Common Data Protection Pitfalls – And How You Can Avoid Them


DESCRIPTION

CISOs and their security programs face overwhelming pressure to renew their focus on data protection. This pressure stems from external forces (advanced threats and a multitude of compliance obligations) and from internal forces (new business initiatives). The combination produces a complex set of data protection requirements, and meeting them is made harder still by the explosion in data volume and the variety of locations where that data may reside. On top of that, the scope of data to be protected includes not only customer data but internal data and system data as well.

In this webcast, Jim Maloney, CEO of Cyber Risk Strategies, LLC, and Mark Evertz, Security Solutions Manager at Tripwire, discuss:

The evolution of information security and why it has renewed its focus on data protection
The challenges CISOs and their security programs face in securing data, including increasing volumes of data, multiple locations of data, compliance obligations and more
Why data protection efforts must go beyond customer data to also protect internal data and system data
How data protection can serve as a business enabler
How solutions like the Tripwire VIA Suite can help protect essential organization data
Five steps CISOs can take to significantly improve their organization's information security


Page 1: Common Data Protection Pitfalls –And How You Can Avoid Them

Common Data Protection Pitfalls & How You Can Avoid Them

Page 2

Common Data Protection Pitfalls – And How You Can Avoid Them

Jim Maloney, Cyber Risk Strategies, LLC
Mark Evertz, Tripwire, Inc.

September 28, 2010

Page 3

IT SECURITY & COMPLIANCE AUTOMATION

Today’s Speakers

Jim Maloney

CEO

Cyber Risk Strategies, LLC

Mark Evertz

Security Solutions Manager

Tripwire, Inc.

Page 4

Cyber Risk Strategies, LLC

Agenda

The data protection challenge and common pitfalls
Data protection objectives
Tripwire data protection scenarios
A glimpse into the future
Five actions for improved data protection

Page 5

The data protection challenge

(Diagram: four pressures acting on the organization's controls, systems and data.)

Complex external threats
Changing business requirements
Growing compliance obligations
Increasing data volumes and distribution

Page 6

More data, everywhere

Disturbing trends from IDC Digital Universe report…

Last year (2009) the amount of data in the ‘Digital Universe’ grew by 62% to nearly 800,000 petabytes (1 petabyte = 1 million gigabytes).

By 2020, the Digital Universe will be 44 times larger than it was in 2009: 35 trillion gigabytes.

Nearly 75% of the Digital Universe is a copy – only 25% is unique.

While enterprise-generated data accounts for 20% of the Digital Universe, enterprises are liable for 80% of the data that is created (the majority created by end-users).

By 2020, more than a third of all the information in the Digital Universe will either live in or pass through the ‘cloud.’

Page 7

Increasing scope of data

Customer data: personal data, financial data, health records, cardholder details, criminal records
Internal data: business plans, intellectual property, customer lists, employee lists, contracts
System data: firewall configurations, router configurations, platform configurations, accounts and permissions, event logs

Page 8

System data, too?

System data (configurations, settings and log files) can be the pathway to compromising customer and internal data

Hackers increasingly exploit configuration weaknesses and programming errors in order to steal information from computer systems.

There is also a trend towards ‘anti-forensics’ - criminals tampering with or deleting logs to hamper detection and investigations.

2010 Verizon Data Breach Investigations Report

Page 9

Pitfall No. 1 – Data awareness

Where is your data?

How is it classified?

Who has access to it?

Page 10

Many compliance obligations

Compliance item (primary locale; industry): data focus

UK Data Protection Act (United Kingdom; all industries): customer data
Data Protection Directive (European Union; all industries): customer data
Privacy and Electronic Communications Directive (European Union; all industries): customer data
Federal Information Security Management Act (United States; US federal agencies): system data
Privacy Act of 1974 (United States; US federal agencies): customer data
Health Insurance Portability and Accountability Act (United States; health): customer data (health care)
HITECH Act (United States; health): customer data (health care)
Identity Theft Red Flags Rule (United States; financial): customer data (identity information)
Gramm-Leach-Bliley Act (United States; financial): customer data (financial information)
Payment Card Industry Data Security Standard (all locales; firms that are part of the credit card processing cycle): customer data (cardholder data and sensitive authentication data)

Page 11

Breach notification laws

Another facet of compliance is the body of laws related to breach notification.

The first breach notification law was passed in 2003 (California SB 1386) in response to concerns about the rise in identity theft.

Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches.

Breach notification laws address data protection only indirectly, by requiring that data breaches be disclosed to the affected individuals.

Trying to avoid the potential impact on brand and reputation provides additional motivation for a business to prevent data breaches.

Page 12

Pitfall No. 2 – A compliance nightmare

(Diagram: every obligation pulls on the same program elements: policies, technology, training, audits, a business continuity plan (BCP) and an incident response plan (IRP), each driven by laws and regulations, the standard of due care, industry standards and best practices.)

Page 13

External threats

Life keeps getting better for the CISO :-)

Advanced, persistent threats

Targeted, adaptive malware

Social engineering via new channels

Page 14

Advanced persistent threats

A low-profile attack directed at specific targets over a prolonged duration.

Its purpose is to gather valuable intelligence and to keep access to the compromised systems.

Typically involves malware to gain access and control, and typically uses an interactive, "low-and-slow" approach.

Page 15

Targeted, adaptive malware

Use of a botnet to deliver malware to a large number of specific targets.

Purpose is to harvest financial account and credit card information for direct use or for sale.

A botnet control center distributes and monitors the installation and effectiveness of malware.

The malware is rapidly updated and redistributed.

Page 16

Social engineering via new channels

Sending a message that creates a sense of urgency or carries an enticing offer.

The purpose is to harvest identity and account information or to deliver malware.

Messages, links, attachments and websites are crafted to look like they come from the legitimate organization; the user hands over account information and/or receives malware.

Expanding beyond email (phishing) to voice calls (vishing), SMS (smishing), instant messaging, Facebook and Twitter.

Page 17

Who is being targeted?

(Chart from the 2010 Verizon Data Breach Investigations Report.)

Page 18

What data is being targeted?

(Chart from the 2010 Verizon Data Breach Investigations Report.)

Page 19

Pitfall No. 3 – Lack of situational awareness

New threats

New vulnerabilities

New business initiatives

New information technology

New security products and services

Page 20

The (d)evolution of information security

(Timeline, 1970 to 2010: the focus of the discipline moved from information to computers, then to internal networks, external networks, applications and clouds, and by 2010 to user behavior.)

Page 21

Pitfall No. 4 – Loss of focus on information security

We started out focused on information security

Wandered through an OSI-like system stack

And now we’re in the clouds :-)

Page 22

Data protection objectives

These objectives still make sense…

Confidentiality – preventing unauthorized disclosure of sensitive information

Integrity – preventing unauthorized modification of systems and information

Availability – preventing disruption of service and information access

Accountability - the ability to determine who (or what) is responsible for the result of an action

Page 23

Enhancing Security & Compliance in a Data Deluge

Mark Evertz, September 2010

Page 24

Must Make Better Use Of Existing Data

(Diagram: the data sources already in place: vulnerability assessment, switches and routers, firewalls, IDS and IPS, databases, applications.)

"We consistently find that nearly 90% of the time logs are available but discovery [of breaches] via log analysis remains under 5%."

2010 Verizon Data Breach Investigations Report

Page 25

Improved Data Protection: Correlation of Change Events & Log Events

(Diagram: raw log data and change events are filtered down to events of interest, which answer two questions: "Am I secure?" and "Is policy impacted?")

Page 26

Example: Correlating Log & Change Events

In sequence:

5 failed logins
Logging turned off
Host not generating events
Windows event log cleared
Login successful
Policy test fails

Page 27

Tripwire – Homepages – Dashboards (screenshot)

Page 28

Attack in Progress? FTP Publishing Enabled… (screenshot)

Page 29

FTP Publishing Failed Test – Actual Value (Auto 2) (screenshot)

Page 30

Clicking Node – Allows Log Center View (screenshot)

Page 31

FTP Publishing – Log Center Query Results: who, what, when, where (screenshot)

Page 32

Query Further on "myUser" – Who is this??? (screenshot)

Page 33

History of myUser Account – Creation to Threat! (screenshot)

Page 34

Raw Event Data – Returned From Log Center (screenshot)

Page 35

Normalized/Readable Data Returned By Log Center (screenshot)
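The event sequence on slide 26 and the FTP Publishing / myUser walk-through on slides 28 to 35 can be reproduced as a small correlation routine. The code below is an added example written for this page; it is not Tripwire code and uses no Tripwire VIA or Log Center API. The event records, the hosts web01 and db01, the accounts myUser, Administrator and svc_backup, every timestamp, and the policy (FTP Publishing must stay disabled) are constructed assumptions. The Windows service start values it relies on are real: the registry Start value is 2 for Automatic, 3 for Manual and 4 for Disabled, which is why the slide reports the failed test's actual value as "Auto 2".

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # when
    host: str         # where
    source: str       # "log" (event log) or "change" (configuration monitor)
    user: str         # who
    action: str       # what
    detail: str = ""  # object acted on
    value: str = ""   # new value, for change events


def at(hhmm):
    """Timestamp on the webcast date; only the time of day varies in the sample."""
    hour, minute = hhmm.split(":")
    return datetime(2010, 9, 28, int(hour), int(minute))


# Constructed sample data, not from the webcast: the slide 26 sequence followed by the
# FTP Publishing change from slides 28 to 35. Host names, the account "myUser",
# the actor "Administrator" and every timestamp are assumptions.
EVENTS = [
    Event(at("08:30"), "web01", "log", "Administrator", "account_created", "myUser"),
    Event(at("09:00"), "web01", "log", "myUser", "logon_failed"),
    Event(at("09:01"), "web01", "log", "myUser", "logon_failed"),
    Event(at("09:02"), "web01", "log", "myUser", "logon_failed"),
    Event(at("09:03"), "web01", "log", "myUser", "logon_failed"),
    Event(at("09:04"), "web01", "log", "myUser", "logon_failed"),
    Event(at("09:05"), "web01", "change", "myUser", "audit_policy", "Logon/Logoff", "No Auditing"),
    # web01 produces nothing for 40 minutes: the host has gone quiet
    Event(at("09:45"), "web01", "log", "myUser", "event_log_cleared", "Security"),
    Event(at("09:46"), "web01", "log", "myUser", "logon_success"),
    Event(at("09:50"), "web01", "change", "myUser", "service_start_type", "FTP Publishing", "2"),
    Event(at("09:00"), "db01", "log", "svc_backup", "logon_success"),
]

# Required Windows service start types, keyed by display name. The registry Start
# value is 2 = Automatic, 3 = Manual, 4 = Disabled; this policy says FTP stays off.
POLICY = {"FTP Publishing": "4"}


def brute_force(events, threshold=5, window=timedelta(hours=1)):
    """Failed logons for one user on one host reaching threshold inside window, then a success."""
    hits, by_key = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.host, e.user)].append(e)
    for (host, user), evs in by_key.items():
        failures = []
        for e in evs:
            if e.action == "logon_failed":
                failures.append(e.ts)
            elif e.action == "logon_success":
                recent = [f for f in failures if e.ts - f <= window]
                if len(recent) >= threshold:
                    hits.append((host, user, len(recent), e.ts))
                failures = []
    return hits


def silent_hosts(events, max_gap=timedelta(minutes=30)):
    """Hosts with a gap between consecutive events longer than max_gap."""
    gaps, by_host = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e.ts)
    for host, stamps in by_host.items():
        gaps += [(host, a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
    return gaps


def anti_forensics(events):
    """Log tampering in either stream: audit policy changes and cleared event logs."""
    return [e for e in events if e.action in {"audit_policy", "event_log_cleared"}]


def policy_failures(events, policy=POLICY):
    """Change events that leave a monitored service in a start type the policy forbids."""
    return [e for e in events
            if e.action == "service_start_type" and policy.get(e.detail, e.value) != e.value]


def history(events, user):
    """Who/what/when/where timeline for an account, from its creation onward."""
    return [(e.ts, e.host, e.user, e.action, e.detail)
            for e in sorted(events, key=lambda e: e.ts)
            if e.user == user or (e.action == "account_created" and e.detail == user)]


def correlate(events):
    """Escalate a policy failure when the same account brute-forced its way onto the host
    and the host shows log tampering or fell silent; the score counts supporting signals."""
    brute = {(h, u) for h, u, _, _ in brute_force(events)}
    tampered = {e.host for e in anti_forensics(events)}
    quiet = {h for h, _, _ in silent_hosts(events)}
    return [(e.host, e.user, e.detail,
             1 + ((e.host, e.user) in brute) + (e.host in tampered) + (e.host in quiet))
            for e in policy_failures(events)]
```

Run against the sample, `correlate(EVENTS)` returns a single finding for web01 / myUser / FTP Publishing with a score of 4: the policy failure itself plus all three corroborating signals. `history(EVENTS, "myUser")` is the "creation to threat" view from slide 33: the Administrator creating the account is included even though the actor field is not myUser, because the account name appears as the object of that event. The silent-host check is the one signal a pure log pipeline cannot produce, since the absence of events is not an event; it has to come from the monitor that knows when the host was last heard from.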

Page 36

Tripwire VIA: IT Security & Compliance Automation

(Diagram: a policy engine and an event database feed two correlations: correlate to bad changes, correlate to suspicious events.)

Page 37

Tripwire VIA

VISIBILITY: across the entire IT infrastructure
INTELLIGENCE: enable better, faster decisions
AUTOMATION: reduce manual, repetitive tasks

Page 38

The future of data protection

More customer, internal and system data, in more locations.

Will need visibility of the current status, locations and change activity related to data to make this environment more manageable and secure.

Protecting data irrespective of its location will enable the distribution of data while maintaining the required level of protection.

Intelligent controls for data protection should follow the data instead of being dependent upon the data’s current environment.

More emphasis on recognizing patterns of acceptable and unacceptable user and system behavior.

A behavioral-based approach can make monitoring, detection and response more scalable.

Data protection controls that automatically adapt to new situations.

Design systems that are self-healing and more resilient.

Page 39

Improved data protection - today

Critical data inventory – Inventory and track the locations of critical data, how it is being used and by whom.

Integrated requirements – Identify and consolidate all relevant data protection compliance obligations.

Situational awareness – Establish a situational awareness process for monitoring external threats and internal changes to the business that could have an impact on data protection.

Controls framework – Adopt and adapt a controls framework. Define a service catalog and service owners. Implement baseline controls.

Risk assessment – Assess data protection controls (people, process and technology) against compliance obligations, external threats and internal business needs. Update as needed.
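Pitfall No. 1 (where is your data, how is it classified) and the first of the five actions (a critical data inventory) come down to the same question: which files actually hold which class of data? The following is an added example, not part of the webcast and not a Tripwire feature, showing a small discovery scanner that classifies file contents against the data classes of slide 7. Pattern detectors alone produce noise, so the cardholder check is gated by the Luhn checksum, which is what separates a real card number from any sixteen-digit order reference. The sample files and their contents are constructed; the card numbers are the publicly documented Visa and Mastercard test numbers, and the `scan_directory` helper is an assumption about how the inventory would be run over a real tree (it adds owner and mode so the "who has access" column can be filled in).

```python
import re
import stat
from pathlib import Path

# Detectors for the data classes on slide 7: cardholder data, personal identifiers,
# contact details (customer lists) and credentials (system data). Patterns are broad
# on purpose; the Luhn check is what keeps cardholder hits honest.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SECRET_RE = re.compile(r"(?im)^\s*\w*(?:password|passwd|secret|api_key)\w*\s*[=:]\s*\S+")
KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Constructed sample files (assumptions, not the webcast's data). The valid card numbers
# are the publicly documented Visa and Mastercard test numbers; the SSN is made up and
# 1234567890123456 is there to show a sixteen-digit run that is not a card.
SAMPLE_FILES = {
    "finance/orders.csv": "order_id,card_number\n1001,4111 1111 1111 1111\n"
                          "1002,1234567890123456\n1003,5555 5555 5555 4444\n",
    "hr/employees.txt": "Ann Example, 123-45-6789, ann@example.com\n",
    "etc/backup.conf": "target=/srv/backup\ndb_password=hunter2\n",
    "docs/readme.txt": "Nothing sensitive here.\n",
}


def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digits summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Card-number candidates (13 to 19 digits, optional separators) that pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text):
    """Hit count per data class; an empty dict means nothing sensitive was found."""
    counts = {}
    pans = find_pans(text)
    if pans:
        counts["customer:cardholder"] = len(pans)
    ssns = SSN_RE.findall(text)
    if ssns:
        counts["customer:personal_id"] = len(ssns)
    emails = EMAIL_RE.findall(text)
    if emails:
        counts["customer:contact"] = len(emails)
    secrets = SECRET_RE.findall(text) + KEY_RE.findall(text)
    if secrets:
        counts["system:credential"] = len(secrets)
    return counts


def inventory(files):
    """Critical-data inventory: which file holds which class of data, and how much of it."""
    rows = []
    for path, text in files.items():
        classes = classify(text)
        if classes:
            rows.append({"path": path, "classes": classes, "hits": sum(classes.values())})
    return sorted(rows, key=lambda r: (-r["hits"], r["path"]))


def scan_directory(root):
    """The same inventory over a real tree, with owner uid and mode added (who has access).
    Files are read as text with undecodable bytes dropped, so binaries are skimmed, not parsed."""
    files, access = {}, {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            st = p.stat()
            files[str(p)] = p.read_text(errors="ignore")
            access[str(p)] = (st.st_uid, stat.filemode(st.st_mode))
    rows = inventory(files)
    for r in rows:
        r["uid"], r["mode"] = access[r["path"]]
    return rows
```

On the sample, `inventory(SAMPLE_FILES)` lists the orders file with two cardholder hits (the order reference 1234567890123456 fails Luhn and is dropped), the HR file with one identifier and one contact address, and the backup configuration with one credential; the readme does not appear at all. The class labels deliberately mirror the slide's split into customer and system data so the inventory can be rolled up by the same categories the compliance table uses.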

Page 40

Thank you

If you have any questions, please feel free to contact me…

Jim Maloney ( jmaloney @ cyberriskstrategies.com )

Page 41

www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980

THANK YOU!

Mark Evertz, Security Solutions Manager
Direct: 503.269.2639
E-mail: [email protected]