After a journey through the history of spiritualists and homeopaths, and the magicians that debunk them, Chris reveals six tips for privacy officers to use when dealing with information security vendors and professionals.
Spiritualists, Magicians and Security Vendors
Gaining an Advantage in Security and Privacy
ICE Conference, 5 November 2012 – Edmonton
Chris Hammond-Thrasher, Associate Director, Consulting
Security, Privacy and Compliance, Fujitsu Canada
Active ingredient: Anas Barbariae Hepatis et Cordis extractum 200C
Worm.Win32.Flame Hits in 1 Week – March 2012
Six Steps to Computer Security
For IT Professionals: “How To Not Fall for the Hype”
#1 Why Is There No P in SDLC?
Recently it has become popular to plan to address security requirements through all phases of the IT system lifecycle – from planning to operationalization. This is commonly referred to as the “Secure Development Lifecycle” or SDLC. However, privacy requirements are not the same as information security requirements. What if privacy needs were also considered in all phases?
#2 Threat / Countermeasure
Threat modeling is a staple item in security engineering. Put briefly, threat modeling entails describing all of the threats that you plan to defend against (the threat model), followed by planning a suite of countermeasures to manage all of the identified threats. For privacy professionals, the problem is that the threat models created by security professionals often miss significant privacy threats. It can be valuable to create a privacy threat model.
OWASP Risk Model
Threat Agents: Criminal, Insider, APT
Attack Vectors: Message forgery, Message sniffing, Fraudulent message, ESB DoS
Security Weaknesses: Cannot detect forged messages, Plaintext messages, Cannot detect fraud messages
Security Controls: Message logging, Message signatures, Message encryption, Fraud detection, Network zones, Data Loss Prevention, End-point validation
Technical Impacts: Personal Info disclosed, Funds transferred, Enterprise service disruption
Business Impacts: Customer $, Reputational capital, Privacy compliance breach
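The following is an added example, not part of the original talk or any Fujitsu tooling. It models threat paths along the OWASP risk-model chain shown on the slide (threat agent, attack vector, security weakness, security controls, technical impact, business impact) and runs the check tip #2 calls for: does the security team's threat model contain any privacy threats at all, what does the privacy review add, and which identified paths still have no countermeasure assigned? The item names are taken from the slide; the row pairing (which agent uses which vector against which weakness) and the two sample models are assumptions constructed for the example.

```python
"""Privacy gap check over a security threat model, structured after the
OWASP risk model chain: threat agent -> attack vector -> security weakness
-> security controls -> technical impact -> business impact."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatPath:
    agent: str             # threat agent, e.g. Criminal, Insider, APT
    vector: str            # attack vector, e.g. Message forgery
    weakness: str          # security weakness the vector exploits
    controls: tuple        # countermeasures assigned to this path (may be empty)
    technical_impact: str
    business_impact: str

    def key(self):
        # One path per (agent, vector, weakness); controls and impacts hang off it.
        return (self.agent, self.vector, self.weakness)


# Impacts that make a path a privacy threat; both phrases are the slide's impact items.
PRIVACY_IMPACTS = {"Personal Info disclosed", "Privacy compliance breach"}


def is_privacy_threat(path):
    return path.technical_impact in PRIVACY_IMPACTS or path.business_impact in PRIVACY_IMPACTS


def privacy_threats(model):
    return [p for p in model if is_privacy_threat(p)]


def uncovered(model):
    """Paths that have been identified but have no countermeasure assigned yet."""
    return [p for p in model if not p.controls]


def merge(security_model, privacy_model):
    """Union of the two models by key; controls proposed by either side are combined."""
    merged = {}
    for p in list(security_model) + list(privacy_model):
        if p.key() in merged:
            q = merged[p.key()]
            controls = tuple(dict.fromkeys(q.controls + p.controls))  # dedupe, keep order
            merged[p.key()] = ThreatPath(q.agent, q.vector, q.weakness, controls,
                                         q.technical_impact, q.business_impact)
        else:
            merged[p.key()] = p
    return list(merged.values())


def review(security_model, privacy_model):
    """Summarise what the privacy review adds and what still lacks a countermeasure."""
    merged = merge(security_model, privacy_model)
    return {
        "privacy_threats_before": len(privacy_threats(security_model)),
        "privacy_threats_after": len(privacy_threats(merged)),
        "uncovered": sorted(p.vector for p in uncovered(merged)),
        "controls": {p.vector: p.controls for p in merged},
    }


# Constructed sample: the security team's model (row pairing assumed from the slide's items).
SECURITY_MODEL = [
    ThreatPath("Criminal", "Message forgery", "Cannot detect forged messages",
               ("Message signatures",), "Funds transferred", "Customer $"),
    ThreatPath("Insider", "Fraudulent message", "Cannot detect fraud messages",
               ("Fraud detection",), "Funds transferred", "Customer $"),
]

# Constructed sample: what the privacy officer adds. Sniffing of plaintext messages is a
# privacy threat the security model missed and has no countermeasure yet; the privacy
# review also asks for logging on the forgery path so an incident can be investigated.
PRIVACY_MODEL = [
    ThreatPath("Insider", "Message sniffing", "Plaintext messages",
               (), "Personal Info disclosed", "Privacy compliance breach"),
    ThreatPath("Criminal", "Message forgery", "Cannot detect forged messages",
               ("Message logging",), "Funds transferred", "Customer $"),
]

if __name__ == "__main__":
    for k, v in review(SECURITY_MODEL, PRIVACY_MODEL).items():
        print(k, v)
```

Run as a script it reports zero privacy threats in the security-only model, one after the privacy review, and "Message sniffing" as the path still waiting for a countermeasure (message encryption, say, from the slide's control list); the forgery path ends up with both teams' controls attached.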
#3 And You Log That, Right?
Security and system administrators need to understand event logging requirements from both a security and privacy perspective. They need to know exactly which data elements need to be logged and the length of time that these logs need to be retained. Privacy logging requirements alone can make the difference in selecting one solution over another. Do not wait until it is too late to understand the business’ logging needs.
#4 Show Me!
If you are serious about protecting privacy, you cannot take a security vendor’s word that something works the way it is supposed to. You cannot even go by the word of your organization’s own security and system administrators – you must test and you must audit. And testing and auditing should not be limited to prevention – do not wait for an incident to occur before you find out that you do not have the information required to support the investigation.
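The following is an added example, not part of the original talk, covering tips #3 and #4 together. It scores candidate logging solutions against a security requirement set (fields needed to investigate, minimum retention) and a privacy requirement set (who touched which record, maximum retention, personal data that must never land in the log), then does the "Show me" step: instead of trusting the vendor's claim that a field is always logged, it parses actual sample log lines and reports what is missing. The requirement sets, the three candidates, the key=value log format and the two log lines are all constructed for the example.

```python
"""Check candidate logging solutions against security and privacy logging requirements,
then verify actual log output ('Show me') instead of trusting the vendor's claim."""
import re

# Constructed requirements. Security wants enough to investigate an incident;
# privacy wants to see who touched which personal record, bounded retention, and no
# personal data (here: full_name, sin = social insurance number) spilled into the logs.
SECURITY_REQUIREMENTS = {
    "fields": {"ts", "user_id", "action", "source_ip"},
    "min_retention_days": 365,
}
PRIVACY_REQUIREMENTS = {
    "fields": {"ts", "user_id", "action", "record_id"},
    "max_retention_days": 730,
    "prohibited_fields": {"full_name", "sin"},
}


def evaluate_solution(fields, retention_days):
    """Findings for one candidate solution; an empty list means it satisfies both sides."""
    findings = []
    for f in sorted(SECURITY_REQUIREMENTS["fields"] - fields):
        findings.append(f"security: field {f} is not logged")
    for f in sorted(PRIVACY_REQUIREMENTS["fields"] - fields):
        findings.append(f"privacy: field {f} is not logged")
    for f in sorted(fields & PRIVACY_REQUIREMENTS["prohibited_fields"]):
        findings.append(f"privacy: prohibited field {f} is logged")
    lo = SECURITY_REQUIREMENTS["min_retention_days"]
    hi = PRIVACY_REQUIREMENTS["max_retention_days"]
    if retention_days < lo:
        findings.append(f"security: retention {retention_days}d is below the {lo}d minimum")
    if retention_days > hi:
        findings.append(f"privacy: retention {retention_days}d exceeds the {hi}d maximum")
    return findings


def pick_solution(candidates):
    """Names of candidates with no findings, in the order given."""
    return [name for name, fields, days in candidates if not evaluate_solution(fields, days)]


KV = re.compile(r"(\w+)=(\S+)")  # constructed key=value log format


def parse_line(line):
    return dict(KV.findall(line))


def verify_sample(lines, required_fields):
    """Map line number -> required fields missing from that actual log line."""
    problems = {}
    for n, line in enumerate(lines, 1):
        missing = sorted(required_fields - parse_line(line).keys())
        if missing:
            problems[n] = missing
    return problems


# Constructed candidates: (name, fields the product logs, retention in days).
CANDIDATES = [
    ("A", {"ts", "user_id", "action", "source_ip"}, 90),
    ("B", {"ts", "user_id", "action", "source_ip", "record_id", "full_name"}, 400),
    ("C", {"ts", "user_id", "action", "source_ip", "record_id"}, 400),
]

# Constructed sample output from candidate C. The vendor says record_id is always logged;
# the delete event shows it is not, which is exactly the gap an investigation would hit.
SAMPLE_LOG = [
    "ts=2012-11-05T10:15:02Z user_id=u123 action=view record_id=r77 source_ip=10.0.0.5",
    "ts=2012-11-05T10:15:09Z user_id=u123 action=delete source_ip=10.0.0.5",
]
ALL_REQUIRED = SECURITY_REQUIREMENTS["fields"] | PRIVACY_REQUIREMENTS["fields"]

if __name__ == "__main__":
    for name, fields, days in CANDIDATES:
        print(name, evaluate_solution(fields, days) or "ok")
    print(verify_sample(SAMPLE_LOG, ALL_REQUIRED))
```

Candidate A fails on privacy (no record_id) and on security (90-day retention); B satisfies both field lists but logs a prohibited personal-data field, which is the privacy-only finding that rules a product out; only C passes on paper. The sample-log check then shows that C's delete events lack the record_id the vendor promised, so the selection decision should wait for that to be fixed and re-verified.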
#5 Plan for Failure
The cornerstone of safety engineering is planning for systems to fail. Security and privacy professionals can influence system design and configuration so that when breaches inevitably occur, the resulting damage can be minimized. Model, test and audit defensive failures. Design detective controls that facilitate the detection of security failures.
#6 You Can’t Break It, I Can’t Break It, but What About the Guy in the Fedora?
Of course, most privacy professionals are not skilled hackers. Did you know that neither are most security professionals? Both your vendors and your security team will tell you that everything is set up securely and that they have run their scanning tools and have not found any weaknesses. However, you really do not know if the information in your charge is safe until you hire external security auditors. This can be an intimidating prospect, but it is the only way to be sure.
Chris Hammond-Thrasher, Associate Director, Consulting, Security, Privacy and Compliance, Fujitsu Canada
[email protected]
@thrashor