Your're Special (But Not That Special)
0 likes66 views
This document provides guidance on data governance and security best practices. It discusses that data has become the most valuable resource, similar to how oil was in the last century. It advises that those working in data governance are among the most important roles. It cautions against implementing security controls just for the sake of it and recommends understanding requirements and risks first. It also emphasizes the importance of data classification and defining roles and responsibilities within an organization's data governance strategy. The document stresses that simply having more security is not always better and can sometimes make things worse if usability is not considered. It concludes by noting that every failure provides an opportunity to learn and that asking "why" is the most important word in business.
Your're Special (But Not That Special)
- 1. YOU'RE SPECIAL (BUT NOT THAT SPECIAL) DON’T DO SECURITY STUFF (JUST BECAUSE) & THE MOST IMPORTANT WORD IN BUSINESS (WHY) Sandy Dunn, CISO Blue Cross of Idaho June 7, 2018 pm 1
- 2. You’re Special Don’t Do Security Stuff Data Governance Hot Potato The Most Important Word in Business *** Disclaimer *** This presentation views and opinions are my own, and do not represent the views or endorsement of my employer Blue Cross of Idaho. All the information is publicly available. Topics 2
- 3. Data is to this century what oil was to the last one: a driver of growth and change. Flows of data have created new infrastructure, new businesses, new monopolies, new politics and—crucially—new economics. Digital information is unlike any previous resource; it is extracted, refined, valued, bought and sold in different ways. It changes the rules for markets and it demands new approaches from regulators. Many a battle will be fought over who should own, and benefit from, data. https://www.economist.com/briefing/2017/05/06/data-is-giving-rise-to-a-new-economy You’re Special Thank you for inviting me to speak to the Northwest Data Governance Networking meeting Let’s face it, data governance people are the most important people in the organization. You manage what is the “new oil” 3
- 4. Chief Information Security Officer (CISO) • Sheriff – tickets when people break the law (policy), run law breakers out of town, or at least restrict their access • Evangelist – More important part of the role is “evangelizing” deputizing every person in your organization into the security team. • Fierce protector of the organization, network, customers, assets • Direct communication to business leadership on risk, impact, (As a security team we must always think and act as a service to business, we can be the best security team on the planet but if we don’t keep business success as the very top objective then nobody has a job. 4
- 5. “You’re either a learning organization or you’re losing to somebody who is” Andrew Shafer • I hit the wall of “Crisis fatigue” Comparing cybersecurity incident crisis fatigue to being a villager where the boy cried wolf, not only are you not running to see if there is a wolf, you actually hope there is one, and he will eat the sheep, so you can see your family, and get some sleep. • Determined to understand how to improve efficiency • In the Goal Al states they have 4 priorities of orders, Hot, Very Hot, Red Hot, and DO IT NOW 5
- 6. Mine worker x-rayed for diamond check 1954 But NotThat Special • Think about looking outside of the development, data, and software world for building process and controls. • People have been creating process and controls for workers who required access to valuables for centuries. I’m not suggesting you require everyone be x-rayed like what is shown in this picture, but I am encouraging you to change the paradigm, leverage the experiences from history and drive creative solutions at your organization. • How do producers from around the world manage to consistently deliver, safe food into grocery stores (for the most part) statistically pretty amazing ! • If there is a health risk, what is the process to identify, communicate, and protect consumers ? Can we learn or replicate? Picture reference https-3A__rarehistoricalphotos.com_mine-2Dworker-2Dx-2Drayed- 2Ddiamond-2Dcheck-2D1954_&d=DwMBaQ&c=NdSJ4ILlWpqW3- KBBqEbZ68qQuJ1JYIOBIexwqzU- qw&r=W5Rjnie4gKpHnLTKlYr9pJwYMQKBvKRm1dVVMZrxq6s&m=regfud8HICSfZzHV4tncw- I0QUFAkq4GXyyszgrJuXo&s=JL6WCn7x6yn0K4090nX5IJOh-k-1Nj8J6TMuT1v9nIE&e= 6
- 7. Don’t Do Security Stuff Just Because • Learn from code signing (and those who survived it) • What, Who, How • Avoid a $2000.00 fence for an $800.00 cow • Reduce the attack surface • No production data in dev or test • Only as strong as the weakest link. • Understand the trade offs • Data Governance / key management headache • Can restriction of granular access can be mitigated by better detective controls • Recovery from back up harder • Keys in back up • Usability • If they’re rogue they are crossing county lines • There have been benefits from MS requiring all windows packages to be signed, but not as much as there should be • Limited rigor in the process around code signing and ensuring trusted process on what was signed • Lack of rigor around protecting the private key, keys stolen and then malicious code trusted • Revoking the key never happens, if a key does happen to be revoked, no way to retro revoke. Can only revoke from current time stamp forward. • One size does not fit all • The first three questions I ask is “What do we need to protect, who do we need to protect it from how do we protect it? • Security is understanding requirements and putting controls in place that meet requirements (no magic fairy dust required to “hack” and no magic fairy dust to prevent) • With news lines screaming, and panicky questions from management, the hyperbole around security can pull you in but security investment needs to be a business risk and impact discussion. • Sometimes the risk can’t be justified to the investment, make sure everyone agrees, have a paper trail • Security is only as strong as the weakest link.. There is no value in mading15 character 7
- 8. passwords, but then not having policy that makes it a requirement employees must adhere to. • Understand the trade offs • The longer the encryption key the more application performance slows down • The more difficult or cumbersome security policy or process is the higher likelihood people will skirt, escalate, or avoid the right way. Putting 5 locks on a door that induvial use multiple times a day make it more likely someone will just get angry and prop the door open. 7
- 9. Be Afraid of WhatYou Don’t See Exiftool Microsoft Documents Adobe PDF Browser Fingerprinting Hidden Metadata in files can be an inconspicuous way that sensitive data is leaking from your organization 8
- 10. Data Governance Business Owner Legal / Compliance / Enterprise Risk Data Governance Cybersecurity Data Stewardship Identify data roles & responsibility Define Requirements SME Audit / Enforce Structured / Unstructured Own process / workflow Requirements How Find / Enforce Data Classification Public Restricted Confidential Do Define Monitor use Enforce Implement Controls Data Quality Only Good Data Enforce Requirements How Data Management Building the full data lifecycle Do Requirements How Protect • Who creates the data? • Who owns the data? • Who has responsibility for the data? • Who Uses the data • Who routes it 9
- 11. Why ? Why is the most important word in business Deming reminds us you don’t change culture you change behavior and culture is the result Celebrate every failure because it provides the opportunity to identify and swarm the problem 10
- 12. Summary • Data is the new currency • Opportunity to learn from the past • Think through security controls • Think through Data Governance • Think through security controls, more not always better, sometimes worse (remember the 5 locks) • Think through Data Governance, no organization will be exactly the same, there are too many variables that impact the strategy. 11
- 13. Links toTools and Papers Test Browser Fingerprint https://amiunique.org/ Protect against browser fingerprint https://amiunique.org/tools Exiftool – view metadata on files https://www.sno.phy.queensu.ca/~phil/exiftool/ Remove hidden files Adobe PDF https://helpx.adobe.com/acrobat/using/removing-sensitive- content-pdfs.html Remove hidden files Microsoft https://support.office.com/en-us/article/remove-hidden- data-and-personal-information-by-inspecting-documents- presentations-or-workbooks-356b7b5d-77af-44fe-a07f- 9aa4d085966f Web Browser Fingerprinting Article https://www.1and1.com/digitalguide/online-marketing/web- analytics/browser-fingerprints-tracking-without-cookies/ White Paper Web Browser Fingerprinting http://cs.ucsb.edu/~vigna/publications/2013_SP_cookieless. pdf 12
- 14. Questions ? 13