Securing Your Secured Data - T&T...

Date post: 25-Jan-2021
Securing Your Secured Data, Tuesday April 9th 2013, Roshan Mohammed, CipherQuest (Trinidad) Limited
Transcript
  • Securing Your Secured Data

    Tuesday April 9th 2013

    Roshan Mohammed

    CipherQuest (Trinidad) Limited

  • AGENDA

    Perception of Information Risk

    What Data are we Protecting and Why?

    Infrastructure Security

    Application Security

    Cloud Security

    Auditing

  • Perception of Information Risk

  • Perception of Information Risk

    Caribbean Incidents 2013

    Mar 20 Barbados FirstCaribbean Bank Records hacked

    Mar 11 Bahamas Hackers spark credit card chaos

    Feb 20 Jamaica Hackers attack at least four state bodies

    Feb 6 Jamaica Hackers said to be found with DPP files

    Feb 6 Barbados Barbados police investigating missing data on oil industry

    Jan 26 Jamaica Digicel Hacked

    Jan 25 Jamaica Hackers on the loose

    Quoted mainly from the Trinidad Guardian - http://m.guardian.co.tt/business-guardian/2013-03-11/caribbean-cyberattacks-rise

  • Perception of Information Risk

    • Theft of intellectual property

    • Lost/Stolen data backup tapes

    • Stolen Computers

    • Web site defacement and compromise

    • Identity Theft

    • Voice Data Interception

    • Blackmail from data thefts

    • Wireless network intrusions

    • Stolen or weak passwords

    • Failed data backups

    • Weak physical security checks

  • What does this mean?

    1. Incidents can happen anywhere – including us here in the Caribbean

    2. Incidents can happen to anyone in any industry

    3. We face the same risks as international companies, but we have fewer resources to allocate to risk management

    4. Greater demand for integration with suppliers and business partners, and thus greater demand for security compliance.

    5. More options for service channels to customers – e-commerce, m-commerce etc., and thus a greater need for protective security measures.

  • The Usual Solutions?

    Business Services – Do more with less

    Voice over IP

    Virtualization

    Shared Services and Cloud Services

    Social Media, Mobile Computing and X-Commerce

    Security Protection – Do more with less

    Infrastructure Security

    Applications Security

    Cloud Security

    Data Loss Protection

    Auditing and Intelligence

    Auditing and Forensics

  • What Data are we Protecting?

    Document and Classify Business Information (Asset Classification)

    1. Organization-wide agreement of asset criticality (derived from ISO 31000 practices) using existing organization risk assessment processes (if available).

    2. Compliance with industry standard (ISO/IEC 27000:2009)

    3. Repeatable, Measurable, Objective Metrics (as far as possible)

    4. Integrated into management operational and reporting processes.

    5. Maintenance of Asset List

  • Why are we Protecting?

    • Financial Loss

    • Operational Impact

    • Environmental Impact

    • Reputation

    • Legal

  • Perception of Information Risk

    What are we Protecting and Why?

    Infrastructure Security

    Application Security

    Cloud Security

    Auditing

  • Infrastructure Security

  • Infrastructure Security

    The study of infrastructure security looks at the architecture of organizational information technology networks at the very lowest levels to not only ensure that those layers are secure, but that they can support security requirements at the higher levels.

  • Infrastructure Security

    Foundation

    Perimeter Walls

    Secured Doors and Windows

    Perimeter Fencing

    Pet Protection

    Safes and Vaults

    Alarms and CCTV

    Family

    Friends

    Contractors

    Strange Visitors

    Unwanted Visitors

  • Infrastructure Security

  • Defense in Depth

    A concept in which multiple layers of security controls (defense) are placed throughout a network. Its intent is to provide redundancy in the event of a security incident. Each layer is more secure than the outer layer.

    Infrastructure Security

  • Infrastructure Security – BYOD

    Risks

    • Heterogeneous devices connected to your network

    • Not under the full control of IT Department

    • No control of where the devices were connected to before or what malware is on them

    Benefits

    • Reduced cost of IT acquisition and ownership

    • Cost Savings

    • Reduced Expenditure

    Security

    • Must manage how these devices connect to the corporate network

    • Must find an alternative method of control for what is on the devices (AV, sandboxing etc)

  • Infrastructure Security – Benefits

    • Critical element in preparing organizations to adopt new technologies such as e-commerce and m-commerce.

    • Mitigates against internal risk sources as well as external risk sources.

    • Compliance - Allows control of internal and external users throughout the full 7 layer OSI stack.

    • Redundancy of Controls

    • Facilitation of full spectrum logging and auditing functions

  • Infrastructure Security - How

    Gap/Risk Assessments

    • Identify and classify organizational data

    • Determine how it is being protected today

    • Identify gaps against industry standards / best practice (ethical hacking)

    • Develop a short to medium term mitigation strategy which feeds into the strategic technology plans of the organization.

    Guidance

    Local and regional vendors and consultants

    Online - ISO/IEC 27000:2009

  • Perception of Information Risk

    What are we Protecting and Why?

    Infrastructure Security

    Application Security

    Cloud Security

    Auditing

  • Application Security

    Software Vendor Patches issued for 2013

    Adobe 59

    Microsoft 27

    SAP 72

    Oracle 33

    • Database Applications Security

    • Web Applications Security

    • E-Commerce Application Security

    • Mobile Applications Security

    Application security encompasses measures taken throughout the application's life-cycle to prevent vulnerabilities through flaws in the design, development, deployment, upgrade, or maintenance of the application.

  • Application Security

    New Malware Attacks Smartphones (4 Feb 2013)

    13,000 different kinds of mobile malware found for 2012

    Zeus-in-the-Mobile (Zitmo) banking trojan evolving into a botnet (26 Mar 2013)

  • Application Security

    • Our local mobile penetration rate is 142%

    • Increased sale of smart phones, tablets and notebooks

    • WiFi hotspots

    • 4G Technology

    • Low broadband costs (http://www.guardian.co.tt/business/2013-04-07/mobile-phones-bridging-tt%E2%80%99s-digital-divide, April 7th 2013)

  • Application Security

  • Application Security - Ransomware

    Encrypting data and forcing the organization to pay for its decryption.

    Increase in incidents even in the mobile and BYOD space.

  • Application Security

  • Perception of Information Risk

    What are we Protecting and Why?

    Infrastructure Security

    Application Security

    Cloud Security

    Auditing

  • Cloud Security

    “Ultimately, you can outsource responsibility but you can't outsource accountability” (European Network and Information Security Agency ENISA)

    XaaS

    Software as a Service

    Security as a Service

    Infrastructure as a Service

    Data as a Service

    Platform as a Service

    Are you satisfied your data will be secure in the “cloud”?

    • Security certification: ISO 27001, SAS 70

    • Access controls, data recoverability, data breaches

    • Right to Audit

    • Location of Data

  • Cloud Security - Benefits

    • Achieve economies of scale

    • Reduce spending on technology

    • Globalize your workforce on the cheap

    • Reduce capital costs

    • Improve accessibility

    • Monitor projects more effectively

    • Less personnel training is needed

    • Minimize licensing new software

    • Improve flexibility

    • …

  • Cloud Security - Risks

    • Who has access to your data?

    • Standards Compliance – is your provider worthy of your business?

    • Data Location and jurisdictional regulations

    • Data Segregation – is your data separate?

    • Recovery and service level agreements

    • Investigative Support

    • Scalability and long term viability – protection of data in event of a buy out or bankruptcy.

  • Cloud Security - How

    Gap/Risk Assessments

    • Identify and classify organizational data

    • Determine how it is being protected today

    • Identify gaps against industry standards / best practice, and

    • Develop a short to medium term mitigation strategy which feeds into the strategic technology plans of the organization.

  • Cloud Security - Responsibility

    • Board of Directors

    • Chief Executive Officer

    • Chief Financial Officer

    • Legal / General Counsel

    • Chief Auditor (http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf)

    Note: Chief Information Officer or Chief Security Officer perform support roles, not decision making.

  • What to outsource?

    • Benefits

    • Quantifiable and Measurable

    • Risks

    • Based upon Organizational Standards

    • Or International Standards and best practices

    Cloud Security – What?

  • Cloud Security – Where?

    Which cloud service provider?

    • Location

    • Regulations

    • Standards in use internally

    • Are they registered and self-governing?

    • What access do you as a customer have?

  • Cloud Security - Governance

    www.cloudsecurityalliance.org

  • Cloud Security – Processes & Monitoring

    • SLAs

    • Controls derived from best practice

    • Regular Testing (Ethical Hacking)

    • Monitoring

    • Auditing

    • Backup and Recovery

    • Facility Security

    • Compliance – ISO 27000, CoBIT, PCIDSS, ISO 31000 …

  • Perception of Information Risk

    What are we Protecting and Why?

    Infrastructure Security

    Application Security

    Cloud Security

    Auditing

  • Auditing

    You can’t manage what you don’t measure.

    • TJ MAXX - July 2005 to December 2006

    • Nortel Networks suffered a security breach that for almost a decade gave attackers access to executive network accounts, technical papers, employee emails and other sensitive documents

  • Security Incident and Events Monitoring (SIEM)

    Windows Logs

    Unix Logs

    Firewall and Security Devices

    Databases

    Applications

    Door Sensors

    CCTV

    Data Centers

    Log Analysis and Correlation

    Auditing

  • Auditing

    Outsourcing

    In-House development using off the shelf applications

    Automatic Alerting via exception monitoring

    • OS Monitoring: Administrator logins at midnight; Failed sequential logins

    • Application Monitoring: Startup/Shutdown; Database Admin Logons

    • Transactional Monitoring: Transactions over value $X; Sequential Transactions
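The exception-monitoring rules on this slide (administrator logins at midnight, failed sequential logins, transactions over value $X, sequential transactions), written out as an added example that is not part of the presentation: the key=value log format, the user names, the thresholds and the time windows are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log, key=value per line (not a real product's format).
SAMPLE_LOG = """\
ts=2013-04-09T00:12:03 src=os event=login user=administrator result=success
ts=2013-04-09T09:01:10 src=os event=login user=administrator result=success
ts=2013-04-09T09:05:00 src=os event=login user=jdoe result=failure
ts=2013-04-09T09:05:20 src=os event=login user=jdoe result=failure
ts=2013-04-09T09:05:41 src=os event=login user=jdoe result=failure
ts=2013-04-09T10:30:00 src=app event=transaction user=acct42 amount=250000
ts=2013-04-09T10:30:05 src=app event=transaction user=acct42 amount=9000
ts=2013-04-09T10:30:09 src=app event=transaction user=acct42 amount=9000
"""

ADMIN_USERS = {"administrator", "root"}                 # assumed admin accounts
OFF_HOURS = range(0, 6)                                 # "logins at midnight"
FAILED_LIMIT, FAILED_WINDOW = 3, timedelta(minutes=5)   # failed sequential logins
HIGH_VALUE = 100000                                     # "transactions over $X"
BURST_LIMIT, BURST_WINDOW = 3, timedelta(seconds=30)    # sequential transactions

def parse(line):
    # Split 'k=v k=v ...' into a dict and convert the timestamp.
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def burst(times, limit, window):
    """True once `limit` timestamps fall inside one sliding `window`."""
    times = sorted(times)
    return any(times[i + limit - 1] - times[i] <= window
               for i in range(len(times) - limit + 1))

def audit(log_text):
    """Apply the four exception rules; return one alert string per hit."""
    alerts, failed, txns = [], defaultdict(list), defaultdict(list)
    for r in map(parse, log_text.splitlines()):
        if r["event"] == "login" and r["result"] == "failure":
            failed[r["user"]].append(r["ts"])
        elif r["event"] == "login" and r["user"] in ADMIN_USERS and r["ts"].hour in OFF_HOURS:
            alerts.append(f"off-hours admin login: {r['user']} at {r['ts']}")
        elif r["event"] == "transaction":
            txns[r["user"]].append(r["ts"])
            if int(r["amount"]) > HIGH_VALUE:
                alerts.append(f"high-value transaction: {r['user']} amount={r['amount']}")
    for user, t in failed.items():
        if burst(t, FAILED_LIMIT, FAILED_WINDOW):
            alerts.append(f"sequential failed logins: {user} x{len(t)}")
    for user, t in txns.items():
        if burst(t, BURST_LIMIT, BURST_WINDOW):
            alerts.append(f"sequential transactions: {user} x{len(t)}")
    return alerts
```

Running `audit(SAMPLE_LOG)` yields four alerts, one per rule; the 09:01 administrator login and the two 9000 transactions on their own raise nothing, which is the "exception" part of exception monitoring.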

  • Auditing - HOW

    • Identify Reason(s) for auditing

    • Identify log sources

    • Identify vendor who meets needs

    • Training

    • Absolutely required

    • No out of the box setup / no auto learning

  • Thank You
