Towards a Secured Organization

[Slide: collage of news clippings on data breaches and insider fraud. The clippings are overprinted in the extraction; what is recoverable:
- "Hacker penetrates T-Mobile systems" (Kevin Poulsen, SecurityFocus, 2005-01-11): a sophisticated intruder had access to T-Mobile servers for at least a year, reading customers' e-mail and Sidekick photos, including those of Hollywood celebrities; the Secret Service investigated.
- "MasterCard warns of massive credit-card breach" (ZDNet UK, 2005-06-17): data thieves breached the systems of credit-card processor CardSystems Solutions and made off with data on as many as 40 million credit cards.
- "Bank employees implicated in conspiracy; 500,000 victims alleged" (Hackensack, N.J., 2005): the alleged ring led by Orazio Lembo, with branch managers and employees from some of New Jersey's biggest banks, including Bank of America, Wachovia and Commerce Bank, sold customers' account information to bill collectors.
- Supermarket data breach (Elinor Mills, CNET, March 2008): malware installed on servers at the 300-some stores of the Maine-based Hannaford chain intercepted card data at the checkout counters; 4.2 million cards affected; New Hampshire Attorney General Kelly Ayotte and the Secret Service investigating.
- Call-center employee in India sold customers' credit-card data (Tom Costello, NBC News, April 28, 2005).
- Hacker sentenced: a Bulgarian cybercriminal given a 4-1/2 year jail sentence following an undercover investigation.
- Symantec commentary on a security audit of the United Nations' Galileo logistical system (Robert Lemos, SecurityFocus, 2009): the audit described the system as devastatingly unsafe, with backup systems co-located with the main systems, leaving the UN at considerable risk to which it was seemingly blind.]
Today's Problem?

Insecure Data at Rest
  80% of information theft and fraud is caused by internal users. (IDC)

Insecure Data in Motion
  70%-80% of electronic fraud is committed by trusted users. (Gartner)

Insecure Identities
  Losses resulting from internal theft are 500% more costly than external attacks. (FBI report)

Weak Authentication
  A growing list of applications forces users to remember more than 10 different passwords.

Repudiation of Actions
  Users deny their actions or involvement.
Today's Concerns in Security.... A PAIN!

  Authentication
  • be sure you know who you are communicating with

  Privacy (Confidentiality)
  • keep secrets secret

  Authorization
  • ensure users do not exceed their allowed authority

  Integrity (of the Data)
  • be sure nothing is changed behind your back

  Non-repudiation
  • have the evidence in the event of a dispute
What are the options we have to address these concerns?

The best option we have today to address these issues is public/private key cryptography, deployed as a Public Key Infrastructure (PKI) for enterprise-wide security.

At the very least, protect your data in motion AND authenticate the users with:
  • Digital user identity
  • Data encryption

Note that keys and certificates cover authentication, confidentiality, integrity and non-repudiation; authorization (what an authenticated user may do) still has to be enforced by the applications and systems themselves.
Main components of PKI
• Public key
• Private key
• Digital certificate (binds a public key to an identity, signed by the CA)
• Security application (the software that actually uses the keys and certificates)
• CA & RA (Certification Authority and Registration Authority; not necessarily in-house)
• IT infrastructure (depends on the deployment)
How to achieve A PAIN....

• Use of digital signatures/certificates.
• Use of digitally signed event/operation logs.
• Encrypting data communication channels.
• Use of proper anti-virus and anti-spyware tools.
• Use of effective firewalls.
How to achieve A PAIN.... (continued)

• Manage users on applications and systems.
• Use of licensed software with support.
• Imposing application-level security.
• Imposing web-server-level security.
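The "digitally signed event/operation logs" item in the list above is the one most often skipped, so here is a worked example added to this page (it is not code from the original deck or from any product the deck mentions). It builds an append-only log in which every entry carries the hash of the previous entry and an Ed25519 signature, plus a verifier that needs only the public key and reports the first entry that has been edited, removed or re-ordered. The actor names, actions and the three-entry log are constructed sample data, and generating the signing key at run time is an assumption for the demo; a real deployment keeps that key in an HSM or a separate signing service, not on the hosts whose events are being logged.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// LogEntry is one record of a tamper-evident, digitally signed event log.
type LogEntry struct {
	Seq       uint64
	Actor     string
	Action    string
	PrevHash  []byte // hash of the previous entry (nil for the first one)
	Signature []byte // Ed25519 signature by the logging system over this entry
}

// canonical is the exact byte string that gets signed. %q quotes the strings,
// so an actor or action containing "|" cannot shift a field boundary.
func canonical(e *LogEntry) []byte {
	return []byte(fmt.Sprintf("%d|%q|%q|%x", e.Seq, e.Actor, e.Action, e.PrevHash))
}

// entryHash covers the signed bytes and the signature, so the next entry pins
// down both what this entry said and that it was signed.
func entryHash(e *LogEntry) []byte {
	h := sha256.Sum256(append(canonical(e), e.Signature...))
	return h[:]
}

// SignedLog appends entries with the private key; anyone holding the public key can Verify.
type SignedLog struct {
	priv    ed25519.PrivateKey
	Entries []*LogEntry
}

func NewSignedLog(priv ed25519.PrivateKey) *SignedLog { return &SignedLog{priv: priv} }

// Append records an event, links it to the previous entry and signs it.
func (l *SignedLog) Append(actor, action string) {
	e := &LogEntry{Seq: uint64(len(l.Entries)), Actor: actor, Action: action}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = entryHash(l.Entries[n-1])
	}
	e.Signature = ed25519.Sign(l.priv, canonical(e))
	l.Entries = append(l.Entries, e)
}

// Verify walks the chain using only the public key. It returns -1 when every
// entry is intact, otherwise the index of the first entry whose sequence
// number, back-link or signature does not check out.
func Verify(pub ed25519.PublicKey, entries []*LogEntry) int {
	var prev []byte
	for i, e := range entries {
		if e.Seq != uint64(i) || !bytes.Equal(e.PrevHash, prev) ||
			!ed25519.Verify(pub, canonical(e), e.Signature) {
			return i
		}
		prev = entryHash(e)
	}
	return -1
}

// RunDemo builds a three-entry log from constructed sample events and returns
// the Verify results for the intact log, for a copy where entry 1 was edited,
// and for a copy where entry 1 was deleted.
func RunDemo() (intact, edited, deleted int) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo key; keep the real one off the logged hosts
	if err != nil {
		panic(err)
	}
	l := NewSignedLog(priv)
	l.Append("alice", "login from 10.0.0.5")
	l.Append("alice", "approve transfer #4711")
	l.Append("alice", "logout")
	intact = Verify(pub, l.Entries)

	// An insider rewrites what was approved: the signature over entry 1 no longer matches.
	copyOf1 := *l.Entries[1]
	copyOf1.Action = "reject transfer #4711"
	edited = Verify(pub, []*LogEntry{l.Entries[0], &copyOf1, l.Entries[2]})

	// The same insider deletes entry 1 instead: the gap breaks the sequence and the hash chain.
	deleted = Verify(pub, []*LogEntry{l.Entries[0], l.Entries[2]})
	return intact, edited, deleted
}

func main() {
	intact, edited, deleted := RunDemo()
	fmt.Printf("intact log: first bad entry = %d\n", intact)       // -1: nothing wrong
	fmt.Printf("edited entry 1: first bad entry = %d\n", edited)   // 1
	fmt.Printf("deleted entry 1: first bad entry = %d\n", deleted) // 1
}
```

Two caveats a practitioner should keep in mind. First, a hash chain plus per-entry signatures detects edits, deletions and insertions in the middle, but not an attacker who controls the log store and simply truncates the tail; anchor the latest entry hash somewhere outside the system (a signed periodic checkpoint, a write-once store or a timestamping service). Second, this log is signed with the system's key, so it proves the record has not been altered since it was written; for non-repudiation of a user's own action (the "users deny their actions" problem on the earlier slide) the entry must also carry the user's signature over the request they submitted.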
Recommended Steps towards building a Protected Organization
• Discover and classify the data.
• Establish consistent data protection policies.
• Educate the users.
• Roll out data protection solutions (to protect data at rest and data in motion).
• Roll out effective user identity management solutions (public/private keys and digital IDs).
• Automate enforcement.
Today's Organizations: how you think

Today's Organizations: how I think

Are your information systems secured and adequately protected?
Thank You
Public/Private Key: Encryption + Authentication for Data in Motion

Alice (sender), plaintext "Bob: Take the day off":
  1. Encrypt the message with Bob's public key -> ciphertext (3X7b Mbd0 2zQO 3Gh7 @$?4 Uv%r)
  2. Sign the ciphertext with Alice's private key -> signature
  Ciphertext + signature travel over the network.
Bob (receiver):
  3. Check the signature with Alice's public key -> "Signature OK?" (reject the message if not)
  4. Decrypt the ciphertext with Bob's private key -> plaintext "Bob: Take the day off"

Bob's public key provides confidentiality (only Bob's private key can decrypt); Alice's private key provides authentication and integrity (only Alice could have produced a signature that her public key verifies, and the check fails if anything in the ciphertext was altered in transit).
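The exchange in the diagram, as a worked example in Go added to this page (not code from the original deck). It follows the slide's order exactly: Alice encrypts for Bob's public key, then signs the result with her private key; Bob checks the signature with Alice's public key before touching the ciphertext, then decrypts with his private key. One departure from the picture: the message is not encrypted directly with Bob's RSA key (RSA-OAEP only accepts a short input) but with a one-time AES-256-GCM key that is itself encrypted to Bob's key, which is the hybrid construction real systems use. The key pairs are generated at run time, the message text is the one in the diagram, and the Envelope layout is this example's own rather than any standard format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the untrusted network from Alice to Bob.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, encrypted to Bob's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output (ciphertext plus authentication tag)
	Signature  []byte // Alice's Ed25519 signature over the three fields above
}

// signedBytes length-prefixes each field so no field boundary can move without changing the signed bytes.
func signedBytes(e *Envelope) []byte {
	var out []byte
	for _, f := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		n := uint32(len(f))
		out = append(append(out, byte(n>>24), byte(n>>16), byte(n>>8), byte(n)), f...)
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Alice's side: encrypt for Bob's public key, then sign with Alice's private key.
func Seal(plaintext []byte, bobPub *rsa.PublicKey, alicePriv ed25519.PrivateKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by the 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, key, nil)
	if err != nil {
		return nil, err
	}
	e := &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	e.Signature = ed25519.Sign(alicePriv, signedBytes(e))
	return e, nil
}

// Open is Bob's side: check Alice's signature first, then unwrap the key with Bob's private key and decrypt.
func Open(e *Envelope, alicePub ed25519.PublicKey, bobPriv *rsa.PrivateKey) ([]byte, error) {
	if !ed25519.Verify(alicePub, signedBytes(e), e.Signature) {
		return nil, errors.New("signature check failed: not from Alice, or altered in transit")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // GCM also fails if the ciphertext was altered
}

// GenerateDemoKeys makes fresh keys for the demo: Alice's Ed25519 signing pair and Bob's RSA pair.
func GenerateDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey, *rsa.PrivateKey) {
	alicePub, alicePriv, err1 := ed25519.GenerateKey(rand.Reader)
	bobPriv, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return alicePub, alicePriv, bobPriv
}

func main() {
	alicePub, alicePriv, bobPriv := GenerateDemoKeys()
	env, err := Seal([]byte("Bob: Take the day off"), &bobPriv.PublicKey, alicePriv)
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, alicePub, bobPriv)
	fmt.Printf("Bob reads: %q (err=%v)\n", msg, err)
	env.Ciphertext[0] ^= 0x01 // an attacker flips one byte on the wire
	_, err = Open(env, alicePub, bobPriv)
	fmt.Println("after tampering:", err)
}
```

Bob verifies before decrypting so that a forged or modified envelope is rejected before any private-key operation runs on it. Be clear about what the signature in this order proves: it ties the envelope to Alice's key, but because Alice signed ciphertext rather than plaintext, a third party could strip her signature and re-sign the same envelope under their own key, and Bob could not tell who actually wrote the message. Where authorship of the content matters, sign the plaintext before encrypting, or better, use an established message format (CMS or OpenPGP) that has already settled these questions, and for live connections use TLS rather than assembling this by hand.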
