Massachusetts Digital Government Summit Navigating Privacy and Security Paul Laurent, J.D., M.S., CISSP – Security & Compliance Solutions paul . laurent @oracle.com – http://delicious.com/paul.laurent
Dec 20, 2015
Why is it so difficult to balance security & privacy?
• The “Long Tail” of Cybercrime
  • Increased interest & exposure
• Complexity of IT
  • More attack vectors
• Governance Gone Wild!
  • Reading the Alphabet Soup
Financial Incentives
• Inherent Value of Data
• Lines of Credit (well… before October it was)
• Prevalence of Online Transactions and Processes
• Data and Metadata Useful for Corroborating Other Uses
Financial Incentives
• Black Sites & Underground Economy
• Anonymous, Low-risk Outlets for Stolen Credentials and Data
• Communication and Networking Draw “Highest Bidder” Prices
• “DBA Training”
Low Barriers to Entry
• Toolkits
  • No Coding, OS, or Network Experience Needed
  • Configurable, Plug-n-Play
  • For Free, For Sale, For Recruiting
  • Jeanson James Ancheta
    • “I learned some more VB, but I still suck @ it”
Low Barriers to Entry
• Automation
  • Massive Infection Vectors Through Vulnerability Searching
  • Leverage Google as an Infection Tool
  • “Security Through Obscurity” = Fatal
Low Barriers to Entry
• CrimeWare-as-a-Service (ASP Model)
  • Primarily Relies On “Bulletproof Hosting”
  • Requires Far Less Tact and Covert Activity; Relies More On Anonymous CrimeWare Servers Largely Unreachable By Law Enforcement*
Why is it so difficult to balance security/compliance?
• The “Long Tail” of Cybercrime
  • More reason to attack
• Complexity of IT
  • More attack vectors
• Governance Gone Wild!
  • Reading the Alphabet Soup
Cloud’s Relation To “Web & E2.0”
• What Exactly IS Web/Enterprise 2.0???
• SLATES
  • Search
  • Links
  • Authoring
  • Tags
  • Extensions
  • Signals
• Web 2.0 is about “touch” and interaction
Why is it so difficult to balance security/compliance?
• The “Long Tail” of Cybercrime
  • More reason to attack
• Complexity of IT
  • More attack vectors
• Governance Gone Wild!
  • Reading the Alphabet Soup
  • The Good News!
SB 1386 Ramifications:
• 44 other states adopt in whole or in part
• MGL 93H (SB 173)
• Game Changer
  • “Public Sector ROI”
• 3 federal initiatives to codify
  • Personal Data Privacy & Security Act
  • Notification of Risk to Personal Data Act
  • Federal Agency Data Breach Protection Act
• Common Law
  • Bell v. Michigan Council
Evolution of Internal Controls:
• Role Based Provisioning
• Separation of Duties
• InfoSec Appointees
• Risk Assessments
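The two mechanical controls named above, role-based provisioning and separation of duties, are easier to reason about when enforced in code rather than in a policy document. The following is an added Python example, not code from the deck or from any product it mentions; the role names, permission strings, conflict matrix and user records are constructed assumptions.

```python
"""Role-based provisioning with a separation-of-duties (SoD) check.

Added example: the roles, permissions, conflict pairs and user records
below are constructed assumptions, not taken from the deck.
"""
from dataclasses import dataclass, field

# Access is granted as roles (bundles of permissions), never one permission
# at a time, so every grant can be checked against the SoD matrix.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice.create", "invoice.read"},
    "ap_approver": {"invoice.approve", "invoice.read"},
    "treasury":    {"payment.release", "invoice.read"},
    "auditor":     {"invoice.read", "payment.read", "audit_log.read"},
    "sysadmin":    {"user.create", "role.assign", "audit_log.read"},
}

# SoD matrix: role pairs no single identity may hold at once. Whoever
# creates an invoice must not approve it or release its payment, and whoever
# assigns roles must not be able to move money or approve spend.
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),
    frozenset({"ap_clerk", "treasury"}),
    frozenset({"ap_approver", "treasury"}),
    frozenset({"sysadmin", "treasury"}),
    frozenset({"sysadmin", "ap_approver"}),
}


class SoDViolation(Exception):
    """Raised when a grant would give one identity a conflicting role pair."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    @property
    def permissions(self) -> set:
        """Effective permissions, derived from roles rather than stored."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles))


def sod_conflicts(roles) -> set:
    """Return every conflicting pair contained in the given role set."""
    held = set(roles)
    return {pair for pair in SOD_CONFLICTS if pair <= held}


def grant_role(user: User, role: str, approved_by: str) -> User:
    """Provision a role only if the result stays free of SoD conflicts.

    The grant itself is a controlled action: the approver must be a
    different person than the grantee (no self-service escalation).
    """
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    if approved_by == user.name:
        raise SoDViolation(f"{user.name} cannot approve their own access")
    conflicts = sod_conflicts(user.roles | {role})
    if conflicts:
        pairs = ", ".join(" + ".join(sorted(p)) for p in conflicts)
        raise SoDViolation(f"granting {role} to {user.name} conflicts: {pairs}")
    user.roles.add(role)
    return user


def review_access(users) -> dict:
    """Periodic access review: report users whose accumulated roles now
    conflict, typically because a transfer added a role without revoking
    the old one. Returns {user_name: conflicting_pairs}."""
    findings = {}
    for u in users:
        conflicts = sod_conflicts(u.roles)
        if conflicts:
            findings[u.name] = conflicts
    return findings


if __name__ == "__main__":
    alice = grant_role(User("alice"), "ap_clerk", approved_by="manager")
    try:
        grant_role(alice, "ap_approver", approved_by="manager")
    except SoDViolation as e:
        print("blocked:", e)
    # Legacy account created before the SoD matrix existed (constructed).
    bob = User("bob", {"sysadmin", "treasury"})
    print("review findings:", review_access([alice, bob]))
```

The provisioning-time check stops new toxic combinations, but the periodic review is what catches accounts that pre-date the matrix or accumulated roles through transfers; both are needed for the control to hold up in an audit.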
Governance:
• Sarbanes-Oxley Act
• Gramm-Leach-Bliley Act
• Health Insurance Portability & Accountability Act
HIPAA into HITECH:
• Increased auditing and enforcement
• Before: Atlanta’s Piedmont Hospital
  • 42 questions
  • 10 days
• Before: Providence – first CAP (Corrective Action Plan) & fines
• NOW: The HITECH factor
About PCI:
• Clarity
  • How-To’s for implementation/testing
  • Authoritative Source
• Accounts for Enterprise Realities
  • 12 Requirements or Domains
  • Differing levels of security
    • PAN, CVV, internal/external, etc.
  • Protecting “Crown Jewels”
• Gaining Traction & Mindshare
  • v1.2: ~125 changes, almost all “clarifications”
  • Growing scope: attestation, OWASP, WEP
The Gravity of Governance: Overlap in Frameworks & Compliance
• Compliance concerns
  • HIPAA
  • PCI
  • SB 1386 (HB 1633)
  • Industry Specific (SOX, IRS 1075, FERPA, CFR 28, etc…)
• Frameworks
  • ISO 27001/2
  • ITIL
  • COSO/COBIT
  • FISMA (NIST 800-53)
  • CMMI and others…

[Chart: Security Controls Sophistication, running from “No Security Governance” to “Best Practice Framework”, with annotations: “Most IT Shops Are Here (limited, informal controls)”; “Likely finding of legal negligence below this threshold”; “Most Laws (PCI, HIPAA, etc.) Written To Address Limited Issues In This Range”]

• Most frameworks cover 75-85% of the same technology controls
Comparison: PCI DSS v1.2 (Requirements) vs. NIST 800-53 (Domains)

PCI DSS v1.2 (Requirements)                        | NIST 800-53 (Domains)
---------------------------------------------------|---------------------------------------------------
Build and Maintain a Secure Network (1, 2)         | Sys/Svc Acquisition (SA), Sys/Comm Protection (SC)
Protect Cardholder Data (3, 4)                     | Sys & Info Integrity (SI), Media Protection (MP)
Implement Strong Access Control Measures (7, 8, 9) | Access Controls (AC), Ident/Authentication (IA)
Regularly Monitor & Test Networks (10, 11)         | Audit & Accountability (AU)
Maintain an Information Security Policy (12)       | Awareness and Training (AT)
Good News:
• We know where compliance is heading
• Leverage frameworks & best practices
• Utilize partnerships to our advantage