Massachusetts Digital Government Summit: Navigating Privacy and Security
Paul Laurent, J.D., M.S., CISSP – Security & Compliance Solutions – paul.laurent@oracle.com – http://delicious.com/paul.laurent

Dec 20, 2015

Transcript
Page 1:

Massachusetts Digital Government Summit: Navigating Privacy and Security

Paul Laurent, J.D., M.S., CISSP – Security & Compliance Solutions – paul.laurent@oracle.com – http://delicious.com/paul.laurent

Page 2:

An Introduction:

Page 3:

Why is it so difficult to balance security & privacy?

• The “Long Tail” of Cybercrime
  • Increased interest & exposure
• Complexity of IT
  • More attack vectors
• Governance Gone Wild!
  • Reading the Alphabet Soup

Page 4:

The Strong Push for Internal Controls: Private Sector Woes

Page 5:

The “Long Tail” of CyberCrime

Page 6:

What Accounts for the Long Tail?

• Financial Incentives
• Low Barriers to Entry
• Automation

Page 7:

Financial Incentives
• Commoditization of Human Identity…

Page 8:

Financial Incentives
• Inherent Value of Data
• Lines of Credit (well…before October it was)
• Prevalence of Online Transactions and Processes
• Data and Metadata Useful for Corroborating Other Uses

Page 9:

Financial Incentives
• Black Sites & Underground Economy
• Anonymous, Low-risk Outlets for Stolen Credentials and Data
• Communication and Networking Draw “Highest Bidder” Prices
• “DBA Training”

Page 10:

Low Barriers to Entry
• Toolkits
• No Coding, OS, Network Experience Needed
• Configurable, Plug-n-Play
• For Free, For Sale, For Recruiting
• Jeanson James Ancheta
  • “I learned some more VB, but I still suck @ it”

Page 11:

Low Barriers to Entry
• Automation
• Massive Infection Vectors Through Vulnerability Searching
• Leverage Google as an Infection Tool
• “Security Through Obscurity” = Fatal

Page 12:

Low Barriers to Entry
• CrimeWare-as-a-Service (ASP Model)
• Primarily Relies On “Bulletproof Hosting”
• Requires Far Less Tact and Covert Activity, Relies More On Anonymous CrimeWare Servers Largely Unreachable By Law Enforcement*

Page 13:

Why is it so difficult to balance security/compliance?

• The “Long Tail” of Cybercrime
  • More reason to attack
• Complexity of IT
  • More attack vectors
• Governance Gone Wild!
  • Reading the Alphabet Soup

Page 14:

An Evolution

Page 15:

Page 16:

Client-Server Architecture

Page 17:

Distributed System

Page 18:

The Internet Cloud

Page 19:

Page 20:

Cloud’s Relation To “Web & E2.0”

• What Exactly IS Web/Enterprise 2.0???
• SLATES
  • Search
  • Links
  • Authoring
  • Tags
  • Extensions
  • Signals
• Web 2.0 is about “touch” and interaction

Page 21:

So What?

Page 22:

Clausewitz Says: (Paul paraphrases)

COMPLEXITY IS BAD

Page 23:

Web Service/Web 2.0 Perspective:

Page 24:

Security Perspective:

Page 25:

The Results

Page 26:

Why is it so difficult to balance security/compliance?

• The “Long Tail” of Cybercrime
  • More reason to attack
• Complexity of IT
  • More attack vectors
• Governance Gone Wild!
  • Reading the Alphabet Soup
• The Good News!

Page 27:

Another Evolution:

Page 28:

Page 29:

1386 Ramifications:
• 44 Other states adopt in whole or in part
• MGL 93H (SB 173)
• Game Changer
  • “Public Sector ROI”
• 3 Federal initiatives to codify
  • Personal Data Privacy & Security Act
  • Notification of Risk to Personal Data Act
  • Federal Agency Data Breach Protection Act
• Common Law
  • Bell v. Michigan Council

Page 30:

Evolution of Internal Controls:

• Role Based Provisioning
• Separation of Duties
• InfoSec Appointees
• Risk Assessments

Governance:
• Sarbanes-Oxley Act
• Gramm-Leach-Bliley Act
• Health Insurance Portability & Accountability Act

Page 31:

HIPAA into HITECH:
• Increased auditing and enforcement
• Before: Atlanta’s Piedmont Hospital
  • 42 questions
  • 10 days
• Before: Provident – First CAP & Fines
• NOW: The HITECH factor

Page 32:

Page 33:

About PCI:
• Clarity
  • How-To’s for implementation/testing
  • Authoritative Source
• Accounts for Enterprise Realities
  • 12 Requirements or Domains
  • Differing levels of security
    • PAN, CVV, internal/external, etc.
  • Protecting “Crown Jewels”
• Gaining Traction & Mindshare
  • v1.2 ~ 125 changes, almost all “clarifications”
  • Growing scope – attestation, OWASP, WEP

Page 34:

Client-Server Architecture

Page 35:

Distributed System

Page 36:

Page 37:

Good News:
• We know where compliance is heading

Page 38:

The Next 1386?

Page 39:

NRS 597.970

Page 40:

Good News:
• We know where compliance is heading
• Leverage frameworks & best practices

Page 41:

The Gravity of Governance Overlap in Frameworks & Compliance

• Compliance concerns
  • HIPAA
  • PCI
  • SB 1386 (HB 1633)
  • Industry Specific (SOX, IRS 1075, FERPA, CFR 28, etc…)
• Frameworks
  • ISO 27001/2
  • ITIL
  • COSO/COBIT
  • FISMA (NIST 800-53)
  • CMMI and others…

[Figure: a spectrum of “Security Controls Sophistication”, running from “No Security Governance” (likely finding of legal negligence below this threshold) through “Most IT Shops Are Here (limited, informal controls)” to “Best Practice Framework”. Labels on the figure: “Most Laws (PCI, HIPAA, etc.) Written To Address Limited Issues In This Range” and “Most frameworks cover 75-85% of the same technology controls”.]

Page 42:

Comparison:

PCI DSS v1.2 (Requirements)                         | NIST 800-53 (Domains)
----------------------------------------------------|----------------------------------------------------
Build and Maintain a Secure Network (1, 2)          | Sys/Svc Acquisition (SA), Sys/Comm Protection (SC)
Protect Cardholder Data (3, 4)                      | Sys & Info Integrity (SI), Media Protection (MP)
Implement Strong Access Control Measures (7, 8, 9)  | Access Controls (AC), Ident/Authentication (IA)
Regularly Monitor & Test Networks (10, 11)          | Audit & Accountability (AU)
Maintain an Information Security Policy (12)        | Awareness and Training (AT)

Page 43:

Good News:
• We know where compliance is heading
• Leverage frameworks & best practices
• Utilize partnerships to our advantage

Page 44:

“Grassroots”

• People
• Process
• Partners
  • States/Agencies
  • Vendors
  • Thought Leaders
    • NIST
    • PCI

Page 45: