Welcome to Information Security Talk Show


Data Security, personal DMV data

Welcome to Information Security Talk Show

Please record your attendance using the Sign In Sheet.

Moderator: Jerry Dike, DMV Consultant
[email protected] 512-751-0574

June 23, 2014, 3:30 – 5 p.m.


Expert & Experienced Panelists:

Mike Wyatt, Deloitte

David Ulmer, NC

Dean Clemons, HP

Kevin Shwedo, SC


Almost City Council, Age 18, Waxahachie


Why are states under attack by cyber actors?

The changing nature of information security as a discipline (prevention is foundational)

Critical: Detection, Containment & Correction


Secure, Vigilant, Resilient

Practical Recommendations for improving agencies' security posture


David Ulmer, NC DOT CIO

Information Security: A Practical View

Globally Targeted Data

[Layered-defense diagram, outer layer to innermost: Policy, Procedure & Awareness; Physical; Perimeter; Internal Network; Host; Application; Data]

Contrary to popular belief, this is not an IT issue. The business owns the data. This is a team event!

• Access control
• Monitoring
• Masking
• Auditing
• Threat and vulnerability management


Access Control
• Do you have access controls on applications, databases, file shares, and reports with sensitive data?
• Do you have an accurate inventory of current, valid users and a recurring process for validation of access to systems with sensitive data?

Incident Detection & Response
• Do you have an Incident Response Plan? Has it been tested?
• Do you have a baseline of normal activity?
• Can you detect unauthorized users gaining access?
• Can you detect fraud and misuse by authorized users?
• Do you have a secure audit trail (e.g. who, what, when, how)?

Risk Dimensions – A Team Effort


Data Loss Prevention
• First, do you have a classification system for data?
• Is sensitive data in transit encrypted? All of it, all the time? Does it get resent?
• Do you have a comprehensive inventory of sensitive information?
• Can you detect unusual patterns against databases?
• Can you determine when data theft is happening and stop it?
• Are there unknown destinations for sensitive data? Do you know where your data is?
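The checklist questions about a baseline of normal activity, misuse by authorized users, unusual patterns against databases and a who/what/when/how audit trail can be turned into a concrete check. The script below is an added illustration, not code from the talk show or any panelist's agency; the audit records, the field layout, the business-hours window and the volume threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (invented for this example), one record per
# line answering who|when|what|record|how. 2014-06-20 is the day under review.
AUDIT_LOG = """\
clerk01|2014-06-16T09:12:00|lookup|DL|counter
clerk01|2014-06-17T10:30:00|lookup|DL|counter
clerk01|2014-06-18T09:45:00|lookup|DL|counter
clerk01|2014-06-19T09:20:00|lookup|DL|counter
clerk02|2014-06-18T13:15:00|lookup|DL|counter
clerk02|2014-06-19T12:00:00|lookup|DL|counter
clerk02|2014-06-20T11:40:00|lookup|DL|counter
clerk01|2014-06-20T23:01:00|export|DL|batch-api
clerk01|2014-06-20T23:02:00|export|DL|batch-api
clerk01|2014-06-20T23:03:00|export|DL|batch-api
clerk01|2014-06-20T23:04:00|export|DL|batch-api
"""

def parse_log(text):
    """Parse audit lines into dicts; a malformed line raises rather than being skipped."""
    events = []
    for line in text.splitlines():
        user, when, action, record, channel = line.split("|")
        events.append({"user": user, "when": datetime.fromisoformat(when),
                       "action": action, "record": record, "channel": channel})
    return events

def find_anomalies(events, day):
    """Compare each user's activity on `day` against that user's own earlier days."""
    base, today = defaultdict(list), defaultdict(list)
    for e in events:
        (today if e["when"].date().isoformat() == day else base)[e["user"]].append(e)
    alerts = {}
    for user, evs in today.items():
        prior, reasons = base[user], []
        days = {e["when"].date() for e in prior}
        per_day = len(prior) / len(days) if days else 0.0
        if len(evs) > max(3, 3 * per_day):          # volume far above this user's norm
            reasons.append(f"volume {len(evs)} vs baseline {per_day:.1f}/day")
        if any(not 7 <= e["when"].hour < 19 for e in evs):   # outside 07:00-18:59 (assumed)
            reasons.append("activity outside business hours")
        seen = {(e["action"], e["channel"]) for e in prior}
        new = {(e["action"], e["channel"]) for e in evs} - seen
        if new:                                      # e.g. bulk export via a channel never used before
            reasons.append(f"never-before-seen action/channel {sorted(new)}")
        if reasons:
            alerts[user] = reasons
    return alerts
```

Running `find_anomalies(parse_log(AUDIT_LOG), "2014-06-20")` flags clerk01 on all three rules and leaves clerk02, whose counter lookups match earlier days, unflagged; a real deployment would draw the baseline from far more history and tune the thresholds per role.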

Policy & Contracts
• Have you removed all PII data from development & test environments, training material, etc.?
• Do you have separation of duties? Can unauthorized users access Production?
• Do your contracts effectively cover:
  – data handling, disposition, retention, usage & redistribution rights, breach liability, etc.?
  – data elements, frequency, method of transfer, SLA, costs, etc.?

(Continued)

Map Systems with Targeted Data

[Worksheet table; the cells are blank in the source and are meant to be filled in per agency]

System(s) | PII (SSN, DL, etc.) | Credit Cards | Protected Health Information | Financial Data (e.g. Banking & account information)
System 1  |                     |              |                              |
System 2  |                     |              |                              |
System 3  |                     |              |                              |
System 4  |                     |              |                              |
System 5  |                     |              |                              |
System 6  |                     |              |                              |
System 7  |                     |              |                              |
System 8  |                     |              |                              |

Practical Lessons from the Past Few Years

Classifying data is really hard work:
• What elements, by themselves, are restricted?
• What combinations of elements are restricted?
• When in doubt, what do you want masked?

Managing data effectively requires specialized skills and training.

Managing data is never ending. The bad guys are smart, and getting more sophisticated. Risk cannot be eliminated, but it can be managed.

Dean Clemons, HP Sr Mgr, Cybersecurity Solutions

Cybersecurity trends and attack methods

Key Points

[Chart of intrusion categories: Hacking; Weak/stolen Credentials; Malware; Social Tactics; Physical Attacks; Insider Threats]

• Users are a key weakness
• Social tactics increased 4-fold in the last year
• Most intrusions are rated as “low difficulty”
• Most intrusions are discovered by outsiders
• Most intrusions took MONTHS to discover

Security challenges and threats are increasing

• Staff lack the necessary skills and bandwidth
• Need for 24x7 global management
• Protecting data at rest, in motion, and in use
• Fragmented systems and procedures
• Embracing new ways of collaborating and delivering IT

Traditional security controls are not enough

[Diagram: an attacker reaching past Network Protection, Perimeter Protection, Server Protection, Application Protection and Endpoint Protection toward the targets: intellectual property, personal data and business data]

Prevention is important, detection is critical

Enterprise security governance

• Risk management framework

• Appoint a security executive

• Convene a security council

• Acquire security expertise

• Conduct security training

• Information sharing

• Develop security metrics

• Incident response capabilities

Continuous risk management framework

[Risk Management Framework process overview, NIST Special Publication 800-37; starting point at Step 1, repeat as necessary]

Step 1: CATEGORIZE Information Systems
Step 2: SELECT Security Controls
Step 3: IMPLEMENT Security Controls
Step 4: ASSESS Security Controls
Step 5: AUTHORIZE Information Systems
Step 6: MONITOR Security Controls

Measure the maturity of your security program

People, Policy, Process, Proof, Product

Strategy summary to reduce your risk

Focus on five areas:
• Reduce the attack surface
• Improve threat intelligence
• Improve monitoring and detection capabilities
• Proactively test your security posture
• Develop incident response capabilities

Kevin Shwedo, Executive Director, SC DMV

"PowerPoint is the Rodney Dangerfield of software. It gets no respect!"

Kevin will be talking from his notes about his experiences in DMV data privacy issues.

Thank you for attending

Please record your attendance using the Sign In Sheet.

Moderator: Jerry Dike, DMV Consultant
[email protected] 512-751-0574

Questions for Presenters