DATA BREACHES: SIMPLY THE COST OF DOING BUSINESS
Joel Cardella
BSIDES DETROIT 2015: Data breaches cost of doing business

Aug 15, 2015

Joel Cardella
Transcript
Page 1: BSIDES DETROIT 2015: Data breaches cost of doing business

DATA BREACHES: SIMPLY THE COST

OF DOING BUSINESS

Joel Cardella

Page 2

Who am I?

Joel Cardella
Over 20 years in IT in various capacities – infrastructure operations & data centers, sales support, network ops, security

Email: [email protected] Twitter: @JoelConverses

Page 3

Fear, Uncertainty and Doubt (FUD) can no longer be the security world's fait accompli for driving good security decisions.

fait accompli (noun): a thing that has already happened or been decided before those affected hear about it, leaving them with no option but to accept. "The results were presented to shareholders as a fait accompli."

Page 4

http://securityintelligence.com/cost-of-a-data-breach-2015/#.ValJ7vlVhBc

• The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015.

• The lowest cost per lost or stolen record is in the transportation industry, at $121, and the public sector, at $68.

• On the other hand, the retail industry’s average cost increased dramatically, from $105 last year to $165.

Page 5

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Number of records

Page 6

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Data sensitivity

Pages 7–11 (charts from http://daveshackleford.com/)

Page 12
Page 13

Michael Lynton, CEO of Sony Entertainment Inc

In a December [2014] interview with National Public Radio, Lynton insisted his company was “extremely well prepared for conventional cybersecurity,” but faced “the worst cyberattack in U.S. history.” He has repeatedly described it as a “highly sophisticated attack.” Sony Pictures provided written responses to questions through Robert Lawson, its chief spokesman. He says Lynton has no plans to fire or discipline anyone. The CEO’s reasoning rests on the belief that because Sony’s assailant was a foreign government, with far more resources than a renegade band of hackers, what happened was unstoppable. The studio simply faced an unfair fight.

http://fortune.com/sony-hack-part-1/

Page 14

If the data represents you, you are the owner.

The company hosting it, or collecting it, or buying it from a clearinghouse is merely the custodian. And as a custodian they have fiduciary responsibilities to that data, but they also have financial obligations to their investors and shareholders.

So, in that equation, Mr and Mrs Data Owner suffer the downside of risk.

Page 15

WHAT NOT TO DO

Page 16

These are all things I tried and did not succeed with

Don’t refer to security as an insurance model

Don’t use standards that don’t map to your industry, or use apples & oranges comparisons

Don’t confuse compliance with security, and don’t discuss them in the same context – separate the words and define them differently

Page 17

WHAT TO DO?

Page 18

What do we do? Pivot

This can be (sometimes should be) very obvious
Understand what your ROI is

E.g. If the penalty for non-compliance is $X, then we spend $Y to offset it

X < Y = Positive ROI
X > Y = Negative ROI
X = Y = ROI needs to be evaluated

Other ROI can be more complex, and need their own models
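To give the "more complex ROI models" of this slide some shape, here is an added worked example that is not part of the talk. It uses the commonly taught return-on-security-investment formula ROSI = (ALE_before - ALE_after - control cost) / control cost, with ALE = SLE x annual breach probability and SLE = records at risk x cost per record. The per-record costs are the figures quoted on slide 4; the record counts, breach probabilities and the two candidate controls are constructed values, and the ROSI formula itself is an assumption not stated on the slide.

```python
from dataclasses import dataclass

# Cost per lost or stolen record quoted on slide 4 (USD, 2015 study figures).
COST_PER_RECORD_2015 = {
    "average": 154.0,
    "transportation": 121.0,
    "public_sector": 68.0,
    "retail": 165.0,
}


def single_loss_expectancy(records, industry="average"):
    """SLE: records at risk multiplied by the per-record breach cost for that industry."""
    return records * COST_PER_RECORD_2015[industry]


def annualized_loss_expectancy(records, annual_probability, industry="average"):
    """ALE: SLE weighted by the estimated probability of a breach in a given year."""
    return single_loss_expectancy(records, industry) * annual_probability


@dataclass
class Control:
    name: str
    annual_cost: float      # constructed: what the control costs per year (USD)
    risk_reduction: float   # constructed: fraction of the ALE the control removes (0..1)


def rosi(records, annual_probability, control, industry="average"):
    """Return on security investment (assumed standard formula):
    (ALE_before - ALE_after - control cost) / control cost.
    The slide's penalty-vs-spend comparison is the special case of a control
    that removes the whole expected loss."""
    ale_before = annualized_loss_expectancy(records, annual_probability, industry)
    ale_after = ale_before * (1.0 - control.risk_reduction)
    return (ale_before - ale_after - control.annual_cost) / control.annual_cost


def breakeven_probability(records, control, industry="average"):
    """Annual breach probability at which the control exactly pays for itself.
    Useful when nobody will commit to a probability: ask whether the real
    likelihood is plausibly above this number."""
    avoided_per_breach = single_loss_expectancy(records, industry) * control.risk_reduction
    return control.annual_cost / avoided_per_breach


def rank_controls(records, annual_probability, controls, industry="average"):
    """Candidates sorted best-first by ROSI; a negative value means the spend
    exceeds the loss it avoids."""
    scored = [(rosi(records, annual_probability, c, industry), c.name) for c in controls]
    return sorted(scored, reverse=True)


# Constructed scenario: one million customer records, 10% chance of a breach this year.
RECORDS = 1_000_000
P_BREACH = 0.10
CANDIDATES = [
    Control("segmentation + MFA", annual_cost=2_000_000, risk_reduction=0.50),
    Control("extra AV licences", annual_cost=500_000, risk_reduction=0.05),
]

if __name__ == "__main__":
    print(f"ALE (average industry): ${annualized_loss_expectancy(RECORDS, P_BREACH):,.0f}")
    for score, name in rank_controls(RECORDS, P_BREACH, CANDIDATES):
        print(f"{name:22s} ROSI = {score:.2f}")
    c = CANDIDATES[0]
    print(f"{c.name} breaks even at p = {breakeven_probability(RECORDS, c):.3f}")
```

The break-even function is the one to bring to an executive conversation: it turns "how likely is a breach?" into "is it at least this likely?", which is a question the business is used to answering.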

Page 19

What to do?

Treat Cybersecurity as a Business Risk
And start referring to it as business risk

○ Example: SGRC
Ask how your business assesses risk and pattern a model that follows it – show execs what they are used to seeing

Engage your peers and superiors on risk topics – use what is in the media as a conversation starter

This is where ROI begins

Page 20

What to do?

Build the path to awareness by your leadership
Prepare reports on what’s going on in the industry around you – execs love to know how they are doing compared to those around them

Start with the next level manager, or managers in other departments – sometimes it’s a journey not a ladder

This is where ROI is discussed

Page 21

What to do? Learn from the past mistakes of others
This is where ROI is proven
Example of Sony:

Sony’s email-retention policy left up to seven years of old messages on servers, unencrypted

The company was essentially using email for long-term storage of business records, contracts, and documents saved in case of litigation.

An array of sensitive information—including user names and passwords for IT administrators—was kept in unprotected spreadsheets and Word files with names like “Computer Passwords.”
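The custodian's side of this lesson, as an added example that is not from the talk or from Sony: a Python audit that walks a file share and flags credential-like filenames (the slide's "Computer Passwords"), text files whose header row reads like a username/password list, and mail items kept past a retention limit. The directory layout, file contents and the one-year limit are constructed for the example; the seven-year figure above is the slide's.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Filename fragments that, in the Sony case, marked plaintext credential stores.
NAME_PATTERNS = re.compile(r"(password|passwd|pwd|credential|secret|login)s?", re.IGNORECASE)
TEXT_SUFFIXES = {".txt", ".csv", ".tsv"}
MAIL_SUFFIXES = {".eml", ".msg", ".pst"}
# Constructed retention limit for the example (the slide reports seven years of retained mail).
DEFAULT_MAX_AGE_DAYS = 365


def looks_like_credential_table(path: Path) -> bool:
    """True if the first line of a text/CSV file reads like a user/password header row."""
    try:
        with path.open("r", encoding="utf-8", errors="ignore") as fh:
            header = fh.readline()
    except OSError:
        return False
    cells = {c.strip().strip('"').lower() for c in re.split(r"[,\t;]", header)}
    has_user = bool(cells & {"username", "user", "login"})
    has_pass = bool(cells & {"password", "pass", "pwd"})
    return has_user and has_pass


def find_exposures(root, max_age_days=DEFAULT_MAX_AGE_DAYS, now=None):
    """Walk root and return sorted (relative_path, reason) pairs for files a
    custodian should review: credential-like names, plaintext credential
    tables, and mail kept beyond the retention limit."""
    now = time.time() if now is None else now
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if NAME_PATTERNS.search(path.stem):
            findings.append((rel, "credential-like filename"))
        if suffix in TEXT_SUFFIXES and looks_like_credential_table(path):
            findings.append((rel, "plaintext user/password table"))
        age_days = (now - path.stat().st_mtime) / 86400
        if suffix in MAIL_SUFFIXES and age_days > max_age_days:
            findings.append((rel, f"mail item older than retention limit ({age_days:.0f} days)"))
    return sorted(findings)


def build_constructed_fixture():
    """Create a throwaway directory with constructed sample files; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="custodian_audit_"))
    (root / "finance").mkdir()
    # Constructed: the kind of file the slide describes, in a normal business folder.
    (root / "finance" / "Computer Passwords.csv").write_text("username,password\nadmin,hunter2\n")
    (root / "finance" / "q3_forecast.csv").write_text("quarter,revenue\nQ3,1200\n")
    (root / "mail").mkdir()
    old = root / "mail" / "contract_2008.eml"
    old.write_text("Subject: contract\n\nsee attached\n")
    eight_years_ago = time.time() - 8 * 365 * 86400
    os.utime(old, (eight_years_ago, eight_years_ago))   # backdate the constructed mail item
    (root / "mail" / "today.eml").write_text("Subject: lunch\n\nnoon?\n")
    return root


if __name__ == "__main__":
    for rel, reason in find_exposures(build_constructed_fixture()):
        print(f"{reason:50s} {rel}")
```

The output is a list for the data owner's risk decision, not a cleanup script: the point of the slide is that the custodian surfaces the exposure and someone accountable decides what to do with it.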

Page 22

What to do?

Be prepared! Know your data and know what it takes to protect it – but let someone else make the risk decision on it
This requires emotional detachment!
This is where ROI is defended

Page 23

What to do?

Network! Network! Network!
Come to community meetups and cons
Come to local group meetings (#misec)
Engage on Twitter, or other social mediums
Forum discussions
Ask questions, share info
SWIPE
This is where ROI can be enhanced

Page 24

Functional area overview (table columns: Functional Area, Key functions, How we achieve it, Business value)

Security
Key functions:
• Ensure proper controls for systems and data access
• Ensure confidentiality of business data
• Ensure business data is resistant to unauthorized change
How we achieve it:
• Investment in security technologies
• Multi-layer defensive strategy
• Segregation of duties controls in SAP and other business critical systems and applications
• Ensure logical separation of critical data
Business value:
• Business can operate within acceptable tolerance of risk
• Enterprise “crown jewels” are protected from malicious threats
• Confidence in data is increased, business decisions have greater value

Governance
Key functions:
• Ensure global and regional directives and standards are in place for all NASC and relevant business processes
How we achieve it:
• Global ISMS participation
• Policy creation and documentation
• Reviewing and approving standards and practices
Business value:
• Ensures the effective and efficient use of IT Security in enabling the business to achieve its goals
• Ensures alignment with global governance

Risk
Key functions:
• Reduce enterprise risk
• Stay abreast of new risks and threats
• Business continuity planning and system availability planning
How we achieve it:
• Ongoing risk assessments for both IT and business
• Continually manage threats in a constantly changing threat landscape
• Proactively test systems for vulnerabilities
• Investment in risk technologies
• Business continuity planning for recovery of data and continuation of business in disaster situations
Business value:
• Business can run with reduced risk, allowing more innovation and growth
• Newly emerging threats can be dealt with more quickly
• Recovery capabilities for outage situations can be dealt with quickly, allowing for minimal business interruption

Compliance
Key functions:
• Ensure compliance activities for regional and global directives are met
• Ensure legal mandates are met
How we achieve it:
• ICS activities
• Interfacing with IT, global and business auditors on all audits
• Interfacing with Legal
• Ensure follow up on audit findings
Business value:
• Internal Controls Systems mandates are met
• Legal mandates are met
• Understanding of audit risks and findings, help with mitigation

Page 25

Critical Success Factors
• Confidentiality, Integrity and Availability of data is managed to business expectation
• Providing cost effective security controls and risk mitigation
• Proactively addressing security improvements and mitigations where required
• Improve recovery capability

Key Activities
• Managing audit findings as a tool for improving security posture and maturity
• Execute control activities for governance and compliance
• Continually assess risk and validate mitigations and controls
• Disaster/continuity planning and recovery planning
• Assess vulnerabilities, mitigate and manage emerging threats

Key interfaces
• Global IT security
• Project management
• Regional and global auditors
• External auditors (E&Y, PwC)
• Legal, both regional and global
• Corporate Communications
• Business units, all LOBs and process areas
• Executive management
• IT Security community

Guiding Principles
1. Focus on the Business
2. Comply with Relevant Legal and Regulatory Requirements
3. Evaluate Current and Future Information Threats
4. Adopt a Risk-based Approach
5. Protect Classified Information & Ensure Proper Use

Page 26

Layered security model (diagram; layer labels: Perimeter defense (hardware firewall, intrusion detection), End User, Access Controls, Critical business data)

• Perimeter defense: hardware, restricts network access from the internet
• Software to restrict access, patching to deal with known vulnerabilities
• End user awareness training, strong passwords, dual factor authentication
• Services partner watches all network activity, looks for suspicious activity
• Anti-virus blocks known threats
• Access controls restrict access to the critical systems, manage SOD conflicts

Page 27

Final thoughts

Remember, your job is to LOWER the risks of doing business. Do so using positive ROI. Emotionally detach yourself from the things that drive you nuts as an infosec admin or manager. Understand you are there as an advisor, a counselor. When you make decisions in this capacity, you become trusted. You are no longer a gatekeeper. Gatekeeper = compliance.

But keep in mind: your business can do business without security. It’s high risk, but if the benefits outweigh the risks…

Page 28

Who am I?

Joel Cardella
Over 20 years in IT in various capacities – infrastructure operations & data centers, sales support, network ops, security

Email: [email protected] Twitter: @JoelConverses