CIO Summit: Data Security in a Mobile World
•
0 likes•377 views
Tips, trends, and case studies on how successful associations and not-for-profits are dealing with data security issues in a mobile world.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to CIO Summit: Data Security in a Mobile World
Similar to CIO Summit: Data Security in a Mobile World (20)
Recently uploaded
Recently uploaded (20)
CIO Summit: Data Security in a Mobile World
- 2. Agenda • Welcome and Introductions – David Riffle, Sr. Director, ASI • Information Security Threats and Strategies – Mark Breland, Sr. Product Engineering Exec., ASI • What You Need to Know about PCI Compliance – David Johnson, Systems Engineer, Trustwave
- 3. Agenda • Why the Era of CRM is Over – Brent Sitton, Product Marketing Manager, ASI – Bruce Ryan, CIO, Florida Bankers Association – Artesha Moore, CIO, Association for Professionals in Infection Control and Epidemiology • Closing Remarks
- 15. Agenda • Security breaches today • Attack vector mitigation • Secure web implementation • Penetration testing • ASI Corporate Security Initiative
- 16. Security Breaches Today • By the numbers…in the US 2005 to April 2014 – Recorded breaches = 4,455 – Records exposed = 626,327,451 – Cost per record = $188 – Total cost = $117.8B • Breach attack patterns – 52% of stolen data due to “hacktivism” – 40% of breaches incorporated malware – Malicious or criminal attacks that exploit negligence or system glitches
- 17. Security Breaches Today • Primary data breach targets… – Financial – Retail – Government • 43% of all companies experienced a data breach in the last year – Of these, 27% had no response plan in place – 80% had root cause in employee negligence • Membership organizations emerging – Controversial missions/philosophies – Play to self‐anointed judgment of “hacktivists” – Least likely to have protections in place
- 18. Security Breaches Today • Cyber risk and liability – Target® breach of 2013…40M compromised records, potential company liability of $90/exposed record = $3.6B – Target ® directors and officers also facing derivative suits – Home Depot ® breach of 2014…56M compromised PCI records, liability to exceed $3B – JPMorgan Chase breach of 2014…83M compromised PII accounts – Anthem breach of 2015…80M compromised PHI records – Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach
- 19. Security Breaches Today • Cyber risk and liability – Brand value drops 17‐31% after a breach – Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach – Software vendors mostly protected by liability limits clauses in their EULAs – Custom developed software and software implementation is another story… – Any technology company associated with a breach is open to litigation
- 20. Security Breaches Today • Why NPOs should be concerned – Larger budgets/revenues are attractive – Mission statements draw hostile attention – Greater need for online service provision – Growing IT complexity to maintain operating efficiency and maximize member benefits – Increasing reliance on 3rd party cloud/hosting service providers
- 21. Security Breaches Today • One breach, 6 investigations… – Internal investigation – Shareholders vs. Directors and Officers – Card brand vs. Company – Federal Government vs. Company – State Government vs. Company – Law Enforcement vs. Attacker
- 22. Security Breaches Today • Weak credentials – Default credential provisioning – Susceptible to brute force attacks • System misconfiguration – Accidental exposure of administrative consoles – Stood up systems outside of policy – Firewall errors/complexity • Service/Software vulnerability – Heartbleed, Shellshock – Third party software • Web application vulnerability – Most commonly exploited – Custom code developed without security • Social engineering – Phishing, link clicking
- 24. Attack Vector Mitigation ‐ Business • Identify and understand your business risks as regards likely channels of attack • Educate Board and senior management on responsibilities and effectively managing cyber security risk • Proactively secure data, systems, policies, and procedures in advance…plan, Plan, PLAN • Gather and share cyber attack intelligence internally and among industry peers
- 25. Attack Vector Mitigation ‐ Business • Train staff and elevate cyber security awareness • Engage outside help when needed • Ensure compliance with all regulatory and certification security requirements • Respond clearly and deliberately to any critical incident…focus on maintaining stakeholder confidence • Benchmark your cyber security program in relation to your peers
- 27. Secure Web Implementation • Protect each site with a valid SSL certificate and HTTPS protocol • Isolate web servers in the DMZ zone • Protect services in the Trusted zone • Disallow non‐VPN or non‐direct RDP access to any server
- 28. Secure Web Implementation • GreenSQL ‐ a unified, ready‐to‐use database security solution for all organizations. Easy to install, use and maintain – Hides and secures databases – Monitors all incoming and outgoing SQL queries – Alerts and blocks signature‐based query attacks – Maintains database security policy in real‐time – Protects against known and unknown database exploits
- 31. Penetration Testing • Process to identify security vulnerabilities in a web application or site by evaluating the system or network with various malicious techniques • Various end targets… – Full web site (Amazon, Google, iMIS customer) – Web application product (iMIS 20 out‐of‐the‐box) • Various forms… – Social engineering – Application security – Physical penetration
- 32. Penetration Testing • Automated testing tools – Pros – covers a lot of ground very fast, cost efficient, consistent and repeatable, best suited for rapidly evolving web applications – Cons – can frequently flag false positives, only as good as the latest signature database of known exploits • Adaptive (manual) testing techniques – Pros – follows the black hat mindset, uncovers application‐specific combinatorial vulnerabilities, leverages non‐related tools, much more rigorous – Cons – labor‐intensive, not easily repeatable, money sink
- 33. Penetration Testing • ASI committed to conducting self penetration testing – iMIS 20‐100/200 and 20‐300 platforms – Integral to pre‐EA/GA regression testing – Employ Netsparker tool as a start, will likely expand to others • ASI engaged independent penetration testing services in 2014 – Currently GA iMIS 20‐100 and 20‐300 platforms – Adaptive pen testing techniques and methodology – No critical vulnerabilities found – Secure coding practices strongly recommended
- 34. ASI Corporate Security Initiative • Formed mid‐2013 to address the issue of iMIS running as a secure web application for the benefit of our customers • Focused on three areas to mitigate our risk exposure with the use of the iMIS product – Web application product development – Site implementation – Cloud services • Phase 1 complete, Phase 2 emphasis on establishing a corporate ASI Security Assurance Plan with associated policies/procedures
- 35. Resources • Articles – Verizon 2014 Data Breach Investigations Report ‐ www.verizonenterprise.com/DBIR/2014/ – https://www.owasp.org/index.php/ASP.NET_Misconfigurations – http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five‐common‐ mistakes‐in‐the‐web‐config‐file.aspx – http://csae‐trillium.tv/cyber‐security‐canadas‐profit‐organizations‐attack‐ certain‐loss/ • Best Practices – OWASP ‐ www.owasp.org/index.php/Main_Page – NIST ‐ www.nist.gov/cyberframework/upload/cybersecurity‐framework‐ 021214.pdf – www.imiscommunity.com/system/files/SecurityWebImplBestPractices.pdf – www.imiscommunity.com/system/files/SecurityWebDevBestPractices.pdf
- 37. Summary • What is PCI? • What has changed in PCI‐DSS v3? • Scope Adjustment + Segment and Pentesting • Hosted Payment Pages Clarification • Sampling • POS Security • Tips & Tricks • What’s Next?
- 39. WHAT IS THE PCI DSS? • The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data • Cardholder data is any personally identifiable data associated with a cardholder, including: – Primary Account Number – Expiry Date – Name • All merchants accepting debit/credit cards must comply with the PCI DSS at all times
- 41. PCI DSS v3 Changes Definitions of Change Change Type Definition Number of Changes Clarification Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements. 74 changes Additional guidance Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. 5 changes Evolving Requirement Changes to ensure that the standards are up to date with emerging threats and changes in the market. 19 changes
- 42. PCI DSS Version 3.0 • Specifically, scoping has been clarified to indicate that system components include, “Any component or device located within or connected to the [cardholder data environment].” • The new language also states that the “PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment • Additionally, a new requirement has been added requiring that if segmentation is used, “penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out‐of‐scope systems from in‐scope systems.” • As further clarity, the standard states that, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out‐of‐scope system component was compromised it could not impact the security of the CDE.” • The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in‐scope for many organizations. For example, in most networks using Windows Activity Directory security, a compromise of systems outside the CDE could impact the CDE and then could be considered in‐scope for the PCI assessment. Most Notable Changes (1/4) A Higher Bar to Achieve “Segmentation”
- 43. PCI DSS Version 3.0 • PCI DSS 3.0 offers a new definition of system components: “System components include systems that may impact the security of the CDE (for example web redirection servers).” • Up until now, web servers had been considered out‐of‐scope if they used iFrames, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchant’s systems. • Under the new standard, all of these servers fall in‐scope and, due to the new segmentation requirement, likely bring the rest of a company’s network into scope as well. • The only “out” for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure. Most Notable Changes (2/4) Hosted Payment Pages Are No Longer A “silver bullet”
- 45. PCI DSS Version 3.0 • In response to recent attacks in which POS devices have been physically modified to capture card holder data, there is a new set of control requirements around physical security for POS devices. • First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device. • Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering Most Notable Changes (4/4) Greater Security Around POS Physical Controls
- 46. PCI DSS Version 3.0 • Annual Pentesting – Internal & External Network (qualified internal/external resource) • Segmentation must be verified – Applications (qualified internal/external resource) • Vulnerability Scanning – Internal (ASV or Self) – External (ASV only) • Default Passwords – must be changed • Security Education – pretty much everyone – Role appropriate. Additional Major Changes or Key Areas
- 47. Tips & Tricks 1. Read the PCI‐DSS v3. 2. Leverage your entire employee base. 3. Read InfoSec News. 4. Keep the conversation going. 5. Be able to show proof. 6. Stay on top of documentation. 7. Standardize and remove risk. 8. Know your compliance anniversary date. 9. Start your assessment early. 10.Establish your current Merchant Level.
- 48. What’s Next? Things to pay attention to in the near future • InfoSec companies expect an increase in CHD theft ahead of EMV 2015 integration deadline in the USA. • Employee and Business process security • P2PE – it’s new and still in the works
- 53. Complex Integrations Disparate Products & Vendors High Cost of Ownership Designed for Staff + =A ‘Half-Cycle’ Approach Disparate Systems = A Risky Approach
- 55. New Programs and Services • Survey method – Misleading Indications – Qualitative, not Quantitative • Full Implementation – Fraught with Risk
- 58. Learning Organization Learning – Validate your ideas using the scientific method • Hypothesize • Build Pilot • Measure • Learn
- 59. Engagement Management • Integrate Web and Data Quickly • Flexibility to adapt to deliver new services • Complete 360° view of your constituents in ONE system • Interact with constituents on Any Device • Measure member interaction
- 60. Pilot Project in iMIS • Community Service Groups – Notify targeted group – Collect information – Match them to volunteer event – See the measurable results
- 64. Learning with an EMS • Integrate Web and Data Quickly • Flexibility to adapt to deliver new services • Complete 360° view of your constituent in ONE system • Interact with constituents on Any Device • Measure interaction
- 67. About APIC Mission: Create a safer world through the prevention of infection. • Over 15,000 members from variety of practice settings within healthcare • 120 domestic and international chapters • 11 special interest groups (similar to Technical Councils) • Over 50% growth in past few years • Diverse membership with varying needs
- 68. Challenge In 2005, APIC wanted to grow, yet, systems were not in place • AMS out of date, inaccurate • No true web integration • Culture not supportive Membership growth is not possible without engagement
- 69. Growth Leads to Challenges • Variable practice settings with varying needs • High % retiring in 5 years • Decreased time and increased demands impact member participation • Ever‐changing regulations and need for new guidelines
- 70. Member Engagement Means... • Ease of access to features • Integration of all technologies with AMS • Enhancing customer experience
- 71. Engagement Strategy • Strengthen our AMS to enable greater connectivity to online resources • Get an accurate picture of our members using metrics and data • Increase capacity by automating routine tasks • Work with vendors to integrate 3rd party add‐ons to expand program offerings Change internal culture to embrace both IT and member services
- 72. Engagement Strategy Using data to make decisions: • Identifying key members groups • Tracking member activity and performance • Identifying new leaders • Integrating with new platforms
- 73. Engagement Strategy • Open lines of communication between frontline staff, IT and leaders • Provide training to empower staff to act • Promote innovation at all levels • Connect personal goals with organizational goals • Be open to new ideas
- 74. Embracing Technology... • Plan must support your strategic plan • Strong infrastructure is essential • Knowledgeable staff to help educate members • Develop partnership with vendors
- 76. Results
- 77. Results: New Leaders • Using customized tables to create a database within existing structure • Using scoring in social media to identify new leaders • Using web analytics to understand member content needs
- 82. Florida Bankers Association Founded in 1888 in support of Florida’s FDIC insured banks and financial institutions. – 22 Staff Members – Advocacy – Education – Membership – Associate Membership • Vendors – Endorsed Partner Program • Products – Other Services • Career Center, Fraudnet, Capwiz and more…
- 84. Our Goal with iMIS 20 • 100% Retention of Members • Staff Productivity • More Efficient Member and Client Experience
- 85. Solution: iMIS 20 • CRM & CMS in one system • Events, product sales, accounting, etc. in one system • Offline/Online transactions in one system • Total web integration
- 86. Results iMIS 20 • Time Savings: Supporting one application instead of 5+ • Cost Savings: Paying for one application instead of 5+! • Reporting: Happy staff! • Ease of Use: One application vs. 5+ (Happy staff!!) • Member Engagement!
- 89. • Be Prepared
- 90. Lessons Learned • Massive change in communication is an opportunity to grow and thrive – Social networking ‐ You Tube – Mobility ‐ Personalization – Communities of Interests ‐ Data Capture • C Level Executives must lead this transition