Protecting the Information Infrastructure
Wednesday, October 12, 11
Protecting the Information Infrastructure:
Why CIOs and CSOs are Becoming Mission-Critical
Business Partners
SNW Fall 2011
Jay McLaughlin, CISSP
Chief Security Officer, Q2ebanking
DISCLAIMER
The materials, thoughts, comments, ideas and opinions expressed throughout this presentation are entirely my own and do not necessarily represent the thoughts or opinions of my employer (past or present).
AGENDA
• Information...the lifeblood of an organization
• Events involving loss of data are rising - who is to blame?
• Mitigating our vulnerabilities
• A shift to Information-Centric Security
• Developing critical partnerships across the organization
Information is the lifeblood of organizations, and considered a critical factor in a company’s effective pursuit of its business goals and success.
Information is not only valuable to an organization…but also to...
WHAT ARE WE TRYING TO PROTECT?
Regulated information is the type of data most often thought of when the subject of information protection is raised.
• Includes personally identifiable information (PII) of individuals, such as social security numbers, bank and credit card numbers and medical records. A great deal of public outrage, lawsuits, fines and loss of brand trust can accompany the compromising of this information.
Confidential information may involve marketing plans, financial projections, sales reports and M&A discussions.
• Breaches on this information can range from public embarrassment to catastrophe
Intellectual property (IP) is arguably the most critical type of information.
• According to the FBI, $600 billion worth of intellectual property is stolen every year in the U.S.
• Companies tend to focus on regulated data while doing comparatively little to secure the IP that is critical to their business.
Setting the Stage - Recent Attacks
– Defense Contractors
» Lockheed Martin
» Northrop Grumman
» L-3
– Commercial Organizations
» SONY
» GOOGLE
– Security Firms
» RSA
» Barracuda Networks
» HB Gary Federal
» Comodo / DigiNotar
– Government
» United States DoD
» Texas Comptroller’s Office
It gets worse...
Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011
Change in Tactics
• Highlighted that in 2010, the largest number of data breach incidents occurred, yet the volume of records dropped significantly
• Criminals are engaging in small, opportunistic attacks rather than large-scale, difficult attacks, using relatively low-sophistication methods to penetrate organizations.
Will your organization be on this list?
• University of Texas: 688 students' and prospective students' personal information accessed by employees after configuration error made data available on intranet
• Blackpool Coastal Housing: 80 tenants' names, addresses, national insurance numbers, telephone numbers and confidential care plans transferred to employee's home computer where they were accessible to others
• Guilford County Tax Dept: 1,000 taxpayers' SSNs, names and addresses, and images of checks paid were accessible on internet
• Bright House Networks: Customer names, addresses, phone numbers and account numbers exposed in unauthorized access
• California State Assembly: 50 employees' personal information may have been acquired by hacker
• Montgomery County Dept of Job and Family Svcs: Names and Social Security numbers of 1,200 individuals seeking agency assistance were on lost thumb drive
Organizations are sloppy
Overly Confident?
Ninth Annual Global Information Security Survey
Of the 9,600-plus business and technology execs surveyed, 43 percent identify themselves as security frontrunners and believe they have a sound security strategy and are executing it effectively.
http://www.pwc.com/gx/en/information-security-survey/giss.jhtmx
Source: Information Security Magazine, October 2010
CIOs: Call to Action
• Delivery of effective technology solutions to external customers and internal constituents
• Maximizing the value of technology investments to improve business performance
• Increasing agility of the organization, enabling it to adapt to changing needs
• Reducing related operational costs across business units
Roles of the CSO
• ENABLE
• AUDIT
• ENFORCE
• EDUCATE
Influencing Behavior
• Education is critical
• Security awareness is a start...but not good enough
• “Behavioral change” is required
Overly Confident?
To a fault...
• “...we haven’t been attacked before”
• “...why would someone target our company?”
• “...we undergo routine internal/external audits”
Why are we remiss about security?
• CIOs and C-Level executives often don’t hear about security until an incident occurs
• CIOs are value-focused managers
• Is security NOT viewed as value-adding?
Source: Scientific American, “Data Theft: Hackers Attack”, Oct 2011
...in fact, we are spending more on security solutions to protect our information systems
[Diagram: Security / Physical / Management / Operational]
...but we’re not making investments in our processes
COMPLIANCE
Compliance Security
• Compliance Defined: conformity in fulfilling official requirements.
• This isn’t about checking the box
It is the standard that is the problem, not the compliance with the standard.
CSOs tend to fixate on building an “EXCELLENT” information security program
Where does the CSO fit in?
The Business Problem Topology
• Security is new to the executive table
• Security discussions in today’s enterprise tend to be focused on the qualitative aspects instead of the quantitative
• CSOs speak a language that is NOT understood by other executives
• CSOs struggle with creating awareness and changing behaviors
But, Security is often viewed as a BOTTLENECK
The “R” Word
• Developing those critical RELATIONSHIPS within the organization
• WALK A MILE
• Breaking down the walls...we’re all fighting the same battle
Current Environment
• Regulations and compliance requirements are demanding more time and attention
• Regulators and auditors including PCI-DSS, GLBA, SOX/404, HIPAA, etc. are demanding more executive time and attention
• Greater interest from CIOs and other business stakeholders regarding information security
• Routine communication around information security, compliance, investment and risk is critical...but challenging.
Management Differences
LEADERSHIP PHILOSOPHIES
• CSO: Risk-focused managers
• CIO: Value-focused managers
RISK MITIGATION translates to VALUE
Effective Risk Managers?
• Generally, human beings struggle at managing risk
• We often overestimate risks that are highly visible or catastrophic and underestimate the risks that are slower to develop or not easily seen
• CIOs tend to overestimate risks that they have less control over, and underestimate the risks that they have more control over
ex: flying an airplane vs driving a car
Assessing Risk
• Engagement of business
• Top-Down Approach, ranking information assets
• Business Impact Analysis
• Quantitative vs. Qualitative
Understanding Risk
Risk Management involves identifying threats and applying mitigating controls to effectively reduce the risk of those threats:
• RISK = (THREAT x VULNERABILITY) / COUNTERMEASURES
• Multiply by VALUE for quantitative
• Controls can mitigate risk…
...but can rarely fully eliminate risk
Calculating Loss Expectancy
• The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE)
• Mathematically expressed: ALE = ARO * SLE
• Calculating SLE: SLE = AV * EF (asset value times exposure factor)
• Suppose that an asset is valued at $100,000, and the exposure factor (EF) for this asset is 25%. The SLE then is (25% * $100,000), or $25,000.
• For an annual rate of occurrence of 1, the annualized loss expectancy is (1 * $25,000), or $25,000
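The SLE/ALE arithmetic on this slide, together with the top-down, quantitative ranking of information assets from the "Assessing Risk" and "Understanding Risk" slides, worked through as an added Python example. This is not code from the presentation: every asset value, exposure factor, rate of occurrence and control cost is a constructed sample figure, and the last step (valuing a control as ALE before minus ALE after minus its annual cost) is a standard extension of the slide's formula rather than something the slide itself shows.

```python
"""Quantitative risk ranking with SLE and ALE.

Added example; not code from the presentation. All asset values,
exposure factors, rates of occurrence and control costs below are
constructed sample figures.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # AV: asset value in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # what the control costs per year
    residual_ef: float   # EF that remains once the control is in place
    residual_aro: float  # ARO that remains once the control is in place


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF (the slide's 'multiply by VALUE for quantitative')."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if av < 0:
        raise ValueError("asset value cannot be negative")
    return av * ef


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO * SLE."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return aro * sle


def asset_ale(asset: Asset) -> float:
    """ALE of one asset from its own AV, EF and ARO."""
    return annualized_loss_expectancy(
        asset.aro, single_loss_expectancy(asset.value, asset.exposure_factor))


def rank_assets(assets: List[Asset]) -> List[Asset]:
    """Top-down ranking of information assets by ALE, largest first."""
    return sorted(assets, key=asset_ale, reverse=True)


def control_value(asset: Asset, control: Control) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.

    Positive means the control cuts expected loss by more than it costs;
    negative means it is over-priced for this asset. Residual EF and ARO
    are never assumed to be zero: controls mitigate risk but rarely
    eliminate it.
    """
    before = asset_ale(asset)
    after = annualized_loss_expectancy(
        control.residual_aro,
        single_loss_expectancy(asset.value, control.residual_ef))
    return before - after - control.annual_cost


# Constructed sample register. The first entry reproduces the slide's
# worked figures (AV $100,000, EF 25%, ARO 1).
SAMPLE_ASSETS = [
    Asset("slide example asset", 100_000, 0.25, 1.0),
    Asset("hosted customer PII database", 2_000_000, 0.125, 0.5),
    Asset("marketing plans (confidential)", 400_000, 0.5, 0.25),
]

# Two candidate controls for the PII database; constructed figures.
SAMPLE_CONTROLS = [
    Control("database encryption at rest", 15_000, 0.03125, 0.5),
    Control("over-priced appliance", 110_000, 0.0625, 0.5),
]


if __name__ == "__main__":
    for a in rank_assets(SAMPLE_ASSETS):
        sle = single_loss_expectancy(a.value, a.exposure_factor)
        print(f"{a.name:32s} SLE=${sle:>10,.0f}  ALE=${asset_ale(a):>10,.0f}")
    pii = SAMPLE_ASSETS[1]
    for c in SAMPLE_CONTROLS:
        print(f"{c.name:32s} annual value=${control_value(pii, c):>10,.0f}")
```

Running the module prints the register ranked by ALE (the PII database first, even though its exposure factor is the smallest, because ALE weights asset value and frequency together) and then shows one control paying for itself and one that costs more than the loss it prevents, which is the quantitative argument a CSO can take to a value-focused CIO.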
Applying Countermeasures
Our Approach is CRITICAL
[Diagram: THREATS vs. COUNTERMEASURES, labelled WRONG]
• Focus efforts on mitigating the ACTUAL vulnerabilities that are specific to the organization
• Avoid industry marketing FUD
Defense By Layer
• Acknowledges that reliance on any single control or mitigating factor is not sufficient
• This approach is commonly recommended
Scenario: Protecting Hosted Customer Data from an external attacker
• Database tables are encrypted
• Role-based access levels are applied
• Data Storage Encryption
Paradigm Shift
Information-Centric Security
• Emphasizes security of the INFORMATION itself...rather than the security of networks, systems, and applications.
• 4 Principles:
1. Information (data) must be self-describing and defending.
2. Policies and controls must account for business context.
3. Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business context.
4. Policies must work consistently through the different defensive layers and technologies we implement.
Source: Rich Mogull, CEO/Principal Analyst, Securosis
Developing A Strategy
• Creating an information protection strategy
– understanding the business and its specific needs for information protection.
– defining a set of objectives to deliver quick wins and address long-term goals.
• Locating and classifying the information that means the most
– An impact analysis should be performed to identify the information with the greatest impact to strategic, tactical and operational objectives.
• Weaving information protection into the fabric of the organization
• Developing the necessary capabilities to protect their information assets
– Organizations need to determine the technologies and processes that best support their information protection objectives
Source: Dr. Alastair MacWillson, Security Week Aug 2011
Summary
• Educate by establishing a foundation for communication (e.g. metrics, scorecards)
• Embrace an information-centric approach
• Play offense (ACT vs. REACT)
• Leverage leading edge technology that enables agility within the organization
• Security is NOT perfect, and it requires ACCOUNTABILITY
• START with the BASICS
The future ain’t what it used to be.
- Yogi Berra, New York Yankees
Be Prepared
QUESTIONS?
@jaymclaughlin
linkedin.com/in/mclaughlinjay
THANK YOU