SANS WhatWorks - Compliance & DLP

Presentation given by Nick Selby, Trident Risk Management at SANS WhatWorks in Data Leakage Prevention, New Orleans, 2010

  • Brian Krebs on the increasing levels of data loss through paper.
  • In July, 2002, Mayor Bloomberg raised the tax on cigarettes in New York City to ensure that they would have a minimum sales price of $7.50 a pack. This was done, he said, to spare the city the expense of thousands of smoking-related deaths and illnesses each year. The city backed this up with smoking cessation education, programs and support. Smoking has declined 27% in New York City since the tax was introduced; smoking-related deaths are down from more than 200 per 100,000 in 2002 to about 160 per 100,000 in 2007. Teen smoking fell from 18% of New York City teenagers in 2001 to 8.5% in 2007.
  • Transcript

    • 1. Sleeping With The Enemy:
      Better Living Through Hacking Compliance (budgets)
      Or
      Navigating the Corridors of the
      Compliance Industrial Complex
      January, 2010
    • 2. In a nutshell
      Compliance != Security
      A selection of frothy rants about PCI in particular, then
      “But Nick? What can I, a mere infosec professional, do?”;
      A New and Improved Way to Articulate Risk;
      Scattered throughout: Propaganda, crypto-advertising for TRM (when you engage TRM as a consultant, you and your boss become measurably more attractive to the opposite sex.)
    • 3. Compliance != Security
      Compliance == Compliance
      Are you
      {compliant|secure}
      like this guy is {compliant|secure} ?
    • 4. Compliance & DLP
      What the hell does a rant about compliance have to do with DLP?
      Well, if you’re like most infosec professionals,
      You’re tasked with reducing data loss; and
      You’re tasked with increasing compliance tasks and reducing audit dings for, you know, everything
      I aver these goals are in conflict
    • 5. DLP is not a Technology Issue
      Ironically, this is being presented at a conference called, WhatWorks in DLP
      Note, ladies and gentlemen, the Red Square of Death.
      Image: The 451 Group, Mind The Data Gap, June 2008, http://www.the451group.com
    • 6. Why Rulesets Exist
      Ruleset writers aren’t evil, but they are reactive
      SOX, HIPAA, PCI – all were in response to a specific problem
      All attempt to raise the level of overall “security”
      How they do so is the problem
      Some rulesets are less cynical than others
    • 7. PCI on PCI
      “The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.”
    • 8. “Not worthless.”
      “I do not believe the PCI Standards are worthless; in the absence of other requirements, they do serve some purpose. But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that.”
      -Rep. Yvette D Clarke (D-N.Y.)
      chairwoman of the Subcommittee On Emerging Threats, Cybersecurity and Science and Technology,
      Committee on Homeland Security
    • 9. The PCI Dilemma
      PCI says it wants to “raise the bar” by setting forth some highly specific tasks and standards.
      Unfortunately, they are specific to a paradigm gone by, and those who don’t comply get fined and hassled.
      For offloading risk from card brands, PCI has raised the bar.
      For data security, not only has PCI not “raised the floor,” it has substantially lowered the ceiling.
      Because it is expensive in terms of money and resources, PCI is not the minimum standard; it is the maximum effort that many organizations make.
    • 10. Why Compliance is InfoSec’s Problem
      As punishment for making everything so complicated, information security professionals have been saddled with compliance management.
    • 11. OK, here’s really why…
      Enron. Yelling.
      SOX.
      “Oh, crap – who’s going to deal with this? Hey! Information Security!”
    • 12. The CEO should do better
      The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk.
      That is a fiduciary breach of his responsibility to shareholders. In addition to firing his ass, this should also be a floggable offense.
    • 13. Here’s why present-day implementations of PCI are not just not good for security, but why they’re antithetical to good security.
    • 14. Setting The Bar … at 1984
      We’re in an Orwellian IT universe, and criminals are Big Brother
      They have better configuration management data on us than our own information security groups.
      They know exactly what we’re doing because PCI tells them what we’re doing.
      They have rapidly evolving and advanced persistent threats, new generations of attack tools and a wildly changed attack paradigm
      We have anti-virus and IDS/IPS and firewalls
    • 15. When Rules & Taxes Matter
      When government wishes to discourage a behavior, it has options:
      It can shunt it off to someone else (“Faith Based Community Initiatives,” etc.)
      It can tax it
      It can legislate it
      Taxes and legislation clearly discourage behaviors…
    • 16. Smoking in New York City
      March, 2003: Smoking banned at NYC restaurants, bars, nightclubs
    • 17. Smoking deaths in NYC
    • 18. Teen Smoking Rates in NYC
      * no data available for 2007
    • 19. Now, let’s look at how well PCI has worked to prevent loss of PII
    • 20. Records Lost…. (chart; annotated with the PCI DSS releases: 1.0, 1.1 in 2006, 1.2 in 2008)
    • 21. Records Lost…. (same chart, dated: PCI 1.0 Dec 2004, PCI 1.1 Sept 2006, PCI 1.2 Oct 2008)
    • 22. Records Lost Per Breach
    • 23. An opposing view
    • 24. A retort
      “From all accounts it appears that many of the murders and drug-smuggling operations can be attributed to the Mafia. What would the world look like if we ignored their crimes when measuring the success of policing efforts?”
    • 25. Statistics Manipulation
      Of course, I’m being intellectually dishonest with my statistics on PCI.
      In the slides about smoking we deal with known and proven risks and threats.
      The PCI council behaves as if it does too, but security is a dynamic, transactional environment comprising constantly evolving technology. PCI makes specific statements about security which are suspect at any point in time, let alone across a continuum, and pretends it’s delivering a consistent effect against a static equation.
      Logicians call this behavior “Stupid.”
      Okay, they call it “Confounded thinking.”
    • 26. The Trouble With PCI
      SOX, HIPAA, etc made their goals clear and the means vague. This caused confusion, but the market sorted it out.
      PCI is a compilation of hunches on how to prevent breaches: the specific means to the desired end (that is, to offload risk onto merchants).
      How about not confusing the means and end? Just punish the failure to secure data, and let the free market figure out how best to prevent breaches.
    • 27. PCI is a Protection Racket by a Cabal.
      Ponemon 2009 PCI DSS Compliance Study:
      71% of companies don’t treat PCI as a strategic initiative
      79% have experienced a data breach
      56% don’t believe PCI compliance improves their data security posture
      60% say they can’t achieve PCI compliance
      Recent studies say 30% of the IT security budget is spent on PCI compliance
      Let’s call it 20%. TWENTY PERCENT. Plus, when you’re breached, you got your fines and your publicity hit. That’s a regressive, unofficial tax for which we get back nothing. And the card brands get to offload risk onto merchants.
    • 28. If we’re gonna tax, let’s tax… THE D’OH!TAX
      a. $1,000 per record breached;
      b. Raises $250,000,000,000 for deficit reduction – WHAT bailout?;
      c. Replaces all PCI requirements;
      d. All other fines & reporting requirements still apply
      Fun Fact: This tax will hit many banks!
    • 29. While I’m in Fantasy Land…
      I also want a pony.
    • 30. What is to be done?
    • 31. First of all…
      Join the rebel alliance.
      Don’t let a dismal failure be held up as a success:
      Loose lips sink ships - let’s sink one: be vocal about PCI failures and how they affect your job, your happiness and your effectiveness as an info-security pro.
      Because if you don’t speak up, other rule-writers will hold up PCI as the model of how this stuff should be done.
    • 32. Be Constructive
      Rather than berate something which isn’t going away, let’s work to change these arbitrarily objective compliance overviews like PCI into subjective risk analysis tools.
      Let’s be wiser about how we look at PCI and use it as a lever to free up budget funds for things that we, as security professionals, believe will positively impact the bottom line.
    • 33. Then…
      Reduce the suck.
      Work the system as best you can.
      Question – loudly – things that seem like window-dressing. Ask, “What is the intent of this?”
      Use compliance requirements to justify spending on sensible things, like greatly expanding pen testing, or setting up an incident response workbench.
    • 34. Compensating Controls
      If you are not engaged deeply with your QSA in substantive conversations regarding compensating controls, you either don’t care, or:
      You don’t understand your environment;
      You don’t understand the requirements; and
      You are wasting lots of money on PCI.
      You pay those people.
      Make them work for you.
    • 35. Let’s Get Back To Basics
    • 36. “If you can’t measure, you can’t improve.”
      Well, yeah, but…
      Right now, we’re counting things that help the vendors sell us stuff.
      Not only do we count these things, we let vendors tell us how important one is relative to another!
      It’s fine to count things, but if you’re counting the things that matter to the vendors, not to your business, you’re not doing yourself any favors
      According to this, everything’s getting better! Awesome!
    • 37. Every business is different
      A fashion house can’t tell a media firm what’s important; hell, one media firm can’t tell another what’s important.
      This is not just cross industry – it’s true in the same company three months later!
      Each pen tester, each auditor will have different results even in the same company
    • 38. This is so not news
      Andy Jaquith, Dan Geer, Betsy Nichols, et al have been talking about this for a wicked-long time.
      Yet in conversations around the country, the counting thing is still mainly based on:
      • Threats – viruses and navel-gazing thereof;
      • Vulns – and the relative terror thereof
    • 39. Metrics Must Be Business Focused
      Count business processes.
      Count internal communications traffic volume.
      Count internal-to-external traffic volume
      Count incident response time.
      Count to learn what you care about.
      Then count what you care about.
      Don’t conflate risk and threat – don’t count threats and call the resultant pool of metrics a collection of risk.
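As an added illustration of the counting that slide 39 recommends, here is example code that is not from the presentation or from Trident Risk Management. It sums traffic volume by direction, using the RFC 1918 private ranges as the assumed definition of “internal” (replace them with your own address plan), and computes detection-to-containment time per incident along with the median, over sample flow and incident records constructed for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: RFC 1918 space is "internal". Substitute your real address plan.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_flows(flows):
    """Sum bytes by direction from (src, dst, bytes) records.

    Returns totals for internal-only, internal->external and
    external->internal traffic; external->external flows are ignored
    because they are not the business's traffic to count.
    """
    totals = {"internal": 0, "internal_to_external": 0, "external_to_internal": 0}
    for src, dst, nbytes in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and dst_in:
            totals["internal"] += nbytes
        elif src_in:
            totals["internal_to_external"] += nbytes
        elif dst_in:
            totals["external_to_internal"] += nbytes
    return totals


def response_hours(incidents):
    """Hours from detection to containment for each (name, detected, contained)
    record, plus the median across incidents. Timestamps are ISO minute strings."""
    fmt = "%Y-%m-%dT%H:%M"
    per_incident = []
    for name, detected, contained in incidents:
        delta = datetime.strptime(contained, fmt) - datetime.strptime(detected, fmt)
        per_incident.append((name, delta.total_seconds() / 3600))
    return per_incident, median([h for _, h in per_incident])


# Constructed sample data for the example; not real traffic or incidents.
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.1.2.9", 50_000),         # internal
    ("10.1.1.5", "203.0.113.7", 1_200_000),   # internal -> external
    ("192.168.4.2", "198.51.100.3", 300_000), # internal -> external
    ("198.51.100.3", "192.168.4.2", 40_000),  # external -> internal
    ("203.0.113.7", "198.51.100.9", 999),     # external -> external, ignored
]
SAMPLE_INCIDENTS = [
    ("lost-laptop", "2010-01-04T09:00", "2010-01-04T15:30"),       # 6.5 h
    ("phish-credential", "2010-01-11T22:15", "2010-01-13T10:15"),  # 36 h
    ("misfiled-paper", "2010-01-20T08:00", "2010-01-20T09:00"),    # 1 h
]

if __name__ == "__main__":
    print(classify_flows(SAMPLE_FLOWS))
    print(response_hours(SAMPLE_INCIDENTS))
```

The point of the shape is that both outputs are expressed in units a CIO already reasons about (bytes leaving the building, hours until an incident is contained) rather than in vendor counts of signatures or vulnerabilities.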
    • 40. Articulating Risk
      How do you articulate risk?
      Doctors listen most to mom’s statements like, “Something’s just not right.”
      Say to your CIO, “This feels icky”
      How Icky? On a scale of “A little” to “Eeeeeeew!”
    • 41. An Example
      PCI DSS Requirement 11.3 calls for internal and external penetration testing. There is great bang-for-buck in setting up an internal pen-testing team:
      To talk to pen testers
      To test patches, controls
      To enumerate hosts, processes, workflows
      To understand your environment
      To understand and positively affect config management
    • 42. Pick Your Battles
      Find out what you care about
      Attach your team to revenue producing projects
      Use PCI and compliance as a lever on the budget
      Speak in terms of risk, not threat
      Count metrics that speak in dollars and time
      Yell when compliance makes you do something dumb or hate your job
    • 43. Questions?
      Contact us:
      Nick Selby, Managing Director
      nick.selby [ at] tridentrm.com
      Paul Davis, Chief Security Officer
      paul.davis[at ]tridentrm.com
      Clint Bruce, Chairman
      c.Bruce (at ) trg-ltd.com