Meeting the Information Security Management Challenge in the Cyber-Age

Transcription

1 Meeting the Information Security Management Challenge in the Cyber-Age April Stan Stahl, Ph.D. President Citadel Information Group Phone: Copyright Citadel Information Group. All Rights Reserved.

2 Objectives Bring you up-to-date on cybercrime and its threat to your organization Show you where and how we are vulnerable to attack Provide practical defense tactics Provide a strategic overview of information security management Help you see that the fundamental information security challenge is cultural Enlist your support as emissaries back to your organizations to begin the process of culture change

3 3 The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It s not good enough to go to your CIO and say are we good to go. You ve got to be able to ask questions and understand the answers. Major Gen Brett Williams, U.S. Air Force (Ret) This Week with George Stephanopoulos, December 2014

4 Citadel Information Group: Who We Are 4 Stan Stahl, Ph.D Co-Founder & President 30+ Years Experience Reagan White House Nuclear Missile Control President, ISSA-LA Kimberly Pease, CISSP Co-Founder & VP Former CIO 15+ Years Information Security Experience David Lam, CISSP, CPP VP Technology Management Services Former CIO 20+ Years Information Security Experience VP, ISSA-LA

5 Citadel Information Group: What We Do 5 Deliver Information Peace of Mind to Business and the Not-for-Profit Community Cyber Security Management Services Information Security Leadership Information Security Management Consulting Assessments & Reviews Executive Management Technical Management

6 6 CyberCrime in the News

7 7 Cybercrime s Greatest Impact is on Small & Medium Sized Businesses 30% of victims have fewer than 250 employees 60% of smallbusiness victims are out of business within 6 months 80% of these breaches preventable

8 8 Managing Information Risk Four Key Questions 1. How serious is cybercrime and why should my organization care? 2. How vulnerable are we, really? 3. What do we need to do? 4. How do we do it?

9 9 Online Financial Fraud Continues To Be Growing Challenge From: Your Vendor, Stan Sent: Sunday, December 28, :07 PM To: Bill Hopkins, CFO Subject: Change of Bank Account Hi Bill Just an alert to let you know we ve changed banks. Please use the following from now on in wiring our payments. RTN: Account: I m still planning to be out your way in February. It will be nice to get out of the cold Montreal winter. Great thanks. Cheers - Stan The secret of success is honesty and fair-dealing. If you can fake that, you ve got it made... Groucho Marx

10 10 Lawyer Clicks on Attachment. Loses $289K. A lawyer who clicked on an attachment lost $289,000 to hackers who likely installed a virus that recorded his keystrokes. The anonymous lawyer, identified only as John from the San Diego area, told ABC 10 News how it happened. On Feb. 9, John received an with an address ending in usps.gov. Thinking he had received a legitimate from the U.S. Postal Service, he clicked on the attachment. "I thought it was legitimate and I clicked on the attachment," said John, an attorney with a local firm, who asked 10News not to identify him for fear of hurting his firm.

11 11 Hackers Encrypt Your Files, Demand 'Ransom'

12 12 Data Breach Costs Expensive. Money Down the Drain. $200 Per Compromised Record $5.5 Million Per Event Investigative Costs Breach Disclosure Costs Legal Fees Identity Theft Monitoring Lawsuits Customers Shareholders

13 13 Company Driven Into Bankruptcy by Competitor Hack

14 14 Sony is Not Only Company Breached for Political Views

15 15 Disgruntled Employees Sabotage Systems, Steal Information and Extort Money

16 The Bottom Line: Cyber Security Management Is Now An Executive Management Necessity 16 Customer and Client Information Credit Cards and PCI Compliance HIPAA Security Rule Breach Disclosure Laws On-Line Bank Fraud & Embezzlement Theft of Trade Secrets & Other Intellectual Property Loss of Other Peoples Information Critical Information Made Unavailable Systems Used for Illegal Purposes

17 17 Why Are We so Vulnerable? Three Inconvenient Truths Internet was not designed to be secure Computer technology is riddled with security holes We humans are also imperfect

18 18 Cyber Security Need vs. Reality

19 19 Users Unwittingly Open the Door to Cybercrime com.us.welcome.c.tr ack.bridge.metrics.po rtal.jps.signon.online. sessionid.ssl.secure. gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact 3f.uwu2e4phxrm31jy mlgaz.9rjfkbl26xnjskx ltu5o.aq7tr61oy0cmbi 0snacj.4yqvgfy5geuu xeefcoe7.paroquian sdores.org/

20 20 Vendors an Increasing Information Security Risk

21 21 Cybercriminals Hack Websites to Infect User Computers with Malware

22 22 Cybercriminals Hack Ad Servers to Infect User Computers with Malware

23 23 Bottom Line: We Let Cybercriminals in the Front Door Fall for Phishing Attacks Click on Links Open Attachments Use Weak Passwords Use Same Passwords on Multiple Accounts Send Personally Identifiable Information (PII) Unencrypted Send s to Wrong Recipient Lose Laptops

24 24 Cybercriminals Exploit Flaws Vulnerabilities in the Programs We Use

25 25 Technology Solutions Are Inadequate to Challenge

26 26 Management Too Often Fails to Set Security Standards for IT Network Hi Bob. Things good? You re keeping us secure now aren t you? Yes sir. Everything s fine. Yes sir. Everything s fine. Senior Management That s great Bob. We re all counting on you. IT Head I appreciate that sir. Know how to ask questions and understand answers

27 27 Management Too Often Fails to Properly Fund IT Network Security Hi Bob. Things good? You re keeping us secure now aren t you? Yes sir. Everything s fine. We need a BYOD Solution. Senior Management I understand. But you know how tight budgets are. IT Head I do. Yes sir. Know how to ask questions and understand answers

28 28 Meeting the Cybercrime Challenge Distrust and caution are the parents of security. Benjamin Franklin

29 The Objective of Cyber Security Management is to Manage Information Risk Cyber Fraud Information Theft Ransomware Denial of Service Attack Regulatory / Compliance Disaster Loss of Money Brand Value Competitive Advantage

30 30 Establish Leadership. Provide Senior Management Education. An organization's ability to learn, and translate that learning into action rapidly, is the ultimate competitive advantage. Jack Welch

31 31 Take Specific Action to Protect Against Online Financial Fraud Implement Internal Controls Over Payee Change Requests Assume Compromise Out-of-Band Confirmation Use Dedicated On-Line Banking Workstation Keep Patched Use Only for On-Line Banking Work with Bank Dual Control Out-Of-Band Confirmation Strong Controls on Wires

32 32 Train Staff to Be Mindful. Provide Phishing Defense Training.

33 33 Provide Information Security Education. Change Culture. If you do not know your enemies nor yourself, you will be imperiled in every single battle. Sun Tzu The Art of War

34 34 Patch All Vulnerabilities At Least Weekly. Sign Up for Free Citadel Weekend Report.

35 35 Know What Information Needs To Be Protected and Where It Is Online Banking Credentials Credit cards Employee Health Information Salaries Trade Secrets Intellectual Property Servers Desktops Cloud Home PCs BYOD devices

36 36 Implement Written Information Security Management Policies and Standards

37 37 Require IT Staff to Take Information Systems Security Continuing Education Information Security Summit 7 June 4-5, 2015 Monthly Technical Meetings 3 rd Wednesday of Month

38 38 Require Vendor(s) to Meet Security Management Standards Compliance with Information Security Standards Security Management Included in Service Level Agreements Full System & Procedural Documentation Business Associate Agreements (HIPAA) Vendor Access Controls IT Vendor Internal Security Management

39 39 Critical Information Available in Disaster? Trust But Verify.

40 40 Be Prepared: It s Not If But When

41 41 Be Prepared to Collect, Protect and Analyze Evidence Ensure IT is logging all potentially-relevant events Make sure IT staff doesn t unknowingly destroy valuable evidence Use trained experts to conduct incident forensics

42 42 Build Continuous Performance Improvement Into Information Security Management Decide Information Security Improvement Objectives Information Security Requirements & Expectations Assess Current Information Security Capabilities and Needs Plan Information Security Improvement Implementation Information Security Management System Continuous Improvement Implement Information Security Improvement Plan Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs W. Edwards Deming 14 Key Principles for Improving Organizational Effectiveness

43 43 Getting Started: If You Don t Know Where You Are, a Map Won t Help. Risk-Driven Information Security Assessment Information to Protect Donor and Client Information Staff Information Credit Cards Trade Secrets & Intellectual Property Compliance Responsibilities Payment Card Industry PCI DSS HIPAA Security Rule Organizational Strengths / Weaknesses Technology Management Strengths / Weaknesses IT Network Weaknesses

44 44 Use Assessment Findings to Build Improvement Roadmap Organizational Weaknesses No one in charge No policies or standards Information dispersed No user awareness Online banking security inadequate Uncontrolled use of Dropbox No vendor security management No cyber insurance Technology Management Weaknesses No vulnerability management IT vendor weaknesses Backups not tested Gap between C-Suite & IT No Disaster Recovery planning No incident response planning BYOD not managed IT Network Weaknesses No VPN for remote use Missing patches Laptops not encrypted

45 Don t Try to Reinvent Wheel: Use an Accepted Information Security Management Framework 45 Information Security Policies Communications Security Organization of Information Security System Acquisition, Development & Maintenance Human Resource Security Supplier Relationships Asset Management Access Control Cryptography Physical / Environmental Security Operations Security Information Security Incident Management Information Security Aspects of Business Continuity Management Compliance

46 46 Get Information Systems Security Subject Matter Expertise 7 th Annual Information Security Summit Los Angeles Convention Center June 4-5, 2015 June 4: The Executive Forum for Board & C-Suite June 4: Technical Management Speakers and Tracks June 5: Information Security Management Boot Camp for IT Professionals 20% Promotional Code for June 4 Summit: 7Summit_SS_20

47 47 Manage the Security of Information as Seriously as Operations and Finance Implement Formal Information Security Management System 1. Information Security Manager / Chief Information Security Officer a. C-Suite Access b. Independent of CIO or Technology Director c. Provide Cross-Functional Support 2. Implement Formal Risk-Driven Information Security Policies and Standards 3. Identify, Document and Control Sensitive Information 4. Train and Educate Personnel. Change Culture. 5. Manage Vendor Security 6. Manage IT Infrastructure from information security point of view

48 Information Security is Proactively Managed Security is Meet Proactively Information Managed Security Standard of Care ation Security Lower Standard Total Cost of Care of Information Security SM

49 For More Information 49 Stan Stahl LinkedIn: Stan Stahl Citadel Information Group: Information Security Resource Library Free: Cyber Security News of the Week Free: Weekend Vulnerability and Patch Report ISSA-LA: Technical Meetings: 3 rd Wednesday of Month Financial Services Security Forum: 4 th Friday of Month CISO Forum: Quarterly 7 th Annual Information Security Summit: June 4-5, 2015

50 Meeting the Information Security Management Challenge in the Cyber-Age Copyright Citadel Information Group. All Rights Reserved.

51 The Insurance Related Financial Impact and Costs of Cyber Crime/Privacy Liability Ted Doolittle Senior Vice President Risk Placement Services, Inc.

52 What is Cyber Liability/ Privacy Liability? Define it by what its meant to cover data Terminology 1 st and 3 rd party coverage Distinctions in 1 st party coverage

53 Potential Costs to Your Organization Financial Policy holder costs Regulatory requirements Downstream costs/liability Customer data/3 rd party data Frictional costs Downtime Staffing Company Focus Reputational

54 Coverage Triggers Generic privacy coverage (typically 3 rd party related) Privacy and Network Security Acts, Errors, Omissions (accidents) Hacking (social engineering, phishing, unauthorized access) Employees vs. Outside forces Online/offline, hardcopy/softcopy, inside network/outside network, portable devices Privacy Regulatory

55 What Else Do You Get With Privacy Liability Programs? Breach Services Breach Coach Security Vendors Legal Counsel Additional Coverage Professional Services Media Liability Cyber/Network Extortion Crisis Management/PR

56 Factors in Securing Privacy Liability Coverage Process Application requirements Application PII Revenue Marketplace Carriers Ever changing exposures Ever changing products

57 Factors in Securing Privacy Liability Coverage (Continued) Cost Minimum premiums/deductibles Capacity/competition Industry Higher Education Financial Institutions Retail/POS related Healthcare

58 For More Information Ted Doolittle

59 Thank You!! Ted Doolittle Senior Vice President Risk Placement Services, Inc.