Slide 6: Who wants my data?
- 19th February 2013: APT1: Exposing One of China's Cyber Espionage Units
- Mandiant tracked Comment Crew for 6 years, identifying 141 attacks (designated APT1)
- 3000 indicators (domain, IP, MD5) used to identify the attack source; all led to the Pudong district of Shanghai, outside the HQ of Unit 61398
- Comment Crew launched the RSA attack
- "the volume and sophistication of the attacks so intense that they threaten the fundamental relationship between Washington and Beijing."
- Unit of the People's Liberation Army, tasked with "computer network operations".
Slide 7: Who else wants my data?
- Utah Data Center
- Every cell phone call in the Bahamas "archived"
- Call records of almost everyone inside the United States "collected"
- Gmail "backdoor access"; Microsoft encryption weakened, denies data center access
- RSA received $10 million to weaken encryption
- Truecrypt mysteriously goes offline
Slide 8: Next Generation attacks (April 2014)
- Google's security team reported Heartbleed on April 1
- Affects OpenSSL
- 17% of the Internet's secure web servers were vulnerable at the time of disclosure on 7th April
- Bug deemed catastrophic; incidents included: Canada Revenue Agency, Community Health Systems (US)
- Massive password changes required, including Akamai, Ars Technica, Bitbucket, BrandVerity, Freenode, GitHub, Mojang, Mumsnet, Pinterest, Reddit, SourceForge, Tumblr, etc.
- Shellshock: 'bigger than Heartbleed', 25 September 2014!

Speaker notes

Key Points:
- Cannot govern what you don't understand – and remember the goal of IIG is to mask the complexity of this new era of computing.
- The way to start is to understand what you currently have and map that to an enterprise view of data.

In order to define a governance strategy and a process to achieve your organization's goal, you first have to understand what you have. Without this, you cannot create an effective plan that will support your organization. This process begins with understanding the web of information represented in your enterprise applications and databases. You must understand:
- where the data exists and what data elements there are
- what relationships exist within systems
- what complex relationships exist across and between systems
- You have to understand the complex relationships because
- where sensitive data is located

Many organizations rely on documentation (which is often out-dated) or on system/application experts for this information. Sometimes this information is built into application logic, so the hidden relationships enforced behind the scenes are not apparent to anyone.

Think about it as using a current map to understand your heterogeneous landscape – very similar to driving in an automobile and trying to get from point A to point B. You would not use a map from 20 years ago because the road infrastructure has probably changed. Would you just start driving without any idea of the roads to take, how you are going to plan your stops for a long trip, and which risky areas of town you should avoid? Navigating data is the same concept.

It's all about time, cost and risk. Trying to manually understand this information (or using the 'spot check' approach) can lead you down the wrong path, resulting in many lost hours in the future, including potential delays to project deployment. An automated result can produce tremendous savings; for example, doing in one week what can take 10 people 10 months.

The solutions necessary for the process by which we locate and understand the data relationships:
- Locate and inventory the databases across the enterprise. Again, you can't govern data if you don't know where it resides, so ensure your solution can help you discover and document the data entities and the databases that reside in the enterprise.
- Define business objects* across heterogeneous databases and applications. Understand how data is related across the enterprise to better deploy new functionality and ensure that the complete business object is captured when archiving data.
- Define enterprise-standard data models. For example, set up your data model to estimate database growth capacity to determine when to archive historical data.
- Understand transformation rules to discover data relationships. For example, if you ever were to retire an application, you need to understand the underlying business logic to ensure you capture the needed related data so that your archived files make sense (see the example of this in slide 15).
- Understand the relationships required for identifying sensitive data – simple, embedded or compound. How is sensitive data related to other areas across the enterprise? Ensure it's protected everywhere, consistently.
- Define and document the privacy and masking rules and propagate them to ensure sensitive data will be protected. How is that data going to be used? Who should have access to it and why? And as you mask sensitive data in one table, how do you ensure all related data elements are masked with the same information, keeping the referential integrity of the test data?
- Leverage a unified schema builder to create prototypes before deployment. When you think about managing data across its lifecycle, at some point you may need to retire applications and consolidate the data. By pre-testing the data that needs to be consolidated, you can ensure developers can update and/or deploy applications or new functionality with confidence.
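The referential-integrity question raised in the masking point above (mask a card number in one table, and every related table must receive the same masked value so test-data joins still work) can be met with keyed, deterministic pseudonyms: the same HMAC key and rule applied to every table maps a given value to the same replacement everywhere, while the key stays out of the test environment. The Python below is an added example written for this page, not code from the original presentation or from any product it refers to; the two tables, the masking key and the RULES format are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample rows standing in for two related tables copied into a
# test environment. card_number is the sensitive column that also acts as the
# join key between the two tables.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "card_number": "4111111111111111"},
    {"customer_id": 1002, "name": "Bob Example", "card_number": "5500000000000004"},
]
TRANSACTIONS = [
    {"txn_id": 1, "card_number": "4111111111111111", "amount": 120.00},
    {"txn_id": 2, "card_number": "5500000000000004", "amount": 35.50},
    {"txn_id": 3, "card_number": "4111111111111111", "amount": 9.99},
]

# Constructed masking key for the demo; a real deployment keeps this in a key
# store and never ships it alongside the masked data.
MASKING_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical rule format: column name -> masking rule name. One rule set is
# applied to every table so a value masks identically wherever it appears.
RULES = {"card_number": "digits_same_length", "name": "pseudonym"}


def digits_same_length(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym with the same length and digit-only
    format as the input. Same input and same key always give the same output."""
    out = ""
    counter = 0
    while len(out) < len(value):
        digest = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in digest)
        counter += 1
    return out[: len(value)]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym for free-text identifiers such as names."""
    return "Person_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]


MASKERS = {"digits_same_length": digits_same_length, "pseudonym": pseudonym}


def mask_table(rows, rules, key):
    """Return a masked copy of rows, applying each rule to the column it names
    whenever that column exists in this table."""
    masked_rows = []
    for row in rows:
        masked = dict(row)
        for column, rule in rules.items():
            if column in masked:
                masked[column] = MASKERS[rule](str(masked[column]), key)
        masked_rows.append(masked)
    return masked_rows


def join_on(left, right, column):
    """Equi-join two row lists on a column; returns (left_row, right_row) pairs."""
    index = {}
    for row in right:
        index.setdefault(row[column], []).append(row)
    return [(lrow, rrow) for lrow in left for rrow in index.get(lrow[column], [])]


def join_pairs(customers, transactions):
    """The join expressed by stable, non-sensitive identifiers so the result can
    be compared before and after masking."""
    return sorted((c["customer_id"], t["txn_id"])
                  for c, t in join_on(customers, transactions, "card_number"))


def referential_integrity_preserved(customers, transactions, masked_customers, masked_transactions):
    """True if masking changed no join result: every transaction still lands on
    the same (masked) customer it belonged to originally."""
    return join_pairs(customers, transactions) == join_pairs(masked_customers, masked_transactions)


def leaked_values(original_rows, masked_rows, column):
    """Original sensitive values that still appear in the masked table."""
    originals = {str(r[column]) for r in original_rows}
    return sorted(originals & {str(r[column]) for r in masked_rows})


def run_demo():
    masked_customers = mask_table(CUSTOMERS, RULES, MASKING_KEY)
    masked_transactions = mask_table(TRANSACTIONS, RULES, MASKING_KEY)
    return {
        "integrity_preserved": referential_integrity_preserved(
            CUSTOMERS, TRANSACTIONS, masked_customers, masked_transactions),
        "joined_rows": len(join_on(masked_customers, masked_transactions, "card_number")),
        "leaked_cards": leaked_values(CUSTOMERS, masked_customers, "card_number"),
        "masked_customers": masked_customers,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The check that matters is `referential_integrity_preserved`: it compares the join result by the non-sensitive ids before and after masking, which is exactly what breaks when two tables are masked independently with random substitutes. The digit rule keeps length and character class but not a card number's check digit; a stricter format rule would need to regenerate that, and any column used as a join key must appear in the rule set for every table that carries it.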
Slide 9: What about South Africa? (November)
- Bank card details leaked - PASA
- "There are indications at this stage that only a limited number of card details have been accessed by outside organisations, and as a result limited fraud has been perpetrated" – Payment Association of South Africa CEO, Walter Volke
- "The card data emanating from these online transactions seems to have been stored in a manner which does not meet the stringent security standards expected by PASA"
- There was no need for "undue concern"
Slide 10: What about South Africa? (October)
- Dexter infects Point of Sale terminals
- PASA, card schemes and SA's major banks have taken immediate steps to prevent further leakage of card details because of a security lapse at a company processing transactions.
- "All the fast-food retailers have been cleaned out as far as possible, and certainly no one will be out of pocket [as the banks will honour losses]."
- Unique variant used in SA; the original emerged in December 2012.
- How did the data get out? And who is liable?
Slide 11
- Designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.
- Companies should review the adequacy of their disclosure relating to cybersecurity risks and cyber incidents if the costs or consequences of one or more known incidents, or the risk of potential incidents, represent a material event (i.e. may reasonably be expected to affect the company's stock price).
- Estimate the impact of cyber incidents and the consequences of failing to implement adequate security.
- Go beyond privacy, to key operational issues.
Slide 12: Where is the Risk?
- Market risk: Dealstream collapse in 2008; VOX Telecom exposure of R30 million; Single Stock Futures gives ABSA a R1.4 billion liability
- Credit risk: Standard Bank vehicle finance: R504m impairment loss in FY to June 2014; African Bank: R6.4 billion
- What about cyber crime losses and risk exposure? SABRIC estimates R480 million card fraud losses in 2013
Slide 13: Are you ready for a Security Breach? – Conclusion
- Payment systems are the top target of attacks
- New threat environment: next generation systemic vulnerabilities; Shellshock: 'bigger than Heartbleed', 25 September 2014!
- Encryption is no longer safe?
- Changing legal framework: new legal implications for data breaches
- Are you ready for a Security Breach?