iPods, CD/DVD, USB, etc. - How to Protect From the Dangers Within

www.lumension.com

© Copyright 2008 - Lumension Security

iPods, CD/DVD, USB, etc.How to Protect From the Dangers Within

Speakers: Matt Mosher, LumensionJohn Dasher, PGP Corporation


www.lumension.com 1

How much would you pay for this USB stick?


www.lumension.com 2

Some would pay


www.lumension.com 3

would!


www.lumension.com 4

The Shifting Endpoint

What has changed in today’s

market to make a USB stick

so valuable to some and

potentially such a great risk to

others?


www.lumension.com 5

The Value of Data Has Been Recognized and Targeted

Financial Records

� Social security numbers

� Credit card numbers

� Bank account numbers

� Brokerage account numbers

� Mortgage account

Personal Identification

� Drivers License

� Account Passwords

� Passport

� Date of Birth

Medical Records

� Patient medical history

� Health Insurance information

Government Classified Information

� Military Intelligence

� Nuclear Secrets

� Homeland Security

� Infrastructure Data

� Counter-Terrorism

� Immigration Data

Corporate IP

� Customer Lists

� Product Roadmap and R&D

� Marketing Strategies

� Company Financials

� Trade secrets

� Patents

� Trademarks and Copyrights

� Designs and Architectures


www.lumension.com 6

The Borderless Enterprise

Remote users and mobile technology.

6

Data has moved beyond the enterprise firewall:

Laptops / Home Offices USB Sticks / WiFi / VPN

and more…

Data


www.lumension.com

New Technology - New Sources of Risk

Easy of Connectivity = Risk Increases

Increased Storage Capacity = Risk Increases


www.lumension.com 8

Removable media stores more at lower cost than ever before and fits in your pocket

Plug and Play offers seamless support for removable media

Removable media is significant to daily business operations

Professional and personal use of removable media has merged

Evolution of Removable Media

Physical Size Storage Size Per MB Price


www.lumension.com 9

Increasing Internal Risk

Insiders have direct access to your most sensitive data.

70% of all serious incidents

are sparked by insiders.

Lost Laptops & Devices

Disgruntled Employees

P2P File Sharing Software

IDC Worldwide Security Products and Services2007 Top 10 Predictions


www.lumension.com 10

What Threat Does an Insider Pose?

John’s iPod might have 80 GB of his favorite music and video's or it might contain:

� software he brought from home to install

� malicious software, such as malware, spyware, crime ware

� a virus or Trojan

When John leaves at night it might have:

� your customer database

� financial data

� intellectual property

53% of organizations would NEVER know what data

was on a lost USB device 1

Source:1– Ponemon Institute, 2006 Cost of Data Breach Study



External Threats use Mobile Technology

Data is not just going out on Mobile Devices

Malware coming in on Mobile Devices

New form of Social Engineering

Leaving USB drives in parking lots of Targeted Companies with Malware installed


www.lumension.com

Malware in the Supply Chain

What do these removable devices all have in common?

All came pre-installed with viruses capable of stealing passwords and opening doors for hackers



Data Leakage Costs On the Rise

Data breaches remain the leading cause of financial losses 1

Data breach costs continue to increase 2

Source:1 - 2006 CSI/FBI Computer Crime and Security Survey2 - Ponemon Institute, 2007 Cost of Data Breach Study



Data Leakage Can Amount to Lost Business

Lost business accounts for 65% of data breach costs

Source:Ponemon Institute, 2007 Cost of Data Breach Study



Who Are the Victims and How Often

Sources:1 – 2006 CSI/FBI Computer Crime and Security Survey2 – IT Policy Compliance, Taking Action to Protect Sensitive Data, Benchmark Research Report, February 20073 – Privacy Rights Clearinghouse http://www.privacyrights.org/ar/ChronDataBreaches.htm

Corporations

� 75% of Fortune 1000 companies fell victim to data leakage 1

� 68% experience six losses of sensitive data annually 2

� 20% suffer from 22 or more sensitive data losses per year 2

Recent examples of individuals include:

� Consumers - Fidelity National Information Services Inc. (2.3 million)

� US Military Veterans (26 million)

� Patients - Stockport Primary Care Trust Patients (4,000)

� Students - Georgetown University students (38,000)

More than 217 million records exposed in 2007 3



Removable Media Has Legitimate Business Use

Every device isn't there to harm you, John might need a...� USB drive

� to easily move large files

� to take work on the road with him

� to carry a “toolkit” with him to support other users

� As backup data

� iPod

� to watch a video training

� to listen to a company podcast

� to listen to a class he is taking



Rethink Your Policies

Organizations need to ask themselves...”do we need to allow access to these devices?”

If yes,

� Who should have access – everyone, specific groups or users

� What devices should be allowed – USB drives, mp3 players, etc.

� When should access be allowed - 24/7, Mon. - Fri., 9 to 5

� Where should they be used – every machine or specific machines

� How should they be used – read only or read/write permission

If not, how are you going to deny access to the devices



Policy Enforcement

How would you control these devices?� Order machines without USB ports

� Physically blocking the USB ports

� Disabling the USB ports in the Bios

� Disable the USB ports in the registry

� Ban portable storage devices

� Use a software based tool to control access

� Do nothing



Four Steps to Reduce Risk

DiscoveryKnow what applications and devices are in use on endpoints

Policy EstablishmentDevelop company-wide, group and/or user-specific policies that reduce, or eliminate endpoint security issues

Policy EnforcementEnforce and administer endpoint security policies and the flexibility to seamlessly make policy changes as appropriate, reducing end users’ need for involvement

Policy Monitoring and Compliance ReportingUnderstand the effectiveness of endpoint policies and to know when they have been violated



Strategic Approach to Data Protection


www.lumension.com21

Strategic Approach to Data Protection

Lumension Device Control

PGP Disk and File Encryption

Data Intelligence / DLP

Complete Data Security Solution

Best-of-Breed Technologies to Create Total Solution »

PGP Whole Disk EncryptionAssures FIPS 140-2 encryption onto removable media

Comprehensive data-at-rest policy enforcement

Data Intelligence / DLPIn-line analysis of data transferred over the network

Integration with Sanctuary Device Control provides deeper level of policy enforcement for removable media



Lumension’s Sanctuary Device Control


www.lumension.com

Lumension’s Sanctuary Device Control

Automates discovery of peripheral devices

Provides granular device control permission settings

Offers flexible encryption options

Enforcement of Removable Device Use Policies

Delivers detailed audit capabilities

� Patented bi-directional “Shadowing” of data written to/from a device

� All device access attempts

� All administrator actions


www.lumension.com

System Service scans the network

on pre-defined intervals for unknown

devices

Works clientless

Intuitive User Interface

Creates template-based HTML

Reports

XML Export Interface

Removable Device Discovery


www.lumension.com

Read / Write

Scheduled Access

From 08:00h to 18:00h Monday to Friday

Temporary Access

For the next 15 minutes; starting next Monday, for 2 days

Out-of-band Permissions

Assign permissions when not connected to network, all device classes supported

Online / Offline

Quota Management

� Limit copied data to 100 MB / day

Encryption enforcement

� Device has accessible only if encrypted (decentralized encryption) with password

recovery option

File Type Filtering

� Limit the access to specific file types

Granular Device Control Permission Settings


www.lumension.com

Removable Media Encryption

Assign any removable media to any user and then encrypt

the media. Encrypted device is accessible only by the user

who owns the access rights on the removable media

AES 256 = market standard

Fast and transparent within the network

Strong password enforcement for usage outside the

corporate network

Flexible Encryption Options


www.lumension.com

User Actions Logging

� Read Denied / Write denied

� Device entered / Medium inserted

� Open API for 3rd party reporting tools

Shadowing of all copied data

� Level 1: shows File Name and attributes of

copied data

� Level 2: Captures and retains full copy of data

written to extenal device or read from such a

device

Administrator Auditing

� Keeps track of all policy changes made by SDC

admins

Detailed Audit Capabilities



PGP Encryption


www.lumension.com

IT Security Evolves: Enterprise Data Protection

An evolutionary approach to data security

Comprehensive strategy based on multiple technologies

Securing data, wherever it goes

Encryption & key management play critical roles

Protect: Secure data according to policy

Detect: Identify risk & enforce policy

Access: Authenticate identity

Manage: Archive, backup, & store


www.lumension.com

Many Applications…Many Silos

• To date, the only approach

• Difficult to manage

• Expensive to acquire, deploy,

& maintain

• Likely inconsistent policies

across silos

FTP & Custom Apps

Key Management, Security Policies,

Deployment, Reporting







Gateway Email & Digital Signatures

Desktop Email, Mobile, Digital Signatures

Laptop Disk “At Boot”

Data in Folders, USB, File Servers









Archiving Tape Backup

Desktop Instant Messaging

File Servers


www.lumension.com

Silo Approach

Two Approaches

Plotted Cost, Effort, & Time ($)

• Change management

• Hardware

• Setup keys

• Clustering

• Failover

• Passphrase setup

• Internal enrollment

• External enrollment

• Package distribution

• LDAP

• Recovery configuration

• User profile

• Logging

• SNMP

• User training

• Admin training

• Help desk training

• Vendor support

• Policy configuration

Enrollment

Monitoring

RolloutInstall

Configure

Integration

Policy

Training


www.lumension.com

Silo Approach

Two Approaches

Platform-Enabled

Plotted Cost, Effort, & Time ($)

Enrollment

Monitoring

RolloutInstall

Configure

Integration

Policy

Training

App #1

Enrollment

Monitoring

RolloutInstall

Configure

Integration

Policy

Training

App #2

Enrollment

Monitoring

RolloutInstall

Configure

Integration

Policy

Training

App #3

Enrollment

Monitoring

RolloutInstall

Configure

Integration

Policy

Training

App #4

Deploy Once

App #1

App #2

App #3App #4


www.lumension.com

PGP® Encryption Platform

The first application deploys the Platform… future applications leverage it.


www.lumension.com

Platform Scalability

The PGP Platform reduces operational costs and business risks

Software CostDeployment Effort

Maintenance

Number of Encryption Applications



Data Protection in Action:

Case Studies


www.lumension.com

Total Economic Impact: PGP Encryption Platform

Case study of €19B global media company

PGP Encryption Platform vs. point products

� 4 encryption applications

� 65% cost savings

� 185%+ ROI

� Immediate payback


www.lumension.com

Case Study: John C. Lincoln Health Network

Summary Financial Results Unadjusted

(best case)

Risk-Adjusted

ROI (four year) 372% 365%

Payback* 16 month 19 months

Total four-year costs (PV) ($140,384) ($136,040)

Total four-year benefits (PV) $662,092 $632,966

Total four-year net savings (PV) $521,709 $496,926

Table 1: Company ROI, Original and Risk-Adjusted

*Note: Payback would have been faster, had deployment not been spread out over two years.Source: Forrester Research, Inc.

$500,000

$400,000

$300,000

$200,000

$100,000

0

($100,000)

Summary Financial Results, Risk Adjusted

Year 1 Year 2 Year 3 Year 4

Costs (PV)

Benefits (PV)

CumulativeCash Flow (PV)


www.lumension.com

Summary

Organizations of all sizes/industries are susceptible to data leakage

Removable devices provide an easy way to transfer data

Data leakage is expensive

Data loss is more common, but the greater risk is data theft

Enforce user and data controls and audit activity

� Minimize the greatest source of risk - data theft - by putting controls and auditing capabilities around removable media and endpoints

� Deliver and enforce FIPS 140-2 validated encryption for data on removable media and endpoints to protect against data loss


www.lumension.com

Conclusion

Contact Information

Lumension Security

Matt Mosher, SVP of Americas

[email protected]

PGP® Corporation

John Dasher, Director of Product Management

[email protected]


www.lumension.com

Thank You

Q&A

Date post:	13-Aug-2015
Category:	Business
Upload:	digitallibrary
View:	690 times
Download:	0 times