idc presentation sept 2014 croke park sept25

Compliance v Best Practice, IDC - September 2014

Upload: denis-hackett

Post on 25-Jan-2017


TRANSCRIPT

Page 1: IDC Presentation Sept 2014 Croke Park Sept25

Compliance v Best Practice

IDC - September 2014

Page 2

Today's threat-intensive landscape means we face ever-increasing demands to meet the security requirements of the environment in which we operate. In trying to meet those requirements, is it enough to be

Compliant with Regulations

or should we strive to

Implement Best Practice?

Page 3

What are the Regulations?

The Data Protection Acts do not specify in detail the security measures that a data controller or data processor must have in place.

DP regulations place an obligation on data controllers to have "Appropriate Security Measures" in place to prevent unauthorised access to the data.

Common Criteria for Information Technology Security Evaluation: an international security standard that combines the earlier US, EU and Canadian standards. It discusses security using a set of concepts and terminology; however, these concepts are quite general and are not intended to restrict the security problems to which the CC applies.

Page 4: IDC Presentation Sept 2014 Croke Park Sept25

HearthlandHearthland

This industry has a Data Security Standard, PCI DSS, to which companies must comply. Hearthland had PCI DSS Certification

Even with Compliance Certification, they were breached. Which lead to a suspension from the industry, and a fine of $60 Million.

4

When damage analyses, loss of creditability, When damage analyses, loss of creditability, future damage prevention were taken into future damage prevention were taken into

account the cost more than doubled. account the cost more than doubled.

Is a company that operates in the Payment Card Industry. They have complex high-performance ICT systems.

It transpired that the cost of the breach far exceeded $60 Million.

Page 5

Target Profit Falls as retailer continues to pay for data breach

Target's data breach last year (Nov 2013) resulted in the loss of personal information for 70 million customers.

The retailer said on Aug. 5 that it expected a cost of $148 million in the second quarter to cover most of the remaining breach-related claims. That brings Target's total expenses from the breach thus far to $235 million.

Page 6

In an environment such as those described, can you or your business afford not to make every effort to:

Prevent

Manage

Contain

the growing number of threats to our systems and networks?

Page 7

UK Government Recommendations

UK companies have been told by Government ministers to increase their efforts in the battle against cybercrime after a government study showed industrial espionage and intellectual property theft were costing the economy STG17 billion a year.

They called on businesses to build military-style "situational awareness" into their networks, saying that many companies in this country "can't tell the difference between normal and abnormal functioning".

Page 8

What Can We Do?

Best Practice goes beyond basic requirements and seeks to prevent the threats by being proactive.

• Intrusion Detection Systems
• Unified Threat Management
• Code Analysis & Vulnerability Detection
• Requirements on Portable Media
• Audit Trails

A critical element of all security preparations is an Incident Response Plan.

Page 9

Intrusion Detection Systems

An intrusion detection system (IDS) acts as an internal alarm system that monitors and reports on malicious activity on a network.

These systems know what normal system activity looks like and can determine when abnormal activity occurs.

IDSs monitor network traffic for distinctive patterns associated with attacks on servers (signature-based detection), or for traffic patterns well outside the norm for a particular network (anomaly-based detection).

Page 10

Intrusion Detection Systems

Many IDS products can also respond to a detected threat by attempting to prevent it from succeeding; in that mode they are usually called intrusion prevention systems (IPS).

They use several response techniques, such as reconfiguring the firewall or altering the attack's content.

Without this type of monitoring, we only know something is wrong when we learn that all our client details have been stolen or large amounts of data destroyed, i.e.

When it's Too Late
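The two detection modes described above (matching distinctive attack patterns, and flagging traffic well outside the norm), as an added example that is not part of the presentation: a small Python detector run over constructed web-server access-log lines. The IP addresses, log lines, signature rules and the baseline request counts are all made up for illustration; a real IDS learns its baseline from the network it watches and carries far larger rule sets.

```python
"""Added example (not from the presentation): signature- and anomaly-based
detection over constructed Common Log Format access-log lines."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample traffic: 198.51.100.7 is a normal client, 203.0.113.9
# probes for SQL injection and path traversal, 203.0.113.42 floods /login.
SAMPLE_LOG = (
    '198.51.100.7 - - [25/Sep/2014:09:00:01 +0100] "GET /index.html HTTP/1.1" 200 5120\n'
    '198.51.100.7 - - [25/Sep/2014:09:00:14 +0100] "GET /about.html HTTP/1.1" 200 2210\n'
    '203.0.113.9 - - [25/Sep/2014:09:00:20 +0100] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812\n'
    '203.0.113.9 - - [25/Sep/2014:09:00:21 +0100] "GET /files?name=../../etc/passwd HTTP/1.1" 404 310\n'
    '203.0.113.9 - - [25/Sep/2014:09:00:22 +0100] "GET /search?q=1%20UNION%20SELECT%20card_no%20FROM%20cards HTTP/1.1" 500 120\n'
    + "".join(
        f'203.0.113.42 - - [25/Sep/2014:09:01:{s:02d} +0100] "GET /login HTTP/1.1" 200 812\n'
        for s in range(30)
    )
)

# Constructed baseline: requests per client per minute seen during a quiet period.
BASELINE_PER_MINUTE = [2, 3, 1, 4, 2, 3]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

# Signature rules: distinctive attack patterns, matched against the decoded URL.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)('\s*or\s*'|\bunion\s+select\b)"),
    "path-traversal": re.compile(r"\.\./"),
}


def parse_line(line):
    """Split one access-log line into the fields the detectors need, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    # ts looks like 25/Sep/2014:09:00:01 +0100; the first 17 chars are the minute.
    return {"ip": ip, "minute": ts[:17], "method": method,
            "path": unquote(path), "status": int(status)}


def signature_alerts(lines):
    """Signature-based detection: (ip, rule, decoded path) for each matching request."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def anomaly_alerts(lines, baseline_counts, sigmas=3.0):
    """Anomaly-based detection: (ip, minute, count) for any client whose
    requests in one minute exceed baseline mean + sigmas * std-dev."""
    threshold = statistics.mean(baseline_counts) + sigmas * statistics.pstdev(baseline_counts)
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets[(rec["ip"], rec["minute"])] += 1
    return [(ip, minute, n) for (ip, minute), n in sorted(buckets.items()) if n > threshold]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in signature_alerts(lines):
        print("SIGNATURE", *alert)
    for alert in anomaly_alerts(lines, BASELINE_PER_MINUTE):
        print("ANOMALY  ", *alert)
```

The signature rules only fire on requests they were written for (the probing client's three requests), while the flood from 203.0.113.42 carries no attack string at all and is caught only because thirty requests a minute is far beyond the constructed baseline. That is why the slide's "knows what normal looks like" matters: without the baseline the flood is invisible, and without signatures the single crafted request is.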

Page 11: IDC Presentation Sept 2014 Croke Park Sept25

Unified Threat Unified Threat ManagementManagement

11

Most companies will have various security devices deployed throughout their networks, including the following.

Firewall Firewall

Antivirus Antivirus

Anti-spam Anti-spam

Web ProtectionWeb Protection

WiFi ProtectionWiFi Protection

Content filteringContent filtering

A problem that can exists here is, that these products may not be operating in an integrated manner. This can give rise to gaps in security provision.

Page 12

Unified Threat Management

UTM provides joined-up security management.

• With UTM, rather than deploying multiple systems that each handle an individual function, you can deploy a single appliance that manages all your security requirements.

• UTMs offer consolidated reporting on the state of a network and its associated infrastructure; separate systems do not.

• Many UTM providers allow the client to customise their provision to suit their needs, i.e. deploy only what is necessary for your organisation, or deploy remotely.

The trade-off is that the single appliance becomes a single point of failure and a single point of compromise, so it needs the same patching and monitoring discipline as the devices it replaces.

Page 13: IDC Presentation Sept 2014 Croke Park Sept25

Code Analyses &Code Analyses &Vulnerability DetectionVulnerability Detection

Most organisations use add-on applications, developed in-house or from third-party providers, to support their main software systems, i.e. to assist in the provision of a full suite of functionality.

We all test these applications prior to release, however in many cases our tests focus mostly on issues like “Does it Work” or “Can it Handle Incorrect Input”, etc.

13

Our testing may not give enough attention to possible security vulnerabilities within these apps.

Page 14: IDC Presentation Sept 2014 Croke Park Sept25

Code Analyses &Code Analyses &Vulnerability DetectionVulnerability Detection

Even small errors in design can create critical vulnerabilities that allow hackers to breach the system. Typically, there would be hundreds of vulnerabilities introduced during the design and coding process.

14

To address this, many organisations are implementing To address this, many organisations are implementing Secure Development LifecyclesSecure Development Lifecycles

SDL analyses each line of code for Security Correctness, not business logic. SDL Verifies that functions such as Authentication, Data Logging, Encryption, are implemented correctly from a security perspective.

With code analysis, critical vulnerabilities can be eliminated.
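A concrete illustration of the gap between "does it work" testing and security-focused code analysis, as an added example that is not part of the presentation: two versions of a constructed Python lookup function, a functional test that both pass, an injection test that only the hardened version passes, and a minimal static check (using Python's `ast` module) of the kind an SDL code-analysis gate would run. The function, the table, the inputs and the sink list are made up for illustration; real static analysers track far more sources and sinks than this.

```python
"""Added example (not from the presentation): functional test vs security test
vs static analysis for one constructed SQL lookup function."""
import ast
import sqlite3

# Constructed snippets under analysis: identical behaviour on well-formed
# input, but the first builds its query by string formatting.
VULNERABLE_SRC = '''
def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '%s'" % username)
    return cur.fetchall()
'''

HARDENED_SRC = '''
def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''

# DB-API calls that take a query string: the sinks the static check inspects.
SQL_SINKS = {"execute", "executemany", "executescript"}


def _built_at_runtime(node):
    """True if the expression assembles a string from parts (f-string, %, .format, +)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def find_sql_sinks_with_dynamic_query(source):
    """Static check: report sink calls whose first argument is not a constant query."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _built_at_runtime(node.args[0])):
            findings.append((node.lineno, f"{node.func.attr}() receives a query built at runtime"))
    return findings


def _load(source):
    """Compile a snippet and give it a throwaway in-memory database."""
    ns = {}
    exec(source, ns)  # the snippets are constructed in this file, so this is trusted text
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return ns["find_user"], conn


def functional_test(source):
    """'Does it work?' -- the only question many release tests ask."""
    find_user, conn = _load(source)
    return find_user(conn, "alice") == [(1,)]


def rows_leaked_by_injection(source):
    """Security test: a crafted name must not turn the lookup into 'every row'."""
    find_user, conn = _load(source)
    return len(find_user(conn, "x' OR '1'='1"))


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, "functional:", functional_test(src),
              "rows leaked:", rows_leaked_by_injection(src),
              "static findings:", find_sql_sinks_with_dynamic_query(src))
```

Both snippets pass the functional test, so a release process that stops there ships the injectable one. The injection test exposes it at runtime (two rows returned for a name that matches nobody), and the static check finds it without running anything, which is what lets an SDL gate block the commit before a tester ever sees it.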

Page 15

Portable Media & Data Protection

With mobility comes an increase in inherent dangers, i.e. loss, theft or compromise of mobile devices.

Data Protection Commissioner: "There is no excuse for any organisation placing personal data on a portable device without securing that device properly."

The DPC says it is not possible to be prescriptive about the standard of encryption required on particular devices; however, 256-bit whole-disk encryption is viewed as an acceptable standard.

Memory wipe capability should also be present.

Page 16: IDC Presentation Sept 2014 Croke Park Sept25

Audit TrailsAudit Trails

Security Policies are undermined if the system cannot provide information on network activity. Systems should record:

16

It should also record activities such as, failed attempts to Log on, attempts to access additional parts of the network, etc.

• What users are Logged on• The time and location of Log on / Log out• What files were accessed• File alterations, and by who• File uploads, downloads, deletions.
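One way to implement such an audit trail, as an added example that is not part of the presentation: a Python recorder that captures the fields listed above for each event, chains every record to the previous one with a SHA-256 hash so that an intruder who edits or removes an earlier record breaks the chain, and a helper that reports the repeated failed logons the slide says should be recorded. The event stream, user names, addresses and the failure threshold are constructed for illustration; the hash chain is an added design choice, not something the slide specifies.

```python
"""Added example (not from the presentation): a hash-chained audit trail and a
failed-logon report over constructed events."""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # stands in for the hash of the record before the first one


class AuditTrail:
    def __init__(self):
        self.records = []   # list of (json_body, sha256_hex); stand-in for an append-only file
        self._head = GENESIS

    def record(self, ts, user, action, source, target=None, outcome="success"):
        """Append one event: who, when, from where, what was touched, and the result."""
        event = {"ts": ts, "user": user, "action": action, "source": source,
                 "target": target, "outcome": outcome, "prev": self._head}
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.records.append((body, digest))
        self._head = digest
        return digest

    def verify(self):
        """Index of the first record that breaks the chain, or -1 if it is intact."""
        prev = GENESIS
        for i, (body, digest) in enumerate(self.records):
            if hashlib.sha256(body.encode()).hexdigest() != digest:
                return i            # body edited without recomputing its digest
            if json.loads(body)["prev"] != prev:
                return i            # an earlier record was edited or removed
            prev = digest
        return -1

    def failed_logons(self, threshold=3):
        """Users with at least `threshold` failed logon attempts (threshold is constructed)."""
        counts = Counter()
        for body, _ in self.records:
            ev = json.loads(body)
            if ev["action"] == "logon" and ev["outcome"] == "failure":
                counts[ev["user"]] += 1
        return {user: n for user, n in counts.items() if n >= threshold}


def build_sample_trail():
    """Constructed morning of activity covering the fields the slide lists."""
    t = AuditTrail()
    t.record("2014-09-25T09:00:01", "alice", "logon", "10.0.0.5")
    t.record("2014-09-25T09:00:30", "alice", "read", "10.0.0.5", "/finance/q3.xlsx")
    t.record("2014-09-25T09:02:10", "alice", "download", "10.0.0.5", "/finance/q3.xlsx")
    for sec in range(4):
        t.record(f"2014-09-25T09:05:{sec:02d}", "mallory", "logon", "203.0.113.9", outcome="failure")
    t.record("2014-09-25T09:06:00", "mallory", "access", "203.0.113.9", "/admin", outcome="denied")
    t.record("2014-09-25T09:30:00", "alice", "logoff", "10.0.0.5")
    return t


def tampered_copy(trail, index, field, value):
    """Simulate an intruder rewriting one record and recomputing that record's digest."""
    copy = AuditTrail()
    copy.records = list(trail.records)
    ev = json.loads(copy.records[index][0])
    ev[field] = value
    body = json.dumps(ev, sort_keys=True)
    copy.records[index] = (body, hashlib.sha256(body.encode()).hexdigest())
    return copy


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact chain verifies at:", trail.verify())           # -1
    print("failed logons:", trail.failed_logons())               # {'mallory': 4}
    forged = tampered_copy(trail, 2, "action", "read")           # hide the download
    print("tampered chain breaks at record:", forged.verify())   # 3
```

The chain only proves that nothing before the head was altered. An intruder with write access who rewrites every record from the edited one to the end, or who simply truncates the tail, leaves a chain that still verifies, so the current head digest must be anchored somewhere the intruder cannot reach (forwarded to a separate log host, or written to write-once storage) and compared against it during review. Hashing also protects integrity only; the records themselves still need access control if they contain personal data.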

Page 17: IDC Presentation Sept 2014 Croke Park Sept25

Incident Incident Response Response PlanPlan

How to determine if you have suffered a data breach  Who must be informed in the event of data loss Who is responsible for dealing with an incident The actions to be taken in such a situation Backup & Recovery Procedures

17

Even with the best designed systems, breaches can occur. A critical part of any security policy is the measures to be taken in the event of a breach. A Incident Response Plan will typically specify:

Incident Response Plans should also have the approval of the Data Commissioner's Office.

Page 18

It's not just random attempts at overcoming security on some network or system. Many attacks are carried out on specific targets because of the data they hold.

Some organisations, in particular those in the financial industry, are subject to constant vulnerability probing.

"It's not a question of whether you will be breached, but when, and how you respond to it."

"Adhering to checklists does not build security into the organization. It gives a false sense of reliance that security has been achieved through a piece of paper."