
Mike Hager, Enterprise Security Advisor, Unisys Corporation

It’s All About The Data

Threats Today Include

• A belief on the part of senior management that there are no serious threats directed at their company.

• Terrorist acts

• Natural disasters

• Criminal Acts

• Network Attacks

– Inside attacks

– Outside attacks

– Viruses/Malicious

The World We Live In Today

• General Internet attack trends are showing a 64% annual rate of growth.

• The average company experienced 32 attacks per week over the past 6 months.

• Two out of five companies that are hit by a disaster go out of business within 5 years.

• A Gartner report indicates that the average cost of network downtime is $42,000 per hour.

www.securitystats.com

Top 10 Management Mistakes Addressing Data Security

10. Believe that information security and disaster recovery are important issues, but believe they are important issues for someone else to handle.

9. Pretend the problem will go away if you simply ignore it.

8. Rely primarily on perimeter protection.

7. Fail to realize the value of their information and organizational reputation.

6. Believe that it will never happen to them.

5. Fail to understand the relationship between information security, disaster recovery and the business.

4. Use technology as a fix and not a solution.

3. Address security as an afterthought, i.e. something we can add later.

2. Look at security as an expense, not an investment.

1. Fail to develop a system of information classification and to establish minimum protection requirements for each level of classified data.

What Has Been Our Approach?

Building Bigger and More Complex Walls

We Have Created the M & M Effect: a hard shell around a soft center.

Where Do You Begin?

You begin by identifying what to protect.

If you don’t know what to protect, how do you know how to protect it?

Without knowing what to protect you end up either over-protecting or under-protecting your valuable, critical and sensitive information. Neither of which is a “good thing”.

Element I

Companies must engage in sound business and security practices that afford critical and sensitive information adequate protection, resulting in an acceptable level of risk against loss, improper use, compromise, unauthorized alteration or modification.

Element II

Protection programs must be flexible and capable of addressing all information protection needs in the ever changing business and technical environment.

Element III

Protection programs must be focused on actual threats. Strategies must be developed that are based on sound business practices.

Element IV

Protection programs must ensure the confidentiality and integrity of critical systems and sensitive information, while ensuring its availability to those who need it to perform their assigned duties and tasks.

Federal Regulation Impact On Security

New HIPAA and SEC regulations, based on the Gramm-Leach-Bliley Act and Sarbanes-Oxley, require that we adopt policies and procedures reasonably designed to:

1. Ensure the security and confidentiality of customer records and information.

2. Protect against any anticipated threat or hazard to the security and integrity of customer records and information.

3. Protect against unauthorized acts as to the use of customer records or information that could result in substantial harm or inconvenience to any customer.

Information Security - Key Questions

• Do you have a system of Information Classification that outlines minimum protection requirements for each level of data?

• Do you have a network security strategy that addresses a layered approach to protection?

• Do you know where all sensitive Data resides?

• Have you identified who can access the data?

• Have you identified how to protect the data during transmission?

• Have you identified how to protect the data stored in your network?
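The first of these questions, a classification scheme with minimum protection requirements per level (also mistake #1 in the list above), can be turned into a check that is actually run against an inventory. The following is an added example, not code from the presentation or from Unisys; the classification levels, control names and the sample inventory are all hypothetical and constructed for illustration. It reports, per data store, which controls its highest classification level demands but the store lacks, which is exactly the "under-protecting" case the deck warns about.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Classification levels, lowest to highest (hypothetical scheme)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Minimum protection requirements per level: the controls that must be in
# place before data at that level may reside on a store. Hypothetical policy;
# a real one would come from the company's own classification standard.
MINIMUM_CONTROLS = {
    Classification.PUBLIC: set(),
    Classification.INTERNAL: {"authn"},
    Classification.CONFIDENTIAL: {"authn", "rbac", "tls_in_transit", "access_log"},
    Classification.RESTRICTED: {"authn", "rbac", "tls_in_transit", "access_log",
                                "mfa", "encrypted_at_rest"},
}


@dataclass
class DataStore:
    name: str
    highest_level: Classification      # most sensitive data known to reside here
    controls: set = field(default_factory=set)  # controls actually deployed


def missing_controls(store):
    """Controls required by the store's highest classification but not present."""
    return MINIMUM_CONTROLS[store.highest_level] - store.controls


def audit(stores):
    """Map each store name to the sorted list of controls it is missing."""
    return {s.name: sorted(missing_controls(s)) for s in stores}


# Constructed sample inventory (not real systems).
INVENTORY = [
    DataStore("public-website", Classification.PUBLIC, {"tls_in_transit"}),
    DataStore("hr-fileshare", Classification.RESTRICTED,
              {"authn", "rbac", "access_log"}),
    DataStore("crm-db", Classification.CONFIDENTIAL,
              {"authn", "rbac", "tls_in_transit", "access_log", "encrypted_at_rest"}),
]

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        status = "OK" if not gaps else "GAP: " + ", ".join(gaps)
        print(f"{name:16} {status}")
```

The point of keying requirements to the classification level rather than to individual systems is that the policy stays small and the inventory carries the facts; answering "where does sensitive data reside?" (the third question above) is then the only input the audit needs.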

Network Protection Strategy

A well-conceived network protection strategy should take a layered approach. At a minimum it should include three layers of protection:

• The Gateway Layer - Answers the question, “Can I come in?”

• The Control Layer - Answers the question, “Where can I go?”

• The Data Layer - Answers the question, “What can I do?”

Data Protection Strategy

Layered Approach (diagram): Gateway Layer, Control Layer, Data Layer

The Gateway Layer

Answers the question “Can I come in?”

Allows you to address how access is gained to your networks:

• Firewalls

• Intrusion Detection Systems

• Modems

• Remote Access such as VPN and ExtraNets

• User authentication methods

Gateway Layer Considerations

• Do you rely solely on the “password” as your method of authentication to protect critical data and systems?

• Have you tested your password strength with a password cracker such as “L0phtCrack”?

• Keep in mind that the Gateway level protection does little to protect against the insider threat.

Benefits of Completing The Gateway Layer

• Eliminates reliance on “passwords” as the only means of protection, thus eliminating risk and liabilities.

• Sets the architectural foundation for future e-business.

• Provides foundation for secure remote access.

• Provides your company with the ability to identify and react to all attacks directed at your networks from outside the company.

The Control Layer

Answers the question, “Where can I go?”

• Does your security access control program implement a role-based security model?

• Do these roles identify exactly what each employee has and can have access to?

Bottom Line: Do you really know who has access to what, and can you control it?

Control Layer Considerations

• Is your access control model and/or strategy based on a business need to know?

• Have you identified who should and can have your sensitive data?

• Have you considered the implementation of a strategy and tools that will allow you to effectively identify and manage a “role-based” access control model?

Benefits of The Control Layer

• Provides you with the ability to manage access administration across heterogeneous environments.

• Allows you to quickly turn on and turn off access.

• Replaces your current traditional “paper trail” of access requests with a fast and accurate electronic workflow approach.

• Provides an audit trail and strong security by consolidating all access information into a single database.

• Provides you with the means to quickly set up access for new applications implemented by the company.

• Takes control of the management of access within your applications and networks.

• Increases productivity by eliminating all but a single password for the majority of users.

The Data Layer

Answers the question, “What can I do?”

Do you have the methodology to identify and restrict the abilities of each user?

1. Can all users read all data?

2. Can all users modify all data?

3. Can all users delete all data?

4. Can you restrict what each user can do based on the user’s role?
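The three layers described above, together with the control-layer questions ("Does your program implement a role-based model?", "Do you really know who has access to what?"), can be written down as one ordered authorization check. This is an added example, not code from the presentation or from Unisys; the roles, resources, actions and MFA rule are hypothetical. Each layer can refuse, and the function reports which one did, so a denial can be traced to the gateway (no or weak authentication), the control layer (resource not reachable by any of the user's roles) or the data layer (resource reachable, but read, modify and delete are granted separately). A second function answers the "who has access to what" question for an access review.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool   # gateway: did the user authenticate at all?
    mfa: bool             # gateway: was a second factor used, not only a password?
    roles: frozenset      # roles assigned to the user


# Control layer ("Where can I go?"): resources each role may reach at all.
# Hypothetical roles and resources.
ROLE_RESOURCES = {
    "clerk":   {"orders"},
    "analyst": {"orders", "reports"},
    "hr":      {"personnel"},
    "admin":   {"orders", "reports", "personnel"},
}

# Data layer ("What can I do?"): actions each role may perform per resource.
# Read, modify and delete are separate grants, so "reach" never implies "change".
ROLE_ACTIONS = {
    ("clerk", "orders"):    {"read", "modify"},
    ("analyst", "orders"):  {"read"},
    ("analyst", "reports"): {"read", "modify"},
    ("hr", "personnel"):    {"read", "modify", "delete"},
    ("admin", "orders"):    {"read", "modify", "delete"},
    ("admin", "reports"):   {"read", "modify", "delete"},
    ("admin", "personnel"): {"read"},
}

# Gateway layer ("Can I come in?"): resources a password alone may not unlock.
MFA_REQUIRED = {"personnel"}


def authorize(session, resource, action):
    """Evaluate the three layers in order; return (allowed, layer_that_decided)."""
    # Gateway layer: is the caller authenticated strongly enough for this resource?
    if not session.authenticated:
        return False, "gateway"
    if resource in MFA_REQUIRED and not session.mfa:
        return False, "gateway"
    # Control layer: does any of the caller's roles reach this resource at all?
    if not any(resource in ROLE_RESOURCES.get(r, set()) for r in session.roles):
        return False, "control"
    # Data layer: does any of those roles grant this specific action here?
    if not any(action in ROLE_ACTIONS.get((r, resource), set()) for r in session.roles):
        return False, "data"
    return True, "data"


def entitlements(roles):
    """Answer 'who has access to what': resource -> sorted actions for a role set."""
    out = {}
    for r in roles:
        for resource in ROLE_RESOURCES.get(r, set()):
            out.setdefault(resource, set()).update(ROLE_ACTIONS.get((r, resource), set()))
    return {res: sorted(acts) for res, acts in sorted(out.items())}


if __name__ == "__main__":
    analyst = Session("alice", True, False, frozenset({"analyst"}))
    hr_no_mfa = Session("bob", True, False, frozenset({"hr"}))
    print(authorize(analyst, "orders", "read"))       # (True, 'data')
    print(authorize(analyst, "orders", "delete"))     # (False, 'data')
    print(authorize(analyst, "reports", "modify"))    # (True, 'data')
    print(authorize(hr_no_mfa, "personnel", "read"))  # (False, 'gateway')
    print(entitlements({"analyst", "clerk"}))
```

Because every grant lives in two small tables rather than in application code, the "paper trail" of access requests becomes a diff of those tables, and removing a role from a session turns access off everywhere at once, which is the quick turn-on/turn-off benefit the control layer section claims.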

Components of the Data Layer

• Use of strong Passwords to protect data

• Use of Encryption to protect sensitive data

• Use of Digital Rights Management

• PKI as a solution to access control

• Smart Cards and Tokens to access data

Incident Response

All Data is Subject to Compromise and Loss!

The ability to identify that you are being attacked, to contain the attacker and to terminate the attacker’s access can limit the amount of damage that can be caused. These are key elements and are essential to surviving an attack.
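The three incident response elements named above (identify, contain, terminate access) map onto a small detection-and-response routine over authentication logs. This is an added example, not from the presentation or from Unisys; the log format, the threshold of five failures per minute and the sample log lines are all constructed for illustration. It identifies a source that exceeds the failure threshold within the window, proposes blocking that source (containment) and lists any session that source managed to establish after the alert (the access to terminate).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<timestamp> OK|FAIL user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample authentication log (not real data).
SAMPLE_LOG = """\
2015-12-01T09:00:01 OK user=alice src=10.0.0.5
2015-12-01T09:00:10 FAIL user=bob src=203.0.113.7
2015-12-01T09:00:11 FAIL user=bob src=203.0.113.7
2015-12-01T09:00:12 FAIL user=carol src=203.0.113.7
2015-12-01T09:00:13 FAIL user=dave src=203.0.113.7
2015-12-01T09:00:14 FAIL user=erin src=203.0.113.7
2015-12-01T09:00:20 OK user=erin src=203.0.113.7
2015-12-01T09:05:00 FAIL user=alice src=10.0.0.5
2015-12-01T09:30:00 FAIL user=alice src=10.0.0.5
"""

THRESHOLD = 5                 # failures from one source ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window raise an alert


def parse(text):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect(text):
    """Identify: return {src: time_of_first_alert} for sources over the threshold."""
    recent = defaultdict(deque)   # per source, failure timestamps inside the window
    alerts = {}
    for ts, result, user, src in parse(text):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD and src not in alerts:
            alerts[src] = ts
    return alerts


def respond(text):
    """Contain and terminate: sources to block, and sessions opened from a flagged
    source at or after its alert time, which are the ones to revoke."""
    alerts = detect(text)
    to_terminate = [(user, src, ts) for ts, result, user, src in parse(text)
                    if result == "OK" and src in alerts and ts >= alerts[src]]
    return {"block": sorted(alerts), "terminate": to_terminate}


if __name__ == "__main__":
    plan = respond(SAMPLE_LOG)
    print("block sources:", plan["block"])
    for user, src, ts in plan["terminate"]:
        print(f"terminate session of {user} from {src} opened at {ts.isoformat()}")
```

Note that alice's two failures are fifteen minutes apart, so the sliding window never accumulates them into an alert; the window is what separates an ordinary mistyped password from a burst that needs a response. In a real deployment the block and terminate lists would feed the firewall at the gateway layer and the session store behind the control layer rather than being printed.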

Remember

More Security Doesn’t Always Make You More Secure…

Better Planning and Management Does

Managing the Risks

The world has changed dramatically based on the events of the past few years. We have learned that building more and higher walls by itself does little to ensure that critical and sensitive data receives adequate protection. We now must look not only at how we protect our networks but at how we protect the actual data.

Remember – It’s All About The Data

When it comes to addressing our business risks, we never plan to fail.

We just fail to plan!

Closing Thought

Questions?

David “Mike” Hager, Enterprise Security Advisor, Unisys.

[email protected]

Remember It’s All About The Data