
DataCentric Security and your users

Michelle Drolet, CEO

October 20, 2011

Discussion topics

• What is “datacentric security?”

• Overview

– Risk management, Threat management, Compliance management

– Compliance

– Overall security plan, program, architecture, organizational security posture, awareness/training, communications

• Q&A

A “textbook” definition

• Security –

Developing, implementing and maintaining a program and plans to protect the confidentiality, integrity, and availability (and authentication or accountability) of information assets, thereby enabling the organization to carry out its mission.

The information security triad:

C/I/A, and sometimes +A (A = Accountability or Authentication)

Some unfortunate “infosec” realities

• Anyone connecting to the Internet – with any device – is under constant “cyberattack” by:

– Organized cybercriminals, “hacktivists,” nation-states conducting “cyberwarfare,”

– Attack toolkits with user guides are readily available to anyone – no technical background required

• Malware has grown in number of variants, sophistication, targets and motivation

– Conventional wisdom no longer valid, such as “only visit well-known and respected sites”

– 80% of malware was served up by “legitimate” websites (Sophos)

• Attack surfaces have increased dramatically with the introductions of new consumer gadgets:

– iPhone/Android, iPod Touch, iPad and other tablets, rogue WAPs, unsecured WiFi, user-owned devices, lost or stolen devices, etc.

Some unfortunate “infosec” realities (cont’d)

• Compliance requirements continue to become more onerous – and have more enforcement “teeth”

– HITECH for Business Associates, MA 201 CMR 17.00, and others

– Data breaches at non-compliant organizations will result in regulatory audit, civil and even criminal penalties

– Regulatory legalese is lengthy and complex; requirements are ambiguous and/or overlapping

– All organizations – regardless of size – must demonstrate due diligence and make every effort to comply

– Compliance AND non-compliance can “break the bank” for SMBs

• Social networks, fake AV, other scams fool users into click-jacking or Trojan schemes – even home burglary and other crimes due to information over-sharing

DataCentric Security

• 1st Management buy in

• 2nd Develop a repeatable program

• 3rd Document

• 4th Get Users on board

• 5th Test controls and test again

Towerwall’s 4E Methodology

Evaluate • Establish • Educate • Enforce

People, Process, Technology

Use case: DataCentric Security “the beginning”

Evaluate

• Data inventory and classification

• Infrastructure and desktop utilization reviews

• IT asset and configuration management

• Compliance

• Other organizational / cultural issues

What are the expected risks/benefits to implement a data security program?

Use case: DataCentric Security and the Program

Establish

• Administrative

• Policies

• Physical

• Technical

What controls are needed to realize the benefits and mitigate the risks for a data protection program?

Use case: Users and DataCentric Security

Educate

• Expectations of workforce member behaviors documented in policies, procedures, processes

• Violation sanctions / disciplinary actions

• Reporting suspicious behaviors / incidents / risks

• Practicing “safe computing” habits

What knowledge and behaviors does the organization expect the workforce to understand and apply to daily work activities?

Use case: DataCentric Security

Enforce

• What do the administrative, physical and technical controls tell us about required v. actual behaviors?

• Logging and monitoring

• Required disclosure reporting

• Incident response and related processes

• Other compliance and cultural issues

What options does the organization have for protecting data in a VM and/or cloud environment?

Risk Management

• Assess current risks relative to your information assets;

• Compare those risks to your information security program;

• Identify gaps or overlaps (under- or over-investment) in your existing information security program;

• Develop and implement a plan to remediate risks, and ensure your security program is aligned with your current needs;

• Re-assess and remediate at least annually – and anytime a substantive business model, compliance, or information asset-related change occurs.

Compliance Management

• Internal compliance (company-mandated policies and procedures);

• External compliance (regulatory mandates);

• Internal IP / trade secret classification and labeling (optional);

• Regular assessments, remediation, scanning, audit reporting, etc.

Putting it all together

• Management buy in

• Determine what needs to be protected

• Poke holes

• Establish a security roadmap

• Remediate

• User Awareness

• Continued vigilance

= Success

Quote of the day

"People are the weakest link. You can have the best technology, firewalls, intrusion detection systems, biometric devices - and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything."

- Kevin Mitnick, author of “The Art of Deception” and other social engineering classics

Q&A

Comments? Questions?

Putting it all together

• Towerwall and its strategic partners offer consulting services and products that simplify unwieldy issues:

– Vulnerability scans and sophisticated penetration tests (including social engineering/spear phishing components)

– Regulations are boiled down to digestible lists of requirements

– Gap analyses provide recommendations and relative risk priorities

• Towerwall applies its 4E methodology to every engagement

• Please visit our new web site at www.towerwall.com for more information on the products/services we offer