DataCentric Security and your users
Michelle Drolet, CEO
October 20, 2011
Discussion topics
• What is “datacentric security?”
• Overview
• Risk management, threat management, compliance management
• Compliance
• Overall security plan, program, architecture, organizational security posture, awareness/training, communications
• Q&A
A “textbook” definition
• Security – Developing, implementing and maintaining a program and plans to protect the confidentiality, integrity, and availability (and authentication or accountability) of information assets, thereby enabling the organization to carry out its mission.
The information security triad: C/I/A and sometimes +A*
* +A = Accountability or Authentication
Some unfortunate “infosec” realities
• Anyone connecting to the Internet – with any device – is under constant “cyberattack” by:
  • Organized cybercriminals, “hacktivists,” nation-states conducting “cyberwarfare”
• Attack toolkits with user guides are readily available to anyone – no technical background required
• Malware has grown in number of variants, sophistication, targets and motivation
• Conventional wisdom is no longer valid, such as “only visit well-known and respected sites”
  • 80% of malware was served up by “legitimate” websites (Sophos)
• Attack surfaces have increased dramatically with the introduction of new consumer gadgets:
  • iPhone/Android, iPod Touch, iPad and other tablets, rogue WAPs, unsecured WiFi, user-owned devices, lost or stolen devices, etc.
Some unfortunate “infosec” realities (cont’d)
• Compliance requirements continue to become more onerous – and have more enforcement “teeth”
  • HITECH for Business Associates, MA 201 CMR 17.00, and others
• Data breaches at non-compliant organizations will result in regulatory audit, civil and even criminal penalties
• Regulatory legalese is lengthy and complex; requirements are ambiguous and/or overlapping
• All organizations – regardless of size – must demonstrate due diligence and make every effort to comply
• Compliance AND non-compliance can “break the bank” for SMBs
• Social networks, fake AV, and other scams fool users into click-jacking or Trojan schemes – even home burglary and other crimes due to information over-sharing
DataCentric Security
• 1st: Management buy-in
• 2nd: Develop a repeatable program
• 3rd: Document
• 4th: Get users on board
• 5th: Test controls, and test again
Towerwall’s 4E Methodology
• Evaluate
• Establish
• Educate
• Enforce
People, Process, Technology
Use case: DataCentric Security “the beginning” – Evaluate
• Data inventory and classification
• Infrastructure and desktop utilization reviews
• IT asset and configuration management
• Compliance
• Other organizational / cultural issues
• What are the expected risks/benefits of implementing a data security program?
Use case: DataCentric Security and the Program – Establish
• Administrative
• Policies
• Physical
• Technical
• What controls are needed to realize the benefits and mitigate the risks for a data protection program?
Use case: Users and DataCentric Security – Educate
• Expectations of workforce member behaviors documented in policies, procedures, processes
• Violation sanctions / disciplinary actions
• Reporting suspicious behaviors / incidents / risks
• Practicing “safe computing” habits
• What knowledge and behaviors does the organization expect the workforce to understand and apply to daily work activities?
Use case: DataCentric Security – Enforce
• What do the administrative, physical and technical controls tell us about required vs. actual behaviors?
• Logging and monitoring
• Required disclosure reporting
• Incident response and related processes
• Other compliance and cultural issues
• What options does the organization have for protecting data in a VM and/or cloud environment?
Risk Management
• Assess current risks relative to your information assets;
• Compare those risks to your information security program;
• Identify gaps or overlaps (under- or over-investment) in your existing information security program;
• Develop and implement a plan to remediate risks and align your security program with your current needs;
• Re-assess and remediate at least annually – and anytime a substantive business model, compliance, or information asset-related change occurs.
Compliance Management
• Internal compliance (company-mandated policies and procedures);
• External compliance (regulatory mandates);
• Internal IP / trade secret classification and labeling (optional);
• Regular assessments, remediation, scanning, audit reporting, etc.
Putting it all together
• Management buy-in
• Determine what needs to be protected
• Poke holes
• Establish a security roadmap
• Remediate
• User awareness
• Continued vigilance = Success
Quote of the day
"People are the weakest link. You can have the best technology, firewalls, intrusion detection systems, biometric devices - and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything."
- Kevin Mitnick, author of “The Art of Deception” and other social engineering classics
Q&A
Comments? Questions?
Putting it all together
• Towerwall and its strategic partners offer consulting services and products that simplify unwieldy issues:
  • Vulnerability scans and sophisticated penetration tests (including social engineering/spear phishing components)
  • Regulations are boiled down to digestible lists of requirements
  • Gap analyses provide recommendations and relative risk priorities
• Towerwall applies its 4E methodology to every engagement
• Please visit our new web site at www.towerwall.com for more information on the products/services we offer