TRANSCRIPT
Security Lessons from Verizon's Analysis of 32,002 Security Incidents
Maury Weinstein, President and Co-Founder
System Source, 410-771-5544 x4319
We hope you are enjoying your pizza! If you haven’t received your pizza, contact Mike Jones.
During the Webinar…
• Audio – in presentation mode until the end
• Control Panel: view the webinar in full screen mode
• In chat, tell us what you hope to learn today
• Feel free to submit written questions
• Evaluation just after the webinar finishes
Our Management Seminar Series
• Security Lessons from Verizon's Analysis of 32,002 Security Incidents
• IT Management - What to Retain or Outsource
• Motivating and Retaining IT Staff in the Face of Low Unemployment
• Learning from our 167,000 Completed IT Support Tickets and 19,500 Satisfaction Surveys
• Reducing Your IT Costs
• Cloud Strategy
• Evaluating Managed IT Services
• Disaster Recovery Workshop
• Building a Cost Effective and Crisis Free IT Team
The Scope of the Problem
… a lot to worry about: 12,174 new vulnerabilities last year alone, and hundreds of defenses you are told to deploy ASAP. The MITRE Common Weakness Enumeration (CWE) list catalogs 839 potential cybersecurity weaknesses. The original, fairly small MITRE ATT&CK framework now has 12 columns and 70 rows, and is still growing, showing the ways you can be compromised.
Defense-in-depth guidelines are growing too. The NIST Cybersecurity Framework, one popular guide, is 55 pages long. The SANS Top 10 controls have turned into the Center for Internet Security’s Top 20 list.
I don’t know of any field that has so many simultaneous threats…
Agenda
• Your security agenda
• Report basics
• Breach trends
• Incident classification patterns
• By industry
• Gartner’s insource/outsource recommendation
Your Security Agenda
1. Following regulatory or other external direction
• most standards treat all requirements equally
2. Seeking research-driven direction to optimize security
• maximize security at lowest cost
• no “one size fits all” approach
• preventing under-, over- and useless spending
Verizon Data Breach Investigations Report
• 81 organizations contribute world-wide, from Akamai to the US Secret Service
• Lists threats, vulnerabilities and actions leading to security incidents and data breaches
• Categorized by industry using NAICS codes
• 13th year
• North America accounts for 69% of incidents and 55% of breaches
Does the Internet get more vulnerable with each new vulnerability?
Breach Timelines
First Action in an Incident
$ Stolen by Breach Type
Does Adding a Defensive Step Reduce Breaches?
Fraud Losses
• FBI Recovery Asset Team recovered 79% of monies fraudulently transferred to domestic accounts in 2019
• Compromises require no work to cash out
• Versus stealing information or credentials which then must be sold
• Alternately, data can be used by hackers to commit fraud directly
• Fraudulent tax returns or insurance claims via money laundering or cryptocurrency
Secondary Attacks Prevalent
• 5,831 incidents where web apps were compromised to attack another victim
• Servers compromised for denial-of service (DoS) attacks or hosting malware
• Botnets responsible for 103K incidents via Trojans and malware – drowns out all other categories
• Affects Financial (33%), Information (32%) and Professional Services (34%)
Distributed Denial-of-Service (DDoS) Attacks
Denial of Service: sending junk network traffic to overwhelm systems, thereby causing their services to be denied. The system can’t handle both the incoming illegitimate traffic and the legitimate traffic.
Understanding the mitigation needed is key:
• What attack length and size do you need to resist?
• Weigh business impact vs. defense cost
Top Breach Patterns We Can Learn From (NA, 72%)
Security Patterns (NA)
• Everything Else: >50% phishing or financially motivated. Social engineering where attackers commit fraud via email – includes pretexting.
• Web Applications: the web app was the path of the attack, including cloud email (>50%).
• Misc. Errors: unintentional action directly compromising security. Delivering data to the wrong recipient for immediate loss, plus misconfiguration (unsecured database) (>50%).
Training Impact on Phish Prone Staff (52-person sample)
[Chart: Phish Prone % (y-axis 0–30%) over time; training implemented for those failing; new hires untrained]
Impact: linear cost per record moves to more statistically sound $ ranges
[Chart: ranges of expected loss by # of records]
Incident Classification Patterns
[Chart: frequency of data disclosures by incident pattern and victim industry]
Educational Services Top Breach Categories (81+%)
Educational Services (NAICS 61)
• Everything Else: phishing dominates (23% of breaches)
• Miscellaneous Errors: misdelivery of data and misconfiguration
• Web Applications: mostly stolen creds from cloud email
Top Controls – Educational Services
• Implement a Security Awareness and Training Program (CSC 17)
  • Encourage users to let you know when your organization is targeted, as an early warning system.
• Boundary Defense (CSC 12)
  • Educational Services have the largest number of days in a year—28—with credential dumps run against them. The global median is eight days.
• Secure Configuration (CSC 5, CSC 11)
  • Manage the security configuration of infrastructure, mobile devices, servers and workstations using a rigorous configuration management and change control process, preventing exploits of vulnerable services and settings.
Financial and Insurance Breach Categories (81+%)
Financial and Insurance (NAICS 52)
10s of thousands of botnet incidents analyzed separately
• Web Applications: using stolen credentials
• Miscellaneous Errors: misdelivery of information to the wrong person and misconfiguration
• Everything Else: phishing and pretexting
Top Controls – Financial and Insurance
• Implement a Security Awareness and Training Program (CSC 17)
  • Will the average user challenge a request appearing to come from someone with authority to fire them?
• Boundary Defense (CSC 12)
  • Firewalls, network monitoring, proxies and multifactor authentication
• Secure Configurations (CSC 5, CSC 11)
  • Often a system administrator fails to secure a cloud storage bucket or misconfigures firewall settings. In both Misdelivery and Misconfiguration, the motivation was overwhelmingly carelessness.
Top Healthcare Breach Categories (72-%)
Healthcare (NAICS 62)
• Miscellaneous Errors: misdelivery, e.g. J. Tinker’s discharge papers sent to J. Evers; mass mailing out of sync with envelope contents
• Web Applications: portals and other interactive surfaces
• Everything Else: phishing and pretexting
Top Controls - Healthcare
• Implement a Security Awareness and Training Program (CSC 17)
  • Identify the knowledge needed to defend the organization and a plan to identify gaps, and remediate through policy, organizational planning, training and awareness programs for all roles, prioritizing those that are mission-critical
• Boundary Defense (CSC 12)
  • Firewalls, network monitoring, proxies and multifactor authentication
• Data Protection (CSC 13)
  • Prevent and mitigate data exfiltration and ensure the privacy and integrity of sensitive information
Top Manufacturing Breach Categories (64-%)
Manufacturing (NAICS 31-33)
• Crimeware
  • Stealing IP for competitive advantage
  • Highly targeted rather than opportunistic
  • Non-internal espionage
• Web Applications: using stolen credentials to compromise enterprise web apps, including cloud email
• Privilege Misuse
  • Internal privilege abuse against databases
  • Data mishandling via personal email or cloud drives to WFH
Top Controls - Manufacturing
• Boundary Defense (CSC 12)
  • Firewalls, network monitoring, proxies and multifactor authentication
• Implement a Security Awareness and Training Program (CSC 17)
  • Identify the knowledge needed to defend the organization and a plan to identify gaps, and remediate through policy, organizational planning, training and awareness programs for all roles, prioritizing those that are mission-critical
• Data Protection (CSC 13)
  • Prevent and mitigate data exfiltration and ensure the privacy and integrity of sensitive information
Top Professional Services Breach Categories (79-%)
Professional, Technical and Scientific Services (NAICS 54)
Denial of Service and Trojan botnets removed from this data
• Web Applications: using stolen credentials from phishing
• Everything Else: phishing, often for mail compromise
• Miscellaneous Errors: misdelivery, misconfiguration and paper document loss
Top Controls – Professional, Scientific and Technical Services
• Secure Configurations (CSC 5, CSC 11)
  • Manage the security configuration of infrastructure, mobile devices, servers and workstations using a rigorous configuration management and change control process, preventing exploits of vulnerable services and settings.
• Implement a Security Awareness and Training Program (CSC 17)
  • Identify the knowledge needed to defend the organization and a plan to identify gaps, and remediate through policy, organizational planning, training and awareness programs for all roles, prioritizing those that are mission-critical
• Boundary Defense (CSC 12)
  • Firewalls, network monitoring, proxies and multifactor authentication
Top Public Administration Breach Categories (73+%)
Public Administration (NAICS 92)
• Miscellaneous Errors: misdelivery of data and misconfiguration
• Web Applications: using stolen credentials for web access
• Everything Else: phishing, including pretexting
Top Controls – Public Administration
• Implement a Security Awareness and Training Program (CSC 17)
  • Identify the knowledge needed to defend the organization and a plan to identify gaps, and remediate through policy, organizational planning, training and awareness programs for all roles, prioritizing those that are mission-critical
• Boundary Defense (CSC 12)
  • Firewalls, network monitoring, proxies and multifactor authentication
• Secure Configurations (CSC 5, CSC 11)
  • Manage the security configuration of infrastructure, mobile devices, servers and workstations using a rigorous configuration management and change control process, preventing exploits of vulnerable services and settings.
Assigning Responsibilities for Run, Grow & Transform
Outsource Run So You Can Grow & Transform
[Chart: “Run”, “Grow”, “Transform”]
Action - Staff Entrance and Exit: detailed procedures to onboard/exit staff efficiently
Employee Exit Checklist
Standard service level agreement is 2 business hours after form submission (w/o PC handling)
Employee Name:
Phone:
Location:
Exit Terms: Termination / Resignation
Exit Date/Time: Date:   Time:
Network access: remove user from all non-primary groups, hide from the global address list and:
• Change network password – Requested Password:
• Delete network account effective: (deletes mailbox 30 days after deletion)
• Disable network account effective:
• Delete Network Account on: [date]
File Retention:
• Retain Personal Network Directory
• Give access to the Personal Network Directory to:
• Retain local My Documents folder
• Move My Documents folder to:
• Give access to the My Documents folder to:
Mailbox Handling:
• Retain existing mailbox (available only if account is not deleted)
• Allow Inbox to receive email
• Give mailbox proxy rights to:
• Forward new email to:
• Create out of office reply to alert senders with the following message:
  Use Default (messages will be forwarded for one year from departure):
  “Your email has been forwarded to ____ for attention. For immediate assistance please contact ____ at ____ or email ____. Thanks”
  Alternate message:
• Save the mailbox as a static file (.pst) to:
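The exit checklist above is a form, and the risk it manages is the window between a departure and the moment every access path is closed. As an added example (not System Source's own script and not part of the deck), the PowerShell function below automates the checklist's steps in the order a defender wants them: credentials invalidated first, account disabled, group memberships stripped, mailbox hidden, forwarded and delegated, optional PST export, and delegate access to the home directory. It assumes an on-premises Active Directory domain with the ActiveDirectory module loaded and an open Exchange management session (on-premises Exchange Management Shell or the ExchangeOnlineManagement module). The function and parameter names, the 30-day and one-year windows, and the sample values in the final call are illustrative.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not System Source's own script: automates the Employee Exit Checklist for an
# on-premises AD domain whose users have Exchange mailboxes. Assumes an Exchange management
# session is already open and the caller holds the rights each cmdlet needs. Names and windows
# are illustrative.

function Invoke-EmployeeExit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,         # departing employee
        [Parameter(Mandatory)] [string] $DelegateSamAccountName, # receives mailbox/folder access
        [Parameter(Mandatory)] [string] $ContactName,            # named in the out-of-office reply
        [Parameter(Mandatory)] [string] $ContactPhone,
        [Parameter(Mandatory)] [string] $ContactEmail,
        [datetime] $ExitTime = (Get-Date),
        [int] $ForwardDays = 365,      # "forwarded for one year from departure"
        [int] $DeleteAfterDays = 30,   # deletion is recorded here, carried out later
        [string] $PstPath              # optional static .pst copy (on-premises Exchange only)
    )

    $user     = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup, HomeDirectory
    $delegate = Get-ADUser -Identity $DelegateSamAccountName

    # 1. Network access. Change the password first so cached or shared credentials stop working,
    #    then disable rather than delete: a disabled account can be restored if the exit was
    #    premature, a deleted one cannot. The deletion date is recorded for a later scheduled job.
    $alphabet    = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*'
    $newPassword = -join (1..24 | ForEach-Object { $alphabet | Get-Random })
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password, disable account, record deletion date')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description ('Exited {0:yyyy-MM-dd HH:mm}; delete after {1:yyyy-MM-dd}' -f $ExitTime, $ExitTime.AddDays($DeleteAfterDays))
    }

    # 2. Remove the user from all non-primary groups. AD refuses to remove the primary group
    #    (usually Domain Users) and MemberOf normally omits it, so the comparison is a guard.
    foreach ($groupDn in $user.MemberOf) {
        if ($groupDn -ne $user.PrimaryGroup -and $PSCmdlet.ShouldProcess($groupDn, "Remove $SamAccountName")) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }

    # 3. Mailbox handling: hide from the global address list, keep the inbox receiving mail,
    #    forward new mail to the delegate and grant the delegate full access (proxy rights).
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Hide from GAL, forward mail, grant delegate access')) {
        Set-Mailbox -Identity $SamAccountName -HiddenFromAddressListsEnabled $true `
            -ForwardingAddress $delegate.UserPrincipalName -DeliverToMailboxAndForward $true
        Add-MailboxPermission -Identity $SamAccountName -User $DelegateSamAccountName `
            -AccessRights FullAccess -AutoMapping $false | Out-Null

        # Out-of-office text from the checklist's default message, scheduled so it switches
        # itself off when the forwarding window ends.
        $reply = "Your email has been forwarded to $($delegate.Name) for attention. " +
                 "For immediate assistance please contact $ContactName at $ContactPhone or email $ContactEmail. Thanks"
        Set-MailboxAutoReplyConfiguration -Identity $SamAccountName -AutoReplyState Scheduled `
            -StartTime $ExitTime -EndTime $ExitTime.AddDays($ForwardDays) `
            -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All
    }

    # 4. Optional static copy of the mailbox (New-MailboxExportRequest exists on-premises only).
    if ($PstPath -and $PSCmdlet.ShouldProcess($PstPath, 'Export mailbox to PST')) {
        New-MailboxExportRequest -Mailbox $SamAccountName -FilePath $PstPath | Out-Null
    }

    # 5. File retention: keep the personal network directory and give the delegate read access.
    if ($user.HomeDirectory -and $PSCmdlet.ShouldProcess($user.HomeDirectory, "Grant read access to $DelegateSamAccountName")) {
        $domain = (Get-ADDomain).NetBIOSName
        & icacls $user.HomeDirectory /grant "${domain}\$($DelegateSamAccountName):(OI)(CI)R" /T | Out-Null
    }

    # Record for the ticket; the new password is deliberately neither returned nor logged.
    [pscustomobject]@{
        User          = $SamAccountName
        Disabled      = $true
        GroupsRemoved = @($user.MemberOf).Count
        ForwardedTo   = $delegate.UserPrincipalName
        DeleteAfter   = $ExitTime.AddDays($DeleteAfterDays).ToString('yyyy-MM-dd')
    }
}

# Constructed sample call; -WhatIf prints the planned actions without changing anything.
Invoke-EmployeeExit -SamAccountName 'jdoe' -DelegateSamAccountName 'mgrsmith' `
    -ContactName 'M. Smith' -ContactPhone '410-555-0100' -ContactEmail 'msmith@example.com' -WhatIf
```

Run it once with -WhatIf against a test account to confirm the module and Exchange session are both present; every mutating step honours ShouldProcess, so the dry run lists exactly what would change. The order matters: resetting the password before disabling the account closes sessions that rely on cached credentials, and recording rather than performing the deletion keeps the 30-day mailbox retention the checklist calls for.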
Action - Performance Reporting: a 35% score before onboarding increases to 94% with attention
Security Posture Quick Glance
Criteria and System Source Standards
Authentication Protection
• Password policy: password standard checked Q1
• Password Protection: enabled
• Dual-factor authentication for O365: enabled
• Dual-factor authentication for VPN: enabled
• Next-generation passwords: NIST Password Standard 800-63
• IMAP/POP/SMTP removal: remove legacy IMAP/POP protocols
• Risky login alerts: near-real-time Office 365 breach alerting
• Turn off external auto-forwarding for email: reduce data leaks
• Single Sign-On: single password for multiple web applications
• Service account ad hoc login removal: turn off ad hoc login for privileged service accounts
• Run and review ORCA report: run twice yearly with remediation
Intrusion Protection
• Anti-virus standard: using a supported version of Symantec SESE, SESC or SEP
• Update Microsoft software on servers and workstations: Microsoft Windows, application and Office updates
• Patch policy: patch standard checked annually
• Upgrade Microsoft Windows and Office: keep up to date with Microsoft build versions
• Upgrade/update select non-Microsoft applications: upgrade/update 3rd-party software from a select list
• Eliminate mobile phone access to non-guest networks: remove mobile devices from the corporate network
• Intrusion protection: enable the firewall intrusion protection feature
• DDoS protection: denial of service protection for data centers
• Firewall review and improvement recommendations: review configuration, age and updates
• External vulnerability scan: run twice yearly with remediation
• Active Directory security scans: scan out-of-date Active Directory entries for client resolution
• Exit process: employee exit procedure update - review Q2 yearly
• Disappear from business social media: remove accounting and HR from LinkedIn
• Internal vulnerability scan: check vulnerabilities within the firewall
• Penetration testing: testing defenses by attempting penetration
Protection of Clients & Partners
• Outbound email filtering: outbound email filtering standard
Increase Staff Productivity
• Spam filtering: email filter standard
• Entrance process: employee onboarding procedure - review Q2 yearly
• IT orientation documentation: IT orientation documentation for new employees - reminder Q2 yearly
• Self-service passwords: ManageEngine installed
Protection of Staff Against Bad Security Choices
• Phishing test: baseline = 27.4%, client score = 25%, goal = 1.6%
• Phishing tests, ongoing with end-user training: purchase KnowBe4 standard
• Phishing targeting for accounting staff, HR and/or key roles: in addition to regular phishing, targeted phishing for accounting and HR staff
• Flagging outside email as "external": add an "external" tag to mail arriving from outside to alert sensitive staff to email risks
• Filtering inbound email for fraudulent attributes and links: scanning inbound email with machine learning to reduce pretexting and fraud
• DNS filtering within the firewall: reduce security risks associated with malicious web requests
• DNS filtering for workstations outside of the firewall: reduce security risks associated with malicious web requests outside the firewall
• Email security incident recovery protocol: protocol for handling email security incidents - review Q1 annually
• Disable email from your domain received from the outside: block emails purportedly from your domain but received from outside the domain
Regulatory and Security Obligations
• Review Microsoft Windows Server log sizing and retention: adequate sizing determined by audit needs - review Q1 annually
Company Asset Protection
• Email encryption: using a supported version of Zix, McAfee, ShareFile or Office 365
• Disk encryption for secure workstations: BitLocker installation for Windows 10 workstations
• Data Loss Prevention: reduce data leakage from Office 365
• Mobile Device Management: management of iOS and Android devices
Legend
• Meets or Exceeds Standard
• Caution, Unknown or Needs Discussion: yellow lights indicate risk assumed by the organization
• Does Not Meet Standard: red lights indicate risk assumed by the organization
• Not Applicable
This is a best-effort glance based on covered products managed by System Source managed services.
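Four rows of the glance above are tenant settings rather than products or procedures: legacy IMAP/POP/SMTP removal, turning off external auto-forwarding, flagging outside email as "external", and blocking mail that claims to be from your own domain but arrives from outside. As an added example (not System Source's tooling and not part of the deck), the script below applies those four rows to an Exchange Online tenant and then reads them back as a summary a reviewer can check each quarter. It assumes the ExchangeOnlineManagement module and an account permitted to manage the tenant; the domain name, the transport-rule names and the trusted sender IP range are placeholders to replace with your own values.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not System Source's tooling: applies four rows of the Security Posture Quick
# Glance to an Exchange Online tenant and reports whether they are in place. The domain, rule
# names and the trusted sender range below are placeholders.

param(
    [string]   $Domain              = 'example.com',       # placeholder: one of your accepted domains
    [string[]] $TrustedSenderRanges = @('203.0.113.0/24')  # placeholder: a service that legitimately sends as $Domain
)

Connect-ExchangeOnline -ShowBanner:$false

function Set-MailPosture {
    # IMAP/POP/SMTP removal: switch legacy protocols off for every existing mailbox and for the
    # plan new mailboxes inherit, so the baseline does not drift back as staff are onboarded.
    Get-CASMailbox -ResultSize Unlimited |
        Set-CASMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    # Turn off external auto-forwarding at the remote-domain level and in the outbound spam
    # policy; both must agree, or a forwarding rule set from a compromised mailbox still leaks data.
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

    # Flag outside email as "external": Outlook's native tag plus a subject prefix for clients
    # that do not render the tag.
    Set-ExternalInOutlook -Enabled $true
    if (-not (Get-TransportRule -Identity 'Tag external senders' -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name 'Tag external senders' -FromScope NotInOrganization -SentToScope InOrganization `
            -PrependSubject '[EXTERNAL] ' -Priority 1 | Out-Null
    }

    # Disable email from your domain received from the outside: reject mail whose sender claims
    # $Domain but entered from outside the organization, except from services known to send on its behalf.
    if (-not (Get-TransportRule -Identity 'Reject spoofed own domain' -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name 'Reject spoofed own domain' -FromScope NotInOrganization -SenderDomainIs $Domain `
            -ExceptIfSenderIpRanges $TrustedSenderRanges `
            -RejectMessageReasonText "Mail from $Domain must originate from its authorized mail servers." `
            -Priority 0 | Out-Null
    }
}

function Get-MailPostureSummary {
    # Read-only check for the periodic review: each field maps to one row of the glance.
    $legacy = Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled -or $_.PopEnabled }
    [pscustomobject]@{
        MailboxesWithImapOrPop     = @($legacy).Count                                                   # want 0
        RemoteDomainAutoForward    = (Get-RemoteDomain -Identity Default).AutoForwardEnabled            # want False
        OutboundAutoForwardingMode = (Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode  # want Off
        ExternalTagEnabled         = [bool](Get-ExternalInOutlook | Where-Object Enabled)               # want True
        ExternalSubjectRule        = [bool](Get-TransportRule -Identity 'Tag external senders' -ErrorAction SilentlyContinue)
        SpoofedOwnDomainRule       = [bool](Get-TransportRule -Identity 'Reject spoofed own domain' -ErrorAction SilentlyContinue)
    }
}

Set-MailPosture
Get-MailPostureSummary | Format-List
```

The exception list on the reject rule is the part that needs thought: any third-party service that sends as your domain (a marketing or ticketing platform, for instance) must be listed, otherwise its mail is refused. The rule protects your own users from spoofed internal senders; publishing SPF, DKIM and DMARC records for the domain covers the same gap for recipients outside the organization.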