INFORMATION SECURITY FOR YOUR AGENCY

Transcription

1 INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC

2 CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection of the Financial Infrastructure Managing Partner at SBS Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone:

3 DAKOTA STATE NATIONALLY RECOGNIZED National Security Agency Department of Homeland Security 4,000 universities in the country Only 100 named national centers in the past 10 years 3

4 DAKOTA STATE UNIVERSITY SUMMARY Dakota State University is the only national center of excellence focused on the security of banks 4

5 SECURE BANKING SOLUTIONS Information Security IT Risk Assessment Policy Development IT Audit Vulnerability Assessments Penetration Testing Social Engineering Financial Institutions Community Banks & Credit Unions Healthcare 5

6 AGENDA What information security laws and regulations apply to me? What security threats exist in todays world that I should be concerned about? How can I protect my business? What should I do next to improve security? 6

7 CYBERCRIME WHO IS THE TARGET? Cybercrime will eclipse terrorism FBI Director around 85% of cyber attacks are now targeting small businesses Whitehouse 70% of small business lack basic security controls Who has the data that cybercriminals want? Who are the least expecting targets? Where might information security be the weakest? Where could a cybercriminal break in, where they are the least likely to get caught? 7

8 HACKING MADE EASY Default Passwords Hacking Tools Caller ID Spoofing Social Engineer Toolkit ineering_tools:_social_engineer_toolkit_(set) 8

9 Size / Location Large/Metro Small/Rural INDUSTRY RISK ASSESSMENT High Risk Insurance Agent Community Bank Community Hospital Commercial Business Low Risk Business Health Financial Sensitive Data 9

10 GRAMM-LEACH-BLILEY ACT (GLBA) "develop, implement, and maintain a comprehensive written Information Security Program containing administrative, technical, and physical safeguards that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information at issue." - Safeguards Rule implement section 501(b) of GLBA (effective on July 1, 2001) The law covers banks, savings and loans, credit unions, insurance companies and securities firms. 10

11 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-phi. Specifically, covered entities must: Ensure the confidentiality, integrity, and availability of all e-phi they create, receive, maintain or transmit; Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and Ensure compliance by their workforce. 11

12 OTHER STATE & FEDERAL LAWS Identify Theft Red Flags Rule Fair Credit Reporting Act Fair & Accurate Credit Transactions (FACT) Act State Data Breach Notification Laws Massachusetts Privacy Law Payment Card Industry (PCI) 12

13 PERSONALLY IDENTIFIABLE INFORMATION Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother s maiden name, etc. (NIST and Westport Personal Data ) First name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit (Mass Privacy Law) 13

14 SECURITY PROCESS Plan Test Do 14

15 INFORMATION SECURITY PROGRAM Administrative Physical Technical 15

16 INFORMATION SECURITY PROGRAM Administrative Documented Security Program Security Awareness Training Social Engineering Testing Physical Technical Data Backup Mobile Devices Physical Security Security Cameras Motion Sensors Receptionist Secure Areas Locked Doors Malware Protection Hardware Firewall Software Firewall Software Patching Wireless Security Unique User Accounts Limited User Permissions Data Encryption 16

17 ISP BLUEPRINT Agency Risk Assessment Incident Response Penetration Test Business Continuity Vulnerability Assessment Security Awareness Social Engineering IT Audit Policy & Procedures 17

18 ISP BLUEPRINT Agency Risk Assessment Incident Response Penetration Test Business Continuity Vulnerability Assessment Security Awareness Social Engineering Q1 Q1 Q2 Q2 Q3 Q3 Q4 Q4 IT Audit Policy & Procedures 18

19 SMALL BUSINESS INFORMATION SECURITY: THE FUNDAMENTALS October 2009 NIST 7621 was released Assist small business management in understanding how to provide basic security for their information, systems, and networks. Provides commercially reasonable security measures which will reduce the likeliness of a security incident. Three basic areas which may reduce likeliness: Absolutely Necessary (todays focus) Highly Recommended Other Considerations 19

20 1) MALWARE - VIRUS, TROJANS, SPYWARE If your networks access the internet, then you have higher risk from Malware (Malicious Software). 20

21 2) HARDWARE FIREWALL Most small businesses have a broadband (high speed) internet connection which is always on. This leaves the network susceptible to network attacks on a 24/7 basis from anywhere in the world. 21

22 3) SOFTWARE FIREWALL In addition to hardware firewalls, software firewalls should be used on all workstations, mobile devices, and servers. Software firewalls protect systems from each other. Microsoft provides built in firewall 22

23 4) SOFTWARE PATCHING All operating systems such as Microsoft Windows, Apple OSX, and all distributions of UNIX/Linux have patches that need to be installed on a regular basis. Most software products require patches, including Microsoft Office, Adobe, Java, QuickTime, Firefox. These patches fix compatibility issues and known security vulnerabilities, not applying them leaves you vulnerable. 23

24 5) BACKUP DATA Backing up your data protects it from numerous threats: Hackers destroying your computer Malware corrupting your data Fire and other natural disaster destroying your systems Many other threats Include all your critical data, backup often. Store a copy offsite. Test your backup process to know you can restore data. 24

25 6) PHYSICAL ACCESS SECURITY Secure each entrance point Monitor areas for unauthorized people Escort visitors around the building Secure documents, computers, servers from theft Secure? Secure? 25

26 7) WIRELESS SECURITY Do not use wireless unless required for business Securely configure all wireless devices and access points. Most users implement with default settings Default passwords - WEP encryption can be hacked in hours (WPA2) Security vulnerabilities in wireless technology Update wireless software and firmware Users connect wireless devices to unsecured wireless, then conduct business. 26

27 8) SECURITY AWARENESS TRAINING Traffic for April 2010 Legitimate 11% Phishing 15% Employees should read security policies Employees should sign Acceptable Use Agreement Employees should receive training on security threats: Malware Phishing Social Engineering Unauthorized Access Other Spam 74% 27

28 9) UNIQUE USER ACCOUNTS Users should have a unique login to all computers, programs, and websites. Users should not be administrators on their local machine. If users can install software, then malware can install itself to the computer when clicked. Complex passwords - the password Spring08 can be cracked with on a normal computer in 24 seconds. Secure Passwords - 73% of users share the passwords which they use for online banking, with at least one nonfinancial website. If its easy to remember, its easy to guess. Try mnemonics Proud to be an American + birth year = PtbaA0&91 0&91 where the & has been substituted for 8 and 0891 is backwards for

29 10) LIMIT ACCESS TO DATA For all employees, provide access to only those systems and only to the specific information that they need to do their jobs. Do not allow a single individual to both initiate and approve a transaction (financial or otherwise). Limited access reduces the exposure of data to malware and hackers. Also reduces the impacts of malicious insiders. 29

30 11) ENCRYPT PERSONALLY IDENTIFIABLE INFORMATION Identify where in your institution you have personally identifiable information. When that information leaves your institution, assess whether or not you have encrypted that data during transmission or storage. Common systems needing encryption are: Company Website Offsite backup tapes Laptops Mobile phones / Tablets / ipads 30

31 12) DOCUMENTED INFORMATION SECURITY POLICY Document the process of how risks to personally identifiable information will be assessed. Document specific controls implemented to protect this information. Document auditing and testing procedures used to validate your security policy. Document acceptable use of information and technology by employees. Document how you will identify, contain, and respond to a security incident; including communication with third parties, regulators, authorities, and customers. Document how you will recover from a disaster. 31

32 RESOURCES HIPAA Security Rule ding/srsummary.html GLBA NIST CERT BBB FTC SANS SearchSecurity 32

33 Questions? Presenter: Chad Knutson, Secure Banking Solutions 33

34 CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection of the Financial Infrastructure Managing Partner at SBS Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone: