If you think that data breaches only happen to the big guys, think again. Risk is everywhere, accountability is uncertain, and liability is not well defined. Worse yet, every breach can be attributed to one single commonality (and it’s not what you might think). Learn the keys to protecting your organization’s financial, payroll, ERP and other sensitive data with these best practices.
ERP in the Time of Breaches - Best Practices for Data Security
1. ERP in the Time of Breaches: Protect Yourself with the Right Governance, Risk and Compliance
2. Agenda
• The Role of Information Security
• IT Security Conundrums
• Best Practices for Security
• How Providers Can Alleviate Concerns
• Q&A
3. Today’s Presenter: Greg Pierce
• Chief Cloud Officer, Concerto Cloud Services
• Pioneer in enterprise cloud computing
• Veteran business leader and entrepreneur with over 20 years of experience
• Helps businesses transform through the use of disruptive technologies
5. Goal of Information Security
Administrative, technical and physical controls work together to ensure the confidentiality, integrity and availability (CIA) of critical systems and confidential information.
6. Information security is a goal: we must continually strive for it with no guarantee of achievement.
IT Security Conundrum One
13. Security Has Everyone’s Attention
Timeline of retail and banking breaches disclosed in 2013–2014 (the slide shows a month-by-month chart running from April 2013 to September 2014):
• Target: 70MM records stolen, including 40MM credit and debit cards (Nov 27 – Dec 15, 2013)
• Home Depot: 56MM credit and debit cards (Apr – Sept 2014)
• JPMorgan Chase: 76MM of an estimated 83MM accounts (July – Sept 2014)
• Chick-fil-A: about 9,000 credit and debit cards (Dec 2013 – Sept 2014)
14. The Target Breach – How did they do it?
• Compromised HVAC contractor, likely via a phishing email
– Used a free version of anti-malware that lacked real-time protection
– Malware stole the contractor’s credentials to Target’s supplier portal
• Supplier portal
– Not properly segmented on the network from other critical systems
– Lacked two-factor authentication
– Supplier/vendor information was public, so attackers used it to pick a social engineering target (the HVAC contractor)
– Supplier/vendor ecosystem lacked security awareness training (best practices, etc.)
• Took advantage of a monitoring system’s default username and password
– Installed RAM-scraping malware on POS systems
– Disguised communications as legitimate monitoring traffic
– Exfiltrated the data to an FTP server in Russia over the course of two days
15. Target Breach – By the numbers
• 70 million – records stolen
• 40 million – credit/debit cards stolen
• $100 million – what Target will spend upgrading payment terminals
• 46% – drop in Target’s profits in the fourth quarter of 2013, compared with the year before
• $53.7 million – income the hackers likely generated from the sale of 2 million stolen Target cards at the mid-range price of $26.85
• ZERO – Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target
16. The Target Breach – Why they got away
“Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security.”
– Gregg Steinhafel, CEO
17. The Target Breach – Why they got away
• Failure or lack of established process and procedure
– Security systems rapidly detected the security event, but there was no response by IT
• Weakness in the architecture of the supplier portal
– Insufficient oversight during the planning and implementation phase allowed logical connectivity to sensitive systems and data. Was there an architectural review board?
– Were systems assessed frequently enough to understand their impact on information security?
• Lack of security awareness training
18. Users are the Common Link
• Trojans – software downloads (Kazaa)
• Viruses – emails
• Zombies or botnets
• Phishing (identity theft)
• Spyware
“Application users are most often the determining factor in whether or not a security breach occurs”
– source: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html
19. What can we learn?
A breach can happen to any company of any size in any industry; learning from others is critical.
21. Best Practice One: Holistic Planning
• Security is a holistic program
– A process, not a project
• Never 100%
– Risk management
• Improve security posture
– Changing security landscape: threats (motives) and countermeasures
22. Best Practice Two: Building Awareness
• Security awareness is the knowledge, skill and attitude an individual possesses regarding the protection of information assets.
• Being security aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse your account, computer or the data stored on your computer.
• Awareness of the risks and available safeguards is the first line of defense for the security of information, systems and networks.
“Application users are most often the determining factor in whether or not a security breach occurs”
– source: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html
23. Security Awareness Includes
• Information about how to protect, detect and react
• Knowledge, skill and attitude: the what, the how and the why
• Culture change
24. Best Practice Three: Encryption
Data in use, data in motion and data at rest: ensure encryption for ALL classes of data. Each class needs its own control: TLS or an equivalent for data in motion, volume, database or field-level encryption for data at rest, and, for data in use, keeping sensitive values out of application memory wherever possible. The Target malware read card numbers from POS memory, which neither at-rest nor in-transit encryption protects.
25. Best Practice Four: Layered Structure
A high-level summary of security layers includes:
• Centralized and automated anti-malware and OS patching
• Identity management
• True network segmentation and isolation from ingress to egress at layers 2 and 3
• Data-in-motion encryption by default
• Multiple firewall segments operating at layers 1–7 of the OSI stack
• State-of-the-art IDPS solution monitored and managed 24x7 by a dedicated security operations center (SOC)
• Reverse proxy services
• “Other” confidential and proprietary security mechanisms and practices
• Intelligent, multi-point syslog solution
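Slides 14 and 17 describe the two technical failures behind the Target breach (a supplier portal with logical connectivity to POS systems, and alerts that fired but drew no response), and slide 25 lists segmentation, IDPS and centralized syslog as the corresponding layers. As an added example that is not from the original deck, the Python below runs a segmentation policy and an egress-volume check over a handful of constructed firewall flow records. The zone ranges, the allowed cross-zone flows, the assumed monitoring-agent port, the TEST-NET-3 external address and the 50 MiB threshold are all assumptions for illustration. It flags a vendor-portal host reaching a POS host on SMB, any POS host reaching the internet at all, and a POS host sending more than the threshold to one external destination, which is the FTP pattern slide 14 describes.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Zone layout is an assumption for this example, not any real network.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "pos": ipaddress.ip_network("10.20.0.0/16"),
    "monitoring": ipaddress.ip_network("10.30.0.0/24"),
    "corp": ipaddress.ip_network("10.40.0.0/16"),
}

# Permitted cross-zone flows as (src zone, dst zone, dst port); everything else
# between zones is a segmentation violation. The POS zone has no internet
# egress at all, so any POS -> internet flow is reported regardless of port.
ALLOWED = {
    ("internet", "vendor_portal", 443),  # the portal is internet-facing
    ("corp", "vendor_portal", 443),
    ("pos", "monitoring", 5000),         # assumed monitoring-agent port
    ("corp", "monitoring", 443),
}

EXFIL_BYTES = 50 * 1024 * 1024  # per (POS host, external destination) pair

# Constructed flow export lines in a firewall/NetFlow style; 203.0.113.0/24 is
# the TEST-NET-3 documentation range standing in for an external server.
SAMPLE_LOG = """\
2013-12-02T03:14:07Z fw01 flow src=10.20.5.17 dst=10.30.0.9 dport=5000 bytes=1200
2013-12-02T03:14:09Z fw01 flow src=10.10.0.5 dst=10.20.5.17 dport=445 bytes=8800
2013-12-02T03:15:01Z fw01 flow src=10.20.5.17 dst=203.0.113.44 dport=21 bytes=31457280
2013-12-02T03:40:22Z fw01 flow src=10.20.5.17 dst=203.0.113.44 dport=21 bytes=41943040
2013-12-02T03:41:00Z fw01 flow src=10.40.8.2 dst=10.10.0.5 dport=443 bytes=5600
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

Alert = Tuple[str, str, str, int]  # (kind, src, dst, port or total bytes)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> List[Flow]:
    """Extract flow records; lines that do not match the export format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append(Flow(m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return flows


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def analyse(flows: List[Flow]) -> List[Alert]:
    alerts: List[Alert] = []
    egress_bytes: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is out of scope for this check
        if dst_zone == "internet":
            if src_zone == "pos":
                alerts.append(("POS_EGRESS", f.src, f.dst, f.dport))
                egress_bytes[(f.src, f.dst)] += f.bytes_out
            continue
        if (src_zone, dst_zone, f.dport) not in ALLOWED:
            alerts.append(("SEGMENTATION", f.src, f.dst, f.dport))
    # Volume check runs after the pass so separate sessions to one host are summed.
    for (src, dst), total in egress_bytes.items():
        if total > EXFIL_BYTES:
            alerts.append(("EXFIL_VOLUME", src, dst, total))
    return alerts


if __name__ == "__main__":
    for alert in analyse(parse_flows(SAMPLE_LOG)):
        print(*alert)
```

Two caveats follow from the slides themselves. A port allow-list cannot by itself catch traffic disguised as legitimate monitoring traffic, which needs a per-zone baseline of expected destinations and volumes rather than ports alone. And the alert still has to reach someone who acts on it; slide 17’s point is that Target’s detection fired and nobody responded, so the output of a check like this belongs in a ticket with an owner, not only in a syslog archive.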
30. The Market Has Gone to the Clouds
• 45% of companies plan to move ERP to the cloud in the next 5 years
• Other studies state that the market is moving even faster than predicted here
31. The Cloud Changes Everything… Except Security
Is your hosting/cloud solution subject to internal IT audit with your IT security team? Ensure that it is.
32. Not All Clouds Are Equal
• ISC2 and CSA have partnered to offer a new cloud security certification
– SecurityWeek: “ISC and CSA Partner for Certification Offering”
• Poorly configured Amazon S3 storage puts sensitive data at risk
– SecurityWeek: “Amazon Puts S3 Data At Risk”
• Web application attacks challenge cloud and on-premise infrastructures
– SecurityWeek: “Web Application Attacks Increase”
• Trust in the cloud?
– SecurityWeek: “Lieberman: IT Doesn’t Trust the Cloud”
34. How Cloud Providers Can Address Concerns
• Transparency and control over the datacenter, data locality and security auditability
• Verifiable end-to-end encryption for data in transit
• Industry and government regulation compliance
• Proven tools and controls with restricted access
• Customer control over security and encryption
• Dedicated resources and data isolation
• Proven references
• Industry standards for data privacy and security
• Explicit contractual responsibilities for service levels and security
• Provider certification standards
• Region- and country-specific datacenter locations
35. Things to Remember
Ensure the security and privacy of your cloud application with:
• The right cloud for the right application
• Compliance
• IDS/IPS
• Protection for data at rest
36. The Cloud That’s Up to Your Challenge
• Simplicity for complex applications. Concerto was designed to meet the toughest regulatory challenges and the most complex demands, and has earned an industry-leading customer retention rate as a result.
• Comprehensive channel enablement services. Innovative private and hybrid cloud and business transformation services help channel partners go to market quickly.
• Recognized cloud provider for Microsoft applications. Concerto Cloud is the go-to cloud provider for Microsoft applications and is recognized as Microsoft’s ISV of the Year for Cloud Services.
Speaker note (slide 5): controls can be administrative, technical or physical.
Speaker notes (slide 13):
• Home Depot: 56MM credit and debit cards, April – September 2014.
• Target: 70MM records stolen, of which 40MM were credit and debit cards, Nov 27 – Dec 15, 2013.
• JPMorgan Chase: 76MM of an estimated 83MM accounts, July – September 2014 (the bank knew about it in July but disclosed it in September).
• Chick-fil-A: about 9,000 credit/debit cards, Dec 2013 – Sept 2014.
This is a good opportunity to pause and drive home a point. Ask the audience to be honest and, by a show of hands, how many of them see these numbers and think this would never happen to their firm because they are not Target. Then ask how many of them think the HVAC firm felt the same way.
Speaker note (slide 18): most incidents are unintentional and can be avoided.