Five “Quick Wins” from Verizon’s 2013 Data Breach Investigations Report (DBIR) OR… “HOW TO AVOID PARTICIPATING IN THE 2014 REPORT…”

Upload: tripwire

Posted: 27-May-2015

DESCRIPTION

It’s that time of year again: the new 2013 IT security reports (trends, breach investigations, and more, covering 2012 data) from Verizon, Symantec, Ponemon, Mandiant, PwC (focused on Europe) and others have been published. In the interest of those of us with short attention spans, in this post I’ll focus on Verizon’s 2013 Data Breach Investigations Report™ (DBIR). Here are five “Quick Wins” (in SANS 20 Critical Security Controls (CSC) parlance) that CISOs/CIOs and their teams can take today to help avoid becoming a participant in the 2014 IT security reports.

TRANSCRIPT

Page 1: Five Quick Wins from Verizon’s 2013 Data Breach Investigations Report

Five “Quick Wins” from Verizon’s 2013 Data Breach Investigations Report (DBIR)

OR… “HOW TO AVOID PARTICIPATING IN THE 2014 REPORT…”

Page 2

MAY, 2013

5 “QUICK WINS” FROM VERIZON’S 2013 DATA BREACH INVESTIGATIONS REPORT (DBIR) OR… “HOW TO AVOID PARTICIPATING IN THE 2014 REPORT…”

Page 3

“Verizon has been producing the Data Breach Investigations Report (DBIR) since 2008. This year its analysis covers more than 47,000 security incidents. Its scale is unparalleled.”

http://www.verizonenterprise.com/DBIR/2013/

Page 4: Quick Win #1 – Address Credentials, Admin Privileges, and Password Hygiene

• The most significant short-term action area
• Applies to over three-quarters of the breaches investigated

Page 5: Quick Win #1 – Hardening Credentials, Admin Privileges, and Password Hygiene: Suggestions for CISOs

Your team should be able to tell you, with substantive evidence, the following:
• What is your password policy, and how compliant are you with it?
  • Provide current metrics
  • Demonstrate trends
• How many employees are there, and what is the rate of change?
• No perpetual accounts; hardened admin passwords
  • Any unused or inactive accounts?
• Trouble-ticket statistics on the password service
• HR interlink for hired and departing employees
• Consider employee security skills and awareness training
• Assure you have the highest level of executive support
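The checklist above asks the team for evidence rather than assurances. The script below is an added example (not from the Tripwire deck or the DBIR) of producing that evidence from a directory export: it flags enabled accounts whose password never expires, accounts with no logon in 90 days, enabled accounts that HR no longer lists (the “HR interlink”), and privileged accounts with old passwords, then reduces them to the metrics a CISO can track month over month. The account records, HR roster, field names and 90-day thresholds are constructed assumptions; in a Windows environment the same facts come from Get-ADUser and Search-ADAccount -AccountInactive.

```python
"""Evidence for Quick Win #1: which enabled accounts violate the hygiene checks?

Added example; not part of the Tripwire deck or the DBIR. The directory export,
HR roster and field names below are constructed assumptions standing in for an
AD/LDAP export and an HR feed.
"""
from datetime import datetime

AS_OF = datetime(2013, 5, 15)          # assumed audit date
INACTIVE_DAYS = 90                     # assumed policy: no logon in 90 days = inactive
MAX_ADMIN_PASSWORD_AGE_DAYS = 90       # assumed policy for privileged accounts

# Constructed directory export: one record per account (field names are assumptions).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": False,
     "last_logon": datetime(2013, 5, 14), "pwd_never_expires": False, "pwd_last_set": datetime(2013, 4, 1)},
    {"user": "bob", "enabled": True, "admin": True,
     "last_logon": datetime(2013, 5, 13), "pwd_never_expires": True, "pwd_last_set": datetime(2011, 1, 10)},
    {"user": "carol", "enabled": True, "admin": False,
     "last_logon": datetime(2012, 11, 2), "pwd_never_expires": False, "pwd_last_set": datetime(2012, 10, 1)},
    {"user": "dave", "enabled": True, "admin": False,
     "last_logon": datetime(2013, 5, 10), "pwd_never_expires": False, "pwd_last_set": datetime(2013, 3, 1)},
    {"user": "svc_backup", "enabled": True, "admin": True,
     "last_logon": None, "pwd_never_expires": True, "pwd_last_set": datetime(2010, 6, 1)},
    {"user": "erin", "enabled": False, "admin": False,
     "last_logon": datetime(2012, 1, 5), "pwd_never_expires": False, "pwd_last_set": datetime(2011, 12, 1)},
]
# Constructed HR roster of current employees (the "HR interlink"); dave has left.
HR_ACTIVE = {"alice", "bob", "carol"}
# Constructed list of known service accounts, which have no HR record by design.
SERVICE_ACCOUNTS = {"svc_backup"}


def audit_accounts(accounts, hr_active, service_accounts, as_of=AS_OF):
    """Return the enabled accounts failing each check; disabled accounts are skipped."""
    findings = {"perpetual_password": [], "inactive": [], "orphaned": [], "stale_admin_password": []}
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["pwd_never_expires"]:                      # "no perpetual accounts"
            findings["perpetual_password"].append(a["user"])
        if a["last_logon"] is None or (as_of - a["last_logon"]).days > INACTIVE_DAYS:
            findings["inactive"].append(a["user"])      # "any unused/inactive?"
        if a["user"] not in hr_active and a["user"] not in service_accounts:
            findings["orphaned"].append(a["user"])      # enabled, but HR says departed or unknown
        if a["admin"] and (as_of - a["pwd_last_set"]).days > MAX_ADMIN_PASSWORD_AGE_DAYS:
            findings["stale_admin_password"].append(a["user"])   # "hardened admin passwords"
    return findings


def hygiene_metrics(accounts, findings):
    """The 'current metrics' a CISO can ask for; run monthly to demonstrate the trend."""
    enabled = [a for a in accounts if a["enabled"]]
    flagged = set().union(*findings.values())
    clean = len(enabled) - len(flagged)
    return {
        "enabled_accounts": len(enabled),
        "admin_accounts": sum(1 for a in enabled if a["admin"]),
        "accounts_with_findings": len(flagged),
        "percent_clean": round(100.0 * clean / len(enabled), 1) if enabled else 100.0,
    }


if __name__ == "__main__":
    f = audit_accounts(ACCOUNTS, HR_ACTIVE, SERVICE_ACCOUNTS)
    for check, users in f.items():
        print(f"{check:22s} {', '.join(users) or '-'}")
    print(hygiene_metrics(ACCOUNTS, f))
```

The orphaned check is the one the slide is making with “HR interlink”: a departed employee’s still-enabled account is a valid credential the attacker never has to steal, which is exactly the “legitimate (though misused) credentials” pattern the DBIR describes.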

Page 6: Quick Win #2 – Protect Key Assets

• New year, same song: no real improvement over the 2011 data
• 66% of data exfiltrated was data “at rest” in servers and databases
• Accessed via legitimate (though misused) credentials
• Again: address hardening credentials, admin privileges, and password policy

Page 7: Quick Win #2 – Protect Key Assets: Suggestions for CISOs

What can your team tell you about:
• Inventory lists of authorized and unauthorized devices and software, including location and asset criticality to the business
• Patching (actual vs. planned) and remediation (actual vs. planned)
• Assure all systems are configured for anti-malware:
  • On insert/attach, disable auto-run of content on external devices
  • On insert/attach, the standard system configuration runs an automatic anti-malware scan
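The first two items above are the SANS CSC 1 and CSC 4 questions, and they are easier to answer from data than from memory. The script below is an added example (not from the Tripwire deck or the DBIR) that reconciles the hosts seen on the network against the authorized inventory, then buckets each patch by its actual install date against the planned window that the asset’s criticality dictates. The inventory, discovered-host list, patch records, placeholder patch names and SLA table are constructed assumptions standing in for a CMDB, a network scan and a patch-management export.

```python
"""Evidence for Quick Win #2: inventory reconciliation and patch 'actual vs. planned'.

Added example; not part of the Tripwire deck or the DBIR. The inventory, the
discovered-host list, the patch records and the SLA table are constructed
assumptions standing in for a CMDB, a network scan and a patch-management export.
"""
from datetime import date, timedelta

AS_OF = date(2013, 5, 28)   # assumed reporting date

# Constructed authorized inventory with the attributes the slide asks for.
INVENTORY = {
    "db01":  {"location": "DC-East", "criticality": "high"},
    "web01": {"location": "DC-East", "criticality": "high"},
    "fs02":  {"location": "HQ",      "criticality": "medium"},
    "lab07": {"location": "Lab",     "criticality": "low"},
}
# Constructed set of hostnames seen on the network (scan, DHCP leases, switch tables).
DISCOVERED = {"db01", "web01", "fs02", "kiosk-3", "unknown-9f2a"}

# Assumed policy: planned patch window in days after release, by asset criticality.
PATCH_SLA_DAYS = {"high": 7, "medium": 30, "low": 90}

# Constructed patch records; patch names are placeholders, installed=None means not yet installed.
PATCH_STATUS = [
    {"host": "db01",  "patch": "patch-2013-05", "released": date(2013, 5, 14), "installed": date(2013, 5, 16)},
    {"host": "web01", "patch": "patch-2013-05", "released": date(2013, 5, 14), "installed": None},
    {"host": "fs02",  "patch": "patch-2013-04", "released": date(2013, 4, 9),  "installed": date(2013, 5, 20)},
    {"host": "lab07", "patch": "patch-2013-04", "released": date(2013, 4, 9),  "installed": None},
]


def reconcile_inventory(inventory, discovered):
    """Authorized vs. unauthorized: on the network but not in the inventory, and vice versa."""
    authorized = set(inventory)
    return {
        "unauthorized": sorted(discovered - authorized),  # on the network, unknown to the inventory
        "not_seen": sorted(authorized - discovered),      # in the inventory, not observed: stale record or offline
    }


def patch_compliance(patch_status, inventory, sla_days, as_of=AS_OF):
    """Bucket each (host, patch) by actual install date against the planned SLA date."""
    report = {"on_time": [], "late": [], "overdue": [], "pending": []}
    for p in patch_status:
        crit = inventory[p["host"]]["criticality"]
        due = p["released"] + timedelta(days=sla_days[crit])   # the 'planned' date
        if p["installed"] is None:
            bucket = "overdue" if as_of > due else "pending"    # missing: past due, or still inside the window
        else:
            bucket = "on_time" if p["installed"] <= due else "late"
        report[bucket].append((p["host"], p["patch"], crit))
    return report


def compliance_percent(report):
    """Share of patches installed within their planned window; still-open windows are not yet due."""
    due_so_far = len(report["on_time"]) + len(report["late"]) + len(report["overdue"])
    return round(100.0 * len(report["on_time"]) / due_so_far, 1) if due_so_far else 100.0


if __name__ == "__main__":
    print(reconcile_inventory(INVENTORY, DISCOVERED))
    r = patch_compliance(PATCH_STATUS, INVENTORY, PATCH_SLA_DAYS)
    print(r, compliance_percent(r))
```

Note the dependency between the two functions: a device that reconciliation reports as unauthorized has no criticality and therefore no planned patch date, so it never appears in the compliance figure at all. That is why the inventory controls come first in the SANS 20 and why the slide asks about both together.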

Page 8: Quick Win #3 – Prepare for Attack

• Attackers used low- or very-low-skill tactics
• Nearly 80% of the attacks are not sophisticated (DOH! They’re misusing or stealing our credentials…)

Page 9: Quick Win #3 – Prepare for Attack: Address the Most Common Attack Vectors

Aside from Physical (largely ATM and POS devices):
• #1 Hacking: 40 varieties, but five of them account for 94%
• #2 Malware: phishing via email with a malware payload; 75% then install a keylogger
• #3 Social (aided by social networking): spear phishing

Page 10: Quick Win #3 – Prepare for Attack: Five Hacks Account for 94%

“…the easiest and least-detectable way to gain unauthorized access is to leverage authorized access… authentication-based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking…” – 2013 DBIR
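The quote names the attack a defender is most likely to find in their own authentication logs. Below is an added example (not from the Tripwire deck or the DBIR) of detecting it in sshd auth.log lines: per source address it tracks failures inside a five-minute window, raises a password-spray alert when several distinct accounts are tried, a brute-force alert when one account is hammered, and a higher-value alert when a success follows a burst of failures, which is a guessed or cracked credential now in use. The log lines are constructed (RFC 5737 documentation addresses) and the thresholds are tuning assumptions.

```python
"""Detection for the credential attacks the DBIR quote names: guessing, cracking, reuse.

Added example; not part of the Tripwire deck or the DBIR. The auth.log lines are
constructed (RFC 5737 documentation addresses); the thresholds are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
May 15 02:13:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
May 15 02:13:03 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51123 ssh2
May 15 02:13:05 web01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51124 ssh2
May 15 02:13:08 web01 sshd[2107]: Failed password for bob from 203.0.113.7 port 51125 ssh2
May 15 02:13:11 web01 sshd[2109]: Failed password for bob from 203.0.113.7 port 51126 ssh2
May 15 02:13:14 web01 sshd[2111]: Failed password for bob from 203.0.113.7 port 51127 ssh2
May 15 02:13:20 web01 sshd[2113]: Accepted password for bob from 203.0.113.7 port 51128 ssh2
May 15 08:00:00 web01 sshd[3000]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
May 15 08:05:12 web01 sshd[3010]: Failed password for alice from 198.51.100.4 port 40010 ssh2
May 15 08:05:20 web01 sshd[3012]: Accepted password for alice from 198.51.100.4 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
YEAR = 2013                       # syslog timestamps carry no year; assumed for the sample
WINDOW = timedelta(minutes=5)     # assumed: failures closer together than this form one burst
FAIL_THRESHOLD = 5                # assumed: failures in one burst that count as guessing
SPRAY_USERS = 3                   # assumed: distinct accounts in one burst that count as spraying
SUCCESS_AFTER = 3                 # assumed: failures before a success that make the success suspect


def parse_auth_log(text):
    """Turn sshd syslog lines into (timestamp, ok, user, source) events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]})
    return events


def detect_credential_attacks(events):
    """Per source address, track failures inside WINDOW; alert on bursts and on a success that follows one."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        burst, reported = [], False
        for e in evs:
            burst = [f for f in burst if e["ts"] - f["ts"] <= WINDOW]   # drop failures outside the window
            if not e["ok"]:
                burst.append(e)
                users = sorted({f["user"] for f in burst})
                if not reported and (len(burst) >= FAIL_THRESHOLD or len(users) >= SPRAY_USERS):
                    kind = "password_spray" if len(users) >= SPRAY_USERS else "brute_force"
                    alerts.append({"type": kind, "src": src, "failures": len(burst), "users": users, "ts": e["ts"]})
                    reported = True                                      # one alert per burst
            else:
                if len(burst) >= SUCCESS_AFTER:                          # guessed or cracked credential now in use
                    alerts.append({"type": "success_after_failures", "src": src, "user": e["user"],
                                   "failures": len(burst), "ts": e["ts"]})
                burst, reported = [], False                             # a success closes the burst


    return alerts


if __name__ == "__main__":
    for a in detect_credential_attacks(parse_auth_log(SAMPLE_LOG)):
        print(a)
```

On the sample, the first source produces a password-spray alert after three different accounts and then a success-after-failures alert when bob finally logs in; alice’s single typo followed by a correct password produces nothing. The Windows equivalents are Security events 4625 (failure) and 4624 (success) keyed on the source address. Spraying spread across many hosts is invisible to any one host, which is part of why the DBIR discovery times run to months: the events have to be centralized before this logic can see the pattern.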

Page 11: Quick Win #3 – Prepare for Attack: Suggestions for CISOs

• Create a security awareness and skills campaign for all employees and, where appropriate, all users

Page 12: Quick Win #4 – Detect and Contain Early: Timespan of Events Overall

Breach (initial compromise):
• 24% in seconds/minutes
• 73% in hours/days (of these, 60% in hours)

Data exfiltration:
• 23% in seconds/minutes
• 36% in hours

Discovery:
• 95% took up to months

Containment:
• 60% in hours/days
• 35% in weeks to years

Page 13: Quick Win #4 – Detect and Contain Early: Suggestions for CISOs

“Being breached is inevitable…” – DBIR
• Keep emphasizing prevention
• Focus resources on detection and containment
• Start with a risk assessment: know your status
• Join a collaborating group for alerts and details on current and new attacks
• Have formalized and tested breach response procedures
• Know when to call the police or others

Page 14: Quick Win #5 – Choose and Implement a Security Framework: Suggestions for CISOs

• SANS 20 Critical Security Controls (CSC), recommended by Verizon’s Data Breach Investigations Report
• NIST SP 800-53 (government oriented)
• ISO/IEC 27002 (process oriented)

Cool things about the SANS 20 CSC:
• Developed by a consortium of experts, widely collaborated upon, maintained and updated for evolving conditions
• Appropriate, actionable, and flexible for any organization, maturity level, industry, budget, or likely attack vectors
• Prioritized controls and sub-controls
• Provides implementation guidance, test tools, automation procedures, etc.
• Indicates where NIST overlaps, and how the NSA ranks the controls

Page 15: Foundational Security from Tripwire

• Risk-based security and compliance management
• Broadest set of foundational security controls
• Focused on the “First Four” of the SANS 20; covers 16 of the 20 in total
• Security business intelligence with performance reporting and visualization to make better decisions

Page 16: Tripwire Solutions

Page 17: OR MAYBE THE NEXT ONE?

Page 18: Integrated Security Solutions: A SANS 20 CSC View