
Page 1: New Zealand Privacy Week 2014 Technology and Privacy Forums · Verizon 2014 Data Breach Investigations Report (DBIR) Analysis of 2400+ breach cases from VERIS Community database Realised

Reasonable Security 1

Reasonable Security - What does that look like?

David Shaw Principal Consultant (Advisory), APJ - Pacific

New Zealand Privacy Week 2014 Technology and Privacy Forums

Page 2

What ‘Reasonable’ means

Having sound judgement; fair and sensible

Based on good sense

Able to reason logically

(Of a price or product) not too expensive


www.oxforddictionaries.com/definition/english/reasonable

Page 3

Page 4

Guidance on ‘Reasonable’ from OAIC – (Office of the Australian Information Commissioner)


Governance

ICT security

Data breach

Physical security

Personnel security and training

Workplace policies

Information lifecycle

Monitoring and review

Whitelisting and blacklisting

Software security

Access

Encryption

Network security

Testing

Backing up

Communications security

Page 5

Software Security – Simple Questions!


Security software deployment to all network components?

Latest versions of software and applications in use?

Patches and security updates to applications and operating systems up to date?

Operating system latest version, updates, fixes, enhancements installed?

Security software up to date?

Unwanted system functions disabled?

Applications and web browsers configured for maximum security?

Email attachments scanned before they are opened?

Files scanned and checked for abnormalities at workstation level?

Security measures for web applications?

Page 6

Security and Privacy


Information Security

Privacy

Other mandates for compliance

Page 7

Risk


Page 8

We will bankrupt ourselves in the vain search for absolute security.

Dwight D. Eisenhower (1890–1969)

34th President of the United States

Page 9

Does risk management of information security influence business owners?


Gartner Global Risk Management Survey 2013

Page 10

General perception


Spending More

Stopping Less

Page 11

What is Risk?

Risk diagram: Asset (A), Threat (T), Vulnerability (V)

Page 12

What is Risk?

Risk diagram: Negative (A, T, V) and Positive (A, O, S)

Page 13

Security architecture


http://www.opensecurityarchitecture.org

Page 14

Security architecture


http://www.opensecurityarchitecture.org

Security Architecture

Controls

IT System and Data Assets

Risk

Business Process

Policies

Laws and Regulations

Standards and Guidance

Page 15

Security architecture


http://www.opensecurityarchitecture.org

Security Architecture

Controls

IT System and Data Assets

Risk

Policies

Laws and Regulations

Standards and Guidance

Business Process

Assurance

Page 16

Controls


People

Process

Technology

Page 17

Information-centric model

Information Governance: Policy, Compliance, Identity, Remediation, Reporting

Information Intelligence: Discovery, Ownership, Threats, Classification

Information Infrastructure (Physical | Virtual | Mobile | Cloud): Security, Endpoint Mgmt, Backup & Archiving, Storage Mgmt, Availability

Page 18

Security Capabilities


Page 19

Performance


Start

Recon

Incursion

Discovery

Capture & Exfiltrate

Detection

Fix

Page 20

Recent History

Symantec Internet Security Threat Report 19 (ISTR)


Page 21

Recent History


Symantec Internet Security Threat Report 19 (ISTR)

Page 22

Recent History


Verizon 2014 Data Breach Investigations Report (DBIR)

Page 23

Recent History

Verizon 2014 Data Breach Investigations Report (DBIR)

Page 24

Analysis of 2400+ breach cases from VERIS Community database

Realised Threats

Source: www.veriscommunity.net

Timeline: Compromise to Discovery

Discovery Method

• 26% internal, user report

• 2.6% internal, audit

• 0.95% internal, log review

• 0.47% internal, NIDS

• 0.47% internal, security alarm

Page 25

Analysis of 2400+ breach cases from VERIS Community database

Performance of breached entities


Source: www.veriscommunity.net

Page 26

Analysis of 2400+ breach cases from VERIS Community database

Performance of breached entities


Source: www.veriscommunity.net

Page 27

Page 28

Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


David Shaw

[email protected]

+61 (0) 414 457 602