It Takes the Village to Secure the Village SM

Transcription

1 It Takes the Village to Secure the Village SM Stan Stahl, Ph.D. President Information Systems Security Association Los Angeles Chapter September 30, 2013

2 2 Online Bank Fraud is Major Challenge. Victim Losses Often Not Reimbursed.

3 3 Annual Cost of Online Bank Fraud: $1,000,000,000 Bloomberg, Aug 4, 2011:

4 4 Financial Fraud and Identity Theft Continue to Climb 613,483,424 Financial Records Reported Breached January 10, 2005 September 19, 2013 These count only reported breaches. They count neither (1) discovered but unreported breaches nor (2) undiscovered breaches.

5 Average Cost of Data Breach 5 $200 Per Compromised Record $5.5 Million Per Event California Civil Code Section $1,000 nominal damages for disclosure of medical information

6 6 State-Sponsored Intellectual Property Theft: Death by a Thousand Cuts

7 7 Small Business Cybercrime Risk is Significant More than ¾ of small businesses believe their companies are safe from hackers 20% - 30% of all cyberattacks hit small businesses with 250 or fewer employees 60% of small businesses close within 6 months of being victimized by cybercrime.

8 8 Organizations Must Comply with Cyber Security Laws & Regulations

9 Cyber Security Need vs. Reality 9

10 10 Anti-Virus Catches Only 10% of Most Prevalent Attack: 30 Days Last June

11 11 60% of Zeus Attacks Get Through Anti-Virus programs March 2013 July

12 12 Users Unwittingly Open the Door to Cybercrime com.us.welcome.c.tr ack.bridge.metrics.po rtal.jps.signon.online. sessionid.ssl.secure. gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact 3f.uwu2e4phxrm31jy mlgaz.9rjfkbl26xnjskx ltu5o.aq7tr61oy0cmbi 0snacj.4yqvgfy5geuu xeefcoe7.paroquian sdores.org/

13 13 Caution: Opening that Attachment Can Be Dangerous to Your Information Booby Trapped Attachment Exploits Java Vulnerability When Opened

14 14 Caution: Visiting That Website Can Be Dangerous to Your Information

15 Anatomy of Cyber Attack 15 Exploit human & technical weakness Install malware on victim computer Cybercriminal Steal IP, Bank Acct Info, Etc Staff Servers

16 16 The Bottom Line: The Status Quo is No Longer Acceptable The Risk is Real The Impact Can be Existential The C-Suite Must Get Involved Everyone has Vital Role to Play Information security requires CEO attention in their individual companies Business Roundtable, 2004

17 17 Sun Tzu and the Art of Cyber Security Management It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles, If you do not know your enemies but do know yourself, you will win one and lose one, If you do not know your enemies nor yourself, you will be imperiled in every single battle.

18 The New Language of Cyber Security Management 18 Problems cannot be solved by the same level of thinking that created them Albert Einstein Information Risk = Threats Vulnerabilities Countermeasures

19 Information Risk Management: The Big Picture 19 Information Security Management Copyright Citadel Information Group, Inc. All Rights Reserved.

20 20 Information Security Management Strategy Proactively manage information security just as you proactively manage finance, operations and other critical operational functions. 1. Implement formal risk-driven information security policies and standards 2. Identify, document and control sensitive information 3. Train and educate personnel 4. Manage IT Infrastructure from an information security point of view

21 21 Implement a Risk-Managed Policy-Driven Layered Approach to Achieve Defense in Depth Operating Assumption: Cyber criminals will get through any particular defense Top-Management Policies and Standards Information Inventory Training / Culture 3 rd -Party IT Management & Development Security Standards Documentation Checklists & Procedures Appropriate Technology Training The Citadel. Halifax, Nova Scotia.

22 22 Comply with Laws, Regulations, Contracts. Take Advantage of Recommended Practices. US Federal Law HIPAA HITECH Gramm-Leach-Bliley FTC Rule FFIEC Banking Rules FISMA State Breach Disclosure & Other Laws CA Civil Code CA 1386 / SB24 Breach Disclosure Most states MasterCard and Visa Data Security Standard (PCI) European & Other Laws ISO standards ISO ISO Government Standards, Guides & Advisories NIST NSA US-CERT Practitioner Standards ISSA OWASP CSA (ISC) 2 ISACA SANS Institute

23 23 Provide Top-Level Governance, Management & Leadership Information security requires CEO attention in their individual companies Business Roundtable, 2004

24 24 The ISO Framework: Information Security Management System A5: Security Policy A6: Organization A7: Asset Management A8: Human Resources A9: Physical / Environmental A10: Communication & Operations Management A11: Access Control A12: Acquisition, Development & Maintenance A13: Incident Management A14: Business Continuity A15: Compliance Continuous Process Improvement Engine

25 25 Tactic: Be Wary of and Links on Internet & Social Media Sites

26 26 Tactic: Keep Computer Programs Patched and Updated Report Available: Citadel, LinkedIn. Facebook. RSS. Twitter. ISSA-LA, CDSA, .

27 27 Tactic: Be Wary of Dropbox and Other Cloud Services From Citadel Weekend Vulnerability & Patch Report: Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords. Citadel Guide: Eight Security Concerns Before Jumping Into the Cloud

28 28 Tactic: Test Your Web-Sites Against Common Vulnerabilities

29 Tactic: Take Specific Action to Protect Against Online Bank Fraud 29 Use Separate Workstation for On- Line Banking Keep Patched Use Only for On-Line Banking No No web browsing Isolate from Corporate Network Out-Of-Band Confirmation Daily Reconciliation Manage Authorization Positive Pay

30 What s in it for us?

31

32

33 Teaching the Community

34 Teaching the Next Generation

35 Setting the Next Agenda

36 Wealth Creation and Protection

37 Passion

38 Purpose and Meaning

39 For More Information 39 Stan Stahl LinkedIn: Stan Stahl Citadel Information Group: Information Security Resource Library Citadel Guides Cyber Security News of the Week Weekend Vulnerability and Patch Report ISSA-LA: Technical Meetings: 3 rd Wednesday of Month CFO-Working Group: 3 rd Friday of Odd-Months Financial Services Security Forum: 4 th Friday of Month 6 th Annual Summit: May, 2014

40 The Information Security Conversation 40

41 It Takes the Village to Secure the Village SM Thank You!