Data Protection: Security from the Inside Out – Fred Langston, CISSP, Global Product Manager, VeriSign Enterprise Security Services, December 3, 2007


Page 1

Data Protection: Security from the Inside Out

Fred Langston, CISSP

Global Product Manager

VeriSign, Enterprise Security Services

December 3, 2007

Page 2

Introduction

+ Data-centric security starts from the smallest elements – the data itself
+ So, do we really have a good definition of ‘data’ when it comes to security? Consider the “value” and “impact” of an adverse event:
  ▪ Regulatory impacts
  ▪ Monetary impact of loss
  ▪ Direct costs associated with loss
  ▪ Recreation of data if lost
  ▪ Loss of CIA – Confidentiality, Integrity and Availability
+ In essence, we must “know” our data intimately and how it’s used, valued, and protected
+ From this knowledge, we can create a framework for security that focuses on the most valuable asset – the data itself

Page 3

Today’s Headlines – December 3, 2007

+ Data theft touches 150,000 Massachusetts seniors
  ▪ Senior citizens who participate in a Massachusetts insurance program have received word that their personal information may have fallen into the hands of an identity thief.
+ UK government accuses Chinese of IT espionage
  ▪ The British intelligence agency MI5 has warned 300 U.K. business concerns that their IT systems are under attack by Chinese state organizations.
+ Attackers exploiting unpatched QuickTime flaw
  ▪ Please note that the people attempting to compromise your system do work weekends: the QuickTime vulnerability for which proof-of-concept code was revealed Thursday went into full attack mode over the weekend, with two campaigns underway.
+ DBA Admits to Theft of 8.5M Records
  ▪ A former senior database administrator at a subsidiary of Fidelity National Information Services last week pleaded guilty to stealing some 8.5 million customer records and selling them to data brokers.

Page 4

What are the causes of breaches?

+ Poor identity management

+ Poorly secured wireless

+ Unsecured physical assets

+ Application vulnerabilities

+ Lack of monitoring logs and IDS

+ Network architecture flaws; flat networks

+ Data leakage into the DMZ, spreadsheets, and Access databases

Page 5

Store Less Data

+ What do you NEED to store?
  ▪ What data is available to you?
  ▪ What are the business and legal needs?
  ▪ Where do you need to store this?
  ▪ What is the risk associated?
+ Ask the hard questions!
  ▪ Why do you need this?
  ▪ What would you do without it?
+ What to do with risk?
  ▪ Accept it (and face fines!)
  ▪ Mitigate it
  ▪ Insure it

Page 6

Data Security Problem #1 – Where’s the Beef, er, Data?!

Data-centric security starts by knowing:
+ What the data is
+ What its value is
+ How to classify the data
+ Where the data:
  ▪ Ingresses and egresses the enterprise
  ▪ Is stored
  ▪ Is processed
  ▪ Is transmitted
  ▪ Is retained
  ▪ Is archived
  ▪ Is destroyed

Page 7

Simple Solutions to Difficult Challenges

+ Understand your Data Flows
  ▪ How many know their data flow end to end?
  ▪ File shares – Word, Excel, and Access!!
  ▪ Laptops & mobile devices
+ What about systems and application failures and crashes?
  ▪ Dump files, core dumps
  ▪ Live memory
  ▪ Debugging extracts
+ Store Less Data
  ▪ You don’t have to secure what you don’t have
+ Create a Data Protection Framework!
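The slide asks who actually knows where their data sits. As an added example, not from the deck, this is a small discovery scanner that walks a file share for the SSNs and account numbers the later slides name, validates candidate card numbers with the Luhn checksum to cut false positives, and reports masked values only so the report is not itself a leak. It assumes text exports (.csv/.txt/.log); Word, Excel and Access files need a format-specific reader, and the sample share it builds is constructed test data.

```python
import re
import tempfile
from pathlib import Path

# Patterns for the data types the deck names: SSNs and card/account numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value: str) -> str:
    """Report only the last four characters so the scan report is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]

def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) for each SSN or Luhn-valid card number in text."""
    hits = [("ssn", mask(m)) for m in SSN_RE.findall(text)]
    for m in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", m)
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits

def scan_share(root: str, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk a share and map each file (relative path) to its findings.
    Text exports only; binary Office files need a format-specific reader."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_sensitive(path.read_text(errors="ignore"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_share() -> str:
    """Constructed sample file share for the demo (test numbers, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "hr").mkdir()
    (root / "hr" / "export.csv").write_text("name,ssn\nJ Doe,123-45-6789\n")
    (root / "notes.txt").write_text("card 4111 1111 1111 1111, order 1234567890123\n")
    (root / "readme.txt").write_text("nothing sensitive here\n")
    return str(root)
```

The "order" number in the sample is a 13-digit run that fails the Luhn check and is therefore not reported, which is the point of validating rather than regex-matching alone.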

Page 8

Data Protection Frameworks

+ Data identification and valuation
  ▪ BIA (Business Impact Analysis)
  ▪ Statement of Acceptable Risk
  ▪ Policy
+ Data classification
  ▪ Policy
  ▪ Awareness of policy
  ▪ Implementation maturity
+ Data mapping and flow analysis
+ Data-centric risk analysis or regulatory compliance gap analysis
+ Sensitive data minimization
+ Create data protection control standards based on:
  ▪ Storage, transmission, and processing of data
  ▪ Value of data
  ▪ Regulatory or business impact of data breach

Page 9

Map your Data Flows

Page 10

Practical Tips for Avoiding Data Breaches

+ Address App & Net Vulnerabilities
  ▪ Do you know the real risk?
+ Improve Security Awareness
  ▪ People ARE the weakest link!
+ Monitor Systems for Intrusions
  ▪ Monitor to Stop and Prevent
+ Filter outbound data based on data classification
+ Segment Networks
  ▪ Still the most effective way to reduce attack surface
+ Encrypt, encrypt, encrypt!
+ Manage the encryption keys properly

Page 11

Encrypt any Stored Data

+ Why is encryption so hard?
  ▪ Legacy systems, more problems than encryption
  ▪ Most platforms have some solution
  ▪ Key management is still a massive problem
+ What are my options?
  ▪ Retrofit applications
  ▪ Use an encryption appliance
  ▪ Use a database that supports encryption
  ▪ Render unreadable without encryption (truncation, tokenization, hashing)
+ The Dangers of Encryption
  ▪ Approach encryption enterprise-wide and create a sound strategy
  ▪ Keep in mind, encryption is needed elsewhere, not just around one system
  ▪ Pesky data flows are required again!
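As an added example, not from the slides, here are the three "render unreadable" options the slide lists, applied to a constructed test card number: truncation keeps only the last four digits, tokenization swaps the value for a random surrogate held in a vault (which then becomes the system the controls have to protect), and hashing uses an HMAC with a secret key because an unkeyed hash of a short all-digit value can be enumerated offline. The key still has to be managed, which is the slide's point about key management.

```python
import hashlib
import hmac
import secrets

# Constructed sample value for the demo: a well-known test card number, not real data.
SAMPLE_PAN = "4111111111111111"

def truncate(pan: str, keep_last: int = 4) -> str:
    """Truncation: keep only the last digits. Nothing is left to recover,
    so nothing is left to protect and there is no key to manage."""
    if len(pan) <= keep_last:
        raise ValueError("value too short to truncate safely")
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]

class TokenVault:
    """Tokenization: hand out a random surrogate and keep the real value only
    here. The vault inherits every control the original system needed."""

    def __init__(self) -> None:
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:        # same value, same token, so joins still work
            return self._by_value[value]
        token = secrets.token_hex(8)       # random: carries no information about the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]

def keyed_hash(pan: str, key: bytes) -> str:
    """Hashing for matching without storing the value. A plain SHA-256 of a
    short numeric value can be enumerated offline, so use HMAC with a secret
    key, and manage that key exactly as you would an encryption key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
```

Truncation and tokenization take the value out of the application entirely; keyed hashing only works when the same key is available everywhere the match has to be made, which is where the data-flow map from the earlier slides comes back in.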

Page 12

Address Vulnerabilities

+ Assess Applications
  ▪ 45% of all Internet-based attacks occur at the application layer
+ Identify Poorly Coded Web Apps
  ▪ Perform code review or application testing to ensure code is secure
+ Perform Quarterly Scans
  ▪ And be sure to include applications
+ Implement Strict SDLC Processes
  ▪ Try tracking vulnerabilities by developer

Page 13

Security Awareness & Training

+ People are your weakest security link!
  ▪ Users do not take password controls seriously
  ▪ Administrators tend to be bad offenders
+ Ongoing awareness training helps keep application vulnerabilities down
+ Proper training allows associates to find and disclose sensitive data
  ▪ SSNs, DL, Account numbers
  ▪ Laptops
  ▪ Large data storage areas
  ▪ Excel and Access

Page 14

Monitor Systems for Intrusions & Anomalies

+ Intrusion Detection/Prevention Strategies

+ Look for renegade egress devices like unauthorized wireless APs

+ Focus on an enterprise-wide logging and log management strategy

+ Implement Strict SDLC Processes

Page 15

Segmentation and Access Controls

+ Network Segmentation
  ▪ Is anyone else tired of hearing this suggestion?
  ▪ Why is it so critical?
+ What are additional benefits?
  ▪ Resilience to internal DoS
  ▪ Centralized security*
+ Multi-Level Access Controls
  ▪ 802.1x, is it finally ready?
  ▪ VPNs (IPSec and SSL)
  ▪ Centralized Identity Management
  ▪ Wireless

Page 16

Final Thoughts and Future Considerations

+ Data protection is a continual process – think of data protection as a journey, not a project, and manage it that way
+ Other things to think of
  ▪ Mergers and Acquisitions
  ▪ New business lines
  ▪ Global Operations
+ Wireless and Mobile Payments
  ▪ SIM-based payments
  ▪ Chip & PIN, not exempt!
  ▪ Devices such as iPhones
+ Use data protection to fuel security program development throughout your enterprise
+ THERE IS NO SILVER BULLET!

Page 17

Questions + Answers

Page 18

Thank You

Fred Langston, CISSP

[email protected]

(425) 765-3330

For general information on VeriSign’s Security Services

please email [email protected] or call (303) 886-1281