Security & Compliance in the Cloud
Standards, Security & Proactively Managing Governance, Risk & Compliance
North Texas Chapter, Dallas / Ft. Worth
Friday, June 28, 2013
FC Dallas Stadium, 9200 World Cup Way, Suite 202, Frisco, TX
Keynote Speaker - Chad M. Lawler, Ph.D., Director of Consulting, Cloud Computing, Hitachi Consulting
Security & Compliance in the Cloud - Standards, Security & Proactively Managing Governance, Risk & Compliance Key Note Address by Chad M. Lawler, Ph.D. Cloud Security Alliance - North Texas Chapter Friday, June 28, 2013
Transcript
Goals & Overview of Today's Discussion
Goals
• Awareness: Encourage Focus on Security, Governance & Compliance; Create Broad Awareness & Provide Education
• Focus on Best Practices for Risk Security Mitigation, Regulatory Compliance & Governance
• Overview of Cloud Security Alliance (CSA) & Research Areas
Overview
• Cloud is Changing Business & IT - New IT Landscape
1. Yahoo Japan - The identity details of up to 22 million users may have been compromised when attackers hacked into its computer systems.
2. Washington State Court System - May 2013 - Exposed 160,000 Social Security numbers after a cyber attack on servers operated by the Washington state court system.
3. Federal Reserve - May 2013 - Federal Reserve security breach of undisclosed information. Anonymous exploited a zero-day vulnerability in Adobe ColdFusion.
4. Alabama Criminal Justice Information Center - May 2013 - Anonymous hack posts 4,000 bank executive credentials, login and contact info, and IP addresses.
5. LivingSocial.com - April 2013 - Security breach that exposed names, e-mail addresses and password data for up to 50 million of its users.
6. Twitter - February 2013 - 250,000 accounts hacked in a security breach; hackers accessed usernames, email addresses and passwords in a 'sophisticated' operation.
7. US Army Corps of Engineers' National Inventory of Dams (NID) - Cyber intrusion into sensitive information on the vulnerabilities of 8,100 major dams in the US by Chinese cyber warriors.
8. Wyndham Hotels - Announced in 2012, began in 2008 - Over $10.6 million in credit card transactions made fraudulently. Called the most egregious security breach of 2012. The Federal Trade Commission brought a lawsuit against Wyndham Hotels.
9. Zappos - Jan 2012 - Hackers compromised over 24 million records, which included user names, phone numbers, email addresses, partial credit card numbers, and encrypted passwords.
10. LinkedIn/eHarmony - June 2012 - 8 million passwords taken.
11. Last.fm - Mid-2012 - Hackers exploited lax security to make off with millions of user passwords.
12. Medicaid - March 30, 2012 - Hackers broke into a Utah Department of Health Medicaid server, exposing 280,000 residents' Social Security numbers and the health data of 500,000 residents.
13. Sutter Physicians Services - 2011 - 3.3 million patients' medical details stolen (stored in encrypted format). Data from both Sutter Physicians Services and Sutter Medical Foundation was breached in November when a thief stole a desktop computer.
14. Sony's PlayStation Network - April 20, 2011 - Over 100 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month, and faced ongoing customer-relations fallout and class-action lawsuits over its failure to protect over 100 million user records.
15. ESTsoft - July-August 2011 - Personal information of 35 million South Koreans exposed after hackers breached the security of a popular software provider.
16. Tricare and SAIC - Sept 2011 - 5.1 million people's records breached. Backup tapes containing SAIC (Science Applications International Corporation) data, with data on current and retired members of the armed services and their families, were stolen from the car of a Tricare employee. Led to a $4.9 billion lawsuit being filed.
17. Nasdaq - 2011 - Attackers breached a cloud-based Nasdaq system designed to facilitate boardroom-level communications for 10,000 senior executives.
18. Yahoo - 2011 - 450,000 user names and passwords stolen. Hackers broke into a Yahoo subdomain by sending commands through an inadequately secured URL and managed to steal files from Yahoo's Contributor Network. Shockingly, these files were not encrypted and were instead stored in plain text.
19. Epsilon - March 2011 - Exposed names and e-mails of millions of customers stored by more than 108 retail stores plus several huge financial firms.
20. RSA Security - March 2011 - 40 million employee records stolen. Attackers breached the systems of EMC's RSA in April, stealing information relating to its SecurID system. RSA ultimately traced the attack to an unnamed nation state, and revealed that the exploit had relied on a very low-tech spear-phishing attack.
21. Stuxnet - Sometime in 2010, but origins date to 2007 - Attack on Iran's nuclear power program; serves as a template for real-world intrusion and service disruption.
22. VeriSign - Throughout 2010 - Impact: undisclosed information stolen.
23. Gawker Media - December 2010 - Compromised e-mail addresses and passwords of about 1.3 million users on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker's custom-built content management system.
24. Google / Yahoo / Silicon Valley companies - Mid-2009 - Stolen intellectual property. In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies.
25. US Military Networks - 2008 cyberattack - "Worst breach of U.S. military computers in history" and "the most significant breach of U.S. military computers ever." The Pentagon spent 14 months cleaning military networks. "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," - William J. Lynn 3d, Deputy Secretary of Defense. Led to the creation of the US Cyber Command.
26. Heartland Payment Systems - March 2008 - Impact: 134 million credit cards exposed; attackers used SQL injection to install spyware on Heartland's data systems.
Security Incidents Since 2008…? Too Many to List
Texas Comptroller's 3.5 Million Record Breach
Source: Cyber Risk Remains a Serious Threat Facing Public Entities http://www.netdiligence.com/files/Public%20Entity%20Cyber%20Risk-061512.pdf
Dmitri Alperovitch, Vice President of Threat Research, McAfee, 2011
Operation Red October - January 11, 2013
A Kaspersky Lab research report identified a cyber-espionage campaign that had been targeting diplomatic, governmental and scientific research organizations in several countries for at least five years.
Attackers gathered sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.
Designs for many of the nation's most sensitive advanced weapons systems have been stolen and compromised by Chinese hackers.
Designs Stolen:
• Patriot missile system, known as PAC-3
• An Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD
• The Navy's Aegis ballistic-missile defense system
• F/A-18 fighter jet
• The V-22 Osprey, the Black Hawk helicopter
• The Navy's new Littoral Combat Ship
• The most expensive weapons system ever built - the F-35 Joint Strike Fighter, on track to cost about $1.4 trillion, stolen by Chinese cyberhackers in 2007
• Drone video systems, nanotechnology, tactical data links and electronic warfare systems also compromised
Defense contractors affected include: Boeing, Lockheed Martin, Raytheon and Northrop Grumman.
Be Proactive in Working to Mitigate Liabilities & Risks
CSA - Research & Standards Resources, Education & Best Practices
www.cloudsecurityalliance.org
About the Cloud Security Alliance
• Global, not-for-profit organization
• Over 33,000 individual members, 150 corporate members, 60 chapters
• Building best practices and a trusted cloud ecosystem
• Research
• Education
• Certification
• Advocacy of prudent public policy
• Innovation, Transparency, GRC, Identity
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
The Future of IT Is Cloud & Mobile - With Increasing Control in the Hands of End Users
Security is More Important than Ever - Risks & Liabilities from Security Threats are Substantial
You Must Take a Proactive Approach to Security
Security Must Be a Major Investment for All Organizations & Begins with Education
Build A Framework of Policies, Procedures & Security Technologies to Reduce Risks/Liabilities
Start Today! - CSA Can Help with an Array of Free Valuable Guides & Resources
Revealed: Operation Shady Rat - McAfee http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
Operation Red October - Kaspersky Lab http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies
DoD Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
Cyber-Security: The vexed question of global rules - Security & Defense Agenda (SDA) http://www.mcafee.com/us/resources/reports/rp-sda-cyber-security.pdf
The Global State of Information Security Survey 2013 http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml