BSIDES DETROIT 2015: Data breaches cost of doing business
Download as PPTX, PDF2 likes921 views
Joel Cardella has over 20 years of experience in IT, including infrastructure operations, data centers, sales support, network operations, and security. He provides his email and Twitter contact information. The document discusses using a risk-based approach to cybersecurity and focusing on reducing risks to the business using positive return on investment. It provides examples of security strategies and a layered security model.
![Michael Lynton, CEO of Sony Entertainment Inc
In a December [2014] interview with National Public Radio, Lynton insisted
his company was āextremely well prepared for conventional
cybersecurity,ā but faced āthe worst cyberattack in U.S. history.ā He has
repeatedly described it as a āhighly sophisticated attack.ā Sony Pictures
provided written responses to questions through Robert Lawson, its chief
spokesman. He says Lynton has no plans to fire or discipline anyone. The
CEOās reasoning rests on the belief that because Sonyās assailant was a
foreign government, with far more resources than a renegade band of
hackers, what happened was unstoppable. The studio simply faced an
unfair fight.
http://fortune.com/sony-hack-part-1/](https://image.slidesharecdn.com/databreachescostofdoingbusiness-150720160329-lva1-app6892/85/BSIDES-DETROIT-2015-Data-breaches-cost-of-doing-business-13-320.jpg)
BSIDES DETROIT 2015: Data breaches cost of doing business
- 2. Who am I? ļ Joel Cardella ļ Over 20 years in IT in various capacities ā infrastructure operations & data centers, sales support, network ops, security ļ Email: [email protected] ļ Twitter: @JoelConverses
- 3. Fear, Uncertainty and Doubt (FUD) can no longer be the fait accompli of the security world to try and drive good security decisions. fait acĀ·comĀ·pli Ėfet ÉkƤmĖplÄ,ĖfÄt/ noun a thing that has already happened or been decided before those affected hear about it, leaving them with no option but to accept. "the results were presented to shareholders as a fait accompli"
- 4. http://securityintelligence.com/cost-of-a-data-breach-2015/#.ValJ7vlVhBc ā¢ The average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015. ā¢ The lowest cost per lost or stolen record is in the transportation industry, at $121, and the public sector, at $68. ā¢ On the other hand, the retail industryās average cost increased dramatically, from $105 last year to $165.
- 13. Michael Lynton, CEO of Sony Entertainment Inc In a December [2014] interview with National Public Radio, Lynton insisted his company was āextremely well prepared for conventional cybersecurity,ā but faced āthe worst cyberattack in U.S. history.ā He has repeatedly described it as a āhighly sophisticated attack.ā Sony Pictures provided written responses to questions through Robert Lawson, its chief spokesman. He says Lynton has no plans to fire or discipline anyone. The CEOās reasoning rests on the belief that because Sonyās assailant was a foreign government, with far more resources than a renegade band of hackers, what happened was unstoppable. The studio simply faced an unfair fight. http://fortune.com/sony-hack-part-1/
- 14. If the data represents you, you are the owner. The company hosting it, or collecting it, or buying it from a clearinghouse is merely the custodian. And as a custodian they have fiduciary responsibilities to that data, but they also have financial obligations to their investors and shareholders. So, in that equation, Mr and Mrs Data Owner suffer the downside of risk.
- 16. These are all things I tried and did not succeed with ļ Donāt refer to security as an insurance model ļ Donāt use standards that donāt map to your industry, or use apples & oranges comparisons ļ Donāt confuse compliance with security, and donāt discuss them in the same context ā separate the words and define them differently
- 18. What do we do? ļ Pivot ļ This can be (sometimes should be) very obvious ļ Understand what your ROI is ļ E.g. If the penalty for non-compliance is $X, then we spend $Y to offset it ļ X < Y = Positive ROI ļ X > Y = Negative ROI ļ X = Y = ROI needs to be evaluated ļ Other ROI can be more complex, and need their own models
- 19. What to do? ļ Treat Cybersecurity as a Business Risk ļ And start referring to it as business risk ā Example: SGRC ļ Ask how your business assess risk and pattern a model that follows it ā show execs what they are used to seeing ļ Engage your peers and superiors on risk topics ā use what is in the media as a conversation starter ļ This is where ROI begins
- 20. What to do? ļ Build the path to awareness by your leadership ļ Prepare reports on whatās going on in the industry around you ā execs love to know how they are ding compared to those around them ļ Start with the next level manager, or managers in other departments ā sometimes itās a journey not a ladder ļ This is where ROI is discussed
- 21. What to do? ļ Learn from the past mistakes of others ļ This is where ROI is proven ļ Example of Sony: ļ Sonyās email-retention policy left up to seven years of old messages on servers, unencrypted ļ The company was essentially using email for long-term storage of business records, contracts, and documents saved in case of litigation. ļ An array of sensitive informationāincluding user names and passwords for IT administratorsā was kept in unprotected spreadsheets and Word files with names like āComputer Passwords.ā
- 22. What to do? ļ Be prepared! Know your data and know what it takes to protect it ā but let someone else make the risk decision on it ļ This requires emotional detachment! ļ This is where ROI is defended
- 23. What to do? ļ Network! Network! Network! ļ Come to community meetups and cons ļ Come to local group meetings (#misec) ļ Engage on Twitter, or other social mediums ļ Forum discussions ļ Ask questions, share info ļ SWIPE ļ This is where ROI can be enhanced
- 24. Functional Area Key functions How we achieve it Business value Security ā¢ Ensure proper controls for systems and data access ā¢ Ensure Confidentiality of business data ā¢ Ensure business data is resistant to unauthorized change ā¢ Investment in security technologies ā¢ Multi-layer defensive strategy ā¢ Segregation of duties controls in SAP and other business critical systems and applications ā¢ Ensure logical separation of critical data ā¢ Business can operate within acceptable tolerance of risk ā¢ Enterprise ācrown jewelsā are protected from malicious threats ā¢ Confidence in data is increased, business decisions have greater value Governance ā¢ Ensure global and regional directives and standards are in place for all NASC and relevant business processes ā¢ Global ISMS participation ā¢ Policy creation and documentation ā¢ Reviewing and approving standards and practices ā¢ Ensures the effective and efficient use of IT Security in enabling the business to achieve its goals ā¢ Ensures alignment with global governance Risk ā¢ Reduce enterprise risk ā¢ Stay abreast of new risks and threats ā¢ Business continuity planning and system availability planning ā¢ Ongoing risk assessments for both IT and business ā¢ Continually manage threats in constantly changing threat landscape ā¢ Proactively test systems for vulnerabilities ā¢ Investment in risk technologies ā¢ Business continuity planning for recovery of data and continuation of business in disaster situations ā¢ Business can run with reduced risk, allowing more innovation and growth ā¢ Newly emerging threats can be dealt with more quickly ā¢ Recovery capabilities for outage situations can be dealt with quickly, allowing for minimal business interruption Compliance ā¢ Ensure compliance activities for regional and global directives are met ā¢ Ensure Legal mandates are met ā¢ ICS activities ā¢ Interfacing with IT, global and business auditors on all audits ā¢ Interfacing with Legal ā¢ Ensure follow up on audit findings ā¢ Internal Controls Systems mandates are met ā¢ Legal mandates are met ā¢ Understanding of audit risks and findings, help with mitigation
- 25. Critical Success Factors ā¢ Confidentiality, Integrity and Availability of data is managed to business expectation ā¢ Providing cost effective security controls and risk mitigation ā¢ Proactively addressing security improvements and mitigations where required ā¢ Improve recovery capability Key Activities ā¢ Managing audit findings as a tool for improving security posture and maturity ā¢ Execute control activities for governance and compliance ā¢ Continually assess risk and validate mitigations and controls ā¢ Disaster/continuity planning and recovery planning ā¢ Assess vulnerabilities, mitigate and manage emerging threats Key interfaces ā¢ Global IT security ā¢ Project management ā¢ Regional and global auditors ā¢ External auditors (E&Y, PwC) ā¢ Legal, both regional and global ā¢ Corporate Communications ā¢ Business units, all LOBs and process areas ā¢ Executive management ā¢ IT Security community Guiding Principles 1. Focus on the Business 2. Comply with Relevant Legal and Regulatory Requirements 3. Evaluate Current and Future Information Threats 4. Adopt a Risk-based Approach 5. Protect Classified Information & Ensure Proper Use
- 26. Layered security model 26 Perimeter defense (hardware firewall, intrusion detection) Managed security services, security threat detection Windows Firewall, patching (software) Anti-Virus Measures End User Access Controls Critical business data Hardware, restricts network access from the internet Software to restrict access, patching to deal with known vulnerabilities End user awareness training, strong passwords, dual factor authentication Services partner watches all network activity, looks for suspicious activity Anti-virus blocks known threats Access controls restrict access to the critical systems, manage SOD conflicts
- 27. Final thoughts ļ Remember, your job is to LOWER the risks of doing business. Do so using positive ROI. ļ Emotionally detach yourself from the things that drive you nuts as an infosec admin or manager. ļ Understand you are there as an advisor, a counselor. When you make decisions in this capacity, you become trusted. You are no longer a gatekeeper. Gatekeeper = compliance. ļ But keep in mind: your business can do business without security. Itās high risk, but if the benefits outweigh the risksā¦
- 28. Who am I? ļ Joel Cardella ļ Over 20 years in IT in various capacities ā infrastructure operations & data centers, sales support, network ops, security ļ Email: [email protected] ļ Twitter: @JoelConverses