Financial Implications of Cybercrime Meeting the Information Security Management Challenge in the Cyber-Age

Transcription

1 Financial Implications of Cybercrime Meeting the Information Security Management Challenge in the Cyber-Age Southern California Association for Financial Professionals February 14, 2014 Stan Stahl, Ph.D. President Citadel Information Group Phone: Copyright Citadel Information Group. All Rights Reserved.

2 Citadel Information Group: Who We Are 2 Stan Stahl, Ph.D Co-Founder & President 30+ Years Experience Reagan White House Nuclear Missile Control President, ISSA-LA Kimberly Pease, CISSP Co-Founder & VP Former CIO 15+ Years Information Security Experience David Lam, CISSP, CPP VP Technology Management Services Active CIO 20+ Years Information Security Experience VP, ISSA-LA

3 Citadel Information Group: What We Do 3 Delivering Information Peace of Mind SM to Business and the Not-for-Profit Community Cyber Security Management Services Information Security Leadership Information Security Management Consulting Outsourced Chief Information Security Officer Assessments & Reviews Policies & Standards IT Security Management Management Strategy & Plans Executive & Board Education Awareness Training and Education 3 rd -Party Security Management Disaster Recovery & Incident Response Application Testing Compliance Management, e.g., PCI, HIPAA, ISO-27001, 02 Adverse Termination Support ediscovery, Forensics & Investigations Litigation Support

4 4 Managing Information Risk Four Key Questions 1. How serious is cybercrime and why should my organization care? 2. How vulnerable are we, really? 3. What do we need to do? 4. How do we do it?

5

6 6 Financial Fraud and Identity Theft Continue to Climb 662,076,606 Financial Records Reported Breached January 10, 2005 December 31, 2013 These count only reported breaches. They count neither (1) discovered but unreported breaches nor (2) undiscovered breaches.

7 7 Data Breach Costs Expensive. Money Down the Drain. $200 Per Compromised Record $5.5 Million Per Event Investigative Costs Breach Disclosure Costs Legal Fees Identity Theft Monitoring Lawsuits Customers Shareholders

8 8 Online Bank Fraud: $1,000,000,000. Losses Usually Born by Victim. Bloomberg, Aug 4, 2011:

9 of Fortune 1,000 Known to Be Victims of Chinese Theft of Intellectual Property

10 10 Ransom Ware is Back. More Dangerous Than Ever. Malware encrypts files You must pay ransom to get key

11 11 60% of Small Business Cybercrime Victims Close Within 6 Months More than ¾ of small businesses believe their companies are safe from hackers 20% - 30% of all cyberattacks hit small businesses with 250 or fewer employees 60% of small businesses close within 6 months of being victimized by cybercrime.

12 12 The Bottom Line: Cybercrime is an Existential Risk The C-Suite Must Get Involved Everyone has Vital Role to Play Information security requires CEO attention in their individual companies Business Roundtable, 2004

13 13 Why Are We so Vulnerable? Three Inconvenient Truths Internet was not designed to be secure Computer technology is riddled with security holes We humans are also imperfect

14 14 Cyber Security Need vs. Reality

15 15 Cybercriminals Take Over Websites to Infect User Computers with Malware

16 16 Cybercriminals Take Over Ad Servers to Infect User Computers with Malware

17 17 Attackers Exploit Software Flaws to Install Malware on Computers

18 18 Users Unwittingly Open the Door to Cybercrime com.us.welcome.c.tr ack.bridge.metrics.po rtal.jps.signon.online. sessionid.ssl.secure. gkkvnxs62qufdtl83ldz.udaql9ime4bn1siact 3f.uwu2e4phxrm31jy mlgaz.9rjfkbl26xnjskx ltu5o.aq7tr61oy0cmbi 0snacj.4yqvgfy5geuu xeefcoe7.paroquian sdores.org/

19 Users The Weakest Link 19 Inadvertent Open door to cybercriminal Click on links Use weak passwords Send s to wrong recipient Lose laptop Accidentally delete files Malicious Embezzlement Theft of Trade Secrets Misuse of Resources

20 20 Technology Not Up to Task: Anti-Virus Products Fail to Block Modern Malware

21 21 Meeting the Cybercrime Challenge What We Need to Do Distrust and caution are the parents of security. Benjamin Franklin

22 22 Recognize Information Security Management as an Element of Cyber Risk Management Information Security Management Information Security Management is NOT a part of IT

23 23 Manage Security of Information as Rigorously as You Manage Finance Implement Information Security Management System 1. Put proactive senior manager in charge 2. Implement formal risk-driven information security policies and standards 3. Identify, document and control sensitive information 4. Train and educate personnel 5. Manage IT Infrastructure from an information security point of view * * Also known to lower costs, improve user productivity and raise organizational morale

24 24 Implementation Case Study 90 Days to Improved Information Security

25 Started with an Assessment 25 Risk-Driven Information Security Assessment Information to Protect Information Risks Information Security Management Organizational Strengths / Weaknesses Technology Management Strengths / Weaknesses IT Network Weaknesses

26 26 Assessment Findings Led to Phase 1 Improvement Planning Organizational Weaknesses No one in charge No policies or standards Information dispersed No user awareness Online banking security inadequate Uncontrolled use of Dropbox No vendor security management No cyber insurance Technology Management Weaknesses No vulnerability management IT vendor weaknesses Backups not tested Gap between C-Suite & IT No Disaster Recovery planning No incident response planning BYOD not managed IT Network Weaknesses No VPN for remote use Missing patches Laptops not encrypted

27 27 Established Leadership. Senior Management Education.

28 28 Took Specific Action to Protect Against Online Bank Fraud Separate On-Line Banking Workstation Kept Patched Used Only for On-Line Banking Worked with Bank Dual Control Out-Of-Band Confirmation Remote Transfer Limits No Overseas Wires

29 29 Installed Policies and Standards

30 30 Provided Awareness Training. Trained Staff to Be Mindful.

31 31 Began Information Security Education Program If you do not know your enemies nor yourself, you will be imperiled in every single battle. Sun Tzu The Art of War

32 Began Information Inventory 32 Credit cards Employee Health Information Salaries Trade Secrets Intellectual Property Servers Desktops Cloud Home PCs BYOD devices

33 33 Worked with IT Vendor to Meet Security Management Standards Service Level Agreements Vendor Access Controls IT Vendor Internal Security Management

34 34 Implemented Vulnerability and Patch Management Program

35 35 Implemented VPN for Remote Access

36 36 Encrypted Laptops

37 37 Conducted BYOD and Remote PC Inventory

38 38 Tested Backup Quality with Full System Restore

39 39 Implemented Formal Incident Response Management

40 Introduced Staff to ISSA-LA Activities 40 Monthly Technical Meetings 3 rd Wednesday of Month CFO Information Security Working Group Meets Bi-Monthly Next Meeting: March 21, 2104 Richard Clarke Keynote Speaker Summit 6 Annual Information Security Summit May 16, 2014

41 41 Reviewed Progress and Developed Next- Phase Plans Continuous Improvement Decide Information Security Improvement Objectives Information Security Requirements & Expectations Assess Current Information Security Capabilities and Needs Plan Information Security Improvement Implementation Information Security Management System Continuous Improvement Implement Information Security Improvement Plan

42 Information Security is Proactively Managed Meet Information Security Standard of Care Lower Total Cost of Information Security SM

43 For More Information 43 Stan Stahl LinkedIn: Stan Stahl Citadel Information Group: Information Security Resource Library Free: Cyber Security News of the Week Free: Weekend Vulnerability and Patch Report ISSA-LA: Technical Meetings: 3 rd Wednesday of Month CFO-Working Group: 3 rd Friday of Odd-Months Financial Services Security Forum: 4 th Friday of Month CISO Forum: Quarterly 6 th Annual Summit: May, 2014

44 Financial Implications of Cybercrime Meeting the Information Security Challenge in the Cyber-Age Copyright Citadel Information Group. All Rights Reserved.