Information Security in the Age of Wikileaks


Presentation focused on new threats to information security and what you can do about them.

  • Thank AITP for having me.
  • That means read, update, write, delete.
  • Everyone wants their data to be consistent. No one wants their checking account balance or their mortgage balance to fluctuate day to day unless they are writing checks. You don’t want your resume on Monster to change unless you change it.
  • You want your information and data to be there when you need it. Ever go to your favorite website only to be told “Under maintenance, please check back later”. Imagine you go to Gmail one day and ALL of your email is gone. You have a “welcome to Gmail” message and that’s it. That’s what happened to 144,000 gmail users a few months back.
  • I only put this slide up because this website is what got a lot of businesses and government agencies thinking about their information security.
  • Would require companies to notify consumers in clear language when their data is being collected and oblige them to keep that information safe from hackers. The bill, if it becomes law, would require companies to tell consumers why data was being collected, whom it would be shared with and how it would be safeguarded. (Gramm-Leach-Bliley?) Epsilon marketing data breach: how many got emails? Red Flag Program Clarification: the Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs (or "red flags") of identity theft in their day-to-day operations. Huge compliance implications, particularly for large national or international organizations.
  • As we have moved from an agrarian to an industrial to a knowledge- and service-based economy, IP has become our most important asset collectively. IP isn’t new, but its importance and value may not be readily recognized by most companies. Big exception: Coca-Cola. The formula has remained secret for 125 years.
  • Employee is at son’s soccer game. Project team sends an email. If the employee can access email via a mobile device, the question gets answered almost immediately, with no delay. If the employee cannot get email, the decision is delayed until the next business day. If the employee is hourly and is answering email after hours, that employee may be eligible for overtime.
  • Easy to conceal, high capacity.
    1 GB: 894,784 pages of plaintext (1,200 characters); 4,473 books (200 pages or 240,000 characters); 341 digital pictures (3 MB average file size); 256 MP3 audio files (4 MB average file size).
    1 TB: 916,259,689 pages of plaintext (1,200 characters); 4,581,298 books (200 pages or 240,000 characters); 349,525 digital pictures (3 MB average file size); 262,144 MP3 audio files (4 MB average file size); 1,613 650 MB CDs; 233 4.38 GB DVDs.
    Not only for extraction of data: these devices can also be used as keyloggers.
  • WiFi is everywhere. There is now a theory that it is killing honey bees. It sure makes it easy to communicate.
  • Social Media. Do your employees have the right to post whatever they want on Facebook, Twitter, etc.? Not a lot of legal precedent. Labor law is the biggest area of concern: employee rights vs. employer rights (free speech, IP protection, etc.).
  • Governance: you can’t walk down the hall and ask who has access. Can’t walk down the hall to get help. Where is your data? Is your data in the USA? Europe? India? South America? Privacy laws are different in those countries. As the cloud provider (CP) grows, roles and responsibilities will change. Will you be aware of changes as they occur?
    Multi-tenancy: virtualization means your data and infrastructure may be on shared physical devices (processors, disk drives, network segments). Complexity in virtualization increases the risk of mistakes. Recent issue with a major US bank whereby customers with similar last names were able to log in and see information for others due to a database glitch. Easy for this to occur in the cloud as well.
    Commingling: SaaS works by sharing the app and infrastructure. How will your data be segregated? Separate database? Key database field? How will this impact your ability to move your data?
    Data deletion: if you change providers and transfer data to the new provider, what happens to the data at the old provider? In many cases it may be mixed in with other customers’ data (, Bullhorn, etc.). Will the CP really go to the trouble of fully deleting all your records, or merely deactivate them? If you don’t pay your bill, can the CP delete your app, data, etc.?
    Legal: if your data is on a shared SAN with another customer whose data gets subpoenaed, will the agency make a copy for you to continue using your data? Probably not. Will probably result in downtime.
  • Acceptance means you had better have a good response and recovery program. Transfer: cyber insurance is becoming quite popular; it is different from business interruption insurance. Mitigate: develop controls in line with risks using cost/benefit analysis.
  • MSSP: think of it as “cloud-based security”. DLP: very complex systems intended to reduce the threat of a Wikileaks-style leak; highly process oriented; highly dependent on data classification and security architecture. Cyberinsurance: business interruption insurance will not cover costs associated with a data breach (you are still in business), and costs can be astronomical. Cyberinsurance covers privacy and security liability, crisis management, cyber extortion, and media or web content liability.
  • These are the basics of information security: inexpensive, effective, largely ignored. There is no silver bullet.
  • Without a written document all you really have is hearsay. If policies are formalized and integrated into organizational culture, then any non-compliance can be dealt with according to pre-established guidelines that the employee has signed off on. Policies help ensure consistent behavior by clearly communicating what is acceptable, clearly assigning responsibility and, equally important, defining the consequences of non-compliance. They empower security staff to enforce management intent that may not be popular with system users. How many times have you thanked the security team for implementing firewall rules that don’t allow you to check Facebook several times a day? Policies must be updated! Does your organization have a formal policy regarding the use of internet data storage like Google Docs or Microsoft Windows Live? What about a policy regarding the use of USB memory sticks? Does your company or organization have a formal policy regarding the use of unsecured wi-fi networks using your company laptop? All of these are examples of recent technology trends that have created new security threats. Most organizations have not updated their policies to address these new threats.
  • Defining data classifications allows relative value to be placed on different types of data. It also helps to reduce the likelihood of unauthorized theft or disclosure of data, since confidential and secret data should be better protected.
  • It does not make economic sense to protect product marketing brochures that are available on the company website at the same level as draft merger and acquisition contracts. If you spend too little, you risk loss or disclosure of information as a result of inadequate security. If you spend too much, you are wasting money that could be spent in other areas such as updating plant and equipment or, at the very least, having a negative impact on productivity as employees waste time navigating unnecessary security measures and recovering overly complex forgotten passwords. How much is the Coca-Cola formula worth? How much would they spend to protect it? What is your company’s IP worth? What would a data breach cost your company?
  • People are different and have different goals and objectives, many of which are not concerned with maintaining the security of an organization’s data. If the CFO’s Administrative Assistant has been told that the auditors “have to have this spreadsheet in their email by 5pm”, but the corporate email system won’t allow the attachment because it is too large, he will use whatever means necessary to accomplish that objective. Security be damned. He may use his personal email that has no size restrictions on attachments. He may place the spreadsheet out on Google Docs in order to share it with the auditor. He may place the spreadsheet on a USB memory stick and hand it to the auditor. All of these methods may be in direct violation of the security policies (if they exist). Security policies have to be constantly reinforced with training and real world examples in order to be effective. Otherwise they are soon forgotten, like the chemistry formulas memorized the night before a test.
  • Information Security in the Age of Wikileaks

    1. Information Security
       In the Age of Wikileaks
       David Barton
       Principal, UHY LLP
    2. Objectives
       Basics of Information Security
       New Threats
       New Techniques
       Back to Basics
       © 2011 UHY LLP
    3. Basics of Information Security
       Confidentiality
       Integrity
       Availability
    4. Basics of Information Security
       Confidentiality: ensuring information is accessible only to those authorized to have access
    5. Basics of Information Security
       Integrity: assurance that data is consistent, certified and can be reconciled; cannot be modified without detection
    6. Basics of Information Security
       Availability: ensuring information is accessible and ready to use
    7. Wikileaks
       International non-profit organization that publishes submissions of private, secret, and classified media from anonymous sources
       Founded 2006
       Became a household name in October 2010 when they published 400,000 documents related to the Iraq war
    8. What’s New
       New privacy legislation
       IP more important than ever
       Mobile computing
       Data storage
       Wireless computing
       Social Media
       Cloud Computing
    9. What’s New
       New privacy legislation almost daily
       April 2011: Kerry and McCain introduce federal consumer privacy bill
       December 8, 2010: the U.S. House of Representatives approved the Social Security Number Protection Act of 2010 (S. 3789)
       December 18, 2010: President Obama signed into law the Red Flag Program Clarification Act
       California and Massachusetts have very strong personal information privacy laws, other states following
    10. What’s New
       Intellectual Property
       Estimated value of more than $5 trillion
       Over 33% of value of all US corporations
       Includes: software, music & film, patents, formulas
    11. What’s New
       Mobile computing
       Employee-owned smartphones will represent over half of business smartphones shipped by 2013
       54% of employees already use their own mobile devices for business purposes (sanctioned or not) [1]
       2/3 of IT organizations say maintaining security for mobile is their primary concern [2]
       1 – Yankee Group Survey; 2 – CIO / Computerworld survey
    12. What’s New
       Data Storage
       Cell phones can store many gigabytes
       iPod can be used as a portable drive
       USB flash drives: 128 GB are common
       Cloud: Google Docs, Amazon, etc.
       USB portable drives: 2 terabytes the size of a pack of cigarettes
    13. What’s New
       Wireless computing
       Over-the-air transmission of all kinds of data, including IP
       Almost ubiquitous: Dec ‘95 – 13%; Dec ‘10 – 96%
       Public access is not always secure
    14. What’s New
       Social Media: you must protect against
       Disclosure of confidential data
       Solicitation of employees
       Solicitation of customers
       Defamation
       Negative publicity
    15. What’s New
       Cloud Computing
       Loss of governance (control): no longer fully aware of who has access, where data is, roles/responsibilities
       Multi-tenancy: not an issue in private computing
       Commingling: will your data be mixed in with other clients’? How will it be segregated?
       Ineffective data deletion: if you change providers, does your data get destroyed?
       Legal issues: if Company A has their data subpoenaed and your data is also on the same physical device, what happens to your data?
    16. What to Do???
       Risk can be:
       Accepted (no action taken)
       Transferred (bonding, insurance)
       Mitigated (create controls)
    17. New Techniques
       MSSP – Managed Security Service Providers: remote perimeter management, managed security monitoring, content filtering, penetration testing
       DLP – Data Leak Prevention
       Cyberinsurance
    18. Back to Basics
       Policies, policies, policies
       Data classification
       Invest in security
       Training
    19. Policies
       Why are policies important?
       They ensure upper management involvement
       They outline expectations
       Best and least expensive way to communicate
       They are a permanent record of the organization’s intent
       They enable enforcement
    20. Data Classification
       Public or non-classified
       Internal use: only for use inside the organization
       Confidential: should be strongly protected against unauthorized use and disclosure
       Secret: very limited access with very strong protection
    21. Invest in Security
       Appropriate security spend depends on data classification
       Understand cost / benefit
       Invest more to protect top secret data
       Invest less to protect public or internal data
    22. Train your People
       People are the weakest link: everyone is different; goals and objectives don’t always align
       “Why” is important: not enough to know what the policy is, also need to know why it is in place; lots of examples help reinforce
       Train often: people forget, so they have to be reminded; new threats every day
    23. Questions?
    24. David Barton, Principal
       UHY LLP
       Five Concourse Parkway
       Suite 2430
       Atlanta, GA 30328
       678-602-4490
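Slide 5 defines integrity as data that "cannot be modified without detection", and the speaker notes give the account-balance example. The following is an added illustration of the standard mechanism behind that property; it is not part of David Barton's deck or any UHY LLP material. It seals a constructed record with a keyed message authentication code (HMAC-SHA-256) and shows that an edit to the stored balance is detected when the verifier holds a key the storage layer does not, while a plain unkeyed checksum only catches accidental corruption. The record contents, field names and the freshly generated key are all assumptions made for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record: the kind of data the deck says nobody wants to
# see change unless they changed it themselves.
RECORD = {"account": "12345", "balance_cents": 250_000, "owner": "A. Example"}

# Assumed: the verifying system holds a secret key that whoever stores or
# transports the record does not have. Generated fresh here for the demo.
KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always
    yields identical bytes (fixed key order and separators)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Attach a keyed tag that only holders of `key` can compute."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time. False means the
    record or its tag changed since sealing."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def unkeyed_checksum(record: dict) -> str:
    """A plain SHA-256 digest: useful against accidental corruption only,
    because anyone who can edit the record can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def demo() -> dict:
    """Run the cases a practitioner cares about and return the outcomes."""
    sealed = seal(RECORD, KEY)
    untouched_ok = verify(sealed, KEY)

    # Case 1: the stored balance is edited but the tag cannot be recomputed
    # without the key, so verification fails and the change is detected.
    tampered = {"record": dict(sealed["record"], balance_cents=1), "tag": sealed["tag"]}
    tampered_detected = not verify(tampered, KEY)

    # Case 2: with an unkeyed checksum, the same edit plus a recomputed
    # checksum passes, so no modification is detected.
    edited = dict(RECORD, balance_cents=1)
    stored = {"record": edited, "sum": unkeyed_checksum(edited)}
    checksum_fooled = unkeyed_checksum(stored["record"]) == stored["sum"]

    return {
        "untouched_ok": untouched_ok,
        "tampered_detected": tampered_detected,
        "checksum_fooled": checksum_fooled,
    }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used rather than `==` so that the comparison time does not depend on how many leading bytes match. An HMAC gives integrity and origin assurance only to parties that share the key; where the verifier must not be able to produce tags itself (an auditor checking records the business signed, for instance), a digital signature is the corresponding tool.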