Security, Privacy, and You: A Report on Today’s Industry Best Practices
James Stanger, PhD, Sr. Director Product Development, CompTIA
John Pescatore, SANS
April 20, 2016
Copyright (c) 2016 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
A little housekeeping
Continuing Education
This webinar is good for (1) CEU credit towards A+, Network+, Security+ & CASP.
After the webinar, you may click on the "Proof of Participation" widget to download a certificate which may be uploaded to your candidate account for activity credit.
Recording
This webinar is being recorded.
You are muted by default; please ask all questions in the Q&A section.
Survey & Feedback
We want your feedback! Please complete the brief survey at the completion of the webinar.
Tweet with us! @CompTIA #LongLiveIT, #CompTIAWebinar, #CompTIAcertified
On-Demand
The webinar presentation slides and a recording link will be available after the webinar.
Q&A & Group Chat
Got a question? Use the Q&A widget
Also, you can chat with other event attendees in the Group Chat widget!
The technology world is awash in controversy concerning security and privacy. Players in the discussion include today’s governments, all major technology vendors, and any company interested in using the Internet of Things.
Agenda
1. Security and Privacy: mission and exciting projects; introduction to SANS
2. Issues | Concerns | Policies & Regulations
3. Technologies and Skills: Encryption | Implications for IT pros
4. Q&A
Our Presenters
James Stanger, Senior Director, Products, CompTIA
• Responsible for determining CompTIA’s product roadmap.
• Authority in open source, security, web technologies and blogging
John Pescatore, Director, SANS
• Over 30 years of experience in computer, network and information security
• Was a Security Engineer for the U.S. Secret Service and the National Security Agency.
CERTIFICATIONS: Largest Provider of Vendor-Neutral IT Certifications
“Three of the “Top 10 Certifications That Help IT Workers Get Jobs” are CompTIA certifications.”*
ASSOCIATION: 4,000+ IT Channel Providers & Partners
A non-profit trade association with more than 4,000 members and business partners. Our members drive our programs through their participation in CompTIA communities, research studies, events, sharing of best practices and more.
PHILANTHROPY: Creating IT Futures Foundation
A 501(c)(3) charitable organization that creates on-ramps for successful IT careers, serving individuals who are underrepresented in IT and lacking in opportunities to be successful in IT, including veterans, youth, and the unemployed.
ADVOCACY: Public Policy & Reform
Our advocacy division encourages collaboration and the advancement of legislation that allows the private sector to develop new products and services, find solutions and sell them in the global marketplace.
* Source: The Dice Report, February 2012
The voice of the world’s information technology (IT) industry and over 1.5 million IT pros.
COMPTIA CERTIFICATIONS: A Quick Overview
MASTERY LEVEL: CompTIA Advanced Security Practitioner (CASP)
PROFESSIONAL-LEVEL: A+, CDIA+, Cloud+, CTT+, Linux+, Mobility+, Network+, Project+, Security+, Server+
SPECIALTY: Healthcare IT, Cloud Essentials
BEST PRACTICES: IT Fundamentals, CyberSecure
COMPTIA CERTIFICATIONS: A skills-based look at the roadmap
We certify essential skills for the entire IT department “ecosystem”:
• Systems Analyst
• Mobility Engineer
• Security Engineer
• IA Technician
• Project Manager
• Help Desk / IT Support Technician
• Field Technician
• Operating system support
• Network Technician
Can’t Renovate the House If the Foundation is Rotten (source: University of Massachusetts)
UMass Information Security Program
Process Focus
• Secure Applications
• IT Operations
• Access Controls
• Records Retention
Technology Focus
• Top 20 Critical Security Controls
People Focus
• Risk Management
• Policy / Program
• Marketing & Communications
• Awareness Training
Foundation (ISO 27002 foundation; critical cyber-security controls):
• Policy, Legal, and Regulatory Framework (UMass Security Policy, WISP, Mass Privacy, PCI, SOX, HIPAA, FERPA, …)
• Management & Communications (MGT)
• General Computer Controls (GCC)
• Cyber-security Controls (CSC)
SECURITY & PRIVACY: It all starts with safety
SAFETY: Relative freedom from danger, risk, or threat of harm, injury, or loss to personnel and/or property, whether caused deliberately or by accident. See also security.
SECURITY: The prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action. See also safety.
PRIVACY: In general, the right to be free from secret surveillance and to determine whether, when, how, and to whom one’s personal or organizational information is to be revealed.
Cybersecurity & Privacy
• Delivering privacy essentially means enforcing information owners’ rights around the use of their information:
  • Confidentiality
  • Integrity
  • Availability
• However, the definition of those rights depends on:
  • Laws/regulations/norms
  • Owners’ expectations
  • Squirrels!
Hierarchy of Security/Privacy Needs (bottom to top)
• CYA
  • Audit/certification
  • Someone else is doing it
• Visibility
  • Address lack of control and abundance of promises/claims
  • Early warning if something is going wrong
• Extension of existing security controls to prevent harm
• Testing of new approaches
• Go back to CYA
Real World Privacy Issues
• Encryption is not privacy penicillin
  • Hard to do well, easy to do badly
  • Key management and trustable directories
• The starting point is really access control:
  • Opt-in vs. Opt-out
  • Need to know vs. need to share
  • Strong authentication!
• The old firewall mantra still applies: “Deny all access except that which is specifically allowed.”
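As an added example (not code from the webinar or from CompTIA/SANS), the following Python policy evaluator turns the slide’s points into working logic: every access to personal data is denied unless an explicit allow rule matches, the rule is gated on strong authentication, and the consent model (opt-in vs. opt-out) decides whether a rule may be used at all. Every refusal is recorded, which is the “early warning” kind of visibility the hierarchy slide asks for. All roles, purposes, principals and records are constructed for this illustration.

```python
"""Default-deny access control with opt-in/opt-out consent and strong authentication.

Added example, not from the CompTIA/SANS slides. Roles, purposes, principals
and records are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: str
    owner: str
    classification: str   # e.g. "PII"
    consented: frozenset  # purposes the owner explicitly agreed to (opt-in model)
    opted_out: frozenset  # purposes the owner explicitly refused (opt-out model)


@dataclass(frozen=True)
class AllowRule:
    role: str
    classification: str
    purpose: str
    requires_mfa: bool = True  # sensitive data is only reachable with strong authentication


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset
    mfa_verified: bool


# The only paths to PII; anything not listed here is denied (constructed policy).
POLICY = (
    AllowRule("support", "PII", "account-service"),
    AllowRule("analytics", "PII", "marketing"),
)

# Every refusal is kept: a sudden rise in denials is an early warning worth looking at.
DENIALS = []


def authorize(principal, record, purpose, consent_model="opt-in", policy=POLICY):
    """Return (allowed, reason). The default answer is deny; a rule must match explicitly."""
    decision = _evaluate(principal, record, purpose, consent_model, policy)
    if not decision[0]:
        DENIALS.append((principal.user, record.record_id, purpose, decision[1]))
    return decision


def _evaluate(principal, record, purpose, consent_model, policy):
    # The information owner keeps control of their own record.
    if principal.user == record.owner:
        return True, "owner"
    for rule in policy:
        if (rule.role in principal.roles
                and rule.classification == record.classification
                and rule.purpose == purpose):
            if rule.requires_mfa and not principal.mfa_verified:
                return False, "strong authentication required"
            # Same rule, different consent model, different answer.
            if consent_model == "opt-in" and purpose not in record.consented:
                return False, "owner has not opted in to this purpose"
            if consent_model == "opt-out" and purpose in record.opted_out:
                return False, "owner has opted out of this purpose"
            return True, f"allowed by rule {rule.role}/{rule.purpose}"
    return False, "no matching allow rule (default deny)"


# Constructed sample data for a stand-alone run.
ALICE_RECORD = Record("rec-1", "alice", "PII",
                      consented=frozenset({"account-service"}), opted_out=frozenset())
FRANK_RECORD = Record("rec-2", "frank", "PII",
                      consented=frozenset(), opted_out=frozenset({"marketing"}))
SUPPORT_MFA = Principal("bob", frozenset({"support"}), mfa_verified=True)
SUPPORT_NO_MFA = Principal("carol", frozenset({"support"}), mfa_verified=False)
ANALYST_MFA = Principal("dave", frozenset({"analytics"}), mfa_verified=True)
ADMIN = Principal("erin", frozenset({"admin"}), mfa_verified=True)  # no rule covers "admin"

if __name__ == "__main__":
    cases = [
        (SUPPORT_MFA, ALICE_RECORD, "account-service", "opt-in"),
        (SUPPORT_NO_MFA, ALICE_RECORD, "account-service", "opt-in"),
        (ANALYST_MFA, ALICE_RECORD, "marketing", "opt-in"),
        (ANALYST_MFA, ALICE_RECORD, "marketing", "opt-out"),
        (ANALYST_MFA, FRANK_RECORD, "marketing", "opt-out"),
        (ADMIN, ALICE_RECORD, "account-service", "opt-in"),
    ]
    for who, rec, purpose, model in cases:
        allowed, reason = authorize(who, rec, purpose, consent_model=model)
        print(f"{who.user:6} {rec.record_id:6} {purpose:16} {model:7} -> {allowed!s:5} {reason}")
    print(f"{len(DENIALS)} denials recorded")
```

Note that the analytics request for Alice’s record is refused under opt-in and granted under opt-out with no change to the policy itself; that gap is the reason the slide lists the consent model as a decision to make before any encryption is chosen.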
Personal Safety vs. National Safety
• All societies constantly adjust the balance point between personal rights and national priorities; every new technology opens gaps
• “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety” – Benjamin Franklin, 1755
• See Communications Assistance to Law Enforcement Act, as opposed to the Clipper Chip
Bottom Line
Privacy is not dead; we are just failing to deliver the security needed to meet privacy needs in the Internet age.
There is no single definition of privacy; it is defined country by country at best.
Basic security hygiene is “Get Ready”
Opt-in vs Opt-out is “Get Set”
Access controls are “Go”
Encryption isn’t the only form of access control, and isn’t even always the best, but…
To make gains in both security and privacy, every upgrade/transition should move towards stronger authentication and more encryption of stored data.
THE BIG PICTURE: Security | Privacy | Anonymity
SECURITY: Freedom from risk or danger (examples: the Pope-mobile; bullet-proof vests)
ANONYMITY: Unidentifiable in one’s actions (examples: riding the bus during rush hour; paying with cash)
PRIVACY: Control over one’s PII (example: students whispering in class)
GOVERNMENTS, PHONE PROVIDERS, ENCRYPTION, AND POLICY: What is the big deal?
Why are companies so interested in protecting your privacy?
“91% of American adults say that consumers have lost control over how personal information is collected and used by companies.”
- Privacy and Cybersecurity: Key findings from Pew Research
Experiences With Data Loss
Many are aware of their company experiencing some type of loss of confidential data through carelessness or negligence in the past 12 months.
Figure: bar chart of responses (No/Don't know; Yes, probably; Yes, definitely) with values of 41%, 35% and 24%.
Source: CompTIA International IT Security Trends | Overall results, n=1,509 and n=850 who had a loss
Types of Data Lost
• Employee data
• Financial data
• Customer records
• Intellectual property
Top Areas Where Managers Plan to Improve DLP
• Mobile file encryption
• Two-step authentication
• Spyware prevention
• Device safety policy enforcement/creation
Do we have the right to be forgotten?
Privacy and Data Protection by Country (Data Privacy Heat Map: http://heatmap.forrestertools.com/)
DIVING INTO ENCRYPTION: How does basic encryption work?
DIVING INTO ENCRYPTION: Mobile devices
DIVING INTO ENCRYPTION: Encryption Layers
Figure: Encryption in the IT Stack

Data-at-Rest Encryption Layer | US Regulatory Guidance | Market Adoption | Attacks Mitigated | Deployment Challenges
Application-level             | No                     | Low             | P, L, A           | D, C, F
Database-level                | No                     | Low             | P, L, A*          | S, C
File and folder               | Yes*                   | Medium          | P, L, A           | S
Storage volume                | No                     | Medium          | P                 | S
Backup media                  | No                     | Medium          | P                 | S
End user device               | Yes                    | High            | P                 | S

Key. Attacks: P = Physical, L = Logical, A = Admin. Deployment challenges: D = Develop, C = Compatibility, S = Platform Support, F = Feature loss. * = Limited.
WHAT ARE THE IMPLICATIONS?