This document provides an overview of IT security essentials and data security best practices. It discusses common data security concerns, including access controls, encryption, APIs, auditing and more. Specific frameworks and standards are also reviewed, such as PCI DSS, NIST and ISO. The document outlines steps for conducting a risk assessment and implementing controls. It emphasizes that quick wins can be achieved through controls in areas like access management, encryption, patching and monitoring. Overall, the document serves to educate about the threat landscape, compliance obligations and how to establish an effective data security program.
DATA SECURITY CONCERNS
Access Controls (both Physical and Logical)
Data Jurisdiction
Data Backup, Recovery and Destruction (Exit Strategy)
eDiscovery and Legal Hold issues
Audit frequency and responsibilities
Co-mingling of data
Insecure interfaces and APIs (application development)
Insufficient due diligence by cloud provider
Shared technology vulnerabilities (Denial of Service attacks)
Data breach response and forensics
Poor or no encryption of sensitive data
Account or service hijacking
Readiness for cloud services - every cloud service is different, each one must be evaluated individually
LEGAL CONCERNS
COMPLIANCE
Application ownership can be unclear
Regulatory controls for cloud (HITECH, PCI, GLBA, FERPA, HIPAA)
Data return/destruction at the end of contracts
Lack of SLAs – slow or no service
Lack of recourse for lost data
Jurisdictional issues (data stored across multiple states or countries)
e-Discovery and legal hold issues (data stored across multiple servers)
Breach notification timeframes and forensics in a shared environment
Client vs. Cloud Provider responsibilities
Subcontracting and third parties
DATA BREACHES
• SnapChat – 4.5 million compromised names and phone numbers
• Kickstarter – 5.6 million victims
• Korean Telecom – One of the year’s largest breaches affected 12 million customers
• Heartbleed – First of three open-source vulnerabilities in 2014
• eBay – Database of 145 million customers compromised
• PF Chang’s
• Energetic Bear – Cyber spying operation targeted the energy industry
• Cybervor – 1.2 billion compromised credentials
• iCloud – Celebrity accounts hacked
• Sandworm – Attacked a Windows vulnerability
• Sony Pictures Entertainment – Highest-profile hack of the year
• Inception Framework – Cyber-espionage attack targeted the public sector
INSIDER THREAT
• 75% say their organizations are as or more vulnerable to malicious code attacks and security breaches compared with a year ago. And in the face of a crushing skills shortage, 40% subsist on no more than 5% of the IT budget.
• "Managing the complexity of security" reclaimed the No. 1 spot among 10 challenges facing the respondents to our security survey, all from organizations with 100 or more employees
Source: InformationWeek 2014 Strategic Security Survey
INSIDER THREAT
• 58% see an infected personal device connecting to the corporate network as a top endpoint security concern, making it the No. 1 response, ahead of phishing and lost devices
• 56% say cyber-criminals pose the greatest threat to their organizations this year, the top answer, ahead of authorized users and employees at 49%
• 23% have experienced a security breach or espionage in the past year
Source: InformationWeek 2014 Strategic Security Survey
INSIDER THREAT SURVEY
53% of enterprise respondents have discovered that employees use company-issued devices to send company information to personal email accounts such as Yahoo! or Gmail and cloud-based file sharing accounts such as Box, Dropbox or Hightail (419 enterprise respondents)
23% of end-user employee respondents reported that they transfer corporate information using Box, Dropbox or Hightail (200 end-user employee respondents)
Source: SpectorSoft Insider Threat Survey Report
INSIDER THREAT SURVEY
33% of end-user employee respondents reported that they transfer corporate information via personal Yahoo! and Gmail accounts (200 end-user employee respondents)
49% of enterprise respondents have discovered that employees are copying corporate data to USB flash storage devices (419 enterprise respondents)
Source: SpectorSoft Insider Threat Survey Report
CURRENT RISK MANAGER ISSUES
• 55% of risk managers feel they have not dedicated enough resources to combat the evolution of hacking techniques
• 76% of risk managers feel the biggest risk of cloud technology is the loss of confidentiality of information
Source: The Hartford Steam Boiler Inspection and Insurance Company (HSB) Cyber Risk Survey
THREATS TO SMALL BUSINESSES
Small businesses can be forced to close down due to a data breach
Four common company weak points:
1. Intrusion detection software
2. Encryption of private data
3. Patch management
4. Vendor mismanagement
Source: PropertyCasualty360.com
RISK ASSESSMENT
Understand organizational risks → Identify high risk areas → Key risk prioritization
• Gain an understanding of the high risk areas and underlying rationales by conducting interviews with members of Senior Management, Legal and your Trusted Advisors
• Identify key risks based on the threats and vulnerabilities relevant to the organization and rank these items based upon their overall impact (environment, system and technical analysis) and expected likelihood of occurrence.
• Identify the top risks to the Company based on inherent risk ranking.
Number of identified risks per threat category and rating (A–E):
Threat Categories A B C D E
External attack 2 3
Internal misuse and abuse 6 2
Theft 2
System malfunction 2 1
Service interruption 1 5
Customer 4
Information Risk Ratings: A – Very High, B – High, C – Medium, D – Low, E – Very Low
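The ranking step above (score each risk by impact and likelihood, band it A–E, then count risks per threat category) is shown below as an added Python illustration; it is not the presentation's own tool. The five-point scales, the band thresholds and the sample risk register are constructed assumptions, and the six threat categories are the ones from the slide's grid.

```python
from collections import defaultdict

# Five-point scales (constructed assumption; the presentation gives no scale).
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# The slide's rating key: A = Very High ... E = Very Low.
RATINGS = "ABCDE"


def inherent_score(impact, likelihood):
    """Inherent risk before controls: impact x likelihood on the 1..25 product scale."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def rating(score):
    """Map a 1..25 score to the A-E band (thresholds are an assumption; tune locally)."""
    if score >= 20:
        return "A"
    if score >= 12:
        return "B"
    if score >= 6:
        return "C"
    if score >= 3:
        return "D"
    return "E"


def rank_register(register):
    """Return (threat, risk, score, rating) tuples, highest inherent score first."""
    scored = [
        (r["threat"], r["risk"], inherent_score(r["impact"], r["likelihood"]))
        for r in register
    ]
    scored.sort(key=lambda t: t[2], reverse=True)  # stable sort: ties keep register order
    return [(t, r, s, rating(s)) for t, r, s in scored]


def tally_by_category(ranked):
    """Count risks per threat category and rating band, like the slide's grid."""
    counts = defaultdict(lambda: {band: 0 for band in RATINGS})
    for threat, _risk, _score, band in ranked:
        counts[threat][band] += 1
    return dict(counts)


def top_risks(ranked, n=3):
    """The 'top risks to the Company' step: the n highest inherent scores."""
    return ranked[:n]


def render_grid(counts):
    """Plain-text grid with one row per threat category and one column per band."""
    lines = ["%-28s" % "Threat Categories" + "".join("%4s" % b for b in RATINGS)]
    for threat, row in counts.items():
        cells = "".join("%4s" % (row[b] or "") for b in RATINGS)  # blank instead of 0
        lines.append("%-28s%s" % (threat, cells))
    return "\n".join(lines)


# Constructed sample register (not survey or client data).
SAMPLE_REGISTER = [
    {"threat": "External attack", "risk": "Web app exploited; unencrypted customer records exfiltrated", "impact": "severe", "likelihood": "likely"},
    {"threat": "External attack", "risk": "Phishing leads to account hijacking", "impact": "major", "likelihood": "possible"},
    {"threat": "Internal misuse and abuse", "risk": "Employee copies data to personal cloud storage", "impact": "moderate", "likelihood": "likely"},
    {"threat": "Internal misuse and abuse", "risk": "Administrator abuses privileged access", "impact": "major", "likelihood": "unlikely"},
    {"threat": "Theft", "risk": "Laptop holding unencrypted data stolen", "impact": "major", "likelihood": "possible"},
    {"threat": "System malfunction", "risk": "Backup job silently failing", "impact": "moderate", "likelihood": "possible"},
    {"threat": "Service interruption", "risk": "Cloud provider outage", "impact": "minor", "likelihood": "likely"},
    {"threat": "Customer", "risk": "Customer reuses a breached password", "impact": "minor", "likelihood": "rare"},
]

if __name__ == "__main__":
    ranked = rank_register(SAMPLE_REGISTER)
    for t, r, s, b in top_risks(ranked):
        print(f"{b} ({s:2d}) {t}: {r}")
    print(render_grid(tally_by_category(ranked)))
```

The product scale is deliberately simple; what matters for the slide's process is that every risk is scored the same way, that ties are broken consistently, and that the per-category tally makes it obvious where controls should be applied first.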
CONTROL FRAMEWORKS
• CSA Star – Cloud Security Alliance
• COBIT – Control Objectives for Information and Related Technology
• FEDRAMP – Federal Risk and Authorization Management Program
• FISMA – Federal Information Security Management Act
• HIPAA – Health Insurance Portability and Accountability Act
• ISO – International Organization for Standardization
• ITIL – Information Technology Infrastructure Library
• PCI DSS – Payment Card Industry Data Security Standard
• NIST – National Institute of Standards and Technology
• SOC 2 (AT 101) – Service Organization Control Reports
PCI DATA SECURITY STANDARDS
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
PCI DATA SECURITY STANDARDS
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
VALIDATE
Independent auditor assessments and attestations
• Review of policies and administrative procedures
• Inspection of configurations and settings
• Testing of manual procedures
• Observation of control activities
WHAT CAN I DO FIRST?
• 40% of the controls determined to be most effective against data breaches fall into the “Quick Win” category
Source: Verizon 2015 Data Breach Investigation Report
[With the mass proliferation of technology and the Internet of Things, this should be no surprise and will not be trending downward any time soon.]
[This is reason number one to implement a REAL BYOD program.]
[The big breaches reported this year all involved outsiders taking advantage of insiders. I’d really recommend companies reconsider what technology employees actually need as opposed to want, for starters.]
[Additional data suggests that only about 33% of all breaches are even reported to law enforcement. It’s safe to assume that of all entities out there, 67% are unaware, negligent, incompetent and/or willful; take your pick!]
53% of 419 enterprise respondents report employees using Dropbox, Google Drive, or some other file sharing scheme
23% of 200 end user respondents report the same
What does all this mean? Ask audience for their thoughts.
49% report employees using USB flash storage
Out of 200 end-user employee respondents
33% transfer corporate data using personal email accounts i.e.