Data Protection: Security from the Inside Out - PowerPoint PPT Presentation

1
Data Protection Security from the Inside Out
  • Fred Langston, CISSP
  • Global Product Manager
  • VeriSign, Enterprise Security Services
  • December 3, 2007

2
Introduction
  • Data-centric security starts from the smallest
    elements: the data itself
  • So, do we really have a good definition of data
    when it comes to security? Consider the value
    and impact of an adverse event:
      • Regulatory impacts
      • Monetary impact of loss
      • Direct costs associated with loss
      • Recreation of data if lost
      • Loss of CIA (Confidentiality, Integrity and
        Availability)
  • In essence, we must know our data intimately:
    how it's used, valued, and protected
  • From this knowledge, we can create a framework
    for security that focuses on the most valuable
    asset: the data itself

3
Today's Headlines, December 3, 2007
  • Data theft touches 150,000 Massachusetts seniors
      • Senior citizens who participate in a
        Massachusetts insurance program have received
        word that their personal information may have
        fallen into the hands of an identity thief.
  • UK government accuses Chinese of IT espionage
      • The British intelligence agency MI5 has warned
        300 U.K. business concerns that their IT systems
        are under attack by Chinese state organizations.
  • Attackers exploiting unpatched QuickTime flaw
      • Please note that the people attempting to
        compromise your system do work weekends. The
        QuickTime vulnerability for which
        proof-of-concept code was revealed Thursday went
        into full attack mode over the weekend, with two
        campaigns underway.
  • DBA Admits to Theft of 8.5M Records
      • A former senior database administrator at a
        subsidiary of Fidelity National Information
        Services last week pleaded guilty to stealing
        some 8.5 million customer records and selling
        them to data brokers.

4
What are the causes of breaches?
  • Poor identity management
  • Poorly secured wireless
  • Unsecured physical assets
  • Application vulnerabilities
  • Lack of monitoring (logs and IDS)
  • Network architecture flaws: flat networks
  • Data leakage into the DMZ, spreadsheets, and
    Access databases

5
Store Less Data
  • What do you NEED to store?
      • What data is available to you?
      • What are the business and legal needs?
      • Where do you need to store this?
      • What is the associated risk?
  • Ask the hard questions!
      • Why do you need this?
      • What would you do without it?
  • What to do with risk?
      • Accept it (and face fines!)
      • Mitigate it
      • Insure it

6
Data Security Problem 1: Where's the Beef, er,
Data?!
  • Data-centric security starts by knowing:
      • What the data is
      • What its value is
      • How to classify the data
      • Where the data:
          • Ingresses and egresses the enterprise
          • Is stored
          • Is processed
          • Is transmitted
          • Is retained
          • Is archived
          • Is destroyed

7
Simple Solutions to Difficult Challenges
  • Understand your Data Flows
      • How many know their data flow end to end?
      • File shares: Word, Excel, and Access!!
      • Laptops and mobile devices
      • What about systems and application failures and
        crashes?
          • Dump files, core dumps
          • Live memory
          • Debugging extracts
  • Store Less Data
      • You don't have to secure what you don't have
  • Create a Data Protection Framework!

8
Data Protection Frameworks
  • Data identification and valuation
      • BIA (Business Impact Analysis)
      • Statement of Acceptable Risk
      • Policy
  • Data classification
      • Policy
      • Awareness of policy
      • Implementation maturity
  • Data mapping and flow analysis
  • Data-centric risk analysis or regulatory
    compliance gap analysis
  • Sensitive data minimization
  • Create data protection control standards based
    on:
      • Storage, transmission, and processing of data
      • Value of data
      • Regulatory or business impact of data breach

9
Map your Data Flows
10
Practical Tips for Avoiding Data Breaches
  • Address App & Net Vulnerabilities
      • Do you know the real risk?
  • Improve Security Awareness
      • People ARE the weakest link!
  • Monitor Systems for Intrusions
      • Monitor to Stop and Prevent
      • Filter outbound data based on data classification
  • Segment Networks
      • Still the most effective way to reduce attack
        surface
  • Encrypt, encrypt, encrypt!
      • Manage the encryption keys properly

11
Encrypt any Stored Data
  • Why is encryption so hard?
      • Legacy systems: more problems than encryption
      • Most platforms have some solution
      • Key management is still a massive problem
  • What are my options?
      • Retrofit applications
      • Use an encryption appliance
      • Use a database that supports encryption
      • Render unreadable without encryption (truncation,
        tokenization, hashing)
  • The Dangers of Encryption
      • Approach encryption enterprise-wide and create a
        sound strategy
      • Keep in mind, encryption is needed elsewhere, not
        just around one system
      • Pesky data flows are required again!
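The three "render unreadable without encryption" options on this slide are easy to confuse, so here is an added example (not from the presentation or from VeriSign) that shows each one applied to a constructed customer record. The card number and SSN are made-up test values, the token vault is an in-memory stand-in for a real tokenization service, and the HMAC key is a placeholder; the record layout and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: a test card number that passes the Luhn check
# and a made-up SSN. Neither belongs to a real person or account.
SAMPLE_PAN = "4111111111111111"
SAMPLE_SSN = "123-45-6789"


def truncate_pan(pan: str) -> str:
    """Truncation: keep the first six and last four digits and discard the
    rest. The dropped digits are gone for good, so this form is safe to
    show on receipts and screens, but it can never be used to charge a card."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a card-length value")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Tokenization: the real value lives only inside the vault. Applications
    store and pass around a random token that has no mathematical relation
    to the value, so a leaked token reveals nothing on its own."""

    def __init__(self):
        self._by_token = {}   # token -> original value
        self._by_value = {}   # original value -> token (same value, same token)

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault (a tightly controlled system) can go back to the value.
        return self._by_token[token]


def keyed_hash(value: str, key: bytes) -> str:
    """Hashing: HMAC-SHA256 under a secret key, usable as a lookup/matching
    index. A plain unsalted SHA-256 is not enough for a 16-digit PAN or a
    9-digit SSN, because the input space is small enough to enumerate; the
    secret key is what makes the output unguessable, so it has to be managed
    like any other encryption key (the slide's key-management point)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def protect_record(record: dict, vault: TokenVault, hmac_key: bytes) -> dict:
    """Apply all three techniques to one record. The result contains no raw
    PAN or SSN, so it can live in the application database."""
    return {
        "name": record["name"],
        "pan_display": truncate_pan(record["pan"]),        # for display only
        "pan_token": vault.tokenize(record["pan"]),         # app-side reference
        "ssn_index": keyed_hash(record["ssn"], hmac_key),   # for matching
    }


if __name__ == "__main__":
    vault = TokenVault()
    key = b"placeholder-key-from-your-key-manager"   # assumption: real key comes from a KMS/HSM
    stored = protect_record({"name": "Alice Example", "pan": SAMPLE_PAN,
                             "ssn": SAMPLE_SSN}, vault, key)
    for field, value in stored.items():
        print(f"{field:12} {value}")
```

Usage note: only the truncated form is irreversible; the token and the keyed hash both depend on a secret (the vault contents, the HMAC key) that must be kept separate from the data store, which is exactly why the slide keeps returning to key management and data flows.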

12
Address Vulnerabilities
  • Assess Applications
      • 45% of all Internet-based attacks occur at the
        application layer
  • Identify Poorly Coded Web Apps
      • Perform code review or application testing to
        ensure code is secure
  • Perform Quarterly Scans
      • And be sure to include applications
  • Implement Strict SDLC Processes
      • Try tracking vulnerabilities by developer

13
Security Awareness Training
  • People are your weakest security link!
      • Users do not take password controls seriously
      • Administrators tend to be bad offenders
  • Ongoing awareness training helps keep application
    vulnerabilities down
  • Proper training allows associates to find and
    disclose sensitive data:
      • SSNs, DL, Account numbers
      • Laptops
      • Large data storage areas
      • Excel and Access
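Finding SSNs and account numbers in spreadsheet exports (this slide) and filtering outbound data by classification (the "Practical Tips" slide) both come down to the same scanner. The following added example, which is not part of the presentation, classifies constructed CSV-style rows as "restricted" or "internal" using a format check for SSNs and a Luhn check for card numbers, reports findings in masked form so the report itself does not leak, and makes an egress decision from the classification. The row data, the two-level classification scheme, and the patterns are assumptions chosen for illustration.

```python
import re

# Constructed sample rows, as might be found in an exported spreadsheet.
# The card numbers are standard test values, the SSNs are made up.
SAMPLE_ROWS = [
    "Alice Example,123-45-6789,4111111111111111,approved",
    "Bob Example,n/a,1234567812345678,pending",        # 16 digits but fails Luhn
    "Carol Example,987-65-4321,,declined",
    "Meeting notes: order 4532015112830366 shipped",    # card number in free text
    "Dan Example,no ssn,,approved",
]

# Format approximations: a dashed nine-digit SSN and any 13-19 digit run.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates real-looking card numbers from order ids,
    phone numbers and other long digit strings (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_line(line: str) -> dict:
    """Return the classification level and the sensitive values found."""
    ssns = SSN_RE.findall(line)
    cards = [c for c in CARD_RE.findall(line) if luhn_ok(c)]
    level = "restricted" if (ssns or cards) else "internal"
    return {"level": level, "ssn": ssns, "card": cards}


def scan(rows):
    """Classify every row of an export."""
    return [classify_line(r) for r in rows]


def mask(value: str) -> str:
    """Keep only the last four characters so a findings report can be shared
    with data owners without re-disclosing the data it found."""
    return "*" * (len(value) - 4) + value[-4:]


def summarize(rows):
    """(row index, level, masked findings) for every restricted row."""
    report = []
    for idx, result in enumerate(scan(rows)):
        if result["level"] == "restricted":
            found = [mask(v) for v in result["ssn"] + result["card"]]
            report.append((idx, result["level"], found))
    return report


def outbound_allowed(line: str) -> bool:
    """Egress filter decision: block anything classified as restricted."""
    return classify_line(line)["level"] != "restricted"


if __name__ == "__main__":
    for idx, level, found in summarize(SAMPLE_ROWS):
        print(f"row {idx}: {level} {found}")
    for row in SAMPLE_ROWS:
        print("ALLOW" if outbound_allowed(row) else "BLOCK", row[:30])
```

Usage note: the Luhn check is what keeps row 1 (a 16-digit string that is not a valid card number) out of the findings, and the masked report is the form an awareness-trained associate should pass to the data owner rather than forwarding the raw row.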

14
Monitor Systems for Intrusions & Anomalies
  • Intrusion Detection/Prevention Strategies
      • Look for renegade egress devices like
        unauthorized wireless APs
      • Focus on an enterprise-wide logging and log
        management strategy
  • Implement Strict SDLC Processes

15
Segmentation and Access Controls
  • Network Segmentation
      • Is anyone else tired of hearing this suggestion?
      • Why is it so critical?
      • What are additional benefits?
          • Resilience to internal DoS
          • Centralized security
  • Multi-Level Access Controls
      • 802.1x, is it finally ready?
      • VPNs (IPSec and SSL)
      • Centralized Identity Management
      • Wireless

16
Final Thoughts and Future Considerations
  • Data protection is a continual process - think of
    data protection as a journey, not a project, and
    manage it that way
  • Other things to think of:
      • Mergers and Acquisitions
      • New business lines
      • Global Operations
      • Wireless and Mobile Payments
          • SIM-based payments
      • Chip & PIN, Not Exempt!
      • Devices such as iPhones
  • Use data protection to fuel security program
    development throughout your enterprise
  • THERE IS NO SILVER BULLET!

17
Questions & Answers
18
Thank You
  • Fred Langston, CISSP
  • FLangston_at_VeriSign.com
  • (425) 765-3330

For general information on VeriSign's Security
Services please email JMonahan_at_VeriSign.com or
call (303) 886-1281