Data Protection: Security from the Inside Out
Fred Langston, CISSP
Global Product Manager
VeriSign, Enterprise Security Services
December 3, 2007
Introduction
+ Data-centric security starts from the smallest elements – the data itself
+ So, do we really have a good definition of ‘data’ when it comes to security? Consider the “value” and “impact” of an adverse event:
  ▪ Regulatory impacts
  ▪ Monetary impact of loss
  ▪ Direct costs associated with loss
  ▪ Recreation of data if lost
  ▪ Loss of CIA – Confidentiality, Integrity and Availability
+ In essence, we must “know” our data intimately and how it’s used, valued, and protected
+ From this knowledge, we can create a framework for security that focuses on the most valuable asset – the data itself
Today’s Headlines – December 3, 2007
+ Data theft touches 150,000 Massachusetts seniors
  ▪ Senior citizens who participate in a Massachusetts insurance program have received word that their personal information may have fallen into the hands of an identity thief.
+ UK government accuses Chinese of IT espionage
  ▪ The British intelligence agency MI5 has warned 300 U.K. business concerns that their IT systems are under attack by Chinese state organizations.
+ Attackers exploiting unpatched QuickTime flaw
  ▪ Please note that the people attempting to compromise your system do work weekends: the QuickTime vulnerability for which proof-of-concept code was revealed Thursday went into full attack mode over the weekend, with two campaigns underway.
+ DBA Admits to Theft of 8.5M Records
  ▪ A former senior database administrator at a subsidiary of Fidelity National Information Services last week pleaded guilty to stealing some 8.5 million customer records and selling them to data brokers.
What are the causes of breaches?
+ Poor identity management
+ Poorly secured wireless
+ Unsecured physical assets
+ Application vulnerabilities
+ Lack of monitoring of logs and IDS
+ Network architecture flaws; flat networks
+ Data leakage into the DMZ, spreadsheets, and Access databases
Store Less Data
+ What do you NEED to store?
  ▪ What data is available to you?
  ▪ What are the business and legal needs?
  ▪ Where do you need to store this?
  ▪ What is the risk associated?
+ Ask the hard questions!
  ▪ Why do you need this?
  ▪ What would you do without it?
+ What to do with risk?
  ▪ Accept it (and face fines!)
  ▪ Mitigate it
  ▪ Insure it
Data Security Problem #1 – Where’s the Beef, er, Data?!
Data-centric security starts by knowing:
+ What the data is
+ What its value is
+ How to classify the data
+ Where the data:
  ▪ Ingresses and egresses the enterprise
  ▪ Is stored
  ▪ Is processed
  ▪ Is transmitted
  ▪ Is retained
  ▪ Is archived
  ▪ Is destroyed
Simple Solutions to Difficult Challenges
+ Understand your Data Flows
  ▪ How many know their data flow end to end?
  ▪ File shares – Word, Excel, and Access!!
  ▪ Laptops & mobile devices
+ What about systems and application failures and crashes?
  ▪ Dump files, core dumps
  ▪ Live memory
  ▪ Debugging extracts
+ Store Less Data
  ▪ You don’t have to secure what you don’t have
+ Create a Data Protection Framework!
Data Protection Frameworks
+ Data identification and valuation
  ▪ BIA
  ▪ Statement of Acceptable Risk
  ▪ Policy
+ Data classification
  ▪ Policy
  ▪ Awareness of policy
  ▪ Implementation maturity
+ Data mapping and flow analysis
+ Data-centric risk analysis or regulatory compliance gap analysis
+ Sensitive data minimization
+ Create data protection control standards based on:
  ▪ Storage, transmission, and processing of data
  ▪ Value of data
  ▪ Regulatory or business impact of a data breach
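The framework slide ties together a data inventory, a flow map, a control standard keyed to storage/transmission/processing and data value, and a gap analysis. The following is an added example (not code from the deck or from VeriSign) that models those pieces and produces the gap list a data-centric risk analysis starts from. The classification labels, the required controls in the control standard, the system names and the value scale are all assumptions chosen for illustration.

```python
"""Data-centric control gap analysis (added example).

Each data element carries a classification and a value from the BIA; each
place it is stored, processed or transmitted comes from the data-flow map;
the control standard says which controls each classification needs in each
state.  Everything below (labels, controls, systems) is an assumed sample.
"""
from dataclasses import dataclass, field

# Control standard: classification -> state -> required controls (assumed).
CONTROL_STANDARD = {
    "restricted": {
        "stored": {"encryption_at_rest", "access_logging", "need_to_know_acl"},
        "transmitted": {"tls", "authenticated_endpoint"},
        "processed": {"access_logging", "no_plaintext_dumps"},
    },
    "internal": {
        "stored": {"access_logging"},
        "transmitted": {"tls"},
        "processed": set(),
    },
    "public": {"stored": set(), "transmitted": set(), "processed": set()},
}


@dataclass
class Location:
    name: str                    # system, share or link from the data-flow map
    state: str                   # "stored", "transmitted" or "processed"
    controls: set = field(default_factory=set)   # controls actually in place


@dataclass
class DataElement:
    name: str
    classification: str
    value: int                   # relative value from the BIA (assumed 1-10 scale)
    locations: list              # every Location the flow map found it in


def gap_analysis(elements):
    """One record per (element, location, missing control), highest value first."""
    gaps = []
    for el in elements:
        standard = CONTROL_STANDARD[el.classification]
        for loc in el.locations:
            required = standard[loc.state]
            for missing in sorted(required - loc.controls):
                gaps.append({"data": el.name, "location": loc.name,
                             "state": loc.state, "missing": missing,
                             "value": el.value})
    gaps.sort(key=lambda g: (-g["value"], g["data"], g["location"], g["missing"]))
    return gaps


def unaccounted_elements(elements):
    """Sensitive data with no mapped location is itself a finding: nobody
    knows where it lives, so nobody is protecting it."""
    return [el.name for el in elements
            if el.classification != "public" and not el.locations]


# Constructed sample inventory (not real systems).
SAMPLE = [
    DataElement("customer_ssn", "restricted", 10, [
        Location("crm_db", "stored",
                 {"encryption_at_rest", "access_logging", "need_to_know_acl"}),
        Location("finance_share\\customers.xls", "stored", set()),   # the spreadsheet copy
        Location("crm->billing link", "transmitted", {"tls"}),
    ]),
    DataElement("marketing_copy", "public", 1, [Location("www", "stored", set())]),
    DataElement("hr_salary", "restricted", 7, []),                   # never mapped
]

if __name__ == "__main__":
    for g in gap_analysis(SAMPLE):
        print(g)
    print("unmapped sensitive data:", unaccounted_elements(SAMPLE))
```

The ranking by value is what turns a long list of missing controls into a remediation order; the unmapped check is the "where's the data?" problem from the earlier slide expressed as a finding rather than a question.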
Map your Data Flows
Practical Tips for Avoiding Data Breaches
+ Address App & Net Vulnerabilities
  ▪ Do you know the real risk?
+ Improve Security Awareness
  ▪ People ARE the weakest link!
+ Monitor Systems for Intrusions
  ▪ Monitor to stop and prevent
+ Filter outbound data based on data classification
+ Segment Networks
  ▪ Still the most effective way to reduce attack surface
+ Encrypt, encrypt, encrypt!
+ Manage the encryption keys properly
Encrypt any Stored Data
+ Why is encryption so hard?
  ▪ Legacy systems, more problems than encryption
  ▪ Most platforms have some solution
  ▪ Key management is still a massive problem
+ What are my options?
  ▪ Retrofit applications
  ▪ Use an encryption appliance
  ▪ Use a database that supports encryption
  ▪ Render unreadable without encryption (truncation, tokenization, hashing)
+ The Dangers of Encryption
  ▪ Approach encryption enterprise-wide and create a sound strategy
  ▪ Keep in mind, encryption is needed elsewhere, not just around one system
  ▪ Pesky data flows are required again!
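The "render unreadable without encryption" option deserves a concrete look, because it is often the cheapest way out of the legacy-system and key-management problems the slide names. The block below is an added example (not code from the deck or from VeriSign) showing the three techniques listed: truncation, tokenization against a vault, and keyed hashing. The card number is a constructed test value, the vault is an in-memory dict standing in for a separately secured store, and the HMAC key is generated at start-up purely to illustrate keeping the key apart from the hashes.

```python
"""Truncation, tokenization and keyed hashing of a stored card number.

Added example.  Only standard-library modules are used; the PAN, vault and
key below are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits.  The rest is gone, so there is
    nothing left to protect in the record."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Maps random tokens to real values.  Every other system stores the
    token; the vault is the one place that still needs encryption and
    tight access control, which is a much smaller problem than retrofitting
    every legacy application."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:              # same PAN always yields the same token
            return self._by_pan[pan]
        while True:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.  A plain SHA-256 of a 16-digit number
    offers little protection because the space of valid card numbers is
    small; the secret key closes that gap as long as it is stored apart
    from the table of hashes (the key-management point from the slide)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def matches(pan: str, stored_hash: str, key: bytes) -> bool:
    """Lookup without ever storing the PAN: recompute and compare in constant time."""
    return hmac.compare_digest(keyed_hash(pan, key), stored_hash)


SAMPLE_PAN = "4111 1111 1111 1111"   # constructed test number

if __name__ == "__main__":
    key = secrets.token_bytes(32)     # in practice: from an HSM or key service, never the DB
    vault = TokenVault()
    print(truncate_pan(SAMPLE_PAN))
    tok = vault.tokenize(SAMPLE_PAN)
    print(tok, vault.detokenize(tok) == SAMPLE_PAN)
    h = keyed_hash(SAMPLE_PAN, key)
    print(matches(SAMPLE_PAN, h, key), matches("4111 1111 1111 1112", h, key))
```

Truncation is irreversible and fits anywhere the full value is not needed; tokenization keeps reversibility but concentrates the risk in one vault; keyed hashing supports "have we seen this value before?" lookups without storing it. Each still needs the data-flow map from the earlier slides to know which copies it applies to.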
Address Vulnerabilities
+ Assess Applications
  ▪ 45% of all Internet-based attacks occur at the application layer
+ Identify Poorly Coded Web Apps
  ▪ Perform code review or application testing to ensure code is secure
+ Perform Quarterly Scans
  ▪ And be sure to include applications
+ Implement Strict SDLC Processes
  ▪ Try tracking vulnerabilities by developer
Security Awareness & Training
+ People are your weakest security link!
  ▪ Users do not take password controls seriously
  ▪ Administrators tend to be bad offenders
+ Ongoing awareness training helps keep application vulnerabilities down
+ Proper training allows associates to find and disclose sensitive data
  ▪ SSNs, DL, account numbers
  ▪ Laptops
  ▪ Large data storage areas
  ▪ Excel and Access
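Two of the deck's practical tips share one mechanism: filtering outbound data by classification (the earlier "Practical Tips" slide) and giving associates a way to find sensitive data sitting in spreadsheets and shares (this slide). The block below is an added example (not code from the deck or from VeriSign) of that mechanism: it detects U.S. SSNs and payment card numbers (with a Luhn check to cut false positives), derives a classification, and makes an allow/block decision for an outbound channel. The classification labels, the approved-channel policy and the sample rows are assumptions.

```python
"""Find sensitive identifiers, classify the text, and filter outbound traffic.

Added example.  Patterns, labels, channel policy and sample rows are assumed.
"""
import re

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
APPROVED_CHANNELS = {"approved_sftp", "encrypted_mail"}   # assumed policy


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str):
    """Return (kind, matched_text) for every identifier found in the text."""
    found = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            found.append(("card", m.group()))
    return found


def classify(text: str) -> str:
    """Map findings onto the control standard's labels (assumed: restricted/internal)."""
    return "restricted" if find_identifiers(text) else "internal"


def outbound_decision(text: str, channel: str) -> str:
    """Restricted data may leave only over an approved channel (assumed policy)."""
    kinds = sorted({k for k, _ in find_identifiers(text)})
    if kinds and channel not in APPROVED_CHANNELS:
        return f"BLOCK: restricted data ({', '.join(kinds)}) over {channel}"
    return "ALLOW"


def scan_rows(rows):
    """The 'find it' use: which rows of a spreadsheet export hold sensitive data."""
    report = []
    for i, row in enumerate(rows):
        kinds = [k for k, _ in find_identifiers(row)]
        if kinds:
            report.append((i, kinds))
    return report


# Constructed sample rows, as might be exported from a departmental spreadsheet.
SAMPLE_ROWS = [
    "Acme order 20071203, contact: jdoe, amount 1200.00",
    "Employee 4471, SSN 123-45-6789, start date 2007-11-01",
    "Card on file 4111 1111 1111 1111 exp 12/09",
    "Invoice ref 1234 5678 9012 3456",     # 16 digits but fails Luhn: not a card
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(classify(row), "|", outbound_decision(row, "webmail"), "|", row)
    print(scan_rows(SAMPLE_ROWS))
```

The same `find_identifiers` routine serves both uses; what differs is the action taken on a hit (block and log at the egress point versus report and clean up on the share), which is exactly why the classification, not the detector, should drive the policy.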
Monitor Systems for Intrusions & Anomalies
+ Intrusion Detection/Prevention Strategies
+ Look for renegade egress devices like unauthorized wireless APs
+ Focus on an enterprise-wide logging and log management strategy
+ Implement Strict SDLC Processes
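The "renegade egress devices" bullet is easy to state and easy to operationalise: compare what is on the air against what the wireless controller or asset register says should be. The block below is an added example (not code from the deck or from VeriSign). The survey lines, the authorized-AP inventory and the corporate SSID names are all constructed for illustration.

```python
"""Flag unauthorized wireless access points in a site survey (added example).

Survey lines, inventory and SSIDs below are constructed; a real inventory
would come from the wireless controller or the asset register.
"""
import re

LINE_RE = re.compile(
    r"bssid=(?P<bssid>[0-9a-f:]{17})\s+ssid=(?P<ssid>\S+)\s+channel=(?P<ch>\d+)")

AUTHORIZED = {                       # BSSID -> SSID it is supposed to advertise (assumed)
    "00:11:22:aa:bb:01": "CorpWiFi",
    "00:11:22:aa:bb:02": "CorpWiFi",
    "00:11:22:aa:bb:03": "CorpGuest",
}
CORPORATE_SSIDS = {"CorpWiFi", "CorpGuest"}


def parse_survey(lines):
    """Extract BSSID, SSID and channel from each survey line that matches."""
    aps = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            aps.append({"bssid": m["bssid"].lower(), "ssid": m["ssid"],
                        "channel": int(m["ch"])})
    return aps


def find_rogues(aps):
    """Return (severity, bssid, reason) for anything that should not be on the air."""
    findings = []
    for ap in aps:
        expected = AUTHORIZED.get(ap["bssid"])
        if expected is None:
            if ap["ssid"] in CORPORATE_SSIDS:
                # Unknown hardware using our name: treat as an incident, not a nuisance.
                findings.append(("high", ap["bssid"],
                                 f"unknown AP advertising corporate SSID {ap['ssid']}"))
            else:
                # Could be a neighbour, or a desk AP plugged into the LAN: go and look.
                findings.append(("medium", ap["bssid"],
                                 f"unknown AP {ap['ssid']!r} in range; verify it is not on the wired network"))
        elif expected != ap["ssid"]:
            findings.append(("medium", ap["bssid"],
                             f"authorized AP advertising {ap['ssid']!r}, expected {expected!r}"))
    return findings


def missing_authorized(aps):
    """Authorized APs not seen at all: moved, failed, or replaced by something else."""
    seen = {ap["bssid"] for ap in aps}
    return sorted(b for b in AUTHORIZED if b not in seen)


# Constructed survey output.
SURVEY = [
    "2007-12-03T09:00:01 bssid=00:11:22:aa:bb:01 ssid=CorpWiFi channel=1 signal=-41",
    "2007-12-03T09:00:02 bssid=de:ad:be:ef:00:01 ssid=CorpWiFi channel=11 signal=-38",
    "2007-12-03T09:00:02 bssid=c0:ff:ee:00:00:09 ssid=linksys channel=6 signal=-70",
    "2007-12-03T09:00:03 bssid=00:11:22:aa:bb:03 ssid=FreeWiFi channel=1 signal=-50",
]

if __name__ == "__main__":
    aps = parse_survey(SURVEY)
    for finding in find_rogues(aps):
        print(finding)
    print("authorized but not seen:", missing_authorized(aps))
```

Feeding these findings into the enterprise-wide log management strategy from the same slide is what turns an occasional walk-around into monitoring: the survey runs on a schedule and a new BSSID becomes an alert rather than a surprise.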
Segmentation and Access Controls
+ Network Segmentation
  ▪ Is anyone else tired of hearing this suggestion?
  ▪ Why is it so critical?
+ What are additional benefits?
  ▪ Resilience to internal DoS
  ▪ Centralized security*
+ Multi-Level Access Controls
  ▪ 802.1x, is it finally ready?
  ▪ VPNs (IPSec and SSL)
  ▪ Centralized Identity Management
  ▪ Wireless
Final Thoughts and Future Considerations
+ Data protection is a continual process - think of data protection as a journey, not a project, and manage it that way
+ Other things to think of
  ▪ Mergers and Acquisitions
  ▪ New business lines
  ▪ Global Operations
+ Wireless and Mobile Payments
  ▪ SIM-based payments
  ▪ Chip & PIN, not exempt!
  ▪ Devices such as iPhones
+ Use data protection to fuel security program development throughout your enterprise
+ THERE IS NO SILVER BULLET!
Questions + Answers
Thank You
Fred Langston, CISSP
FLangston@VeriSign.com
(425) 765-3330
For general information on VeriSign’s Security Services
please email JMonahan@VeriSign.com or call (303) 886-1281