DataCentric Security and your users – Michelle Drolet, CEO – October 20, 2011

DataCentric Security and your users

Michelle Drolet, CEO

October 20, 2011

Discussion topics

• What is “datacentric security?”

• Overview

– Risk management, Threat management, Compliance management

– Compliance

– Overall security plan, program, architecture, organizational security posture, awareness/training, communications

• Q&A

A “textbook” definition

• Security –

Developing, implementing and maintaining a program and plans to protect the confidentiality, integrity, and availability (and authentication or accountability) of information assets, thereby enabling the organization to carry out its mission.

The information security triad:

C/I/A and sometimes + A** (** A = Accountability or Authentication)

Some unfortunate “infosec” realities

• Anyone connecting to the Internet – with any device – is under constant “cyberattack” by:

– Organized cybercriminals, “hacktivists,” and nation-states conducting “cyberwarfare”

– Attack toolkits with users guides are readily available to anyone – no technical background required

• Malware has grown in number of variants, sophistication, targets and motivation

– Conventional wisdom no longer valid, such as “only visit well-known and respected sites”

– 80% of malware was served up by “legitimate” websites (Sophos)

• Attack surfaces have increased dramatically with the introductions of new consumer gadgets:

– iPhone/Android, iPod Touch, iPad and other tablets, rogue WAPs, unsecured WiFi, user-owned devices, lost or stolen devices, etc.

Some unfortunate “infosec” realities (cont’d)

• Compliance requirements continue to become more onerous – and have more enforcement “teeth”

– HITECH for Business Associates, MA 201 CMR 17.00, and others

– Data breaches at non-compliant organizations will result in regulatory audit, civil and even criminal penalties

– Regulatory legalese is lengthy and complex; requirements are ambiguous and/or overlapping

– All organizations – regardless of size – must demonstrate due diligence and make every effort to comply

– Compliance AND non-compliance can “break the bank” for SMBs

• Social networks, fake AV, other scams fool users into click-jacking or Trojan schemes – even home burglary and other crimes due to information over-sharing

DataCentric Security

• 1st Management buy in

• 2nd Develop a repeatable program

• 3rd Document

• 4th Get Users on board

• 5th Test controls and test again

Towerwall’s 4E Methodology

Evaluate Establish Educate Enforce

People, Process, Technology

Use case: DataCentric Security “the beginning”

Evaluate

• Data inventory and classification

• Infrastructure and desktop utilization reviews

• IT asset and configuration management

• Compliance

• Other organizational / cultural issues

What are the expected risks/benefits to implement a data security program?

Use case: DataCentric Security and the Program

Establish

• Administrative

• Policies

• Physical

• Technical

What controls are needed to realize the benefits and mitigate the risks for a data protection program?

Use case: Users and DataCentric Security

Educate

• Expectations of workforce member behaviors documented in policies, procedures, processes

• Violation sanctions / disciplinary actions

• Reporting suspicious behaviors / incidents / risks

• Practicing “safe computing” habits

What knowledge and behaviors does the organization expect the workforce to understand and apply to daily work activities?

Use case: DataCentric Security

Enforce

• What do the administrative, physical and technical controls tell us about required vs. actual behaviors?

• Logging and monitoring

• Required disclosure reporting

• Incident response and related processes

• Other compliance and cultural issues

What options does the organization have for protecting data in a VM and/or cloud environment?

Risk Management

• Assess current risks relative to your information assets;

• Compare those risks to your information security program;

• Identify gaps or overlaps (under- or over-investment) in your existing information security program;

• Develop and implement a plan to remediate risks, and align your security program with your current needs;

• Re-assess and remediate at least annually – and anytime a substantive business model, compliance, or information asset-related change occurs.

Compliance Management

• Internal compliance (company-mandated policies and procedures);

• External compliance (regulatory mandates);

• Internal IP / trade secret classification and labeling (optional);

• Regular assessments, remediation, scanning, audit reporting, etc.

Putting it all together

• Management buy in

• Determine what needs to be protected

• Poke holes

• Establish a security roadmap

• Remediate

• User Awareness

• Continued vigilance

= Success

Quote of the day

"People are the weakest link. You can have the best technology, firewalls, intrusion detection systems, biometric devices - and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything."

- Kevin Mitnick, author of “The Art of Deception” and other social engineering classics

Q&A

Comments? Questions?

Putting it all together

• Towerwall and its strategic partners offer consulting services and products that simplify unwieldy issues:

– Vulnerability scans and sophisticated penetration tests (including social engineering / spear phishing components)

– Regulations are boiled down to digestible lists of requirements

– Gap analyses provide recommendations and relative risk priorities

• Towerwall applies its 4E methodology to every engagement

• Please visit our new web site at www.towerwall.com for more information on the products/services we offer