OC Chapter

Securing your Business for 2014, Leveraging Lessons of 2013
The 10 Worst Data Breaches of 2013

Adobe (150 million exposed account credentials) (source code lost)

Edward Snowden (pervasive signals intelligence, subversion of encryption standards, collaboration with
overseas intelligence communities and other bombshells)

Had to be told by a third party – where was DLP?
Snowden didn't work for one of the agencies. He worked for an outside defense contractor. He wasn't even a full-time employee of that contractor either, but a part-timer who had only been there for a few months.

NSA

The MUSCULAR program involved intercepting data from Yahoo and Google private clouds where the data is
unencrypted. The data collected included email, pictures, video, text documents, spreadsheets, and an array of
other similar file types.

With this new revelation, Google has taken a considerably stronger stance against the NSA's spying programs.

Data Broker Botnet (D&B, LexisNexis, Kroll Background America)

Using a botnet, hackers were able to work undetected for months to consolidate massive amounts of PII.

When it's your job to collect, store and sell data!
Proprietary and Confidential. Do Not Distribute. @ Regents and Park, Inc. All rights reserved
The 10 Worst Data Breaches of 2013


Living Social

Attackers had access to those users' information (name, email, password, buying history).

Encrypted password hashes can be "cracked" with computer software that essentially tries millions of
different possible passwords looking for a match. The bad guys will successfully crack the passwords of
many Living Social users, and knowing the password, name, and email address for a person, they may be
able to break into other accounts that those people maintain on other websites.
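The following is an added example, not code from the original presentation, showing from the defender's side why a leaked password table is crackable at all and what makes each guess expensive. It compares a fast unsalted hash (one SHA-256 over the password) with a salted, deliberately slow PBKDF2-HMAC-SHA256 derivation, using only the Python standard library. The three sample users, their passwords, and the 600,000 iteration count are constructed for the demonstration.

```python
"""Why a stolen password table is "crackable", and what makes cracking expensive.

Added example for the LivingSocial discussion above; it is not code from the
original presentation. It contrasts two storage schemes on a constructed
three-user table:
  1. a fast, unsalted hash (plain SHA-256), where one guess can be compared
     against every user at once and password reuse is visible in the table;
  2. a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard
     library), where each guess costs one full key derivation per user.
Only the Python standard library is used. The user names, passwords and the
iteration count are constructed for this demonstration.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed sample table; alice and bob deliberately share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2013!",
    "bob": "Summer2013!",
    "carol": "correct horse battery staple",
}

# Assumed cost parameter for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def fast_unsalted_hash(password: str) -> str:
    """Weak scheme: a single SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.

    The stored record carries its own parameters:
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_visible(table: Dict[str, str]) -> bool:
    """True when two users have identical stored values, so a leaked table
    reveals password reuse before a single guess is tried."""
    values = list(table.values())
    return len(values) != len(set(values))


def build_tables(users: Dict[str, str] = SAMPLE_USERS) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Store the same users under both schemes and return (weak, strong)."""
    weak = {user: fast_unsalted_hash(pw) for user, pw in users.items()}
    strong = {user: slow_salted_hash(pw) for user, pw in users.items()}
    return weak, strong


def cost_per_guess_ratio(samples: int = 200) -> float:
    """How many times more expensive one guess is under PBKDF2 than under raw
    SHA-256, measured on this machine (the figure varies; the order of
    magnitude does not)."""
    start = time.perf_counter()
    for _ in range(samples):
        fast_unsalted_hash("guess")
    fast = max((time.perf_counter() - start) / samples, 1e-9)

    start = time.perf_counter()
    slow_salted_hash("guess", salt=b"\x00" * 16)  # fixed salt: timing only
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted table reveals reuse:", shared_password_visible(weak))
    print("salted table reveals reuse:  ", shared_password_visible(strong))
    print("alice verifies with correct password:", verify_salted("Summer2013!", strong["alice"]))
    print("alice verifies with wrong password:  ", verify_salted("summer2013!", strong["alice"]))
    print(f"one PBKDF2 guess costs ~{cost_per_guess_ratio():,.0f}x a raw SHA-256 guess")
```

The unsalted table shows alice and bob sharing a password without any guessing, and one SHA-256 guess can be compared against every row at once; the salted table hides the reuse and forces a separate, slow derivation per user per guess. Current guidance (for example OWASP's password storage recommendations) prefers a memory-hard function such as Argon2, scrypt or bcrypt over PBKDF2; the structure of the record and the verification step is the same.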
AHMC Hospitals

In October, more than 729,000 patients were put in jeopardy when two unencrypted laptops were stolen
from California-based AHMC hospitals. It took this breach for an encryption policy to be put into place at
the AHMC hospital network.

Media Outlets

The Syrian Electronic Army (hacktivists) posted, from the Associated Press' Twitter handle, a claim of an attack on
President Obama, causing a brief $136 billion dive in the stock market.
The 10 Worst Data Breaches of 2013


New York Times (Chinese hackers)

The New York Times revealed that its computers were stealthily compromised by
Chinese hackers for a period of four months.

The attackers first installed malware — malicious software — that enabled them to
gain entry to any computer on The Times's network.

Google, Facebook, Twitter, Yahoo (Pony Botnet)

The botnet is responsible for the theft of 2 million passwords and user names from a
number of different locations, including Google, Facebook, Twitter and Yahoo.

The massive data breach was a result of keylogging software maliciously installed on
an untold number of computers around the world, researchers at cybersecurity firm
Trustwave said. The virus was capturing login credentials for key websites over the
past month and sending those usernames and passwords to a server controlled by
the hackers.
The 10 Worst Data Breaches of 2013

Target (40–150 million data elements) (AT&T or Trustwave): who can you trust?

Let's discuss:

Who should you listen to?

What encryption should you use (3DES)?

Can you trust your vendors' security (e.g. HVAC)?

How do you create good network segmentation?

Who is running your IT?
The 10 Worst Data Breaches of 2013

Target (continued)

Tools

FireEye – turned on but functions disabled

Data Monitoring NOC

Bit9

AV or no AV?

Encryption – P2PE
What do you have to lose?

PII

Customers

Money

Investors

Reputation

And…

What is your management's risk appetite?
Security Layers

Firewalls – Is your outermost layer secure from cyber attack? How do you use them? Is a vendor a firewall or a vulnerability?

People – Do you have BYOD, segregation of duties, employee loyalty and…

Policy – Does the company know what security they want, and does the employee get the message?
Firewalls – what are they?

Traditionally a device to secure the network from the internet.

Are they used internally, and why?

Is a vendor a breach in your firewall?

Does your vendor access your network over a public network?

Do they have elevated privileges?

What happens when a firewall gets breached?

Does encryption help?

In motion and at rest

How long before you know? (Adobe)
People – who needs them!

People (staff) make the work go round.

They are also responsible for most breaches.

BYOD – MDM (Mobile Device Management)

Do your employees access their bank via an insecure access method?

Do your employees care if their phone is insecure when accessing your network,
email, systems and software?

Big Data

Vacation? Not me!

A fraud indicator is someone who never takes a holiday.

They can't afford to leave their post, else their replacement might notice something wrong.
Policy

Are you training your employees?

Do they know what you expect of them?

How does an employee stop an attack if they don't know what to look for?

Maybe if I ignore it, it will go away?

Does a post-it note message constitute remediation of a breach?

What was the security policy for the companies in the top ten list?
Roundtable Discussion

Questions from the group?

PCI

HIPAA

SOX

ISO

ISMS

Scanning

Training
Copied Track 1 and 2 data.
Used a mom & pop web retail site to receive stolen data
without alerting the retailer. Store data and retrieve later.
Regents & Park

Jason James

President

+1 (949) 903-2524

[email protected]