CYBER SECURITY AND MITIGATING RISKS

WHO
Tom Stewart, Associate Director, Technology Consulting, Chicago Technical Security Leader, Protiviti

PRESENTATION AGENDA
- Start
- Hacking: definition, brief history, types
- Computer hacking: types, motivations
- Risks
- Controls
- 4 simple steps
- Finish

HACKING DEFINITION
Hacking is the practice of modifying the features of a system in order to accomplish a goal outside of the creator's original purpose. Computer hacking refers to the technique or process by which an individual attempts to gather information about, or gain access to, a computer system. People who engage in computer hacking activities are often called hackers. There is more than one type of hacking.

MORE THAN ONE: Types of Hacking
- Electrical / mechanical
- Life
- Phone
- Computer

BRIEF HISTORY
- 1965: first Unix vulnerability
- 1970s: phone phreaking
- 1980s: the worm is invented, leading to the first large-scale attacks
- 1990: sting operation (Operation Sundevil)
- 1990s: the movies; hacking enters mainstream culture
- 1996: 65% success rate for attacks on government systems
Once only a hobby for a few, hacking quickly turned into a vehicle for criminal enterprises and garnered the attention of mainstream culture.

BRIEF HISTORY (Cont.)
- 2000s: rise of the Internet; ILOVEYOU virus; botnets
- 2010: a new type of hacker: Anonymous, LulzSec, WikiLeaks
- 2012: large retail becomes a major target (Neiman Marcus, Home Depot)
- 2014: healthcare industry (Anthem, DDHS)
- 2016: paradigm shift in cyberwarfare (Democratic National Committee)
- 2017+: rising ransomware (WannaCry); IoT hacking
A new wave of hackers has emerged, motivated not by financial gain but by social values.

HACKER TYPES
01 WHITE HAT: good guys; non-malicious intent; ethical hacker
02 BLACK HAT: bad guys; malicious intent; cracker
03 GREY HAT: a mix of white and black hat; breaks in, then notifies the administrator of the issue
04 BLUE HAT: outside consulting firm that tests a system prior to or after launch
05 SCRIPT KIDDIES: little knowledge; use pre-packaged tools
06 HACKTIVIST: uses hacking to announce a social, religious, or political message; WikiLeaks

MODERN HACKING: Types of Computer Hacking
- VULNERABILITY EXPLOITATION: exploiting system flaws to obtain access to data or networks
- SOCIAL ENGINEERING: exploiting human emotion to gain access to personal information
- WIRELESS: exploiting wireless flaws to remotely obtain access to data or networks

VULNERABILITY EXPLOITATION: 3 Steps
- STEP 1: Network enumeration
- STEP 2: Vulnerability identification
- STEP 3: Exploitation, giving access to critical data
While exact techniques differ, modern vulnerability exploitation generally follows these three set phases.
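The first two phases in code, as an added example that is not part of the slides or of Protiviti's material: a TCP connect scan of a host enumerates open ports, a banner grab identifies the service, and the parsed version is compared against a table of "fixed-in" versions. The FIXED_IN table and the OpenSSH/vsFTPd banners are constructed placeholders, not real advisory data; in practice the table comes from vendor advisories or a CVE feed. The fake_service helper stands in for a real target so the scan can be run against 127.0.0.1 offline.

```python
"""Enumerate listening services and flag versions below a known fix (added example; constructed data)."""
import re
import socket
import threading

# Assumed, constructed table: product -> first version in which an illustrative flaw is fixed.
# Placeholder values only; real work pulls these from the vendor advisory or a CVE feed.
FIXED_IN = {"OpenSSH": (7, 4), "vsFTPd": (3, 0, 3)}

BANNER_RE = re.compile(r"(OpenSSH|vsFTPd)[_ ]?v?(\d+(?:\.\d+)*)")


def parse_version(s):
    """'7.2' -> (7, 2); tuples compare element-wise, which is what we need for 'below fix'."""
    return tuple(int(p) for p in s.split("."))


def identify(banner):
    """Step 2: map a service banner to product/version and decide if it predates the fix."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    product, version = m.group(1), parse_version(m.group(2))
    fixed = FIXED_IN.get(product)
    return {"product": product, "version": version,
            "vulnerable": fixed is not None and version < fixed}


def enumerate_ports(host, ports, timeout=0.2):
    """Step 1: TCP connect scan; a completed handshake means the port is open."""
    open_ports = []
    for port in ports:
        with socket.socket() as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0):
    """Read whatever the service volunteers on connect (SSH and FTP both announce themselves)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode(errors="replace").strip()


def fake_service(banner):
    """Constructed stand-in target: listens on an ephemeral localhost port and sends a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh_port = fake_service(b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n")
    ftp_port = fake_service(b"220 (vsFTPd 3.0.3)\r\n")
    lo, hi = min(ssh_port, ftp_port) - 2, max(ssh_port, ftp_port) + 2
    for port in enumerate_ports("127.0.0.1", range(lo, hi)):
        banner = grab_banner("127.0.0.1", port)
        print(port, banner, identify(banner))
```

Note that a version with fewer components (a banner of just "OpenSSH_7") compares as below (7, 4); treat such short banners as "needs manual confirmation" rather than as a finding.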

SOCIAL ENGINEERING: 3 Types
- PHYSICAL: key loggers, virus installs, remote system setup
- ELECTRONIC: phishing e-mails, information gathering
- TELEPHONIC: telephone calls, information gathering
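For the electronic type, the checks a mail gateway or analyst applies to a suspected phishing e-mail, as an added example that is not from the slides: the sender domain is compared against known brand domains for lookalikes, Reply-To is checked against From, urgency wording is flagged, and each link's visible text is compared with its real destination. The message, the brand domain examplebank.com and the word list are all constructed for the example.

```python
"""Flag common phishing indicators in a raw e-mail (added example; constructed input)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message; examplebank.com is an assumed legitimate brand domain.
RAW_MESSAGE = b"""From: "ExampleBank Security" <alerts@examp1ebank.com>
Reply-To: recover@mail-verify.example.net
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is suspended. Please <a href="http://198.51.100.7/login">https://examplebank.com/login</a> now.</p>
</body></html>
"""

KNOWN_DOMAINS = {"examplebank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from a brand domain is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    return any(0 < edit_distance(domain, known) <= 2 for known in KNOWN_DOMAINS)


def url_host(url):
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    if lookalike(from_domain):
        findings.append(f"sender domain looks like a known brand: {from_domain}")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain differs from From: {domain_of(reply_to)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = (msg["Subject"] or "").lower() + " " + text.lower()
    if any(word in haystack for word in URGENCY_WORDS):
        findings.append("urgency language in subject or body")
    parser = LinkExtractor()
    parser.feed(text)
    for href, visible in parser.links:
        real = url_host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            findings.append(f"link points at a bare IP address: {real}")
        shown = url_host(visible)
        if shown and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(RAW_MESSAGE):
        print("-", finding)
```

None of these indicators is conclusive on its own (legitimate bulk mailers often set a different Reply-To); score them together and use the count to decide between delivering, quarantining and escalating.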

WIRELESS
01 Major threats: unauthorized rogue access points; new devices that ship with wireless included
02 Compromise of internal networks: confidentiality, integrity, availability
03 Use or disruption of resources: wireless DoS; injecting traffic into internal networks; drive-by spammers
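The rogue access point threat is usually found by comparing a wireless survey against an inventory of the access points the organization actually owns. The following is an added example, not from the slides: it reads a simplified airodump-ng-like CSV (the layout, the survey rows, the SSIDs and the inventory are all constructed), and flags an "evil twin" (the corporate SSID advertised by a BSSID we do not own), an owned AP not in the required security mode, and open networks nearby. Rogues are returned strongest signal first, because clients roam to the loudest AP.

```python
"""Flag rogue and evil-twin access points in a wireless survey (added example; constructed data)."""
import csv
import io

# Constructed survey in a simplified airodump-ng-like CSV layout (assumed format, not a real capture).
SURVEY_CSV = """bssid,channel,privacy,power,essid
00:11:22:33:44:01,6,WPA2,-42,CorpWiFi
00:11:22:33:44:02,11,WPA2,-55,CorpWiFi
DE:AD:BE:EF:00:01,6,WPA2,-38,CorpWiFi
DE:AD:BE:EF:00:02,1,OPN,-40,CorpWiFi
AA:BB:CC:DD:EE:FF,1,OPN,-70,Free_Airport_WiFi
00:11:22:33:44:03,36,WPA,-60,CorpGuest
"""

# Assumed authorized inventory: SSID -> (required security mode, BSSIDs we own).
AUTHORIZED = {
    "CorpWiFi": ("WPA2", {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
    "CorpGuest": ("WPA2", {"00:11:22:33:44:03"}),
}


def parse_survey(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["power"] = int(row["power"])  # dBm, larger (closer to 0) is stronger
    return rows


def classify(row):
    ssid, bssid, privacy = row["essid"], row["bssid"].upper(), row["privacy"].upper()
    if ssid in AUTHORIZED:
        required, owned = AUTHORIZED[ssid]
        if bssid not in owned:
            return "evil_twin"      # our SSID from hardware we do not own
        if privacy != required:
            return "misconfigured"  # our AP, but not in the required security mode
        return "authorized"
    if privacy == "OPN":
        return "open_unknown"       # not ours, but an open network staff may join
    return "unknown"


def find_rogues(text):
    """(bssid, ssid, verdict, power) for every non-authorized AP, strongest signal first."""
    rows = [(r["bssid"].upper(), r["essid"], classify(r), r["power"]) for r in parse_survey(text)]
    return sorted((x for x in rows if x[2] != "authorized"), key=lambda x: -x[3])


if __name__ == "__main__":
    for bssid, ssid, verdict, power in find_rogues(SURVEY_CSV):
        print(f"{verdict:14} {bssid} {ssid!r} {power} dBm")
```

An evil twin on the same channel and with a stronger signal than the real AP (the first row returned above) is the case that deserves a walk to the physical location; the inventory check only works if the BSSID list is kept current when access points are replaced.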

HACKER MOTIVATIONS: What makes them go?
- Curiosity and challenges
- Reputation and notoriety
- Money and personal gain
- Hacktivism and social rights

RISK TYPES
"It takes twenty years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." (Warren Buffett)
The slide describes each risk type by what it results in:
- reduced customer and vendor confidence
- fines or legal action
- loss of productivity and increased operational costs
- employee accountability issues

CONTROL FRAMEWORKS: How Do We Protect Ourselves?
Frameworks: 01 NIST CSF; 02 ISO 27002; 03 COBIT
Control areas: program management; incident response; logical / physical security; training / awareness; private data; vendor management; compliance; data privacy

MULTI-FACETED APPROACH
- Automated processes and preventative controls
- Manual processes and detective controls

RISK CONTROL
Domains: Management; Data Privacy; Information Security; Physical Security; Incident Response; Training and Awareness; Vendor Management

RISK CONTROL: Management
Topics: roles and responsibilities; risk assessment
Question: Do I know my risks regarding my information?
Example controls:
- Roles and responsibilities for data protection have been clearly defined and assigned to specific individuals.
- Accessible data within the functional area is identified, classified, and inventoried in accordance with corporate Data Classification Standards.
- Classification of data is based on the importance of the asset, its business value and its associated security requirements.

RISK CONTROL: Data Privacy
Topics: collection and usage of personal data; notice, consent, and quality; knowledge sharing
Question: Am I in compliance with all applicable privacy laws and regulations?
Example controls:
- Personal data is only used in compliance with the privacy policies communicated to customers, as well as applicable privacy laws and regulations.
- All procedures have been designed to protect the privacy of personal data in compliance with current data privacy laws.
- A written procedure is in place to confirm that packaged knowledge from other sources can be utilized.

RISK CONTROL: Information Security
Topics: access rights; authentication; storage; transmission; backups; systems security; network security; information disposal; application development and management
Question: Is my information protected?
Example controls:
- Access rights to confidential data are defined and documented.
- Access to sensitive information is controlled by authentication methods that comply with current industry standards.
- The technology and processes used to store sensitive data are in accordance with current industry standards.

RISK CONTROL: Physical Security
Topics: physical security; walkthroughs
Question: Is my information physically secure?
Example controls:
- Physical security controls are in place to prevent unauthorized physical access.
- Unscheduled physical walkthroughs are performed to check compliance with information security controls.

RISK CONTROL: Incident Response
Topics: security breach response and reporting; root cause analysis
Question: Am I prepared in the event that a breach occurs?
Example controls:
- A written procedure is in place for the prompt reporting of any known or suspected security breach.
- Technology is in place to detect breaches.
- A process is in place after a breach to determine root causes.

RISK CONTROL: Training and Awareness
Topics: initial training; ongoing training and awareness; roll-on and roll-off
Question: Is my organization aware of our information protection requirements?
Example controls:
- Personnel are required to complete training outlining the proper handling and protection of sensitive information prior to being granted access to sensitive information.
- Data protection training and awareness is communicated on an ongoing basis and is updated annually.
- A roll-on and roll-off procedure is in place to (a) help ensure personnel rolling onto and off the project are made aware of the requirements with respect to information protection and (b) prevent sensitive information from other projects from entering the current project environment.

RISK CONTROL: Vendor Management
Topics: vendor compliance
Question: Do my vendors securely protect my information?
Example controls:
- A process is in place to address privacy concerns with regard to vendors or other third parties that handle confidential information on behalf of the company.
- VPN access is restricted to only those systems necessary to perform the contracted services.

4 SIMPLE STEPS: Where to go from here
01 PERMISSIONS: file shares, applications, vendors
02 PATCHING: operating system, applications
03 SYSTEM HARDENING: network devices, firewalls, servers, workstations
04 PROACTIVE TESTING: simulated penetration testing and vulnerability assessments for low-hanging fruit
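Steps 01 and 03 in code, as an added example that is not from the slides: a permissions walk that flags world-writable files and setuid/setgid binaries under a directory (the classic file-share and server findings), and a check of an sshd_config against a small hardening baseline. The baseline directives and the sample config are assumed for the example; build_sample_tree creates a throwaway directory with one weak file of each kind so the audit runs offline on any Linux or macOS host.

```python
"""Audit file permissions and an sshd_config against a hardening baseline (added example)."""
import os
import stat
import tempfile

# Assumed baseline for step 03: sshd_config directive -> required value.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "Protocol": "2",
}

# Constructed config: root login enabled, password auth left at its default (commented out).
SAMPLE_SSHD_CONFIG = """# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
"""


def check_sshd(text):
    """(directive, found, required) for each baseline directive that is missing or wrong.
    sshd honours the first occurrence of a directive, so later duplicates are ignored here too;
    a missing directive is reported because its compiled-in default may not match the baseline."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        seen.setdefault(key, value.strip())
    return [(key, seen.get(key), want) for key, want in SSHD_BASELINE.items()
            if seen.get(key) != want]


def weak_permissions(root):
    """(relative path, finding) for world-writable entries and setuid/setgid regular files.
    A sticky world-writable directory (like /tmp) is normal and is not reported."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode is meaningless; its target is walked separately
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "world-writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return findings


def build_sample_tree():
    """Constructed directory with one acceptable file and one example of each weak case."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for name, mode in (("app.conf", 0o640), ("deploy.sh", 0o777), ("helper", 0o4755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    scratch = os.path.join(root, "scratch")
    os.mkdir(scratch)
    os.chmod(scratch, 0o1777)  # sticky, world-writable: expected, not a finding
    return root


if __name__ == "__main__":
    for rel, finding in weak_permissions(build_sample_tree()):
        print(f"{finding:14} {rel}")
    for key, found, want in check_sshd(SAMPLE_SSHD_CONFIG):
        print(f"sshd: {key} is {found!r}, baseline requires {want!r}")
```

Run weak_permissions against the mount point of a file share or a server's /usr/local and /opt; run check_sshd against the output of `sshd -T`, which prints the effective value of every directive and so also catches defaults the config file never mentions.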

Q & A
Tom Stewart, Associate Director, Technology Consulting, Chicago Technical Security Leader, Protiviti