endpoint security data at rest · 2019. 8. 2. · source: cert's "common sense guide to...

Endpoint Security Data At Rest Bryan Hadzik Network Consulting Services, inc.

Post on 29-Sep-2020

Page 1: Endpoint Security Data At Rest · 2019. 8. 2. · Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats" s n-s. ... LANDesk MOBILE GUARDIAN Enterprise

Endpoint Security

Data At Rest

Bryan Hadzik

Network Consulting Services, inc.

Page 2:

Agenda

• Look back on 2010

• Incident types

• Inside Job?

• Source of Risk

• Role of Encryption

• Some Conclusions

Page 3:

2010 – A Year In Review

• The Good

• The Bad

• And the (occasionally) Ugly

Page 4:

First, The Good News (Or Is It?)

• Some good news:

Page 5:

More Likely….

Page 6:

Incident Types: 2010

Page 7:

Incident by Vector

Page 8:

Understanding Insider Attacks: Some Definitions

• "There are two kinds of people in the world: those who divide the world into two kinds of people, and those who don't"

– Robert Benchley

Page 9:

Understanding Insider Attacks: Quantifying Attacks

• 48% of attacks involve an insider

• Source: 2010 Verizon Risk Team Data Breach Investigation Report

Page 10:

Understanding Insider Attacks: Some Definitions

Insider Risk

• Accidental

• Malicious

Page 11:

Non-Malicious

Page 12:

Understanding Insider Attacks: Non-Malicious

Page 13:

Some Stats

• 7% of all laptops are lost during their operational lifetime

Source: Ponemon Institute

Page 14:

Some Stats

• 7% of all laptops are lost during their operational lifetime

• 60% are simply misplaced

Source: Ponemon Institute

Page 15:

Examples in 2010

Page 16:

Healthcare ALONE

• 147 Breaches in 2010

Page 17:

Healthcare ALONE

• 45% involved a laptop or portable electronic device

Page 18:

Not just the BIG companies

It happens every day

Page 19:

Malicious Insiders

Page 20:

Malicious Insiders

I’ll just blend right in…

Page 21:

Malicious Insiders

• CERT identified four broad groups:

1. Sabotage (often out of a desire for revenge)

2. Attacks for financial benefit

3. Attacks for business gain

4. Attacks associated with unauthorized access but not necessarily for personal gain

Source: "Common Sense Guide to Prevention and Detection of Insider Threats"

Page 22:

Looking For Commonalities

46% of attacks – another staff member had direct knowledge of the attacker’s plans

US Secret Service/Carnegie Mellon whitepaper: "Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector"

Page 23:

Malicious Insiders

At least no-one has mentioned WikiLeaks..

Page 24:

The WikiLeak Era

Page 25:

Coming To A Board Room Near You?

Page 26:

Some Practical Steps

Page 27:

CERT’s 16 Step Program

1. CONSIDER THREATS FROM INSIDERS AND BUSINESS PARTNERS IN ENTERPRISE-WIDE RISK ASSESSMENTS

2. CLEARLY DOCUMENT AND CONSISTENTLY ENFORCE POLICIES AND CONTROLS

3. INSTITUTE PERIODIC SECURITY AWARENESS TRAINING FOR ALL EMPLOYEES

4. MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS

5. ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES

6. TRACK AND SECURE THE PHYSICAL ENVIRONMENT

7. IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES.

8. ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE

9. CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE

10. USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS

11. IMPLEMENT SYSTEM CHANGE CONTROLS

12. LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS

13. USE LAYERED DEFENSE AGAINST REMOTE ATTACKS

14. DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION

15. IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES

16. DEVELOP AN INSIDER INCIDENT RESPONSE PLAN

Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"

Page 28:

CERT’s 16 Step Program

[The same 16 steps as on Page 27, annotated on this slide with two side labels: "Technical Controls/Process" and "Non-Technical Controls/Process"]

Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"

Page 29:

Boiling That Down

• Be able to identify the causes of insider attacks

▫ Technical or process vulnerabilities

▫ Management problems

• Enforce good segregation of duties

• Watch for technical precursors (log, monitor, audit)

▫ Privilege escalations

▫ Service account use

▫ Changing access rights

• Have good processes in place for high-risk events and individuals

Page 30:

The Business Problem

Critical enterprise data resides on numerous endpoint devices — enterprises are now looking for comprehensive data protection solutions

[Diagram labels]

• Employee, Contractor, Partner

• Prospect List, Intellectual Property, Customer Credit Card Info., Social Security Numbers, Classified Information, Patient Records

• Airport, Internet Cafe, Home, Office, Site, Transit

Page 31:

How are you Keeping up with Changing Regulations?

Industry Regulations

• PCI DSS

▫ Visa Europe

• Sarbanes Oxley (SOX)

▫ EuroSOX - Directive 2006/43/EC

▫ Basel II - International Convergence of Capital Measurement and Capital Standards

US Federal Regulations

• HIPAA & The HITECH Act

• FISMA 2 (ICE)

• Data Breach Notification Act (S139)

• Data Accountability and Trust Act (HR 2221)

US State Regulations

• SB1386 (the first)

• 201 CMR 17 (one of the latest)

• NRS 603A (requires PCI DSS)

▫ >45 other State & US Jurisdiction Laws

[Device labels: CD/DVD, USB Memory Sticks, Smartphones & PDAs, Desktops, Laptops]

Page 32:

Consider: Non-Compliance Costs

Ponemon Institute estimates $243 per victim for a first time data breach in its Fourth Annual US Cost of Data Breach Study published in January 2009. Gartner estimate: $160 per account in direct charges: legal expenses, professional fees; customer notification; embedded costs of cleanup and recovery, systems – Gartner G00162711

| Company | Accounts Impacted | Estimated Breach Cost |
|---|---|---|
| Health Net | 446k | $70 - $75 Million |
| MA Secretary of Commonwealth | 139k | $22 - $25 Million |
| AMR | 79k | $10 - $15 Million |
| Lincoln Medical & Mental Health | 130k | $15 - $20 Million |
| San Jose Medical | 110k | $12 - $17 Million |
| Boeing | 382k | $60 - $65 Million |
| ING | 13k | $1.5 - $2 Million |
| Fidelity | 196k | $31 - $36 Million |
| A4e | 24k | $3 - $4 Million |

Gartner Estimates: $160/account

Ponemon Estimates: $243/account

| Country | Avg. Cost per Record (USD) | Avg. Total Cost of a breach (USD) |
|---|---|---|
| Australia | 114 | 1.83 million |
| France | 119 | 2.53 million |
| Germany | 177 | 3.44 million |
| UK | 98 | 2.57 million |
| US | 204 | 6.75 million |
| Average | 142 | 3.43 million |

Other Costs:

- Reputation

- Brand

- Innovation

- Operations

- Personal Risks

Page 33:

How Encryption Can Help

A little help here, please...

Page 34:

How Encryption Can Help: Non-Malicious Incidents

Source: Ponemon Institute: "Cost of a lost laptop"

Especially important to prevent accidental data breaches

Page 36:

Role Of Encryption

• "Technologies such as encryption can be implemented to prevent such users from reading or modifying sensitive files to which they should not have access."

Source: CERT's "Common Sense Guide to Prevention and Detection of Insider Threats"

Page 37:

Should we encrypt the entire disk?

• Everything needs to go through the encryption

• Overhead on every single read/write

• The system cannot boot up without password

• Password sync can be difficult

• NOT required for audit purposes

• NOT required for security

Page 38:

What are we encrypting with “full disk” encryption

[Pie chart "Files": segments OS, Program Files, Temp data, User Data; values shown 10%, 40%, 15%, 20% (value-to-segment mapping not preserved)]

Page 39:

What are they looking for?

Fixed drive

C:\documents and settings\username

C:\windows\system32\config\sam

C:\pagefile.sys

Removable drive

Any documents

Page 40:

Which encryption is best?

Full Disk Encryption

Complete encryption of hard disk, including boot and system files

Disadvantage:

• Encryption only on system level - no awareness of user or type of data

• Only available for Desktops and Laptops

• System administration significantly impacted

• No separation of system and security administration

• No protection against copy onto external media

File & Folder Encryption

Files and Folders specifically selected by the user are encrypted

Disadvantage:

• Security dependent on user behavior

• Temporary application files can leak information

• No central administration or key recovery

• Impossible to enforce or prove compliance

Data-Centric Encryption

• Data automatically encrypted based on policies

• Encryption awareness of users, groups, systems and data types

• System remains accessible for system administration

• Central Administration for all devices and storage media with automated key escrow for guaranteed recovery

• Automatic detection and enforced protection of external media

Page 41:

How should the protection work?

Fixed drive

• C:\documents and settings\username

▫ File level user encryption

▫ Policy based

• C:\windows\system32\config\sam

▫ Tamper protection

• C:\pagefile.sys

▫ System level encryption

Page 42:

How should the protection work?

Removable Drive

Policy based file level encryption

Only encrypt what is important

No user interaction required

Page 43:

The problem with iPads

• Top down enterprise adoption

• “New” platform

• Personal devices

Page 44:

The specs

• 256 bit AES*

• Local wipe

• Remote wipe

• VPN

• Code signing

• Passcode policies

*Not perfect

http://www.businesswire.com/news/home/20110209007321/en

Page 45:

The Challenges

• Top Down

• C-levels are the first to get the device

• Bypass normal testing and validation

• “Make it work” attitude

• Personal

• All I need to know is username/password

• Easy to discover settings even without auto discover

• Wipe

Page 46:

iOS is the target

iPhone, iPad share the same OS

Jailbreakers are doing all the work for other reasons

Most exciting new platform

Commonplace

Page 47:

Encryption?

• Rated at AES 256 bit

• Passcode does not relate to encryption

• The keychain is the key

• Email username/password

• VPN username/password

• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf

Page 48:

How to do it?

• Jailbreak

• Install ssh server

• Execute script that asks for the keychain info

• No reverse encryption necessary

• Just ask nicely

• Cannot be removed and broken, but just as easy to break on the device

• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf

Page 49:

What do we get?

• http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf

Page 50:

How to protect Data

• The hard way

• Keep the data off the device*

• VDI

• Disallow Exchange ActiveSync

• Disallow email syncing

*Not technologically difficult

Page 51:

How to protect Data

• The medium difficult way

• Allow data, but encrypt and secure access

• Insist on Exchange ActiveSync

• Create policies

• Local wipe

• Remote wipe

• Local encryption

• Keeping device current

• VDI the very sensitive data

• Remote wipe means password reset

Page 52:

LANDesk MOBILE GUARDIAN Enterprise Edition

Secure and control data across all mobile and portable endpoints

▫ Device detection and enforced provisioning across all connections

▫ Local policy enforcement ensures data protection travels with the device at all times

▫ Scalable, single point of management and control for all platforms

▫ Leverages existing infrastructure for seamless integration

[Architecture diagram. Labels: INTERNAL NETWORK, DMZ, REMOTE NETWORK, Internet, FIREWALL (three), Central Admin Console, Enterprise Server, Active Directory, Exchange Server with CMG OTA Sync Control, Existing Infrastructure, CMG Local Gatekeeper or Proxy Policy, CMG Policy Proxy, CMG Shielded Devices]

Page 53:

Primary objectives

1. Keeps your business out of the headlines and protects your brand by eliminating the need to notify customers/employees of lost or stolen data

2. Provides proof that a lost or stolen mobile device was encrypted to meet compliance requirements

3. Provides Maximum Security with Minimal Impact on operational processes and end users

Page 54:

Moving Out To The Cloud

• The Cloud makes the challenges of Insider Threat more complex:

• Increases complexity of quantifying risk

• Managing that risk

• Ensuring compliance

• Serves as a barrier to adoption of Cloud offerings

• These challenges exist for both private and public cloud infrastructures

Page 55:

Some Conclusions

• Insider incidents are often accidental

Page 56:

Some Conclusions

• In the event of an accidental disclosure, or malicious theft, encryption has been proven to reduce both risk and cost

Page 57:

Three important things to protect

• Data on the local HD

▫ Lost laptop scenario

▫ Policy based file encryption

▫ No user interaction

▫ User/system level keys

▫ Escrowed to server

• Removable media

▫ Malicious or not data removal

▫ Drive level encryption

Page 58:

Three important things to protect

• Tablets/Smart Phones

▫ Local Wipe

▫ Remote wipe (password reset)

▫ Insist on Exchange ActiveSync

Page 59:

Thank You!