It Takes the Village to Secure the Village (SM)
Stan Stahl, Ph.D., President, Information Systems Security Association, Los Angeles Chapter. September 30, 2013
Online Bank Fraud is a Major Challenge. Victim Losses Often Not Reimbursed. http://www.bankinfosecurity.com/blogs/survey-says-ach-wire-fraud-growing-p-1509
Annual Cost of Online Bank Fraud: $1,000,000,000. Bloomberg, Aug 4, 2011: http://www.bloomberg.com/news/2011-08-04/hackers-take-1-billion-a-year-from-company-accounts-banks-won-t-indemnify.html
Financial Fraud and Identity Theft Continue to Climb. 613,483,424 financial records reported breached, January 10, 2005 to September 19, 2013. These count only reported breaches; they count neither (1) discovered but unreported breaches nor (2) undiscovered breaches.
Average Cost of Data Breach: $200 per compromised record; $5.5 million per event. California Civil Code Section 56.36: $1,000 nominal damages for disclosure of medical information. http://www.ponemon.org/index.php
State-Sponsored Intellectual Property Theft: Death by a Thousand Cuts
Small Business Cybercrime Risk is Significant. More than ¾ of small businesses believe their companies are safe from hackers. 20% - 30% of all cyberattacks hit small businesses with 250 or fewer employees. 60% of small businesses close within 6 months of being victimized by cybercrime.
Organizations Must Comply with Cyber Security Laws & Regulations
Cyber Security Need vs. Reality
Anti-Virus Catches Only 10% of the Most Prevalent Attack (30 days, last June). http://krebsonsecurity.com/2012/06/a-closer-look-recent-email-based-malware-attacks/
60% of Zeus Attacks Get Through Anti-Virus Programs (March 2013; July 2011). https://zeustracker.abuse.ch/
Users Unwittingly Open the Door to Cybercrime. Example phishing link shown on the slide: http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal.jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o.aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/
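The slide's point is that the "citibank.com" at the front of the link is only a subdomain label; the part that decides where the browser actually goes is the last two labels, paroquiansdores.org. The following is an added example (not from the deck or from Citadel) that breaks a hostname into its labels and reports the registrable domain, brand names used as lures, and security-sounding decoy words. The brand list, the decoy-word list and the "last two labels" simplification are this example's own assumptions; a production check would consult the Public Suffix List.

```python
"""Added example: show which part of a deceptive URL really controls the destination.

The sample URL is the phishing link reproduced on the slide. The brand list,
decoy-word list and the two-label registrable-domain rule are assumptions made
for this example (a real check would use the Public Suffix List)."""
from urllib.parse import urlsplit

# Brand names a user might be fooled by (assumption for this example).
WATCHED_BRANDS = ("citibank", "paypal", "chase", "wellsfargo")

# Words that make a subdomain chain look like a login flow (assumption).
DECOY_WORDS = {"secure", "ssl", "signon", "login", "sessionid", "verify"}

# URL shown on the slide: a "citibank.com" prefix hides the real domain at the end.
SLIDE_URL = ("http://www.citibank.com.us.welcome.c.track.bridge.metrics.portal."
             "jps.signon.online.sessionid.ssl.secure.gkkvnxs62qufdtl83ldz."
             "udaql9ime4bn1siact3f.uwu2e4phxrm31jymlgaz.9rjfkbl26xnjskxltu5o."
             "aq7tr61oy0cmbi0snacj.4yqvgfy5geuuxeefcoe7.paroquiansdores.org/")


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: enough for .com/.org, but 'example.co.uk' would need the
    Public Suffix List to be handled correctly."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str) -> dict:
    """Describe where the hostname really points and why it looks deceptive."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.lower().strip(".").split(".")
    # Brand names appearing anywhere except in the registrable domain are lures.
    lure_brands = [b for b in WATCHED_BRANDS
                   if any(b in lbl for lbl in labels[:-2])]
    # Security-sounding words used as subdomain labels are a classic tell.
    decoy_words = sorted(w for w in DECOY_WORDS if w in labels)
    return {
        "registrable_domain": registrable_domain(host),
        "label_count": len(labels),
        "lure_brands": lure_brands,
        "decoy_words": decoy_words,
        "uses_https": parts.scheme == "https",
        # Heuristic: a lure brand or an unusually deep label chain is suspicious.
        "suspicious": bool(lure_brands) or len(labels) > 6,
    }


if __name__ == "__main__":
    for key, value in analyze_url(SLIDE_URL).items():
        print(f"{key:20} {value}")
```

Run as a script it prints that the registrable domain is paroquiansdores.org, that "citibank" appears only as a lure label, and that four decoy words (secure, sessionid, signon, ssl) pad out a 24-label hostname; the same function reports a plain https://www.citibank.com/login as not suspicious. The useful lesson for user training is the one the slide makes: read a link from the right-hand end of the hostname, not the left.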
Caution: Opening that Attachment Can Be Dangerous to Your Information. Booby-trapped attachment exploits a Java vulnerability when opened.
Caution: Visiting That Website Can Be Dangerous to Your Information
Anatomy of a Cyber Attack (diagram). Steps: exploit human & technical weakness; install malware on victim computer; steal IP, bank account info, etc. Nodes shown: Cybercriminal, Staff, Servers.
The Bottom Line: The Status Quo is No Longer Acceptable. The risk is real. The impact can be existential. The C-suite must get involved. Everyone has a vital role to play. "Information security requires CEO attention in their individual companies." Business Roundtable, 2004
Sun Tzu and the Art of Cyber Security Management. "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles. If you do not know your enemies but do know yourself, you will win one and lose one. If you do not know your enemies nor yourself, you will be imperiled in every single battle."
The New Language of Cyber Security Management. "Problems cannot be solved by the same level of thinking that created them." Albert Einstein. Information Risk = (Threats × Vulnerabilities) / Countermeasures
Information Risk Management: The Big Picture. Information Security Management. Copyright 2013. Citadel Information Group, Inc. All Rights Reserved.
Information Security Management Strategy: proactively manage information security just as you proactively manage finance, operations and other critical operational functions.
1. Implement formal risk-driven information security policies and standards
2. Identify, document and control sensitive information
3. Train and educate personnel
4. Manage IT infrastructure from an information security point of view
Implement a Risk-Managed, Policy-Driven, Layered Approach to Achieve Defense in Depth. Operating assumption: cyber criminals will get through any particular defense. Layers (diagram): Top-Management Policies and Standards; Information Inventory; Training / Culture; 3rd-Party IT Management & Development Security Standards; Documentation, Checklists & Procedures; Appropriate Technology; Training. Image: The Citadel, Halifax, Nova Scotia.
Comply with Laws, Regulations, Contracts. Take Advantage of Recommended Practices.
US Federal Law: HIPAA; HITECH; Gramm-Leach-Bliley; FTC Rule; FFIEC Banking Rules; FISMA
State Breach Disclosure & Other Laws: CA Civil Code 1798.81.5; CA 1386 / SB24 Breach Disclosure; most states
Contracts: MasterCard and Visa Data Security Standard (PCI)
European & Other Laws
ISO standards: ISO 27001; ISO 27002
Government Standards, Guides & Advisories: NIST; NSA; US-CERT
Practitioner Standards: ISSA; OWASP; CSA; (ISC)2; ISACA; SANS Institute
Provide Top-Level Governance, Management & Leadership. "Information security requires CEO attention in their individual companies." Business Roundtable, 2004
The ISO 27001-02 Framework: Information Security Management System. A5: Security Policy; A6: Organization; A7: Asset Management; A8: Human Resources; A9: Physical / Environmental; A10: Communication & Operations Management; A11: Access Control; A12: Acquisition, Development & Maintenance; A13: Incident Management; A14: Business Continuity; A15: Compliance. Continuous Process Improvement Engine.
Tactic: Be Wary of Email and Links on Internet & Social Media Sites
Tactic: Keep Computer Programs Patched and Updated. Report available from Citadel via LinkedIn, Facebook, RSS, Twitter, ISSA-LA, CDSA and email.
Tactic: Be Wary of Dropbox and Other Cloud Services. From the Citadel Weekend Vulnerability & Patch Report: Citadel warns against relying on Dropbox security. We recommend that files containing sensitive information be independently encrypted with a program like AxCrypt; that encryption keys be at least 15 characters long; and that the Dropbox password be at least 15 characters long and different from other passwords. Citadel Guide: Eight Security Concerns Before Jumping Into the Cloud
Tactic: Test Your Websites Against Common Vulnerabilities
Tactic: Take Specific Action to Protect Against Online Bank Fraud. Use a separate workstation for online banking: keep it patched; use it only for online banking (no email, no web browsing); isolate it from the corporate network. Also: out-of-band confirmation; daily reconciliation; manage authorization; Positive Pay.
What's in it for us?
Teaching the Community
Teaching the Next Generation
Setting the Next Agenda
Wealth Creation and Protection
Passion
Purpose and Meaning
For More Information. Stan Stahl, Stan@citadel-information.com, 323-428-0441. LinkedIn: Stan Stahl. Twitter: @StanStahl. Citadel Information Group: www.citadel-information.com (Information Security Resource Library; Citadel Guides; Cyber Security News of the Week; Weekend Vulnerability and Patch Report). ISSA-LA: www.issa-la.org. Technical Meetings: 3rd Wednesday of the month. CFO Working Group: 3rd Friday of odd months. Financial Services Security Forum: 4th Friday of the month. 6th Annual Summit: May 2014.
The Information Security Conversation
It Takes the Village to Secure the Village (SM). Thank You!