Pulling the PLUG
How HIPAA protected the patients' medical data but not their lives

Transcript of Pulling the PLUG

Page 1: Pulling the PLUG

8/8/2019 Pulling the PLUG

http://slidepdf.com/reader/full/pulling-the-plug 1/27

Pulling the PLUG
How HIPAA protected the patients' medical data but not their lives

Page 2: Pulling the PLUG

Who Am I?

Understanding Compliance

Pro-Con(pliance)

The real world

Page 3: Pulling the PLUG

A little about me . . . . Chris Nickerson

Employment History:

Founder, Lares

Director, Security Services, Alternative Technology

Team Lead, KPMG

Lead Security Architect / Compliance Mgr., Sprint

Sr. Security Architect, Shook Hardy & Bacon

US Navy

Professional Certifications:

CISSP

CISA

ISO 17799

NSA IAM

CCNA

Security Stuff

Created Risk Management and CSO structures for many Fortune 500 companies

Created global compliance / penetration testing practices

Contributor to Social-Engineer.org 

InformIT, EthicalHacker.net; author for Syngress/Elsevier

Other media stuff (CSO, InfoSec, Forbes, etc.)

Page 4: Pulling the PLUG

Page 5: Pulling the PLUG

Sarbanes-Oxley

Implement controls to protect the validity of financial reporting

Page 6: Pulling the PLUG

PCI

Implement controls to protect credit card data

Page 7: Pulling the PLUG

HITECH

Implement controls OR you will have to disclose that PHI was compromised

Page 8: Pulling the PLUG

HIPAA

Implement controls to protect PHI

Page 9: Pulling the PLUG

Awesome! Now that we have compliance we are more secure... right?

Page 10: Pulling the PLUG

Wrong..

Cost per incident:

2006 - $168,000

2007 - $320,424

2008 - $500,000

2009 - $710,000

2010 - est. $1.5M+

Page 11: Pulling the PLUG

Some new stats on attacks

O Financial fraud: 19.5 percent, over 12 percent last year (avg: $450,000)

O Malware infection: 64.3 percent, over 50 percent last year

O Password sniffing: 17.3 percent, over 9 percent last year

O Our heads are in "THE CLOUDS" and now under major fire (EC2 botnets)

O And already 900 million records compromised in 2009-2010

*Stats from CSI 2009 and Verizon 2010 survey

Page 12: Pulling the PLUG

Industry Targets

Page 13: Pulling the PLUG

If that's true, what has compliance done for us?

Page 14: Pulling the PLUG

Thank you compliance!

O What HAS it done for us?

O Made corporations aware of the risk out there

O Added some teeth to make the risk a bit more tangible

O Given credit to the IT team as business support and financial support, not just another expense

O Driven global awareness of interconnected systems

Page 15: Pulling the PLUG

Thank you compliance!

O What else.. HAS it done for us?

O Gave you the budget to get some security flaws fixed

O TRULY increased the security of MANY organizations

O Given all of us "Security Evangelists" something more to preach about =o)

O What else? (this is where u tell me... I'm biased!)

Page 16: Pulling the PLUG

_______ you compliance!

O What it has ALSO done

O Allowed IT departments to spend money on issues that aren't related to security (because they put SEC in the title)

O Provided a safety blanket (that people hide under) that provides no REAL protection

O Created a LEMON security market

O Misdirected security funding

O Eliminated focused corporate protection strategies in place of compliance strategies

O Allowed companies to have a scapegoat WHEN they get hacked

Page 17: Pulling the PLUG

_______ you compliance!

O What it has ALSO done

O Misdirected security funding (80% of resources to 5% of the environment)

O Eliminated focused corporate protection strategies in place of compliance strategies

O Allowed companies to have a scapegoat WHEN they get hacked

Page 18: Pulling the PLUG

Why doesn't it work?

O Well... we have a bunch of problems

O 1) We are not using what we have effectively

O 2) We don't have our eyes on the right prize

O 3) We are using trainers who have never been in a fight to teach us how to win a war

O 4) We are playing sheep

O 5) We are not using the most valuable resource we have: COMMUNITY

O 6) Because there is no one who REALLY wants it to. *Biggest industry worldwide is crime.

O 7) Oh yea... our enemy has no rules

Page 19: Pulling the PLUG

Prove it

Page 20: Pulling the PLUG

Slot machines?

Page 21: Pulling the PLUG

What? I thought u were here for leg amputation, not ACL fix

Page 22: Pulling the PLUG

Crash (cash) Cart!

Page 23: Pulling the PLUG

Crash (cash) Cart!

Page 24: Pulling the PLUG

Compliance vs Security

Page 25: Pulling the PLUG

Takeaways

O Chris is a bully

O We don't like him

O Don't let him in your building

O ...if I get up and leave now maybe he won't notice..

Page 26: Pulling the PLUG

REAL Takeaways

O Focus on the BIG PICTURE

O Think "Outside the checkbox"

O Use compliance as a vehicle, not a destination

O Look for how it affects the WHOLE organization, not just the audit

O Protect what matters most

Page 27: Pulling the PLUG

Success is not final, failure is not fatal: it is the courage to continue that counts.

Winston Churchill