pulling the plug
TRANSCRIPT
8/8/2019 Pulling the PLUG
http://slidepdf.com/reader/full/pulling-the-plug 1/27
Pulling the PLUG
How HIPAA protected the patients' medical data but not their lives
Who Am I?
Understanding Compliance
Pro-Con(pliance)
The real world
A Little about me . . . . Chris Nickerson
Employment History:
Founder, Lares
Director, Security Services, Alternative Technology
Team Lead, KPMG
Lead Security Architect /Compliance Mgr., Sprint
Sr. Security Architect, Shook Hardy & Bacon
US NAVY
Professional Certifications:
CISSP
CISA
ISO 17799
NSA IAM
CCNA
Security Stuff
Created Risk Management and CSO structure for many Fortune 500 companies
Created Global Compliance /Penetration testing practices
Contributor to Social-Engineer.org
InformIT, EthicalHacker.net; author, Syngress/Elsevier
Other media stuff (CSO, InfoSec, Forbes, etc.)
Sarbanes-Oxley
Implement controls to protect the validity of financial reporting
PCI
Implement controls to protect credit card data
HITECH
Implement controls OR you will have to disclose that PHI was compromised
HIPAA
Implement controls to protect PHI
Awesome! Now that we have compliance we are more secure... right?
Wrong..
Cost per incident
2006 - $168,000
2007 - $320,424
2008 - $500,000
2009 - $710,000
2010 - est. $1.5M+
Some new stats on attack
O Financial fraud: 19.5 percent, over 12 percent last year (avg: $450,000)
O Malware infection: 64.3 percent, over 50 percent last year
O Password sniffing: 17.3 percent, over 9 percent last year
O Our heads are in "THE CLOUDS" and now under major fire (EC2 botnets)
O And already 900 million records compromised in 2009-2010
*Stats from CSI 2009 and Verizon 2010 survey
Industry Targets
If that's true, what has compliance done for us?
Thank You compliance!
O What HAS it done for us?
O Made corporations aware of the risk out there
O Added some teeth to make the risk a bit more tangible
O Given credit to the IT team as business support and financial support, not just another expense
O Driven global awareness of interconnected systems
Thank You compliance!
O What else.. HAS it done for us?
O Gave you the budget to get some security flaws fixed
O TRULY increased the security of MANY organizations
O Given all of us "Security Evangelists" something more to preach about =o)
O What else? (this is where u tell me... I'm biased!)
_______ you compliance!
O What it has ALSO done
O Allowed IT departments to spend money on issues that aren't related to security (because they put SEC in the title)
O Provided a safety blanket (that people hide under) that provides no REAL protection
O Created a LEMON security market
O Misdirected security funding
O Eliminated focused corporate protection strategies in place of compliance strategies
O Allowed companies to have a scapegoat WHEN they get hacked
_______ you compliance!
O What it has ALSO done
O Misdirected security funding (80% of resources to 5% of the environment)
O Eliminated focused corporate protection strategies in place of compliance strategies
O Allowed companies to have a scapegoat WHEN they get hacked
Why doesn't it work?
O Well... we have a bunch of problems
O 1) We are not using what we have effectively
O 2) We don't have our eyes on the right prize
O 3) We are using trainers who have never been in a fight to teach us how to win a war
O 4) We are playing sheep
O 5) We are not using the most valuable resource we have: COMMUNITY
O 6) Because there is no one who REALLY wants it to.
*biggest industry worldwide is crime.
O 7) Oh yea... our enemy has no rules
Prove it
Slot machines?
What? I thought u were here for leg amputation, not ACL fix
Crash (cash) Cart!
Compliance vs Security
Takeaways
O Chris is a bully
O We don't like him
O Don't let him in your building
O ...if I get up and leave now maybe he won't notice..
REAL Takeaways
O Focus on the BIG PICTURE
O Think "Outside the checkbox"
O Use compliance as a vehicle, not a destination
O Look for how it affects the WHOLE organization, not just the audit
O Protect what matters most
"Success is not final, failure is not fatal: it is the courage to continue that counts."
Winston Churchill