Instructor Introduction

Instructor Introduction

Leighton R. Johnson, III

CISA, CISSP, CISM, MBCI, CSSLP, CIFI, CFCP, CAP, CRISC

SC-ISACA Chapter Instructor

Member: IEEE, ACM, ASIS, ISSA, IISFA, ISACA, ISC2, CSA, BCI, InfraGard, OSE

Background

 Leighton Johnson, the CTO of ISFMT (Information Security & Forensics Management Team), has presented computer security and forensics classes and seminars all across the United States and Europe.

 He has over 38 years experience in Computer Security, Software Development and Communications Equipment Operations & Maintenance; Primary focus areas include computer security,

information operations & assurance, software system development life cycle focused on modeling & simulation systems, systems

engineering and integration activities, database administration, business process & data modeling

Securing Big Data

 _{Every day 2.5 exabytes of data are generated from new}

and traditional sources including climate sensors,

social media sites, digital pictures & videos, purchase transaction records, cellphone GPS signals, and more.

 _{Big data environments allow organizations to}

aggregate more and more data—much of which is

financial, personal, intellectual property or other types of sensitive data.

 _{The data is both unstructured and structured; huge}

amounts exist in systems and often it is real-time live data.

What is Big Data?

 Big data is the combination of any type of data—structured and unstructured—such as text, sensor data, audio, video, clickstreams, log files and more

Areas of Interest

 The Big Data areas of concern to auditors and

security professionals include:

 Sensitive data discovery and classification

 Data access and change controls.

 Real-time data activity monitoring and auditing

 Data protection

 Data loss prevention

 Vulnerability management

Big Data Components

 3 V’s

 _Velocity

 Speed of data in and out

 Volume

 Increasing amount of data

 _Variety

Big Data Sources

 Structured Data

 _{RDBMS – based}

 Unstructured Data

 _{Real-time data feeds}  _{Social Media sources}

Big Data Usage

 Science and research

 Government

 Corporation/Private Sector  Retail

 Wal-Mart – 1M transactions per hour  Amazon – 3 DBs online

 7.8 TB, 18.5 TB, and 24.7 TB

 _Healthcare

 _{Energy/Smart Grid}  _Others

Big 3 Big Data Users

 Marketing Trend Analysis

 Retail Sales Analysis

Big Data Impacts & Benefits

 _Governance

 What Data should be Included

 _Planning

 Process of collecting and organizing outcomes

 Utilization

 Becoming information “mavens”

 _Assurance

 Data Quality

 _Privacy

Big Data Security Uses

 Big Data Security-based analysis can be used to:

 Detect probable threats based on current vulnerabilities,

 Provide analysis of identity and access activities,

 Correlate events and alerts, and

 Provide meaningful insights into the effectiveness of remediation of security incidents

 Identify patterns of anomalies to normal behavioral performance, operations and configuration states,

Security of Big Data

 Secure data, collect it, and then aggregate to evaluate to total

 _{Obtain visibility of all data - Collection}  Understand the context - Integration

Big Data Security Correlation

 Analysis capabilities

 Incident Response capabilities  Data Breach capabilities

 Data Recovery capabilities

 _{Disaster Recovery capabilities}  _{Forensics capabilities}

Compliance and Big Data

 Issues

 _Volume

 Complexity

 _{Lack of consistent structure}

 _{Need to isolate the compliance-sensitive} portions of data from total

Compliance Issue Example

 _{Create multiple data sets and put them in the same}

location,

 Allows technology to cross-integrate that information.

 _{Potential new information that needs new controls.}

 For instance, List of clients and it’s benign  Add marketing information from a third-party

 Now have a new data set.

 Then link in other information

 Now possible to have PII which requires compliance and protection

Statutory & Regulatory Needs

 Scope  Location  _{Transnational Considerations}  _{Privacy Considerations}  Downstream Liabilities

Big Data Regulatory Issues

 Regulatory Considerations  _HIPAA  SOX  _GLBA  EU rules  _FACTA  FERPA  _PCI-DSS

Regulatory Issue – Example 1

 HIPAA/HITECH

 _{Consequences of non-compliance are potentially} severe, including both civil and criminal penalties  _{Two ways to control keep data secure from}

release

 Encryption  Destruction

Regulatory Issue – Example 2

 PCI-DSS

 _{An industry-wide framework for protecting} consumer credit card data.

 _{Any company that stores, processes or transmits} credit card data must comply with PCI-DSS by properly securing and protecting the data

Big Data & Cloud Legal Issues

 Where is the data?

 _{Cloud server locations}

 Legal status vary from country to country.

 “Despite the global feel of the cloud, some countries’ laws will

be involved when it’s time to sue to get back data or to demonstrate compliance with privacy rules.”

ISACA’s 5 Key Questions for Big

Data Privacy and Security

 _{Can the company trust its sources of Big Data?}

 What information is the company collecting without

exposing the enterprise to legal and regulatory battles?

 _{How will the company protect its sources, processes}

and decisions from theft and corruption?

 _{What policies are in place to ensure that employees}

keep stakeholder information confidential during and after employment?

 _{What actions are company taking that creates trends}

Securing Big Data Focal Points

 Security Architecture  _{Infrastructure Components}  Hardware  Software  _{Computational Algorithms}  “Real-Time” Analytics  _{Data Itself} 25

Questions for Securing Big Data

 Data Fits Into Organization – How?

 _{Data is Classified – How?}

 Search Algorithms are Controlled – How?

 Data is Accessed – How and By Whom?

 _{Data is Reported Out – How and To Whom?}

 Data is Updated - How Often and By What

Process?

What Data Needs Securing



Structured Data Sources



Unstructured Data Sources



“Real-time” Data Feeds



“Time-sensitive” Data



Meta-Data about the Data

Structured Data Sources



Local Databases



Spreadsheets and Office Documents



Data Warehouses



Partner Data



Data Brokers

Standard Database Security

 Data

 Schemas

 Meta-data

 Files, Folders, Interfaces

 Transaction Logs

 ISACA has many documents covering various

RDBMS

ISACA Sources - Examples

 Security, Audit and Control Features Oracle

Database, 3rd Edition

 _{Social Media Audit/Assurance Program}  _{Personally Identifiable Information (PII)}

Audit/Assurance Program

 _{MySQL Server Audit/Assurance Program}

 _{Microsoft SQL Server Database Audit/Assurance}

Program

 _{IT Tactical Management Audit/Assurance Program}

COBIT based reviews

 Evaluate, Direct and Monitor  Align, Plan and Organize

 Build, Acquire and Implement

 Deliver, Service and Support

Structured Data Review

 Files and Folders

 Databases

 Spreadsheets and Office Documents

 Data Warehouses

 Type

Structured Data - 1

 Standard database security efforts

 _Data

 Schemas

 _Meta-data

Structured Data - 2

 Standard Interface reviews

 _Logs

 Transactions

Database Security Auditing

 Can relate to the timestamps that apply to the update time of a row in a relational table

being inspected and tested for validity in order to verify the actions of a database user.

 May also focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

Database Security Issues

 Change Management for schemas and formats

 Transaction Logging

Unstructured Data Sources - 1

 Social Media feeds

 _{Facebook, Twitter, LinkedIn, etc.}

 “Non-transactional” Data structures  _{Blogs And Chats}

 _{Collaborative Environment}

 _{Machine to Machine (M2M) data}

 _{IoT data}

 Sensor Data Feeds – i.e. GPS Data

Unstructured Data Sources - 2

 E-Mail/Documents/Spreadsheets

 Social Media feeds

 _{Facebook, Twitter, LinkedIn, etc.}

 _{News and Real-time Data feeds}

Social Media Security Practices

 _{Authentication of social media evidence can present significant}

challenges

 Collection by screen shots, printouts or raw html feeds from an archive tool.

 _{Capture Techniques Documented}

 Properly collected, preserved, searched and presented

 _{Metadata Search Criteria for Each Investigation}  _{Proper Chain of Custody}

 Associated metadata is preserved

Twitter Security

 Twitter RSS feed  Undocumented...  http://api.twitter.com/1/statuses/user_timeline.rss?screen_name=Michell eObama  http://api.twitter.com/1/statuses  /user_timeline.rss?screen_name=MichelleObama  Twitter API. Every user has a unique #

 id: 409486555, screenname: MichelleObama  Names may change! Twitter ID unique!

Facebook Security

 Facebook...

 Profile Information, Location, Photos...  Text and Links, Checkins

 Friends / Close Friends / Family  Apps

 Pages  Groups

Facebook Security (cont.)

 Why???  Criminal reasons  Missing Persons  Infidelity  Malware

 Scams, Fraud, Human trafficking…  Child Pornography

LinkedIn Security

 LinkedIn User Profiles

 http://www.linkedin.com/in/assist

 http://www.linkedin.com/profile/view?id=3480686  LinkedIn Company Profiles

 LinkedIn Groups  Advanced Search

 http://www.linkedin.com/search?trk=advsrch  Premium Accounts

E-Mail Issues

 Structures and Format Differences

 Storage Requirements

Visualization efforts

 Attempts to Visualize Data using various visualization techniques

Big Data Areas for Audits and

Security

 Data Sources

 “Real-time” Data Feeds

 “Time-sensitive” Data

 Meta-Data about the Data

 _{Data Users}

 _{Data Access}

Big Data Challenges to Security

 Rapid response times needs

 Non-consistency of data structures

How to Determine What to Secure

 Sources  Timing  Structures  Compliance Needs  _{One Way}

 _{Examine Data Itself Forensically}

Network Components

 Device Logs

 Transactional Logs

Security Itself

 Areas Within Environment

 Transactional Logs

 Network Activity

 Edge / Boundaries

 _{Access Attack Vectors}

What To Look For - 1

 _{Missing data}

 either some or all of the data missing.

 Data out of range

 results range from 0-100. A value of 300 is out of valid range.

 Another example is if data can vary in range, but has historically been within a particular range, a value outside that range might be reviewed.

 _{Duplicate data}

 multiple observations for the same occurrence.

 Invalid data

 Wrong or incorrect data.

 _{Bad format data}

 Fields that should be formatted in a particular manner are not.

 For example date fields that should be in ddmmyy format are recorded as ddmmmyyyy.

What to Look For – 2

 Unformatted data

 _{Data that should have been recorded in a particular}

format, such as an address where the street name and number goes in one area, the city goes in another, the country in still another and the post or zip code in yet another.

 If all the information is combined in one field, this makes processing difficult.

 Incomplete data

 _{files or records within a file that have missing fields}

What To Look For - 3

 Patterns of anomalies to normal behavioral performance,

 _{IT operations and configuration states,}  _{Capacity and forecast of IT resources}

Securing Big Data - What To Do

 Access Controls

 Encryption Controls

 _{Audit Controls}

What To Do - Access

 Internal and external authentication

 Object permission management in Structured

Databases

 _{Extra controls for AC in data feeds}

What To Do - Encryption

 Transparent data encryption for all objects and data

 _{File-level and block-level encryption}

 ETE Encryption for all “moving” data

What To Do - Audit

 Auditing of all user activity/changes

 Watch the Input for Malicious or Inadvertent alterations

 _{Log Management criteria – who can change}

What To Do - Governance

 Data Security Laws in Location – possible compliance issues ensure policies cover this

 _{Who is watching the watchers? Have a}

monitoring activity in place

 _{Reporting to Senior Executives and BOD –}

What To Do - Summary

 Watch the Input for Malicious or Inadvertent alterations

 Change of Audit Logs is “red flag”

 _{Oversight in Privacy and Compliance areas} have significant legal results – watch these closely

Summary

 _{Identify redundant, obsolete, and trivial data in}

gathered data locations

 _{Detect personal data where possible}

 Exercise classification and processing activities

on a data set

 Activate forensics actions when and where

needed

 Review which data files will be affected by a