360° OF IT COMPLIANCE. Threats & Countermeasures Mark Jennings SymQuest Group, Inc.

Date posted: 06-Jan-2018
Page 1

360° OF IT COMPLIANCE

Page 2

Threats & Countermeasures

Mark Jennings, SymQuest Group, Inc.

[email protected]

Page 3

What is Compliance?

From a business perspective, compliance is simply the act of meeting the standards associated with regulatory requirements within your industry.

Compliance within these regulations typically extends beyond the handling of digital data.

Compliance is really about being a responsible custodian of Protected information.

Page 4

Protected Information

Examples of Personally Identifiable Information (PII):

Name
Address
Phone numbers
Fax numbers
Email addresses
Social Security Numbers
Date of Birth
Medical Record Numbers
Health Plan ID Numbers
Dates of Treatment
Account Numbers
License Numbers
Vehicle Identifiers
IP addresses
Biometric Identifiers (fingerprints, retinal scans, etc.)
Full face photos

Page 5

Recent Incidents

Target
40 Million debit and credit cards exposed
$67M settlement
Damaged Target’s reputation
CEO resigned

Sony Pictures
Email stolen and leaked
Digital content stolen
Computers disabled

U.S. Office of Personnel Management
Over 18 Million employee records stolen
Director resigns

Page 6

Ramifications of a Breach

HIPAA
Potential fines: $50,000 per violation, up to $1.5M
Potential jail sentences: up to 10 years
Inclusion on the HHS “Wall of Shame”

PCI
Fines
Monetary settlements with card services providers
Suspension of card services

Page 7

THREATS

Page 8

External Cyber Attack

Direct attempt to infiltrate a company or organization

Distributed Denial of Service (DDoS) Attack

Broadcast Viruses and Worms

Source: Akamai Technologies

Page 9

Internal Security Breaches

• The Disgruntled Employee

• The “Entrepreneurial” Employee

• The Curious Employee

Page 10

Social Engineering

Social Engineering takes advantage of an employee’s willingness to trust, desire to be helpful, or simply their ignorance.

Examples of Social Engineering:
Impersonating IT
Very convincing but rogue emails
The old “Lost USB stick” trick

Page 11

Mobile Computing

The rise of laptops, tablets, and smartphones
The desire to work from anywhere
The “Bring Your Own Device” (BYOD) trend

Problems
How secure is the data on the mobile device?
What other applications are in use on the device?
Can you control the flow of corporate data on those devices?
Can you control the protection of those devices (antivirus, anti-malware, web filtering)?
Are these devices using public wifi and, if so, are your employees protecting those communications properly?

Page 12

Untrained Employees

Most of the threats above can be magnified by employees who are not aware of them.

Employees are not aware of the security protocols

Employees are not aware of the warning signs

Employees are not aware of the regulations

Page 13

System Failure

A system failure can create multiple problems

Inability to service clients, customers, or patients

Recovery time

Data Loss

Page 14

Catastrophic Event

In the event of a major disaster, are you prepared to resume business in a reasonable timeframe?

Can you recover your data?

What is your plan?

Are your employees (or at least your managers) aware of the plan?

Page 15


COUNTERMEASURES

Page 16

Countermeasures for Compliance

Many of the regulatory standards require implementation of countermeasures for each of these threats.

In some cases these are specific requirements; in other cases the requirements are broad.

Examples:
The HIPAA Security Rule includes “required” requirements and “addressable” requirements.
PCI may require different levels of auditing based on the volume or type of credit card transactions.

Page 17

Countermeasure Concepts

Layered Security Model

Each threat can occur at various “layers” within the network. Make sure that you have adequate controls at each layer to thwart particular threats:

Email Filtering
Web filtering
Firewall
Network Access Control/Wireless Security
Network Security monitoring
Operating system security patches
Anti Virus/Anti Malware
Application Security Patches
Employee Education

Page 18

Countermeasures for External Cyber Attacks

Reduce your public “footprint”

Employ email filtering

Employ web filtering

Page 19

Countermeasures for Internal Security Breaches

Review your internal security practices

Know where information is stored and who has access to it

Maintain an audit trail

Page 20

Countermeasures for Social Engineering

Establish policies and procedures
Never give out your password to ANYONE.
Verify the identity of anyone attempting to perform a transaction with you.
Acceptable Use Policies

Implement employee identifiers
Badges
Name tags

Employee training
Educate employees on the policies and procedures
Provide training on the fundamentals of safe computing

Page 21

Countermeasures for Mobile Computing

Employ Mobile Device Management (MDM)

Employ 2-factor authentication

Ensure mobile users are using encrypted means to communicate with the organization

Ensure data is encrypted on the local device

Page 22

Countermeasures for Untrained Employees

Top Ten Things your employees should know about safe computing

1. Never divulge your password…to anyone
2. Lock your screen when you are away from your PC
3. Scrutinize the email addresses of senders
4. Do not open emails from people you do not know
5. Be very careful clicking on hyperlinks embedded in emails
6. Use a PIN to access your smartphone or tablet
7. Never leave your laptop, smartphone, or tablet unattended in a public space
8. Report the loss of a laptop, smartphone, or tablet immediately
9. Be wary of public wifi
10. Report any security incident (email scam, suspicious behavior, etc.) to your IT administrator immediately

Page 23

Countermeasures for System Failure

Redundant System Design

Recovery server

Virtualization with redundant hosts and shared storage

Good backup strategy

Practice the 3-2-1 Rule

Page 24

Countermeasures for Catastrophic Disaster

Develop a plan

Determine your Recovery Time Objective (RTO)

Determine your Recovery Point Objective (RPO)

Plan your recovery strategy in accordance with your RTO/RPO

Document the plan

Communicate the plan

Exercise the plan
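As an added example that is not part of the slide deck, the "Practice the 3-2-1 Rule" item from the System Failure slide and the RTO/RPO items from this slide can be turned into a concrete check over a backup inventory. The inventory, names and restore timings below are constructed, and the reading of 3-2-1 used here (the live copy plus two backups, on two distinct media, with at least one backup offsite) is an assumption, not the presenter's definition. The site-loss scenario shows why RTO/RPO should be evaluated only over the copies that would actually survive the disaster being planned for.

```python
# Added example, not from the slide deck: evaluates a constructed backup
# inventory against the 3-2-1 rule and against an RTO/RPO target.
# Interpretation assumed here: "3 copies" counts the live (primary) data plus
# two backups; "2 media" counts distinct storage media across all copies;
# "1 offsite" needs at least one backup stored away from the primary site.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str              # e.g. "disk", "tape", "object-storage"
    offsite: bool
    last_success: datetime   # time of the last verified successful backup
    restore_minutes: int     # measured (here: constructed) time to restore from it


def check_321(primary_medium, backups):
    """Return which parts of the 3-2-1 rule the inventory satisfies."""
    media = {primary_medium} | {b.medium for b in backups}
    return {
        "three_copies": 1 + len(backups) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": any(b.offsite for b in backups),
    }


def usable_copies(backups, site_lost):
    """Copies that survive the scenario: after a site loss only offsite
    copies remain restorable."""
    return [b for b in backups if b.offsite or not site_lost]


def check_rpo(backups, rpo, now, site_lost=False):
    """RPO holds if the newest surviving backup is no older than the RPO."""
    copies = usable_copies(backups, site_lost)
    if not copies:
        return False
    newest = max(b.last_success for b in copies)
    return now - newest <= rpo


def check_rto(backups, rto, site_lost=False):
    """RTO holds if some surviving backup can be restored within the RTO."""
    return any(timedelta(minutes=b.restore_minutes) <= rto
               for b in usable_copies(backups, site_lost))


def evaluate(primary_medium, backups, rto, rpo, now, site_lost=False):
    """Combine 3-2-1 and RTO/RPO findings; 'ok' is True only if all pass."""
    findings = check_321(primary_medium, backups)
    findings["rpo"] = check_rpo(backups, rpo, now, site_lost)
    findings["rto"] = check_rto(backups, rto, site_lost)
    findings["ok"] = all(findings.values())
    return findings


# Constructed sample inventory (hypothetical names and timings).
NOW = datetime(2018, 1, 6, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    BackupCopy("nas-nightly", "disk", False, NOW - timedelta(hours=1), 30),
    BackupCopy("cloud-weekly", "object-storage", True, NOW - timedelta(hours=26), 240),
]
RTO = timedelta(hours=4)
RPO = timedelta(hours=24)

if __name__ == "__main__":
    for site_lost in (False, True):
        label = "site loss" if site_lost else "single server failure"
        print(label, evaluate("disk", INVENTORY, RTO, RPO, NOW, site_lost=site_lost))
```

With the constructed inventory the single-server scenario passes every check, while the site-loss scenario fails the RPO: the only surviving copy is the offsite one, which is 26 hours old against a 24-hour objective. That is the kind of gap the "plan your recovery strategy in accordance with your RTO/RPO" step is meant to surface before an exercise or a real event does.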

Page 25

Cloud Options

Software as a Service (SaaS) systems
Only the specific software and data are hosted by the provider
Data contained within the hosted software system is protected by the provider
Difficult to integrate with other systems

Infrastructure as a Service (IaaS)
Entire systems are hosted within the vendor’s data center
All data within the hosted systems (excluding mobile devices) is protected by the provider
Typically requires in-house IT expertise to manage

IaaS with a Managed Service Provider (MSP)
All systems are hosted within the vendor’s data center
Mobile devices and end-user support are managed by the MSP

Page 26

Advantages of the Cloud

Systems are maintained by IT professionals
Systems are implemented using industry-standard best practices
Systems run on enterprise-class equipment
Systems are hosted in enterprise-class facilities:
Air handling
Battery backup
Redundant communications lines
Generators
Physical security

Systems (should be) redundant
Redundant data centers

Systems are protected by multilayered security

Page 27

The SymQuest Cloud

Two completely redundant and replicated data centers in South Burlington, VT and Portland, Maine
Hosted clients receive a completely segregated virtual network with dedicated virtual servers and an independent firewall
Full service management of hosted servers and workstations:
Backup
Patching
Replication
AV/AM

Management of on-premises equipment
99.9% uptime Service Level Agreement
Compliance assistance: SymQuest will provide documentation to auditors upon request to assist you in proving compliance

Page 28

Final Thoughts

Security and compliance are a complex topic.

The IT industry is only going to become more complex.

The use of managed IT services, either on premises or in the cloud, does not absolve an organization of its regulatory responsibilities, but it does ensure that trained and dedicated professionals are in charge of that aspect of the business.

In the event of an audit, an IT managed service provider should be able to assist you in proving compliance.

Having a professional managed services team should put the organization in a better position to defend against common threats, however …

there is no 100%.

Page 29

THANK YOU

Mark Jennings
Director of Sales | Network [email protected]
(802)-658-9836
Let’s Connect