Data Security For Compliance 2

Data security for compliance - Best practices & implementation Licensed under the Creative Commons Attribution License Danny Lieberman dannyl@controlpolicy.com www.controlpolicy.com

Why?
“ I don't need data security, we outsource our IT to one of the big banks”
“ We've never had a data leak incident”
“ You can't estimate asset value”
“ PCI DSS doesn't specify DLP”
“ We can't classify assets”
“ We use Scan Watch.....”
True quotes, real people.

Agenda
Introduction
Defining project objectives
Implementation and planning
Case study

I. Introduction

Objectives for this talk
Understand
How data security fits into current compliance regulation.
How to use value-based metrics
Data security threat modeling
Best practices for project planning
Best practices for implementation

What the heck is data security?
Security
Ensure we can survive & add value
Physical, information, systems, people
Data security
Protect data assets directly in all realms

Data security technology model Data Warehouse Document Server Session Detection point Decoders Policies Interception Countermeasures Management Provisioning Events Reporting Policies Forensics Received: from [172.16.1.35] (-80-230-224- Message ID:<437C5FDE.9080> “Send me more files today .

Data security countermeasures mitigate
Internally launched attacks on data that result in data leaks, breach of integrity or data availability
Unlike virus.
Your problem.
Not someone else.

Introduction Compliance and data security

Data security regulation
Data security regulation; 3 flavors:
Industry: PCI DSS 1.2
Protect the card associations
Asset orientation
Vendor-neutral: ISO27001,2/4
Protect the organization
Security orientation
Government: SOX, GLBA, HIPAA, State
Protect consumer
Management orientation

PCI DSS 1.2.1
Applicable – when a business stores payment card data.
“ .. .encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally ”
Asset:
PAN, Name, Expiry, Mag Stripe, CVV, PIN

PCI DSS 1.2
Grepping the standard:
Threat - 3
Once as “software threats”
People vulnerabilities – 0
Malicious individual - 1
Network – 40 times
Software – 45
12 anti-virus
Audit - 7

Grokking
"There isn't any software! Only different internal states of hardware”
It's a shame programmers don't grok better."

PCI DSS 1.2
Grokking the standard
Don't store PAN or
Render it unreadable or
Implement “compensating controls”
For example: use sudo to track Linux logins that are not managed in a central LDAP repository.

ISO27000
Applicable to all companies
IS27001 – ISM, comprehensive set of security controls
ISO27002 – ISM best practices
ISO27004 – Security metrics
Draft 12/2009.

ISO27001
Grepping the standard:
Threat - 4
First: employees, contractors, third-parties
People vulnerabilities – 7
Malicious code - 3
Network – 16 times
Software – 30
0 anti-virus
Audit - 9

ISO27001
Grokking the standard
A well-constructed security taxonomy
Wraps controls in a straight-jacket
Like PCI DSS
Forces organizations to engage in continuous assessment
Not continuous improvement
Like SOX

Sarbanes-Oxley
SOX
Auditor independence
Corporate governance
Internal control assessment (404)
Enhanced financial disclosure (302)
Public Company Accounting Oversight Board (PCAOB)
Oversee, regulate, inspect &
Discipline accounting firms as auditors

Sarbanes-Oxley
Applicable – US publicly traded firms
404 – assessment of internal controls
Top down risk assessment
Understand the flow of transactions, including IT aspects, sufficient enough to identify points at which a misstatement could arise
Fraud

Sarbanes-Oxley
Grepping 404
Threat - 0
People vulnerabilities - 0
Malicious code – 0
Network – 0
Software – 0
Audit – 1

Sarbanes-Oxley
Grokking the law
Assess internal control and procedures of
the issuer for financial reporting.
SOX didn't prevent the latest crisis &
Mark-to-market was part of SOX
But
SOX is law.

HIPAA
Privacy Rule
Disclose PHI to patients within 30 days
Track disclosures, policies, procedures
Paper and digital assets
Security Rule
Digital assets
Controls
Administrative, Technical, Physical
US Federal Gov adopted NIST RMF
See SP 800-66 Rev. 1

HIPAA
Applicable
Health-care providers
Health-care information networks

HIPAA
Grepping
Threat - 1
People vulnerabilities - 3
Malicious code – 0
Network – 0
Computerized systems – 2
Unauthorized use, access, disclosure - 3
Audit – 20

HIPAA
Grokking
Person who maintains or transmits PHI shall maintain reasonable safeguards:
Integrity and confidentiality
Protect against any reasonably anticipated
Threats or hazards to the security or integrity of the information;
Unauthorized uses or disclosures of the information;
Ensure compliance

Interim conclusions
PCI - data security,without risk analysis.
SOX - risk analysis, not data security.
HIPAA - data security and risk analysis (if you follow NIST guidelines).

Question and Answer Where does DLP fit into compliance?
Invaluable tool for providing visibility and monitoring inbound/outbound transactions
Monitoring that provides input into the risk analysis process required by compliance regulation like SOX and HIPAA.
Provable security for compliance standards like PCI DSS 1.2 and ISO 27000

II. Defining Project Objectives

Enforce business process
Compliance is about enforcing business process.
PCI DSS: Get the transaction authorized without getting the data stolen
SOX: Sufficiency of internal controls for financial reporting
HIPAA: Disclose PHI to patients without leaks to unauthorized parties
“ If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed.“ “ The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.” COSO – Industry Consortium to improve internal controls

Compliance drivers and constraints
Accountability
Risk analysis
Provable security
Costs
Politics

Accountability
The main charter of SOX
Non-compliant firms may be held accountable for data breaches
PCI DSS
Fines, Revocation of processing rights
ISO 2700x
Not
SOX, GLBA, HIPAA, State Privacy
Infrequent

Examples
PCI DSS: Heartland Payment Systems
April 2008
PCI DSS compliant
Jan 2009
Size of breach unknown
Malicious code in the payment systems
December 2009
Class action suit dismissed
Jan 2010
$60M settlement to VISA

Examples
HIPAA: CVS Caremark
Feb 2009
Agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations
Pharmacy employees threw pill bottles with patient information into the trash.

Compliance and risk analysis
HIPAA
Federal agencies - NIST Risk analysis & management methodology
PCI DSS
Not specified
SOX
Requires top down risk assessment
You can choose your own methodology

Risk analysis: Base classes
Assets
Vulnerabilities
Threats
Countermeasures

Risk analysis: data security threat model (*) Metrics Asset value, Threat damage to asset, Threat probability Value at Risk =Threat Damage to Asset x Asset Value x Threat Probability (*) PTA -Practical threat analysis risk model

Provable security
Always, usually, kind of ....
PCI DSS
1/Q for Level 1 merchant
1/Year for Level 2-4
Pushes out to acquirers, QSA
HIPAA
Not specified in the law (believe it or not)
SOX
Annual audit

Provable security
Network DLP in a monitoring role
Or as a last line of defense for PAN leakage in clear text

Costs
SOX is expensive
~ 1% of the US GDP
The SEC makes you do it
PCI is expensive
“ 71% of companies don’t consider PCI as strategic though 79% had experienced a breach” ( Ponemon Institute – June 09)
The golden rule

Politics IT – data security is “very important” ...Forrester Management board – fraud/data theft can maim or destroy the company ...Sarbanes-Oxley

III. Project planning and preparation

4 steps of Planning
Define the problem
Set a hypothesis
Measure pain
Prove your hypothesis
The Scientific Method

Typical data security implementation
Buy technology and services
Classify assets
Data at rest
Data in motion
Fail

Why you lose control Why you lose control Why companies fail at DLP
Issues unclear
Many vendors have DLP technology
Non-product differentiation
Divided camps
Nobody answers all requirements
Need a political sponsor
Loss of momentum
No business pain
No power sponsors

Typical DLP project - valley of death Month 1 Month 12-18 Month 5 Logical &rational Emotional & Political IT Requirements Capabilities Presentation Compliance requirements Evaluate alternatives Close Project Meet vendors Talk to analysts Losing control

Step 1 – Define the problem
Identify key business processes.
PCI DSS: new customer provisioning
SOX: produce the 10Q at end of quarter
HIPAA: provide PHI to patients with BPO
nBusinessProceses << nDocumentFormats

Step 2 – Set a business pain hypotheses
Prove 2 hypotheses:
Data loss is happening now.
A cost effective solution exists that reduces risk to acceptable levels.

H1: Data loss is happening
What keeps you awake at night?
What data types and volumes of data leave the network?
Who is sending sensitive information out of the company?
Where is the data going?
What network protocols have the most events?
What are the current violations of company AUP?

H2: A cost effective solution exists
Value of information assets on PCs, servers & mobile devices?
What is the Value at Risk?
Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)
How much do your current security controls cost?
How do you compare with other companies in your industry?
How would risk change if you added, modified or dropped security controls?

Step 3 – Measure data security metrics
Dimensions
organization, channel and content
Typical metrics
% of employees that signed the AUP
% Webmail traffic/all mail traffic
% Office files by Webmail/Employees
No. of revenue transactions
Cost of security for operational/revenue syst ems
Cost of security for customer service systems
Cost of security for FnA syst ems
Value of assets in Euro
Total value at risk of assets

Why do we need metrics?
Recognize this?
The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) Ignores the hard stuff; quantification and prioritization of your actions based on financial value of assets and measurement of threat impact Ignorance is never better than knowledge Enrico Fermi

Anything can be measured All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man. Bertrand Russell

Why bother quantifying risk?
Why not qualitative metrics?
When was the last time a customer paid a “qualitative price” ?

Measurement methods
Hand sampling
Small samples of employees, routers...
The “Rule of 5”
Expert estimates
The CFO
Pros at asset valuation
Test equipment

DLP Test equipment Data Warehouse Document Server Session Detection point Decoders Policies Interception Countermeasures Management Provisioning Events Reporting Policies Forensics Received: from [172.16.1.35] (-80-230-224- Message ID:<437C5FDE.9080> “Send me more files today .

Step 4 – Prove/Disprove hypotheses Metrics Asset value, Threat damage to asset, Threat probability Value at Risk =Threat Damage to Asset x Asset Value x Threat Probability (*) PTA -Practical threat analysis risk model

IV. Project Implementation

Assumptions
L2 content interception
Bi-directional
Policy-based
Organization entity: IP/LDAP/AD
Channel entity: TCP/IP envelope
Content entity: recursive c/a
Detect structured content

4 implementation layers
Network topology
Interception points
Policy
Forensics

Layer 1 - Network topology
We will consider 3 basic network topologies:
IT Operations
Trusted insiders
Application services

IT Operations - PCI DSS 1.2, HIPAA Server Land User Land 10.1.1.x 192.168.5.x 10.1.2.x 192.168.4.x Sensor Management Oracle SMB AD/ Open LDAP Web Mail Clients

Trusted insiders - HIPAA User Land Sensor Management The Internet Clients Facebook LinkedIn MySpace Gmail Yahoo! Proxies Blogs competitors

Customer/partner facing services Server Land Web application services PHP, ASP, JSP… Clients Sensor 10.1.1.x 192.168.5.x 10.1.2.x 192.168.4.x Management Oracle DB2 SMB AD Web Mail Middle tier Web server Third-party

Layer 2 – Interception points

Layer 2 – Interception guidelines
Intercept inside network for internal data leakage
Intercept at perimeter for outbound or inbound data security violations
Network taps are preferable to using switch mirror ports
Better performance
Can aggregate

Layer 3 – Policy, object view
Policy := ChannelRules + OrganizationalRules + ContentRules
For example:
PCI_DSSPolicy = ContentRules
ContentRules = Detect tuples:
{PAN, name}
{PAN, CVV}
{PAN, SSN, name}
{PAN, name,phoneNumber}

Layer 3 – Policy, crime view
Means
Multiple accounts
Opportunity
Multiple channels
Intent
Jérôme Kerviel
Albert Gonzales

Policy development
Use your system as test equipment
Write a fingerprint
Wrap it with a rule
Alert, drop or block
Create a policy
Update sensor
Business process use cases
Not content classification

Detect structured content
Detect PII, PHI
Think about SQL queries…
Credit card identification algorithm
PII (personally identifiable information) ‏
Custom structures
e.g. system billing records…

Use case – PCI DSS
PII and PublicWebSiteServers
MarketingDataShare and PaymentFTP
LDAP and PII and WindowsServers and Size > 5MB

Use case - HIPAA
DBA and “SELECT id_number FROM patient_accountmaster” and NOT “WHERE”
PHI and telnet

Layer 4 - Forensics
Must be able to retrieve original files and session envelope

PCI DSS Forensics

V. Case study

SOX
Customer must perform IT security as part of the annual SOX audit
We will see how we use threat modeling to take data we collected and prioritize the implementation

Problem definition – SOX IT compliance
Risk management
Monitored and managed?
Policies and procedures
Adequate?
Up to date?
Understood
Controls
Implemented and effective?
Performance
Compliance met?
Issues with third party relationships?

Project objective 1- Coherence
Impossible to take right decision when intelligence is in silos
FBI investigates
CIA analyzes
No one bothered to discuss impact of Saudis learning to fly but not how to land planes.

Project objective 2 - Sustainability
Senior executives must lead:
Recycle controls and policies
Don't throw out previous work
Abstain from NIH

Measurement
Face to face interviews with 10 – 20 employees
Collect data using network DLP appliance
Valuate assets with CFO, CTO, IPR and CIO inputs
Run threat model and iterate with CFO, IPR, CTO and CIO

Key Business processes
End of quarter reporting
Contractors in Far East that have access to company IP
Software deployment process

Metrics
Two week sample period
No. notebooks lost/stolen - 1/month
No. employees who signed AUP - 0
Web mail traffic vs. Exchange traffic – 35% of all traffic was Web mail.
No. of new project IP documents < 10 off authorized channel.
Oracle apps downtime - 0 during 7 years

SOX Threat model
See the Practical Threat Analysis model

Conclusions
Data security is a powerful tool for compliance when used properly
Assure and improve business processes not classify and discover data
Risk analysis is central to success
4 step planning process
5 layer implementation

Questions?

http://www.software.co.il	21
http://www.slideshare.net	6
http://www.lmodules.com	1

Data Security For Compliance 2

by Software Associates on Jan 28, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 28

Statistics

Data Security For Compliance 2 — Presentation Transcript