Adjusting Your Security Controls: It’s the New Normal
0 likes445 views
The document discusses the evolving cybersecurity landscape and the necessity for organizations to adapt their security controls regularly. It emphasizes the limitations of traditional frameworks and highlights the need for innovative approaches to address dynamic threats, particularly in healthcare data security. Key recommendations include measuring control effectiveness, understanding top threats, and applying adaptive security practices.
![#RSAC
© 2016 Aetna Inc.
Sinkhole Newly Established Domains
18
A sinkhole, also known as a cenote, sink, sink-hole,[1] shakehole,[2] swallet, swallow hole, or
doline (the different terms for sinkholes are often used interchangeably[3]), is a depression or
hole in the ground caused by some form of collapse of the surface layer
Enterprise
DNS
Sinkhole
Threat Actor
bad_actor.com
Cyber
Security
Intelligence
Data Feeds
New domains (48 hrs)
eMail Gateway
1
FROM:
igor@bad_actor.com
2
DNS Request
SPF TXT Record
3
Custom SPF
Response
4
SPF Header
Added to email
5
BLOCK Rule
Check for
“192.0.2.1”
6
Redirect email
to CSI
7](https://image.slidesharecdn.com/str-t09r-adjustingyoursecuritycontrols-itsthenewnormal-160310122929/85/Adjusting-Your-Security-Controls-It-s-the-New-Normal-18-320.jpg)
Adjusting Your Security Controls: It’s the New Normal
- 1. SESSION ID: #RSAC Jim Routh Adjusting Your Security Controls: It’s The New Normal STR-T09R CSO Aetna @jimrouth1
- 2. #RSAC © 2016 Aetna Inc. We Were Taught to Adopt a Framework of Controls 2 1. Adopt a framework for controls 2. Document control objectives 3. Document control procedures 4. Implement control standards 5. Measure practices aligned with control procedures Security 101
- 3. #RSAC © 2016 Aetna Inc. Control Frameworks Implemented 3 NIST Cyber Security Framework NIST 800-53 PCI-DSS 3.0 Shared Assessments SIG Shared Assessments AUP SOC 1 & 2 BSIMM Changing controls due to the evolving threat landscape is the new “normal” Top Key Control Test Results BitSight Vulnerability Review Security Scorecard Vulnerability Review Synack Pen Test Results (crowdsourced) Vulnerability Management Software Security Program Mobile Security Program Identity & Access Management Security Data Analytics Adaptive Enablement (DLP) BYOD Controls Federated Identity Management Cloud Security Controls Cyber Threat Intelligence Policy Management (eGRC) Education & Communication Security Steering Committee Threat, Vulnerability Assessment Asset Inventory Prioritized by Risk Information Classification Policy Configuration Management 3rd Party Governance Incident Response Behavioral Based Authentication CORE
- 4. #RSAC © 2016 Aetna Inc. Control Compliance is Easily Measured 4 Self Assessment or 3rd Party Assessment NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations JOINT TASK FORCE TRANSFORMATION INITIATIVE This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4
- 5. #RSAC © 2016 Aetna Inc. Privacy Relationship to Information Security 5 Privacy Federal State Local External Threat Internal Threat Vulnerability Assessment Info Sec
- 6. #RSAC © 2016 Aetna Inc. Compliance-Driven Info Sec 6 Event Committee Legislative Awareness Law Rules Enforcement -- Regulatory --
- 7. #RSAC © 2016 Aetna Inc. Frameworks Are Good…and Not Sufficient 7 +/w%K4)*}/Z@9s$v#H~={^0q< Critical Security Controls for Effective Cyber Defense In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption is Good…and Not Sufficient 800-53 Cyber Security Framework
- 8. #RSAC © 2016 Aetna Inc. Dynamic Diversity of Threats 8 1. Customer Service Rep uses a web- based translation service 2. Site vulnerability is exploited and malware loaded into the browser 3. New session opens and sophisticated malware is installed- interrogates the workstation 4. Attempts to capture claim information to use for phishing attacks on aerospace companies 1. Large cache of stolen credentials released publicly via Pastebin 2. Some of the released credentials used for 3rd party sites and enterprise log ins 3. A few of the credentials are from privilege users 1. Spanish company selling hacking tools is hacked releasing source code identifying 4 exploits of Adobe Flash 2. Adobe releases patches 3. Threat actor based in China sends phishing emails to senior executives encouraging them to click to install the Adobe patch The cyber threat landscape is changing too quickly for frameworks to respond to
- 9. #RSAC © 2016 Aetna Inc. The Cyber Threat Landscape Changes Quickly 9
- 10. #RSAC © 2016 Aetna Inc. Macro Economic Analysis Applied to Cyber 10 2013 2015 A bull black market The black market of health care data from a cyber economic perspective
- 11. #RSAC © 2016 Aetna Inc. A Bull Black Market 11 In 2014, PHI sold for $3-$50 per record. In 2015, $5-$700. The most valuable fields within a data set are SSN, name, and DOB. Hackers haven’t realized the real market value of health care data due to information asymmetries. Unlike traditional supply and demand economic model, the price of health care data is dependent on the threat actor’s use of the stolen data, not the volume of the data stolen. Health care data has a long shelf life on the black market. Health care data provides fuller data set than the financial sector (e.g., SSN, medical history, employee information). The supply of data on the black market is misleading due to dueling black markets *U.S. Department of Health and Human Services **2015 data is through October There are two black markets: one for common traders and one for nation states and organized crime syndicates. The two markets rarely interact and have different market dynamics. Amount of data stored across the industry. Interactions with health care providers. Total cybersecurity incidents targeting this industry. Maintaining value Change in price behavior Increasing supply 0 50 100 150 200 250 300 2009 2010 2011 2012 2013 2014 **2015 0 20 40 60 80 100 120 2009 2010 2011 2012 2013 2014 **2015 Millions Total records breached* Total breaches*
- 12. #RSAC © 2016 Aetna Inc. What Have Nation States Learned? 12 You are! “It’s a walk in the park.” • Search capability • Mail account with free storage • Maps and navigation • Docs • And more … Who is their product? … One million gigs of data processed each day Who is their customer? It’s not you!
- 13. #RSAC © 2016 Aetna Inc. The Mobile Device is Our New Appendage 13 There are now more cell phones on the planet than there are people 90% of 19-29 year-olds in the U.S. sleep with their cell phones 65% of survey respondents said mobile phones make them better parents 75% of survey respondents bring their phones to the bathroom Apple Siri captures everything you say to her for 6 months and aggregates it for 18 months Social media apps have the ability to use your phone’s microphone to listen to your dialog You did! What is the most commonly used mobile app? Source: Qualcomm, Slick Text Surveys Who authorized this potential invasion of privacy?
- 14. #RSAC © 2016 Aetna Inc. Terms of Service - ToS 14 The average American encounters 1,462 privacy policies a year with an average length of 2,518 words. The privacy policy for one of the world’s largest online payment systems is 36,275 words … more than Shakespeare’s Hamlet! “You grant … a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to … including, but not limited to, any user generated content, ideas, concepts, techniques and/or data to the services, you submit to … without any further consent, notice and/or compensation to you or your any third parties. Any information you submit to us is at your own risk of loss.” … Source: Carnegie Mellon University study I agree with the Terms of Service.
- 15. #RSAC © 2016 Aetna Inc. Walks in the Park Are No Longer Free … 15 In the U.S., social networks are considered public spaces … this means that you should have no expectations of privacy in the data collected. • 81% of divorce attorneys admit to searching social media for evidence • 70% of HR professionals have rejected a candidate based on information uncovered in an online search • 86.1% of police departments now routinely include social media searches as part of criminal investigations Sources: IACP Center for Social Media survey and Microsoft Your social content from the “Park” Phishing eMailHey John, It was great seeing you last week at the reunion. I’m sure you didn’t recognize me since I lost over 75 pounds from our college days. BTW- you look great and I enjoyed meeting your wife. Here is a picture from the reunion that you’ll get a kick out of! All the best, Jane Credentials to Employer site 1. John Doe, IluvWk2ay 2. John deColleague Sysadmin 1
- 16. #RSAC © 2016 Aetna Inc. The Most Popular Threat Vector is… 16 "One of the most effective ways you can minimize the phishing threat is through awareness and training." —Lance Spitzner, Training Director, SANS Securing The Human 23% of recipients now open phishing messages and 11% click on attachments Phishing was associated with 95% of incidents attributed to state-sponsored threat actors Over 100 million phishing messages arrive in our inboxes every day Nearly 50% open emails and click on phishing links within the first hour The median time-to-first-click came in at one minute and 22 seconds across all campaigns According to the 2015 Verizon Data Breach Investigations Report (VDBIR): What can we do? 1. New email gateway payload inspection and filters 2. Sinkhole all new domains for 48 hours 3. Enforce inbound filtering (DMARC) Improve education/awareness Consider unconventional controls
- 17. #RSAC © 2016 Aetna Inc. Apply Unconventional Controls 17 1. Sinkhole new domains 2. Heuristic filtering on in-bound using DMARC 3. Next Generation Authentication
- 18. #RSAC © 2016 Aetna Inc. Sinkhole Newly Established Domains 18 A sinkhole, also known as a cenote, sink, sink-hole,[1] shakehole,[2] swallet, swallow hole, or doline (the different terms for sinkholes are often used interchangeably[3]), is a depression or hole in the ground caused by some form of collapse of the surface layer Enterprise DNS Sinkhole Threat Actor bad_actor.com Cyber Security Intelligence Data Feeds New domains (48 hrs) eMail Gateway 1 FROM: igor@bad_actor.com 2 DNS Request SPF TXT Record 3 Custom SPF Response 4 SPF Header Added to email 5 BLOCK Rule Check for “192.0.2.1” 6 Redirect email to CSI 7
- 19. #RSAC © 2016 Aetna Inc. Protect In-Bound Email with Domain Protection 19 Using email traffic data, the system learns the unique fingerprint of all email senders into your enterprise This durable identity trust model is used to stop all messages that do not prove they should be trusted 29,231 servers sent email for an enterprise on a single day 312 servers for the enterprise 4,641 servers owned by service providers 9,732 benign email forwarders 14,526 malicious senders
- 20. #RSAC © 2016 Aetna Inc. Design an Authentication Hub 20 One framework Multiple authentication tools Change controls without changing applications Across mobile and web Policy-driven authentication model
- 21. #RSAC © 2016 Aetna Inc. Next Generation Authentication 21 Binary authentication is obsolete Behavioral- based model is key Innovation applied to the interface Authentication Hub LOA Advanced Analytics Risk Score API Dynamic LOA API Backend Analytics & Risk Engine Prevent @ Inception RT Push+TouchID iWatch & Sign Out Wearables + T/Haptic Spatiotemporal + Real-Time (RT) Authorization SWIPE + Contextual SWIPE + TAP Advanced Contextual Cognitive & Device Biometrics FIDO UAF 1.0 FIDO 2.0 When Available Decentralized Authentication
- 22. #RSAC © 2016 Aetna Inc. Automated vs. Normal Behavior 22 https://member.aetna.com/appConfig/login/login.fccShifterCustomers Attackers Legitimate traffic encounters no barriers Automated traffic can no longer send valid requests • Scripts • Content Scraping • Botnets • dDOS
- 23. #RSAC © 2016 Aetna Inc. Recommendations 23 Adopt and implement practices aligned with regulatory framework of choice Measure the effectiveness of the controls aligned with the framework Identify the enterprise’s top threats/risks Apply control design skills to top threats/risks and consider innovation opportunities
- 24. #RSAC © 2016 Aetna Inc. Which Statement Gives You More Assurance? 24 Aetna conforms to the NIST Cyber Security Framework and 800-53 Adjusting Controls Aetna makes 30 changes to controls each month 1. 2. OR … it’s the New Normal!
- 25. #RSAC routhj@aetna.com 860 273-7488 Chairman National Health Information Sharing & Analysis Center Board member FS-ISAC ISE Award winner 2014 Healthcare