
Security, Privacy, and You: A Report on Today’s Industry Best Practices

James Stanger, PhD, Sr. Director Product Development, CompTIA

John Pescatore, SANS

APRIL 20, 2016

Copyright (c) 2016 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

A little housekeeping

Continuing Education

This webinar is good for (1) CEU credit towards A+, Network+, Security+ & CASP.

After the webinar, you may click on the "Proof of Participation" widget to download a certificate which may be uploaded to your candidate account for activity credit.

Recording

This webinar is being recorded.

You are muted by default; please ask all questions in the Q&A section.

Survey & Feedback

We want your feedback! Please complete the brief survey at the completion of the webinar.

Tweet with Us! @CompTIA #LongLiveIT, #CompTIAWebinar, #CompTIAcertified

On-Demand

Webinar presentation slides and recording link will be available after the webinar.

Q&A & Group Chat

Got a question? Use the Q&A widget

Also, you can chat with other event attendees in the Group Chat widget!


The technology world is awash in controversy concerning security and privacy. Players in the discussion include today’s governments, all major technology vendors, and any company interested in using the Internet of Things.

Agenda

1. Mission and exciting projects; Introduction to SANS
2. Security and Privacy: Issues | Concerns | Policies & Regulations
3. Technologies and Skills: Encryption | Implications for IT pros
4. Q&A

Our Presenters

James Stanger, Senior Director, Products, CompTIA
• Responsible for determining CompTIA’s product roadmap.
• Authority in open source, security, web technologies and blogging

John Pescatore, Director, SANS
• Over 30 years of experience in computer, network and information security
• Was a Security Engineer for the U.S. Secret Service and the National Security Agency.

The voice of the world’s information technology (IT) industry and over 1.5 million IT pros.

CERTIFICATIONS: Largest Provider of Vendor-Neutral IT Certifications. “Three of the ‘Top 10 Certifications That Help IT Workers Get Jobs’ are CompTIA certifications.”*

ASSOCIATION: 4,000+ IT Channel Providers & Partners. A non-profit trade association with more than 4,000 members and business partners. Our members drive our programs through their participation in CompTIA communities, research studies, events, sharing of best practices and more.

PHILANTHROPY: Creating IT Futures Foundation. A 501(c)(3) charitable organization that creates on-ramps for successful IT careers, serving individuals who are underrepresented in IT and lacking in opportunities to be successful in IT, including veterans, youth, and the unemployed.

ADVOCACY: Public Policy & Reform. Our advocacy division encourages collaboration and advancing of legislation that allows the private sector to develop new products and services, find solutions and sell them in the global marketplace.

* Source: The Dice Report, February 2012

COMPTIA CERTIFICATIONS: A Quick Overview

MASTERY LEVEL: CompTIA Advanced Security Practitioner (CASP)

PROFESSIONAL-LEVEL: A+, CDIA+, Cloud+, CTT+, Linux+, Mobility+, Network+, Project+, Security+, Server+

SPECIALTY: Healthcare IT, Cloud Essentials

BEST PRACTICES: IT Fundamentals, CyberSecure


COMPTIA CERTIFICATIONS: A skills-based look at the roadmap

We certify essential skills for the entire IT department “ecosystem”: Systems Analyst, Mobility Engineer, Security Engineer, IA Technician, Project Manager, Help Desk, IT Support Technician, Field Technician, Operating system support, Network Technician.

Security and Privacy


Can’t Renovate the House If the Foundation is Rotten (Source: University of Massachusetts)

Process Focus
• Secure Applications
• IT Operations
• Access Controls
• Records Retention

Technology Focus
• Top 20 Critical Security Controls

People Focus
• Risk Management
• Policy / Program
• Marketing & Communications
• Awareness Training

Figure: UMass Information Security Program. Elements shown: Policy, Legal, and Regulatory Framework (UMass Security Policy, WISP, Mass Privacy, PCI, SOX, HIPAA, FERPA, …); ISO 27002 Foundation; Critical Cyber-security Controls; Management & Communications (MGT); General Computer Controls (GCC); Cyber-security Controls (CSC).


It all starts with safety (Security & Privacy)

SAFETY: Relative freedom from danger, risk, or threat of harm, injury, or loss to personnel and/or property, whether caused deliberately or by accident. See also security.

SECURITY: The prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action. See also safety.

PRIVACY: In general, the right to be free from secret surveillance and to determine whether, when, how, and to whom one’s personal or organizational information is to be revealed.


Cybersecurity & Privacy

• Delivering privacy essentially means enforcing information owners’ rights around the use of their information:
  • Confidentiality
  • Integrity
  • Availability
• However, the definition of those rights depends on:
  • Laws/regulations/norms
  • Owners’ expectations
  • Squirrels!
• Audit/certification
  • Someone else is doing it

Hierarchy of Security/Privacy Needs

Figure: pyramid of needs, levels as shown:
• CYA
  • Address lack of control and abundance of promises/claims
  • Early warning if something is going wrong
• Visibility
• Extension of existing security controls to prevent harm
• Testing of new approaches
• Go back to CYA

Real World Privacy Issues

• Encryption is not privacy penicillin
  • Hard to do well, easy to do badly
  • Key management and trustable directories
• The starting point is really access control:
  • Opt-in vs. Opt-out
  • Need to know vs. need to share
  • Strong authentication!
• The old firewall mantra still applies: “Deny all access except that which is specifically allowed.”
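To make the opt-in vs. opt-out and "deny all except that which is specifically allowed" points concrete, here is an added Python example (not from the webinar or its presenters) that decides the same access request under both models; the medical record store, the principals dr_bob and analyst, the grants and the purposes are all constructed assumptions.

```python
"""Opt-out (default-allow) versus opt-in (default-deny) access decisions.
Constructed example for a hypothetical medical record store; the names,
grants and purposes are assumptions, not the webinar's own material."""
from dataclasses import dataclass, field

@dataclass
class Record:
    owner: str
    category: str                                 # e.g. "medical"
    opted_in: set = field(default_factory=set)    # purposes the owner consented to
    opted_out: set = field(default_factory=set)   # purposes the owner objected to

@dataclass(frozen=True)
class Grant:
    principal: str   # who may access
    category: str    # which data category
    purpose: str     # for what purpose (need to know, not need to share)

def decide_opt_out(record, principal, purpose, authenticated, denylist):
    """Default-allow: access goes through unless something explicitly blocks it,
    so a purpose or principal nobody has thought about yet is allowed."""
    if not authenticated:
        return False
    if purpose in record.opted_out:
        return False
    return (principal, record.category) not in denylist

def decide_opt_in(record, principal, purpose, authenticated, grants):
    """Default-deny ("deny all access except that which is specifically allowed"):
    the owner must have opted in to the purpose AND an explicit grant must exist."""
    if not authenticated:
        return False
    if purpose not in record.opted_in:
        return False
    return Grant(principal, record.category, purpose) in grants

# Constructed sample data: Alice consented only to treatment use; only Dr. Bob holds a grant.
ALICE = Record(owner="alice", category="medical", opted_in={"treatment"})
GRANTS = {Grant("dr_bob", "medical", "treatment")}
DENYLIST = set()   # opt-out world: nobody has been explicitly blocked yet

def compare(principal, purpose, authenticated=True):
    """Return (opt_out_decision, opt_in_decision) for one access request."""
    return (decide_opt_out(ALICE, principal, purpose, authenticated, DENYLIST),
            decide_opt_in(ALICE, principal, purpose, authenticated, GRANTS))

if __name__ == "__main__":
    for who, why in [("dr_bob", "treatment"), ("dr_bob", "research"), ("analyst", "treatment")]:
        print(who, why, compare(who, why))
```

The "research" purpose and the "analyst" principal, which nobody has made a decision about yet, slip through under opt-out and are refused under opt-in; that gap is the one "every new technology opens".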

Personal Safety vs. National Safety

• All societies constantly adjust the balance point between personal rights and national priorities – every new technology opens gaps
• “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety” – Benjamin Franklin, 1755
• See the Communications Assistance for Law Enforcement Act, as opposed to the Clipper Chip

Bottom Line

Privacy is not dead – we are just failing to deliver the security needed to meet privacy needs in the Internet age.

There is no single definition of privacy – country by country at best.

Basic security hygiene is “Get Ready”; Opt-in vs. Opt-out is “Get Set”; Access controls are “Go”.

Encryption isn’t the only form of access control, and isn’t even always the best, but…

To make gains in both security and privacy, every upgrade/transition should move towards stronger authentication and more encryption of stored data.


The Big Picture: Security | Privacy | Anonymity

SECURITY: Freedom from risk or danger. Examples: Pope-mobile; bullet-proof vests.

ANONYMITY: Unidentifiable in one’s actions. Examples: riding the bus during rush-hour; paying with cash.

PRIVACY: Control over one’s PII. Example: students whispering in class.


What is the big deal? (Governments, Phone Providers, Encryption, and Policy)


Why are companies so interested in protecting your privacy?

“91% of American adults say that consumers have lost control over how personal information is collected and used by companies.”

- Privacy and Cybersecurity: Key findings from Pew Research


Experiences With Data Loss

Many are aware of their company experiencing some type of loss of confidential data through carelessness or negligence in the past 12 months.

Figure: Experiences With Data Loss (share of respondents): No/Don’t know 41%; Yes, probably 35%; Yes, definitely 24%.

Source: CompTIA International IT Security Trends | Overall results, n=1,509 and n=850 who had a loss

Types of Data Lost
• Employee data
• Financial data
• Customer records
• Intellectual property

Top Areas Where Managers Plan to Improve DLP
• Mobile file encryption
• Two-step authentication
• Spyware prevention
• Device safety policy enforcement/creation


Do we have the right to be forgotten?


Privacy and Data Protection by Country. Data Privacy Heat Map: http://heatmap.forrestertools.com/


How does basic encryption work? (Diving into Encryption)


Mobile devices (Diving into Encryption)


Encryption Layers (Diving into Encryption)

Figure: Encryption in the IT Stack

Data-at-Rest Encryption Layer   US Regulatory Guidance   Market Adoption   Attacks Mitigated   Deployment Challenges
Application-level               No                       Low               P, L, A             D, C, F
Database-level                  No                       Low               P, L, A*            S, C
File and folder                 Yes*                     Medium            P, L, A             S
Storage volume                  No                       Medium            P                   S
Backup media                    No                       Medium            P                   S
End user device                 Yes                      High              P                   S

KEY. Attacks: P = Physical, L = Logical, A = Admin. Challenges: D = Develop, C = Compatibility, S = Platform Support, F = Feature loss. * = Limited.


What Are the Implications?

Thank You. Time for a little Q&A.

Certification.CompTIA.org