Awareness Program on Compliance
in the Era of Technology
ICAI, Mumbai
October 19, 2008
u
1
Public Document
<version 1.0>
Agenda
1.
2.
3.
Compliance Today
Business Risks
Evolving Security and Compliance
landscape
Technology and IT value for business
Incidents and Security related
industry information
Snapshot of Global Compliance
requirements over time
Extracting Compliance ROI
Suggested Safeguards (unified
framework)
Common regulatory reqmts
(standards, etc)
4.
5.
6.
7.
8.
9.
2
10. The technology solution
11. Compliance spotlight – PCIDSS
12. Leverage the technology
solution
13. VA/PT
14. Continuous VA and
Monitoring
15. List of Tools
16. Why VA/PT
17. Web App Security, Secure
Coding
Public Document
<version 1.0>
Compliance Today
• Organizations have numerous Compliance
requirements which keep growing by the day / hour
/ minute !
– Regulatory
– Standards / Best Practice Frameworks
– Industrial, Contractual, etc.
• Technology is constantly evolving
providing new tools and methods to
tackle the increasing information and
compliance overload
3
Public Document
Much of the
increase in cost
is due to
duplication of
regulation and
ambiguous or
inconsistent rules
-Securities Industry
Association, 2006
<version 1.0>
Compliance Today
Compliance with Compliance requirements takes up
too much resources
Compliance initiatives are considered “Projects” (e.g.
SOX / PCI project) but these are continuous
processes (benefits are not realized)
Technology solutions will leverage Compliance
efforts to enable Governance and Risk Management
leading to Business gains (productivity, cost-savings)
•
•
•
Compliance must be part of your organization DNA
Regulatory Compliance is not just a legal requirement but
a critical business function.
4
Public Document
<version 1.0>
Business Risks
Operational risk



Physical damage/theft
Services not available
Market risk



Lost customers
Global partners
Legal risk



SLAs
Lawsuits
What is at Risk






Information on your network
Databases
Intellectual Property
Financial Information
Personally Identifiable
Information
Reputation & Market Value
Regulatory


Compliance
Financial Risk



5
Claims and losses
Quantification of information assets/impact
Public Document
<version 1.0>
6
Public Document
<version 1.0>
Technology and Information
Made People Smarter

Google

Luhn’s algorithm (to validate any credit card)

VB based basic key loggers

Web based IP tools, DNS network tools, traceroute etc

Network tools

Nmap

Nessus etc…. All available online
Password cracking tools

7
Public Document
<version 1.0>
8
Public Document
<version 1.0>
Incidents (2000-2007)

According to Attrition Data Loss Archive and Database and FlowingData,
following are the 10 largest data breaches since 2000
(http://flowingdata.com/2008/03/14/10-largest-data-breaches-since-2000-millions-affected/)

9
Is there a trend? Yes, numbers are growing!
Public Document
<version 1.0>
Are we safe in 2008?






UK Government Depts. reported loss of 29 million records in last one year
(August 2008)
Countrywide Financial Corp. – possible all 2 million records were sold
(August 2008)
If sensitive data only includes SSNs and financial account data and not date
of birth and email ids then should we decide Facebook’s 80 million records
as a data breach? (July 2008)
Bank of New York Mellon, PA – as many as 4.5 million customer records
are thought to be compromised (March 2008)
Compass Bank – 1 million (March 2008)
Hannaford Bros. supermarket chain – 4.2 million (March 2008)

10
Trend – Numbers are still growing!
Public Document
<version 1.0>
Some Facts


Who are behind these breaches:

External sources including past employees

Insiders

Business partners

Multiple parties
How these breaches are caused

Business process errors or no policy/procedural controls

Hacking and intrusions including malicious code

System/Application vulnerabilities including for those patches already exist

Physical threats


Victims don’t know that breach has occurred or more often aware of the criticality of the
data/information

Mostly breaches are opportunistic in nature

11
Mostly………
More than 90% breaches are avoidable
Public Document
<version 1.0>
Some Insights – drivers for security spend
By 2008, more than 75% of large and
midsize companies will purchase new
compliance management, monitoring, and
automation solutions.
By 2009, compliance will grow to 14.2% of
IT budget from 12% in 2006.
Source: Gartner 2007
12
Public Document
<version 1.0>
13
Public Document
<version 1.0>
Common Regulatory Reqmts /
Standards / Frameworks / Guidelines



Clause 49 (SEBI Guideline,
Government of India)
CTCL
ISO:27001 – 2005









133 Control objectives

PCI-DSS




12 requirements
CobiT
NERC-CIP
BS:25999
ITIL
Data Protection Act
IT Act and applicable Criminal /
Civil legislation
14


HIPAA/GLBA
Sarbanes Oxley
Basel II
PCAOB
SAS 70
Privacy Laws (e.g.PIPEDA)
… many more…..
Public Document
<version 1.0>
Extracting Compliance ROI

Organizations must plan beyond Compliance









Better Security means reduced / managed risk
Managed (reduced) risk means better business
Operational efficiencies result from compliance efforts
Approach Compliance as a as a business process, not as requirement / overhead
Use learning to shorten future compliance cycles
Identify opportunities to build unified compliance ecosystem
Lead the organization to Industry certifications resulting in higher brand value
Eliminate the risk of penalties for non-compliance
Address multiple compliance requirements in a unified approach
15
Public Document
<version 1.0>
Suggested Safeguards
16
Public Document
<version 1.0>
Suggested Safeguards
17
Public Document
<version 1.0>
18
Public Document
<version 1.0>
Technology Solution



Systems must be developed providing a risk based approach
that is aligned with Business, Regulatory and Contractual
requirements
Leverage technology and co-ordinate Security spend with
Compliance with the overall objective achieve Governance
(automation)
Technology practices to enable proactive security Risk
management





19
Vulnerability Assessment / Penetration Testing (VA/PT)
Web Application Security (AppSec)
Code Review
Continuous Vulnerability Management
Managed Security Services
Public Document
<version 1.0>
Compliance Spotlight :
PCI – Data Security Standard
20
Public Document
<version 1.0>
Compliance Spotlight :
PCI-DSS

Requirement 5 and 6 (Maintain Vulnerability Management Program)






Stay Current on versions (Anti Virus, Patches, Systems, Configuration)
Monitor Custom Web applications
SDLC (do we practice secure coding)
Invest in automated tools
Secure Audit Logs
Requirement 10 and 11 (Regularly Monitor & Test Networks)



Monitor Systems for Intrusions and Anomalies
Implement Reporting and Analysis Tools
Centralize and Secure Data
ISO:27001 – A.12.6 Technical
Vulnerability Management
21
ISO:27001 – A.15 Compliance
-Compliance with Legal Requirements
-Compliance with Security Policies,
and standards and technical
compliance
Public Document
<version 1.0>
Leverage the Technology Solution
Technology Practices for Compliance
providing proactive Risk Management
Continuous Vulnerability Monitoring and
Assessment
Vulnerability
Assessment (VA)
22
Penetration Testing
(PT)
Secure Application
Development
(Coding) Practices
Web Application
Security
Assessment
Public Document
<version 1.0>
Leverage the Technology Solution
Vulnerability
Assessment (VA)
Penetration
Testing
(PT)
23
Results allow the organization to compare findings
against known vulnerabilities and prioritize
remediation by implementing controls.
Provides a health report on the organization security
posture.
All Standards, Regulations, Frameworks recommend
(or require) Network Assessments as an essential
practice.
Helps determine whether the controls are in fact
preventing the vulnerability from actually endangering
the network.
A well-executed penetration test can identify the most
critical holes in an organization’s defensive net;
including the holes exploited by social engineering.
pen tests are best used as a way to get an extra set of
eyes on a network after major system upgrades.
Public Document
<version 1.0>
Leverage the Technology Solution
Continuous
Vulnerability
Monitoring and
Assessment
Provides a 24 x 7 x 365 watch on network traffic and
is available as a Managed Security Service. Traffic is
monitored and events (incidents) are correlated
against updated industry Common Vulnerability &
Exposure (CVE) database.
Reports are available online to client via a web
interface which will provide information about the
threat(s) and remediation plans.
24
Public Document
<version 1.0>
VA/PT
Undertaken by qualified professionals
Methodology includes use of automated tools augmented with manual skills
Meet regulatory requirements (PCI-DSS, HIPAA, GLBA, PIPEDA, etc.)
Organizations can realize their true security level
Measure IT security effectiveness
Identify and remediate potential breach points reducing security risk and liability
Benchmark / baseline security posture
Certifications
Certified Vulnerability Assessor (CVA) (Secure Matrix - DNV)
CEH (EC Council)
CISSP (ISC2)
certifications in Forensics, Fraud (Secure Matrix)
Commonly used Tools for VA/PT (commercial / open source)
Nessus, GFI Languard (c), Nmap; Metasploit, Canvas (c), etc.
25
Public Document
<version 1.0>
List of Tools (indicative)
Vulnerability Assessment
Nessus
Nessus is one of the most popular and widely used vulnerability assessment scanner with nearly 14,000 plugins.
GFI Languard
GFI Languard is a commercial vulnerability assessment scanner with neat reporting capabilities.
Netcat
Netcat is a network debugging and exploration tool
Hping
This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard
utilities. This is to map out firewall rulesets.
Nikto
A comprehensive webserver scanner
Sam Spade
Windows network query tool
Web Inspect
Web Application Scanner
Firewalk
An Advanced traceroute tool
Penetration Testing
Metasploit Framework
This is a framework to deploy vulnerability exploits and payloads. Securematrix has created a database of nearly 100 exploits in this
framework
Canvas
A Commercial Penetration Testing tool
Core Impact
A Commercial Penetration Testing tool
SAINT
A commercial Penetration Testing tool
CenZic
A Commercial Web application testing tool
John the ripper
powerful, flexible, and fast multi-platform password hash cracker
THC Hydra
A Fast network authentication cracker which support many different services
Dsniff
A suite of powerful network auditing and penetration-testing tools
Solarwinds
Network discovery/monitoring/attack tools
26
Public Document
<version 1.0>
Why VA/PT




27
To catch a thief…..You have to think like one.
You hack into your network to do a Vulnerability Assessment (VA),
identifying “vulnerabilities” in the same manner as they may be visible to
an intruder like open ports.
Following up a VA is the Penetration Test – you are taking advantage of
the ‘vulnerabilities’ by “penetrating” the network.
When you test all IP addresses that are visible to the outside world you
can get answers to sticky questions like:
 Can an intruder hop on to the conference room network ?
 Is it possible for the intruder to connect to the database server ?
 What can you do (that which no one wants an intruder to do!) ??
Public Document
<version 1.0>
Presented by
Dinesh Bareja
CISA, CISM, ITIL, IPR, ERM, BS: 7799 (Imp & LA)
- Senior Vice President
Email: dinesh@securematrix.in
Information Security professional, having more
than 11 years of experience in technology in
commercial, operational, functional and Project
Management roles on multiple large and small
projects in global and domestic markets.
Experienced in establishing ISMS (Information
Security Management System), planning and
implementation of large scale CobiT®
implementation, ISO: 27001, Risk Management,
BCP/DR, BIA, Asset Management, Incident Mgt, Governance and Compliance among others.
He is also member of ISACA, OCEG, iTSMF and co-founder of Canadian Honeynet Project
and Open Security Alliance among others.
28
Public Document
<version 1.0>
Contact Information
Registered Office
Mumbai:
12 Oricon House, 14, K. Dubash Marg
Fort, Mumbai 400 001
Tel: +91 22 3253 7579; Fax:+91 22 2288 6152; Email: info@securematrix.in
Technology Centre
Pune:
Trident Towers
2nd Floor, Pashan Road
Bavdhan, Pune - 411021
Email: info@securematrix.in
Technology Centre
Chennai:
Plot No. 1, Door No. 5, Venkateshwara Street,
Dhanalakshmi Colony, Vadapalani,
Chennai – 600026
Email: info@securematrix.in
Dubai:
P O Box 5207
Dubai
Email: dubai@securematrix.in
London:
16-20 Ealing Road
Wembley Middlesex Hao 4TL
Email: london@securematrix.in
Bahrain * Atlanta
29
Public Document
<version 1.0>
Thank You
ICAI, Mumbai
30
Public Document
<version 1.0>