Posted on 05-Jan-2016
DataCentric Security and your users
Michelle Drolet, CEO
October 20, 2011
Discussion topics
• What is “datacentric security?”
• Overview
– Risk management, threat management, compliance management
– Compliance
– Overall security plan, program, architecture, organizational security posture, awareness/training, communications
• Q&A
A “textbook” definition
• Security – Developing, implementing and maintaining a program and plans to protect the confidentiality, integrity, and availability (and authentication or accountability) of information assets, thereby enabling the organization to carry out its mission.
The information security triad:
C/I/A, and sometimes C/I/A + A (A = Accountability or Authentication)
Some unfortunate “infosec” realities
• Anyone connecting to the Internet – with any device – is under constant “cyberattack” by:
– Organized cybercriminals, “hacktivists,” and nation-states conducting “cyberwarfare”
– Attack toolkits with users guides are readily available to anyone – no technical background required
• Malware has grown in number of variants, sophistication, targets and motivation
– Conventional wisdom no longer valid, such as “only visit well-known and respected sites”
– 80% of malware was served up by “legitimate” websites (Sophos)
• Attack surfaces have increased dramatically with the introductions of new consumer gadgets:
– iPhone/Android, iPod Touch, iPad and other tablets, rogue WAPs, unsecured WiFi, user-owned devices, lost or stolen devices, etc.
Some unfortunate “infosec” realities (cont’d)
• Compliance requirements continue to become more onerous – and have more enforcement “teeth”
– HITECH for Business Associates, MA 201 CMR 17.00, and others
– Data breaches at non-compliant organizations will result in regulatory audit, civil and even criminal penalties
– Regulatory legalese is lengthy and complex; requirements are ambiguous and/or overlapping
– All organizations – regardless of size – must demonstrate due diligence and make every effort to comply
– Compliance AND non-compliance can “break the bank” for SMBs
• Social networks, fake AV, other scams fool users into click-jacking or Trojan schemes – even home burglary and other crimes due to information over-sharing
DataCentric Security
• 1st: Management buy-in
• 2nd: Develop a repeatable program
• 3rd: Document
• 4th: Get users on board
• 5th: Test controls, and test again
Towerwall’s 4E Methodology
Evaluate, Establish, Educate, Enforce
People, Process, Technology
Use case: DataCentric Security “the beginning”
Evaluate
• Data inventory and classification
• Infrastructure and desktop utilization reviews
• IT asset and configuration management
• Compliance
• Other organizational / cultural issues
What are the expected risks and benefits of implementing a data security program?
Use case: DataCentric Security and the Program
Establish
• Administrative
• Policies
• Physical
• Technical
What controls are needed to realize the benefits and mitigate the risks for a data protection program?
Use case: Users and DataCentric Security
Educate
• Expectations of workforce member behaviors documented in policies, procedures, processes
• Violation sanctions / disciplinary actions
• Reporting suspicious behaviors / incidents / risks
• Practicing “safe computing” habits
What knowledge and behaviors does the organization expect the workforce to understand and apply to daily work activities?
Use case: DataCentric Security
Enforce
• What do the administrative, physical and technical controls tell us about required vs. actual behaviors?
• Logging and monitoring
• Required disclosure reporting
• Incident response and related processes
• Other compliance and cultural issues
What options does the organization have for protecting data in a VM and/or cloud environment?
Risk Management
• Assess current risks relative to your information assets;
• Compare those risks to your information security program;
• Identify gaps or overlaps (under- or over-investment) in your existing information security program;
• Develop and implement a plan to remediate risks and align your security program with your current needs;
• Re-assess and remediate at least annually – and anytime a substantive business model, compliance, or information asset-related change occurs.
Compliance Management
• Internal compliance (company-mandated policies and procedures);
• External compliance (regulatory mandates);
• Internal IP / trade secret classification and labeling (optional);
• Regular assessments, remediation, scanning, audit reporting, etc.
Putting it all together
• Management buy-in
• Determine what needs to be protected
• Poke holes
• Establish a security roadmap
• Remediate
• User Awareness
• Continued vigilance
= Success
Quote of the day
"People are the weakest link. You can have the best technology, firewalls, intrusion detection systems, biometric devices - and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything."
- Kevin Mitnick, author of “The Art of Deception” and other social engineering classics
Q&A
Comments? Questions?
Putting it all together
• Towerwall and its strategic partners offer consulting services and products that simplify unwieldy issues:
– Vulnerability scans and sophisticated penetration tests (including social engineering/spear phishing components)
– Regulations are boiled down to digestible lists of requirements
– Gap analyses provide recommendations and relative risk priorities
• Towerwall applies its 4E methodology to every engagement
• Please visit our new web site at www.towerwall.com for more information on the products/services we offer