Technology Security: 27 th Annual Accounting Show Seminar. Chris Fraser: Consulting Services Manager Infinity Technology Solutions September 21, 2012

Transcription

1 Technology Security: 27 th Annual Accounting Show Seminar Chris Fraser: Consulting Services Manager Infinity Technology Solutions September 21, 2012

2 Quick Poll

3 Agenda Know your Risks Cloud and Security Virtualization Smartphones/Tablets Mobile Devices / BYOD Social Media Next Steps (Including DR)

4 Know Your Risks Why Cloud Fires, Floods, Hurricanes, Power Outages Only 6% of companies that suffer catastrophic data loss fully recover 43% never reopen 51% close within 2 years of the disaster Advantage: Cloud vs. Premise-based Statistics compiled from 2005 Gartner Group Report

5 Leverage the Cloud Connect from anywhere (but so can the bad guys) Cloud providers will add further redundancy with geographically dispersed data centers Physical security of data centers is simply not affordable to SMBs on your own ($$$) Power Protection Fire Protection Temperature and Humidity Controls Physical Security Data Security

6 What is the Cloud Virtual Server Hosting SasS (Software as a Service) (ie QB Online) Co-location Services Website Hosting Application Hosting Hosted Exchange Hosted SharePoint

7 What about Cloud Problems? High profile cases in the news In the Summer of 2012 nearly half a million addresses and passwords of Yahoo account holders were published online. In June, more than six million passwords for the professional social networking service LinkedIn were published online. Days later music website Last.fm warned users of a potential password theft. Then Drop box

8 What about Cloud Security? Addresses Risk of Complacency Just pay someone else to worry about it, right? Lower probability of occurrence if done right Higher profile disruption local server crash doesn t make the news Different Threats Update your risk assessment

9 Great Quote: Trust but Verify

10 Cloud Security Cloud computing security (sometimes referred to simply as "cloud security") is an evolving subdomain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. Source:

11 Passwords Protected by Hash? The passwords often stolen in hashed form, meaning some computing work is required to convert them back into usable passwords. Yet By Wednesday afternoon the hackers said they had already recovered hundreds of thousands. Source: /LinkedIn-hacker-also-stole-1.5mpasswords-from-dating-site-eHarmony.html

12 Know Your Security COBIT SOC 2 (SAS 70) Controls such as Data Encryption 2 factor authentication (can use the smartphone) Monitoring

13 Tips for selecting for Cloud Vendors Do they have their Service Level Agreements? What type of encryption is used to transmit and store data? What are the credentials of the data center? Ask for the SOC2 report, and any other 3 rd party audits What regular security testing do they perform? Bandwidth limits? Breach History? Training

14 Dropbox Response Dropbox will now offer two-factor authentication for members, giving the option of using two forms of identity before access to an account is granted. The company was also adding new automated systems to monitor suspicious activity and a new page allowing members to see all active logins on their account.

15 Virtualization This is BIG! Virtualization adds a low-level software layer that allows multiple, even different operating systems and applications to run simultaneously on a host Can move physical server to virtual, No longer directly tied to physical equipment Competition: VMware Microsoft Hyper-V Server 2012

16 Virtualization One option Use it for Disaster Recovery Local/Onsite Virtualization Stored images of the server environment on the local device which can be mounted following hardware failure or disaster bringing critical systems up and running. Off-site Virtualization (Cloud) Images of the server environment which are stored at off-site data centers and can be mounted following hardware failure or disaster to bring critical systems up and running.

17 Leverage the Cloud With a major disaster, there may not be any equipment to restore to. Those backups are useless! Cloud providers also provide valuable virtualization features Offsite Virtualization allows for the use of servers remotely Server images that are backed up offsite can be fully virtualized within hours, or less Access to your data is available with an Internet connection only

18 Virtualization Security secure all elements of a full virtualization solution and maintain their security; restrict and protect administrator access to the virtualization solution; ensure that the hypervisor, the central program that runs the virtual environment, is properly secured; and carefully plan the security for a full virtualization solution before installing, configuring and deploying it.

19 Your Biggest Risk No Policy

20 Smartphones/Tablets Getting smarter it s a mobile computer ipad and competitors New iphone 5 Android Samsung Galaxy S III Secure it Use a password Track it catch a thief Encrypt it

21 Mobile Devices / BYOD Bring Your Own Device - You can t stop it Allows your employees to be more connected If the device is not owned by the company, what rights do you have? How do you know if its safe to bring into your network? Demand passwords and encryption Policy to allow company to anything company related from the device

22 Mobile Device Risks Human Error We love and trust our employees Until we don t. Unintentional Threats Accidental File Deletion Failure to Backup Accidental Infection Device Loss Location Data good and bad

23 Social Media Know your risks Rapidly changing Facebook owns everything you post SEO

24 Update your DR Plan A Disaster Recovery (DR) Plan is a document detailing how you will respond to a disaster. Can, and should, be an extensive document New technologies change the old DR plan At a minimum, it should include: Full technical documentation List of vendor contacts and any support agreements Onsite and Offsite backup solution Detailed recovery steps based on different disaster levels Test it!

25 Managed Services Best Practice for new technologies: Managed IT Service Providers Expertise in changing arena (IT) Option that Ensures Alignment of Interests Best Bang for the Buck Scalable Fixed Cost for Unlimited Support Provide Fortune 100 Grade Support for Price that SMB Can Afford

26 Security Tip Your take away from today: Improve your online safety by setting a unique password for each website you use. Though it s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk Password complexity matters Don t keep your password static (Change every # days/months)

27 What are the Next Steps? Develop a policy and plan even if it is brief Adapt to new technologies Ensure that a reliable security is in place Ensure that critical data and systems have proper controls Plan for BYOD devices

28 For CPAs FICPA Business Technology Section CITP Credential

29 CITP Credential A Certified Information Technology Professional ( CITP) is a Certified Public Accountant recognized for his or her unique ability to provide business insight by leveraging knowledge of information relationships and supporting technologies. The CITP credential focuses on information management and technology assurance, making a CPA among the most trusted business advisor. Distinguish yourself from other information management and technology assurance professionals. Only CPAs can be CITPs, allowing CITPs to capitalize on profession s trusted reputation and helping them to differentiate themselves from other professionals in the marketplace.

30 CITP Body of Knowledge

31 AICPA, Certified Information Technology Professional Credential - Informati IT AUDIT AND ATTEST SERVICES INFORMATION CONTROL AND ASSURANCE (on financial statements, a segment, or operations) Summary Descr. Types Internal Control Specific Application Related AICPA Initiatives Market Impact/ Trend - Fin. Stmt Audit - SAS 70s - Trust Services - Privacy - Sarbanes Oxley - COSO, CoBIT - Peer Review - Risk-Based Auditing Stds (SASs) - Stmt on Auditing Stds (SASs) - Exposure drafts - PCAOB & SEC - AICPA ASB - Center of Audit Quality - PCAOB & SEC - Economic crisis Fraud - Digital Evidence - SAS 99 - Forensic Valuation Svcs - Certified in Fin. Forensics (CFF) - Stmt on Auditing Stds (SASs) - Economic crisis - Computer Forensics Risk Assessment IT General Controls Auditing Techniques Assessment of IT Controls - Risk-based auditing - Risk-Based Auditing Stds (SASs) - Center of Audit Quality - PCPS Firm Management - IT Audit/ Compliance - Governance - Security - App. Testing - CAATTs - Data Analytics - Deficiency/ Mat. Weakness - Unqualified/ Qual. Opinion - Risk-Based Auditing Stds (SASs) - Center of Audit Quality - Forensic Valuation Svcs - Certified in Fin. Forensics (CFF) - Center of Audit Quality - Risk-Based Auditing Stds (SASs) - Center of Audit Quality - AICPA ASB - Risk Management - AICPA ASB - Continuous Auditing - PCAOB & SEC - AICPA ASB Version: July 2009

32 Thank You Chris Fraser, CPA, CITP Consulting Services Manager Infinity Technology Solutions infinityit.com

33 Which is Scarier?

34