Subido por Flavio H. Díaz Portela

La seguridad cibernetica para el 2020 1578520121

Anuncio
Cyber
Chief
Cybersecurity
2020
Top Trends Shaping
Management
Priorities
INTERVIEW: Deidre Diamond,
CEO at CyberSN and brainbabe.org,
"There's a perfect storm in cybersecurity"
Ed.8
Cyber
Chief
Ed. 8
Magazine
2019 was an action-packed year for cybersecurity, marked
by significant new data privacy regulations as well as mega-breaches and massive fines. What will 2020 bring?
This edition of Cyber Chief Magazine reveals the important
trends that will determine how organizations address cybersecurity challenges in 2020, and shares strategies that will
help you prepare for the threats and seize the opportunities.
The Cyber Chief team
[email protected]
Contents
Cybersecurity:
Facts and Figures
4
Extra Security
18
How to reduce cybersecurity
complexity and successfully
manage risks
22
The ultimate list of data security
solutions for protecting sensitive
data
28
Establishing efficient data
governance processes
to add business value
Data security successes and failures
in 2019
95 %
of cloud security failures
will be the customer’s fault
Gartner
Focus
6
Top IT priorities for 2020
10
Data privacy trends, issues
and сoncerns for 2020
Analysis
14
Mitigating the risk of ransomware attacks
in the public sector
First-Hand Experience
32
“A perfect storm in cybersecurity”,
interview with Deidre Diamond,
founder and CEO at CyberSN and
brainbabe.org
Cybersecurity: Facts and Figures
Data security successes and failures
in 2019
Data security
$
$
Data privacy
$124
107
BILLION
COUNTRIES
Global investment
in information security
in 2019
have enacted legislation to
protect data and privacy
Gartner
United Nations Conference
on Trade and Development
$
Largest data protection fines
Equifax
Marriott, Inc.
$121M
$198K
British Airways
Google
PwC
$575M
$224M
Active Assurances
$57M
$165K
Lexology.com
Breaches
5,183
breaches
reported
7.9B
records
exposed
IN THE FIRST
9 MONTHS OF 2019
Data Breach QuickView Report
What to expect in 2020
Data security
Data privacy
95 %
Regulations coming into force
of cloud security failures
will be the customer’s fault
Gartner
January 1
8
“CCPA Readiness: Second Wave,”
Iapp, OneTrust
$6T
6
$3T
Privacy classaction lawsuits
will increase by
2
0
2015
2021
2019 Official Annual Cybercrime Report,
Cybersecurity Ventures
TOP
August 15
Organizations don’t expect to be in full
compliance with the CCPA until July 1.
Cybercrime damage
worldwide will double
4
CCPA California LGPD Brazil
projects
for CISO/security
officers
Data security
90 %
Cybersecurity awareness
among employees
62 %
Data privacy
59 %
2020 Netwrix IT Trends Report
300 %
2020 Predictions, Forrester
Data protection strategy
Top initiative for executives:
Enterprise data strategy
Advanced organizations will
double their data strategy budget
40% of companies will launch
data literacy programs for all users
2020 Predictions, Forrester
Focus
Top
IT Priorities
for 2020
Ryan Brooks
Cybersecurity Expert, Netwrix Product Evangelist
In October 2019, Netwrix asked IT pros to name
Although data privacy didn’t make the medal
the five IT projects that will be their top priorities
podium, it was named by 43% of respondents.
in 2020. We got feedback from 846 respondents
Moreover, it boasted a strong showing among
worldwide. This is what we learned from their re-
organizations of all sizes and verticals. With the
sponses.
explosion of compliance regulations focused on
data privacy, such as the GDPR and the CCPA,
According to the Netwrix IT Trends 2020 report,
data privacy is likely to be a top IT priority for the
data security takes the gold medal as the dominant
next several years.
priority for 2020. It was named by 74% of respondents — including 90% of CISOs and security officers, regardless of their organization’s size, vertical
or location. This is no surprise, given the rising numexperts to combat them.
These same factors also likely contribute to automation of manual processes winning the silver medal in the survey. Increased automation
was cited by 53% of respondents, including 57%
of large businesses. Automation helps organizations boost the productivity and effectiveness
of their current IT and cybersecurity talent.
IT
2020
ber of breaches and the shortage of cybersecurity
TRENDS
Report
The bronze medal goes to raising cybersecurity
awareness, which was cited by 51% of respondents. Organizations recognize the importance
of effecting a cultural shift among employees,
both IT and non-IT. Surprisingly, this trend is
even stronger among SMBs than large enterprises; 60% of SMBs say they will focus on train-
Learn More
ing staff about cybersecurity hygiene.
7
TOP 5
IT PRIORITIES
74 %
DATA SECURITY
53%
AUTOMATION OF MANUAL PROCESSES
51%
CYBER SECURITY AWARENESS AMONG EMPLOYEES
43%
DATA PRIVACY
37%
CLOUD MIGRATION
№1
PRIORITY
BY ORGANIZATION SIZE
SMBs
Raising cybersecurity
awareness among
employees (60%)
TOP
LARGE Automation of manual
ENTERPRISES processes (57%)
TRENDS
FOR CISOs
90%
Data security
2020 Netwrix IT Trends Report
62%
Cyber security
awareness among
employees
43%
Data privacy
Top IT Priorities for 2020
KEY FINDINGS BY THE NUMBERS
74 %
of organizations named
data security as their top
IT priority for 2020.
54 %
of respondents plan to focus on
automating manual tasks.
43 %
of organizations
mentioned data privacy
as their top goal.
52 %
of them are subject to
privacy regulations.
33 %
ONLY
20 %
of organizations plan to focus on addressing the skills
shortage through education
of existing IT personnel or
talent acquisition.
of organizations intend to
focus on digital transformation,
integrating their existing
solutions and cloud migration
projects; these goals are
mostly relevant for larger
organizations.
Focus
Data Privacy
Trends, Issues
and Concerns
for 2020
Ryan Brooks
Cybersecurity Expert, Netwrix Product Evangelist
One defining feature of 2019 was an increasing
Exactly why is data privacy important? It is import-
focus on data privacy around the world, includ-
ant to consumers because a breach of personal
ing a variety of new government regulations. Data
information can damage an individual’s funda-
privacy is a hot topic because cyber attacks are
mental rights and freedoms, including the risk of
increasing in size, sophistication and cost. Accen-
identity theft and other types of fraud. But data
ture reports that the average cost of cybercrime
privacy concerns are also important to organiza-
has increased 72% in the last five years, reaching
tions. Any unauthorized collection, careless pro-
US$13.0 million in 2018.
cessing or inadequate protection of personal data
introduces multiple risks. In particular, organiza-
In this article, we will talk about pressing data
tions that fail to comply with privacy requirements
privacy issues and how they can influence your
are at risk of steep fines, lawsuits and other pen-
business.
alties. The CCPA, for example, grants the private
right of action if a breach occurs and data was
Why is data privacy
important?
not encrypted or anonymized, and GDPR fines
can reach 20 million euros or 4% of a company’s
global annual turnover for the preceding financial
year. Authorities can even ban the business from
processing personal data in the future.
The recent focus on privacy concerns is driven by
numerous cyber security attacks that led to mas-
These severe consequences for noncompliance
sive breaches of personal data. In response, reg-
are perhaps the strongest driver for rising privacy
ulations designed to strengthen consumer priva-
awareness among organizations. Organizations
cy protection have been developed in countries
have to take privacy into account before they use
around the world, from the U.S. to India to Aus-
an individual’s data, for example, by selling cus-
tralia. The EU’s GDPR (General Data Protection
tomers’ personal data to third parties To meet
Regulation) in particular has had an important im-
modern compliance requirements and satisfy
pact. In addition, many individual states in the U.S.
consumers, all organizations have to take steps to
have adopted their own privacy protection laws,
protect the healthcare records, financial data and
such as the CCPA (California Consumer Privacy
other personally identifiable information (PII) they
Act), and their number is still growing. We should
process and store against cyber attacks.
expect more legislative activities in the future, as
Congress is working to implement a U.S. federal
data privacy law.
11
A focus on data privacy is
a differentiator
Defending against supply chain
attacks
Apart from legal sanctions, organizations face
One key trend for the coming year will be
reputational risks if they fail to ensure data priva-
third-party risk management. While breaches at
cy protection. To maintain customer trust today, a
large enterprises dominate the headlines, their
company must demonstrate that data privacy is
supply chains are an attractive target for hackers
one of its core values. Indeed, while many busi-
as well, because of their digital connections to
nesses still view privacy policies as a set-and-
larger enterprises.
forget legal routine, the consumer’s attitude has
changed. According to PwC research, only 25%
Therefore, companies need to ensure that their
of consumers believe most companies handle
partners, suppliers, re-sellers, and service pro-
their personal data responsibly.
viders are protecting data properly. For example, the GDPR requires working only with third
As people become more aware of the loose han-
parties that demonstrate they have measures
dling of their data by social networks, tech giants
in place to protect personal data. According-
and governments, implementing strong control
ly, organizations need to take a risk-based ap-
over handling of personal information is becom-
proach to evaluating partners and vendors, and
ing a powerful business advantage. According
establish agreements about topics such as data
to Gartner, brands that put in place user-level
breach notification obligations and cooperation
control of marketing data will reduce custom-
in fulfilling data subject requests.
er churn by 40% and increase lifetime value by
25% in 2023. Thus, companies will be working to
meet the transparency bar by ensuring they can
explain why they collect and share specific data,
The importance of employee training
will grow
as well as prove that they have properly asked
consumers for permission and notified them
One key trend for 2020 will be efforts to increase
about data collection and processing.
data privacy awareness — organizations will be
focusing on teaching staff about sensitive data
security and data management policies. Creating a privacy- and security-aware culture is a
requirement of many cybersecurity regulations.
12
Educating people about their rights and obligations — and regularly testing their adherence to
your information privacy policy — is critical to security and compliance.
Conclusion
The coming years will undoubtedly bring new
regulations with more stringent requirements
and steeper penalties. However, there is no reason to delay implementing core best practices.
Indeed, if you want to avoid appearing in the
next big data breach headline, it is vital to start
managing your risks now and make privacy a
fundamental part of your DNA.
Achieve,
Maintain
and Prove
Compliance
Learn More
13
Analysis
Mitigating
the Risk of
Ransomware
Attacks in the
Public Sector
Ryan Brooks
Cybersecurity Expert, Netwrix Product Evangelist
Ransomware attacks were on the rise around the
of digital records and turn away new patients.
world in 2019. In the U.S. alone, more than 620
Similarly, more than 50 educational organiza-
government entities, public institutions, health-
tions experienced ransomware attacks last year,
care service providers, school districts, colleges
forcing some of them to delay the beginning of
and universities had their data held hostage.
the academic year for thousands of students
These relentless attacks have interrupted ev-
and their families; one district paid $88,000 for
eryday life in U.S. cities by massively disrupting
the decryption key after negotiating the payout
municipal operations, emergency and medical
down from $176,000.
services, and educational institutions.
Second, many governmental agencies and
Why governmental
agencies and public
institutions are
a primary target
Attackers target public institutions for several
key reasons. First, they are more likely to pay
up. After all, the goal of a ransomware attack
is to disrupt operations badly enough and long
enough that the organization will pay the ransom. According to Coveware, a typical ransomware incident lasts for 9.6 days — an eternity
for any governmental organization and public
institution under the constant pressure of public scrutiny because so many people depend on
its services. For example, DCH Health Systems,
a network of Alabama hospitals, paid an undisclosed sum to attackers after encryption of critical files forced staff to use paper copies instead
public institutions lack the resources to protect against cyber attacks in general and ransomware in particular. Many of them, especially smaller organizations, use managed service
providers (MSPs) to help with IT operations,
which often requires granting the MSPs elevated privileges. This provides an additional entry
point for attackers, who target the MSP and distribute their ransomware to many of its clients
at once. For instance, a single threat actor attacked 23 Texas government organizations using this attack path.
Of course, some municipalities refuse to pay
ransom, which is the strategy recommended
by many law enforcement agencies. Baltimore,
for instance, declined to pay over $75.000 in
bitcoin to an attacker and instead decided to
recover the data from backups. Even so, the
financial damage can be significant. Baltimore
estimates the cost of the malware attack at $18
million, which includes not just remediation but
hardening of the environment against future attacks.
15
How government
and public
institutions
are responding
to ransomware
attacks
LEGISLATION.
The U.S. Senate passed the DHS Cyber Hunt and
Incident Response Teams Act, which authorizes
the Department of Homeland Security to send
teams to help private and public entities battle
ransomware attacks.
CYBERSECURITY INSURANCE.
In November 2019, the city of Baltimore approved the purchase of $20 million in cyber
liability insurance to cover any additional disruptions to the city’s networks in 2020. Cyber liability insurance will typically pay the ransom and
other extortion-related expenses, as well as recovery costs for restoring or replacing programs
and data.
MANDATORY TRAINING.
After a coordinated attack on 23 Texas government organizations, the state announced it
16
would require annual cybersecurity training for
government employees. Dozens of other states
are requiring security awareness programs as
well. By teaching cybersecurity best practices,
these programs aim to install proper habits and
procedures for protecting information resources.
Strategies for
mitigating the risk
of ransomware
There is no reason to believe that any organization can block all ransomware attacks. But there
are ways to minimize the damage of ransomware
infections. For example, when ransomware hit
Louisiana state government systems in November 2019, the state was able to quickly detect the
attack and neutralize it before it caused serious
damage — because back in December 2017, the
state had established procedures for dealing
with cyber attacks and the agencies were prepared.
The following measures can help you limit the
impact of a ransomware attack:
Take regular, comprehensive backups and
keep them secure. Good backups are probably the best answer to the question, “How
do I recover from a ransomware attack?” Reg-
Monitor user behavior. To spot ransomware
ularly back up all critical information, and keep
in a timely manner, audit activity around data
the backups isolated from your network.
and set up alerts on abnormal spikes in file
activity, which are indicative of ransomware
Use network segmentation and intrusion
prevention technologies. Segment your network to block ransomware from spreading.
Use network access controls, firewalls, virtual local area networks (VLANs) and other
techniques for intrusion prevention.
Properly configure your web filter, firewall
and antivirus software to block access to
malicious websites and scan all files that are
downloaded.
Properly configure access to shared folders. If you use shared network folders, create a separate network share for each user.
Since malware spreads using its victim’s access rights, make sure that access is restricted to the fewest users and systems possible.
Otherwise, the infection of one computer can
lead to the encryption of all documents in all
folders on the network.
Enforce least privilege access. More broadly, limit the damage ransomware can do by
minimizing privileges based on each user’s
job requirements and performing periodic assessments to ensure adherence to the
principle of least privilege.
in progress.
Conduct
regular
employee
awareness
training. People are the weakest link in your
security, and their mistakes can cost the organization a fortune. Therefore, invest in raising security awareness through comprehensive training tailored to the specific groups of
users accessing your network.
Increase attention to supply chain security. Third-party risk management should get
more attention. The recent attacks on Texas
cities through MSPs are the first sign of this
new threat vector, but it will become increasingly popular as public agencies increase
cloud adoption as mandated by the Federal
Cloud Computing Strategy.
Conclusion
A final tip: Don’t pay ransom. Paying ransom helps
make these attacks a viable “business model” for
the perpetrators. By establishing healthy habits,
you can mitigate the risk of ransomware causing
serious damage and recover without engaging
with the attackers.
17
Extra Security
How to Reduce
Cybersecurity
Complexity and
Successfully
Manage Risks
Matt Middleton-Leal
General Manager EMEA, CISSP
Managing cyber risks is an increasingly difficult
challenge. Even as businesses generate more
and more data and adopt new technologies and
processes, cybercriminals are busy developing
new attack strategies and more sophisticated
malware. It is little wonder that the number of
data breaches has increased by 67% over the
last five years, as reported in a study by Accen-
1. Make
cybersecurity
a strategic
business goal.
ture and the Ponemon Institute. Indeed, security
sprawl and its impact on risks management are
Organizations often consider cybersecurity to be
constantly discussed at industry events such as
a technology issue rather than a business con-
Infosecurity Europe 2019, demonstrating that
cern. This perspective leads IT teams to invest
the professional community is quite concerned
in hot technologies to address urgent security
about how to efficiently manage cyber risk to-
issues, rather than take a strategic approach to
day.
cybersecurity. Moreover, there is often a lack
of effective communication between the IT de-
In my line of work, I get to speak with dozens
partment and C-level management; neither side
of companies every month, all of which spend
knows how to articulate their needs and work
considerable time and money in pursuit of en-
together to reach a decision that supports busi-
terprise data security. The following are the
ness goals. As a result, organizations purchase
best practices that I have seen help these or-
siloed solutions, increasing complexity and mak-
ganizations successfully manage cybersecurity
ing it even more difficult for IT teams to manage
risks in complex IT environments.
cyber risks.
BEST PRACTICES
Organizations should change this underlying mindset and establish a dialog between IT
teams and non-IT management. One goal of
this dialog should be to better prioritize security investments. A person responsible for IT security should provide line-of-business leaders
with risk information, highlighting the areas that
19
are the most risky. This will enable the business
guest reservation database, which was merged
leaders to prioritize investments and give the IT
with Marriott’s reservation system after the ac-
department a defined direction for future invest-
quisition. Another example is Equifax, whose ag-
ment. The second objective of the dialog should
gressive growth strategy resulted in a complex
be to integrate security throughout all the or-
IT environment with custom-built legacy systems.
ganization’s business processes. This involves
This made IT security especially challenging and
many different areas, from the development of
led to the highly publicized data breach.
adequate security policies in accordance with
a security-by-design framework to educating
employees and establishing a security-centric
culture. Only through such conversations can
organizations align cybersecurity with business
strategy and ensure that security acts as a business enabler rather than a roadblock.
BEST PRACTICES
Organizations that maintain a unified security
posture rather than siloed systems have a better chance of detecting vulnerabilities and data
breaches in their early stages, when the damage
is entirely preventable. To achieve this, organizations should regularly inventory their systems,
2. Maintain a unified
security posture.
A critical strategy for reducing cybersecurity
complexity is unifying your security posture. Organic growth, mergers and acquisitions (M&A),
and other business changes often leave behind
a fragmented set of security tools and a hodgepodge of legacy IT systems that likely contain
vulnerabilities. A textbook example of M&A cyber
risk is Marriott, which recently reported a massive data breach that began years earlier at Star-
delete duplicate technologies and replace standalone solutions with cross-system applications.
This approach will provide IT teams with a birdseye view of risks across the IT infrastructure and
simplify risk management.
3. Identify your
most sensitive data
and monitor activity
around it.
wood, a chain Marriott acquired, evidently without properly taking an inventory of its IT assets.
Experts predict that by 2020, 83% of enterprise
The attackers had gained access to the Starwood
workloads will be in the cloud. Therefore, there
20
will be more and more data flowing between
on board, IT teams struggle to combat evolving
on-premises and public, private or hybrid cloud
cyber threats and meet increasingly tough com-
storages. Any sensitive data, such as PII, PCI or
pliance regulations, especially when they are al-
PHI, that pops up in any insecure location will be
ready overwhelmed by mundane daily tasks like
vulnerable to both insider and outsider threats,
resolving user lockouts, resetting passwords, and
which can result in data breaches and fines for
keeping systems and applications patched. As a
non-compliance.
result, IT departments cannot effectively manage
cyber risks.
BEST PRACTICES
To avoid security incidents, organizations should
regularly locate the data they have, classify it according to its sensitivity and implement security
controls consistently, starting with the most sensitive data. It is crucial to regularly assess and mitigate data risks like improper configuration and
access settings. It is also essential to monitor activity around sensitive data and get alerts about
anomalous behavior so suspicious sessions can
be terminated quickly.
BEST PRACTICES
Automating as many routine tasks as possible
will free up IT teams to focus on more strategic
matters, such as keeping abreast of the threat
landscape, improving cyber risk management,
and reducing the time to detect and respond to
incidents. Moreover, enabling existing staff to be
more effective will help the organization weather
the current shortage of skilled cybersecurity professionals.
4. Empower IT teams
to be proactive
rather than reactive.
Conclusion
Perhaps one of the most difficult challenges in
first steps are to align technology to your busi-
protecting against cyber threats is the scarcity of
ness; regularly inventory your security solutions
cybersecurity talent. (ISC)2 predicts that Europe
to ensure integration and remove duplication;
will face a shortfall of 350,000 cybersecurity
secure your most important data first; and auto-
professionals by 2022. Without skilled people
mate routine tasks to improve IT team efficiency.
There is no doubt that both data volumes and
IT system complexity will continue to grow. The
best way to mitigate the associated cybersecurity risks is to follow proven best practices. Great
21
Extra Security
Extra Security
Top 12
Data Security
Solutions to
Protect Your
Sensitive
Information
Ilia Sotnikov
Jeff Melnik
Manager Solutions Engineering
Data breaches are all over the news, and organi-
Tools like Netwrix Data Classification make data
zations are acutely aware that even if they have
discovery and classification easier and more ac-
achieved PCI compliance or SOX compliance,
curate.
new compliance regulations like the GDPR demand more stringent data security controls. To
help you improve your security and compliance
posture, we have put together a list of the top 12
2. Firewall
data security solutions for protecting sensitive
A firewall is one of the first lines of defense for a
data and passing audits.
network because it isolates one network from an-
1. Data Discovery
and Classification
other. Firewalls exclude undesirable traffic from
entering the network. In addition, you can open
only certain ports, which gives hackers less room
to maneuver to get in or download your data. Depending on the organization’s firewall policy, the
firewall might completely disallow some traffic
In order to protect your data effectively, you need
or all traffic, or it might perform a verification on
to know exactly what sensitive information you
some or all of the traffic.
have. A data discovery and classification solution
will scan your data repositories for the types of
Firewalls can be standalone systems or included
data you consider important, based on industry
in other infrastructure devices, such as routers
standards or your custom requirements (such as
or servers. You can find both hardware and soft-
PCI DSS data, GDPR data and IP), sort it into cat-
ware firewall solutions.
egories and clearly label it with a digital signature
denoting its classification. You can use those labels to focus your data security resources and
implement controls that protect data in accordance with its value to the organization. If data
is modified, its classification can be updated.
3. Backup
and recovery
However, controls should be in place to prevent
A backup and recovery solution helps organiza-
users from falsifying the classification level; for
tions protect themselves in case data is deleted
example, only authorized users should be able
or destroyed. All critical business assets should
to downgrade the classification of data.
be duplicated periodically to provide redundancy
23
so that if there is a server failure, accidental de-
sessions that appear to violate security settings.
letion or malicious damage from ransomware or
An IPS offers detection capabilities but can also
other attacks, you can restore your data quickly.
terminate sessions that are deemed malicious,
4. Antivirus
Antivirus software is one of the most widely adopted security tools for both personal and commercial use. There are many different antivirus
software vendors in the market, but they all use
pretty much the same techniques to detect malicious code, namely signatures and heuristics.
Antivirus solutions help to detect and remove
trojans, rootkits and viruses that can steal, modify
or damage your sensitive data.
5. Intrusion
Detection and
Prevention Systems
(IDS/IPS)
but usually these are limited to very crude and
obvious attacks such as DDoS. There is almost
always an analytical step between alert and action — security admins assess whether the alert
is a threat, whether the threat is relevant to them,
and whether there’s anything they can do about
it. IPS and IDS are a great help with data protection because they can stop a hacker from getting
into your file servers using exploits and malware,
but these solutions require good tuning and analysis before making a session drop decision on an
incoming alert.
6. Security
Information and
Event Management
(SIEM)
Security information and event management
Traditional intrusion detection systems (IDS) and
(SIEM) solutions provide real-time analysis of se-
intrusion prevention systems (IPS) perform deep
curity logs that are recorded by network devic-
packet inspection on network traffic and log po-
es, servers and software applications. Not only
tentially malicious activity. An IDS can be config-
do SIEM solutions aggregate and correlate the
ured to evaluate system event logs, look at sus-
events that come in, but they can perform event
picious network activity, and issue alerts about
deduplication: removing multiple reports on the
24
same instance and then act based on alert and
should be granted in strict accordance with the
trigger criteria. It also usually provides analytics
principle of least privilege. An access control list
toolkit that will help you find only those events
(ACL) specifies who can access what resource
that you currently need such as events related
and at what level. It can be an internal part of
to data security. SIEM solutions are vital for data
an operating system or application. ACLs can
security investigations.
be based on whitelists or blacklists. A whitelist
is a list of items that are allowed; a blacklist lists
7. Data Loss
Prevention (DLP)
Data loss prevention systems monitor workstations, servers and networks to make sure that
sensitive data is not deleted, removed, moved
or copied. They also monitor who is using and
transmitting data to spot unauthorized use.
8. Access Control
In most cases, users should not be allowed to
copy or store sensitive data locally; instead, they
should be forced to manipulate the data remotely. Moreover, sensitive data should ideally never
things that are prohibited. In the file management
process, whitelist ACLs are used more commonly, and they are configured at the file system level. For example, in Microsoft Windows, you can
configure NTFS permissions and create NTFS access control lists from them. You can find more information about how to properly configure NTFS
permissions in this list of NTFS permissions management best practices. Remember that access
controls should be implemented in every application that has role-based access control (RBAC);
examples include Active Directory groups and
delegation.
9. Cloud Security
Solutions
be stored on a portable system of any kind. All
systems should require a login of some kind, and
Individuals and enterprises tend to collect and
should have conditions set to lock the system if
store more and more data. This has led to direct
questionable usage occurs.
attached storage (DAS), network area storage
(NAS), storage area networks (SAN) and now
In addition, sensitive files should be accessed
cloud storage. Cloud storage enables you to
only by authorized personnel. User permissions
store more and more data and let your provider
25
worry about scaling issues instead of local ad-
to sensitive information and associated permis-
ministrators.
sions is critical. By using historical information
to understand how sensitive data is being used,
Despite these benefits, from a security stand-
who is using it, and where it is going, you can
point, cloud storage can be troublesome. You
build effective and accurate policies the first time
need to be sure the cloud provider can adequate-
and anticipate how changes in your environment
ly protect your data, as well as make sure you
might impact security. This process can also help
have proper redundancy, disaster recovery, and
you identify previously unknown risks. There are
so on. Make sure that you encrypt the data, back
third-party tools that simplify change manage-
it up, and implement as much control as possible.
ment and auditing of user activity, such as Netwrix Auditor.
You can get help from cloud security providers
that sell security as a service (SECaaS), a subscription-based business model in which a large
11. Data Encryption
service provider integrates its security services
into a corporate infrastructure and makes them
Data encryption is very important when you have
available on a subscription basis. No on-premise
top secret files that you don’t want to be read
hardware is needed by the subscriber, and the
even if they are stolen. Network sniffing and oth-
services offered can include such things as au-
er hacker attacks targeted on stealing informa-
thentication, antivirus, antimalware/spyware, and
tion is so common that passwords, credit card
intrusion detection. In this way, SECaaS can serve
numbers and other sensitive information can be
as a buffer against many online threats.
stolen over unencrypted protocols. Encrypted
communication protocols provide a solution to
10. Auditing
this lack of privacy. For example, without Secure
To protect your sensitive information properly,
inconvenient or insecure.
Sockets Layer (SSL) encryption, credit card transactions at popular websites would be either very
you also need to audit changes in your systems
and attempts to access critical data. For example,
Although private data can be protected by cryp-
any account that exceeds the maximum number
tographic algorithms, encryption can also be
of failed login attempts should automatically be
used by hackers. Expensive network intrusion
reported to the information security administra-
detection systems designed to sniff network traf-
tor for investigation. Being able to spot changes
fic for attack signatures are useless if the attack-
26
er is using an encrypted communication channel.
down so that it cannot be removed from the area.
Often, the encrypted web access provided for
Also, a lock should be placed so that the case
customer security is used by attackers because
cannot be opened up, exposing the internals of
it is difficult to monitor. Therefore, all critical data
the system; otherwise, hard drives or other sen-
should be encrypted while at rest or in transit
sitive components that store data could be re-
over the network.
moved and compromised. It’s also good practice
to implement a BIOS password to prevent attack-
Portable systems should also use encrypted
ers from booting into other operating systems
disk solutions if they will hold important data of
using removable media.
any kind. For desktop systems that store critical
or proprietary information, encrypting the hard
Another enterprise data leakage instrument is a
drives will help avoid the loss of critical informa-
smartphone with a camera that can take high-res-
tion. In addition to software-based encryption,
olution photos and videos and record good-qual-
hardware-based encryption can be applied.
ity sound. It is very hard to protect your docu-
Within the advanced configuration settings on
ments from insiders with these mobile devices or
some BIOS configuration menus, you can choose
detect a person taking a photo of a monitor or
to enable or disable a Trusted Platform Module
whiteboard with sensitive data, but you should
(TPM) — chip that can store cryptographic keys,
have a policy that disallows camera use in the
passwords or certificates. A TPM can be used to
building.
assist with hash key generation and to help protect smartphones and others devices in addition
Monitoring all critical facilities in your company
to PCs.
by video cameras with motion sensors and night
vision is essential for spotting unauthorized peo-
12. Physical
Security
ple trying to steal your data via direct access to
your file servers, archives or backups, as well as
spotting people taking photos of sensitive data in
restricted areas.
Each person’s workspace area and equipment
Physical security is often overlooked in discus-
should be secure before being left unattended.
sions about data security. Having a poor physical
For example, check doors, desk drawers and
security policy could lead to a full compromise
windows, and don’t leave papers on your desk.
of your data. Each workstation should be locked
27
Extra Security
Establishing
Efficient Data
Governance
Processes to Add
Business Value
Matt Middleton-Leal
General Manager EMEA, CISSP
28
These days, organizations are awash with more
data than ever before. The challenges this presents are compounded by evolving regulatory
changes such as the General Data Protection
Regulation (GDPR), which has necessitated significant changes when it comes to the storage
and handling of EU citizens’ data.
Today’s CIOs face a common challenge to establish an information governance program that
What makes
a value-driven
information
governance
program?
will enable the organization to embrace the data-driven era, while maintaining IT security and
ensuring compliance during its implementation.
The success of an information governance
program requires collaboration from the entire
C-Suite, with CIOs, CISOs, chief data officers
(CDO), and chief compliance officers taking a
strategic role. If organizations assign this task to
the CDO only, it may not lead to the desired effect, as they often lack the necessary authority
and resources.
In fact, Gartner predicted that 90% of enterprises will have hired a CDO by 2019 to unlock the
value of their information assets, but just half
will be considered a success in this regard.
The concept of information governance emerged
from compliance, where the former concerns
data protection and retention according to specific standards. However, as volumes of data increase in the data-driven era, information governance has evolved to include the management
of other types of data, including non-sensitive.
A recent report by The Compliance, Governance
and Oversight Counsel found that 60% of corporate data has no “business, legal or regulatory
value.” If an organization is flooded with information, it complicates the protection of sensitive
data, boosts storage costs, and hinders an employee’s ability to locate necessary information
among thousands of files. A holistic information
governance program tackles all these issues and
provides businesses with analytical insights and
value.
29
organizations handle their data. Here are a few
Visibility into enterprise content is a fundamental
aspect of value-driven information governance.
It includes the ability to discover various types of
data, classify it effectively and precisely, as well
as to define ROT files across critical data sources. This empowers IT teams to clean up unnecessary data, to enhance records management, and
to improve search capability. Such an approach
can be applied to critical business areas, and
metrics can be set based on their performance
measures.
For example, analysts from Osterman Research
suggest storage costs, user productivity, and
costs of eDiscovery process as metrics, calculating that effective information governance can
save an organization of 2,500 employees $52.8
Tips for
implementing
effective
information
governance
The implementation of a proper information governance program can present a headache for
CIOs and CISOs, as it changes the ways in which
30
best practice tips for success:
Establish metrics
To establish actionable metrics as well as to set
timely goals, it is important to calculate costs thoroughly. To evaluate storage costs, businesses
should include costs of terabytes used, the cost
of labor required to manage systems, as well as
the cost of space to house them.
They should consider the average size of emails,
number of employees, file systems, the total
number of SharePoint Installations and so on,
and then multiply all parameters by the annual
growth rate. With this information at hand, organizations will be able to evaluate cost savings from
the information governance program before and
after implementation.
Deploy the right technologies
It is essential to deploy a combination of technologies that enable an organization to understand
various types of data as well as to maintain security controls over it throughout its lifecycle. The
former starts with automated data classification
that covers the broadest variety of organizations’
information assets.
It is important that businesses consider if their
technology can accurately identify sensitive data
as well as complex data such as proprietary PDF
files, for instance, and, identify duplicate or irrelevant content enterprise-wide. They must also ensure it can integrate with security solutions such
as data loss prevention tools or auditing technologies as well as with the required data sources.
Implement a defensible deletion
program
Defensible deletion reduces risk by eliminating
EBOOK
information in-line with an organization’s legal
obligations and company guidelines. It also ensures the deletion of unnecessary information.
While many organizations conduct annual audits of their records in-line with compliance standards, this type of activity should be conducted
more regularly, and cover both sensitive and
non-sensitive data.
Practical Steps
to Establishing
Good Information
Governance
The approach I have described considers information governance as a vital step towards increasing an organization’s overall data maturity.
In the data-driven era, an effective strategy for
data governance will help IT and security teams
to articulate the value of such a program to the
Learn More
C-Suite, and ensure that value is derived from
enterprise data without compromising on security or compliance.
31
Interview
A perfect
storm in
cybersecurity
Deidre Diamond
CEO at CyberSN and brainbabe.org
There are 2 million
cybersecurity roles
empty worldwide
What are the top challenges in hiring
in cybersecurity?
Deidre:
Is there a shortage of cybersecurity talent? What
The cybersecurity talent marketplace is very
are the main challenges that cybersecurity pros
complex, and there are many problems to be
are facing? If you are looking to understand the
solved. A critical one is connecting cybersecuri-
issues that matter most in cybersecurity, there is
ty experts with their future employers. Although
no better person to ask than Deidre Diamond,
a large portion of the community — 89% — are
founder and CEO of CyberSN and brainbabe.
interested in looking at new opportunities, and
org.
as much as 99% are open to moving to new jobs,
people often waste a lot of time on job search-
Deidre has spent over 20 years leading technol-
ing. There is difficulty in matching a job opening
ogy and cybersecurity organizations, leverag-
with the right person with the appropriate skills.
ing her strong sales background in cybersecurity software. Today, she is working to transform
A big part of this problem is that job descrip-
the cybersecurity employment marketplace
tions are inaccurate. Cybersecurity has 35 job
through her two organizations: CyberSN, the
categories and around 115 titles. “Security en-
largest staffing firm in the U.S. focused solely
gineer” can have eight different profiles. With
on cybersecurity, which works as a bridge be-
changing technologies, there are many more
tween cybersecurity professionals and employ-
titles coming that we don’t know about yet. This
ers; its motto is “Where talent meets its match.”
complexity can be addressed by writing job de-
Brainbabe.org develops opportunities for hiring
scriptions and profiles in a common language
and retaining women in cybersecurity, and also
so they make sense.
supports those already in the profession, with
a communication framework that advances and
There is also a salary problem. IT pros normally
empowers both women and men in the work-
make 25% more in cybersecurity than in technol-
place.
ogy. That’s a challenge for businesses because
it’s hard for them to meet salary requirements.
We asked Deidre for her insights into the cybersecurity skills gap, the role of automation in cybersecurity and cybersecurity trends for 2020.
33
Do you see a shortage of experts?
If so, what is needed to address
that problem?
How do you see the role of
automation in cybersecurity?
Can automation help solve
the skills shortage?
Deidre:
Right now, there are 2 million cybersecurity
Deidre:
roles empty worldwide, and 500,000 of them
With advancements in technology, there is au-
are in the U.S. However, the biggest problem
tomation in all industries, and we welcome it. It
is talent retention. Right now, the industry is
helps from the perspective of jobs that people
not retaining cybersecurity professionals. If we
like to do — burnout happens less. And that’s
want to solve the talent shortage, we need to
critical, because people who are trying to man-
have clearly defined roles and responsibilities,
age vulnerabilities have jobs with high burnout
succession planning, and training — we need to
rates. An average cybersecurity employee does
invest in career development.
a 3-in-1 job, and most of them are emergency
workers. Automation will help people enjoy
The more companies invest in their cyberse-
their work, be more efficient, and be able to do
curity talent, the sooner we will see the impact
things that are more powerful for the company.
because people will be willing to stay in cybersecurity. When companies have entry-level spe-
Because attacks are growing and being secure
cialists and succession planning in their securi-
is more important than being compliant, it is un-
ty departments, that would change the game.
likely that the shortage will become less. We are
Right now, everybody expects specialists to
going to cover part of the job through automa-
come out of school already trained, and that’s
tion, but certainly that won’t enable us to fully
not how schools work — there is no hands-on
bridge the gap.
training. That is starting to transform, mainly because universities see the problem, but it takes
an eternity to change.
An average cybersecurity employee does a 3-in-1 job,
and most of them are emergency workers.
34
Has anything changed
in the cybersecurity hiring
market over the last five years?
Final word
Right now, there is an imbalance between de-
Deidre:
The conversation about equality and inclusion is
at the forefront now. Many initiatives today focus
on policies that push organizations to appreciate diversity. People have begun to understand
the need for women in cybersecurity. For a long
time it was thought that tech and cybersecurity were a man’s world, a man’s job. That really
caused a pipeline problem in the U.S.; we are
short of women significantly. But there is also an
inclusion challenge — we find that women leave
the industry, so the problem is also about culture and working to explain that cybersecurity is
more than a keyboard and a hoodie.
The good news that there is a conscious conversation about diversity, which was hard to imagine several years ago. There are many organizations, including my own, focused on making
mand and supply of cybersecurity professionals. Combined with the lack of gender diversity
and ease of burnout of these professionals, it
seems like the industry is in a critical situation.
With the rise of cyber attacks and the emergence of new technologies and regulations, the
demand for cybersecurity professionals is not
going to decrease any time soon. Therefore, it’s
ultimately important to pay more attention to the
many different factors that contribute to a balanced workforce and workplace for cyber pros.
One of these factors is automation — making
sure to automate as many internal processes
as possible. This simple thing will help ensure
that those few cyber professionals in your organization that you spent so much time searching
for can focus on what’s really important and let
tools and software do the rest.
changes, though it takes time. There are many
programs like “Girls Who Code” and “Brownie Cybersecurity Badge,” and universities and
communities are helping girls think about cybersecurity and be attracted to it.
35
About Netwrix
Netwrix is a software company that enables information security and governance professionals to
reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.
Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the
full business value of enterprise content, pass compliance audits with less effort and expense, and
increase the productivity of IT teams and knowledge workers.
For more information visit www.netwrix.com
WHAT DID YOU THINK
OF THIS CONTENT?
CORPORATE HEADQUARTER:
PHONES:
OTHER LOCATIONS:
300 Spectrum Center Drive
Suite 200 Irvine, CA 92618
1-949-407-5125
Toll-free (USA): 888-638-9749
Spain:
+34 911 982608
Netherlands:
+31 858 887 804
Sweden:
+46 8 525 03487
Switzerland:
+41 43 508 3472
France:
+33 9 75 18 11 19
Germany:
+49 711 899 89 187
Hong Kong:
+852 5808 1306
Italy:
+39 02 947 53539
565 Metro Place S, Suite 400
Dublin, OH 43017
5 New Street Square
London EC4A 3TW
1-201-490-8840
+44 (0) 203 588 3023
SOCIAL:
netwrix.com/social
Copyright © Netwrix Corporation. All rights reserved. Netwrix is trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in
the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.
36
Descargar