InterDyn: Innovative Solutions, Proven Results
Digital Outsourcing: Risks, Pitfalls, and Security Considerations for Doing It Right
Presented by:
- Robert J. Bagnall, CEO, Maverick-Security, LLC
- Peter Ward, Business Collaboration Manager, InterDyn AKA

About InterDyn AKA
We are a sales and professional services firm focused on:
- Dynamics GP, Dynamics CRM, and Dynamics AX
- Office 2007: SharePoint, Project Server, Project Portfolio Server, InfoPath, Forms Server
- Custom Application Development

About InterDyn AKA
- 2006 MS Dynamics GP Global Partner of the Year (#1 of the 2,100 partners)
- 2006 MBS Pinnacle Customer Award – Evangelist (Young Broadcasting)
- 2006 MS Excellence in Quality
- 2006 Customer Satisfaction and Experience Award
- 2006 Excellence in Sales and Marketing (Global Finalist)
- 2006 Technology Innovation Partner of the Year (Global Finalist)
- 2006 Inner Circle Member – Top .5% of MS Dynamics Partners
- 2005/2002 Eagle Award
- 2005 MBS Pinnacle Customer Award – Overall Excellence (American Bible Society)
- 2003 NY/NJ Medium Business Partner of the Year
- Microsoft ERP Reseller of the Year finalist
- Proven Methodologies
- 275+ MS Dynamics Implementations
- MBS Gold Certified Partner
- Exclusively Authorized Training Center
- 92% Customer Retention Rate

About Maverick
Maverick provides customized, personal and corporate security and brand defense services to High-Profile Individuals, small businesses, and a few select corporate clients. Our patented methodology and processes encompass over 15 years of cyber-security and intelligence experience in the government and commercial sectors. Services include Personal Brand Defense (PBD), the SPF Assessment Program, and Global Digital Threat Intelligence.

Topics
- The Current Global Digital Threat Climate
- Cyber-Trends Against The U.S. Financial Service Sector
- Common Threat Motivations & Exploitations
- Considerations Prior To Outsourcing
- Pitfalls In International Partnerships
- Communications, Connections, and Security Considerations Between Locations
- Dealing With Data Exposures
- 5 Things You Can Do To Protect Your Existing Outsourcing Right Now
… plus a few “optional extras”

The Current Global Digital Threat Climate
3 Most Common Exploitation Types
- People [most common]
- Processes
- Technologies

Primary Motivators
- Economic
- Ideological
- Nationalistic
- Criminal
- Opportunistic

Threats By Region

Region-1: North & Central America
Although the most regulated, the United States is also still the country with the largest quantity of SPAM site hosts. Mexico and Central America hold regional ideological movements that transcend to the cyber environment.
THREATS: Economic, Ideological, Opportunistic, Criminal

Region-2: South America & Caribbean
South America is a growing digital threat, with Brazil leading the way. In five short years, Brazil has gone from script kiddie web site defacements to a formidable hacker-for-hire.
THREATS: Criminal, Opportunistic, Ideological

Region-3: Europe
Although ideological threats persist within this region, the majority of the threat comes from the open practice of cyber-espionage and business intelligence against competitors.
THREATS: Economic, Opportunistic, Ideological

Threats By Region

Region-4: Russia & Eurasia
Organized crime is by far the biggest threat in Region 4. The Russian and eastern European mafias, tacitly and sometimes openly supported by government, operate fraud, SPAM, hacker-for-hire, and digital extortion with near impunity.
THREATS: Criminal, Economic, Ideological, Opportunistic

Region-5: MidEast & Southwest Asia
Rising rapidly since 2003, the Middle East threat is almost entirely ideological. Southwest Asia sees economic and criminal activity as well due to ethnic and religious differences within the region.
THREATS: Ideological, Economic, Criminal

Region-6: Africa
Africa remains the slowest region to rise in terms of global digital threat. Much of the activity within the region is more associated with the infusion of outside influence (religious and criminal) than internal capability. The largest threat here remains scams and other criminal activity, though a spike in ideological hacking activity is being seen today.
THREATS: Criminal, Ideological

Threats By Region

Region-7: Central & Southeast Asia
China is a formidable digital threat. Regardless of the fact that America and China share extensive economic relationships, Chinese military doctrine states that they plan and execute for cyber war to emerge as the global power.
THREATS: Nationalism, Economic, Opportunistic

Region-8: Australia
While Australia shares a close personal relationship with the United States, economic and opportunistic threats still exist.
THREATS: Economic, Opportunism

Exploitation Categories
- Fraud
- Credit Cards
- Phishing/Pharming
- Carding
- SPAM
- Spyware
- Accesses
- Boutique Hacking
- Specific locations or levels of access
- Identity Theft
- Personal
- Technological
- Purchasing Power
- Information
- Intellectual Property
- Access Escalation
- Targeted Attack

Cyber-Trends Against The U.S. Financial Service Sector
The outsourcing of financial services and support to countries like India makes those foreign partner companies an attractive target. As a result, groups like the Pakistani Hackers Club target Indian companies who support U.S. firms because they can have a double impact with a successful attack.
- Fraud versus the “cost-of-doing-business” mentality
- Targeted identity theft and access against FS companies
- Targeted attacks against data companies servicing FS companies

Considerations Prior To Outsourcing
No matter what kind of outsourcing solution you are considering, you must examine it carefully. Here are a few of the more important ones:
- If my outsource provider is a foreign firm, what regional threats do I need to consider? [Religious, ethnic, social, criminal, etc.] Know the threats to your company and those within the region where you are considering an outsource relationship.
- What are the threats to my provider? Do they/could they extend to me? Does my provider have any issues I need to consider? [past incidents, poor reputation, bad brand presence online]
- How seriously does my provider take their own security? Examine the due diligence of each provider you consider prior to contracting with them [make them show proof of security policies, procedures, DR/BC plans, etc.]
- Do my contracts reflect my requirements and security needs? Write your contracts to ensure the provider is held accountable to meet certain minimum security standards and practices.
- What are the access requirements my provider will need to my environment, my data, etc., in order to do their job?

Common Pitfalls in Outsourcing
A Lack of Due Diligence
- Poorly written contracts
- Partners not made to show proof of due diligence
- Partners not barred from subletting your contract
Un-assumed Risks
- Lack of training on policies & procedures
- Partner business actions
- Foreign adversary targeting ripple effect
Poor Implementation [Operations]
- Lack of encryption
- Regular data backups still not being performed
- Training & preparedness drills lacking
- Lack of/poor definitions (boundaries, levels of effort, etc.)
- Excessive access granted to partners

Communications, Connections, and Security Considerations Between Locations
Examine your foreign outsource provider through zones of trust. They should never be viewed at a level better than “Trusted Outsider”. In fact, your own sister companies (those absorbed through acquisition or merger) who perform security outside of the practice of the parent company should not be viewed as trusted insiders until they follow the same standards.
Zones of trust:
- Trusted Insiders
- Trusted Outsiders
- Untrusted Insiders
- Untrusted Outsiders

Dealing With Data Exposures
There is no way you will ever prevent everything. This is why you work to prevent more problems if exposures occur, and expect that they will. Here are some things you need to do when an exposure does occur:
- Admit it. Have a plan to deal with it. Execute that plan. Move on.
- Examine how it occurred. Was it preventable? Was it a people, process, or technology issue? See what you can do to prevent it next time.
- Evolve what you do to prevent it from happening again.
- Examine the way you do everything at least annually [hopefully you can find a potential issue and prevent it in the future, instead of falling victim to it]

5 Things You Can Do To Protect Your Existing Outsourcing Right Now
1. Restrict Access to Data [based on need]
2. Examine Host Country Threats and Options Prior to Outsourcing
3. Write/Reexamine Contracts From A Security Perspective
4. Plan for Attacks and Breaches That Result From Your Outsourcing Efforts
5. Monitor Your Egress Traffic As Well As Your Ingress Traffic

The Last Word
Outsourcing is a viable, necessary, and soon-to-be integral part of American business – particularly in critical infrastructures like financial and medical services. But the risks can be untenable if you are not properly prepared. If you take your organization into it with eyes wide open then you stand a good chance of having a strong, positive experience with minimal disruption.
When the day is done, no matter how big your organization or what type, we are all on the same team. It does not pay to create fiefdoms or hold information close. Together we are better.
This security stuff is not rocket science. It takes sound practices and the right technology implemented and executed with tireless vigilance. You will never stop cyber-attacks completely, so get used to this being an on-going process. But that does not mean that you cannot prevent most of the pain you face today.

Quick Questions
Agenda
- Overview of Technologies
  - Microsoft Office SharePoint Server 2007
  - Groove
  - Project Server 2007
  - Liquid Machines (Encryption Software)
- Glossary of terms
- Applying this technology to Outsourcing

Slide 18: On the upper pie, change Office 12 to the updated logo. You can even put the Windows SharePoint Services logo in the center of the pie to get the point across. I do want to use this slide because this is how Bill has been talking about all the server capabilities. It’s not very different from 32, especially when you consider the story that Bill normally tells here.
The 2007 Microsoft Office System Evolution
[Diagram labels: Servers; Collaboration; Content management; Streamlined processes; Portals; Business intelligence; Search; Word processing; Business modeling; Presentations; Business data management; Information Management]

Definition of a portal
Microsoft Confidential
The Presentation Layer of information to lines of business
[Diagram labels: Internal Apps; External Apps; Accounting; Sales; HR; PMO; Office]

The Microsoft Office 2007
Out-Of-Box Workflow
InfoPath Forms In Browser
SharePoint Portal Server 2007
What pain points does it solve?
- Reduces email by 50-60%
- Less reliance on the ‘some version on the network drive’ culture
- Increase in user and team productivity
- A single point of contact for information
- Control of information
- Integrates multiple technologies: Oracle, IBM, Microsoft

Project Server 2007
What is the product?
- Enterprise project management for a project team and beyond
- Scheduling engine: Gantt charts
- Schedule, cost, process and resource management
- Integration to SharePoint, GP, AX
- Currently uses existing technologies: Win 2003, SQL, Office

Project Server 2007
What pain points does it solve?
- Enables higher workload capacity, helping people do more with less
- Reduces time and improves process quality
- Eliminates elapsed time between project tasks
- Monitors the current state of workflow and its project against the project plan
- Ensures timely delivery of information
- Enables tighter control over the distribution of work
- Eliminates duplication of tasks
- Alerts warn of tasks that are slipping
- What gets measured gets done

Portfolio Server 2007
What is the product?
- Ideal for strategic planning
- Visibility of next year's project
- Scorecard management: monitor progress in terms of actuals and forecasted cost, schedules, benefits and risk, and communicate status to all stakeholders
- Prioritization
- Workload and Resource Capacity Planning
- Portfolio Analysis and Reporting

Portfolio Server 2007
What pain points does it solve?
- Stops projects starting which can never be finished.
- Ideal for strategic visibility of projects
- Forecasting resources
- Allows senior management to view projects at a very high level.
- The PMO’s dream product

Office Groove Server 2007
- A peer to peer network. No server required
- A ‘Napster’ on steroids
- The true virtual office
What is Groove? Groove is desktop software that allows teams of people to work together securely over the network as if they were in the same physical location…
Enter the age of the virtual office
[Diagram labels: Mobile Employee; External Partner; Knowledge Worker]

Liquid Machines Document Control
- Controls & protects data at all times, no matter where it goes
- Allows the collaboration of secure information while controlling access & use
- Enables policies within native applications without affecting user productivity
- Logs, monitors & reports on access & usage of information
- Enforces persistent security on protected data

Liquid Machines Policy Droplet™  Native support for over 65 application file formats
Liquid Machines File share Gateway
Enables wide-scale rapid deployment of information protection by applying policies to mapped network drives, folders, and existing files in one easy step.
[Diagram labels: Policy X; Policy Y and Z]

Role-based Enterprise Policies
- Seamless integration with Active Directory to quickly add or remove users or groups to policies
- Roles can prohibit full access rights to the document author while giving full access to others in the policy
- Expiration date can be set by calendar date or number of days from document publication date
- Allows use of protected content when disconnected from the policy server, optionally for a specified number of days

Activity Reporting On End User Actions
- Activity reports deliver results based on user-selected queries
- Results detail access and usage based on Role-based policies
- Reports provide complete details on file access and usage by user
- Use with 3rd party reporting tools

Liquid Machines Document Control Overview
[Diagram labels: Liquid Machines Agent; Policy Administration; Auditing & Reporting; Liquid Machines Policy Server; Policies; Audit Logs; Key Management]
Role rights shown in the diagram:
- CEO: Full Rights
- Employee: Edit, Print
- Contractor: Read Only

Glossary of terms
- Digital signature: An electronic scheme used to simulate the security properties of a signature in digital, rather than written, form.
- Authentication: Confirms the integrity of the information that is being sent and who is sending it
- Encryption: Protects the privacy of the electronic information
- Digital Certificates: These establish your identity in the electronic world

Applying this technology to outsourcing
SharePoint Portal Server 2007
What is the product?
- Internet, extranet, corporate internet
- Document management
- Knowledge management
- Change Management
- Issue and risk tracking
- Workflow engine
- Collaboration among users, teams, corporations
- Currently uses existing technologies: Win 2003, SQL, Office
- Corporate presentation layer of information

Scenario
- Organization: 500+ employees, located globally; customer service activities have been outsourced to a 3rd party.
- Activities performed: Data lookups and data entries.
- Preventive Measures: Rights Management, SharePoint, InfoPath

Scenario
- Organization: 15 employees, located in NYC, have 3rd party brokers selling their products. They are on the road.
- Activities performed: Placing orders, access to price lists.
- Technology: Groove (orders), SharePoint (onboarding training application), Liquid Machines

Summarize the presentation
- Obviously this is an important subject
- What’s important: Process and people, partnership relationships and roles
- There’s overhead involved
- Darwin: People who survive are not necessarily the fittest or the strongest, but the ones who make a decisive decision to embrace change

Questions

Digital Outsourcing: Risks, Pitfalls, and Security Considerations

  • 1. I NTER D YN Innovative Solutions, Proven Results Digital Outsourcing Presented by: Robert J. Bagnall, CEO Maverick-Security, LLC Peter Ward, Business Collaboration Manager InterDyn AKA Risks, Pitfalls, and Security Considerations for Doing It Right
  • 2. About InterDyn AKA We are a sales and professional services firm focused on: Dynamics GP, Dynamics CRM, and Dynamics AX Office 2007: SharePoint, Project Server, Project Portfolio Server, InfoPath, Forms Server Custom Application Development
  • 3. About InterDyn AKA 2006 MS Dynamics GP Global Partner of the Year (#1 of the 2,100 partners) 2006 MBS Pinnacle Customer Award – Evangelist (Young Broadcasting) 2006 MS Excellence in Quality 2006 Customer Satisfaction and Experience Award 2006 Excellence in Sales and Marketing (Global Finalist) 2006 Technology Innovation Partner of the Year (Global Finalist) 2006 Inner Circle Member – Top .5% of MS Dynamics Partners 2005/ 2002 Eagle Award 2005 MBS Pinnacle Customer Award – Overall Excellence (American Bible Society) 2003 NY/NJ Medium Business Partner of the Year Microsoft ERP Reseller of the Year finalist Proven Methodologies 275 + MS Dynamics Implementations MBS Gold Certified Partner Exclusively Authorized Training Center 92% Customer Retention Rate
  • 4. About Maverick Maverick provides customized, personal and corporate security and brand defense services to High-Profile Individuals, small businesses, and a few select corporate clients. Our patented methodology and processes encompass over 15 years of cyber-security and intelligence experience in the government and commercial sectors. Services include Personal Brand Defense (PBD), the SPF Assessment Program, and Global Digital Threat Intelligence.
  • 5. Topics The Current Global Digital Threat Climate Cyber-Trends Against The U.S. Financial Service Sector Common Threat Motivations & Exploitations Considerations Prior To Outsourcing Pitfalls In International Partnerships Communications, Connections, and Security Considerations Between Locations Dealing With Data Exposures 5 Things You Can Do To Protect Your Existing Outsourcing Right Now … plus a few “optional extras”
  • 6. The Current Global Digital Threat Climate
  • 7. 3 Most Common Exploitation Types People [most common] Processes Technologies
  • 8. Primary Motivators Economic Ideological Nationalistic Criminal Opportunistic
  • 9. Threats By Region Region-1: North & Central America> Although the most regulated, the United States is also still the country with the largest quantity of SPAM site hosts. Mexico and Central America hold regional ideological movements that transcend to the cyber environment. THREATS: Economic, Ideological, Opportunistic, Criminal Region-2: South America & Caribbean> South America is a growing digital threat, with Brazil leading the way. In five short years, Brazil has gone from script kiddie web site defacements to a formidable hacker-for-hire. THREATS: Criminal, Opportunistic, Ideological Region-3: Europe> Although ideological threats persist within this region, the majority of the threat comes from the open practice of cyber-espionage and business intelligence against competitors. THREATS: Economic, Opportunistic, Ideological
  • 10. Threats By Region Region-4: Russia & Eurasia> Organized crime is by far the biggest threat in Region 4. The Russian and eastern European mafias, tacitly and sometimes openly supported by government, operate fraud, SPAM, hacker-for-hire, and digital extortion with near impunity. THREATS: Criminal, Economic, Ideological, Opportunistic Region-5: MidEast & Southwest Asia> Rising rapidly since 2003, the Middle East threat is almost entirely ideological. Southwest Asia sees economic and criminal activity as well due to ethnic and religious differences within the region. THREATS: Ideological, Economic, Criminal Region-6: Africa> Africa remains the slowest region to rise in terms of global digital threat. Much of the activity within the region is more associated with the infusion of outside influence (religious and criminal) than internal capability. The largest threat here remains scams and other criminal activity, though a spike in ideological hacking activity is being seen today. THREATS: Criminal, Ideological
  • 11. Threats By Region Region-7: Central & Southeast Asia> China is a formidable digital threat. Regardless of the fact that America and China share extensive economic relationships, Chinese military doctrine states that they plan and execute for cyber war to emerge as the global power. THREATS: Nationalism, Economic, Opportunistic Region-8: Australia> While Australia shares a close personal relationship with the United States, economic and opportunistic threats still exist. THREATS: Economic, Opportunism
  • 12. Exploitation Categories Fraud Credit Cards Phishing/Pharming Carding SPAM Spyware Accesses Boutique Hacking Specific locations or levels of access Identity Theft Personal Technological Purchasing Power Information Intellectual Property Access Escalation Targeted Attack
  • 13. Cyber-Trends Against The U.S. Financial Service Sector The outsourcing of financial services and support to countries like India make those foreign partner companies an attractive target. As a result, groups like the Pakistani Hackers Club target Indian companies who support U.S. firms because they can have a double impact with a successful attack. : Fraud versus the “cost-of-doing-business” mentality Targeted identity theft and access against FS companies Targeted attacks against data companies servicing FS companies
  • 14. Considerations Prior To Outsourcing No matter what kind of outsourcing solution you are considering, you must examine it carefully. Here are a few of the more important ones: If my outsource provider is a foreign firm, what regional threats do I need to consider? [Religious, ethnic, social, criminal, etc.] Know the threats to your company and those within the region where you are considering an outsource relationship What are the threats to my provider? Do they/could they extend to me? Does my provider have any issues I need to consider? [past incidents, poor reputation, bad brand presence online] How seriously does my provider take their own security? Examine the due diligence of each provider you consider prior to contracting with them [make them show proof of security policies, procedures, DR/BC plans, etc.] Do my contracts reflect my requirements and security needs? Write your contracts to ensure the provider is held accountable to meet certain minimum security standards and practices. What are the access requirements my provider will need to my environment, my data, etc., in order to do their job?
  • 15. Common Pitfalls in Outsourcing A Lack of Due Diligence Poorly written contracts Partners not made to show proof of due diligence Partners not barred from subletting your contract Un-assumed Risks Lack of training on policies & procedures Partner business actions Foreign adversary targeting ripple effect Poor Implementation [Operations] Lack of encryption Regular data backups still not being performed Training & preparedness drills lacking Lack of/poor definitions (boundaries, levels of effort, etc.) Excessive access granted to partners
  • 16. Communications, Connections, and Security Considerations Between Locations Examine your foreign outsource provider through zones of trust. They should never be viewed at a level better than “Trusted Outsider”. In fact, your own sister companies (those absorbed through acquisition or merger) who perform security outside of the practice of the parent company should not be viewed as trusted insiders until they follow the same standards. Trusted Insiders Trusted Outsiders Untrusted Insiders Untrusted Outsiders
  • 17. Dealing With Data Exposures There is no way you will ever prevent everything. This is why you work to prevent more problems if exposures occur, and expect that they will. Here are some things you need to do when an exposure does occur: Admit it. Have a plan to deal with it. Execute that plan. Move on. Examine how it occurred. Was it preventable? Was it a people, process, or technology issue? See what you can do to prevent it next time. Evolve what you do to prevent it from happening again. Examine the way you do everything at least annually [hopefully you can find a potential issue and prevent it in the future - instead of falling victim to it]
  • 18. 5 Things You Can Do To Protect Your Existing Outsourcing Right Now Restrict Access to Data [based on need] Examine Host Country Threats and Options Prior to Outsourcing Write/Reexamine Contracts From A Security Perspective Plan for Attacks and Breaches That Result From Your Outsourcing Efforts Monitor Your Egress Traffic As Well As Your Ingress Traffic
  • 19. The Last Word Outsourcing is a viable, necessary, and soon-to-be integral part of American business – particularly in critical infrastructures like financial and medical services. But the risks can be untenable if you are not properly prepared. If you take your organization into it with eyes wide open then you stand a good chance of having a strong, positive experience with minimal disruption. When the day is done, no matter how big your organization or what type, we are all on the same team. It does not pay to create fiefdoms or hold information close. Together we are better. This security stuff is not rocket science. It takes sound practices and the right technology implemented and executed with tireless vigilance. You will never stop cyber-attacks completely, so get used to this being an on-going process. But that does not mean that you cannot prevent most of the pain you face today.
  • 21. Overview of Technologies Microsoft Office SharePoint Server 2007 Groove Project Server 2007 Liquid Machines (Encryption Software) Glossary of terms Applying this technology to Outsourcing Agenda
  • 22. Servers The 2007 Microsoft Office System Evolution Collaboration Content management Streamlined processes Portals Business intelligence Search Word processing Business modeling Presentations Business data management Information Management
  • 23. Definition of a portal The Presentation Layer of information to lines of business Internal Apps External Apps Accounting Sales HR PMO Office
  • 26. InfoPath Forms In Browser
  • 27. SharePoint Portal Server 2007 What pain points does it solve? Reduces email by 50-60% Less reliance on the ‘some version on the network drive’ culture Increase in user and team productivity A single point of contact for information Control of information Integrates multiple technologies: Oracle, IBM, Microsoft
  • 28. Project Server 2007 What is the product? Enterprise project management for a project team and beyond Scheduling engine – Gantt charts Schedule, cost, Process and Resource management Integration to SharePoint, GP, AX Currently uses existing technologies: Win 2003, SQL, Office
  • 29. Project Server 2007 What pain points does it solve? Enables higher workload capacity, helping people do more with less Reduces time and improves process quality Eliminates elapsed time between project tasks Monitors the current state of workflow and its project against the project plan Ensures timely delivery of information Enables tighter control over the distribution of work Eliminates duplication of tasks Alerts to warn of tasks that are slipping What gets measured gets done
  • 30. Portfolio Server 2007 What is the product? Ideal for strategic planning Visibility of next year’s project Scorecard management: monitor progress in terms of actuals and forecasted cost, schedules, benefits and risk and communicate status to all stakeholders. Prioritization Workload and Resource Capacity Planning Portfolio Analysis and Reporting
  • 31. Portfolio Server 2007 What pain points does it solve? Stops projects starting which can never be finished. Ideal for strategic visibility of projects Forecasting resources Allows senior management to view projects at a very high level. The PMO’s dream product
  • 32. Office Groove Server 2007 A peer to peer network. No server required A ‘Napster’ on steroids The true virtual office Mobile Employee External Partner Knowledge Worker What is Groove? Groove is desktop software that allows teams of people to work together securely over the network as if they were in the same physical location… Enter the age of the virtual office
  • 33. Liquid Machines Document Control Controls & protects data at all times, no matter where it goes Allows the collaboration of secure information while controlling access & use Enables policies within native applications without affecting user productivity Logs, monitors & reports on access & usage of information Enforces persistent security on protected data
  • 34. Liquid Machines Policy Droplet™ Native support for over 65 application file formats
  • 35. Liquid Machines File share Gateway Enables wide-scale rapid deployment of information protection by applying policies to mapped network drives, folders, and existing files in one easy step. Policy X Policy Y and Z
  • 36. Role-based Enterprise Policies Seamless integration with Active Directory to quickly add or remove users or groups to policies Roles can prohibit full access rights to the document author while giving full access to others in the policy Expiration date can be set by calendar date or number of days from document publication date Allows use of protected content when disconnected from the policy server, optionally for a specified number of days
  • 37. Activity Reporting On End User Actions Activity reports deliver results based on user-selected queries Results detail access and usage based on Role-based policies Reports provide complete details on file access and usage by user Use with 3rd party reporting tools
  • 38. Liquid Machines Document Control Overview Liquid Machines Agent Policy Administration Auditing & Reporting Liquid Machines Policy Server CEO Full Rights Employee Edit, Print Contractor Read Only Policies Audit Logs Key Management
  • 39. Glossary of terms Digital signature: An electronic scheme used to simulate the security properties of a signature in digital, rather than written, form. Authentication: Confirms the integrity of the information that is being sent and who is sending it Encryption: Protects the privacy of the electronic information Digital Certificates: These establish your identity in the electronic world
  • 40. Applying this technology to outsourcing
  • 41. SharePoint Portal Server 2007 What is the product? Internet, extranet, corporate internet Document management Knowledge management Change Management Issue and risk tracking Workflow engine Collaboration among users, teams, corporations Currently uses existing technologies: Win 2003, SQL, Office Corporate presentation layer of information
  • 42. Scenario Organization: 500+ employees, located globally, customer service activities have been outsourced to a 3rd party. Activities performed: Data lookups and data entries. Preventive Measures: Rights Management, SharePoint, InfoPath
  • 43. Scenario Organization: 15 employees, located in NYC, have 3rd party brokers selling their products. They are on the road. Activities performed: Placing orders, access to price lists. Technology: Groove – Orders SharePoint – Onboarding training application, Liquid Machines
  • 44. Summarize the presentation Obviously this is an important subject What’s important: Process and people, partnership relationships and roles There’s overhead involved Darwin: People who survive are not necessarily the fittest or the strongest, but the ones who make a decisive decision to embrace change