endpoint security data at rest · 2019. 8. 2. · source: cert's "common sense guide to...
Endpoint Security
Data At Rest
Bryan Hadzik
Network Consulting Services, inc.
Agenda
• Look back on 2010
• Incident types
• Inside Job?
• Source of Risk
• Role of Encryption
• Some Conclusions
Agenda
• The Good
• The Bad
• And the (occasionally) Ugly
2010 – A Year In Review
• Some good news:
First, The Good News (Or Is It?)
More Likely…
Incident Types: 2010
Incident by Vector
Understanding Insider Attacks: Some Definitions
• "There are two kinds of people in the world: those who divide the world into two kinds of people, and those who don't."
– Robert Benchley
Understanding Insider Attacks: Quantifying Attacks
• 48% of attacks involve an insider
Source: 2010 Verizon Risk Team Data Breach Investigation Report
Understanding Insider Attacks: Some Definitions
(Diagram: Insider Risk splits into Accidental, Non-Malicious and Malicious)
Understanding Insider Attacks: Non-Malicious
Some Stats
• 7% of all laptops are lost during their operational lifetime
• 60% are simply misplaced
Source: Ponemon Institute
Examples in 2010
Healthcare ALONE
• 147 Breaches in 2010
• 45% involved a laptop or portable electronic device
Not just the BIG companies
It happens every day
Malicious Insiders
(Image caption: I'll just blend right in…)
Malicious Insiders
• CERT identified four broad groups:
1. Sabotage (often out of a desire for revenge)
2. Attacks for financial benefit
3. Attacks for business gain
4. Attacks associated with unauthorized access but not necessarily for personal gain
Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"
Looking For Commonalities
• 46% of attacks: another staff member had direct knowledge of the attacker's plans
Source: US Secret Service/Carnegie Mellon whitepaper: "Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector"
Malicious Insiders
(Image caption: At least no-one has mentioned WikiLeaks…)
The WikiLeak Era
Coming To A Board Room Near You?
Some Practical Steps
CERT's 16 Step Program
1. CONSIDER THREATS FROM INSIDERS AND BUSINESS PARTNERS IN ENTERPRISE-WIDE RISK ASSESSMENTS
2. CLEARLY DOCUMENT AND CONSISTENTLY ENFORCE POLICIES AND CONTROLS
3. INSTITUTE PERIODIC SECURITY AWARENESS TRAINING FOR ALL EMPLOYEES
4. MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS
5. ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES
6. TRACK AND SECURE THE PHYSICAL ENVIRONMENT
7. IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES.
8. ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE
9. CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE
10. USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS
11. IMPLEMENT SYSTEM CHANGE CONTROLS
12. LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS
13. USE LAYERED DEFENSE AGAINST REMOTE ATTACKS
14. DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION
15. IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES
16. DEVELOP AN INSIDER INCIDENT RESPONSE PLAN
Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"
(Figure: the 16 steps grouped into Technical Controls/Process and Non-Technical Controls/Process)
Boiling That Down
• Be able to identify the causes of insider attacks
▫ Technical or process vulnerabilities
▫ Management problems
• Enforce good segregation of duties
• Watch for technical precursors (log, monitor, audit)
▫ Privilege escalations
▫ Service account use
▫ Changing access rights
• Have good processes in place for high-risk events and individuals
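As an added example (not from the presentation), the three precursors listed above turned into a check over a few constructed audit lines, with a per-account tally to surface the individuals worth reviewing; the key=value log schema, the svc_ naming convention, the privileged group names and the admin allow-list are all assumptions:

```python
from collections import Counter

# Constructed sample audit lines for this example; the key=value schema is an
# assumption, not the format of any real product named in the deck.
SAMPLE_LOG = """\
2010-11-03T08:01:12 user=jsmith event=logon type=interactive host=WS-17
2010-11-03T08:05:40 user=svc_backup event=logon type=interactive host=WS-17
2010-11-03T08:06:02 user=jsmith event=priv_assigned priv=SeDebugPrivilege host=WS-17
2010-11-03T08:07:30 user=jsmith event=group_change group=Domain_Admins member=jsmith action=add host=DC-01
2010-11-03T08:09:11 user=svc_backup event=acl_change object=HR_Share action=grant_full host=FS-01
2010-11-03T08:12:45 user=svc_backup event=logon type=service host=FS-01
2010-11-03T08:15:00 user=ahelpdesk event=group_change group=Domain_Admins member=bnew action=add host=DC-01
"""

PRIVILEGED_GROUPS = {"Domain_Admins", "Administrators"}   # assumed group names
ADMIN_USERS = {"ahelpdesk"}       # accounts expected to hold elevated rights (assumed)
SERVICE_PREFIX = "svc_"           # naming convention for service accounts (assumed)

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def precursors(log_text):
    """Return (timestamp, user, reason) for each technical precursor in the log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        user, ev = e["user"], e["event"]
        # Service account use: a service identity logging on like a person.
        if ev == "logon" and e.get("type") == "interactive" and user.startswith(SERVICE_PREFIX):
            alerts.append((e["ts"], user, "service account used interactively"))
        # Privilege escalation: elevated rights landing on a non-admin account.
        elif ev == "priv_assigned" and user not in ADMIN_USERS:
            alerts.append((e["ts"], user, "privilege escalation: " + e["priv"]))
        # Changing access rights: additions to privileged groups, self-grants flagged.
        elif ev == "group_change" and e.get("group") in PRIVILEGED_GROUPS and e.get("action") == "add":
            who = "self-granted" if e.get("member") == user else "granted to " + e["member"]
            alerts.append((e["ts"], user, "privileged group membership " + who))
        elif ev == "acl_change":
            alerts.append((e["ts"], user, "access rights changed on " + e["object"]))
    return alerts

def by_user(alerts):
    """Count precursors per account to surface the high-risk individuals to review."""
    return Counter(user for _, user, _ in alerts)
```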
The Business Problem
(Diagram: who holds the data: Employee, Contractor, Partner; what it is: Prospect List, Intellectual Property, Customer Credit Card Info., Social Security Numbers, Classified Information, Patient Records; where it travels: Airport, Internet Cafe, Home, Office, Site, Transit)
Critical enterprise data resides on numerous endpoint devices: enterprises are now looking for comprehensive data protection solutions
Industry Regulations
• PCI DSS
▫ Visa Europe
• Sarbanes Oxley (SOX)
▫ EuroSOX - Directive 2006/43/EC
▫ Basel II - International Convergence of Capital Measurement and Capital Standards
US Federal Regulations
• HIPAA & The HITECH Act
• FISMA 2 (ICE)
• Data Breach Notification Act (S139)
• Data Accountability and Trust Act (HR 2221)
US State Regulations
• SB1386 (the first)
• 201 CMR 17 (one of the latest)
• NRS 603A (requires PCI DSS)
▫ >45 other State & US Jurisdiction Laws
How are you Keeping up with Changing Regulations?
(Diagram labels: CD/DVD, USB Memory Sticks, Smartphones & PDAs, Desktops, Laptops)
Ponemon Institute estimates $243 per victim for a first-time data breach in its Fourth Annual US Cost of Data Breach Study, published in January 2009. Gartner estimate: $160 per account in direct charges: legal expenses, professional fees; customer notification; embedded costs of cleanup and recovery, systems – Gartner G00162711
Consider: Non-Compliance Costs
Company | Accounts Impacted | Estimated Breach Cost
Health Net | 446k | $70 - $75 Million
MA Secretary of Commonwealth | 139k | $22 - $25 Million
AMR | 79k | $10 - $15 Million
Lincoln Medical & Mental Health | 130k | $15 - $20 Million
San Jose Medical | 110k | $12 - $17 Million
Boeing | 382k | $60 - $65 Million
ING | 13k | $1.5 - $2 Million
Fidelity | 196k | $31 - $36 Million
A4e | 24k | $3 - $4 Million
Gartner Estimates: $160/account
Ponemon Estimates: $243/account
Country | Avg. Cost per Record (USD) | Avg. Total Cost of a breach (USD)
Australia | 114 | 1.83 million
France | 119 | 2.53 million
Germany | 177 | 3.44 million
UK | 98 | 2.57 million
US | 204 | 6.75 million
Average | 142 | 3.43 million
Other Costs:
- Reputation
- Brand
- Innovation
- Operations
- Personal Risks
How Encryption Can Help
A little help here, please...
How Encryption Can Help: Non-Malicious Incidents
Especially important to prevent accidental data breaches
Source: Ponemon Institute: "Cost of a lost laptop"
Role Of Encryption
• "Technologies such as encryption can be implemented to prevent such users from reading or modifying sensitive files to which they should not have access."
Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"
Should we encrypt the entire disk?
• Everything needs to go through the encryption
• Overhead on every single read/write
• The system cannot boot up without password
• Password sync can be difficult
• NOT required for audit purposes
• NOT required for security
What are we encrypting with "full disk" encryption
(Pie chart: segments labelled 10%, 40%, 15%, 20%; categories Files, OS, Program Files, Temp data, User Data)
What are they looking for?
Fixed drive
• C:\documents and settings\username
• C:\windows\system32\config\sam
• C:\pagefile.sys
Removable drive
• Any documents
Which encryption is best?
Full Disk Encryption
Complete encryption of hard disk, including boot and system files
Disadvantage:
• Encryption only on system level - no awareness of user or type of data
• Only available for Desktops and Laptops
• System administration significantly impacted
• No separation of system and security administration
• No protection against copy onto external media
File & Folder Encryption
Files and Folders specifically selected by the user are encrypted
Disadvantage:
• Security dependent on user behavior
• Temporary application files can leak information
• No central administration or key recovery
• Impossible to enforce or prove compliance
Data-Centric Encryption
• Data automatically encrypted based on policies
• Encryption awareness of users, groups, systems and data types
• System remains accessible for system administration
• Central Administration for all devices and storage media with automated key escrow for guaranteed recovery
• Automatic detection and enforced protection of external media
How should the protection work?
Fixed drive
• C:\documents and settings\username: file level user encryption, policy based
• C:\windows\system32\config\sam: tamper protection
• C:\pagefile.sys: system level encryption
How should the protection work?
Removable Drive
• Policy based file level encryption
• Only encrypt what is important
• No user interaction required
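An added example (not from the presentation, nor from any product it mentions) of the policy the two slides above describe: each path on a fixed or removable drive is mapped to a protection class, and the "data type" awareness from the Data-Centric Encryption slide is approximated with simple card-number and social security number detectors so that removable media only gets encrypted when the file actually matters. The path rules, the detectors and the returned labels are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Data-type detectors (assumed, simplified): a Luhn-valid 16-digit number is
# taken as a payment card number, NNN-NN-NNNN as a US social security number.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum; filters most random 16-digit strings out of the PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def sensitive_types(text):
    """Return the set of regulated data types found in file content."""
    found = set()
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(text)):
        found.add("card_number")
    if SSN_RE.search(text):
        found.add("ssn")
    return found

def protection_for(path, content, removable=False):
    """Map one file to the protection class the deck describes (assumed policy)."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    if removable:
        # Removable media: only encrypt what is important, with no user interaction.
        return "file-level policy encryption" if sensitive_types(content) else "none (not important)"
    if p.name.lower() == "pagefile.sys":
        return "system-level encryption"      # swap holds whatever was in memory
    if p.name.lower() == "sam" and "config" in parts:
        return "tamper protection"             # password hashes: integrity matters
    if "documents and settings" in parts:
        return "file-level user encryption"    # per-user key, escrowed to the server
    return "none (OS/program file)"            # full-disk encryption not required here
```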
The problem with iPads
• Top down enterprise adoption
• "New" platform
• Personal devices
The specs
• 256 bit AES*
• Local wipe
• Remote wipe
• VPN
• Code signing
• Passcode policies
*Not perfect
http://www.businesswire.com/news/home/20110209007321/en
The Challenges
• Top Down
▫ C-levels are the first to get the device
▫ Bypass normal testing and validation
▫ "Make it work" attitude
• Personal
▫ All I need to know is username/password
▫ Easy to discover settings even without auto discover
• Wipe
iOS is the target
Phone, iPad share the same OS
Jailbreakers are doing all the work for other reasons
Most exciting new platform
Commonplace
Encryption?
• Rated at AES 256 bit
• Passcode does not relate to encryption
• The keychain is the key
• Email username/password
• VPN username/password
• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
How to do it?
• Jailbreak
• Install ssh server
• Execute script that asks for the keychain info
• No reverse encryption necessary
• Just ask nicely
• Cannot be removed and broken, but just as easy to break on the device
• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
What do we get?
• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf
How to protect Data
• The hard way
▫ Keep the data off the device*
▫ VDI
▫ Disallow Exchange ActiveSync
▫ Disallow email syncing
*Not technologically difficult
How to protect Data
• The medium difficult way
▫ Allow data, but encrypt and secure access
▫ Insist on Exchange ActiveSync
▫ Create policies: local wipe, remote wipe, local encryption, keeping device current
▫ VDI the very sensitive data
▫ Remote wipe means password reset
LANDesk MOBILE GUARDIAN Enterprise Edition
Secure and control data across all mobile and portable endpoints
▫ Device detection and enforced provisioning across all connections
▫ Local policy enforcement ensures data protection travels with the device at all times
▫ Scalable, single point of management and control for all platforms
▫ Leverages existing infrastructure for seamless integration
(Architecture diagram: Internal network with Enterprise Server, Central Admin Console, Active Directory and Exchange Server with CMG OTA Sync Control, marked "Existing Infrastructure"; DMZ with CMG Policy Proxy and CMG Local Gatekeeper or Proxy Policy; firewalls between internal network, DMZ and the Internet; CMG Shielded Devices on the remote network)
Primary objectives
1. Keeps your business out of the headlines and protects your brand by eliminating the need to notify customers/employees of lost or stolen data
2. Provides proof that a lost or stolen mobile device was encrypted to meet compliance requirements
3. Provides Maximum Security with Minimal Impact on operational processes and end users
Moving Out To The Cloud
• The Cloud makes the challenges of Insider Threat more complex:
▫ Increases complexity of quantifying risk
▫ Managing that risk
▫ Ensuring compliance
• Serves as a barrier to adoption of Cloud offerings
• These challenges exist for both private and public cloud infrastructures
Some Conclusions
• Insider incidents are often accidental
• In the event of an accidental disclosure, or malicious theft, encryption has been proven to reduce both risk and cost
Three important things to protect
• Data on the local HD
▫ Lost laptop scenario
▫ Policy based file encryption
▫ No user interaction
▫ User/system level keys
▫ Escrowed to server
• Removable media
▫ Malicious or not data removal
▫ Drive level encryption
• Tablets/Smart Phones
▫ Local Wipe
▫ Remote wipe (password reset)
▫ Insist on Exchange ActiveSync
Thank You!