Datos personales y riesgos digitales
0 likes862 views
This document discusses various topics related to personal data and digital risks. It covers ambientes digitales (digital environments) like Windows XP and software firewalls. It also discusses data breach laws in California, recent data leaks involving millions of records, and the growth of security technologies. Other topics include physical vs digital transformations, the costs of digital theft, and why digital data security is an increasing concern due to factors like speed, dispersion, persistence and aggregation of data online.
Datos personales y riesgos digitales
- 1. Datos personales y riesgos digitales
- 2. Casandra
- 18. Ambientes digitales • Windows XP Service Pack 2 • 12 de agosto, 2004 • Por primera vez, Microsoft habilito de forma predeterminada un firewall de software • Cuando las características de seguridad se habilitaron, muchas aplicaciones dejaron de funcionar
- 19. Default Close Default Open Confidencialidad Disponibilidad
- 20. SB1386, California 1 de julio, 2003 Según la ley, las partes afectadas deben revelar cualquier violación de la seguridad de los datos personales a cualquier residente de California, cuya información personal no fue cifrada, y razonablemente se cree que ha sido adquirida por una persona no autorizada.
- 24. Fugas de información recientes 40 millones de registros Entre 45 y 94 millones de registros 4.2 millones de 100 millones de registros datos de tarjetas
- 26. Las Tecnologías de seguridad de información se triplican cada 6 años
- 27. Usamos estrategias de ataque y contra ataque, espionaje y contra espionaje
- 28. Físico vs Digital En 1990, las ventas de la enciclopedia Britannica logro el record de ventas… $650 millones de dólares
- 29. Físico vs Digital Una Enciclopedia Britannica se vendía desde $1,500 y hasta en $2,200 USD Una enciclopedia en CD-ROM se vendía desde $50 y hasta $70 USD
- 30. El cambio de paradigma
- 31. Robo físico
- 32. Robo digital
- 33. ¿Cuánto cuesta el robo digital, por año?
- 34. ¿1 millón de dólares? CONFIDENCIAL Sm4rt Security 34
- 35. ¿1 billón de dólares?
- 36. 1 trillón de dólares por año
- 37. Robo digital 1trillón de dólares por año en pérdidas, con crecimiento del 300% anual
- 41. ¿Por qué la seguridad de los datos digitales es una preocupación creciente?
- 42. El Riesgo de seguridad ha incrementado por 4 aspectos
- 43. 1. Velocidad
- 44. Antes tomaba días o semanas para compartir información
- 46. 2. Dispersión
- 47. Las mismas personas que mantenían tus secretos…
- 48. … son ahora los principales difusores de tu información personal
- 49. •A I N I C I O S D E 2 011, 140 millones DE T WEETS POR DÍA •E N 2 010 E X I S T I A N 50 millones DE T WEETS POR DÍA •H OY, 350 millones D E T W E E T S POR DÍA durante los segundos finales del superbowl, los fans enviaron 4,064 tweets por segundo
- 50. 3. Persistencia
- 51. Solíamos controlar, restringir el acceso y destruir físicamente las copias de nuestros datos personales
- 52. Sm4rt Security CONFIDENCIAL 52
- 53. 4. Agrupación
- 55. agrupados y Ahora están todos disponibles en todo el mundo
- 56. Ahora, si eres visto en un estado inconveniente…
- 57. …tu novia tendrá acceso a la información al momento…
- 58. …así como sus amigas…
- 62. Necesitamos aceptar los riesgos Los riesgos potenciales son infinitos
- 64. Los ambientes son altamente dinámicos
- 66. Las Piezas cambian sin previo aviso
- 67. Las reglas cambian constantemente
- 69. El Fin justifica los Medios En la prevención del Riesgo Intencional Nada menos que asegurar todos los vectores es suficiente
- 70. Las Defensas deben ser Optimizadas
- 74. 3 Tipos de Riesgo Digital 1. Accidental 2. Oportunistico 3. Intencional
- 77. Peor Suma de Mejor Esfuerzo Esfuerzos Esfuerzo Riesgo Riesgo Riesgo ∞ Intencional Oportunista Accidental Relación / conexión Filtrado Confidencialidad Amenaza Integridad Impacto Externa Redundancia Interno Disponibilidad 0 1 1 canal 1 momento 1 1p 1 dispositivo Autenticada c/x factores
- 86. 86
- 92. Necesitamos usar la analogía médica
- 101. 101
- 104. Peor Suma de Mejor Esfuerzo Esfuerzos Esfuerzo Riesgo Riesgo Riesgo ∞ Intencional Oportunista Accidental Relación / conexión Filtrado Confidencialidad Amenaza Integridad Impacto Externa Redundancia Interno Disponibilidad 0 1 1 canal 1 momento 1 1p 1 dispositivo Autenticada c/x factores
- 106. Tres Vectores para gestionar Riesgo Accesibilidad para terceros Anonimidad Valor de los terceros para terceros
- 111. Risk Analysis
- 112. Main Risks Always Weak password storage protocol Absence of robust password policy Absence of data entry validation for Probability web applications Possibl Existing applications with vulnerable e remote support Weak wireless ciphered communication protocol Absence of operating system security configuration Almost never Insignificant Medium Very high Impact
- 113. Action Plan Quick Hits High Password Policy Positive Impact of Implementation Migration of wireless communication protocol Quick Hits Strategic Strategic Security configuration guidelines for applications Moderate Security configuration guidelines for operating systems Migration of passwords storage Nice To Have Not Viable protocols Secure application development process Minimum Migration of remote support protocol Minor Medium Major Effort
- 114. Recommendations Policies and Configuration Guidelines Security configuration guidelines for applications Security configuration guidelines for operating systems Password policy Superior Technologies Governance Migration of remote support protocols Processes and Roles Migration of password storage User controls protocols Migration of wireless communication protocols Network controls Recommendations for Host controls Sustainability Application controls Secure change process administration Data level controls Risk administration process Vulnerability patches and updates process Secure application development process
- 115. Mitigation Roadmap Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Risk Administration Implementation Secure application development implementation Vulnerability patches and updates process administration Secure change process administration Migration to robust remote support protocols Migration of wireless communication protocol Migration of password storage Password policy Security configuration guidelines for operating system Security configuration guidelines for applications 2012 2013
- 116. Demystifying the Business Process Analysis Data Lifecycle Inventory Privacy Legal & Regulatory Data Value (IVA) Implementation Requirements (PIA) Process Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit
- 117. Business Process Analysis • Identification of Business Process Analysis Data Lifecycle Inventory applicable Law Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Issuers Obligations Auditors Asset Inventory • Legislators • Laws • Authorities • Regulators • Norms • Organizations Policy Generation • Organizations • Industry Standards Controls, Standards, Procedures • Contracts Implementation & Audit
- 118. Business Process Analysis • Stakeholder Information Business Process Analysis Data Lifecycle Inventory acquisition Legal & Regulatory Data Value (IVA) – Types of data Requirements (PIA) – Internal and external Data Categories Data Categories data flows – Purpose of treatment Asset Inventory – Information systems and Policy Generation security measures – Retention policies Controls, Standards, Procedures Implementation & Audit
- 119. Data Lifecycle Inventory Business Process Analysis Data Lifecycle Inventory Data Data Data Value (IVA) Legal & Regulatory Destruction Reception Requirements (PIA) Data Categories Data Categories Data Purpose Asset Inventory Retention of Use Policy Generation Information 3rd Parties Systems and Controls, Standards, Procedures Involved Storage Implementation & Audit
- 120. Privacy Legal & Regulatory Requirements (PIA) Business Process Analysis 1. Legal & Regulatory Data Lifecycle Inventory – Contracts Legal & Regulatory Data Value (IVA) – Clauses Requirements (PIA) – Privacy notices Data Categories Data Categories – Authorizations – Jurisdictions Asset Inventory – Other regulations Policy Generation • Money laundering • Sectorial Controls, Standards, Procedures • Etc. Implementation & Audit
- 121. Privacy Legal & Regulatory Requirements (PIA) Business Process Analysis 2. Technical Data Lifecycle Inventory – Authentication & Legal & Regulatory Data Value (IVA) authorization Requirements (PIA) – Access control Data Categories Data Categories – Incident log – Removable media and Asset Inventory document management Policy Generation – Security copies – Recovery tests Controls, Standards, Procedures – Physical Access Implementation & Audit
- 122. Privacy Legal & Regulatory Requirements (PIA) Business Process Analysis 3. Organizational Data Lifecycle Inventory – Data privacy officer Legal & Regulatory – Roles and Data Value (IVA) Requirements (PIA) responsibilities – Policies, procedures and Data Categories Data Categories standards Asset Inventory – Notifications to authorities Policy Generation – Audits – Compliance and Controls, Standards, Procedures evidence Implementation & Audit
- 123. Legal & Regulatory Data Categories • High Risk Business Process Analysis Data Lifecycle Inventory – Syndicate Affiliation – Health Legal & Regulatory – Sexual life Data Value (IVA) Requirements (PIA) – Beliefs – Racial Origin Data Categories Data Categories • Medium Risk – Financial Profile Asset Inventory – Personal Fines – Credit Scoring – Tax Payment Information Policy Generation • Basic Risk – Personal Identifying Controls, Standards, Procedures Information – Employment Implementation & Audit
- 124. External Economic Data Value (IVA) • Black Market Value Business Process Analysis Data Lifecycle Inventory – Sale price • News Value Data Value (IVA) Legal & Regulatory Requirements (PIA) – Newspaper – Magazines Data Categories Data Categories – Television • Competition Asset Inventory – Market Value Policy Generation – Brand Value – Political Value Controls, Standards, Procedures • Authorities – Fines Implementation & Audit
- 125. Data Value Categories Business Process Analysis Lvl Value Classification Example Data Lifecycle Inventory CC Magnetic Strip, Legal & Regulatory Data Value (IVA) Requirements (PIA) 4 > $10M Secret PIN number, User & Password Data Categories Data Categories Name, Address, $100K - 3 Confidential Credit History, $10M Account Statements Asset Inventory Bank Account $1,000 - Numbers, Policy Generation 2 Private $100K Pre-published Marketing Info Controls, Standards, Procedures Published 1 $0 - $1,000 Public Marketing Information Implementation & Audit
- 126. Asset Inventory Legal & Data Most Business Process Analysis Applicable Applicable Asset Regulatory Value Sensitive Data Lifecycle Inventory Policy Controls level level Data Legal & Regulatory Data Value (IVA) L&R 1. Oracle Requirements (PIA) Application 1. Secret DB1 Medium Secret Secret Data Passwords Data Policy Risk Standard Data Categories Data Categories 1. J2EE High Security Asset Inventory Standard L&R Payment 1. L&R High App5 High Confidential Card Risk Policy 2. Application Risk Number Confidential Policy Generation Data Mgmt Standard 1. Private Controls, Standards, Procedures Data Policy 1. Solaris 10 L&R Client Medium Srvr3 Medium Private Account 2. L&R Hardening Risk Data Medium Standard Implementation & Audit Risk Policy
- 127. Policy Generation How should this data be: Business Process Analysis Data Lifecycle Inventory – generated? – stored? Legal & Regulatory Data Value (IVA) – transferred? Requirements (PIA) – processed? – accessed? Data Categories Data Categories – backed-up? – destroyed? Asset Inventory – monitored? • How should we react and Policy Generation escalate an incident or breach? Controls, Standards, Procedures • How will we punish compliance? Implementation & Audit
- 128. Controls, Standards & Procedures • Controls are defined Business Process Analysis Data Lifecycle Inventory and mapped for each Legal & Regulatory Data Value (IVA) policy level Requirements (PIA) – Technical Standards Data Categories Data Categories – Procedures – Compensatory Controls Asset Inventory DB2 HP/UX J2EE Oracle Policy Generation High Risk Controls, Standards, Procedures Med Risk Low Risk Implementation & Audit
- 129. Controls, Standards & Procedures Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Norms Controls Controls, Standards, Procedures Implementation & Audit
- 130. Implementation & Audit Laws and Regulations Best Practices Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) LOPD SOX LSSI Data Categories Data Categories Asset Inventory PROCESSES APPLICATIONS Policy Generation PEOPLE Evidence Controls Controls, Standards, Procedures Implementation & Audit I.ACT D.SEG CONTRACT COMUNIC ASSETS NETWORKS .
- 131. Implementation & Audit Business Process Analysis Data Lifecycle Inventory Legal & Regulatory Data Value (IVA) Requirements (PIA) Data Categories Data Categories Asset Inventory Policy Generation Controls, Standards, Procedures Implementation & Audit