Data Security For Compliance 2
  • 1. Data security for compliance - Best practices & implementation Licensed under the Creative Commons Attribution License Danny Lieberman dannyl@controlpolicy.com www.controlpolicy.com
  • 2. Why?
    • “I don't need data security, we outsource our IT to one of the big banks”
    • “We've never had a data leak incident”
    • “You can't estimate asset value”
    • “PCI DSS doesn't specify DLP”
    • “We can't classify assets”
    • “We use Scan Watch.....”
    • True quotes, real people.
  • 3. Agenda
    • Introduction
    • Defining project objectives
    • Implementation and planning
    • Case study
  • 4. I. Introduction
  • 5. Objectives for this talk
    • Understand
      • How data security fits into current compliance regulation.
      • How to use value-based metrics
      • Data security threat modeling
      • Best practices for project planning
      • Best practices for implementation
  • 6. What the heck is data security?
    • Security
      • Ensure we can survive & add value
        • Physical, information, systems, people
    • Data security
      • Protect data assets directly in all realms
  • 7. Data security technology model (architecture diagram; only its labels survived extraction): Data Warehouse, Document Server, Session, Detection point, Decoders, Policies, Interception, Countermeasures, Management, Provisioning, Events, Reporting, Forensics. Sample intercepted session shown on the slide: “Received: from [172.16.1.35] (-80-230-224-”, “Message ID:<437C5FDE.9080>”, “Send me more files today”.
  • 8. Data security countermeasures mitigate
    • Internally launched attacks on data that result in data leaks, breach of integrity or loss of data availability
      • Unlike a virus, this is your problem, not someone else's.
  • 9. Introduction: Compliance and data security
  • 10. Data security regulation
    • Data security regulation; 3 flavors:
      • Industry: PCI DSS 1.2
        • Protect the card associations
        • Asset orientation
      • Vendor-neutral: ISO 27001, 27002, 27004
        • Protect the organization
        • Security orientation
      • Government: SOX, GLBA, HIPAA, State
        • Protect consumer
        • Management orientation
  • 11. PCI DSS 1.2.1
    • Applicable – when a business stores, processes or transmits payment card data.
      • “...encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally”
    • Assets:
      • Cardholder data: PAN, name, expiry
      • Sensitive authentication data: full magnetic stripe (track) data, CVV/CVC, PIN – must not be stored after authorization, even encrypted
  • 12. PCI DSS 1.2
    • Grepping the standard:
      • Threat - 3
        • Once as “software threats”
      • People vulnerabilities – 0
      • Malicious individual - 1
      • Network – 40 times
      • Software – 45
        • 12 anti-virus
      • Audit - 7
  • 13. Grokking
    • “There isn't any software! Only different internal states of hardware. It's a shame programmers don't grok better.”
  • 14. PCI DSS 1.2
    • Grokking the standard
      • Don't store the PAN, or
      • Render it unreadable (truncation, one-way hash, index token, strong encryption), or
      • Implement “compensating controls”
        • For example: use sudo to track privileged Linux logins on hosts that are not managed in a central LDAP repository, so every privileged command is attributable to an individual.
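What the sudo compensating control actually buys you is an audit trail you can hand to the QSA. The following is an added example (not from the deck) that parses sudo's default syslog lines into a per-user trail of privileged commands and flags the two things that defeat it: denied attempts and shell escapes (a command of `/bin/bash` or `su` ends per-command accountability). The log lines are constructed; the hostnames and user names are assumptions.

```python
import re
from collections import defaultdict

# sudo's default syslog line: "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Programs that hand the user an interactive shell: after this, sudo logs nothing more.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "su"}

# Constructed sample log (hostnames/users are made up), including one non-sudo line.
SAMPLE_LOG = """\
Jan 10 09:12:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/messages
Jan 10 09:15:44 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jan 10 09:16:02 db01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 10 09:20:30 db01 sshd[1234]: Accepted publickey for alice from 10.1.2.15 port 51022 ssh2
Jan 10 09:21:07 db01 sudo:    alice : TTY=pts/0 ; PWD=/opt/oracle ; USER=oracle ; COMMAND=/bin/bash
"""


def parse_sudo_log(text):
    """Return one event dict per sudo line; non-sudo lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["denied"] = ev["reason"] is not None          # "user NOT in sudoers", "3 incorrect password attempts", ...
        program = ev["cmd"].split()[0].rsplit("/", 1)[-1]
        ev["shell_escape"] = program in SHELLS
        events.append(ev)
    return events


def audit_trail(events):
    """Per-user summary: privileged commands run, target accounts used, denials, shell escapes."""
    trail = defaultdict(lambda: {"commands": 0, "denied": 0, "shell_escapes": 0, "targets": set()})
    for ev in events:
        entry = trail[ev["user"]]
        if ev["denied"]:
            entry["denied"] += 1
            continue
        entry["commands"] += 1
        entry["targets"].add(ev["target"])
        if ev["shell_escape"]:
            entry["shell_escapes"] += 1
    return dict(trail)


if __name__ == "__main__":
    for user, entry in audit_trail(parse_sudo_log(SAMPLE_LOG)).items():
        print(user, entry)
```

Shell escapes are the thing to review with the auditor: `bob` and `alice` each obtained a shell, so everything they did afterwards is invisible to this control and needs another one (session recording, or a sudoers policy that forbids shells).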
  • 15. ISO 27000
    • Applicable to all companies
    • ISO 27001 – ISMS requirements; comprehensive set of security controls (Annex A)
    • ISO 27002 – ISM best practices (code of practice for the controls)
    • ISO 27004 – Security metrics
        • Draft 12/2009.
  • 16. ISO27001
    • Grepping the standard:
      • Threat - 4
        • First: employees, contractors, third-parties
      • People vulnerabilities – 7
      • Malicious code - 3
      • Network – 16 times
      • Software – 30
        • 0 anti-virus
      • Audit - 9
  • 17. ISO27001
    • Grokking the standard
      • A well-constructed security taxonomy
        • Wraps controls in a straitjacket
        • Like PCI DSS
      • Forces organizations to engage in continuous assessment
        • Not continuous improvement
        • Like SOX
  • 18. Sarbanes-Oxley
    • SOX
      • Auditor independence
      • Corporate governance
      • Internal control assessment (404)
      • Enhanced financial disclosure (302)
    • Public Company Accounting Oversight Board (PCAOB)
      • Oversee, regulate, inspect &
      • Discipline accounting firms as auditors
  • 19. Sarbanes-Oxley
    • Applicable – US publicly traded firms
    • 404 – assessment of internal controls
      • Top down risk assessment
        • Understand the flow of transactions, including IT aspects, sufficiently to identify the points at which a misstatement could arise
        • Fraud
  • 20. Sarbanes-Oxley
    • Grepping 404
      • Threat - 0
      • People vulnerabilities - 0
      • Malicious code – 0
      • Network – 0
      • Software – 0
      • Audit – 1
  • 21. Sarbanes-Oxley
    • Grokking the law
      • Assess the issuer's internal controls and procedures for financial reporting.
        • SOX didn't prevent the latest crisis, and
        • Mark-to-market was part of SOX
      • But SOX is law.
  • 22. HIPAA
    • Privacy Rule
      • Disclose PHI to patients within 30 days
      • Track disclosures, policies, procedures
        • Paper and digital assets
    • Security Rule
      • Digital assets
      • Controls
        • Administrative, Technical, Physical
    • US Federal Gov adopted NIST RMF
      • See SP 800-66 Rev. 1
  • 23. HIPAA
    • Applicable
      • Health-care providers
      • Health-care information networks
  • 24. HIPAA
    • Grepping
      • Threat - 1
      • People vulnerabilities - 3
      • Malicious code – 0
      • Network – 0
      • Computerized systems – 2
      • Unauthorized use, access, disclosure - 3
      • Audit – 20
  • 25. HIPAA
    • Grokking
      • Person who maintains or transmits PHI shall maintain reasonable safeguards:
        • Integrity and confidentiality
        • Protect against any reasonably anticipated
          • Threats or hazards to the security or integrity of the information;
          • Unauthorized uses or disclosures of the information;
          • Ensure compliance
  • 26. Interim conclusions
    • PCI – data security, without risk analysis.
    • SOX – risk analysis, not data security.
    • HIPAA – data security and risk analysis (if you follow the NIST guidelines).
  • 27. Q&A: Where does DLP fit into compliance?
    • Invaluable tool for providing visibility and monitoring inbound/outbound transactions
    • Monitoring that provides input into the risk analysis process required by compliance regulation like SOX and HIPAA.
    • Provable security for compliance standards like PCI DSS 1.2 and ISO 27000
  • 28. II. Defining Project Objectives
  • 29. Enforce business process
    • Compliance is about enforcing business process.
      • PCI DSS: Get the transaction authorized without getting the data stolen
      • SOX: Sufficiency of internal controls for financial reporting
      • HIPAA: Disclose PHI to patients without leaks to unauthorized parties
    “If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed. The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.” – COSO, industry consortium to improve internal controls
  • 30. Compliance drivers and constraints
    • Accountability
    • Risk analysis
    • Provable security (demonstrable to an auditor, not the cryptographic sense)
    • Costs
    • Politics
  • 31. Accountability
    • The main charter of SOX
    • Non-compliant firms may be held accountable for data breaches
      • PCI DSS
        • Fines, Revocation of processing rights
      • ISO 2700x
        • Not
      • SOX, GLBA, HIPAA, State Privacy
        • Infrequent
  • 32. Examples
    • PCI DSS: Heartland Payment Systems
      • April 2008
        • PCI DSS compliant
      • Jan 2009
        • Size of breach unknown
        • Malicious code in the payment systems
      • December 2009
        • Class action suit dismissed
      • Jan 2010
        • $60M settlement to VISA
  • 33. Examples
    • HIPAA: CVS Caremark
      • Feb 2009
        • Agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations
        • Pharmacy employees threw pill bottles with patient information into the trash.
  • 34. Compliance and risk analysis
    • HIPAA
      • Federal agencies - NIST Risk analysis & management methodology
    • PCI DSS
      • Not specified
    • SOX
      • Requires top down risk assessment
      • You can choose your own methodology
  • 35. Risk analysis: Base classes
    • Assets
    • Vulnerabilities
    • Threats
    • Countermeasures
  • 36. Risk analysis: data security threat model (*)
    • Metrics: asset value, threat damage to asset, threat probability
    • Value at Risk = Threat Damage to Asset × Asset Value × Threat Probability
    (*) PTA – Practical Threat Analysis risk model
  • 37. Provable security
    • Always, usually, kind of ....
      • PCI DSS
        • Level 1 merchants: annual on-site assessment (Report on Compliance by a QSA)
        • Level 2-4 merchants: annual Self-Assessment Questionnaire
        • Quarterly ASV network scans at every level
        • Pushes validation out to acquirers and QSAs
      • HIPAA
        • Not specified in the law (believe it or not)
      • SOX
        • Annual audit
  • 38. Provable security
    • Network DLP in a monitoring role
    • Or as a last line of defense for PAN leakage in clear text
  • 39. Costs
    • SOX is expensive
      • ~ 1% of the US GDP
      • The SEC makes you do it
    • PCI is expensive
      • “ 71% of companies don’t consider PCI as strategic though 79% had experienced a breach” ( Ponemon Institute – June 09)
      • The golden rule
  • 40. Politics
    • IT: data security is “very important” (Forrester)
    • Management board: fraud/data theft can maim or destroy the company (Sarbanes-Oxley)
  • 41. III. Project planning and preparation
  • 42. 4 steps of Planning
    • Define the problem
    • Set a hypothesis
    • Measure pain
    • Prove your hypothesis
    The Scientific Method
  • 43. Typical data security implementation
    • Buy technology and services
    • Classify assets
    • Data at rest
    • Data in motion
    • Fail
  • 44. Why companies fail at DLP (why you lose control)
    • Issues unclear
      • Many vendors have DLP technology
        • Non-product differentiation
    • Divided camps
      • Nobody answers all requirements
        • Need a political sponsor
    • Loss of momentum
      • No business pain
      • No power sponsors
  • 45. Typical DLP project – valley of death (timeline diagram; labels only: Month 1, Month 5, Month 12-18; Logical & rational vs. Emotional & political; IT requirements, Compliance requirements, Capabilities presentation, Meet vendors, Talk to analysts, Evaluate alternatives, Losing control, Close project)
  • 46. Step 1 – Define the problem
    • Identify key business processes.
      • PCI DSS: new customer provisioning
      • SOX: produce the 10Q at end of quarter
      • HIPAA: provide PHI to patients with BPO
    nBusinessProcesses << nDocumentFormats: there are far fewer business processes than document formats, so define the problem in terms of processes, not content.
  • 47. Step 2 – Set a business pain hypotheses
    • Prove 2 hypotheses:
      • Data loss is happening now.
      • A cost effective solution exists that reduces risk to acceptable levels.
  • 48. H1: Data loss is happening
    • What keeps you awake at night?
    • What data types and volumes of data leave the network?
    • Who is sending sensitive information out of the company?
    • Where is the data going?
    • What network protocols have the most events?
    • What are the current violations of company AUP?
  • 49. H2: A cost effective solution exists
    • Value of information assets on PCs, servers & mobile devices?
    • What is the Value at Risk?
    • Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)
    • How much do your current security controls cost?
    • How do you compare with other companies in your industry?
    • How would risk change if you added, modified or dropped security controls?
  • 50. Step 3 – Measure data security metrics
    • Dimensions
      • organization, channel and content
    • Typical metrics
      • % of employees that signed the AUP
      • % Webmail traffic/all mail traffic
      • % Office files by Webmail/Employees
      • No. of revenue transactions
      • Cost of security for operational/revenue systems
      • Cost of security for customer service systems
      • Cost of security for F&A (finance and accounting) systems
      • Value of assets in Euro
      • Total value at risk of assets
  • 51. Why do we need metrics?
    • Recognize this?
      • The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.
    “Ignorance is never better than knowledge.” – Enrico Fermi
  • 52. Anything can be measured
    “All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man.” – Bertrand Russell
  • 53. Why bother quantifying risk?
    • Why not qualitative metrics?
    • When was the last time a customer paid a “qualitative price” ?
  • 54. Measurement methods
    • Hand sampling
      • Small samples of employees, routers...
        • The “Rule of 5” (Hubbard): there is a 93.75% chance that the population median lies between the smallest and largest of any 5 random samples
    • Expert estimates
      • The CFO
        • Pros at asset valuation
    • Test equipment
  • 55. DLP test equipment (same architecture diagram as slide 7: Data Warehouse, Document Server, Session, Detection point, Decoders, Policies, Interception, Countermeasures, Management, Provisioning, Events, Reporting, Forensics; sample intercepted session “Received: from [172.16.1.35] (-80-230-224-”, “Message ID:<437C5FDE.9080>”, “Send me more files today”)
  • 56. Step 4 – Prove/disprove hypotheses
    • Metrics: asset value, threat damage to asset, threat probability
    • Value at Risk = Threat Damage to Asset × Asset Value × Threat Probability
    (*) PTA – Practical Threat Analysis risk model
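The Value at Risk formula of slides 36 and 56 carried through on a small asset/threat/countermeasure table, as an added example in Python (not the deck's own material and not the PTA tool). The assets, values, damage fractions, annual probabilities, countermeasures and mitigation fractions are all constructed assumptions, loosely shaped after the case-study metrics of slide 81; the model also assumes that independent mitigations of the same threat combine multiplicatively. It shows the step the slides leave implicit: ranking countermeasures by VaR reduction per unit cost before spending the budget.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float            # currency units, from the CFO/CTO valuation


@dataclass
class Threat:
    name: str
    asset: Asset
    damage: float           # fraction of asset value lost if the threat materialises (0..1)
    probability: float      # annual probability of occurrence (0..1)

    def value_at_risk(self):
        # Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability
        return self.damage * self.asset.value * self.probability


@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigation: dict = field(default_factory=dict)   # threat name -> fraction of that threat's probability removed


def total_var(threats):
    return sum(t.value_at_risk() for t in threats)


def residual_var(threats, countermeasures):
    """VaR left after applying the countermeasures (assumption: mitigations are independent)."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for cm in countermeasures:
            remaining *= 1.0 - cm.mitigation.get(t.name, 0.0)
        total += t.value_at_risk() * remaining
    return total


def rank_countermeasures(threats, countermeasures):
    """(name, VaR reduction, cost, reduction per unit cost), best ratio first; each evaluated alone."""
    base = total_var(threats)
    ranked = []
    for cm in countermeasures:
        reduction = base - residual_var(threats, [cm])
        ranked.append((cm.name, reduction, cm.cost, reduction / cm.cost))
    return sorted(ranked, key=lambda r: r[3], reverse=True)


def build_model():
    """Constructed numbers (assumptions, not measurements)."""
    financials = Asset("Quarterly financials (draft 10-Q)", 2_000_000)
    ip_docs = Asset("Product IP documents", 5_000_000)
    oracle = Asset("Oracle apps availability", 3_000_000)
    threats = [
        Threat("10-Q leak via webmail", financials, damage=0.5, probability=0.3),
        Threat("Contractor exfiltration of IP", ip_docs, damage=0.4, probability=0.2),
        Threat("Lost or stolen notebook", ip_docs, damage=0.1, probability=0.9),
        Threat("Oracle apps outage", oracle, damage=0.2, probability=0.05),
    ]
    countermeasures = [
        Countermeasure("Network DLP on webmail", 80_000,
                       {"10-Q leak via webmail": 0.7, "Contractor exfiltration of IP": 0.3}),
        Countermeasure("Full-disk encryption on notebooks", 20_000, {"Lost or stolen notebook": 0.9}),
        Countermeasure("Contractor VDI (no local copies)", 150_000, {"Contractor exfiltration of IP": 0.8}),
    ]
    return threats, countermeasures


if __name__ == "__main__":
    threats, cms = build_model()
    print(f"Baseline VaR: {total_var(threats):,.0f}")
    for name, reduction, cost, ratio in rank_countermeasures(threats, cms):
        print(f"{name:36s} reduces VaR by {reduction:>9,.0f} for {cost:>8,.0f} (ratio {ratio:.2f})")
    print(f"Residual VaR with all three: {residual_var(threats, cms):,.0f}")
```

With these numbers the cheapest control (disk encryption) buys the most risk reduction per unit cost, and the expensive VDI project comes last; that ordering, not the absolute VaR figures, is what the iteration with the CFO, CTO and CIO in slide 79 is meant to produce.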
  • 57. IV. Project Implementation
  • 58. Assumptions
    • Layer 2 content interception
    • Bi-directional
    • Policy-based
      • Organization entity: IP/LDAP/AD
      • Channel entity: TCP/IP envelope
      • Content entity: recursive content analysis (c/a)
    • Detect structured content
  • 59. 4 implementation layers
    • Network topology
    • Interception points
    • Policy
    • Forensics
  • 60. Layer 1 - Network topology
    • We will consider 3 basic network topologies:
      • IT Operations
      • Trusted insiders
      • Application services
  • 61. IT Operations – PCI DSS 1.2, HIPAA (network diagram; labels only): Server Land and User Land; subnets 10.1.1.x, 10.1.2.x, 192.168.5.x, 192.168.4.x; Sensor, Management, Oracle, SMB, AD/OpenLDAP, Web, Mail, Clients
  • 62. Trusted insiders – HIPAA (network diagram; labels only): User Land with Clients, Sensor, Management; the Internet: Facebook, LinkedIn, MySpace, Gmail, Yahoo!, Proxies, Blogs, competitors
  • 63. Customer/partner facing services (network diagram; labels only): Server Land with Web application services (PHP, ASP, JSP…), Middle tier, Web server, Third-party, Oracle, DB2, SMB, AD, Web, Mail; subnets 10.1.1.x, 10.1.2.x, 192.168.5.x, 192.168.4.x; Clients, Sensor, Management
  • 64. Layer 2 – Interception points
  • 65. Layer 2 – Interception guidelines
    • Intercept inside network for internal data leakage
    • Intercept at perimeter for outbound or inbound data security violations
    • Network taps are preferable to switch mirror (SPAN) ports
      • Better performance: a passive tap sees every frame, while a SPAN port on a busy full-duplex link is oversubscribed and silently drops packets
      • Can aggregate several links into one sensor
  • 66. Layer 3 – Policy, object view
    • Policy := ChannelRules + OrganizationalRules + ContentRules
    • For example:
      • PCI_DSSPolicy = ContentRules
        • ContentRules = Detect tuples:
          • {PAN, name}
          • {PAN, CVV}
          • {PAN, SSN, name}
          • {PAN, name,phoneNumber}
  • 67. Layer 3 – Policy, crime view
    • Means
      • Multiple accounts
    • Opportunity
      • Multiple channels
    • Intent
      • Jérôme Kerviel
      • Albert Gonzalez
  • 68. Policy development
    • Use your system as test equipment
      • Write a fingerprint
      • Wrap it with a rule
      • Alert, drop or block
      • Create a policy
      • Update sensor
    • Business process use cases
      • Not content classification
  • 69. Detect structured content
    • Detect PII, PHI
      • Think about SQL queries…
      • Credit card identification algorithm
      • PII (personally identifiable information)
      • Custom structures
        • e.g. system billing records…
  • 70. Use case – PCI DSS
    • PII and PublicWebSiteServers
    • MarketingDataShare and PaymentFTP
    • LDAP and PII and WindowsServers and Size > 5MB
  • 71. Use case - HIPAA
    • DBA and “SELECT id_number FROM patient_accountmaster” and NOT “WHERE” (a bulk dump of patient identifiers with no row filter)
    • PHI and telnet (PHI over a clear-text protocol)
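The policy object of slide 66, the structured-content detection of slide 69 and the use cases of slides 70 and 71 fit in one small engine. Below is an added example in Python (not the deck's or any vendor's code): a PAN detector that requires an issuer prefix/length match and a Luhn check, a few content detectors, and rules that combine organizational, channel and content entities into alert/drop/block decisions. The sessions are constructed; the group names (`MarketingDataShare`, `PublicWebSiteServers`, `DBA`, ...) and the detector regexes are assumptions, and the brand table covers only four schemes. The second session is there to show why Luhn alone is not enough: it carries a Luhn-valid 16-digit order number that is not a card.

```python
import re
from dataclasses import dataclass, field

# Candidate PANs: 13-19 digits with optional single space/dash separators, not inside a longer digit run.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Issuer prefix/length table (constructed for the example; extend for local card schemes).
BRANDS = [
    (re.compile(r"4"), {13, 16, 19}),                            # Visa
    (re.compile(r"5[1-5]|2(2[2-9]|[3-6]\d|7[01]|720)"), {16}),   # Mastercard
    (re.compile(r"3[47]"), {15}),                                # American Express
    (re.compile(r"6011|65|64[4-9]"), {16, 19}),                  # Discover
]


def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Candidates that pass both the issuer table and Luhn (Luhn alone passes 1 in 10 random numbers)."""
    hits = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if any(p.match(digits) and len(digits) in lens for p, lens in BRANDS) and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Session:                  # one intercepted session as reassembled by the sensor
    src_user: str
    src_groups: set             # organization entity, resolved via LDAP/AD
    dst_host: str
    dst_groups: set
    protocol: str               # channel entity
    size: int
    content: str


DETECTORS = {
    "PAN": lambda s: bool(find_pans(s.content)),
    "CVV": lambda s: bool(re.search(r"\bCV[CV]2?\s*[:=]?\s*\d{3,4}\b", s.content)),
    "name": lambda s: bool(re.search(r"\b(?:[Nn]ame|[Cc]ardholder)\s*[:=]\s*[A-Z][a-z]+ [A-Z][a-z]+", s.content)),
    "SSN": lambda s: bool(re.search(r"\b\d{3}-\d{2}-\d{4}\b", s.content)),
    # slide 71: SELECT on the patient master with no WHERE clause in the statement, i.e. a bulk dump
    "bulk_patient_select": lambda s: bool(re.search(
        r"SELECT\s+id_number\s+FROM\s+patient_accountmaster\b(?![^;]*\bWHERE\b)", s.content, re.I)),
}


@dataclass
class Rule:                     # Policy := ChannelRules + OrganizationalRules + ContentRules
    name: str
    content: tuple              # every named detector must fire (the tuples of slide 66)
    src_groups: set = field(default_factory=set)   # empty = any
    dst_groups: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    min_size: int = 0
    action: str = "alert"       # alert | drop | block

    def matches(self, s):
        return bool((not self.src_groups or self.src_groups & s.src_groups)
                    and (not self.dst_groups or self.dst_groups & s.dst_groups)
                    and (not self.protocols or s.protocol in self.protocols)
                    and s.size >= self.min_size
                    and all(DETECTORS[c](s) for c in self.content))


def evaluate(policy, session):
    """(rule name, action) for every rule the session violates."""
    return [(r.name, r.action) for r in policy if r.matches(session)]


# Policies in the shape of slides 66, 70 and 71; group names are assumptions.
PCI_DSS_POLICY = [
    Rule("PAN+CVV anywhere", ("PAN", "CVV"), action="block"),
    Rule("PAN+name to public web servers", ("PAN", "name"), dst_groups={"PublicWebSiteServers"}, action="block"),
    Rule("PII from marketing share over FTP", ("PAN", "SSN", "name"),
         src_groups={"MarketingDataShare"}, protocols={"ftp"}, action="drop"),
    Rule("Large PII transfer to Windows servers", ("PAN", "name"),
         dst_groups={"WindowsServers"}, min_size=5 * 1024 * 1024),
]
HIPAA_POLICY = [
    Rule("DBA bulk patient id dump", ("bulk_patient_select",), src_groups={"DBA"}),
    Rule("PHI over telnet", ("SSN",), protocols={"telnet"}, action="block"),
]

# Constructed sessions (not real traffic); 4111 1111 1111 1111 is a standard test PAN.
SESSIONS = [
    Session("alice", {"MarketingDataShare"}, "ftp.partner.example", {"PaymentFTP"}, "ftp", 2048,
            "Name: John Smith\nCard: 4111 1111 1111 1111 CVV: 123 SSN: 123-45-6789"),
    Session("www-data", {"WebServers"}, "www.example.com", {"PublicWebSiteServers"}, "http", 512,
            "Order 1234567812345670 for cardholder = Jane Doe"),   # Luhn-valid, but no issuer prefix
    Session("dba1", {"DBA"}, "oracle01", {"DBServers"}, "sqlnet", 300,
            "SELECT id_number FROM patient_accountmaster;"),
    Session("dba1", {"DBA"}, "oracle01", {"DBServers"}, "sqlnet", 300,
            "SELECT id_number FROM patient_accountmaster WHERE id_number = 42;"),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s.src_user, "->", s.dst_host, evaluate(PCI_DSS_POLICY + HIPAA_POLICY, s))
```

Note the order of checks in `Rule.matches`: the cheap organizational and channel tests run before the content detectors, which is how a sensor keeps up at line rate; and the first session fires two rules with different actions, so the engine that consumes this list still has to decide that block wins over drop.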
  • 72. Layer 4 - Forensics
    • Must be able to retrieve original files and session envelope
  • 73. PCI DSS Forensics
  • 74. V. Case study
  • 75. SOX
    • Customer must perform IT security as part of the annual SOX audit
      • We will see how we use threat modeling to take data we collected and prioritize the implementation
  • 76. Problem definition – SOX IT compliance
    • Risk management
      • Monitored and managed?
    • Policies and procedures
      • Adequate?
      • Up to date?
      • Understood
    • Controls
      • Implemented and effective?
    • Performance
      • Compliance met?
      • Issues with third party relationships?
  • 77. Project objective 1- Coherence
    • Impossible to take right decision when intelligence is in silos
      • FBI investigates
      • CIA analyzes
      • No one bothered to discuss impact of Saudis learning to fly but not how to land planes.
  • 78. Project objective 2 - Sustainability
    • Senior executives must lead:
      • Recycle controls and policies
      • Don't throw out previous work
      • Abstain from NIH (not-invented-here)
  • 79. Measurement
    • Face to face interviews with 10 – 20 employees
    • Collect data using network DLP appliance
    • Value assets with CFO, CTO, IPR and CIO inputs
    • Run threat model and iterate with CFO, IPR, CTO and CIO
  • 80. Key Business processes
    • End of quarter reporting
    • Contractors in Far East that have access to company IP
    • Software deployment process
  • 81. Metrics
    • Two week sample period
      • No. notebooks lost/stolen - 1/month
      • No. employees who signed AUP - 0
      • Web mail traffic vs. Exchange traffic – 35% of all traffic was Web mail.
      • No. of new project IP documents < 10 off authorized channel.
      • Oracle apps downtime - 0 during 7 years
  • 82. SOX Threat model
    • See the Practical Threat Analysis model
  • 83. Conclusions
    • Data security is a powerful tool for compliance when used properly
    • Assure and improve business processes not classify and discover data
    • Risk analysis is central to success
    • 4 step planning process
    • 4 layer implementation
  • 84. Questions?