Top Ten IT Risks. Top Ten IT Risks Wednesday, September 27, 2006

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Top Ten IT Risks. Top Ten IT Risks Wednesday, September 27, 2006"

Transcription

1 Wednesday, Presented by Top Ten IT Risks Presented by: Mark A. Eich, CPA, CISA Principal LarsonAllen Information Security Services Financial Managers Society, Inc. Security = Culture!! Security is a BUSINESS issue, NOT a technical issue!! Administrative Policies / Procedures Physical Access Controls Technical Security Controls 1

2 Wednesday, Top 10 IT Security Risks 1. Weak/Incomplete policies and lack of policy awareness 2. Malicious insider misuse 3. External attack phishing 4. External attack soc eng phone calls 5. External attack website defacement 6. Internal attack social engineering 7. Missing/weak IR policy 8. Patch management 9. Web Application Vulnerabilities 10. IT vendor mgmt Policies and Procedures = Culture Administrative Policies and Procedures Think in terms of Standards This is the foundation that everything else rests on Weaknesses here result in inconsistent or inappropriate application of standards Physical security WILL fail if standards are weak Technical controls WILL fail if standards are weak If employees do not understand standards (policies) security will fail 2

3 Wednesday, A confluence of events Rarely is it a single event or single vulnerability that results in the realization of a risk that leads to a loss. The following examples will highlight how multiple risks are often brought together, resulting in really bad things POLLING QUESTION Has your bank ever experienced a security breach? Yes No Was customer information affected? Yes No 3

4 Wednesday, The Real Estate department at the Bank Story #1 Key IT person takes sudden leave of absence Systems started to fail Consultant discovers side business People (more than one) are fired Law suits Forensics (too late?) Unfavorable settlement Reputational loss? The Real Estate department at the Bank What went wrong? Weak policies (#1) Shared accounts/password No logical auditing or review No required vacation policies Weak/missing Incident Response plan (#7) Allowed malicious insider misuse (#2) This particular case did not result in a direct loss of money (i.e. being stolen), but others with very similar circumstances have. 4

5 Wednesday, Hi, I am Jerry, the new IT guy up from Atlanta Story #2 Jerry hangs out at the smokers door. Drops names and company information Google-hacking Follows new friends/co-workers into building Hi, I am Jerry, the new IT guy up from Atlanta What went wrong? Weak policies (#1) Badges not required, or requirement not enforced No one verified the story What appeared to be good physical security was in fact weak. It was easily defeated through social engineering by exploiting poorly understood and/or enforced policies (#1, #6) Jerry hid out in the bathroom, and later in conference rooms and offices (more on this later ;-) 5

6 Wednesday, Can I use the bathroom? Story #3 John walks in, asks about opening an account, and fills out some paperwork. John asks to use the bathroom. Provides Jerry with hacking tools to use on the inside. Can I use the bathroom? What went wrong? When John came in he was carrying a bag full of goodies Planted keystroke loggers and wireless access point Discovered un-patched systems, AND default credentials (#6 and #8) This resulted in Domain Admin access to Windows systems, and ROOT access to AIX within 20 minutes 6

7 Wednesday, Hi, this is (net admin s name), I need Story #4 Hi, it s Dave, I am sending over two technicians, please put them in the training room. a consultant to fix the branch router. the Xerox copier repair technician Greeted, shown to conference room, and offered beverages Left alone when everyone left at 5:30 PM Hi, this is (net admin s name), I need What went wrong? Person was accepted for what they claimed to be Social Engineering (#4) Phone system did not authenticate the caller Recipient/Receptionist did not authenticate the caller (#1) We discovered un-patched systems, AND default credentials (#6 and #8) AGAIN Planted code and devices on the network. Left with lots of good stuff. 7

8 Wednesday, We caught our limit in only 30 minutes Story #5 (spear) phishing attack resulted in: Harvested credentials Access to webmail and RAS dial up Discovery of un-patched systems (browsers) Remote access to the inside of the network We caught our limit in only 30 minutes What went wrong? Employees did not recognize what was happening Weak/Incomplete polices and/or awareness (#1) Employees supplied credentials (#1) Un-patched systems were exploited for remote access Missing or incomplete Patch Management system (#8) This was all a result of what we call the second generation of phishing (now coined spear phishing) (#3) 8

9 Wednesday, Questions? Select *1 now to ask a live question through the phone OR Type your question into the chat box in the lower left corner of the screen and click on the Send button located right below the box. Mark, you need to see this.. Story #6 Our tech discovers an unpublished vulnerability in Internet banking application Allows FULL COMPROMISE of the web banking server and the entire network!! 9

10 Wednesday, Mark, you need to see this.. What went wrong? Unpublished vulnerability zero day threat (#9) Microsoft is easy to work with compared to these guys!! POLLING QUESTION Does your network penetration testing scope include web applications? Yes No 10

11 Wednesday, Long weekend.. Story #7 Friday 4PM Firewall failed open Open for 3 days Long weekend.. What went wrong Misunderstood level of service from MSSP (#10) No IR policy (#7) Run anti-virus and call me in the morning 11

12 Wednesday, Long weekend (redux).. Story #8 IT manager needs to use Internet banking on Saturday morning Web-site hacked by Turkish group! Long weekend (redux).. What went wrong Misunderstood level of service from web host (#10) Web site had access data base for applications (#5) Host would not allow forensics research (#10) 12

13 Wednesday, Identifying and Mitigating Risks Employees need to be aware of their role in the security of the Bank Regular awareness training Large group sessions blasts Weekly/Monthly flyers Catch them doing it right and make a big deal of it Identifying and Mitigating Risks Systems and Vendors need to be managed Security solutions are tools that need to be managed this takes time. They need to be hardened They need to be patched They need to be used/monitored/managed Their behavior & effectiveness needs to be tested Vendors need to be held to the same standards as those we apply to ourselves Understand EXPLICITLY what you are buying 13

14 Wednesday, Identifying and Mitigating Risks Systems and people need to be audited and tested to make sure processes are functioning properly. Opportunity for continuous improvement vs. Gotcha IT needs to get used to the idea of being audited. This should be done by in-house resources, as well as independent sources. Make your external auditors allow your in-house people to shoulder surf! Identifying and Mitigating Risks Risk Assessments Every 1 to 3 years GLBA focuses on protection of all forms of Customer (consumer) information. Electronic or Paper Risk Assessments should drive what is audited, and how often 14

15 Wednesday, POLLING QUESTION Have you ever experienced a social engineering attack? Yes No Social Engineering: Quantifying the Threat 15

16 Wednesday, Identifying and Mitigating Risks IT Audits Every 1 to 2 years General audits focused on business controls Organization and Management Controls System Security Administration and Access Controls Operational Controls Physical Security and Environmental Controls Disaster Recovery and Contingency Planning Systems and Program Development Controls Internet Banking Controls Identifying and Mitigating Risks Penetration Tests Every 3 to 12 months Frequency based on risk Penetration Tests should be scheduled based on size and complexity of the Banks IT infrastructure Vulnerability scans should supplement penetration tests, NOT replace them 16

17 Wednesday, Identifying and Mitigating Risks Penetration Tests Starts where a vulnerability scan ends - true test of vulnerabilities and resulting risk Should mimic how and what the hackers do - requires experts Should present the Bank with options based on the Bank s particular circumstances Identifying and Mitigating Risks Penetration Tests what should they cover? External Tests Internet facing infrastructure and applications Internal systems that touch the Internet (Phishing) Modems Don t forget the people (Social Engineering) Internal Tests Servers Workstations Infrastructure Don t forget the people 17

18 Wednesday, Security is a Business Issue Think in terms of Standards Administrative, Physical, and Technical Think in terms of People, Rules, and Tools Security is NOT a technical issue Security and Risk should be Managed Questions? 18

19 Wednesday, Questions? Select *1 now to ask a live question through the phone OR Type your question into the chat box in the lower left corner of the screen and click on the Send button located right below the box. Your feedback is important to us! Don t forget to complete the seminar survey. 1. Simply click on the Seminar Survey in the LINKS area to the left of this slide. 2. From the drop-down box at the top of the survey, choose the Top 10 IT Risks. 3. Complete the survey and click on Submit to send us your responses This concludes this program. Thank you for your participation. 19

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

IT Security Risks & Trends

IT Security Risks & Trends IT Security Risks & Trends Key Threats to All Businesses 1 1 What do the following have in common? Catholic church parish Hospice Collection agency Main Street newspaper stand Electrical contractor Health

More information

Software that provides secure access to technology, everywhere.

Software that provides secure access to technology, everywhere. Software that provides secure access to technology, everywhere. Joseph Patrick Schorr @JoeSchorr October, 2015 2015 BOMGAR CORPORATION ALL RIGHTS RESERVED WORLDWIDE 1 Agenda What are we dealing with? How

More information

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support Desktop Support and Data Breaches: The Unknown Dangers Bryan Hood Senior Solutions Engineer, Bomgar bhood@bomgar.com Session Description

More information

White Hats and Ethical Hacking: What You ve Been Doing Wrong. FocusOn CyberSecurity 30 March 2016

White Hats and Ethical Hacking: What You ve Been Doing Wrong. FocusOn CyberSecurity 30 March 2016 White Hats and Ethical Hacking: What You ve Been Doing Wrong FocusOn CyberSecurity 30 March 2016 Overview Vulnerability assessments and penetration testing What goes wrong The future of penetration testing

More information

Presented By: Bryan Miller CCIE, CISSP

Presented By: Bryan Miller CCIE, CISSP Presented By: Bryan Miller CCIE, CISSP Speaker Introduction Risks Controls Why We Should Pen Test Why We Don t Pen Test Tools & Techniques Low Hanging Fruit Case Studies Copyright 2010 Syrinx Technologies

More information

Presented by Evan Sylvester, CISSP

Presented by Evan Sylvester, CISSP Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

Information Security for the Rest of Us

Information Security for the Rest of Us Secure Your Way Forward. AuditWest.com Information Security for the Rest of Us Practical Advice for Small Businesses Brian Morkert President and Chief Consultant 1 Introduction President Audit West IT

More information

Auditing in the New Millennium:

Auditing in the New Millennium: : Information Technology Controls and Network Vulnerability Assessments Ernie Barany, CPA, CPT, CEH Principal Auditor Dan Altobelli, CPA, CISA, CEH Principal Auditor 1 When you think of IT auditing, is

More information

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE

More information

Click to edit Master title style

Click to edit Master title style EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control

More information

Conducting an Email Phishing Campaign

Conducting an Email Phishing Campaign Conducting an Email Phishing Campaign WMISACA/Lansing IIA Joint Seminar May 26, 2016 William J. Papanikolas, CISA, CFSA Sparrow Health System Estimated cost of cybercrime to the world economy in 2015 was

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, 2009. Concepts.

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, 2009. Concepts. Protect - Detect - Respond A Security-First Strategy HCCA Compliance Institute April 27, 2009 1 Today s Topics Concepts Case Study Sound Security Strategy 2 1 Security = Culture!! Security is a BUSINESS

More information

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Network and Host-based Vulnerability Assessment

Network and Host-based Vulnerability Assessment Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:

More information

Four Top Emagined Security Services

Four Top Emagined Security Services Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices

More information

Cybersecurity Demystified: Information Technology Security Trends. Joe Oleksak, Plante Moran

Cybersecurity Demystified: Information Technology Security Trends. Joe Oleksak, Plante Moran Cybersecurity Demystified: Information Technology Security Trends Joe Oleksak, Plante Moran Agenda Data Security Trends Example Attacks Industry Examples An Answer 1 Who Are The Victims? Targets - victims

More information

IT Compliance Volume II

IT Compliance Volume II The Essentials Series IT Compliance Volume II sponsored by by Rebecca Herold Addressing Web-Based Access and Authentication Challenges by Rebecca Herold, CISSP, CISM, CISA, FLMI February 2007 Incidents

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013 Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory

More information

Enterprise Computing Solutions

Enterprise Computing Solutions Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company

More information

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA Emerging Network Security Threats and what they mean for internal auditors December 11, 2013 John Gagne, CISSP, CISA 0 Objectives Emerging Risks Distributed Denial of Service (DDoS) Attacks Social Engineering

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies

More information

Penetration Testing. Presented by

Penetration Testing. Presented by Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing

More information

Data Security for Mortgage Companies: A Focus on Employees. Article by Roshni Patel & Daniel McKenna December 2015

Data Security for Mortgage Companies: A Focus on Employees. Article by Roshni Patel & Daniel McKenna December 2015 Data Security for Mortgage Companies: A Focus on Employees Article by Roshni Patel & Daniel McKenna December 2015 DATA SECURITY FOR MORTGAGE COMPANIES: A Focus on Employees BY ROSHNI PATEL & DANIEL McKENNA

More information

ABB s approach concerning IS Security for Automation Systems

ABB s approach concerning IS Security for Automation Systems ABB s approach concerning IS Security for Automation Systems Copyright 2006 ABB. All rights reserved. Stefan Kubik stefan.kubik@de.abb.com The problem Most manufacturing facilities are more connected (and

More information

Presented by: Mike Morris and Jim Rumph

Presented by: Mike Morris and Jim Rumph Presented by: Mike Morris and Jim Rumph Introduction MICHAEL MORRIS, CISA Systems Partner JIM RUMPH, CISA Systems Manager Objectives To understand how layered security assists in securing your network

More information

Top Security Challenges Facing Credit Unions Today. Chris Gates Lares Consulting

Top Security Challenges Facing Credit Unions Today. Chris Gates Lares Consulting Top Security Challenges Facing Credit Unions Today Chris Gates Lares Consulting 24 September 2013 A Little About Me Chris Gates Employment History: Partner, Lares Senior Security Consultant-Rapid7 Network

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured! Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured! Presented by: Kristen Zarcadoolas, Jim Soenksen, and Ed Sale PART 2: plan, act, repeat (from the look, plan,

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Department of Homeland Security

Department of Homeland Security Department of Homeland Security National Cybersecurity Assessments & Technical Services (NCATS) Service Overview, Success and Challenges 3/18/2016 1 Agenda Discussion about NCATS Current Programs and Services

More information

Intro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits

Intro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits HIPAA Security Rule & Live Hack Tod Ferran, CISSP, QSA Intro Tod Ferran, CISSP, QSA 25 years working with IT and physical security 2 years PCI and HIPAA security consulting, performing entity compliance

More information

8 ELEMENTS OF COMPLETE VULNERABILITY MANAGEMENT.

8 ELEMENTS OF COMPLETE VULNERABILITY MANAGEMENT. 8 ELEMENTS OF COMPLETE VULNERABILITY MANAGEMENT. INTRODUCTION It used to be so simple. The threat was hackers. Their method was burrowing into your network through open ports on your firewall or exploiting

More information

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. 2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. Entry Name HFA Submission Contact Phone Email Qualified Entries must be received by

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

2 0 1 4 F G F O A A N N U A L C O N F E R E N C E

2 0 1 4 F G F O A A N N U A L C O N F E R E N C E I T G OV E R NANCE 2 0 1 4 F G F O A A N N U A L C O N F E R E N C E RAJ PATEL Plante Moran 248.223.3428 raj.patel@plantemoran.com This presentation will discuss current threats faced by public institutions,

More information

Network and Security Controls

Network and Security Controls Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting

More information

User Security Education and System Hardening

User Security Education and System Hardening User Security Education and System Hardening Topic 1: User Security Education You have probably received some form of information security education, either in your workplace, school, or other settings.

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and

More information

Digital Pathways. Penetration Testing

Digital Pathways. Penetration Testing Penetration Testing inftouch@digitalpathwyas.co.uk Penetration testing, vulnerability tests, assurance projects, ethical hacking it all means broadly the same thing; testing a corporate network to determine

More information

The ICS Approach to Security-Focused IT Solutions

The ICS Approach to Security-Focused IT Solutions The ICS Approach to Security-Focused IT Solutions for the State of Mississippi ICS offers a dynamic and comprehensive portfolio of security-driven IT solutions for the State of Mississippi. Taking a proactive

More information

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports Building a Security Operation Center Agenda: Auditing Your Network Environment Selecting Effective Security

More information

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree Cyber Security: Potential Threats Impacting Organizations January 10, 2015 Scott Petree Agenda 2 Data Security Trends Root Causes of Cyber Attacks How Can We Fix This? Secure Infrastructure User Awareness

More information

Office of Inspector General

Office of Inspector General Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

Password Management Evaluation Guide for Businesses

Password Management Evaluation Guide for Businesses Password Management Evaluation Guide for Businesses White Paper 2016 Executive Summary Passwords and the need for effective password management are at the heart of the rise in costly data breaches. Various

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1 PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a

More information

Implementing a Framework

Implementing a Framework Implementing a Framework 44th Tennessee Higher Education Information Technology Symposium 2015 Greg Jackson Cyber Security Analyst Dynetics Inc. Information Systems Assessment Services (ISAS) www.dynetics.com

More information

The Future of Hacking

The Future of Hacking The Future of Hacking An Ethical Hacker s View Peter Wood Chief of Operations First Base Technologies Who am I? Started in electronics in 1969 Worked in networked computers since 1976 Second microcomputer

More information

Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence About ERM About The Speaker Information Security Expert at ERM B.S. Software Engineering and Information Technology

More information

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005 AUDITOR GENERAL S REPORT Protection of Critical Infrastructure Control Systems Report 5 August 2005 Serving the Public Interest Serving the Public Interest THE SPEAKER LEGISLATIVE ASSEMBLY THE PRESIDENT

More information

Department of Agriculture. Network Security Controls. Information Technology Audit

Department of Agriculture. Network Security Controls. Information Technology Audit O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Department of Agriculture Network Security Controls Information Technology Audit July 1, 2010 Report 10-23 FINANCIAL

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

The Risks of Cloud Storage

The Risks of Cloud Storage The Risks of Cloud Storage MyWorkDrive.com The Risks of Cloud Storage For all of the benefits cloud storage options provides, we cannot ignore the potential risks of public cloud computing. Even though

More information

Category: Title of Nomination. Project Manager: Job Title: Agency: Department: Address: City: State:

Category: Title of Nomination. Project Manager: Job Title: Agency: Department: Address: City: State: 1. Nomination Form Information: Category: Title of Nomination Project Manager: Job Title: Agency: Department: Address: City: State: Information Security and Privacy Security 2.0: Next Generation Security

More information

Cyber Exploits: Improving Defenses Against Penetration Attempts

Cyber Exploits: Improving Defenses Against Penetration Attempts Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How

More information

Cyber Security Management

Cyber Security Management Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurrently theme of targets of hacker attacks and companies

More information

5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES

5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES White paper 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES PROTECTING PHI ON PORTABLE DEVICES 2016 SecurityMetrics 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES 1 5 TIPS FOR HIPAA COMPLIANT MOBILE DEVICES PROTECTING

More information

Data Security for the Hospitality

Data Security for the Hospitality M&T Bank and SecurityMetrics Present: Data Security for the Hospitality Industry Featuring Lee Pierce, SecurityMetricsStrategicStrategic Accounts Dave Ellis, SecurityMetrics Forensic Investigator Doug

More information

Seven Strategies to Defend ICSs

Seven Strategies to Defend ICSs INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it s not a matter of if an intrusion will take

More information

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. The hidden risks of mobile applications This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit. To learn more about TraceSecurity visit www.tracesecurity.com

More information

Footprinting and Reconnaissance Tools

Footprinting and Reconnaissance Tools Footprinting and Reconnaissance Tools Topic 1: Common Port Scanning Techniques Do some research on computer ports that are most often scanned by hackers. Identify a port scanning exploit that is interesting

More information

External Penetration Assessment and Database Access Review

External Penetration Assessment and Database Access Review External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management

More information

Vulnerability and Threat Management and Prevention

Vulnerability and Threat Management and Prevention A1 Vulnerability and Threat Management and Prevention Weston Hecker Security Expert With KLJ Systems Network Analyst/Penetration Tester/President Of Computer Security Association Of North Dakota Slide

More information

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper Safeguarding data through increased awareness November 2015 1 Contents Executive Summary 3 Introduction 4 Martime Security 5 Perimeters Breached

More information

Hang Seng HSBCnet Security. May 2016

Hang Seng HSBCnet Security. May 2016 Hang Seng HSBCnet Security May 2016 1 Security The Bank aims to provide you with a robust, reliable and secure online environment in which to do business. We seek to achieve this through the adoption of

More information

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security Next-Generation Penetration Testing Benjamin Mossé, MD, Mossé Security About Me Managing Director of Mossé Security Creator of an Mossé Cyber Security Institute - in Melbourne +30,000 machines compromised

More information

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS DATA SECURITY HACKS, HIPAA AND HUMAN RISKS MSCPA HEALTH CARE SERVICES SEMINAR Ken Miller, CPA, CIA, CRMA, CHC, CISA Senior Manager, Healthcare HORNE LLP September 25, 2015 AGENDA 2015 The Year of the Healthcare

More information

Technical Testing. Network Testing DATA SHEET

Technical Testing. Network Testing DATA SHEET DATA SHEET Technical Testing Network Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance your security posture, reduce

More information

Penetration testing & Ethical Hacking. Security Week 2014

Penetration testing & Ethical Hacking. Security Week 2014 Penetration testing & Ethical Hacking Security Week 2014 Agenda Penetration Testing Vulnerability Scanning Social engineering Security Services offered by Endava 2 3 Who I am Catanoi Maxim Information

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide

More information

Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015

Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015 Top PCI 3.0 Challenges for Chain Merchants March 11, 2015 Webinar Program Wednesday, March 11, 2015 Presentations 3PM 3:45PM Eastern Questions & Answers 3:45PM 4:00PM Eastern Agenda Cybercrime PCI DSS

More information

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two

More information

How users bypass your security!

How users bypass your security! How users bypass your security! IT Days Security issues 20 th November 2014 Tom Leclerc, Security Consultant SAGS - Security Audits and Governance Services, a Telindus Security department Classification:

More information

Mobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall

Mobile security and your EMR. Presented by: Shawn Tester & Allen Cornwall Mobile security and your EMR Presented by: Shawn Tester & Allen Cornwall Date: October 14, 2011 Overview General Security Challenges & best practices Mobile EMR interfaces - EMR Access - Today & Future

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Things I can do to protect my network from getting Hacked!!!!!! Jazib Frahim, Technical Leader

Things I can do to protect my network from getting Hacked!!!!!! Jazib Frahim, Technical Leader Things I can do to protect my network from getting Hacked!!!!!! Jazib Frahim, Technical Leader Cisco Support Community Expert Series Webcast Today s featured expert is Cisco Technical Leader Ask him questions

More information

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers. Employee Security Awareness Survey Trenton Bond trent.bond@gmail.com Admin - Version 1.3 Security Awareness One of the most significant security risks that organizations and corporations face today is

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information