Data Security: What Every Leader Needs to Know


Upload: roger-hagedorn

Post on 27-Jan-2015


Page 1: Data Security: What Every Leader Needs to Know

Data Security: What every leader needs to know


Roger Hagedorn

Security Consultant

• CISSP - Certified Information Systems Security Professional

• GIAC Security Essentials (GSEC)

Member:

• (ISC)2 Twin Cities Area Chapter (isc2tc.org)

• Upper Midwest Security Alliance (UMSA) – Board Member


Agenda

• Roger’s 5 Key Components of a Security Program

• What Can You Do Now?

• How to Tell You’ve Been Breached

• Action Steps if Breached

Please feel free to ask questions at any time. This session is for you.


More Introductions

• Who are you and what brings you to this presentation?

• What are your security concerns?


Why Are We Here?

Security Breaches so far in 2013:

Approximately 10.6 million records compromised and 483 breaches reported.

According to statistics compiled by the Privacy Rights Clearinghouse

http://www.darkreading.com/database/lessons-learned-from-4-major-data-breach/240164264


According to the Verizon 2013 Data Breach Investigations Report (DBIR), organizations with fewer than 100 employees comprised 31% of data breach incidents investigated in 2012.

http://www.verizonenterprise.com/DBIR/2013/


Why do people hack?

• Notoriety—basic intrusions, early viruses

• Fame—creative or widespread malware

• Financial—theft and damage

• Political Reasons—hacktivism

• National Interests—spying


The “Professionalization” of cybercrime in the form of large, organized criminal syndicates:

• Exploit auction houses (WabiSabiLabi)

• Forums and IRC (#Vxers, cybermafia.cc)

• Botnet rental (5socks.net)

• Identity auctions (76service)

http://money.cnn.com/2011/07/27/technology/organized_cybercrime/


A Common Misconception:

“Our organization would never be a target of hackers.”

– We do good work

– We’re too small to be noticed

– We have nothing of value


What small organizations may not realize:

– Hackers use automated tools. They don’t pick their targets; they find vulnerabilities.

– All organizations have things of value:

• Computing power (botnets)

• Email contacts (other potential victims)

• Personal information (identity theft)


Why We Are Here

This situation makes us all a target.


Key Components of a Security Program


No. 1 is you.


Support from upper management is critical. Without that, no program or initiative will be fully successful. But with it, work processes can be adjusted, staff can learn, funds can be obtained, and attitudes can change.


No. 2 is Data.

https://www.icts.uiowa.edu/content/integrated-repositories-data-marts


An in-depth understanding of an organization’s data and how it’s protected.

Compare the “Good Old Days” to today. . .


http://education-portal.com/academy/lesson/what-is-cloud-computing-definition-advantages-disadvantages.html#lesson



Intermission

Plucked from the Sept. 27 headlines:

Last week's arrest of eight men in connection with a £1.3 million ($2.08 million) bank heist carried out with a remote-control device they had the brass to plug into a Barclays branch computer

http://nakedsecurity.sophos.com/2013/09/21/bank-robbers-pose-as-it-guys-rig-device-to-slurp-1-3m-from-barclays/


The arrest of 12 men in connection with a scheme to boobytrap computers at Santander, one of the UK's largest banks, by rigging the same type of remote-control device found in Barclays - devices that enable remote bank robbery.

http://nakedsecurity.sophos.com/2013/09/13/12-arrested-as-uk-cops-foil-santander-bank-heist-plot/


Key Components of a Security Program

That in-depth understanding of your organization’s data must include where it is stored, how it is classified—e.g., public, in-house only, confidential—who can access it, and how this is being monitored.


It is not enough to safeguard important data—from HR-related data to financial information, and especially Personal Health Information—it is necessary to be able to demonstrate that appropriate controls are in place and effective.


No. 3 is IT.

Many people consider information security an IT issue. It is not, because it involves much more than IT, but it is true that hardware and software controls are a significant part of any security system.


But if your organization has one IT admin, this is a challenge. Security is important but only part of the job. There’s no dedicated security analyst. There’s no way IT can monitor everything. And it’s easy to waste time on logs and events that aren’t important. So what to monitor?


• Active Directory and Servers

• Firewall

• Wireless access points

• Anti-Malware

• In-house applications

• Data storage (file server, NAS or whatever)

• Any cloud services?


Also part of IT’s role in security is the implementation of some basic practices:

• user accounts

• strong passwords

• locking screen-savers

• use a firewall and VPN

• update operating systems and applications

• WPA2 encryption for WiFi

• separate guest WiFi

• encrypt data

• dispose of data

• policies

See the SANS Institute’s 20 Security Controls


No. 4 is Policies and Procedures.

The scope and key elements of an overall security policy need to be developed by a team that pulls from several areas of the organization, so that the diversity of divisions, end-users, and procedures is accounted for.


Then, from this broad basis, more granular policies and procedures need to be developed to deal with specific aspects of the enterprise.


Example Policies:

• Computing Acceptable Use

• Remote Access

• Password Usage

• Data Retention and Destruction

• Flash Drive Usage

• Cloud Storage


Once the policies and procedures are in place, they need to be regularly checked in order to verify that they are being followed and that they actually provide the security controls needed; if not, then they will have to be revised. And all policies and procedures need to be revised on a regular basis, generally annually.


No. 5 is Staff Involvement, especially because staff are sometimes the weakest link but can also be the first line of defense.


Offer training programs, newsletters, brown bag lunch sessions, posters, campaigns, informational lectures, news updates, and the like. While regulations like HIPAA mandate formal trainings, experience suggests that a combination of approaches works best.


What Can You Do Now?

Invest in prevention—implement Defense-in-Depth

Educate your staff

Prepare an Incident Response Plan

Test your systems

Whitelist applications


How to Tell You’ve Been Breached

The top indicators are:

• Unusual Outbound Network Traffic

• Anomalies in Privileged User Account Activity

• Geographical Irregularities

http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/240162469?itc=edit_in_body_cross


Action Steps if Breached

• Identify the Attack*

• Quarantine the Damage**

• Disinfect

• Employ your Communication Strategy

• Re-secure the Network

* If you are lucky. Most learn from outside sources after the fact.

** But first ask if this is actionable; if so, consult a forensic specialist.


And remember to


Recap

• Roger’s 5 Key Components:

– Support from Upper Management

– Know your Data

– IT Controls and Monitoring

– Policies and Procedures

– Staff Involvement

• What Can You Do Now?

• How to Tell You’ve Been Breached

• Action Steps if Breached


Q and A

• Thanks very much for your attention.

• Any questions or comments?

Roger Hagedorn

Email: [email protected]

www.cultivatingsecurity.com


Information Security Resources

The SANS Institute’s 20 Security Controls
http://www.sans.org/critical-security-controls/

Information Security Policy Templates
http://www.sans.org/security-resources/policies/

The Australian Government’s 35 Controls
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

The Center for Internet Security
http://www.cisecurity.org

Ten Steps to Planning an Effective Cyber-Incident Response
http://blogs.hbr.org/2013/07/ten-steps-to-planning-an-effect/


Top 15 Indicators Of Compromise
http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/240162469?itc=edit_in_body_cross

SonicWALL Phishing IQ Test
http://www.sonicwall.com/furl/phishing/

Sophos 1-Minute Security Tips for the Workplace
http://www.youtube.com/playlist?list=PLD88EACF404839195