Risk, Regulations and Data Protection Shahar Geiger Maor, Senior Analyst
Contact: www.shaharmaor.blogspot.com | http://www.facebook.com/shahar.maor | http://twitter.com/shaharmaor
Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic 2
What is Risk?
Risk Management…
• Risk management is present in all aspects of life
• It is about the everyday trade-off between an expected reward and a potential danger
• It is universal, in the sense that it refers to human behaviour in the decision-making process
No Risk… No Gain!
Benefits of Risk Management (potential benefits)
• Better service delivery
• Supports strategic and business planning
• More efficient use of resources
• Quick grasp of new opportunities
• Reassures stakeholders
• Promotes continual improvement
• Helps focus the internal audit programme
• Increased certainty and fewer surprises
Enterprise Risk Management (ERM)
• ERM is an ongoing process
• ERM is an integral part of how an organization operates
• ERM applies to all organizations, not just financial organizations
• Risk applies broadly to all things threatening the achievement of organizational objectives
• Risk is not limited to threats, but also refers to opportunities
• The goal of an organization is not “risk mitigation”, but seeking an appropriate “risk-return position”
Regulations – The Olympic Minimum Syndrome
When Regulation is a Good Idea…
SOX
Ultimate Liability
Countrywide’s Angelo Mozilo, Bear Stearns’ Jimmy Cayne, Lehman Brothers’ Dick Fuld, and Merrill Lynch’s John Thain
Security Ecosystem: Key Roles
• Senior Management
• Data owners
• Custodian
• CISO
• Users
PCI-DSS: Israeli Market and Challenges
Diagram: a merchant environment (network/DSL router, POS server, POS terminals, PIN pads, written policies, and a 3rd-party scan vendor) mapped against PCI-DSS Requirements 1 to 12.
Information Security “Threatscape”
Social Engineering
Preventing social engineering:
• Verify identity
• Do not give out passwords
• Do not give out employee information
• Do not follow commands from unverified sources
• Do not distribute dial-in phone numbers to any computer system except to valid users
• Do not participate in telephone surveys
Reacting to social engineering:
• Use Caller ID to document the phone number
• Take detailed notes
• Get the person’s name/position
• Report incidents
Phishing
• A social engineering scam
• A scam that uses email or websites to deceive you into disclosing sensitive information
• How does it work?
– You receive an email or pop-up message
– The message usually says that you need to update or validate your account information
– It might threaten some dire consequence if you don’t respond
– The message directs you to a bogus website
– You type in sensitive info… and that’s it
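The mechanics above can be turned into a simple mail check. The Python below is an added example, not code from the presentation or from STKI: it pulls the links out of an HTML email body and flags the classic tells the slide lists (a request to update or validate an account, a threat of consequences, and link text that names one domain while the href points at another). The urgency phrase list, the sender domain and both sample messages are constructed for the example, and the domain comparison uses a crude last-two-labels rule rather than the Public Suffix List.

```python
"""Heuristic phishing checks over an email (added example, not from the deck)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The lures the slide describes: "update or validate your account" plus a
# threat of dire consequences. Constructed list; tune to the language you see.
URGENCY_PHRASES = (
    "update your account", "validate your account", "verify your account",
    "account will be suspended", "within 24 hours", "immediately",
)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Crude stand-in for a Public Suffix
    List lookup (it mishandles e.g. co.uk), but enough to show the idea."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
_RAW_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def phishing_indicators(sender_domain, subject, html_body):
    """Return human-readable reasons the message looks like phishing.
    An empty list means no heuristic fired, not that the mail is safe."""
    indicators = []
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            indicators.append(f"urgency phrase: {phrase!r}")

    parser = _AnchorCollector()
    parser.feed(html_body)
    for href, visible in parser.anchors:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        if _RAW_IP.fullmatch(host):
            indicators.append(f"link uses a raw IP address: {host}")
        elif registrable_domain(host) != registrable_domain(sender_domain):
            indicators.append(
                f"link host {host} is not under the sender's domain {sender_domain}")
        shown = _DOMAIN_IN_TEXT.search(visible)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            indicators.append(
                f"link text shows {shown.group(1)} but the link goes to {host}")
    return indicators


# Constructed sample messages (hypothetical domains, not real mail).
SAMPLE_PHISH = dict(
    sender_domain="bank.example",
    subject="Validate your account within 24 hours",
    html_body='<p>Your account will be suspended unless you sign in now.</p>'
              '<a href="http://bank.example.attacker.test/login">'
              'https://www.bank.example/secure</a>',
)
SAMPLE_LEGIT = dict(
    sender_domain="bank.example",
    subject="Your monthly statement is ready",
    html_body='<a href="https://www.bank.example/statements">View statement</a>',
)

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(**msg))
```

The sample phish trips five indicators (three urgency phrases, a link host outside the sender's domain, and link text that shows one domain while the href goes to another); the legitimate statement mail trips none. Heuristics like these are a triage aid for a mail gateway or an awareness exercise, not a substitute for the "verify identity" rule on the previous slide.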
Technologies Categorization 2010\2011
Chart (Source: STKI): security technologies plotted by market maturity (Using / Implementing / Looking) against market curiosity, grouped into “Major Changes” and “IT Project”; the size of each figure represents the complexity/cost of the project. Technologies shown: Cyber Warfare, Mobile Sec, DLP\IRM, “Social” Security, Cloud Security, Network Security, Application Security, Endpoint Security, Security Management, Data Protection.
Cyber-Warfare
http://edmahoney.wordpress.com/2010/01/13/cyber-war-home-theater/
Mobile Security
“Social Security”
Data Centric Approach
• Build a wall – “perimeter security”
• “Business of Security” – security is built into the business process
Data Security Domain
Source: Securosis
STKI Index 2010\2011 – Top Queries to STKI (Source: STKI)
EPS/mobile 14%
Market/Trends 13%
Access/Authentication 12%
Network Sec 12%
GW 10%
DCS 9%
DB/DC SEC 9%
Vendor/Product 8%
Regulations 7%
SIEM/SOC 3%
Miscellaneous 2%
Encryption 1%
Internal vs. External Human Threats
Leakage Mitigation in Israel
• Awareness\Methodology
• IRM\Vaulting\Mail Protection
• DB protection
• GW protection
• Encryption
• Device Control
• Endpoint DLP
Protect your data
• Access Management
• Entitlement Management
• Network Segregation
• Server/Endpoint Hardening
• USB/Media Encryption/Device Control
• Database Encryption
• DAM
• Storage Encryption
• Application Encryption
• Email Filtering

• Data Loss Prevention – Network
• Data Loss Prevention – Endpoint
• Data Loss Prevention – Storage
• Full Drive Encryption
• USB/Media Encryption/Device Control
• Enterprise Digital Rights Management
• Data Masking
• Entitlement Management
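Two of the controls listed above, Data Loss Prevention and Data Masking, meet in the simplest possible DLP task: finding card numbers in free text and masking them before they reach a log, a report or an email. The Python below is an added example, not code from the presentation or from STKI. It uses the Luhn check to separate real PANs from other long digit runs and masks to the first six and last four digits, which is the most PCI DSS Requirement 3.3 allows to be displayed. The POS log lines are constructed for the example (the card numbers are the well-known Visa and Mastercard test numbers, not real cards).

```python
"""Find and mask card numbers in free text (added example, not from the deck)."""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run. Everything here is heuristic; a real
# DLP engine adds issuer prefixes, context words and many more formats.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) check: weeds out order IDs and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four; PCI DSS Req. 3.3 allows at most that much
    of a PAN to be displayed. The length is preserved so layouts don't break."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text):
    """Return (redacted_text, list_of_pans_found). Only Luhn-valid candidates
    are treated as PANs; everything else is left untouched."""
    found = []

    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            found.append(digits)
            return mask_pan(digits)
        return raw

    return PAN_CANDIDATE.sub(_replace, text), found


# Constructed POS log lines. 4111111111111111 and 5555555555554444 are the
# well-known Visa/Mastercard test numbers; the other two digit runs are not PANs
# (one fails Luhn, one is a 16-digit order number that also fails Luhn).
SAMPLE_LOG = """\
2011-03-14 10:02:11 POS-07 sale approved card=4111 1111 1111 1111 amount=129.90
2011-03-14 10:02:12 POS-07 order=1234567890123456 customer=ACME
2011-03-14 10:05:40 POS-03 sale declined card=4111111111111112
2011-03-14 10:07:02 POS-03 sale approved card=5555-5555-5555-4444 amount=18.00
"""

if __name__ == "__main__":
    redacted, found = redact_pans(SAMPLE_LOG)
    print(redacted)
    print("PANs found:", found)
```

Run on the sample, the two real PANs come back masked (411111******1111 and 555555******4444) while the order number and the mistyped card number are left alone. The same routine, pointed at a log pipeline or an outbound mail filter, is the core of a network or storage DLP rule; the Luhn filter is what keeps the false-positive rate tolerable on data full of timestamps, order IDs and phone numbers.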
Top Insights
• Most organizations still rely heavily on “traditional” security controls like system hardening, email filtering, access management, and network segregation to protect data
• Most organizations see unstructured data storage as their main security concern
• Most organizations must meet at least one regulatory or contractual compliance requirement
Top Insights (cont.)
• Many organizations tend “not to touch” their production DB
DB protection: Estimated Technology Penetration
• Using this technology: 52%
• Evaluating\Not using: 48%
Identity and Access Management
• This is where most activity occurs
• “Leper Colony” – keep away!!!
Thank you!