Personal Data and Digital Risks

Posted on 09-Jun-2015

Presentation for the ITAM diploma course on law in information technologies, on digital risks.

Transcript of Personal Data and Digital Risks

Casandra

Digital environments

• Windows XP Service Pack 2
• August 12, 2004
• For the first time, Microsoft enabled a software firewall by default
• When the security features were enabled, many applications stopped working

Confidentiality: default close. Availability: default open.

July 1, 2003

Under the law, affected parties must disclose any breach of the security of personal data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

SB1386, California

Recent information leaks

• 40 million records
• Between 45 and 94 million records
• 4.2 million records
• 100 million card records

Information security technologies triple every 6 years

We use strategies of attack and counter-attack, espionage and counter-espionage

In 1990, sales of the Encyclopaedia Britannica reached a record… $650 million dollars

Physical vs Digital

An Encyclopaedia Britannica sold for between $1,500 and $2,200 USD

A CD-ROM encyclopedia sold for between $50 and $70 USD

Physical vs Digital

The paradigm shift

Physical theft

Digital theft

How much does digital theft cost per year?

Sm4rt Security Services - CONFIDENTIAL

1 million dollars?

1 billion dollars?

1 trillion dollars per year

Digital theft

1 trillion dollars per year in losses, growing 300% annually

Why is the security of digital data a growing concern?

Security risk has increased because of 4 aspects

1. Speed

It used to take days or weeks to share information

Now it is instantaneous!

2. Dispersion

The same people who used to keep your secrets…

… are now the main disseminators of your personal information

During the final seconds of the Super Bowl, fans sent 4,064 tweets per second

• In 2010 there were 50 million tweets per day
• At the start of 2011, 140 million tweets per day
• Today, 350 million tweets per day

3. Persistence

We used to control, restrict access to, and physically destroy the copies of our personal data


4. Aggregation

Our files used to be hard to access

Now they are all aggregated and available all over the world

Now, if you are seen in a compromising situation…

…your girlfriend will have access to the information immediately…

…as will her friends…

…probably forever!

We need to accept the risks

The potential risks are infinite

Environments are highly dynamic

The pieces change without notice

The rules change constantly

The players change

The end justifies the means

In the prevention of intentional risk, nothing less than securing all vectors is enough

Defenses must be optimized

Optimize speed

Optimize resources

3 types of digital risk

1. Accidental

2. Opportunistic

3. Intentional

[Figure: risk model diagram. Axis: relationship/connection, from 0 up to 1 moment, 1 device, 1 channel, authenticated with x factors. Regions: Intentional Risk, Accidental Risk, Opportunistic Risk. Labels: Redundancy, Availability, Filtering, Confidentiality, Integrity, External Threat, Internal Impact, Worst Effort, Best Effort, Sum of Efforts.]

We need to use the medical analogy


Three vectors for managing risk

Value to third parties

Anonymity of the third parties

Accessibility to third parties

Risk Analysis

[Figure: heat map plotting Probability (Almost never, Possible, Always) against Impact (Insignificant, Medium, Very high). Vulnerabilities plotted:]

• Weak password storage protocol
• Absence of robust password policy
• Absence of data entry validation for web applications
• Existing applications with vulnerable remote support
• Weak wireless ciphered communication protocol
• Absence of operating system security configuration

Main Risks

[Figure: prioritization matrix plotting Effort (Minimum, Moderate, High) against Positive Impact of Implementation (Minor, Medium, Major). Quadrants: Not Viable, Nice To Have, Quick Hits, Strategic.]

Initiatives plotted in the Strategic and Quick Hits quadrants:

• Security configuration guidelines for applications
• Security configuration guidelines for operating systems
• Migration of passwords storage protocols
• Password Policy
• Secure application development process
• Migration of remote support protocol
• Migration of wireless communication protocol
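As an added example (not part of the original presentation), the two matrices above can be expressed as a short scoring routine: each vulnerability from the heat map is ranked by probability × impact, and each remediation initiative is placed in one of the four quadrants by its effort and positive impact. The vulnerability and initiative names are the slide's; the ordinal ratings attached to them, the band thresholds and the quadrant rule (Quick Hits = low effort and high impact, Strategic = high effort and high impact, Nice To Have = low effort and low impact, Not Viable = high effort and low impact) are assumptions, because the slide image with the plotted positions is not in the transcript.

```python
"""Risk heat map scoring and effort/impact prioritization.

Added example, not from the original deck. Vulnerability and initiative
names come from the slides; every rating below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal scales taken from the axis labels on the two slides.
PROBABILITY = {"Almost never": 1, "Possible": 2, "Always": 3}
IMPACT = {"Insignificant": 1, "Medium": 2, "Very high": 3}
EFFORT = {"Minimum": 1, "Moderate": 2, "High": 3}
POSITIVE_IMPACT = {"Minor": 1, "Medium": 2, "Major": 3}


@dataclass
class Vulnerability:
    name: str
    probability: str  # key of PROBABILITY
    impact: str       # key of IMPACT

    def risk_score(self) -> int:
        """Heat-map cell as one number: probability x impact, range 1..9."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]


def risk_band(score: int) -> str:
    """Assumed thresholds for the three colour bands of the heat map."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_vulnerabilities(vulns: List[Vulnerability]) -> List[Tuple[str, int, str]]:
    """Highest risk first; ties keep the input order."""
    ranked = sorted(vulns, key=lambda v: v.risk_score(), reverse=True)
    return [(v.name, v.risk_score(), risk_band(v.risk_score())) for v in ranked]


@dataclass
class Initiative:
    name: str
    effort: str           # key of EFFORT
    positive_impact: str  # key of POSITIVE_IMPACT


def quadrant(init: Initiative) -> str:
    """Assumed quadrant rule: Medium/Major impact counts as high impact,
    Minimum/Moderate effort counts as low effort."""
    high_impact = POSITIVE_IMPACT[init.positive_impact] >= 2
    low_effort = EFFORT[init.effort] <= 2
    if high_impact and low_effort:
        return "Quick Hits"
    if high_impact:
        return "Strategic"
    if low_effort:
        return "Nice To Have"
    return "Not Viable"


def group_initiatives(inits: List[Initiative]) -> Dict[str, List[str]]:
    groups: Dict[str, List[str]] = {
        q: [] for q in ("Quick Hits", "Strategic", "Nice To Have", "Not Viable")
    }
    for i in inits:
        groups[quadrant(i)].append(i.name)
    return groups


# Constructed sample ratings: the slide lists the items but not their positions.
SAMPLE_VULNERABILITIES = [
    Vulnerability("Weak password storage protocol", "Always", "Very high"),
    Vulnerability("Absence of robust password policy", "Always", "Medium"),
    Vulnerability("Absence of data entry validation for web applications", "Possible", "Very high"),
    Vulnerability("Existing applications with vulnerable remote support", "Possible", "Medium"),
    Vulnerability("Weak wireless ciphered communication protocol", "Possible", "Medium"),
    Vulnerability("Absence of operating system security configuration", "Almost never", "Medium"),
]

SAMPLE_INITIATIVES = [
    Initiative("Password Policy", "Minimum", "Major"),
    Initiative("Security configuration guidelines for applications", "Moderate", "Major"),
    Initiative("Security configuration guidelines for operating systems", "Moderate", "Medium"),
    Initiative("Migration of passwords storage protocols", "Moderate", "Major"),
    Initiative("Secure application development process", "High", "Major"),
    Initiative("Migration of remote support protocol", "High", "Medium"),
    Initiative("Migration of wireless communication protocol", "High", "Minor"),
]

if __name__ == "__main__":
    for name, score, band in rank_vulnerabilities(SAMPLE_VULNERABILITIES):
        print(f"{score} {band:6} {name}")
    for q, names in group_initiatives(SAMPLE_INITIATIVES).items():
        print(f"{q}: {names}")
```

With the constructed ratings, the wireless migration lands in Not Viable, which matches its place at the tail of the roadmap on the slides that follow; changing a single rating moves an item across a quadrant boundary, which is the point of keeping the scales explicit rather than hard-coding the result.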

Action Plan

Vulnerability patches and updates process

Security configuration guidelines for applications

Secure application development process

Security configuration guidelines for operating systems

Migration of password storage protocols

Migration of remote support protocols

Recommendations for Sustainability

Secure change process administration

Risk administration process

Policies and Configuration Guidelines

Superior Technologies

Password policy

Governance

Processes and Roles

User controls

Network controls

Application controls

Data level controls

Host controls

Migration of wireless communication protocols

Mitigation Roadmap

[Figure: Gantt chart of recommendations scheduled by quarter, Q1 2012 to Q4 2013. Recommendations:]

• Security configuration guidelines for applications
• Password policy
• Security configuration guidelines for operating system
• Migration to robust remote support protocols
• Migration of password storage
• Secure change process administration
• Risk Administration Implementation
• Vulnerability patches and updates process administration
• Secure application development implementation
• Migration of wireless communication protocol

Demystifying the Privacy Implementation Process

Process map: Business Process Analysis → Data Lifecycle Inventory → Data Value (IVA) and Legal & Regulatory Requirements (PIA) → Data Categories → Asset Inventory → Policy Generation → Controls, Standards, Procedures → Implementation & Audit

Business Process Analysis

• Identification of applicable law


Issuers

• Legislators
• Regulators
• Organizations

Obligations

• Laws
• Norms
• Industry Standards
• Contracts

Auditors

• Authorities
• Organizations

Business Process Analysis

• Stakeholder Information acquisition

– Types of data

– Internal and external data flows

– Purpose of treatment

– Information systems and security measures

– Retention policies


Data Lifecycle Inventory


• Data Reception
• Purpose of Use
• Information Systems and Storage
• 3rd Parties Involved
• Data Retention
• Data Destruction

Privacy Legal & Regulatory Requirements (PIA)

1. Legal & Regulatory

– Contracts

– Clauses

– Privacy notices

– Authorizations

– Jurisdictions

– Other regulations
  • Money laundering
  • Sectoral
  • Etc.


Privacy Legal & Regulatory Requirements (PIA)

2. Technical

– Authentication & authorization

– Access control

– Incident log

– Removable media and document management

– Security copies

– Recovery tests

– Physical Access


Privacy Legal & Regulatory Requirements (PIA)

3. Organizational

– Data privacy officer

– Roles and responsibilities

– Policies, procedures and standards

– Notifications to authorities

– Audits

– Compliance and evidence


Legal & Regulatory Data Categories

• High Risk
  – Syndicate Affiliation
  – Health
  – Sexual life
  – Beliefs
  – Racial Origin

• Medium Risk
  – Financial Profile
  – Personal Fines
  – Credit Scoring
  – Tax Payment Information

• Basic Risk
  – Personal Identifying Information
  – Employment


External Economic Data Value (IVA)

• Black Market Value
  – Sale price

• News Value
  – Newspapers
  – Magazines
  – Television

• Competition
  – Market Value
  – Brand Value
  – Political Value

• Authorities
  – Fines


Data Value Categories

Lvl | Value          | Classification | Example
4   | > $10M         | Secret         | CC Magnetic Strip, PIN number, User & Password
3   | $100K - $10M   | Confidential   | Name, Address, Credit History, Account Statements
2   | $1,000 - $100K | Private        | Bank Account Numbers, Pre-published Marketing Info
1   | $0 - $1,000    | Public         | Published Marketing Information


Asset Inventory

Asset | Legal & Regulatory level | Data Value level | Most Sensitive Data | Applicable Policy | Applicable Controls
DB1   | L&R Medium Risk | Secret       | Application Passwords | 1. Secret Data Policy | 1. Oracle Secret Data Standard
App5  | L&R High Risk   | Confidential | Payment Card Number   | 1. L&R High Risk Policy | 1. J2EE High Security Standard; 2. Application Confidential Data Mgmt Standard
Srvr3 | L&R Medium Risk | Private      | Client Account Data   | 1. Private Data Policy; 2. L&R Medium Risk Policy | 1. Solaris 10 Medium Hardening Standard
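As an added example (not part of the original deck), the three slides Legal & Regulatory Data Categories, Data Value Categories and Asset Inventory can be chained into one classification routine: each inventoried data element carries a legal category and an estimated external value; an asset takes the highest legal risk and the highest value level among its elements, and those two levels select its policies and its platform standard. The category list and the dollar thresholds are the slides'; the boundary handling (a value exactly on a threshold takes the higher level), the policy and standard naming convention, and the sample assets are assumptions constructed for the example.

```python
"""Asset classification from legal category and data value.

Added example, not from the original deck. Categories and thresholds are
copied from the slides; boundary rule, naming and sample data are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Legal & Regulatory (PIA) risk level per data category, as listed on the slide.
LEGAL_RISK_BY_CATEGORY: Dict[str, str] = {
    "Syndicate Affiliation": "High", "Health": "High", "Sexual life": "High",
    "Beliefs": "High", "Racial Origin": "High",
    "Financial Profile": "Medium", "Personal Fines": "Medium",
    "Credit Scoring": "Medium", "Tax Payment Information": "Medium",
    "Personal Identifying Information": "Basic", "Employment": "Basic",
}
LEGAL_RANK = {"Basic": 1, "Medium": 2, "High": 3}

# Data Value (IVA) levels from the "Data Value Categories" table:
# (lower threshold in USD, level, classification), highest first.
DATA_VALUE_LEVELS: List[Tuple[int, int, str]] = [
    (10_000_000, 4, "Secret"),
    (100_000, 3, "Confidential"),
    (1_000, 2, "Private"),
    (0, 1, "Public"),
]


def data_value_level(estimated_value_usd: float) -> Tuple[int, str]:
    """Map an external economic value estimate to (level, classification).
    Assumed boundary rule: a value exactly on a threshold takes the higher level."""
    if estimated_value_usd < 0:
        raise ValueError("estimated value must be non-negative")
    for threshold, level, label in DATA_VALUE_LEVELS:
        if estimated_value_usd >= threshold:
            return level, label
    return 1, "Public"  # unreachable: the last threshold is 0


@dataclass
class DataElement:
    name: str
    legal_category: str       # key of LEGAL_RISK_BY_CATEGORY
    estimated_value_usd: float


@dataclass
class Asset:
    name: str
    platform: str             # e.g. "Oracle", "J2EE", "Solaris 10"
    data: List[DataElement]


def legal_level(asset: Asset) -> str:
    """Highest legal & regulatory risk among the asset's data elements."""
    worst = max(asset.data, key=lambda d: LEGAL_RANK[LEGAL_RISK_BY_CATEGORY[d.legal_category]])
    return LEGAL_RISK_BY_CATEGORY[worst.legal_category]


def classify_asset(asset: Asset) -> Dict[str, object]:
    """Build one Asset Inventory row. An asset with nothing inventoried is an
    error: the process requires the lifecycle inventory to run first."""
    if not asset.data:
        raise ValueError(f"{asset.name}: no data elements inventoried")
    lr_level = legal_level(asset)
    most_valuable = max(asset.data, key=lambda d: d.estimated_value_usd)
    _, value_label = data_value_level(most_valuable.estimated_value_usd)
    # Assumed naming convention for the Applicable Policy / Controls columns.
    return {
        "asset": asset.name,
        "legal_regulatory_level": f"L&R {lr_level} Risk",
        "data_value_level": value_label,
        "most_sensitive_data": most_valuable.name,
        "applicable_policy": [f"{value_label} Data Policy", f"L&R {lr_level} Risk Policy"],
        "applicable_controls": [f"{asset.platform} {value_label} Data Standard"],
    }


def build_inventory(assets: List[Asset]) -> List[Dict[str, object]]:
    return [classify_asset(a) for a in assets]


# Constructed sample assets; names and values are invented for the example.
SAMPLE_ASSETS = [
    Asset("HR-DB", "Oracle", [
        DataElement("Employee health records", "Health", 250_000),
        DataElement("Employee names and IDs", "Personal Identifying Information", 2_000),
    ]),
    Asset("Scoring-App", "J2EE", [
        DataElement("Credit scores", "Credit Scoring", 50_000),
        DataElement("Tax IDs", "Tax Payment Information", 500),
    ]),
    Asset("Newsletter-Srv", "Solaris 10", [
        DataElement("Subscriber names", "Personal Identifying Information", 300),
    ]),
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_ASSETS):
        print(row)
```

The two levels are deliberately kept separate in the output row, as on the slide: a data set can be Public by market value yet High Risk under the law (health data with no resale value), and collapsing the two into one score would hide which policy drives a given control.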


Policy Generation

• How should this data be:
  – generated?
  – stored?
  – transferred?
  – processed?
  – accessed?
  – backed up?
  – destroyed?
  – monitored?

• How should we react to and escalate an incident or breach?

• How will we sanction non-compliance?


Controls, Standards & Procedures

• Controls are defined and mapped for each policy level

– Technical Standards

– Procedures

– Compensatory Controls


Controls, Standards & Procedures

[Figure: matrix of standards by platform (DB2, HP/UX, J2EE, Oracle) and by risk level (High Risk, Med Risk, Low Risk).]


Norms Controls

Implementation & Audit


Implementation & Audit

[Figure: Laws and Regulations (LOPD, SOX, LSSI) → Best Practices → Controls over assets, networks, communications, processes, applications and people → Evidence (I.ACT, D.SEG, CONTRACT).]
