DESCRIPTION
A talk from the היריחון סטאטוס information security conference, 18.11.2010
Shahar Maor’s work Copyright 2010 @STKI Do not remove source or attribution from any graphic or portion of graphic 1
Shahar Geiger Maor, CISSP Senior Analyst at STKI
shahar@stki.info www.shaharmaor.blogspot.com
Information Security Trends in Israel
18.11.2010
Presentation’s Agenda
General Trends
Cloud Security
Data-Centric Security
Mobile Security
Regulations: PCI
Information Security: Israeli Market Size (M$)

Segment             2009   change   2010   change   2011   change   2012
Security Software   85.0   23.53%   105.0  4.76%    110.0  9.09%    120.0
GRC & BCP           50.0   50.00%   75.0   9.33%    82.0   9.76%    90.0
Security VAS        85.0   11.76%   95.0   8.42%    103.0  6.80%    110.0
Totals              220.0  25.00%   275.0  7.27%    295.0  8.47%    320.0
Information Security Spending
1. Usually very “dynamic”
2. Crisis/regulation driven instead of policy driven
3. Part of the budget may be embedded within other IT units\ projects
Approximately 5% of IT budget*
* Including manpower
Security Staffing Ratios
Organization Type            Ratio of Security Personnel (Israel)
Average Public Sector        0.15% of Total Users
“Sensitive” Public Sector    0.5% of Total Users
Information Security “Threatscape”
The Web is Dead!
http://www.wired.com/magazine/2010/08/ff_webrip/
Is Technology Good or Bad?
Israel: a Security Empire
Real Empire!!
Source: http://search.dainfo.com/israel_hitech/Template1/Pages/StartSearchPage.aspx
Local Security Vendors and CISO’s Decision Making
The CISO is usually considering technology, local support and price.
Is a local solution available? Most chance it will be among the last three bidders.
What’s on the CISO’s Agenda? (STKI Index 2010)
EPS/mobile 14%
Market/Trends 13%
Access/Authentication 12%
Network Sec 12%
GW 10%
DCS 9%
DB/DC SEC 9%
Vendor/Product 8%
Regulations 7%
SIEM/SOC 3%
Miscellaneous 2%
Encryption 1%
Cloud Security
Source: http://csrc.nist.gov/groups/SNS/cloud-computing/
Is Cloud Security Important??
http://www.thepeople.co.il/Index.asp?CategoryID=82&ArticleID=1281
How Does Cloud Computing Affect the “Security Triad”?
Confidentiality
Integrity
Availability
Cloud Risk Assessment (risks plotted by probability vs. impact)
Loss of governance
Compliance challenges
Risk from changes of jurisdiction
Isolation failure
Cloud provider malicious insider - abuse of high privilege roles
Management interface compromise (manipulation, availability of infrastructure)
Insecure or ineffective deletion of data
Network management
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/
Cloud Security: What’s Missing?
Standards & Regulations
Data-Centric Security
Incidents by Vector (2009) (chart)
Source: http://datalossdb.org/statistics
The Relative Seriousness of IT Security Threats
Source: Computer Economics
DLP Scenario in Israel
No Data Classification
Poor Security Policy
Project is a failure
What Should be Done in Order to Succeed?
Look for your assets!
Classify and label!
Discover and protect confidential data wherever it is stored or used
Monitor all data usage
Automate policy enforcement
Safeguard employee privacy
Y 2010 - Going Mobile!
Real Mobility is Coming to the Enterprise
Mobile Security: What worries CISOs?
Internal users:
• No central management
• How to protect corporate data on the device?
• Device’s welfare ???
External users:
• Sensitive traffic interception
• Masquerading\ Identity theft
Mobile Security: What Do CISOs want?
1. Manage SMDs as if they were another endpoint
2. Protecting business information on your device
3. Multi-platform support
PCI-DSS - Challenges
(Diagram: a retail environment of DSL Router, Network, POS Server, POS Terminals, PIN Pads, Policies and a 3rd Party Scan Vendor, mapped against PCI-DSS Requirements 1 through 12)
What is the Incentive?
Source: http://datalossdb.org/statistics?timeframe=all_time (2000-2010)
• Data loss incidents: 2,754
• Credit-card related data loss: 396 (35%)
• How? Hack (48%)
• CCNs compromised: 297,704,392
• …CCNs\Incident: 751,779
• Actual $$$ loss…?
Israeli PCI: Market Status (May 2010)
(Chart: sectors placed along a maturity path from PCI “Newborns”, Gap Analysis, PCI work plan (Prioritized Approach?), 1-4 Milestones, 4+ Milestones, to PCI Compliance)
Financial Sector
Telco\Services Sector
Retail\Whole sale\Manu’ Sector
Healthcare Sector
You are here
PCI Challenges: The “New trend Syndrome”
“Am I the first one to implement this solution?”
“Are there any other references?”
PCI Challenges: Customer Experience
System heterogeneity – Sensitive data is scattered around in all sorts of formats
Main-Frame and other legacy systems – how is it possible to protect sensitive data without changing the source code?
What happened to risk management??? (PCI vs. SOX)
PCI Challenges: Customer Experience 2
“My DB does not support PCI” – the “Upgrade vs. pay the fine” dilemma
“Index token is cheaper than other alternatives” – True or false?
Inadequate knowledge of the QSAs?
Who audits the auditors? – should be answered by the PCI Council
PCI Challenges - The PCI paradox
PCI compliance → 1 security patch is missing → A data loss incident occurs… → An investigation starts → Remember that security patch?
Thank You!
Visit my Blog: shaharmaor.blogspot.com