Page 1

Awareness Program on Compliance in the Era of Technology

ICAI, Mumbai, October 19, 2008

<version 1.0> Public Document

Page 2

Agenda

1. Compliance Today
2. Business Risks
3. Evolving Security and Compliance landscape
4. Technology and IT value for business
5. Incidents and Security related industry information
6. Snapshot of Global Compliance requirements over time
7. Extracting Compliance ROI
8. Suggested Safeguards (unified framework)
9. Common regulatory requirements (standards, etc.)
10. The technology solution
11. Compliance spotlight – PCI-DSS
12. Leverage the technology solution
13. VA/PT
14. Continuous VA and Monitoring
15. List of Tools
16. Why VA/PT
17. Web App Security, Secure Coding

Page 3

Compliance Today

• Technology is constantly evolving, providing new tools and methods to tackle the increasing information and compliance overload

  "Much of the increase in cost is due to duplication of regulation and ambiguous or inconsistent rules"
  – Securities Industry Association, 2006

• Organizations have numerous Compliance requirements which keep growing by the day / hour / minute!
  – Regulatory
  – Standards / Best Practice Frameworks
  – Industrial, Contractual, etc.

Page 4

Compliance Today

• Compliance with Compliance requirements takes up too many resources

• Compliance initiatives are considered "Projects" (e.g. SOX / PCI project) but these are continuous processes (benefits are not realized)

• Technology solutions will leverage Compliance efforts to enable Governance and Risk Management, leading to Business gains (productivity, cost-savings)

Compliance must be part of your organization's DNA

Regulatory Compliance is not just a legal requirement but a critical business function.

Page 5

Business Risks

• Operational risk: Physical damage/theft; Services not available
• Market risk: Lost customers; Global partners
• Legal risk: SLAs; Lawsuits; Regulatory Compliance
• Financial Risk: Claims and losses; Quantification of information assets/impact

What is at Risk – Information on your network: Databases, Intellectual Property, Financial Information, Personally Identifiable Information, Reputation & Market Value


Page 7

Technology and Information Made People Smarter

• Google
• Luhn's algorithm (to validate any credit card)
• VB based basic key loggers
• Web based IP tools, DNS network tools, traceroute etc.
• Network tools: Nmap, Nessus etc. … all available online
• Password cracking tools
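The Luhn check listed above serves the defender as much as anyone else: a compliance team scanning application logs for leaked card numbers (cardholder data that pulls a system into PCI-DSS scope) can use it to separate genuine primary account numbers from order ids and SKUs that merely look like one. The Python below is an added example, not code from the presentation or from Secure Matrix; the log lines are constructed, the card numbers are the well-known test numbers, and the masking rule (first six and last four digits kept) follows the PCI-DSS display convention.

```python
import re
from typing import List

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log. 4111... and 5555... are standard test card numbers;
# the order ids and the sku are 16-digit values that fail the Luhn check.
LOG_SAMPLE = """\
2008-10-19 10:01:22 checkout ok order=1234567890123456 card=4111-1111-1111-1111
2008-10-19 10:01:23 checkout ok order=9876543210987654 card=5555 5555 5555 4444
2008-10-19 10:01:24 inventory sync sku=4111111111111112 count=3
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check: walking from the right, double every second digit, reduce
    any result above 9 by 9, and require the total to be a multiple of 10."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators the regex allowed so only digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-number candidate in text, digits only."""
    return [
        _normalise(m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid(_normalise(m.group(0)))
    ]


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace Luhn-valid PANs with their masked form; other digit runs are left
    alone so that order ids and SKUs stay searchable in the log."""
    def _sub(m):
        digits = _normalise(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for pan in find_pans(LOG_SAMPLE):
        print("PAN found:", mask_pan(pan))
    print(redact(LOG_SAMPLE))
```

Running the block on the constructed log reports two card numbers and leaves the order ids untouched; the same pair of functions can be dropped into a log-shipping pipeline so that cardholder data never reaches the central log store in clear.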


Page 9

Incidents (2000-2007)

According to the Attrition Data Loss Archive and Database and FlowingData, the following are the 10 largest data breaches since 2000 (http://flowingdata.com/2008/03/14/10-largest-data-breaches-since-2000-millions-affected/)

Is there a trend? Yes, numbers are growing!

Page 10

Are we safe in 2008?

• UK Government Depts. reported loss of 29 million records in the last one year (August 2008)
• Countrywide Financial Corp. – possibly all 2 million records were sold (August 2008)
• If sensitive data only includes SSNs and financial account data, and not date of birth and email ids, then should we count Facebook's 80 million records as a data breach? (July 2008)
• Bank of New York Mellon, PA – as many as 4.5 million customer records are thought to be compromised (March 2008)
• Compass Bank – 1 million (March 2008)
• Hannaford Bros. supermarket chain – 4.2 million (March 2008)

Trend – Numbers are still growing!

Page 11

Some Facts

Who are behind these breaches:
• External sources, including past employees
• Insiders
• Business partners
• Multiple parties

How these breaches are caused:
• Business process errors, or no policy/procedural controls
• Hacking and intrusions, including malicious code
• System/Application vulnerabilities, including those for which patches already exist
• Physical threats

Mostly…
• Victims don't know that a breach has occurred or, more often, are unaware of the criticality of the data/information
• Breaches are opportunistic in nature
• More than 90% of breaches are avoidable

Page 12

Some Insights – drivers for security spend

By 2008, more than 75% of large and midsize companies will purchase new compliance management, monitoring, and automation solutions.

By 2009, compliance will grow to 14.2% of IT budget from 12% in 2006.

Source: Gartner 2007


Page 14

Common Regulatory Requirements / Standards / Frameworks / Guidelines

• Clause 49 (SEBI Guideline, Government of India)
• CTCL
• ISO:27001 – 2005 (133 Control objectives)
• PCI-DSS (12 requirements)
• CobiT
• NERC-CIP
• BS:25999
• ITIL
• Data Protection Act
• IT Act and applicable Criminal / Civil legislation
• HIPAA/GLBA
• Sarbanes Oxley
• Basel II
• PCAOB
• SAS 70
• Privacy Laws (e.g. PIPEDA)
• … many more …

Page 15

Extracting Compliance ROI

• Organizations must plan beyond Compliance
• Better Security means reduced / managed risk
• Managed (reduced) risk means better business
• Operational efficiencies result from compliance efforts
• Approach Compliance as a business process, not as a requirement / overhead
• Use learning to shorten future compliance cycles
• Identify opportunities to build a unified compliance ecosystem
• Lead the organization to Industry certifications, resulting in higher brand value
• Eliminate the risk of penalties for non-compliance
• Address multiple compliance requirements in a unified approach

Pages 16 – 18

Suggested Safeguards (unified framework) – diagram slides

Page 19

Technology Solution

• Systems must be developed providing a risk-based approach that is aligned with Business, Regulatory and Contractual requirements

• Leverage technology and co-ordinate Security spend with Compliance, with the overall objective to achieve Governance (automation)

• Technology practices to enable proactive security:
  – Risk management
  – Vulnerability Assessment / Penetration Testing (VA/PT)
  – Web Application Security (AppSec)
  – Code Review
  – Continuous Vulnerability Management
  – Managed Security Services

Page 20

Compliance Spotlight: PCI – Data Security Standard

Page 21

Compliance Spotlight: PCI-DSS

Requirement 5 and 6 (Maintain Vulnerability Management Program)
• Stay current on versions (Anti Virus, Patches, Systems, Configuration)
• Monitor custom Web applications
• SDLC (do we practice secure coding?)
• Invest in automated tools
• Secure Audit Logs

Requirement 10 and 11 (Regularly Monitor & Test Networks)
• Monitor Systems for Intrusions and Anomalies
• Implement Reporting and Analysis Tools
• Centralize and Secure Data

ISO:27001 – A.12.6 Technical Vulnerability Management

ISO:27001 – A.15 Compliance: Compliance with Legal Requirements; Compliance with Security Policies and Standards, and Technical Compliance
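"Secure Audit Logs" and "Centralize and Secure Data" under Requirement 10 come down to one property: a record, once written, can be shown not to have been altered, dropped or reordered before the auditor reads it. The simplest construction that gives this is a keyed hash chain, where each record's tag covers the previous tag as well as the record. The Python below is an added example, not code from the presentation or from Secure Matrix; the events, hosts, user names and the chain key are all constructed for the example, and the key placement described in the comments is an assumption about deployment, not something the slides state.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed key for this example only. In a real deployment the key is held
# by the central log collector (or an HSM), never by the host that writes the
# log, so that compromising the host does not allow the chain to be re-signed.
CHAIN_KEY = b"example-audit-chain-key-not-for-production"
GENESIS = b"\x00" * 32  # the tag "before" the first record

# Constructed audit events; the hosts, users and counts are invented.
SAMPLE_EVENTS = [
    "2008-10-19T10:00:01 host=db01 user=appsvc action=LOGIN result=SUCCESS",
    "2008-10-19T10:00:07 host=db01 user=dba action=LOGIN result=FAILED",
    "2008-10-19T10:00:09 host=db01 user=dba action=LOGIN result=FAILED",
    "2008-10-19T10:00:15 host=db01 user=dba action=LOGIN result=SUCCESS",
    "2008-10-19T10:02:40 host=db01 user=dba action=SELECT table=cardholder rows=250000",
]


def chain_tag(prev_tag: bytes, record: str) -> bytes:
    """HMAC over the previous tag and the current record, so every tag commits
    to the whole history before it, not just to its own line."""
    return hmac.new(CHAIN_KEY, prev_tag + record.encode("utf-8"), hashlib.sha256).digest()


def write_chain(records: List[str]) -> List[Tuple[str, str]]:
    """Pair each record with its hex tag; this is what the collector stores."""
    entries = []
    prev = GENESIS
    for rec in records:
        prev = chain_tag(prev, rec)
        entries.append((rec, prev.hex()))
    return entries


def verify_chain(entries: List[Tuple[str, str]]) -> int:
    """Return -1 if every tag matches, else the index of the first entry that
    was altered, or that follows a deleted or reordered entry."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(entries):
        expected = chain_tag(prev, rec)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return -1


def latest_tag(entries: List[Tuple[str, str]]) -> str:
    """The head of the chain. Truncating the tail leaves a chain that still
    verifies, so this value must be stored off-host (or published) separately."""
    return entries[-1][1] if entries else GENESIS.hex()


def demo_tampering() -> Tuple[int, int, int, bool]:
    """The cases a reviewer cares about: intact, edited, deleted, truncated."""
    intact = write_chain(SAMPLE_EVENTS)

    # A copy in which a failed login has been rewritten as a success.
    edited = list(intact)
    rec, tag = edited[1]
    edited[1] = (rec.replace("FAILED", "SUCCESS"), tag)

    # A copy from which the second failed login has been removed.
    deleted = intact[:2] + intact[3:]

    # A copy cut off before the bulk SELECT; only the stored head reveals it.
    truncated = intact[:4]
    truncation_detected = latest_tag(truncated) != latest_tag(intact)

    return verify_chain(intact), verify_chain(edited), verify_chain(deleted), truncation_detected


if __name__ == "__main__":
    print(demo_tampering())  # (-1, 1, 2, True)
```

The edit and the deletion are caught at the first entry whose tag no longer recomputes; the truncation is caught only because the head tag was kept somewhere the host cannot reach, which is the practical reason central collection and secured audit trails appear together in the requirement.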


Page 23

Leverage the Technology Solution

Vulnerability Assessment (VA)
• Results allow the organization to compare findings against known vulnerabilities and prioritize remediation by implementing controls.
• Provides a health report on the organization's security posture.
• All Standards, Regulations and Frameworks recommend (or require) Network Assessments as an essential practice.

Penetration Testing (PT)
• Helps determine whether the controls are in fact preventing the vulnerability from actually endangering the network.
• A well-executed penetration test can identify the most critical holes in an organization's defensive net, including the holes exploited by social engineering.
• Pen tests are best used as a way to get an extra set of eyes on a network after major system upgrades.

Page 24

Leverage the Technology Solution

Continuous Vulnerability Monitoring and Assessment
• Provides a 24 x 7 x 365 watch on network traffic and is available as a Managed Security Service.
• Traffic is monitored and events (incidents) are correlated against the updated industry Common Vulnerabilities and Exposures (CVE) database.
• Reports are available online to the client via a web interface, which provides information about the threat(s) and remediation plans.
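Both the VA slide ("compare findings against known vulnerabilities and prioritize remediation") and the continuous monitoring slide ("correlated against the updated CVE database") describe the same core step: join what is running against what is known to be affected, then rank. The Python below is an added example of that join, not code from the presentation or from Secure Matrix; the advisory feed, the inventory, the version numbers and the CVSS scores are constructed, the advisory ids are labelled placeholders rather than real CVE numbers, and the internet-exposure weighting is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.2.8' -> (2, 2, 8). Assumption: dotted numeric versions; only the
    leading digits of each component count, so '4.7p1' compares as (4, 7)."""
    parts = []
    for comp in v.split("."):
        m = re.match(r"\d+", comp)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve_id: str          # placeholder ids here; a real feed carries CVE-YYYY-NNNN
    product: str
    first_affected: str  # inclusive
    fixed_in: str        # exclusive: the first version that is not affected
    cvss: float


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    exposure: str        # "internet" or "internal"


# Constructed advisory feed and inventory; products, versions and scores are invented.
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "httpd", "2.2.0", "2.2.9", 7.5),
    Advisory("CVE-EXAMPLE-0002", "openssh", "4.0", "5.1", 5.0),
    Advisory("CVE-EXAMPLE-0003", "httpd", "2.0.0", "2.0.63", 4.3),
]

INVENTORY = [
    Asset("web01", "httpd", "2.2.8", "internet"),
    Asset("web02", "httpd", "2.2.9", "internet"),
    Asset("bastion", "openssh", "4.7p1", "internet"),
    Asset("db01", "openssh", "4.3", "internal"),
    Asset("intranet", "httpd", "2.0.59", "internal"),
]


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Match on product name, then check first_affected <= version < fixed_in."""
    if asset.product != adv.product:
        return False
    v = parse_version(asset.version)
    return parse_version(adv.first_affected) <= v < parse_version(adv.fixed_in)


def priority(asset: Asset, adv: Advisory) -> float:
    """CVSS base score, raised for internet-facing hosts. The +2.0 weighting is
    an assumption for this example; a real programme applies its own risk model."""
    bump = 2.0 if asset.exposure == "internet" else 0.0
    return min(adv.cvss + bump, 10.0)


def correlate(inventory: List[Asset], advisories: List[Advisory]) -> List[Dict[str, object]]:
    """One finding per (asset, advisory) match, highest priority first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                findings.append({
                    "host": asset.host,
                    "product": f"{asset.product} {asset.version}",
                    "cve": adv.cve_id,
                    "fixed_in": adv.fixed_in,
                    "priority": priority(asset, adv),
                })
    findings.sort(key=lambda f: f["priority"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in correlate(INVENTORY, ADVISORIES):
        print(f"{f['priority']:>4}  {f['host']:<9} {f['product']:<14} {f['cve']}  upgrade to {f['fixed_in']}")
```

The output is the remediation queue a managed service would put in front of the client: web01 first because a 7.5 finding sits on an internet-facing host, web02 absent because 2.2.9 is the fixed version, and the internal hosts behind the exposed ones. A production feed adds vendor, CPE and backport handling, but the shape of the join does not change.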

Page 25

VA/PT

• Undertaken by qualified professionals
• Methodology includes use of automated tools augmented with manual skills
• Meet regulatory requirements (PCI-DSS, HIPAA, GLBA, PIPEDA, etc.)
• Organizations can realize their true security level
• Measure IT security effectiveness
• Identify and remediate potential breach points, reducing security risk and liability
• Benchmark / baseline security posture

Certifications: Certified Vulnerability Assessor (CVA) (Secure Matrix - DNV), CEH (EC Council), CISSP (ISC2), certifications in Forensics, Fraud (Secure Matrix)

Commonly used Tools for VA/PT (commercial / open source): Nessus, GFI Languard (c), Nmap; Metasploit, Canvas (c), etc.

Page 26

List of Tools (indicative)

Vulnerability Assessment
• Nessus – one of the most popular and widely used vulnerability assessment scanners, with nearly 14,000 plugins.
• GFI Languard – a commercial vulnerability assessment scanner with neat reporting capabilities.
• Netcat – a network debugging and exploration tool.
• Hping – particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities; used to map out firewall rulesets.
• Nikto – a comprehensive webserver scanner.
• Sam Spade – Windows network query tool.
• Web Inspect – Web Application Scanner.
• Firewalk – an advanced traceroute tool.

Penetration Testing
• Metasploit Framework – a framework to deploy vulnerability exploits and payloads. Securematrix has created a database of nearly 100 exploits in this framework.
• Canvas – a commercial Penetration Testing tool.
• Core Impact – a commercial Penetration Testing tool.
• SAINT – a commercial Penetration Testing tool.
• CenZic – a commercial Web application testing tool.
• John the Ripper – powerful, flexible, and fast multi-platform password hash cracker.
• THC Hydra – a fast network authentication cracker which supports many different services.
• Dsniff – a suite of powerful network auditing and penetration-testing tools.
• Solarwinds – network discovery/monitoring/attack tools.

Page 27

Why VA/PT

To catch a thief… you have to think like one. You hack into your network to do a Vulnerability Assessment (VA), identifying "vulnerabilities" in the same manner as they may be visible to an intruder, such as open ports.

Following up a VA is the Penetration Test – you are taking advantage of the 'vulnerabilities' by "penetrating" the network.

When you test all IP addresses that are visible to the outside world you can get answers to sticky questions like:

• Can an intruder hop on to the conference room network?
• Is it possible for the intruder to connect to the database server?
• What can you do (that which no one wants an intruder to do!)?
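The "open ports visible to an intruder" view only becomes actionable when it is compared with what the organization has approved, which is the "benchmark / baseline security posture" point from the VA/PT slide. The Python below is an added example of that comparison, not code from the presentation or from Secure Matrix: it parses scan output written in the style of Nmap's grepable (-oG) format and diffs it against an approved baseline. The scan output, addresses, hostnames and baseline are constructed for the example, and the assumption is that one scan covers one network segment so that a baseline host absent from the scan is itself worth a finding.

```python
import re
from typing import Dict, List, Set, Tuple

PortSet = Set[Tuple[int, str]]

# Constructed scan output in the style of nmap's grepable (-oG) format; the
# addresses, hostnames and services are invented for this example.
SCAN_OUTPUT = (
    "# Nmap scan report (constructed sample)\n"
    "Host: 10.10.1.10 (www.example.internal)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 10.10.1.20 (db.example.internal)\tPorts: 22/open/tcp//ssh///, "
    "3306/open/tcp//mysql///\tIgnored State: filtered (998)\n"
    "Host: 10.10.1.30 (conf-room-ap.example.internal)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///\tIgnored State: closed (998)\n"
)

# Approved baseline: what each known host is allowed to expose on this segment.
# 10.10.1.30 has no entry, so anything it exposes is a finding in its own right.
BASELINE: Dict[str, PortSet] = {
    "10.10.1.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "10.10.1.20": {(22, "tcp")},
}

PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)/")  # port/state/protocol/ prefix of each entry


def parse_grepable(text: str) -> Dict[str, PortSet]:
    """Map each scanned address to its set of (port, protocol) pairs in state 'open'."""
    hosts: Dict[str, PortSet] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and the trailing summary line
        fields = line.split("\t")
        address = fields[0].split()[1]
        open_ports: PortSet = set()
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto in PORT_FIELD.findall(field):
                    if state == "open":
                        open_ports.add((int(port), proto))
        hosts[address] = open_ports
    return hosts


def diff_against_baseline(scan: Dict[str, PortSet],
                          baseline: Dict[str, PortSet]) -> List[Dict[str, object]]:
    """Three kinds of finding: a host nobody approved, an approved host exposing
    something extra, and an approved host that did not answer at all."""
    findings: List[Dict[str, object]] = []
    for address, ports in scan.items():
        if address not in baseline:
            findings.append({"host": address, "kind": "unknown-host", "ports": sorted(ports)})
            continue
        unexpected = sorted(ports - baseline[address])
        if unexpected:
            findings.append({"host": address, "kind": "unexpected-open-port", "ports": unexpected})
    for address in baseline:
        if address not in scan:
            findings.append({"host": address, "kind": "missing-host", "ports": []})
    return findings


if __name__ == "__main__":
    for f in diff_against_baseline(parse_grepable(SCAN_OUTPUT), BASELINE):
        print(f"{f['kind']:<22} {f['host']:<12} {f['ports']}")
```

On the constructed sample the web server is clean, the database host exposes 3306/tcp that the baseline never approved, and a device on the conference-room range answers on telnet and http without being in the asset list at all; those two lines are exactly the answers to the questions the slide asks, and re-running the diff after every scan is what turns a one-off VA into the continuous monitoring of the earlier slides.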

Page 28

Presented by

Dinesh Bareja, CISA, CISM, ITIL, IPR, ERM, BS: 7799 (Imp & LA)
- Senior Vice President
Email: [email protected]

Security professional, having more than 11 years of experience in technology in commercial, operational, functional and Project Management roles on multiple large and small projects in global and domestic markets. Experienced in establishing ISMS (Information Security Management System), planning and implementation of large scale CobiT® implementation, ISO: 27001, Risk Management, BCP/DR, BIA, Asset Management, Incident Mgt, Governance and Compliance among others. He is also a member of ISACA, OCEG, iTSMF and co-founder of the Canadian Honeynet Project and Open Security Alliance among others.

Page 29

Contact Information

Registered Office, Mumbai:
12 Oricon House, 14, K. Dubash Marg, Fort, Mumbai 400 001
Tel: +91 22 3253 7579; Fax: +91 22 2288 6152; Email: [email protected]

Technology Centre, Pune:
Trident Towers, 2nd Floor, Pashan Road, Bavdhan, Pune - 411021
Email: [email protected]

Technology Centre, Chennai:
Plot No. 1, Door No. 5, Venkateshwara Street, Dhanalakshmi Colony, Vadapalani, Chennai – 600026
Email: [email protected]

Dubai:
P O Box 5207, Dubai
Email: [email protected]

London:
16-20 Ealing Road, Wembley, Middlesex HA0 4TL
Email: [email protected]

Bahrain * Atlanta

Page 30

Thank You

ICAI, Mumbai