spiritualists, magicians and security vendors
DESCRIPTION
After a journey through the history of spiritualists and homeopaths, and the magicians that debunk them, Chris reveals six tips for privacy officers to use when dealing with information security vendors and professionals.

TRANSCRIPT
Spiritualists, Magicians and Security Vendors
Gaining an Advantage in Security and Privacy
ICE Conference, 5 November 2012 – Edmonton
Chris Hammond-Thrasher, Associate Director, Consulting
Security, Privacy and Compliance, Fujitsu Canada
Active ingredient: Anas Barbariae Hepatis et Cordis extractum 200C
Worm.Win32.Flame Hits in 1 Week – March 2012
Six Steps to Computer Security
For IT Professionals
“How To Not Fall for the Hype”
#1 Why Is There No P in SDLC?
Recently it has become popular to plan to address security requirements through all phases of the IT system lifecycle – from planning to operationalization. This is commonly referred to as the “Secure Development Lifecycle” or SDLC. However, privacy requirements are not the same as information security requirements. What if privacy needs were also considered in all phases?
#2 Threat / Countermeasure
Threat modeling is a staple item in security engineering. Put briefly, threat modeling entails describing all of the threats that you plan to defend against (the threat model), followed by planning a suite of countermeasures to manage all of the identified threats. For privacy professionals, the problem is that the threat models created by security professionals often miss significant privacy threats. It can be valuable to create a privacy threat model.
OWASP Risk Model
Example risk model from the slide, with the entries grouped under the OWASP column headings (the slide's row-by-row links are not recoverable from the extracted text):

- Threat Agents: Criminal, APT, Insider
- Attack Vectors: Message forgery, Plaintext messages, Message sniffing, Fraudulent message
- Security Weaknesses: Cannot detect forged messages, Cannot detect fraud messages
- Security Controls: Message logging, Message signatures, Message encryption, Fraud detection, Network zones, Data Loss Prevention, End-point validation
- Technical Impacts: ESB DoS, Personal Info disclosed, Funds transferred, Enterprise service disruption
- Business Impacts: Customer $, Reputational capital, Privacy compliance breach
#3 And You Log That, Right?
Security and system administrators need to understand event logging requirements from both a security and privacy perspective. They need to know exactly which data elements need to be logged and the length of time that these logs need to be retained. Privacy logging requirements alone can make the difference in selecting one solution over another. Do not wait until it is too late to understand the business’ logging needs.
#4 Show Me!
If you are serious about protecting privacy, you cannot take a security vendor’s word that something works the way it is supposed to. You cannot even go by the word of your organization’s own security and system administrators – you must test and you must audit. And testing and auditing should not be limited to prevention – do not wait for an incident to occur before you find out that you do not have the information required to support the investigation.
#5 Plan for Failure
The cornerstone of safety engineering is planning for systems to fail. Security and privacy professionals can influence system design and configuration so that when breaches inevitably occur, the resulting damage can be minimized. Model, test and audit defensive failures. Design detective controls that facilitate the detection of security failures.
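As an added illustration of the threat/countermeasure model in #2 and the detective-control point in #5 (example code written for this page, not from the talk or from Fujitsu), the script below builds a small threat model from the slide's own terms, with the links between agents, vectors, weaknesses and controls assumed, and reports which threat paths have no detective control, flagging the privacy-relevant ones:

```python
"""Coverage check over a small threat model written in the slide's vocabulary; the
links between agents, vectors, weaknesses and controls below are constructed, not from the talk."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    kind: str          # "preventive" stops the attack; "detective" reveals it
    covers: frozenset  # security weaknesses this control addresses

@dataclass(frozen=True)
class Threat:
    agent: str
    vector: str
    weakness: str
    technical_impact: str
    personal_info: bool = False  # True when the path exposes personal data

CONTROLS = [  # constructed example model (assumed mappings, slide terms only)
    Control("Message signatures", "preventive", frozenset({"Cannot detect forged messages"})),
    Control("Message logging", "detective",
            frozenset({"Cannot detect forged messages", "Cannot detect fraud messages"})),
    Control("Fraud detection", "detective", frozenset({"Cannot detect fraud messages"})),
    Control("Message encryption", "preventive", frozenset({"Plaintext messages"})),
]
THREATS = [
    Threat("Criminal", "Message forgery", "Cannot detect forged messages", "Funds transferred"),
    Threat("Insider", "Fraudulent message", "Cannot detect fraud messages", "Funds transferred"),
    Threat("APT", "Message sniffing", "Plaintext messages", "Personal Info disclosed", True),
]

def coverage(threats, controls):
    """Map each threat path to the preventive and detective controls on its weakness."""
    report = {}
    for t in threats:
        key = (t.agent, t.vector, t.technical_impact)
        report[key] = {"preventive": [], "detective": []}
        for c in controls:
            if t.weakness in c.covers:
                report[key][c.kind].append(c.name)
    return report

def gaps(threats, controls):
    """Paths with no detective control (nothing to support an investigation once
    prevention fails); privacy-relevant paths among them are listed separately."""
    rep = coverage(threats, controls)
    no_detective = [k for k, v in rep.items() if not v["detective"]]
    privacy = [(t.agent, t.vector, t.technical_impact) for t in threats
               if t.personal_info and (t.agent, t.vector, t.technical_impact) in no_detective]
    return {"no_detective": no_detective, "privacy_no_detective": privacy}
```

In this constructed model the personal-data path is prevented (encryption) but not detected, which is exactly the situation #4 warns about: nothing would be there to support the investigation if the preventive control failed.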
#6 You Can’t Break It, I Can’t Break It, but What About the Guy in the Fedora?
Of course, most privacy professionals are not skilled hackers. Did you know that neither are most security professionals? Both your vendors and your security team will tell you that everything is set up securely and that they have run their scanning tools and have not found any weaknesses. However, you really do not know if the information in your charge is safe until you hire external security auditors. This can be an intimidating prospect, but it is the only way to be sure.
Chris Hammond-Thrasher
Associate Director, Consulting
Security, Privacy and Compliance
Fujitsu Canada
[email protected]
@thrashor