Risks and Trends in IT (Security and Compliance)
- Hope Gaines
- 6 years ago
1 Risks and Trends in IT (Security and Compliance). ACUIA Region 3 Meeting, September. 2012 CliftonLarsonAllen LLP
2 Our perspective: CliftonLarsonAllen started in 1953 with a goal of total client service. Today it is an industry-specialized CPA and advisory firm ranked in the top 10 in the U.S.
3 Presentation overview: Emerging & Continuing Trends; Industry Security Reports; 12 Years of Information Security Audit, Assurance, and Incident Response; Social Engineering; The Cloud; Mobile and Electronic Banking; Strategies and Key Controls.
4 Definition of a Secure System: "A secure system is one we can depend on to behave as we expect." Source: Web Security and Commerce by Simson Garfinkel with Gene Spafford. People, Rules, Tools; Confidentiality, Integrity, Availability.
5 Three Security Reports: Trends: SANS 2009 Top Cyber Security Threats (cyber security risks/). Intrusion Analysis: TrustWave (annual). Intrusion Analysis: Verizon Business Services (annual); 2010 report (10 DBIR combined reports_en_xg.pdf); 2011 report (a breach investigations report 2011_en_xg.pdf).
6 SANS Client-Side Vulnerabilities: Client-side vulnerabilities: missing operating system patches; missing application patches; the objective is to get the users to "open the door". Vulnerable web sites: password guessing; attacks on application interfaces with input fields; recent Facebook example.
7 TrustWave Intrusion Analysis Report: Methods of Entry; Methods of Propagation.
8 TrustWave Intrusion Analysis Report: Most of the compromised systems were managed by a third party.
9 TrustWave Intrusion Analysis Report, Incident Response Investigative Conclusions: Window of Data Exposure. Once inside, attackers have very little reason to think they will be detected. The bad guys are inside for 1½ YEARS before anyone knows!
10 The Verizon Report is an analysis of intrusions investigated by Verizon and the US Secret Service. KEY POINTS: Time from successful intrusion to compromise of data was days to weeks. Log files contained evidence of the intrusion attempt, its success, and the removal of data. Most successful intrusions were not considered highly difficult.
11 Hackers, Fraudsters, and Victims: Opportunistic Attacks; Targeted Attacks.
12 Verizon 2011: Anatomy of a data breach; Opportunities.
13 How do hackers and fraudsters break in? Social engineering relies on the following: people want to help; people want to trust; the appearance of authority; people want to avoid inconvenience; timing, timing, timing.
14 Pretext Phone Calls: "Hi, this is Randy from Comcast. I am working with Dave, and I need your help." Name dropping; establish a rapport; ask for help; inject some techno-babble; think telemarketer's script. Home Equity Line of Credit (HELOC) fraud calls; recent string of high-profile ACH frauds.
15 Attacks: Spoofing and Phishing. Impersonate someone in authority and: ask them to visit a web site; ask them to open an attachment or run an update. Examples: Better Business Bureau complaint (businessbureau target phishing scam/); Microsoft Security Patch download (bogus microsoft patch spam/).
16 Phishing Targeted Attack: Randall J. Romes. Two or three telltale signs. Can you find them?
17 Phishing Targeted Attack: Fewer telltale signs on fake websites.
18 Physical (Facility) Security: Compromise the site: "Hi, Joe said he would let you know I was coming to fix the printers." Plant devices: keystroke loggers; wireless access point; thumb drives ("Switch Blade"). Steal hardware (laptops). Examples.
19 Strategies to Combat Social Engineering: (Ongoing) user awareness training. Network perimeter security layers: mail filter, mail gateway, hardened workstations. Antivirus software (in 3 places) and anti-malware software. Internet browser proxies and filtering. Minimized user access rights. Application whitelisting. Logging and monitoring capabilities (SIEM and DLP). The 3 R's: Recognize, React, Respond. VALIDATION: periodic testing. People, Rules, Tools, and Spaces.
20 Questions?
21 Managing the Risks as You Outsource to the Cloud. 2012 CliftonLarsonAllen LLP
22 What is the Cloud? Is it a clever marketing term? Where is the cloud?
23 Cloud Services: Describe types of cloud services. List cloud services YOU currently use.
24 What is the Cloud? The original cloud computing: mainframes.
25 What is the Cloud? The next generation: thin clients (Citrix, RDP, etc.).
26 What is the Cloud? Today's cloud: hosted service or process, all the way to hosted infrastructure.
28 What is the Cloud? National Institute of Standards and Technology (NIST) definition of cloud computing, published October 7, 2009: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
29 Examples of Cloud Services: Hosted e-mail (Hosted Exchange, Gmail). Hosted productivity applications and enterprise applications (Google Apps, Amazon Web Services). On-line/cloud back-up services. Hosted infrastructure. Private clouds. Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS).
30 Benefits: Low upfront/entry cost; pay as you go; reduced support needs; faster deployment speeds; simpler/easier upgrades; business agility (ability to scale); reduced hardware costs; reduced software costs; reduced maintenance/service costs.
31 Benefits: Redundancy & resiliency; disaster recovery and business continuity; specialized support expertise; compliance benefits; ability to focus on the core of your business.
32 Risks: Vendor risks: vendor selection and due diligence; vendor viability; vendor management. Governance risks: risk management; legal and compliance issues; life-cycle management and portability. Who has your data? Where is your data? Who has access to your data?
33 Risks: Data risks: data location; data segregation; data recovery; investigative support. End-user risks: privileged user access; normal users; malicious insiders.
34 Risks: Technology risks: quick scalability; pace of change; outage/downtime; application-level DDoS attacks; (hacker) ease of access.
35 Examples in the news: Megaupload story (SANS NewsBites Vol. 14 Num; wired defense hobbled/): A Megaupload defense attorney maintains that the government has "cherry picked" data from servers to bolster its case against Megaupload, and that to allow the destruction of the data now could potentially destroy evidence that would prove beneficial to the defense. The staggering volume of data, 25 petabytes, is currently being stored on servers at US hosting company Carpathia, but because Megaupload's assets are frozen, Carpathia is shouldering the US $9,000 daily cost of maintaining the data. A hearing on the matter is scheduled for Friday, April 13. Carpathia wants the judge to relieve it of the burden of the cost of maintaining the data; an Ohio businessman wants the data preserved because he has legitimate files stored on the servers and wants them returned; the Motion Picture Association of America (MPAA) wants the data preserved so they can be used in future copyright infringement lawsuits; and Carpathia and Megaupload have suggested a proposal wherein Megaupload would purchase the servers and bear the cost of maintaining the data, but the government so far has refused to unfreeze the company's assets.
36 Examples closer to home: Recent client experience. "18 months ago we outsourced to a cloud-based solution with Company A. 6 months ago Company A was purchased by Company B. 2 months ago Company B was purchased by Company C. I don't know where my data is. I don't know who has access to my data. I don't know where my data is backed up any more. I don't know."
37 Examples closer to home: Recent conference. Between sessions, vendors describe their service offerings. Company X offers online, secure back-up to the cloud. Company X has grown over 300% in the last year. Best of all, Company X now provides online, secure, cloud-based back-up for Company Y, one of the larger core hosting company providers. Where does the outsourcing chain end? How many using Company Y know where their data is?
38 Things to do: Risk assessment; cost-benefit analysis; vendor due diligence (pre-contract); scrutinize contracts; ongoing vendor management. Be disciplined about where your data is: DOCUMENT IT, an inventory! Understand the vendor's responsibility and YOURS. Remember basic security tenets.
39 Questions?
40 Mobile Devices: Understanding the Risks. 2012 CliftonLarsonAllen LLP
41 Mobile Computing Basics: Mobile devices are here to stay. More people have (smart) phones than computers. Mobile payments are coming (already here?); a topic for another time.
42 Mobile Banking Basics: Different types of mobile banking: SMS mobile banking; mobile web; mobile applications.
43 Mobile Banking Basics: Mobile banking applications (i.e., "mobile apps"). Various mobile app marketplaces: iTunes/Apple App Store; Android Market; Verizon App Store; BlackBerry App Store.
44 Mobile Banking Basics: Basic/common mobile banking infrastructure: mobile banking system at the bank.
45 Mobile Banking Basics: Basic/common mobile banking infrastructure: mobile banking system with a third-party vendor between the customer and the bank infrastructure.
46 Vulnerabilities, Risks, & Controls: Vulnerabilities and risks at each component; perform a risk assessment; risk assessment heat map. Server-side risks (vendor risks); transmission risks; mobile device risks; mobile app risks; end-user risks.
47 Vulnerabilities, Risks, & Controls: Server-Side Risks: Essentially the same as traditional Internet banking website risks: insecure coding practices; default credentials; patch/update maintenance; certificate issues. This is essentially a web server for the mobile devices to connect to.
48 Vulnerabilities, Risks, & Controls: Vendor Risks: The same risks as at the bank, now outside of your direct control: insecure coding practices; default credentials; patch/update maintenance; certificate issues. Also need controls on the dedicated link. This is essentially a web server for the mobile devices to connect to.
49 Vulnerabilities, Risks, & Controls: Transmission Risks: Most mobile devices have an always-on Internet connection: cellular (cell phone service provider); WiFi (home, corporate, public). Need encryption. Common end-user practices.
50 Vulnerabilities, Risks, & Controls: Mobile Device Risks: Multiple hardware platforms & multiple operating systems.
51 Vulnerabilities, Risks, & Controls: Mobile App Risks: Secure coding issues; installation of the app; use and protection of credentials; storage of data; transmission of data.
52 Vulnerabilities, Risks, & Controls: End-User Risks: Lose the device; don't use passwords, or use easy-to-guess passwords; store passwords on the device; jailbreak the device; don't use security software; use/don't recognize insecure wireless networks; let their kids use the device.
53 Vendor Due Diligence and Management: All of the above applies to your vendor(s): mobile banking application provider; mobile banking hosting provider. Contracts with SLAs; SSAE 16 reviews; independent code review and testing.
54 Questions?
55 Risks and Controls for Electronic Banking. 2012 CliftonLarsonAllen LLP
56 Phishing and ACH In the News (Google: "ACH fraud suit"): Bank sues customer: $800,000 fraudulent ACH transfer; bank retrieves $600,000. What happens to the other $200,000?
57 Phishing and ACH In the News: Customer sues bank: $560,000 in fraudulent ACH transfers to bank accounts in Russia, Estonia, Scotland, Finland, China and the US, withdrawn soon after the deposits were made. Alleges that the bank failed to notice unusual activity: until the fraudulent transactions were made, the customer had made just two wire transfers ever; in just a three-hour period, 47 wire transfer requests were made. In addition, after the customer became aware of the situation and asked the bank to halt transactions, the bank allegedly failed to do so until 38 more had been initiated.
58 Phishing and ACH Examples: A finance person receives 2,000 spam messages. Later in the day, fraudsters make three ACH transfers, all within 30 minutes: $8,000 to Houston; two transfers for $540,000 each to Romania. In this case, the business insists the following controls were not followed: dollar limits/thresholds were exceeded; call-back verification did not occur. This one was just resolved.
59 Updated Authentication Guidance: Risk Assessment, Risk Assessment, Risk Assessment. At least annually or after changes: changes in the internal and external threat environment, including those discussed in the Appendix of the Supplement; changes in the member base; changes in the member functionality; actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.
60 Updated Authentication Guidance: Do not rely on a single control. Controls need to increase as risk increases. Multi-layer: additional controls at different points in the transaction/interaction with the member; technical (IT/systems) controls.
61 Updated Authentication Guidance (2): Specific authentication guidance: device identification; challenge questions; multifactor and two-factor authentication; out-of-band authentication.
62 Controls for Layered Security: Control of administrative functions. Enhanced controls around payment authorization and verification: Positive Pay features; dual authorization; call-back verification. Detection of and response to suspicious activity.
63 Controls for Layered Security (2): Member awareness and education: explanation of protections provided and not provided; how the financial institution may contact a member on an unsolicited basis; a suggestion that commercial online banking members perform an assessment and controls evaluation periodically; a listing of alternative risk control mechanisms that members may consider implementing to mitigate their own risk; a listing of financial institution contacts for members' discretionary use to report suspected fraud.
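As an added example (not from the presentation or CliftonLarsonAllen), the payment-review controls of slide 62 applied to the two cases on slides 57 and 58: a small Python rule engine that checks per-transfer dollar thresholds, dual authorization, call-back verification, daily aggregate limits, a velocity check over a trailing three-hour window, and a customer-requested halt. The limits, timestamps, amounts and customer names are constructed assumptions; the wire-burst replay reproduces the page's numbers (47 requests in three hours, 38 after the halt request).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

VELOCITY_WINDOW = timedelta(hours=3)   # the three-hour burst in the slide 57 case


@dataclass
class Transfer:
    customer: str
    amount: float
    dest_country: str                # country of the receiving bank
    submitted: datetime
    dual_authorized: bool = False    # a second employee approved the payment
    callback_verified: bool = False  # bank confirmed by phone on a known number


@dataclass
class Profile:
    customer: str
    single_limit: float          # per-transfer dollar threshold (assumed value)
    daily_limit: float           # aggregate released dollars per calendar day
    velocity_max: int            # attempts tolerated in any trailing 3-hour window
    usual_countries: Set[str]    # destinations present in the customer's history
    hold_requested_at: Optional[datetime] = None  # when the customer asked to stop


def review(t: Transfer, p: Profile, attempts: List[Transfer],
           released: List[Transfer]) -> List[str]:
    """Apply the layered rules to one transfer. Returns the reasons it must be
    held for manual review; an empty list means it may be released."""
    reasons = []
    if p.hold_requested_at is not None and t.submitted >= p.hold_requested_at:
        reasons.append("customer requested halt")
    if t.amount > p.single_limit:
        if not t.callback_verified:
            reasons.append("over single limit without callback verification")
        if not t.dual_authorized:
            reasons.append("over single limit without dual authorization")
    day_total = sum(r.amount for r in released
                    if r.submitted.date() == t.submitted.date())
    if day_total + t.amount > p.daily_limit:
        reasons.append("daily aggregate limit exceeded")
    recent = [a for a in attempts if t.submitted - a.submitted <= VELOCITY_WINDOW]
    if len(recent) + 1 > p.velocity_max:
        reasons.append("velocity: %d attempts in 3 hours" % (len(recent) + 1))
    if t.dest_country not in p.usual_countries and not t.callback_verified:
        reasons.append("new destination country %s" % t.dest_country)
    return reasons


def process(batch: List[Transfer], p: Profile) -> List[Tuple[Transfer, List[str]]]:
    """Review a batch in submission order. Held attempts still count toward
    velocity (the attempt itself is the signal); only released transfers count
    toward the daily dollar aggregate."""
    attempts: List[Transfer] = []
    released: List[Transfer] = []
    results = []
    for t in sorted(batch, key=lambda x: x.submitted):
        reasons = review(t, p, attempts, released)
        attempts.append(t)
        if not reasons:
            released.append(t)
        results.append((t, reasons))
    return results


def released_count(results) -> int:
    return sum(1 for _, reasons in results if not reasons)


def ach_case():
    """Constructed replay of slide 58: $8,000 to Houston, then two $540,000
    transfers to Romania, all within 30 minutes. Limits are assumed."""
    p = Profile("biz-a", single_limit=50_000, daily_limit=100_000,
                velocity_max=5, usual_countries={"US"})
    t0 = datetime(2012, 3, 1, 14, 0)
    batch = [Transfer("biz-a", 8_000, "US", t0),
             Transfer("biz-a", 540_000, "RO", t0 + timedelta(minutes=10)),
             Transfer("biz-a", 540_000, "RO", t0 + timedelta(minutes=25))]
    return process(batch, p)


def wire_burst_case():
    """Constructed replay of slide 57: 47 requests in three hours from a customer
    who had made two transfers ever; the customer asks the bank to halt after
    the ninth request, so 38 requests arrive after the halt."""
    p = Profile("biz-b", single_limit=50_000, daily_limit=100_000,
                velocity_max=3, usual_countries={"US", "GB"})
    t0 = datetime(2012, 3, 2, 9, 0)
    countries = ["US", "GB", "RU", "EE", "FI", "CN"]
    batch = [Transfer("biz-b", 12_000, countries[i % 6], t0 + timedelta(minutes=3 * i))
             for i in range(47)]
    p.hold_requested_at = t0 + timedelta(minutes=27)   # just before the tenth request
    return process(batch, p)


if __name__ == "__main__":
    for name, results in (("ACH", ach_case()), ("wire burst", wire_burst_case())):
        print(name, "released:", released_count(results), "of", len(results))
        for t, reasons in results[:4]:
            print("  %9.0f -> %s: %s" % (t.amount, t.dest_country, reasons or ["release"]))
```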
64 Questions?
65 Thank you! 2012 CliftonLarsonAllen LLP. Randy Romes, CISSP, CRISC, MCP, PCI QSA; Principal, Information Security Services.
66 Solutions From SANS Report: 20 Critical Controls (r_effective_cyber_defense_cag.pdf):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
67 Common Compliance Requirements: Compliance Matrix. Resources: mpliance_wp_20.pdf
68 Resources: Hardening Checklists: hardening checklists from vendors; CIS offers vendor-neutral hardening resources; Microsoft Security Checklists (us/library/dd aspx). Most of these will be from the BIG software and hardware providers.
69 Resources: In the News: Privacy Rights <dot> org, a resource for state laws (breach FAQ #10).
70 References: Bank Info Security (com/). FDIC ACH Advisories (index.html). SANS report (2009) (cyber security risks/summary.php).
71 References: Michigan company sues bank (com/s/article/ /michigan sues _bank_over_theft_of_560_000_?taxonomyid=17). Phish foiled (com/2010/02/comerica phish 2 factor protection/#more 973). Bank sues Texas company.
72 Examples in the news (Google: "cloud service outage"): "Microsoft Windows Azure Cloud Suffers Outage; Blame Leap Year...", Feb 29, 2012: Microsoft Windows Azure, the software company's cloud computing service, has been suffering through a lengthy outage today, preventing... "Amazon gets 'black eye' from cloud outage", Computerworld, Apr 21, 2011: Keith Shaw chats with Network World's Jon Brodkin about the Amazon EC2 cloud service outage that...
73 Examples in the news: "Chinese Gmail Attack Compromises Hundreds of Accounts", June 3, 2012: Earlier this week, Google discovered that a number of its Gmail account user names and passwords of personal accounts belonging to senior government officials, activists, and journalists had been compromised. The hack appears to have originated from Jinan, China, although Google did not accuse any individuals or governments of orchestrating the attack.
74 Examples in the news: Cloud Computing Service Outages (Cloud Computing Major Service Outages In 2011.htm): PlayStation Network, 4/21/11, 25 days; Amazon Web Services, 4/21/11, 4 days; Twitter, 2/25, 3/16, 3/25, 3/27, hours at a time; Gmail and Google Apps, 2/27/11, 2 days; Intuit Service & QuickBooks, 3/28/, days.
75 References to Specific State Laws: "Are there state-specific breach listings? Some states have state laws that require breaches to be reported to a centralized database. These states include Maine, Maryland, New York, New Hampshire, North Carolina, Vermont and Virginia (Virginia's notification law only applies to electronic breaches affecting more than 1,000 residents). However, a number of other states have some level of notification that has been made publicly available, primarily through Freedom of Information requests. These states include California, Colorado, Florida, Illinois, Massachusetts, Michigan, Nebraska, Hawaii and Wisconsin." State laws: For details, see the Open Security Foundation Datalossdb website:
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationAuditing the Cloud. Paul Engle CISA, CIA
Auditing the Cloud Paul Engle CISA, CIA About the Speaker Paul Engle CISA, CIA o Fifteen years performing internal audit, IT internal audit, and consulting projects o Internal audit clients include ADP,
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationSANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045
Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationCybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016
Cybersecurity: Considerations for Internal Audit Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016 Agenda Key Risks Incorporating Internal Audit Resources Questions 2 San Francisco
More informationProtecting your Data in the Cloud. Cyber Security Awareness Month Seminar Series
Protecting your Data in the Cloud Cyber Security Awareness Month Seminar Series October 24, 2012 Agenda Introduction What is the Cloud Types of Clouds Anatomy of a cloud Why we love the cloud Consumer
More informationNo IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP
No IT Audit Staff? How to Hack an IT Audit Presenters Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP Learning Objectives After this session, participants will be able to: Devise
More informationSOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2
Requirement Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence
More informationEducation Network Security
Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or
More informationThe BUSINESS of Fraud. Don t let it put you out of business. AFFILIATE LOGO
The BUSINESS of Fraud. Don t let it put you out of business. Veenindra J. Singh, First Vice President, Treasury Management Consultant California Bank & Trust 300 Lakeside Drive, Suite 800 Oakland, Ca 94612
More informationPersonal Physical Security
Security Essentials For Personal Personal Physical Security Lights at night and/or motion sensitive flood lights Cut your bushes so people can t hide behind them Lock your doors and windows (do a nightly
More informationWatson Developer Cloud Security Overview
Watson Developer Cloud Security Overview Introduction This document provides a high-level overview of the measures and safeguards that IBM implements to protect and separate data between customers for
More informationTOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION
INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationEffective Cyber Incident Response in Insurance Companies
August 2017 Effective Cyber Incident Response in Insurance Companies An article by Raj K. Chaudhary, CRISC, CGEIT; Troy M. La Huis; and Lucas J. Morris, CISSP Audit / Tax / Advisory / Risk / Performance
More informationLes joies et les peines de la transformation numérique
Les joies et les peines de la transformation numérique Georges Ataya CISA, CGEIT, CISA, CISSP, MSCS, PBA Professor, Solvay Brussels School of Economics and Management Academic Director, IT Management Education
More informationCybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank
Cybersecurity Panel: Cutting through Cybersecurity Hype with Practical Tips to Protect your Bank NJ Bankers Association Annual Convention May 19, 2017 Presented by: Jeremy Burris, Principal, S.R. Snodgrass,
More informationToday s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches
Today s Security Threats: Emerging Issues Keeping CFOs Up at Night Understanding & Protecting Against Information Security Breaches Chris Bucolo, PCIP, MBA Today s Speaker Chris Bucolo Sr. Manager, Sikich
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationSneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security
Sneak Peak at CIS Critical Security Controls V 7 Release Date: March 2018 2017 Presented by Kelli Tarala Principal Consultant Enclave Security 2 Standards and Frameworks 3 Information Assurance Frameworks
More informationIs your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner
Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial
More informationWhat are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards
PCI DSS What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards Definition: A multifaceted security standard that includes requirements for security management, policies, procedures,
More informationIt Takes the Village to Secure the Village SM
It Takes the Village to Secure the Village SM Stan Stahl, Ph.D. President Information Systems Security Association Los Angeles Chapter September 30, 2013 2 Online Bank Fraud is Major Challenge. Victim
More informationCrises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.
Crises Control Cloud Security Principles Transputec provides ICT Services and Solutions to leading organisations around the globe. As a provider of these services for over 30 years, we have the credibility
More informationCybersecurity. Overview. Define Cyber Security Importance of Cyber Security 2017 Cyber Trends Top 10 Cyber Security Controls
Cybersecurity Hospitality Finance and Technology Professionals June 27, 2017 Presented by: Harvey Johnson, CPA Partner Overview Define Cyber Security Importance of Cyber Security 2017 Cyber Trends 1 About
More informationSolution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites
Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC
More informationEnterprise Cybersecurity Best Practices Part Number MAN Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More information716 West Ave Austin, TX USA
Fundamentals of Computer and Internet Fraud GLOBAL Headquarters the gregor building 716 West Ave Austin, TX 78701-2727 USA TABLE OF CONTENTS I. INTRODUCTION What Is Computer Crime?... 2 Computer Fraud
More informationTroubleshooting and Cyber Protection Josh Wheeler
May 4, 2016 Troubleshooting and Cyber Protection Josh Wheeler Network Security Network Security Risks Video Network Security Risks Article Network Security Risks Data stealing or disruption of network
More informationEvolution of Cyber Security. Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa
Evolution of Cyber Security Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa Nasser.Kettani@microsoft.com @nkettani MODERN SECURITY THREATS THERE ARE TWO KINDS OF BIG COMPANIES:
More informationRegulation P & GLBA Training
Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed
More informationTop Ten IT Security Risks CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES
Top Ten IT Security Risks - 2017 CHRISTOPHER S. ELLINGWOOD SENIOR MANAGER, IT ASSURANCE SERVICES INTRODUCTION IT S ALL CONNECTED IN 2017. All of our Top 10 risks impact both us as consumers and as professionals
More informationISE North America Leadership Summit and Awards
ISE North America Leadership Summit and Awards November 6-7, 2013 Presentation Title: Presenter: Presenter Title: Company Name: Embracing Cyber Security for Top-to-Bottom Results Larry Wilson Chief Information
More informationCISO as Change Agent: Getting to Yes
SESSION ID: CXO-W02F CISO as Change Agent: Getting to Yes Frank Kim Chief Information Security Officer SANS Institute @fykim Outline Catch the Culture Shape the Strategy Build the Business Case 2 #1 Catch
More informationCyberSecurity: Top 20 Controls
CyberSecurity: Top 20 Controls ISACA Kampala Chapter CPD Event - 30 March 2017 By Bernard Wanyama - CISA, CGEIT, CRISC, CISM Assume breach.. The CIS Top 20 Critical Security Controls CIS, SANS, NSA and
More informationA Measurement Companion to the CIS Critical Security Controls (Version 6) October
A Measurement Companion to the CIS Critical Security Controls (Version 6) October 2015 1 A Measurement Companion to the CIS Critical Security Controls (Version 6) Introduction... 3 Description... 4 CIS
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More informationSecuring Information Systems
Chapter 7 Securing Information Systems 7.1 2007 by Prentice Hall STUDENT OBJECTIVES Analyze why information systems need special protection from destruction, error, and abuse. Assess the business value
More informationRecognizing Fraud Staying Safe 2018 Information/Cyber Security Training
Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training Copyright Sage Data Security 2017-2018 All Rights Reserved Presented by: John H Rogers, CISSP Director of Advisory Services john.rogers@sagedatasecurity.com
More informationAgenda. Security essentials. Year in review. College/university challenges. Recommendations. Agenda RSM US LLP. All Rights Reserved.
Agenda Agenda Security essentials Year in review College/university challenges Recommendations 2 About me Matt Franko Director, Risk Advisory Services matthew.franko@rsmus.com (216) 927-8224 11+ years
More information