
Security among those who keep your secrets: Comparing the security of a top competitive intelligence firm in Peru against the security of a top market research firm in New Zealand - OWASP Day New Zealand 2015


The security of a firm is impacted not only by what happens inside it but also by what happens inside the firms that are its providers. This keynote examines the case of two leading commercial services providers (one in Perú and the other in New Zealand) and compares and contrasts their security readiness. It also presents two real security incidents and explains why one of them was a security defeat and the other a victory.

Carlos Cordero

February 27, 2015

Transcript

  1. © 2015 Carlos Cordero. All Rights Reserved - Security among those who keep your secrets: Comparing the security of a top competitive intelligence firm in Peru against the security of a top market research firm in New Zealand - OWASP New Zealand Conference 2015. Contact: [email protected]

     Security among those who keep your secrets
     Comparing the security of a top competitive intelligence firm in Peru against the security of a top market research firm in New Zealand
  2. THE BUSINESS RISK PERSPECTIVE
     So what is the problem here?
  3. Those who keep your firm’s secrets (diagram)
     Client firm, surrounded by its providers: Lawyers, Accountants, Payroll, Accounts, Logistics, Bank 1, Bank 2, Telecomm., IT, Domain consultants, Commercial services
     Looking on: A filthy competitor, Another filthy competitor
     Legend: Client has some leverage / Client has little leverage
  4. Context = culture + history (society) + economy + justice system
     Context = market (firm)
     Service providers are trusted with commercial secrets of a delicate nature.
     Commercial services providers, traditional and modern: Market research, Database provider, Contact centre, Debt collection, Data analysis (BI & BD), Intelligence (competitive), Advertising agency, Digital marketing, Direct marketing agency
  5. Context = culture + history (society) + economy + justice system
     Context = market (firm)
     Commercial services provider
     Has your firm asked itself what is going on at the inside of all provider organisations privy to your firm’s secrets? The question is: are said service providers trustworthy? Does your firm have contingency measures in place?
  6. Context = culture + history (society) + economy + justice system
     Context = market (firm)
     Organisations run on People, Process (+Policy), and Technology. (ISC)2 has only been hammering this point for 25 odd years. (This is “Introduction to Business Management 101” level stuff.)
  7. Context = culture + history (society) + economy + justice system
     Context = market (firm)
     People, Process (+Policy), Technology
     Culture = Attitude + Perspective
     Culture is the connective tissue of an organisation.
  8. Articulating People, Process (+Policy), Technology, and Culture (Culture = Attitude + Perspective)
     Diagram labels: Leadership, Staff, Decisions, Structure, Support, Consistency, Low friction, Efficiency, Training, Discipline, Roles, Control, Speed & Agility, Assurance
  9. Context = culture + history (society) + economy + justice system
     Context = market (firm)
     Looking at the organisational problem of security at the deeper management level
     Diagram labels: Leadership, Staff, Decisions, Structure, Support, Consistency, Low friction, Efficiency, Training, Discipline
     • What each is meant to do
     • The way in which it should be done
     • The efficient way of doing it
     • The proven way of ensuring that all goes according to plan.
  10. LOOKING AT THE TWO FIRMS IN STUDY
      • Introducing Firm A and Firm B
      • Common (to both firms) security and privacy scenarios
      • Macro context and market context
      • Leadership’s profile
      • Attitudes and perspectives of the leadership and the staff
  11. Context = market (firm)
      Introducing Firm A and Firm B
      Characteristics | Firm A | Firm B
      Locality | Peru | New Zealand
      Countries of operation | Peru, Chile, Argentina, Colombia, Brasil, Ecuador, Bolivia, Venezuela, México, Dominican Republic | New Zealand, Australia
      Turnover | US$ 1 MM | NZ$ 1 < x < 5 MM
      Sectors | IT, Telecom, Financial | Financial, FMCG, Telecom, Transport
      Main clients | Microsoft, Oracle, IBM, Cisco, HP, Intel, Siemens, Dell, AT&T, Telmex | Commonwealth Bank, Air New Zealand, BNZ, Sovereign, Vodafone
      Core business | Competitive intelligence | Market research
  12. Context = market (firm)
      Introducing Firm A and Firm B
      Characteristics | Firm A | Firm B
      Ownership | Local | Local first, then Multinational Corp.
      Position in market | Leader | Leader
      Employees | 30 - 40 | 40 - 50
      Founded | 1998 | 1992
      Industry involvement & connections | Market Research Association; IT Committee Chairmanship at Lima Chamber of Commerce; PM Advisory ICT Committee | Market Research Association; Marketing Association; Very well connected in business circles
      Period of analysis | 1999 - 2006 | 2007 - 2008
  13. Some common situations and scenarios in which security and privacy had to be considered (Firm A | Firm B)
      • By-products of producing outcomes for clients
      • Information exchanges on and off premises and network
      • Acquisition and transfer of clients’ datasets (i.e. client lists)
      • Archiving and storage of confidential information
      • Password and encryption key management
      • Client information availability and integrity
      • Disruption to electricity or water supply
      • Earthquake / Fire
      • Theft / Arson
      • Industrial espionage
      • Sabotage
      Each scenario was marked Privacy or Security per firm (markers as they appear in the slide: Privacy, Security, Privacy, Privacy, Privacy, Privacy, Privacy)
  14. Context = culture + history (society) + economy + justice system
      Macro context in which the firms operated
      Characteristics | Perú | New Zealand
      Gross Domestic Product | 210.3 B | 181.1 B
      GDP change rate % | 5.1% | 2.5%
      Gross National Savings % | 22.2% | 15.9%
      Population | 30.2 M | 4.4 M
      Unemployment | 3.6% | 6.4%
      Perú appears to provide a better context for business (a larger economy) at first glance.
  15. Context = culture + history (society) + economy + justice system
      Macro context in which the firms operated
      Characteristics | Perú | New Zealand
      Unemployment | 3.6% | 6.4%
      Sub-employment (1) | 61.5% | 0%
      Informal economy | Yes | No
      Annual wage | NZ$ 6,000 (average) | NZ$ 30,400 (median)
      GDP per capita | 11,000 | 30,400
      Direct investment abroad | 3.2 B | 59.1 B
      Yet scratch the surface and it is obvious that New Zealand provides a far better context.
      (1) Sub-employment is a third world phenomenon: too many people in an economy have a qualification yet are unable to find paid work in their field. Those people have to settle for whatever work they can find.
  16. Context = culture + history (society) + economy + justice system
      Macro context in which the firms operated
      Characteristics | Perú | New Zealand
      Colony? | Yes | Yes
      Empire | Spanish | British
      Duration | 1535 to 1821 (286 years) | 1840 to 1907 (67 years)
      Result | Division: “What can I get for myself?” | Unity
      Mindset | Survival | Progress
      Corruption | Pervasive | Very low
      Environment | Hostile | Benign
      The reason is the history of each country and the resulting cultural and societal attitudes.
  17. A summary on the security state of both firms during my tenure
      Characteristics | Firm A | Firm B
      Talk about security? | Yes | Yes, lip service.
      Secure disposal of documents | Yes (print & digital) | Yes (print only)
      Policies and procedures (P-P) | Yes | Half policies, no procedures
      Supervision | Yes | No
      Compliance | Yes, contractual | Yes, contractual
      Reason | Previous professional background (management); risky environment | Previous professional background (management); ignorance; benign environment
  18. Description of their leadership
      Characteristics | Firm A | Firm B
      Background & training | Business and Banking | Engineering, Banking, and Business
      Ages | 40s & 20s | 50s & 40s
      Competent? | Yes | Yes
      Networked? | Yes (mostly in IT industry) | Yes (in high business circles)
      Sector leadership | Yes | Yes
      Experienced and realistic | Yes | Yes
  19. Comparing the attitudes of the leadership and of the staff with regards to security
      Characteristics | Firm A | Firm B
      Awareness of value of client info | Yes | Yes
      Act accordingly? | Yes: belief that Peru is not a safe country | Not consistently: belief that nobody would target them, as New Zealand is a safe country
      Awareness of privacy issues | Yes | Yes
      Act accordingly? | Yes (ethics, permission marketing) | Yes (regulations, direct marketing)
      Message to staff | Loud and clear | Ambivalent
  20. COMPARING THE SECURITY AT BOTH FIRMS
      aka where the rubber meets the road, plus some security recommendations made by the author
  21. Comparing the mechanisms (compliance, physical, procedural, technological) set in place to protect security
      Compliance | Firm A | Firm B
      Conf. agrmts. with clients | Yes | Yes
      Conf. agrmts. with staff | Yes | Yes, biased towards restraint of trade
      Conf. agrmts. with providers | Yes | Yes
      Goal of conf. agrmts. | Information security; Privacy | Restraint of trade; Privacy; Compliance with clients’ corporate policies
  22. Comparing the mechanisms (compliance, physical, procedural, technological) set in place to protect security
      Physical | Firm A | Firm B
      Premises | Dual purpose building | Single purpose building
      Security on doors + windows | 5 out of 10 | 7 out of 10
      Secure disposal of printed documents | Yes | Yes
      Alarm system | Yes (once defeated, then replaced) | Yes
      Fire countermeasures | Yes | Yes
      Hazards | Paper, furniture, single entrance. | Paper, furniture, carpets, stairwell.
  23. Comparing the mechanisms (compliance, physical, procedural, technological) set in place to protect security
      Procedural | Firm A | Firm B
      BYOD | Forbidden | Allowed with no security requirement
      Taking firms’ devices off premise | Allowed (only if secured and audited by IT) | Allowed
      Security through obscurity | Yes | No
      No-go areas for non-staff | Yes | Yes
      Policies-Processes (P-P) induction | Yes | Yes
      P-P refreshers | Yes | No
  24. Comparing the mechanisms (compliance, physical, procedural, technological) set in place to protect security
      Procedural | Firm A | Firm B
      P-P documentation accessible | Yes | Yes
      P-P consultation accessible | Yes | Yes
      Security training of staff | Yes | No
      Clear line of reporting re: infosec | Yes | Yes
      Security awareness testing of staff | Yes | No
      Staff attitude | Security conscious | Security ambivalent
  25. Comparing the mechanisms (compliance, physical, procedural, technological) set in place to protect security
      Technological | Firm A | Firm B
      Operating system | Linux + Windows | Windows
      LAN | Wired + Wireless (hardened WPA2, complex and long password) | Wired + Wireless (WPA2, complex but short password)
      Full disk encryption | Yes | No
      Periodic change of passwords | Yes | Yes
      Email encryption & signatures | Yes | No
      File encryption and steganography | Yes | No
  26. Comparing the mechanisms (compliance, physical, procedural, technological) set in place to protect security
      Technological | Firm A | Firm B
      File movement P-P | Yes | No
      Port securing on devices | Yes | No
      Securing media | Yes | No
      Extending security to clients/partners | Yes | No
      Guidelines and checklists | Yes | No
      Security audits | Yes | No
  27. Comparing the mechanisms (compliance, physical, procedural, technological) set in place to protect security
      Technological | Firm A | Firm B
      Incident response | Yes | Yes
      Backups + Archives | Yes | Yes
      Business continuity | Yes | Yes
      Disaster recovery | Yes | Yes
      Insurance relief | Yes | Yes
  28. Some recommendations made by myself with regards to improving security at both firms
      Recommendations | Firm A | Firm B
      Storage media encryption | Accepted + Implemented | Ignored
      Full HDD encryption of travelling/shared devices | Accepted + Implemented | Ignored
      Limit wireless LAN usage | Accepted + Implemented | -
      Secure file erasing (multi-pass Gutmann using Eraser) | Accepted + Implemented | Ignored
      Training of staff | Accepted + Implemented | -
      Auditing of staff practices | Accepted + Implemented | Ignored
  29. TWO SECURITY EVENTS COMPARED
      Description of the events: a victory and a failure, plus some security recommendations made by the author
  30. Two security events that I witnessed - a victory and a failure
      • A notebook containing information from multiple clients got stolen from the firm’s premises. This is the lesser case.
      • Mid-week, overnight, the firm got broken into and every single computer (just the computers) got stolen. Yes, totally owned.
  31. So which was the victory and which the failure?
      • A notebook containing information from multiple clients got stolen from the firm’s premises.
      • Mid-week, overnight, in February 2004, the firm got broken into and every single computer (just the computers) got stolen.
  32. THE FAILURE: A notebook containing information from multiple clients got stolen from the firm’s premises.
      This was the “shared” notebook used by all staff to work from home, go on trips, and go to present to clients. Information was mostly never erased from it; if ever, it was a simple “delete” on a Windows 2003 client. HDD unencrypted. It was stolen from a smaller secondary office that the carrier had stopped at while on the way back from a client. That office’s door was always left unlocked when staff were in. A member of the staff had warned about the risks. No action was ever taken. Information from some 30 projects belonging to some 10 clients was in that notebook. Compliance nightmare: some of those clients had confidentiality and privacy agreements with the firm.
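The failure above is a plain delete on an unencrypted disk, and the recommendation the deck made to Firm A (slide 28) was secure multi-pass erasing with Eraser. The following Python script is an added illustration, not the author's code and not Eraser's: it contrasts a plain unlink, which removes only the directory entry and leaves the file's bytes on the media, with an overwrite-then-unlink that replaces those bytes before the entry goes. It uses a few random passes plus a zero pass as the overwrite pattern (an assumption for brevity, not the 35-pass Gutmann pattern the deck names), and the sample "client list" content is constructed. The caveat a practitioner should carry away: in-place overwriting only helps where a rewrite lands on the original blocks (rotating disks, non-journaling layouts); SSD wear-levelling and copy-on-write or journaling filesystems can retain old copies, which is why the deck's other recommendation, full-disk encryption, is the stronger control for a travelling notebook.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed sample standing in for the project data on the "shared notebook".
# The marker line is what a file-recovery tool would search for after a delete.
SAMPLE_MARKER = b"CLIENT-LIST: Acme Corp prospects (constructed sample)"
SAMPLE_CONTENT = SAMPLE_MARKER + b"\n" + b"A" * 4096

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so large files do not sit in memory


def _fill(f, size, pattern_fn):
    """Rewrite the first `size` bytes of the open raw file with pattern_fn(n) -> n bytes."""
    f.seek(0)
    written = 0
    while written < size:
        buf = pattern_fn(min(CHUNK, size - written))
        written += f.write(buf)  # a raw write may be partial; continue from where it stopped
    f.flush()
    os.fsync(f.fileno())  # push this pass to the device before starting the next one


def secure_unlink(path, random_passes=3):
    """Overwrite a file's bytes in place (random passes, then a zero pass), then unlink it.

    Returns the file's bytes as they stood immediately before unlinking, so the
    caller can verify that the original content was replaced on the media the
    file occupied. Assumption: the filesystem rewrites the same blocks in place.
    """
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b", buffering=0) as f:  # unbuffered: every pass reaches the file
        for _ in range(random_passes):
            _fill(f, size, secrets.token_bytes)
        _fill(f, size, lambda n: b"\x00" * n)
    remnant = p.read_bytes()
    os.remove(p)
    return remnant


def plain_unlink(path):
    """The 'simple delete' from the failure case: unlink only, data left in place."""
    p = Path(path)
    remnant = p.read_bytes()  # what stays on the media when only the entry is removed
    os.remove(p)
    return remnant


def compare(tmpdir=None):
    """Run both deletion styles on copies of the sample file and report what remained.

    Per style: whether the file still exists, whether the client-list marker was
    still on disk at unlink time, and whether the remnant is all zeros.
    """
    created = tmpdir is None
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="erase-demo-")
    results = {}
    for name, deleter in (("plain", plain_unlink), ("secure", secure_unlink)):
        p = Path(tmpdir) / f"{name}.dat"
        p.write_bytes(SAMPLE_CONTENT)
        remnant = deleter(p)
        results[name] = {
            "still_exists": p.exists(),
            "marker_recoverable": SAMPLE_MARKER in remnant,
            "remnant_all_zero": len(remnant) > 0 and not any(remnant),
        }
    if created:
        os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:7s} exists={r['still_exists']} "
              f"marker_recoverable={r['marker_recoverable']} all_zero={r['remnant_all_zero']}")
```

Run it as-is and the "plain" row shows the marker still present at unlink time, which is exactly the state a stolen disk is in after a Windows delete; the "secure" row shows only zeros. The fsync after each pass matters: without it the passes can collapse in the page cache into a single write, and on media that does not rewrite in place the whole approach is moot, so treat this as a complement to encryption at rest rather than a replacement for it.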
  33. THE VICTORY: The firm got broken into and every single computer got stolen.
      • Discovered at 8:40 am by the first staff member to arrive. He immediately went for the DR/BC file and activated action. From training he knew not to touch any surface or object but the file, and to walk outside of the premises.
      • 9:00 Project team leaders retrieve the backup hard copy (print) of the information required for the three projects being executed.
      • Management fully notified by 8:45. Insurance broker by 8:55. Staff remain outside the office so as not to contaminate the scene, as per training and as per the procedure in execution.
      • 9:02 - 9:25 Project team leaders and teams organise the information, matching documents with the members of each team.
      • 9:25 Director arrives with police officers (he went straight to the police station as per procedure).
      • 9:30 Officers enter the premises.
  34. THE VICTORY: The firm got broken into and every single computer got stolen.
      • 10:15 Police finish the preliminary investigation and indicate the areas that staff are not to interfere with.
      • Core operational staff allowed in at 10:35 to resume core activities.
      • 10:45 Core operation set up with backup resources. Downtime of core activities: 105 minutes. Running at 60% capacity.
      • 12:45 New computers arrive and restore operations begin.
      • 10:30 Broker arrives and gives preliminary approval. MD and IT Mgr. write a check and leave with a shopping list to buy new white box computers. Operations Mgr. retrieves the off-site, 24-hour-old backup of the central server and all computers, and the encryption keys.
      • 17:00 Company operational at 80%.
  35. THE VICTORY: The firm got broken into and every single computer got stolen.
      • Day 2 - 15:00: All computers restored and networked. Company operating at 95% of capacity.
      • Day 2 - 16:45: Whole company meeting to declare the end of the emergency. Operating at 100% of capacity.
  36. IMPACT: The firm got broken into and every single computer got stolen.
      • Confidentiality loss: NONE. Every computer was fully encrypted at HDD level, at firmware level, with 2048 bit keys. Every computer was fully turned off at the end of the day, as per security policy.
      • Downtime: Core 1h 45m. Rest of the company 36h.
      • Recovery cost: US$ 19,000 (95% covered by insurance).
      • Cost of lost productivity during downtime: US$ 1,050.
      • Tasks, operations, or activities disrupted: None.
      • Cost of investing in DR/BC readiness (training, preparation, infrastructure): US$ 7,500.
      • Client trust loss and reputation loss: NONE.
  37. Conclusions on the relevance of these experiences in the current New Zealand and Australian contexts
      A context which is perceived as “low risk” will enable complacency to sneak in and hurt readiness. This sometimes reverses under a “high-risk” context, provided management reacts rationally and proactively to said context.
      • In order to maximise the returns of investments in security, all the pieces of the puzzle must be accounted for. Any gaps will become vulnerabilities.
      • If the resources are scarce, prioritise around the core mission and core operations.
      • People are the weak link. Train, rehearse, and audit their compliance with policies and processes.
      • The leaders have to lead: they have to make crystal clear with words and actions that security is a top corporate priority.
      • Breaches cost money, reputation, and ultimately jobs and survival. To be proactive is the only rational choice.
      Diagram labels: Leadership, Staff, Decisions, Structure, Support, Consistency, Low friction, Efficiency, Training, Discipline