1 / 45

Massachusetts Digital Government Summit Navigating Privacy and Security

Massachusetts Digital Government Summit Navigating Privacy and Security. Paul Laurent, J.D., M.S., CISSP – Security & Compliance Solutions paul.laurent@oracle.com – http://delicious.com/paul.laurent. An Introduction:. Why is it so difficult to balance security & privacy?.

mya
Download Presentation

Massachusetts Digital Government Summit Navigating Privacy and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Massachusetts Digital Government SummitNavigating Privacy and Security Paul Laurent, J.D., M.S., CISSP – Security & Compliance Solutions paul.laurent@oracle.com – http://delicious.com/paul.laurent

  2. An Introduction:

  3. Why is it so difficult to balance security & privacy? • The “Long Tail” of Cybercrime • Increased interest & exposure • Complexity of IT • More attack vectors • Governance Gone Wild! • Reading the Alphabet Soup

  4. The Strong Push for Internal Controls:Private Sector Woes

  5. The “Long Tail” of CyberCrime

  6. What Accounts for the Long Tail? • Financial Incentives • Low Barriers to Entry • Automation

  7. Financial Incentives • Commoditization of Human Identity…

  8. Financial Incentives • Inherent Value of Data • Lines of Credit (well…before October it was) • Prevalence of Online Transactions and Processes • Data and Metadata Useful for Corroborating Other Uses

  9. Financial Incentives • Black sites & Underground Economy • Anonymous, Low-risk Outlets for Stolen Credentials and Data • Communication and Networking Draw “Highest Bidder” Prices • “DBA Training”

  10. Low Barriers to Entry • Toolkits • No Coding, OS, Network Experience Needed • Configurable, Plug-n-Play • For Free, For Sale, For Recruiting • Jeanson James Ancheta • “I learned some more VB, but I still suck @ it”

  11. Low Barriers to Entry • Automation • Massive Infection Vectors Through Vulnerability Searching • Leverage Google as an Infection Tool • “Security Through Obscurity” = Fatal

  12. Low Barriers to Entry • CrimeWare-as-a-Service (ASP Model) • Primarily Relies On “Bulletproof Hosting” • Requires Far Less Tact and Covert Activity, Relies More On Anonymous CrimeWare Servers Largely Unreachable By Law Enforcement*

  13. Why is it so difficult to balance security/compliance? • The “Long Tail” of Cybercrime • More reason to attack • Complexity of IT • More attack vectors • Governance Gone Wild! • Reading the Alphabet Soup

  14. An Evolution

  15. Client-Server Architecture

  16. Distributed System

  17. The Internet Cloud

  18. Cloud’s Relation To “Web & E2.0” • SLATES • Search • Links • Authoring • Tags • Extensions • Signals • What Exactly IS Web/Enterprise 2.0??? • Web 2.0 is about “touch” and interaction

  19. So What?

  20. Clausewitz Says: (Paul paraphrases) COMPLEXITY IS BAD

  21. Web Service/Web 2.0 Perspective:

  22. Security Perspective:

  23. The Results

  24. Why is it so difficult to balance security/compliance? • The “Long Tail” of Cybercrime • More reason to attack • Complexity of IT • More attack vectors • Governance Gone Wild! • Reading the Alphabet Soup • The Good News!

  25. Another Evolution:

  26. 1386 Ramifications: • 44 Other states adopt in whole or in part • MGL 93H (SB 173) • Game Changer • “Public Sector ROI” • 3 Federal initiatives to codify • Personal Data Privacy & Security Act • Notification of Risk to Personal Data Act • Federal Agency Data Breach Protection Act • Common Law • Bell v. Michigan Council

  27. Evolution of Internal Controls: • Role Based Provisioning • Separation of Duties • InfoSec Appointees • Risk Assessments Governance: • Sarbanes-Oxley Act • Gramm-Leach-Bliley Act • Health Insurance Portability & Accountability Act

  28. HIPAA into HITECH: • Increased auditing and enforcement • Before: Atlanta’s Piedmont Hospital • 42 questions • 10 days • Before: Provident – First CAP & Fines • NOW: The HITECH factor

  29. About PCI: • Clarity • How-To’s for implementation/testing • Authoritative Source • Accounts for Enterprise Realities • 12 Requirements or Domains • Differing levels of security • PAN, CVV, internal/external, etc. • Protecting “Crown Jewels” • Gaining Traction & Mindshare • v1.2 ~ 125 changes, almost all “clarifications” • Growing scope – attestation, OWASP, WEP

  30. Client-Server Architecture

  31. Distributed System

  32. Good News: • We know where compliance is heading

  33. The Next 1386?

  34. NRS 597.970

  35. Good News: • We know where compliance is heading • Leverage frameworks & best practices

  36. The Gravity of GovernanceOverlap in Frameworks & Compliance Best Practice Framework • Compliance concerns • HIPAA • PCI • SB 1386 (HB 1633) • Industry Specific (SOX, IRS 1075, FERPA, CFR 28, etc…) • Frameworks • ISO 27001/2 • ITIL • COSO/COBIT • FISMA (NIST 800-53) • CMMI and others… Most frameworks cover 75-85% of the same technology controls Most Laws (PCI, HIPAA, etc.) Written To Address Limited Issues In This Range Security Controls Sophistication Likely finding of legal negligence below this threshold Most IT Shops Are Here (limited, informal controls) No Security Governance

  37. Comparison:

  38. Good News: • We know where compliance is heading • Leverage frameworks & best practices • Utilize partnerships to our advantage

  39. “Grassroots” • People • Process • Partners • States/Agencies • Vendors • Thought Leaders • NIST • PCI

More Related