Cyber Security. Munish Verma, Ron Verhaalen, Ernst & Young LLP. April 7, 2014.


Presentation Transcript


  1. Cyber Security. Munish Verma, Ron Verhaalen, Ernst & Young LLP. April 7, 2014

  2. EY Services. At EY, our Advisory services for information security and privacy focus on your specific business needs and issues, because we recognize that every need and issue is unique. The table below outlines the areas in which we can help your organization manage its security and privacy risks.

  3. Introductions
     • Munish Verma is a senior in the Advisory Services practice with Ernst & Young. He has over 7 years of information technology experience and 5 years of internal audit and consulting experience. Throughout his career, Munish has performed data privacy and integrity assessments and IT security, risk and controls consulting. He has provided these services for clients in a range of industries, including financial, retail, healthcare, biotech and manufacturing.
     • Ron Verhaalen is a Senior Manager in the Advisory Services group with Ernst & Young LLP. Throughout his career, Ron has led teams performing security configuration, data loss prevention, and attack and penetration engagements. He has more than 12 years of experience in IT security, risk and controls consulting and is a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).

  4. Agenda

  5. Evolution of Cyber Security Risk

  6. Types of Attackers
     • Unsophisticated attackers (script kiddies): you are attacked because you are on the internet and have a vulnerability
     • Sophisticated attackers (hackers): you are attacked because you are on the internet and have information of value
     • Corporate espionage (malicious insiders): your current or former employee seeks financial gain from stealing/selling your IP
     • Organized crime (criminal gangs): you are attacked because you have money or something else of value that can be sold
     • State sponsored attacks / Advanced Persistent Threat (APT): you are targeted because of who you are, what you do, or the value of your intellectual property
     Attacker motivations by type (the slide arranges these along an axis of attacker resources and sophistication, APT at the top):
     • APT: state sponsored espionage, market manipulation, competitive advantage, military/political objectives
     • Criminal gangs: cash, credit cards, identities, inside information
     • Malicious insiders: revenge, personal gain, stock price manipulation
     • Hackers: money, embarrassment, political/social/environmental causes
     • Script kiddies: amusement/experimentation/nuisance/notoriety
     Timeline of notable malware and events, 1980s/1990s to 2013: BrainBoot/Morris Worm, polymorphic viruses, Michelangelo, Concept Macro Virus, Melissa, “I Love You”, Anna Kournikova, Sircam, Code Red and Nimda, SQL Slammer, Blaster, Fizzer, MyDoom, NetSky, Sasser, Zeus, Koobface, Conficker, Aurora, Poison Ivy, agent.btz, Stuxnet, WikiLeaks, Anonymous, SpyEye, Duqu, Flame

  7. Advanced Persistent Threat Imperative

  8. The Advanced Persistent Threat imperative: we must have a new strategy
     • Given the nature of the APT, there is a high likelihood of success over time if they target you – take “prevent” out of the dictionary
     • Complicate
       • Assess what you are doing to make it difficult for an attacker to be successful
     • Detect
       • Logging, monitoring and alerting
       • Infrastructure wide – with strong governance
       • Security Operations Center (SOC)
       • Deploy enterprise forensics tools before an incident
       • Capture data and support post-incident analysis
     • Respond
       • Cybersecurity Response program
       • Defined, documented and practiced
     • Educate/Govern
       • Change the corporate culture, or culture will eat your strategy
       • The “user” is the target – they are also the first line of defense
       • Educate them on cyber risk
       • Establish a strong Threat and Vulnerability Management program fed by threat intelligence
       • Without strong governance, change will not occur

  9. Governance, Risk Assessment, Security Program life cycle

  10. Govern. Without a governance structure, your ability to effectively manage the security program will be limited. Governance may and will look different for every organization: not all companies will have the same stakeholders and/or the same reporting structures, and different risk profiles will affect strategic reporting relationships. A solid, agreed-upon structure to manage the security program is key. What does yours look like…?

  11. Organizational Example: does this look familiar? Reporting chain: Board of Directors, CEO, CFO, CIO, CSO; InfoSec Management Committee

  12. Organizational Example: does this look any better? Reporting chain: Board of Directors, CEO, CIO, CSO; InfoSec Management Committee

  13. Risk Assessment
     • Threat intelligence
       • Understand (current, upcoming)
       • Internally or vendor supported
     • Business priorities
       • Understand your critical data assets
     • Legal responsibilities
     • External impacts
     • Risk tolerance
       • Updated for appropriateness
       • Approved

  14. Complicate: Overview
     “If sophisticated and well-funded attackers target a specific environment, they will get in. In this rapidly evolving threat landscape, information security professionals need to adopt the mindset that their network is already compromised or soon will be.” – James Holley, Leader for Ernst & Young LLP
     • Companies must smartly deploy technologies and configure technical controls that complicate hackers’ attempts to steal data.
     • Assume breaches will occur – improve the processes that complicate.
     • Attacks will occur regardless of your prevent strategy, so we must complicate and not assume that prevention alone will be effective.
     • You need to take “prevent” out of your dictionary so you can be better prepared for security events.

  15. Complicate: Apply Controls
     • Data classification
     • Least privilege
     • Configuration management
     • Privileged access reviews!

  16. Complicate: Apply Technology
     • VPN devices
     • IPS/IDS
     • Firewalls
     • Encrypt all data
     • Incorporate least privilege principle policies
     • Sensitive data segregation
     • Activation of data loss prevention (DLP) capabilities
     • Upgrade your perimeter and network-based security

  17. Detect: Overview
     “There are no universal solutions to prevent being infiltrated.” – James Holley, Leader for Ernst & Young LLP
     • Regardless of how many preventive/complicate methods are employed, businesses will likely still become crime victims!
     • Detection mechanisms need to be in place to detect intrusions
     • Detection logs are needed to conduct forensic analysis across the enterprise
     • Ability to sweep the enterprise for “indicators of compromise”
     • Ability to inspect memory to detect malicious code

  18. Detect: Apply
     • IDS
     • Establish continuous monitoring programs
     • Automatically scan all incoming emails for viruses and alert you if they contain them
     • Regular examination of network logs, which allows suspect programs to be found
     • Port scanning

  19. Respond: Overview
     • A cyber security incident response program should be documented, approved, communicated and followed.
     • In the overall program, consider incident types, data loss risk, response times, legal obligations, compliance…
     • Continuous improvement of your overall process is key: periodically test the process and update policies as applicable.

  20. Respond: Apply Concepts
     Some key response concepts to consider:
     • Initial assessment
     • Notification
     • Containment
     • Impact evaluation
     • Forensic evidence handling
     • Recovery
     • Appropriate disclosure to external parties
     • Damage/cost assessment
     • Root cause identification, control updates
     • Documentation of the incident

  21. Educate: Overview. Security is not just an IT risk, it is a business risk and should have visibility company wide. If you do not continuously educate ALL stakeholders, your security and business risk exposure will increase. To keep your program up to date, you must stay current on emerging threats and apply them at all levels in your program.

  22. Educate: Apply Concepts
     Some key educate concepts to consider:
     • Basics – awareness, education
     • Role-centric security awareness program
     • Emerging threats
     • Security intelligence services
     • Thought leadership

  23. What are others doing?

  24. What are others doing? Complicate, detect, respond, educate, govern
     Attack phase: get in and establish a foothold
     Complicate:
     • Educate users on social engineering techniques
     • Perform self-phishing tests to monitor effectiveness
     • Reduce users with local administrator privileges and maintain visibility for exceptions
     • Reduce internet access points
     • Block uncategorized websites
     • Improve patch and configuration management policies, processes and compliance monitoring
     • Enable user-based authentication for internet access (authenticated proxy)
     • Filter email attachments and disable links from external sources
     Detect and respond:
     • Deploy technologies at all internet points of presence and monitor all packets (full packet inspection versus logging until something matches a signature)
     • Deploy host-based detection technologies on all workstations and servers
     Attack phase: conduct enterprise reconnaissance
     Complicate:
     • Restrict anonymous connections
     • Lock down “open shares”

  25. What are others doing? Complicate, detect, respond, educate, govern
     Attack phase: move laterally and escalate privileges
     Complicate:
     • Disable LanMan authentication and remove LanMan hashes
     • Reduce cached credentials
     • Monitor for and change default credentials
     • Use application whitelisting on high-risk servers (DMZ, DC, messaging, data repositories, etc.)
     • Enable password vaulting for local administrator accounts and other accounts with elevated privileges
     • Remove stale accounts
     • Rationalize and minimize privileges of service/application accounts
     • Review/rationalize administrator privileges on workstations and servers
     • Put in place multifactor authentication (smart card) for domain admins
     Detect and respond:
     • Configure host-based IDS (e.g., SEP) to log and alert on potential malicious use of utilities
     • Increase IR capability and establish a team dedicated to APT threat monitoring, detection and response
     • Implement comprehensive, consolidated logs (DNS, DHCP, AV, IDS, VPN, firewall, proxy, Windows events, etc.) with efficient search capabilities
     • Detect and alert on attempts to access the internet using domain admin accounts
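Slide 24 recommends an authenticated proxy and slide 25 recommends alerting when domain admin accounts reach the internet; the two fit together because the proxy log then carries the user identity that the alert needs. The script below is an added illustration, not code from the deck or from EY: it parses constructed Squid-style access log lines, flags requests made by accounts in an assumed Domain Admins list, and flags requests the proxy served without any authenticated user (the account list and log lines are constructed for the example).

```python
import re
from dataclasses import dataclass

# Constructed list of privileged accounts (assumption: DOMAIN\sAMAccountName form);
# in practice populate it from the Domain Admins group in Active Directory.
DOMAIN_ADMINS = {"corp\\da-jsmith", "corp\\da-backup"}

# Squid native access.log: time elapsed client code/status bytes method URL user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s"
)

@dataclass
class Finding:
    kind: str
    user: str
    client: str
    url: str

def parse_line(line: str):
    """Return the parsed fields of one access.log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines) -> list:
    """Flag domain-admin internet use and requests served without a user identity."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["user"].lower()
        if user in DOMAIN_ADMINS:
            findings.append(Finding("domain_admin_internet", user, rec["client"], rec["url"]))
        elif user == "-" and not rec["status"].startswith("TCP_DENIED"):
            # A 407 challenge with no user is normal; a served request with no user is not
            findings.append(Finding("served_unauthenticated", user, rec["client"], rec["url"]))
    return findings

# Constructed sample lines in Squid's native format, not a real log.
SAMPLE_LOG = [
    "1396857600.101    120 10.1.2.3 TCP_MISS/200 4321 GET http://news.example.com/ corp\\jdoe HIER_DIRECT/203.0.113.10 text/html",
    "1396857601.202    300 10.1.2.9 TCP_MISS/200 9876 GET http://files.example.net/tool.exe CORP\\da-jsmith HIER_DIRECT/203.0.113.11 application/octet-stream",
    "1396857602.303     50 10.1.2.15 TCP_DENIED/407 0 GET http://example.org/ - HIER_NONE/- text/html",
    "1396857603.404    210 10.1.2.15 TCP_MISS/200 7777 GET http://example.org/ - HIER_DIRECT/203.0.113.12 text/html",
    "not a log line",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.kind, f.user, f.client, f.url)
```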

  26. What are others doing? Complicate, detect, respond, educate, govern
     Attack phase: steal data from victim systems
     Complicate:
     • Disable webmail or use multifactor authentication after VPN
     • Perform a sensitive/high-value information asset inventory to:
       • Identify high-risk users for special training
       • Identify critical applications and data repositories (systems) to harden/apply more advanced controls (e.g., secure zones, application whitelisting)
     • Use DLP to discover copies of high-value/sensitive information in unauthorized locations
     • Prevent internet and email access for domain admin accounts
     • Restrict FTP connections (i.e., no FTP to anywhere)
       • Only allow FTP to certain IP addresses of business partners that require the service
       • Disable and replace with a secure file transfer system
       • Allow only certain users FTP permission (e.g., create an FTP group in Active Directory)
     Detect and respond:
     • Log and alert on RAR files leaving the network (e.g., using DLP)
     • Log and alert on a larger volume of data leaving the network over a session than came in
     • Log and alert on traffic over port 443 that is not compliant with the SSL specification
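The three "detect and respond" items on slide 26 are all session-level checks, and the script below shows them as working detection logic. It is an added example, not code from the deck or from EY; it runs over constructed session records (byte counts plus a sample of the client-sent payload) and applies the slide's three rules: non-TLS traffic on port 443, more data leaving a session than entering it, and a RAR archive signature in outbound data. The minimum-size noise floor and the session record shape are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed thresholds; tune to the environment (assumptions, not from the deck).
MIN_OUT_BYTES = 10_000_000            # ignore small sessions to keep noise down
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSL 3.0 .. TLS 1.2
RAR_MAGIC = b"Rar!\x1a\x07"           # signature shared by RAR4 and RAR5 archives

@dataclass
class Session:
    src: str
    dst: str
    dport: int
    bytes_in: int          # server -> client
    bytes_out: int         # client -> server
    client_payload: bytes  # captured sample of client-sent payload (constructed)

def looks_like_tls(payload: bytes) -> bool:
    """First client record should be a TLS handshake: type 0x16 plus a known version."""
    if len(payload) < 3 or payload[0] != 0x16:
        return False
    return int.from_bytes(payload[1:3], "big") in TLS_RECORD_VERSIONS

def check_session(s: Session) -> list:
    """Return the alert names triggered by one session (empty list if benign)."""
    alerts = []
    if s.dport == 443 and not looks_like_tls(s.client_payload):
        alerts.append("non_tls_on_443")        # something other than SSL/TLS on the HTTPS port
    if s.bytes_out > s.bytes_in and s.bytes_out >= MIN_OUT_BYTES:
        alerts.append("outbound_volume")       # more left the network than came in
    if RAR_MAGIC in s.client_payload:
        alerts.append("rar_upload")            # archive leaving the network
    return alerts

# Constructed sessions, not real traffic.
SAMPLE_SESSIONS = [
    Session("10.1.2.3", "203.0.113.10", 443, 150_000, 8_000,
            b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # ordinary TLS ClientHello
    Session("10.1.2.9", "203.0.113.11", 443, 2_000, 500,
            b"GET / HTTP/1.1\r\nHost: 203.0.113.11\r\n\r\n"),    # plaintext HTTP on 443
    Session("10.1.2.15", "203.0.113.12", 80, 1_200, 52_000_000,
            b"POST /up HTTP/1.1\r\nContent-Length: 51999000\r\n\r\nRar!\x1a\x07\x01\x00"),
]

def scan(sessions) -> dict:
    """Map 'src->dst:port' to its alert list, only for sessions that alerted."""
    return {f"{s.src}->{s.dst}:{s.dport}": a for s in sessions if (a := check_session(s))}

if __name__ == "__main__":
    for key, alerts in scan(SAMPLE_SESSIONS).items():
        print(key, ", ".join(alerts))
```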

  27. Questions?
