The Human Firewall How Security Awareness Impacts Your Control Environment

Size: px
Start display at page:

Download "The Human Firewall How Security Awareness Impacts Your Control Environment"

Transcription

1 The Human Firewall How Security Awareness Impacts Your Control Environment Dane Boyd, Security Awareness Training Principal Consultant John Andrew, IT Security Auditor Dell

2 Agenda Introduction In The News Red Team Stories Defining the Problem Winning Awareness Strategies Winning Awareness Tactics Q&A 2 Classification: //Dell /Confidential - Limited External Distribution:

3 Introduction Dane Boyd, Security Awareness Training Principal Consultant - Awareness Com Leader CISO - Led DSWx Awareness practice for 5 years - Fun facts: (From, Speak, Hobby) John Andrew, CISA, CISSP, GLEG - IT Security Auditor dotted line to CISO - Over 20 Years IT, IT Audit, and IT Security experience - Fun facts: (From, Speak, Hobby) 3 Classification: //Dell /Confidential - Limited External Distribution:

4 Disclaimer Rules of the Road This presentation is prepared solely for educational purposes. Our goal is to engage IT Auditors in Security Awareness efforts. Much of what we will share is based on our personal experience. Take what benefits you forget the rest. Questions are welcome! Please wait until transition points. 4 Classification: //Dell /Confidential - Limited External Distribution:

5 In The News Wired writer Andy Greenberg reports on Jeep Cherokee exploit All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. 5 Classification: //Dell /Confidential - Limited External Distribution:

6 In The News Wall Street Journal Michael Hayden describing the OPM hack 21 MM Security Clearance Records compromised. 6 Classification: //Dell /Confidential - Limited External Distribution:

7 In The News 7 Classification: //Dell /Confidential - Limited External Distribution:

8 In The News Critical Infrastructure Survey Results 48% of IT Executives believe that it is likely that there will be an attack on critical infrastructure. When - in the next three years Impact resulting in loss of life 8 Classification: //Dell /Confidential - Limited External Distribution:

9 Red Team Stories Critical Infrastructure The ERIPP and SHODAN search engines can be easily used to find Internet facing ICS devices, thus identifying potential attack targets. These search engines are being actively used to identify and access control systems over the Internet. Combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before. 9 Classification: //Dell /Confidential - Limited External Distribution:

10 Red Team Stories Project Shine - Control Systems Found Include- Traffic light controls Traffic cameras Swimming Pool Acid Pump Hydroelectric plant Nuclear Power Plant Hotel Wine Cooler Hospital Heart Rate Monitor Home Security System Gondola Ride Car Wash 10 Source: html Classification: //Dell /Confidential - Limited External Distribution:

11 Red Team Stories DHS Public Private Partnership 2014 IC Analyst Private Sector Program Critical Manufacturing Findings Lack of Awareness and information sharing Interpretation of cyber threats and the cyber security posture differed significantly between management, engineering, audit, compliance, and IT security. Need for more training, education, and awareness across all Critical Sectors. 11 Classification: //Dell /Confidential - Limited External Distribution:

12 Information Security = Building a Castle 12 Classification: //Dell /Confidential - Limited External Distribution:

13 95% 95% of all attacks on enterprise networks are the result of successful spear phishing Source: Allan Paller, Director of Research - SANS Institute 13 Classification: //Dell /Confidential - Limited External Distribution:

14 Defense in Depth Firewall IDS/IPS Network Defense Layers Web Proxy Anti-Virus Endpoint Monitoring End-point Defenses User Key Terrain 14 Classification: //Dell /Confidential - Limited External Distribution:

15 Strategies for a Vigilant Employee Executive Support Vigilant Employee Inspect what you expect Proper Attention 15 Classification: //Dell /Confidential - Limited External Distribution:

16 Strategy: Inspect what you expect

17 Defense in Depth: A Closer Look Testing Only 60% User Key Terrain of organizations have a Security Awareness Program. 17 Source: PwC The Global State of Information Security Survey 2014 Classification: //Dell /Confidential - Limited External Distribution:

18 Testing Improves Learning The added effort required to recall the information makes learning stronger. Henry L. Roediger III, Washington University in St. Louis and a co-author of Make It Stick: The Science of Successful Learning. 18 Classification: //Dell /Confidential - Limited External Distribution:

19 Strategy: Executive Support 19 Classification: //Dell /Confidential - Limited External Distribution:

20 Reason #1: Employee Resentment This guy 20 Classification: //Dell /Confidential - Limited External Distribution:

21 Reason #2: Employees Understanding and her! 21 Classification: //Dell /Confidential - Limited External Distribution:

22 Reason #3: Executives are part of the problem 22 Classification: //Dell /Confidential - Limited External Distribution:

23 Whaling

24 The Whale Hunt Salary Previous jobs Donations 24 Classification: //Dell /Confidential - Limited External Distribution:

25 The Whale Hunt 25 Classification: //Dell /Confidential - Limited External Distribution:

26 The Whale Hunt Salary Previous jobs Donations Children s name Mother s death date 26 Classification: //Dell /Confidential - Limited External Distribution:

27 The Whale Hunt Salary Previous jobs Donations Children s name Mother s death date City & State 27 Classification: //Dell /Confidential - Limited External Distribution:

28 The Whale Hunt Salary Previous jobs Donations Children s name Mother s death date City & State Tax Record Home Address Aerial Photo of home 28 Classification: //Dell /Confidential - Limited External Distribution:

29 29 Classification: //Dell /Confidential - Limited External Distribution:

30 30 Classification: //Dell /Confidential - Limited External Distribution:

31 31 Classification: //Dell /Confidential - Limited External Distribution:

32 Strategy: Treat Awareness like a vulnerability 32 Classification: //Dell /Confidential - Limited External Distribution:

33 Proper Importance CVE CVE Employee ID In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. Source: Wikipedia 33 Classification: //Dell /Confidential - Limited External Distribution:

34 Live Poll: How frequently are you patching the human firewall? New Employee Security Awareness Training? Annual Security Awareness Training? Periodic Security Awareness Newsletter? Phishing Assessments? Lunch & Learn? Other areas? 34 Classification: //Dell /Confidential - Limited External Distribution:

35 Tactics 35 Classification: //Dell /Confidential - Limited External Distribution:

36 Typical Security Awareness Program Tactics Once a year Too Long! Computer Expert Policy Acknowledgement Form? 36 Classification: //Dell /Confidential - Limited External Distribution:

37 Frequency Duration Instructor Focus Testing Reinforcement Learn from Arnold Worked out twice a day Trained each muscle group 3x/week sets per workout Tens of thousands of pounds SAT Tip: Frequency matters!!! 37 Classification: //Dell /Confidential - Limited External Distribution:

38 Pop quiz! Where am I from? 38 Classification: //Dell /Confidential - Limited External Distribution:

39 Frequency Duration Instructor Focus Testing Reinforcement How often are you training your employees? 39 Classification: //Dell /Confidential - Limited External Distribution:

40 Frequency Duration Instructor Focus Testing Reinforcement Who is this??? Edward Everett, Spoke at Dedication of Soldier's National Cemetery Two hours long speech Who spoke after him? 40 Classification: //Dell /Confidential - Limited External Distribution:

41 Frequency Duration Instructor Focus Testing Reinforcement Learn from Lincoln Gettysburg Address 272 words Two minutes SAT Tip: Shorter is better! Make it consumable! 41 Classification: //Dell /Confidential - Limited External Distribution:

42 Frequency Duration Instructor Focus Testing Reinforcement How long are your training sessions? 42 Classification: //Dell /Confidential - Limited External Distribution:

43 Frequency Duration Instructor Focus Testing Reinforcement SAT Tip: Understanding security is a skill. Communication is a separate skill! 43 Classification: //Dell /Confidential - Limited External Distribution:

44 Frequency Duration Instructor Focus Testing Reinforcement Who here is a strong communicator? Who here is highly technical? 44 Classification: //Dell /Confidential - Limited External Distribution:

45 Frequency Duration Instructor Focus Testing Reinforcement Learn from Coast Guard Continually adapted to smugglers methods: Cargo ships Fast Boats Submarines SAT Tip: Training must be specific to threats and adapt as threats change. Intel is key! 45 Classification: //Dell /Confidential - Limited External Distribution:

46 Frequency Duration Instructor Focus Testing Reinforcement What threats do we see today? How do we adapt? 46 Classification: //Dell /Confidential - Limited External Distribution:

47 Frequency Duration Instructor Focus Testing Reinforcement What threats do we see today? How do we adapt? 47 Classification: //Dell /Confidential - Limited External Distribution:

48 Frequency Duration Instructor Focus Testing Reinforcement Learn from the US ARMY What is the number one principle in peacetime training? Replicate battlefield conditions SAT Tip: Include realistic simulations as tests 48 Classification: //Dell /Confidential - Limited External Distribution:

49 Frequency Duration Instructor Focus Testing Reinforcement What are the battlefield conditions? How do you simulate these conditions? Phishing Vishing USB Drops Tail gating Bacon Confiscating sensitive info 49 Classification: //Dell /Confidential - Limited External Distribution:

50 Frequency Duration Instructor Focus Testing Reinforcement Learn from Advertisers 1.2 billion media impressions Social Media Television Radio Signage 107% Increase in Sales SAT Tip: Consistent message & multiple mediums (Combined with frequency) to change behavior 50 Classification: //Dell /Confidential - Limited External Distribution:

51 Frequency Duration Instructor Focus Testing Reinforcement What does reinforcement look like? Posters Newsletters Signage Reward Program Recognition Programs Secret Shopper Trivia 51 Classification: //Dell /Confidential - Limited External Distribution:

52 Frequency Duration Instructor Focus Testing Reinforcement Output 52 Case file: Arnold Classification: //Dell /Confidential - Limited External Distribution:

53 Results 53 Classification: //Dell /Confidential - Limited External Distribution:

54 Dell Managed Phishing Phishing Failure Rate 54 Classification: //Dell /Confidential - Limited External Distribution:

55 40% 55 Classification: //Dell /Confidential - Limited External Distribution:

56 Conclusion 56 Classification: //Dell /Confidential - Limited External Distribution:

57 Thank you!

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013 Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory

More information

INTRODUCTION TO NETWORK SECURITY. Nischit Vaidya, CISSP Instructor

INTRODUCTION TO NETWORK SECURITY. Nischit Vaidya, CISSP Instructor INTRODUCTION TO NETWORK SECURITY Nischit Vaidya, CISSP Instructor COPYRIGHT ARGOTIS, INC. 2 0 1 3 1 INSTRUCTOR BIOGRAPHY Nischit Vaidya, CISSP, Security+ President/CEO of Argotis, Inc. - Providing Cybersecurity

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments

Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments DATA SHEET Technical Testing Application, Network and Red Team Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance

More information

2011 Forrester Research, Inc. Reproduction Prohibited

2011 Forrester Research, Inc. Reproduction Prohibited 1 2011 Forrester Research, Inc. Reproduction Prohibited Information Security Metrics Present Information that Matters to the Business Ed Ferrara, Principal Research Analyst July 12, 2011 2 2009 2011 Forrester

More information

Cyber Security Management

Cyber Security Management Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies

More information

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C. Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.

More information

The Value of Automated Penetration Testing White Paper

The Value of Automated Penetration Testing White Paper The Value of Automated Penetration Testing White Paper Overview As an information security and the security manager of the company, I am well aware of the difficulties of enterprises and organizations

More information

Helmi Rais CERT-TCC Team Manager National Agency for Computer Security, Tunisia helmi.rais@ansi.tn helmi.rais@gmail.com

Helmi Rais CERT-TCC Team Manager National Agency for Computer Security, Tunisia helmi.rais@ansi.tn helmi.rais@gmail.com Promoting a Cybersecurity Culture: Tunisian Experience ITU Regional Cybersecurity Forum for Eastern and Southern Africa Lusaka, Zambia, 25-28 August 2008 Helmi Rais CERT-TCC Team Manager National Agency

More information

SECURITY CONSIDERATIONS FOR LAW FIRMS

SECURITY CONSIDERATIONS FOR LAW FIRMS SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,

More information

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA OVERVIEW Introduction Overview The IDS Puzzle Current State of IDS Threats I have a good firewall, why do I need an IDS? Expectations

More information

Technical Testing. Network Testing DATA SHEET

Technical Testing. Network Testing DATA SHEET DATA SHEET Technical Testing Network Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance your security posture, reduce

More information

You are the weakest link! Presented by Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit & Security O Connor & Drew P.C. mhammond@ocd.

You are the weakest link! Presented by Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit & Security O Connor & Drew P.C. mhammond@ocd. You are the weakest link! Presented by Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit & Security O Connor & Drew P.C. mhammond@ocd.com Agenda Why do we keep getting hacked? How are they doing

More information

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA Advanced Visibility Moving Beyond a Log Centric View Matthew Gardiner, RSA & Richard Nichols, RSA 1 Security is getting measurability worse Percent of breaches where time to compromise (red)/time to Discovery

More information

Using Risk Modeling & Attack Simulation for Proactive Cyber Security Predictive Solutions for Effective Security Risk Management

Using Risk Modeling & Attack Simulation for Proactive Cyber Security Predictive Solutions for Effective Security Risk Management whitepaper Using Risk Modeling & Attack Simulation for Proactive Cyber Security Predictive Solutions for Effective Security Risk Management Executive Summary For years, security concerns have been a major

More information

13 Ways Through A Firewall What you don t know will hurt you

13 Ways Through A Firewall What you don t know will hurt you Scientech 2013 Symposium: Managing Fleet Assets and Performance 13 Ways Through A Firewall What you don t know will hurt you Andrew Ginter VP Industrial Security Waterfall Security Solutions andrew. ginter

More information

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports Building a Security Operation Center Agenda: Auditing Your Network Environment Selecting Effective Security

More information

Security Challenges and Solutions for Higher Education. May 2011

Security Challenges and Solutions for Higher Education. May 2011 Security Challenges and Solutions for Higher Education May 2011 Discussion Topics Security Threats and Challenges Education Risks and Trends ACH and Wire Fraud Malware and Phishing Techniques Prevention

More information

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers. Employee Security Awareness Survey Trenton Bond trent.bond@gmail.com Admin - Version 1.3 Security Awareness One of the most significant security risks that organizations and corporations face today is

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue

Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437. Specialist Security Training Catalogue Threat Intelligence Pty Ltd info@threatintelligence.com 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

Ernie Hayden CISSP CEH Executive Consultant

Ernie Hayden CISSP CEH Executive Consultant Ernie Hayden CISSP CEH Executive Consultant The Old Paradigm The New Philosophies What to Do? Discussion, Q&A http://ptcdigitalworld.wikispaces.com/file/view/14.jpg/91941753/964x515/14.jpg Herstmonceux

More information

Why The Security You Bought Yesterday, Won t Save You Today

Why The Security You Bought Yesterday, Won t Save You Today 9th Annual Courts and Local Government Technology Conference Why The Security You Bought Yesterday, Won t Save You Today Ian Robertson Director of Information Security Michael Gough Sr. Risk Analyst About

More information

Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC

Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC Cyber Security CHAD KNUTSON SECURE BANKING SOLUTIONS 2014 SECURE BANKING SOLUTIONS, LLC Presenter Chad Knutson Senior Information Security Consultant Masters in Information Assurance CISSP (Certified Information

More information

Basic Security Considerations for Email and Web Browsing

Basic Security Considerations for Email and Web Browsing Basic Security Considerations for Email and Web Browsing There has been a significant increase in spear phishing and other such social engineering attacks via email in the last quarter of 2015, with notable

More information

Is security awareness a waste of time?

Is security awareness a waste of time? Is security awareness a waste of time? New York State Cyber Security Conference June 5, 2013 Scott Gréaux Vice President Product Management and Services, PhishMe, Inc. They are exploiting human vulnerabilities

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

September 20, 2013 Senior IT Examiner Gene Lilienthal

September 20, 2013 Senior IT Examiner Gene Lilienthal Cyber Crime September 20, 2013 Senior IT Examiner Gene Lilienthal The following presentation are views and opinions of the speaker and does not necessarily reflect the views of the Federal Reserve Bank

More information

Mohamed ElHarras CIIP Strategies and Policies Executive Director

Mohamed ElHarras CIIP Strategies and Policies Executive Director EGYPT National Telecom Regulatory Authority Integrating The Information Security Awareness in Critical Infrastructure Firms Mohamed ElHarras CIIP Strategies and Policies Executive Director Agenda The Connectivity

More information

OPC & Security Agenda

OPC & Security Agenda OPC & Security Agenda Cyber Security Today Cyber Security for SCADA/IS OPC Security Overview OPC Security Products Questions & Answers 1 Introduction CYBER SECURITY TODAY The Need for Reliable Information

More information

FERPA: Data & Transport Security Best Practices

FERPA: Data & Transport Security Best Practices FERPA: Data & Transport Security Best Practices April 2013 Mike Tassey Privacy Technical Assistance Center FERPA and Data Security Unlike HIPAA and other similar federal regulations, FERPA does not require

More information

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow ecfirst @ Agenda Review the

More information

APT Advanced Persistent Threat Time to rethink?

APT Advanced Persistent Threat Time to rethink? APT Advanced Persistent Threat Time to rethink? 23 November 2012 Gergely Tóth Senior Manager, Security & Privacy Agenda APT examples How to get inside? Remote control Once we are inside Conclusion 2 APT

More information

AppGuard. Defeats Malware

AppGuard. Defeats Malware AppGuard Defeats Malware and phishing attacks, drive-by-downloads, zero-day attacks, watering hole attacks, weaponized documents, ransomware, and other undetectable advanced threats by preventing exploits

More information

I ve been breached! Now what?

I ve been breached! Now what? I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

Your security is our priority

Your security is our priority Your security is our priority Welcome to our Cash Management newsletter for businesses. You will find valuable information about how to limit your company s risk for fraud. We offer a wide variety of products

More information

FedVTE Training Catalog SPRING 2015. advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

FedVTE Training Catalog SPRING 2015. advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov FedVTE Training Catalog SPRING 2015 advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov If you need any assistance please contact the FedVTE Help Desk here or email the

More information

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com blog.coresecurity.com Preempting

More information

Cyber-Security Risk in the Global Organization:

Cyber-Security Risk in the Global Organization: Cyber-Security Risk in the Global Organization: Trends, Challenges and Strategies for Effective Management David Childers, CCEP, CIPP CEO, Compli Todd Carroll Assistant Special Agent in Charge, FBI Three

More information

Evolution Of Cyber Threats & Defense Approaches

Evolution Of Cyber Threats & Defense Approaches Evolution Of Cyber Threats & Defense Approaches Antony Abraham IT Architect, Information Security, State Farm Kevin McIntyre Tech Lead, Information Security, State Farm Agenda About State Farm Evolution

More information

Security Awareness Training Solutions

Security Awareness Training Solutions DATA SHEET Security Awareness Training Solutions A guide to available Dell SecureWorks services At Dell SecureWorks, we strive to be a trusted security advisor to our clients. Part of building this trust

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

Training Employees to Recognise & Avoid Advanced Threats

Training Employees to Recognise & Avoid Advanced Threats Training Employees to Recognise & Avoid Advanced Threats Joe Ferrara, President & CEO, Wombat Security Technologies Rashmi Knowles, Chief Security Architect EMEA, RSA The Security Division of EMC Session

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

CYBER SECURITY: A REPORT FROM THE TRENCHES 2015 AGC NATIONAL & CHAPTER LEADERSHIP CONFERENCE MIKE.ZUSMAN@CARVESYSTEMS.COM

CYBER SECURITY: A REPORT FROM THE TRENCHES 2015 AGC NATIONAL & CHAPTER LEADERSHIP CONFERENCE MIKE.ZUSMAN@CARVESYSTEMS.COM CYBER SECURITY: A REPORT FROM THE TRENCHES 2015 AGC NATIONAL & CHAPTER LEADERSHIP CONFERENCE SECURITY IS A PROCESS, NOT A STATE CARVE SYSTEMS LLC MIKE.ZUSMAN@CARVESYSTEMS.COM How did I get here? (short

More information

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons

More information

Information Security @ Blue Valley Schools FEBRUARY 2015

Information Security @ Blue Valley Schools FEBRUARY 2015 Information Security @ Blue Valley Schools FEBRUARY 2015 Student Data Privacy & Security Blue Valley is committed to providing an education beyond expectations to each of our students. To support that

More information

CYBER SECURITY, A GROWING CIO PRIORITY

CYBER SECURITY, A GROWING CIO PRIORITY www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------

More information

Developing a Successful Security Awareness Training Program. Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc.

Developing a Successful Security Awareness Training Program. Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc. Developing a Successful Security Awareness Training Program Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc. Agenda The human element of cyber security Building your case Building

More information

THE HUMAN COMPONENT OF CYBER SECURITY

THE HUMAN COMPONENT OF CYBER SECURITY cybersecurity.thalesgroup.com.au People, with their preference to minimise their own inconvenience, their predictability, apathy and general naivety about the potential impacts of their actions, are the

More information

Security on Embedded Systems

Security on Embedded Systems Cyber Security (CYS) Issue Group Activity Report Security on Embedded Systems Chair : Buheita Fujiwara Information-technology Promotion Agency With Cybersecurity Malaysia, Hitachi and III GBDe Summit 2007,

More information

Presented by Frederick J. Santarsiere

Presented by Frederick J. Santarsiere http://cinoltd.com/ Presented by Frederick J. Santarsiere CHFI, CISSP, CISM, CISA, CEH, CEI, CAP, SSCP Sec+, Net+, A+, MCSA, MCSE, MCITP, MCT CCENT, CCNA, CCNA Wireless, CCNA Voice CISCO SMBEN, SMBAM,

More information

What is Management Responsible For?

What is Management Responsible For? What is Management Responsible For? Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf & Company, P.C Regional

More information

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

How to Secure Your Environment

How to Secure Your Environment End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge

More information

An Analysis of the Capabilities Of Cybersecurity Defense

An Analysis of the Capabilities Of Cybersecurity Defense UNIDIRECTIONAL SECURITY GATEWAYS An Analysis of the Capabilities Of Cybersecurity Defense Michael Firstenberg, Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright

More information

13 Ways Through A Firewall

13 Ways Through A Firewall Industrial Control Systems Joint Working Group 2012 Fall Meeting 13 Ways Through A Firewall Andrew Ginter Director of Industrial Security Waterfall Security Solutions Proprietary Information -- Copyright

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Spyware. Michael Glenn Technology Management Michael.Glenn@Qwest.com. 2004 Qwest Communications International Inc.

Spyware. Michael Glenn Technology Management Michael.Glenn@Qwest.com. 2004 Qwest Communications International Inc. Spyware Michael Glenn Technology Management Michael.Glenn@Qwest.com Agenda Security Fundamentals Current Issues Spyware Definitions Overlaps of Threats Best Practices What Service Providers are Doing References

More information

Course Title: Penetration Testing: Network & Perimeter Testing

Course Title: Penetration Testing: Network & Perimeter Testing Course Title: Penetration Testing: Network & Perimeter Testing Page 1 of 7 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics

More information

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA Emerging Network Security Threats and what they mean for internal auditors December 11, 2013 John Gagne, CISSP, CISA 0 Objectives Emerging Risks Distributed Denial of Service (DDoS) Attacks Social Engineering

More information

Best Practices for a BYOD World

Best Practices for a BYOD World Face Today s Threats Head-On: Best Practices for a BYOD World Chris Vernon CISSP, VTSP Security Specialist Agenda Mobile Threats Overview 2013 State of Mobility Survey Canada BYOD Best Practices 2 Mobile

More information

How to protect sensitive data, challenges & risks

<Insert Picture Here> How to protect sensitive data, challenges & risks How to protect sensitive data, challenges & risks Lars Klumpes CISSP Security Strategy Consultant EMEA Disclaimer The following is intended to outline our general product direction.

More information

FedVTE Training Catalog SUMMER 2015. advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

FedVTE Training Catalog SUMMER 2015. advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov FedVTE Training Catalog SUMMER 2015 advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov Access FedVTE online at: fedvte.usalearning.gov If you need any assistance please

More information

Data Loss Prevention in the Enterprise

Data Loss Prevention in the Enterprise Data Loss Prevention in the Enterprise ISYM 525 Information Security Final Paper Written by Keneth R. Rhodes 12-01-09 In today s world data loss happens multiple times a day. Statistics show that there

More information

Thomas J. Schlagel Chief Information Officer, BNL

Thomas J. Schlagel Chief Information Officer, BNL Thomas J. Schlagel Chief Information Officer, BNL PhD in Nuclear Physics from the University of Illinois at Urbana-Champaign in 1990 Joined BNL in 1990 as a Postdoctoral Associate in the Nuclear Theory

More information

How to Spot and Combat a Phishing Attack Webinar

How to Spot and Combat a Phishing Attack Webinar How to Spot and Combat a Phishing Attack Webinar October 20 th, 2015 Kevin Patel Sr Director of Information Security, Compliance & IT Risk Mgmt kpatel@controlscan.com Agenda 1) National Cyber Security

More information

8/27/2015. Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354. Don t Wait Another Day

8/27/2015. Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354. Don t Wait Another Day Brad Schuette IT Manager City of Punta Gorda bschuette@pgorda.us (941) 575-3354 2015 FRWA Annual Conference Don t Wait Another Day 1 SCADA Subsystems Management Physical Connectivity Configuration Mgmt.

More information

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background: 1. Do you implement virus controls and filtering on all systems? Anti-Virus anti-virus software packages look for patterns in files or memory that indicate the possible presence of a known virus. Anti-virus

More information

Cyber Crime: You Are the Target

Cyber Crime: You Are the Target Cyber Crime: You Are the Target When talking about computer crime, we often hear the observation from computer users that they aren t rich and therefore what they have isn t worth much to a cyber criminal.

More information

Metasploit The Elixir of Network Security

Metasploit The Elixir of Network Security Metasploit The Elixir of Network Security Harish Chowdhary Software Quality Engineer, Aricent Technologies Shubham Mittal Penetration Testing Engineer, Iviz Security And Your Situation Would Be Main Goal

More information

Cybersecurity Awareness for Executives

Cybersecurity Awareness for Executives SESSION ID: SOP-R04 Cybersecurity Awareness for Executives Rob Sloan Head of Cyber Content and Data Dow Jones @_rob_sloan Session Overview Aim: Provide a high level overview of an effective cybersecurity

More information

Is Penetration Testing recommended for Industrial Control Systems?

Is Penetration Testing recommended for Industrial Control Systems? Is Penetration Testing recommended for Industrial Control Systems? By Ngai Chee Ban, CISSP, Honeywell Process Solutions, Asia Pacific Cyber Security Assessment for Industrial Automation Conducting a cyber-security

More information

Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry

Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry Cyber Security: Threat & The Maritime Environment Cyber Security: now byting the maritime industry Templar Executives NIAS 2007 DHR 2008 IAMM 2008 1 st CSS 2009 2 nd CSS 2011 Advising Government & Industry

More information

Making Database Security an IT Security Priority

Making Database Security an IT Security Priority Sponsored by Oracle Making Database Security an IT Security Priority A SANS Whitepaper November 2009 Written by Tanya Baccam Security Strategy Overview Why a Database Security Strategy? Making Databases

More information

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household This appendix is a supplement to the Cyber Security: Getting Started Guide, a non-technical reference essential for business managers, office managers, and operations managers. This appendix is one of

More information

Use Bring-Your-Own-Device Programs Securely

Use Bring-Your-Own-Device Programs Securely Use Bring-Your-Own-Device Programs Securely By Dale Gonzalez December 2012 Bring-your-own-device (BYOD) programs, which allow employees to use their personal smartphones, tablets and laptops in and out

More information

Anthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown

Anthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown Anthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown 1 Protected networks are continuously being successfully attacked

More information

They Did What?!? How Your End Users Are Putting You At Risk

They Did What?!? How Your End Users Are Putting You At Risk They Did What?!? How Your End Users Are Putting You At Risk SESSION ID: HT-F02 Mike Seifert CISSP, CISA, CIPP, CISM, CGEIT Vice President Enterprise Risk & Resilience Fiserv New/future jobs Cloud Services

More information

About Our 2015 WTA Cyber Security Speakers and Sessions

About Our 2015 WTA Cyber Security Speakers and Sessions About Our 2015 WTA Cyber Security Speakers and Sessions The constant threat of cyber security attacks is the number one concern for most businesses today. Weaknesses in networks and data security can expose

More information

Web Security School Final Exam

Web Security School Final Exam Web Security School Final Exam By Michael Cobb 1.) Which of the following services is not required to run a Windows server solely configured to run IIS and publish a Web site on the Internet? a. IIS Admin

More information

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark Villinski @markvillinski

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark Villinski @markvillinski TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY Mark Villinski @markvillinski Why do we have to educate employees about cybersecurity? 2014 Corporate Threats Survey 94% of business s suffered one

More information

Jumpstarting Your Security Awareness Program

Jumpstarting Your Security Awareness Program Jumpstarting Your Security Awareness Program Michael Holcomb Director, Information Security HO20110473 1 Jumpstarting Your Security Awareness Program Classification: Confidential Owner: Michael Holcomb

More information

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide Cyber Security Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Multi-State Information Sharing and Analysis Center (MS-ISAC) U.S.

More information

Cyber Security Threats

Cyber Security Threats Cyber Security Threats What keeps us up at night? Doug Jacobson Information Assurance Center www.iac.iastate.edu Information Assurance Center Iowa State University 1 Outline Who are the players The good,

More information

Presentation Objectives

Presentation Objectives Gerry Cochran, IT Specialist Jennifer Van Tassel, Associate Examiner Office of the State Comptroller Thomas P. DiNapoli State & Local Government Accountability Andrew A. SanFilippo Executive Deputy Comptroller

More information

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics SBA Cybersecurity for Small Businesses 1.1 Introduction Welcome to SBA s online training course: Cybersecurity for Small Businesses. SBA s Office of Entrepreneurship Education provides this self-paced

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

Data Breach Lessons Learned. June 11, 2015

Data Breach Lessons Learned. June 11, 2015 Data Breach Lessons Learned June 11, 2015 Introduction John Adams, CISM, CISA, CISSP Associate Director Security & Privacy 410.707.2829 john.adams@protiviti.com Powerful Insights. Proven Delivery. Kevin

More information

Education as a defense strategy. Jeannette Jarvis Group Program Manager PSS Security Microsoft

Education as a defense strategy. Jeannette Jarvis Group Program Manager PSS Security Microsoft Education as a defense strategy Jeannette Jarvis Group Program Manager PSS Security Microsoft Introduction to End User Security Awareness End User Security Awareness Challenges Understanding End User

More information

Cyber Security R&D (NE-1) and (NEET-4)

Cyber Security R&D (NE-1) and (NEET-4) Cyber Security R&D (NE-1) and (NEET-4) Trevor Cook Office of Science and Technology Innovation Office of Nuclear Energy U.S. Department of Energy Cyber Security for Nuclear Systems (the threat is real)

More information

SHOULD I BE CONCERNED ABOUT CYBER SECURITY? OR IS THE BETTER QUESTION WHAT IS CYBER SECURITY?!!!?

SHOULD I BE CONCERNED ABOUT CYBER SECURITY? OR IS THE BETTER QUESTION WHAT IS CYBER SECURITY?!!!? SHOULD I BE CONCERNED ABOUT CYBER SECURITY? OR IS THE BETTER QUESTION WHAT IS CYBER SECURITY?!!!? What we are not going to discuss: Understand, I am not a computer guru. My knowledge is probably more limited

More information

Part Banker. Part Geek. All Security & Compliance.

Part Banker. Part Geek. All Security & Compliance. Part Banker. Part Geek. All Security & Compliance. Your IT Security Assessment......begins with Vulnerability Scanning to identify and classify security weaknesses in your IT network. We look for weaknesses

More information

Secure by design: taking a strategic approach to cybersecurity

Secure by design: taking a strategic approach to cybersecurity Secure by design: taking a strategic approach to cybersecurity The cybersecurity market is overly focused on auditing policy compliance and performing vulnerability testing when the level of business risk

More information

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen 14th Annual Risk Management Convention New York, New York March 13, 2013 Today s Presentation 1)

More information