Security Matters - Knowing the risks

From compliance to risk management… Is it finally all coming together?

Neira Jones, Head of Payment Security, Barclaycard Global Payment Acceptance, 30th June 2011


Page 1: Security matters - Knowing the risks


Security Matters - Knowing the risks... From Compliance to risk management… Is it finally all coming together?

Leading the way in secure payments

Neira Jones Head of Payment Security Barclaycard Global Payment Acceptance 30th June 2011

Page 2: Security matters - Knowing the risks


News round up… Sony, LulzSec, Citigroup, Lush, Epsilon, RSA, Lockheed Martin, Dropbox, Travelodge, Essex, WordPress.

Data breaches have almost become a statistical certainty.

Page 3: Security matters - Knowing the risks


Companies feel under pressure to meet compliance deadlines of one type or another.

They panic to implement solutions they believe will address whichever regulation looming on the horizon is the most visible, the most urgent, or the most costly to ignore.

With requirements evolving, companies find themselves with discrete solutions for PCI DSS, Data Protection, FSA, SOX and others.

Many businesses are now on their 2nd or 3rd cycle of trying to automate processes related to compliance with specific policies, industry standards, and government regulations.

RESULT:

– Some successes with initial projects, but short lived and costly.
– Suppliers often guilty of perpetuating a vicious circle by describing their offering as the next “silver bullet” (expensive to maintain and impossible to integrate or scale).
– Investment in infosec is more difficult to secure, as sustainability can’t be demonstrated to the Board.
– COMPLIANCE IN SILOS.


Panic!

Page 4: Security matters - Knowing the risks


It’s war Jim, but not as we know it...

Today’s cybercrime industry has evolved and automated itself to improve efficiency, scalability, and profitability, with a clear intent on obtaining information that can be monetised. The hackers’ best friends are businesses with inadequate and often outdated information security practices. Cybercrime and data protection are not high on the Board’s agenda. But governance and risk management are familiar to the Board.

Page 5: Security matters - Knowing the risks


From compliance to risk management...

Compliance is about providing evidence that controls are in place and is a tactical exercise to ensure business continuity.

Compliance is not inherently risk aware, nor is it economically sensitive.

Too much emphasis on compliance can actually increase risk by giving people a false sense of security.

By connecting control (i.e. compliance) to risk, businesses can achieve major improvements in their enterprise risk management initiative.

Page 6: Security matters - Knowing the risks


It’s all about risk...

Risk management is the identification, assessment and prioritisation of risks, followed by the coordinated and economical application of resources to minimise, monitor, and control the probability and/or impact of unfortunate events.

Only 4% of breaches assessed in the Verizon Business Data Breach Investigation Report 2011(DBIR 2011) required difficult and expensive protective measures.

Page 7: Security matters - Knowing the risks


Happy 10th Birthday SQL Injection!!!

Page 8: Security matters - Knowing the risks


And now for the science...

Malware accounted for 80% of all data lost in 2010, and within that case load 81% was carried out via SQL injection.

Hacking represented 89% of records stolen and 76% of these were due to lax password management and authentication procedures.

Most data breaches are not discovered by the organisation suffering the attack.

The Verizon DBIR 2011 further claimed that 87% of attacks could be prevented using simple, proactive measures.

Page 9: Security matters - Knowing the risks


Seeing the wood from the trees...

The 2011 Verizon DBIR concluded that being prepared remains the best defense against security breaches.

Organisations still remain slow in detecting and responding to incidents.

Most organisations that have suffered a breach will have evidence of it in their logs, but these often get overlooked due to a lack of staff, tools or processes.

Page 10: Security matters - Knowing the risks


One step at a time...

Are my employees taking information outside of the organisation? How can they do this?

Can I limit access to this information to only those who need it?

What types of attackers would be interested in infiltrating my systems? What would they seek? Why?

If any web server were compromised, how difficult would it be for an attacker to work their way to the systems containing information? How easy would it be to take this information out?

How quickly would I know this has happened? How quickly can I stop it?

How quickly do I need to respond to the market?

Page 11: Security matters - Knowing the risks


Threat/scenario modelling is only practised by a few organisations.

Page 12: Security matters - Knowing the risks


We’re all in it together…

When card data is stolen, consumers are protected...

When identities are stolen, it’s personal and it goes viral...

Page 13: Security matters - Knowing the risks


Public social concerns (percentage of respondents rating each as important):

Preventing crime: 94%
Protecting personal information: 94%
NHS: 88%
Equal rights: 88%
Improving education: 87%
National security: 87%
Environmental issues: 87%
Protecting freedom of speech: 85%

Source: ICO Annual Track 2008

Page 14: Security matters - Knowing the risks


To gain understanding and trust, businesses will promote how they safeguard their customers’ personal information. Investment in information security will be driven by business reality.

Page 15: Security matters - Knowing the risks


What can we learn?

Lesson 1: Understand your risk profile

Lesson 2: Make risk management your objective, compliance will come naturally.

Lesson 3: Avoid quick fixes and silos (i.e. don’t panic!)

Lesson 4: Automate (i.e. Move into BAU and use GRC)

Lesson 5: Educate (and then do it again...)

Page 16: Security matters - Knowing the risks


In the months and years to come, we can expect increased scrutiny of corporate risk management practices. In response to this, businesses will strive to understand their risk profiles and whether the risks taken are within the enterprise’s risk appetite and tolerance thresholds.

Page 17: Security matters - Knowing the risks


Barclaycard Risk Reduction Programme

Over the past 8 months, Barclaycard and IRM plc have researched and developed a risk reduction programme.

PCI DSS is a good information security framework.

Use PCI DSS controls in the context of a recognised risk management framework (e.g. ISO 27001, COBIT, ITIL, CLAS, etc.).

The first step is a risk assessment.

Page 18: Security matters - Knowing the risks


Asset classification (asset value)

Weight / Name / Examples:

5 (Critical): Information, systems or personnel required for the continued operation of the entire enterprise.

4 (High): Information and systems that must be protected under regulatory or industry compliance requirements. Personnel with access to this data.

3 (Medium): Information and systems that must be protected as they hold sensitive internal data. Personnel with access to this data.

2 (Low): Information and systems used in the daily operation of the business but individually not critical. Personnel with access to this data.

1 (Public): Information in the public domain, systems that are publicly accessible.

Page 19: Security matters - Knowing the risks


Risk weight (likelihood)

Weight / Name / Definition:

5 (Critical): Most vulnerable areas according to industry profile. Lack of control in this area can result in serious data loss/fraud and will generally be in violation of industry requirements.

4 (Severe): Lack of control over implementation of security policies could lead to a serious risk being introduced. This denotes lack of transition to BAU processes for security.

3 (High): Lack of ownership over implemented security policies could lead to a serious risk being introduced. This denotes lack of control over implemented BAU processes for security.

2 (Medium): Control failure in this area would result in a breach of internal security processes, but other controls are mitigating this risk.

1 (Low): Control failure in this area requires immediate or timely attention, and a process is in place to deal with it according to risk appetite.

Page 20: Security matters - Knowing the risks


Actual status

Weight / Name / Definition:

5 (Critical): Complete absence of any control, leaving key assets unprotected, or an identified breach. Considered ‘Not in Place’ for PCI DSS.

4 (Major Non-Conformity): Controls are defined and implemented but are degraded to such an extent that they provide little or no protection. Considered ‘Not in Place’ for PCI DSS.

3 (Minor Non-Conformity): Controls are defined and implemented but are not uniform in their application or have some defects that need attention. Considered ‘Not in Place’ for PCI DSS.

2 (Room for Improvement): Controls are defined, implemented and effective. Some areas identified that could be considered for improvement. Considered ‘Room for Improvement’ for PCI DSS.

1 (Satisfactory): Controls are defined, implemented and effective. No further recommendations. Considered ‘In Place’ for PCI DSS.
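The three scales on pages 18 to 20 (asset value, likelihood, actual status) can be turned into a small risk register that ranks findings and reports how each control would read for PCI DSS. The following is an added illustration, not Barclaycard's or IRM's tool: the scale names and the PCI DSS mapping come from the slides, while combining the three weights as a product, the control labels and the sample weights are assumptions of this example.

```python
from dataclasses import dataclass

# Page 18: asset classification (asset value), weight -> name.
ASSET_VALUE = {5: "Critical", 4: "High", 3: "Medium", 2: "Low", 1: "Public"}
# Page 19: risk weight (likelihood), weight -> name.
LIKELIHOOD = {5: "Critical", 4: "Severe", 3: "High", 2: "Medium", 1: "Low"}
# Page 20: actual status, weight -> (name, how PCI DSS would read it).
STATUS = {
    5: ("Critical", "Not in Place"),
    4: ("Major Non-Conformity", "Not in Place"),
    3: ("Minor Non-Conformity", "Not in Place"),
    2: ("Room for Improvement", "Room for Improvement"),
    1: ("Satisfactory", "In Place"),
}

@dataclass(frozen=True)
class Finding:
    control: str      # hypothetical label for the control area assessed
    asset_value: int  # 1-5 per page 18
    likelihood: int   # 1-5 per page 19
    status: int       # 1-5 per page 20

def validate(f: Finding) -> None:
    # Reject weights outside the three 1-5 scales before any scoring.
    for name, val, scale in (("asset_value", f.asset_value, ASSET_VALUE),
                             ("likelihood", f.likelihood, LIKELIHOOD),
                             ("status", f.status, STATUS)):
        if val not in scale:
            raise ValueError(f"{f.control}: {name}={val} is outside 1-5")

def risk_score(f: Finding) -> int:
    """Asset value x likelihood x status, range 1-125 (product is an assumption)."""
    validate(f)
    return f.asset_value * f.likelihood * f.status

def pci_status(f: Finding) -> str:
    # PCI DSS reading of the control, straight from the page 20 table.
    validate(f)
    return STATUS[f.status][1]

def prioritise(findings):
    # Highest score first; ties broken so the more valuable asset surfaces first.
    return sorted(findings, key=lambda f: (risk_score(f), f.asset_value), reverse=True)

# Constructed sample register (labels and weights are made up for illustration).
SAMPLE = [
    Finding("Input validation on payment web app", 4, 5, 4),
    Finding("Log review process", 4, 3, 3),
    Finding("Password policy enforcement", 3, 2, 2),
    Finding("Marketing site hardening", 1, 2, 1),
]
```

The ordering reflects the closing advice of the deck: a £1 asset with a satisfactory control lands at the bottom of the list, whatever its likelihood weight.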

Page 21: Security matters - Knowing the risks


Invariably, compliance will become a by-product of risk management.

Page 22: Security matters - Knowing the risks


Don’t spend £100 protecting a £1 asset, know your risk, fix the basics first, and be prepared…

Neira Jones, Head of Payment Security, Barclaycard Global Payment Acceptance, [email protected]

http://uk.linkedin.com/pub/neira-jones/0/7a5/140

neirajones