There are many (small) risks and threats which are frequently overlooked in an organization. The presentation looks at where Risks & Threats (RaT) come from and at the "Biggies" in the RaT lists. We then look at a few Frequently Overlooked Risks and Threats (FORT), at course correction options and, finally, at a few case studies that highlight FORTs.
2. • Where Risks & Threats come from
• “Biggies” in the RaT Lists
• (Generally) Overlooked RaTs
• Course Correction Options
• Case Studies
Copenhagen Compliance, Mumbai.
October 08,2013
3. Present day RaTs usually arise from …
• Non-compliance
• Competition
• People, Processes, Technology Weaknesses
• Ignorance, Errors, Accidents
• Manual Controls
6. Top 10 Enterprise Security Predictions
1. Targeted Attacks
2. Signed malware
4. Non-Windows attacks
5. Ransomware
6. Impact of changing regulations
7. Need for incident response
8. Security Process Automation
9. Connected Devices
10. Bring Your Own Application (BYOA)
7. However, today I am not here to talk about the ‘big’ bad stuff.
Why? Because every InfoSec effort is made to secure the enterprise from tsunamis, tidal waves, pandemics etc.
Today’s focus is on this little guy and his small friends.
8. The story of the ant felling an elephant is part of folklore and may be true.
Human tendency is to shut down risk antennae when faced with unfamiliar scenarios.
These are explained away with cute labels like “unknown knowns”, “black swans”, “pig out of the sty”.
All this time destiny / fate / fatality will be staring you in the face, but still you don’t buy insurance.
9. Hardening
Configuration
Patch Mgt
Incident
DR
Anti Piracy: Software License Management
VAPT
Encryption (Voice/Data)
Mobile Computing
Data Classification
Home Computing
Spear Phishing
Secure Software Development
Privilege User and God Management
Background Checks, Exit Programs
10. • Asset Management (disposal):
– Photocopier hard drive goes out during maintenance
– Recirculation and trade-in of assets
• Background Check:
– InfoSec consultant is an unknown person who is provided access
to all crown jewels
– Simple NDAs
– Guards (on premises and in cash-vans)
• Gods and Godmen:
– SysAdmin / DataAdmin / DLP Admin is an unknown entrusted
with safekeeping
– DLP Admin – someone who has the power to read all mails
11. • Blind Faith in Technology:
– Logs are collected but not read; one is safe because
the appliance did not give an alert
– Complacence after implementation of security
technology
– InfoSec consultant provided advice is always correct
• Me, My Machine at my Home
• Overlooking Social Media
• Awareness and Training is treated as a common (shared) function,
leading to the lack of an awareness culture
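The “logs are collected but not read” point is the one a practitioner can actually test. The following Python is added here as an example; it is not part of the original presentation. It runs over a handful of constructed sshd log lines (made up for the example, not real data) and contrasts an assumed appliance rule (alert when one source produces 5 or more failed logins in an hour) with a simple review of the whole retention window. The thresholds, hostnames and IP addresses are all assumptions; the point is that a source which never trips the per-hour alert is still plainly visible once someone reads the logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (made up for this example, not real data).
# 203.0.113.9 spreads 12 failures over six hours (never more than 2 per hour);
# 198.51.100.7 makes 6 failures within seconds; 192.0.2.10 is a user's typo.
SAMPLE_LOG = """\
2013-10-07T01:12:04 host1 sshd[2111]: Failed password for root from 203.0.113.9 port 51012 ssh2
2013-10-07T01:41:19 host1 sshd[2130]: Failed password for admin from 203.0.113.9 port 51044 ssh2
2013-10-07T02:05:33 host1 sshd[2201]: Failed password for oracle from 203.0.113.9 port 51101 ssh2
2013-10-07T02:50:02 host1 sshd[2230]: Failed password for backup from 203.0.113.9 port 51140 ssh2
2013-10-07T03:14:55 host1 sshd[2299]: Failed password for root from 203.0.113.9 port 51190 ssh2
2013-10-07T03:47:41 host1 sshd[2310]: Failed password for test from 203.0.113.9 port 51233 ssh2
2013-10-07T04:08:17 host1 sshd[2377]: Failed password for root from 203.0.113.9 port 51270 ssh2
2013-10-07T04:39:26 host1 sshd[2390]: Failed password for deploy from 203.0.113.9 port 51302 ssh2
2013-10-07T05:03:09 host1 sshd[2450]: Failed password for root from 203.0.113.9 port 51350 ssh2
2013-10-07T05:36:48 host1 sshd[2462]: Failed password for guest from 203.0.113.9 port 51388 ssh2
2013-10-07T06:02:31 host1 sshd[2510]: Failed password for root from 203.0.113.9 port 51420 ssh2
2013-10-07T06:44:12 host1 sshd[2529]: Failed password for admin from 203.0.113.9 port 51461 ssh2
2013-10-07T09:00:01 host1 sshd[3001]: Failed password for root from 198.51.100.7 port 40001 ssh2
2013-10-07T09:00:02 host1 sshd[3002]: Failed password for root from 198.51.100.7 port 40002 ssh2
2013-10-07T09:00:03 host1 sshd[3003]: Failed password for root from 198.51.100.7 port 40003 ssh2
2013-10-07T09:00:04 host1 sshd[3004]: Failed password for root from 198.51.100.7 port 40004 ssh2
2013-10-07T09:00:05 host1 sshd[3005]: Failed password for root from 198.51.100.7 port 40005 ssh2
2013-10-07T09:00:06 host1 sshd[3006]: Failed password for root from 198.51.100.7 port 40006 ssh2
2013-10-07T09:30:00 host1 sshd[3100]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2
2013-10-07T09:31:00 host1 sshd[3101]: Failed password for alice from 192.0.2.10 port 52001 ssh2
"""

# Matches the sshd "Failed password" line format used in the sample above.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, source_ip) for every failed login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def hourly_counts(events):
    """Map source_ip -> {hour bucket -> number of failures in that hour}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, _user, ip in events:
        buckets[ip][ts.strftime("%Y-%m-%dT%H")] += 1
    return buckets


def appliance_alerts(events, per_hour_threshold=5):
    """Assumed appliance rule: alert on any source with >= N failures in one hour."""
    return {
        ip for ip, hours in hourly_counts(events).items()
        if max(hours.values()) >= per_hour_threshold
    }


def review_findings(events, per_hour_threshold=5, window_total_threshold=10):
    """Sources the appliance rule missed but a whole-window review flags: total
    failures over the window >= window_total_threshold, while no single hour ever
    reached the appliance's per-hour threshold (so no alert was ever raised)."""
    alerted = appliance_alerts(events, per_hour_threshold)
    findings = {}
    for ip, hours in hourly_counts(events).items():
        total = sum(hours.values())
        if ip not in alerted and total >= window_total_threshold:
            findings[ip] = {
                "total": total,
                "peak_hour": max(hours.values()),
                "hours_active": len(hours),
                "distinct_users": len({u for _t, u, src in events if src == ip}),
            }
    return findings


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print("appliance would alert on:", sorted(appliance_alerts(evs)))
    for ip, info in review_findings(evs).items():
        print(f"missed by the appliance but found on review: {ip} {info}")
```

Run stand-alone it reports that the appliance would alert only on 198.51.100.7, while 203.0.113.9 (12 failures against 7 different accounts, never more than 2 in any hour) is found only by the review. The same idea applies to any appliance whose rules are threshold-based: the rule documents what it was told to look for, not what is in the logs.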
12. • Not mentioned in this RaT list
– Hardware backdoors
– Software backdoors
– State Monitoring (PRISM, IMS)
– Information Sharing
– Passwords
13. • Include cost-to-enterprise in risk assessment
• Prioritize risk icebergs based on impact size
rather than just hype and bug PR
• Start a bug bounty program and enable 24x7
network testing (nearly) free-of-cost
14. • Re-look at those itsy bitsy pieces of technology
feel-good paraphernalia around the
organization: fingerprint readers, access cards,
certificate on your wall
• Reach out to the ethical InfoSec community
15. It has happened to the best and to the biggest – governments, corporations, individuals.
They have all been felled by an unknown blackhat, or some virus / APT, or by virtue of non-compliance or overlooking the ‘small’ stuff.
Some recovered, some died – but one thing is common: all suffered a big dent in their reputation plus financial losses and significant setbacks in their business.
16. • Up to 12,000 laptops are lost in United States airports each week
• Between 65 and 70 percent of lost laptops are never reclaimed
• Most laptops are lost at security checkpoints
• 53 percent of business travelers surveyed carry sensitive corporate information on their laptop
• 65 percent of those who carry confidential information have not taken steps to protect it while traveling
• 42 percent of respondents say they do not back up their data
- Lost Laptop and Business Traveler Study by Dell and the Ponemon Institute
The first study of its kind was carried out in the first half of 2008. The Ponemon Institute surveyed 106 United States airports and over 800 business travelers to understand the frequency with which laptops are lost in airports and the steps business travelers are taking to protect sensitive information on corporate systems.
18. Terry Childs
Judge ordered former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.
'Keep in mind the network never went down and no user services were denied, and given that Terry Childs was the only one who had admin access (for years prior) it is difficult to understand how they came up with $1.5 million in costs.'
In June 2008, he was arrested on computer crime charges for refusing to divulge the passwords to San Francisco's FiberWAN system to his supervisors.
After being arrested he was held on $5 million bail. He is also accused of tampering with the network and subversively avoiding auditing checks.
20. WINTECH COMPUTERS circa late 90’s
• 170 operational centers all over the country, nearly 1,700 employees, and at least 40 students per institute
March 2000: 'I want to be the Bill Gates of India's computer education industry.' – Murtuza Mathani, Wintech CEO.
September 2000: Raid carried out on the company by Mumbai Police and officials of a private investigating firm. Wintech Computers had no license to teach Oracle® software.
May 2001: Mathani's whereabouts unknown.
The Rest is History
23. There are many ‘small’ things lying around with enough
power to trip your organization
If you have not yet assimilated information security and
management into the mainstream of your business…
wake up !
Plough the InfoSec field deeper, as deep as you can!
25. • Professional Positions
– Open Security Alliance (Principal and CEO)
– Jharkhand Police (Cyber Surveillance Advisor)
– Pyramid Cyber Security & Forensics (Principal Advisor)
– Indian Honeynet Project (Co Founder)
• Professional skills and special interest areas
– Security Consulting and Advisory services for IS Strategy, Architecture,
Analysis, Policy Development, Optimization
– Technologies: SOC, DLP, IRM, SIEM…
– Practices: Incident Response, SAM, Forensics, Regulatory guidance..
– Community: mentoring, training, citizen outreach, India research..
• Blogger, Occasional columnist, wannabe photographer, research & survey
26. Contact Information
E: dinesh@opensecurityalliance.org
T: +91.9769890505
Twitter: @bizsprite
Facebook: dineshobareja
L: http://in.linkedin.com/in/dineshbareja
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented.
Images have been acknowledged where possible and if we have infringed on your rights it is
unintentional – we assure you the removal immediately on being notified. The use of company
names, brand names, trade marks are only to facilitate understanding of the message being
communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the
author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly
unintentional, and objections may please be communicated to us for remediation of the
erroneous action(s).