GDPR action plan - ISSA
1. Do You Have a Roadmap for EU GDPR Compliance?
Ulf Mattsson,
CTO Security Solutions Atlantic BT
2. Ulf Mattsson
Inventor of more than 55 Issued US Patents
Industry Involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups: Security: ISACA & ISSA; Databases: IBM & Oracle
14. Ransomware is Getting Worse
• The cyber security solutions that are in place today are somewhat effective
• But a significant proportion of decision makers report that their problems with phishing
  • and ransomware are getting worse over time
• For most of the cyber security capabilities that organizations have deployed to combat these threats, the majority of decision makers report they are not highly effective
Source: Osterman Research, Inc., 2017
28. The GDPR Institute
Helping you resolve YOUR GDPR Challenge & Maximise the GDPR Opportunity
A Member-Owned Not-for-Profit Organisation
www.gdpr.institute
41. GDPR Case Studies
• US and Spain – customer data
• Italy, Germany and more – financial data
• Germany – outsourcing
• Sweden – PII data
42. GDPR Simplified into 12 blocks
1. Legitimate basis for data: organizations must know and be able to prove that processing has a legitimate purpose.
2. Information you hold: organizations should keep data only in so far as necessary.
3. Individuals' rights: individuals (customers…) have the right to ask questions about their personal data.
4. Consent: there should be explicit and clear consent for processing of personal data.
5. Children's data: explicit consent of the child's parents (or guardian) for minors less than 16 years of age.
6. Privacy notices: organizations must transparently state their approach to personal data protection in a privacy notice.
7. Data breaches: organizations must maintain a data breach register and data subjects should be informed within 72 hours.
8. Privacy by design: mechanisms to protect personal data should be incorporated in the design of new systems and processes.
9. Privacy impact assessment: organizations must conduct a privacy impact assessment to review the impact and possible risks.
10. Data Protection Officers: organizations should assess the need to assign a Data Protection Officer.
11. Third parties: the controller of personal data has the responsibility to ensure that personal data is protected.
12. Awareness: to create awareness among your staff about key principles of data protection, conduct regular training.
To know more read my book https://goo.gl/HMDRfk
43. Webcast title: EU GDPR Details
• Duration: 60 min
• Date & Time: Oct 25 2017 10:00 am
• Timezone: United States - New York
• Webcast URL: https://www.brighttalk.com/webcast/14723/269681
45. Protect Sensitive Cloud Data
Figure: Internal Network (Administrator, Internal User), Attacker, Remote User, Public Cloud, Cloud Gateway. Each sensitive field is protected; each authorized field is in clear.
Examples: Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest)
SecDevOps
The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data
46. Securing Big Data - Examples of Security Agents
Figure: Big Data stack (OS File System; HDFS (Hadoop Distributed File System); MapReduce (Job Scheduling/Execution System); Pig (Data Flow), Hive (SQL), Sqoop; ETL Tools, BI Reporting, RDBMS) with agent points: import de-identified data; export identifiable data; export audit for reporting; data protection at database, application, file or in a staging area.
Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest)
SecDevOps
47. Virtual Machines
Figure: Docker
Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest)
Source: http://www.slideshare.net/GiacomoVacca/docker-from-scratch
SecDevOps
Welcome to my session, and thank you for inviting me.
FinTech - Wikipedia
https://en.wikipedia.org/wiki/Financial_technology
Financial technology, also known as FinTech, is an industry composed of companies that use new technology and innovation to leverage available resources in .
Cyber Risk Management in 2017: Challenges & Recommendations
With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isn't robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk.
Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines.
Viewers will learn:
- The latest cybercrime trends and targets
- Trends in board involvement in cybersecurity
- How to effectively manage the full range of enterprise risks
- How to protect against ransomware
- Visibility into third party risk
- Data security metrics
Will Your Data Be Sold?
May 12 2017, 3:13 p.m.
IN MID-APRIL, an arsenal of powerful software tools apparently designed by the NSA to infect and control Windows computers was leaked by an entity known only as the "Shadow Brokers." Not even a whole month later, the hypothetical threat that criminals would use the tools against the general public has become real, and tens of thousands of computers worldwide are now crippled by an unknown party demanding ransom.
Photo: An infected NHS computer in Britain (Gillian Hann)
The malware worm taking over the computers goes by the names "WannaCry" or "Wanna Decryptor." It spreads from machine to machine silently and remains invisible to users until it unveils itself as so-called ransomware, telling users that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay $300 to an anonymous party using the cryptocurrency Bitcoin. At this point, one's computer would be rendered useless for anything other than paying said ransom. The price rises to $600 after a few days; after seven days, if no ransom is paid, the hacker (or hackers) will make the data permanently inaccessible (WannaCry victims will have a handy countdown clock to see exactly how much time they have left).
Ransomware is not new; for victims, such an attack is normally a colossal headache. But today's vicious outbreak has spread ransomware on a massive scale, hitting not just home computers but reportedly health care, communications infrastructure, logistics, and government entities.
Reuters said that "hospitals across England reported the cyberattack was causing huge problems to their services and the public in areas affected were being advised to only seek medical care for emergencies," and that "the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems."
The worm has also reportedly reached universities, a major Spanish telecom, FedEx, and the Russian Interior Ministry. In total, researchers have detected WannaCry infections in over 57,000 computers across over 70 countries (and counting – these things move extremely quickly).
Tweet from @dodicin, 7:24 AM - 12 May 2017: "A ransomware spreading in the lab at the university"
According to experts tracking and analyzing the worm and its spread, this could be one of the worst-ever recorded attacks of its kind. The security researcher who tweets and blogs as MalwareTech told The Intercept, "I've never seen anything like this with ransomware," and "the last worm of this degree I can remember is Conficker." Conficker was a notorious Windows worm first spotted in 2008; it went on to infect over 9 million computers in nearly 200 countries.
Most importantly, unlike previous massively replicating computer worms and ransomware infections, today's ongoing WannaCry attack appears to be based on an attack developed by the NSA, code-named ETERNALBLUE. The U.S. software weapon would have allowed the spy agency's hackers to break into potentially millions of Windows computers by exploiting a flaw in how certain versions of Windows implemented a network protocol commonly used to share files and to print. Even though Microsoft fixed the ETERNALBLUE vulnerability in a March software update, the safety provided there relied on computer users keeping their systems current with the most recent updates. Clearly, as has always been the case, many people (including in government) are not installing updates. Before, there would have been some solace in knowing that only enemies of the NSA would have to fear having ETERNALBLUE used against them – but from the moment the agency lost control of its own exploit last summer, there's been no such assurance. Today shows exactly what's at stake when government hackers can't keep their virtual weapons locked up. As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, "I am actually surprised that a weaponized malware of this nature didn't spread sooner."
Screenshot of an infected computer via Avast.
The infection will surely reignite arguments over what's known as the Vulnerabilities Equity Process, the decision-making procedure used to decide whether the NSA should use a security weakness it discovers (or creates) for itself and keep it secret, or share it with the affected companies so that they can protect their customers. Christopher Parsons, a researcher at the University of Toronto's Citizen Lab, told The Intercept plainly: "Today's ransomware attack is being made possible because of past work undertaken by the NSA," and that "ideally it would lead to more disclosures that would improve the security of devices globally."
But even if the NSA were more willing to divulge its exploits rather than hoarding them, we'd still be facing the problem that too many people really don't seem to care about updating their software. "Malicious actors exploit years old vulnerabilities on a routine basis when undertaking their operations," Parsons pointed out. "There's no reason that more aggressive disclosure of vulnerabilities through the VEP would change such activities."
A Microsoft spokesperson provided the following comment:
Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt. In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows updates enabled are protected. We are working with customers to provide additional assistance.
Update: May 12, 2017, 3:45 p.m.
This post was updated with a comment from Microsoft.
Update: May 12, 2017, 4:10 p.m.
This post was updated with a more current count of the number of affected countries.
Will You Ever Get Your Data Back?
SPONSOR OF THIS WHITE PAPER
KnowBe4 is the world's most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was being seriously neglected, KnowBe4 was created to help organizations manage the problem of social engineering through a comprehensive new-school awareness training approach.
Risk Assessment. We evaluate your digital footprint and infrastructure to find and resolve vulnerabilities in your network, databases, applications, storage, and other infrastructure.
Data Security. We map the flow of data across your digital footprint, applications environment, library framework, source code, and storage to pinpoint risks before they turn into attacks.
Secure Hosting. We create dynamic, cloud-based environments with inside-out security controls to protect your systems and storage from attacks and other service disruptions.
Application Security. We practice "secure by design" discipline in our software development. This protects your custom applications by automating secure coding standards and testing at every step.
Integrated Tools. We architect holistic security solutions that integrate traditionally siloed tools to give you a lean and flexible security stack, reducing the effects of tools sprawl and wasted level of effort.
Monitoring and Contingency Plans. We monitor your systems, applications, and digital interactions for threats and architect back-up capabilities to quickly restore service if a breach occurs.
https://www.atlanticbt.com/services/cybersecurity/
The reason for the high interest is the Cloud Gateway benefits:
Example
Eliminates the threat of third parties exposing your sensitive information
Delivers a secure and uncompromised SaaS user experience
Identifies malicious activity and proves compliance to third parties and detailed audit trails
Eases cloud adoption process and acceptance
Product is transparent and has close to 0% overhead impact
Simplifies compliance requirements
Ability to outsource a portion of your IT security requirements
Eliminates data residency concerns and requirements
Greatly reduces cloud application security risk
Enables partner access to your sensitive data
Controls cloud security from the enterprise
Protects your business from third party access
1. Data protection at database, application or file
2. Data protection in a staging area
3. Volume encryption in Hadoop
4. Hbase, Pig, Hive, Flume and Scope using protection API
5. MapReduce using protection API
6. File and folder encryption in HDFS
7. Import de-identified data
8. Export de-identified data
9. Export identifiable data
10. Export audits for reporting
Examples of Services That Can Fill The Gap
Security Services
Audit & Assessment Services
Application Security Consulting
Managed Vulnerability Scanning
Security Tools Implementation
Virtual CISO
Application Services
Application Hosting & Cloud Migration
IT Consulting & Information Architecture
Software Development & User Experience Design