Date posted: 09-Feb-2017 | Category: Government & Nonprofit | Upload: donald-e-hester
©2016 Maze & Associates
Cyber-security for Local Governments
SAMFOG
Presenter: Donald E. Hester, CISA, CRISC, CAP, CISSP, IS Audit, [email protected]
Blog: www.LearnSecurity.org; Facebook: facebook.com\LearnSec
The Problem
Albert Gonzalez, 28
With accomplices, he was involved in most of the major data breaches: Heartland, Hannaford Bros., 7-Eleven, T.J. Maxx, Marshalls, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Dave & Busters, Boston Market, Forever 21, DSW and others.
The public trusts that we will keep their information safe from crooks like these.
Who is behind data breaches?
• 70% from external agents
• 48% caused by insiders
• 11% implicated business partners
• 27% involved multiple parties
Source:
Data Loss Trends
Number of incidents per year. Source:
What do you think the trend has been since 2010?
Incidents by organization type. Where do you think local government rates?
What state has the most data breaches?
Top Concerns
1. Securing the IT environment
2. Managing and retaining data
3. Managing IT risk and compliance
4. Ensuring privacy
5. Enabling decision support and analytics
6. Managing system implementations
7. Preventing and responding to computer fraud
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10. Managing vendors and service providers
http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/TopTechnologyInitiatives/Pages/2013TTI.aspx
The items in orange text are all PCI related.
IT Control Environment
IT Governance
Governance cycle: Determine Objectives → Assess Risk → Apply Controls → Assess Controls → Monitor (and repeat)
Risk Assessment Activities
• The identification of objectives relevant to the reduction of errors, policy violations, fraud, or noncompliance.
• Monitor and respond to this increase in risk.
• The Information Technology (IT) department should periodically identify and communicate risks for which employees should be particularly vigilant.
• Changes in software should be subject to extensive evaluation and testing in order to identify and manage risks associated with their use.
Source: Internal Control Guidelines, California Local Agencies, 2015 (SCO)
Apply Controls
“Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels.”
Source: AICPA’s Auditing Standard AU-C §315.A91
IT Control Standards
Although there is no required IT standard for local governments, the National Institute of Standards and Technology (NIST) encourages state, local and tribal governments to consider the use of NIST guidelines, as appropriate.
By adopting NIST standards, a local government demonstrates due diligence in designing and implementing appropriate controls around its information systems.
Recommendation
• National Institute of Standards and Technology NIST SP 800-53 rev. 4
• Moderate risk system as defined by NIST SP 800-60
• Risk Management Framework (RMF)
Does outsourcing our financial application eliminate the risks in the IT Control Environment?
What is Cloud Computing?
The “Cloud”: buzz word, overused cliché, ill defined, many different definitions, marketing term, all hype, the “unknown path”, service provider, “____-as-a-service”, nebulous.
Definition
“...[a] model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, services) that can be provisioned and released with minimal management effort or service provider interactions.” (NIST & Cloud Security Alliance)
A utility model of technology delivery.
Cloud Definitions
• Cloud Service Provider (CSP): an entity that offers one or more cloud services in one or more deployment models.
• Cloud Service Offering (CSO): the actual IaaS/PaaS/SaaS solution available from a CSP; a CSP may provide several different CSOs.
Reasons
• Efficiency
• Agility
• Innovation
Cloud Provider Benefits (NIST SP 800-144)
• They will have specialized staff
• The platform will typically be more uniform
• They have the ability to scale and add redundancy
• Better backup and recovery
• May support a greater number of mobile devices
• Data may be centralized and not on laptops
Cloud Risks
• Where’s My Data?
• The Bad Divorce
• Trust but Verify
• “I thought you knew”
• I didn’t think of that
• Clarify
• Consider
• Expectations: put it in writing
• Compatibility
Where’s My Data?
• In the information age your key asset is information.
• Some information requires protection (credit card data, student records, SSN, etc.).
• Your information could be anywhere in the world.
• You may lose access to your data (availability): ISP failure, service provider failure, failure to pay (service provider stops access).
The Bad Divorce (“Vendor Lock-in”)
• All relationships come to an end: they let you down, had a breach, SLA performance, etc.; the company fails or gets sold; introductory pricing goes up over time.
• Transition to a new vendor or in-source: how will you get your data back?
• Lack of portability between PaaS clouds. Example: something built for Google won’t work for SharePoint or Amazon.
• Get a prenup: get it in the contract up front.
Trust but Verify
• Assurance: how do you know they are protecting your data?
• Not everyone is treated the same by service providers.
• Disclosure concerning security posture.
• 3rd party independent verification (audit/assessment): SAS 70 / SSAE 16, SysTrust / WebTrust, ISO 27001 certification, audit / assessment, MOU/MOA & ISA.
“I thought you knew”
• Cloud systems are typically more complex; this may create a larger attack surface.
• Breach notification: when do you want to know about a data breach? (Data that you are legally obligated to protect.)
• Typical contracts give wide latitude to service providers: actual versus possible breach; timeliness of notification.
I didn’t think of that
• Dependencies: infrastructure (Internet), authentication management (SSO), operational budget, greater dependency on 3rd parties.
• Other considerations: complex legal issues, multi-tenancy, transborder data flow, jurisdiction and regulation, support for forensics.
Clarify
• What do they mean by “Cloud”?
• Establish clear responsibilities and accountability
• Your expectations
• Cost of compensating controls
• What will happen with billing disputes
• Will your data be in a multi-tenant environment?
• What controls will you have?
Consider
• The reputation of the service provider: track record of issues; large or small, likelihood of change; vendor ‘supply chain management’ issues.
• The reliability of the service or technology: is the technology time tested?
• Competency of the cloud provider.
• Typically you have no control over upgrades and changes.
• Training for staff.
Compatibility
• When will they upgrade their service?
• Will they be ready when you are ready for an upgrade of dependent software?
• Will you be ready when they are ready to upgrade?
• Browser-based risks and risk remediation: what software will be required on the client side? Java, Flash, Active-X, Silverlight, HTML 5.
New Attack Vectors
• Hypervisor complexity
• Data leakage (multi-tenant environment)
• Man in the middle
• Browser vulnerabilities
• Mobile device vulnerabilities
Service Agreements
• Service Level Agreement (SLA): some are predefined and non-negotiable; some are negotiable (typically cost more).
• Terms of Service may cover: privacy; breach notification; licensing; acceptable use (what you can and can’t do); limitations on liability (typically in favor of the service provider); modifications of the terms of service (do you want this?); data ownership.
Traditional Risks No Matter Where You Go
• Insider threat: instead of your staff it is their staff.
• Access control: how can you control and monitor?
• Authentication: another logon or SSO?
• Data sanitization: is your data really deleted?
• Others????
Cloud Provider Controls
What to do?
• Careful planning before engagement
• Understand the technical aspects of the solution
• Make sure it will meet your needs (security and privacy)
• Maintain accountability
• Define data location restrictions
• Ensure laws and regulations are met
• Make sure they can support electronic discovery and forensics
• Follow NIST and Cloud Security Alliance guidance
Resources
• Cloud Security Alliance: cloudsecurityalliance.org
• NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing
• NIST SP 800-145, The NIST Definition of Cloud Computing
• NIST SP 800-146, Cloud Computing Synopsis and Recommendations
• Federal Cloud Computing Strategy, February 2011, CIO.gov
• DoD Cloud Computing Security Requirements Guide (CC SRG)
• ISACA: Cloud Computing Management Audit/Assurance Program, 2010