworks relevant to your organization? COSO and/or COBIT and/or ISO and/or PCI?
  • Does your company perform a periodic user access review? Are all user accounts reviewed, including B2B, generic/system, cloud apps and 3rd party vendors?
  • Does your organization have a proven system for monitoring user access activity?

  11. Problems with passwords

  12. Problems with Passwords
  • People, process and technology are all needed to adequately secure a system
    • When left on their own, people will make the worst security decisions
    • Without any security training, people can be easily tricked into giving up their passwords
  • Passwords can be insecure
    • People will choose easily remembered and easily guessed/cracked passwords
  • Passwords can be easily broken
    • Free programs are available on the Internet that can “crack” passwords
  • Passwords are inconvenient
    • Computer-generated passwords can be difficult to remember and are written down
  • Passwords do not have any authority
    • Use of a password does not confirm the identity of the user entering the password

  13. Number of Cloud Apps a Company is Using
  • The cloud is nothing more than someone else’s computer.
  • Survey results released by Netskope in February 2018 revealed that:
    • On average 1,181 apps are in use within each enterprise, with the top categories being marketing, human resources, collaboration, storage and finance/accounting
    • 13.6% of cloud app users currently use compromised account credentials at work
    • 4.1% of enterprises have sanctioned apps that are laced with malware
  https://resources.netskope.com/cloud-reports/february-2018-netskope-cloud-report
  https://www.netskope.com/press-releases/

  14. Passwords – Cloud Apps and Remote Contractors
  • Cloud apps and remote contractors represent a significant risk to the overall security of the company’s information assets because:
    • Cloud apps can be implemented and remote contractors can be engaged without any knowledge from IT
    • Most companies do not have one central point of authority for cloud apps and remote contractors
    • There is a general lack of understanding of the scope of work for cloud apps and remote contractors, so elevated access is generally granted without any consideration of the risks
    • User access cannot be validated against Active Directory or another user list
    • Often there are exceptions granted to the company’s password policy
    • One user account is shared among multiple users

  15. Polling Question: What is the biggest problem with passwords?
  • Passwords can be insecure
  • Passwords can be easily broken
  • Passwords are inconvenient
  • Passwords do not have any authority
  • All of the above

  16. Data Breaches and the Password’s Role

  17. Sony Hack: A Timeline
  • Nov 24 2014 – News breaks that Sony Pictures has been hacked.
    • The “Guardians of Peace” obtained 100 terabytes of data from the servers
  • Nov 27 2014 – 4 yet-to-be-released films were uploaded to an online file share site
  • Dec 1 2014 – Pre-bonus salaries of 17 top Sony executives are leaked
  • Dec 2 2014 – Sony chiefs confirm the breach, and employee information was included in the compromised data
  • Dec 16 2014 – Sony receives emails threatening to attack movie theaters that show The Interview (http://www.imdb.com/title/tt2788710/)
  • Dec 17 2014 – Sony cancels the release of The Interview
  • Dec 19 2014 – The FBI confirms that North Korea was behind the cyber attack
  http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/

  18. Sony continued – How the hack happened
  • The hackers gained access to Sony’s network by obtaining the login credentials of a high-level systems administrator. Once the hackers obtained the credentials, they were granted “keys to the entire building,” according to a U.S. official.
  • They hacked into one server that was not well protected and escalated the attack to gain access to the rest of the network.
  • Sony’s network was not layered well enough to prevent breaches occurring in one part from affecting other parts. In addition, the password “password” was used in 3 certificates.
  • A combination of weak passwords, lack of server layering, not responding to alerts or setting up alerts, inadequate logging and monitoring, and lack of Security Education Training and Awareness all contributed to the Sony breach.

  19. Target Hack: Timeline
  • Nov 27 – Dec 15 2013 – Data hack at Target stores exposes as many as 40 million credit- and debit-card customers to potential fraud and compromises 70 million customer records
  • Dec 18 2013 – News of the breach is reported by data and security blog KrebsOnSecurity
  • Dec 19 2013 – Target acknowledges the breach of information publicly
  • Dec 22 2013 – Traffic at Target stores takes a hit in the wake of the security breach, with transactions down by 3-4% on the last weekend of holiday shopping
  http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/

  20. Target continued – How the hack happened
  • The initial intrusion was traced back to network credentials that were stolen from a third-party vendor, Fazio Mechanical Services, a provider of HVAC systems
  • Multiple sources told Krebs that the credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from Target cash registers.
  • Two sources said the malware was Citadel, a password-stealing bot program
  • Fazio stated that its data connection to Target was exclusively for electronic billing, contract submission and project management.
  • Target did not specify which apps Fazio could access, but a former Target employee said nearly all contractors access Ariba (an external billing system), Partners Online (the project management and contract submissions portal), and Target’s Property Development Zone portal

  21. Home Depot Hack: Timeline
  • Sep 2 2014 – Home Depot became aware of a large data breach that started April 2014
    • Banks and law enforcement notified Home Depot that there were signs that their network had been compromised.
  • Sep 8 2014 – Home Depot confirmed that their payment security systems had been breached
  • Nov 25 2014 – Home Depot was hit with 44 civil lawsuits

  22. Home Depot continued – How the hack happened
  • Criminals used a 3rd party vendor’s user name and password to enter the perimeter of Home Depot’s network.
  • While the vendor credentials did not allow access to the POS, the hackers acquired elevated access rights allowing them to deploy malware on the self-checkout systems in the US and Canada
  • A source close to the investigation stated that at least some store registers had been infected with a new variant of “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards that are swiped on the infected point-of-sale system running Microsoft Windows.
  • The malware was reported as using XOR encryption, a simple symmetric cipher that is used in many applications where security is not a defined requirement, making the malware undetectable to IDS/IPS or antivirus signatures
  • Krebs also identified that the perpetrators appeared to be the same group of Russian and Ukrainian hackers that compromised Target, Sally Beauty, P.F. Chang’s, and others.
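
  Added example, not from the presentation: the single-byte XOR encoding mentioned above defeats a byte-for-byte signature, but because the key is only one byte a scanner can simply try all 256 keys and look for a known plaintext marker under each, which is the approach behind tools such as xorsearch and YARA's xor string modifier. The encoded blob, the key 0x5A and the marker strings below are constructed for illustration; the 192.0.2.0/24 address is a documentation range, not a real host.

```python
"""Added example (not from the presentation): recovering a single-byte XOR key
from a blob that hides a known plaintext marker, the detection technique behind
tools such as xorsearch. The encoded sample is constructed here; it is not a
real malware artefact."""


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def find_xor_key(blob: bytes, marker: bytes):
    """Try all 256 single-byte keys and return (key, offset) for the first key
    under which the marker appears, or None. Key 0 covers the unencoded case,
    so a plain signature match is reported as well."""
    for key in range(256):
        offset = xor_bytes(blob, key).find(marker)
        if offset != -1:
            return key, offset
    return None


def scan(blob: bytes, markers) -> dict:
    """Map each marker that is found to the (key, offset) it was found under.
    Markers that appear under no key are omitted from the result."""
    hits = {}
    for marker in markers:
        hit = find_xor_key(blob, marker)
        if hit is not None:
            hits[marker] = hit
    return hits


# Constructed sample: a configuration string an analyst might expect to find,
# encoded with the constructed key 0x5A. Key and plaintext are assumptions.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"config: upload to 192.0.2.10 every 60s"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("encoded:", SAMPLE_BLOB.hex())
    print("key/offset for marker:", find_xor_key(SAMPLE_BLOB, b"192.0.2."))
    print("scan:", scan(SAMPLE_BLOB, [b"upload", b"not-present-marker"]))
```

  The brute force is cheap because the key space is 256; a multi-byte repeating key needs frequency analysis or a longer known plaintext, and any real encryption defeats this approach entirely, which is why the slide's point about "security not being a defined requirement" cuts both ways: the cipher is trivial for the malware author and trivial for the analyst.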

  23. Equifax: Timeline
  • Mid-May to July 2017 – Criminal hackers carry out an attack and infiltration of Equifax servers.
    • The attack resulted in unauthorized access to the personal information of nearly 44% of the U.S. population
  • Sep 7 2017 – Breach publicly announced
  • Sep 8 2017 – Stock plunges 13.7%
  • Sep 12 2017 – Announcement that 2 senior computer security executives are retiring
  • Sep 15 2017 – Announcement that the CIO and CSO are retiring
  • Sep 21 2017 – Equifax admits it sent victims of the data breach to a bogus website that shared a similar address to the one it set up to help victims.
  https://www.usatoday.com/story/tech/2017/09/26/timeline-events-surrounding-equifax-data-breach/703691001/

  24. Equifax continued: How it Happened
  • Equifax confirms an Apache Struts security flaw it failed to patch is to blame for the hack
  • The cited Apache Struts flaw dates back to March, according to a public vulnerability disclosure. Patches were released for the vulnerability, suggesting that Equifax did not install the security updates.
  • According to the Center for Internet Security:
    • Successfully exploiting this vulnerability could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, attackers could install programs; view, change, or delete data; or create new accounts with full user rights.

  25. Cost of a Breach!

  26. https://www.forbes.com/sites/niallmccarthy/2018/07/13/the-average-cost-of-a-data-breach-is-highest-in-the-u-s-infographic/#9fbd1a32f373

  27. Password Emerging Trends

  28. Single Sign-On and Password Emerging Trends
  • Single sign-on is an authentication process that allows users to enter one user name and password to access multiple applications they have been given rights to.
  • Two-factor authentication requires additional factors to establish a user’s identity, such as a password and a PIN number and/or a fingerprint and/or a retina scan (in any combination)
  • Password managers that encrypt and store login information for auto login
  • Establishing complex user names, such as K$@ssEr
  • Establishing meaningful, easy-to-remember complex passwords or passphrases: t3chRock$ or $omething2about!

  29. Benefits of Complex Passwords
  • t3chRock$ – 9 characters / $omething2about! – 19 characters
  http://gizmodo.com/5753868/how-long-it-takes-hackers-to-crack-your-password

  30. Polling Question: Which of the following emerging password trends have you implemented in your organization?
  • Single Sign-On
  • Two-factor authentication
  • Password Managers
  • Complex Passwords
  • None/Don't Know

  31. Creating a Complex Password You Can Remember

  32. Benefits of Complex Passwords
  • t3chRock$ – 9 characters / $omething2about! – 19 characters
  • Write down 3 words that are meaningful to you – the more they make you smile the better
  • Begin substitution – for example:
    • Something to Smile About
    • someThing2$mile@bout?
    • Something_2-$mile%About
    • SomeTHANG2@about
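
  Added example (written for this page, not from the presentation): a Python policy checker that scores the candidate passwords from slides 28, 29 and 32 by length, character classes and a brute-force search-space estimate, and flags entries from a common-password list, the kind of check a password policy (slide 34) is enforced with. The policy thresholds (8 characters, 3 character classes) and the tiny common-password list are assumptions made for illustration.

```python
"""Added example (not from the presentation): a password policy checker that
scores the slides' candidate passwords. The policy thresholds and the short
list of common passwords are assumptions made for illustration."""
import math
import string

# Character classes and the size each adds to the brute-force alphabet.
CLASSES = {
    "lower":  (set(string.ascii_lowercase), 26),
    "upper":  (set(string.ascii_uppercase), 26),
    "digit":  (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}

# Constructed stand-in for a breached-password list; real deployments check
# against a large corpus of known-compromised passwords, not five entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def classes_used(password: str) -> set:
    """Names of the character classes that occur at least once."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space, assuming the attacker knows only
    which character classes are in use. This is an upper bound on strength:
    dictionary words and substitutions such as 3-for-e are in every cracking
    rule set, so a guesser rarely has to cover the whole space."""
    alphabet = sum(CLASSES[name][1] for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def evaluate(password: str, min_length: int = 8, min_classes: int = 3) -> dict:
    """Apply the assumed policy and explain every failure."""
    used = classes_used(password)
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(used) < min_classes:
        reasons.append(f"uses {len(used)} character classes, policy needs {min_classes}")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    return {
        "length": len(password),
        "classes": len(used),
        "bits": round(search_space_bits(password), 1),
        "meets_policy": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # The slides' own candidates plus one deliberately weak control value.
    for candidate in ["password", "t3chRock$", "someThing2$mile@bout?",
                      "Something_2-$mile%About", "SomeTHANG2@about"]:
        print(f"{candidate:26} {evaluate(candidate)}")
```

  The search-space figure is what the "how long to crack" tables behind slide 29 are built on, so the 9-character and 21-character candidates land roughly 59 and 138 bits apart on that scale; the common-password check is the part that catches the case the character-class rules miss, a compliant-looking string that is already in every attacker's word list.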

  33. Questions to keep in mind throughout our discussion
  • Where are most threats to your information assets coming from?
  • What is your network access password change policy?
  • Which IT guidance frameworks are you predominantly working with now? COSO and/or COBIT and/or ISO and/or PCI?
  • Does your company perform a periodic user access review? Are all user accounts reviewed, including B2B, generic/system, cloud apps and 3rd party vendors?
  • Does your organization have a proven system for monitoring user access activity?

  34. Are there solutions?
  • Security is a negative goal.
  • People need to be considered a part of the security design
  • End-user information security awareness training
  • A robust password policy and strict adherence to that policy
  • Establish a central point of contact to manage contractors and other 3rd party access
  • Changes to established roles are done through a change management process.

  35. Best Practices for Administrative Accounts
  • Segregate and secure administrative passwords – admin users should have a separate user account
  • Create a decoy admin account
  • Limit the number of service admin accounts
  • Separate admin and user accounts for admins
  • Assign trustworthy staff
  • Limit admin rights to only those rights needed – least privilege
  • Control the admin logon process
  • Secure admin workstations
  https://technet.microsoft.com/en-us/library/cc700835.aspx

  36. Data breaches may cost less than the security to prevent them
  • Benjamin Dean presented a hard-to-disagree-with defense of why things security-wise "ain't gonna change" soon
  • By examining the actual expenses from the Sony, Target and Home Depot breaches, the total amounts to less than 1% of each company's annual revenues
    • Target – Gross breach cost $252 million; $105 million after insurance and tax deductions, less than .01% of gross revenues
    • Home Depot – Net breach cost $28 million after a $15 million insurance reimbursement, .01% of gross revenues
    • Sony – $35 million for the fiscal year ending March 31, representing from 0.9% to 2% of Sony's total projected sales for 2014
  http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them/

  37. Additional Resources
  • Internal Revenue Service: https://www.irs.gov/pub/irs-pdf/p4557.pdf
  • https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
  • 5 Top Regulatory Compliance Concerns for Financial Services: https://www.roberthalf.com/management-resources/blog/5-top-regulatory-compliance-concerns-for-financial-services

  38. Community & Sharing
  • Join our LinkedIn group: Friggin’ Bean Counters – Accounting, Project Management and IT Professionals come together to share ideas, learn from each other, or if necessary, vent frustrations.
  https://www.linkedin.com/groups/6985169

  39. Questions?

  40. Speaker Contacts
  Karla Sasser
  Connect: www.linkedin.com/in/karlasasser
  e-mail: karla@the-virtual-cfo.com
  PHONE: (805) 328-4523
