Data Security For Compliance 2
Data security for compliance -
Best practices & implementation
Data Security For Compliance 2 Presentation Transcript

  • 1. Data security for compliance - Best practices & implementation Licensed under the Creative Commons Attribution License Danny Lieberman dannyl@controlpolicy.com www.controlpolicy.com
  • 2. Why?
    • “I don't need data security, we outsource our IT to one of the big banks”
    • “We've never had a data leak incident”
    • “You can't estimate asset value”
    • “PCI DSS doesn't specify DLP”
    • “We can't classify assets”
    • “We use Scan Watch.....”
    • True quotes, real people.
  • 3. Agenda
    • Introduction
    • Defining project objectives
    • Implementation and planning
    • Case study
  • 4. I. Introduction
  • 5. Objectives for this talk
    • Understand
      • How data security fits into current compliance regulation.
      • How to use value-based metrics
      • Data security threat modeling
      • Best practices for project planning
      • Best practices for implementation
  • 6. What the heck is data security?
    • Security
      • Ensure we can survive & add value
        • Physical, information, systems, people
    • Data security
      • Protect data assets directly in all realms
  • 7. Data security technology model (diagram: data sources such as a data warehouse and a document server; a detection point with session decoders, policies, interception and countermeasures; a management station with provisioning, events, reporting, policies and forensics; a sample intercepted e-mail session shown with its Received and Message-ID headers and body text)
  • 8. Data security countermeasures mitigate
    • Internally launched attacks on data that result in data leaks, breach of integrity or data availability
      • Unlike virus.
      • Your problem.
      • Not someone else.
  • 9. Introduction Compliance and data security
  • 10. Data security regulation
    • Data security regulation; 3 flavors:
      • Industry: PCI DSS 1.2
        • Protect the card associations
        • Asset orientation
      • Vendor-neutral: ISO27001,2/4
        • Protect the organization
        • Security orientation
      • Government: SOX, GLBA, HIPAA, State
        • Protect consumer
        • Management orientation
  • 11. PCI DSS 1.2.1
    • Applicable – when a business stores payment card data.
      • “...encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally”
    • Asset:
      • PAN, Name, Expiry, Mag Stripe, CVV, PIN
  • 12. PCI DSS 1.2
    • Grepping the standard:
      • Threat - 3
        • Once as “software threats”
      • People vulnerabilities – 0
      • Malicious individual - 1
      • Network – 40 times
      • Software – 45
        • 12 anti-virus
      • Audit - 7
  • 13. Grokking
    • “There isn't any software! Only different internal states of hardware. It's a shame programmers don't grok better.”
  • 14. PCI DSS 1.2
    • Grokking the standard
      • Don't store PAN or
      • Render it unreadable or
      • Implement “compensating controls”
        • For example: use sudo to track Linux logins that are not managed in a central LDAP repository.
  • 15. ISO27000
    • Applicable to all companies
    • ISO27001 – ISM, comprehensive set of security controls
    • ISO27002 – ISM best practices
    • ISO27004 – Security metrics
      • Draft 12/2009.
  • 16. ISO27001
    • Grepping the standard:
      • Threat - 4
        • First: employees, contractors, third-parties
      • People vulnerabilities – 7
      • Malicious code - 3
      • Network – 16 times
      • Software – 30
        • 0 anti-virus
      • Audit - 9
  • 17. ISO27001
    • Grokking the standard
      • A well-constructed security taxonomy
        • Wraps controls in a straitjacket
        • Like PCI DSS
      • Forces organizations to engage in continuous assessment
        • Not continuous improvement
        • Like SOX
  • 18. Sarbanes-Oxley
    • SOX
      • Auditor independence
      • Corporate governance
      • Internal control assessment (404)
      • Enhanced financial disclosure (302)
    • Public Company Accounting Oversight Board (PCAOB)
      • Oversee, regulate, inspect &
      • Discipline accounting firms as auditors
  • 19. Sarbanes-Oxley
    • Applicable – US publicly traded firms
    • 404 – assessment of internal controls
      • Top down risk assessment
        • Understand the flow of transactions, including IT aspects, sufficiently to identify points at which a misstatement could arise
        • Fraud
  • 20. Sarbanes-Oxley
    • Grepping 404
      • Threat - 0
      • People vulnerabilities - 0
      • Malicious code – 0
      • Network – 0
      • Software – 0
      • Audit – 1
  • 21. Sarbanes-Oxley
    • Grokking the law
      • Assess internal control and procedures of the issuer for financial reporting.
        • SOX didn't prevent the latest crisis, and mark-to-market was part of SOX
      • But SOX is law.
  • 22. HIPAA
    • Privacy Rule
      • Disclose PHI to patients within 30 days
      • Track disclosures, policies, procedures
        • Paper and digital assets
    • Security Rule
      • Digital assets
      • Controls
        • Administrative, Technical, Physical
    • US Federal Gov adopted NIST RMF
      • See SP 800-66 Rev. 1
  • 23. HIPAA
    • Applicable
      • Health-care providers
      • Health-care information networks
  • 24. HIPAA
    • Grepping
      • Threat - 1
      • People vulnerabilities - 3
      • Malicious code – 0
      • Network – 0
      • Computerized systems – 2
      • Unauthorized use, access, disclosure - 3
      • Audit – 20
  • 25. HIPAA
    • Grokking
      • Person who maintains or transmits PHI shall maintain reasonable safeguards:
        • Integrity and confidentiality
        • Protect against any reasonably anticipated
          • Threats or hazards to the security or integrity of the information;
          • Unauthorized uses or disclosures of the information;
          • Ensure compliance
  • 26. Interim conclusions
    • PCI - data security, without risk analysis.
    • SOX - risk analysis, not data security.
    • HIPAA - data security and risk analysis (if you follow NIST guidelines).
  • 27. Question and Answer Where does DLP fit into compliance?
    • Invaluable tool for providing visibility and monitoring inbound/outbound transactions
    • Monitoring that provides input into the risk analysis process required by compliance regulation like SOX and HIPAA.
    • Provable security for compliance standards like PCI DSS 1.2 and ISO 27000
  • 28. II. Defining Project Objectives
  • 29. Enforce business process
    • Compliance is about enforcing business process.
      • PCI DSS: Get the transaction authorized without getting the data stolen
      • SOX: Sufficiency of internal controls for financial reporting
      • HIPAA: Disclose PHI to patients without leaks to unauthorized parties
    “If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed.”
    “The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”
    COSO – Industry Consortium to improve internal controls
  • 30. Compliance drivers and constraints
    • Accountability
    • Risk analysis
    • Provable security
    • Costs
    • Politics
  • 31. Accountability
    • The main charter of SOX
    • Non-compliant firms may be held accountable for data breaches
      • PCI DSS
        • Fines, Revocation of processing rights
      • ISO 2700x
        • Not
      • SOX, GLBA, HIPAA, State Privacy
        • Infrequent
  • 32. Examples
    • PCI DSS: Heartland Payment Systems
      • April 2008
        • PCI DSS compliant
      • Jan 2009
        • Size of breach unknown
        • Malicious code in the payment systems
      • December 2009
        • Class action suit dismissed
      • Jan 2010
        • $60M settlement to VISA
  • 33. Examples
    • HIPAA: CVS Caremark
      • Feb 2009
        • Agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations
        • Pharmacy employees threw pill bottles with patient information into the trash.
  • 34. Compliance and risk analysis
    • HIPAA
      • Federal agencies - NIST Risk analysis & management methodology
    • PCI DSS
      • Not specified
    • SOX
      • Requires top down risk assessment
      • You can choose your own methodology
  • 35. Risk analysis: Base classes
    • Assets
    • Vulnerabilities
    • Threats
    • Countermeasures
  • 36. Risk analysis: data security threat model (*)
    • Metrics: asset value, threat damage to asset, threat probability
    • Value at Risk = Threat Damage to Asset × Asset Value × Threat Probability
    (*) PTA – Practical threat analysis risk model
  • 37. Provable security
    • Always, usually, kind of ....
      • PCI DSS
        • 1/Q for Level 1 merchant
        • 1/Year for Level 2-4
        • Pushes out to acquirers, QSA
      • HIPAA
        • Not specified in the law (believe it or not)
      • SOX
        • Annual audit
  • 38. Provable security
    • Network DLP in a monitoring role
    • Or as a last line of defense for PAN leakage in clear text
  • 39. Costs
    • SOX is expensive
      • ~ 1% of the US GDP
      • The SEC makes you do it
    • PCI is expensive
      • “71% of companies don’t consider PCI as strategic though 79% had experienced a breach” (Ponemon Institute – June 09)
      • The golden rule
  • 40. Politics
    • IT – data security is “very important” ...Forrester
    • Management board – fraud/data theft can maim or destroy the company ...Sarbanes-Oxley
  • 41. III. Project planning and preparation
  • 42. 4 steps of Planning
    • Define the problem
    • Set a hypothesis
    • Measure pain
    • Prove your hypothesis
    The Scientific Method
  • 43. Typical data security implementation
    • Buy technology and services
    • Classify assets
    • Data at rest
    • Data in motion
    • Fail
  • 44. Why you lose control Why you lose control Why companies fail at DLP
    • Issues unclear
      • Many vendors have DLP technology
        • Non-product differentiation
    • Divided camps
      • Nobody answers all requirements
        • Need a political sponsor
    • Loss of momentum
      • No business pain
      • No power sponsors
  • 45. Typical DLP project - valley of death (timeline diagram with labels: Month 1, Month 5, Month 12-18; logical & rational vs. emotional & political; IT requirements, compliance requirements, capabilities presentation, evaluate alternatives, meet vendors, talk to analysts, losing control, close project)
  • 46. Step 1 – Define the problem
    • Identify key business processes.
      • PCI DSS: new customer provisioning
      • SOX: produce the 10Q at end of quarter
      • HIPAA: provide PHI to patients with BPO
    nBusinessProcesses << nDocumentFormats (there are far fewer business processes than document formats)
  • 47. Step 2 – Set business pain hypotheses
    • Prove 2 hypotheses:
      • Data loss is happening now.
      • A cost effective solution exists that reduces risk to acceptable levels.
  • 48. H1: Data loss is happening
    • What keeps you awake at night?
    • What data types and volumes of data leave the network?
    • Who is sending sensitive information out of the company?
    • Where is the data going?
    • What network protocols have the most events?
    • What are the current violations of company AUP?
  • 49. H2: A cost effective solution exists
    • Value of information assets on PCs, servers & mobile devices?
    • What is the Value at Risk?
    • Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
    • How much do your current security controls cost?
    • How do you compare with other companies in your industry?
    • How would risk change if you added, modified or dropped security controls?
  • 50. Step 3 – Measure data security metrics
    • Dimensions
      • organization, channel and content
    • Typical metrics
      • % of employees that signed the AUP
      • % Webmail traffic/all mail traffic
      • % Office files by Webmail/Employees
      • No. of revenue transactions
      • Cost of security for operational/revenue systems
      • Cost of security for customer service systems
      • Cost of security for FnA systems
      • Value of assets in Euro
      • Total value at risk of assets
  • 51. Why do we need metrics?
    • Recognize this?
      The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.
    “Ignorance is never better than knowledge” – Enrico Fermi
  • 52. Anything can be measured
    “All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man.” – Bertrand Russell
  • 53. Why bother quantifying risk?
    • Why not qualitative metrics?
    • When was the last time a customer paid a “qualitative price” ?
  • 54. Measurement methods
    • Hand sampling
      • Small samples of employees, routers...
        • The “Rule of 5”
    • Expert estimates
      • The CFO
        • Pros at asset valuation
    • Test equipment
  • 55. DLP test equipment (the technology-model diagram of slide 7 again: detection point with session decoders, policies, interception and countermeasures; management with provisioning, events, reporting, policies and forensics; sample intercepted e-mail session)
  • 56. Step 4 – Prove/Disprove hypotheses
    • Metrics: asset value, threat damage to asset, threat probability
    • Value at Risk = Threat Damage to Asset × Asset Value × Threat Probability
    (*) PTA – Practical threat analysis risk model
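As an added example (not code from the slides or from the PTA tool), the value-at-risk formula of slides 36 and 56 carried through to the prioritisation step the case study describes: value at risk is computed per threat, then countermeasures are ranked by risk reduced per Euro of cost. The assets, threats, probabilities, countermeasure costs and mitigation fractions are all constructed sample data, and the per-cost ranking is my own addition to the model.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float  # asset value in Euro, as the slide 50 metrics express it

@dataclass
class Threat:
    name: str
    asset: Asset
    damage: float       # fraction of the asset value lost if the threat materialises (0..1)
    probability: float  # probability of the threat materialising in the period (0..1)

    def value_at_risk(self) -> float:
        # Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability
        return self.damage * self.asset.value * self.probability

@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigation: dict  # threat name -> fraction of that threat's value at risk it removes

def total_var(threats) -> float:
    return sum(t.value_at_risk() for t in threats)

def residual_var(threats, cm: Countermeasure) -> float:
    """Value at risk that remains after applying one countermeasure."""
    return sum(t.value_at_risk() * (1 - cm.mitigation.get(t.name, 0.0)) for t in threats)

def rank_countermeasures(threats, countermeasures):
    """Rank countermeasures by risk reduced per Euro spent, highest first.
    Returns (name, risk_reduction, reduction_per_cost) tuples."""
    base = total_var(threats)
    ranked = []
    for cm in countermeasures:
        reduction = base - residual_var(threats, cm)
        ranked.append((cm.name, reduction, reduction / cm.cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample data: the values, probabilities and costs are invented for illustration.
cardholder_db = Asset("cardholder database", 2_000_000)
ip_docs = Asset("new project IP documents", 1_000_000)
working_papers = Asset("10Q working papers", 500_000)
THREATS = [
    Threat("PAN leak via webmail", cardholder_db, damage=0.5, probability=0.2),
    Threat("stolen notebook holding IP", ip_docs, damage=0.3, probability=0.5),
    Threat("10Q draft e-mailed off channel", working_papers, damage=0.2, probability=0.1),
]
COUNTERMEASURES = [
    Countermeasure("network DLP on webmail", 50_000,
                   {"PAN leak via webmail": 0.8, "10Q draft e-mailed off channel": 0.6}),
    Countermeasure("full-disk encryption on notebooks", 20_000,
                   {"stolen notebook holding IP": 0.9}),
]

if __name__ == "__main__":
    print(f"total value at risk: {total_var(THREATS):,.0f}")
    for name, reduction, per_cost in rank_countermeasures(THREATS, COUNTERMEASURES):
        print(f"{name}: reduces VaR by {reduction:,.0f} ({per_cost:.2f} per Euro)")
```

With these numbers the cheaper notebook encryption ranks ahead of network DLP because it removes more risk per Euro, even though DLP removes more risk in absolute terms.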
  • 57. IV. Project Implementation
  • 58. Assumptions
    • L2 content interception
    • Bi-directional
    • Policy-based
      • Organization entity: IP/LDAP/AD
      • Channel entity: TCP/IP envelope
      • Content entity: recursive c/a
    • Detect structured content
  • 59. 4 implementation layers
    • Network topology
    • Interception points
    • Policy
    • Forensics
  • 60. Layer 1 - Network topology
    • We will consider 3 basic network topologies:
      • IT Operations
      • Trusted insiders
      • Application services
  • 61. IT Operations - PCI DSS 1.2, HIPAA (topology diagram: Server Land with Oracle, SMB, AD/OpenLDAP, Web and Mail servers; User Land with clients; subnets 10.1.1.x, 10.1.2.x, 192.168.4.x, 192.168.5.x; sensor and management station)
  • 62. Trusted insiders - HIPAA (topology diagram: User Land clients, sensor and management station, the Internet with Facebook, LinkedIn, MySpace, Gmail, Yahoo!, proxies, blogs and competitors)
  • 63. Customer/partner facing services (topology diagram: Server Land with web application services in PHP, ASP, JSP…, middle tier, web server, Oracle, DB2, SMB, AD, Web and Mail; clients and third parties; sensor and management station; subnets 10.1.1.x, 10.1.2.x, 192.168.4.x, 192.168.5.x)
  • 64. Layer 2 – Interception points
  • 65. Layer 2 – Interception guidelines
    • Intercept inside network for internal data leakage
    • Intercept at perimeter for outbound or inbound data security violations
    • Network taps are preferable to using switch mirror ports
      • Better performance
      • Can aggregate
  • 66. Layer 3 – Policy, object view
    • Policy := ChannelRules + OrganizationalRules + ContentRules
    • For example:
      • PCI_DSSPolicy = ContentRules
        • ContentRules = Detect tuples:
          • {PAN, name}
          • {PAN, CVV}
          • {PAN, SSN, name}
          • {PAN, name, phoneNumber}
  • 67. Layer 3 – Policy, crime view
    • Means
      • Multiple accounts
    • Opportunity
      • Multiple channels
    • Intent
      • Jérôme Kerviel
      • Albert Gonzalez
  • 68. Policy development
    • Use your system as test equipment
      • Write a fingerprint
      • Wrap it with a rule
      • Alert, drop or block
      • Create a policy
      • Update sensor
    • Business process use cases
      • Not content classification
  • 69. Detect structured content
    • Detect PII, PHI
      • Think about SQL queries…
      • Credit card identification algorithm
      • PII (personally identifiable information)
      • Custom structures
        • e.g. system billing records…
  • 70. Use case – PCI DSS
    • PII and PublicWebSiteServers
    • MarketingDataShare and PaymentFTP
    • LDAP and PII and WindowsServers and Size > 5MB
  • 71. Use case - HIPAA
    • DBA and “SELECT id_number FROM patient_accountmaster” and NOT “WHERE”
    • PHI and telnet
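An added example, not the author's or any DLP product's code, of the policy model from slide 66 (Policy := ChannelRules + OrganizationalRules + ContentRules, detecting PAN tuples) together with the credit card identification algorithm of slide 69 and the use-case rules of slides 70 and 71. The Session fields, the regular expressions, the treatment of "PII" as any detected content tag, and the sample content are assumptions; the group names DBA and PublicWebSiteServers are taken from the slides.

```python
import re
from dataclasses import dataclass

@dataclass
class Session:  # organization, channel and content entities of one intercepted session
    groups: set       # organizational groups of the sender, e.g. from LDAP/AD (constructed)
    dst_group: str    # server group of the destination host (constructed names)
    content: str      # decoded payload text

def luhn_ok(digits: str) -> bool:
    """Credit card identification algorithm: Luhn checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
CVV_RE = re.compile(r"\b(?:CVV2?|CVC)\s*:?\s*\d{3,4}\b", re.I)
NAME_RE = re.compile(r"\b(?:name|cardholder)\s*:?\s*[A-Z][a-z]+ [A-Z][a-z]+", re.I)

def find_pans(text: str) -> list:
    """13-19 digit runs, optionally space/dash separated, that pass the Luhn check."""
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]

DETECTORS = {"PAN": lambda t: bool(find_pans(t)),
             "CVV": lambda t: CVV_RE.search(t) is not None,
             "name": lambda t: NAME_RE.search(t) is not None}

def content_tags(text: str) -> set:
    """Structured-content detection: which tuple elements of slide 66 are present."""
    return {tag for tag, detect in DETECTORS.items() if detect(text)}

def pci_tuple_rule(s: Session) -> bool:
    """ContentRule for the {PAN, name} and {PAN, CVV} tuples."""
    t = content_tags(s.content)
    return "PAN" in t and bool(t & {"name", "CVV"})

def pii_to_public_web_rule(s: Session) -> bool:
    """Slide 70: PII and PublicWebSiteServers (PII approximated by any content tag)."""
    return bool(content_tags(s.content)) and s.dst_group == "PublicWebSiteServers"

def dba_bulk_select_rule(s: Session) -> bool:
    """Slide 71: DBA and "SELECT id_number FROM patient_accountmaster" and NOT "WHERE"."""
    return ("DBA" in s.groups
            and re.search(r"SELECT\s+id_number\s+FROM\s+patient_accountmaster", s.content, re.I) is not None
            and re.search(r"\bWHERE\b", s.content, re.I) is None)

# Policy := ChannelRules + OrganizationalRules + ContentRules; each rule is wrapped with an action.
POLICY = [("PCI tuple", pci_tuple_rule, "block"),
          ("PII to public web servers", pii_to_public_web_rule, "alert"),
          ("DBA bulk SELECT on patient table", dba_bulk_select_rule, "alert")]

def evaluate(s: Session) -> list:
    """(rule name, action) for every rule the session violates."""
    return [(name, action) for name, rule, action in POLICY if rule(s)]
```

A number that merely looks like a PAN but fails Luhn produces no tag, which is what keeps the tuple rules from firing on phone numbers and order IDs.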
  • 72. Layer 4 - Forensics
    • Must be able to retrieve original files and session envelope
  • 73. PCI DSS Forensics
  • 74. V. Case study
  • 75. SOX
    • Customer must perform IT security as part of the annual SOX audit
      • We will see how we use threat modeling to take data we collected and prioritize the implementation
  • 76. Problem definition – SOX IT compliance
    • Risk management
      • Monitored and managed?
    • Policies and procedures
      • Adequate?
      • Up to date?
      • Understood
    • Controls
      • Implemented and effective?
    • Performance
      • Compliance met?
      • Issues with third party relationships?
  • 77. Project objective 1 - Coherence
    • Impossible to take the right decision when intelligence is in silos
      • FBI investigates
      • CIA analyzes
      • No one bothered to discuss impact of Saudis learning to fly but not how to land planes.
  • 78. Project objective 2 - Sustainability
    • Senior executives must lead:
      • Recycle controls and policies
      • Don't throw out previous work
      • Abstain from NIH (not invented here)
  • 79. Measurement
    • Face to face interviews with 10 – 20 employees
    • Collect data using network DLP appliance
    • Valuate assets with CFO, CTO, IPR and CIO inputs
    • Run threat model and iterate with CFO, IPR, CTO and CIO
  • 80. Key Business processes
    • End of quarter reporting
    • Contractors in Far East that have access to company IP
    • Software deployment process
  • 81. Metrics
    • Two week sample period
      • No. notebooks lost/stolen - 1/month
      • No. employees who signed AUP - 0
      • Web mail traffic vs. Exchange traffic – 35% of all traffic was Web mail.
      • No. of new project IP documents < 10 off authorized channel.
      • Oracle apps downtime - 0 during 7 years
  • 82. SOX Threat model
    • See the Practical Threat Analysis model
  • 83. Conclusions
    • Data security is a powerful tool for compliance when used properly
    • Assure and improve business processes not classify and discover data
    • Risk analysis is central to success
    • 4 step planning process
    • 5 layer implementation
  • 84. Questions?