Common sense in security
Common Sense in Security first presented at PCI London in 2011.

Published in: Technology
Transcript

  • 1. Common Sense in Security: Protecting Clients’ Assets and Brand Reputation. PCI London 2011
  • 2. Introductions
      ◦ Peter Bassill: Founder of Hedgehog Security; six years as CISO of Gala Coral Group; 15 years of information security experience; ISACA Security Board Member; creator of the free PCI-DSS application for Splunk
      ◦ ISACA (Information Systems Audit and Control Association): an independent, non-profit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems
  • 3. Today’s Big Challenges
      ◦ Dynamic Threat Environment: internal and external threat environment not improving; attacks becoming more targeted; attacks becoming more sophisticated, targeting applications as well as networks; organised criminal gangs taking over from teenage hackers and “script kiddies”; networks becoming more porous to meet the changing needs of the business; 24x7 monitoring and protection becoming mandatory to protect company information assets
      ◦ Regulatory Pressures: PCI-DSS, PA-DSS, Basel II, Sarbanes-Oxley, Data Protection, HIPAA, SEC and many, many others; shareholder value; brand and reputation
      ◦ Cost Efficiencies: security management as an operational cost, subject to the same rigour as the rest of IT; a risk-based approach is essential to justify security investment; efficiency and cost effectiveness to ensure a positive impact on P&L; integration of security management across the enterprise to reduce costs and optimise effectiveness; scarcity and cost of IT security talent
  • 4. Dynamic Threat Environment & PCI (section divider)
  • 5. Does eCrime cause a breach? eCrime? Really?
      ◦ Originally, hackers and ‘script kiddies’ seeking headlines and notoriety would attack you
      ◦ Evidence of organised crime
      ◦ Botnets for hire
      ◦ Direct action groups
      ◦ Disgruntled employees
      ◦ Employee accidents
  • 6. Employee Accidents [two pie charts: “Data Breaches” and “Identities Exposed”, broken down by cause: Theft/Loss, Insecure Policy, Hacking, Insider, Unknown, Fraud; the individual percentages are not recoverable from the transcript. Source: Symantec]
  • 7. Elastic Technology & Borders: PCI Scope (section divider)
  • 8. View of the Attacked Perimeter [two charts: “Attacks by Volume”, FY10 versus FY11 by period; and “Attacks by Category”: Desktop Operating System, Server Operating System, End of Life Storage Appliance Operating System, Network Appliance, Office Application, Other Application, Other. Values are not recoverable from the transcript]
  • 9. User Centric Attacks (section divider)
  • 10. What will be next? Exposing your data. Exposing your security.
  • 11. Regulatory Pressures? (section divider)
  • 12. Common Sense & Standards: Standards are like opinions, everyone has one!
      ◦ Why use PCI as a corporate baseline: PCI-DSS is a really great security baseline; apply the standard to everything, substituting ‘Card’ for ‘PII’; tailor it to your business; brand it; make it catchy, since your marketing department loves your budget
      ◦ Have a legal lunch: in-house lawyers are people too; if you have legal on your side, your force is strong; bake it into every contract you enter into
  • 13. Common Sense & Standards: You have your standard, now audit against it
      ◦ Audit against “Our Safe Standard”
      ◦ Audit internally: where do you think you are? (a stick in the sand)
      ◦ Make a plan: how do we get better?
      ◦ Create your own auditor workbooks
      ◦ Incorporate all your regulatory audits into your audit
      ◦ Engage externally: where do they think you are?
      ◦ Publish your findings; people can’t fix what they don’t know is broken
      ◦ Use your results as a new baseline
      ◦ Wait six months and start over
  • 14. Common Sense & Standards: Don’t be your own worst enemy
      ◦ When your audit shows cracks: prioritise remediation
      ◦ Remember, every risk also has a benefit
      ◦ Don’t beat people up over it
      ◦ Find the positive in the audit outcome and focus on it: “We do {x} really well”
  • 15. Common Sense & Standards: Regulatory Control Audits?
      ◦ Plan your annual audits with your auditors
      ◦ Clearly define what you expect from them
      ◦ Get clauses into the contract and statement of works
      ◦ Run your own: it’s always nice to know you will pass
      ◦ Always feed your results back into your own audit standards
      ◦ Compare your findings with the external auditors’ and ask yourself why they are different!
  • 16. Common Sense & Standards: Penetration Testing
      ◦ Plan your annual tests with your chosen testing firm
      ◦ Clearly define what you expect from them, but give them enough leeway to be attackers
      ◦ Test thoroughly
      ◦ Don’t let them onsite until they have achieved that themselves
      ◦ Each test cycle should be based on the previous results
      ◦ Don’t let them just run tools; you can do that yourself
      ◦ Request a short-form report with only the pertinent details
  • 17. Cost Efficiencies (section divider)
  • 18. Cost Efficiencies: Spend
      ◦ Do it tactically: Do I really need that support? Can I consolidate? Will this really reduce our workload?
      ◦ Example: Rapid7’s Nexpose combined with Metasploit saved our team 9 man-days of effort each month
      ◦ If you don’t know what is out there, ask
      ◦ Re-negotiate every renewal
      ◦ Security is a business unit; watch your P&L
  • 19. Security Awareness
      ◦ Highest return on investment for IS
      ◦ Artificially increases the security team head count
      ◦ Incidents are identified earlier, leading to less potential loss
      ◦ Incidents are resolved significantly quicker
      ◦ And yes, users are able to write passwords down and be safe
      ◦ Be warned though: more awareness training returns more incidents
  • 20. Security Awareness: Planning a campaign
      ◦ Engage with your marketeers
      ◦ Make it fun
      ◦ Use as many communication paths as you can: posters, email, podcasts, workshops, lunch and learns, roadshows
      ◦ Be warned though: it’s a little addictive
  • 21. 5 Top Tips (section divider)
  • 22. 5 Top Tips
      ◦ Understand your execs; it isn’t social engineering
      ◦ If you’re scared of your auditor, FIRE THEM! Find an auditor you can embrace and that wants to help you
      ◦ Stop selling FUD to the business owners
      ◦ Speak to your acquirer’s PCI team, REGULARLY
      ◦ Do the PCI ISA training course
  • 23. Thank you. peter.bassill@hedgehogsecurity.co.uk, Peter Bassill, ISACA Security Board Member
  • 24. Links: Penetration Testing; Vulnerability Management; Compliance Management
