
Moving to the Cloud: A Security and Hosting Introduction

Page 1: Moving to the Cloud: A Security and Hosting Introduction

Service Delivery Operations

BBCON 2014

Ron Rainville – VP/Service Delivery Operations

Page 2: Moving to the Cloud: A Security and Hosting Introduction


Overview

• Today’s Landscape
• What is Blackbaud doing?
  • Protection thru technology
  • Protection thru people
  • Protection thru certifications
  • Protection thru process

Blackbaud Confidential

Page 3: Moving to the Cloud: A Security and Hosting Introduction


Today’s Landscape

Breaches in the News

• Banks
  • Massive bank hack: What you need to know – CNN
• Retailers
  • Home Depot hack could lead to $3 billion in fake charges – CBS News
  • Target store chain security breach
• Healthcare
  • There is an epidemic of medical identity theft – USA Today
• Universities
  • Ex-contractor says he hacked into U-Md. databases to alert others to security flaws – Washington Post
• Governments
  • U.S. Probes Hacking of Government Computers at Personnel Agency – The Wall Street Journal

Page 4: Moving to the Cloud: A Security and Hosting Introduction


Theft has been Automated and Targeted

A variety of adversaries
• Script Kiddies
• Organized Crime
• Nation States

The value of targeted data is rising
• Cardholder data
• Personally Identifiable Information (“PII”)
• Protected Health Information (“PHI”)
• Social network handles (Twitter, Facebook)

Page 5: Moving to the Cloud: A Security and Hosting Introduction


Attack Vectors

Zero-Day Vulnerabilities
• Vulnerabilities discovered by criminals within software, sold in black markets to the highest bidder

Social Engineering
• Targeted campaigns against key resources within an organization for the purpose of gaining access to confidential information

Insider Threat
• Disgruntled employees looking to get even
• User mistakes (e.g. bringing data home)

Best source for statistics: Verizon Data Breach Investigations Report

Page 6: Moving to the Cloud: A Security and Hosting Introduction


How Do Large Credit Card Breaches Happen?

The Advanced Persistent Threat (“APT”)

Recon → Infiltration → Delivery & Exploitation → Exfiltration → Monetization

• Reconnaissance: adversaries probe targets for holes and vulnerabilities and/or steal credentials
• Infiltration: exploit these weaknesses to get inside
• Delivery & Exploitation: hook malware into processing streams
• Exfiltration: get data out as quietly as possible
• Monetization: data sold on the black market

This can occur over months at a time

Page 7: Moving to the Cloud: A Security and Hosting Introduction


Impact

Reputational
• Brand damage
• Customers will seek alternative choices

Financial and Liability
• Stock price tumbles
• Cost of data breach
• Legal issues
• Post-mortem audits – regulatory (e.g. HIPAA) or contractual (PCI)

Page 8: Moving to the Cloud: A Security and Hosting Introduction

So What is Blackbaud Doing?

Page 9: Moving to the Cloud: A Security and Hosting Introduction


Protection thru Technology

Strong Perimeter
• Firewalls
• IDS Control
• DDoS
• 2FA

Access Control
• Granted on an as-needed basis
• Role separation

Password/Account Management

Environment Awareness
• Log and activity monitoring

Data Centers
• All Tier III+ certified

No special cases

Page 10: Moving to the Cloud: A Security and Hosting Introduction


Protection thru People

Blackbaud Security Team
• Dedicated to Security – complete focus
• All personnel heavily trained
• High level of visibility

Training
• All employees receive security training – social engineering & best practices – annually and at NEO
• ITIL training

Certifications
• CISSP, GISM, GSEC, CCNA, CNSS, DoD 85

Partnerships
• PCI/SOC: Brightline CPAs
• Pen-testing: Praetorian (annual rotation)
• PCI validation scans: Qualys
• Ethical hacking and forensics: eMagined Security Consultants

Vendor Management
• All service providers we use are required to meet or exceed our security standards

Page 11: Moving to the Cloud: A Security and Hosting Introduction


Protection thru Certifications

PCI – Credit Card
• PCI Level 1 – annual event, Brightline

SSAE16 – PII, Best Practices – risk mitigation
• SOC2, Level 2: based on Security, Availability, Confidentiality principles – Brightline
• SOC1, Level 2: based on Financial Reporting for ledger-based products – Brightline

ITIL Based
• Annual Security Audit – 3rd party, eMagined Security
• Policy validation and perimeter testing
• Internal LAN – ethical hacking; credentialed and non-credentialed

Page 12: Moving to the Cloud: A Security and Hosting Introduction


Protection thru Process

Security Patching – all platforms
• Monthly and on-demand
• Heartbleed, Shellshock

Change Management
• Rigorous process
• Completely documented
• Multi-level management approval

Event and Incident Management
• Complete log and event monitoring and response
• 7x24 NOCC
• eMagined on retainer and used often – false positives

Security Testing
• Vulnerability management (monthly)
• Penetration testing / ethical hacking (annually and after major changes)

Page 13: Moving to the Cloud: A Security and Hosting Introduction

After all that…

Are we completely Protected?