Risk, regulation and data protection
  1. Risk, Regulations and Data Protection
     Shahar Geiger Maor, Senior Analyst
     Scan me to your contacts: www.shaharmaor.blogspot.com, http://www.facebook.com/shahar.maor, http://twitter.com/shaharmaor
  2. What is Risk?
     Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic
  3. Risk Management…
     • Risk management is present in all aspects of life
     • It is about the everyday trade-off between an expected reward and a potential danger
     • It is universal, in the sense that it refers to human behaviour in the decision-making process
  4. No Risk… No Gain!
  5. Benefits of Risk Management
     (Graphic: “Potential benefits” at the centre, surrounded by: increased certainty and fewer surprises; better service delivery; supports strategic and business planning; more efficient use of resources; quick grasp of new opportunities; promotes continual improvement; reassures stakeholders; helps focus internal audit programme.)
  6. (Untitled slide: ERM)
     • ERM is an ongoing process
     • ERM is an integral part of how an organization operates
     • ERM applies to all organizations, not just financial organizations
     • Risk applies broadly to all things threatening the achievement of organizational objectives
     • Risk is not limited to threats, but also refers to opportunities
     • The goal of an organization is not “risk mitigation”, but seeking an appropriate “risk-return position”
  7. Regulations – The Olympic Minimum Syndrome
  8. When Regulation is a Good Idea…
  9. SOX
  10. Ultimate Liability
      Countrywide’s Angelo Mozilo, Bear Stearns’ Jimmy Cayne, Lehman Brothers’ Dick Fuld, and Merrill Lynch’s John Thain
  11. Security Ecosystem: Key Roles
      (Graphic: Senior Management, CISO, Custodian, Data owners, Users.)
  12. PCI-DSS: Israeli Market and Challenges
      (Graphic: Requirements 1 through 12 mapped against the components of a typical retail environment: POS Terminals, PIN Pads, DSL Router, Network, 3rd Party Scan Vendor, Policies, POS Server.)
  13. Information Security “Threatscape”
  14. Social Engineering
  15. Social Engineering
      Preventing social engineering:
      • Verify identity
      • Do not give out passwords
      • Do not give out employee information
      • Do not follow commands from unverified sources
      • Do not distribute dial-in phone numbers to any computer system except to valid users
      • Do not participate in telephone surveys
      Reacting to social engineering:
      • Use Caller ID to document the phone number
      • Take detailed notes
      • Get the person’s name/position
      • Report incidents
  16. Phishing
      • A social engineering scam
      • A scam that uses email or websites to deceive you into disclosing sensitive information
      • How does it work?
        – You receive an email or pop-up message
        – The message usually says that you need to update or validate your account information
        – It might threaten some dire consequence if you don’t respond
        – The message directs you to a bogus website
        – You type sensitive info… and that’s it…
  17. Technologies Categorization 2010–2011
      (Graphic, Source: STKI. Vertical axis: Market Curiosity / IT Project / Major Changes; horizontal axis, Market Maturity: Looking / Implementing / Using; size of figure = complexity/cost of project. Technologies plotted: Cyber Warfare, “Social” Security, Mobile Sec, DLP, IRM, Application Security, Cloud Security, Endpoint Security, Security Management, Data Protection, Network Security.)
  18. Cyber-Warfare
      http://edmahoney.wordpress.com/2010/01/13/cyber-war-home-theater/
  19. Mobile Sec
  20. “Social Security”
  21. Data Centric Approach
      Build a wall – “perimeter security” versus the “Business of Security” – security is built into the business process
  22. Data Security Domain
      Source: Securosis
  23. STKI Index 2010–2011 – Top Queries to STKI
      (Pie chart, Source: STKI; labels and percentages as laid out in the chart:)
      • SIEM/SOC 3%
      • Miscellaneous 2%
      • Encryption 1%
      • Regulations 7%
      • Vendor/Product 8%
      • EPS/mobile 14%
      • Market/Trends 13%
      • DB/DC SEC 9%
      • Access/Authentication 9%
      • DCS 12%
      • GW 10%
      • Network Sec 12%
  24. Internal vs. External Human Threats
  25. Leakage Mitigation in Israel
      (Graphic: Awareness, Methodology, IRM, Vaulting, Mail Protection, DB protection, GW protection, Encryption, Device Control, Endpoint DLP.)
  26. Protect your data
      Left column:
      • Data Loss Prevention – Network
      • Data Loss Prevention – Endpoint
      • Data Loss Prevention – Storage
      • Full Drive Encryption
      • USB/Media Encryption/Device Control
      • Enterprise Digital Rights Management
      • Data Masking
      • Entitlement Management
      Right column:
      • Access Management
      • Entitlement Management
      • Network Segregation
      • Server/Endpoint Hardening
      • USB/Media Encryption/Device Control
      • Database Encryption
      • DAM
      • Storage Encryption
      • Application Encryption
      • Email Filtering
  27. Top Insights
      • Most organizations still rely heavily on “traditional” security controls like system hardening, email filtering, access management, and network segregation to protect data
      • Most organizations see unstructured data storage as their main security concern
      • Most organizations must meet at least one regulatory or contractual compliance requirement
  28. Top Insights – cont.
      • Many organizations tend “not to touch” their production DB
      DB protection: Estimated Technology Penetration (pie chart with two segments, “Evaluating/using” and “Not using this technology”, split 48% / 52%)
  29. Identity and Access Management
  30. Identity and Access Management
      (Graphic: “this is where most activity occurs”; “A Leper Colony – keep away!!!”)
  31. Thank you!
      Download this presentation: