Anatomy of a Data Breach - IAPP

Date post: 19-Mar-2018

Tim Matthews Director, Product Marketing


Relevant Modes of Data Loss

Well Meaning Insider

• Lost Laptop

• Data Spills

• Posting to P2P Networks

Malicious Insider

• Stolen USB Drive

• Anonymizing Proxies

External Adversaries

• Nationalists

• Crime Rings

• Hacktivists


Adversary Profile: Nationalists

Adversary Objective

• Exfiltration or disruption of operations

Means of Attack

• Extensive research on target

Examples

• Hydraq (Aurora)

• Stuxnet

• GhostNet

• TitanRain

• Moonlight Maze

Adversary Profile: Crime Rings

Adversary Objective

• Incursion and exfiltration leading to mass fraud and brand damage

Means of Attack

• Targeted attack, Banking trojans, Phishing

Examples

• Epsilon breach

• Zeus, Clampi

• Storm Botnet, Mariposa, McColo

Adversary Profile: Malicious Insiders

Adversary Objective

• Financial gain, revenge

Means of Attack

• IP theft via email/webmail, USB, laptop

• CD/DVD, P2P, TOR

Examples

• Many financial organizations

• GM design document theft

• NASA espionage bust

Adversary Profile: Hacktivists

Adversary Objective

• Political activism and revenge

Means of Attack

• Abuse of insider access, social-engineering and/or quasi-legal technical tools

Examples

• U.S. Army

• U.S. Department of State

• Major financial institutions

Overview of Data Breach Trends


Trends in Causes of Data Breaches

(Trends in Causes of Data Breaches, 2005–2010, courtesy Verizon Business RISK Team)

Data Breaches by Sector

Avg. # of Identities Exposed per Data Breach by Sector

Volume of Data Breaches by Sector

Threat Landscape Trends

Social Networking + social engineering = compromise

Attack Kits get a caffeine boost

Targeted Attacks continued to evolve

Hide and Seek (zero-day vulnerabilities and rootkits)

Mobile Threats increase

Four Phases of an Attack


Textbook Controls are Failing to Protect Data

Access Controls and Compartmentalization should act as filters for confidential information, but are not sufficient protection for most companies.

[Diagram labels: Confidential Information; Compartmentalization; Access Controls; Laptops; Servers; Network Shares]

Data is then lost via:

• Data Spills

• Network Communications

• Laptops

• Removable Media

Data Breach Scenarios


Disgruntled Employee (Malicious Insider) vs. Large American Utility

• Setup

– Utility did Data Loss Prevention (DLP) risk assessment with Symantec

– Configured to detect large downloads of confidential data

– DLP detected an employee doing mass downloads to a thumb drive

– Investigations revealed employee was planning defection to competition

• Implications

– Damaging leak of enterprise IP was detected and controlled before loss

– This profile (technically simple malicious activity) fits most cases of theft

– Large scale rollout of these protections now underway

Hackers (External Adversary) vs. Royal Dutch Shell

• Setup

– March 2010: Shell reports breach of personal details of over 170k employees

– Details leaked to political adversaries of Shell: Greenpeace, Friends of Earth

– Investigation is now ongoing but suspicions are “Hacktivists” stole the data

• Implications

– Data has been purposefully leaked onto the open Internet

– Personal details (phone numbers, home addresses) exposed to the outside world

– Security risk to Shell employees

Donor Database Inadvertently Leaked (Well Meaning Insider) and Campaign Office for U.S. Senate Run

• Setup

– Well meaning insider mistakenly posted donor details

– No process in place to monitor or detect such exposures

• Implications

– Identities of campaign contributors on display

– WikiLeaks activists discovered the breach and distributed it

– Embarrassing breach disclosure process ensued

Summary of Relevant Defensive Techniques


Recommended Countermeasures

Basic Protections

• Deploy device control

• Encrypt laptops

• Update access control policies

• Employ security awareness training

• Conduct regular data loss risk assessments

• Monitor traffic to anonymizing proxies

• Monitor P2P traffic

Recommended Countermeasures

Advised Controls for “At Risk” Organizations

• Identify critical information assets

• Develop content-aware policies to drive remediation

• Detect high risk data exposure and data flow

• Prevent large scale exfiltration

• Encrypt exposed confidential data

• Blacklist onion routing applications


Summary of Crucial Defensive Technologies

• Advanced Reputation Security

• Security Incident and Event Management

• Host Intrusion Prevention

• Strong Authentication

• Data Loss Prevention

• Encryption

• Network Threat/Vulnerability Monitoring


Recommended Actions

• Begin formulating your data protection policy

• Assess your risk

• Identify key cross functional stakeholders

• Start investigating technology solutions

• Drive a cross functional team to address risk


Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Tim Matthews

Director, Product Marketing
