CIO Summit: Data Security in a Mobile World
Page 1: CIO Summit: Data Security in a Mobile World

Data Security in a Mobile World

Page 2

Agenda

• Welcome and Introductions
– David Riffle, Sr. Director, ASI

• Information Security Threats and Strategies
– Mark Breland, Sr. Product Engineering Exec., ASI

• What You Need to Know about PCI Compliance
– David Johnson, Systems Engineer, Trustwave

Page 3

Agenda

• Why the Era of CRM is Over
– Brent Sitton, Product Marketing Manager, ASI
– Bruce Ryan, CIO, Florida Bankers Association
– Artesha Moore, CIO, Association for Professionals in Infection Control and Epidemiology

• Closing Remarks

Page 4
Page 5
Page 6
Page 7

…1800 clients across 25 countries and 6 continents…

Page 8

…ASI and iMIS focus on being prepared to help minimize the risk of a security breach

Page 9

Many organizations have higher data risk due to multiple systems

Page 10

The era of CRM is over.

Page 11

Data Security used to be a lot simpler…

Page 12

…than it is today.

Page 13

Data Security in a Mobile World

Page 14

Security…Vulnerabilities, Mitigation, and Defensive Measures

Mark Breland, Senior Product Engineering Executive

Page 15

Agenda

• Security breaches today
• Attack vector mitigation
• Secure web implementation
• Penetration testing
• ASI Corporate Security Initiative

Page 16

Security Breaches Today

• By the numbers…in the US 2005 to April 2014
– Recorded breaches = 4,455
– Records exposed = 626,327,451
– Cost per record = $188
– Total cost = $117.8B

• Breach attack patterns
– 52% of stolen data due to “hacktivism”
– 40% of breaches incorporated malware
– Malicious or criminal attacks that exploit negligence or system glitches

Page 17

Security Breaches Today

• Primary data breach targets…
– Financial
– Retail
– Government

• 43% of all companies experienced a data breach in the last year
– Of these, 27% had no response plan in place
– 80% had root cause in employee negligence

• Membership organizations emerging
– Controversial missions/philosophies
– Play to self-anointed judgment of “hacktivists”
– Least likely to have protections in place

Page 18

Security Breaches Today

• Cyber risk and liability
– Target® breach of 2013…40M compromised records, potential company liability of $90/exposed record = $3.6B
– Target® directors and officers also facing derivative suits
– Home Depot® breach of 2014…56M compromised PCI records, liability to exceed $3B
– JPMorgan Chase breach of 2014…83M compromised PII accounts
– Anthem breach of 2015…80M compromised PHI records
– Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach

Page 19

Security Breaches Today

• Cyber risk and liability
– Brand value drops 17-31% after a breach
– Data loss not typically covered under corporate insurance policies…cyber liability insurance required to cover corporate costs of a breach
– Software vendors mostly protected by liability limits clauses in their EULAs
– Custom developed software and software implementation is another story…
– Any technology company associated with a breach is open to litigation

Page 20

Security Breaches Today

• Why NPOs should be concerned
– Larger budgets/revenues are attractive
– Mission statements draw hostile attention
– Greater need for online service provision
– Growing IT complexity to maintain operating efficiency and maximize member benefits
– Increasing reliance on 3rd party cloud/hosting service providers

Page 21

Security Breaches Today

• One breach, 6 investigations…
– Internal investigation
– Shareholders vs. Directors and Officers
– Card brand vs. Company
– Federal Government vs. Company
– State Government vs. Company
– Law Enforcement vs. Attacker

Page 22

Security Breaches Today

• Weak credentials
– Default credential provisioning
– Susceptible to brute force attacks

• System misconfiguration
– Accidental exposure of administrative consoles
– Stood up systems outside of policy
– Firewall errors/complexity

• Service/Software vulnerability
– Heartbleed, Shellshock
– Third party software

• Web application vulnerability
– Most commonly exploited
– Custom code developed without security

• Social engineering
– Phishing, link clicking

Page 23

Security Breaches Today

Web security today is both a proactive and reactive process…one must be fully prepared in both aspects to survive in the current threat environment.

Page 24

Attack Vector Mitigation - Business

• Identify and understand your business risks as regards likely channels of attack

• Educate Board and senior management on responsibilities and effectively managing cyber security risk

• Proactively secure data, systems, policies, and procedures in advance…plan, Plan, PLAN

• Gather and share cyber attack intelligence internally and among industry peers

Page 25

Attack Vector Mitigation - Business

• Train staff and elevate cyber security awareness
• Engage outside help when needed
• Ensure compliance with all regulatory and certification security requirements
• Respond clearly and deliberately to any critical incident…focus on maintaining stakeholder confidence
• Benchmark your cyber security program in relation to your peers

Page 26

Secure Web Implementation

Page 27

Secure Web Implementation

• Protect each site with a valid SSL certificate and HTTPS protocol
• Isolate web servers in the DMZ zone
• Protect services in the Trusted zone
• Disallow non-VPN or non-direct RDP access to any server
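As an added example (not code from the slides, ASI or iMIS), the following Python script turns the four placement rules on this slide into an auditable check: web servers must sit in the DMZ, application and database services in the Trusted zone, RDP may only be reachable from the VPN zone, and every public site needs a currently valid certificate with HTTPS enforced. The zone names, host and site names, the `Host`/`Rule`/`Site` records and the fixed audit date are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model for the example: zones, hosts, firewall rules and public sites.
# Every name and value below is an assumption, not a real ASI or iMIS layout.

@dataclass(frozen=True)
class Host:
    name: str
    role: str   # "web", "app", "db" or "client"
    zone: str   # "dmz", "trusted", "vpn" or "public"

@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone the connection originates from
    dst_host: str   # host the firewall allows the connection to
    port: int       # destination TCP port

@dataclass(frozen=True)
class Site:
    hostname: str
    cert_not_after: date   # certificate expiry date
    https_only: bool       # True when plain HTTP is redirected to HTTPS

RDP_PORT = 3389
RDP_ALLOWED_FROM = {"vpn"}   # the slide's rule: no non-VPN RDP to any server

def check_placement(hosts):
    """Web servers belong in the DMZ; app and DB services belong in the Trusted zone."""
    findings = []
    for h in hosts:
        if h.role == "web" and h.zone != "dmz":
            findings.append(f"{h.name}: web server must be isolated in the DMZ, found in '{h.zone}'")
        if h.role in ("app", "db") and h.zone != "trusted":
            findings.append(f"{h.name}: {h.role} service must sit in the Trusted zone, found in '{h.zone}'")
    return findings

def check_rdp(rules):
    """Any rule that opens RDP from a zone other than the VPN zone is a finding."""
    return [
        f"rule {r.src_zone}->{r.dst_host}:{r.port}: RDP must only be reachable via VPN"
        for r in rules
        if r.port == RDP_PORT and r.src_zone not in RDP_ALLOWED_FROM
    ]

def check_tls(sites, today):
    """Each site needs a certificate that is still valid and must not serve plain HTTP."""
    findings = []
    for s in sites:
        if s.cert_not_after < today:
            findings.append(f"{s.hostname}: certificate expired on {s.cert_not_after.isoformat()}")
        if not s.https_only:
            findings.append(f"{s.hostname}: plain HTTP still served, force HTTPS")
    return findings

def audit(hosts, rules, sites, today):
    """Run all three checks and return the combined list of findings."""
    return check_placement(hosts) + check_rdp(rules) + check_tls(sites, today)

# Constructed sample input: two deliberate placement mistakes, one bad RDP rule,
# and one site whose certificate has expired and which still serves plain HTTP.
SAMPLE_HOSTS = [
    Host("web01", "web", "dmz"),
    Host("web02", "web", "trusted"),    # wrong zone for a web server
    Host("app01", "app", "trusted"),
    Host("db01", "db", "dmz"),          # wrong zone for a database
]
SAMPLE_RULES = [
    Rule("public", "web01", 443),
    Rule("dmz", "app01", 8080),
    Rule("vpn", "app01", RDP_PORT),     # acceptable: RDP over the VPN only
    Rule("public", "web01", RDP_PORT),  # finding: RDP exposed to the Internet
]
SAMPLE_SITES = [
    Site("www.example.org", date(2016, 1, 1), True),
    Site("members.example.org", date(2015, 1, 1), False),
]
AUDIT_DATE = date(2015, 6, 1)   # fixed so the sample run is reproducible

def sample_findings():
    return audit(SAMPLE_HOSTS, SAMPLE_RULES, SAMPLE_SITES, AUDIT_DATE)

if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Running the script against the constructed inventory reports five findings: the two misplaced hosts, the Internet-facing RDP rule, and two for the members site. In practice the inventory and rule set would be exported from the firewall and asset register rather than typed in, and the certificate dates read from the live endpoints.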

Page 28

Secure Web Implementation

• GreenSQL - a unified, ready-to-use database security solution for all organizations. Easy to install, use and maintain
– Hides and secures databases
– Monitors all incoming and outgoing SQL queries
– Alerts and blocks signature-based query attacks
– Maintains database security policy in real-time
– Protects against known and unknown database exploits

Page 29

Secure Web Implementation

– GreenSQL is located between the iMIS application and the database, inspecting all access, including queries and database responses. This ensures complete coverage for securing, monitoring and masking of sensitive information stored in databases.

Page 30

Secure Web Implementation

• Recommended GreenSQL deployment (network diagram; labels recovered from the slide):
– Public (web browsers) and Registrants (web browsers)
– Firewall
– DMZ: Web Servers
– Firewall
– Trusted: iMIS Application Server, Internal iMIS Clients, GreenSQL, Database Server

Page 31

Penetration Testing

• Process to identify security vulnerabilities in a web application or site by evaluating the system or network with various malicious techniques

• Various end targets…
– Full web site (Amazon, Google, iMIS customer)
– Web application product (iMIS 20 out-of-the-box)

• Various forms…
– Social engineering
– Application security
– Physical penetration

Page 32

Penetration Testing

• Automated testing tools
– Pros – covers a lot of ground very fast, cost efficient, consistent and repeatable, best suited for rapidly evolving web applications
– Cons – can frequently flag false positives, only as good as the latest signature database of known exploits

• Adaptive (manual) testing techniques
– Pros – follows the black hat mindset, uncovers application-specific combinatorial vulnerabilities, leverages non-related tools, much more rigorous
– Cons – labor-intensive, not easily repeatable, money sink

Page 33

Penetration Testing

• ASI committed to conducting self penetration testing
– iMIS 20-100/200 and 20-300 platforms
– Integral to pre-EA/GA regression testing
– Employ Netsparker tool as a start, will likely expand to others

• ASI engaged independent penetration testing services in 2014
– Currently GA iMIS 20-100 and 20-300 platforms
– Adaptive pen testing techniques and methodology
– No critical vulnerabilities found
– Secure coding practices strongly recommended

Page 34

ASI Corporate Security Initiative

• Formed mid-2013 to address the issue of iMIS running as a secure web application for the benefit of our customers

• Focused on three areas to mitigate our risk exposure with the use of the iMIS product
– Web application product development
– Site implementation
– Cloud services

• Phase 1 complete, Phase 2 emphasis on establishing a corporate ASI Security Assurance Plan with associated policies/procedures

Page 35

Resources

• Articles
– Verizon 2014 Data Breach Investigations Report - www.verizonenterprise.com/DBIR/2014/
– https://www.owasp.org/index.php/ASP.NET_Misconfigurations
– http://weblogs.asp.net/dotnetstories/archive/2009/10/24/five-common-mistakes-in-the-web-config-file.aspx
– http://csae-trillium.tv/cyber-security-canadas-profit-organizations-attack-certain-loss/

• Best Practices
– OWASP - www.owasp.org/index.php/Main_Page
– NIST - www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
– www.imiscommunity.com/system/files/SecurityWebImplBestPractices.pdf
– www.imiscommunity.com/system/files/SecurityWebDevBestPractices.pdf

Page 36

Crash Course: PCI v3

David Johnson – System Engineer

Page 37

Summary

• What is PCI?
• What has changed in PCI-DSS v3?
• Scope Adjustment + Segment and Pentesting
• Hosted Payment Pages Clarification
• Sampling
• POS Security
• Tips & Tricks
• What’s Next?

Page 38

Who We Are

Company facts and figures: serving, global, growing, innovating
• Over 3 million subscribers
• Over 1,100 employees in 26 countries
• Over 56 patents granted / pending

• Vulnerability Management: Global Threat Database feeding Big Data back-end
• Threat Management: Integrated portfolio of technologies delivering comprehensive protection
• Compliance Management: Leading provider of cloud delivered IT-GRC services

Page 39

WHAT IS THE PCI DSS?

• The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data

• Cardholder data is any personally identifiable data associated with a cardholder, including:
– Primary Account Number
– Expiry Date
– Name

• All merchants accepting debit/credit cards must comply with the PCI DSS at all times

Page 40

What has changed from PCI v2 – v3?...

Page 41

PCI DSS v3 Changes: Definitions of Change

• Clarification (74 changes): Clarifies intent of requirement. Ensures that concise wording in the standard portrays the desired intent of requirements.

• Additional guidance (5 changes): Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.

• Evolving Requirement (19 changes): Changes to ensure that the standards are up to date with emerging threats and changes in the market.

Page 42

PCI DSS Version 3.0

Most Notable Changes (1/4): A Higher Bar to Achieve “Segmentation”

• Specifically, scoping has been clarified to indicate that system components include, “Any component or device located within or connected to the [cardholder data environment].”

• The new language also states that the “PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.”

• Additionally, a new requirement has been added requiring that if segmentation is used, “penetration testing procedures are designed to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.”

• As further clarity, the standard states that, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”

• The additional focus on connected systems likely expands (potentially greatly) the number of systems considered in-scope for many organizations. For example, in most networks using Windows Active Directory security, a compromise of systems outside the CDE could impact the CDE, so those systems could then be considered in-scope for the PCI assessment.
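As an added illustration (not part of the Trustwave deck), the following Python snippet applies the “connected to” rule above to a constructed network model: every component that can exchange traffic with the CDE, directly or through other components, is treated as in scope, and a proposed segmentation change is checked by re-running the same analysis. It also produces the chain of permitted flows that explains why a given system landed in scope, which is the conversation the Active Directory example on this slide usually triggers. Treating any permitted flow in either direction as connectivity is a deliberately conservative assumption of this example, as are all component and service names.

```python
from collections import defaultdict, deque

# Each flow is (component_a, component_b, service) and means the firewall permits
# traffic between the two. Direction is ignored on purpose (an assumption of this
# example): a compromised peer on either end of a permitted flow could impact the CDE,
# which is the test PCI DSS 3.0 applies to decide what is out of scope.

def build_adjacency(flows):
    adj = defaultdict(set)
    for a, b, _service in flows:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def in_scope(flows, cde):
    """Return the CDE plus everything transitively connected to it."""
    adj = build_adjacency(flows)
    seen = set(cde)
    queue = deque(cde)
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen

def why_in_scope(flows, cde, component):
    """Shortest chain of permitted flows from `component` to a CDE member, or None
    when the component is properly isolated. Handy for explaining scope to an assessor."""
    if component in cde:
        return [component]
    adj = build_adjacency(flows)
    parent = {component: None}
    queue = deque([component])
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer in parent:
                continue
            parent[peer] = node
            if peer in cde:
                path = [peer]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(peer)
    return None

def scope_report(components, flows, cde):
    """Map every known component to True (in scope) or False (out of scope)."""
    scoped = in_scope(flows, cde)
    return {c: c in scoped for c in components}

# Constructed sample estate: two CDE members, the domain controller they authenticate
# against, office workstations on the same domain, and two networks with no path to the CDE.
COMPONENTS = ["pos-terminal", "payment-gateway", "domain-controller",
              "office-workstation", "hr-server", "guest-wifi", "dev-lab"]
CDE = {"pos-terminal", "payment-gateway"}
FLOWS = [
    ("pos-terminal", "payment-gateway", "tcp/443"),
    ("payment-gateway", "domain-controller", "kerberos/ldap"),
    ("office-workstation", "domain-controller", "kerberos/ldap"),
    ("office-workstation", "hr-server", "smb"),
    ("dev-lab", "guest-wifi", "tcp/22"),
]
# The same estate after segmentation: the office network is no longer permitted to
# reach the domain controller the CDE depends on (e.g. the CDE gets its own).
SEGMENTED_FLOWS = [f for f in FLOWS if set(f[:2]) != {"office-workstation", "domain-controller"}]

def before_and_after():
    """Scope reports for the unsegmented and the segmented flow sets."""
    return scope_report(COMPONENTS, FLOWS, CDE), scope_report(COMPONENTS, SEGMENTED_FLOWS, CDE)

if __name__ == "__main__":
    before, after = before_and_after()
    for c in COMPONENTS:
        print(f"{c:20} before: {'IN ' if before[c] else 'out'}  after: {'IN ' if after[c] else 'out'}")
    print("hr-server chain:", why_in_scope(FLOWS, CDE, "hr-server"))
```

With the original flows the HR server is in scope even though it never touches card data, because a chain runs from it through the office workstations and the shared domain controller to the payment gateway. Removing the office-to-domain-controller flow takes both the workstations and the HR server out of scope, which is exactly the kind of change the new segmentation penetration test is meant to confirm is effective rather than merely documented.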

Page 43

PCI DSS Version 3.0

Most Notable Changes (2/4): Hosted Payment Pages Are No Longer A “silver bullet”

• PCI DSS 3.0 offers a new definition of system components: “System components include systems that may impact the security of the CDE (for example web redirection servers).”

• Up until now, web servers had been considered out-of-scope if they used iFrames, hosted payment pages or other redirection technologies to prevent cardholder data from touching the merchant’s systems.

• Under the new standard, all of these servers fall in-scope and, due to the new segmentation requirement, likely bring the rest of a company’s network into scope as well.

• The only “out” for companies that lack the ability to ensure the security of web servers internally remains fully outsourcing the web infrastructure.

Page 44

PCI DSS Version 3.0

Most Notable Changes (3/4): Larger Samples Are Required

• The new standard requires larger samples. Specifically, “Samples of system components must include every type and combination that is in use. For example, where applications are sampled, the sample must include all versions and platforms for each type of application.”

• For merchants undergoing a third party assessment or Level 1 merchants that self assess, the level of effort in the validation process is likely to increase.

Page 45

PCI DSS Version 3.0

Most Notable Changes (4/4): Greater Security Around POS Physical Controls

• In response to recent attacks in which POS devices have been physically modified to capture cardholder data, there is a new set of control requirements around physical security for POS devices.

• First, merchants must maintain an inventory of POS devices, which must be identified in detail, including the location and serial number of each device.

• Additionally, POS devices must be inspected periodically for tampering, and employees at POS locations must be trained in how to detect and prevent device tampering.

Page 46

PCI DSS Version 3.0

Additional Major Changes or Key Areas

• Annual Pentesting
– Internal & External Network (qualified internal/external resource)
  • Segmentation must be verified
– Applications (qualified internal/external resource)

• Vulnerability Scanning
– Internal (ASV or Self)
– External (ASV only)

• Default Passwords – must be changed

• Security Education – pretty much everyone
– Role appropriate.

Page 47

Tips & Tricks

1. Read the PCI-DSS v3.
2. Leverage your entire employee base.
3. Read InfoSec News.
4. Keep the conversation going.
5. Be able to show proof.
6. Stay on top of documentation.
7. Standardize and remove risk.
8. Know your compliance anniversary date.
9. Start your assessment early.
10. Establish your current Merchant Level.

Page 48

What’s Next?

Things to pay attention to in the near future

• InfoSec companies expect an increase in CHD theft ahead of the EMV 2015 integration deadline in the USA.

• Employee and Business process security

• P2PE – it’s new and still in the works

Page 49
Page 50

Thank You

• Eric Wassenaar, NFP Account Executive
• [email protected]
• (312) 470-8743

Page 51

Why the Era of CRM is Over

Brent Sitton, Product Marketing Manager

Page 52

Why the Era of CRM is Over

Page 53

Disparate Systems = A Risky Approach (diagram): Complex Integrations + Disparate Products & Vendors + High Cost of Ownership + Designed for Staff = A ‘Half-Cycle’ Approach

Page 54

Engagement Management System

Page 55

New Programs and Services

• Survey method
– Misleading Indications
– Qualitative, not Quantitative

• Full Implementation
– Fraught with Risk

Page 56

Software Project Failure

Standish CHAOS Report on Software Projects

1994 - 16% Successful

2013 - 39% Successful

Page 57

Just Do It!

Put your products on the web and customers will come…

Page 58

Learning Organization

Learning – Validate your ideas using the scientific method

• Hypothesize
• Build Pilot
• Measure
• Learn

Page 59

Engagement Management

• Integrate Web and Data Quickly
• Flexibility to adapt to deliver new services
• Complete 360° view of your constituents in ONE system
• Interact with constituents on Any Device
• Measure member interaction

Page 60

Pilot Project in iMIS

• Community Service Groups
– Notify targeted group
– Collect information
– Match them to volunteer event
– See the measurable results

Page 61

Demonstration

Collect New Information

Notify Members

Measure Results

Page 62
Page 63
Page 64

Learning with an EMS

• Integrate Web and Data Quickly
• Flexibility to adapt to deliver new services
• Complete 360° view of your constituent in ONE system
• Interact with constituents on Any Device
• Measure interaction

Page 65

Learning Organization

iMIS RiSE enables your organization to LEARN from customers’ actions and behavior, understanding what they VALUE

Ushering in the END of the CRM era

Page 66

Association for Professionals in Infection Control and Epidemiology

Artesha Moore, CAE, Vice President, Membership, Education, and Technology

Page 67

About APIC

Mission: Create a safer world through the prevention of infection.

• Over 15,000 members from a variety of practice settings within healthcare
• 120 domestic and international chapters
• 11 special interest groups (similar to Technical Councils)
• Over 50% growth in past few years
• Diverse membership with varying needs

Page 68

Challenge

In 2005, APIC wanted to grow, yet systems were not in place

• AMS out of date, inaccurate
• No true web integration
• Culture not supportive

Membership growth is not possible without engagement

Page 69

Growth Leads to Challenges

• Variable practice settings with varying needs
• High % retiring in 5 years
• Decreased time and increased demands impact member participation
• Ever-changing regulations and need for new guidelines

Page 70

Member Engagement Means...

• Ease of access to features
• Integration of all technologies with AMS
• Enhancing customer experience

Page 71

Engagement Strategy

• Strengthen our AMS to enable greater connectivity to online resources
• Get an accurate picture of our members using metrics and data
• Increase capacity by automating routine tasks
• Work with vendors to integrate 3rd party add-ons to expand program offerings

Change internal culture to embrace both IT and member services

Page 72

Engagement Strategy

Using data to make decisions:
• Identifying key member groups
• Tracking member activity and performance
• Identifying new leaders
• Integrating with new platforms

Page 73

Engagement Strategy

• Open lines of communication between frontline staff, IT and leaders
• Provide training to empower staff to act
• Promote innovation at all levels
• Connect personal goals with organizational goals
• Be open to new ideas

Page 74

Embracing Technology...

• Plan must support your strategic plan
• Strong infrastructure is essential
• Knowledgeable staff to help educate members
• Develop partnership with vendors

Page 75

Enhancements Lead to New Possibilities

As APIC's database and web resources evolved, staff focused on more ways to get and keep members engaged.

Page 76

Results

Page 77

Results: New Leaders

• Using customized tables to create a database within existing structure
• Using scoring in social media to identify new leaders
• Using web analytics to understand member content needs

Page 78

Results: Growth

41+% Membership Growth

Page 79

"The single most important thing to remember about any enterprise is that there are no results inside its walls. The result of a business is a satisfied customer."

Zig Ziglar, Sales and motivational speaker and writer

Page 80

Contact Information

Artesha Moore, CAE, Vice President, Membership, Education, and Technology

[email protected]

Page 81

Florida Bankers Association

Bruce Ryan, DBA and Web Manager

Page 82

Florida Bankers Association

Founded in 1888 in support of Florida’s FDIC insured banks and financial institutions.

– 22 Staff Members
– Advocacy
– Education
– Membership
– Associate Membership

• Vendors
– Endorsed Partner Program

• Products
– Other Services

• Career Center, Fraudnet, Capwiz and more…

Page 83

Challenge: Disparate Applications (diagram): Schools DB, Member DB, Accounting DB, Reports

Page 84

Our Goal with iMIS 20

• 100% Retention of Members
• Staff Productivity
• More Efficient Member and Client Experience

Page 85

Solution: iMIS 20

• CRM & CMS in one system
• Events, product sales, accounting, etc. in one system
• Offline/Online transactions in one system
• Total web integration

Page 86

Results iMIS 20

• Time Savings: Supporting one application instead of 5+
• Cost Savings: Paying for one application instead of 5+!
• Reporting: Happy staff!
• Ease of Use: One application vs. 5+ (Happy staff!!)
• Member Engagement!

Page 87

Results iMIS 20 (diagram): Accounting DB, Reports

Page 88

Wrap Up

David Riffle, Senior Director

Advanced Solutions International, Inc.

Page 89

• Be Prepared

Page 90

Lessons Learned

• Massive change in communication is an opportunity to grow and thrive
– Social networking - YouTube
– Mobility - Personalization
– Communities of Interests - Data Capture

• C Level Executives must lead this transition

Page 91

Multiple systems increase the complexity of securing data

Page 92

Engagement Management System

Page 93

Albert Einstein

Insanity: “doing the same thing over and over again and expecting different results.”

Page 94

The era of CRM is over.

Page 95
Page 96

http://bit.ly/ASISuccess

Success Assessment

Page 97
Page 98

Thanks!

1-800-727-8682
www.advsol.com
www.imis.com/[email protected]

Page 99

Wrap Up

David Riffle, Senior Director

Advanced Solutions International, Inc.