Spiritualists, Magicians and Security Vendors

Gaining an Advantage in Security and Privacy

ICE Conference, 5 November 2012 – Edmonton

Chris Hammond-Thrasher, Associate Director, Consulting, Security, Privacy and Compliance, Fujitsu Canada

[email protected]

Upload: chris-hammond-thrasher

Posted on 11-Nov-2014


DESCRIPTION

After a journey through the history of spiritualists and homeopaths, and the magicians that debunk them, Chris reveals six tips for privacy officers to use when dealing with information security vendors and professionals.

TRANSCRIPT

Page 1

1

Spiritualists, Magicians and Security Vendors

Gaining an Advantage in Security and Privacy

ICE Conference, 5 November 2012 – Edmonton

Chris Hammond-Thrasher, Associate Director, Consulting

Security, Privacy and Compliance, Fujitsu Canada

[email protected]

Pages 2–11: image-only slides (no transcript text).

Page 12

12

Active ingredient: Anas Barbariae Hepatis et Cordis extractum 200C

Pages 13–15: image-only slides (no transcript text).

Page 16

17

Worm.Win32.Flame Hits in 1 Week – March 2012

Pages 17–18: image-only slides (no transcript text).

Page 19

20

Six Steps to Computer Security

For IT Professionals: “How To Not Fall for the Hype”

Page 20

#1 Why Is There No P in SDLC?

Recently it has become popular to plan to address security requirements through all phases of the IT system lifecycle – from planning to operationalization. This is commonly referred to as the “Secure Development Lifecycle” or SDLC. However, privacy requirements are not the same as information security requirements. What if privacy needs were also considered in all phases?

21

Page 21

22

#2 Threat / Countermeasure

Threat modeling is a staple item in security engineering. Put briefly, threat modeling entails describing all of the threats that you plan to defend against (the threat model), followed by planning a suite of countermeasures to manage all of the identified threats. For privacy professionals, the problem is that the threat models created by security professionals often miss significant privacy threats. It can be valuable to create a privacy threat model.

Page 22

23

OWASP Risk Model

Page 23

24

Threat Agents: Criminal; APT; Insider

Attack Vectors: Message forgery; ESB DoS; Message sniffing; Fraudulent message

Security Weaknesses: Plaintext messages; Cannot detect forged messages; Cannot detect fraud messages

Security Controls: Message logging; Message signatures; Message encryption; Fraud detection; Network zones; Data Loss Prevention; End-point validation

Technical Impacts: Personal Info disclosed; Funds transferred; Enterprise service disruption

Business Impacts: Customer $; Reputational capital; Privacy compliance breach
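The OWASP chain from the slide expressed as data, with the separate privacy check the talk argues for in #2. This is an added example, not part of the presentation; which entries link across the columns and the PRIVACY_PROTECTIVE control set are assumptions made here.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatPath:
    """One path across the OWASP risk-model columns on the slide."""
    agent: str
    vector: str
    weakness: str
    technical_impact: str
    business_impact: str
    controls: frozenset

# Labels are the slide's own; which entries link across columns is an
# assumption made for this example (the slide draws arrows, not rows).
PATHS = (
    ThreatPath("Criminal", "Message forgery", "Cannot detect forged messages",
               "Funds transferred", "Customer $",
               frozenset({"Message signatures", "Fraud detection"})),
    ThreatPath("Insider", "Fraudulent message", "Cannot detect fraud messages",
               "Funds transferred", "Reputational capital",
               frozenset({"Fraud detection", "Message logging"})),
    ThreatPath("APT", "Message sniffing", "Plaintext messages",
               "Personal Info disclosed", "Privacy compliance breach",
               frozenset({"Message encryption", "Network zones"})),
    # Same weakness reached from inside the network zone: logging records
    # the disclosure after the fact but does nothing to prevent it.
    ThreatPath("Insider", "Message sniffing", "Plaintext messages",
               "Personal Info disclosed", "Privacy compliance breach",
               frozenset({"Message logging"})),
)

# Assumed set of controls that keep personal information from being exposed;
# detective controls such as logging are deliberately left out of it.
PRIVACY_PROTECTIVE = frozenset({"Message encryption", "Data Loss Prevention"})

def security_gaps(paths):
    """Security view: a path is a gap only if no control addresses it at all."""
    return [p for p in paths if not p.controls]

def privacy_gaps(paths, protective=PRIVACY_PROTECTIVE):
    """Privacy view: disclosure of personal information needs a protective control."""
    return [p for p in paths if p.technical_impact == "Personal Info disclosed"
            and not (p.controls & protective)]

def control_coverage(paths):
    """Number of modelled paths each control mitigates, for prioritisation."""
    return Counter(c for p in paths for c in p.controls)
```

Run over the full model, the security view reports no gaps while the privacy view flags the insider sniffing path, which is exactly the mismatch the slide warns about.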

Page 24

25

#3 And You Log That, Right?

Security and system administrators need to understand event logging requirements from both a security and privacy perspective. They need to know exactly which data elements need to be logged and the length of time that these logs need to be retained. Privacy logging requirements alone can make the difference in selecting one solution over another. Do not wait until it is too late to understand the business’ logging needs.

Page 25

26

#4 Show Me!

If you are serious about protecting privacy, you cannot take a security vendor’s word that something works the way it is supposed to. You cannot even go by the word of your organization’s own security and system administrators – you must test and you must audit. And testing and auditing should not be limited to prevention – do not wait for an incident to occur before you find out that you do not have the information required to support the investigation.

Page 26

27

#5 Plan for Failure

The cornerstone of safety engineering is planning for systems to fail. Security and privacy professionals can influence system design and configuration so that when breaches inevitably occur, the resulting damage can be minimized. Model, test and audit defensive failures. Design detective controls that facilitate the detection of security failures.

Page 27

28

#6 You Can’t Break It, I Can’t Break It, but What About the Guy in the Fedora?

Of course, most privacy professionals are not skilled hackers. Did you know that neither are most security professionals? Both your vendors and your security team will tell you that everything is set up securely and that they have run their scanning tools and have not found any weaknesses. However, you really do not know if the information in your charge is safe until you hire external security auditors. This can be an intimidating prospect, but it is the only way to be sure.

Page 28

Chris Hammond-Thrasher, Associate Director, Consulting

Security, Privacy and Compliance, Fujitsu Canada

[email protected]

@thrashor