Wednesday, October 12, 11 - Na.eventscloud

Transcription


Protecting the Information Infrastructure: Why CIOs and CSOs are Becoming Mission-Critical Business Partners
SNW Fall 2011
Jay McLaughlin, CISSP
Chief Security Officer, Q2ebanking

DISCLAIMER
The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).

AGENDA
- Information... the lifeblood of an organization
- Events involving loss of data are rising - who is to blame?
- Mitigating our vulnerabilities
- A shift to Information-Centric Security
- Developing critical partnerships across the organization

Information is the lifeblood of organizations, and considered a critical factor in a company's effective pursuit of its business goals and success.

Information is not only valuable to an organization but also to...

WHAT ARE WE TRYING TO PROTECT?
Regulated information is the type of data most often thought of when the subject of information protection is raised.
- Includes personally identifiable information (PII) of individuals, such as social security numbers, bank and credit card numbers and medical records.
- A great deal of public outrage, lawsuits, fines and loss of brand trust can accompany the compromising of this information.
Confidential information may involve marketing plans, financial projections, sales reports and M&A discussions.
- Breaches of this information can range from public embarrassment to catastrophe.
Intellectual property (IP) is arguably the most critical type of information.
- According to the FBI, 600 billion worth of intellectual property is stolen every year in the U.S.
- Companies tend to focus on regulated data while doing comparatively little to secure the IP that is critical to their business.

Setting the Stage - Recent Attacks
- Defense Contractors: Lockheed Martin, Northrop Grumman, L-3
- Commercial Organizations: SONY, GOOGLE
- Security Firms: RSA, Barracuda Networks, HB Gary Federal, Comodo / DigiNotar
- Government: United States DoD, Texas Comptroller's Office

It gets worse.
Source: Scientific American, "Data Theft: Hackers Attack", Oct 2011

Change in Tactics
- Highlighted that in 2010, the largest number of data breach incidents occurred, yet the volume of records dropped significantly
- Criminals are engaging in small, opportunistic attacks rather than large scale, difficult attacks, using relatively low sophistication attacks to penetrate organizations.

Will your organization be on this list?
- University of Texas: 688 students' and prospective students' personal information accessed by employees after configuration error made data available on intranet
- Blackpool Coastal Housing: 80 tenants' names, addresses, national insurance numbers, telephone numbers and confidential care plans transferred to employee's home computer where they were accessible to others
- Guilford County Tax Dept: 1,000 taxpayers' SSNs, names and addresses, and images of checks paid were accessible on internet
- Bright House Networks: Customer names, addresses, phone numbers and account numbers exposed in unauthorized access
- California State Assembly: 50 employees' personal information may have been acquired by hacker
- Montgomery County Dept of Job and Family Svcs: Names and Social Security numbers of 1,200 individuals seeking agency assistance were on lost thumb drive

Organizations are sloppy

Overly Confident?
Ninth Annual Global Information Security Survey: of the 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it.

Source: Information Security Magazine, October 2010

CIOs: Call to Action
- Delivery of effective technology solutions to external customers and internal constituents
- Maximizing the value of technology investments to improve business performance
- Reducing related operational costs across business units
- Increasing agility of the organization, enabling it to adapt to changing needs

Roles of the CSO: ENABLE, AUDIT, ENFORCE, EDUCATE

Influencing Behavior
- Education is critical
- Security awareness is a start... but not good enough
- "Behavioral change" is required


Overly Confident? To a fault.
"...we haven't been attacked before"
"...why would someone target our company?"
"...we undergo routine internal/external audits"
Why are we remiss on security?
- CIOs and C-Level executives often don't hear about security until an incident occurs
- CIOs are value-focused managers
Why is security NOT viewed AS value-adding?

Source: Scientific American, "Data Theft: Hackers Attack", Oct 2011

...in fact, we are spending more on security solutions to protect our information systems

...but we're not making investments in our processes
[Diagram: Management, Operational, Physical, Security]

COMPLIANCE

Compliance ≠ Security
- This isn't about checking the box
- Compliance Defined: conformity in fulfilling official requirements... a standard
- It is the standard that is the problem, not the compliance with the standard.

CSOs tend to fixate on building an "EXCELLENT" information security program

Where does the CSO fit in?

The Business Problem Topology
- Security is new to the executive table
- Security discussions in today's enterprise tend to be focused on the qualitative aspects instead of the quantitative
- CSOs speak a language that is NOT understood by other executives
- CSOs struggle with creating awareness and changing behaviors

But, Security is often viewed as a BOTTLENECK

The "R" Word
- Developing those critical RELATIONSHIPS within the organization
- WALK A MILE
- Breaking down the walls... we're all fighting the same battle


Current Environment
- Regulations and compliance requirements are demanding more time and attention
- Regulators and auditors, including PCI-DSS, GLBA, SOX/404, HIPAA, etc., are demanding more executive time and attention
- Greater interest from CIOs and other business stakeholders regarding information security
- Routine communication around information security, compliance, investment and risk is critical... but challenging.

LEADERSHIP PHILOSOPHIES
Management
RISK MITIGATION translates to VALUE

Effective Risk Managers?
- Generally, human beings struggle at managing risk
- We often overestimate risks that are highly visible or catastrophic and underestimate the risks that are slower to develop or not easily seen
- CIOs tend to overestimate risks that they have less control over, and underestimate the risks that they have more control over (ex: flying an airplane vs driving a car)

Assessing Risk
- Engagement of business
- Top-Down Approach, ranking information assets
- Business Impact Analysis
- Quantitative vs. Qualitative

Understanding Risk
Risk Management involves identifying threats and applying mitigating controls to effectively reduce the risk of those threats:
RISK = (THREAT x VULNERABILITY) / COUNTERMEASURES
Multiply by VALUE for quantitative
Controls can mitigate risk... but can rarely fully eliminate risk

Calculating Loss Expectancy
The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).
Mathematically expressed: ALE = ARO * SLE
Calculating SLE: SLE = AV * EF
Suppose that an asset is valued at 100,000, and the exposure factor (EF) for this asset is 25%. The SLE then is (25% * 100,000), or 25,000. For an annual rate of occurrence of 1, the annualized loss expectancy is (1 * 25,000).
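The two slides above (the RISK / COUNTERMEASURES relationship and the ALE worked example) are easier to apply across a whole asset inventory than one asset at a time. The following is an added example, not code from the presentation or from Q2ebanking: it encodes the deck's own formulas SLE = AV * EF and ALE = ARO * SLE, reproduces the slide's 100,000 / 25% / ARO 1 case, and goes one step beyond the slide by ranking a constructed set of information assets by ALE (the "top-down approach, ranking information assets" from the Assessing Risk slide) and by comparing a countermeasure's annual cost against the ALE it removes. The asset names, values, exposure factors, rates and the countermeasure figures are all constructed for illustration.

```python
"""Quantitative risk worked example: SLE, ALE, asset ranking and countermeasure value.

Added illustration (not from the presentation). Formulas used:
    SLE = AV * EF        (single loss expectancy)
    ALE = ARO * SLE      (annualized loss expectancy)
The countermeasure comparison at the end is an extension of the slide's
formulas (assumption): a control pays for itself when the ALE it removes
exceeds its annual cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    annual_rate: float      # ARO: expected number of incidents per year


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF. Rejects an EF outside 0..1, which is always an input error."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(annual_rate, sle):
    """ALE = ARO * SLE."""
    if annual_rate < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return annual_rate * sle


def asset_ale(asset):
    """ALE for one asset, composed from the two formulas above."""
    sle = single_loss_expectancy(asset.asset_value, asset.exposure_factor)
    return annualized_loss_expectancy(asset.annual_rate, sle)


def rank_assets(assets):
    """Top-down ranking: the assets carrying the most annualized loss come first."""
    return sorted(assets, key=asset_ale, reverse=True)


def countermeasure_net_benefit(asset, annual_cost, new_ef=None, new_aro=None):
    """Residual ALE after a control, and its annual net benefit (extension, not from the deck).

    A control typically lowers EF (less is lost per incident), ARO (fewer
    incidents), or both; pass only the parameters it changes.
    Returns (residual_ale, net_benefit) where
        net_benefit = ALE_before - ALE_after - annual_cost.
    """
    ef = asset.exposure_factor if new_ef is None else new_ef
    aro = asset.annual_rate if new_aro is None else new_aro
    before = asset_ale(asset)
    after = annualized_loss_expectancy(aro, single_loss_expectancy(asset.asset_value, ef))
    return after, before - after - annual_cost


# Constructed sample inventory. The first entry uses the slide's own numbers
# (AV 100,000, EF 25%, ARO 1); the other two are made up for the ranking.
SAMPLE_ASSETS = [
    Asset("customer PII database", 100_000, 0.25, 1.0),
    Asset("product source code (IP)", 2_000_000, 0.10, 0.2),
    Asset("marketing plans", 50_000, 0.50, 0.5),
]


if __name__ == "__main__":
    for a in rank_assets(SAMPLE_ASSETS):
        print(f"{a.name:28s} SLE={single_loss_expectancy(a.asset_value, a.exposure_factor):>12,.0f} "
              f"ALE={asset_ale(a):>10,.0f}")
    # Hypothetical control: encryption at rest on the PII database drops EF from 25% to 5%
    # at an assumed annual cost of 8,000.
    residual, benefit = countermeasure_net_benefit(SAMPLE_ASSETS[0], annual_cost=8_000, new_ef=0.05)
    print(f"residual ALE={residual:,.0f}, annual net benefit={benefit:,.0f}")
```

Note that the ranking puts the IP asset first even though a single IP incident is expected only once in five years: its SLE is large enough that its ALE exceeds the PII database's, which matches the slide's point that companies under-protect the IP that is critical to their business while focusing on regulated data.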

Applying Countermeasures
Our Approach is CRITICAL
[Diagram: COUNTERMEASURES vs. THREATS]
- Focus efforts on mitigating the ACTUAL vulnerabilities that are specific to the organization
- Avoid industry marketing FUD

Defense By Layer
- Acknowledges that reliance on any single control or mitigating factor is not sufficient
- This approach is commonly recommended
Scenario: Protecting Hosted Customer Data from an external attacker
- Database tables are encrypted
- Role-based access levels are applied
- Data Storage Encryption

Paradigm Shift: Information-Centric Security
Emphasizes security of the INFORMATION itself... rather than the security of networks, systems, and applications.
4 Principles:
1. Information (data) must be self describing and defending.
2. Policies and controls must account for business context.
3. Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business context.
4. Policies must work consistently through the different defensive layers and technologies we implement.
Source: Rich Mogull, CEO/Principal Analyst, Securosis

Developing A Strategy
- Creating an information protection strategy
  - understanding the business and its specific needs for information protection.
  - defining a set of objectives to deliver quick wins and address long term goals.
- Locating and classifying the information that means the most
  - An impact analysis should be performed to identify the information with the greatest impact to strategic, tactical and operational objectives.
- Weaving information protection into the fabric of the organization
- Developing the necessary capabilities to protect their information assets
  - Organizations need to determine the technologies and processes that best support their information protection objectives
Source: Dr. Alastair MacWillson, Security Week, Aug 2011

Summary
- Educate by establishing a foundation for communication (e.g. metrics, scorecards)
- Embrace an information-centric approach
- Security is NOT perfect, and it requires ACCOUNTABILITY
- START with the BASICS
- Play offense (ACT vs. REACT)
- Leverage leading edge technology that enables agility within the organization

Be Prepared
"The future ain't what it used to be." - Yogi Berra, New York Yankees

QUESTIONS?

THANK YOU
