A Sunny Day at the Breach
Jeff Sanchez, Adam Brand
Agenda
• Introduction
• Story Time
• Reducing Headlines
• Q&A
© 2012 Protiviti Inc. An Equal Opportunity Employer.
Introduction – Who We Are
• Protiviti
• IT Security Services
• Jeff Sanchez, Managing Director
• Adam Brand, Senior Manager
Introduction – Why Should IA Care about Breaches?
• Understand the risk
• Insight into systemic issues
• Potential financial impact
Story Time: The Four Horsemen
Ivan & Co. – Credit Card Thieves
Digital D0gs – Defacers
The Bad Sh3pherds – Botnet Herders
Red Team 3 – Corporate Secrets Thieves
Story Time: Ivan & Co. – Credit Card Thieves
Story Time: Ivan & Co. – The Source
Story Time: Ivan & Co. – The Malware
Story Time: Ivan & Co. – The Scope
Story Time: Ivan & Co. – The Agent
Story Time: Ivan & Co. – The Resolution
Yay…free credit monitoring!
I get a free prison tattoo.
Story Time: Digital D0gs – Defacers
Story Time: Digital D0gs – Awesome Web Designers
Story Time: Digital D0gs – The Resolution
This new design is actually cleaner and loads faster!
Story Time: The Bad Sh3pherds – Botnet Herders
Story Time: The Bad Sh3pherds – Oldie But Goodie
Story Time: The Bad Sh3pherds – The Resolution
Ah: rebuild, patch, done.
Story Time: Red Team 3 – Corporate Secrets Thieves
Story Time: Red Team 3 – The Source
We “heard” you were hacked.
Story Time: Red Team 3 – The Malware
If I keep installing malware…
I can be advanced and persistent!
Story Time: Red Team 3 – The Secrets
That IS the droid they were looking for!
Story Time: Red Team 3 – The Resolution
Lucky, smart…who cares? I still got the girl.
If only I wasn’t so incompetent…
I could steal secrets faster.
I get a free prison tattoo.
Reducing Headlines: Overview
• Breaches are inevitable – make sure there is a plan!
• Reduce headlines by reducing impact
• Reduce duration and impact with a few key controls
  – Limit Outbound Internet
  – No user “administrators”
  – Implement File Monitoring
Reducing Headlines: Limit Outbound Internet Traffic
• No Internet without a proxy!
• Turn off “Uncategorized Sites” (whitelist approach)
• Servers = very limited outbound access
Limit the attacker’s options for command and control of their malware.
Reducing Headlines: No user “administrators”
• End users = guaranteed win
• Heavily restrict end user machine admin rights
• Users should not install software
Many favorite attacker programs require local admin rights to run.
Reducing Headlines: Implement File Monitoring
• Don’t rely on anti-virus alone
• Often malware places files in Windows system folders
• Follow up on alerts
Many attackers download files during their attack that should raise suspicion.
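A baseline-and-compare file monitor for the control above, as an added example that is not part of the original presentation. The extension list, the severity labels and the temporary directory standing in for a Windows system folder are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types that warrant immediate follow-up when they appear or change.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".bat", ".ps1"}

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
            except OSError:
                digest = "unreadable"  # locked or access denied: still track the file
            state[path.relative_to(root).as_posix()] = digest
    return state

def compare(baseline, current):
    """Return (severity, change, path) alerts, ordered by path, for drift from baseline."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) == current.get(path):
            continue  # present in both snapshots with the same digest
        change = ("new" if path not in baseline
                  else "removed" if path not in current else "modified")
        executable = Path(path).suffix.lower() in EXECUTABLE_EXTS
        severity = "high" if executable and change != "removed" else "review"
        alerts.append((severity, change, path))
    return alerts

def demo():
    """Constructed sample: a temp directory stands in for a monitored system folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kernel32.dll").write_bytes(b"v1")
        (root / "notes.txt").write_bytes(b"a")
        baseline = snapshot(root)
        (root / "dropped.exe").write_bytes(b"constructed")  # file that appeared later
        (root / "kernel32.dll").write_bytes(b"v2")           # existing file replaced
        (root / "notes.txt").unlink()
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The baseline has to be stored where an attacker with access to the monitored host cannot rewrite it, and every alert needs an owner, which is the "follow up on alerts" point on the slide.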
Closing Thought: Get Involved
Internal Audit has a role to play with breach prevention, response, and remediation – it’s time to bridge the gap.
Q&A
Contact Information:
Jeffrey Sanchez Managing Director
Phone: (213) 327-1433
Security & Privacy Services
[email protected]
Adam Brand Senior Manager
Phone: (213) 260-4660
Security & Privacy Services
[email protected]
Powerful Insights. Proven Delivery.™