Compliance Awareness

Organizations face numerous compliance requirements, and information security practices provide an easy and effective means to meet them.

Published in: Business

Speaker notes (slides dated 10/06/10)
  • The movie “Shooter” gives a classic example. A US Marine sharpshooter is brought back from retirement to help prevent the assassination of the US President. The President is visiting three cities, and they want the sharpshooter to identify the venue where the killer may make the attempt. The hero checks out the three cities, the President’s program, the venues and the surroundings, and comes up with his recommendation. It turns out that the people who called him back wanted to kill the President, and the movie is about how they use his intelligence and then frame him. Of course, eventually he thinks like them and kills them all.
  • Compliance Awareness

    1. Awareness Program on Compliance in the Era of Technology
       Dinesh Bareja
       <version 1.0> Public Document
    2. Agenda
       • Compliance Today
       • Business Risks
       • Evolving Security and Compliance landscape
       • Technology and IT value for business
       • Incidents and security-related industry information
       • Snapshot of global compliance requirements over time
       • Extracting Compliance ROI
       • Suggested Safeguards (unified framework)
       • Common regulatory requirements (standards, etc.)
       • The technology solution
       • Compliance spotlight: PCI DSS
       • Leverage the technology solution
       • VA/PT
       • Continuous VA and Monitoring
       • List of Tools
       • Why VA/PT
       • Web App Security, Secure Coding
    3. Compliance Today
       • Technology is constantly evolving, providing new tools and methods to tackle the increasing information and compliance overload
       • Organizations have numerous compliance requirements, which keep growing by the day / hour / minute!
         ◦ Regulatory
         ◦ Standards / best-practice frameworks
         ◦ Industrial, contractual, etc.
       “Much of the increase in cost is due to duplication of regulation and ambiguous or inconsistent rules.” (Securities Industry Association, 2006)
    4. Compliance Today
       • Meeting compliance requirements consumes too many resources
       • Compliance initiatives are treated as “projects” (e.g. the SOX project, the PCI project), but they are continuous processes; run as one-off projects, their benefits are not realized
       • Technology solutions leverage compliance efforts to enable governance and risk management, leading to business gains (productivity, cost savings)
       Compliance must be part of your organization’s DNA. Regulatory compliance is not just a legal requirement but a critical business function.
    5. Business Risks
       • Operational risk
         ◦ Physical damage / theft
         ◦ Services not available
       • Market risk
         ◦ Lost customers
         ◦ Global partners
       • Legal risk
         ◦ SLAs
         ◦ Lawsuits
       • Regulatory risk
         ◦ Compliance
       • Financial risk
         ◦ Claims and losses
         ◦ Quantification of information assets / impact
       What is at risk
       • Information on your network
       • Databases
       • Intellectual property
       • Financial information
       • Personally identifiable information
       • Reputation and market value
    6. (image-only slide, no text)
    7. Technology and Information Made People Smarter
       • Google
       • Luhn’s algorithm (validates the checksum of a card number, so it tells a well-formed number from a mistyped one, but says nothing about whether the card exists or is active)
       • VB-based basic key loggers
       • Web-based IP tools, DNS and network tools, traceroute, etc.
       • Network tools
         ◦ Nmap
         ◦ Nessus, etc. All available online
       • Password cracking tools
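Slide 7 lists Luhn’s algorithm as one of the freely available techniques. The block below is an added example, not code from the deck or from any tool it names: it implements the Luhn check and check-digit computation, and then applies it the way a PCI DSS scoping exercise does, to find candidate card numbers (PANs) in stored text by keeping only Luhn-valid runs of 13 to 19 digits. The sample export text is constructed; 4111111111111111 and 79927398713 are widely published test values, not real accounts.

```python
import re


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` satisfy the Luhn checksum.

    Non-digit characters (spaces, hyphens) are ignored. A passing number is
    well-formed; it is not evidence that the card was issued or is active.
    """
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit: every second digit is doubled and, if
    # the result exceeds 9, reduced by 9 (the same as summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the check digit that makes `partial` + digit Luhn-valid."""
    digits = [int(ch) for ch in partial if ch.isdigit()]
    total = 0
    # Positions are counted as if the check digit were already appended,
    # so the rightmost digit of `partial` is the first one doubled.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_candidate_pans(text: str) -> list:
    """Return digit strings in `text` that look like PANs and pass Luhn."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample: one published test PAN, one 16-digit value that fails
# Luhn, and an 11-digit Luhn-valid value that is too short to be a PAN.
SAMPLE_EXPORT = (
    "order 1187; card 4111 1111 1111 1111; "
    "tracking 1234567890123456; invoice 79927398713\n"
)

if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))        # True
    print(luhn_valid("4111111111111112"))        # False: single-digit error
    print(luhn_check_digit("411111111111111"))   # 1
    print(find_candidate_pans(SAMPLE_EXPORT))    # ['4111111111111111']
```

Two caveats a practitioner should keep in mind: Luhn catches every single-digit error and every adjacent transposition except 09/90, so it is a good filter against mistyped numbers but not proof of a live card; and because roughly one in ten random digit strings passes, a PAN-discovery scan over real data still needs issuer-prefix and context checks to keep false positives down.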
    8. (image-only slide, no text)
    9. Incidents (2000-2007)
       • According to the Attrition Data Loss Archive and Database and FlowingData, the 10 largest data breaches since 2000 are listed at http://flowingdata.com/2008/03/14/10-largest-data-breaches-since-2000-millions-affected/
       • Is there a trend? Yes, the numbers are growing!
    10. Are we safe in 2008?
       • UK government departments reported the loss of 29 million records in the last year (August 2008)
       • Countrywide Financial Corp.: possibly all 2 million records were sold (August 2008)
       • If sensitive data only includes SSNs and financial account data, and not date of birth and email IDs, should we count Facebook’s 80 million records as a data breach? (July 2008)
       • Bank of New York Mellon, PA: as many as 4.5 million customer records are thought to be compromised (March 2008)
       • Compass Bank: 1 million (March 2008)
       • Hannaford Bros. supermarket chain: 4.2 million (March 2008)
       • Trend: the numbers are still growing!
    11. Some Facts
       • Who is behind these breaches:
         ◦ External sources, including past employees
         ◦ Insiders
         ◦ Business partners
         ◦ Multiple parties
       • How these breaches are caused:
         ◦ Business process errors, or no policy / procedural controls
         ◦ Hacking and intrusions, including malicious code
         ◦ System / application vulnerabilities, including ones for which patches already exist
         ◦ Physical threats
       • Mostly...
         ◦ Victims do not know that a breach has occurred, or are not aware of the criticality of the data / information involved
         ◦ Breaches are opportunistic in nature
         ◦ More than 90% of breaches are avoidable
    12. Some Insights: drivers for security spend
       “By 2008, more than 75% of large and midsize companies will purchase new compliance management, monitoring, and automation solutions. By 2009, compliance will grow to 14.2% of IT budget from 12% in 2006.” Source: Gartner 2007
    13. (image-only slide, no text)
    14. Common Regulatory Requirements / Standards / Frameworks / Guidelines
       • Clause 49 (SEBI guideline, Government of India)
       • CTCL
       • ISO/IEC 27001:2005
         ◦ 133 controls in Annex A
       • PCI DSS
         ◦ 12 requirements
       • COBIT
       • NERC CIP
       • BS 25999
       • ITIL
       • Data Protection Act
       • IT Act and applicable criminal / civil legislation
       • HIPAA / GLBA
       • Sarbanes-Oxley
       • Basel II
       • PCAOB
       • SAS 70
       • Privacy laws (e.g. PIPEDA)
       • ... many more ...
    15. Extracting Compliance ROI
       • Organizations must plan beyond compliance
         ◦ Better security means reduced / managed risk
         ◦ Managed (reduced) risk means better business
         ◦ Operational efficiencies result from compliance efforts
         ◦ Approach compliance as a business process, not as a requirement / overhead
         ◦ Use what is learned to shorten future compliance cycles
         ◦ Identify opportunities to build a unified compliance ecosystem
         ◦ Lead the organization to industry certifications, resulting in higher brand value
       • Eliminate the risk of penalties for non-compliance
       • Address multiple compliance requirements in a unified approach
    16. Suggested Safeguards (image-only slide)
    17. Suggested Safeguards (image-only slide)
    18. (image-only slide, no text)
    19. Technology Solution
       • Systems must be developed using a risk-based approach that is aligned with business, regulatory and contractual requirements
       • Leverage technology and coordinate security spend with compliance, with the overall objective of achieving governance (automation)
       • Technology practices that enable proactive security risk management:
         ◦ Vulnerability Assessment / Penetration Testing (VA/PT)
         ◦ Web Application Security (AppSec)
         ◦ Code Review
         ◦ Continuous Vulnerability Management
         ◦ Managed Security Services
    20. Compliance Spotlight: PCI Data Security Standard (title slide)
    21. Compliance Spotlight: PCI DSS
       • Requirements 5 and 6 (Maintain a Vulnerability Management Program)
         ◦ Stay current on versions (anti-virus, patches, systems, configuration)
         ◦ Monitor custom web applications
         ◦ SDLC (do we practice secure coding?)
         ◦ Invest in automated tools
       • Requirements 10 and 11 (Regularly Monitor and Test Networks)
         ◦ Secure audit logs
         ◦ Monitor systems for intrusions and anomalies
         ◦ Implement reporting and analysis tools
         ◦ Centralize and secure data
       • ISO/IEC 27001 A.12.6: Technical Vulnerability Management
       • ISO/IEC 27001 A.15: Compliance
         ◦ Compliance with legal requirements
         ◦ Compliance with security policies and standards, and technical compliance
    22. Leverage the Technology Solution (title slide)
    23. Leverage the Technology Solution
       Vulnerability Assessment (VA)
       • Results allow the organization to compare findings against known vulnerabilities and prioritize remediation by implementing controls.
       • Provides a health report on the organization’s security posture.
       • All standards, regulations and frameworks recommend (or require) network assessments as an essential practice.
       Penetration Testing (PT)
       • Helps determine whether the controls are in fact preventing the vulnerability from actually endangering the network.
       • A well-executed penetration test can identify the most critical holes in an organization’s defensive net, including the holes exploited by social engineering.
       • Pen tests are best used as a way to get an extra set of eyes on a network after major system upgrades.
    24. Leverage the Technology Solution
       Continuous Vulnerability Monitoring and Assessment
       • Provides a 24 x 7 x 365 watch on network traffic and is available as a Managed Security Service.
       • Traffic is monitored, and events (incidents) are correlated against an up-to-date Common Vulnerabilities and Exposures (CVE) database.
       • Reports are available online to the client via a web interface, which provides information about the threat(s) and remediation plans.
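Slide 24 describes correlating what is observed on the network against a vulnerability database. The block below is an added example of the core of that correlation, written for this page and not taken from the deck or from any managed-service product: observed services (host, product, version, as a scanner such as Nmap or Nessus would report them) are matched against advisory records by product and affected version range, and the hits are ranked by CVSS so the worst exposure is fixed first. All input is constructed; the advisory IDs are placeholders of the form EXAMPLE-nnnn, not real CVE identifiers, and the version ranges and scores are invented for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.29' or '7.4p1' into a comparable tuple of integers.

    Only the leading digits of each dot-separated component are kept, so
    '7.4p1' becomes (7, 4). That is enough for banner-style versions; it is
    not a general vendor version parser.
    """
    parts = []
    for component in version.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Service:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """Minimal vulnerability record: product, affected range, severity."""
    advisory_id: str
    product: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive)
    cvss: float


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    advisory_id: str
    cvss: float


def is_affected(service: Service, advisory: Advisory) -> bool:
    """True if the service's product and version fall inside the advisory range."""
    if service.product != advisory.product:
        return False
    v = parse_version(service.version)
    return parse_version(advisory.affected_from) <= v < parse_version(advisory.fixed_in)


def correlate(services: List[Service], advisories: List[Advisory]) -> List[Finding]:
    """Match every observed service against every advisory; worst CVSS first."""
    findings = [
        Finding(s.host, s.product, s.version, a.advisory_id, a.cvss)
        for s in services
        for a in advisories
        if is_affected(s, a)
    ]
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.advisory_id))


def hosts_to_fix(findings: List[Finding], min_cvss: float = 7.0) -> List[str]:
    """Hosts carrying at least one finding at or above the CVSS threshold."""
    return sorted({f.host for f in findings if f.cvss >= min_cvss})


# Constructed sample input: scanner-style observations and placeholder
# advisories (EXAMPLE-nnnn are not real CVE identifiers).
SERVICES = [
    Service("10.0.0.5", "apache-httpd", "2.4.29"),
    Service("10.0.0.5", "openssh", "7.4p1"),
    Service("10.0.0.9", "apache-httpd", "2.4.41"),
    Service("10.0.0.12", "vsftpd", "3.0.3"),
]

ADVISORIES = [
    Advisory("EXAMPLE-0001", "apache-httpd", "2.4.0", "2.4.39", 9.8),
    Advisory("EXAMPLE-0002", "openssh", "7.0", "7.5", 5.3),
    Advisory("EXAMPLE-0003", "apache-httpd", "2.4.0", "2.4.30", 7.5),
]

if __name__ == "__main__":
    for f in correlate(SERVICES, ADVISORIES):
        print(f"{f.cvss:4.1f}  {f.host:<10} {f.product} {f.version}  {f.advisory_id}")
    print("fix first:", hosts_to_fix(correlate(SERVICES, ADVISORIES)))
```

The host running 2.4.41 produces no finding because it is past both fixed versions; that is the check that keeps a correlator from paging on already-patched systems. The real-world caveat is that version-range matching on a banner is only as good as the banner: distributions often backport fixes without changing the advertised version, so a hit from this kind of correlation is a candidate to confirm with an authenticated scan or package query, not a proven vulnerability.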
    25. VA/PT
       • Undertaken by qualified professionals
       • Methodology includes the use of automated tools augmented with manual skills
       • Meets regulatory requirements (PCI DSS, HIPAA, GLBA, PIPEDA, etc.)
       • Organizations can realize their true security level
       • Measure IT security effectiveness
       • Identify and remediate potential breach points, reducing security risk and liability
       • Benchmark / baseline security posture
       Certifications
       • Certified Vulnerability Assessor (CVA) (Secure Matrix - DNV)
       • CEH (EC-Council)
       • CISSP ((ISC)²)
       • Certifications in forensics and fraud (Secure Matrix)
       Commonly used tools for VA/PT (commercial / open source): Nessus, GFI LANguard (c), Nmap; Metasploit, Canvas (c), etc.
    26. List of Tools (indicative)
       Vulnerability Assessment
       • Nessus: one of the most popular and widely used vulnerability assessment scanners, with nearly 14,000 plugins
       • GFI LANguard: a commercial vulnerability assessment scanner with neat reporting capabilities
       • Netcat: a network debugging and exploration tool
       • Hping: particularly useful when trying to traceroute / ping / probe hosts behind a firewall that blocks attempts using the standard utilities; used to map out firewall rulesets
       • Nikto: a comprehensive web server scanner
       • Sam Spade: Windows network query tool
       • WebInspect: web application scanner
       • Firewalk: an advanced traceroute-style tool for mapping firewall rulesets
       Penetration Testing
       • Metasploit Framework: a framework to deploy vulnerability exploits and payloads; Securematrix has created a database of nearly 100 exploits in this framework
       • Canvas: a commercial penetration testing tool
       • Core Impact: a commercial penetration testing tool
       • SAINT: a commercial penetration testing tool
       • Cenzic: a commercial web application testing tool
       • John the Ripper: powerful, flexible and fast multi-platform password hash cracker
       • THC Hydra: a fast network authentication cracker that supports many different services
       • Dsniff: a suite of powerful network auditing and penetration-testing tools
       • SolarWinds: network discovery / monitoring / attack tools
    27. Why VA/PT
       • To catch a thief... you have to think like one.
       • In a Vulnerability Assessment (VA) you probe your own network the way an intruder would, identifying the exposures visible from outside, such as open ports and the service versions behind them.
       • Following up a VA is the Penetration Test: you take advantage of the identified vulnerabilities by “penetrating” the network.
       • When you test all IP addresses that are visible to the outside world you can get answers to sticky questions like:
         ◦ Can an intruder hop onto the conference room network?
         ◦ Is it possible for the intruder to connect to the database server?
         ◦ What can you do (that no one wants an intruder to do)?
    28. Thank You
