Code Red: Protecting Your Enterprise and Securing Your Data
Transcript of Code Red: Protecting Your Enterprise and Securing Your Data
Video | What Happened
• Directions to the A/V team - Please play from the beginning and cut it at 1:25
• Video – http://www.youtube.com/watch?v=3FelJwb4NCM
Theresa Payton © 2013 All Rights Reserved
Uber Connected?| What to Watch?
6 Billion people have mobile phones
The number of networked devices = the globe’s population
Internet connectivity ubiquitous!
Uber Connected?| What to Watch?
1 Minute just went by…what happened?
639,800 GB was transferred…
135 Botnet Infections
1,300 new mobile users
204 million emails sent
20 New victims of identity theft
100+ LinkedIn accounts added
20 million photo views
30 hours of video uploaded (+1.3M views)
100,000 new tweets
277,000 Facebook logins
Source: Intel: What Happens in an Internet Minute? Posted By Krystal Temple March 13, 2012.
Memory Check| Current State of Affairs
What were you doing 243 days ago?
Current State of Affairs| Incoming!
Something is discovered every 90 seconds.
What is it?
Breach Discovery| Bold New Approach Needed
M-Trends 2013, Mandiant
37%
63%
Current State of Affairs| Booming Economy? Where?
Russia’s Cyber Crime…but it’s other places too.
Latest estimated value of the country's cyber crime market is now $2.3 billion, almost double the prior year’s $1.2B
$1.8 billion of that is from what? You guessed it…Online fraud via banking malware, phishing, and spam
Source: State and Trends of the Russian Digital Crime Market, Released April 2012
Current State of Affairs| Assumptions
For IT risk and security, staffing levels should be between 5% and 12% of your total staff but many organizations have < 3%.
Chris Byrne, Gartner Security and Risk Summit, 2012
Current State of Affairs| Industry Challenges
What Keeps Me Up At Night? Businesses in a recent survey indicated:
50%+ : $/time not justified by the threat.
75% : less than 3 hours per year and almost half offer zero
47% - Recovery Plans are Dilbert Style!
6 out of 10 – go ahead and talk to strangers (unsecured WiFi)
Source: National Cyber Security Alliance and Visa poll: business’ cyber security practices & attitudes
Black Swan | Risk Management
Convincing others to prepare to invest in an event that will “never” happen
• “Zero Risk” does not exist but “Managed Risk” does
• Making security the business enabler vs. productivity roadblock
Black Swan | Risk Management
“Senior living providers are at particular risk because of the nature of the information they store on residents”
John Atkinson, Managing Partner at The Willis Group Holdings
Black Swan | Risk Management
“Over the weekend of November 17-18, 2012, five laptops were stolen from Riderwood’s physical therapy offices.”
On the hard drive? Unencrypted patient names, visits, addresses and policy numbers
Lessons Learned:
Data storage on hard drives
Encrypting files
Black Swan | Risk Management
HHS reason for hefty fine? Unencrypted data, did not do regular risk assessments
January 2013 “…the Hospice of North Idaho became HHS’s first facility with fewer than 500 residents to be fined for a patient information data breach, saddling the hospice a whopping $50,000 bill.”
Stolen? Laptop (in 2010)
Lessons Learned:
Data storage on hard drives
Delete files you do not need anymore
Schedule periodic risk assessments
Encrypting files
Black Swan | Risk Management
HITECH Act requirement: Organizations that have personal health information (PHI) must have a plan of action in the event they did experience a security breach
And…Regulated by HIPAA? Breach reports to multiple outlets:
Department of Health and Human Services
the media
affected individuals
Does Spending=Secure?| Invalid Assumptions
Case Study: Target Corp. and Oracle Corp.
Hacking contest for large companies
Target spends about 1/2 as much on security annually as Oracle
Results?
Target was more difficult to hack
Sources: Yurcan, Bryan. Panel Discussion: The Role of the Bank CIO. Bank Systems & Technology: October 20, 2011
Kapner, Suzanne. Hackers Press the ‘Schmooze’ Button. WSJ: October 31, 2011
Current State of Affairs| Innovation
How A Happy Meal = Better Security!
A case study in innovation.
5 Tech Trends | Enormous Implications
BYOD –without CYA creates BYOB
The new 4 letter word is SMIT
Who knew cybercriminals were so “socially minded”?
Malware morphs beyond detection awareness
Why the Cloud could be your “Father’s Oldsmobile” and when will we get Big Data analytics?
[Slide graphic labels: BYOD, SMIT, SO SOCIAL!, MORPH TO THE MAX, PORSCHE WRAPPER, DATA MAPS, DIGITAL ASSETS]
Top Digital Assets?| Actions
Security and Privacy Settings
BYOD access…hmmm
Cloud?
Free Wi-Fi at Your Peril
What protections do you have for the “POTUS and VP” assets?
Plan of Attack| 5 Step Plan
Training
Policies and Procedures
Practicing Digital Doomsday
Technology Tuning
Security in the Supply Chain
80/20 Rule| 2 Steps = Biggest Impact
Best Practices & Improved Security Policies – 58%
Informed, Aware & Engaged Employees – 20%
Technology Improvements – 18%
Gov’t Regulation & Law Enforcement – 4%
Source: 2012 Bit9 Cyber Security Research Report
Back at the Office| Actions
Basics
Top Digital Assets – Who are they?
Training
Policies and Procedures
Patches
Configurations
Hardening
Encryption of PHI emails
Encryption of data
Back at the Office| Actions
4 TIPS TO REMEMBER
Password protect
Never loan devices or WiFi
Treat old devices and back up information like gold
Timeout feature
Back at the Office| Actions
Next Phase
Incident Management
Disaster Recovery
Digital Disaster
Technology Tuning
Supply Chain Review
Back at the Office| Actions
• Check the box! DANGER! Trap: Focusing on regulatory compliance instead of comprehensive security.
• Looks good but is it safe? A lack of security features consistently built into elderly care and health care systems.
• 411 Breakdown: Capability gap for sharing information on cybersecurity and other issues.
• No Measurements: Lack of metrics for evaluating cybersecurity.
Next Steps | Let’s Get to Work!
5 Things…
• Training – just say NO to CBT only
• Document IT AND End User policies and procedures
• Where will your team get stuck during the digital doomsday exercise?
• 90% of our clients last year had the core technology they needed but…
• You are the weakest link? No!
Next Steps | Practice Makes Perfect
Here’s your next staff meeting agenda
Current State Assessment – Spend Dedicated Time Discussing:
What security measures are in place? What do they protect?
How vulnerable are you? How vulnerable are your clients?
What client communication and response plans exist?
Do you test incident management plans using plausible scenarios?
Options Analysis
What could be done within the next 90 days to improve security?
How would your company respond to losing intellectual property, internal emails posted on a public website, or worse?
How can each security layer be enhanced, at what cost and at what impact to productivity?
Next Steps | Practice Makes Perfect
Staff Meeting - Practice the Disaster
Name Your Worst Digital Nightmare: Digital death, what happened?
Go around the room and ask the team to tell you the escalation plan and their list of actions.
Do you know who to call? Do you know what to do?
How do you stop the bad guys from taking more? Do you need outside help?
Time yourself…how long does it take before you create a plan of action?
Next Steps | Practice Makes Perfect
Supply Chain Security – 8 Vendor Checkpoints
Information Security
Identity Management
Endpoint and Server Security
Gateway and Network Security
Web and Application Security
Physical and Personnel Security
Security Management
Intellectual Property, Customer Information, and Financial Transaction Security
Next Steps | Practice Makes Perfect
Supply Chain Security – Vendor Must Answer:
Chain of Custody
Least Privilege Access
Separation of Duties
Tamper Resistance and Evidence
Persistent Compliance Management
Code Testing and Verification
Trusted and Vetted Staff
Next Steps | Cloud in your future?
Draw up the Pre-Nup First! When you “break up” what are their sanitization policies so you get your data back and they don’t have your digital footprints?
Need a “Go to guide”? Try NIST: NIST Cloud Computing Reference Architecture SP 500-292