1
Continuous Assurance Using Data Threat Modeling
Fouad Khalil, Vice President of Compliance, SecurityScorecard
2
Agenda
• What’s new?
• All about the Data
• Background
• Current state
• Regulatory perspective
• Threat Modeling Case Study
• Continuous Assurance
• Putting all this into practice
• Q & A
3
Latest Headlines
• Facebook prime example of privacy scandals (dating back to 2005); most recent potential $1.6B fine – Ireland Data Regulator
• British Airways PCI compliant but breached…
• Bupa fined for malicious insider privacy breach (£175,000 by UK regulators for “systematic data protection failures”)
• Google exposed private data of 1000s of Google+ users. Still under investigation.
4
A Quick Look Ahead
• Connected clouds (private, public, hybrid)
• Blockchain finally understood but a mess
• Data analytics, Machine Learning, AI
• GDPR global trend – companies measured by compliance
• Economy boom into 2019 but 2020 is a bit questionable
5
Are We Exposed?
• 45% of IoT buyers concerned about security (Bain & Co)
• 90% say IoT devices pose moderate to significant risk (Bain & Co)
• IoT market size expected to reach $457B by 2020 (Growthenabler)
• SaaS application security architectures are broken
• New compliance requirements and penalties drive pain level higher
• So many open or misconfigured servers in the cloud (Tesla, Walmart)
6
7
8
Best example of protected data? GDPR of course!!
Basic Information:
• Beliefs, thoughts, political allegiance, etc.
• Credentials (for authentication)
• Preferences and interests.
Financial Information:
• Accounts, financial status
• Ownership, structures
• Transactions, patterns
• Credit history
Social Information:
• Professional, career
• Criminal record
• Public life
• Family and relationships
• Social network
• Private communications
Real Time Data:
• Device-dependent tracking
• Contact information
• Location-based, e.g. geotagging
• Behavioral, i.e. usage patterns.
Added Information:
• Unique or semi-unique identifiers
• Ethnicity
• Sexual preferences
• Behavioral patterns
• Age, health, geography etc.
• Medical / health
• Physical data
Historical Information:
• Individual life experience
• Notable events
• Patterns allowing inference
• Etc.
9
SIG
GDPR
NY DFS
CA Privacy
HIPAA
ISO27K
SAMA
HiTrust
NIST 800-171
ISAE 3402
SOC2
NERC CIP
NESA
NIST CSF
PCI DSS
TISAX
EU Cyber Cert
CSA CMM
TruSight
MAS
PII legislations
DRAFT Digital Data Governance
CPS 234
Ghana Cyber Policy
Data Protection Regs
Cybersecurity law
Digital Privacy Act
NIST 800-53
FedRamp
PSD2
COBIT5
10
Background – All About the Data
• Enterprise competitiveness, regulatory considerations, process maturity
• Data key consideration to manage and monitor risk
• Manage changes to minimize risk
• Applying application threat modeling principles to data
• Methodically analyze applications to identify and map threats in post-prod – take an attacker’s viewpoint.
11
All About the Data
Competition
Regulations
Customer Engagements
Pursuit of new Markets
Maturity & Resiliency
Factor in everything of significance
The DATA!!
12
What Data changes to monitor
• Continuous changes impact the level of risk to data
• Changes in context, environmental factors and threat landscape
• What data changes to monitor (listing a few)
  o How the data is used
  o How data is protected (new, changed or removed controls)
  o Threats to which data is likely to be exposed
  o New or modified business activities change the impact if a compromise may now occur
13
Adopt a Hacker’s view
• Fairly easy to understand why
• Enterprises want to know how to realize the hacker’s vision
• Attacker sees data as a target accessible through a number of pathways
• Data is profit for hackers and breach potential for us
• Threat modeling exercise can help systematically evaluate an application
• Application threat modeling discipline has developed as an application security strategy
14
How Does Application Threat Modeling help?
• Assists in developing applications that are robust, resilient and hardened
• Maps the threats applications might encounter in production
• Enables addressing threats and monitoring conditions impacting data over time
• Enables better tracking of changes in data that impact risk
• Provides better visibility into data that intersects with the supply chain
• Enterprises use this model to understand the state of data (stored, transmitted or processed).
15
The Current State
• Best to understand existing conditions that pertain to data
• Two parallel transformations that make a thorny problem
  o Practical challenges in data management as data proliferates
  o Legal, regulatory and other mandatory requirements that govern how data is (or can be) used
• Practical challenges – how data is stored, processed and transmitted is changing:
  o Data consolidation: Denser data due to new data processing methods and increased analytical capabilities.
  o Data ubiquity: Data becoming more pervasive - spreads throughout the enterprise
  o Data expansion: Data becoming more plentiful.
  o Processing parallelization: Data increasingly being processed in parallel
16
Beyond the current state
• Organizations are witnessing transformations depending on business activities, industry and regulatory constraints.
• Organizations with even an accurate and solid inventory of assets may have a less clear idea of their data processing.
• Poor data inventory leads to challenges ranging from resources to time, and the data problem tends to compound over time.
• As enterprises become more externalized (supply chain), challenges may compound as new players come into play.
17
Regulatory requirements add to challenges
• Several regulations and standards impact data in difficult ways
• GDPR pertains to data that intersects with operations performed in the EU
• CA first state to enact a GDPR-like privacy law
• Breach disclosure requirements specify the what, how and when to notify of a breach
• Industry-specific standards add to the challenge, such as PCI DSS, HIPAA, HITECH.
18
Threat Modeling Case Study
Objectives:
1. Case Study Example based on Antonio Fontes (Threat Modeling, Detecting Web Application Threats Before Coding)
2. Understand the concept of Threat Modeling
3. Build an actionable Threat Model
4. Know when to build a threat model and how to document it
19
Threat Model Case Study
Newspaper that uses a standard news distribution channel
• They host a website on which articles are posted all day by the online editor
• They distribute a printed journal every day of the week.
• Content on the website is free
• The printed version is sold
20
Threat Model Case Study - Continued
• The company has decided to also sell an electronic edition of the newspaper
• Access to the content must be restricted to authorized customers
• The team is designing a feature to enable users to authenticate to access their account for payment.
• The board is worried about the threats associated with this decision.
21
Threat Modeling Steps
Understand the application
• Review Business Requirements
• Comprehend application configuration (technologies, architecture, functionalities, components)
• Role of application in the organization
• Be clear on the objective/drivers
  o Stay compliant
  o Protect against hackers
  o Never want system to be compromised
  o Protect user privacy
  o Avoid system downtime
22
Threat Modeling Steps
Understand the application…
• What are the use cases (how is the application used)?
• How are users authenticated?
• Understand the data classification
• Understand the data flow…especially financial flow
23
Threat Modeling Steps
Identify Potential Threat Sources
• Based on what we know, who might be interested in compromising the system
• Perform research to identify other sources (media, business owners, users)
• List all potential Threats
  o Hackers
  o Untrained employees
  o Disgruntled employees
  o Government
  o And so on...
24
Threat Modeling Steps
Identify Major Threat Sources
• Identify Threat Triggers
• Understand complete scenario
• Understand the likelihood
• Understand the impact
• Finalize major threat model
  o Threat, Source, Description of attack
25
Threat Modeling Steps
Identify Controls
• Document Threat with identified sources and attack description
• Develop controls to mitigate the likelihood and impact of the threat
  o Ensure controls are designed effectively
• Make recommendations on controls and prioritization
  o Based on asset criticality and threat likelihood and impact
26
Threat Model - Sample

| Threat | Source | Description | Likelihood | Control |
|---|---|---|---|---|
| Denial of Service Attack | Hacker | Perpetrator seeks to make a system unavailable by disrupting services of a host connected to the Internet | | |
| Stealing Intellectual Property | Disgruntled Employee | Copying data due to authorized access | | |
| Stealing Customer Data | Competitor | Social Engineering attack | | |
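The following is an added worked example, not a slide from the deck and not SecurityScorecard's or Antonio Fontes' code: it carries the "Identify Major Threat Sources" and "Identify Controls" steps through to a prioritized register, using the three rows of the sample table above. The 1-to-5 scales for likelihood, impact and asset criticality, the control names, the reduction fractions and the rule that a control not designed effectively earns no credit are all assumptions made here; the deck's sample leaves the Likelihood and Control columns blank.

```python
from dataclasses import dataclass, field
from typing import List

# Added example: a minimal threat register scored the way the deck's steps
# describe (likelihood, impact, asset criticality, then controls).
# Assumption: a 1..5 scale for likelihood, impact and asset criticality;
# the deck gives no numeric scale.


@dataclass
class Control:
    name: str
    likelihood_reduction: float = 0.0   # fraction of likelihood removed, 0..1
    impact_reduction: float = 0.0       # fraction of impact removed, 0..1
    designed_effectively: bool = True   # "ensure controls are designed effectively"


@dataclass
class Threat:
    threat: str
    source: str
    description: str
    asset: str
    asset_criticality: int              # 1..5
    likelihood: int                     # 1..5, before controls
    impact: int                         # 1..5, before controls
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk with no controls credited: likelihood x impact x criticality."""
        return self.likelihood * self.impact * self.asset_criticality

    def residual_risk(self) -> float:
        """Risk after crediting only the controls that are designed effectively."""
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            if not c.designed_effectively:
                continue                # a badly designed control earns no credit
            lik *= 1.0 - c.likelihood_reduction
            imp *= 1.0 - c.impact_reduction
        return round(lik * imp * self.asset_criticality, 2)


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Order the register by residual risk, highest first (the prioritization step)."""
    return sorted(threats, key=lambda t: t.residual_risk(), reverse=True)


def sample_register() -> List[Threat]:
    """The three rows of the deck's sample table with constructed ratings and controls."""
    return [
        Threat("Denial of Service Attack", "Hacker",
               "Perpetrator seeks to make a system unavailable by disrupting "
               "services of a host connected to the Internet",
               asset="public website", asset_criticality=3, likelihood=4, impact=3,
               controls=[Control("Upstream DDoS scrubbing and rate limiting",
                                 likelihood_reduction=0.5)]),
        Threat("Stealing Intellectual Property", "Disgruntled Employee",
               "Copying data due to authorized access",
               asset="article archive", asset_criticality=4, likelihood=3, impact=4,
               controls=[Control("Least-privilege access review", likelihood_reduction=0.3),
                         # present, but not designed effectively: no credit
                         Control("DLP alerting", likelihood_reduction=0.2,
                                 designed_effectively=False)]),
        Threat("Stealing Customer Data", "Competitor", "Social Engineering attack",
               asset="customer payment accounts", asset_criticality=5,
               likelihood=3, impact=5,
               controls=[Control("Staff awareness training", likelihood_reduction=0.25),
                         Control("MFA on customer accounts", likelihood_reduction=0.4)]),
    ]


def render(threats: List[Threat]) -> str:
    """Plain-text register in the deck's column order plus the two scores."""
    lines = ["Threat | Source | Inherent | Residual | Controls"]
    for t in prioritize(threats):
        lines.append(f"{t.threat} | {t.source} | {t.inherent_risk()} | "
                     f"{t.residual_risk()} | " + "; ".join(c.name for c in t.controls))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(sample_register()))
```

Running the block ranks the customer-data theft first even though its residual score is within a fraction of the intellectual-property theft: the board's worry in the case study is the new payment account, so asset criticality carries it, while the ineffective DLP control on the archive is correctly given no credit.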
27
Continuous Assurance
• Case study shows how data can be used to analyze threats
• We need to move to a continuous assurance understanding of the threats
• Point-in-time view compared to continuous auditing (ongoing validation)
• Continuous monitoring provides near real-time status of security controls
• Continuous assurance notifies of changes that impact threats to data
28
Continuous view (KRIs)
• We need something to measure
• Perform that measurement in an ongoing way
• A retailer has different risks to measure than a bank
• First step is to determine what to measure
• Map out the threats of greatest risk
• Set up and monitor the security controls to mitigate these risks
• Automation is key – such as data shared with supply chain
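An added example, not from the deck or from SecurityScorecard, that ties together the "What Data changes to monitor" slide, the continuous assurance slide and the KRI slide above: two snapshots of a data inventory are compared, every change the deck lists (how data is used, controls added or removed, new supply-chain parties, reclassification, new or removed stores) produces a notification, and one KRI, the percentage of data stores with their required controls in place, is measured before and after. The classification tiers, the required-control sets, the store names and both snapshots are constructed for the example; the deck names no concrete controls or stores.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Added example: diff two data-inventory snapshots and measure one KRI.
# Assumption: the required-control sets below are illustrative; the deck names none.
REQUIRED_CONTROLS: Dict[str, FrozenSet[str]] = {
    "restricted": frozenset({"encryption_at_rest", "access_review", "logging"}),
    "internal": frozenset({"access_review", "logging"}),
    "public": frozenset(),
}


@dataclass(frozen=True)
class DataStore:
    name: str
    classification: str          # restricted / internal / public
    controls: FrozenSet[str]     # controls currently applied
    shared_with: FrozenSet[str]  # external parties (supply chain) receiving the data
    usage: str                   # business activity the data supports


Snapshot = Dict[str, DataStore]
Alert = Tuple[str, str, str]     # (store, change kind, detail)


def missing_controls(store: DataStore) -> FrozenSet[str]:
    return REQUIRED_CONTROLS.get(store.classification, frozenset()) - store.controls


def kri_control_coverage(snap: Snapshot) -> float:
    """KRI: percent of data stores whose required controls are all in place."""
    if not snap:
        return 100.0
    covered = sum(1 for s in snap.values() if not missing_controls(s))
    return round(100.0 * covered / len(snap), 1)


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Alert]:
    """Notify on every change between two snapshots that moves the risk to data."""
    alerts: List[Alert] = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            gap = missing_controls(new)
            detail = "missing: " + ", ".join(sorted(gap)) if gap else "controls complete"
            alerts.append((name, "new_store", detail))
            continue
        if old.classification != new.classification:
            alerts.append((name, "classification_changed",
                           f"{old.classification} -> {new.classification}"))
            gap = missing_controls(new)
            if gap:  # reclassification raises the bar, so re-check the control set
                alerts.append((name, "required_controls_missing", ", ".join(sorted(gap))))
        required = REQUIRED_CONTROLS.get(new.classification, frozenset())
        for c in sorted(old.controls - new.controls):
            kind = "required_control_removed" if c in required else "control_removed"
            alerts.append((name, kind, c))
        for c in sorted(new.controls - old.controls):
            alerts.append((name, "control_added", c))
        for party in sorted(new.shared_with - old.shared_with):
            alerts.append((name, "new_third_party", party))
        if old.usage != new.usage:
            alerts.append((name, "usage_changed", f"{old.usage} -> {new.usage}"))
    for name in before:
        if name not in after:
            alerts.append((name, "store_removed", "confirm the data was destroyed"))
    return alerts


def _store(name, classification, controls, shared_with=(), usage="") -> DataStore:
    return DataStore(name, classification, frozenset(controls), frozenset(shared_with), usage)


def baseline() -> Snapshot:
    """Constructed inventory at t0 (newspaper case study; the stores are made up)."""
    stores = [
        _store("customer_accounts", "restricted",
               {"encryption_at_rest", "access_review", "logging"}, usage="billing"),
        _store("article_archive", "internal", {"access_review", "logging"},
               shared_with={"print_vendor"}, usage="publishing"),
        _store("web_analytics", "public", set(), usage="analytics"),
    ]
    return {s.name: s for s in stores}


def current() -> Snapshot:
    """Constructed inventory at t1: a control dropped, a new party, a reclassification, a new store."""
    stores = [
        _store("customer_accounts", "restricted", {"encryption_at_rest", "logging"},
               shared_with={"payment_processor"}, usage="billing"),
        _store("article_archive", "internal", {"access_review", "logging"},
               shared_with={"print_vendor"}, usage="publishing"),
        _store("web_analytics", "internal", set(), usage="analytics"),
        _store("subscriber_emails", "restricted", {"logging"}, usage="marketing"),
    ]
    return {s.name: s for s in stores}


def run() -> Tuple[float, float, List[Alert]]:
    before, after = baseline(), current()
    return kri_control_coverage(before), kri_control_coverage(after), diff_snapshots(before, after)


if __name__ == "__main__":
    cov0, cov1, alerts = run()
    print(f"control coverage KRI: {cov0}% -> {cov1}%")
    for store, kind, detail in alerts:
        print(f"[{kind}] {store}: {detail}")
```

The point of the design is that the notification is driven by the inventory diff, not by a scheduled audit: the coverage KRI falls from 100% to 25% between the two snapshots, and each of the five alerts names the store and the kind of change, so the owner of the continuous view can route a removed required control or a new third party to the right team the day it happens rather than at the next point-in-time review.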
29
Putting all this into practice
• What KRI to use to measure control efficiencies?
• How will enterprises know about changes impacting threats to data?
• How to evaluate control performance at 3rd, Nth parties?
• How to stay informed of changes at the supply chain?
• Who owns and maintains the continuous view?
• Amount of effort enterprises are prepared to invest in this?
30
In Conclusion
• Continuous assurance makes risk decisions easier
• Start small with narrow scope and build from there
• Determine the approach that is best for you
• Enterprises struggling with data protection greatly benefit from threat modeling
• No hidden problems go unexamined
• Near real-time view of what hackers see
• Flexible approach that works for every environment
31
Questions?