Massachusetts Digital Government Summit
Navigating Privacy and Security
Paul Laurent, J.D., M.S., CISSP – Security & Compliance Solutions
paul.laurent@oracle.com – http://delicious.com/paul.laurent
An Introduction:
Why is it so difficult to balance security & privacy?
• The “Long Tail” of Cybercrime
• Increased interest & exposure
• Complexity of IT
• More attack vectors
• Governance Gone Wild!
• Reading the Alphabet Soup
The Strong Push for Internal Controls:
Private Sector Woes
The “Long Tail” of CyberCrime
What Accounts for the Long Tail?
• Financial Incentives
• Low Barriers to Entry
• Automation
Financial Incentives
• Commoditization of Human Identity…
Financial Incentives
• Inherent Value of Data
• Lines of Credit (well…before October it was)
• Prevalence of Online Transactions and Processes
• Data and Metadata Useful for Corroborating Other Uses
Financial Incentives
• Black sites & Underground Economy
• Anonymous, Low-risk Outlets for Stolen Credentials and Data
• Communication and Networking Draw “Highest Bidder” Prices
• “DBA Training”
Low Barriers to Entry
• Toolkits
  • No Coding, OS, Network Experience Needed
  • Configurable, Plug-n-Play
  • For Free, For Sale, For Recruiting
  • Jeanson James Ancheta: “I learned some more VB, but I still suck @ it”
Low Barriers to Entry
• Automation
• Massive Infection Vectors Through Vulnerability Searching
• Leverage Google as an Infection Tool
• “Security Through Obscurity” = Fatal
Low Barriers to Entry
• CrimeWare-as-a-Service (ASP Model)
• Primarily Relies On “Bulletproof Hosting”
• Requires Far Less Tact and Covert Activity, Relies More On Anonymous CrimeWare Servers Largely Unreachable By Law Enforcement*
Why is it so difficult to balance security/compliance?
• The “Long Tail” of Cybercrime
• More reason to attack
• Complexity of IT
• More attack vectors
• Governance Gone Wild!
• Reading the Alphabet Soup
An Evolution
Client-Server Architecture
Distributed System
The Internet Cloud
Cloud’s Relation To “Web & E2.0”
• What Exactly IS Web/Enterprise 2.0???
• SLATES
  • Search
  • Links
  • Authoring
  • Tags
  • Extensions
  • Signals
• Web 2.0 is about “touch” and interaction
So What?
Clausewitz Says:
(Paul paraphrases)
COMPLEXITY IS BAD
Web Service/Web 2.0 Perspective:
Security Perspective:
The Results
Why is it so difficult to balance security/compliance?
• The “Long Tail” of Cybercrime
• More reason to attack
• Complexity of IT
• More attack vectors
• Governance Gone Wild!
• Reading the Alphabet Soup
• The Good News!
Another Evolution:
1386 Ramifications:
• 44 Other states adopt in whole or in part
• MGL 93H (SB 173)
• Game Changer
• “Public Sector ROI”
• 3 Federal initiatives to codify
• Personal Data Privacy & Security Act
• Notification of Risk to Personal Data Act
• Federal Agency Data Breach Protection Act
• Common Law
• Bell v. Michigan Council
Evolution of Internal Controls:
• Role Based Provisioning
• Separation of Duties
• InfoSec Appointees
• Risk Assessments
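The first two controls on that list are concrete enough to show in code. The following Python model is an added example, not material from the presentation or from Oracle: access is granted only through roles, a provisioning request that would hand one person a toxic combination of roles (or that a user files for themselves) is refused and written to an audit trail, and a periodic review function reports any conflicts already present in the assignment data. The role catalog, conflict pairs, user names and requester names are all constructed for the example.

```python
"""Role-based provisioning with separation-of-duties (SoD) enforcement.

Added example; the role catalog, SoD conflict pairs and users below are
constructed for illustration and do not describe any real system.
"""
from dataclasses import dataclass, field

# Role -> permissions it confers (constructed sample catalog).
ROLES = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "auditor":     {"ledger.read", "log.read"},
    "dba":         {"db.admin", "log.read"},
}

# Pairs of roles a single person must never hold at the same time.
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),  # create a vendor AND release its payment
    frozenset({"dba", "auditor"}),           # administer the data AND audit it
}


@dataclass
class ProvisioningState:
    assignments: dict = field(default_factory=dict)  # user -> set of role names
    audit_log: list = field(default_factory=list)    # (decision, user, role, requester, detail)

    def effective_permissions(self, user):
        """Permissions are derived only from roles, never assigned directly."""
        return set().union(*(ROLES[r] for r in self.assignments.get(user, set())))

    def sod_violations(self, user, new_role):
        """Conflict pairs that would be fully held if `new_role` were added."""
        held = self.assignments.get(user, set()) | {new_role}
        return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)

    def grant(self, user, role, requested_by):
        """Grant `role` to `user`; refuse self-provisioning and SoD conflicts."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        if requested_by == user:
            self.audit_log.append(("DENIED", user, role, requested_by, "self-provisioning"))
            return False
        violations = self.sod_violations(user, role)
        if violations:
            self.audit_log.append(("DENIED", user, role, requested_by, violations))
            return False
        self.assignments.setdefault(user, set()).add(role)
        self.audit_log.append(("GRANTED", user, role, requested_by, None))
        return True

    def revoke(self, user, role, requested_by):
        """Remove a role; revocations are logged like grants."""
        removed = role in self.assignments.get(user, set())
        if removed:
            self.assignments[user].discard(role)
        self.audit_log.append(("REVOKED" if removed else "NOOP", user, role, requested_by, None))
        return removed

    def review(self):
        """Periodic access review: users whose current roles already conflict
        (e.g. assignments imported from a legacy system that had no SoD check)."""
        findings = {}
        for user, roles in self.assignments.items():
            hits = sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= roles)
            if hits:
                findings[user] = hits
        return findings


if __name__ == "__main__":
    state = ProvisioningState()
    print(state.grant("alice", "ap_clerk", "manager"))       # True
    print(state.grant("alice", "ap_approver", "manager"))    # False: SoD conflict
    print(state.grant("bob", "dba", "bob"))                  # False: self-provisioning
    # A legacy import that bypassed grant() is caught by the review.
    state.assignments["carol"] = {"dba", "auditor"}
    print(state.review())
    for entry in state.audit_log:
        print(entry)
```

The point of routing every change through `grant()` and `revoke()` is that the audit trail and the conflict check cannot be skipped; `review()` exists because data that arrived some other way (a migration, a direct database edit) must still be examined, which is the "risk assessment" half of the slide.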
Governance:
• Sarbanes-Oxley Act
• Gramm-Leach-Bliley Act
• Health Insurance Portability & Accountability Act
HIPAA into HITECH:
• Increased auditing and enforcement
• Before: Atlanta’s Piedmont Hospital
• 42 questions
• 10 days
• Before: Provident – First CAP & Fines
• NOW: The HITECH factor
About PCI:
• Clarity
• How-To’s for implementation/testing
• Authoritative Source
• Accounts for Enterprise Realities
• 12 Requirements or Domains
• Differing levels of security
• PAN, CVV, internal/external, etc.
• Protecting “Crown Jewels”
• Gaining Traction & Mindshare
• v1.2 ~ 125 changes, almost all “clarifications”
• Growing scope – attestation, OWASP, WEP
Client-Server Architecture
Distributed System
Good News:
• We know where compliance is heading
The Next 1386?
NRS 597.970
Good News:
• We know where compliance is heading
• Leverage frameworks & best practices
The Gravity of Governance
Overlap in Frameworks & Compliance
• Compliance concerns
  • HIPAA
  • PCI
  • SB 1386 (HB 1633)
  • Industry Specific (SOX, IRS 1075, FERPA, CFR 28, etc…)
• Frameworks
  • ISO 27001/2
  • ITIL
  • COSO/COBIT
  • FISMA (NIST 800-53)
  • CMMI and others…
Security Controls Sophistication (figure: ladder of control maturity, highest level first)
• Best Practice Framework (most frameworks cover 75-85% of the same technology controls)
• Most Laws (PCI, HIPAA, etc.) Written To Address Limited Issues In This Range
• Likely finding of legal negligence below this threshold
• Most IT Shops Are Here (limited, informal controls)
• No Security Governance
Comparison: PCI DSS v1.2 (Requirements) vs. NIST 800-53 (Domains)

PCI DSS v1.2 (Requirements)                          NIST 800-53 (Domains)
Build and Maintain a Secure Network (1, 2)           Sys/Svc Acquisition (SA), Sys/Comm Protection (SC)
Protect Cardholder Data (3, 4)                       Sys & Info Integrity (SI), Media Protection (MP)
Implement Strong Access Control Measures (7, 8, 9)   Access Controls (AC), Ident/Authentication (IA)
Regularly Monitor & Test Networks (10, 11)           Audit & Accountability (AU)
Maintain an Information Security Policy (12)         Awareness and Training (AT)
Good News:
• We know where compliance is heading
• Leverage frameworks & best practices
• Utilize partnerships to our advantage
“Grassroots”
• People
• Process
• Partners
• States/Agencies
• Vendors
• Thought Leaders
• NIST
• PCI