Strategies & Tactics for Data Security - PowerPoint Presentation

Uploaded On 2018-01-01

Panel Discussion: David Lewis, OperationsInc; Patrick Manzo, Monster; Steve Roosa, Holland & Knight; Andy Hibel, HigherEdJobs. 2015 IAEWS Fall Congress, Data Security. ID: 618737



Presentation Transcript

Slide1

Strategies & Tactics for Data Security

Panel Discussion David Lewis, OperationsInc; Patrick Manzo, Monster; Steve Roosa, Holland & Knight; Andy Hibel, HigherEdJobs

2015

IAEWS Fall Congress

Slide2

Data Security?

Slide3

2015 MasterCard Security Survey

Concerned About:
- Being Pick Pocketed: 46%
- Home Being Robbed: 59%
- Email Being Hacked: 62%
- Financial Info Stolen: 77%

Behaviors:
- Check Financial Info on Public Networks: 39%
- "Rarely if at All" Change Passwords for Financial Info: 46%

Slide4

Naked . . . But Secure . . .

55% of Americans Would Rather Have Naked Pictures Leaked Than Financial Data

Slide5

Matter of Trust

Slide6

Distinguishing Security v. Privacy

Slide7

Privacy Issues—Intentional Collection, Use, and Sharing

Privacy Involves the Consequences of Collection, Use, and Sharing of Data (Especially Personally Identifiable Information) with:
- Advertisers and marketing companies
- Analytics companies
- Hosted solutions
- Social network functions
- 3rd party service providers
- Other users
- Other businesses
- Data brokers

Slide8

Security Issues—When Things Break

Unintended or Unauthorized Access/Disclosure:
- Malware
- Stolen passwords
- Exploits of vulnerabilities (e.g., Heartbleed)
- Insider data theft
- Remote hacks and network intrusion
- Injection attacks against databases

Slide9

Technical Safeguards, Protections, Countermeasures
- Intrusion detection systems
- Logging
- Firewalls
- 2FA
- Anti-Virus
- Sanitizing database inputs
- Encryption in transit
- Encryption at rest
- Secure coding practices

Slide10

Incident Response Plans
- Train on them
- Update them
- Must be short enough to be actionable
- Communications should maintain privilege
- Involve: Legal, PR, and Information Security
- Have breach counsel and response vendor vetted and selected in advance

Slide11

The Cloud…

Slide12

Cloud Services
- Determine if you can even use a cloud solution based on legal requirements.
- If you don't encrypt data before it is sent to the cloud, the cloud provider technically has physical access to the data.
- Have your security team compare the security procedures you follow internally to those of the cloud, and identify any shortcomings on the part of the cloud provider.
- Push back against cloud providers on terms.
- AWS v. Azure
- Begin with the end in mind: intercloud transition.

Slide13
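The encrypt-before-upload point on this slide, as an added Go example that is not from the panel or the deck: each record is sealed with AES-256-GCM under a key that stays with the client, so what the provider stores (and can physically access) is only ciphertext, and any change made to the object while it sat in storage is rejected on decryption. The 32-byte random key and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-GCM from a 16/24/32-byte key that only the client holds.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForCloud encrypts locally before upload; storage gets nonce||ct||tag only.
func SealForCloud(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // nonce prefixed to blob
}

// OpenFromCloud decrypts a fetched blob; the GCM tag check rejects any tampering done in storage.
func OpenFromCloud(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob too short to hold a nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // client-held; never sent to the provider
	rand.Read(key)
	blob, _ := SealForCloud(key, []byte("constructed sample: SSN 000-00-0000"))
	pt, err := OpenFromCloud(key, blob)
	fmt.Printf("provider stores %d opaque bytes; client recovers %q (err=%v)\n", len(blob), pt, err)
}
```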

Managing 3rd Party Risk

Contractual Constraints:
- Indemnity
- Right to audit
- Insurance requirements
- Reps and Warranties
- Incident Response provisions
- Static code analysis for 3rd party vulnerabilities
- Compliance with OWASP ASVS Level 2 (see next slide)
- Other due diligence

Slide14

OWASP's Standards Are Excellent (Open Web Application Security Project)

ASVS – Application Security Verification Standard Project

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.

https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf

Slide15

Slide16

Slide17

Conclusion - Contact Info

Write Down Something You Will Do As First Step

- David Lewis, OperationsInc: dlewis@operationsinc.com
- Patrick Manzo, Monster: Patrick.Manzo@monster.com
- Steve Roosa, Holland & Knight: steven.roosa@hklaw.com
- Andy Hibel, HigherEdJobs: ahibel@higheredjobs.com