E-Discovery

Slides: 46
Provided by: PaulLa51
Transcript and Presenter's Notes

1
Massachusetts Digital Government Summit
Navigating Privacy and Security
Paul Laurent, J.D., M.S., CISSP
Security & Compliance Solutions
paul.laurent@oracle.com
http://delicious.com/paul.laurent
2
An Introduction
3
Why is it so difficult to balance security & privacy?
  • The Long Tail of Cybercrime
  • Increased interest & exposure
  • Complexity of IT
  • More attack vectors
  • Governance Gone Wild!
  • Reading the Alphabet Soup

4
The Strong Push for Internal Controls: Private Sector Woes
5
The Long Tail of CyberCrime
6
What Accounts for the Long Tail?
  • Financial Incentives
  • Low Barriers to Entry
  • Automation

7
Financial Incentives
  • Commoditization of Human Identity

8
Financial Incentives
  • Inherent Value of Data
  • Lines of Credit (well, before October it was)
  • Prevalence of Online Transactions and Processes
  • Data and Metadata Useful for Corroborating Other Uses

9
Financial Incentives
  • Black sites & Underground Economy
  • Anonymous, Low-risk Outlets for Stolen Credentials and Data
  • Communication and Networking Draw Highest Bidder Prices
  • DBA Training?

10
Low Barriers to Entry
  • Toolkits
  • No Coding, OS, Network Experience Needed
  • Configurable, Plug-n-Play
  • For Free, For Sale, For Recruiting
  • Jeanson James Ancheta: "I learned some more VB, but I still suck at it"

11
Low Barriers to Entry
  • Automation
  • Massive Infection Vectors Through Vulnerability Searching
  • Leverage Google as an Infection Tool
  • Security Through Obscurity Fatal

12
Low Barriers to Entry
  • CrimeWare-as-a-Service (ASP Model)
  • Primarily Relies On Bulletproof Hosting
  • Requires Far Less Tact and Covert Activity, Relies More On Anonymous
    CrimeWare Servers Largely Unreachable By Law Enforcement

13
Why is it so difficult to balance security/compliance?
  • The Long Tail of Cybercrime
  • More reason to attack
  • Complexity of IT
  • More attack vectors
  • Governance Gone Wild!
  • Reading the Alphabet Soup

14
An Evolution
15
(No Transcript)
16
Client-Server Architecture
17
Distributed System
18
The Internet Cloud
19
(No Transcript)
20
Cloud's Relation To Web & E2.0
  • What Exactly IS Web/Enterprise 2.0???
  • SLATES
      • Search
      • Links
      • Authoring
      • Tags
      • Extensions
      • Signals
  • Web 2.0 is about touch and interaction

21
So What?
22
Clausewitz Says
(Paul paraphrases)
COMPLEXITY IS BAD
23
Web Service/Web 2.0 Perspective
24
Security Perspective
25
The Results
26
Why is it so difficult to balance security/compliance?
  • The Long Tail of Cybercrime
  • More reason to attack
  • Complexity of IT
  • More attack vectors
  • Governance Gone Wild!
  • Reading the Alphabet Soup
  • The Good News!

27
Another Evolution
28
(No Transcript)
29
1386 Ramifications
  • 44 Other states adopt in whole or in part
  • MGL 93H (SB 173)
  • Game Changer
  • Public Sector ROI
  • 3 Federal initiatives to codify
      • Personal Data Privacy and Security Act
      • Notification of Risk to Personal Data Act
      • Federal Agency Data Breach Protection Act
  • Common Law
      • Bell v. Michigan Council

30
Evolution of Internal Controls
  • Role Based Provisioning
  • Separation of Duties
  • InfoSec Appointees
  • Risk Assessments
  • Governance
      • Sarbanes-Oxley Act
      • Gramm-Leach-Bliley Act
      • Health Insurance Portability and Accountability Act

31
HIPAA into HITECH
  • Increased auditing and enforcement
  • Before: Atlanta's Piedmont Hospital
      • 42 questions
      • 10 days
  • Before: Provident First CAP Fines
  • NOW: The HITECH factor

32
(No Transcript)
33
About PCI
  • Clarity
  • How-Tos for implementation/testing
  • Authoritative Source
  • Accounts for Enterprise Realities
  • 12 Requirements or Domains
  • Differing levels of security
      • PAN, CVV, internal/external, etc.
  • Protecting Crown Jewels
  • Gaining Traction & Mindshare
      • v1.2: ~125 changes, almost all clarifications
      • Growing scope: attestation, OWASP, WEP

34
Client-Server Architecture
35
Distributed System
36
(No Transcript)
37
Good News
  • We know where compliance is heading

38
The Next 1386?
39
NRS 597.970
40
Good News
  • We know where compliance is heading
  • Leverage frameworks & best practices

41
The Gravity of Governance: Overlap in Frameworks & Compliance
  • Compliance concerns
      • HIPAA
      • PCI
      • SB 1386 (HB 1633)
      • Industry Specific (SOX, IRS 1075, FERPA, CFR 28, etc.)
  • Frameworks
      • ISO 27001/2
      • ITIL
      • COSO/COBIT
      • FISMA (NIST 800-53)
      • CMMI and others

[Chart: "Security Controls Sophistication" scale, from "No Security Governance" at the bottom, through "Most IT Shops Are Here (limited, informal controls)" and "Likely finding of legal negligence below this threshold", up to "Best Practice Framework" at the top. Annotations: most frameworks cover 75-85% of the same technology controls; most laws (PCI, HIPAA, etc.) are written to address limited issues in this range.]
42
Comparison
PCI DSS v1.2 (Requirements)                        | NIST 800-53 (Domains)
Build and Maintain a Secure Network (1, 2)         | Sys/Svc Acquisition (SA), Sys/Comm Protection (SC)
Protect Cardholder Data (3, 4)                     | Sys & Info Integrity (SI), Media Protection (MP)
Implement Strong Access Control Measures (7, 8, 9) | Access Controls (AC), Ident/Authentication (IA)
Regularly Monitor & Test Networks (10, 11)         | Audit & Accountability (AU)
Maintain an Information Security Policy (12)       | Awareness and Training (AT)
43
Good News
  • We know where compliance is heading
  • Leverage frameworks & best practices
  • Utilize partnerships to our advantage

44
Grassroots
  • People
  • Process
  • Partners
      • States/Agencies
      • Vendors
      • Thought Leaders
          • NIST
          • PCI

45
(No Transcript)