Awareness Program on Compliance in the Era of Technology

1
Awareness Program on Compliance in the Era of
Technology

• ICAI, Mumbai
• October 19, 2008

u
2
Agenda

1. Compliance Today
2. Business Risks
3. Evolving Security and Compliance landscape
4. Technology and IT value for business
5. Incidents and Security related industry
   information
6. Snapshot of Global Compliance requirements over
   time
7. Extracting Compliance ROI
8. Suggested Safeguards (unified framework)
9. Common regulatory reqmts (standards, etc)

• The technology solution
• Compliance spotlight PCI-DSS
• Leverage the technology solution
• VA/PT
• Continuous VA and Monitoring
• List of Tools
• Why VA/PT
• Web App Security, Secure Coding

3
Compliance Today

• Organizations have numerous Compliance
  requirements which keep growing by the day / hour
  / minute !
• Regulatory
• Standards / Best Practice Frameworks
• Industrial, Contractual, etc.

Much of the increase in cost is due to
duplication of regulation and ambiguous or
inconsistent rules -Securities Industry
Association, 2006

• Technology is constantly evolving providing new
  tools and methods to tackle the increasing
  information and compliance overload

4
Compliance Today

• Compliance with Compliance requirements takes up
  too much resources
• Compliance initiatives are considered Projects
  (e.g. SOX / PCI project) but these are
  continuous processes (benefits are not realized)
• Technology solutions will leverage Compliance
  efforts to enable Governance and Risk Management
  leading to Business gains (productivity,
  cost-savings)

Compliance must be part of your organization
DNA Regulatory Compliance is not just a legal
requirement but a critical business function.
5
Business Risks
What is at Risk

• Operational risk
• Physical damage/theft
• Services not available
• Market risk
• Lost customers
• Global partners
• Legal risk
• SLAs
• Lawsuits
• Regulatory
• Compliance
• Financial Risk
• Claims and losses
• Quantification of information assets/impact

• Information on your network
• Databases
• Intellectual Property
• Financial Information
• Personally Identifiable Information
• Reputation Market Value

6
(No Transcript)
7
Technology and Information Made People Smarter

• Google
• Luhns algorithm (to validate any credit card)
• VB based basic key loggers
• Web based IP tools, DNS network tools, traceroute
  etc
• Network tools
• Nmap
• Nessus etc. All available online
• Password cracking tools

8
(No Transcript)
9
Incidents (2000-2007)

• According to Attrition Data Loss Archive and
  Database and FlowingData, following are the 10
  largest data breaches since 2000
  (http//flowingdata.com/2008/03/14/10-largest-data
  -breaches-since-2000-millions-affected/)

• Is there a trend? Yes, numbers are growing!

10
Are we safe in 2008?

• UK Government Depts. reported loss of 29 million
  records in last one year (August 2008)
• Countrywide Financial Corp. possible all 2
  million records were sold (August 2008)
• If sensitive data only includes SSNs and
  financial account data and not date of birth and
  email ids then should we decide Facebooks 80
  million records as a data breach? (July 2008)
• Bank of New York Mellon, PA as many as 4.5
  million customer records are thought to be
  compromised (March 2008)
• Compass Bank 1 million (March 2008)
• Hannaford Bros. supermarket chain 4.2 million
  (March 2008)
• Trend Numbers are still growing!

11
Some Facts

• Who are behind these breaches
• External sources including past employees
• Insiders
• Business partners
• Multiple parties
• How these breaches are caused
• Business process errors or no policy/procedural
  controls
• Hacking and intrusions including malicious code
• System/Application vulnerabilities including for
  those patches already exist
• Physical threats
• Mostly
• Victims dont know that breach has occurred or
  more often aware of the criticality of the
  data/information
• Mostly breaches are opportunistic in nature
• More than 90 breaches are avoidable

12
Some Insights drivers for security spend
By 2008, more than 75 of large and midsize
companies will purchase new compliance
management, monitoring, and automation
solutions. By 2009, compliance will grow to
14.2 of IT budget from 12 in 2006. Source
Gartner 2007
13
(No Transcript)
14
Common Regulatory Reqmts /Standards / Frameworks
/ Guidelines

• HIPAA/GLBA
• Sarbanes Oxley
• Basel II
• PCAOB
• SAS 70
• Privacy Laws (e.g.PIPEDA)
• many more..

• Clause 49 (SEBI Guideline, Government of India)
• CTCL
• ISO27001 2005
• 133 Control objectives
• PCI-DSS
• 12 requirements
• CobiT
• NERC-CIP
• BS25999
• ITIL
• Data Protection Act
• IT Act and applicable Criminal / Civil
  legislation

15
Extracting Compliance ROI

• Organizations must plan beyond Compliance
• Better Security means reduced / managed risk
• Managed (reduced) risk means better business
• Operational efficiencies result from compliance
  efforts
• Approach Compliance as a as a business process,
  not as requirement / overhead
• Use learning to shorten future compliance cycles
• Identify opportunities to build unified
  compliance ecosystem
• Lead the organization to Industry certifications
  resulting in higher brand value
• Eliminate the risk of penalties for
  non-compliance
• Address multiple compliance requirements in a
  unified approach

16
Suggested Safeguards
17
Suggested Safeguards
18
(No Transcript)
19
Technology Solution

• Systems must be developed providing a risk based
  approach that is aligned with Business,
  Regulatory and Contractual requirements
• Leverage technology and co-ordinate Security
  spend with Compliance with the overall objective
  achieve Governance (automation)
• Technology practices to enable proactive security
  Risk management
• Vulnerability Assessment / Penetration Testing
  (VA/PT)
• Web Application Security (AppSec)
• Code Review
• Continuous Vulnerability Management
• Managed Security Services

20
Compliance Spotlight PCI Data Security
Standard
21
Compliance Spotlight PCI-DSS

• Requirement 5 and 6 (Maintain Vulnerability
  Management Program)
• Stay Current on versions (Anti Virus, Patches,
  Systems, Configuration)
• Monitor Custom Web applications
• SDLC (do we practice secure coding)
• Invest in automated tools
• Secure Audit Logs
• Requirement 10 and 11 (Regularly Monitor Test
  Networks)
• Monitor Systems for Intrusions and Anomalies
• Implement Reporting and Analysis Tools
• Centralize and Secure Data

• ISO27001 A.15 Compliance
• Compliance with Legal Requirements
• Compliance with Security Policies, and standards
  and technical compliance

ISO27001 A.12.6 Technical Vulnerability
Management
22
Leverage the Technology Solution
23
Leverage the Technology Solution
Results allow the organization to compare
findings against known vulnerabilities and
prioritize remediation by implementing controls.
Provides a health report on the organization
security posture. All Standards, Regulations,
Frameworks recommend (or require) Network
Assessments as an essential practice.
Helps determine whether the controls are in fact
preventing the vulnerability from actually
endangering the network. A well-executed
penetration test can identify the most critical
holes in an organizations defensive net
including the holes exploited by social
engineering. pen tests are best used as a way to
get an extra set of eyes on a network after major
system upgrades.
24
Leverage the Technology Solution
Provides a 24 x 7 x 365 watch on network traffic
and is available as a Managed Security Service.
Traffic is monitored and events (incidents) are
correlated against updated industry Common
Vulnerability Exposure (CVE) database.
Reports are available online to client via a
web interface which will provide information
about the threat(s) and remediation plans.
25
VA/PT
Undertaken by qualified professionals
Methodology includes use of automated tools
augmented with manual skills Meet regulatory
requirements (PCI-DSS, HIPAA, GLBA, PIPEDA, etc.)
Organizations can realize their true security
level Measure IT security effectiveness
Identify and remediate potential breach points
reducing security risk and liability Benchmark /
baseline security posture Certifications
Certified Vulnerability Assessor (CVA) (Secure
Matrix - DNV) CEH (EC Council) CISSP
(ISC2) certifications in Forensics, Fraud
(Secure Matrix) Commonly used Tools for VA/PT
(commercial / open source) Nessus, GFI Languard
(c), Nmap Metasploit, Canvas (c), etc.
26
List of Tools (indicative)
Vulnerability Assessment Vulnerability Assessment
Nessus Nessus is one of the most popular and widely used vulnerability assessment scanner with nearly 14,000 plugins.
GFI Languard GFI Languard is a commercial vulnerability assessment scanner with neat reporting capabilities.
Netcat Netcat is a network debugging and exploration tool
Hping This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This is to map out firewall rulesets.
Nikto A comprehensive webserver scanner
Sam Spade Windows network query tool
Web Inspect Web Application Scanner
Firewalk An Advanced traceroute tool
Penetration Testing Penetration Testing
Metasploit Framework This is a framework to deploy vulnerability exploits and payloads. Securematrix has created a database of nearly 100 exploits in this framework
Canvas A Commercial Penetration Testing tool
Core Impact A Commercial Penetration Testing tool
SAINT A commercial Penetration Testing tool
CenZic A Commercial Web application testing tool
John the ripper powerful, flexible, and fast multi-platform password hash cracker
THC Hydra A Fast network authentication cracker which support many different services
Dsniff A suite of powerful network auditing and penetration-testing tools
Solarwinds Network discovery/monitoring/attack tools
27
Why VA/PT

• To catch a thief.. You have to think like one.
• You hack into your network to do a Vulnerability
  Assessment (VA), identifying vulnerabilities in
  the same manner as they may be visible to an
  intruder like open ports.
• Following up a VA is the Penetration Test you
  are taking advantage of the vulnerabilities by
  penetrating the network.
• When you test all IP addresses that are visible
  to the outside world you can get answers to
  sticky questions like
• Can an intruder hop on to the conference room
  network ?
• Is it possible for the intruder to connect to the
  database server ?
• What can you do (that which no one wants an
  intruder to do!) ??

28
Presented by
Dinesh Bareja CISA, CISM, ITIL, IPR, ERM, BS
7799 (Imp LA) - Senior Vice President Email
dinesh_at_securematrix.in
Information Security professional, having more
than 11 years of experience in technology in
commercial, operational, functional and Project
Management roles on multiple large and small
projects in global and domestic
markets.   Experienced in establishing ISMS
(Information Security Management System),
planning and implementation of large scale CobiT
implementation, ISO 27001, Risk Management,
BCP/DR, BIA, Asset Management, Incident Mgt,
Governance and Compliance among others.   He is
also member of ISACA, OCEG, iTSMF and co-founder
of Canadian Honeynet Project and Open Security
Alliance among others.
29
Contact Information
Registered Office Mumbai 12 Oricon House, 14, K. Dubash Marg Fort, Mumbai 400 001 Tel 91 22 3253 7579 Fax91 22 2288 6152 Email info_at_securematrix.in Registered Office Mumbai 12 Oricon House, 14, K. Dubash Marg Fort, Mumbai 400 001 Tel 91 22 3253 7579 Fax91 22 2288 6152 Email info_at_securematrix.in
Technology Centre Pune Trident Towers 2nd Floor, Pashan Road Bavdhan, Pune - 411021 Email info_at_securematrix.in Technology Centre Chennai Plot No. 1, Door No. 5, Venkateshwara Street, Dhanalakshmi Colony, Vadapalani, Chennai 600026 Email info_at_securematrix.in
Dubai P O Box 5207 Dubai Email dubai_at_securematrix.in London 16-20 Ealing Road Wembley Middlesex Hao 4TL Email london_at_securematrix.in
Bahrain Atlanta
30
Thank You ICAI, Mumbai