Data Security for Compliance 2

Posted 18-Dec-2014 (upload: software-associates), 84 slides

TRANSCRIPT

Page 1: Data Security For Compliance 2

Data security for compliance - Best practices & implementation

Danny Lieberman, [email protected], www.controlpolicy.com

Licensed under the Creative Commons Attribution License

Page 2: Data Security For Compliance 2

Why?

“I don't need data security, we outsource our IT to one of the big banks”

“We've never had a data leak incident”

“You can't estimate asset value”

“PCI DSS doesn't specify DLP”

“We can't classify assets”

“We use Scan Watch.....”

True quotes, real people.

Page 3: Data Security For Compliance 2

Agenda

I. Introduction

II. Defining project objectives

III. Implementation and planning

IV. Case study

Page 4: Data Security For Compliance 2

I. Introduction

Page 5: Data Security For Compliance 2

Objectives for this talk

• Understand
  – How data security fits into current compliance regulation.
  – How to use value-based metrics
  – Data security threat modeling
  – Best practices for project planning
  – Best practices for implementation

Page 6: Data Security For Compliance 2

What the heck is data security?

• Security
  – Ensure we can survive & add value
    • Physical, information, systems, people

• Data security
  – Protect data assets directly in all realms

Page 7: Data Security For Compliance 2

[Diagram: Data security technology model. Detection point: Session, Decoders, Policies, Interception, Countermeasures. Management: Provisioning, Events, Reporting, Policies, Forensics. Stores: Data Warehouse, Document Server. Sample intercepted message shown in the figure: "Received: from [172.16.1.35] (-80-230-224- Message ID:<437C5FDE.9080>" with body "Send me more files today."]

Data security technology model

Page 8: Data Security For Compliance 2

Data security countermeasures mitigate

• Internally launched attacks on data that result in data leaks, breach of integrity or data availability

  – Unlike virus.
  – Your problem.
  – Not someone else.

Page 9: Data Security For Compliance 2

Introduction

Compliance and data security

Page 10: Data Security For Compliance 2

Data security regulation

• Data security regulation; 3 flavors:
  – Industry: PCI DSS 1.2
    • Protect the card associations
    • Asset orientation
  – Vendor-neutral: ISO27001,2/4
    • Protect the organization
    • Security orientation
  – Government: SOX, GLBA, HIPAA, State
    • Protect consumer
    • Management orientation

Page 11: Data Security For Compliance 2

PCI DSS 1.2.1

• Applicable – when a business stores payment card data.
  – “...encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally”

• Asset:
  – PAN, Name, Expiry, Mag Stripe, CVV, PIN

Page 12: Data Security For Compliance 2

PCI DSS 1.2

• Grepping the standard:
  – Threat - 3
    • Once as “software threats”
  – People vulnerabilities – 0
  – Malicious individual - 1
  – Network – 40 times
  – Software – 45
    • 12 anti-virus
  – Audit - 7

Page 13: Data Security For Compliance 2

Grokking

• “There isn't any software! Only different internal states of hardware.
  – It's a shame programmers don't grok better.”

Page 14: Data Security For Compliance 2

PCI DSS 1.2

• Grokking the standard
  – Don't store PAN or
  – Render it unreadable or
  – Implement “compensating controls”
    • For example: use sudo to track Linux logins that are not managed in a central LDAP repository.
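The compensating control above works only if someone actually reads the sudo and login records and checks them against the directory. The script below, added here as an illustration and not part of the deck, parses constructed `/var/log/auth.log` lines in the usual sshd and sudo syslog format, compares the accounts seen against a constructed set of LDAP-managed users, and lists local-only accounts that exercised root privilege; those are the accounts the compensating control has to account for.

```python
"""Compensating-control check: which accounts use privileged access on a Linux
host, and which of them are local-only rather than managed in central LDAP?

Added example, not from the deck. The log lines are constructed; their layout
follows the syslog output of sshd ("Accepted ... for ... from ...") and sudo
("user : TTY=... ; PWD=... ; USER=... ; COMMAND=...")."""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not a real capture).
AUTH_LOG = """\
Nov  3 09:58:12 db01 sshd[2211]: Accepted publickey for alice from 10.1.2.15 port 50112 ssh2
Nov  3 09:58:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Nov  3 10:03:01 db01 sshd[2260]: Accepted password for oradba from 10.1.1.20 port 50120 ssh2
Nov  3 10:03:22 db01 sudo:   oradba : TTY=pts/1 ; PWD=/opt/oracle ; USER=root ; COMMAND=/bin/systemctl restart oracle
Nov  3 10:04:05 db01 sudo:   oradba : TTY=pts/1 ; PWD=/opt/oracle ; USER=oracle ; COMMAND=/opt/oracle/bin/sqlplus
Nov  3 10:15:44 db01 sshd[2301]: Accepted publickey for bob from 10.1.2.16 port 50130 ssh2
Nov  3 10:16:02 db01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# Accounts known to the central directory (constructed; in practice the result
# of an LDAP/AD query). 'oradba' is a local account that exists only on db01.
LDAP_USERS = {"alice", "bob"}

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")


def parse_auth_log(text):
    """Yield (kind, user, detail) for each login and sudo event in the log."""
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            yield ("login", m.group(2), {"method": m.group(1), "src": m.group(3)})
            continue
        m = SUDO_RE.search(line)
        if m:
            yield ("sudo", m.group(1), {"as": m.group(2), "cmd": m.group(3).strip()})


def audit(text, ldap_users):
    """Per-account summary: login count, sudo commands, and whether the
    account is under central management."""
    report = defaultdict(lambda: {"logins": 0, "sudo": [], "managed": False})
    for kind, user, detail in parse_auth_log(text):
        entry = report[user]
        entry["managed"] = user in ldap_users
        if kind == "login":
            entry["logins"] += 1
        else:
            entry["sudo"].append(detail)
    return dict(report)


def unmanaged_privileged(report):
    """Accounts that ran sudo but are not in the directory: each needs an
    owner, a review record, or migration into LDAP."""
    return sorted(u for u, e in report.items() if e["sudo"] and not e["managed"])


if __name__ == "__main__":
    rep = audit(AUTH_LOG, LDAP_USERS)
    for user, e in sorted(rep.items()):
        tag = "LDAP" if e["managed"] else "LOCAL"
        print(f"{user:8} {tag:5} logins={e['logins']} sudo={len(e['sudo'])}")
    print("unmanaged privileged accounts:", unmanaged_privileged(rep))
```

The report is the evidence a QSA would ask for: not that sudo is installed, but that privileged use by accounts outside the directory is enumerated and reviewed.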

Page 15: Data Security For Compliance 2

ISO27000

• Applicable to all companies
• ISO27001 – ISM, comprehensive set of security controls
• ISO27002 – ISM best practices
• ISO27004 – Security metrics
  • Draft 12/2009.

Page 16: Data Security For Compliance 2

ISO27001

• Grepping the standard:
  – Threat - 4
    • First: employees, contractors, third-parties
  – People vulnerabilities – 7
  – Malicious code - 3
  – Network – 16 times
  – Software – 30
    • 0 anti-virus
  – Audit - 9

Page 17: Data Security For Compliance 2

ISO27001

• Grokking the standard
  – A well-constructed security taxonomy
    • Wraps controls in a straight-jacket
    • Like PCI DSS
  – Forces organizations to engage in continuous assessment
    • Not continuous improvement
    • Like SOX

Page 18: Data Security For Compliance 2

Sarbanes-Oxley

• SOX
  – Auditor independence
  – Corporate governance
  – Internal control assessment (404)
  – Enhanced financial disclosure (302)

• Public Company Accounting Oversight Board (PCAOB)
  – Oversee, regulate, inspect &
  – Discipline accounting firms as auditors

Page 19: Data Security For Compliance 2

Sarbanes-Oxley

• Applicable – US publicly traded firms
• 404 – assessment of internal controls
  – Top down risk assessment
    • Understand the flow of transactions, including IT aspects, sufficient enough to identify points at which a misstatement could arise
    • Fraud

Page 20: Data Security For Compliance 2

Sarbanes-Oxley

• Grepping 404
  – Threat - 0
  – People vulnerabilities - 0
  – Malicious code – 0
  – Network – 0
  – Software – 0
  – Audit – 1

Page 21: Data Security For Compliance 2

Sarbanes-Oxley

• Grokking the law
  – Assess internal control and procedures of the issuer for financial reporting.
    • SOX didn't prevent the latest crisis &
    • Mark-to-market was part of SOX
  – But – SOX is law.

Page 22: Data Security For Compliance 2

HIPAA

• Privacy Rule
  – Disclose PHI to patients within 30 days
  – Track disclosures, policies, procedures
    • Paper and digital assets

• Security Rule
  – Digital assets
  – Controls
    • Administrative, Technical, Physical

• US Federal Gov adopted NIST RMF
  – See SP 800-66 Rev. 1

Page 23: Data Security For Compliance 2

HIPAA

• Applicable
  – Health-care providers
  – Health-care information networks

Page 24: Data Security For Compliance 2

HIPAA

• Grepping
  – Threat - 1
  – People vulnerabilities - 3
  – Malicious code – 0
  – Network – 0
  – Computerized systems – 2
  – Unauthorized use, access, disclosure - 3
  – Audit – 20

Page 25: Data Security For Compliance 2

HIPAA

• Grokking
  – Person who maintains or transmits PHI shall maintain reasonable safeguards:
    • Integrity and confidentiality
    • Protect against any reasonably anticipated
      – Threats or hazards to the security or integrity of the information;
      – Unauthorized uses or disclosures of the information;
    • Ensure compliance

Page 26: Data Security For Compliance 2

Interim conclusions

• PCI - data security, without risk analysis.
• SOX - risk analysis, not data security.
• HIPAA - data security and risk analysis (if you follow NIST guidelines).

Page 27: Data Security For Compliance 2

Question and Answer

Where does DLP fit into compliance?

1. Invaluable tool for providing visibility and monitoring inbound/outbound transactions

2. Monitoring that provides input into the risk analysis process required by compliance regulation like SOX and HIPAA.

3. Provable security for compliance standards like PCI DSS 1.2 and ISO 27000

Page 28: Data Security For Compliance 2

II. Defining Project Objectives

Page 29: Data Security For Compliance 2

Enforce business process

• Compliance is about enforcing business process.

– PCI DSS: Get the transaction authorized without getting the data stolen

– SOX: Sufficiency of internal controls for financial reporting

– HIPAA: Disclose PHI to patients without leaks to unauthorized parties

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed.”

“The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”

COSO – Industry Consortium to improve internal controls

Page 30: Data Security For Compliance 2

Compliance drivers and constraints

• Accountability
• Risk analysis
• Provable security
• Costs
• Politics

Page 31: Data Security For Compliance 2

Accountability

• The main charter of SOX
• Non-compliant firms may be held accountable for data breaches
  – PCI DSS
    • Fines, Revocation of processing rights
  – ISO 2700x
    • Not
  – SOX, GLBA, HIPAA, State Privacy
    • Infrequent

Page 32: Data Security For Compliance 2

Examples

• PCI DSS: Heartland Payment Systems
  – April 2008
    • PCI DSS compliant
  – Jan 2009
    • Size of breach unknown
    • Malicious code in the payment systems
  – December 2009
    • Class action suit dismissed
  – Jan 2010
    • $60M settlement to VISA

Page 33: Data Security For Compliance 2

Examples

• HIPAA: CVS Caremark
  – Feb 2009
    • Agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations
    • Pharmacy employees threw pill bottles with patient information into the trash.

Page 34: Data Security For Compliance 2

Compliance and risk analysis

• HIPAA
  – Federal agencies - NIST Risk analysis & management methodology

• PCI DSS
  – Not specified

• SOX
  – Requires top down risk assessment
  – You can choose your own methodology

Page 35: Data Security For Compliance 2

Risk analysis: Base classes

• Assets
• Vulnerabilities
• Threats
• Countermeasures

Page 36: Data Security For Compliance 2

Risk analysis: data security threat model (*)

Metrics: Asset value, Threat damage to asset, Threat probability

Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability

(*) PTA - Practical threat analysis risk model

Page 37: Data Security For Compliance 2

Provable security

• Always, usually, kind of ....
  – PCI DSS
    • 1/Q for Level 1 merchant
    • 1/Year for Level 2-4
    • Pushes out to acquirers, QSA
  – HIPAA
    • Not specified in the law (believe it or not)
  – SOX
    • Annual audit

Page 38: Data Security For Compliance 2

Provable security

• Network DLP in a monitoring role
• Or as a last line of defense for PAN leakage in clear text

Page 39: Data Security For Compliance 2

Costs

• SOX is expensive – ~ 1% of the US GDP
  – The SEC makes you do it

• PCI is expensive
  – “71% of companies don’t consider PCI as strategic though 79% had experienced a breach” (Ponemon Institute – June 09)
  – The golden rule

Page 40: Data Security For Compliance 2

Politics

IT – data security is “very important” ... Forrester

Management board – fraud/data theft can maim or destroy the company ... Sarbanes-Oxley

Page 41: Data Security For Compliance 2

III. Project planning and preparation

Page 42: Data Security For Compliance 2

4 steps of Planning

1. Define the problem
2. Set a hypothesis
3. Measure pain
4. Prove your hypothesis

The Scientific Method

Page 43: Data Security For Compliance 2

Typical data security implementation

• Buy technology and services
• Classify assets
• Data at rest
• Data in motion
• Fail

Page 44: Data Security For Compliance 2

Why you lose control

Why companies fail at DLP

• Issues unclear
  – Many vendors have DLP technology
    • Non-product differentiation

• Divided camps
  – Nobody answers all requirements
    • Need a political sponsor

• Loss of momentum
  – No business pain
  – No power sponsors

Page 45: Data Security For Compliance 2

Typical DLP project - valley of death

[Diagram: project timeline from Month 1 through Month 5 to Month 12-18. Logical & rational phase: IT requirements, compliance requirements, capabilities presentation, evaluate alternatives, meet vendors, talk to analysts. Emotional & political phase: losing control, close project.]

Page 46: Data Security For Compliance 2

Step 1 – Define the problem

• Identify key business processes.
  – PCI DSS: new customer provisioning
  – SOX: produce the 10Q at end of quarter
  – HIPAA: provide PHI to patients with BPO

nBusinessProcesses << nDocumentFormats

Page 47: Data Security For Compliance 2

Step 2 – Set a business pain hypotheses

• Prove 2 hypotheses:
  – Data loss is happening now.
  – A cost effective solution exists that reduces risk to acceptable levels.

Page 48: Data Security For Compliance 2

H1: Data loss is happening

• What keeps you awake at night?

• What data types and volumes of data leave the network?

• Who is sending sensitive information out of the company?

• Where is the data going?

• What network protocols have the most events?

• What are the current violations of company AUP?

Page 49: Data Security For Compliance 2

H2: A cost effective solution exists

• Value of information assets on PCs, servers & mobile devices?

• What is the Value at Risk?

• Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)

• How much do your current security controls cost?

• How do you compare with other companies in your industry?

• How would risk change if you added, modified or dropped security controls?

Page 50: Data Security For Compliance 2

Step 3 – Measure data security metrics

• Dimensions
  – organization, channel and content

• Typical metrics
  – % of employees that signed the AUP
  – % Webmail traffic/all mail traffic
  – % Office files by Webmail/Employees
  – No. of revenue transactions
  – Cost of security for operational/revenue systems
  – Cost of security for customer service systems
  – Cost of security for FnA systems
  – Value of assets in Euro
  – Total value at risk of assets

Page 51: Data Security For Compliance 2

Why do we need metrics?

• Recognize this? The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) ignores the hard stuff: quantification and prioritization of your actions based on financial value of assets and measurement of threat impact

Ignorance is never better than knowledge

Enrico Fermi

Page 52: Data Security For Compliance 2

Anything can be measured

All exact science is based on approximation.

If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man.

Bertrand Russell

Page 53: Data Security For Compliance 2

Why bother quantifying risk?

• Why not qualitative metrics?

When was the last time a customer paid a “qualitative price” ?

Page 54: Data Security For Compliance 2

Measurement methods

• Hand sampling
  – Small samples of employees, routers...
    • The “Rule of 5”

• Expert estimates
  – The CFO
    • Pros at asset valuation

• Test equipment

Page 55: Data Security For Compliance 2

[Diagram: the data security technology model reused as DLP test equipment. Detection point: Session, Decoders, Policies, Interception, Countermeasures. Management: Provisioning, Events, Reporting, Policies, Forensics. Stores: Data Warehouse, Document Server. Sample intercepted message shown in the figure: "Received: from [172.16.1.35] (-80-230-224- Message ID:<437C5FDE.9080>" with body "Send me more files today."]

DLP Test equipment

Page 56: Data Security For Compliance 2

Step 4 – Prove/Disprove hypotheses

Metrics: Asset value, Threat damage to asset, Threat probability

Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability

(*) PTA - Practical threat analysis risk model
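The value-at-risk formula on this slide and on the earlier threat model slide (page 36) is the whole of Step 4: with asset values, damage fractions and threat probabilities in hand, the hypotheses become numbers. The model below is an added example in the PTA style and is not the PTA tool's own code: it computes Value at Risk per threat, the residual risk once countermeasures are applied, and a greedy ranking of countermeasures by risk removed per unit of cost. Every asset, threat, probability, damage fraction and cost is constructed; the only thing taken from the deck is the formula.

```python
"""Data security threat model in the PTA style, added here as a worked example
(not the PTA tool's own code). It applies the deck's formula

    Value at Risk = Threat damage to asset x Asset value x Threat probability

to a set of assets and threats, then ranks candidate countermeasures by the
risk they remove per unit of cost. All figures below are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    value: float                  # asset value, e.g. in Euro


@dataclass
class Threat:
    name: str
    probability: float            # probability the threat materialises in the period (0..1)
    damage: Dict[str, float]      # asset name -> fraction of asset value lost (0..1)


@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigation: Dict[str, float]  # threat name -> fraction of that threat's risk removed (0..1)


def value_at_risk(threat: Threat, assets: List[Asset]) -> float:
    """Threat damage x asset value x threat probability, summed over the assets it touches."""
    return sum(threat.damage.get(a.name, 0.0) * a.value * threat.probability for a in assets)


def total_var(threats, assets) -> float:
    return sum(value_at_risk(t, assets) for t in threats)


def residual_var(threats, assets, applied) -> float:
    """Value at risk with a set of countermeasures in place. Mitigations on
    the same threat combine multiplicatively (assumed independent)."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for cm in applied:
            remaining *= 1.0 - cm.mitigation.get(t.name, 0.0)
        total += value_at_risk(t, assets) * remaining
    return total


def rank_countermeasures(threats, assets, candidates):
    """Greedy prioritisation: at each step take the countermeasure with the
    best risk reduction per unit cost, given what is already applied.
    Returns [(name, risk reduction, reduction per unit cost), ...]."""
    applied, order, pool = [], [], list(candidates)
    while pool:
        base = residual_var(threats, assets, applied)
        gain = {cm.name: base - residual_var(threats, assets, applied + [cm]) for cm in pool}
        best = max(pool, key=lambda cm: gain[cm.name] / cm.cost)
        if gain[best.name] <= 0:
            break                 # nothing left that reduces risk
        applied.append(best)
        pool.remove(best)
        order.append((best.name, round(gain[best.name], 2), round(gain[best.name] / best.cost, 2)))
    return order


# Constructed inventory, loosely following the business processes in the deck.
ASSETS = [
    Asset("PAN database", 2_000_000),
    Asset("Project IP documents", 500_000),
    Asset("Quarterly report", 300_000),
]
THREATS = [
    Threat("PAN leak via webmail", 0.3, {"PAN database": 0.5}),
    Threat("IP exfiltration by contractor", 0.2, {"Project IP documents": 0.4}),
    Threat("Notebook lost or stolen", 0.8, {"Project IP documents": 0.1, "Quarterly report": 0.05}),
]
COUNTERMEASURES = [
    Countermeasure("Network DLP", 80_000, {"PAN leak via webmail": 0.8, "IP exfiltration by contractor": 0.5}),
    Countermeasure("Disk encryption", 20_000, {"Notebook lost or stolen": 0.9}),
    Countermeasure("AUP signed + training", 5_000, {"IP exfiltration by contractor": 0.2, "PAN leak via webmail": 0.1}),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:32} VaR = {value_at_risk(t, ASSETS):,.0f}")
    print(f"{'total':32} VaR = {total_var(THREATS, ASSETS):,.0f}")
    for name, reduction, per_cost in rank_countermeasures(THREATS, ASSETS, COUNTERMEASURES):
        print(f"apply {name:24} removes {reduction:,.0f} ({per_cost} per unit cost)")
    print(f"residual VaR with all three: {residual_var(THREATS, ASSETS, COUNTERMEASURES):,.0f}")
```

With these constructed numbers the cheap control (signed AUP plus training) ranks first on reduction per unit cost even though network DLP removes far more risk in absolute terms; that is the kind of ordering argument the deck says you need a CFO in the room for, and it changes as soon as the estimates do, which is why the model is iterated rather than run once.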

Page 57: Data Security For Compliance 2

IV. Project Implementation

Page 58: Data Security For Compliance 2

Assumptions

• L2 content interception
• Bi-directional
• Policy-based
  – Organization entity: IP/LDAP/AD
  – Channel entity: TCP/IP envelope
  – Content entity: recursive c/a
• Detect structured content

Page 59: Data Security For Compliance 2

4 implementation layers

1. Network topology
2. Interception points
3. Policy
4. Forensics

Page 60: Data Security For Compliance 2

Layer 1 - Network topology

• We will consider 3 basic network topologies:
  – IT Operations
  – Trusted insiders
  – Application services

Page 61: Data Security For Compliance 2

IT Operations - PCI DSS 1.2, HIPAA

[Diagram: Server Land (Oracle, SMB, AD/OpenLDAP, WebMail) and User Land (Clients), with a Sensor between them reporting to Management. Subnets shown: 10.1.1.x, 192.168.5.x, 10.1.2.x, 192.168.4.x.]

Page 62: Data Security For Compliance 2

Trusted insiders - HIPAA

[Diagram: User Land clients behind a Sensor reporting to Management, with traffic to The Internet: Facebook, LinkedIn, MySpace, Gmail, Yahoo!, proxies, blogs, competitors.]

Page 63: Data Security For Compliance 2

Customer/partner facing services

[Diagram: Server Land with web application services (PHP, ASP, JSP…), web server, middle tier, Oracle, DB2, SMB, AD and WebMail; clients and third-party access; a Sensor reporting to Management. Subnets shown: 10.1.1.x, 192.168.5.x, 10.1.2.x, 192.168.4.x.]

Page 64: Data Security For Compliance 2

Layer 2 – Interception points

Page 65: Data Security For Compliance 2

Layer 2 – Interception guidelines

• Intercept inside network for internal data leakage

• Intercept at perimeter for outbound or inbound data security violations

• Network taps are preferable to using switch mirror ports

  – Better performance
  – Can aggregate

Page 66: Data Security For Compliance 2

Layer 3 – Policy, object view

• Policy := ChannelRules + OrganizationalRules + ContentRules

• For example:
  – PCI_DSSPolicy = ContentRules
    • ContentRules = Detect tuples:
      – {PAN, name}
      – {PAN, CVV}
      – {PAN, SSN, name}
      – {PAN, name, phoneNumber}

Page 67: Data Security For Compliance 2

Layer 3 – Policy, crime view

• Means
  – Multiple accounts

• Opportunity
  – Multiple channels

• Intent
  – Jérôme Kerviel
  – Albert Gonzales

Page 68: Data Security For Compliance 2

Policy development

• Use your system as test equipment
  – Write a fingerprint
  – Wrap it with a rule
  – Alert, drop or block
  – Create a policy
  – Update sensor

• Business process use cases
  – Not content classification

Page 69: Data Security For Compliance 2

Detect structured content

• Detect PII, PHI
  – Think about SQL queries…
  – Credit card identification algorithm
  – PII (personally identifiable information)
  – Custom structures
    • e.g. system billing records…
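Slide 66 lists the content tuples a PCI DSS policy detects and this slide names the pieces needed to detect them: a credit card identification algorithm and recognisers for the surrounding PII. The code below is an added example, not the deck's or any vendor's detection code. It runs the Luhn mod-10 check over candidate digit runs, tags a message with the content entities it contains, and reports which of the four tuples fire. The SSN, phone and name patterns are deliberately crude (US formats, two capitalised words for a name) and all sample messages are constructed; the card numbers are the public Visa and Mastercard test numbers.

```python
"""Content rules for a PCI DSS policy, added here as an example (not the
deck's or any vendor's detection code): Luhn-based PAN identification, PII
element recognisers, and the tuple rules {PAN, name}, {PAN, CVV},
{PAN, SSN, name}, {PAN, name, phoneNumber}. Patterns are deliberately simple
and the sample messages are constructed."""
import re

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")
CVV_RE = re.compile(r"\b(?:CVV2?|CVC)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")         # crude, for illustration only

# The tuples from the deck: a message must contain every element of a tuple.
POLICY_TUPLES = [
    ("PAN", "name"),
    ("PAN", "CVV"),
    ("PAN", "SSN", "name"),
    ("PAN", "name", "phoneNumber"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit counting from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Digit runs that look like card numbers and pass Luhn, separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def content_labels(text: str):
    """Content entities present in a message, as a set of labels."""
    labels = set()
    if find_pans(text):
        labels.add("PAN")
    if SSN_RE.search(text):
        labels.add("SSN")
    if PHONE_RE.search(text):
        labels.add("phoneNumber")
    if CVV_RE.search(text):
        labels.add("CVV")
    if NAME_RE.search(text):
        labels.add("name")
    return labels


def matching_rules(text: str, tuples=POLICY_TUPLES):
    """Tuples from the policy whose every element is present in the message."""
    labels = content_labels(text)
    return [t for t in tuples if set(t) <= labels]


# Constructed messages; card numbers are the public Visa/Mastercard test numbers.
SAMPLE_OK = "Hi team, the Q3 report is attached. Send me more files today."
SAMPLE_PAN_NAME = "Customer Maria Lopez, card 4111 1111 1111 1111, exp 12/27."
SAMPLE_PAN_CVV = "card=5555555555554444 CVV: 123 please charge"
SAMPLE_FULL = "Employee John Smith SSN 123-45-6789 card 4111-1111-1111-1111 phone 212-555-0199"
SAMPLE_FAKE = "Order ref 1234567890123456 for Maria Lopez"   # fails Luhn, so no PAN

if __name__ == "__main__":
    for msg in (SAMPLE_OK, SAMPLE_PAN_NAME, SAMPLE_PAN_CVV, SAMPLE_FULL, SAMPLE_FAKE):
        print(f"{msg[:40]!r:45} labels={sorted(content_labels(msg))} rules={matching_rules(msg)}")
```

The Luhn check is what keeps a 16-digit order reference from raising a PAN event; the tuple requirement is what keeps a lone card number in a test fixture from raising one either. Both are cheap ways to hold false positives down before the sensor is tuned on real traffic.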

Page 70: Data Security For Compliance 2

Use case – PCI DSS

• PII and PublicWebSiteServers
• MarketingDataShare and PaymentFTP
• LDAP and PII and WindowsServers and Size > 5MB

Page 71: Data Security For Compliance 2

Use case - HIPAA

• DBA and “SELECT id_number FROM patient_accountmaster” and NOT “WHERE”

• PHI and telnet
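The PCI DSS and HIPAA use cases on these two slides are the deck's object view from slide 66 in practice: each rule is a conjunction of organizational terms (host group, directory group, whether the user resolved in LDAP), channel terms (destination, port, size) and content terms (labels the decoders attached). The policy engine below is an added example, not any vendor's product code. It models a session the way the assumptions slide describes (organization entity from IP/LDAP, channel entity from the TCP/IP envelope, content entity as decoder labels) and evaluates the five use cases against constructed sessions. Subnet-to-group mappings reuse the address ranges drawn in the topology slides but the assignments, users and payloads are constructed.

```python
"""Policy evaluation in the deck's object view, added as an example (not any
vendor's product code): Policy := ChannelRules + OrganizationalRules +
ContentRules, applied to intercepted sessions. All subnets, groups, sessions
and payloads are constructed; only the rule wording follows the deck."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    user: Optional[str]            # directory user resolved from src_ip, None if unknown
    groups: Set[str]               # directory groups of that user
    size: int                      # bytes transferred in the session
    content: Set[str]              # labels from the content decoders, e.g. {"PII"}
    payload: str = ""              # decoded text where relevant (e.g. a SQL statement)


# Organization entity: host groups by address (constructed; the subnets are the
# ones drawn in the topology slides, the assignments are assumptions).
HOST_GROUPS = {
    "PublicWebSiteServers": ipaddress.ip_network("192.168.5.0/24"),
    "WindowsServers": ipaddress.ip_network("10.1.1.0/24"),
    "PaymentFTP": ipaddress.ip_network("10.1.2.50/32"),
    "MarketingDataShare": ipaddress.ip_network("10.1.1.88/32"),
}
MB = 1024 * 1024


# Rule building blocks: each returns a predicate over a Session.
def src_in(group):   return lambda s: ipaddress.ip_address(s.src_ip) in HOST_GROUPS[group]
def dst_in(group):   return lambda s: ipaddress.ip_address(s.dst_ip) in HOST_GROUPS[group]
def has(label):      return lambda s: label in s.content
def in_group(g):     return lambda s: g in s.groups
def ldap_user():     return lambda s: s.user is not None
def size_over(n):    return lambda s: s.size > n
def port(p):         return lambda s: s.dst_port == p
def payload_has(t):  return lambda s: t.lower() in s.payload.lower()
def not_(pred):      return lambda s: not pred(s)
def all_of(*preds):  return lambda s: all(p(s) for p in preds)


# The policy: rule name -> predicate. Wording follows the deck's use cases.
POLICY = {
    "PCI: PII and PublicWebSiteServers":
        all_of(has("PII"), dst_in("PublicWebSiteServers")),
    "PCI: MarketingDataShare and PaymentFTP":
        all_of(src_in("MarketingDataShare"), dst_in("PaymentFTP")),
    "PCI: LDAP and PII and WindowsServers and Size > 5MB":
        all_of(ldap_user(), has("PII"), dst_in("WindowsServers"), size_over(5 * MB)),
    "HIPAA: DBA and SELECT id_number FROM patient_accountmaster and NOT WHERE":
        all_of(in_group("DBA"),
               payload_has("SELECT id_number FROM patient_accountmaster"),
               not_(payload_has("WHERE"))),
    "HIPAA: PHI and telnet":
        all_of(has("PHI"), port(23)),
}


def evaluate(session: Session, policy=POLICY):
    """Names of the rules this session violates (empty list = no event)."""
    return [name for name, rule in policy.items() if rule(session)]


# Constructed sessions, as the sensor would hand them to the policy engine.
SESSIONS = [
    Session("10.1.1.88", "10.1.2.50", 21, "mkt-share", {"Marketing"}, 2 * MB, {"PII"}),
    Session("10.1.2.15", "10.1.1.20", 445, "alice", {"Finance"}, 8 * MB, {"PII"}),
    Session("10.1.2.30", "10.1.1.10", 1521, "dba1", {"DBA"}, 50_000, {"PHI"},
            "SELECT id_number FROM patient_accountmaster"),
    Session("10.1.2.30", "10.1.1.10", 1521, "dba1", {"DBA"}, 2_000, {"PHI"},
            "SELECT id_number FROM patient_accountmaster WHERE id_number = :1"),
    Session("10.1.2.40", "192.168.4.7", 23, None, set(), 4_000, {"PHI"}),
    Session("10.1.2.15", "192.168.5.10", 443, "alice", {"Finance"}, 30_000, set()),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.src_ip} -> {s.dst_ip}:{s.dst_port}  {evaluate(s) or 'no event'}")
```

The two DBA sessions show why the HIPAA rule is written as a business process use case rather than a content class: the same table and the same user are fine when a single record is fetched by key and an event when the whole column is pulled without a WHERE clause.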

Page 72: Data Security For Compliance 2

Layer 4 - Forensics

• Must be able to retrieve original files and session envelope

Page 73: Data Security For Compliance 2

PCI DSS Forensics

Page 74: Data Security For Compliance 2

V. Case study

Page 75: Data Security For Compliance 2

SOX

• Customer must perform IT security as part of the annual SOX audit

– We will see how we use threat modeling to take data we collected and prioritize the implementation

Page 76: Data Security For Compliance 2

Problem definition – SOX IT compliance

• Risk management
  – Monitored and managed?

• Policies and procedures
  – Adequate?
  – Up to date?
  – Understood?

• Controls
  – Implemented and effective?

• Performance
  – Compliance met?
  – Issues with third party relationships?

Page 77: Data Security For Compliance 2

Project objective 1- Coherence

• Impossible to take right decision when intelligence is in silos

– FBI investigates

– CIA analyzes

– No one bothered to discuss impact of Saudis learning to fly but not how to land planes.

Page 78: Data Security For Compliance 2

Project objective 2 - Sustainability

• Senior executives must lead:

– Recycle controls and policies

– Don't throw out previous work

– Abstain from NIH

Page 79: Data Security For Compliance 2

Measurement

• Face to face interviews with 10 – 20 employees

• Collect data using network DLP appliance

• Valuate assets with CFO, CTO, IPR and CIO inputs

• Run threat model and iterate with CFO, IPR, CTO and CIO

Page 80: Data Security For Compliance 2

Key Business processes

• End of quarter reporting
• Contractors in Far East that have access to company IP
• Software deployment process

Page 81: Data Security For Compliance 2

Metrics

• Two week sample period
  – No. notebooks lost/stolen - 1/month
  – No. employees who signed AUP - 0
  – Web mail traffic vs. Exchange traffic – 35% of all traffic was Web mail.
  – No. of new project IP documents < 10 off authorized channel.
  – Oracle apps downtime - 0 during 7 years

Page 82: Data Security For Compliance 2

SOX Threat model

• See the Practical Threat Analysis model

Page 83: Data Security For Compliance 2

Conclusions

• Data security is a powerful tool for compliance when used properly

• Assure and improve business processes not classify and discover data

• Risk analysis is central to success
• 4 step planning process
• 5 layer implementation

Page 84: Data Security For Compliance 2

Questions?