Risk, regulation and data protection

Page 1: Risk, regulation and data protection

Risk, Regulations and Data Protection Shahar Geiger Maor, Senior Analyst

Scan me to your contacts:

www.shaharmaor.blogspot.com http://www.facebook.com/shahar.maor http://twitter.com/shaharmaor

Page 2: Risk, regulation and data protection

Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic 2

What is Risk?

Page 3: Risk, regulation and data protection


Risk Management…

• Risk management is present in all aspects of life

• It is about the everyday trade-off between an expected reward and a potential danger

• It is universal, in the sense that it refers to human behaviour in the decision-making process

Page 4: Risk, regulation and data protection


No Risk… No Gain!

Page 5: Risk, regulation and data protection


Benefits of Risk Management

Potential benefits:

• Better service delivery

• Supports strategic and business planning

• More efficient use of resources

• Quick grasp of new opportunities

• Reassures stakeholders

• Promotes continual improvement

• Helps focus internal audit programme

• Increased certainty and fewer surprises

Page 6: Risk, regulation and data protection


• ERM is an ongoing process

• ERM is an integral part of how an organization operates

• ERM applies to all organizations, not just financial organizations.

• Risk applies broadly to all things threatening the achievement of organizational objectives

• Risk is not limited to threats, but also refers to opportunities.

• The goal of an organization is not “risk mitigation”, but seeking an appropriate “risk-return position”.

Page 7: Risk, regulation and data protection


Regulations – The Olympic Minimum Syndrome

Page 8: Risk, regulation and data protection


When Regulation is a Good Idea…

Page 9: Risk, regulation and data protection


SOX

Page 10: Risk, regulation and data protection


Ultimate Liability

Countrywide’s Angelo Mozilo, Bear Stearns’ Jimmy Cayne, Lehman Brothers’ Dick Fuld, and Merrill Lynch’s John Thain

Page 11: Risk, regulation and data protection


Security Ecosystem: Key Roles

• Senior Management

• Data owners

• Custodian

• Users

• CISO

Page 12: Risk, regulation and data protection


PCI-DSS: Israeli Market and Challenges

[Figure: the twelve PCI-DSS requirements (Requirement 1 to Requirement 12) mapped onto a retail payment environment: Network DSL Router, POS Server, POS Terminals, PIN Pads, Policies, 3rd Party Scan Vendor.]

Page 13: Risk, regulation and data protection


Information Security “Threatscape”

Page 14: Risk, regulation and data protection


Social Engineering

Page 15: Risk, regulation and data protection


Social Engineering

Preventing social engineering:

• Verify identity

• Do not give out passwords

• Do not give out employee information

• Do not follow commands from unverified sources

• Do not distribute dial-in phone numbers to any computer system except to valid users

• Do not participate in telephone surveys

Reacting to social engineering:

• Use Caller ID to document the phone number

• Take detailed notes

• Get the person’s name/position

• Report incidents

Page 16: Risk, regulation and data protection


Phishing

• A social engineering scam

• A scam that uses email or websites to deceive you into disclosing sensitive information

• How does it work?

– You receive an email or pop-up message

– The message usually says that you need to update or validate your account information

– It might threaten some dire consequence if you don’t respond

– The message directs you to a bogus website

– You type sensitive info… and that’s it…

Page 17: Risk, regulation and data protection


Technologies Categorization 2010\2011

[Figure: STKI technology map. Horizontal axis: Using / Implementing / Looking. Vertical axis: Market Curiosity – Market Maturity – Major Changes. Size of figure = complexity/cost of project. Plotted items: IT Project, Cyber Warfare, Mobile Sec, DLP\IRM, “Social” Security, Cloud Security, Network Security, Application Security, Endpoint Security, Security Management, Data Protection.]

Source: STKI

Page 18: Risk, regulation and data protection


Cyber-Warfare

http://edmahoney.wordpress.com/2010/01/13/cyber-war-home-theater/

Page 19: Risk, regulation and data protection


Mobile sec

Page 20: Risk, regulation and data protection


“Social Security”

Page 21: Risk, regulation and data protection


Data Centric Approach

Build a wall – “perimeter security”

“Business of Security” – Security is built into the business process

Page 22: Risk, regulation and data protection


Data Security Domain

Source: Securosis

Page 23: Risk, regulation and data protection


STKI Index 2010\2011 – Top Queries to STKI

• EPS/mobile 14%

• Market/Trends 13%

• Access/Authentication 12%

• Network Sec 12%

• GW 10%

• DCS 9%

• DB/DC SEC 9%

• Vendor/Product 8%

• Regulations 7%

• SIEM/SOC 3%

• Miscellaneous 2%

• Encryption 1%

Source: STKI

Page 24: Risk, regulation and data protection


Internal vs. External Human Threats

Page 25: Risk, regulation and data protection


Leakage Mitigation in Israel

• Awareness\Methodology

• IRM\Vaulting\Mail Protection

• DB protection

• GW protection

• Encryption

• Device Control

• Endpoint DLP

Page 26: Risk, regulation and data protection


Protect your data

• Access Management

• Entitlement Management

• Network Segregation

• Server/Endpoint Hardening

• USB/Media Encryption/Device Control

• Database Encryption

• DAM

• Storage Encryption

• Application Encryption

• Email Filtering

• Data Loss Prevention – Network

• Data Loss Prevention – Endpoint

• Data Loss Prevention – Storage

• Full Drive Encryption

• USB/Media Encryption/Device Control

• Enterprise Digital Rights Management

• Data Masking

• Entitlement Management

Page 27: Risk, regulation and data protection


Top Insights

• Most organizations still rely heavily on “traditional” security controls like system hardening, email filtering, access management, and network segregation to protect data.

• Most organizations see unstructured data storage as their main security concern.

• Most organizations must meet at least 1 regulatory or contractual compliance requirement.

Page 28: Risk, regulation and data protection


Top Insights – cont.

• Many organizations tend “not to touch” their prod DB.

DB protection: Estimated Technology Penetration

• Using this technology: 52%

• Evaluating\Not using: 48%

Page 29: Risk, regulation and data protection


Identity and Access Management

Page 30: Risk, regulation and data protection


Identity and Access Management

This is where most activity occurs – Leper Colony, keep away!!!

Page 31: Risk, regulation and data protection


Thank you! Download this presentation: