Reasonable Security 1
Reasonable Security - What does that look like?
David Shaw, Principal Consultant (Advisory), APJ - Pacific
New Zealand Privacy Week 2014 Technology and Privacy Forums
What ‘Reasonable’ means
Having sound judgement; fair and sensible
Based on good sense
Able to reason logically
(Of a price or product) not too expensive
www.oxforddictionaries.com/definition/english/reasonable
Guidance on ‘Reasonable’ from the OAIC (Office of the Australian Information Commissioner)
Governance
ICT security
Data breach
Physical security
Personnel security and training
Workplace policies
Information lifecycle
Monitoring and review
Whitelisting and blacklisting
Software security
Access
Encryption
Network security
Testing
Backing up
Communications security
Software Security – Simple Questions!
Security software deployment to all network components?
Latest versions of software and applications in use?
Patches and security updates to applications and operating systems up to date?
Operating system latest version, updates, fixes, enhancements installed?
Security software up to date?
Unwanted system functions disabled?
Applications and web browsers configured for maximum security?
Email attachments scanned before they are opened?
Files scanned and checked for abnormalities at workstation level?
Security measures for web applications?
Security and Privacy
Information Security
Privacy
Other mandates for compliance
Risk
We will bankrupt ourselves in the vain search for absolute security.
Dwight D. Eisenhower (1890–1969), 34th President of the United States
Does risk management of information security influence business owners?
Gartner Global Risk Management Survey 2013
General perception
Spending More
Stopping Less
What is Risk?
(Diagram: Asset, Threat, Vulnerability)
What is Risk?
(Diagram: Negative side: Asset, Threat, Vulnerability; Positive side: A, O, S)
Security architecture
http://www.opensecurityarchitecture.org
Security Architecture
Controls
IT System and Data Assets
Risk
Business Process
Policies
Laws and Regulations
Standards and Guidance
Security Architecture
Controls
IT System and Data Assets
Risk
Policies
Laws and Regulations
Standards and Guidance
Business Process
Assurance
Controls
People
Process
Technology
Information-centric model
(Diagram)
INFORMATION GOVERNANCE: POLICY | COMPLIANCE | IDENTITY | REMEDIATION | REPORTING
INFORMATION INTELLIGENCE: DISCOVERY | OWNERSHIP | THREATS | CLASSIFICATION
INFORMATION INFRASTRUCTURE (PHYSICAL | VIRTUAL | MOBILE | CLOUD): SECURITY | ENDPOINT MGMT | BACKUP & ARCHIVING | STORAGE MGMT | AVAILABILITY
Security Capabilities
Performance
(Timeline: Start -> Reconnaissance -> Incursion -> Discovery -> Capture & Exfiltrate -> Detection -> Fix)
Recent History
Symantec Internet Security Threat Report 19 (ISTR)
Recent History
Verizon 2014 Data Breach Investigations Report (DBIR)
Analysis of 2400+ breach cases from VERIS Community database
Realised Threats
Source: www.veriscommunity.net
Timeline: Compromise to Discovery (chart)
Discovery Method
• 26% internal, user report
• 2.6% internal, audit
• 0.95% internal, log review
• 0.47% internal, NIDS
• 0.47% internal, security alarm
Analysis of 2400+ breach cases from VERIS Community database
Performance of breached entities
Source: www.veriscommunity.net
Analysis of 2400+ breach cases from VERIS Community database
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
David Shaw
David_Shaw@symantec.com
+61 (0) 414 457 602