Securing Your Secured Data
Tuesday April 9th 2013
Roshan Mohammed
CipherQuest (Trinidad) Limited
AGENDA
Perception of Information Risk
What Data are we Protecting and Why?
Infrastructure Security
Application Security
Cloud Security
Auditing
Perception of Information Risk
Caribbean Incidents 2013
Mar 20, Barbados: FirstCaribbean bank records hacked
Mar 11, Bahamas: Hackers spark credit card chaos
Feb 20, Jamaica: Hackers attack at least four state bodies
Feb 6, Jamaica: Hackers said to be found with DPP files
Feb 6, Barbados: Barbados police investigating missing data on oil industry
Jan 26, Jamaica: Digicel hacked
Jan 25, Jamaica: Hackers on the loose
Quoted mainly from the Trinidad Guardian - http://m.guardian.co.tt/business-guardian/2013-03-11/caribbean-cyberattacks-rise
Perception of Information Risk
• Theft of intellectual property
• Lost/stolen data backup tapes
• Stolen computers
• Web site defacement and compromise
• Identity theft
• Voice data interception
• Blackmail from data thefts
• Wireless network intrusions
• Stolen or weak passwords
• Failed data backups
• Weak physical security checks
What does this mean?
1. Incidents can happen anywhere, including here in the Caribbean.
2. Incidents can happen to anyone, in any industry.
3. We face the same risks as international companies, but have fewer resources to allocate to risk management.
4. Greater demand for integration with suppliers and business partners, and thus greater demand for security compliance.
5. More service channels to customers (e-commerce, m-commerce, etc.), and thus a greater need for security measures to protect them.
The Usual Solutions?
Business services – do more with less: Voice over IP, virtualization, shared services and cloud services, social media, mobile computing and X-commerce.
Security protection – do more with less: infrastructure security, application security, cloud security, data loss protection, auditing and intelligence, auditing and forensics.
What Data are we Protecting?
Document and classify business information (asset classification):
1. Organization-wide agreement on asset criticality (derived from ISO 31000 practices), using the organization's existing risk assessment processes where available.
2. Compliance with the industry standard (ISO/IEC 27000:2009).
3. Repeatable, measurable, objective metrics (as far as possible).
4. Integrated into management operational and reporting processes.
5. Maintenance of the asset list.
Why are we Protecting?
• Financial Loss
• Operational Impact
• Environmental Impact
• Reputation
• Legal
Infrastructure Security
Infrastructure security looks at the architecture of the organization's information technology networks at the very lowest levels, not only to ensure that those layers are secure, but that they can support the security requirements of the higher levels built on top of them.
Infrastructure Security – the home analogy
Layers of protection: foundation; perimeter walls; secured doors and windows; perimeter fencing; pet protection; safes and vaults; alarms and CCTV.
Who the layers must handle: family; friends; contractors; strange visitors; unwanted visitors.
Infrastructure Security – Defense in Depth
A concept in which multiple layers of security controls (defenses) are placed throughout a network. Its intent is to provide redundancy in the event of a security incident: if one layer is breached or fails, the next still holds. Each inner layer is therefore designed on the assumption that the outer layers can be bypassed, rather than relying on any single control.
Infrastructure Security – BYOD
Risks
• Heterogeneous devices connected to your network
• Not under the full control of the IT department
• No control over where the devices were connected before, or what malware is already on them
Benefits
• Reduced cost of IT acquisition and ownership (cost savings, reduced expenditure)
Security
• Must manage how these devices connect to the corporate network
• Must find an alternative method of controlling what is on the devices (AV, sandboxing, etc.)
Infrastructure Security – Benefits
• Critical element in preparing organizations to adopt new technologies such as e-commerce and m-commerce.
• Mitigates internal as well as external risk sources.
• Compliance: allows control of internal and external users throughout the full 7-layer OSI stack.
• Redundancy of controls.
• Facilitation of full-spectrum logging and auditing functions.
Infrastructure Security – How
Gap/risk assessments
• Identify and classify organizational data
• Determine how it is being protected today
• Identify gaps against industry standards / best practice (ethical hacking)
• Develop a short- to medium-term mitigation strategy which feeds into the strategic technology plans of the organization
Guidance
• Local and regional vendors and consultants
• Online: ISO/IEC 27000:2009
Application Security
Software vendor patches issued so far in 2013:
Adobe: 59
Microsoft: 27
SAP: 72
Oracle: 33
• Database application security
• Web application security
• E-commerce application security
• Mobile application security
Application security encompasses measures taken throughout the application's life-cycle to prevent vulnerabilities arising from flaws in the design, development, deployment, upgrade or maintenance of the application.
Application Security – Mobile
• New malware attacks smartphones (4 Feb 2013)
• 13,000 different kinds of mobile malware found in 2012
• Zeus-in-the-Mobile (Zitmo) banking trojan evolving into a botnet (26 Mar 2013)
• Our local mobile penetration rate is 142%
• Increased sales of smartphones, tablets and notebooks
• WiFi hotspots
• 4G technology
• Low broadband costs (Trinidad Guardian, April 7th 2013: http://www.guardian.co.tt/business/2013-04-07/mobile-phones-bridging-tt%E2%80%99s-digital-divide)
Application Security – Ransomware
Malware that encrypts the organization's data and demands payment for its decryption. Incidents are increasing, even in the mobile and BYOD space.
Cloud Security
“Ultimately, you can outsource responsibility but you can't outsource accountability” (European Network and Information Security Agency, ENISA)
XaaS: Software as a Service, Security as a Service, Infrastructure as a Service, Data as a Service, Platform as a Service
Are you satisfied your data will be secure in the “cloud”?
• Security certification: ISO 27001, SAS 70
• Access controls, data recoverability, data breaches
• Right to audit
• Location of data
Cloud Security – Benefits
• Achieve economies of scale
• Reduce spending on technology
• Globalize your workforce on the cheap
• Reduce capital costs
• Improve accessibility
• Monitor projects more effectively
• Less personnel training is needed
• Minimize licensing of new software
• Improve flexibility
• …
Cloud Security – Risks
• Who has access to your data?
• Standards compliance: is your provider worthy of your business?
• Data location and jurisdictional regulations
• Data segregation: is your data kept separate from other tenants' data?
• Recovery and service level agreements
• Investigative support
• Scalability and long-term viability: protection of data in the event of a buy-out or bankruptcy
Cloud Security – How
Gap/risk assessments
• Identify and classify organizational data
• Determine how it is being protected today
• Identify gaps against industry standards / best practice
• Develop a short- to medium-term mitigation strategy which feeds into the strategic technology plans of the organization
Cloud Security – Responsibility
Decision makers:
• Board of Directors
• Chief Executive Officer
• Chief Financial Officer
• Legal / General Counsel
• Chief Auditor
(Source: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf)
Note: the Chief Information Officer and Chief Security Officer perform support roles, not decision-making roles.
Cloud Security – What?
What to outsource?
• Benefits: quantifiable and measurable
• Risks: assessed against organizational standards, or against international standards and best practices
Cloud Security – Where?
Which cloud service provider?
• Location
• Regulations
• Standards in use internally
• Are they registered and self-governing?
• What access do you, as a customer, have?
Cloud Security - Governance
www.cloudsecurityalliance.org
Cloud Security – Processes & Monitoring
• SLAs
• Controls derived from best practice
• Regular testing (ethical hacking)
• Monitoring
• Auditing
• Backup and recovery
• Facility security
• Compliance: ISO 27000, COBIT, PCI DSS, ISO 31000, …
Auditing
“You can’t manage what you don’t measure.”
• TJ Maxx: attackers had access from July 2005 to December 2006 before the breach was detected
• Nortel Networks suffered a security breach that for almost a decade gave attackers access to executive network accounts, technical papers, employee emails and other sensitive documents
Auditing – SIEM
Security Information and Event Management (SIEM): log analysis and correlation across sources such as
• Windows logs
• Unix logs
• Firewall and security devices
• Databases
• Applications
• Door sensors
• CCTV
• Data centers
Auditing – Exception Monitoring
Options: outsourcing, or in-house development using off-the-shelf applications.
Automatic alerting via exception monitoring:
• OS monitoring: administrator logins at midnight; sequential failed logins
• Application monitoring: startup/shutdown; database administrator logons
• Transactional monitoring: transactions over value $X; sequential transactions
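The SIEM correlation and exception-monitoring rules listed on the last two slides, as an added example that is not code from the presentation or from any SIEM product. It runs four of the named rules (privileged login at midnight, sequential failed logins, transactions over value $X, sequential transactions on one account) over constructed log lines. The key=value log format, the field names, the privileged-user list and every threshold are assumptions chosen for illustration; a real deployment would feed these rules from the Windows, Unix, firewall, database and application sources above and tune the limits per organization.

```python
"""Exception-monitoring rules run over constructed log lines.

This is an added example, not code from the original presentation. The
key=value log format, the field names and every threshold below are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed format): one authentication event or
# one financial transaction per line, timestamps in local time.
SAMPLE_LOGS = """\
2013-04-09T08:05:10 type=auth user=jdoe host=ws17 result=success
2013-04-09T11:40:02 type=auth user=jdoe host=ws17 result=failure
2013-04-09T11:40:09 type=auth user=jdoe host=ws17 result=failure
2013-04-09T11:40:15 type=auth user=jdoe host=ws17 result=failure
2013-04-09T11:40:21 type=auth user=jdoe host=ws17 result=failure
2013-04-09T11:41:00 type=auth user=jdoe host=ws17 result=success
2013-04-09T14:00:00 type=txn account=ACC-100 amount=4500.00 user=teller3
2013-04-10T00:12:31 type=auth user=administrator host=dc01 result=success
2013-04-10T00:13:05 type=txn account=ACC-200 amount=75000.00 user=administrator
2013-04-10T09:15:00 type=txn account=ACC-300 amount=9900.00 user=teller1
2013-04-10T09:15:30 type=txn account=ACC-300 amount=9900.00 user=teller1
2013-04-10T09:16:05 type=txn account=ACC-300 amount=9900.00 user=teller1
"""

# Assumed policy thresholds; a real deployment tunes these per organization.
PRIVILEGED_USERS = {"administrator", "root", "dbadmin"}
OFF_HOURS = (22, 6)                     # 22:00 to 06:00 counts as "midnight"
FAILED_LOGIN_LIMIT = 3                  # consecutive failures before alerting
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
TXN_VALUE_LIMIT = 50000.0               # "transactions over value $X"
SEQ_TXN_COUNT = 3                       # this many transactions on one account
SEQ_TXN_WINDOW = timedelta(minutes=2)   # ... inside this window is suspicious


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with typed ts/amount."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    if "amount" in rec:
        rec["amount"] = float(rec["amount"])
    return rec


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def _in_window(history, ts, window):
    """Drop history older than `window` relative to `ts`, then append `ts`."""
    return [t for t in history if ts - t <= window] + [ts]


def run_rules(lines):
    """Return (rule_name, detail) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(list)   # user -> recent failed-login timestamps
    txns = defaultdict(list)       # account -> recent transaction timestamps
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        ts = rec["ts"]
        if rec["type"] == "auth":
            user = rec["user"]
            if rec["result"] == "success":
                # Privileged logon at an unusual hour: the "admin at midnight" case.
                if user in PRIVILEGED_USERS and is_off_hours(ts):
                    alerts.append(("off_hours_admin_login",
                                   f"{user} on {rec['host']} at {ts}"))
                failures[user].clear()   # a success ends the failure run
            else:
                failures[user] = _in_window(failures[user], ts, FAILED_LOGIN_WINDOW)
                # Fire exactly once, when the run reaches the limit.
                if len(failures[user]) == FAILED_LOGIN_LIMIT:
                    alerts.append(("sequential_failed_logins",
                                   f"{user} on {rec['host']}: {FAILED_LOGIN_LIMIT} "
                                   f"failures within {FAILED_LOGIN_WINDOW}"))
        elif rec["type"] == "txn":
            acct = rec["account"]
            if rec["amount"] > TXN_VALUE_LIMIT:
                alerts.append(("high_value_transaction",
                               f"{acct} amount {rec['amount']:.2f} by {rec['user']}"))
            txns[acct] = _in_window(txns[acct], ts, SEQ_TXN_WINDOW)
            # Rapid repeated transactions on one account (e.g. split to dodge a limit).
            if len(txns[acct]) == SEQ_TXN_COUNT:
                alerts.append(("sequential_transactions",
                               f"{acct}: {SEQ_TXN_COUNT} transactions within {SEQ_TXN_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in run_rules(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {rule}: {detail}")
```

Against the constructed sample the rules raise four alerts: the third consecutive failure for jdoe (the fourth does not re-alert, and the later success resets the count), the administrator logon at 00:12, the $75,000 transaction, and three transactions on ACC-300 inside two minutes. The sliding windows are what distinguish an exception from ordinary noise; without them every failed login or every transaction would page someone, which is the "no out of the box setup" point on the next slide.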
Auditing – How
• Identify the reason(s) for auditing
• Identify log sources
• Identify a vendor who meets those needs
• Training: absolutely required, because there is no out-of-the-box setup and no auto-learning
Thank You