Post on 16-Oct-2021
Data Security, personal DMV data
Welcome to the Information Security Talk Show
Please record your attendance using the Sign In Sheet.
Moderator: Jerry Dike, DMV Consultant
jldike@aol.com 512-751-0574
June 23, 2014, 3:30 – 5 p.m.
Expert & Experienced Panelists:
Mike Wyatt, Deloitte
David Ulmer, NC
Dean Clemons, HP
Kevin Shwedo, SC
Data Security, personal DMV data
Why are states under attack by cyber actors?
The changing nature of information security as a discipline (prevention is foundational)
Critical: detection, containment and correction
Layers of defense in depth (the slide's ring diagram):
• Policy, Procedure & Awareness
• Physical
• Perimeter
• Internal Network
• Host
• Application
• Data
Contrary to popular belief, this is not an IT issue. The business owns the data. This is a team event!
• Access control
• Monitoring
• Masking
• Auditing
• Threat and vulnerability management
Risk Dimensions – A Team Effort

Access Control
• Do you have access controls on applications, databases, file shares, and reports with sensitive data?
• Do you have an accurate inventory of current, valid users and a recurring process for validation of access to systems with sensitive data?

Incident Detection & Response
• Do you have an Incident Response Plan? Has it been tested?
• Do you have a baseline of normal activity to compare against?
• Can you detect unauthorized users gaining access?
• Can you detect fraud and misuse by authorized users?
• Do you have a secure audit trail (e.g. who, what, when, how)?
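The baseline, misuse and audit-trail questions above become concrete once you try to answer them from an actual log. The following is an added example, not from the panel slides or any panelist's organization: it reads a constructed who/what/when/how audit trail of record lookups, builds each user's baseline daily lookup volume from the days before the day under review, and flags a day whose volume far exceeds that baseline (misuse by an authorized user), lookups from outside an assumed agency address range, and lookups outside assumed business hours. The log format and field names, the 10.20.0.0/16 internal range, the 07:00 to 18:59 business window, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Added example (not from the panel slides or any panelist's organization).

Detects misuse of a DMV records system from a who/what/when/how audit trail.
Assumed (hypothetical) trail format, one lookup per line:
    when,user,action,record_type,source_ip
who = user, what = action + record_type, when = timestamp, how = source_ip.
"""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import date, datetime

# Assumed agency-internal address space, business hours and thresholds (not from the slides)
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59 local time
VOLUME_MULTIPLIER = 3.0         # alert when a day's lookups exceed 3x the user's baseline mean
MIN_ALERT_VOLUME = 5            # ...and reach at least this many (ignores noise on tiny baselines)

# Constructed sample audit lines. clerk01 does 2 lookups a day, then 7 in a burst
# on 2014-06-05; clerk02 does 1 a day, then one late at night from an address
# outside the agency network.
SAMPLE_AUDIT_LOG = """\
2014-06-03T10:30:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-03T15:11:00,clerk01,LOOKUP,VEHICLE,10.20.1.15
2014-06-04T08:45:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-04T16:20:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-05T09:01:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-05T09:03:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-05T09:05:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-05T09:08:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-05T09:10:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-05T09:12:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-05T09:15:00,clerk01,LOOKUP,DL,10.20.1.15
2014-06-03T11:05:00,clerk02,LOOKUP,DL,10.20.1.22
2014-06-04T11:10:00,clerk02,LOOKUP,DL,10.20.1.22
2014-06-05T23:40:00,clerk02,LOOKUP,DL,203.0.113.7
"""


def parse_audit_log(text):
    """Parse audit lines into dicts; the 'when' field becomes a datetime."""
    fields = ["when", "user", "action", "record_type", "source_ip"]
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=fields):
        rec["when"] = datetime.fromisoformat(rec["when"])
        rows.append(rec)
    return rows


def daily_lookup_counts(rows):
    """user -> {date: number of LOOKUP actions that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["action"] == "LOOKUP":
            counts[r["user"]][r["when"].date()] += 1
    return counts


def build_baseline(counts, eval_day):
    """Per-user mean daily lookup volume over days strictly before eval_day."""
    baseline = {}
    for user, per_day in counts.items():
        history = [n for d, n in per_day.items() if d < eval_day]
        if history:
            baseline[user] = statistics.mean(history)
    return baseline


def detect_misuse(audit_text, eval_day_iso):
    """Return a list of (user, alert_type, detail) for the day given as YYYY-MM-DD."""
    eval_day = date.fromisoformat(eval_day_iso)
    rows = parse_audit_log(audit_text)
    counts = daily_lookup_counts(rows)
    baseline = build_baseline(counts, eval_day)
    alerts = []

    # Authorized-user misuse: volume far above the user's own history
    for user, per_day in counts.items():
        n = per_day.get(eval_day, 0)
        mean = baseline.get(user)
        if n < MIN_ALERT_VOLUME:
            continue
        if mean is None:
            alerts.append((user, "no-baseline", f"{n} lookups with no prior history"))
        elif n > VOLUME_MULTIPLIER * mean:
            alerts.append((user, "volume", f"{n} lookups vs baseline {mean:.1f}/day"))

    # Where and when each lookup on the day came from
    for r in rows:
        if r["when"].date() != eval_day:
            continue
        ip = ipaddress.ip_address(r["source_ip"])
        if not any(ip in net for net in INTERNAL_NETWORKS):
            alerts.append((r["user"], "external-source", r["source_ip"]))
        if r["when"].hour not in BUSINESS_HOURS:
            alerts.append((r["user"], "off-hours", r["when"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_misuse(SAMPLE_AUDIT_LOG, "2014-06-05"):
        print(alert)
```

Two points the code makes that the checklist only implies: a volume alert needs a per-user history, so a user with no baseline is reported separately rather than silently passed, and the "how" field (source address) is what lets an off-network lookup by a valid account stand out even when the account and its volume look normal.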
Risk Dimensions – A Team Effort (Continued)

Data Loss Prevention
• First, do you have a classification system for data?
• Is sensitive data in transit encrypted? All of it, all the time? Does it get re-sent?
• Do you have a comprehensive inventory of sensitive information?
• Can you detect unusual patterns against databases?
• Can you determine that data theft is happening and stop it?
• Are there unknown destinations for sensitive data? Do you know where your data is?

Policy & Contracts
• Have you removed all PII from development & test environments, training material, etc.?
• Do you have separation of duties? Can unauthorized users access Production?
• Do your contracts effectively cover:
  data handling, disposition, retention, usage & redistribution rights, breach liability, etc.?
  data elements, frequency, method of transfer, SLA, costs, etc.?
Map Systems with Targeted Data (worksheet: mark each system against the kinds of targeted data it holds)

System     PII (SSN, DL, etc.)   Credit Cards   Protected Health Information   Financial Data (e.g. banking & account information)
System 1
System 2
System 3
System 4
System 5
System 6
System 7
System 8
Practical Lessons from the Past Few Years
Classifying data is really hard work:
  What elements, by themselves, are restricted?
  What combinations of elements are restricted?
  When in doubt, what do you want masked?
Managing data effectively requires specialized skills and training.
Managing data is never ending. The bad guys are smart, and getting more sophisticated. Risk cannot be eliminated, but it can be managed.
Cybersecurity trends and attack methods
Attack methods charted on the slide: Hacking, Weak/stolen Credentials, Malware, Social Tactics, Physical Attacks, Insider Threats
Key Points
• Users are a key weakness
• Social tactics increased 4-fold in the last year
• Most intrusions are rated as “low difficulty”
• Most intrusions are discovered by outsiders
• Most intrusions took MONTHS to discover
Security challenges and threats are increasing
• Staff lack the necessary skills and bandwidth
• Need for 24x7 global management
• Protecting data at rest, in motion, and in use
• Fragmented systems and procedures
• Embracing new ways of collaborating and delivering IT
Traditional security controls are not enough
[Slide diagram: an attacker passing through successive layers of network protection, perimeter protection, server protection, application protection and endpoint protection to reach intellectual property, personal data and business data.]
Prevention is important, detection is critical
Enterprise security governance
• Risk management framework
• Appoint a security executive
• Convene a security council
• Acquire security expertise
• Conduct security training
• Information sharing
• Develop security metrics
• Incident response capabilities
Continuous risk management framework
Process overview: the Risk Management Framework of NIST Special Publication 800-37 (the six-step cycle of Rev. 1, current when this panel was held; Rev. 2, published in 2018, adds a preliminary Prepare step). Step 1 is the starting point; repeat as necessary.
Step 1: CATEGORIZE Information Systems
Step 2: SELECT Security Controls
Step 3: IMPLEMENT Security Controls
Step 4: ASSESS Security Controls
Step 5: AUTHORIZE Information Systems
Step 6: MONITOR Security Controls
Strategy summary to reduce your risk
Focus on five areas:
• Reduce the attack surface
• Improve threat intelligence
• Improve monitoring and detection capabilities
• Proactively test your security posture
• Develop incident response capabilities
Kevin Shwedo, SC
Kevin will speak from his notes about his experiences with DMV data privacy issues.
Thank you for attending
Please record your attendance using the Sign In Sheet
Moderator: Jerry Dike, DMV Consultant
jldike@aol.com 512-751-0574