Date posted: 18-Jul-2015
Category: Technology
Uploaded by: concerto-cloud-services
• The Role of Information Security
• IT Security Conundrums
• Best Practices for Security
• How Providers can Alleviate Concerns
• Q&A
Today’s Presenter
Greg Pierce
• Chief Cloud Officer, Concerto Cloud Services
• Pioneer in Enterprise Cloud Computing
• Veteran business leader and entrepreneur with over 20 years’ experience
• Helps businesses transform through the use of disruptive technologies
Goal of Information Security
Administrative, Technical and Physical Controls work together to ensure the confidentiality, integrity and availability (CIA) of critical systems and confidential information.
Information Security is a goal: we must continually strive for it with no guarantee of achievement.
IT Security Conundrum One
IT Security Conundrum Three
Spending more (without other security processes) can deliver a false sense of security.
IT Security Conundrum Four
YOU are the target, regardless of your industry vertical or company size.
IT Security Conundrum Five
It is easy to drive the wrong behavior from your users.
Education is key and policies can’t be too restrictive.
Information Security Domains
1. Access Control
2. Application Security
3. Business Continuity and Disaster Recovery Planning
4. Cryptography
5. Information Security and Risk Management
6. Legal, Regulations, Compliance and Investigations
7. Operations Security
8. Physical (Environmental) Security
9. Security Architecture and Design
10. Telecommunications and Network Security
Security Has Everyone’s Attention
[Timeline figure, April 2013 to September 2014, with the data points the slide shows: 70MM records stolen; 40MM credit & debit cards, Nov 15 – Dec 15, 2013; 56MM credit & debit cards, Apr – Sept 2013; 76MM of 83MM accounts stolen, July 14 – Sept 2014; $9000 credit & debit]
The Target Breach – How did they do it?
• Compromised HVAC contractor, likely via a phishing email
– Used a free version of anti-malware that lacked real-time protection
– Malware stole credentials to the Target supplier portal
• Portal
– Not properly segmented on the network from other critical systems
– Lacked two-factor authentication
– Supplier/Vendor info was public, so attackers used this info for a social engineering attack (HVAC contractor)
– Supplier/Vendor ecosystem lacked security awareness training (best practices, etc.)
• Took advantage of the monitoring system’s default username and password
– Installed “RAM scraping” malware on POS systems
– Disguised communications as legitimate monitoring traffic
– Exfiltrated data was sent to an FTP server in Russia over the course of two days
Target Breach - By the numbers
• 70 million – number of records stolen
• 40 million – number of credit/debit cards stolen
• $100 million – amount they will spend upgrading payment terminals
• 46% – percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before
• $53.7 million – the income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85
• ZERO – Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target
The Target Breach – Why they got away
“Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security”
Gregg Steinhafel, CEO
The Target Breach – Why they got away
• Failure or lack of established process and procedure
– Security systems rapidly detected the security event but there was no response by IT
• Weakness in the architecture of the Supplier portal
– Insufficient oversight during the planning and implementation phase allowed logical connectivity to sensitive systems and data. Architectural review board?
– Infrequent assessment against systems to understand their impact on Information Security?
• Lack of security awareness training
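The two breach lists above (a supplier portal not segmented from POS systems, exfiltration disguised as monitoring traffic and sent to an external FTP server, and alerts that fired with no response) describe failures that a simple segmentation and egress policy check over connection logs would surface. This is an added example, not code from the presentation or from Concerto; the zones, addresses, log format and allowed-flow policy are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed network zones for illustration; not any real retailer's addressing.
ZONES = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/24"),
    "pos": ipaddress.ip_network("10.20.0.0/24"),
    "monitoring": ipaddress.ip_network("10.30.0.0/24"),
}
# Cross-zone flows the assumed segmentation policy permits; anything else is lateral movement.
ALLOWED_FLOWS = {("monitoring", "pos"), ("pos", "monitoring")}
FTP_PORTS = {20, 21}  # bulk transfer to the outside is never expected from these zones
LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def check_flow(line):
    """Return a finding for a policy violation, or None when the flow is expected."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src_zone, dst_zone, dport = zone_of(m["src"]), zone_of(m["dst"]), int(m["dport"])
    if src_zone == "external":
        return None  # inbound traffic is out of scope for this check
    if dst_zone == "external":
        # POS hosts never talk to the Internet; FTP egress from any zone is suspect.
        if src_zone == "pos" or dport in FTP_PORTS:
            return f"egress from {src_zone}: {m['src']} -> {m['dst']}:{dport}"
        return None
    if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_FLOWS:
        return f"lateral {src_zone} -> {dst_zone}: {m['src']} -> {m['dst']}:{dport}"
    return None

def scan(lines):
    """Run check_flow over allowed-connection log lines and collect the findings."""
    return [f for f in map(check_flow, lines) if f]

# Constructed firewall log lines in an assumed 'src=ip:port dst=ip:port' format.
SAMPLE_LOG = [
    "2013-11-27T02:14:01 src=10.30.0.5:51000 dst=10.20.0.17:445 action=allow",    # expected
    "2013-11-27T02:15:10 src=10.10.0.8:44120 dst=10.20.0.17:445 action=allow",    # portal -> POS
    "2013-11-30T23:02:44 src=10.30.0.5:53321 dst=203.0.113.9:21 action=allow",    # FTP egress
    "2013-11-30T23:03:01 src=10.30.0.5:53322 dst=203.0.113.9:443 action=allow",   # allowed HTTPS
    "2013-11-30T23:04:00 src=10.20.0.17:49152 dst=198.51.100.4:443 action=allow", # POS egress
]
```

Running scan(SAMPLE_LOG) yields three findings: the portal-to-POS connection, the FTP egress from the monitoring segment, and the POS host reaching the Internet; the monitoring poll and the HTTPS egress pass.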
Users are the Common Link
• Trojans – software downloads (Kazaa)
• Viruses – emails
• Zombies or Botnets
• Phishing (Identity Theft)
• Spyware
Source: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html
“Application users are most often the determining factor in whether or not a security breach occurs”
What can we learn?
A breach can happen to any company of any size and any industry; learning from others is critical.
Best Practice One: Holistic Planning
Security is a Holistic Program
– Process (not a project)
  Never 100%
– Risk Management
  Improve Security Posture
– Changing Security Landscape
  Threats (motives)
  Countermeasures
Best Practice Two: Building Awareness
• Security awareness is the knowledge, skill and attitude an individual possesses regarding the protection of information assets.
• Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse your account, computer or the data stored on your computer.
• Awareness of the risks and available safeguards is the first line of defense for the security of information, systems and networks.
“Application users are most often the determining factor in whether or not a security breach occurs” – source: http://www.pcworld.com/article/2010527/forrester-report-finds-most-data-breaches-are-caused-by-employees.html
Security Awareness Includes
• Information about how to
  Protect
  Detect
  React
• Knowledge, Skill and Attitude
  The What
  The How
  The Why
• Culture Change
Best Practice Three: Encryption
Data in Use, Data in Motion, and Data at Rest – ensure encryption for ALL classes of data.
Best Practice Four: Layered Structure
A high-level summary of the security layers includes:
• Centralized and automated anti-malware and OS patching
• Identity management
• True network segmentation and isolation from ingress to egress at layer 2 and 3
• Data in-motion encryption by default
• Multiple firewall segments operating at layer 1-7 of the OSI stack
• State-of-the-art IDPS solution monitored and managed 24x7 by a dedicated security operations center (SOC)
• Reverse Proxy services
• “Other” confidential and proprietary security mechanisms and practices
• Intelligent, multi-point syslog solution
The Market Has Gone to the Clouds
• 45% of companies plan to move ERP to the cloud in the next 5 years
• Other studies state that the market is moving even faster than predicted here
The Cloud Changes Everything …Except Security
Ensure your hosting/cloud solution is subject to IT audit with your IT security team.
Is your hosting/cloud solution subject to internal IT audit with your IT security team?
Not All Clouds Are Equal
• ISC2 and CSA have partnered to offer a new Cloud Security Certification – SecurityWeek: ISC and CSA Partner for Certification Offering
• Amazon S3 Poor Configuration Puts Sensitive Data at Risk – SecurityWeek: Amazon Puts S3 Data At Risk
• Web Application Attacks Challenge Cloud and On-Premise Infrastructures – SecurityWeek: Web Application Attacks Increase
• Trust in the Cloud? – SecurityWeek: Lieberman: IT Doesn't Trust the Cloud
How Cloud Providers Can Address Concerns
• Transparency/Control Over Datacenter/Data Locality/Security Auditability
• Verifiable End-to-end Encryption – Data in Transit
• Industry/Government Regulation Compliance
• Proven Tools and Control with Restricted Access
• Control Over Security/Encryption
• Dedicated Resources/Data Isolation
• Provide Proven References
• Industry Standards for Data Privacy and Security
• Explicit Contractual Responsibilities for Service Levels/Security
• Provider Certification Standards
• Region/Country Specific Datacenter Locations
Things to Remember
Ensure the security and privacy of your Cloud application with:
• The Right Cloud for the Right Application
• Compliance
• IDS/IPS
• Protection for Data at Rest
• Simplicity for Complex Applications. Concerto was designed to meet the toughest regulatory challenges and the most complex demands – and has earned an industry leading customer retention rate as a result.
• Comprehensive Channel Enablement Services. Innovative private and hybrid cloud and business transformation services help channel partners go to market quickly.
• Recognized Cloud Provider for Microsoft Applications. Concerto Cloud is the go-to cloud provider for Microsoft applications and is recognized as Microsoft’s ISV of the Year for Cloud Services.
The Cloud That’s Up to Your Challenge