Application Security: Business Risk and Data Protection - Gregory Neuhaus, Assistant Commissioner, Disaster Recovery (PowerPoint PPT Presentation)

About This Presentation
Title:

Application Security Business Risk and Data Protection Gregory Neuhaus Assistant Commissioner Disaster Recovery

Description:

Examples of Business Vulnerabilities. Data Classification and Protection. What ... TJ stores (TJX), including TJMaxx, Marshalls, Winners, HomeSense, AJWright, ...

Number of Views:38
Avg rating:3.0/5.0
Slides: 13
Provided by: nong6

Transcript and Presenter's Notes

1
Application Security: Business Risk and Data Protection
Gregory Neuhaus, Assistant Commissioner, Disaster Recovery
2
  • Agenda
  • Application Security - How Much is Enough?
  • Business Risk
  • Examples of Business Vulnerabilities
  • Data Classification and Protection
  • What Can Be Done?
  • Lessons Learned

3
  • Business Risk: Know Your Business
  • Reputation of your organization: your
    organization makes the news. Goals of threats:
    sabotage, retaliation, financial gain, celebrity.
  • Impact to critical functions within your
    organization: what are your Business Contingency
    and Disaster Recovery plans for the asset?
  • Impact to client services: how will you provide
    services?
  • Loss of productivity and/or financial loss: is
    the application key to employee work or to the
    financial viability of your organization?
  • Employees with excessive rights or access to
    confidential data: the threat is from within!
  • Data loss or breach: you need to classify your data.
  • Regulatory compliance: what is your
    legal/regulatory liability?

4
  • Application Security is Not Just an IT Problem
  • It's an organizational problem
  • What are your risk factors?
  • Do you accept the risk?
  • What are the legal ramifications?
  • How will this affect the services you provide?
  • What is your data worth?
  • Who are your high-risk users?

5
  • Examples of Business Vulnerabilities
  • Ohio data breach
  • A 22-year-old intern was given the responsibility
    of safeguarding the personal information of
    thousands of state employees, a security
    procedure that ended up backfiring. The names
    and Social Security numbers of all 64,000 Ohio
    state employees were stolen last weekend from a
    state agency intern who left a backup data
    storage device in his car.
  • Horizon Blue Cross Blue Shield (Newark, NJ)
  • More than 300,000 members' names, Social Security
    numbers and other personal information were
    contained on a laptop computer that was stolen.
    The laptop was being taken home by an employee
    who regularly works with member data.

6
  • Examples of Business Vulnerabilities
  • Nebraska's Treasurer's Office
  • A hacker broke into a child-support computer
    system and may have obtained names, Social
    Security numbers and other information (such as
    tax identification numbers) for 9,000 businesses.
    309,000 individuals were affected.
  • TJ stores (TJX), including TJMaxx, Marshalls,
    Winners, HomeSense, AJWright and TKMaxx: The TJX
    Companies Inc. experienced an "unauthorized
    intrusion" into its computer systems that process
    and store customer transactions, including
    credit card, debit card, check, and merchandise
    return transactions. They discovered the
    intrusion in mid-December 2006. Transaction data
    from 2003 as well as mid-May through December
    2006 may have been accessed, along with
    45,700,000 credit and debit card account numbers.

7
  • Application Security - Risk Mitigation: What Can
    Be Done?
  • Understand your business risk
  • The data belongs to the business, not IT. Take
    ownership.
  • Understand who has access and what they can
    access.
  • Can you download data from your application?
  • Design/follow a security policy
  • Implement the security policy with proper security
    tools, procedures and best practices.
  • Use National Institute of Standards and
    Technology (NIST) guidance: http://www.nist.gov/
  • Audit and enforce the security policy

8
  • Does your organization have a Chief Information
    Security official?
  • Establish a security incident response process
    team.
  • Develop Business Contingency and Disaster
    Recovery plans for the application
  • Protect sensitive data through encryption and
    data classification
  • Follow good change management procedures
  • Test, Test, Test!

9
  • NYC Data Classification

NYC.GOV/INFOSEC
10
  • Real-world example of a data breach
  • Scenario: City public-facing applications had
    an application security flaw that exposed client
    information.
  • Why: the application was extensively modified,
    compromising the base security of the application.
  • Impact: the application was taken off the web site.
    The project was re-evaluated by oversight. The
    project was moved to another agency. A letter had
    to be sent to all users of the application. The
    senior project manager was terminated.

11
  • Lessons Learned
  • Testing: security testing is very important on
    applications with sensitive data, so penetration
    testing should be performed on such applications.
    Security scenarios should be part of unit, system
    and user testing. Exercise all user and
    administrator functions.
  • System Design: establish a formal accreditation
    process as part of the system design lifecycle.
    Plan for security and deal with security issues as
    part of planning, not as last-minute
    implementation items. This saves time and money.

12
  • Questions and Answers