Mike Hager Enterprise Security Advisor Unisys Corporation It’s All About The Data.

Presentation transcript:

Threats Today Include
A belief on the part of senior management that there are no serious threats directed at their company.
Terrorist acts
Natural disasters
Criminal acts
Network attacks
–Inside attacks
–Outside attacks
–Viruses/Malicious

The World We Live In Today
General Internet attack trends are showing a 64% annual rate of growth.
The average company experienced 32 attacks per week over the past 6 months.
Two out of five companies that are hit by a disaster go out of business within 5 years.
A Gartner report indicates that the average cost of network downtime is $42,000 per hour.

Top 10 Management Mistakes Addressing Data Security
10. Believe that information security and disaster recovery are important issues, but believe they are important issues for someone else to handle.
9. Pretend the problem will go away if you simply ignore it.
8. Rely primarily on perimeter protection.
7. Fail to realize the value of their information and organizational reputations.
6. Believe that it will never happen to them.

Top 10 Management Mistakes Addressing Data Security (continued)
5. Fail to understand the relationship between information security, disaster recovery and the business.
4. Use technology as a fix and not a solution.
3. Address security as an afterthought, i.e. something we can add later.
2. Look at security as an expense, not an investment.
1. Fail to develop a system of information classification and to establish minimum protection requirements for each level of classified data.

What Has Been Our Approach? Building Bigger and More Complex Walls

We Have Created the M & M Effect

Where Do You Begin? You begin by identifying what to protect. If you don’t know what to protect, how do you know how to protect it? Without knowing what to protect you end up either over-protecting or under-protecting your valuable, critical and sensitive information. Neither of which is a “good thing”.

Element I
Companies must engage in sound business and security practices that afford critical and sensitive information adequate protection, resulting in an acceptable level of risk against loss, improper use, compromise, unauthorized alteration or modification.

Element II
Protection programs must be flexible and capable of addressing all information protection needs in the ever-changing business and technical environment.

Element III
Protection programs must be focused on actual threats. Strategies must be developed that are based on sound business practices.

Element IV
Protection programs must ensure the confidentiality and integrity of critical systems and sensitive information, while ensuring its availability to those who need it to perform their assigned duties and tasks.

Federal Regulation Impact On Security
New HIPAA & SEC regulations based on the Gramm-Leach-Bliley Act and Sarbanes-Oxley require that we adopt policies and procedures reasonably designed to:
1. Insure the security and confidentiality of customer records and information.
2. Protect against any anticipated threat or hazard to the security and integrity of customer records and information.
3. Protect against unauthorized acts as to the use of customer records or information that could result in substantial harm or inconvenience to any customer.

Information Security - Key Questions
Do you have a system of information classification that outlines minimum protection requirements for each level of data?
Do you have a network security strategy that addresses a layered approach to protection?
Do you know where all sensitive data resides?
Have you identified who can access the data?
Have you identified how to protect the data during transmission?
Have you identified how to protect the data stored in your network?

Network Protection Strategy
A well-conceived network protection strategy should take a layered approach. At a minimum it should include three layers of protection:
The Gateway Layer - Answers the question “Can I come in?”
The Control Layer - Answers the question “Where can I go?”
The Data Layer - Answers the question “What can I do?”

Data Protection Strategy: Layered Approach (diagram of the three layers: Gateway Layer, Control Layer, Data Layer)

The Gateway Layer
Answers the question “Can I come in?”
Allows you to address how access is gained to your networks:
Firewalls
Intrusion Detection Systems
Modems
Remote access such as VPN and extranets
User authentication methods

Gateway Layer Considerations
Do you rely solely on the “password” as your method of authentication to protect critical data and systems?
Have you tested your password strength with a password cracker such as L0phtCrack?
Keep in mind that Gateway level protection does little to protect against the insider threat.

Benefits of Completing The Gateway Layer
Eliminates reliance on “passwords” as the only means of protection, thus eliminating risk and liabilities.
Sets the architectural foundation for future e-business.
Provides a foundation for secure remote access.
Provides your company with the ability to identify and react to all attacks directed at your networks from outside the company.

The Control Layer
Answers the question “Where can I go?”
Does your security access control program implement a role-based security model?
Do these roles identify exactly what each employee has and can have access to?
Bottom line: Do you really know who has access to what, and can you control it?

Control Layer Considerations
Is your access control model and/or strategy based on a business need to know?
Have you identified who should and can have your sensitive data?
Have you considered the implementation of a strategy and tools that will allow you to effectively identify and manage a “role-based” access control model?

Benefits of The Control Layer
Provides you with the ability to manage access administration across heterogeneous environments.
Allows you to quickly turn on and turn off access.
Replaces your current traditional “paper trail” of access requests with a fast and accurate electronic workflow approach.
Provides an audit trail and strong security by consolidating all access information into a single database.
Provides you with the means to quickly set up access for new applications implemented by the company.

Benefits of The Control Layer (continued)
Takes control of the management of access within your applications and networks.
Increases productivity by eliminating all but a single password for the majority of users.

The Data Layer
Answers the question “What can I do?”
Do you have the methodology to identify and restrict the abilities of each user?
1. Can all users read all data?
2. Can all users modify all data?
3. Can all users delete all data?
4. Can you restrict, based on a user’s role, what each can do?

Components of the Data Layer
Use of strong passwords to protect data
Use of encryption to protect sensitive data
Use of Digital Rights Management
PKI as a solution to access control
Smart cards and tokens to access data
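The three layer questions (“Can I come in?”, “Where can I go?”, “What can I do?”) and the mistake ranked #1 (no classification scheme with minimum protection requirements per level) can be turned into one access decision. The following is an added example, not code from the presentation or from Unisys; the classification levels, role names, system names and control names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed classification scheme (lowest to highest) and the minimum protection each level requires.
LEVELS = ["public", "internal", "sensitive", "critical"]
MIN_PROTECTION = {
    "public": set(),
    "internal": {"authenticated"},
    "sensitive": {"authenticated", "mfa", "encrypted_at_rest"},
    "critical": {"authenticated", "mfa", "encrypted_at_rest", "encrypted_in_transit"},
}
SESSION_CONTROLS = {"authenticated", "mfa"}                     # checked at the gateway layer
STORE_CONTROLS = {"encrypted_at_rest", "encrypted_in_transit"}  # checked at the data layer
# Constructed role model: reachable systems, highest classification allowed, permitted actions.
ROLES = {
    "clerk": {"systems": {"billing"}, "max_level": "internal", "actions": {"read"}},
    "analyst": {"systems": {"billing", "warehouse"}, "max_level": "sensitive",
                "actions": {"read", "modify"}},
    "dba": {"systems": {"warehouse"}, "max_level": "critical",
            "actions": {"read", "modify", "delete"}},
}

@dataclass(frozen=True)
class Request:
    role: str
    system: str
    level: str           # classification of the data being touched
    action: str          # read / modify / delete
    controls: frozenset  # protections actually present on the session and the store

def decide(req: Request) -> "tuple[bool, str]":
    """Walk the three layers in order; the reason names the layer that decided."""
    required = MIN_PROTECTION[req.level]
    # Gateway layer, "Can I come in?": the authentication strength this level demands.
    missing = (required & SESSION_CONTROLS) - req.controls
    if missing:
        return False, f"gateway: missing {sorted(missing)}"
    # Control layer, "Where can I go?": business need to know, expressed by role.
    role = ROLES.get(req.role)
    if role is None or req.system not in role["systems"]:
        return False, "control: role may not reach this system"
    # Data layer, "What can I do?": read/modify/delete per role, bounded by classification.
    if LEVELS.index(req.level) > LEVELS.index(role["max_level"]):
        return False, "data: classification above role's ceiling"
    if req.action not in role["actions"]:
        return False, f"data: role may not {req.action}"
    missing = (required & STORE_CONTROLS) - req.controls
    if missing:
        return False, f"data: store lacks {sorted(missing)}"
    return True, "data: allowed"
```

The reason string tells an auditor which layer refused, which is the visibility the “Do you really know who has access to what?” question asks for.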

Incident Response
All data is subject to compromise and loss!
The ability to identify that you are being attacked, to contain the attacker and to terminate the attacker’s access can limit the amount of damage that can be caused. These are key elements and are essential in surviving an attack.

Remember More Security Doesn’t Always Make You More Secure… Better Planning and Management Does

Managing the Risks
The world has changed dramatically based on the events of the past few years. We have learned that building more and higher walls by itself does little to ensure that critical and sensitive data receives adequate protection. We now must look not only at how we protect our networks but at how we protect the actual data.
Remember – It’s All About The Data

Closing Thought
When it comes to addressing our business risks, we never plan to fail. We just fail to plan!

Questions? David “Mike” Hager Enterprise Security Advisor Unisys. Remember It’s All About The Data