THE PRIVACIES ARE COMING!
Ernest Staats MSIA, CISSP, CEH…
estaats@Networkpaladin.org
https://networkpaladin.org
LEGAL DISCLAIMER:
Nothing in this handout or presentation constitutes legal advice.
The information in this presentation was compiled from sources
believed to be reliable for informational purposes only. Any and
all information contained herein is not intended to constitute
legal advice. You should consult with your own attorneys when
developing programs and policies.
We do not guarantee the accuracy of this information or any
results and further assume no liability in connection with this
publication including any information, methods or safety
suggestions contained herein.
RETHINK CYBERSECURITY
• Checklist compliance and security doesn't work
• Attacks are cross-departmental
• You cannot protect what you do not know
- (DATA MAP: where is personal data?)
• Without active ownership and management, cybersecurity is a joke
• If security is not part of the culture, the company is left exposed to true cyber risk
• The CIS/SANS first 5 controls will give you an 85% reduction in risk
“LIVING OFF THE LAND”
• “Living off the land”
• Windows 10 PowerShell, WMI, the Windows Scripting Host
• Microsoft Office “macros”
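The defender's counterpart to the slide above, as an added example that is not part of the presentation: a small scanner over process-creation logs that flags the "living off the land" chains the slide names (Office macros spawning PowerShell, WMI or the Windows Scripting Host, and PowerShell launched with switches interactive use rarely needs). The JSON log format, its field names and the sample events are constructed for this example.

```python
"""Added example (not from the presentation): flag "living off the land"
process chains in process-creation logs, i.e. Office applications (the
macro launch point) spawning PowerShell, WMI or Windows Scripting Host
binaries, and PowerShell launched with switches that interactive use rarely
needs. The JSON log format and its field names are constructed for this
example, not a real product's schema."""
import json
from dataclasses import dataclass

# Tools the slide names: PowerShell, WMI (wmic.exe), Windows Scripting Host.
LOTL_CHILDREN = {"powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    time: str
    host: str
    parent: str    # lower-cased basename of the parent image
    image: str     # lower-cased basename of the new process image
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """One JSON object per line (constructed schema, see module docstring)."""
    rec = json.loads(line)
    return ProcEvent(rec["time"], rec["host"], _basename(rec["parent_image"]),
                     _basename(rec["image"]), rec.get("command_line", ""))


def suspicious_ps_switches(cmdline: str) -> list:
    """Heuristic: common short and long spellings of three PowerShell switches
    that seldom appear in legitimate interactive use."""
    tokens = cmdline.lower().split()
    found = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-e", "-ec", "-enc", "-encodedcommand"):
            found.append("encoded command")
        elif tok in ("-w", "-window", "-windowstyle") and nxt == "hidden":
            found.append("hidden window")
        elif tok in ("-ep", "-ex", "-exec", "-executionpolicy") and nxt == "bypass":
            found.append("execution policy bypass")
    return found


def classify(ev: ProcEvent) -> list:
    """Return the reasons an event looks like LotL abuse; empty list = not flagged."""
    reasons = []
    if ev.image in LOTL_CHILDREN and ev.parent in OFFICE_PARENTS:
        reasons.append(f"{ev.parent} spawned {ev.image} (macro -> script host)")
    if ev.image in ("powershell.exe", "pwsh.exe"):
        reasons.extend(suspicious_ps_switches(ev.cmdline))
    return reasons


def scan(lines) -> list:
    """Run classify() over log lines; return one alert dict per flagged event."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            alerts.append({"time": ev.time, "host": ev.host, "parent": ev.parent,
                           "image": ev.image, "reasons": reasons})
    return alerts


# Constructed sample telemetry: one benign and one suspicious PowerShell
# launch, an Excel-spawned script host, and routine WMI use by a service.
# The "-enc" argument is a placeholder, not a real encoded script.
SAMPLE_LOG = r"""
{"time": "2019-03-04T09:12:01Z", "host": "ws-17", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"}
{"time": "2019-03-04T09:14:37Z", "host": "ws-17", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="}
{"time": "2019-03-04T09:15:02Z", "host": "ws-22", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\wscript.exe", "command_line": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.vbs"}
{"time": "2019-03-04T09:16:40Z", "host": "srv-03", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "command_line": "wmic.exe os get caption"}
"""


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["time"], alert["host"], alert["image"], "<-", alert["parent"],
              ";", "; ".join(alert["reasons"]))
```

Parent-child pairing is the signal that survives renaming and obfuscation, so log the parent image on every process-creation event; the switch heuristic is a supplement, not a substitute.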
IOT HACKED DEVICES AND PORTS
Top Cyber Incident Pain Points
1. Business impact not considered when determining courses of action
2. Lack of cross-organizational considerations and buy-in
3. Limited data classification
4. Ill-defined processes (aka “pre-thought use cases”)
5. Lack of defined checklists or step-by-step procedures
6. Ill-defined event and incident taxonomy between responders
7. No defined thresholds between events and incidents
8. No pre-determined (aka “pre-canned”) external communications
CYBERSECURITY RISK MANAGEMENT
How do we efficiently and effectively manage our cyber risks?
(Figure: risk gauge with “Unacceptable Risk Level” and “Acceptable Risk Level” bands)
THE ANSWER: leverage industry best practices
1. National Institute of Standards and Technology (NIST): NIST Cybersecurity Framework, NIST Risk Management Framework
http://www.nist.gov/
2. Center for Internet Security (CIS): CIS Critical Security Controls
http://www.cisecurity.org/
3. International Organization for Standardization (ISO): ISO 27000-series publications
http://www.iso.org/
4. CySAFE: combines NIST, CIS, and ISO, taking the best of each without duplication
Edits: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
RISK MANAGEMENT SHOULD:
• Support the strategic objectives
• Enhance institutional decision-making
• Create a “risk-aware” culture
• Reduce operational surprises and losses
• Assure greater business continuity
• Improve use of funding by aligning resources with objectives
• Bridge departmental silos
Observe: Identify Risk
Orient: Categorize & Prioritize
Decide: Select & Implement Controls
Act: Manage, Assess, & Monitor
MY TYPICAL RECOMMENDATIONS
• Know what is being leaked (IoT, shadow IT)
• Train users
• Monitor and log everything
• Pick a framework (NIST or CIS or CySAFE)
• Check firewall ports (outgoing)
• Assess & document your world
https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
MORE EFFECTIVE IT
• Empower IT through conversations
• Use partner and leader terminology
• Define contribution metrics
• Find the root cause (Toyota “5-Whys”)
• Technology is a tool, not a purpose
• Create a wall of pride
• Try device-free meetings
• Control interruptions
• Find time to daydream
SELF ASSESSMENT: “CYSAFE” OR CIS TOP 20
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS Top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh?usp=sharing
DESIGN: DATA PRIVACY (1/2)
Where should I go to understand critical regulation?
• Industry
• Local
• Multinational
How can I check whether my disclosures work?
• Ask them
• Reading level calculator
Additional resources:
• Impact of GDPR on financial services
• PCI FAQ
• Reading level calculator (also MS Office tools)
DATA PRIVACY (2/2)
What does “good” look like when it comes to data privacy?
(Practices are grouped by principle; each principle runs across capture, usage, and retention & erasure.)
Be extremely transparent: people don’t typically read disclosures
• Always obtain consent to access and use personal data
• When obtaining consent, think of the people: easy to read, jargon-free, mobile friendly
• Share how providing data helps them
• High-level and detailed versions
• Tell customers what data will be retained, for how long, and in what form:
- De-identified vs. identified
- Single data pull vs. ongoing feed
- Physical vs. electronic
Keep all data confidential: especially with personal data, maintaining confidentiality preserves trust
• Check personal disclosures of data acquired from partners
• Highlight confidentiality when acquiring data
• Be particularly careful with identity
• Proactively notify people when sharing their data with 3rd parties
• Only use the data for its intended purpose
• Upon erasure, ensure data is completely deleted everywhere it’s stored, incl. with partners, redundant servers, etc.
Let customers “own” their data: whether or not this is legally the case, to maintain their trust, act as if their data is their own
• Where possible, allow people to opt out of specific data access
• Where possible, allow people to opt out of specific data uses
• Have a process for people to request updates to, correction of, or erasure of their information
• Have a process to withdraw consent
Take, keep, and use only what’s valuable: all data carries risk
• Don’t collect all data for all people; identify the pieces which drive the most value, and don’t collect the rest
• Be particularly conscious of regulation when using sensitive classifications
• “Sunshine test”
• Set a retention policy for customer data
• Have a “what data should we keep” process
SOFTWARE SECURITY
How do I balance speed and security?
• Focus on the right level of technical security for your stage
• See the “Balancing Speed & Security” article
What types of security testing should I be using?
• Automated: before you deploy
• Black box: 2x/year
• White box: every 2 years
What are the most common & dangerous software security risks?
• See the OWASP Top 10 article
Additional resources:
• OWASP Top 10 2017
• Balancing speed & security
• Security 101 for startups
• Security testing types
• Security fatigue
INFRASTRUCTURE SECURITY (1/2)
Is outsourcing infrastructure or insourcing more secure?
• Often, outsourcing will be best
• Specific situations may change this
If I do outsource, how can I ensure I’m protected?
• Cloud providers offer:
- Logging and monitoring with controls
- Identity & access management
- Encryption of data at rest
• See the “AWS security features” resource
Additional resources:
• Full infrastructure checklist
• AWS security features and AWS security best practices whitepaper
• Azure security features
• Cisco checklist
• OWASP Top 10 2017
INFRASTRUCTURE SECURITY (2/2)
What are some general best practices for infrastructure security?
General infrastructure
• Enable cloud infrastructure default security options
• Back up data at minimum daily, but limit redundancies
• Encrypt data while at rest and while in transit
• Periodically purge data
• Have a BC/DR technology solution and plan
• Implement patches for known vulnerabilities as soon as possible
Passwords & network access
• Use a password manager
• Password reset
• Tiered access levels
• Require a secure VPN
Scanning & monitoring
• Implement a simple logging function
• Include relevant data
• Create lockout thresholds
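The three "Scanning & monitoring" bullets made concrete, as an added example that is not part of the presentation: a minimal authentication monitor whose logging function records the fields an investigator needs and which locks an account after too many failures inside a sliding window. The threshold (5 failures), window (10 minutes), lockout (15 minutes), log field names and the attempt sequence are assumptions constructed for this example.

```python
"""Added example (not from the presentation): a minimal authentication
monitor that makes the "simple logging function", "include relevant data"
and "create lockout thresholds" bullets concrete. Each attempt is logged as
a structured record carrying the fields an investigator needs, and an
account is locked after too many failures inside a sliding window. The
threshold, window and lockout durations are assumptions for this example."""
import json
import logging
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO, format="%(message)s")


class AuthMonitor:
    def __init__(self, threshold=5, window_s=600, lockout_s=900, logger=None):
        self.threshold = threshold      # failures ...
        self.window_s = window_s        # ... within this many seconds ...
        self.lockout_s = lockout_s      # ... lock the account for this long
        self._failures = defaultdict(deque)   # account -> recent failure timestamps
        self._locked_until = {}               # account -> epoch seconds
        self.log = logger or logging.getLogger("auth")
        self.records = []                     # kept in memory so results can be inspected

    def is_locked(self, account: str, now: float) -> bool:
        return now < self._locked_until.get(account, 0)

    def _recent_failures(self, account: str, now: float) -> int:
        q = self._failures[account]
        while q and q[0] <= now - self.window_s:   # drop failures outside the window
            q.popleft()
        return len(q)

    def record(self, account: str, src_ip: str, success: bool, now: float) -> str:
        """Process one login attempt and return its outcome:
        'ok', 'fail', 'lockout' (this attempt tripped the threshold) or
        'locked' (rejected because the account is still locked)."""
        if self.is_locked(account, now):
            outcome = "locked"          # rejected even if the password was right
        elif success:
            self._failures[account].clear()
            outcome = "ok"
        else:
            self._failures[account].append(now)
            if self._recent_failures(account, now) >= self.threshold:
                self._locked_until[account] = now + self.lockout_s
                self._failures[account].clear()
                outcome = "lockout"
            else:
                outcome = "fail"
        # "Relevant data": who, from where, when, what happened, and how close
        # the account is to its threshold. One JSON object per line is easy
        # to ship to a SIEM and to grep.
        rec = {"ts": now, "event": "auth", "account": account, "src_ip": src_ip,
               "outcome": outcome, "recent_failures": self._recent_failures(account, now)}
        self.records.append(rec)
        level = logging.WARNING if outcome in ("lockout", "locked") else logging.INFO
        self.log.log(level, json.dumps(rec, sort_keys=True))
        return outcome


def simulate() -> dict:
    """Constructed attempt sequence (not real data); returns outcomes per account."""
    mon = AuthMonitor()
    attempts = [
        # 5 wrong passwords for alice within 40 s from one source, then a
        # correct one while still locked, then a correct one after the lock expires.
        ("alice", "203.0.113.7", False, 0), ("alice", "203.0.113.7", False, 10),
        ("alice", "203.0.113.7", False, 20), ("alice", "203.0.113.7", False, 30),
        ("alice", "203.0.113.7", False, 40), ("alice", "198.51.100.9", True, 50),
        ("alice", "198.51.100.9", True, 1000),
        # bob mistypes occasionally; failures spaced wider than the window never lock.
        ("bob", "198.51.100.20", False, 0), ("bob", "198.51.100.20", False, 700),
        ("bob", "198.51.100.20", False, 1400), ("bob", "198.51.100.20", True, 1410),
    ]
    outcomes = defaultdict(list)
    for account, ip, ok, t in attempts:
        outcomes[account].append(mon.record(account, ip, ok, t))
    return dict(outcomes)


if __name__ == "__main__":
    print(simulate())
```

A per-account lockout can itself be used to lock legitimate users out, so pair it with per-source rate limiting and alert on lockout events rather than only enforcing them silently.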
PARTNER MANAGEMENT
Steps for partner vetting
• Pre-contract checks
- What are their encryption practices?
- Have they ever had a breach?
- Service-level agreements (SLAs)
- SLAs should be included in the data policy
- Ability to audit & request specific security standards
How do I ensure my partner management is successful?
• Learn from partners’ suggestions
• Continuous monitoring & review
Additional resources:
• Best practices to reduce third-party cybersecurity risk
• Approaching data security in a fintech-friendly world
• Steps to mitigate 3rd party cybersecurity threats
Vendor industry templates: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
CULTURE
What does a best in class data protection culture look like?
Key beliefs, with practices to reinforce them:
All users need to be aware of and careful about security issues
• Data protection newsletter
- Current events: share one article and how it relates to the company
- Employee highlight: public recognition for those who surface issues
• The accountable executive for data protection is not just responsible for technology
- Have non-technical (i.e. not IT) people train employees on data protection
Be open and transparent
• Celebrate employees who surface issues; publicly recognize people
• Don’t punish people
Data protection is an ongoing effort
• Blame-free post-mortems
• Ongoing “security tracker”
More sharing = more risk
• Limit partner integrations
DATA MANAGEMENT
What are some best practice processes for data protection?
Development
• Regular penetration testing (3-6 mo black box, 12 mo white box)
• Security review as part of the SDLC
Hiring and firing
• Do reference checks on developers and employees
• Ensure the digital “locks are changed” when employees leave
Reviews
• Hold regular data protection reviews (quarterly)
Miscellaneous
• Do not use USB drives
• Encourage auto-lock of laptops (after 5 minutes)
• Have automatic locks on your office doors and server rooms
• Train employees not to use risky websites
Additional resources:
• Security 101 for startups
• What is social engineering?
TRAINING
What content should I include in my data protection trainings?
All staff, onboarding:
• Our data security culture
- Why it’s important
- Key processes to prevent and report issues
- Key components of the data policy
- Role-based guidelines
- Initial data privacy training
• Types of threats and how we mitigate them
• Key data elements
All staff, ongoing:
• To be conducted on a regular basis
• Regular trainings
• After a breach:
- Cover the post-mortem of the breach
- Opportunity for Q&A
Engineering, IT, Data science, onboarding (in addition to the above):
• Legislative & regulatory environment
• Communication & feedback loops
• Where security sits in all processes
• Roles & responsibilities
• Monitoring and maintenance
Engineering, IT, Data science, ongoing:
• Updates to data architecture and procedures
• Changing data security procedures
• Legislative or regulatory changes
BREACH RESPONSE (1/3)
What is a data security breach?
• What is a breach?
• Can be done locally or remotely
What should be included in a security breach response plan?
1. Identification & Risk Assessment
• Understand extent of breach
• Assess risks from breach
• Form team to lead resolution
2. Containment & Resolution
• Contain breach, limit damage
3. Evaluation & Improvement
• Review causes of breach
• Understand consequences
• Make process, tech changes
4. Communication
• Plan and execute communication to employees and external parties
Additional resources:
• Data breaches 101
• Detailed guide for cybersecurity event recovery
BREACH RESPONSE (2/3)
What are best practices in each phase of a breach response?
1. Identification & Risk Assessment: key questions
• Understand extent of breach
- What personal data?
- What was the cause?
- How many people?
• Assess risks from breach
- What potential for harm?
- Strategic & financial risks?
- Legal or compliance risks?
- Reputational risks?
- Financial risks?
• Form team to lead resolution
- Who will be accountable?
- Employees needed?
- How often will the team meet?
2. Containment & Resolution: key questions
• Contain breach, limit damage
- Are we still vulnerable?
- What systems changes?
- What process changes?
- How to recover data?
3. Evaluation & Improvement: key questions
• Review causes of breach: “post-mortem”
- What vulnerabilities enabled the breach?
- What other similar vulnerabilities?
• Understand consequences
- What consequences occurred?
• Make process, tech changes
- Tech solutions or process changes?
- Need to modify our data policy?
- What training is needed?
- What is the cost to make these changes?
Best practices across the phases:
• Initial identification of severity may be incomplete, so be thorough
• Key people to include on the team:
- Executive
- Legal counsel
• Don’t limit evaluation and improvements
• Blame-free post-mortems
• Include people from across the
BREACH RESPONSE (3/3)
What communication is appropriate at each stage of breach response?
Stages: 1. Identification & Risk Assessment (understand extent of breach; assess risks from breach; form team to lead resolution); 2. Containment & Resolution (contain breach, limit damage); 3. Evaluation & Improvement (review causes of breach; understand consequences; make process, tech changes)
Internal communication (in stage order):
• Notify groups who interact with external parties
• Include critical teams
- C-Suite, Legal, Technology, PR (if applicable)
- Board of directors
• Communicate to employees
• Provide regular updates to leadership and legal until issues are resolved
• Post-mortem is non-punitive
• Include a description of what happened
• Communicate about process and technology changes
External communication (in stage order):
• Be careful about what you communicate
• Speak to all relevant external parties
• Always review with legal
• When you communicate, include all key information
- Data involved
- Action taken
- Specific and clear advice
• Provide ongoing
FACTORS THAT CAN CAUSE FAILURE
• Complexity (overlapping solutions)
• Focus on technology (“bright shiny object disease”)
• Lack of understanding of risk (fear vs. reality)
• Lack of cybersecurity staff
DELIVERABLES
Firewall & network setups: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
Cloud security: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
Protocols and ports that need attention: https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c-CqmurPiqcPdRpV/view?usp=sharing
Server and network rights: https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sharing
Servers: https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
TOOL TIME:
Root folder on G-Drive: https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=sharing
Throughput testing: https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE-_gK9qL6?usp=sharing
Network mapping resources: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
CIS Top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh?usp=sharing
3rd party vendor vetting:

IT Staff NDA Template Employee Confidentiality AgreementIT Staff NDA Template Employee Confidentiality Agreement
IT Staff NDA Template Employee Confidentiality Agreement
 
Cy safe 2.0_workbook
Cy safe 2.0_workbookCy safe 2.0_workbook
Cy safe 2.0_workbook
 
Parenting and the media challenge
Parenting and the media challengeParenting and the media challenge
Parenting and the media challenge
 
How to use technology in ministry & parenting
How to use technology in ministry & parentingHow to use technology in ministry & parenting
How to use technology in ministry & parenting
 
Idwg bimonthly security exchange cyber only section
Idwg bimonthly security exchange cyber only sectionIdwg bimonthly security exchange cyber only section
Idwg bimonthly security exchange cyber only section
 
Data Detox Kit Optimized
Data Detox Kit Optimized Data Detox Kit Optimized
Data Detox Kit Optimized
 
GDPR Benefits and a Technical Overview
GDPR  Benefits and a Technical OverviewGDPR  Benefits and a Technical Overview
GDPR Benefits and a Technical Overview
 
Compter Forensics Intro for Students
Compter Forensics Intro for Students Compter Forensics Intro for Students
Compter Forensics Intro for Students
 
Risk Management Approach to Cyber Security
Risk Management  Approach to Cyber Security Risk Management  Approach to Cyber Security
Risk Management Approach to Cyber Security
 
Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3Why security is the kidney not the tail of the dog v3
Why security is the kidney not the tail of the dog v3
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vid
 
Securely Erase your Device
Securely Erase your DeviceSecurely Erase your Device
Securely Erase your Device
 
Border crossing mobile social media life-saving security tips
Border crossing mobile social media life-saving security tipsBorder crossing mobile social media life-saving security tips
Border crossing mobile social media life-saving security tips
 
Social & mobile security
Social & mobile securitySocial & mobile security
Social & mobile security
 
Social mobile safety
Social mobile safetySocial mobile safety
Social mobile safety
 
Using social media to boost your ministrys online presence
Using social media to boost your ministrys online presence Using social media to boost your ministrys online presence
Using social media to boost your ministrys online presence
 
Social media How to Step by Step
Social media How to Step by StepSocial media How to Step by Step
Social media How to Step by Step
 

Recently uploaded

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

Privacies are Coming

  • 1. THE PRIVACIES ARE COMING! Ernest Staats MSIA, CISSP, CEH… estaats@Networkpaladin.org https://networkpaladin.org
  • 2. LEGAL DISCLAIMER: Nothing in this handout or presentation constitutes legal advice. The information in this presentation was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute legal advice. You should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication including any information, methods or safety suggestions contained herein.
  • 3. RETHINK CYBERSECURITY
    • Checklist compliance and security doesn't work
    • Attacks are cross-departmental
    • You cannot protect what you do not know (DATA MAP: where is the personal data?)
    • Without active ownership and management, cyber security is a joke
    • If security is not part of the culture, the company is exposed to true cyber risk
    • CIS/SANS first 5 controls will give you an 85% reduction in risk
  • 4. “LIVING OFF THE LAND”
    • “Living off the land”
    • Windows 10 PowerShell, WMI, the Windows Scripting Host
    • Microsoft Office “macros”
  • 5. IOT HACKED DEVICES AND PORTS
  • 6. TOP CYBER INCIDENT PAIN POINTS
    1. Business impact not considered when determining courses of action
    2. Lack of cross-organizational considerations and buy-in
    3. Limited data classification
    4. Ill-defined processes (aka “pre-thought use cases”)
    5. Lack of defined checklists or step-by-step procedures
    6. Ill-defined event and incident taxonomy between responders
    7. No defined thresholds between events and incidents
    8. No pre-determined (aka “pre-canned”) external communications
  • 7. CYBERSECURITY RISK MANAGEMENT: how do we efficiently and effectively manage our cyber risks? (Figure: risk scale from Unacceptable Risk Level to Acceptable Risk Level)
  • 8. THE ANSWER: Leverage Industry Best Practices
    1. National Institute of Standards and Technology (NIST): NIST Cybersecurity Framework, NIST Risk Management Framework, http://www.nist.gov/
    2. Center for Internet Security (CIS): CIS Critical Security Controls, http://www.cisecurity.org/
    3. International Organization for Standardization (ISO): ISO 27000-series publications, http://www.iso.org/
    4. CySAFE: combines NIST, CIS, and ISO, taking the best of each without duplication. Edits: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
  • 9. RISK MANAGEMENT SHOULD:
    • Support the strategic objectives
    • Enhance institutional decision-making
    • Create a “risk-aware” culture
    • Reduce operational surprises and losses
    • Assure greater business continuity
    • Improve use of funding by aligning resources with objectives
    • Bridge departmental silos
    OODA loop: Observe: Identify Risk; Orient: Categorize & Prioritize; Decide: Select & Implement Controls; Act: Manage, Assess, & Monitor
  • 10. MY TYPICAL RECOMMENDATIONS
    • Know what is being leaked (IoT, Shadow IT)
    • Train users
    • Monitor and log everything
    • Pick a framework (NIST or CIS or CySAFE)
    • Check firewall ports (outgoing)
    • Assess & document your world: https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
  • 11. MORE EFFECTIVE IT
    • Empower IT through conversations
    • Use partner and leader terminology
    • Define contribution metrics
    • Find the root cause (Toyota “5-Whys”)
    • Technology is a tool, not a purpose
    • Create a wall of pride
    • Try device-free meetings
    • Control interruptions
    • Find time to daydream
  • 12. SELF ASSESSMENT: “CYSAFE” OR CIS TOP 20
    • CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
    • CIS Top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh?usp=sharing
  • 13. DESIGN: DATA PRIVACY (1/2)
    Where should I go to understand critical regulation?
      • Industry
      • Local
      • Multinational
    How can I check whether my disclosures work?
      • Ask them
      • Reading level calculator
    Additional resources:
      • Impact of GDPR on financial services
      • PCI FAQ
      • Reading level calculator (also MS Office tools)
  • 14. DATA PRIVACY (2/2): What does “good” look like when it comes to data privacy? Overall best practices across capture, usage, and retention & erasure:
    Be extremely transparent (people don’t typically read disclosures)
      • Always obtain consent to access and use personal data
      • When obtaining consent, think of the people: easy to read, jargon-free, mobile friendly
      • Share how providing data helps them
      • High-level and detailed versions
      • Tell customers what data will be retained, for how long, and in what form:
        - De-identified vs. identified
        - Single data pull vs. ongoing feed
        - Physical vs. electronic
    Keep all data confidential (especially with personal data, maintaining confidentiality preserves trust)
      • Check personal disclosures of data acquired from partners
      • Highlight confidentiality when acquiring data
      • Be particularly careful with identity
      • Proactively notify people when sharing their data with 3rd parties
      • Only use the data for its intended purpose
      • Upon erasure, ensure data is completely deleted everywhere it is stored, incl. with partners, redundant servers, etc.
    Let customers “own” their data (whether or not this is legally the case; to maintain their trust, act as if their data is their own)
      • Where possible, allow people to opt out of specific data access
      • Where possible, allow people to opt out of specific data uses
      • Have a process for people to request updates to, correction of, or erasure of their information
      • Have a process to withdraw consent
    Take, keep, and use only what’s valuable (all data carries risk)
      • Don’t collect all data for all people: identify the pieces which drive the most value, and don’t collect the rest
      • Be particularly conscious of regulation when using sensitive classifications
      • “Sunshine test”
      • Set a retention policy for customer data
      • Have a “what data should we keep” process
  • 15. SOFTWARE SECURITY
    How do I balance speed and security?
      • Focus on the right level of technical security for your stage
      • See “Balancing Speed & Security” article
    What types of security testing should I be using?
      • Automated, before you deploy
      • Black box 2x/year
      • White box every 2 years
    What are the most common & dangerous software security risks?
      • See OWASP Top 10 article
    Additional resources: OWASP Top 10 2017; Balancing speed & security; Security 101 for startups; Security testing types; Security fatigue
  • 16. INFRASTRUCTURE SECURITY (1/2)
    Is outsourcing infrastructure or insourcing more secure?
      • Often, outsourcing will be best
      • Specific situations may change this
    If I do outsource, how can I ensure I’m protected?
      • Cloud providers offer:
        - Logging and monitoring with controls
        - Identity & access management
        - Encryption of data at rest
      • See the “AWS Security features”
    Additional resources: Full Infrastructure Checklist; AWS security features and AWS security best practices whitepaper; Azure security features; Cisco Checklist; OWASP Top 10 2017
  • 17. INFRASTRUCTURE SECURITY (2/2): What are some general best practices for infrastructure security?
    General infrastructure
      • Enable cloud infrastructure default security options
      • Back up data at minimum daily, but limit redundancies
      • Encrypt data while at rest and while in transit
      • Periodically purge data
      • Have a BC/DR technology solution and plan
      • Implement patches for known vulnerabilities as soon as possible
    Passwords & network access
      • Use a password manager
      • Password reset
      • Tiered access levels
      • Require a secure VPN
    Scanning & monitoring
      • Implement a simple logging function
      • Include relevant data
      • Create lockout thresholds
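Slide 17's "scanning & monitoring" items (a simple logging function that records the relevant data, plus a lockout threshold) are easy to state and easy to get subtly wrong. The example below is an added illustration, not code from the deck or from Ernest Staats: it parses a constructed, syslog-like authentication log, counts failures per user/source pair inside a sliding window, locks the pair out once a threshold is reached, and writes every decision as a structured JSON audit record. The log format, the field names, and the threshold, window and lockout durations are all assumptions chosen for the example. The second constructed account (`bob`) shows the edge case a practitioner should know about: failures spaced wider than the window never accumulate, so a threshold alone does not catch slow, patient guessing; the window and the audit records are what let you notice that pattern later.

```python
"""Lockout threshold plus structured audit logging over a constructed auth log.

Added example; the log format, field names and timing parameters are
assumptions made for illustration, not taken from any real system.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:05Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:09Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:12Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:15Z auth FAIL user=alice src=203.0.113.5
2024-05-01T08:00:20Z auth OK   user=alice src=203.0.113.5
2024-05-01T08:01:00Z auth FAIL user=bob src=198.51.100.7
2024-05-01T08:20:00Z auth FAIL user=bob src=198.51.100.7
2024-05-01T08:40:00Z auth FAIL user=bob src=198.51.100.7
2024-05-01T09:00:00Z auth FAIL user=bob src=198.51.100.7
2024-05-01T09:20:00Z auth FAIL user=bob src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed policy values: 5 failures within 10 minutes lock the pair out for 15 minutes.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=15)


def parse_line(line):
    """Turn one constructed log line into a dict with an aware datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


class LockoutTracker:
    """Sliding-window failure counter with a lockout and a JSON audit trail."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)  # (user, src) -> recent failure times
        self.locked_until = {}              # (user, src) -> lockout expiry
        self.audit = []                     # the "simple logging function" output

    def _log(self, event, ts, **fields):
        # Every record carries the fields an analyst needs: when, what, who, where.
        record = {"ts": ts.isoformat(), "event": event, **fields}
        self.audit.append(record)
        print(json.dumps(record))

    def process(self, rec):
        """Return the outcome for one event: ok, fail, lockout or locked."""
        key, ts = (rec["user"], rec["src"]), rec["ts"]
        until = self.locked_until.get(key)
        if until is not None and ts < until:
            # Even a correct password is refused while the lockout is active.
            self._log("attempt_during_lockout", ts, user=key[0], src=key[1])
            return "locked"
        if rec["result"] == "OK":
            self.failures.pop(key, None)  # a success resets the counter
            self._log("login_ok", ts, user=key[0], src=key[1])
            return "ok"
        recent = self.failures[key]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        self._log("login_fail", ts, user=key[0], src=key[1], recent_failures=len(recent))
        if len(recent) >= self.threshold:
            self.locked_until[key] = ts + self.lockout
            recent.clear()
            self._log("lockout", ts, user=key[0], src=key[1],
                      until=self.locked_until[key].isoformat())
            return "lockout"
        return "fail"


def run(log_text):
    """Feed every line through the tracker; return (outcomes, tracker)."""
    tracker = LockoutTracker()
    outcomes = [tracker.process(parse_line(line))
                for line in log_text.splitlines() if line.strip()]
    return outcomes, tracker


if __name__ == "__main__":
    run(SAMPLE_LOG)
```

Running the block prints one JSON record per decision. `alice` trips the threshold on her fifth failure and her later correct login is refused during the lockout window, which is the intended behaviour. `bob` never trips it because each of his failures is 20 minutes apart, wider than the 10-minute window; the audit records still show five failures from one source, which is the kind of slow pattern a periodic review of the log (rather than the live threshold) should pick up.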
  • 18. PARTNER MANAGEMENT
    Steps for partner vetting
      • Pre-contract checks
        - What are their encryption practices?
        - Have they ever had a breach?
        - Service-level agreements (SLAs)
        - SLAs should be included in the data policy
        - Ability to audit & request specific security standards
    How do I ensure my partner management is successful?
      • Learn from partners’ suggestions
      • Continuous monitoring & review
    Additional resources: Best practices to reduce third-party cybersecurity risk; Approaching data security in a fintech-friendly world; Steps to mitigate 3rd party cybersecurity threats
    Vendor Industry Templates: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
  • 19. CULTURE: What does a best-in-class data protection culture look like? (Key beliefs and the practices that reinforce them)
    All users need to be aware of and careful about security issues
      • Data protection newsletter
        - Current events: share one article and how it relates to the company
        - Employee highlight: public recognition for those who surface issues
      • The accountable executive for data protection is not just responsible for technology
        - Have non-technical (i.e. not IT) people train employees on data protection
    Be open and transparent
      • Celebrate employees who surface issues; publicly recognize people
      • Don’t punish people
    Data protection is an ongoing effort
      • Blame-free post-mortems
      • Ongoing “security tracker”
    More sharing = more risk
      • Limit partner integrations
  • 20. DATA MANAGEMENT: What are some best practice processes for data protection?
    Development
      • Regular penetration testing (3-6 mo black box, 12 mo white box)
      • Security review as part of the SDLC
    Hiring and firing
      • Do reference checks on developers and employees
      • Ensure the digital “locks are changed” when employees leave
    Reviews
      • Hold regular data protection reviews (quarterly)
    Miscellaneous
      • Do not use USB drives
      • Encourage auto-lock of laptops (after 5 minutes)
      • Have automatic locks on your office doors and server rooms
      • Train employees not to use risky websites
    Additional resources: Security 101 for startups; What is social engineering?
  • 21. TRAINING: What content should I include in my data protection trainings?
    All staff
      Onboarding:
        • Our data security culture
          - Why it’s important
          - Key processes to prevent and report issues
          - Key components of the data policy
          - Role-based guidelines
          - Initial data privacy training
        • Types of threats and how we mitigate them
        • Key data elements
      Ongoing:
        • To be conducted on a regular basis
        • Regular trainings
        • After a breach:
          - Cover the post-mortem of the breach
          - Opportunity for Q&A
    Engineering, IT, Data science (in addition to the above)
      Onboarding:
        • Legislative & regulatory environment
        • Communication & feedback loops
        • Where security sits in all processes
        • Roles & responsibilities
        • Monitoring and maintenance
      Ongoing:
        • Updates to data architecture and procedures
        • Changing data security procedures
        • Legislative or regulatory changes
  • 22. BREACH RESPONSE (1/3)
    What is a data security breach?
      • What is a breach?
      • Can be done locally or remotely
    What should be included in a security breach response plan?
      1. Identification & Risk Assessment: understand the extent of the breach; assess risks from the breach; form a team to lead resolution
      2. Containment & Resolution: contain the breach, limit damage
      3. Evaluation & Improvement: review causes of the breach; understand consequences; make process and tech changes
      4. Communication: plan and execute communication to employees and external parties
    Additional resources: Data breaches 101; Detailed guide for cybersecurity event recovery
  • 23. BREACH RESPONSE (2/3): What are best practices in each phase of a breach response?
    Key questions
      1. Identification & Risk Assessment
        • Understand extent of breach
          - What personal data?
          - What was the cause?
          - How many people?
        • Assess risks from breach
          - What potential for harm?
          - Strategic & financial risks?
          - Legal or compliance risks?
          - Reputational risks?
          - Financial risks?
        • Form team to lead resolution
          - Who will be accountable?
          - Employees needed?
          - How often will the team meet?
      2. Containment & Resolution
        • Contain breach, limit damage
          - Are we still vulnerable?
          - What systems changes?
          - What process changes?
          - How to recover data?
      3. Evaluation & Improvement
        • Review causes of breach (“post-mortem”)
          - Which vulnerabilities enabled the breach?
          - What other similar vulnerabilities?
        • Understand consequences
          - What consequences occurred?
        • Make process, tech changes
          - Tech solutions or process changes?
          - Need to modify our data policy?
          - What training is needed?
          - What is the cost to make these changes?
    Best practices
      • Initial identification of severity may be incomplete, so be thorough
      • Key people to include on the team:
        - Executive
        - Legal counsel
      • Don’t limit evaluation and improvements
      • Blame-free post-mortems
      • Include people from across the
  • 24. BREACH RESPONSE (3/3): What communication is appropriate at each stage of breach response? (Phase 4, Communication, runs alongside Identification & Risk Assessment, Containment & Resolution, and Evaluation & Improvement)
    Internal
      • Notify groups who interact with external parties
      • Include critical teams
        - C-Suite, Legal, Technology, PR (if applicable)
        - Board of directors
      • Communicate to employees
      • Provide regular updates to leadership and legal until issues are resolved
      • Post-mortem is non-punitive
      • Include a description of what happened
      • Communicate about process and technology changes
    External
      • Be careful about what you communicate
      • Speak to all relevant external parties
      • Always review with legal
      • When you communicate, include all key information
        - Data involved
        - Action taken
        - Specific and clear advice
      • Provide ongoing
  • 25. FACTORS THAT CAN CAUSE FAILURE
    • Complexity (overlapping solutions)
    • Focus on technology (“bright shiny object disease”)
    • Lack of understanding of risk (fear vs reality)
    • Lack of cyber security staff
  • 26. DELIVERABLES
    • Firewall & network setups: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
    • Cloud security: https://drive.google.com/drive/folders/1MOe15AjF_WRN9IZ10yQefpXDOYfvd8VK?usp=sharing
    • Protocols and ports that need attention: https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing
    • Authentication best practices: https://drive.google.com/file/d/1TyMTbghiOSqtuZv7c-CqmurPiqcPdRpV/view?usp=sharing
    • Server and network rights: https://drive.google.com/file/d/130tcLpGBPE2Q4aYjknG7xaiIkK0CJPsq/view?usp=sharing
    • Servers: https://drive.google.com/file/d/197jsrcHo4Izx9pWw7nv3dj01BIf0LiNl/view?usp=shari
  • 27. TOOL TIME
    • Root folder on G-Drive: https://drive.google.com/drive/folders/1t4zZbe3bZb7yuZFNRZnSYOpfru_uzHpP?usp=sharing
    • Throughput testing: https://drive.google.com/drive/folders/1qcGAwBGfRB8-BV34kZjY6uPE-_gK9qL6?usp=sharing
    • Network mapping resources: https://drive.google.com/drive/folders/1FDKjOi8MPxXTuBZ4MtJZQMf9tcfPkz44?usp=sharing
    • CySafe: https://drive.google.com/drive/folders/12UWZiE2JGLeM86t_4ddvXmxz5U810q07?usp=sharing
    • CIS top 20: https://drive.google.com/drive/folders/1QSU4WyBrpg4DFzGhwUS4eIPjFckzv3Nh?usp=sharing
    • 3rd Party Vendor Vetting:
  • 28. MORE EFFECTIVE IT
    • Empower IT through conversations
    • Use partner and leader terminology
    • Define contribution metrics
    • Find the root cause (Toyota “5-Whys”)
    • Technology is a tool, not a purpose
    • Create a wall of pride
    • Try device-free meetings
    • Control interruptions
    • Find time to daydream
  • 29. MY TYPICAL RECOMMENDATIONS
    • Know what is being leaked (IoT, Shadow IT)
    • Train users
    • Monitor and log everything
    • Pick a framework (NIST or CIS or CySAFE)
    • Check firewall ports (outgoing)
    • Assess & document your world: https://drive.google.com/file/d/1_irHSd7pgY_ciP8Sjg51YOcd1S8mjciZ/view?usp=sharing